network.pdf
I am new to RouterOS and the MikroTik products. I want to set up a network as shown in the attached PDF file.
I have two internet connections. One of them is a cable connection with a public IP address, which is obtained through DHCP. The other is a VDSL connection, using VLAN tagging (internet goes over VLAN 6) and using PPPoE for getting a connection and an IP-address from the ISP. Once the VDSL connection is working, an additional /29 subnet is routed over that connection as well. The IP-addresses of this /29 subnet are not specially related to the public IP-address, used for setting up the internet connection. Both the single IP and the /29 subnet are public and static/fixed.
For both ISPs I have a transparent modem. For the cable connection I can connect a router or a PC and simply use DHCP to get an IP-address. I have this working now with a simple el-cheapo router. For the DSL connection I now have a Fritz!box, which is capable of doing the VLAN 6 selection, and it also allows me to have the public /29 subnet on the LAN side. It, however, does not allow real separation. On the LAN side I have the public /29 subnet and on the same LAN I have the private 192.168.2.*/24 network. This is not what I want. If a host is configured with a 192.168.2.x address and at the same time it has an address in the public IP subnet, then both can be reached from that single host. Security-wise this is not a desirable situation (the /29 subnet will be in a much less secure environment than the private LAN and I really want them to be separated).
In the attached drawing I show what I really want. I want to use a single router, which is connected to both modems and which allows me to set up three totally disconnected LANs. One LAN must be a 192.168.1.*/24 network. All internet traffic through the cable modem must be from/to that LAN. Another LAN must be a 192.168.2.*/24 network. All internet traffic through the DSL modem, which is directed at the single public IP-address for setting up the VDSL connection, must be from/to that LAN. The third LAN must be reached for all traffic towards an IP-address in my /29 subnet. One of these addresses must be a fully exposed host (without any firewalling), the other addresses must be behind a firewall. I will use a simple dumb switch so that multiple hosts can be connected to that third LAN.
I have the RB2011 series router in mind. It has 10 ports, two of them needed for connection to the cable and DSL modems, 3 of them needed for the 192.168.1.* network, 3 of them needed for the 192.168.2.* network and 2 remaining for the public /29 subnet. The 100 Mbit/s speed of half of the RB2011 ports is more than enough for me.
My question is a very simple one. Is it possible to use a MikroTik RB2011 series router for setting up a network as sketched in the attached PDF-document? If this indeed is possible, then I’ll purchase such a router, otherwise I will have to look further. Unfortunately, buying an industrial grade big router is not an option for me, its price is way too high.
If the setup is not possible, then one simplification is acceptable to me: leaving out the cable modem and only having the DSL connection with two separated LANs. The cable modem then keeps its current simple consumer router. But I only do this if the 3-LAN setup is not possible. The fewer separate boxes I have in my cabinet the more I like it.