Splitting internal network

Primax · May 7, 2014, 9:27pm

I am hosting a number of website on my home lan and i now would like to separate the hosting traffic off my own lan on to its own, suppose you could put it as a DMZ or Hosting lan.

Can i do this ??

Current setup is Internet > Eth1 and then Eth2 is to my lan then 24port switch

Could i have internet > Eth1 (Home lan) 192.168.x.x range ?
and then internet > Eth2 (Hosting lan) 10.14.x.x range ?

obviously i do not want any traffic to traverse between Eth1 and Eth2

Any help appreciated

Rudios · May 8, 2014, 12:46pm

That is possible in a slightly different way as you suggested.
You haven’t given much information about the devices in use so I’m going to assume things.
What I would do is connect the webserver directly to one of the ether ports of the routerboad and setup a dedicated IP segment.
Put a different IP segment to the ether port that connects to the switch.

If you can not connect the webserver directly to your routerboard and you have a managed switch you could also setup vlan’s.
Create 2 VLAN’s on the interface connected to the switch and setup vlan’s on the switch.

That is some of the options.

If you can give some more information about your current topology and the possible/allowed changes there I can give you some more advice.

Primax · May 8, 2014, 7:49pm

Firstly. Thank you for replying to my post.

Everything that i talk about is at my home so any changes that need/might need to be changed can be done so very easily.

Current topology is INTERNET > Virgin DSL > Mikrotik (Ports forwarded) > Internal lan

I have now done this INTERNET > Virgin DSL > Ether1 Mikrotik > Ether 2 Internal lan 192.168.X.X/24

Ether 3 DMZ Lan 172.16.10.X/24

The 192 range is DHCP and because i have just setup the 172 range these are all static ips.

All this arrangement does work and both internal lan and dmz zone are able to reach the internet BUT they are able to talk to each other now too which is not what i want. I would like both to act quite independently from each other and not be able to see each other on the lan.
As i am running VMware on the server that attaches to the dmz i can run the second nic on my internal zone so i can manage this every easily whilst the DMZ traffic is elsewhere.

I hope this makes some sense.

Paul

Rudios · May 8, 2014, 9:43pm

Create a drop rule on your firewall filter, forward chain.
It even better. Built allowance rules for wanted traffic and drop anything else.
How is your firewall looking now?
Please post export of /ip firewall filter

Primax · May 9, 2014, 7:12am

By jove i think i have cracked it. Cannot not ping across the networks

This kit is great, a little hard to get my head round but just does what i want. BRILLIANT !

[admin@MikroTik] /ip address> export
# jan/19/1970 13:35:14 by RouterOS 6.12
# software id = HBJ0-KJ8A
#
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=wlan1 network=192.168.0.0
add address=172.16.10.1/24 interface=ether3 network=172.16.10.0

And then…

[admin@MikroTik] /ip firewall filter> export
# jan/19/1970 13:32:32 by RouterOS 6.12
# software id = HBJ0-KJ8A
#
/ip firewall filter
add action=drop chain=output protocol=tcp src-port=80
add action=drop chain=output protocol=tcp src-port=21-25
add action=drop chain=forward dst-address-list=local-networks src-address-list=local-networks

If this is a little messy then i apologize. It’s just things i have picked up as and when i needed them.

Rudios · May 9, 2014, 7:58am

Primax:

By jove i think i have cracked it. Cannot not ping across the networks

This kit is great, a little hard to get my head round but just does what i want. BRILLIANT !
[admin@MikroTik] /ip address> export
# jan/19/1970 13:35:14 by RouterOS 6.12
# software id = HBJ0-KJ8A
#
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=wlan1 network=192.168.0.0
add address=172.16.10.1/24 interface=ether3 network=172.16.10.0
And then…
[admin@MikroTik] /ip firewall filter> export
# jan/19/1970 13:32:32 by RouterOS 6.12
# software id = HBJ0-KJ8A
#
/ip firewall filter
add action=drop chain=output protocol=tcp src-port=80
add action=drop chain=output protocol=tcp src-port=21-25
add action=drop chain=forward dst-address-list=local-networks src-address-list=local-networks
If this is a little messy then i apologize. It’s just things i have picked up as and when i needed them.

This is one of the ways to do it. There are several.
Like I said, for better security it is better to allow traffic you want to flow and block anything else.
Your firewall could look like this
add chain=forward action=drop connection-state=invalid comment"Block invalid traffic"
add chain=forward connection-state=established comment=“Allow established traffic”
add chain=forward connection-state=related comment=“Allow related traffic”
add chain=forward in-interface=wlan1 src-address=192.168.0.0/24 out-interface=ether1 comment=“Allow traffic from wlan to outside”
add chain=forward in-interface=ether3 src-address=172.16.10.0/24 out-interface=ether1 comment=“Allow traffic from ether3 to outside”
add chain=forward action=log comment"Log all other traffic, enable rule only for debugging" disabled=yes log-prefix=“DROPPED:”
add chain=forward action=drop comment="drop all other traffic"In one of your earlier posts you mentioned something about port forwards.
If you have NAT rules on the Routerboard you have to create allowance rules for these connections in the filter also.

Primax · May 9, 2014, 9:44am

Thank you Rudios for you valued support on this.

I am very green when i comes to this and i am trying to pick it up as quick as i can as there are many things that i would like to achieve with this kit.

When i get home later i think i will back up the router config and try yours out just incase it all goes pear shaped.

I totally agree with your view on this and i am keen to get this in place as only allowing what i need is better.

My port forward rules are like this.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment=\
    "Forward to webhosting - pound gateway" dst-port=80 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.9 to-ports=80
add action=dst-nat chain=dstnat comment="SSH to webhosting" dst-port=22 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.17 \
    to-ports=22

Above is a few from the table as i didnt want to post all what is going on for obvious reasons.

I would have though you would be able to point the traffic at a certain interface rather than just a destination ip address to give more security ? but maybe thats just me not knowing.

Paul

Rudios · May 9, 2014, 10:42am

Primax:

Thank you Rudios for you valued support on this.

I am very green when i comes to this and i am trying to pick it up as quick as i can as there are many things that i would like to achieve with this kit.

When i get home later i think i will back up the router config and try yours out just incase it all goes pear shaped.

I totally agree with your view on this and i am keen to get this in place as only allowing what i need is better.

My port forward rules are like this.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment=\
    "Forward to webhosting - pound gateway" dst-port=80 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.0.9 to-ports=80
add action=dst-nat chain=dstnat comment="SSH to webhosting" dst-port=22 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.17 \
    to-ports=22
Above is a few from the table as i didnt want to post all what is going on for obvious reasons.

I would have though you would be able to point the traffic at a certain interface rather than just a destination ip address to give more security ? but maybe thats just me not knowing.

Paul

Good to hear I can help you.
Derived from the NAT rules your posted the following filter rules must be applied.
/ip firewall filter
add chain=forward dst-address=192.168.0.9 protocol=tcp dst-port=80 in-interface=ether1-gateway
add chain=forward dst-address=192.168.0.17 protocol=tcp dst-port=22 in-interface=ether1-gatewayI only do not fully understand what you are trying to say with

I would have though you would be able to point the traffic at a certain interface rather than just a destination ip address to give more security ? but maybe thats just me not knowing.

Primax · May 9, 2014, 12:37pm

I only do not fully understand what you are trying to say with

I would have though you would be able to point the traffic at a certain interface rather than just a destination ip address to give more security ? but maybe thats just me not knowing.

Sorry i should have read what i had typed.

When applying nat rules i am surprised that you cannot specify the port that i needs to route to.

IE In ether 0 route port 80 through to Ether 1 rather than just specifying the ip address.

Anyway think i have taken up enough of your time on this.

REALLY appreciated.

Rudios · May 9, 2014, 1:12pm

Nat is indeed related to ip traffic and can not be tight to ports. Ports are only used to specify what traffic the Nat rule should be applied on.

Primax · May 9, 2014, 1:16pm

Again thank you so much for you help on this i am very grateful.

I shal go away now and play. Backing up the config first of course !!!

All best

Paul