Subnet of public addresses, NAT, VLAN

GeniuZ · September 2, 2010, 9:46pm

Hello all, I need help with MikroTik setting. I found lot of examples on Internet, but not little more complex one. I hope this example can help useful for more people.

Please see attached illustration for quick access. If someone can be so willing and explains complete setting script for this example I will be happy.

I have subnet of public addresses. In this example I choose three addresses (PUB1) 100.0.0.1, (PUB2) 100.0.0.2 and (PUB3) 100.0.0.3 (all others PUBs are similar to on of this three). Internet is connected to MikroTik (MT) to port 3. Next I have three LAN subnets (LAN1) 192.168.1.0/24, (LAN2) 192.168.2.0/24 and (LAN3) 192.168.3.0/24. Theese LAN subnets cant be mixed together with any packet. LAN1 is connected to MT port 1. LAN2 and LAN3 are connected to switch and encapsuled to VLANs, LAN2 to VLANID2, LAN3 to VLANID3 and VLANs are trunked to MT to port 2.

What I need. I need do NAT of LANs to PUBs, LAN1 to PUB1, LAN2 to PUB2, LAN3 to PUB3. Public addresses must be blocked from incoming traffic, only port 80 can be forwared to LANs IPs X.X.X.1:80, this means PUB1:80 to 192.168.1.1:80, PUB2:80 to 192.168.2.1:80, PUB3:80 to 192.168.3.1:80.

My next question is, becouse I do some testing with this, I need set every one public address on interface on port 3. When I set only subnet of public addresses on port 3, this is not functional. When I have more public addresses, is any option to set it withou put everyone public address to interface?

Thank you all for help.

fewi · September 3, 2010, 1:41pm

You can apply multiple IP addresses to an interface, and in this case should. It’s simple and works. You can fake it out with proxy ARP, but I personally think that’s messy. If you have a lot of IPs to add you can always script that out and have as many IPs as you want added with just a few lines of code in a for loop.

Overload public IPs on the WAN interface:

/ip address
add address=100.0.0.1/24 interface=ether3
add address=100.0.0.2/24 interface=ether3
add address=100.0.0.3/24 interface=ether3

In the firewall, permit tcp/80 inbound and block traffic between internal networks. This is not an exhaustive rule set, for example it does not protect the router itself:

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether3 protocol=tcp dst-port=80 action=accept
add chain=forward out-interface=ether3 action=accept
add chain=forward action=drop

Forward tcp/80 to the relevant web servers:

/ip firewall nat
add chain=dstnat in-interface=ether3 dst-address=100.0.0.1 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.1
add chain=dstnat in-interface=ether3 dst-address=100.0.0.2 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.2
add chain=dstnat in-interface=ether3 dst-address=100.0.0.3 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.1.3

And PAT the internal networks as required:

/ip firewall nat
add chain=srcnat out-interface=ether3 src-address=192.168.1.0/24 action=src-nat to-address=100.0.0.1
add chain=srcnat out-interface=ether3 src-address=192.168.1.0/24 action=src-nat to-address=100.0.0.2
add chain=srcnat out-interface=ether3 src-address=192.168.1.0/24 action=src-nat to-address=100.0.0.3

There you go. The manual wiki pages on firewall filters and NAT go into detail on what the options do.

GeniuZ · September 3, 2010, 2:44pm

Fewi, thank you for explain the basic settings. What about VLAN implementation? I think some /interface vlan setting is missing…

fewi · September 3, 2010, 2:57pm

Yes, I didn’t show that as I didn’t realize you needed that information. It’s pretty simple and straight out of the manual.

First you create two VLAN interfaces tied to port 2:

/interface vlan
add name=vlan10 interface=ether2 vlan-id=10
add name=vlan20 interface=ether2 vlan-id=20

Now you treat the VLAN interfaces just like you’d treat a physical interface:

/ip address
add address=192.168.1.1/24 interface=ether1
add address=192.168.2.1/24 interface=vlan10
add address=192.168.3.1/24 interface=vlan20

GeniuZ · September 3, 2010, 3:09pm

Thank you fewi for care, I test this settings today.
Please can you help me with DNS too, I forgot it.
DNS is from another subnet, for example DNS IP will be 100.100.0.1
Need I set any rules for DNS?
And what about gateway, need I set any gateway?

fewi · September 3, 2010, 3:25pm

As long as DNS is reachable you can use it. You do obviously need a default gateway via a static route or a dynamic routing protocol, but that stuff is ALL covered in the manual. I didn’t realize originally that you’re essentially asking people to configure the whole thing for you.

GeniuZ · September 3, 2010, 4:47pm

Fewi, thank you, I think I’m able do all settings with manual and google and with experiment-error method and I do it, I’m now on half way and I’m waiting for todays switch delivery for VLAN testing (I know what VLAN means only two days). When you do whatever first time and you are not professional - here in network (I’m programmer), little mistake can destroy all your local data for example. More ways can be applied and good setting you can do only with experience. Next I found here are contradictions and errors on forum too. Without experience beginner is not able detect it. I hope general forum on Mikrotik and willing people can help do professional setting on Mikrotik routers. I think whole code can help many people. In documentation are only pieces of setting and assemble it is difficult. I think one big complex example is missing in MikroTik documentation. Thanx for support.

fewi · September 3, 2010, 5:18pm

The main issue with giving someone a complete configuration is that no two sites are the same - what works in one place won’t in another. If you just have a template to blindly copy and paste you end up with a mis-configured or badly configured system and no idea how to fix it. If, however, you spend the time reading the manual - even as a beginner - and learning the product you can configure it for your needs, and aren’t at a loss when something breaks further down the road. If all you did was copy and paste you have little chance to fix any issues yourself, and the worst time to start learning how something works is when you’re under pressure to fix it. If you take the time to learn how it works before deploying everything else will go much, much smoother.

Of course that’s just my personal opinion.

GeniuZ · September 3, 2010, 10:41pm

I agree, I’m doing setting now, it’s very impressive work. After it will be done, I put script here and hope for someone check it / correct it, maybe this will be easy fast work checkt the code for any specialist. I hoped for some ideas what can help me with this now becouse this is hard work for network-virgin as I am )