I spent a few hours yesterday searching the MikroTik forums for this, but couldn’t find exactly what I needed. I have been tasked with building a stand-alone “hardware” firewall on our network to isolate one NIC on one of our servers. I cannot use NAT.
I need to have my MT set up between the rest of my network and the protected server. I originally set the x86 MT up (2 nics) as a bridge, which seemed to work ok. Packets are coming through and hitting my IP firewall, but I’m having a problem pinging through to the host that is behind the firewall. How can I set this up so that traffic flows without interruption and without having to NAT anything?
When tracing the traffic through the router, it looks like the ping request reaches the server and the server tries to reply, but the reply packet is dropped somewhere inside the MT. I haven’t touched a MT config in over 3 years, so any help is appreciated.
My config (defaults except for the bridge, IP addresses, firewall filter rules and routing table):
/interface bridge
# Two-port transparent bridge that sits inline between the network and the
# protected host. protocol-mode=none turns (R)STP off, so a second L2 path
# between the public side and the Xover side would form a loop — acceptable
# only while Xover is a single crossover cable to one host.
add name=bridge1 disabled=no protocol-mode=none priority=0x8000 \
    auto-mac=yes admin-mac=00:00:00:00:00:00 arp=enabled \
    ageing-time=5m forward-delay=15s max-message-age=20s \
    transmit-hold-count=6 mtu=1500 l2mtu=65535
/interface ethernet
# disable-running-check=yes makes RouterOS report the port as running even
# without link, so a pulled cable is not reflected in interface or route
# state (sometimes needed for x86 NIC drivers that do not report link —
# confirm that is why it is set here).
set 0 name=public mac-address=00:C0:9F:22:F6:0C disabled=no \
    auto-negotiation=yes speed=100Mbps full-duplex=yes \
    cable-settings=default arp=enabled mtu=1500 disable-running-check=yes
set 1 name=Xover mac-address=00:02:B3:D0:C5:38 disabled=no \
    auto-negotiation=yes speed=100Mbps full-duplex=yes \
    cable-settings=default arp=enabled mtu=1500 disable-running-check=yes
/ip ipsec proposal
# Stock proposal; no IPsec peer or policy appears in this export, so it is
# presumably unused. 3DES / SHA-1 / modp1024 are legacy choices — if IPsec
# is ever turned on here, move to AES, SHA-2 and a >=2048-bit or EC PFS group.
set default name=default disabled=no enc-algorithms=3des \
    auth-algorithms=sha1 pfs-group=modp1024 lifetime=30m
/port
# Serial console, 9600 8N1. Anyone with physical access to the box gets a
# login prompt here.
set 0 name=serial0 baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
    flow-control=none
/ppp profile
# Stock PPP profiles; no PPP/PPTP/L2TP server appears in this export.
set default name=default only-one=default change-tcp-mss=yes \
    use-compression=default use-vj-compression=default \
    use-encryption=default use-mpls=default use-ipv6=yes
set default-encryption name=default-encryption only-one=default \
    change-tcp-mss=yes use-compression=default use-vj-compression=default \
    use-encryption=yes use-mpls=default use-ipv6=yes
/queue type
# Stock queue types. Only ethernet-default is referenced elsewhere in this
# export (attached to both NICs under /queue interface).
set default name=default kind=pfifo pfifo-limit=50
set ethernet-default name=ethernet-default kind=pfifo pfifo-limit=50
set wireless-default name=wireless-default kind=sfq sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default name=synchronous-default kind=red \
    red-min-threshold=10 red-max-threshold=50 red-limit=60 red-burst=20 \
    red-avg-packet=1000
set hotspot-default name=hotspot-default kind=sfq sfq-allot=1514 \
    sfq-perturb=5
set default-small name=default-small kind=pfifo pfifo-limit=10
/interface bridge port
# Both NICs are members of bridge1, so the public segment and the protected
# host share one L2 domain and every frame between them is switched by the
# bridge (and, because of use-ip-firewall under /interface bridge settings,
# passed through /ip firewall on the way).
add interface=public bridge=bridge1 disabled=no priority=0x80 path-cost=10 \
    edge=auto point-to-point=auto external-fdb=auto horizon=none
add interface=Xover bridge=bridge1 disabled=no priority=0x80 path-cost=10 \
    edge=auto point-to-point=auto external-fdb=auto horizon=none
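/interface bridge settings
# use-ip-firewall=yes sends frames that bridge1 forwards between public and
# Xover through /ip firewall (forward chain). This is what makes a
# transparent, non-NAT firewall possible.
# The original export had use-ip-firewall-for-vlan=no and
# use-ip-firewall-for-pppoe=no, which let 802.1Q-tagged and PPPoE-carried
# IP frames cross the bridge without ever reaching the filter. A firewall
# whose only job is to filter traffic to the host behind it must not have
# an unfiltered path, so both are enabled.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes \
    use-ip-firewall-for-pppoe=yes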
/ip accounting
# IP accounting and its web endpoint are both switched off.
set enabled=no account-local-traffic=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
# NOTE(review): public and Xover are both slave ports of bridge1 (see
# /interface bridge port), yet each also carries its own IP address.
# Addresses on bridge slave ports are presumably not usable (the bridge
# owns the port) — check whether /ip address shows them as invalid.
# 128.194.149.198/27 on public duplicates the subnet already on bridge1
# (.200/27), and 10.26.5.1/24 on Xover has no L3 path while Xover is
# bridged. This mix of routed and bridged addressing is a plausible cause
# of the "reply dies at the MT" symptom — confirm which addresses are
# actually intended and keep the router's own addresses on bridge1.
add interface=public address=128.194.149.198/27 network=128.194.149.192 \
    disabled=no
add interface=Xover address=10.26.5.1/24 network=10.26.5.0 disabled=no
add interface=bridge1 address=128.194.149.200/27 network=128.194.149.192 \
    disabled=no
/ip dns
# allow-remote-requests=no: the router does not resolve names for anyone
# else, so it cannot be abused as an open DNS reflector.
set allow-remote-requests=no max-udp-packet-size=512 cache-size=2048KiB \
    cache-max-ttl=1w
/ip firewall connection tracking
# Tracking is explicitly on; it is required for any connection-state
# matching in /ip firewall filter. Idle timeouts are short (10s for most
# states, 1d for established TCP), which keeps the table small on an
# inline bridge. tcp-syncookie=no leaves SYN-flood mitigation to the
# protected host — confirm that is intended.
set enabled=yes tcp-syncookie=no \
    tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s \
    udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s \
    generic-timeout=10m
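/ip firewall address-list
# Networks that must not talk to the protected hosts in either direction.
# The original export spelled this out as 16 rules (4 networks x 2 hosts x
# 2 directions); the two lists below express exactly the same cross product.
add list=blocked-nets address=165.91.79.0/24
add list=blocked-nets address=165.91.157.0/24
add list=blocked-nets address=165.91.145.128/25
add list=blocked-nets address=165.91.18.128/25
# Hosts on the Xover side that the blocks apply to.
add list=protected-hosts address=128.194.149.196
add list=protected-hosts address=128.194.149.197
/ip firewall filter
# forward chain: bridged frames land here because of use-ip-firewall=yes.
# Already-accepted flows are passed first; a new flow from a blocked
# network never gets accepted, so no tracked connection can exist for it
# and the fast path cannot be used to bypass the drops.
add chain=forward action=accept connection-state=established,related \
    disabled=no comment="fast-path flows already accepted below"
# Packets that belong to no tracked connection (stray ACKs, out-of-window
# segments, spoofed replies) are dropped rather than forwarded.
add chain=forward action=drop connection-state=invalid disabled=no \
    comment="drop untracked/invalid packets"
add chain=forward action=drop src-address-list=blocked-nets \
    dst-address-list=protected-hosts disabled=no \
    comment="blocked nets -> protected hosts"
add chain=forward action=drop src-address-list=protected-hosts \
    dst-address-list=blocked-nets disabled=no \
    comment="protected hosts -> blocked nets"
# NOTE(review): this chain is still default-allow — anything not matched
# above is forwarded. A firewall whose job is to protect a host should end
# with an explicit drop and accept only the services that host must
# expose; the export does not say what those are, so that rule is not
# guessed here.
# NOTE(review): there is no input chain at all, so every service the
# router itself listens on (ssh, winbox, www, api, ...) is reachable from
# any source, including the protected segment. Add input rules that accept
# established/related and management from the admin network only, then
# drop — the admin source is not in this export, so it is not invented.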
/ip firewall nat
# Disabled masquerade left over from the default setup. The design goal is
# a transparent, non-NAT firewall, so this must stay disabled (or be
# deleted): enabling it would rewrite the protected host's source address
# on the way out through public.
add chain=srcnat action=masquerade out-interface=public disabled=yes
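/ip firewall service-port
# Connection-tracking helpers (ALGs) parse application payload inside the
# kernel. On an inline firewall that exists only to protect one host they
# are attack surface with no benefit unless RELATED tracking is needed for
# that protocol. The original export left tftp and sip enabled; both are
# disabled here. Re-enable one only if the protected host actually serves
# SIP or TFTP and the filter must see its secondary flows as RELATED.
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes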
/ip neighbor discovery
# Neighbor discovery (MNDP/CDP) is off on every interface, so the router
# does not advertise itself on either segment.
set public disabled=yes
set Xover disabled=yes
set bridge1 disabled=yes
/ip proxy
# Web proxy is disabled; the remaining settings are stock and inert.
set enabled=no port=8080 src-address=0.0.0.0 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 \
    cache-on-disk=no max-cache-size=none always-from-cache=no \
    max-fresh-time=3d cache-hit-dscp=4 cache-administrator=webmaster \
    max-client-connections=600 max-server-connections=600 \
    serialize-connections=no
/ip route
# Default route toward the upstream gateway on the public /27.
add comment="added by setup" dst-address=0.0.0.0/0 \
    gateway=128.194.149.193 distance=1 scope=30 target-scope=10 \
    disabled=no
# NOTE(review): 128.194.149.196 and .197 sit in the same /27 as the
# router's own bridge1 address, and Xover is a bridge slave port (see
# /interface bridge port). In a transparent bridge these hosts are reached
# at L2 through bridge1, so /32 routes pointing at a slave interface look
# like a leftover from a routed (non-bridge) layout and are probably not
# what carries the reply; check-gateway=ping on an interface gateway also
# has no IP to ping. Confirm both are intended before relying on them.
add dst-address=128.194.149.196/32 gateway=Xover distance=1 scope=30 \
    target-scope=10 disabled=no
add dst-address=128.194.149.197/32 gateway=Xover check-gateway=ping \
    distance=1 scope=30 target-scope=10 disabled=no
/ip socks
# SOCKS proxy off.
set enabled=no port=1080 max-connections=200 connection-idle-timeout=2m
/ip ssh
# No TCP forwarding through the router's sshd, so an ssh login cannot be
# used as a pivot into the protected segment.
set forwarding-enabled=no
/ip traffic-flow
# NetFlow export off; interfaces=all is inert until enabled=yes.
set enabled=no interfaces=all cache-entries=4k \
    active-flow-timeout=30m inactive-flow-timeout=15s
/ip upnp
# UPnP off — it must stay off on a device that must neither open nor NAT
# ports on request.
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ipv6 nd
# NOTE(review): router advertisements are configured on interface=all.
# This export shows no /ipv6 address and no /ipv6 firewall. If the ipv6
# package is active, IPv6 frames crossing bridge1 are not covered by the
# /ip firewall rules, so the protected host would need equivalent
# /ipv6 firewall filter rules (or IPv6 stopped at L2) — verify.
add interface=all disabled=no advertise-mac-address=yes advertise-dns=no \
    managed-address-configuration=no other-configuration=no \
    ra-interval=3m20s-10m ra-delay=3s ra-lifetime=30m \
    hop-limit=unspecified mtu=unspecified reachable-time=unspecified \
    retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes valid-lifetime=4w2d preferred-lifetime=1w
/mpls
# MPLS settings are stock and LDP is disabled; nothing is label-switched.
set propagate-ttl=yes dynamic-label-range=16-1048575
/mpls interface
add interface=all mpls-mtu=1508 disabled=no
/mpls ldp
set enabled=no lsr-id=0.0.0.0 transport-address=0.0.0.0 \
    distribute-for-default-route=no use-explicit-null=no \
    hop-limit=255 path-vector-limit=255 loop-detect=no
/port firmware
set directory=firmware
/ppp aaa
# Local PPP accounting only; RADIUS is not used.
set use-radius=no accounting=yes interim-update=0s
/queue interface
# Plain FIFO on both NICs.
set public queue=ethernet-default
set Xover queue=ethernet-default