I am attempting to do something like "DMZPlus" or "ip passthrough" on a MT. I have tried using many configurations and so far I can get the MT to accept, forward and even receive the return packet but I can't get it into the fwd or output chains as the packet is "destined" to the WAN IP or RB1...
FLOW:
INTERNET <-> RB1 <-> DMZ <-> RB2
Example IP layout:
RB1 WAN: DHCP Client
RB1 DMZ: 192.198.1.1/32 network=DHCP/32
RB2 WAN: Reused DHCP/32 gw=192.168.1.1
Mangles:
/ip firewall mangle
add action=accept chain=output connection-mark=DMZplus out-interface=DMZ
add action=mark-routing chain=output connection-mark=DMZplus new-routing-mark=DMZplus passthrough=yes
add action=mark-routing chain=prerouting in-interface=DMZ new-routing-mark=DMZplus passthrough=yes src-address=174.109.x.x
add action=mark-connection chain=forward in-interface=DMZ new-connection-mark=DMZplus out-interface=WAN passthrough=yes src-address=174.109.x.x
I have excluded the DMZ from the outgoing NAT, applied mangles all over, and can see the packets leaving and even get ICMPs back matching the connection marks, but try as I might I cannot get those packets out of RB1's input chain.
[admin@RB1] > ip dhcp-client print
Flags: X - disabled, I - invalid
INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 WAN no yes bound 174.109.x.x6/19
[admin@RB1] > ping 174.109.x.x6 interface=DMZ
SEQ HOST SIZE TTL TIME STATUS
0 174.109.x.x6 56 64 0ms
1 174.109.x.x6 56 64 0ms
sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
[admin@RB1] > ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
ADDRESS MAC-ADDRESS INTERFACE
6 DC 174.109.x.1 00:17:10:xx:xx:xx WAN
26 DC 174.109.x.x6 D4:CA:6D:xx:xx:xx DMZ
Thanks,
Don
The point of a double firewall is improved isolation of the internal network. But this setup negates the advantage of the second router/firewall, as RB2 is exposed (external IP) to the internet, for all intents and purposes bypassing RB1.
Just wondering, what do you gain of this extra router in pass-through mode?
The advantage to avoiding the double NAT is that the inside firewall can do things like SIP helpers and be using the outside IP. The other advantage to this setup is that you do have the option of “brand” diversity and the same level of security by obscurity achieved with a double NAT.
So the question remains: is there a way to set up an IP Passthrough on RouterOS?
Thanks again,
Don
I agree on the disadvantages, but disagree on the advantages: security is the same as with ONE firewall, as RB2 is directly exposed. And there is no double NATting, everything is passed on, the first RB is bypassed, so no double obscurity either…
Conceptually what you end up with is:
internet ------- RB ----- internal
                  |
                 dmz
And that’s easily achievable with just 1 RB.
Just my thoughts and considerations.
Regards
Ok fine, I’ll expand the scope beyond what I wanted to explain.
I want to separate IPv6 and IPv4 security policies. The ISP will not allow the DHCP client(s) to originate from 2 different MAC addresses. So RB1 will contain IPv6 policies, and RB2 will have no greater access to IPv4 hosts than external internet users. Yes, this can all be done in one monolithic firewall policy, but for simplicity's sake IP Pass-through of the IPv4 IP allows the RB1 policy to be much simpler. And also RB2 does not have to be an RB; it could again add brand diversity with UTM features that cannot be had in RB1, and yes, RB1 can still filter traffic…
Don
Have you considered running RB1 as a filtering bridge: bridge IPv4 but route IPv6, so local IPv6 addresses only on RB1?
Would need to be worked out further, but it is what you are looking for, I think.
PS: had a further thought, this could work.
Your topology: INTERNET ↔ RB1 ↔ DMZ ↔ RB2
RB1:
create vlan on dmz interface
bridge internet & vlan for ipv4 & arp only (drop rest)
configure as ipv6 router (internet + dmz)
RB2:
create vlan on dmz interface
setup dhcp client on vlan
configure as home router (masquerade…)
And that based on standard functionality, vendor independent.
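The filtering-bridge suggestion above written out as RouterOS CLI. This is an added example, not configuration posted in the thread; the interface names (WAN and DMZ on RB1, ether1 on RB2), VLAN id 10, the bridge name br-pass and the IPv6 pool name isp6 are assumptions, and the IPv6 filter rules are only a minimal stateful starting point for the policy Don says RB1 should hold:

```routeros
# Added example (not from the thread). Interface names, VLAN id 10,
# bridge name br-pass and pool name isp6 are assumptions.

########## RB1: bridge IPv4+ARP between WAN and a VLAN on DMZ, route IPv6 ##########
# Remove the IPv4 DHCP client on WAN first: the public IPv4 lease now
# belongs to RB2, so it must not also be requested from RB1's MAC.
/ip dhcp-client remove [find interface=WAN]

/interface vlan
add name=vlan10-dmz interface=DMZ vlan-id=10

/interface bridge
# protocol-mode=none: no STP BPDUs toward the ISP. use-ip-firewall stays
# at its default (no), so bridged IPv4 never enters /ip firewall on RB1.
add name=br-pass protocol-mode=none

/interface bridge port
add bridge=br-pass interface=WAN
add bridge=br-pass interface=vlan10-dmz

/interface bridge filter
# Only IPv4 and ARP may cross between the two ports. Everything else
# (IPv6, PPPoE discovery, LLDP, ...) is dropped in the forward chain, so
# RB2 is reachable from the ISP side over IPv4 only. The bridge's own
# IPv6 traffic uses the input/output chains and is unaffected.
add chain=forward mac-protocol=ip action=accept comment="passthrough IPv4"
add chain=forward mac-protocol=arp action=accept comment="passthrough ARP"
add chain=forward action=drop comment="nothing else between WAN and DMZ VLAN"

# IPv6 terminates on RB1. Its WAN-side L3 interface is now the bridge, so
# the DHCPv6 client sits on br-pass (and therefore uses the bridge MAC,
# a second MAC toward the ISP; confirm the ISP accepts that for IPv6).
/ipv6 dhcp-client
add interface=br-pass request=prefix pool-name=isp6 add-default-route=yes

/ipv6 address
# Untagged DMZ carries the delegated public /64 for the lab gear.
add interface=DMZ from-pool=isp6 address=::1/64 advertise=yes

/ipv6 firewall filter
# Minimal stateful policy; replace with the real IPv6 policy for the lab.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=br-pass connection-state=new action=drop \
    comment="no unsolicited inbound to lab until policy is written"

########## RB2: ordinary home router, WAN = tagged VLAN 10 on the DMZ-facing port ##########
/interface vlan
add name=vlan10-wan interface=ether1 vlan-id=10

/ip dhcp-client
# Gets the ISP's public IPv4 lease directly; the ISP sees RB2's MAC,
# and RB2 can run SIP helpers against the real outside address.
add interface=vlan10-wan add-default-route=yes use-peer-dns=yes disabled=no

/ip firewall nat
add chain=srcnat out-interface=vlan10-wan action=masquerade

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan10-wan action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan10-wan connection-state=new action=drop
```

Two checks after applying it: `/interface bridge filter print stats` on RB1 should show the drop rule counting while the ip/arp rules pass traffic, and `/ip dhcp-client print` on RB2 should reach `bound` with the public address that RB1 used to hold. Note that RB1 no longer has any IPv4 address on the WAN side, so it is managed over IPv6 or from the inside only.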
You're getting closer.
Again, scope creep: My setup is a router on a stick. RB1 in fact is an RB912, powered by PoE, with an 802.3af PoE “splitter” powering the cable modem… The problem is you still do not have a working SIP helper with what you have come to. I also have another RB, out of scope, with cellular backup, so I can remote reboot, debug, etc. The point being, I am trying to put my untrusted lab gear on the edge with IPv6 public addresses. More scope creep: I will be running a Palo Alto pseudowire between RB1 and the IPv6 LAB gear (yeah…)
“This would be cheaper”: My old MikroTik lab, which is in the trainer class photo, is 4x 2011s. I have a post-production “refined” version people saw at the MUM in Miami, 4x 953s. I wholly regret the CRS226 (not in the LAB!). I am eagerly awaiting the launch of the CRS328-24P-4S+RM, which will be ordered with a CRS317-1G-16S+RM on the same invoice (upgrades that are really in need!), and that's before I get into the meat and potatoes of what I am trying to secure/segment.
“This would be easier”: Fact is, I live in an area (RTP) where Google Fiber and AT&T GigaPower are a reality for most, but my town told them to fly a kite as they want to do municipal broadband!
Leaving me with a Cable provider (300/30) and a DSL provider (10/2?) to get access to the internet over.
All I need to figure out is whether I can get RouterOS, whose connection tracking is in fact tracking the packets as they come in, to do the correct next step and FWD them rather than EAT them.
So: IP Passthrough…?
Thanks,
Don
You know very well what your requirements are and the desired setup.
I’m interested to hear what the final solution is.
MT @janisk - You out there? I know you're the Queues guy, but I have a Life of the Packet question… I have added logging firewall rules etc. and I can’t explain why this is happening…
Last chance before I go the support route.
Don