Webserver configuration recommendation

Trying to assist a client with configuration of a new web server and need to make some adjustments to the Mikrotik for security reasons.

I’m looking for some suggestions regarding implementation. There are four basic requests.

  1. The web server needs to access only one device and one port on the LAN. Traffic between the LAN and the web server should be otherwise restricted.

  2. It would be beneficial for the web server to also have basic web (Internet) access for applying updates through a browser, etc.

  3. The web server needs to be accessible publicly only on the port that is hosting the web server.

  4. The web server needs to be reachable via VNC ONLY from the internal network.

I suppose to summarize, I’m basically wondering the best way to block all traffic excluding ports on specific devices that I allow. I suppose this may involve configuration of a DMZ?

Does anyone have any suggestions/thoughts?

The term DMZ is so “meh.” You’re really seeking isolation. This can be accomplished with the local firewall on the server, a segment protected by the firewall on a MikroTik router or a mix of both.

If you want the server to live on the same segment as the client devices you can control #1 and #4 easily with the local firewall. This has the added benefit of keeping CPU inspection to a minimal level on the MikroTik if a lot of traffic will be passing from LAN clients to the server.

Alternatively, just segment the server off from the rest of the network either with VLANs or a routed port. You’ll want to use an IP range not in use anywhere else and then create firewall rules accordingly. Specifically for #3, I’d keep the default approach of allowing whatever goes out back in for Internet access unless you want to spend a lot of time troubleshooting why updates are failing.
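As an added illustration of the segmented approach in the reply above (this is example configuration, not posted by either participant in the thread), the following RouterOS filter and NAT rules put the server on its own VLAN and encode the four requests from the original post. Every address, interface name and port number is an assumption: LAN clients on 192.168.88.0/24, the server on a VLAN interface `vlan-srv` as 10.10.10.10, the one permitted LAN device at 192.168.88.50 on TCP 5432, the public web service on TCP 443, VNC on TCP 5900, and `ether1` as the WAN uplink.

```routeros
# Assumed topology (constructed for this example):
#   LAN clients : 192.168.88.0/24 on bridge "bridge-lan"
#   Server VLAN : 10.10.10.0/24 on interface "vlan-srv", server = 10.10.10.10
#   LAN device the server may reach: 192.168.88.50, TCP 5432 (hypothetical port)
#   WAN uplink  : ether1

/interface list add name=WAN comment="uplink interfaces"
/interface list member add list=WAN interface=ether1

/ip firewall address-list add list=lan-nets address=192.168.88.0/24 comment="LAN clients"
/ip firewall address-list add list=srv-nets address=10.10.10.0/24 comment="isolated server segment"

# Rules are evaluated top-down; the first match wins, so ordering matters.
# Accept replies to connections the firewall already allowed. This is what keeps
# the server's own update traffic (#2) working without per-site rules.
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="return traffic for allowed sessions"
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="drop malformed/untracked packets"

# #1: server may open exactly one port on exactly one LAN device.
/ip firewall filter add chain=forward action=accept src-address=10.10.10.10 dst-address=192.168.88.50 protocol=tcp dst-port=5432 comment="#1 server -> single LAN device/port"

# #4: VNC to the server only from the internal network.
/ip firewall filter add chain=forward action=accept src-address-list=lan-nets dst-address=10.10.10.10 protocol=tcp dst-port=5900 comment="#4 VNC from LAN only"

# #3: public reachability only on the web port, and only for connections that
# the dst-nat rule below translated (so nothing else forwarded from WAN reaches it).
/ip firewall filter add chain=forward action=accept in-interface-list=WAN dst-address=10.10.10.10 protocol=tcp dst-port=443 connection-nat-state=dstnat comment="#3 public web port only"

# #2: server may initiate outbound Internet connections (updates, browser).
/ip firewall filter add chain=forward action=accept src-address=10.10.10.10 out-interface-list=WAN comment="#2 server -> Internet"

# Everything else between the server segment and the LAN is blocked in both directions.
/ip firewall filter add chain=forward action=drop src-address-list=srv-nets dst-address-list=lan-nets comment="isolation: server segment -> LAN"
/ip firewall filter add chain=forward action=drop src-address-list=lan-nets dst-address-list=srv-nets comment="isolation: LAN -> server segment"

# Any other inbound forwarded traffic from the Internet is dropped.
/ip firewall filter add chain=forward action=drop in-interface-list=WAN comment="drop unsolicited inbound from WAN"

# Publish the web port and masquerade outbound traffic.
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 action=dst-nat to-addresses=10.10.10.10 to-ports=443 comment="#3 publish web port"
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade comment="outbound NAT"
```

The two explicit LAN/server drop rules sit after the specific accepts, so the only cross-segment traffic that survives is the single device/port for #1 and VNC for #4; the established/related rule at the top carries the replies. The `connection-nat-state=dstnat` matcher ties #3 to the NAT rule, so no other forwarded traffic from `ether1` can land on the server even if another port is opened later by mistake. Traffic from the server to the router itself goes through the `input` chain, which this example leaves to the existing default rules; after applying, `/ip firewall filter print stats` shows which rules are actually matching so each request can be confirmed one at a time.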