DMZ + VPN + DNS Server on Mikrotik RB 1100 AH
Hello to all the friendly people in this forum, I hope I can solve my problem here. I am new to MikroTik. Recently I have set up some web servers and a file server that face the Internet directly; users access the web applications and the file server by public IP and port. I think that doing this, I will face many security problems for my network, and after scanning the Internet for a period of time I came to the conclusion that I should set up a VPN and a DMZ on my RB1100AH for security. I have tried many configurations, but it seems not to be working.
• Coming to the MikroTik interface settings:
- ether1-LAN is the local interface of the network (IP: 192.168.0.1/21)
- ether4-DMZ is the DMZ interface (IP: 192.168.200.1/24)
- ether13-WAN is the Internet interface, for example (IP: 18.104.22.168/28)
Everything is working fine besides the DMZ. I block any access by public IP so that no one can access the router or resources. I set up a PPTP server for VPN purposes, used mainly by some members who work remotely while they are traveling. The IP pool for remote users is the same as the IP pool of the DMZ, so any user accessing from outside will get an IP in the same range as the DMZ servers, which means they can access any DMZ server freely. What I really want is:
- VPN remote users should be able to access the DMZ server, for example (server IP: 192.168.200.200)
- Users in the LAN should be able to access servers in the DMZ zone
- The DMZ cannot access the LAN back, for security; for responses back only ports 80, 443 and 21 are allowed from the DMZ so that the LAN can get some response.
+ The above is what I really want to implement, but I have one point to consider that is still in doubt, and I hope you can advise me. The file server is the main storage of my network, but remote users will be using it frequently. I think that if I put it in the DMZ it will face a lot of security problems. If I put it in the local network it is also dangerous, because remote users will be able to access the LAN directly. I would also need to create another VPN pool for remote users to access that file server. In a professional, secure way, where should I put it?
Below is my DMZ setting, but it is not working:
/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
# only the LAN may open new connections to the router
add chain=input in-interface=ether1-LAN action=accept
add chain=input action=drop
/ip firewall filter
# forward chain: traffic routed through the router
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# LAN may open connections towards any interface (DMZ, WAN, VPN)
add chain=forward in-interface=ether1-LAN action=accept
# DMZ may reach the Internet
add chain=forward in-interface=ether4-DMZ out-interface=ether13-WAN action=accept
# anything else (e.g. VPN clients) may reach the DMZ file server only on these ports
add chain=forward dst-address=192.168.200.200 protocol=tcp dst-port=80,443,21 action=accept
add chain=forward action=drop
• 192.168.200.200 is the IP address of the file server in the DMZ zone for remote VPN users.
+ Besides this I have one more problem related to DNS. I want to use the RB1100 as a DNS server to translate some server IPs to names so that they are convenient to remember. I have already set it up and it is working fine. For example, for another file server with IP 192.168.7.7/21, I point it to the name "Fileserver.com" and it is fine, but when I come to the next server, for example the ERP server at 192.168.7.8:8069, I want to give it the name "ERP.com", but MikroTik only allows translating an IP, not a port. What should I do with the port in this case, since the port cannot be changed? I was thinking about one rule along these lines: if the request is for IP 192.168.7.8 (LOCAL), the router would (forward / translate / point) it to IP 192.168.7.8:8069 (same IP), but I am not sure about that.
Hope to solve the problem here.
Thanks, best regards,
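As an added example from the editor, not the poster's configuration: a forward chain that implements the three requirements listed above (VPN users to the DMZ server, LAN to DMZ, no new connections from the DMZ into the LAN). It assumes the PPTP pool is moved to a separate, constructed subnet 192.168.201.0/24 so VPN clients can be matched by source address rather than by the dynamic per-user PPTP interface name.

```routeros
# Added example, not the poster's config. Assumes a constructed VPN subnet
# 192.168.201.0/24 distinct from the DMZ subnet 192.168.200.0/24.
/ip pool
add name=vpn-pool ranges=192.168.201.10-192.168.201.100
/ppp profile
set default local-address=192.168.201.1 remote-address=vpn-pool

/ip firewall filter
# Replies to connections that were allowed to start are accepted in either
# direction. This is what lets DMZ servers answer LAN and VPN clients, so no
# "response" ports need to be opened from the DMZ towards the LAN.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# LAN may open connections to the DMZ and to the Internet
add chain=forward in-interface=ether1-LAN out-interface=ether4-DMZ action=accept
add chain=forward in-interface=ether1-LAN out-interface=ether13-WAN action=accept
# VPN clients (matched by pool address) may reach the DMZ file server on the
# listed ports only; FTP data channels are covered by the related rule above
add chain=forward src-address=192.168.201.0/24 dst-address=192.168.200.200 protocol=tcp dst-port=80,443,21 action=accept
# DMZ may reach the Internet, but may not open connections towards LAN or VPN
add chain=forward in-interface=ether4-DMZ out-interface=ether13-WAN action=accept
add chain=forward in-interface=ether4-DMZ action=drop
# everything not explicitly allowed is dropped
add chain=forward action=drop
```

The FTP data connections accepted by the related rule depend on the FTP service-port helper under /ip firewall service-port, which RouterOS enables by default.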