StevStorm
just joined
Topic Author
Posts: 2
Joined: Fri Aug 19, 2016 7:45 am

DMZ + VPN + DNS on Mikrotik 1100AH

Fri Aug 19, 2016 7:51 am

DMZ + VPN + DNS Server on Mikrotik RB 1100 AH

Dear all,

Hello to all the friendly people in this forum; I hope I can solve my problem here. I am new to MikroTik. Recently I set up a web server and a file server that face the Internet directly: users access the web application and the file server by public IP and port. I think that doing this will cause many security problems for my network, and after searching the Internet for a while I concluded that I should set up a VPN and a DMZ on my RB1100AH for security. I have tried many configurations, but none seem to work.

• MikroTik interface settings:
[attachment: Snip20160819_2.png]
- ether1-LAN is the local interface of the network (IP: 192.168.0.1/21)
- ether4-DMZ is the DMZ interface (IP: 192.168.200.1/24)
- ether13-WAN is the Internet interface, for example (IP: 110.110.110.100/28)


Everything is working fine except the DMZ. I block all access by public IP so that no one can reach the router or its resources. I set up a PPTP server for VPN, used mainly by some members who work remotely while travelling. The IP pool for remote users is the same as the IP pool of the DMZ, so any user connecting from outside gets an IP in the same range as the DMZ servers, which means they can access any DMZ server freely. What I really want is:

- VPN remote users should be able to access the DMZ server, for example (server IP: 192.168.200.200)
- Users in the LAN should be able to access servers in the DMZ zone
- The DMZ must not be able to access the LAN back, for security; for responses only ports 80, 443 and 21 are allowed from the DMZ so that the LAN can get some response.

+ Above is what I really want to implement, but I have one more point to consider that is still in doubt, and I hope you can advise me. The file server is the main storage of my network, but remote users will use it frequently. If I put it in the DMZ, I think it will face a lot of security problems. If I put it in the LAN, it is also dangerous, because remote users will be able to access the LAN directly; I would also need to create another VPN pool for remote users to access that file server. In a professional security setup, where should I put it?

Below are my DMZ settings, but they are not working:

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-LAN action=accept
add chain=input action=drop


/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-LAN action=accept
add chain=forward in-interface=ether4-DMZ out-interface=ether13-WAN action=accept
add chain=forward dst-address=192.168.200.200 protocol=tcp dst-port=80,443,21 action=accept
add chain=forward action=drop


• 192.168.200.200 is the IP address of the file server in the DMZ zone for remote VPN users.



+ Besides this I have one more problem, related to DNS. I want to use the RB1100 as a DNS server to translate some server IPs into names, so that they are convenient to remember. I have already set it up and it is working fine. For example, for another file server, IP 192.168.7.7/21, I point the name "Fileserver.com" to it and it is fine. But when I come to the next server, the ERP server, for example 192.168.7.8:8069, I want to give it the name "ERP.com", but MikroTik only allows translating to an IP, not to a port. What should I do about the port in this case, since the port cannot be changed? I was thinking of a rule like this: if the request is for IP 192.168.7.8 (local), the router will (forward / translate / point) it to IP 192.168.7.8:8069 (same IP), but I am not sure.

I hope to solve my problem here.

Thanks, best regards,
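As an added example (editorial, not from the original post and not MikroTik's own documentation), the following rule set implements the three requirements listed in the post. It matches by address list rather than by in-interface, because PPTP clients arrive on dynamic pptp-in interfaces, so the posted `in-interface=ether1-LAN` rule never matches them. It assumes the VPN pool is moved to a separate subnet, 192.168.210.0/24 (chosen here; not in the post), since sharing the DMZ range is what currently gives remote users the same access as a DMZ host; the interface names and addresses are the ones from the post, and the chain order (established/related first, explicit accepts, drop everything else) is the same default-deny layout the post already uses.

```routeros
# Address lists: LAN and DMZ from the post; VPN subnet is an assumption.
/ip firewall address-list
add list=LAN address=192.168.0.0/21
add list=DMZ address=192.168.200.0/24
add list=VPN address=192.168.210.0/24

# Input chain: traffic to the router itself.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-LAN action=accept comment="LAN may manage the router"
# PPTP needs TCP/1723 (control) and GRE (protocol 47, data) from the Internet;
# with the posted rules these are dropped by the final input drop.
add chain=input in-interface=ether13-WAN protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input in-interface=ether13-WAN protocol=gre action=accept comment="PPTP GRE"
add chain=input src-address-list=VPN protocol=udp dst-port=53 action=accept comment="router DNS for VPN clients"
add chain=input action=drop

# Forward chain: traffic passing through the router.
add chain=forward connection-state=established,related action=accept comment="replies to allowed sessions, incl. FTP data via the ftp helper"
add chain=forward connection-state=invalid action=drop
# Requirement 2: LAN may open connections to anything in the DMZ.
add chain=forward src-address-list=LAN dst-address-list=DMZ action=accept
# Requirement 1: VPN users reach the DMZ file server, only on the services it publishes.
add chain=forward src-address-list=VPN dst-address=192.168.200.200 protocol=tcp dst-port=80,443,21 action=accept
# Requirement 3: the DMZ never initiates towards LAN or VPN clients; replies are
# already covered by the established,related rule above, so no extra ports are needed here.
add chain=forward src-address-list=DMZ dst-address-list=LAN action=drop comment="DMZ must not initiate to LAN"
add chain=forward src-address-list=DMZ dst-address-list=VPN action=drop comment="DMZ must not initiate to VPN clients"
# Internet access for LAN and DMZ hosts.
add chain=forward in-interface=ether1-LAN out-interface=ether13-WAN action=accept
add chain=forward in-interface=ether4-DMZ out-interface=ether13-WAN action=accept
add chain=forward action=drop comment="default deny"

# Separate VPN address pool (assumed range) so remote users are never DMZ-addressed.
/ip pool
add name=vpn-pool ranges=192.168.210.10-192.168.210.100
/ppp profile
set default local-address=192.168.210.1 remote-address=vpn-pool
/interface pptp-server server
set enabled=yes default-profile=default
```

Two practical notes. Port 21 only works through this set because RouterOS's FTP connection-tracking helper (enabled by default under `/ip firewall service-port`) marks the data channel as `related`; if that helper is disabled, passive FTP from LAN or VPN clients will stall. And PPTP's MS-CHAPv2 authentication has known cryptographic weaknesses, so the same filter layout is worth reusing with a stronger tunnel type when the router supports one; the address-list based rules do not change.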
 
Azma
newbie
Posts: 40
Joined: Sat Sep 27, 2014 8:10 am

Re: DMZ + VPN + DNS on Mikrotik 1100AH

Fri Aug 19, 2016 10:00 am

Oh man, you have so many issues there; let's discuss them one by one.
- VPN remote users should be able to access the DMZ server, for example (server IP: 192.168.200.200)
The key point is routing: the DMZ servers should have a default route.
- Users in the LAN should be able to access servers in the DMZ zone
The answer is the same as for the question above.
- The DMZ must not be able to access the LAN back, for security; for responses only ports 80, 443 and 21 are allowed from the DMZ so that the LAN can get some response.
Drop all ports except 80, 443 and 21 in the firewall filter, chain forward.
 
StevStorm
just joined
Topic Author
Posts: 2
Joined: Fri Aug 19, 2016 7:45 am

Re: DMZ + VPN + DNS on Mikrotik 1100AH

Fri Aug 19, 2016 1:42 pm

Thanks for engaging,

- Remote users should be able to access the DMZ server with the IP 192.168.200.200 (this is working fine; I have already set it up and tested it)
- You said "DMZ servers should have a default route". Sorry, since I am new to this I am not sure about routing. What is the default route for the DMZ? Do you mean the dynamic route of the DMZ, or do I need to route the DMZ manually? Can you show me some configuration for routing the LAN and DMZ, and a route to drop the packets? I have tried a lot of configurations from the Internet, but it is still not working.

Best regards
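The reply above asks for routing configuration for the LAN and DMZ, and the first post asks how to give the ERP server a name when its service listens on port 8069. The following is an added example from the editor, not from either poster, covering both. "Default route" on the DMZ side simply means each DMZ host uses 192.168.200.1 (the router's DMZ address from the post) as its gateway; on the router itself the LAN and DMZ routes appear automatically as connected routes once the addresses are assigned, and the only static route needed is the default route towards the ISP. The ISP gateway 110.110.110.97 and the spare LAN address 192.168.0.250 are assumptions, not values from the thread. Because DNS cannot carry a port, the name is pointed at an address the router owns and a dst-nat rule forwards port 80 on that address to 192.168.7.8:8069; the extra masquerade rule is required because client and server sit in the same /21 and the reply would otherwise bypass the router.

```routeros
# Interface addresses as given in the post; the .250 address is an assumed spare
# address that the name erp.com will resolve to.
/ip address
add address=192.168.0.1/21 interface=ether1-LAN
add address=192.168.200.1/24 interface=ether4-DMZ
add address=110.110.110.100/28 interface=ether13-WAN
add address=192.168.0.250/21 interface=ether1-LAN comment="assumed spare address for erp.com"

# Routing: LAN and DMZ are connected routes; only the default route is static.
# ISP gateway is assumed. VPN clients get dynamic /32 routes from the PPTP server.
/ip route
add dst-address=0.0.0.0/0 gateway=110.110.110.97 comment="ISP gateway, assumed"
# On every DMZ server, set its default gateway to 192.168.200.1; nothing else is
# needed there for the router to reach it.

# Router as DNS server for LAN and VPN clients (firewall input must allow udp/53).
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=fileserver.com address=192.168.7.7
add name=erp.com address=192.168.0.250

# Port mapping for erp.com: browsers connect to 192.168.0.250:80, the router
# rewrites the destination to 192.168.7.8:8069.
/ip firewall nat
add chain=dstnat dst-address=192.168.0.250 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.7.8 to-ports=8069 comment="erp.com -> ERP:8069"
# Hairpin: client and ERP server are both in 192.168.0.0/21, so source-NAT this
# flow to the router; otherwise the server replies directly and the session breaks.
add chain=srcnat src-address=192.168.0.0/21 dst-address=192.168.7.8 protocol=tcp \
    dst-port=8069 action=masquerade comment="hairpin for erp.com"
# Outbound Internet access for LAN and DMZ.
add chain=srcnat out-interface=ether13-WAN action=masquerade
```

The dst-nat approach keeps the ERP server's own listening port unchanged, which was the constraint in the first post; the only thing users type is http://erp.com. The router's DNS must be the resolver clients actually use (via DHCP or the PPP profile), otherwise the static names are never consulted.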
