LAN - 10.1.0.0/16 [SFp-sfpplus1]
DMZ - 10.10.14.0/24 [ETH5]
Mail server - 10.10.14.10
Domain server - 10.1.0.190
WAN - [sfp1]
WAN alias IP x.x.x.60
The mail server will be accessible from outside on one of the WAN alias IP addresses, like x.x.x.60, and the domain https://mail.mydomain.com. As I read, I don't need hairpin NAT since my DMZ is on another subnet.
NAT:
Code:
;;; masquerade all src-nat
chain=srcnat action=masquerade out-interface=sfp1 log=no log-prefix=""
;;; dst-nat https, imaps, pop3s
chain=dstnat action=dst-nat to-addresses=10.10.14.10 to-ports=443 protocol=tcp dst-address=x.x.x.60 dst-port=443 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=10.10.14.10 to-ports=993 protocol=tcp dst-address=x.x.x.60 dst-port=993 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=10.10.14.10 to-ports=995 protocol=tcp dst-address=x.x.x.60 dst-port=995 log=no log-prefix=""
;;; DMZ out using alias WAN IP
chain=srcnat action=src-nat to-addresses=x.x.x.60 src-address=10.10.14.0/24 log=no log-prefix=""
So I think I would create a static DNS entry on MikroTik with this name, pointing to its WAN alias IP x.x.x.60.
1. First question: is this a good idea, and will it work, I mean accessing the internal mail server from the LAN by its public domain name? (I think this is the better solution for me because many of my users work with laptops and often go out to customers, where they cache the public DNS entries, so their cached DNS entries would be the same - no problems for them.)
2. With a setup like this, how can I see every user's LAN IP in the mail server logs, for troubleshooting and looking for spammers etc.?
3. Is creating a static DNS entry for LAN users with mail.mydomain.com - x.x.x.60 a good idea, or should I do it on the Windows DNS server (2012)?
Firewall (I skipped my INPUT rules):
Code:
;;; block invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
1 XI ;;; dmz, allow established, related
chain=forward action=accept connection-state=established,related connection-type="" log=no log-prefix=""
2 XI ;;; dmz, allow out for LAN, DMZ to outside WAN
chain=forward action=accept out-interface=sfp1 log=no log-prefix=""
3 XI ;;; dmz: allow from local networks, to DMZ
chain=forward action=accept src-address-list=Local_Net out-interface=ether5 log=no log-prefix=""
4 ;;; dmz: allow from DMZ Host access to LAN domain server - users authentication
chain=forward action=accept src-address=10.10.14.10 dst-address=10.1.0.190 in-interface=ether5 out-interface=sfp-sfpplus1 log=no log-prefix=""
5 XI ;;; DMZ, allow dst-nat ports
chain=forward action=accept connection-nat-state=dstnat protocol=tcp in-interface=sfp1 dst-port=22,443,993,995,3389,3390,3391 log=no log-prefix=""
6 XI ;;; DMZ, block everything else
chain=forward action=drop log=no log-prefix=""
4. If I have rule 5 with connection-nat-state=dstnat, do I need to specify dst-ports in this rule, or is my NAT redirection enough?
5. My mail server in the DMZ will need to contact my LAN domain server for user authentication - is rule 4 OK?
6. Is this firewall config enough to secure my LAN and DMZ?
Big thanks for your help with my concerns.
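As an added example (not from the post), the static DNS entry described in the post written as RouterOS CLI commands, followed by a check of what a LAN client's connection to the public name looks like after the posted dst-nat rule. It assumes LAN clients use the router as their resolver and that the Local_Net address list already exists (rule 3 references it); the input-chain rules are an assumption of mine, since the post omits the INPUT chain.

```routeros
# Static entry: LAN clients resolve the public name to the WAN alias, the same
# answer they get from public DNS when they are outside (the plan in the post)
/ip dns static add name=mail.mydomain.com address=x.x.x.60 comment="mail, public alias"

# The router must answer queries from the LAN for the static entry to be used
/ip dns set allow-remote-requests=yes

# allow-remote-requests also exposes the resolver on sfp1, so scope it to local
# networks. Assumed placement: INPUT chain (omitted in the post), before any
# catch-all drop. Local_Net is the address list from forward rule 3.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53 \
    src-address-list=Local_Net comment="dns from local networks"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=53 \
    src-address-list=Local_Net comment="dns from local networks"
/ip firewall filter add chain=input action=drop protocol=udp dst-port=53 \
    in-interface=sfp1 comment="no open resolver on WAN"
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=53 \
    in-interface=sfp1 comment="no open resolver on WAN"

# Inspect a LAN client's connection to https://mail.mydomain.com. With the
# posted NAT rules neither srcnat rule matches LAN -> DMZ traffic (out-interface
# is ether5, src is 10.1.0.0/16), so src-address stays the client's 10.1.0.x
# address (what the mail server log will show), dst-address is x.x.x.60:443
# and reply-src-address is 10.10.14.10:443 after the dst-nat translation.
/ip firewall connection print detail where dst-address~"x.x.x.60:443"

# Confirm which forward rule accepted it: rule 3 (Local_Net -> ether5) should
# count up, not rule 5, because in-interface is sfp-sfpplus1, not sfp1
/ip firewall filter print stats where chain=forward
```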