So, I have (what I believe to be) a rather simple setup that I want to achieve, but I'm not exactly sure how to get there. Basically, I have two internal networks, 192.168.142.0/24 and 192.168.143.0/24. The 142 subnet is intended to be what is referred to as a firewalled DMZ by other devices -- i.e. no connections from the "WAN" interface can initiate connections on the "LAN1" interface (private 143 network), nor is the "DMZ" (142) allowed to initiate connections into "LAN1" (143). I'm fairly confident that I have dstnat and masquerading set up correctly for both subnets, but I can't for the life of me find a good example of how to isolate the "DMZ" interface. Here are a couple of configuration snips to help paint a better picture:
[admin@MikroTik] > ip f e
# aug/21/2011 00:32:42 by RouterOS 5.6
# software id = XXXX-XXXX
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input disabled=no in-interface=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address=0.0.0.0/0 \
src-address=192.168.143.0/24
add action=masquerade chain=srcnat disabled=no dst-address=0.0.0.0/0 \
src-address=192.168.142.0/24
add action=dst-nat chain=dstnat disabled=no dst-port=25 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=21 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=443 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=587 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=993 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=8080 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=8080 in-interface=WAN \
protocol=udp to-addresses=192.168.142.225
add action=dst-nat chain=dstnat disabled=no dst-port=10022 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.225 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=10025 in-interface=WAN \
protocol=tcp to-addresses=192.168.142.240 to-ports=22
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[admin@MikroTik] >
Now my best guess was '/ip firewall filter add action=drop chain=input disabled=no in-interface=DMZ'. While I haven't actually tried it, I don't think it would work, because I do need to initiate connections from LAN1 to DMZ and there are no nat rules to circumvent the filter's 'drop' action (this is based on the assumption in the above paragraph).
[admin@MikroTik] > in pr
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME   TYPE   MTU   L2MTU  MAX-L2MTU
 0 R  WAN    ether  1500  1524   1524
 1 R  LAN1   ether  1500  1524   1524
 2    LAN2   ether  1500  1524   1524
 3    LAN3   ether  1500  1524   1524
 4 R  DMZ    ether  1500  1524   1524
[admin@MikroTik] >
Thanks in advance.
-- DJ Lucas
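An added example of the isolation policy described in the post, written here as illustration and not taken from the original post or from MikroTik documentation. It assumes the 192.168.142.0/24 subnet sits on the interface named DMZ and 192.168.143.0/24 on LAN1, as the interface list suggests. The key point is that the input chain only governs packets addressed to the router itself; traffic transiting between interfaces is evaluated in the forward chain, so that is where the DMZ and WAN restrictions belong. Because the first rule accepts established and related traffic, the later drop rules only ever match connection attempts that originate on the DMZ or WAN side, while LAN1 hosts can still open connections into the DMZ and receive replies. The dst-nat'd services are unaffected, since their out-interface is DMZ, not LAN1.

```routeros
/ip firewall filter
# Replies to flows that were already permitted (LAN1 -> DMZ, LAN1 -> WAN, DMZ -> WAN,
# and the dst-nat'd WAN -> DMZ services) are accepted before any restriction is evaluated.
add chain=forward connection-state=established,related action=accept \
    comment="accept replies to already-permitted connections"
# Packets that belong to no tracked connection are discarded rather than matched further.
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid transit traffic"
# Only new connection attempts reach this point: DMZ hosts may not open anything into LAN1.
add chain=forward in-interface=DMZ out-interface=LAN1 connection-state=new action=drop \
    comment="DMZ may not initiate connections into LAN1"
# Likewise, nothing arriving on WAN may open a connection into LAN1 (dst-nat'd services
# exit via DMZ and are therefore not matched by this rule).
add chain=forward in-interface=WAN out-interface=LAN1 connection-state=new action=drop \
    comment="WAN may not initiate connections into LAN1"
```

Rule order matters in RouterOS, so these should be placed above any broader accept rules in the forward chain; a DMZ host compromised through one of the published services would then still be unable to pivot into LAN1.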