RazterOfKefrens
just joined
Topic Author
Posts: 15
Joined: Mon Nov 12, 2012 5:40 pm

Advanced Home Setup - DMZ + DUAL WAN

Mon Dec 03, 2012 9:10 pm

Consider the following network diagram
My LAN.jpg
Everything works just fine... well almost :?.

Internet traffic from all my LAN clients, LAN servers and DMZ server goes out via 2.2.2.2 (DKTVWAN), just as expected. From my DMZ I can only open new connections to the internet on port 80 and 443. My LAN and LAN servers are not reachable from the DMZ server at all. From my LAN the DMZ server can only be contacted through port 3389 and port 80. So far so good.

But I want to take advantage of both my static-IP internet connections for inbound traffic. The one thing I can't get my head around is why inbound internet traffic on 1.1.1.1 port 80 is lost somewhere on the way back from my DMZ host 192.168.1.3 (yes, it's not 192.168.1.2 as shown in the drawing). Using Torch I can see that connections are made from src 1.1.1.1 (TDCWAN) to dest. 192.168.1.3, and my DMZ host tries to send its response back to the correct internet IP. Also I see connections on the IP/Firewall/Connections tab marked "OutsideConnection_TDCWAN", so my forwarding mark-connection rules work. Also, when using Torch to see if traffic originating from 1.1.1.1 is hitting the DKTVWAN (2.2.2.2) interface on the way back, luckily nothing happens. So at least my connection-marks / routing-marks / routes make sure that responses for traffic originating from 1.1.1.1 do not go out through 2.2.2.2. But it's lost somewhere else and I can't figure out why or where. BTW ether4-10 + Wireless is bridged.

Here's an edited RouterOS printout:
My Lan.txt
 
RazterOfKefrens

Tue Dec 04, 2012 3:42 pm

Anybody? Maybe just a basic example of how to do the NAT, mangle rules and IP routes for a solution with two WANs, a LAN on one subnet and a DMZ zone on another would do. I'll strip my filter rules and start all over on them if I could just get the simple setup working.
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Advanced Home Setup - DMZ + DUAL WAN

Tue Dec 04, 2012 4:04 pm

Haven't digested the config fully yet but could you try adding a route to the 192.168.1.1 network with the same routing mark that you are using for those Ether1 inbound connections to see if anything changes?
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
RazterOfKefrens

Tue Dec 04, 2012 4:18 pm

Ok. Maybe I'm just a bit impatient. Sorry for that :D . What gateway should be defined in the route to 192.168.1.1? 1.1.1.189? Just tried that but no luck. Please do take your time. I'm in no rush. As I said before, I'm just being impatient and I know it's a bad habit :wink:
 
RazterOfKefrens

Tue Dec 04, 2012 5:09 pm

You were spot on. I think I just misunderstood what you meant by routing to 192.168.1.1, but it came to my mind that all these marks are just something that happens inside the router and not elsewhere. So of course the packets were lost on their way back from my host... well, at least I think so. This is what I did to make it work:
Route.jpg
I'm not sure if this is the best way to do it so feedback would be much appreciated.
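The route the two posts above arrive at, spelled out as a full RouterOS (v6 syntax) fragment. This is an added example, not the poster's export (which is not visible on this page). The thread gives only the WAN addresses 1.1.1.1 (TDCWAN) and 2.2.2.2 (DKTVWAN), the DMZ subnet 192.168.1.0/24 and the DMZ host 192.168.1.3; the interface names ether1-TDCWAN, ether2-DKTVWAN, ether3-DMZ and bridge-lan, the ISP gateways 1.1.1.254 and 2.2.2.254, the LAN subnet 192.168.0.0/24 and the mark names via_TDCWAN / via_DKTVWAN are assumptions chosen for the example.

```routeros
# Added example: dual WAN with a DMZ and a LAN, replies leaving on the WAN they came in on.
# Interface names, ISP gateways, LAN subnet and the via_* mark names are assumptions.
/ip address
add address=1.1.1.1/24 interface=ether1-TDCWAN
add address=2.2.2.2/24 interface=ether2-DKTVWAN
add address=192.168.1.1/24 interface=ether3-DMZ
add address=192.168.0.1/24 interface=bridge-lan

/ip firewall nat
add chain=srcnat out-interface=ether1-TDCWAN action=masquerade
add chain=srcnat out-interface=ether2-DKTVWAN action=masquerade
# publish the DMZ web server on the TDC static address
add chain=dstnat in-interface=ether1-TDCWAN dst-address=1.1.1.1 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.1.3 to-ports=80

/ip firewall mangle
# remember on which WAN a connection arrived (mangle prerouting runs before dst-nat,
# so the first packet of the forwarded port-80 connection is seen here)
add chain=prerouting in-interface=ether1-TDCWAN connection-state=new \
    action=mark-connection new-connection-mark=OutsideConnection_TDCWAN passthrough=yes
add chain=prerouting in-interface=ether2-DKTVWAN connection-state=new \
    action=mark-connection new-connection-mark=OutsideConnection_DKTVWAN passthrough=yes
# every packet of a marked connection, in BOTH directions, gets the routing mark
add chain=prerouting connection-mark=OutsideConnection_TDCWAN \
    action=mark-routing new-routing-mark=via_TDCWAN passthrough=no
add chain=prerouting connection-mark=OutsideConnection_DKTVWAN \
    action=mark-routing new-routing-mark=via_DKTVWAN passthrough=no

/ip route
# main table: new outbound connections from LAN and DMZ leave via DKTVWAN (as in the
# thread); TDCWAN is only a failover
add dst-address=0.0.0.0/0 gateway=2.2.2.254 distance=1
add dst-address=0.0.0.0/0 gateway=1.1.1.254 distance=2
# per-WAN tables selected by the routing marks
add dst-address=0.0.0.0/0 gateway=1.1.1.254 routing-mark=via_TDCWAN
add dst-address=0.0.0.0/0 gateway=2.2.2.254 routing-mark=via_DKTVWAN
# The fix from the thread. The INBOUND packet to 192.168.1.3 carries the routing mark
# as well, so its route lookup happens in the via_TDCWAN table. With only a default
# route in that table every destination matches it, and the packet is sent back to the
# ISP gateway instead of onto the DMZ interface. A connected route for the internal
# subnets in each marked table is more specific than 0.0.0.0/0 and wins.
add dst-address=192.168.1.0/24 gateway=ether3-DMZ routing-mark=via_TDCWAN
add dst-address=192.168.1.0/24 gateway=ether3-DMZ routing-mark=via_DKTVWAN
add dst-address=192.168.0.0/24 gateway=bridge-lan routing-mark=via_TDCWAN
add dst-address=192.168.0.0/24 gateway=bridge-lan routing-mark=via_DKTVWAN
```

To check which routes a marked packet can see, run `/ip route print where routing-mark=via_TDCWAN`; both the default route and the 192.168.1.0/24 route must be listed and active. An alternative not taken in the thread is to add `in-interface=!ether1-TDCWAN` to the mark-routing rule so inbound packets never receive the mark at all; doing both is harmless and leaves the marked tables correct even if a later rule change marks inbound traffic again.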
 
CelticComms

Tue Dec 04, 2012 5:14 pm

Yes that was what I meant and if that has made it work then it should be a stable fix. Glad it is working!

 
RazterOfKefrens

Tue Dec 04, 2012 5:19 pm

Well, it sure did fix my problem. But as a complete newbie I'm constantly concerned about creating gaping holes in my firewall. So, looking at my configuration as a whole, do you think it's ok? I'm planning to harden it by addressing port scan issues and trojans.
 
CelticComms

Tue Dec 04, 2012 5:24 pm

Very quick scan - you have a drop all "catch all" for input chain but I didn't see a similar rule for forwarding.

 
RazterOfKefrens

Tue Dec 04, 2012 5:33 pm

Ooops! You're absolutely right. But I think I have to combine it with a couple of rules to forward "new" connections from my LAN, or else I would lose internet connectivity, wouldn't I?
 
CelticComms

Tue Dec 04, 2012 5:39 pm

Yes you may have to add some explicit "accepts". When I build a firewall forwarding table I add the "drop all" first which forces me to explicitly add all desired forwarding paths.

 
RazterOfKefrens

Tue Dec 04, 2012 5:41 pm

Yup. Below all my other forward rules I added a forward accept for connections with state = new, and at the bottom of the chain I did as you suggested: a catch-all "drop forward". And it worked. Everything works as expected. Thanks.
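The forward chain the last four posts converge on, written out as an added example (RouterOS v6 syntax); it is not the poster's ruleset, which the page does not show. The allowed paths are the ones the first post describes (LAN to internet on anything, LAN to the DMZ host on 80 and 3389, DMZ to internet on 80 and 443 only, DMZ never to the LAN, internet to the DMZ web server on the forwarded port 80); the interface names ether1-TDCWAN, ether2-DKTVWAN, ether3-DMZ and bridge-lan are assumptions.

```routeros
# Added example: forward chain built the way the thread suggests, with the catch-all
# drop written first in the mind and every permitted path added explicitly above it.
# Interface names are assumptions; the permitted paths follow the first post.
/ip firewall filter
# --- forward chain: traffic passing through the router ---
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections already accepted below"
add chain=forward connection-state=invalid action=drop
# LAN -> internet on either WAN, any new connection (the accept the OP had to add
# so the catch-all did not cut off the LAN)
add chain=forward in-interface=bridge-lan out-interface=ether1-TDCWAN \
    connection-state=new action=accept
add chain=forward in-interface=bridge-lan out-interface=ether2-DKTVWAN \
    connection-state=new action=accept
# LAN -> DMZ host: RDP and HTTP only
add chain=forward in-interface=bridge-lan out-interface=ether3-DMZ \
    dst-address=192.168.1.3 protocol=tcp dst-port=80,3389 connection-state=new action=accept
# DMZ -> internet: HTTP and HTTPS only. There is deliberately no DMZ -> LAN rule,
# so anything the DMZ tries towards the LAN falls through to the final drop.
add chain=forward in-interface=ether3-DMZ out-interface=ether1-TDCWAN \
    protocol=tcp dst-port=80,443 connection-state=new action=accept
add chain=forward in-interface=ether3-DMZ out-interface=ether2-DKTVWAN \
    protocol=tcp dst-port=80,443 connection-state=new action=accept
# internet -> DMZ web server. dst-nat has already happened when forward runs, so
# match the translated internal address, not 1.1.1.1.
add chain=forward in-interface=ether1-TDCWAN dst-address=192.168.1.3 \
    protocol=tcp dst-port=80 connection-state=new action=accept
# catch-all, always last: anything not explicitly accepted above is dropped and logged
add chain=forward action=drop log=yes log-prefix="FWD-DROP " \
    comment="drop everything else"

# --- input chain: traffic to the router itself, same pattern ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge-lan action=accept comment="management from the LAN only"
add chain=input protocol=icmp action=accept
add chain=input action=drop log=yes log-prefix="IN-DROP " comment="drop everything else"
```

Rule order is everything in this layout: a new accept added later must be placed above the catch-all (`add ... place-before=<rule number>` from the CLI, or drag it above the drop in Winbox), otherwise it never matches. When something stops working after the drop-all is in place, `/ip firewall filter print stats` shows which rule's counters are climbing, and the FWD-DROP log prefix shows exactly which flow was refused.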
 
RazterOfKefrens

Tue Dec 04, 2012 5:44 pm

That's a good tip. Begin with the most restrictive rules and then add ways around it when you need it. I'll make that my basic rule from now on.
