
Advanced Home Setup - DMZ + DUAL WAN

Posted: Mon Dec 03, 2012 9:10 pm
by RazterOfKefrens
Consider the following network diagram
My LAN.jpg
Everything works just fine... well almost :?.

Internet traffic from all my LAN clients, LAN servers and DMZ server goes out via 2.2.2.2 (DKTVWAN) just as expected. From my DMZ I can only open new connections to the internet on port 80 and 443. My LAN and LAN servers are not reachable from the DMZ server at all. From my LAN the DMZ server can only be contacted through port 3389 and port 80. So far so good.

But I want to take advantage of both my static-IP internet connections for inbound traffic. The one thing I can't get my head around is why inbound internet traffic on 1.1.1.1 port 80 is lost somewhere on the way back from my DMZ host 192.168.1.3 (yes, it's not 192.168.1.2 as shown in the drawing). Using Torch I can see that connections are made from src 1.1.1.1 (TDCWAN) to dest. 192.168.1.3 and my DMZ host tries to send its response back to the correct internet IP. Also I see connections on the IP/Firewall/Connections tab marked "OutsideConnection_TDCWAN" - so my forwarding mark-connection rules work. Also when using Torch to see if traffic originating from 1.1.1.1 is hitting the DKTVWAN (2.2.2.2) interface on the way back, luckily nothing happens. So at least my connection-marks / routing-marks / routes make sure that responses for traffic originating from 1.1.1.1 do not go out through 2.2.2.2. But it's lost somewhere else and I can't figure out why or where. BTW ether4-10 + Wireless are bridged.

Here's an edited routeros printout :
My Lan.txt

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 3:42 pm
by RazterOfKefrens
Anybody? Maybe just a basic example of how to do the NAT, mangle rules and IP routes for a solution with two WANs, a LAN on one subnet and a DMZ zone on another could do. I'll strip my filter rules and start all over on them if I could just get the simple setup working.

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 4:04 pm
by CelticComms
Haven't digested the config fully yet but could you try adding a route to the 192.168.1.1 network with the same routing mark that you are using for those Ether1 inbound connections to see if anything changes?

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 4:18 pm
by RazterOfKefrens
Ok. Maybe I'm just a bit impatient. Sorry for that :D . What gateway should be defined in the route to 192.168.1.1 ? 1.1.1.189 ? Just tried that but no luck. Please do take your time. I'm in no rush. As I said before - I'm just being impatient and I know it's a bad habit :wink:

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:09 pm
by RazterOfKefrens
You were spot on. I think I just misunderstood what you meant by routing to 192.168.1.1, but it came to my mind that all these marks are just something that happens inside the router and not elsewhere. So of course the packets were lost on their way back from my host... well, at least I think so. This is what I did to make it work:
Route.jpg
I'm not sure if this is the best way to do it so feedback would be much appreciated.
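A minimal dual-WAN + DMZ skeleton of the kind asked for earlier in the thread, added here as an example; it is not the poster's own configuration (My Lan.txt and Route.jpg are not reproduced). The WAN addresses 1.1.1.1 and 2.2.2.2, the DMZ host 192.168.1.3 and the connection-mark name OutsideConnection_TDCWAN come from the thread; the interface names ether1/ether2/ether3/bridge-local, the LAN prefix 192.168.0.0/24, the routing-mark names and the ISP gateway addresses 1.1.1.254 and 2.2.2.254 are assumptions.

```routeros
# Added example, not the poster's config. Assumed layout (hypothetical names/addresses):
#   ether1       = TDCWAN  1.1.1.1/24, ISP gateway 1.1.1.254
#   ether2       = DKTVWAN 2.2.2.2/24, ISP gateway 2.2.2.254
#   ether3       = DMZ     192.168.1.0/24, web server 192.168.1.3
#   bridge-local = LAN     192.168.0.0/24 (ether4-10 + wlan bridged)

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="outbound via TDCWAN"
add chain=srcnat out-interface=ether2 action=masquerade comment="outbound via DKTVWAN"
add chain=dstnat in-interface=ether1 dst-address=1.1.1.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.3 to-ports=80 comment="DMZ web server published on TDCWAN"

/ip firewall mangle
# Remember which WAN a new inbound connection arrived on (first packet only).
add chain=prerouting in-interface=ether1 connection-state=new action=mark-connection \
    new-connection-mark=OutsideConnection_TDCWAN passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new action=mark-connection \
    new-connection-mark=OutsideConnection_DKTVWAN passthrough=yes
# Replies coming back from the DMZ get a routing mark that points at the same WAN.
# Restricting this to in-interface=ether3 keeps the inbound request packet unmarked.
# Repeat these two rules with in-interface=bridge-local if you publish LAN servers too.
add chain=prerouting in-interface=ether3 connection-mark=OutsideConnection_TDCVWAN \
    action=mark-routing new-routing-mark=to_TDCWAN passthrough=no
add chain=prerouting in-interface=ether3 connection-mark=OutsideConnection_DKTVWAN \
    action=mark-routing new-routing-mark=to_DKTVWAN passthrough=no

/ip route
# One default route per marked table.
add dst-address=0.0.0.0/0 gateway=1.1.1.254 routing-mark=to_TDCWAN
add dst-address=0.0.0.0/0 gateway=2.2.2.254 routing-mark=to_DKTVWAN
# The fix from this thread: a marked table that contains only a default route matches
# *every* destination, so a marked packet addressed to 192.168.1.3 is sent to the ISP
# instead of the DMZ. Giving each marked table the connected prefixes makes the more
# specific route win. Harmless when the mark is never applied to inbound packets.
add dst-address=192.168.1.0/24 gateway=ether3       routing-mark=to_TDCWAN
add dst-address=192.168.0.0/24 gateway=bridge-local routing-mark=to_TDCWAN
add dst-address=192.168.1.0/24 gateway=ether3       routing-mark=to_DKTVWAN
add dst-address=192.168.0.0/24 gateway=bridge-local routing-mark=to_DKTVWAN
# Unmarked traffic uses the main table: everything out via DKTVWAN, TDCWAN as fallback.
add dst-address=0.0.0.0/0 gateway=2.2.2.254 distance=1
add dst-address=0.0.0.0/0 gateway=1.1.1.254 distance=2
```

Two things to check after pasting: `/ip firewall connection print` should show the inbound web connection with the TDCWAN mark, and `/ip route print where routing-mark=to_TDCWAN` should list both the default and the connected routes. If the mangle rule that applies the routing mark does not carry an in-interface restriction, the connected routes in the marked tables are what keeps the dst-nat'd request from being forwarded back out to the ISP.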

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:14 pm
by CelticComms
Yes that was what I meant and if that has made it work then it should be a stable fix. Glad it is working!

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:19 pm
by RazterOfKefrens
Well it sure did fix my problem. But as a complete newbie I'm constantly concerned about creating gaping holes in my firewall. So looking at my configuration as a whole, do you think it's ok? I'm planning to harden it by addressing port-scan issues and trojans.

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:24 pm
by CelticComms
Very quick scan - you have a drop all "catch all" for input chain but I didn't see a similar rule for forwarding.

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:33 pm
by RazterOfKefrens
Oops! You're absolutely right. But I think I have to combine it with a couple of rules to forward "new" connections from my LAN, or else I would lose internet connectivity, wouldn't I?

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:39 pm
by CelticComms
Yes you may have to add some explicit "accepts". When I build a firewall forwarding table I add the "drop all" first which forces me to explicitly add all desired forwarding paths.

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:41 pm
by RazterOfKefrens
Yup. Below all my other forward rules I added a forward rule for connections with State = new, and at the bottom of the chain I did as you suggested: a catch-all "drop forward". And it worked. Everything works as expected. Thanks.
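A forward chain built the way the last few posts describe, added here as an example rather than taken from the poster's configuration. It uses the same assumed interface names as above (ether1/ether2 = WANs, ether3 = DMZ with 192.168.1.3, bridge-local = LAN); the ports 80, 443 and 3389 and the zone rules (DMZ may only open 80/443 outbound, LAN reaches the DMZ host on 80 and 3389, DMZ never reaches the LAN) are the ones stated in the first post.

```routeros
# Added example, not the poster's filter table. Assumed: ether1/ether2 = WANs,
# ether3 = DMZ (web server 192.168.1.3), bridge-local = LAN.
/ip firewall filter
# Replies and related packets for connections accepted by the "new" rules below.
add chain=forward connection-state=established,related action=accept \
    comment="replies for flows already accepted"
add chain=forward connection-state=invalid action=drop comment="packets that belong to no tracked flow"
# Order matters: refuse DMZ -> LAN before the rule that lets the DMZ open web connections.
add chain=forward in-interface=ether3 out-interface=bridge-local action=drop \
    comment="DMZ must never initiate to LAN"
add chain=forward in-interface=ether3 protocol=tcp dst-port=80,443 connection-state=new \
    action=accept comment="DMZ -> Internet, HTTP/HTTPS only"
add chain=forward in-interface=bridge-local out-interface=ether3 dst-address=192.168.1.3 \
    protocol=tcp dst-port=80,3389 connection-state=new action=accept comment="LAN -> DMZ host"
add chain=forward in-interface=bridge-local out-interface=ether1 connection-state=new \
    action=accept comment="LAN -> Internet via TDCWAN"
add chain=forward in-interface=bridge-local out-interface=ether2 connection-state=new \
    action=accept comment="LAN -> Internet via DKTVWAN"
# dst-nat runs before the forward chain, so match the inside address, not 1.1.1.1.
add chain=forward in-interface=ether1 out-interface=ether3 dst-address=192.168.1.3 \
    protocol=tcp dst-port=80 connection-state=new action=accept comment="published DMZ web server"
# Catch-all last: anything not explicitly accepted above is dropped.
add chain=forward action=drop comment="drop everything else"
```

Rules are appended in the order they are added, so if you follow the "drop all first" habit from the thread, add later accepts with `place-before=<number of the drop rule>` so they land above the catch-all. `/ip firewall filter print stats` is the quick way to confirm that the final drop rule is counting packets and that the expected accept rules are the ones taking the hits.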

Re: Advanced Home Setup - DMZ + DUAL WAN

Posted: Tue Dec 04, 2012 5:44 pm
by RazterOfKefrens
That's a good tip. Begin with the most restrictive rules and then add ways around it when you need it. I'll make that my basic rule from now on.