Presler
just joined
Topic Author
Posts: 2
Joined: Tue Apr 08, 2014 6:57 pm

RB1100AHx2 as Internet Gateway

Wed May 14, 2014 3:02 pm

Good Day everyone

I'm in need of assistance and believe this is the place to get it. :)

Upfront I will confess, I know nothing of the task I'm given, but hope to learn and add to my knowledge. I've been around IT and networks for 19 years, built Wifi systems and server rooms, but routing and gateways were always supplied configured and the closest I got to internet connections was the gateway IP given by ISPs, so this is very new to me.

The Hotel I work for has an existing wifi backbone infrastructure consisting of 91 x Picostation M2 APs that split from 6 x D-link Websmart switches. Currently it feeds to a router provided by a 3rd party which is very troublesome and results in numerous complaints. So I was tasked to take the provided RB1100AHx2 and replace the 3rd party unit.

What is available to me
Routerboard RB1100AHx2 with RouterOS 5.26
30Mb Fibre connection, Internet Access will be on this connection and for purpose of discussion IP range A.A.A.A and therefore gateway of A.A.A.225
Public IP on range A.A.A.A, for purpose of discussion IP A.A.A.230
4Mb ADSL connection, will be used to handle all SMTP traffic as the connection mentioned above does not allow SMTP traffic, for purpose of discussion IP range B.B.B.B, gateway B.B.B.3

This is what I need to do.
1. Configure this unit to relay all traffic from the backbone Wifi system onto the Internet through gateway A.A.A.225
2. Configure a port to relay all smtp traffic over gateway B.B.B.3
3. Configure a port with public IP address A.A.A.230 to allow remote access
4. Disable viewing of illicit websites
5. Restrict P2P downloads

In short, This unit will be placed between the Gateway and Backbone to allow any user connected to it uncapped internet access, but control what that user is allowed to see and download.

Any assistance will be greatly appreciated even if I am only pointed in the direction of material that explains how this can be done; any other suggestions are welcome.

Thanking you in advance

Presler
Rule #9 - Never go anywhere without a knife
 
joegoldman
Long time Member
Posts: 521
Joined: Mon May 27, 2013 2:05 am

Re: RB1100AHx2 as Internet Gateway

Thu May 15, 2014 6:34 am

Hi,

All information you requested is really available in the wiki. It will take some learning to do.

A lot of the distributors provide a certain amount of config support for X days after purchase, maybe see if they can assist?

Given the requirements and no attempt to configure it yourself, you are not going the right way on a support forum. Really, people charge consulting fees to ready configs like this, so I doubt someone will be willing to give you a config ready to go for free.
 
aacable
Member
Posts: 428
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN

Re: RB1100AHx2 as Internet Gateway

Fri May 16, 2014 8:33 am

> Good Day everyone
> I'm in need of assistance and believe this is the place to get it. :)
> This is what I need to do.
> 1. Configure this unit to relay all traffic from the backbone Wifi system onto the Internet through gateway A.A.A.225
> 2. Configure a port to relay all smtp traffic over gateway B.B.B.3
> 3. Configure a port with public IP address A.A.A.230 to allow remote access
> 4. Disable viewing of illicit websites
> 5. Restrict P2P downloads
> In short, This unit will be placed between the Gateway and Backbone to allow any user connected to it uncapped internet access, but control what that user is allowed to see and download.
> Any assistance will be greatly appreciated even if I am only pointed in the direction of material that explains how this can be done; any other suggestions are welcome. Thanking you in advance
> Presler

All required tasks can be accomplished using Mikrotik. That's the beauty of ROS, that it's a multitasking system :D

1- Single NAT/ROUTE rule will do all the masquerading for local users pointing to your A.A.A.225

2- You can mark all traffic for port 25 (or others required) and then create a route which will route all marked traffic for SMTP to B.B.B.3
Example:
http://wiki.mikrotik.com/wiki/Per-Traff ... _Balancing
OR you can use policy base routing to route specific user/server to force them to route through desired gateway.
http://aacable.wordpress.com/2011/10/27 ... p-address/

3- Remote access for what? Mikrotik itself, like Winbox access? Or remote to RDP for a local PC/server? If it's Winbox, then you actually don't have to create any special rule (unless you are using a tight firewall to secure your router, in which case you have to create a rule which will allow inbound access to the Winbox port), or if you want to route RDP requests to a local internal PC, then you can simply use port forwarding.
http://aacable.wordpress.com/2013/11/13 ... orwarding/

4- Explain 'illicit' web sites. If you mean pornographic sort of sites, then unfortunately Mikrotik doesn't have 'porn' filter capability; that is actually the job of a proxy with proper filtering add-ons. But as a workaround you can use free OpenDNS to filter porn/illegal web sites (categories are selectable). I have been using this trick in my company's TMG for the past 2 years with GREAT success.
http://aacable.wordpress.com/2012/11/22 ... -for-free/

5- Yes P2P's can be blocked using Filter/L7 marking.
http://forum.mikrotik.com/viewtopic.php?f=2&t=59234
http://aacable.wordpress.com/2011/08/15 ... wan-users/

As you can see, everything is possible, but UNFORTUNATELY there is no single guide you can follow to create all rules. You have to read several guides. The Mikrotik WIKI is one good sort of 'Howto use Mikrotik, or MIKROTIK EXPLAIN' book to build a good base, but even then you have to consult the forums to build your own customized solution, like the one you are searching for.
I have provided you some links to get a good start with, which will surely cover most of the things you are looking for. Also the following book will help you to take a good flight with ROS.
http://learnmikrotik.com/index.php?opti ... cle&id=151

Hope this helps.
_____________
Regards

Syed Jahanzaib
Web: http://aacable.wordpress.com
Email: aacable [at] hotmail.com
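
Items 1 to 4 of the reply above, sketched as a RouterOS 5.x configuration. This is an added example, not part of aacable's post or the linked guides: the interface names (ether1 fibre, ether2 ADSL, ether3 LAN), the `to-adsl` routing mark and the `mgmt` address list are assumptions, A.A.A.x / B.B.B.x are the thread's placeholders, and M.M.M.M and the `/NN` prefix length are placeholders to be filled in.

```routeros
# Assumed ports: ether1 = fibre WAN, ether2 = ADSL WAN, ether3 = LAN (wifi backbone)
/ip address
add address=A.A.A.230/NN interface=ether1 comment="public IP, prefix length from the ISP"

# 1. Default route via the fibre gateway; NAT everything leaving either WAN port
/ip route
add dst-address=0.0.0.0/0 gateway=A.A.A.225 comment="default via fibre"
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# 2. Policy routing: mark SMTP coming from the LAN and send it out via ADSL
/ip firewall mangle
add chain=prerouting in-interface=ether3 protocol=tcp dst-port=25 \
    action=mark-routing new-routing-mark=to-adsl passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=B.B.B.3 routing-mark=to-adsl comment="SMTP via ADSL"

# 3. Remote Winbox access (TCP 8291) only from listed admin addresses;
#    everything else arriving on the WAN ports is dropped. RouterOS 5.x
#    matches one connection state per rule, hence two accept rules.
/ip firewall address-list
add list=mgmt address=M.M.M.M comment="admin source address (placeholder)"
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept
add chain=input in-interface=ether1 action=drop
add chain=input in-interface=ether2 action=drop

# 4. Content filtering through OpenDNS: the router resolves via the OpenDNS
#    resolvers and LAN clients' DNS queries are redirected to the router, so a
#    client cannot bypass the filter by setting another DNS server by hand.
#    The WAN drop rules above keep the resolver closed to the Internet.
/ip dns
set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes
/ip firewall nat
add chain=dstnat in-interface=ether3 protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=ether3 protocol=tcp dst-port=53 action=redirect to-ports=53
```

Rule order matters in the input chain: the accept rules must stay above the two drop rules, and the `mgmt` list should be populated before the drops are added so the remote session is not cut off.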
 
Presler
just joined
Topic Author
Posts: 2
Joined: Tue Apr 08, 2014 6:57 pm

Re: RB1100AHx2 as Internet Gateway

Fri May 16, 2014 3:47 pm

@aacable

Thank you for the reply Sir, all the information in the links provided ample assistance. That is exactly what I was looking for. A good nudge in the right direction.

@joegoldman

I apologize if my post looked like I was looking for a point by point write up, that wasn't the intention. While that might achieve the end result, I will learn nothing by it.

This might seem a few easy steps for many here, but as I noted before, this is all new to me.

Up to now I managed to configure the router WAN port, LAN port, DNS and DHCP server. P2P downloads are blocked as per the link and right now I'm busy updating security settings and Firewall rules to limit attacks and/or Virus attempts. Many things tested and thus far, I am happy with my progress and everything appears to be working.

I'm still to work on the Illicit website control(Disabling the viewing and download of pornographic material) but I will get there in the next two days.

I do have one question though for which the answer appears to evade my digging. At some point 254 IP addresses won't be enough, so under /IP DHCP-Server Networks I created 3 pools, but the DHCP server itself only allows for 1 pool. In order to step over to the next pool when the first one is depleted, do I add the next pool to "Next Server" under /IP DHCP-Server Networks?
Rule #9 - Never go anywhere without a knife
 
pradeepsekar
just joined
Posts: 13
Joined: Sun Oct 13, 2013 6:21 am

Re: RB1100AHx2 as Internet Gateway

Thu May 22, 2014 6:15 pm

You might want to select a larger subnet for your intranet and use it for your DHCP pool - e.g. 192.168.0.0/16 instead of 192.168.0.0/24 that you might be using.

Regards,
Pradeep
