I'm about to upgrade from ADSL to 80/20Mbps Fibre on Plusnet. My current setup follows; it's probably a bit unusual. What I need to know is if I can replace the Cisco 1841 with a RouterOS based device doing the same job. Probably a RouterBoard; I can't be bothered building PCs any more. I just want something that works pretty much out of the box (+/- configuring).
I have a Zyxel VMG8324 on the way which will probably see duty just as a modem; ideally as a stand-alone L3 bridge with just a public IP address that handles the PPPoA connection itself, like I have my Bintec configured. If I can't make it do that, then just a dumb modem driven by the router.
- /29 routed subnet over ADSL. Call the subnet x.0/29. Will be replaced with faster FTTC VDSL2.
- A huge IPv6 global unicast range from Hurricane Electric.
- A L3 3560G switch that I can use to break out VLANs if needed, and some local interVLAN routing to take pressure off the router.
- Control the modem and make PPPox connection if necessary.
- WAN-side router port with an ACL to forward incoming server traffic and stateful firewall.
- Applying the protection directly to this port should provide protection for all the following:
- Bridge the WAN port to another port (or VLAN) so I can use a server or two with a public IPv4 address on my public subnet. Did I mention protected by the ACL on the WAN port?
- Another two ports/VLANs in private IPv4 ranges for my LANs (House LAN and Cisco Lab), NAT/PAT to the main IP address. DHCP and OSPF required.
- One of the PCs in the above requires static NAT to its own public IPv4 address due to occasional very high traffic.
- Terminate my HE IPv6IP tunnel on the main IPv4 public interface and route outgoing IPv6 traffic through this tunnel. IPv6 ACLs and Stateful inspection required here.
- All the above interfaces need IPv6 addresses assigning manually. Plus IPv6 DHCP and OSPFv3.
- NTP service. Sometimes DNS, but not essential.
- Bintec ADSL modem/router, configured with WAN and LAN bridged but still doing the PPPoA connection itself. It takes a single, manually configured public address (x.1) and routes to my ISP. It is the default gateway for everything else on this subnet.
- Cisco 1841 connected to the Bintec's bridged LAN port. I call this Cisco's RED port.
- The RED port has no IP address. It is a member of a bridge group along with a VLAN and the bridge has IPv4 address x.2 and a manually configured IPv6 address on my global unicast range from HE.
- The RED port itself has an ACL to forward allowed traffic for my servers and an Inspect-Out configuration for stateful firewalling for all traffic entering via the RED port.
- Another port is a member of the above bridged VLAN and allows connectivity on the public subnet to a server, giving it a firewalled connection with a public IP address (x.3).
- The bridge interface is the outside NAT for other VLANs (below).
- A second VLAN exists in the IPv4 subnet 192.168.1.0/24 and a subnet on my IPv6 range, with IPv4 NAT/PAT (using the bridge IP address) for my main LAN. It also has one static NAT to another public IP address (x.4) for a specific PC on the 192.168.1.0 subnet.
- A third VLAN, similar to above but a different range, for my Lab. Again both IPv4 and IPv6.
- An IPV6IP tunnel terminates on the bridge's interface, for my HE IPv6 service. This is where any IPv6 traffic destined for outside routes through. ACL and Inspection applied here.
- DHCP on the LAN VLANs for IPv4 and IPv6.
- OSPFv2 and v3 on internal interfaces.
- NTP client and server.
- Sometimes DNS server.
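As an added example (not the poster's configuration, and not taken from MikroTik documentation), here is how the topology described in this post maps onto RouterOS 6.x syntax on a RouterBoard. Everything below is assumed: ether1 stands in for the 1841's RED port, ether2 carries the tagged VLANs to the 3560G, the documentation range 203.0.113.0/29 stands in for x.0/29 (.1 modem, .2 bridge, .3 public server, .4 static-NAT address), 2001:db8::/32 stands in for the HE allocation, 198.51.100.1 is a placeholder for the HE tunnel server, and the port numbers in the allow rules are illustrative. The one non-obvious point is `use-ip-firewall=yes`: frames bridged between the RED port and the public VLAN never enter the IP firewall by default, so without it the "ACL on the RED port" part of the design silently does nothing for the x.3 server.

```routeros
# Added example: RouterOS 6.x approximation of the Cisco 1841 design in the post.
# All names and addresses are assumptions (see lead-in); not the poster's config.

# --- RED port (ether1) bridged with the public VLAN; the bridge owns x.2 ---
/interface bridge add name=br-red
/interface vlan add name=vlan10-public interface=ether2 vlan-id=10
/interface vlan add name=vlan20-house interface=ether2 vlan-id=20
/interface vlan add name=vlan30-lab interface=ether2 vlan-id=30
/interface bridge port add bridge=br-red interface=ether1
/interface bridge port add bridge=br-red interface=vlan10-public
# Bridged traffic bypasses /ip firewall unless this is set; it is what lets the
# forward chain below act like the 1841's ACL + inspect on the RED port.
/interface bridge settings set use-ip-firewall=yes

/ip address add address=203.0.113.2/29 interface=br-red
# Second public address on the bridge so the router answers ARP for the static-NAT IP
/ip address add address=203.0.113.4/29 interface=br-red comment="static NAT for house PC"
/ip address add address=192.168.1.1/24 interface=vlan20-house
/ip address add address=192.168.2.1/24 interface=vlan30-lab
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1

# --- IPv4 stateful firewall, policed at the RED port (in-bridge-port=ether1) ---
/ip firewall filter
add chain=input connection-state=established,related action=accept
# 6in4 (protocol 41) from the HE tunnel server must reach the router itself
add chain=input in-bridge-port=ether1 protocol=ipv6-encap src-address=198.51.100.1 action=accept
add chain=input in-bridge-port=ether1 action=drop comment="no new sessions to the router from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# explicit allow list: public server on the bridged VLAN, static-NAT host (post-dstnat address)
add chain=forward in-bridge-port=ether1 dst-address=203.0.113.3 protocol=tcp dst-port=80,443 action=accept
add chain=forward in-bridge-port=ether1 dst-address=192.168.1.50 protocol=tcp dst-port=22 action=accept
add chain=forward in-bridge-port=ether1 action=drop comment="everything else from WAN"

# --- NAT: 1:1 for one PC (x.4), PAT to the bridge address (x.2) for the rest ---
/ip firewall nat
add chain=srcnat src-address=192.168.1.50 out-interface=br-red action=src-nat to-addresses=203.0.113.4
add chain=dstnat dst-address=203.0.113.4 action=dst-nat to-addresses=192.168.1.50
add chain=srcnat src-address=192.168.0.0/16 out-interface=br-red action=src-nat to-addresses=203.0.113.2

# --- HE 6in4 tunnel terminated on the bridge address, IPv6 on every interface ---
/interface 6to4 add name=sit-he local-address=203.0.113.2 remote-address=198.51.100.1 mtu=1480
/ipv6 address add address=2001:db8:0:1::2/64 interface=sit-he advertise=no
/ipv6 address add address=2001:db8:1:1::1/64 interface=br-red advertise=no
/ipv6 address add address=2001:db8:1:20::1/64 interface=vlan20-house advertise=yes
/ipv6 address add address=2001:db8:1:30::1/64 interface=vlan30-lab advertise=yes
/ipv6 route add dst-address=2000::/3 gateway=2001:db8:0:1::1

# --- IPv6 stateful firewall on the tunnel, mirroring the IPv4 policy ---
/ipv6 firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmpv6 action=accept
add chain=input in-interface=sit-he action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward protocol=icmpv6 action=accept
add chain=forward in-interface=sit-he dst-address=2001:db8:1:1::3/128 protocol=tcp dst-port=443 action=accept
add chain=forward in-interface=sit-he action=drop

# --- DHCPv4 on the LAN VLANs ---
/ip pool add name=house-pool ranges=192.168.1.100-192.168.1.199
/ip dhcp-server add name=house interface=vlan20-house address-pool=house-pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

# --- OSPFv2 / OSPFv3 on internal interfaces only ---
/routing ospf instance set default router-id=192.168.1.1
/routing ospf network add network=192.168.1.0/24 area=backbone
/routing ospf network add network=192.168.2.0/24 area=backbone
/routing ospf-v3 instance set default router-id=192.168.1.1
/routing ospf-v3 interface add interface=vlan20-house area=backbone
/routing ospf-v3 interface add interface=vlan30-lab area=backbone

# --- NTP and DNS; the input drop above keeps both off the WAN side ---
/system ntp client set enabled=yes server-dns-names=uk.pool.ntp.org
/system ntp server set enabled=yes comment="needs the ntp package installed"
/ip dns set allow-remote-requests=yes servers=198.51.100.53 comment="placeholder, use ISP resolvers"
```

Two caveats on the mapping. The RouterOS 6 DHCPv6 server is oriented towards prefix delegation rather than handing out host addresses, so the example uses router advertisements (`advertise=yes`) for LAN host addressing; the Cisco DHCPv6 pools don't translate one-to-one. And because the public server sits on a bridged VLAN, every allow rule for it has to be written as a forward rule with `in-bridge-port=ether1`, not an interface ACL; check with `/ip firewall filter print stats` that the counters on those rules actually move before trusting the policy.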