daggerCVN
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Jan 30, 2014 5:05 pm

Guidance with replacing an Adtran router with a CCR please

Fri Oct 28, 2016 6:23 pm

I have a bit of analysis paralysis... we have an older Adtran router in our company network that needs to be replaced. I suggested using a Mikrotik CCR :-) I am not a router pro. I've been staring at the way Adtran configures all of its routing rules and trying to map that to how a CCR-1036-8G would need to be configured to replicate the routing policies. I have a little exposure to Cisco ACLs on ASAs, and the Adtran has similar methods of configuring the routing functions, but through a GUI interface. The two main things I need to get right/some help on are mapping the Adtran firewall/routing rules to the RouterOS configs and getting our VPN service correct so our road warriors can connect to our network remotely.

The Adtran defines two "Security Zones" - one is "Public" and one is "Private". Each interface on the router is assigned to either of these. The Public zone is used by the WAN port, and all the LAN ports are in the Private zone. Each Security Zone has multiple "Policies" defined (what Action to take, eg., NAT, ALLOW, DISCARD, etc). Each Policy will have "Traffic Selectors" configured, which is a more familiar Type (Permit/Deny), Protocol (Any, TCP, UDP, etc) Source IP/Ports, Dest IP/Ports. Then the Adtran has a subsection under the Firewall menu that defines "ACL Lists" that have your same Traffic Selectors configs (Type,Protocol,Source, Destination). These ACLs are applied to the Private and Public policy-class.

What I've gotten myself all wrapped up around is trying to map the Mikrotik firewall configs to the Adtran Zones/Policies/ACLs/Traffic Selectors. Does anybody have any guidance on helping me understand the basic Mikrotik mappings?

Thanks in advance,
David
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Guidance with replacing an Adtran router with a CCR please

Fri Oct 28, 2016 6:43 pm

Here are the various firewalls:
/ip firewall filter -> This is where your basic firewall rules are, the allow and deny (think your ACL)
/ip firewall nat -> This is where you define source and dst NAT
/ip firewall mangle -> This is where you can modify how the router handles routing and a few other things, probably not relevant to you at this point.

Then there are chains within the firewall.
Filter has 3 basic "chains":
Forward: Traffic moving over the router itself, ie LAN to WAN or WAN to LAN
Input: Traffic addressed to the router itself
Output: Traffic generated by the router itself

NAT has two basic chains:
SRC-NAT: Allows you to change the source information on a packet
DST-NAT: Allows you to change the destination information on a packet

When building a firewall rule, action defines what you want to do to the packet, and everything before that action is a selector. You have the basic src, dst, IP and port, in and out interfaces, and more advanced ones. MikroTik doesn't really have a concept of a "Security Zone" outside of what you define internally. That's just a layer of abstraction that the Adtran is adding in, whereas MikroTik tends to let you get in at a low level to tweak things to your liking. Also keep in mind that each port on a MikroTik can be, and is often considered, its own routed interface that can have its own services, IP space, etc. They are not grouped together unless you either use a built-in switch chip, or bridge them in software.

There is a lot there, and MikroTik does have a steep learning curve, but once you get your head wrapped around it, it is very powerful. They don't hide much from you behind the scenes like many other products, but instead give you control and expect you to configure it how you want.
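To make the mapping concrete for both posts above (the Adtran Zones/Policies/ACLs/Traffic Selectors in David's question and the filter/nat chains in Feklar's answer), here is an added RouterOS script that is not from either poster. It emulates the two Adtran Security Zones with interface lists, uses address lists in place of ACL host groups, and writes the "Private may reach Public, Public may not reach Private" policy as forward-chain rules with a default deny. It assumes ether1 is the WAN port and ether2-ether8 are LAN ports on the CCR-1036-8G; the 192.168.10.0/24 subnet and the 192.168.10.10 admin host are constructed sample values. Interface lists (in-interface-list / out-interface-list) need RouterOS 6.36 or later.

```routeros
# Added example, not from the original thread. Assumes ether1 = WAN and
# ether2..ether8 = LAN; the subnet and admin host addresses are constructed.

# 1. Emulate the Adtran "Security Zones" with interface lists.
/interface list
add name=PUBLIC comment="Adtran Public zone (WAN)"
add name=PRIVATE comment="Adtran Private zone (LAN)"
/interface list member
add list=PUBLIC interface=ether1
add list=PRIVATE interface=ether2
add list=PRIVATE interface=ether3
add list=PRIVATE interface=ether4
add list=PRIVATE interface=ether5
add list=PRIVATE interface=ether6
add list=PRIVATE interface=ether7
add list=PRIVATE interface=ether8

# 2. Address lists stand in for the host/network groups of an ACL list.
/ip firewall address-list
add list=lan-nets address=192.168.10.0/24 comment="constructed sample LAN subnet"
add list=admin-hosts address=192.168.10.10 comment="constructed sample admin workstation"

# 3. Input chain = traffic addressed to the router itself.
#    Each rule is "selectors ... action=", matching the Adtran Traffic Selector
#    (type/protocol/source/destination) followed by the Policy action.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="return traffic for sessions the router opened"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=PRIVATE src-address-list=admin-hosts \
    protocol=tcp dst-port=22,8291 action=accept \
    comment="SSH/Winbox management only from admin hosts in the Private zone"
add chain=input in-interface-list=PRIVATE protocol=icmp action=accept
add chain=input in-interface-list=PUBLIC action=drop \
    comment="Public zone DISCARD policy for the router itself"
add chain=input action=drop comment="default deny"

# 4. Forward chain = traffic passing through the router between zones.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=PRIVATE out-interface-list=PUBLIC \
    src-address-list=lan-nets action=accept \
    comment="Private -> Public ALLOW policy (only our own LAN sources)"
add chain=forward in-interface-list=PUBLIC out-interface-list=PRIVATE \
    action=drop comment="Public -> Private DISCARD policy"
add chain=forward action=drop comment="default deny"

# 5. NAT = the Adtran NAT policy on the Public zone: LAN sources leave
#    with the WAN address. srcnat runs after the forward chain has accepted.
/ip firewall nat
add chain=srcnat out-interface-list=PUBLIC src-address-list=lan-nets \
    action=masquerade comment="Private zone masquerades behind WAN"
```

Rule order matters: RouterOS evaluates a chain top to bottom and stops at the first match, so the established/related accept goes first and the catch-all drop last, exactly as an ACL with an implicit deny. When the VPN service is added later, its listening port gets an explicit input-chain accept rule placed above the "default deny" line; anything not explicitly permitted there stays closed. Check the result with `/ip firewall filter print stats` after generating some traffic, which shows which rule each packet actually hit.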
