Greetings.

I need to setup up a Mikrotik router and a cable modem. The cable company has provided me with a public /28, say 66.1.1.240-255 with a gateway address -- 66.1.1.241 -- as part of the /28.

The router has two ethernet ports, one of which will have the cable modem directly attached. I assume the ip address of the modem is 66.1.1.241.

The workstations behind the firewall will have addresses from .242 - 254.

How do I configure the router, specifically the ip address of eth1 to which the modem is attached and the ip address of eth2 which will handle the workstations? Can eth2 be ip-less and simply have a default route to eth1?

Do the client workstations have their gateway set to the ip of eth1 or the ip of the cable modem?

As a note, I've never done this with this kind of setup. Usually, I'm setting up fiber connections such that I have a separate subnet for eth1, usually a /30 and eth1's gateway is the remote fiber switch.

Thanks for any input.

Hi

"I assume the ip address of the modem is 66.1.1.241." => will be something else as that was your gateway, remember?

You have a few options:

• bridge eth1 & eth2, and have a firewall in between => ~ "protected dmz"
  you can filter here traffic from internet to workstations, workstations will be otherwise behaving as if directly connected to modem
• have "servers" directly exposed on same subnet as modem and eth1
  basically set a switch between modem and eth1, workstations will be directly connected to modem
• nat firewall, with "hidden" workstations with private ips
  if workstations don't need to be accessible from internet, so no servers, put them behind natting router, workstations will be directly connected to router as its gateway

No, that ip is what the cable company said I should use as a gateway. I assumed that was the modem ip address. In other words, if I weren't trying to install a router/firewall in the middle, I would just assign a workstation an ip -- 66.1.1.242 -- and a gateway of 66.1.1.241.

I'm just trying to put a firewall in the middle such that any traffic that comes in is checked for firewall rules (and presumably, any traffic going out).

Thanks

Then option 1: transparent firewall is for you

Got a resource I can look at? Basically, I have a list of firewall rules including mangle and nat rules that every packet/connection from the outside needs to honor.

How do I configure eth1 and eth2?

Thanks,
Chris

Have a look here: https://www.youtube.com/watch?v=6eeYac5xBrE
The steps you'll need are there too:
* briding
* L2 filtering
* (mangling)

(I don't like the presentation, but the general info is there...)

And here: https://wiki.mikrotik.com/wiki/TransparentTrafficShaper

=> If you don't want queueing, don't apply mangling / queues, just filtering of traffic