Alright, I had a network that requires consolidation/revamp.
Assume I have 4 subnets, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, all connected to Eth1-4 on a MikroTik device, with the GW of each individual subnet being 192.168.x.254/32.
The Eth5 of this MikroTik device then connects to a firewall, e.g. Fortigate or Checkpoint, etc. This Eth5 has 4 VLANs that are IPed with 192.168.x.253 (each VLAN is bridged with Eth1-4 individually so it reaches the IP at the Fortigate), connecting to the Fortigate firewall at 192.168.x.252.
What I want to achieve:
1. When the traffic requires routing internally, e.g. 192.168.0.25 to 192.168.1.25, it would use the MikroTik device to perform the routing. No issue with that.
2. But when the internal traffic requires going out to the internet, it would then forward the traffic to 192.168.x.252 without any NAT/MASQ (or set the next hop to 192.168.x.252) at the Fortigate firewall. The intention of doing this is to allow the firewall to do all the reporting, threat prevention, and to use all the security features on the Fortigate firewall. How can I achieve this? At the same time, the return traffic would traverse the same path from internet -> Fortigate firewall -> MikroTik -> device at their originating IP.
3. I don't foresee any issue if there is direct incoming traffic to the Fortigate firewall that requires DST-NAT to the internal IP, but I haven't really tried that yet.
Any help on this?
Lee
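As an added illustration of the routing policy described in this post (not the poster's configuration and not RouterOS syntax), the Python model below encodes the addressing from the post: it shows that the internet-bound next hop depends on the source subnet rather than the destination, which is why plain destination routing cannot express it, and checks that the firewall's reply re-enters the MikroTik on the same VLAN. The destination 203.0.113.10 is a constructed example address.

```python
import ipaddress

# Constructed model of the topology in the post: four LANs on Eth1-4, each
# bridged to a VLAN on Eth5 toward the firewall. Not a device configuration.
LANS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(4)]
MIKROTIK_VLAN_IP = 253  # 192.168.x.253, MikroTik side of each VLAN
FIREWALL_VLAN_IP = 252  # 192.168.x.252, firewall side of each VLAN

def lan_of(addr):
    """Return the /24 containing addr, or None if it is not one of the four LANs."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in LANS if ip in n), None)

def forward_decision(src, dst):
    """Model the MikroTik's choice for a packet from src to dst.

    Returns (vlan_index or None, next_hop, source_as_seen_by_next_hop).
    Inter-subnet traffic is routed locally; anything else is policy-routed,
    without NAT, to the firewall address on the VLAN matching the *source* LAN.
    """
    src_lan, dst_lan = lan_of(src), lan_of(dst)
    if src_lan is None:
        raise ValueError(f"{src} is not in a known LAN")
    if dst_lan is not None:
        return (None, dst, src)  # requirement 1: stays on the MikroTik
    # Requirement 2: the next hop is keyed by source subnet, so one default
    # route cannot express it; each LAN needs its own routing decision.
    vlan = LANS.index(src_lan)
    return (vlan, str(src_lan.network_address + FIREWALL_VLAN_IP), src)

def firewall_return_hop(inner_dst):
    """Model the firewall's route for replies: 192.168.x.0/24 via 192.168.x.253."""
    lan = lan_of(inner_dst)
    if lan is None:
        raise ValueError(f"{inner_dst} is not behind the MikroTik")
    return (LANS.index(lan), str(lan.network_address + MIKROTIK_VLAN_IP))

def path_is_symmetric(src, dst):
    """True when the reply comes back on the VLAN the request left on."""
    out_vlan, _, seen_src = forward_decision(src, dst)
    if out_vlan is None:
        return True  # never left the MikroTik
    back_vlan, _ = firewall_return_hop(seen_src)  # real source IP, no NAT
    return back_vlan == out_vlan

if __name__ == "__main__":
    print(forward_decision("192.168.0.25", "192.168.1.25"))
    print(forward_decision("192.168.2.25", "203.0.113.10"))
    print(path_is_symmetric("192.168.2.25", "203.0.113.10"))
```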