Advice for routing internally with multiple WANs

Posted by senseivita, Thu Jul 15, 2021 11:28 pm

Hey all, :)

I'm setting up CHR as the edge device but I need to route traffic in and out to several devices. It was suggested to me that I use VRF, but that seems to capture everything (a default route) and I still have to direct X to Y, part of X to Z, both internally and over multiple Internet-facing gateways for a single given host. Using normal routing I can direct traffic into the IDS/IPS, for example, but on the way back the CHR would route it back using the most efficient path (right?), creating an asymmetric route that would get blocked somewhere. e.g.:
chr-routing-asymmetric.png
Furthermore, VRF doesn't seem as straightforward in the case of hosts that are in the way of traffic but don't necessarily need more than a single interface, like a reverse proxy or a DNS server. e.g.:
chr-routing-gateway-selection.png
There are more complex cases. For instance, I have this server that is one of those difficult Microsoft services that needs to speak with Active Directory, thus updating its address in DNS when it would. I need to change its HTTPS certificate, which HAProxy will only do if the host is behind NAT; otherwise the server tells HAProxy not to change the cert if it's the intranet. NAT seems to fool the server enough to break its awareness of being on the intranet where the client is, without breaking things like Kerberos for AD to work. I use NAT to single out ADFS-bound HTTPS traffic and change the cert, and again at the edge firewall to NAT back the address ADFS reported to AD. The rest of the traffic flows purely routed, without any NAT, from subnet to subnet. Luckily, it actually might be easier to masquerade the host in CHR, but I still need to figure out the rest, and for that I need to learn how to route things first.

Right now, CHR is a DHCP server and a basic inter-VLAN router chained behind other devices that do most of the work. I attempted to do them before, but that was before I remembered I had to sort out routing. I put it all in a chain to gain time to learn about it without being offline, and at the same time sort of have things in place for when I hopefully learn enough to start moving devices down the chain, leaving CHR at the center.
chr-routing-chained-setup.png
Goal:
chr-master-router.png
I don't even have firewall rules, just a couple that pass everything; it made little sense creating them there rather than further out at the edge, where it's also a familiar UI. i.e.:
Screen Shot 2021-07-15 at 12.12.03.png
I assume I'll need a combination of routing methods, I just need a little clue to get to it.

I appreciate your advice on this, you can get technical if you want (just not BGP-level technical), I'll research whatever needs researching. Thanks!
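A worked example added here by the editor, not part of the original post or any reply to it. It shows the usual RouterOS v7 way of handling the two problems the post describes: keeping reply traffic on the path the connection arrived by (so nothing crosses the IDS/IPS in one direction only) and pinning one LAN host to a specific WAN gateway without touching inter-VLAN traffic. The mechanism is connection marks set on the first packet, then routing marks that steer later packets into a per-exit routing table. Interface names (ether1, ether2, vlan-ids, the LAN VLAN interfaces), all addresses, the pinned host 10.10.20.5 and the inline IDS with inner address 10.10.254.2 are assumptions made for the example.

```routeros
# Added example, not the original poster's configuration. All names and addresses are assumed:
#   ether1 = WAN1 (gateway 203.0.113.1), ether2 = WAN2 (gateway 198.51.100.1)
#   vlan10/vlan20 = internal VLANs in 10.10.0.0/16
#   vlan-ids = segment towards an inline IDS/IPS whose inner address is 10.10.254.2
/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10
add list=LAN interface=vlan20

# Everything internal; used to keep VLAN-to-VLAN traffic in the main table, unmarked and un-NATed.
/ip firewall address-list
add list=LAN address=10.10.0.0/16

# One FIB-backed table per exit so each can carry its own default route.
/routing table
add name=wan1 fib
add name=wan2 fib
add name=via-ids fib

/ip route
# Normal outbound policy: WAN1 preferred, WAN2 on failure.
add dst-address=0.0.0.0/0 gateway=203.0.113.1  distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
# Per-exit tables consulted only by packets carrying a routing mark.
add dst-address=0.0.0.0/0 gateway=203.0.113.1  routing-table=wan1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=wan2
add dst-address=0.0.0.0/0 gateway=10.10.254.2  routing-table=via-ids

/ip firewall mangle
# 1. Remember the entry path of each new connection (first packet only, passthrough so later rules still run).
add chain=prerouting in-interface=ether1   connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1-conn passthrough=yes
add chain=prerouting in-interface=ether2   connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2-conn passthrough=yes
add chain=prerouting in-interface=vlan-ids connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=ids-conn  passthrough=yes

# 2. Outbound policy for one host: its Internet-bound connections always leave via WAN2.
add chain=prerouting in-interface-list=LAN src-address=10.10.20.5 dst-address-list=!LAN \
    connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2-conn passthrough=yes

# 3. Any packet of a marked connection that leaves the LAN is routed back out the way it came in.
#    dst-address-list=!LAN excludes VLAN-to-VLAN traffic, which stays purely routed via main.
add chain=prerouting in-interface-list=LAN dst-address-list=!LAN connection-mark=wan1-conn \
    action=mark-routing new-routing-mark=wan1    passthrough=no
add chain=prerouting in-interface-list=LAN dst-address-list=!LAN connection-mark=wan2-conn \
    action=mark-routing new-routing-mark=wan2    passthrough=no
add chain=prerouting in-interface-list=LAN dst-address-list=!LAN connection-mark=ids-conn \
    action=mark-routing new-routing-mark=via-ids passthrough=no
# Replies generated by the CHR itself (management, DNS it serves) go through output, not prerouting.
add chain=output connection-mark=wan1-conn action=mark-routing new-routing-mark=wan1
add chain=output connection-mark=wan2-conn action=mark-routing new-routing-mark=wan2

/ip firewall nat
# Source NAT only at the WAN edges; internal subnets keep real addresses.
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

Two things worth checking after pasting something like this in: first, the per-exit tables hold a single route each, so a host pinned to wan2 loses Internet if WAN2 goes down even though the main table fails over; add a second, higher-distance route to each per-exit table if pinned hosts should fail over too. Second, mark-routing is deliberately restricted to packets coming from the LAN side towards non-LAN destinations; if the routing-mark rules match VLAN-to-VLAN packets the marked table's default route will send internal traffic out a WAN. `/ip route print where routing-table=wan2` and `/ip firewall connection print where connection-mark=wan2-conn` show whether the marks and tables are doing what you expect.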