
Looking for DMZ example config

Posted: Wed Oct 12, 2011 2:18 am
by Kevo
Does anyone have a config with DMZ and 1:1 NAT they could post as an example? I just got my first Mikrotik device, a 750GL, and am trying to set it up with a WAN, LAN, and DMZ interface. The WAN has a static subnet from the ISP and I would like the LAN and WAN to use internal numbers with NAT. There would be certain machines on the DMZ and LAN that should be accessible from the internet using static NAT from the public range.

I was hoping someone might have an example of this or something similar available I could look at. My initial attempts don't seem to work. I was able to set up all three interfaces and NAT such that the DMZ and LAN could access the internet, but my static NAT attempts don't seem to work right, and I think I must be missing something that would probably be obvious from looking at a working example.

Thanks.

BTW, so far I'm pretty impressed with the capabilities of RouterOS compared to what I usually work with. I think the auto save default with safe mode is not such a great way to work by default, but maybe I'll get past that when I become more familiar with things.

Re: Looking for DMZ example config

Posted: Wed Oct 12, 2011 2:23 am
by fewi
http://wiki.mikrotik.com/wiki/How_to_co ... ome_router

The only change to that is that you want to use a dedicated IP for the DMZ, which changes the example network in the NAT section to something like below, assuming 1.1.1.3 as the IP to use and that 1.1.1.3 has been assigned to an interface (of course the other netmasks etc. won't work as the examples assume a /30, adjust all that as required):
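/ip firewall nat
# LAN (10.1.0.0/24) is source-NATed to 1.1.1.2 on the way out
add chain=srcnat out-interface=outside src-address=10.1.0.0/24 action=src-nat to-addresses=1.1.1.2
# DMZ (10.2.0.0/24) is source-NATed to the dedicated IP 1.1.1.3
add chain=srcnat out-interface=outside src-address=10.2.0.0/24 action=src-nat to-addresses=1.1.1.3
# Traffic addressed to 1.1.1.3 is destination-NATed to the DMZ host
add chain=dstnat dst-address=1.1.1.3 action=dst-nat to-addresses=10.2.0.10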
Hope that helps.

Re: Looking for DMZ example config

Posted: Wed Oct 12, 2011 8:36 pm
by Kevo
Thanks. That's what I needed. My initial attempt was thinking in the right direction, but I wasn't quite understanding the operation of NAT properly. I wasn't using the forward chain where I should have been, and I had srcnats for the DMZ IPs that weren't needed.

I really did search a lot and looked at quite a few threads for DMZ issues, but I never managed to find the link you posted. It'd be nice if there was a way to get that page to show up higher in the all-knowing Google. :-(

To that end I link it again. DMZ Example Config http://wiki.mikrotik.com/wiki/How_to_co ... ome_router
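
Added example, not code from this thread: forward-chain filter rules to pair with the NAT rules posted above. dst-nat rewrites the destination before the forward chain runs, so the filter has to match the internal address 10.2.0.10 rather than 1.1.1.3. The interface names inside and dmz and the published ports TCP 80 and 443 are assumptions; outside and the addresses come from the NAT rules in the thread.

```routeros
# Added example. Assumed interface names: inside (LAN 10.1.0.0/24), dmz (DMZ 10.2.0.0/24).
# "outside" is the WAN interface named in the NAT rules from the thread.
# Assumed published services on the DMZ host 10.2.0.10: TCP 80 and 443.
/ip firewall filter
# Return traffic for connections that an earlier rule already allowed
add chain=forward connection-state=established action=accept comment="established"
add chain=forward connection-state=related action=accept comment="related"
add chain=forward connection-state=invalid action=drop comment="invalid"
# LAN may open connections to the DMZ and to the internet
add chain=forward in-interface=inside action=accept comment="LAN out"
# DMZ may open connections to the internet only
add chain=forward in-interface=dmz out-interface=outside action=accept comment="DMZ to internet"
# Internet may reach only the published ports on the DMZ host.
# dst-address is the post-NAT address because dstnat has already been applied.
add chain=forward in-interface=outside dst-address=10.2.0.10 protocol=tcp dst-port=80,443 action=accept comment="published DMZ services"
# Everything else is dropped, including DMZ to LAN and unpublished ports on 1.1.1.3
add chain=forward action=drop comment="default drop"
```

Without the final drop rule, the dstnat rule for 1.1.1.3 exposes every port on 10.2.0.10, and hosts in the DMZ can open connections into the LAN.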