sharkyjc

2 Private networks, MASQUERADE, Block network from Internet

Mon Jan 10, 2022 1:49 am

It's been a while since I have used a Mikrotik device. I was using a CCR1009 for a few years and moved and had no need for it. I now have a use for the CCR1009 and decided to boot 'er up and configure it.

I want to use the CCR1009 to act as my main firewall and also provide 2 bonding interfaces. One bond will be used to connect to a CRS326 to provide client PCs with access to the internet and the second bond will be used to connect to a Cisco SG300-10. The Cisco will provide connections to security cameras and NAS devices.

I'd like the client PCs (10.10.200.0/24) to be able to access the security cameras, internet and NAS, but would like the firewall to block the NAS and cameras (192.168.0.0/24) from accessing the internet. How do I achieve this with firewall rules? I plan on updating the NAS and cameras manually by downloading any updates required from a client PC.

I also have a question regarding the masquerade and wondered if that is set up correctly? I've seen other masquerade rules where the source address is used and not used.

I've included the configs from the CCR1009 and the CRS326 below and also a network topology. I am just looking for someone to pick apart what I have done so far and point out any issues or perhaps any improvements. I am also a little fuzzy on firewall configuration and would also like to include rules to filter out bogon IP addresses. So, a little guidance on the firewall and what should be in there to protect the router and the rest of the network would be appreciated. I plan on using this in a residential setting.

This topology has not gone live yet and is just sitting on my workbench as a test lab.

Thanks in advance.
Net Topology.JPG
CCR1009 config
# jan/09/2022 12:36:15 by RouterOS 7.1.1
# software id = QFT2-ARPR
#
# model = CCR1009-8G-1S-1S+
# serial number = 606F05B357EA
/interface bridge
add name=BRIDGE-LAN
/interface ethernet
set [ find default-name=ether8 ] name=WAN8
/interface bonding
add min-links=1 mode=802.3ad name=BOND-ROUTE slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
add min-links=1 mode=802.3ad name=BOND-SG300 slaves=ether3,ether4 transmit-hash-policy=layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.0.2-192.168.0.20
add name=pool2 ranges=10.10.100.2-10.10.100.100
/ip dhcp-server
add address-pool=pool1 interface=BOND-SG300 lease-time=4w2d10m name=dhcp1
add address-pool=pool2 interface=BRIDGE-LAN lease-time=4w2d10m name=DHCP-SERVER-LAN
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
add bridge=BRIDGE-LAN interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=10.0.0.1/30 interface=BOND-ROUTE network=10.0.0.0
add address=192.168.0.1/24 interface=BOND-SG300 network=192.168.0.0
add address=10.10.100.1/24 interface=sfp-sfpplus1 network=10.10.100.0
/ip dhcp-client
add interface=WAN8
/ip dhcp-server network
add address=10.10.100.0/24 gateway=10.10.100.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1
/ip firewall filter
add action=accept chain=input comment=Xbox dst-port=3074 in-interface=WAN8 protocol=tcp
add action=accept chain=input comment=Xbox dst-port=85,500,3074,3544,4500,5730-5731,5739 in-interface=\
    WAN8 protocol=udp
add action=accept chain=forward comment=Xbox dst-port=3074 in-interface=WAN8 protocol=tcp
add action=accept chain=forward comment=Xbox dst-port=85,500,3074,3544,4500,5730-5731,5739 \
    in-interface=WAN8 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN8 src-address=10.10.200.0/24
add action=dst-nat chain=dstnat dst-port=3074 in-interface=WAN8 protocol=tcp to-addresses=\
    10.10.200.250
add action=dst-nat chain=dstnat dst-port=88,500,3074,3544,4500,5730-5731,5739 in-interface=WAN8 \
    protocol=udp to-addresses=10.10.200.250
/ip route
add disabled=no distance=1 dst-address=10.10.200.0/24 gateway=10.0.0.2 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api-ssl disabled=yes
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=America/Toronto
/system identity
set name=R1-CCR1009
/tool mac-server
set allowed-interface-list=none
/tool romon
set enabled=yes
CRS326 Config
# jan/02/1970 17:13:26 by RouterOS 7.1.1
# software id = 8G5A-Q97Q
#
# model = CRS326-24G-2S+
# serial number = CD010E6D247F
/interface bridge
add name=BRIDGE-LAN
/interface bonding
add min-links=1 mode=802.3ad name=BOND-ROUTE slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=POOL-LAN ranges=10.10.200.2-10.10.200.230
add name=dhcp_pool1 ranges=10.10.200.2-10.10.200.230
/ip dhcp-server
add address-pool=dhcp_pool1 interface=BRIDGE-LAN lease-time=4w2d10m name=DHCP-LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=BRIDGE-LAN interface=ether3
add bridge=BRIDGE-LAN interface=ether4
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
add bridge=BRIDGE-LAN interface=ether7
add bridge=BRIDGE-LAN interface=ether8
add bridge=BRIDGE-LAN interface=ether9
add bridge=BRIDGE-LAN interface=ether10
add bridge=BRIDGE-LAN interface=ether11
add bridge=BRIDGE-LAN interface=ether12
add bridge=BRIDGE-LAN interface=ether13
add bridge=BRIDGE-LAN interface=ether14
add bridge=BRIDGE-LAN interface=ether15
add bridge=BRIDGE-LAN interface=ether16
add bridge=BRIDGE-LAN interface=ether17
add bridge=BRIDGE-LAN interface=ether18
add bridge=BRIDGE-LAN interface=ether19
add bridge=BRIDGE-LAN interface=ether20
add bridge=BRIDGE-LAN interface=ether21
add bridge=BRIDGE-LAN interface=ether22
add bridge=BRIDGE-LAN interface=ether23
add bridge=BRIDGE-LAN interface=ether24
/ip address
add address=10.0.0.2/30 interface=BOND-ROUTE network=10.0.0.0
add address=10.10.200.1/24 interface=BRIDGE-LAN network=10.10.200.0
/ip dhcp-server lease
add address=10.10.200.230 client-id=1:d0:bf:9c:fa:ac:8d mac-address=D0:BF:9C:FA:AC:8D server=DHCP-LAN
/ip dhcp-server network
add address=10.10.200.0/24 gateway=10.10.200.1 netmask=24
/ip route
add disabled=no dst-address=10.10.100.0/24 gateway=10.0.0.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=10.0.0.1 routing-table=main suppress-hw-offload=no
/system identity
set name=R2-CRS326
/system routerboard settings
set boot-os=router-os silent-boot=yes
/tool romon
set enabled=yes
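Added example (not from the post): one way to lay out the CCR1009 filter so the PCs reach the cameras/NAS and the Internet while 192.168.0.0/24 is dropped (and logged) on the way to WAN8, with a bogon drop on the WAN side. It assumes the interface names and subnets from the export above and that the CRS326 carries a 0.0.0.0/0 route via 10.0.0.1, which its export does not show.

```routeros
# Added example for the CCR1009, not taken from the post. Assumes the
# interfaces, subnets and WAN8 name from the export above; the CRS326 is
# assumed to have a default route via 10.0.0.1 (absent from its export).
/interface list
add name=LAN
/interface list member
add list=LAN interface=BOND-ROUTE
add list=LAN interface=BOND-SG300
add list=LAN interface=BRIDGE-LAN
add list=LAN interface=sfp-sfpplus1

# Non-routable / reserved sources that must never arrive from the Internet side
/ip firewall address-list
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=100.64.0.0/10
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.0.0.0/24
add list=bogons address=192.0.2.0/24
add list=bogons address=192.168.0.0/16
add list=bogons address=198.18.0.0/15
add list=bogons address=198.51.100.0/24
add list=bogons address=203.0.113.0/24
add list=bogons address=224.0.0.0/3

/ip firewall filter
# --- input: protect the router itself ---
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=drop in-interface=WAN8 src-address-list=bogons
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop everything else aimed at the router"
# --- forward: traffic between networks ---
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=WAN8 src-address-list=bogons
add chain=forward action=drop in-interface=WAN8 connection-nat-state=!dstnat connection-state=new
add chain=forward action=accept src-address=10.10.200.0/24 dst-address=192.168.0.0/24 comment="PCs -> cameras/NAS"
add chain=forward action=accept src-address=10.10.200.0/24 out-interface=WAN8 comment="PCs -> Internet"
add chain=forward action=drop src-address=192.168.0.0/24 out-interface=WAN8 log=yes log-prefix=cam-egress comment="cameras/NAS may not reach the Internet"
add chain=forward action=drop comment="drop everything else"
```

The masquerade rule as written already limits NAT to 10.10.200.0/24, but that alone does not stop 192.168.0.0/24 packets leaving WAN8 un-NATted, so the logged forward drop is what actually enforces the block. Note also that the filter rules above accept UDP 85 while the dst-nat rule translates UDP 88.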