Azar1K
just joined
Topic Author
Posts: 4
Joined: Mon May 16, 2022 1:29 am

Dual routing/DMZ?

Mon May 16, 2022 2:01 am

So, I have a /30 IP on my router. Behind this IP, in the intranet, there are two networks separated by VLANs with some DNAT:
add chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443 protocol=tcp dst-port=443
add chain=dstnat action=dst-nat to-addresses=192.168.10.20 to-ports=3389 protocol=tcp dst-port=3389
add chain=srcnat action=masquerade src-address=192.168.10.0/24 out-interface-list=WAN

add chain=dstnat action=dst-nat to-addresses=192.168.11.10 to-ports=80 protocol=tcp dst-port=80
add chain=srcnat action=masquerade src-address=192.168.11.0/24 out-interface-list=WAN
Current schema
                   INTERNET
                       |
              150.160.170.180/30
               /             \
VLAN 10                     VLAN 11
192.168.10.0/24             192.168.11.0/24
Future schema I want to get:
                   INTERNET
                       |
              150.160.170.180/30
               /             \
150.160.165.185/29          150.160.165.186/29
VLAN 10                     VLAN 11
192.168.10.0/24             192.168.11.0/24
How should it look in the config if I want to go to a website on 192.168.10.10 via 150.160.165.185, for example?
The provider will make my /30 IP the routable peer for the /29, so what should it be like? Some kind of double routing and double DMZ?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual routing/DMZ?

Tue May 17, 2022 1:52 am

It's not exactly clear.

First, if those NAT rules you posted are all you have there, it can't work well, because any request to ports 80 and 443 from anywhere is redirected to your internal servers, so web browsing from your LANs can't work.

Second, I'm not sure I understand "make my /30 IP as routable peer for /29". Does it mean that the whole /29 will be routed to you via 150.x.x.180? If so, you can either keep them on the router too and stick with src/dstnat, or you can give them directly to internal devices (either route individual addresses to them, or assign two /30 subnets to the VLANs, but that would be terribly wasteful, because instead of eight addresses you'd have only two).
 
Azar1K
just joined
Topic Author
Posts: 4
Joined: Mon May 16, 2022 1:29 am

Re: Dual routing/DMZ?

Tue May 17, 2022 5:35 pm

You are right. To be more precise, rules should be like this:
add action=dst-nat chain=dstnat dst-address=192.168.10.10 dst-port=443 protocol=tcp to-addresses=192.168.10.10 to-ports=443

Yes, the /29 will be routed via .180/30, but the /30 will be configured as the main IP on my router for routing the /29, and as a management IP if I actually need to access the router.
I do not want to configure them directly on each virtual machine, because there will be a lot of VMs on the host that is connected to the router.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual routing/DMZ?

Tue May 17, 2022 8:02 pm

So what exactly is the problem? Aside from the wrong address in the last rule, you seem to have some idea about what you need. Or not?

Something like:
/ip firewall nat
add chain=dstnat dst-address=150.x.x.185 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.10.10
add chain=dstnat dst-address=150.x.x.186 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.10.20
add chain=dstnat dst-address=150.x.x.187 protocol=tcp dst-port=25,465,587 action=dst-nat to-addresses=192.168.11.30
...
add chain=srcnat src-address=192.168.10.10 action=src-nat to-addresses=150.x.x.185
add chain=srcnat src-address=192.168.10.20 action=src-nat to-addresses=150.x.x.186
add chain=srcnat src-address=192.168.11.30 action=src-nat to-addresses=150.x.x.187
...
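The point made earlier in this thread, that dst-nat rules without a dst-address catch outbound LAN browsing as well as inbound traffic, is easy to see in a small model of chain matching. This is an added example, not configuration from the thread or RouterOS code; the rule and packet values are constructed, using the example addresses the thread already uses.

```python
# Added example (not from the thread): a minimal model of RouterOS dstnat
# rule matching. It shows why dst-nat rules with no dst-address break
# outbound web browsing from the LAN, and how scoping each rule to one of
# the routed /29 addresses fixes it. All values below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class DstNatRule:
    protocol: str
    dst_ports: frozenset                # dst-port=80,443 -> {80, 443}
    to_address: str
    dst_address: Optional[str] = None   # None means "match any destination"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int

def apply_dstnat(rules, pkt):
    """Return the translated destination, or the original one if nothing
    matches. As on the router, the first matching rule in chain order wins."""
    for r in rules:
        if r.protocol != pkt.protocol or pkt.dport not in r.dst_ports:
            continue
        if r.dst_address is not None and ip_address(r.dst_address) != ip_address(pkt.dst):
            continue
        return r.to_address
    return pkt.dst

# Rules as first posted: no dst-address, so *every* packet to 443/3389 matches.
ORIGINAL_RULES = [
    DstNatRule("tcp", frozenset({443}), "192.168.10.10"),
    DstNatRule("tcp", frozenset({3389}), "192.168.10.20"),
]

# Rules scoped to the routed /29 addresses, as suggested in the thread.
SCOPED_RULES = [
    DstNatRule("tcp", frozenset({80, 443}), "192.168.10.10", dst_address="150.160.165.185"),
    DstNatRule("tcp", frozenset({22}), "192.168.10.20", dst_address="150.160.165.186"),
]

# Constructed sample packets: a LAN client browsing an external site, and an
# Internet client reaching the published /29 addresses.
LAN_BROWSING = Packet("192.168.10.50", "203.0.113.7", "tcp", 443)
INBOUND_WEB = Packet("198.51.100.9", "150.160.165.185", "tcp", 443)
INBOUND_OTHER = Packet("198.51.100.9", "150.160.165.186", "tcp", 443)
```

With the original rules the LAN client's HTTPS request to 203.0.113.7 is rewritten to 192.168.10.10, which is exactly the broken browsing described above; with the scoped rules it passes untouched, and only traffic to 150.160.165.185 is forwarded.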
 
Azar1K
just joined
Topic Author
Posts: 4
Joined: Mon May 16, 2022 1:29 am

Re: Dual routing/DMZ?

Tue May 17, 2022 10:45 pm

Your examples look helpful to me)
And a second (last) question about the routable /30 IP:
Will it be configured on the ISP side, or should I make some additional routing on the MikroTik side for the /29?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual routing/DMZ?  [SOLVED]

Wed May 18, 2022 2:29 am

If it's a routed subnet, then the ISP will do this on their router:
/ip route
add dst-address=x.x.x.184/29 gateway=x.x.x.180
And all eight addresses from the /29 will be going to you. You don't need to do anything special. If you're not going to route them further, it's a good idea to assign them to the router. It doesn't matter where; it could be the WAN interface, or an empty bridge serving as a loopback interface. It would mostly work even if you didn't, but packets to ports that won't be forwarded to internal devices would bounce back to the ISP (and then back to you, ISP, you, ISP, ... until their TTL expires) and that wouldn't be good.
 
Azar1K
just joined
Topic Author
Posts: 4
Joined: Mon May 16, 2022 1:29 am

Re: Dual routing/DMZ?

Wed May 18, 2022 9:59 am

Thank you for help and clarification!
