Hi,
I've just now replaced some generic Huawei LTE router with the Chateau LTE12 and configured it for passthrough mode.
For management, I have removed ether5 from the bridge and assigned an IP address to it. ether5 is connected to a DMZ interface of my hardware firewall, so that there is no way for an intruder to enter my LAN through that management port.
ether1, obviously, is connected to the WAN port of my hardware firewall, which makes use of the passed-through public IP.
So far so good, but how is the Chateau supposed to reach the internet for NTP, DNS and firmware upgrades?
I see multiple approaches:
- set the time manually, do firmware upgrades manually by downloading the files from the MikroTik website and uploading them to the router manually; DNS is therefore not needed -> boom, done
- a default route to my hardware firewall through the management interface, and allow traffic from that interface to the internet on the firewall
Wouldn't the second approach, with its default route, interfere with the purpose of the modem (sending all traffic back to the firewall, effectively creating a layer 3 loop)?
Or is that of no concern because of passthrough mode, and the internal bridge (which is the passthrough target) does nothing but plain passthrough?
Would it be advisable to create a separate VRF? If so, I was thinking about creating the VRF for internet access and leaving all the management stuff in the main VRF, as there are some services (like FTP, IIRC) which you can't bind to a VRF other than "main".
Please share your thoughts and best practices, if there are any.
Thanks!
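Added example, not part of the original post: the second approach from the post written out in RouterOS v7 CLI syntax, so the pieces it describes (passthrough on ether1, ether5 out of the bridge with a DMZ address, a default route via the firewall for the router's own NTP/DNS/upgrade traffic) can be seen together. The addresses are placeholders from the 192.0.2.0/24 documentation range, the interface names are the ones used in the post, and the parameter names should be checked against the installed RouterOS version. The service restrictions at the end are an addition in the same spirit as the post's DMZ design, not something the post states.

```routeros
# Added example (not from the original post). Assumptions: firewall DMZ gateway is
# 192.0.2.1, the Chateau's management address is 192.0.2.10/24, ether5 is the
# management port on the DMZ, ether1 is the passthrough port to the firewall WAN.

# 1. LTE passthrough: hand the public IP of the default APN profile to the
#    device on ether1 (the firewall's WAN port).
/interface lte apn set [find default=yes] passthrough-interface=ether1 passthrough-mac=auto

# 2. Take ether5 out of the bridge and give it the management address in the DMZ.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.0.2.10/24 interface=ether5 comment="mgmt (firewall DMZ)"

# 3. Default route for router-originated traffic via the firewall's DMZ address,
#    so NTP, DNS and package downloads leave through the management port and are
#    subject to the firewall's DMZ-to-internet policy.
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1 comment="router's own traffic via firewall"

# 4. Resolver and NTP for the router itself. allow-remote-requests=no keeps the
#    router from acting as a resolver for anything on the management segment.
/ip dns set servers=192.0.2.1 allow-remote-requests=no
/system ntp client set enabled=yes servers=192.0.2.1

# 5. Restrict management services to the DMZ network only and disable the
#    plaintext ones; uploads for a manual firmware upgrade still work over
#    SSH (scp/sftp) or WinBox from the DMZ.
/ip service set ssh address=192.0.2.0/24
/ip service set winbox address=192.0.2.0/24
/ip service set www-ssl address=192.0.2.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
```

After applying this, `/ip route print` should show the single default route via 192.0.2.1 for the router's own traffic, and `/ip service print` should show only ssh, winbox and www-ssl enabled, each limited to 192.0.2.0/24.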