I have a MT Router (2.8.11) with a 4-port Ethernet card. I'm using 2 ports, one (Public) connected to the T1 router, one (Private) connected to all the servers and radios. The 2.4ghz network is routed (Proxim MP.11) and the 900mhz network is bridged (Alvarion). All the clients have private IP's and are NAT'ed through the MT firewall. All the radios and servers have private IP's. The servers are linked to their public IP's by 1:1 NAT. (I have a /26 with the T1).
I want to get things in order before the network gets real big. I would like to put public IP's on the servers, but still run the traffic through the MT firewall. I want to be able to give public IP's to certain customers. Since they are only for management, I want to leave private IP's on all the radios.
If I understand correctly, I can add a Bridge interface that will let me put public IP's on the servers and Alvarion clients, while keeping private IP's on the radios, and still have all traffic go through the MT firewall. Will this also work for the (routed) Proxim clients, or do I continue 1:1 NAT for them. (This is working so far, but I've read it can cause trouble for clients needing to use a VPN).
Any comments, suggestions, and advice greatly appreciated.
Thanks,
Bill
I have a similair setup but with 3 interfaces.... I used the following config:
/ interface ethernet
set Internal name="Internal" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps \
disabled=no
set External name="External" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps \
disabled=no
set Management name="Management" mtu=1500 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
long-cable=no speed=100Mbps disabled=no
/ interface bridge
add name="bridge1" mtu=1500 arp=enabled forward-protocols=ip,arp,ipv6,other \
stp=no priority=32768 ageing-time=5m forward-delay=15s \
garbage-collection-interval=4s hello-time=2s max-message-age=20s \
disabled=no
/ interface bridge port
set Internal bridge=bridge1 priority=128 path-cost=10
set External bridge=bridge1 priority=128 path-cost=10
set Management bridge=bridge1 priority=128 path-cost=10
/ ip address
add address=10.10.10.200/24 network=10.10.10.0 broadcast=10.10.10.255 \
interface=bridge1 comment="Management IP" disabled=no
add address=XXX.124.100.102/25 network=XXX.124.100.0 \
broadcast=XXX.124.100.127 interface=bridge1 comment="Outside Address for Natd Clients" disabled=no
Which gives me:
1. A Management Network, which has my servers on it, using both public and private addresses.
2. An Internal Network, which allows users/routers/AP's etc to access the internet via Public or Private IP's.
3. An External Network, which is directly connected to my Frame router using a cross over cable.
4. The ability to firewall the Management interface for each IP range independantly, ie VPN Access on the Private Range but not on Public etc etc.
5. Traffic Monitoring and Bandwidth Throttling for all IP's
6. NAT for the 10.10.10.0 network, using 10.10.10.200 (Private Bridge IP) for my NATed Default Gateway.
7. Direct Access to my frame router (with the router as my default gateway) for all Public IP based systems.
If it sounds like what your after, I can email you the full config file... ;)
/ interface ethernet
set Internal name="Internal" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps \
disabled=no
set External name="External" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps \
disabled=no
set Management name="Management" mtu=1500 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
long-cable=no speed=100Mbps disabled=no
/ interface bridge
add name="bridge1" mtu=1500 arp=enabled forward-protocols=ip,arp,ipv6,other \
stp=no priority=32768 ageing-time=5m forward-delay=15s \
garbage-collection-interval=4s hello-time=2s max-message-age=20s \
disabled=no
/ interface bridge port
set Internal bridge=bridge1 priority=128 path-cost=10
set External bridge=bridge1 priority=128 path-cost=10
set Management bridge=bridge1 priority=128 path-cost=10
/ ip address
add address=10.10.10.200/24 network=10.10.10.0 broadcast=10.10.10.255 \
interface=bridge1 comment="Management IP" disabled=no
add address=XXX.124.100.102/25 network=XXX.124.100.0 \
broadcast=XXX.124.100.127 interface=bridge1 comment="Outside Address for Natd Clients" disabled=no
Which gives me:
1. A Management Network, which has my servers on it, using both public and private addresses.
2. An Internal Network, which allows users/routers/AP's etc to access the internet via Public or Private IP's.
3. An External Network, which is directly connected to my Frame router using a cross over cable.
4. The ability to firewall the Management interface for each IP range independantly, ie VPN Access on the Private Range but not on Public etc etc.
5. Traffic Monitoring and Bandwidth Throttling for all IP's
6. NAT for the 10.10.10.0 network, using 10.10.10.200 (Private Bridge IP) for my NATed Default Gateway.
7. Direct Access to my frame router (with the router as my default gateway) for all Public IP based systems.
If it sounds like what your after, I can email you the full config file... ;)
Hmm it bounced, okay the config is below, with my public ip's edited:
All this on a P100 with 64Mb RAM and two intel server nics... sits at an average 11% CPU and 19mb mem usage# jul/02/2004 21:04:49 by RouterOS 2.8.11
# software id = B05M-NTT
#
/ interface ethernet
set Internal name="Internal" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps \
disabled=no
set External name="External" mtu=1500 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes long-cable=no speed=100Mbps \
disabled=no
set Management name="Management" mtu=1500 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
long-cable=no speed=100Mbps disabled=no
/ interface bridge
add name="bridge1" mtu=1500 arp=enabled forward-protocols=ip,arp,ipv6,other \
stp=no priority=32768 ageing-time=5m forward-delay=15s \
garbage-collection-interval=4s hello-time=2s max-message-age=20s \
disabled=no
/ interface bridge port
set Internal bridge=bridge1 priority=128 path-cost=10
set External bridge=bridge1 priority=128 path-cost=10
set Management bridge=bridge1 priority=128 path-cost=10
/ ip accounting
set enabled=yes threshold=256
/ ip accounting web-access
set accessible-via-web=yes address=10.10.10.0/24
/ ip address
add address=10.10.10.200/24 network=10.10.10.0 broadcast=10.10.10.255 \
interface=bridge1 comment="added by setup" disabled=no
add address=XXX.XXX.XXX.102/25 network=XXX.XXX.XXX.0 \
broadcast=XXX.XXX.XXX.127 interface=bridge1 comment="" disabled=no
/ ip arp
/ ip dns
set primary-dns=202.124.98.98 secondary-dns=202.124.98.99 \
allow-remote-requests=yes cache-size="2048 kB" cache-max-ttl=7d
/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="Management" policy=none comment=""
add name="Private" policy=none comment=""
add name="Public_Man" policy=none comment=""
/ ip firewall rule Management
add protocol=tcp tcp-options=non-syn-only connection-state=established \
action=accept comment="Allow established TCP connections" disabled=no
add protocol=udp action=accept comment="Allow UDP connections" disabled=no
add protocol=icmp action=accept comment="Allow ICMP messages" disabled=no
add dst-address=10.10.10.10/32:53 protocol=tcp action=accept comment="Allow \
DNS" disabled=no
add dst-address=XXX.XXX.XXX.101/32:53 protocol=tcp tcp-options=syn-only \
action=accept comment="" disabled=no
add dst-address=10.10.10.10/32:80 protocol=tcp tcp-options=syn-only \
action=accept comment="Allow http connections to the server" disabled=no
add dst-address=XXX.XXX.XXX.101/32:80 protocol=tcp tcp-options=syn-only \
action=accept comment="" disabled=no
add dst-address=10.10.10.10/32:443 protocol=tcp tcp-options=syn-only \
action=accept comment="" disabled=no
add dst-address=XXX.XXX.XXX.101/32:443 protocol=tcp tcp-options=syn-only \
action=accept comment="" disabled=no
add dst-address=XXX.XXX.XXX.101/32:1723 protocol=tcp tcp-options=syn-only \
action=accept comment="Allow VPN connections to the server" disabled=no
add dst-address=XXX.XXX.XXX.101/32 protocol=gre action=accept comment="" \
disabled=no
add dst-address=10.10.10.10/32:1723 protocol=tcp tcp-options=syn-only \
action=accept comment="Allow VPN connections to the server" disabled=no
add dst-address=10.10.10.10/32 protocol=gre action=accept comment="" \
disabled=no
add dst-address=XXX.XXX.XXX.101/32:25 protocol=tcp tcp-options=syn-only \
action=accept comment="Allow SMTP connections to the server " disabled=no
add dst-address=XXX.XXX.XXX.101/32:110 protocol=tcp tcp-options=syn-only \
action=accept comment="Allow POP3 connections to the server" disabled=no
add dst-address=10.10.10.10/32:3389 protocol=tcp action=accept comment="Allow \
TS connections to the server" disabled=no
add dst-address=XXX.XXX.XXX.101/32:3389 protocol=tcp action=accept comment="" \
disabled=no
add dst-address=10.10.10.10/32:21 protocol=tcp tcp-options=syn-only \
action=accept comment="Allow FTP connections to the server " disabled=no
add dst-address=XXX.XXX.XXX.101/32:21 protocol=tcp tcp-options=syn-only \
action=accept comment="" disabled=no
add dst-address=XXX.XXX.XXX.101/32:20 protocol=tcp \
connection-state=established action=accept comment="" disabled=no
add src-address=:20 dst-address=XXX.XXX.XXX.101/32 protocol=tcp \
tcp-options=syn-only action=accept comment="" disabled=no
add dst-address=10.10.10.10/32 protocol=tcp tcp-options=syn-only \
connection-state=related action=accept comment="" disabled=no
add dst-address=XXX.XXX.XXX.101/32 protocol=tcp tcp-options=syn-only \
connection-state=related action=accept comment="" disabled=no
add dst-address=XXX.XXX.XXX.101/32:22518 protocol=tcp action=accept \
comment="DC Connection" disabled=no
add action=reject log=yes comment="Reject and log everything else" \
disabled=no
/ ip firewall rule Private
add src-address=10.100.100.0/24 action=reject comment="" disabled=no
/ ip firewall rule forward
add out-interface=Management action=jump jump-target=Management comment="" \
disabled=no
add out-interface=Management action=jump jump-target=Private comment="" \
disabled=no
add out-interface=Management action=jump jump-target=Public_Man comment="" \
disabled=no
/ ip firewall mangle
add src-address=10.10.10.0/24 dst-address=10.10.10.0/24 action=passthrough \
mark-flow=10.10.10.0_Local comment="" disabled=no
add src-address=XXX.XXX.XXX.0/25 dst-address=XXX.XXX.XXX.0/25 \
action=passthrough mark-flow=XXX.XXX.XXX.0_Local comment="" disabled=no
add src-address=XXX.XXX.XXX.100/32 action=passthrough \
mark-flow=XXX.XXX.XXX.100_Out comment="" disabled=no
add dst-address=XXX.XXX.XXX.100/32 action=passthrough \
mark-flow=XXX.XXX.XXX.100_In comment="" disabled=no
add src-address=XXX.XXX.XXX.101/32 action=passthrough \
mark-flow=XXX.XXX.XXX.101_Out comment="" disabled=no
add dst-address=XXX.XXX.XXX.101/32 action=passthrough \
mark-flow=XXX.XXX.XXX.101_In comment="" disabled=no
add src-address=10.10.10.0/24 action=passthrough \
mark-flow=10.10.10.0_Public_Out comment="" disabled=no
add dst-address=XXX.XXX.XXX.102/32 action=passthrough \
mark-flow=10.10.10.0_Public_In comment="" disabled=no
add dst-address=XXX.XXX.XXX.4/32 action=passthrough \
mark-flow=XXX.XXX.XXX.4_In comment="" disabled=no
add src-address=XXX.XXX.XXX.4/32 action=passthrough \
mark-flow=XXX.XXX.XXX.4_Out comment="" disabled=no
add dst-address=XXX.XXX.XXX.6/32 action=passthrough \
mark-flow=XXX.XXX.XXX.6_In comment="" disabled=no
add src-address=XXX.XXX.XXX.6/32 action=passthrough \
mark-flow=XXX.XXX.XXX.6_Out comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=no
set gre disabled=no
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall src-nat
add src-address=10.10.10.0/24 action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip neighbor discovery
set Internal discover=yes
set External discover=yes
set Management discover=yes
set bridge1 discover=yes
/ ip route
add dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=10.10.10.250 \
distance=1 comment="added by setup" disabled=no
add dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=XXX.XXX.XXX.120 \
distance=1 comment="" disabled=no
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip policy-routing
/ ip policy-routing rule
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 flow="" interface=all \
action=lookup table=main comment="" disabled=no
/ ip policy-routing table main
add dst-address=0.0.0.0/0 gateway=10.10.10.250 preferred-source=0.0.0.0 \
comment="added by setup" disabled=no
add dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.120 preferred-source=0.0.0.0 \
comment="" disabled=no
/ ip upnp
set enabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=8080 hostname="proxy" \
transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size="9999 kB" \
cache-drive=system max-cache-size=2048
/ ip web-proxy access
add dst-port=!443,563 method=connect action=deny comment="allow CONNECT only \
to SSL ports 443 \[https\] and 563 \[snews\]" disabled=no
add src-address=XXX.XXX.XXX.0/25 action=allow comment="" disabled=no
add src-address=10.10.10.0/24 action=allow comment="" disabled=no
/ ip web-proxy cache
add url="cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
/ system identity
set name="WNK_BB4_BR"
/ system logging
set default-remote-address=10.10.10.10 default-remote-port=514 \
disk-buffer-lines=100 memory-buffer-lines=100
/ system logging facility
set Firewall-Log local=memory remote=syslog remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set System-Info local=memory remote=syslog remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set System-Error local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set System-Warning local=memory remote=syslog remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set Web-Proxy-Access local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set IPsec-Event local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set IKE-Event local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=no
set IPsec-Warning local=memory remote=none remote-address=0.0.0.0 \
remote-port=0 prefix="" echo=no
set System-Echo local=memory remote=none remote-address=0.0.0.0 remote-port=0 \
prefix="" echo=yes
/ system serial-console
set enabled=yes port=serial0
/ system upgrade upgrade-package-source
add address=10.10.10.200 user="admin"
/ system upgrade mirror
set enabled=no primary-server=10.10.10.72 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system watchdog
set reboot-on-failure=no watch-address=none watchdog-timer=no \
ping-start-after-boot=5m
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
/ queue type
set default name="default" kind=pfifo bfifo-limit=15000 pfifo-limit=50 \
red-limit=60 red-min-threshold=10 red-max-threshold=50 red-burst=20 \
sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 pcq-classifier=""
set ethernet-default name="ethernet-default" kind=pfifo bfifo-limit=15000 \
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
pcq-classifier=""
set wireless-default name="wireless-default" kind=sfq bfifo-limit=15000 \
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
pcq-classifier=""
set synchronous-default name="synchronous-default" kind=red bfifo-limit=15000 \
pfifo-limit=50 red-limit=60 red-min-threshold=10 red-max-threshold=50 \
red-burst=20 sfq-perturb=5 sfq-allot=1514 pcq-rate=0 pcq-limit=50 \
pcq-classifier=""
/ queue tree
add name="In Queue" parent=global-in flow="" limit-at=524288 queue=default \
priority=5 max-limit=1048576 burst-limit=0 burst-threshold=0 burst-time=0 \
disabled=no
add name="XXX.XXX.XXX.100_Out" parent="Out Queue" flow=XXX.XXX.XXX.100_Out \
limit-at=262144 queue=default priority=8 max-limit=262144 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="Internal Queue" parent=Internal flow="" limit-at=5242880 \
queue=default priority=1 max-limit=5242880 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="XXX.XXX.XXX.100_In" parent="In Queue" flow=XXX.XXX.XXX.100_In \
limit-at=262144 queue=default priority=8 max-limit=786432 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="XXX.XXX.XXX.101_Out" parent="Out Queue" flow=XXX.XXX.XXX.101_Out \
limit-at=131072 queue=default priority=8 max-limit=262144 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="XXX.XXX.XXX.101_In" parent="In Queue" flow=XXX.XXX.XXX.101_In \
limit-at=131072 queue=default priority=8 max-limit=524288 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="Local Traffic - Private" parent="Internal Queue" \
flow=10.10.10.0_Local limit-at=0 queue=default priority=2 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="Local Traffic - Public" parent="Internal Queue" \
flow=XXX.XXX.XXX.0_Local limit-at=0 queue=default priority=2 max-limit=0 \
burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="Out Queue" parent=global-out flow="" limit-at=524288 queue=default \
priority=5 max-limit=1048576 burst-limit=0 burst-threshold=0 burst-time=0 \
disabled=no
add name="10.10.10.0_Public_Out" parent="Out Queue" \
flow=10.10.10.0_Public_Out limit-at=262144 queue=default priority=8 \
max-limit=262144 burst-limit=0 burst-threshold=0 burst-time=0 disabled=no
add name="10.10.10.0_Public_In" parent="In Queue" flow=10.10.10.0_Public_In \
limit-at=262144 queue=default priority=8 max-limit=262144 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="XXX.XXX.XXX.4_Out" parent="Out Queue" flow=XXX.XXX.XXX.4_Out \
limit-at=131072 queue=default priority=8 max-limit=524288 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="XXX.XXX.XXX.4_In" parent="In Queue" flow=XXX.XXX.XXX.4_In \
limit-at=131072 queue=default priority=8 max-limit=524288 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="XXX.XXX.XXX.6_Out" parent="Out Queue" flow=XXX.XXX.XXX.6_Out \
limit-at=131072 queue=default priority=8 max-limit=262144 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
add name="XXX.XXX.XXX.6_In" parent="In Queue" flow=XXX.XXX.XXX.6_In \
limit-at=131072 queue=default priority=8 max-limit=262144 burst-limit=0 \
burst-threshold=0 burst-time=0 disabled=no
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
disabled=no
/ user group
add name="read" policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,w\
eb
add name="write" policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,w\
eb
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ driver
/ snmp
set enabled=yes contact="xxx@xxx.net.nz" location="xxx xxx, \
xxxxxx"
/ snmp community
set public name="public" address=10.10.10.10/32 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool sniffer
set interface=Internal only-headers=no memory-limit=10 file-name="" \
file-limit=10 streaming-enabled=no streaming-server=0.0.0.0 \
filter-stream=yes filter-protocol=all-frames \
filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535
Thanks, much. I really appreciate it. I'll have to print this out and look it over.
I've been using a P166 with 48mb RAM and a 2port Intel card. It worked quite well. It's now the backup router. I found a 1ghz PIII with 512mb RAM and added a Routerboard44. I plan to add a 40gb hard drive and enable the transparent web proxy. The hard part is finding some down time to do it. :D
I've been using a P166 with 48mb RAM and a 2port Intel card. It worked quite well. It's now the backup router. I found a 1ghz PIII with 512mb RAM and added a Routerboard44. I plan to add a 40gb hard drive and enable the transparent web proxy. The hard part is finding some down time to do it. :D