Hi forum,
Im wanting to use a mikrotik RB750 like a Dlink DIR-120, has one WAN port and four ports in a switch.
Want to put this on a network where the computers can have internet - mikrotik doing dhcp, dns etc.
We dont want the computers to access anything on the WAN port which i pluged into another local network which we dont want them to have access to.
Is this a simple as changing the NAT settings or is it more difficult than that.
Thanks
Joseph
Re: WAN setup
I'm not entirely sure I understand - how do the hosts on the network access the Internet if they can't get past the WAN port on the router? Will a different router on that network serve as the Internet gateway?
That said, you can block traffic between any of the ports via IP firewall filters. A very simple approach would be the below, which assumes the WAN port is called 'WAN', and the four other ports are slaved together via the switch chip with a logical interface called 'LAN':
That said, you can block traffic between any of the ports via IP firewall filters. A very simple approach would be the below, which assumes the WAN port is called 'WAN', and the four other ports are slaved together via the switch chip with a logical interface called 'LAN':
Code: Select all
/ip firewall filter
add chain=forward in-interface=LAN out-interface=WAN action=drop
add chain=forward in-interface=WAN out-interface=LAN action=dropRe: WAN setup
I sort of want it like a modem/router. I want the mikrotik to do dhcp, dns. Any Internet requests go out the WAN but no access to the network on the other side.
Can this be done? And is this enough information?
Can this be done? And is this enough information?
Re: WAN setup
Now I understand.
Yes, you can do that. It isn't very good design since the traffic from the unsecure network behind the LAN ports of the Mikrotik has to traverse the secure network on the WAN side to get to the Internet. That is not ideal. It would be better if the two networks came off the same router - if the Mikrotik router was terminating the WAN directly, and the two LAN networks went through it. That way packets from the two LAN networks never have to touch/traverse each other.
However, you can firewall whatever you'd like. Assuming the network on the WAN side is 192.168.1.0/24, you could do this:
Yes, you can do that. It isn't very good design since the traffic from the unsecure network behind the LAN ports of the Mikrotik has to traverse the secure network on the WAN side to get to the Internet. That is not ideal. It would be better if the two networks came off the same router - if the Mikrotik router was terminating the WAN directly, and the two LAN networks went through it. That way packets from the two LAN networks never have to touch/traverse each other.
However, you can firewall whatever you'd like. Assuming the network on the WAN side is 192.168.1.0/24, you could do this:
That would drop all packets from the LAN network destined to hosts directly connected to the network on the WAN port./ip firewall filter
add chain=forward out-interface=WAN dst-address=192.168.1.0/24 action=drop
Re: WAN setup
Thanks fewi,
That work really well.
Thanks again.
Joseph
That work really well.
Thanks again.
Joseph