 
titansmc
just joined
Topic Author
Posts: 16
Joined: Wed Jun 07, 2017 11:51 am

What router to get for the following setup

Mon Jun 12, 2017 3:37 pm

Hi,
I am wondering what router can support my actual setup and also how hard it could be to migrate from a Linux router to a MikroTik. I have like 300 users making use of the internal services such as SMB resources and going out to the internet with 100Mb symmetric fiber. Here is my Linux router configuration:

Thanks.
#!/bin/bash

export IF_IN=em1
export IF_OUT=em2

ifconfig em2 up

#Define global default route
#route del default
#route add default gw 11.115.244.253
#modprobe ip_conntrack_ftp

iptables  -I INPUT -i em1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables  -I INPUT 2 -i em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 3 -i lo -j ACCEPT
iptables -I INPUT 4 -i em1 -d 192.168.10.0/24 -j ACCEPT

iptables -I INPUT 5 -i em1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -I INPUT 6 -i em1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -I INPUT 7 -i em1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -I INPUT 8 -i em1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -I INPUT 9 -i em1 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -I INPUT 10 -i em1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# to be replaced with iptables -I INPUT 4 -i em1 -m unclean -j DROP

iptables -I INPUT 11 -i em2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -I INPUT 12 -i em2 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -I INPUT 13 -i em2 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -I INPUT 14 -i em2 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -I INPUT 15 -i em2 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -I INPUT 16 -i em2 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

#Define external ips and routes
ip addr add 11.115.244.254/24 dev em1
#ip route add default via 11.115.244.253 table 100
ip route add 11.115.244.0/24 dev em1 src 11.145.244.254 table 100
ip route add 11.115.244.0/24 dev em1 src 11.145.244.254 table 102
ip route add 11.115.244.0/24 dev em1 src 11.145.244.254 table 103
ip rule add from 11.115.244.0/24 lookup 100 pri 100
route add default gw 84.88.16.5

ip addr add 11.115.6.8/24 dev em1
ip addr add 11.115.6.254/24 dev em1
ip addr add 11.115.6.253/24 dev em1
ip addr add 11.115.6.252/24 dev em1
#ip route add default via 11.115.6.254 table 101 
ip route add 11.115.6.0/24 dev em1 src 11.145.6.253 table 101
ip route add 11.115.6.0/24 dev em1 src 11.145.6.253 table 100
ip route add 11.115.6.0/24 dev em1 src 11.145.6.253 table 103
ip route add 11.115.6.0/24 dev em1 src 11.145.6.253 table 103
ip rule add from 11.115.6.0/24 lookup 101 pri 100
ip rule add from 11.115.6.0/24 to 172.20.4.0/22 lookup 103 pri 95

ip addr add 11.117.240.254/24 dev em1
ip addr add 11.117.240.200/24 dev em1
ip route add default via 84.88.16.5 table 102 
ip route add 11.117.240.0/24 dev em1 src 11.147.240.254 table 102
ip route add 11.117.240.0/24 dev em1 src 11.147.240.254 table 100
ip rule add from 11.117.240.0/24 lookup 102 pri 100

ip addr add 11.114.6.8/24 dev em1
ip addr add 11.114.6.254/24 dev em1
ip addr add 11.114.6.200/24 dev em1
ip addr add 11.114.6.151/24 dev em1
ip addr add 11.114.6.152/24 dev em1
ip addr add 11.114.6.153/24 dev em1
ip addr add 11.114.6.154/24 dev em1
ip addr add 11.114.6.155/24 dev em1
ip addr add 11.114.6.156/24 dev em1
ip addr add 11.114.6.157/24 dev em1
ip addr add 11.114.6.158/24 dev em1
ip addr add 11.114.6.150/24 dev em1

ip route add default via 84.88.16.5 table 103 
ip route add 11.114.6.0/24 dev em1 src 11.144.6.254 table 103
ip route add 11.114.6.0/24 dev em1 src 11.144.6.254 table 100
ip rule add from 172.20.4.0/22 to 11.115.56.0/24 table 103 pri 99
ip rule add from 172.20.4.0/22 to 11.114.6.0/24 lookup 103
ip rule add from 172.20.134.0/22 to 11.114.6.0/24 lookup 103
ip rule add from 11.114.6.0/24 lookup 103 pri 100
# To delete once we have one single firewall

#Define internal addresses
ip addr add 192.168.0.254/24 dev em1
ip route add 192.168.0.0/24 dev em1 src 192.168.0.254 table 400
ip route add default via 192.168.0.3 table 400
ip route add 172.20.4.0/22 dev em1 src 172.20.4.99 table 400
ip rule add from 192.168.0.0/24 table 400 pri 100
ip rule add from 172.20.4.0/22 to 192.168.0.0/24 table 400 pri 50


#ifconfig em1:200 192.168.10.30 netmask 255.255.252.0
ip addr add 192.168.10.254/24 dev em1
ip addr add 192.168.10.31/24 dev em1
ip addr add 192.168.10.32/24 dev em1
ip route add 192.168.10.0/24 dev em1 src 192.168.10.30 table 100
ip route add 192.168.10.0/24 dev em1 src 192.168.10.30 table 101
ip route add 192.168.10.0/24 dev em1 src 192.168.10.30 table 102
ip route add 192.168.10.0/24 dev em1 src 192.168.10.30 table 103
ip rule add from 192.168.10.0/24 table 100 pri 100
ip rule add from 192.168.10.0/24 to 11.115.6.253 table 101 pri 99

#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 11.115.6.253 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 11.115.6.252 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 11.114.6.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 10.0.0.0/8 -j SNAT --to 172.20.4.99
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to 11.114.6.152

iptables -t nat -A POSTROUTING -d 192.168.99.0/24 -j SNAT --to 192.168.103.50

ip addr add 172.20.4.99/22 dev em1
ip addr add 172.20.6.201/22 dev em1
ip route add 172.20.4.0/22 dev em1 src 172.20.4.99 table 102
ip route add 172.20.4.0/22 dev em1 src 172.20.4.99 table 101
ip route add 172.20.4.0/22 dev em1 src 172.20.4.99 table 100
ip route add 172.20.4.0/22 dev em1 src 172.20.4.99 table 103
ip route add 192.168.103.0/24 via 192.168.103.1 table 103
ip route add 192.168.99.0/24 via 192.168.103.1 table 103

ip rule add from 172.20.4.0/22 to 11.117.242.0/24 table 145 pri 99
# mailscanner
ip rule add from  172.20.4.35/32 table 103 pri 95


ip rule add from  172.20.4.40/32 table 103 pri 95
ip rule add from  172.20.4.41/32 table 103 pri 95
ip rule add from  172.20.4.42/32 table 103 pri 95
ip rule add from  172.20.4.43/32 table 103 pri 95
ip rule add from  172.20.4.17/32 table 103 pri 95
ip rule add from  172.20.4.30/32 table 103 pri 95
ip rule add from  172.20.4.31/32 table 103 pri 95
ip rule add from  172.20.4.34/32 table 103 pri 95
ip rule add from  172.20.4.50/32 table 103 pri 95
ip rule add from  172.20.4.51/32 table 103 pri 95
ip rule add from  172.20.4.54/32 table 103 pri 95
ip rule add from  172.20.4.56/32 table 103 pri 95
ip rule add from 172.20.4.0/22 to 11.116.191.0/24 table 103 pri 99
ip rule add from 172.20.4.0/22 table 103 pri 90



iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 11.115.56.0/24 -j SNAT --to 11.144.6.153



ip addr add 172.20.150.253/24 dev em1
ip addr add 172.20.150.254/24 dev em1
ip route add 172.20.150.0/24 dev em1 src 172.20.150.253 table 100
ip route add 172.20.150.0/24 dev em1 src 172.20.150.253 table 102
ip route add 172.20.150.0/24 dev em1 src 172.20.150.253 table 103
ip rule add from 172.20.150.0/24 table 100 pri 100

iptables -t nat -A POSTROUTING -s 172.20.150.0/24 -j SNAT --to 11.115.244.254


ip addr add 172.20.152.253/24 dev em1
ip addr add 172.20.153.253/24 dev em1
ip addr add 172.20.154.253/24 dev em1
ip addr add 172.20.16.253/24 dev em1





vconfig add em2 8
ifconfig em2.8 11.116.191.254 netmask 255.255.255.248
ip route add 11.116.190.0/23 via 11.146.191.253
ip route add 11.116.190.0/23 via 11.146.191.253 table 103


vconfig add em1 9
ifconfig em1.9 192.168.20.1 netmask 255.255.255.0
ip route add 192.168.110.0/24 via 192.168.20.2 dev em1.9
ip route add 10.0.0.0/8 via 192.168.20.2 dev em1.9
ip route add 192.168.110.0/24 via 192.168.20.2 dev em1.9 table 100
ip route add 10.0.0.0/8 via 192.168.20.2 dev em1.9 table 100
ip route add 10.0.0.0/8 via 192.168.20.2 dev em1.9 table 103
ip route add 192.168.20.0/24 dev em1.9 src 192.168.20.1 table 100
ip route add 192.168.20.0/24 dev em1.9 src 192.168.20.1 table 103
ip route add 192.168.110.0/24 via 192.168.20.2 dev em1.9 table 103
ip rule add from 192.168.110.0/24 table 100 pri 100
ip rule add from 10.0.0.0/8 table 100 pri 100


vconfig add em2 297
ifconfig em2.297 84.88.16.6 netmask 255.255.255.252
ip route add 84.88.16.4/30 dev em2.297 src 84.88.16.6 table 100
ip route add 84.88.16.4/30 dev em2.297 src 84.88.16.6 table 101
ip route add 84.88.16.4/30 dev em2.297 src 84.88.16.6 table 102
ip route add 84.88.16.4/30 dev em2.297 src 84.88.16.6 table 103
route add default gw 84.88.16.5
ip route add default via 84.88.16.5 table 100
ip route add default via 84.88.16.5 table 101
ip route add default via 84.88.16.5 table 102
ip route add default via 84.88.16.5 table 103

vconfig add em2 597
ifconfig em2.597 84.88.20.6 netmask 255.255.255.252
ip route add default via 84.88.20.5 table 200
ip route add 84.88.20.4/30 dev em2.597 src 84.88.20.6 table 200
# "lookup" takes the table id directly; "lookup table 200" is rejected by iproute2 as an invalid table ID
ip rule add from 84.88.20.6 lookup 200 pri 100



vconfig add em1 4001
ifconfig em1.4001 192.168.16.4 netmask 255.255.255.0
ifconfig em1.4001 192.168.16.2 netmask 255.255.255.0


vconfig add em1 201
ifconfig em1.201 172.20.135.1 netmask 255.255.255.0
iptables -t nat -A POSTROUTING -s 172.20.135.0/24 -d 11.114.6.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.135.0/24 -j SNAT --to 11.114.6.155
ip route add 172.20.135.0/24 dev em1.201 table 100
ip route add 172.20.135.0/24 dev em1.201 table 101
ip route add 172.20.135.0/24 dev em1.201 table 102
ip route add 172.20.135.0/24 dev em1.201 table 103
ip rule add from 172.20.135.0/24 table 103 pri 100


vconfig add em1 202
ifconfig em1.202 172.20.136.1 netmask 255.255.252.0
iptables -t nat -A POSTROUTING -s 172.20.136.0/22 -d 11.114.6.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.136.0/22 -j SNAT --to 11.114.6.155
ip route add 172.20.136.0/22 dev em1.202 table 100
ip route add 172.20.136.0/22 dev em1.202 table 101
ip route add 172.20.136.0/22 dev em1.202 table 102
ip route add 172.20.136.0/22 dev em1.202 table 103
ip rule add from 172.20.136.0/22 to 11.114.6.0/24 lookup 103
ip rule add from 172.20.136.0/22 table 103 pri 100
# Limit the wifi bandwidth


vconfig add em1 205

ifconfig em1.205 172.20.132.50 netmask 255.255.255.0
ip addr add 172.20.132.1/24 dev em1.205
ip route add 172.20.132.0/24 dev em1.205  table 100
ip route add 172.20.132.0/24 dev em1.205  table 102
ip route add 172.20.132.0/24 dev em1.205  table 103
ip rule add from 172.16.0.0/16 to 172.20.132.0/24  table 100 pri 99
ip rule add from 172.20.132.0/24 dev em1.205 table 100 pri 100


vconfig add em1 206
ifconfig em1.206 172.20.133.1 netmask 255.255.255.0
ip route add 172.20.133.0/24 dev em1.206 table 100
ip rule add from 172.20.133.0/24 table 100 pri 100


vconfig add em1 207
ifconfig em1.207 172.20.134.1 netmask 255.255.255.0
iptables -t nat -A POSTROUTING -s 172.20.134.0/24 -d 11.114.6.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.134.0/24 -j SNAT --to 11.114.6.155
ip route add 172.20.134.0/24 dev em1.207 table 100
ip route add 172.20.134.0/24 dev em1.207 table 101
ip route add 172.20.134.0/24 dev em1.207 table 102
ip route add 172.20.134.0/24 dev em1.207 table 103
ip rule add from 172.20.134.0/24 table 103 pri 100



vconfig add em1 210

ifconfig em1.210 172.20.130.50 netmask 255.255.255.0
ip route add 172.20.130.0/24 dev em1.210 table 103
ip rule add from 172.20.130.0/24 table 103 pri 100


vconfig add em1 223
ifconfig em1.223 172.20.128.54 netmask 255.255.255.0
ifconfig em1.223 172.20.128.254 netmask 255.255.255.0


vconfig add em1 224
ifconfig em1.224 172.20.129.254 netmask 255.255.255.0

vconfig add em1 225

vconfig add em1 2016
ifconfig em1.2016 172.16.0.1 netmask 255.255.0.0
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 11.114.6.0/24 -j SNAT --to 11.144.6.254
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 11.117.240.0/24 -j SNAT --to 11.147.240.254
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.20.4.0/22 -j SNAT --to 172.20.4.99
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j SNAT --to 11.114.6.154
ip rule add from 172.16.0.0/16 table 103 pri 100
ip rule add from 172.16.0.0/16 to 11.114.6.0/24 table 103 pri 99
ip route add 172.16.0.0/16 dev em1.2016 src 172.16.0.1 table 100
ip route add 172.16.0.0/16 dev em1.2016 src 172.16.0.1 table 102
ip route add 172.16.0.0/16 dev em1.2016 src 172.16.0.1 table 103
ip rule add from 172.16.0.0/16 to 172.20.150.0/24 table 100 pri 99
ip rule add from 172.16.0.0/16 to 172.20.4.0/22 lookup 100 pri 99

vconfig add em1 2018
ifconfig em1.2018 172.18.0.1 netmask 255.255.0.0
ip rule add from 172.18.0.0/16 lookup 118 pri 100
ip route add default via 172.18.254.2 table 118
ip route add 172.18.0.0/16 via 172.18.0.1 dev em1.2018 table 118


vconfig add em1 4005
ifconfig em1.4005 11.117.242.100 netmask 255.255.255.0
ifconfig em1.4005 11.117.242.254 netmask 255.255.255.0
ip rule add from 11.117.242.0/24 table 145 pri 100
ip route add default via 192.168.16.1 table 145
ip route add 192.168.16.0/24 dev em1.4001 src 192.168.16.2 table 145
ip route add 11.117.242.0/24 dev em1.4005 src 11.147.242.254 table 145
ip route add 172.20.4.0/22 dev em1 src 172.20.4.99 table 145


ip route add 172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 table 100
ip route add 172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 table 101
ip route add 172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 table 102
ip route add 172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 table 103


iptables -A FORWARD -d 192.168.10.0/24 -s 11.115.6.253 -j ACCEPT
iptables -A FORWARD -s 192.168.10.0/24 -d 11.115.6.253 -j ACCEPT
iptables -A FORWARD -d 192.168.10.0/24 -s 11.115.6.252 -j ACCEPT
iptables -A FORWARD -s 192.168.10.0/24 -d 11.115.6.252 -j ACCEPT


iptables -A FORWARD -s 172.20.4.0/22 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 172.20.4.36/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.35/32 -p tcp -m tcp --dport 25 -j ACCEPT


iptables -A FORWARD -s 172.20.4.40/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.41/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.42/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.43/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.17/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.30/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.31/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.34/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.50/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.54/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.56/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.58/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.71/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.72/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 172.20.4.51/32 -p tcp -m tcp --dport 25 -j ACCEPT

iptables -A FORWARD -s 172.20.4.0/22 -p tcp -m tcp --dport 25 -j DROP


iptables -A FORWARD -s 172.16.0.0/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 8090 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT

iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 5001 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 6690 -j ACCEPT

iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 8006 -j ACCEPT

iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 3389 -j ACCEPT
# IMAP
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 993 -j ACCEPT

iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A FORWARD -s 172.16.0.0/16 -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A FORWARD -s 172.16.0.0/16 -j DROP

iptables -A FORWARD -s 172.20.134.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 389 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 636 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 5006 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p udp -m udp --dport 1194 -j ACCEPT




iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 5001 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 6690 -j ACCEPT

iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 993 -j ACCEPT

iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 587 -j ACCEPT

iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT

iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 5900 -j ACCEPT

iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.20.134.0/24 -j DROP


iptables -A FORWARD -s 172.20.136.0/22 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 389 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 636 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 5006 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p udp -m udp --dport 1194 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -d 192.168.10.0/24 -p tcp -m tcp --dport 8880 -j ACCEPT




iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 5001 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 6690 -j ACCEPT

iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 993 -j ACCEPT

iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 587 -j ACCEPT
# RDP
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 3389 -j ACCEPT
# VNC
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 5900 -j ACCEPT

#iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.20.136.0/22 -j DROP

iptables -A FORWARD -s 172.20.132.0/24 -d 172.20.4.0/22 -p tcp -m tcp -j ACCEPT
iptables -A FORWARD -s 172.20.4.0/22 -d 172.20.132.0/24 -p tcp -m tcp -j ACCEPT
iptables -A FORWARD -s 192.168.10.0/24 -d 172.20.132.0/24 -p tcp -m tcp -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -d 192.168.10.0/24 -p tcp -m tcp -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 443 -j ACCEPT

iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p udp -m udp --dport 10001 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p udp -m udp --dport 3478 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 8081 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 8443 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 8880 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 8843 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 172.20.132.0/24 -p udp -m udp --dport 123 -j ACCEPT

iptables -A FORWARD -s 172.20.132.0/24 -j DROP


iptables -I FORWARD 107 -s 172.20.7.36 -d 11.114.6.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -I FORWARD 107 -s 172.20.5.134 -d 11.114.6.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -I FORWARD 107 -s 172.20.4.246 -d 11.114.6.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -I FORWARD 107 -s 172.20.7.233 -d 11.114.6.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -I FORWARD 107 -s 172.20.7.233 -d 11.114.6.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I FORWARD 107 -s 172.20.4.246 -d 11.114.6.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I FORWARD 107 -s 172.20.5.134 -d 11.114.6.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I FORWARD 107 -s 172.20.7.36 -d 11.114.6.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I FORWARD 107  -s 172.20.7.36 -p tcp -m tcp --dport 80 -j DROP
iptables -I FORWARD 107  -s 172.20.5.134 -p tcp -m tcp --dport 80 -j DROP
iptables -I FORWARD 107  -s 172.20.4.246 -p tcp -m tcp --dport 80 -j DROP
iptables -I FORWARD 107  -s 172.20.7.233 -p tcp -m tcp --dport 80 -j DROP
iptables -I FORWARD 107  -s 172.20.7.233 -p tcp -m tcp --dport 443 -j DROP
iptables -I FORWARD 107  -s 172.20.4.246 -p tcp -m tcp --dport 443 -j DROP
iptables -I FORWARD 107  -s 172.20.5.134 -p tcp -m tcp --dport 443 -j DROP
iptables -I FORWARD 107  -s 172.20.7.36 -p tcp -m tcp --dport 443 -j DROP
######################################################


iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 192.168.110.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 11.115.244.254 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 10.0.0.0/8 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 192.168.20.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 11.116.191.0/24 -j SNAT --to 11.144.6.254
iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 11.114.6.0/24 -j SNAT --to 11.144.6.254
iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -d 192.168.0.0/24 -j SNAT --to 192.168.0.254


iptables -t nat -A POSTROUTING  -s 172.20.4.35/32 -j SNAT --to-source 11.114.6.153

iptables -t nat -A POSTROUTING -s 172.20.4.0/22 -j SNAT --to 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.40/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.41/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.42/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.43/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.17/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.30/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.31/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.34/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.50/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.51/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.54/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.56/32 -j SNAT --to-source 11.114.6.155
iptables -t nat -A POSTROUTING  -s 172.20.4.0/22 -d 11.117.242.0/24 -j SNAT --to 11.147.242.254


iptables -t nat -A POSTROUTING  -s 172.20.132.0/24 -j SNAT --to-source 11.114.6.151




iptables -t nat -A POSTROUTING -s 172.20.133.0/24  -j SNAT --to 11.115.244.254


iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 80 -j DNAT --to 172.20.4.72:80
iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 443 -j DNAT --to 172.20.4.72:443
iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 10443 -j DNAT --to 172.20.4.72:10443
iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 993 -j DNAT --to 172.20.4.36:993
iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 995 -j DNAT --to 172.20.4.36:995
iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 3389 -j DNAT --to 172.20.4.73:3389


iptables -t nat -A PREROUTING -d 11.114.6.158 -p tcp --dport 993 -j DNAT --to 172.20.4.36:993
iptables -t nat -A PREROUTING -d 11.114.6.158 -p tcp --dport 995 -j DNAT --to 172.20.4.36:995
iptables -t nat -A PREROUTING -d 11.114.6.158 -p tcp --dport 145 -j DNAT --to 172.20.4.36:145
iptables -t nat -A PREROUTING -d 11.114.6.158 -p tcp --dport 587 -j DNAT --to 172.20.4.36:587
iptables -t nat -A PREROUTING -d 11.114.6.158 -p tcp --dport 465 -j DNAT --to 172.20.4.36:465
iptables -t nat -A PREROUTING -d 11.114.6.153/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.20.4.36:25
iptables -t nat -A PREROUTING -d 11.114.6.153 -p tcp --dport 465 -j DNAT --to 172.20.4.36:465
iptables -t nat -A PREROUTING -d 11.114.6.153 -p tcp --dport 587 -j DNAT --to 172.20.4.36:587
iptables -t nat -A PREROUTING -d 11.114.6.153 -p tcp --dport 145 -j DNAT --to 172.20.4.36:145
iptables -t nat -A PREROUTING -d 11.114.6.153 -p tcp --dport 995 -j DNAT --to 172.20.4.36:995
iptables -t nat -A PREROUTING -d 11.114.6.153 -p tcp --dport 993 -j DNAT --to 172.20.4.36:993

iptables -t nat -A PREROUTING -d 11.115.244.254 -p udp --dport 1194 -j DNAT --to 192.168.10.68:1194


iptables -t nat -A PREROUTING -d 11.115.6.159 -p tcp --dport 7571 -j DNAT --to 192.168.10.68:7571


iptables -t nat -A OUTPUT -p tcp -d 11.115.244.254 --dport 80 -j DNAT --to 172.20.4.72:80
iptables -t nat -A OUTPUT -p tcp -d 11.115.244.254 --dport 443 -j DNAT --to 172.20.4.72:443


iptables -t nat -A PREROUTING -d 11.114.6.150 -p tcp -m tcp --dport 80 -j DNAT --to 172.20.4.46:8080
iptables -t nat -A PREROUTING -d 11.114.6.150 -p tcp -m tcp --dport 443 -j DNAT --to 172.20.4.46:8443
iptables -t nat -A PREROUTING -d 11.114.6.150 -p tcp -m tcp --dport 5001 -j DNAT --to 172.20.4.46:5001
#iptables -t nat -A PREROUTING -d 11.114.6.150 -p tcp -m tcp --dport 3389 -j DNAT --to 192.168.10.5:3389
iptables -t nat -A PREROUTING -d 11.114.6.254 -p tcp -m tcp --dport 3389 -j DNAT --to 172.20.4.73:3389
iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 25 -j DNAT --to 172.20.4.36:25
iptables -t nat -A PREROUTING -d 11.114.6.155/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.20.4.40:2525
iptables -t nat -A PREROUTING -d 11.114.6.158/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.20.4.36:25

iptables -t nat -A PREROUTING -d 11.115.244.254/32 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 172.20.4.72:10000



iptables -A INPUT  -d 11.117.242.254 -p tcp --dport 6379 -j DROP


iptables -A INPUT -s 172.20.4.0/22 -d 11.115.6.253 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -d 11.115.6.253 -p tcp -m tcp --dport 3306 -j DROP


ipset restore </root/firewall/iplists.txt
iptables -I INPUT 1 -m set --match-set routerips dst -p tcp --dport 6379 -j DROP
iptables -I FORWARD 6 -m set --match-set externalips dst -p tcp --dport 135 -j DROP
iptables -I FORWARD 6 -m set --match-set externalips dst -p tcp --dport 1433 -j DROP
iptables -I FORWARD 6 -m set --match-set externalips dst -p udp --dport 1433 -j DROP
iptables -I FORWARD 6 -m set --match-set externalips dst -p tcp --dport 1434 -j DROP
iptables -I FORWARD 6 -m set --match-set externalips dst -p udp --dport 1434 -j DROP
iptables -I FORWARD 6 -m set --match-set externalips dst -p tcp --dport 2382 -j DROP
iptables -I FORWARD 6 -m set --match-set externalips dst -p tcp --dport 2383 -j DROP
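As an added example (not from the original post and not a MikroTik tool) to gauge the migration effort asked about above, this Python translator converts the part of the script that maps directly onto RouterOS v6 syntax (appended filter rules, SNAT/DNAT, ip rules and table routes) and lists everything else for manual review. It assumes Linux routing table N becomes a routing mark named tN, which is an arbitrary naming choice.

```python
# Added example (not from the original post or MikroTik): convert the subset of the script
# above that maps cleanly onto RouterOS v6 syntax; Linux table N becomes an assumed mark "tN".
import shlex

CHAINS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}
MATCH = (("-s", "src-address"), ("-d", "dst-address"), ("-p", "protocol"), ("--dport", "dst-port"))

def _opts(tokens):
    o = {}  # option -> list of its values; bare flags get True
    for i, t in enumerate(tokens):
        if t.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            o.setdefault(t, []).append(True if nxt.startswith("-") else nxt)
    return o

def _join(*parts):
    return " ".join(p for p in parts if p)

def _matches(o):
    # Matchers shared by filter and nat rules, emitted as RouterOS key=value pairs
    st = o.get("--state") or o.get("--ctstate")
    return _join(*[f"{n}={o[f][0]}" for f, n in MATCH if f in o],
                 st and "connection-state=" + st[0].lower())

def _iptables(o):
    """One parsed iptables line -> RouterOS command, or None for manual review."""
    if "-A" not in o or "--tcp-flags" in o or "set" in o.get("-m", []):
        return None  # -I inserts, tcp-flags and ipset rules need checking by hand
    chain, tgt = o["-A"][0], o.get("-j", [""])[0]
    to = (o.get("--to") or o.get("--to-source") or o.get("--to-destination") or [""])[0]
    ip, _, port = to.partition(":")
    if o.get("-t") == ["nat"] and chain in ("POSTROUTING", "PREROUTING"):
        tail = {"SNAT": f"action=src-nat to-addresses={to}", "ACCEPT": "action=accept",
                "DNAT": _join(f"action=dst-nat to-addresses={ip}", port and f"to-ports={port}")}
        ros = "srcnat" if chain == "POSTROUTING" else "dstnat"
        return (_join(f"/ip firewall nat add chain={ros}", _matches(o), tail[tgt])
                if tgt in tail else None)
    if "-t" not in o and chain in CHAINS and tgt in ("ACCEPT", "DROP"):
        return _join(f"/ip firewall filter add chain={CHAINS[chain]}", _matches(o),
                     f"action={tgt.lower()}")
    return None  # e.g. nat OUTPUT: RouterOS has no NAT chain for locally generated traffic

def _ip(toks):
    """`ip rule add` / `ip route add` -> (kind, pri, command), or None."""
    if toks[1:3] == ["rule", "add"]:
        kv = dict(zip(toks[3::2], toks[4::2]))
        table = kv.get("table") or kv.get("lookup", "")
        if not table.isdigit():
            return None  # named tables and malformed lines: review by hand
        m = [f"{n}={kv[k]}" for k, n in (("from", "src-address"), ("to", "dst-address"),
                                         ("dev", "interface")) if k in kv]
        pri = int(kv["pri"]) if "pri" in kv else None
        return "rule", pri, _join("/ip route rule add", *m, f"action=lookup table=t{table}")
    if toks[1:3] == ["route", "add"]:
        kv, dst = dict(zip(toks[4::2], toks[5::2])), toks[3].replace("default", "0.0.0.0/0")
        gw, table = kv.get("via") or kv.get("dev"), kv.get("table", "")  # connected: gw = interface
        return gw and ("route", None, _join(f"/ip route add dst-address={dst} gateway={gw}",
                                            table.isdigit() and f"routing-mark=t{table}"))
    return None

def translate(script):
    """Return (routeros_commands, manual_review_lines) for a whole script."""
    out, rules, manual = [], [], []
    for n, raw in enumerate(script.splitlines()):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks, cmd = shlex.split(line), None
        if toks[0] == "iptables":
            cmd = _iptables(_opts(toks[1:]))
        elif toks[0] == "ip" and len(toks) > 3 and (r := _ip(toks)):
            if r[0] == "rule":
                # Linux walks ip rules by ascending pri; rules added without pri sort first, newest first
                rules.append(((r[1], n) if r[1] is not None else (-1, -n), r[2]))
                continue
            cmd = r[2]
        (out if cmd else manual).append(cmd or line)
    out += [c for _, c in sorted(rules)]
    return out, manual

# Constructed sample in the style of the script above, not the poster's live config.
SAMPLE = """\
iptables -A FORWARD -s 172.16.0.0/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j SNAT --to 11.114.6.154
iptables -t nat -A PREROUTING -d 11.115.244.254 -p tcp --dport 443 -j DNAT --to 172.20.4.72:443
iptables -I INPUT 6 -i em1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
ip route add default via 84.88.16.5 table 103
ip rule add from 172.20.4.0/22 table 103 pri 90
ip rule add from 172.20.4.0/22 to 11.114.6.0/24 lookup 103
"""
```

The output keeps the script's append order within each chain; the lines it refuses to translate (the -I inserts and tcp-flags checks) must be positioned by hand, and the resulting ip rule order should be compared with `ip rule show` on the live Linux box before cut-over.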
 
gustavomam
Trainer
Posts: 287
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: What router to get for the following setup

Mon Jun 12, 2017 6:09 pm

Hi.

You need at least an L5 router:
https://routerboard.com/RB3011UiAS-RM


If you want to over-dimension, use one of these L6 routers and think about the future:

https://routerboard.com/RB1100Dx4
https://routerboard.com/CCR1009-7G-1C-PC
 
titansmc
just joined
Topic Author
Posts: 16
Joined: Wed Jun 07, 2017 11:51 am

Re: What router to get for the following setup

Mon Jun 12, 2017 6:38 pm

Hi,
I was thinking of going for an RB/CCR1036-8G2S+, so I guess I shouldn't have any problem with this.

Cheers!
 
gustavomam
Trainer
Posts: 287
Joined: Tue Jul 23, 2013 6:29 pm
Location: Spain

Re: What router to get for the following setup

Mon Jun 12, 2017 6:46 pm

This RouterBoard rocks!

If you have extra money and you can afford it, buy it!

I was telling you the minimum router to handle this traffic. As you know, if you can buy a better router, of course you are covered to scale your network.