How do you turn on hEX's DMZ?
Posted: Sat Jul 07, 2018 1:06 pm
by Luminair
The default hEX "Quick Set" has everything except the DMZ. How do you turn it on? Here's my export after trying a bunch of the command line suggestions from old threads, but I'd rather wipe to default settings and use the formal solution.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="DMZ rule" in-interface=ether1 \
to-addresses=192.168.1.100
Normal routers have a drop-down box with MAC/IP so you can simply select one.
Re: How do you turn on hEX's DMZ?
Posted: Sat Jul 07, 2018 1:36 pm
by BartoszP
What is "normal router" for you? Why aren't you using "normal" router?
Have you tried
http://bfy.tw/IvvK ?
Re: How do you turn on hEX's DMZ?
Posted: Sat Jul 07, 2018 9:27 pm
by diddie17
Let me fix that for you -
"Basic consumer level routers" have a drop-down box with MAC/IP so you can simply select one
You haven't bought a basic consumer-level router. The MT router with the RouterOS operating system on it doesn't have the hardware power of an enterprise-grade unit, but it is certainly very close in terms of functions and features.
In my mind a DMZ is a separate subnet firewalled off from the inside trusted subnet, which may contain many computers, not just one, that are intended in some way to be further exposed to the outside world than you want your internal network to be. This can be a physical network (a port on the router) or a virtual network (VLAN). The MT router absolutely has the ability to do this and much more. What you will have to do is raise your level of understanding and capability to be able to configure it in a way that meets your needs. If you're not prepared to do that then you have probably bought the wrong router and would be better off with a consumer-grade router.
In terms of a starting point, assuming ether1 is your WAN connection, I would take ether2 out of the bridge and configure it with its own IP address, subnet, DHCP (if required) etc. This would make ether1 your WAN, ether2 your DMZ, and the other ports would be bridged together into your inside network. You will then have to work with the firewall to define rules for traffic flow between the WAN, DMZ and the inside network.
Re: How do you turn on hEX's DMZ?
Posted: Sat Jul 07, 2018 10:52 pm
by Steveocee
Can I ask what you are trying to do? Do you need to DMZ a device or will a few port forwards be enough?
MikroTik does not have a DMZ option, but you can simulate the effect if you need to; rarely is there a need, though.
Re: How do you turn on hEX's DMZ?
Posted: Mon Jul 09, 2018 7:13 am
by oztony
In terms of a starting point, assuming ether1 is your WAN connection, I would take ether2 out of the bridge and configure it with its own IP address, subnet, DHCP (if required) etc. This would make ether1 your WAN, ether2 your DMZ, and the other ports would be bridged together into your inside network. You will then have to work with the firewall to define rules for traffic flow between the WAN, DMZ and the inside network.
This week I have just gone through this process with an RB750GL which was updated to latest firmware. I have set it up as above several times with some difficulty as the documentation generally does not reflect the changes made to the interface recently (master/slave vs switches), but I still can't get internet connectivity on the DMZ. It is probably my firewall filters that are wrong, but the various pieces of documentation I have read have yet to help.
Regrettably there seems to be a view that once someone writes some documentation, it is considered perfect and all-encompassing and in no need of improvement.
Re: How do you turn on hEX's DMZ?
Posted: Mon Jul 09, 2018 12:23 pm
by diddie17
Hey oztony
Sounds like the first thing to do would be to test whether the firewall is the issue. It would be very easy depending on the complexity of your configuration to have issues before the firewall even gets involved.
I've never used MT firewalls as my firewalls are on a separate Linux router, but my understanding is that the MT construct is very similar to iptables on Linux.
Assuming that the issue is firewall based, you might be able to look at some iptables examples, separate out the parts you don't need and use the remainder to cross-check that there is nothing missing or strange in your firewall config.
This might not help you in any way, but without a better description/understanding of your problem, I'm just trying to suggest alternative approaches in the hope it might help.
As examples, you could look at the below and many more -
https://www.cs.montana.edu/courses/309/ ... t/dmz.html
https://www.pacificsimplicity.ca/blog/i ... mz-example
Apologies if this doesn't help, just a suggestion to try and move you closer to your goal.
Re: How do you turn on hEX's DMZ?
Posted: Mon Jul 09, 2018 12:30 pm
by BartoszP
Asking Google with "mikrotik forwarding all ports" gives the answer:
viewtopic.php?t=93228
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 5:59 am
by Luminair
after trying a bunch of the command line suggestions from old threads
Does anyone know how to write the actual DMZ command?
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 6:34 am
by vecernik87
No, because there is no such command or network feature.
DMZ is just a simplified term, usually understood as a separate L2/L3 network with some exposure to the outer world. DMZ is not a particular network function, rather a set of rules and settings which in the end produce the desired result. You need to define each setting yourself based on your requirements.
If there was a specific "DMZ command", it would in the end lead to limited choices, because it would work just one specific way. This is typical for some other manufacturers: for example, the asuswrt DMZ is just the selection of a particular IP on the LAN subnet, which will get all ports forwarded (therefore no firewall between the DMZ device and the rest of the LAN).
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 10:28 am
by Steveocee
after trying a bunch of the command line suggestions from old threads
Does anyone know how to write the actual DMZ command?
It's just a port forward that forwards everything from your inbound WAN interface to an IP on your LAN.
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 11:12 am
by millenium7
I don't know why nobody's given you a simple, straightforward answer, because the answer is simple and straightforward:
/ip firewall nat add chain=dstnat dst-address=1.2.3.4 in-interface=ether1 action=dst-nat to-addresses=192.168.1.5
Where 1.2.3.4 = your public IP
ether1 = whatever is the internet facing interface, could be pppoe1 or w/e
192.168.1.5 = the private IP of the device
This isn't 'port forwarding', this is 'forward absolutely everything', including protocols such as GRE or ICMP.
Rules are processed in order until the first match is found, then processing stops. So adding anything above that, i.e.
/ip firewall nat add chain=dstnat dst-address=1.2.3.4 protocol=tcp dst-port=8291 action=accept
In this case it means WinBox connections will stop at the router, allowing you to log in to it, and if the first rule is placed directly after this, then everything else goes to 192.168.1.5.
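As an added example (not code from millenium7's post or from MikroTik), here is the exposed-host variant written out against the default RouterOS firewall, with the management exceptions ordered above the catch-all. The public address 203.0.113.10, the host 192.168.88.100 and the use of the defconf interface list WAN are assumptions; the list is used instead of a bare interface name so the same rules work whether the uplink is ether1 or a PPPoE interface.

```routeros
# Added example: "exposed host", i.e. what consumer routers label DMZ,
# on a default RouterOS firewall. Assumptions: the uplink is in the defconf
# interface list WAN, the public address is 203.0.113.10 (stands in for
# millenium7's 1.2.3.4) and the exposed host is 192.168.88.100 on the bridge.

/ip firewall nat
# Rules are evaluated top-down and the first match ends the chain, so the
# exceptions that must stay on the router go first. action=accept in the
# dstnat chain means "leave the destination alone, stop here".
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 protocol=tcp \
    dst-port=8291 action=accept comment="keep WinBox on the router"
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 protocol=tcp \
    dst-port=22 action=accept comment="keep SSH on the router"
# Everything else that arrives for the public address, with no protocol
# matcher, so TCP, UDP, ICMP, GRE and ESP alike, is rewritten to the host.
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 \
    action=dst-nat to-addresses=192.168.88.100 comment="exposed host"
# If the public address changes (DHCP/PPPoE uplink), use dst-address-type=local
# in place of dst-address=... in all three rules; it matches any address the
# router itself owns.
```

With the default firewall no extra filter rule is needed: the defconf forward rule "drop all from WAN not DSTNATed" only drops new connections that carry no dst-nat state, so everything the last rule rewrites is forwarded. `/ip firewall nat print stats` shows per-rule packet counters, which is the quickest way to confirm which of the three rules a given connection hit. Two caveats a practitioner should weigh: the WinBox and SSH exceptions leave the router's management reachable from the Internet, so either drop them and manage from the LAN or restrict them with a src-address-list; and the exposed host still sits on the LAN bridge, so compromising it is compromising the LAN, which is exactly the difference other replies in this thread draw between an exposed host and a DMZ.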
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 1:05 pm
by vecernik87
That is not DMZ. That is just forwarding.
DMZ by definition should be separated from LAN. So you also need another internal subnet, probably on specific port or vlan, add forwarding rules, etc etc...
NAT is just part of the whole puzzle. That's why nobody gave a straightforward answer - it is incomplete.
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 2:01 pm
by muetzekoeln
That is not DMZ. That is just forwarding.
DMZ by definition should be separated from LAN.
Right. But the "normal routers" concept of a "DMZ" is really nothing different from an "exposed host".
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 2:14 pm
by msatter
If the exposed host is compromised then there is access to the internal network. Not with a DMZ, if it is separated well.
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 2:38 pm
by millenium7
That is not DMZ. That is just forwarding.
DMZ by definition should be separated from LAN. So you also need another internal subnet, probably on specific port or vlan, add forwarding rules, etc etc...
NAT is just part of the whole puzzle. That's why nobody gave a straightforward answer - it is incomplete.
You gotta read between the lines. Clearly the OP just wants forwarding of everything to a host.
It's like when a customer calls and says "My DSL router is not syncing and...."
I don't go all "Ok hold up, imma let you finish, but first I just gotta say what you have is an ADSL2/VDSL2 compliant 'modem' and that's responsible for the syncing, not the router component. There is no such thing as a DSL router. I can't help you until you get your technologies straight."
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 3:14 pm
by mkx
Even though another vendor offers a simplified "DMZ" command (which does a job that is sub-optimal), that doesn't mean we can't even try to explain to the OP how to do things properly. He showed decent willingness to do things properly (he even showed a textual configuration, which is more than the majority of "one click is enough for everything" users are capable of).
So when you come to a pond and want to have a fish (or two), do you drain the pond and pick one just because somebody without fishing knowledge said it can be done like that?
Re: How do you turn on hEX's DMZ?
Posted: Wed Mar 27, 2019 5:03 pm
by anav
Now this is what I am talking about. Come to MT forums and learn philosophy!!
The correct answer is use lights or dynamite! - too much work to drain a pond and one may starve to death in the meantime
As for the OP, I think it's fair to say there is no such functionality called DMZ, at least in terms of a specification, RFC, etc.
I tend to agree that it's basically port forwarding all ports to a single host, which renders any other port forwarding for that WAN IP impossible. Thus it is very limiting.
I do agree that such a host should be separated from the rest of the router LAN, and if this is what some consumer-branded vendors do, 'tis not a bad thing.
Here is what may work or not?
So two/three rules are required (minimum)
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=eth1-WAN
/ip firewall nat
# dmzIP below is a placeholder for the DMZ host, which sits on a different subnet, not on the bridge.
add chain=dstnat action=dst-nat protocol=tcp dst-port=!67-68 in-interface=eth1-WAN to-addresses=dmzIP
add chain=dstnat action=dst-nat protocol=udp dst-port=!67-68 in-interface=eth1-WAN to-addresses=dmzIP
I would ensure my firewall rules dropped all traffic (last rule for both input and forward chains).
I would ensure that no traffic from the dmzIP subnet is allowed to the router or to the bridge.
Thus the only rule required in the forward chain for the dmzIP subnet is:
/ip firewall filter
add chain=forward action=accept connection-state=new in-interface=eth3-DMZ out-interface=eth1-WAN
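As an added example (not from any post in this thread, nor MikroTik's own code), here is the segmented DMZ that diddie17 outlined and that anav's rules sketch, written out as one complete RouterOS script on top of the default ("Quick Set") firewall. Assumptions: ether1 is the WAN and sits in the defconf interface list WAN, ether2 is pulled out of the bridge to become the DMZ, the LAN is the defconf 192.168.88.0/24, the DMZ is 192.168.90.0/24 with a web server at 192.168.90.10, and the list name DMZ, the pool name and all comments are mine.

```routeros
# Added example: a real DMZ on a hEX with the default firewall.
# Assumed layout: ether1 = WAN (in list WAN), ether2 = DMZ, ether3-5 stay
# in the LAN bridge. Assumed addressing: LAN 192.168.88.0/24 (defconf),
# DMZ 192.168.90.0/24, DMZ web server 192.168.90.10. Run this from a LAN
# port, not from ether2, because ether2 leaves the bridge in step 1.

# 1. Take ether2 out of the bridge and give it its own subnet.
/interface bridge port
remove [find interface=ether2]
/ip address
add address=192.168.90.1/24 interface=ether2 comment="DMZ gateway"

# 2. Put the DMZ in its own interface list so rules refer to it by role.
/interface list
add name=DMZ
/interface list member
add list=DMZ interface=ether2

# 3. Optional DHCP for the DMZ; the published server itself should be static.
/ip pool
add name=dmz-pool ranges=192.168.90.100-192.168.90.199
/ip dhcp-server network
add address=192.168.90.0/24 gateway=192.168.90.1 dns-server=192.168.90.1
/ip dhcp-server
add name=dmz-dhcp interface=ether2 address-pool=dmz-pool disabled=no

# 4. Input chain: the defconf rule "drop all not coming from LAN" already
#    keeps DMZ hosts off the router's management ports. Allow only DNS and
#    DHCP from the DMZ, inserted above that drop rule.
/ip firewall filter
add chain=input in-interface-list=DMZ protocol=udp dst-port=53 action=accept \
    comment="DMZ: DNS to router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input in-interface-list=DMZ protocol=udp dst-port=67 action=accept \
    comment="DMZ: DHCP to router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 5. Forward chain: the defconf chain has no final drop, so LAN<->DMZ
#    traffic would be forwarded by default. Append explicit rules for new
#    connections and finish with a drop. Established/related traffic is
#    already accepted (and fasttracked) by the defconf rules above these.
add chain=forward connection-state=new in-interface-list=LAN action=accept \
    comment="LAN may open connections to DMZ and Internet"
add chain=forward connection-state=new in-interface-list=DMZ \
    out-interface-list=WAN action=accept \
    comment="DMZ may open connections to Internet only"
add chain=forward connection-state=new in-interface-list=WAN \
    out-interface-list=DMZ connection-nat-state=dstnat action=accept \
    comment="Internet to DMZ, only what dstnat publishes"
add chain=forward action=drop comment="drop everything else, incl. DMZ -> LAN"

# 6. Publish the DMZ server. The defconf masquerade rule already covers
#    DMZ -> Internet because it matches on out-interface-list=WAN only.
#    dst-address-type=local matches whatever public address the router
#    holds, so this also works with a dynamic WAN address.
/ip firewall nat
add chain=dstnat in-interface-list=WAN dst-address-type=local protocol=tcp \
    dst-port=80,443 action=dst-nat to-addresses=192.168.90.10 \
    comment="publish DMZ web server"
```

To get anav's "everything to the DMZ host" behaviour instead of two published ports, drop the protocol and dst-port matchers from the last rule; the forward rules above do not change, since they key on the dst-nat state rather than on ports. Two things to check after applying it: from a DMZ host, a connection to the Internet should work and a connection to any 192.168.88.x host should fail, with `/ip firewall filter print stats` showing the final drop rule's counter climbing; and if the router still carries a port-forward to a LAN host (such as the OP's original DMZ rule), that forward now needs its own accept like the third forward rule but with out-interface-list=LAN, placed above the final drop, or the new final drop will block it. A ping from the DMZ to 192.168.88.1 will still answer, because the defconf input chain accepts ICMP to every address the router owns; that is the router, not the LAN.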