
I have a dedicated FW that I wish to keep, but demote from being the Gateway, placing a Mikrotik Router there instead

Posted: Sun Jun 06, 2021 11:43 am
by SecCon
I am trying to wrap my head around setting up my Mikrotik RouterOS Router as Gateway and DHCP server for my local LAN, while keeping a dedicated FW that I purchased a license for as a "filter" between the ISP and the Mikrotik Router.

Some kind of schematic:

Current
ISP <-> FW/Router <-> Switch <-> LAN

New
ISP <-> FW <-> Mikrotik Router <-> Switch <-> LAN

So basically remove the DHCP role from the FW and give it a dedicated IP provided by the DHCP on the Mikrotik Router. I have not tested this yet, mostly posting if you guys see any obvious problem with this.

The FW is a Zyxel USG40 that works just fine; I want to keep it for the duration of the license period, after which I will set up the Mikrotik Router to act as Firewall. The Mikrotik Router is the one in my signature.

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 12:13 pm
by mkx
Proper thing to do would be the following: use one IP subnet for LAN devices (right of MT router) and one subnet for MT-FW "subnet".
Ideally you would keep using the same IP subnet for LAN (in case you have any static configuration on any of the LAN devices). MT would simply have two interfaces, configured with IP addresses from each of the subnets ... and an empty /ip firewall setup, with the default route pointing at the FW.
FW then has to be reconfigured to have LAN IP address from the new subnet and (this one is important) static route towards LAN subnet via RB as gateway. If FW doesn't support LAN subnets behind routers, then it would probably still be possible to make things work using (more or less) ugly hacks and workarounds.

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 2:30 pm
by SecCon
Subnets? I really don't get why?

I was thinking along the lines of (assuming 192.168.1.1/24) :

ISP >
> Zyxel FW @ 192.168.1.2 (Cabling channels all the traffic through here) >
> MT RO @ 192.168.1.1 (DHCP server) >
> SW @ 192.168.1.3 >
> LAN at 192.168.1.1/24 (also a WiFi AP)

I don't see why I should have any subnet; there is no DMZ, nothing exposed to the WWW.

To achieve this I would disconnect the ZYFWRO and hook up the MTRO, setting up DHCP and Gateway on MTRO, checking everything.
Then:
Take the ZYFWRO and reconfigure it offline to a ZYFW only and get a static IP from MTRO and not act as DHCP, and then reconnect it as explained above. Fingers crossed.

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 2:43 pm
by anav
I got rid of my zyxel stuff a while ago, no need for the inferior z40......... an RB4011 kicks butt.......
If you paid extra for services then I can see you wanting to use it until they expire though.

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 4:30 pm
by SecCon
If you paid extra for services then I can see you wanting to use it until they expire though.
Exactly, got to around end of year worth of license. Then dump.

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 5:54 pm
by bpwl
A bit difficult to comment on this, as it all depends ... on what functions are used, how complex the LAN network is, on what is desired as new functionality.

Many setups are completely valid. Choosing the best might be a challenge.
Even more, I have never configured a Zyxel Firewall, so I don't know all the possibilities, e.g. being able to work in full transparent mode (like a Fortigate).

The @mkx setup with the MT as router is OK. The extra subnet is needed for the routing, if the Zyxel is still a router.
The setup with one subnet is also valid, but the RB1100 is used as a switch for this traffic. (No need to set up a gateway, just add all involved interfaces as bridge ports. Routing does not happen within the same subnet/netmask interfaces. DHCP server on the bridge.)

The paid-for license gives some functions like Kaspersky anti-virus, Intrusion detection and prevention, APP identification, malware detection, mail screening for spam .... these up-to-date filters do cost a yearly license fee. I have not seen an equivalent product for RouterOS. The cost will stop, but so will the protection.

Moving off some functions from the Zyxel should be no problem. (DHCP server, DNS cache, VPN tunnels, ...) even moving some functions off the ISP modem could be done (NAT?)

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 6:00 pm
by mkx
Subnets? I really don't get why?
To ensure packets flow in both directions via same path ... otherwise things can get messy.
I agree that this seems an unsolicited complication, but in the long term it would save you some time ...

ISP >
> Zyxel FW @ 192.168.1.2 (Cabling channels all the traffic through here) >
> MT RO @ 192.168.1.1 (DHCP server) >
> SW @ 192.168.1.3 >
> LAN at 192.168.1.1/24 (also a WiFi AP)

What will happen in this case is the following:
  • forward packet will travel: client (192.168.1.x) -> MT RO -> Zyxel FW -> ISP
  • return packet will travel: ISP -> Zyxel FW -> client ... MT RO will be bypassed.
As long as no firewall exists on MT it would be fine. However stateful firewall burps if it doesn't see all packets in both directions (many people had problems when introducing such routing triangles).

Making a separate subnet for Zyxel-MT would actually prepare the network topology for the time when you decide to ditch the Zyxel. Only the WAN side of MT would get changed. And of course MT has to get a decent firewall then ... since your RB1100 doesn't come with a default one, you'll have to construct one. I strongly suggest you go with the MT default, available on basic models; there are posts on this forum listing the config.
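The routing-triangle argument in the two mkx posts above can be checked mechanically. The following is an added example, not code from the thread or from either vendor: a small next-hop simulator that walks a packet through each topology and reports which hops it crosses. The hostnames, the client address 192.168.1.50, the transit subnet 192.168.2.0/24 and the WAN addresses 203.0.113.x are assumptions for illustration; NAT is abstracted away, so the reply is injected at the FW already translated back to the client's private address, which is the same in both designs.

```python
"""Added example: does the MikroTik sit on BOTH the forward and the return path?

Compares the one-subnet layout (FW and MT both in 192.168.1.0/24) with mkx's
two-subnet layout (MT-FW transit subnet 192.168.2.0/24 plus a static route on
the FW back to the LAN).  All addresses/hostnames below are assumptions.
"""
from ipaddress import ip_address, ip_network


class Node:
    def __init__(self, name, addrs, routes=()):
        self.name = name
        # Connected subnets, one per interface address ("a.b.c.d/len").
        self.ifaces = [ip_network(a, strict=False) for a in addrs]
        self.addrs = {ip_address(a.split("/")[0]) for a in addrs}
        # Static/default routes as (prefix, next_hop); longest prefix wins.
        self.routes = sorted(((ip_network(p), ip_address(nh)) for p, nh in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst):
        """Address the packet is handed to next, or None if we own `dst`."""
        if dst in self.addrs:
            return None
        if any(dst in net for net in self.ifaces):
            return dst  # on-link: ARP for dst and deliver directly, no router involved
        for prefix, nh in self.routes:
            if dst in prefix:
                return nh
        raise LookupError(f"{self.name}: no route to {dst}")


def path(nodes, start, dst):
    """Hop-by-hop walk from node `start` until the owner of `dst` is reached."""
    by_addr = {a: n for n in nodes.values() for a in n.addrs}
    node, hops, dst = nodes[start], [start], ip_address(dst)
    while (nh := node.next_hop(dst)) is not None:
        node = by_addr[nh]
        hops.append(node.name)
    return hops


def build(two_subnets, fw_static_route=True):
    """Construct either topology from the thread (assumed addressing)."""
    client = Node("client", ["192.168.1.50/24"], [("0.0.0.0/0", "192.168.1.1")])
    isp = Node("isp", ["203.0.113.1/24"])
    if not two_subnets:
        # SecCon's plan: MT and Zyxel share the LAN subnet.
        mt = Node("mt", ["192.168.1.1/24"], [("0.0.0.0/0", "192.168.1.2")])
        fw = Node("fw", ["192.168.1.2/24", "203.0.113.10/24"], [("0.0.0.0/0", "203.0.113.1")])
    else:
        # mkx's plan: transit subnet between MT and FW, FW routes the LAN via MT.
        mt = Node("mt", ["192.168.1.1/24", "192.168.2.2/24"], [("0.0.0.0/0", "192.168.2.1")])
        fw_routes = [("0.0.0.0/0", "203.0.113.1")]
        if fw_static_route:
            fw_routes.append(("192.168.1.0/24", "192.168.2.2"))  # "this one is important"
        fw = Node("fw", ["192.168.2.1/24", "203.0.113.10/24"], fw_routes)
    return {n.name: n for n in (client, mt, fw, isp)}


def both_directions_via(nodes, inspector="mt"):
    """Forward path client->ISP, return path FW->client (post de-NAT), and
    whether `inspector` (the would-be stateful firewall) sees both."""
    fwd = path(nodes, "client", "203.0.113.1")
    ret = path(nodes, "fw", "192.168.1.50")
    return fwd, ret, inspector in fwd and inspector in ret


def fw_needs_static_route():
    """Without the FW's route to the LAN subnet, the reply follows the FW's
    default route out toward the ISP instead of back to MT."""
    try:
        path(build(two_subnets=True, fw_static_route=False), "fw", "192.168.1.50")
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    for two in (False, True):
        fwd, ret, ok = both_directions_via(build(two))
        print(f"{'two' if two else 'one'} subnet(s): fwd={fwd} ret={ret} MT sees both={ok}")
    print("FW static route required:", fw_needs_static_route())
```

In the one-subnet run the return path is `fw -> client`, so any connection-tracking rule on the MT would see SYNs leaving and never see the replies; in the two-subnet run it is `fw -> mt -> client`. The RouterOS side of the two-subnet layout is just two `/ip address` entries on the MT (one per subnet), a DHCP server on the LAN interface and a default route to the FW's transit address; the FW needs a static route for the LAN prefix with the MT's transit address as gateway.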

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 7:44 pm
by SecCon
A bit difficult to comment on this, as it all depends ... on what functions are used, how complex the LAN network is, on what is desired as new functionality.
The local LAN is extremely simple. Only the basics; a bunch of IPs distributed from a DHCP.

Even more, I have never configured a Zyxel Firewall, so I don't know all the possibilities, e.g. being able to work in full transparent mode (like a Fortigate).
I don't get the comparison, but if I see issues I can't solve, I will most certainly put a hammer to it.

The @mkx setup with the MT as router is OK. The extra subnet is needed for the routing, if the Zyxel is still a router.
No, it won't be.

The setup with one subnet is also valid, but the RB1100 is used as a switch for this traffic. (No need to set up a gateway, just add all involved interfaces as bridge ports. Routing does not happen within the same subnet/netmask interfaces. DHCP server on the bridge.)
Again, why a subnet with the layout I have presented...?


The paid-for license gives some functions like Kaspersky anti-virus, Intrusion detection and prevention, APP identification, malware detection, mail screening for spam .... these up-to-date filters do cost a yearly license fee. I have not seen an equivalent product for RouterOS. The cost will stop, but so will the protection.
The licensing is actually divided by function; sure, you can get the whole shebang, but considering I already use antimalware on every local client it is just not needed and a waste of money. The IDP, which I do have, has yet to render a single hit in the logs after a couple of months of running... many millions of sessions, not a single report of anything in the log. I was beginning to consider it a hoax when another guy at the Zyxel forum published his logs, which were ample, to say the least.


even moving some functions off the ISP modem could be done (NAT?)
The ISP modem, as used, has pretty much zero functionality and only converts the signal from the fiberoptics to RJ45.

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 7:48 pm
by SecCon
Making separate subnet for Zyxel-MT would actually prepare network topology for the time when you decide to ditch Zyxel. Only WAN side of MT would get changed. And of course MT has to get decent firewall then ... since your RB1100 doesn't come with default, you'll have to construct one. I strongly suggest you to go with MT default, available on basic models, there are posts on this forum listing the config.

When I ditch the Zyxel i will just disconnect it and rewire the net thus:

ISP > MTRO > MTSW > LAN

and configure the MTRO's firewall functionality.

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Sun Jun 06, 2021 11:31 pm
by rextended
Facts: ZyWALL can not decrypt HTTPS, DoH, DoT, etc.
then: can not protect from new malware

Facts: ZyWALL can have some bad DNS list
then: ZyWALL can not see inside DoH, DoT, etc.
then: can not protect from visiting unwanted or risky sites

Facts: ZyWALL can not decrypt email sent or received via "STARTTLS" or other SSL/TLS transmission/reception methods.
then: ZyWALL can not see inside email
then: can not protect from old or new malware

Facts: ZyWALL can not decrypt social traffic (for ex. whatsapp)
then: ZyWALL can not see inside social traffic (for ex. whatsapp)
then: can not protect from idiot user

Facts: MikroTik can not do that either
then: The only thing both can do, and with success, is block IPs from blacklists.

If it were my network, what I would do until the subscription expires:
Get the ZyWALL out of the way.

But if someone insists on keeping it in play:
ISP "modem" -> ZyWALL "Hoax" -> RB1100Dx4 -> CRS326-24G-2S+ -> LAN
The ISP "modem" gives the public IP directly to the RB1100Dx4,
the ZyWALL "Hoax" checks the connection between the RB1100Dx4 and the ISP "modem",
the RB1100Dx4 already acts as firewall with the default rules and does the routing and NAT for the LAN,
the internal LAN is connected at wire speed.
ISP "modem" ether -> etherin ZyWALL "Hoax" etherout -> ether1 RB1100Dx4 ether2 -> ether1 CRS326-24G-2S+ (all remaining ether2..ether24) -> LAN

In future, when the ZyWALL "Hoax" is out of the way:
                        sfp1+ 
fiber cable ───────────────┐
               CRS326-24G-2S+          RB1100Dx4
sfp2+ unused          ││└─────────────────┘││  ether11 and ether12 unused
                      ││  ether24-ether13  ││
                      ││                   ││
                      │└───────────────────┘│
                      │    ether1-ether1    │
                      │                     │
                     LAN (ether1..23)      LAN (ether1..5) + limited speed (by CPU) LAN (ether6..10)
The ISP "modem" function (media converter) moves to the SFP+ on the CRS326-24G-2S+,
the RB1100Dx4 acts as "modem" and firewall with the default rules and does the routing and NAT for the LAN,
the internal LAN is connected at wire speed.
fiber cable -> sfp1 CRS326-24G-2S+ ether24 -> ether13 RB1100Dx4 ether1 -> ether1 CRS326-24G-2S+ (all remaining ether2..ether23) -> LAN

or better, if you also have an S-RJ01:
                        sfp1+ 
fiber cable ───────────────┐
               CRS326-24G-2S+          RB1100Dx4
                      ││   └──────────────┘││  ether11 and ether12 unused
                      ││   sfp2+ -ether13  ││
                      ││                   ││
                      │└───────────────────┘│
                      │    ether1-ether1    │
                      │                     │
                     LAN (ether1..24)      LAN (ether1..5) + limited speed (by CPU) LAN (ether6..10)


but if the ISP "modem" must remain, link it directly to the RB1100Dx4 on ether13
                                 ether13
fiber cable ──────────────────────────┐
                                      │
               CRS326-24G-2S+       RB1100Dx4
sfp1+ & sfp2+ unused  │└───────────────┘│  ether11 and ether12 unused
                      │  ether1-ether1  │
                      │                 │
                    LAN (ether1..24)  LAN (ether1..5) + limited speed (by CPU) LAN (ether6..10) 

but if the ISP "modem" must remain, and you have an S-RJ01 to use, the best is
                                 ether13
fiber cable ──────────────────────────┐
                                      │
               CRS326-24G-2S+       RB1100Dx4
sfp2+ unused          │    └───────────┘│  ether11 and ether12 unused
                      │  sfp1+ -ether1  │
                      │                 │
                    LAN (ether1..24)  LAN (ether1..5) + limited speed (by CPU) LAN (ether6..10) 


all considerations are based on the block diagrams of both devices:
https://i.mt.lv/cdn/product_files/RB110 ... 170842.png
https://i.mt.lv/cdn/product_files/CRS326_180248.png

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Mon Jun 07, 2021 6:07 pm
by SecCon
The Italian Job
Would you accept pizza and beer for job done?

Re: I have a dedicated FW that I wish to keep, but demote from being the Gateway placing a Mikrotik Router there in stea

Posted: Mon Jun 07, 2021 6:25 pm
by rextended
The Italian Job
Would you accept pizza and beer for job done?
Eh?

Thanks :))