
WAN setup

Posted: Wed Aug 10, 2011 8:33 am
by supergeek
Hi forum,

I'm wanting to use a Mikrotik RB750 like a Dlink DIR-120, which has one WAN port and four ports in a switch.

Want to put this on a network where the computers can have internet - Mikrotik doing DHCP, DNS etc.

We don't want the computers to access anything on the WAN port, which is plugged into another local network which we don't want them to have access to.

Is this as simple as changing the NAT settings, or is it more difficult than that?

Thanks

Joseph

Re: WAN setup

Posted: Wed Aug 10, 2011 7:27 pm
by fewi
I'm not entirely sure I understand - how do the hosts on the network access the Internet if they can't get past the WAN port on the router? Will a different router on that network serve as the Internet gateway?

That said, you can block traffic between any of the ports via IP firewall filters. A very simple approach would be the below, which assumes the WAN port is called 'WAN', and the four other ports are slaved together via the switch chip with a logical interface called 'LAN':
/ip firewall filter
add chain=forward in-interface=LAN out-interface=WAN action=drop
add chain=forward in-interface=WAN out-interface=LAN action=drop

Re: WAN setup

Posted: Thu Aug 11, 2011 12:05 am
by supergeek
I sort of want it like a modem/router. I want the Mikrotik to do DHCP and DNS. Any Internet requests go out the WAN, but no access to the network on the other side.

Can this be done? And is this enough information?

Re: WAN setup

Posted: Thu Aug 11, 2011 12:15 am
by fewi
Now I understand.

Yes, you can do that. It isn't very good design since the traffic from the unsecure network behind the LAN ports of the Mikrotik has to traverse the secure network on the WAN side to get to the Internet. That is not ideal. It would be better if the two networks came off the same router - if the Mikrotik router was terminating the WAN directly, and the two LAN networks went through it. That way packets from the two LAN networks never have to touch/traverse each other.

However, you can firewall whatever you'd like. Assuming the network on the WAN side is 192.168.1.0/24, you could do this:
/ip firewall filter
add chain=forward out-interface=WAN dst-address=192.168.1.0/24 action=drop
That would drop all packets from the LAN network destined to hosts directly connected to the network on the WAN port.
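
A fuller RouterOS configuration around the rule above, as an added example that is not part of the original posts: it shows the DHCP, DNS and NAT pieces the question asks for, and why LAN clients have to use the router itself as their resolver once the drop rule is in place. The interface names WAN and LAN and the 192.168.1.0/24 WAN network come from the thread; the LAN subnet 192.168.88.0/24, the upstream resolver 192.168.1.1 and a DHCP-assigned WAN address are assumptions.

```routeros
# Added example. Assumed values (not from the thread): LAN subnet
# 192.168.88.0/24, upstream resolver 192.168.1.1, WAN address via DHCP.

# WAN: take address and default route from the upstream network,
# but keep control of which resolver the router uses.
/ip dhcp-client
add interface=WAN add-default-route=yes use-peer-dns=no disabled=no

# LAN: router address plus DHCP pool and server for the clients.
/ip address
add address=192.168.88.1/24 interface=LAN
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=lan-dhcp interface=LAN address-pool=lan-pool disabled=no

# Hand out the router itself as DNS server. If clients were given
# 192.168.1.1 directly, their queries would be forwarded traffic to
# 192.168.1.0/24 and the drop rule below would discard them.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# The router resolves on behalf of the clients. Its own upstream queries
# leave through the output chain, so the forward-chain drop does not
# affect them.
/ip dns
set allow-remote-requests=yes servers=192.168.1.1

# Hide the LAN behind the router's WAN address.
/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade

/ip firewall filter
# allow-remote-requests opens the resolver on every interface;
# do not answer DNS for the WAN-side network.
add chain=input in-interface=WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop
# The rule from the post above: LAN hosts cannot reach WAN-side hosts.
# Internet-bound packets have other destination addresses and pass,
# even though their next hop is a gateway inside 192.168.1.0/24.
add chain=forward out-interface=WAN dst-address=192.168.1.0/24 action=drop
```

Filter rules are evaluated top to bottom and the first match wins, so on a router with existing rules the forward drop has to sit above any rule that would accept the same traffic.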

Re: WAN setup

Posted: Thu Aug 11, 2011 2:11 am
by supergeek
Thanks fewi,

That works really well.

Thanks again.

Joseph