I'm looking for some guidance on my first Mikrotik router. Background is Cisco CCNA from many, many years ago.
Installation is a datacenter rack with a 1GB fiber cross-connect. I have the CCR2004-16G-2S+ with a MikroTik S+85DLC03D SFP+ module installed in the SFP+1 port. Starting off with one server connected via 1GbE to Ether1, with plans for future expansion to fill my rack (hopefully).
I've been provided with a /29 subnet x.x.x.176/29.
Gateway is to be x.x.x.177/29.
I want the first server to be on x.x.x.178.
.179-.181 will be for future server expansion and will be mapped to Ether2-4.
Ether 9-16 will be bridged for the LAN, running DHCP for the 10.100.100.0/24 network.
My first thought was to create a bridge for the WAN. Now that I'm further into the config, I'm second-guessing my setup. I would like to firewall these servers to allow only certain ports through. I'm not sure whether a bridge is the best way to do this or whether statically routing each address is better.
Note: I'm not out at the datacenter yet; I hope to set an appointment for installation by the end of this week. My config is purely theoretical at this point and I realize that much will need to be changed, so feel free to steer me away from my chosen pitfalls.
Note 2: the LAN part of this is not important. There will be no devices connected to the LAN; it is only for internal config, etc. DHCP is not needed — I was just setting it up to see it work.
Here is where I'm at so far:
/interface bridge
# bridge1_Internet joins the SFP+ uplink and the server ports (see /interface bridge port)
# into one L2 segment that this router addresses with x.x.x.177. Frames between the servers
# and the upstream are switched inside this bridge and never enter the /ip firewall filter
# forward chain, so the post's goal of allowing only certain ports to the servers is not met
# by this layout. Either enable "/interface bridge settings set use-ip-firewall=yes" (bridged
# traffic then passes the IP firewall; bridge hardware offload is no longer available) or keep
# the uplink out of the bridge and route to the servers. In both cases hosts that share a
# bridge can still reach each other at L2 without any filter.
add name=bridge1_Internet
# Management/LAN side, ether9-16, 10.100.100.0/24.
add name=bridge2_LAN
/interface ethernet
# Port names carry the last octet of the server address planned for each port
# (x.x.x.178-.181). The names are labels only; they do not bind any address.
set [ find default-name=ether1 ] name=ether1_S178
set [ find default-name=ether2 ] name=ether2_S179
set [ find default-name=ether3 ] name=ether3_S180
set [ find default-name=ether4 ] name=ether4_S181
# 10G uplink to the datacenter cross-connect.
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_WAN
/interface wireless security-profiles
# Default export artifact; the CCR2004-16G-2S+ has no wireless interface, so this has no effect.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Lease range for the LAN bridge; the post notes DHCP is only here for testing.
add name=dhcp_pool0 ranges=10.100.100.100-10.100.100.200
/ip dhcp-server
# Serves bridge2_LAN only; nothing on bridge1_Internet gets leases from this router.
add address-pool=dhcp_pool0 interface=bridge2_LAN lease-time=1d name=dhcp1
/port
# Serial console port names; not related to the network configuration.
set 0 name=serial0
set 1 name=serial1
/interface bridge port
# sfp-sfpplus1_WAN and ether1-4 share bridge1_Internet, so the uplink and the servers are one
# broadcast domain. Server<->upstream and server<->server traffic is switched here and does not
# pass /ip firewall filter unless bridge "use-ip-firewall" is enabled.
add bridge=bridge1_Internet interface=sfp-sfpplus1_WAN
add bridge=bridge1_Internet interface=ether1_S178
add bridge=bridge1_Internet interface=ether2_S179
add bridge=bridge1_Internet interface=ether3_S180
add bridge=bridge1_Internet interface=ether4_S181
# ether9-16: management LAN on bridge2_LAN.
add bridge=bridge2_LAN interface=ether9
add bridge=bridge2_LAN interface=ether10
add bridge=bridge2_LAN interface=ether11
add bridge=bridge2_LAN interface=ether12
add bridge=bridge2_LAN interface=ether13
add bridge=bridge2_LAN interface=ether14
add bridge=bridge2_LAN interface=ether15
add bridge=bridge2_LAN interface=ether16
/ip neighbor discovery-settings
# "!dynamic" means every static interface, which includes bridge1_Internet: MNDP/LLDP
# announcements (identity, RouterOS version, MAC) are sent toward the upstream and the
# servers. Once the install is done, limiting this to an interface list that holds only
# bridge2_LAN keeps that information off the public segment.
set discover-interface-list=!dynamic
/ip address
# First host of the /29 on the shared bridge; this is the default gateway the servers
# will point at. The default route below must NOT use this same address as next-hop.
add address=x.x.x.177/29 interface=bridge1_Internet network=x.x.x.176
# LAN-side gateway; the same address is handed to DHCP clients in /ip dhcp-server network.
add address=10.100.100.1/24 interface=bridge2_LAN network=10.100.100.0
/ip dhcp-server network
# Gateway handed to LAN clients; matches the bridge2_LAN address in /ip address.
add address=10.100.100.0/24 gateway=10.100.100.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for clients. It is reachable only
# from the LAN because the input chain drops everything not in the LAN address-list; if that
# rule is loosened, UDP/TCP 53 becomes an open resolver on the public /29.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
# LAN is the only list referenced by a filter rule below.
add address=10.100.100.0/24 comment="LAN Group " list=LAN
# WAN and SERVERS are defined but not used by any rule. SERVERS is the natural match
# (dst-address-list=SERVERS plus dst-port) for per-server allow rules once server traffic
# actually traverses the firewall.
add address=x.x.x.176/29 comment="WAN Group" list=WAN
add address=x.x.x.178-x.x.x.181 list=SERVERS
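/ip firewall filter
# INPUT chain: traffic addressed to the router itself.
add action=accept chain=input comment="Allow established INPUT traffic" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid INPUT connections" connection-state=invalid
add action=accept chain=input comment="Allow INPUT pings" protocol=icmp
# Everything not sourced from the LAN address-list is dropped here, so router services
# (DNS with allow-remote-requests=yes, management ports) are unreachable from the /29 and
# from the upstream. This rule is what keeps the router from being an open resolver.
add action=drop chain=input comment="Drop all non-LAN INPUT traffic" src-address-list=!LAN
# FORWARD chain: only routed traffic (bridge2_LAN <-> bridge1_Internet) passes here.
# Frames switched between the server ports and sfp-sfpplus1_WAN inside bridge1_Internet do
# not traverse this chain unless "/interface bridge settings set use-ip-firewall=yes" is
# enabled, so none of these rules currently restrict the servers.
add action=accept chain=forward comment="Allow established FORWARD traffic" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid FORWARD connections" connection-state=invalid
add action=accept chain=forward comment="Allow TCP HTTP port access from LAN to WAN" dst-port=80,443,8080,8443,9191,9443 out-interface=bridge1_Internet protocol=tcp src-address-list=LAN
add action=accept chain=forward comment="Allow TCP DNS port access from LAN to WAN" dst-port=53 out-interface=bridge1_Internet protocol=tcp src-address-list=LAN
add action=accept chain=forward comment="Allow UDP DNS port access from LAN to WAN" dst-port=53 out-interface=bridge1_Internet protocol=udp src-address-list=LAN
add action=accept chain=forward comment="Allow ICMP FORWARD" out-interface=bridge1_Internet protocol=icmp
# Catch-all. The previous version dropped only traffic leaving via bridge1_Internet; with
# RouterOS's default-accept policy, a new connection arriving from bridge1_Internet and
# routed toward bridge2_LAN was accepted. Dropping everything no rule above accepted makes
# the chain deny-by-default in both directions; return traffic is still let through by the
# established/related rule at the top.
add action=drop chain=forward comment="Drop all other FORWARD traffic"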
/ip firewall nat
# Masquerades routed traffic leaving via bridge1_Internet, i.e. the 10.100.100.0/24 LAN.
# Servers bridged onto bridge1_Internet use their public /29 addresses directly and are not
# NATed, because their traffic is switched rather than routed.
add action=masquerade chain=srcnat out-interface=bridge1_Internet
/ip route
# NOTE(review): gateway=x.x.x.177 is this router's own address on bridge1_Internet (see
# /ip address), so this default route points at itself and cannot forward anything. The
# next-hop has to be the upstream router's address supplied by the datacenter. If the
# provider's gateway is itself .177, then this router must not hold .177 and the /ip address
# entry needs a different host in the /29 instead.
# check-gateway=ping deactivates the route while the next-hop does not answer pings.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
x.x.x.177 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10