Suggest me a firewall

[Randy_The_Squirrel]

No I have done the MTCNA and what not. Just a matter of actually being able to play and apply it. I'd like to do the MTCRE course Miro is having next month.

Yeah google can help, but there's a lot of yappies out there that post ****. Also, the Mikrotik forum is useless at best.

Step 1: Go to Scoop Distribution if you don't already have a router to play with
Step 2: Install Winbox
Step 3: Start playing, its really easy if you know something about how Linux handles TCP sockets (well for me it was)
Step 4: Yes the Mikrotik forum is useless, but this one can help you, I can try and help too.

 

[SauRoNZA]

As was already said and done all of this is possible with the Mikrotik you already have.

Just a case of configuring it properly.

 

[DMNknight]

You guys are forgetting that the Mikrotik mentioned above is single WAN port and made no suggestions as to an alternate device?

Essentially, the VLAN switch is the first item exposed to the internet before it hits the one NIC firewall. That's really tempting fate imho.

*edit* Just to be clear, which current mikrotik device are we talking about?

 

[Dirty Harry101]

The only way he has one LAN port is if he is using a Groove which I highly doubt. He should have a device with atleast 5 ports minimum.

 

[Genisys]

You guys are forgetting that the Mikrotik mentioned above is single WAN port and made no suggestions as to an alternate device?

Essentially, the VLAN switch is the first item exposed to the internet before it hits the one NIC firewall. That's really tempting fate imho.

*edit* Just to be clear, which current mikrotik device are we talking about?

It's actually a RB3011 I'm using.

As for the firewall, Vlans are isolated. It still works like independent NIC's over a single nic. Never have I been able to expose an of my Vlans over the Internet using this setup. The PPPoE connection was still on the firewall, only dialing over a vlan to the modem.

 

[Dirty Harry101]

Plenty of ports available.

 

[Genisys]

Plenty of ports available.

Yup, I suspect I'm just being impatient.

 

[Dirty Harry101]

Yup, I suspect I'm just being impatient.

PM sent dude.

 

[SauRoNZA]

You guys are forgetting that the Mikrotik mentioned above is single WAN port and made no suggestions as to an alternate device?

Essentially, the VLAN switch is the first item exposed to the internet before it hits the one NIC firewall. That's really tempting fate imho.

*edit* Just to be clear, which current mikrotik device are we talking about?

You can make any other LAN port a WAN port.

It's just not pre-configured like that.

****

And even then you could have one single WAN port with multiple PPPoE sessions on that port depending on the configuration/need here.

 

[Dirty Harry101]

You can make any other LAN port a WAN port.

It's just not pre-configured like that.

Correcto mundo

And even then you could have one single WAN port with multiple PPPoE sessions on that port depending on the configuration/need here.

I need to understand this. Why and how? Never seen this or the need for it? Not saying there isn't one, just used to the 2ports one for each WAN. Good to learn something new.

 

[DMNknight]

You can make any other LAN port a WAN port.

It's just not pre-configured like that.

****

And even then you could have one single WAN port with multiple PPPoE sessions on that port depending on the configuration/need here.

Nice... and powerful

 

[Genisys]

Also, the secondary connection is LTE, so Eth1 is for ADSL and Eth2 is for LTE.

 

[SauRoNZA]

Correcto mundo



I need to understand this. Why and how? Never seen this or the need for it? Not saying there isn't one, just used to the 2ports one for each WAN. Good to learn something new.

Well say you have two accounts with different configurations.

One Unshaped and Capped and the other Shaped but Uncapped.

You maybe want all your VOIP and Gaming traffic to be unshaped so you send all that traffic over one instead of the other.

You don't always need a physical secondary WAN. For that matter you could even assign two IP addresses to one WAN port that talks to a 3G and ADSL modem on the same interface and fails over between them.

Never done that but it should work in a pinch.

 

[Dirty Harry101]

But if you have two accounts, that means separate links yes? Separate ISP connections essentially, no matter who it is.
The way I see it, or am used to it is, one port, one connection. Well, that's how I have it anyway, with successful failover working.

I'll need to play with your config to see if it works ha ha. I do actually want to setup traffic shaping, but not 100% sure how.

Sorry OP for the hijack.

 

[Genisys]

But if you have two accounts, that means separate links yes? Separate ISP connections essentially, no matter who it is.
The way I see it, or am used to it is, one port, one connection. Well, that's how I have it anyway, with successful failover working.

I'll need to play with your config to see if it works ha ha. I do actually want to setup traffic shaping, but not 100% sure how.

Sorry OP for the hijack.

Also look at CHR. It is free and runs in a virtual machine, so if you break something, you can just set up a new instance.

 

[Dirty Harry101]

Nah stuff it, I'll break the on for work, then people can stop wasting time on takealot ha ha ha

 

[HApyM3al]

Well say you have two accounts with different configurations.

One Unshaped and Capped and the other Shaped but Uncapped.

You maybe want all your VOIP and Gaming traffic to be unshaped so you send all that traffic over one instead of the other.

You don't always need a physical secondary WAN. For that matter you could even assign two IP addresses to one WAN port that talks to a 3G and ADSL modem on the same interface and fails over between them.

Never done that but it should work in a pinch.

Thank you someone that knows what's up.

What you saying is 100% correct. Currently I am running 2x PPPoE over same Dsl line out one interface. You can run as much as you would like tbh. Any port on mikrotik can be a "wan" port.

Got few clients with Fibre and then Dsl as failover as well. Know people running 3 x Dsl lines out to 3 modems and works fine. That's again one Dsl line to one interface. But you can have multiple PPPoE over one line.

As for normal QoS stuff there is lots of guides and simple rules for this on Mikrotik forums. I'll post some later.

 

[SauRoNZA]

Thank you someone that knows what's up.

What you saying is 100% correct. Currently I am running 2x PPPoE over same Dsl line out one interface. You can run as much as you would like tbh. Any port on mikrotik can be a "wan" port.

Got few clients with Fibre and then Dsl as failover as well. Know people running 3 x Dsl lines out to 3 modems and works fine. That's again one Dsl line to one interface. But you can have multiple PPPoE over one line.

As for normal QoS stuff there is lots of guides and simple rules for this on Mikrotik forums. I'll post some later.

Yeah a great many ways to skin a cat with a Mikrotik.

Only thing I haven't managed to do is a PPPoE connection for VDSL with a tagged VLAN ID.

 

[The_Librarian]

A mikrotik on its own is fine, but when you want to log sites visited, block or filter certain web sites, do traffic graphs and so on, a smoothwall/pfsense is preferred.

Internet - mikrotik with basic firewall - smoothwall - network
Or just any way you prefer.

 

[Dirty Harry101]

A mikrotik on its own is fine, but when you want to log sites visited, block or filter certain web sites, do traffic graphs and so on, a smoothwall/pfsense is preferred.

Internet - mikrotik with basic firewall - smoothwall - network
Or just any way you prefer.

You can do the same with mikrotik, just depends how hands on you are. busy trying to sort that out now.