Networking with Mikrotik | Part 1: Small Office Setup (ISP Setup, Firewall, DNS, Port Forwarding, NAT)
Hi, welcome back. Today I am going to set up a Mikrotik Router for an office with some given requirements. Let’s see the network diagram.
Let’s see what we have over here.
We have an ISP that provides a real (public) static IP configuration.
IP: 103.125.125.140/22 (Used as Example) Class A IP
Gateway: 10.0.2.0
We have taken a Mikrotik Router which has 5 ports on it.
ISP Cable is Connected to Port 1 or Ether1
Ether2 or Port 2 Connected to a Switch.
On Ether3 or Port 3 Core Web Server is Connected (Which will be accessible online by anyone)
Ether4 or Port 4 Core Private Server is Connected (Which will be only accessed by office users)
The switch is a Mikrotik 24-Port Managed Switch.
On Port 1–6 = Connected to HR Department — Assigned VLAN: 1020
On Port 7–12 = Connected to Support Department — Assigned VLAN: 1040
On Port 13–18 = Connected to Accounts Department — Assigned VLAN: 1030
Those users will get their addresses by DHCP, each from a different IP block.
Home office users will connect to our system through a VPN. We will set up L2TP for this.
Let’s Config:
First we will configure the ISP connection on our router and make sure that the router has Internet access.
Login to your Mikrotik Router with Winbox.
In Default Config, you will get
IP: 192.168.88.1
User: admin
Password: blank
After you log in, click on Interface. You will be able to see something like this
As I am using VirtualBox, I am limited in the number of ports.
Let’s Delete the Default Config: System > Reset Configuration > No Default Configuration > Reset Configuration
In Command Line:
/system reset-configuration no-defaults=yes
Press Y and wait; it will reboot the router.
Now let’s config ISP on Ether1
We will go to IP > Addresses > + > 103.125.125.140/22 > Interface: ether1 > Apply > OK | The Network address will be filled in automatically.
In Command Line:
/ip address add address=103.125.125.140/22 interface=ether1
Gateway:
IP > Routes > + > Gateway:10.0.2.0 > Apply > OK
You will see that the route is reachable via ether1
In Command Line
/ip route add gateway=10.0.2.0
DNS:
We need to add DNS resolvers, or Internet hosts will not be reachable by name. Let’s add them.
IP > DNS > Servers > Click on Arrow Down Twice > 1st one will be 1.1.1.1 | 2nd one will be 8.8.8.8 > Apply > OK | I am using public DNS as the ISP didn’t give me any DNS servers. If they provide DNS servers, use those in place of the public DNS.
In Command Line
/ip dns set servers=1.1.1.1,8.8.8.8
Now Let’s configure our 2 core servers.
Core Web Server and Core Private Server will have IP
S1 IP: 192.168.10.10/24 | Will be open to the Internet
S2 IP: 192.168.10.20/24 | Will be restricted to the private (in-office) network
IP > Addresses > + > 192.168.10.10/24 > Interface: ether3 > Apply | OK
As Core Web Server connected to ether3.
IP > Addresses > + > 192.168.10.20/24 > Interface: ether4 > Apply | OK
As Core Private Server Connected to ether4
Let’s add a gateway:
IP > Routes > + > Gateway: 192.168.10.1
You will see it’s reachable to ether2 and ether3
We need to convert the private IP to a public IP. Let’s config the NAT in the firewall
IP > Firewall > NAT > + > Chain: srcnat > Action: masquerade > Apply | OK
It will convert the Private IP to Public IP and the Internet will be accessible to servers.
In Command Line
/ip firewall nat add chain=srcnat action=masquerade
Configure those IPs on the servers so that the servers get Internet access.
Now let’s set the firewall to forward ports 80 and 443 on the public IP to the core web server.
IP > Firewall > NAT > + > Chain: dstnat > Dst Address: 103.125.125.140 > Protocol: 6(TCP) > Dst Port: 80 > Action: dst-nat > To Addresses: 192.168.10.10 > To Ports: 80 > Apply > OK
In Command Line (the same rule for port 443; each port gets its own rule)
/ip firewall nat add chain=dstnat protocol=tcp dst-address=103.125.125.140 dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-ports=443
Now we have forwarded ports 80 and 443 to our core web server. So if anyone hits 103.125.125.140, they will see the content of the core web server.
- Note: If you see the Mikrotik web interface on the public IP when you hit port 80, you need to disable the Mikrotik web service or change its port. For that, go to IP > Services > Web > change the port from 80 to 5055 and change port 443 to 5056
- You can change them to any ports you want.
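A tighter version of the NAT rules above, together with filter rules, which the router does not have after a reset with no default configuration. This is an added example, not part of the original article: it assumes ether1 is the ISP port and reuses the article's example addresses, and it is meant to be used in place of the NAT rules above rather than in addition to them.

```routeros
# Added example (not from the original article). Assumes ether1 = ISP port.
/ip firewall nat
# The article's masquerade rule has no out-interface, so it rewrites the source
# of traffic leaving through every port. Scope it to the ISP port instead:
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT to ISP only"
# Port forwards: match only packets that arrive from the ISP for the public IP.
add chain=dstnat in-interface=ether1 dst-address=103.125.125.140 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.10.10 to-ports=80
add chain=dstnat in-interface=ether1 dst-address=103.125.125.140 protocol=tcp \
    dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-ports=443

/ip firewall filter
# Traffic routed THROUGH the router. With no filter rules at all, the router
# forwards any packet it can route, including towards 192.168.10.20.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept \
    comment="Internet -> web server, forwarded ports only"
add chain=forward in-interface=ether1 action=drop \
    comment="nothing else from the Internet is routed inside"
# Traffic TO the router itself (Winbox, web interface, DNS).
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop \
    comment="no router management from the Internet"
```

Rules are evaluated top to bottom, so anything on the router itself that must later be reachable from the Internet, such as the L2TP VPN planned for the next part, needs its own accept rule placed above the final input drop.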
Summary:
Today we checked the given network diagram and understood it. We set up the ISP config and the IPs, set up our core web and private server IPs and routes, and set up the NAT config and port forwarding.
In the next part, we will set up our office PCs and switch with VLANs and the VPN server. Till then, peace.