How to organize a LAN with a strict proxy and NAT behind it from the provider?
Dear colleagues, greetings!
A problem came up when switching to a provider, as ordered by the Ministry of Communications.
Background:
The primary provider supplies its own channel to the Rostelecom data center. Connecting to it is done, per their instructions, by statically assigning a range of private ("gray") addresses, installing a certificate and configuring a proxy on every workstation; as I understand it, NAT sits behind the proxy, so without these steps there is no Internet. The scheme does not work any other way: all my attempts to connect to the proxy from RouterOS on a Mikrotik through its web proxy and by installing the certificate on it have failed, and, as knowledgeable colleagues explained, the certificate has to be on each machine for the substitution to work correctly.
Essence:
How do I manage such a network, where the router effectively turns into a bridge (switch)? When I use my own subnet addressing, specify the required static settings and try to set up a web proxy on the Mikrotik, nothing works.
So I want to find out whether I can get control of the network back, or whether I have to have a "direct" link to the provider's gateway anyway.
What kind of miracles are these?
1. Do you have the provider's proxy address? / Is it on the same network as your Mikrotik?
2. Does your network have direct access to the ISP's proxy? / You do not want to configure the provider's proxy on all machines?
3. Read: here and here
Answer the questions after completing all 3 points.
We will decide.
If I understand correctly, the certificate here acts as a MITM for the provider's proxy? And there is also a requirement that all machines live on the provider's IP addresses? And you want to get at least some control over such a network?
If so, you can run your own DHCP that hands out the list of addresses the provider wants. Of course, I may get the configuration details wrong, but in theory it should be correct and should work.
Put the WAN port into the bridge together with all the other ports, and block the UDP/TCP traffic associated with a DHCP server with the firewall. Create a pool with the IPs the provider wants. Create a DHCP server with that pool on the bridge. Add any DHCP options you need, separate networks for, say, internal servers with shares, etc. Set up firewall rules to block all unnecessary access to the port where the provider lives. Set up the Mikrotik's DNS server, point it at the provider's and hand out the Mikrotik's IP to the local network. As a result, at this stage you will already be able to manage the network: do what you want, block things, see who received which addresses, etc.
Another option is classic double NAT: on the WAN port a static address that the provider wants, NAT, your own server network inside, etc.
There are also several options for the proxy.
You can wrap all the required proxy settings in PAC files and distribute them via DHCP. It can also be done not via DHCP but via the default domain name. The advantage is that you get a lot of settings, and at the DHCP level you can control which client gets which file.
It is also possible to redirect all requests to ports 80/443 to the provider's proxy IP in the firewall.
But if the certificate is used for MITM, then in any case you will have to push these certificates onto each machine by hand once.
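The bridge-plus-own-DHCP scheme from the answer above, written out as a RouterOS configuration. This is an added example, not the answerer's configuration and not anything from the thread; every address, interface name and port in it is an assumption (the provider's range 10.10.0.0/24 with gateway and proxy at 10.10.0.1:3128, the router at 10.10.0.2, an internal web server at 10.10.0.3 hosting the PAC file, ether1 as the uplink) and must be replaced with what the provider actually dictates.

```routeros
# Added example, not from the original thread. Implements: uplink and LAN in one bridge,
# our own DHCP handing out the provider's range, our own DNS, a firewall that limits what
# reaches the provider port, and PAC distribution via DHCP option 252 and a WPAD DNS name.
# ASSUMED values (replace them):
#   ether1          uplink to the provider ("the port where the provider lives")
#   ether2..ether5  LAN ports
#   10.10.0.0/24    the range the provider requires; 10.10.0.1 = provider gateway
#   10.10.0.1:3128  the provider's proxy (assumed to sit on the gateway)
#   10.10.0.2       this router
#   10.10.0.3       internal web server serving /proxy.pac (RouterOS cannot serve files itself)

# 1. One bridge with the uplink and all LAN ports; send bridged traffic through the IP
#    firewall so the /ip firewall rules below actually see it.
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether1
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5
/interface bridge settings set use-ip-firewall=yes

# 2. The router's own address inside the provider's range.
/ip address add address=10.10.0.2/24 interface=bridge-lan

# 3. Drop DHCP server traffic (src 67 -> dst 68) coming in from the provider side,
#    so only our DHCP server answers the LAN.
/interface bridge filter add chain=forward in-interface=ether1 mac-protocol=ip \
    ip-protocol=udp src-port=67 dst-port=68 action=drop comment="no foreign DHCP"

# 4. Our DHCP server: the pool is exactly the addresses the provider wants, the default
#    gateway is the provider's, DNS is this router, and option 252 points clients at the PAC.
/ip pool add name=pool-lan ranges=10.10.0.10-10.10.0.200
/ip dhcp-server option add name=wpad code=252 value="'http://10.10.0.3/proxy.pac'"
/ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1 \
    dns-server=10.10.0.2 dhcp-option=wpad
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan \
    authoritative=yes disabled=no

# 5. Router DNS: forwards to the provider, answers LAN clients, and publishes a WPAD name
#    for clients that discover the PAC by domain name rather than by DHCP.
/ip dns set servers=10.10.0.1 allow-remote-requests=yes
/ip dns static add name=wpad.corp.lan address=10.10.0.3

# 6. Traffic leaving toward the provider port: allow replies and the proxy, log and drop the rest.
/ip firewall filter add chain=forward out-bridge-port=ether1 \
    connection-state=established,related action=accept
/ip firewall filter add chain=forward out-bridge-port=ether1 protocol=tcp \
    dst-address=10.10.0.1 dst-port=3128 action=accept comment="provider proxy"
/ip firewall filter add chain=forward out-bridge-port=ether1 action=log log-prefix="to-isp-drop"
/ip firewall filter add chain=forward out-bridge-port=ether1 action=drop

# 7. Optional: steer plain HTTP from LAN clients that ignore the PAC into the proxy.
#    Only works if the provider's proxy accepts intercepted (transparent) traffic; see note below.
/ip firewall nat add chain=dstnat in-bridge-port=!ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.10.0.1 to-ports=3128 comment="transparent redirect"
```

Step 7 is deliberately limited to port 80. A dst-nat of port 443 into an explicit proxy port generally fails: an explicit proxy expects a CONNECT request, while an intercepted TLS client sends a ClientHello, so HTTPS still has to go through the proxy settings delivered by the PAC file (and, as the answer says, the MITM certificate still has to be installed on every machine). The double-NAT variant from the answer would instead put the provider's static address on ether1 alone, give the bridge a private subnet of its own, and add a `chain=srcnat out-interface=ether1 action=masquerade` rule; it is not shown here because the two layouts cannot coexist on the same interfaces.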