Computer networks
VIVerCOM, 2018-03-28 07:57:23

Mikrotik: How to divide a network into two segments without changing IP addresses and without VLANs?

Hello.
Tell me, am I digging in the right direction?
Background:
There is a network. Servers and users are on the same subnet, 192.168.195.0/24. Physically, all servers are connected to one switch, and users (100+) to another.
The gateway is a Mikrotik RB3011 (192.168.195.1), which is connected to the switch with the servers.

Scheme (original) [image: 5ab9f43e92c42894847947.jpeg]

Ports used on the RB3011 are as follows:
ether1 - WAN1
ether2
ether3 - WAN2
ether4 - LAN2
ether5 - LAN1
remaining free
Task:
At this stage, the task is to separate the servers, prohibiting all traffic between users and servers except for allowed services and ports, and at the same time not change IP addresses, because a lot of self-written software and scripts reference the IPs of servers and users. You also need to take into account that the gateway will, in the near future, see increased load from VPN connections from several offices.
Possible Solution:
There was an idea to physically divide the network into two segments: servers in one segment (switch), users in another, and to insert a Mikrotik RB750Gr3 between the segments (there is a free hEX), which will block unnecessary traffic and at the same time take on the entire load of user-server communication. Accordingly, the RB3011 gateway will be unloaded. And since everyone uses a single gateway to access the Internet, when the segments are separated, one of them will be left without a connection to the gateway. Accordingly, you need to connect this segment using a free port on the RB3011. You also need to prohibit traffic between the network segments through the gateway, to avoid a loop, so that the segments are connected only through the hEX.
Idea scheme [image: 5ab9f451c9bb2356833979.jpeg]

Is the idea correct? And how is it best implemented (what filtering rules)?


4 answer(s)
Dmitry Tallmange, 2018-03-28
@p00h

If I understand the current picture correctly, then the solution is quite simple: traffic between two network segments, even on the same logical subnet, must go through the L3 device, and this path must be the only one.
There is a switch to which all clients are connected - Switch1.
There is a switch to which all servers are connected - Switch2.
There is an abstract Mikrotik with two ports: Lan1, Lan2.
We combine ports Lan1 + Lan2 in Bridge1.
On Bridge1 we hang the address 192.168.195.1.
Switch1 => Lan1. Switch2 => Lan2.
And that's it. All traffic between clients and servers goes through Bridge1. Any filtering rules and restrictions go there.

Dmitry, 2018-03-28
@Tabletko

If you physically divide the network into two segments, then you cannot avoid changing the IP addressing.

user2k, 2018-03-28
@user2k

Put the user addresses into an address list and the server addresses into another address list. Create a deny rule in forward where the source is users and the destination is server addresses, and above it add permissive rules for a specific user (or users) to a specific server and port.
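As an added example (not from the question or from any of the answers), the bridge approach above combined with user2k's address-list rules, in RouterOS CLI form; the port names, the address ranges and the single allowed service are assumptions:

```routeros
# Constructed example. Assumes ether5 (LAN1) goes to the users' switch and
# ether4 (LAN2) to the servers' switch; address ranges below are placeholders.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether5 comment="LAN1 - users switch"
add bridge=bridge1 interface=ether4 comment="LAN2 - servers switch"
/ip address
add address=192.168.195.1/24 interface=bridge1

# Frames switched between bridge ports are handled at L2 and never reach
# /ip firewall filter forward unless the bridge is told to pass them through it.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall address-list
add list=servers address=192.168.195.10-192.168.195.30 comment="constructed range"
add list=users address=192.168.195.100-192.168.195.250 comment="constructed range"

/ip firewall filter
# Return traffic of already-allowed sessions.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Specific permits go ABOVE the deny: one service on one server.
add chain=forward src-address-list=users dst-address-list=servers \
    dst-address=192.168.195.10 protocol=tcp dst-port=445 action=accept \
    comment="users -> file server SMB (placeholder)"
# Default deny between the segments, both directions, logged so that
# unexpected cross-segment attempts show up in /log.
add chain=forward src-address-list=users dst-address-list=servers \
    action=drop log=yes log-prefix="users->servers"
add chain=forward src-address-list=servers dst-address-list=users \
    action=drop log=yes log-prefix="servers->users"
```

With `use-ip-firewall=yes` every frame crossing between the two ports is processed by the CPU rather than the switch chip, which is exactly the load the asker wanted to move off the RB3011; the same configuration applies unchanged on the hEX placed between the switches.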

Dmitry Alexandrov, 2018-03-28
@jamakasi666

1) To begin with, split the networks physically: leave only the servers and the uplink to the second Mikrotik (on which the users will sit) on the main Mikrotik.
2) Give the server network 192.168.195.0/26, which gives 62 addresses, which should be more than enough.
3) Give the user networks 192.168.195.64/26, 192.168.195.128/26 and 192.168.195.192/26, naturally splitting these networks by ports.
4) Aggregate the subnets, or simply link them together as they are.
5) On the main Mikrotik, control who may go where.
The output will be a segmented network in which everything works the same as before, but it will be possible to manage the rules for segments or specific addresses without overloading the firewall with unnecessary rules.
