
Prologue

Greetings network engineers out there! I would appreciate your help in the following scenario. I did some research, and I figured out only two solutions. And because one of them is not suitable for me, I need your help with the second.


Environment

I have 2 devices with 3 interfaces in total. Each interface is in a different VLAN. Here is an overview:

Name: DevA
Type: Red Hat Enterprise Linux (v7)
Interface #1: eth0
Interface #1 IP: xxx.xxx.215.222

and

Name: DevB
Type: MikroTik RouterOS v6.42
Interface #1: ether1
Interface #1 IP: zzz.zzz.214.128
Interface #2: ether2
Interface #2 IP: yyy.yyy.216.92

Here we go with more details:

  • Each of the 3 interfaces has a public static IP address.
  • Each of the 3 interfaces has access to the internet.
  • There are services running on DevA (let's say on ports 666 and 999 for example).

Goal

  • DevB is accessible from the internet only on ether1.
  • Devices DevA and DevB are communicating with each other only through dedicated interfaces (eth0 and ether2).
  • Services on DevA are accessible only through DevB, not directly from the internet.
  • If DevA wants to reach something on the internet (updates, for example), it must be reachable directly. That means if DevA initiates a connection, it goes directly to the internet.
  • Services on DevA have to be visible to the public with DevB's ether1 IP address (if possible).
  • A VPN between DevA and DevB is not allowed. This is the solution I mentioned earlier, which is not suitable in this scenario. I will consider this only if there is no other option.


What do I have already

DevA - Firewall configuration

- allow all outgoing traffic on eth0
- allow all incoming traffic from ether2 to eth0
- allow all related and established connections
- drop everything else

DevA - Routing configuration

dst-address          pref-src            gateway           distance
0.0.0.0/0                                xxx.xxx.215.1     1
xxx.xxx.215.0/24     xxx.xxx.215.222     eth0              0

DevB - Firewall configuration

- allow all outgoing traffic on ether1 and ether2
- allow incoming traffic on ether1 for ports 666 and 999
- allow all incoming traffic from eth0 to ether2
- allow all related and established connections
- drop everything else

DevB - Routing configuration

dst-address          pref-src            gateway           distance
0.0.0.0/0                                zzz.zzz.214.1     1
zzz.zzz.214.0/24     zzz.zzz.214.128     ether1            0
xxx.xxx.215.0/24                         yyy.yyy.216.1     1
yyy.yyy.216.0/24     yyy.yyy.216.92      ether2            0

So, can you help me solve this puzzle?

I expect more routes have to be configured on DevB (maybe NAT/masquerade as well?) and probably on DevA, too. Any ideas? If I forgot to mention something, just ask.

Thanks a lot.

Josef Komjati

1 Answer


You should write a DNAT rule to forward traffic from DevB to DevA, and it is also a good idea to write a SNAT/MASQUERADE rule on DevB to make the forwarded traffic return back to DevB and then to the Internet. Like this:

DNAT :

/ip firewall nat add chain=dstnat protocol=tcp dst-address=zzz.zzz.214.128 dst-port=666,999 action=dst-nat to-addresses=xxx.xxx.215.222 comment="forward ports 666,999 on ether1 to DevA"

SNAT :

/ip firewall nat add chain=srcnat dst-address=xxx.xxx.215.222 action=masquerade comment="DevA sees DevB as the source so replies return via DevB"

BTW, it would be wise to put the 2 interfaces that should be connected to each other on the devices in the same VLAN and use invalid IP addresses to make them communicate with each other. (If possible!)

Arash
  • Thank you. I’ll configure what you suggested later on. I’ll keep you up to date :-) – Josef Komjati Apr 22 '18 at 12:26
  • It works; thank you for pointing me in the right direction. Actually, I am thinking about the last part you mentioned: `BTW, It would be wise putting the 2 interfaces that should be connected to each other on devices to same Vlan and using invalid IP addresses to make them communicate with each other. (If possible!)` - can you explain further please? – Josef Komjati Apr 23 '18 at 08:24
  • I'm talking about DevA eth0 and DevB ether2. These two may not need to have public IPs, if the interfaces are for communication between the devices. – Arash May 04 '18 at 10:19
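A fuller DevB configuration along the lines of the answer above, added here as an example and not part of Arash's answer or the question. It keeps the page's placeholders (xxx.xxx.215.222 for DevA eth0, ether1, ether2, ports 666 and 999) and assumes the published address is whatever ether1 holds, so it matches dst-address-type=local instead of hard-coding zzz.zzz.214.128.

```routeros
# Added example (not from the original thread): DevB (RouterOS v6) NAT and
# forward rules scoped to the interfaces and ports described in the question.
# xxx.xxx.215.222 = DevA eth0 (placeholder from the page).

# 1. Publish DevA's services on DevB's ether1 address.
#    in-interface=ether1 stops the rule from also matching traffic arriving on
#    ether2; dst-address-type=local matches DevB's own address on that interface.
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address-type=local \
    protocol=tcp dst-port=666,999 action=dst-nat to-addresses=xxx.xxx.215.222 \
    comment="publish DevA services via ether1"

# 2. Rewrite the source so DevA's replies return through DevB rather than going
#    straight back to the client. Scoped to ether2 so other traffic is untouched.
#    Side effect: DevA only ever sees DevB's ether2 address as the client, so
#    per-client logging or rate limiting has to happen on DevB, not on DevA.
/ip firewall nat add chain=srcnat out-interface=ether2 \
    dst-address=xxx.xxx.215.222 action=masquerade \
    comment="hide clients behind ether2 toward DevA"

# 3. Forward-chain filter: only the DNATed connections to the two service ports
#    may cross from ether1 to ether2; all other forwarded traffic is dropped.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="return traffic"
/ip firewall filter add chain=forward in-interface=ether1 out-interface=ether2 \
    connection-nat-state=dstnat protocol=tcp dst-address=xxx.xxx.215.222 \
    dst-port=666,999 action=accept comment="only published services reach DevA"
/ip firewall filter add chain=forward action=drop comment="drop other forwarding"
```

The question's DevB rule allowing ports 666 and 999 on ether1 is an input-chain rule; after DNAT the traffic traverses the forward chain instead, which is why the third group of rules is needed for the port restriction to actually apply.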