Prologue
Greetings network engineers out there! I would appreciate your help in the following scenario. I did some research, and I figured out only two solutions. And because one of them is not suitable for me, I need your help with the second.
Environment
I have 2 devices with 3 interfaces in total. Each interface is in a different VLAN. Here is an overview:
Name: DevA
Type: Red Hat Enterprise Linux (v7)
Interface #1: eth0 (xxx.xxx.215.222)

Name: DevB
Type: MikroTik RouterOS v6.42
Interface #1: ether1 (zzz.zzz.214.128)
Interface #2: ether2 (yyy.yyy.216.92)
Here we go with more details:
- Each of the 3 interfaces has a public static IP address.
- Each of the 3 interfaces has access to the internet.
- There are services running on DevA (let's say on ports 666 and 999, for example).
Goal
- DevB is accessible from internet only on ether1.
- Devices DevA and DevB are communicating with each other only through dedicated interfaces (eth0 and ether2).
- Services on DevA are accessible only through DevB, not directly from internet.
- If DevA wants to reach something on the internet (updates, for example), it must be reached directly. That means, if DevA initiates a connection, it goes directly to the internet.
- Services on DevA have to be visible to the public with DevB's ether1 IP address (if possible).
A VPN between DevA and DevB is not allowed. This is the solution which I mentioned earlier, and which is not suitable in this scenario. I will consider this only if there is no other option.
What do I have already
DevA - Firewall configuration
- allow all outgoing traffic on eth0
- allow all incoming traffic from ether2 to eth0
- allow all related and established connections
- drop everything else
DevA - Routing configuration
dst-address         pref-src           gateway          distance
0.0.0.0/0                              xxx.xxx.215.1    1
xxx.xxx.215.0/24    xxx.xxx.215.222    eth0             0
DevB - Firewall configuration
- allow all outgoing traffic on ether1 and ether2
- allow incoming traffic on ether1 for ports 666 and 999
- allow all incoming traffic from eth0 to ether2
- allow all related and established connections
- drop everything else
DevB - Routing configuration
dst-address         pref-src           gateway          distance
0.0.0.0/0                              zzz.zzz.214.1    1
zzz.zzz.214.0/24    zzz.zzz.214.128    ether1           0
xxx.xxx.215.0/24                       yyy.yyy.216.1    1
yyy.yyy.216.0/24    yyy.yyy.216.92     ether2           0
So, can you help me solve this puzzle?
I expect that more routes have to be configured on DevB (maybe NAT/masquerade as well?) and probably on DevA, too. Any ideas? If I forgot to mention something, just ask.
Thanks a lot.
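One way to meet the goals above without a VPN is a destination NAT on DevB's ether1 combined with a source NAT towards DevA on ether2. The dst-nat makes the services appear on DevB's ether1 address; the src-nat is what makes the constraint "DevA keeps its direct default route" work, because DevA then sees every published connection as coming from yyy.yyy.216.92 and sends its replies back to DevB over the dedicated link instead of straight to the client (which would break the translation). The following is an added example for RouterOS v6, not part of the question; it assumes the services are TCP and reuses the placeholder addresses from the question (substitute the real ones). The existing route to xxx.xxx.215.0/24 via yyy.yyy.216.1 already provides the path to DevA, so no further routes are needed for this.

```routeros
# Added example, not from the question. Assumes TCP services on 666/999 and
# the placeholder addresses used in the question. RouterOS v6 CLI syntax.

/ip firewall nat
# 1. Publish DevA's services on DevB's ether1 address: rewrite the destination
#    of new connections arriving on ether1 for 666/999 to DevA's eth0 address.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=666,999 \
    action=dst-nat to-addresses=xxx.xxx.215.222 \
    comment="publish DevA services via ether1"
# 2. Rewrite the source of those connections to ether2's own address, so that
#    DevA's replies are routed back to DevB over the dedicated link rather than
#    out DevA's default route directly to the client.
add chain=srcnat out-interface=ether2 dst-address=xxx.xxx.215.222 \
    protocol=tcp dst-port=666,999 \
    action=src-nat to-addresses=yyy.yyy.216.92 \
    comment="return path for published DevA services"

/ip firewall filter
# Forward chain: only the translated connections to 666/999 may cross from
# ether1 to ether2. Everything else forwarded between the interfaces is dropped.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 out-interface=ether2 \
    dst-address=xxx.xxx.215.222 protocol=tcp dst-port=666,999 \
    connection-state=new action=accept \
    comment="translated traffic to DevA services"
add chain=forward action=drop
```

Two points to check on the receiving side. First, the rule in the question that allows ports 666 and 999 on ether1 is an input-chain rule; the published traffic is forwarded, not delivered to DevB itself, so it is the forward-chain rule above that has to accept it. Second, with the src-nat in place DevA's "allow all incoming traffic from ether2 to eth0" rule can be tightened to accept only TCP 666 and 999 from source yyy.yyy.216.92 on eth0, which enforces "reachable only through DevB" at DevA as well. The trade-off of this approach is that DevA's service logs will show yyy.yyy.216.92 as the client for every connection; the real client addresses are only visible in the connection tracking or logging on DevB. For UDP services, change or add the protocol in the three matching rules.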