Proper router-behind-a-router solution

This might be a complete noob question, but what’s the by-the-book setup for putting your own router behind an ISP multi-box?

My use case:

  • SOHO - enable guests to use Wi-Fi but on a separate network range (employees aren’t supposed to use Wi-Fi for company needs).
  • 3 LANs (or VLANs): office LAN + CCTV (cameras only accessible on the internet through a security application in a Docker container and a reverse proxy) + Wi-Fi, with blocked communication between them.
  • Unraid/FreeNAS storage solution for LAN file sharing, but probably running a Nextcloud Docker container (and the previously mentioned CCTV solution), so a reverse proxy setup is needed for that container.

So far I’ve had a Mikrotik router (a simple RouterBoard hEX) behind the ISP router (MT WAN to ISP LAN port), since there was no need for reverse proxy or port forwarding, and it worked just fine (using Wi-Fi on the ISP box and everything else on the MT router), but now I would like to configure that properly - either using another (more capable) router or maybe even trying out Wendell’s “pfsense on an old machine” idea :)

My available equipment:

  • My ISP uses a FRITZ!Box 7590 multibox (router, switch, 2 Wi-Fi APs with advanced options like scheduled availability, …), but 3 of 4 RJ45s are used for UDP (IPTV).
  • managed Cisco SG-200 switch with PoE
  • Mikrotik CRS309 10Gb switch (for the 8 PCs with the highest file transfer loads).
  • TP-Link unmanaged 16-port Gigabit switch

Should I go with a double router config at all, or just use the ISP’s one, add my switches and configure firewall rules in the ISP box? I have no problem setting up a separate WAP on a VLAN if you tell me to put the ISP’s box into bridge mode (I’m not sure if that’s possible). But honestly I would prefer to have it on a physically separate network, with a router that has no known security issues.

Thanks to all in advance…


Put your router in the DMZ of the ISP provided one and do everything else the same as you normally would.

Your routerboard hex is certainly as capable as a typical pfsense solution would be.

That CRS309 can probably be used for basic DHCP or DNS if you wanted to in a pinch, but I wouldn’t bother and would use it as just a plain old L2 switch instead.

Ports on either Mikrotik don’t have a fixed function; you can use them entirely separately if you want, or you can group them so they act as a switch, or several switches if that’s what you need. By default on the hEX, port 1 would be separate and used for WAN, the remaining ports would form a group and act as a switch, and in configuration you’d only use the “master” port of such a group.

For your 3 VLANs you’d just need to make sure you have enough separate interfaces with their ports, and set up, for example, a DHCP server on each of your separate local subnets (or VLANs) and perhaps ensure that your firewall setup for each of these behaves well enough for what you need to use them for. Typically you’d have a bridge interface per VLAN. Perhaps you can even use 802.1q tags there if that’s what you need.

For Wi-Fi, typically, a single access point, over a single radio, would transmit beacons for multiple SSID networks on the same channel. Your clients could choose which one they want to associate with, and would use whatever Wi-Fi security settings the access point requires for that SSID. Once associated, network packets to/from Wi-Fi clients of different networks would be multiplexed over a single Ethernet cable out of the access point device using 802.1q VLAN tags. Typically untagged traffic going over that cable would be assigned to either the LAN or a “management” VLAN.

As Adubs says, you’d use the FRITZ!Box for as little as possible, you wouldn’t use Wi-Fi on it, and would just use the “DMZ feature” to automatically port forward any connections to the Mikrotik hEX. The Mikrotik hEX would then be in charge of dealing with port forwarding as the different use cases on your network require.

Ironically, IPv6 is more complicated to set up, because of the multiple ways of assigning addresses, or proxying address assignment or neighbor discovery to devices, but it is generally possible. It depends on what your ISP gives you and what the FRITZ!Box supports. With ADSL you might even have PPPoE involved somewhere and that might affect how you do IPv6 on your end.
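The layout Risk describes (ISP box forwarding everything to the hEX, one bridge carrying an 802.1q VLAN per network, a DHCP server per subnet, firewall rules that keep the VLANs from talking to each other, and a multi-SSID access point hanging off a tagged trunk port) written out as an added RouterOS configuration example. This is not Risk's or Mikrotik's code; the port assignments, VLAN ids, subnets, the reverse-proxy address and the assumption that the AP tags its own management traffic are all mine, chosen for illustration:

```routeros
# Added example, not from the thread. hEX behind the ISP box, RouterOS 6.41+ bridge VLAN filtering.
# Assumed layout: ether1 = WAN (to an ISP box LAN port), ether2 = office, ether3 = CCTV,
# ether4 = 802.1q trunk to a multi-SSID access point. Assumed VLANs/subnets:
#   10 office 192.168.10.0/24, 20 cctv 192.168.20.0/24, 30 guest Wi-Fi 192.168.30.0/24.
# Depending on the RouterOS version the hEX may do this filtering on the CPU rather than in the switch chip.

/interface bridge add name=bridge1 vlan-filtering=no comment="turn filtering on last, or you lock yourself out"

# Access ports: untagged frames are placed in the port's PVID.
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
# Trunk to the AP: only tagged frames accepted (assumed: the AP tags its management traffic with VLAN 10).
/interface bridge port add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged

# VLAN table: the bridge itself is tagged so the router can hold an address in each VLAN.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether4 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether4

# One L3 interface per VLAN, with address, pool and DHCP server.
/interface vlan add interface=bridge1 name=vlan10-office vlan-id=10
/interface vlan add interface=bridge1 name=vlan20-cctv vlan-id=20
/interface vlan add interface=bridge1 name=vlan30-guest vlan-id=30
/ip address add address=192.168.10.1/24 interface=vlan10-office
/ip address add address=192.168.20.1/24 interface=vlan20-cctv
/ip address add address=192.168.30.1/24 interface=vlan30-guest
/ip pool add name=pool-office ranges=192.168.10.100-192.168.10.199
/ip pool add name=pool-cctv ranges=192.168.20.100-192.168.20.199
/ip pool add name=pool-guest ranges=192.168.30.100-192.168.30.199
/ip dhcp-server add name=dhcp-office interface=vlan10-office address-pool=pool-office disabled=no
/ip dhcp-server add name=dhcp-cctv interface=vlan20-cctv address-pool=pool-cctv disabled=no
/ip dhcp-server add name=dhcp-guest interface=vlan30-guest address-pool=pool-guest disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
/ip dns set allow-remote-requests=yes

# WAN side: the hEX is just another DHCP client of the ISP box.
/ip dhcp-client add interface=ether1 disabled=no

/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=vlan10-office
/interface list member add list=LAN interface=vlan20-cctv
/interface list member add list=LAN interface=vlan30-guest

# Forward chain: LANs reach the internet, never each other; from WAN only what dst-nat explicitly forwards.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Assumed exception: the NAS running the CCTV application (192.168.10.50) may pull RTSP from the cameras.
add chain=forward action=accept src-address=192.168.10.50 out-interface=vlan20-cctv protocol=tcp dst-port=554
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN comment="no inter-VLAN traffic"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="only forwarded ports"
add chain=forward action=drop comment="default deny"
# Input chain: DHCP/DNS from every VLAN, router management from the office VLAN only.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=icmp
add chain=input action=accept in-interface=vlan10-office protocol=tcp dst-port=22,8291 comment="ssh/winbox"
add chain=input action=drop comment="default deny"

# NAT: masquerade out of the WAN port; publish the reverse proxy (assumed 192.168.10.50) on 443.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.10.50 comment="reverse proxy"

# Last step: switch the bridge to VLAN-filtering mode.
/interface bridge set bridge1 vlan-filtering=yes
```

The ISP box still has to send inbound traffic to the hEX's WAN address (whatever its "DMZ"/exposed-host option is called); the hEX then decides, via the dstnat rule and the matching forward rule, which single port actually reaches the proxy. Inter-VLAN blocking is done with the interface lists rather than by listing subnets, so adding a fourth VLAN only means adding it to the LAN list.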

Thanks for your replies Adubs and Risk.

The problem is that the FRITZ!Box doesn’t seem to have a DMZ function (haven’t found one in the manual). I’ve read about the bridge mode on it, but haven’t tried it in practice; besides, I don’t know what will happen to the 3 IPTV connections and 2 telephone lines also connected to the FRITZ!Box if I put it in bridge mode… I’m guessing it will shut down everything. It’s not a Mikrotik where you can configure each port separately.

I can’t use the CRS309 as a DHCP server since I lose the 10Gb capabilities if I do.

So I’m back at the beginning…

How do large companies solve that? I’m guessing they only get the modem, not the multipurpose box…