Hi, another experiment.
Configuration 1: PF-AIR disabled, port forwarding works fine, I can reach the internet. Obviously load balancing doesn't work.
# 2024-04-26 19:51:28 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 interface=ether1-PF_AIR \
name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=\
sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
"' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
# PF-AIR not ready
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
routing print:
Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-O>
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TA
Av 0.0.0.0/0 PF-FTTC ip4 11 30 10
Ac 83.136.110.254/32 PF-FTTC ip4 0 10
Ac 172.16.0.0/16 bridge-LAN ip4 0 10
Ac 192.168.2.0/24 ether2-TIM ip4 0 10
Ac 192.168.10.0/24 vlan10-Ospiti ip4 0 10
Ac 192.168.11.0/24 vlan11-IoT ip4 0 10
Ac 192.168.12.0/24 ether5-LAN2 ip4 0 10
Ac 192.168.13.0/24 vlan13-Inaffidabile ip4 0 10
Ac 192.168.216.0/24 back-to-home-vpn ip4 0 10
As 0.0.0.0/0 PF-FTTC ip4 1 30 10
UsH 0.0.0.0/0 PF-AIR ip4 1 30 10
A H ether1-PF_AIR link 0
A H ether2-TIM link 0
A H ether5-LAN2 link 0
A H sfp1 link 0
A H ether6 link 0
A H bridge-LAN link 0
A H PF-FTTC link 0
A H lo link 0
A H back-to-home-vpn link 0
A H vlan10-Ospiti link 0
A H vlan11-IoT link 0
A H vlan13-Inaffidabile link 0
Configuration 2: I enable PF-AIR, but NOT the first two mangle rules below:
Schermata del 2024-05-05 10-28-32.png
Results: Load balancing works very well (speedtest.net gives 150Mbit/s and 30Mbit/s, so they're clearly getting summed up) but port forwarding doesn't work all the times. Sometimes I can reach a server only through a particular connection (either PF-AIR or PF-FTTC, it seems random) and sometimes I can't reach it at all, and sometimes it works through both. This changes in a matter of seconds.
# 2024-04-26 19:55:16 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 disabled=no interface=\
ether1-PF_AIR name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=\
sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
"' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
new-connection-mark=FTTC_conn
add action=mark-connection chain=input in-interface=PF-AIR \
new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Routing print:
Flags: A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TA
Av + 0.0.0.0/0 PF-AIR ip4 11 30 10
Av + 0.0.0.0/0 PF-FTTC ip4 11 30 10
Ac 83.136.109.254/32 PF-AIR ip4 0 10
Ac 83.136.110.254/32 PF-FTTC ip4 0 10
Ac 172.16.0.0/16 bridge-LAN ip4 0 10
Ac 192.168.2.0/24 ether2-TIM ip4 0 10
Ac 192.168.10.0/24 vlan10-Ospiti ip4 0 10
Ac 192.168.11.0/24 vlan11-IoT ip4 0 10
Ac 192.168.12.0/24 ether5-LAN2 ip4 0 10
Ac 192.168.13.0/24 vlan13-Inaffidabile ip4 0 10
Ac 192.168.216.0/24 back-to-home-vpn ip4 0 10
As 0.0.0.0/0 PF-FTTC ip4 1 30 10
As 0.0.0.0/0 PF-AIR ip4 1 30 10
A H ether1-PF_AIR link 0
A H ether2-TIM link 0
A H ether5-LAN2 link 0
A H sfp1 link 0
A H ether6 link 0
A H bridge-LAN link 0
A H PF-FTTC link 0
Configuration 3: same as config 2 but this time the two mangle rules below are enabled:
Schermata del 2024-05-05 10-33-04.png
# 2024-04-26 19:59:42 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 disabled=no interface=\
ether1-PF_AIR name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=\
sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
"' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark \
dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
new-connection-mark=FTTC_conn
add action=mark-connection chain=input in-interface=PF-AIR \
new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 \
in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Routing table:
[admin@MikroTik-VR] > /routing/route/print
Flags: A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
DST-ADDRESS GATEWAY AFI DISTANCE SCOPE TA
Av + 0.0.0.0/0 PF-AIR ip4 11 30 10
Av + 0.0.0.0/0 PF-FTTC ip4 11 30 10
Ac 83.136.109.254/32 PF-AIR ip4 0 10
Ac 83.136.110.254/32 PF-FTTC ip4 0 10
Ac 172.16.0.0/16 bridge-LAN ip4 0 10
Ac 192.168.2.0/24 ether2-TIM ip4 0 10
Ac 192.168.10.0/24 vlan10-Ospiti ip4 0 10
Ac 192.168.11.0/24 vlan11-IoT ip4 0 10
Ac 192.168.12.0/24 ether5-LAN2 ip4 0 10
Ac 192.168.13.0/24 vlan13-Inaffidabile ip4 0 10
Ac 192.168.216.0/24 back-to-home-vpn ip4 0 10
As 0.0.0.0/0 PF-FTTC ip4 1 30 10
As 0.0.0.0/0 PF-AIR ip4 1 30 10
A H ether1-PF_AIR link 0
A H ether2-TIM link 0
A H ether5-LAN2 link 0
A H sfp1 link 0
A H ether6 link 0
A H bridge-LAN link 0
A H PF-FTTC link 0
If I use the connection tracker, I see some of what I believe are incoming port forwarding connections (that I initiated from my phone) get stuck in TIMED WAIT.
Schermata del 2024-05-05 10-38-43.png
Thanks again
You do not have the required permissions to view the files attached to this post.