I'm new to Mikrotik and routerOs plateform.
I'll trying my best to describe my context and problem.
Context:
L009UiGs @ router OS V7.12.1
ETH1: WAN1(named ADSL)@192.168.10.5
ETH2: WAN2(named LTE)@192.168.8.1
ETHx: LAN@192.168.88.0/24
Currently, and according to youtube/forum help, I was able to create a failover configuration WAN1->WAN2.
What i'm trying to do is to redirect streaming traffic such as Youtube and Netflix to WAN2 which has more bandwith.
I try to follow @Anav advise, especially on MANGLE rule with TLS request.
I'm missing something because, I see trafic on rules when going on Youtube, but no video is buffered and no trafic occurs on WAN2.
I appreciate some help.
Code: Select all
# 2024-04-27 16:13:50 by RouterOS 7.12.1
# software id = **ELIDED**
#
# model = L009UiGS-2HaxD
# serial number = **ELIDED**
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
/interface list member
add comment=defconf disabled=no interface=bridge_lan list=LAN
add comment=defconf disabled=no interface=ADSL list=WAN
add comment=defconf disabled=no interface=LTE list=WAN
add disabled=no interface=wifi1 list=LAN
/ip dns
set address-list-extra-time=0s allow-remote-requests=yes cache-max-ttl=1w \
cache-size=2048KiB doh-max-concurrent-queries=50 \
doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 \
max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
query-server-timeout=2s query-total-timeout=10s servers=\
8.8.8.8,8.8.4.4,**ELIDED** use-doh-server="" \
verify-doh-cert=no
/ip firewall address-list
add address=192.168.8.1 disabled=no dynamic=no list=LTE
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate !connection-state \
!connection-type !content disabled=yes !dscp !dst-address \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
!out-bridge-port-list !out-interface !out-interface-list !packet-mark \
!packet-size !per-connection-classifier !port !priority !protocol !psd \
!random !routing-mark !src-address !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=jump chain=prerouting !connection-bytes !connection-limit \
connection-mark=no-mark !connection-nat-state !connection-rate \
!connection-state !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit dst-port=443 \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
!in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
!ipv4-options jump-target=DnsToMove !layer7-protocol !limit log=no \
log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \
!out-interface-list !packet-mark !packet-size !per-connection-classifier \
!port !priority protocol=tcp !psd !random !routing-mark !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time tls-host=*.googlevideo.com !ttl
add action=jump chain=prerouting !connection-bytes !connection-limit \
connection-mark=no-mark !connection-nat-state !connection-rate \
!connection-state !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit dst-port=443 \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
!in-interface in-interface-list=LAN !ingress-priority !ipsec-policy \
!ipv4-options jump-target=DnsToMove !layer7-protocol !limit log=no \
log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \
!out-interface-list !packet-mark !packet-size !per-connection-classifier \
!port !priority protocol=tcp !psd !random !routing-mark !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time tls-host=*.netflix.com !ttl
add action=add-dst-to-address-list address-list=Streaming_users \
address-list-timeout=12h chain=DnsToMove
add action=mark-connection chain=DnsToMove !connection-bytes \
!connection-limit connection-mark=no-mark !connection-nat-state \
!connection-rate !connection-state !connection-type !content disabled=yes \
!dscp !dst-address dst-address-list=Streaming_users !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list !in-interface in-interface-list=LAN \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" new-connection-mark=markStreamers !nth \
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
!packet-mark !packet-size passthrough=yes !per-connection-classifier \
!port !priority !protocol !psd !random !routing-mark !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !tls-host !ttl
add action=mark-routing chain=DnsToMove !connection-bytes !connection-limit \
connection-mark=markStreamers !connection-nat-state !connection-rate \
!connection-state !connection-type !content disabled=yes !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
!in-interface !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" \
new-routing-mark=ISP2 !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size passthrough=\
no !per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !src-address !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.10.5 pref-src="" routing-table=ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.8.1 routing-table=ISP2 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.5 \
pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.8.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
