I'm having issues creating a set of mangle rules for a router which will have 2x separate WAN connections (eventually 3) for redundancy. Assume all three WAN connections will be dynamic IPs at this point.
It's only partly setup at the moment but the basic background for this setup:
3 VLANs - 20 will be guest wireless, 30 IP phones, and 40 will be CCTV.
Ether1 and Ether2 are WAN1 and WAN2 respectively.
Up until I created the routing tables there was something odd going on where I had internet access from a client machine via WAN1, but if I disabled WAN1 (forcing all traffic via WAN2), it would only work for another 15-20 seconds before WAN2 was unusable. I've made a change somehow which has resulted in a situation where there is flapping having recreated the IP routes. If I access config via IP address (rather than MAC address) it will connect for 10 seconds then disconnect for 20, then back again.
It's only partially setup still, so there's plenty to do, but just trying to set things up logically one step at a time!
Grateful of any pointers
Andy
Code: Select all
# apr/12/2024 12:45:28 by RouterOS 6.49.13
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = HEY09AX5MMT
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface vlan
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_VOIP vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
add interface=bridge1 name=vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_StaffMGMT
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_StaffMGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest datapath.client-to-client-forwarding=no datapath.vlan-id=20 datapath.vlan-mode=use-tag installation=indoor mode=ap name=cfg_GuestWifi security=security_Guest ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_StaffMGMT datapath.bridge=bridge1 installation=indoor mode=ap name=cfg_StaffMGMT security=security_StaffMGMT ssid=OldMill_Staff
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=vlan30_VOIP lease-time=4w2d name=dhcpVOIP
add disabled=no interface=vlan40_CCTV lease-time=4w2d name=dhcpCCTV
/ip pool
add name=dhcp_StaffMGMT ranges=10.10.100.1-10.10.199.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_VOIP ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
/ip dhcp-server
add address-pool=dhcp_StaffMGMT disabled=no interface=bridge1 lease-time=1w3d name=dhcpStaffMGMT
add address-pool=dhcp_Guest disabled=no interface=vlan20_Guest lease-time=1d name=dhcpGuest
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_StaffMGMT name-format=identity slave-configurations=cfg_GuestWifi
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether9
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=vlan20_Guest
add bridge=bridge1 interface=vlan30_VOIP
add bridge=bridge1 interface=vlan40_CCTV
/ip address
add address=10.30.0.1/16 interface=vlan30_VOIP network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=bridge1 network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
/ip dhcp-client
add add-default-route=no disabled=no interface=WAN1
add add-default-route=no disabled=no interface=WAN2
/ip dhcp-server lease
add address=10.10.0.11 mac-address=78:9A:18:2D:87:60 server=dhcpStaffMGMT
add address=10.10.0.101 client-id=1:d4:1:c3:57:47:2e mac-address=D4:01:C3:57:47:2E server=dhcpStaffMGMT
add address=10.10.0.102 client-id=1:d4:1:c3:57:20:3f mac-address=D4:01:C3:57:20:3F server=dhcpStaffMGMT
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
/ip firewall filter
add action=drop chain=input comment="Block guest access to router local ports" dst-address=10.20.0.0/16 dst-port=80,21,22,23,8291 protocol=tcp src-address-list=Guest
add action=drop chain=input dst-address=10.10.0.0/16 src-address-list=Guest
add action=drop chain=input dst-address=10.30.0.0/16 src-address-list=Guest
add action=drop chain=input dst-address=10.40.0.0/16 src-address-list=Guest
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=viaWAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=viaWAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=viaWAN1 new-routing-mark=viaWAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=viaWAN2 new-routing-mark=viaWAN2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=viaWAN1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=viaWAN2 passthrough=yes per-connection-classifier=both-addresses:1/0
add action=fasttrack-connection chain=forward connection-mark=no-mark connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1 src-address=10.10.0.0/16
add action=masquerade chain=srcnat out-interface=WAN2 src-address=10.10.0.0/16
add action=masquerade chain=srcnat out-interface=WAN1 src-address=10.20.0.0/16
add action=masquerade chain=srcnat out-interface=WAN2 src-address=10.20.0.0/16
add action=masquerade chain=srcnat out-interface=WAN1 src-address=10.30.0.0/16
add action=masquerade chain=srcnat out-interface=WAN2 src-address=10.30.0.0/16
add action=masquerade chain=srcnat out-interface=WAN1 src-address=10.40.0.0/16
add action=masquerade chain=srcnat out-interface=WAN2 src-address=10.40.0.0/16
/ip route
add distance=1 gateway=WAN1 routing-mark=viaWAN1
add check-gateway=ping distance=5 gateway=WAN1 routing-mark=viaWAN1
add distance=1 gateway=WAN2 routing-mark=viaWAN2
add distance=10 gateway=WAN2 routing-mark=viaWAN2
/ip route rule
add table=viaWAN1
add table=viaWAN2
add table=viaWAN3
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception