mikeleord
Topic Author

2 wan setting

Sat Mar 09, 2024 9:40 pm

Hi guys,
I need some help: I have two fiber lines on an RB5009, one from an operator at 1G and another at 2.5G.
I am posting my configuration; do you have any suggestions? Everything works and failover works, but the speed is slow, especially DNS, where I see an average of 184000 ms.

Thanks
# model = RB5009UG+S+
# RouterOS export as posted: dual WAN on an RB5009 (WAN-ORANGE via DHCP client, DIGI via
# pppoe-digi), LAN on bridgeLocal, AdGuard Home in a container on the "docker" bridge.
# Lines marked NOTE(review) describe what this export shows and flag points to confirm
# against the full running configuration. Rule order is significant throughout.

/interface list
# NOTE(review): list "WAN" is not referenced by any filter, mangle or NAT rule in this
# export; those rules match WAN-ORANGE and pppoe-digi by name. WAN-OUT is used only by
# the outbound port-restriction rule in /ip firewall filter.
add name=WAN
add name=LAN
add name=WAN-OUT

/ip pool
# DHCP range handed out on bridgeLocal (the router itself is 10.29.22.1, see /ip address).
add name=dhcp_pool0 ranges=10.29.22.20-10.29.22.50

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridgeLocal name=dhcpLocal

/routing table
# One FIB-backed table per WAN; selected by the mark-routing rules in /ip firewall mangle
# and filled by the per-table default routes in /ip route.
add disabled=no fib name=DIGI-table
add disabled=no fib name=ORANGE-table

/container
# AdGuard Home on veth1-adguard (bridged into "docker" below). 10.29.3.2, used as the
# DNS/DoH server further down, is presumably this container's address — its IP
# assignment is not part of this export. Note the two root-dir values differ in the
# leading slash (disk1/adguard vs /disk1/alpine).
add interface=veth1-adguard root-dir=disk1/adguard start-on-boot=yes workdir=/opt/adguardhome/work
# Idle alpine container kept alive with tail; veth2-speed is not a member of any bridge
# port or interface list in this export.
add cmd="tail -f /dev/null" interface=veth2-speed root-dir=/disk1/alpine

/interface bridge port
# SWITCH and ether3 form the LAN bridge; the AdGuard veth sits on its own "docker" bridge.
add bridge=bridgeLocal interface=SWITCH internal-path-cost=10 path-cost=10
add bridge=bridgeLocal interface=ether3 internal-path-cost=10 path-cost=10
add bridge=docker interface=veth1-adguard


/ip firewall connection tracking
# NOTE(review): 1s SYN timeouts are aggressive — a handshake that takes longer than 1s
# on either WAN may age out of the connection table before it completes.
# udp-timeout=10s also bounds how long a DNS query/response pairing is kept.
set tcp-syn-received-timeout=1s tcp-syn-sent-timeout=1s udp-timeout=10s

/interface list member
add interface=WAN-ORANGE list=WAN
add interface=WAN-DIGI list=WAN
add interface=bridgeLocal list=LAN
add interface=veth1-adguard list=LAN
# WAN-OUT holds the PPPoE interface for DIGI but the physical interface for ORANGE.
add interface=pppoe-digi list=WAN-OUT
add interface=WAN-ORANGE list=WAN-OUT
# vpn is treated as LAN here, but allowed_to_router and the DNS dst-nat rules below are
# scoped to bridgeLocal / 10.29.22.x only (see those sections).
add interface=vpn list=LAN

/ip address
# Router addresses on the LAN bridge, the container bridge and the vpn interface.
add address=10.29.22.1/24 interface=bridgeLocal network=10.29.22.0
add address=10.29.3.1/24 interface=docker network=10.29.3.0
add address=10.29.25.1/24 interface=vpn network=10.29.25.0

/ip dhcp-client
# ORANGE takes its address by DHCP but neither the default route nor DNS/NTP from the
# lease; the ORANGE default routes are added statically in /ip route.
add add-default-route=no interface=WAN-ORANGE use-peer-dns=no use-peer-ntp=no

/ip dns
# Router-side resolution goes to 10.29.3.2 (presumably AdGuard) over DoH. If that
# container is slow or down, every router-side lookup stalls — worth checking against
# the reported DNS latency. NOTE(review): whether the DoH certificate is verified
# (verify-doh-cert) is not shown in this export.
set servers=10.29.3.2 use-doh-server=https://10.29.3.2/dns-query

/ip firewall address-list
# Non-routable / reserved ranges; used below to drop spoofed sources on both WAN
# interfaces (forward chain only).
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
# Only bridgeLocal hosts may open new connections to the router (input chain below).
# docker (10.29.3.0/24) and vpn (10.29.25.0/24) hosts are not listed, so their new
# connections to the router are dropped unless rules outside this export allow them.
add address=10.29.22.2-10.29.22.254 list=allowed_to_router
# Filled only by the detect-ddos chain (see filter) and consumed by /ip firewall raw.
add list=ddos-attackers
add list=ddos-targets

/ip firewall filter
# NOTE(review): WireGuard is accepted on WAN-ORANGE only; there is no equivalent rule
# for pppoe-digi, so peers cannot reach the router over the DIGI line.
add action=accept chain=input comment="wireguard in" dst-port=13231 in-interface=WAN-ORANGE protocol=udp
# Egress allow-list: new outbound TCP to any port not listed is dropped and logged as
# DENY_OUT. TCP only — UDP egress is not restricted by this rule.
add action=drop chain=forward comment="solo porte in uscita" connection-state=!established,related dst-port=\
    !80,443,853,53,6011,6022,6021,993,25,465,8080,22,9001,81 log-prefix=DENY_OUT out-interface-list=WAN-OUT \
    protocol=tcp
# Input chain: established/related, hosts in allowed_to_router, ICMP; everything else
# addressed to the router is dropped (including new connections from docker and vpn).
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# FastTrack is disabled. Fasttracked packets skip mangle, so keeping it off is what
# keeps the PCC connection marks below effective for established flows.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# Anti-spoofing on both WAN ingress interfaces and on the LAN side (all logged).
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=\
    pppoe-digi log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=\
    WAN-ORANGE log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=\
    bridgeLocal log=yes log-prefix=LAN_!LAN src-address=!10.29.22.0/24
# NOTE(review): the forward chain has no terminating rule for new connections arriving
# from the WAN side (the RouterOS default set ends with
# `drop chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN`);
# anything not matched above is forwarded.
# icmp chain: permit the common control/error types, drop the rest.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# detect-ddos: connections within the dst-limit return; those exceeding it add both
# endpoints to the ddos-* lists for 10m. NOTE(review): no rule in this export jumps to
# detect-ddos, so the lists are never populated and the raw drop rule below is inert
# unless the jump lives outside this export.
add action=return chain=detect-ddos comment=ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack

/ip firewall mangle
# NOTE(review): in mangle, accept ends rule processing for the packet. This rule matches
# every packet entering from bridgeLocal before any mark rule runs, so the prerouting
# mark-connection / mark-routing rules for in-interface=bridgeLocal below are never
# reached for LAN traffic; LAN flows leave unmarked via the main table.
add action=accept chain=prerouting dst-address=0.0.0.0/0 \
    in-interface=bridgeLocal
# Inbound connections to the router are marked by the WAN they arrived on so the
# replies (mark-routing in the output chain below) leave through the same WAN.
add action=mark-connection chain=input connection-state=new in-interface=WAN-ORANGE new-connection-mark=\
    orange_conn passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=pppoe-digi new-connection-mark=\
    digi_conn passthrough=yes
# NOTE(review): the two halves of each PCC pair use different classifiers
# (both-addresses-and-ports for one, both-addresses for the other), so the buckets are
# not complementary: a new connection can match neither rule and stay unmarked, and the
# split between the WANs is uneven. Use the same classifier in both rules of a pair —
# here and in the prerouting pair that follows.
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=\
    orange_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=\
    digi_conn passthrough=yes per-connection-classifier=both-addresses:2/1
# LAN-originated PCC pair (currently shadowed by the accept rule at the top of prerouting).
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=\
    !local in-interface=bridgeLocal new-connection-mark=orange_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=\
    !local in-interface=bridgeLocal new-connection-mark=digi_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
# Connection mark -> routing table. Only the DIGI rules use passthrough=no.
add action=mark-routing chain=output connection-mark=orange_conn new-routing-mark=ORANGE-table passthrough=\
    yes
add action=mark-routing chain=prerouting connection-mark=orange_conn in-interface=bridgeLocal \
    new-routing-mark=ORANGE-table passthrough=yes
add action=mark-routing chain=output connection-mark=digi_conn new-routing-mark=DIGI-table passthrough=no
add action=mark-routing chain=prerouting connection-mark=digi_conn in-interface=bridgeLocal new-routing-mark=\
    DIGI-table passthrough=no
   
/ip firewall nat
# Source NAT per WAN egress interface.
add action=masquerade chain=srcnat out-interface=WAN-ORANGE
add action=masquerade chain=srcnat out-interface=pppoe-digi
# The container subnet is masqueraded regardless of egress interface.
add action=masquerade chain=srcnat src-address=10.29.3.0/24
# Transparent DNS redirect: port-53 TCP/UDP from the LAN bridge is sent to 10.29.3.2
# unless sourced from 10.29.3.2 itself. Scoped to bridgeLocal, so vpn clients are not
# redirected; clients using 853 (allowed outbound above) or DoH bypass it.
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface=bridgeLocal protocol=tcp src-address=\
    !10.29.3.2 to-addresses=10.29.3.2
add action=dst-nat chain=dstnat dst-port=53 in-interface=bridgeLocal protocol=udp src-address=!10.29.3.2 \
    to-addresses=10.29.3.2
    
/ip firewall raw
# Drops attacker->target pairs learned by detect-ddos before connection tracking; inert
# while those lists stay empty (see the detect-ddos note above).
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers

/ip firewall service-port
# FTP connection-tracking helper disabled.
set ftp disabled=yes

/ip route
# Main table: two default routes with equal distance (1) and no check-gateway, so
# unmarked traffic is shared between them per RouterOS's equal-distance handling and
# failover depends on the interface / PPPoE session actually going down.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=90.zz.yyy.x pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-digi pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# Per-WAN tables used by the mark-routing rules.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=90.zz.yyy.x pref-src="" routing-table=ORANGE-table \
    scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-digi pref-src="" routing-table=DIGI-table \
    scope=30 suppress-hw-offload=no target-scope=10
# Makes the ORANGE gateway subnet resolvable inside ORANGE-table.
add disabled=no distance=1 dst-address=90.zz.yyy.0/24 gateway=WAN-ORANGE pref-src="" routing-table=\
    ORANGE-table scope=30 suppress-hw-offload=no target-scope=10
# PPPoE far end (10.0.0.1) reachable inside DIGI-table.
add disabled=no distance=1 dst-address=10.0.0.1/32 gateway=pppoe-digi pref-src="" routing-table=DIGI-table \
    scope=30 suppress-hw-offload=no target-scope=10
# Pinned per-WAN routes to 8.8.8.8 / 9.9.9.9 — presumably for reachability probes
# (netwatch is not in this export). NOTE(review): this gateway is written out literally
# while the other ORANGE entries use the redacted 90.zz.yyy.x; if it is the same next hop,
# keep the two consistent.
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=90.84.231.1 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=9.9.9.9/32 gateway=pppoe-digi pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
anav

Re: 2 wan setting

Sat Mar 09, 2024 9:57 pm

My advice: stick to the basic default firewall rules and add very little, and fix the mangle rules — they are not correct.
 
mikeleord

Re: 2 wan setting

Mon Mar 11, 2024 3:42 pm

OK, thank you very much for the advice.
