(2 Mikrotik + 1 Cisco ) & Mikrotik with 2 WANs PCC

Alein · January 14, 2018, 8:45pm

Hi.
I am a new user of Microtik devices, and I have some problems with understanding configuration.

First off all this is my initial configuration.

3 sites

3rd site Cisco RV82
Static IP + IPSEC to 1st and 2nd router

WAN: / site3.250
Local:192.168.97.0/24

2nd site Mikrotik CRS125-24G-1S
Static IP + IPSEC to 3rd router and EOIP with different subnets to 1st router.

WAN: / site2.171
Local:172.26.12.0/24

1.site Main router CRS

WAN1: / public.181
WAN2: /public.72 (Dynamic but not changing itself)
Local:172.26.10.0/24

There is a problem.

I have two WANS. My point was to use them with PCC.
But something is going wrong.

When I enable mangle rules I paralyze the whole network. I expect that problem is with mangle and routing, but I do not know where.
I was reading and watching a lot of tutorials, but they are not complete, there is always missing a lot of real world configuration.

I need also the possibility to forward ports from boths WANs to servers.

Extra Configuration
Perfect solution will use both WANS for IPSEC and EOIP (failover, or aggregation )

Perhaps someone knows how to configure it right.

jan/14/2018 21:09:33 by RouterOS 6.41

software id = I9R4-C4J1

model = CCR1016-12S-1S+

serial number =

/interface ethernet
set [ find default-name=sfp1 ] mac-address=00:16:B6:87:53:B8 name=
"sfp1 - T"
set [ find default-name=sfp2 ] name="sfp2 - U"
set [ find default-name=sfp3 ] disabled=yes
set [ find default-name=sfp4 ] disabled=yes
set [ find default-name=sfp5 ] disabled=yes
set [ find default-name=sfp6 ] disabled=yes
set [ find default-name=sfp7 ] disabled=yes
set [ find default-name=sfp8 ] disabled=yes
set [ find default-name=sfp9 ] disabled=yes
set [ find default-name=sfp10 ] disabled=yes
set [ find default-name=sfp11 ] name="sfp11 - GS_49"
set [ find default-name=sfp12 ] mac-address=6C:3B:6B:FA:07:15 name=
"sfp12 - GS_50"
set [ find default-name=sfpplus1 ] disabled=yes
/interface eoip
add !keepalive local-address=public.181 mac-address=02:84:FD:4A:72:AD
name=eoip-CHR2WRO remote-address=site2.171 tunnel-id=120
/interface bonding
add mode=802.3ad name="bond1-GS748T (LACP)" slaves=
"sfp11 - GS_49,sfp12 - GS_50" transmit-hash-policy=layer-3-and-4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc,null name=Cisco-RV pfs-group=modp768
add enc-algorithms=aes-128-cbc,camellia-128,null name=highspeed pfs-group=
modp768
/ip pool
add name=CHR ranges=172.26.10.0/24
add name=dhcp_pool1 ranges=172.26.10.201-172.26.10.250
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=
"bond1-GS748T (LACP)" lease-time=1h name=dhcp1
/port
set 2 baud-rate=9600 data-bits=8 flow-control=none name=usb3 parity=none
stop-bits=1
/snmp community
set [ find default=yes ] addresses=172.26.10.167/32 name=SNMPRO
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=172.26.10.254/24 interface="bond1-GS748T (LACP)" network=
172.26.10.0
add address=public.181/21 interface="sfp1 - T" network=...16.0
add address=192.168.251.1/30 interface=eoip-CHR2WRO network=192.168.251.0
/ip dhcp-client
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no
interface="sfp2 - U" use-peer-dns=no use-peer-ntp=no
add dhcp-options=hostname,clientid interface="sfp1 - T" use-peer-dns=no
use-peer-ntp=no
/ip dhcp-server lease

add address=172.26.10.9 client-id=1:0:26:ab:3d:c6:5a comment="Epson Printer"
mac-address=00:26:AB:3D:C6:5A server=dhcp1
/ip dhcp-server network
add address=172.26.10.0/24 dns-server=172.26.10.150,172.26.12.150 domain=
xyz.local gateway=172.26.10.254 netmask=24 ntp-server=172.26.10.150
wins-server=172.26.10.150
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall mangle
add action=mark-connection chain=input in-interface="sfp1 - T"
new-connection-mark="WAN-1 Mark Connection" passthrough=yes
add action=mark-connection chain=input in-interface="sfp2 - U"
new-connection-mark="WAN-2 Mark Connection" passthrough=yes
add action=mark-routing chain=output connection-mark="WAN-1 Mark Connection"
dst-address=!site3.250 new-routing-mark="WAN-1 Mark Routing"
passthrough=yes
add action=mark-routing chain=output connection-mark="WAN-2 Mark Connection"
new-routing-mark="WAN-2 Mark Routing" passthrough=yes
add action=accept chain=prerouting dst-address=...16.0/21 in-interface=
"bond1-GS748T (LACP)"
add action=accept chain=prerouting dst-address=...248.0/22 in-interface=
"bond1-GS748T (LACP)"
add action=mark-connection chain=prerouting dst-address=!172.26.12.0/24
dst-address-type=!local in-interface="bond1-GS748T (LACP)"
new-connection-mark="WAN-1 Mark Connection" passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address=!172.26.12.0/24
dst-address-type=!local in-interface="bond1-GS748T (LACP)"
new-connection-mark="WAN-2 Mark Connection" passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=
"WAN-1 Mark Connection" in-interface="bond1-GS748T (LACP)"
new-routing-mark="WAN-1 Mark Routing" passthrough=yes
add action=mark-routing chain=prerouting connection-mark=
"WAN-2 Mark Connection" in-interface="bond1-GS748T (LACP)"
new-routing-mark="WAN-2 Mark Routing" passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.97.0/24 src-address=
172.26.10.0/24
add action=accept chain=srcnat dst-address=172.26.12.0/24 src-address=
172.26.10.0/24
add action=masquerade chain=srcnat out-interface="sfp1 - T"
add action=masquerade chain=srcnat out-interface="sfp2 - UPC"
add action=dst-nat chain=dstnat dst-port=12345 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.200 to-ports=3389
add action=dst-nat chain=dstnat dst-port=65456 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.167 to-ports=65456
add action=dst-nat chain=dstnat dst-port=993 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.175 to-ports=993
add action=dst-nat chain=dstnat dst-port=995 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.175 to-ports=995
add action=dst-nat chain=dstnat dst-port=1723 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.150 to-ports=1723
add action=dst-nat chain=dstnat dst-port=444 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.175 to-ports=444
add action=dst-nat chain=dstnat dst-port=993 in-interface="sfp1 - T"
protocol=udp to-addresses=172.26.10.175 to-ports=993
add action=dst-nat chain=dstnat dst-port=61524 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.147 to-ports=61524
add action=dst-nat chain=dstnat dst-port=143 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.175 to-ports=143
add action=dst-nat chain=dstnat dst-port=65457 in-interface="sfp1 - T"
protocol=tcp to-addresses=172.26.10.161 to-ports=65457
add action=dst-nat chain=dstnat disabled=yes dst-port=64246 in-interface=
"sfp1 - T" protocol=tcp to-addresses=172.26.10.10 to-ports=64246
add action=dst-nat chain=dstnat disabled=yes dst-port=64200-64245
in-interface="sfp1 - T" protocol=tcp src-address=!172.26.10.0/24
to-addresses=172.26.10.10 to-ports=64200-64245
/ip ipsec peer
add address=site3.250/32 dh-group=modp768 enc-algorithm=aes-128
nat-traversal=no secret=very
add address=site2.171/32 dh-group=modp768 disabled=yes enc-algorithm=
aes-128 nat-traversal=no secret="very" send-initial-contact=no
/ip ipsec policy
add disabled=yes dst-address=172.26.12.0/24 proposal=highspeed
sa-dst-address=site2.171 sa-src-address=...132 src-address=
172.26.10.0/24 tunnel=yes
add disabled=yes dst-address=172.26.12.0/24 proposal=highspeed
sa-dst-address=site2.171 sa-src-address=public.181 src-address=
172.26.10.0/24 tunnel=yes
add disabled=yes dst-address=192.168.97.0/24 proposal=Cisco-RV
sa-dst-address=site3.250 sa-src-address=...132 src-address=
172.26.10.0/24 tunnel=yes
add dst-address=192.168.97.0/24 proposal=Cisco-RV sa-dst-address=
site3.250 sa-src-address=public.181 src-address=172.26.10.0/24
tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway="sfp1 - T" routing-mark=
"WAN-1 Mark Routing"
add check-gateway=ping distance=2 gateway="sfp2 - U" routing-mark=
"WAN-2 Mark Routing"
add distance=1 gateway=GTW_WAN1
add distance=1 dst-address=172.26.12.0/24 gateway=192.168.251.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/lcd
set color-scheme=dark
/snmp
set contact=none enabled=yes location=CHR trap-target=172.26.10.167
trap-version=2
/system clock
set time-zone-name=Europe
/system leds
add interface="sfp1 - T" leds=eth1-led type=interface-activity
add interface="sfp2 - UPC" leds=eth2-led type=interface-activity
add interface=sfp3 leds=eth3-led type=interface-activity
add interface=sfp4 leds=eth4-led type=interface-activity
add interface=sfp5 leds=eth5-led type=interface-activity
add interface=sfp6 leds=eth6-led type=interface-activity
add interface=sfp7 leds=eth7-led type=interface-activity
add interface=sfp8 leds=eth8-led type=interface-activity
add interface=sfp9 leds=eth9-led type=interface-activity
add interface=sfp10 leds=eth10-led type=interface-activity
add interface="sfp11 - GS_49" leds=eth11-led type=interface-activity
add interface="sfp12 - GS_50" leds=eth12-led type=interface-activity
add interface=sfpplus1 leds=eth0-led1 type=interface-speed
add interface=sfpplus1 leds=eth0-led2 type=interface-activity
/system logging
add disabled=yes topics=firewall
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=46.175.224.7 secondary-ntp=134.0.16.1
server-dns-names=""
/system routerboard settings