2 mikrotik and one CISCO RV082 redundant configuration

Alein · September 1, 2020, 2:32pm

HI,
I have 3 sites, and some big problems with connecting them togther.

1.CHR - 2 WANs ( 2 x cable) (Mikrotik) (1.1.1.1 and 2.2.2.2)

2.WRO - 1 WANs (cable) (Mikrotik) (3.3.3.3)

3.BYT - 2 WANs (cable + LTE) (cisco RV82) (4.4.4.4)

\

The goal is to configure VPN ( EOIP) between CHR and WRO in redundant mode.
I use 2 EOIP tunnels and bond them (from backup active to L3,4 LACP). but all the time’s something is wrong, the tunnel is not switching automatically to backup, many times EOIP tunnel is trying to go through the wrong WAN in CHR. Something is wrong with the mangle, routing I have no idea. The idea was, that EOIP for 1 WAN goes only through the correct 1 specific WAN. Since in WRO i have only one WAN, I expect that I messed something with this configuration.
2.I would like to have a backup VPN between CHR and BYT on IPSEC. RV82 has such an option for backup IP in a single tunnel, but Mikrotik is not able to recognize 2nd VPN with this same subnet and marking it in RED.
Also, I need to check and disable WAN with the issue. My main provider use unstable GW and further routers, As a result, recursive routing is not working all the time. The best way would be to check 2 IPs, GW, and public addresses for each WAN.

BONUS. BYT has 2nd WAN LTE. I would like to use it as a dial-in option, but this is just an idea for the future.

If someone of you has the knowledge to fix my issues, it would be great. I am not a Mikrotik specialist and this task seems to be a little tricky. Also, I am looking for a good book/ebook with more complex configuration and examples.

Diagram
https://ibb.co/NYgWXxw

Some rules,configurations are disabled please keep it in mind.

CHR

[admin@CHR-CCR1016] > export compact    
# sep/01/2020 15:20:56 by RouterOS 6.47.2
# software id = I9R4-C4J1
#
# model = CCR1016-12S-1S+
# serial number = 
/interface ethernet
set [ find default-name=sfp1 ] advertise=100M-full,1000M-full mac-address=00:16:B6:87:53:B8 name="sfp1 - TelPol"
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full name="sfp2 - UPC"
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp5 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp6 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp7 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp8 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp9 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp10 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp11 ] advertise=10M-full,100M-full,1000M-full name="sfp11 - GS_49"
set [ find default-name=sfp12 ] advertise=10M-full,100M-full,1000M-full name="sfp12 - GS_50"
set [ find default-name=sfpplus1 ] advertise=10M-full,100M-full,1000M-full disabled=yes
/interface eoip
add comment=EOIP-WRO-Telpol disabled=yes keepalive=5s,1 local-address=1.1.1.1 mac-address=02:84:FD:4A:72:AD name=EOIP-CHR2WRO-Telpol remote-address=3.3.3.3 tunnel-id=120
add !keepalive local-address=2.2.2.2 mac-address=02:84:FD:4A:72:AD name=EOIP-CHR2WRO-UPC remote-address=3.3.3.3 tunnel-id=121
/interface bonding
add mode=active-backup name="Bond-CHR-WRO (LACP)" primary=EOIP-CHR2WRO-Telpol slaves=EOIP-CHR2WRO-Telpol,EOIP-CHR2WRO-UPC
add mode=802.3ad name="bond1-GS748T (LACP)" slaves="sfp11 - GS_49,sfp12 - GS_50" transmit-hash-policy=layer-3-and-4
/ip dhcp-server option
add code=43 name=APC value=0x010431415043
add code=66 name=ESXi-66-BootServer value="'172.26.10.170'"
add code=67 name=ESXi-67-BootFilename value="'undionly.kpxe.vmw-hardwired'"
/ip dhcp-server option sets
add name=ESXi-AutoDeploy options=ESXi-66-BootServer,ESXi-67-BootFilename
/ip ipsec profile
add dh-group=modp1536,modp1024,modp768 enc-algorithm=aes-256,aes-192,aes-128,3des,des name=Cisco-RV
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name="MIkrotik - Hardware Acceleration"
/ip ipsec peer
add address=3.3.3.3/32 disabled=yes local-address=31.133.17.181 name=peer2 profile="MIkrotik - Hardware Acceleration"
add address=4.4.4.4/32 local-address=1.1.1.1 name=RezDent-Telpol passive=yes profile=Cisco-RV
add address=4.4.4.4/32 local-address=2.2.2.2 name=RezDent-UPC passive=yes profile=Cisco-RV
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des,null name=Cisco-RV pfs-group=modp768
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-128-cbc name="MIkrotik - Hardware Acceleration" pfs-group=ecp256
/ip pool
add name=CHR ranges=172.26.10.0/24
add name=dhcp_pool1 ranges=172.26.10.201-172.26.10.240
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface="bond1-GS748T (LACP)" lease-time=1h name=dhcp1
/port
set 2 baud-rate=9600 data-bits=8 flow-control=none name=usb3 parity=none stop-bits=1
/snmp community
set [ find default=yes ] addresses=172.26.10.167/32 name=yes
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set authentication=pap,chap default-profile=default
/ip address
add address=172.26.10.254/24 interface="bond1-GS748T (LACP)" network=172.26.10.0
add address=192.168.251.1/30 interface="Bond-CHR-WRO (LACP)" network=192.168.251.0
add address=192.168.251.5/30 disabled=yes interface=EOIP-CHR2WRO-Telpol network=192.168.251.4
add address=1.1.1.1/26 comment="New IP from TelPol" disabled=yes interface="sfp1 - TelPol" network=193.106.84.0
/ip dhcp-client
add disabled=no interface="sfp2 - UPC" use-peer-dns=no use-peer-ntp=no
add disabled=no interface="sfp1 - TelPol" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
*removed
/ip dhcp-server network
add address=172.26.10.0/24 dns-server=172.26.10.150,172.26.12.150 domain=xyz gateway=172.26.10.254 netmask=24 ntp-server=172.26.10.150 wins-server=172.26.10.150
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall address-list
add address=192.41.230.0/24 list=mBank
add address=172.26.12.0/24 list=WRO
add address=172.26.10.0/24 list=CHR
add address=192.168.97.0/24 comment="RezDent - VLAN Internal 5" list=RezDent
add address=172.26.10.231 list=Parents
add address=172.26.10.226 list=TS01
add address=172.26.10.167 list=OPManager
add address=193.106.84.0/26 list=TelPol-WAN-Subnet
add address=89.76.188.0/22 list=UPC-WAN-Subnet
add address=3.3.3.3 list=WRO-WAN
add address=2.2.2.2 list=UPC-WAN
add address=1.1.1.1 list=TelPol-WAN
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related disabled=yes
add action=drop chain=input dst-port=22 in-interface="sfp1 - TelPol" protocol=tcp
add action=drop chain=input dst-port=22 in-interface="sfp2 - UPC" protocol=tcp
add action=accept chain=input dst-port=8291 in-interface="sfp2 - UPC" protocol=tcp src-address=3.3.3.3
add action=accept chain=input dst-port=8291 in-interface="sfp2 - UPC" protocol=tcp src-address=4.4.4.4
add action=accept chain=input dst-port=8291 in-interface="sfp1 - TelPol" protocol=tcp src-address=4.4.4.4
add action=accept chain=input dst-port=8291 in-interface="sfp1 - TelPol" protocol=tcp src-address=3.3.3.3
add action=drop chain=input dst-port=8291 in-interface="sfp2 - UPC" protocol=tcp
add action=drop chain=input dst-port=8291 in-interface="sfp1 - TelPol" protocol=tcp
add action=drop chain=input disabled=yes dst-port=68 protocol=udp src-address=172.26.10.254 src-port=67
add action=drop chain=input disabled=yes dst-port=67 protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface="sfp2 - UPC" protocol=udp
add action=accept chain=input dst-port=500 in-interface="sfp1 - TelPol" protocol=udp
add action=accept chain=forward dst-address-list=RezDent src-address-list=CHR
add action=accept chain=forward dst-address-list=CHR src-address-list=RezDent
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec connections t1" disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec connections t1" disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=input comment="PCC Incomming WAN 1 -> WAN 1" in-interface="sfp1 - TelPol" new-connection-mark=WAN-1 passthrough=yes
add action=mark-connection chain=input comment="PCC Incomming WAN 2 -> WAN 2" in-interface="sfp2 - UPC" new-connection-mark=WAN-2 passthrough=yes
add action=mark-routing chain=output comment="PCC Connection Mark WAN 1 -> Route WAN 1" connection-mark=WAN-1 dst-address-list=!WRO new-routing-mark=WAN-1 passthrough=no
add action=mark-routing chain=prerouting comment="PCC Connection Mark WAN 1 -> Route WAN 1 - GRE" connection-mark=WAN-1 disabled=yes dst-address-list=WRO new-routing-mark=WAN-1 passthrough=no
add action=mark-routing chain=output comment="PCC Connection Mark WAN 2 -> Route WAN 2" connection-mark=WAN-2 dst-address-list=!WRO new-routing-mark=WAN-2 passthrough=no
add action=mark-routing chain=prerouting comment="PCC Connection Mark WAN 2 -> Route WAN 2 gre" connection-mark=WAN-2 disabled=yes dst-address-list=WRO new-routing-mark=WAN-2 passthrough=no
add action=mark-connection chain=postrouting comment="test for wan vpn gre" dst-address=3.3.3.3 new-connection-mark=WAN-1 out-interface="sfp1 - TelPol" passthrough=no protocol=gre src-address=1.1.1.1
add action=mark-connection chain=postrouting comment="test for wan vpn gre" dst-address=3.3.3.3 new-connection-mark=WAN-2 passthrough=no protocol=gre src-address=2.2.2.2
add action=mark-connection chain=output comment="test for wan vpn rezdent" dst-address=4.4.4.4 new-connection-mark=WAN-2 passthrough=yes src-address=2.2.2.2
add action=mark-connection chain=output comment="test for wan vpn rezdent" dst-address=4.4.4.4 new-connection-mark=WAN-1 passthrough=yes src-address=1.1.1.1
add action=mark-connection chain=prerouting comment=VPN in-interface=all-ppp new-connection-mark=WAN1-VPN passthrough=yes
add action=mark-connection chain=prerouting dst-address=3.3.3.3 in-interface="sfp1 - TelPol" new-connection-mark=WAN-1 passthrough=yes protocol=gre src-address=1.1.1.1
add action=mark-connection chain=prerouting dst-address=3.3.3.3 in-interface="sfp2 - UPC" new-connection-mark=WAN-2 passthrough=yes protocol=gre src-address=2.2.2.2
add action=mark-routing chain=prerouting comment="Force WAN-2 - TLX" dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-routing-mark=WAN-2 passthrough=yes src-address=172.26.10.235
add action=mark-routing chain=prerouting comment="Force WAN-1 - ts01" dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-routing-mark=WAN1-Route passthrough=no src-address=172.26.10.240
add action=mark-routing chain=prerouting comment="Force WAN-1 - PAP2T" disabled=yes dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-routing-mark=WAN-2 passthrough=no src-address=172.26.10.5
add action=mark-connection chain=prerouting comment="Force WAN-2 - Parents" disabled=yes dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-connection-mark=WAN-1 passthrough=yes src-address=172.26.10.208
add action=mark-routing chain=prerouting comment="Force WAN-1 - OpManager" disabled=yes dst-address=192.168.1.0/24 dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-routing-mark=WAN1-Route passthrough=no src-address=172.26.10.167
add action=mark-connection chain=prerouting comment="Working Force WAN1" disabled=yes dst-address-list=!WRO new-connection-mark=WAN-1 passthrough=yes src-address-list=OPManager
add action=mark-connection chain=prerouting comment="TelPol Force WAN1" disabled=yes dst-address-list=83.242.95.67 new-connection-mark=WAN1-Traffic passthrough=no
add action=accept chain=prerouting comment="PCC WAN 1" dst-address-list=TelPol-WAN-Subnet in-interface="bond1-GS748T (LACP)"
add action=accept chain=prerouting comment="PCC WAN 2" dst-address-list=UPC-WAN-Subnet in-interface="bond1-GS748T (LACP)"
add action=mark-connection chain=prerouting comment="PCC 4/0" connection-mark=no-mark disabled=yes dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-connection-mark=WAN-2 passthrough=yes per-connection-classifier=dst-address:4/0
add action=mark-connection chain=prerouting comment="PCC 4/1" connection-mark=no-mark disabled=yes dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-connection-mark=WAN-2 passthrough=yes per-connection-classifier=dst-address:4/1
add action=mark-connection chain=prerouting comment="PCC 4/2" connection-mark=no-mark disabled=yes dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-connection-mark=WAN-2 passthrough=yes per-connection-classifier=dst-address:4/2
add action=mark-connection chain=prerouting comment="PCC 4/3" connection-mark=no-mark disabled=yes dst-address-list=!WRO dst-address-type=!local in-interface="bond1-GS748T (LACP)" new-connection-mark=WAN-1 passthrough=yes per-connection-classifier=dst-address:4/3
add action=mark-routing chain=prerouting comment="PCC Connection Mark WAN 1 -> Route WAN 1" connection-mark=WAN-1 in-interface="bond1-GS748T (LACP)" new-routing-mark=WAN-1 passthrough=no
add action=mark-routing chain=prerouting comment="PCC Connection Mark WAN 2 -> Route WAN 2" connection-mark=WAN-2 in-interface="bond1-GS748T (LACP)" new-routing-mark=WAN-2 passthrough=no
add action=mark-connection chain=prerouting comment="WAN-2 - Routers" disabled=yes dst-address=89.76.188.1 new-connection-mark=WAN2-Traffic passthrough=no
add action=mark-connection chain=prerouting comment="WAN-2 - Routers" disabled=yes dst-address=89.75.4.1 new-connection-mark=WAN2-Traffic passthrough=no
add action=mark-connection chain=prerouting comment="WAN1 - Port Forward - return WAN1" connection-state=established,new in-interface="sfp1 - TelPol" new-connection-mark=WAN-1 passthrough=no
add action=mark-connection chain=prerouting comment="WAN2 - Port Forward - return WAN2" connection-state=established,new in-interface="sfp2 - UPC" new-connection-mark=WAN-2 passthrough=no
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.97.0/24 src-address=172.26.10.0/24
add action=accept chain=srcnat dst-address=172.26.12.0/24 src-address=172.26.10.0/24
add action=masquerade chain=srcnat out-interface="sfp1 - TelPol"
add action=masquerade chain=srcnat out-interface="sfp2 - UPC"
add action=dst-nat chain=dstnat comment="VDI-RDP - WAN1" dst-port=12345 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.240 to-ports=3389
add action=dst-nat chain=dstnat comment="VDI-RDP - WAN2" dst-port=12345 in-interface="sfp2 - UPC" protocol=tcp to-addresses=172.26.10.240 to-ports=3389
add action=dst-nat chain=dstnat comment=OpManager dst-port=65456 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.167 to-ports=65456
add action=dst-nat chain=dstnat comment=DesktopCentral dst-port=65455 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.135 to-ports=65455
add action=dst-nat chain=dstnat comment="Axigen - IMAPS - WAN1" dst-port=993 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.175 to-ports=993
add action=dst-nat chain=dstnat comment="WANOS - WAN1" dst-port=4050 in-interface="sfp1 - TelPol" protocol=udp to-addresses=172.26.10.132 to-ports=4050
add action=dst-nat chain=dstnat comment="Axigen - SMTPS - WAN1" dst-port=465 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.175 to-ports=465
add action=dst-nat chain=dstnat comment="Axigen - SMTP - WAN1" dst-port=25 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.175 to-ports=25
add action=dst-nat chain=dstnat comment="Axigen - SMTP - WAN2" dst-port=25 in-interface="sfp2 - UPC" protocol=tcp to-addresses=172.26.10.175 to-ports=25
add action=dst-nat chain=dstnat comment="NAS-X - FTP - WAN1" dst-address-type="" dst-port=65299-65400 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.10 to-ports=65299-65400
add action=dst-nat chain=dstnat comment="NAS-X - FTP - WAN2" dst-port=65299-65400 in-interface="sfp2 - UPC" protocol=tcp to-addresses=172.26.10.10 to-ports=65299-65400
add action=dst-nat chain=dstnat dst-port=995 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.175 to-ports=995
add action=dst-nat chain=dstnat dst-port=1723 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.150 to-ports=1723
add action=dst-nat chain=dstnat comment="Axigen - Webmail" dst-port=444 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.175 to-ports=444
add action=dst-nat chain=dstnat comment="Axigen - Webmail" dst-port=444 in-interface="sfp2 - UPC" protocol=tcp to-addresses=172.26.10.175 to-ports=444
add action=dst-nat chain=dstnat disabled=yes dst-port=993 in-interface="sfp1 - TelPol" protocol=udp to-addresses=172.26.10.175 to-ports=993
add action=dst-nat chain=dstnat comment=OwnCloud dst-port=61524 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.147 to-ports=61524
add action=dst-nat chain=dstnat dst-port=143 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.175 to-ports=143
add action=dst-nat chain=dstnat comment="ServiceDesk - WAN1" dst-port=65457 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.161 to-ports=65457
add action=dst-nat chain=dstnat comment="ServiceDesk - WAN2" dst-port=65457 in-interface="sfp2 - UPC" protocol=tcp to-addresses=172.26.10.161 to-ports=65457
add action=dst-nat chain=dstnat disabled=yes dst-port=64246 in-interface="sfp1 - TelPol" protocol=tcp to-addresses=172.26.10.10 to-ports=64246
add action=dst-nat chain=dstnat disabled=yes dst-port=64200-64245 in-interface="sfp1 - TelPol" protocol=tcp src-address=!172.26.10.0/24 to-addresses=172.26.10.10 to-ports=64200-64245
add action=dst-nat chain=dstnat comment="owncloud - internal connection redirect" dst-port=61524 protocol=tcp to-addresses=172.26.10.147
add action=masquerade chain=srcnat comment="owncloud - internal connection" dst-address=172.26.10.174 dst-port=61524 out-interface="bond1-GS748T (LACP)" protocol=tcp src-address=172.26.10.0/24
/ip ipsec identity
add peer=RezDent-Telpol secret=yes!
add peer=RezDent-UPC secret=yes!
/ip ipsec policy
add dst-address=192.168.97.0/24 peer=RezDent-UPC proposal=Cisco-RV sa-dst-address=4.4.4.4 sa-src-address=2.2.2.2 src-address=172.26.10.0/24 tunnel=yes
add dst-address=192.168.97.0/24 peer=RezDent-Telpol proposal=Cisco-RV sa-dst-address=4.4.4.4 sa-src-address=1.1.1.1 src-address=172.26.10.0/24 tunnel=yes
/ip route
add check-gateway=ping comment="WAN-1 Route" distance=1 gateway=193.106.84.1 routing-mark=WAN-1
add check-gateway=ping comment="WAN-2 Route" distance=1 gateway=89.76.188.1 routing-mark=WAN-2
add disabled=yes distance=1 gateway=89.76.188.1 routing-mark=WAN2-Route,VPN-Route
add check-gateway=ping comment="wan1 recursive" disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=193.106.84.1 target-scope=40
add distance=1 dst-address=172.26.12.0/24 gateway=192.168.251.2
add check-gateway=ping comment="WAN1-recursive routing-check" disabled=yes distance=1 dst-address=193.106.84.1/32 gateway=8.8.4.4 target-scope=40
/ip route rule
add action=drop disabled=yes dst-address=8.8.8.8/32 interface="sfp2 - UPC" routing-mark=WAN2-Route
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set backlight-timeout=2h color-scheme=dark
/snmp
set contact=no enabled=yes location=CHR trap-target=172.26.10.167
/system clock
set time-zone-name=Europe/Warsaw
/system health
set use-fan=auxiliary
/system identity
set name=CHR-CCR1016
/system leds
set 12 interface=EOIP-CHR2WRO-Telpol leds=sfpplus1-led2 type=interface-activity
set 13 interface="bond1-GS748T (LACP)" leds=user-led
/system logging
set 1 action=disk
add disabled=yes topics=firewall
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes server-dns-names=0.europe.pool.ntp.org,1.north-america.pool.ntp.org,1.pool.ntp.org,0.pool.ntp.org,1.pl.pool.ntp.org,3.pl.pool.ntp.org
/system routerboard settings
# Warning: cpu not running at default frequency
set auto-upgrade=yes cpu-frequency=400MHz
/system scheduler
add interval=3d name=schedule1 on-event=DHCP-Backup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=apr/18/2018 start-time=12:10:06
add interval=1d name=schedule_autoupdate on-event="/system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 1s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=apr/24/2018 start-time=05:00:00
/system script
add comment="/import file-name=dhcp" dont-require-permissions=no name=DHCP-Backup owner=admin policy=ftp,read,write,policy,test,password,sniff,sensitive,romon source="/ip dhcp-server lease export file=CHR-DHCP_BCK"
/tool e-mail
set address=smtp.gmail.com from=outgoing@ password=yes! port=587 start-tls=yes user=outgoing@
/tool netwatch
add host=8.8.4.4
[admin@CHR-CCR1016] >

WRO

[admin@MikroTik] > export compact                                                                                                                                                         
# sep/01/2020 15:23:20 by RouterOS 6.48beta27
# software id = UNUM-70B8
#
# model = CRS125-24G-1S
# serial number = 
/interface bridge
add admin-mac=4C:5E:0C:95:2A:45 auto-mac=no mtu=1500 name=bridge-WRO protocol-mode=none
/interface ethernet

/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface="ether2-FineMedia Gateway" keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=FineMedia password=yes! user=FMPPP_0005840@
/interface eoip
add disabled=yes keepalive=5s,1 local-address=3.3.3.3 mac-address=02:22:AB:F0:B2:AB name=EoIP-WRO2CHR-Telpol remote-address=1.1.1.1 tunnel-id=120
add !keepalive local-address=3.3.3.3 mac-address=02:22:AB:F0:B2:AB name=EoIP-WRO2CHR-UPC remote-address=2.2.2.2 tunnel-id=121
/interface bonding
add mode=active-backup name="Bond-CHR-WRO (LACP)" primary=EoIP-WRO2CHR-Telpol slaves=EoIP-WRO2CHR-Telpol,EoIP-WRO2CHR-UPC
add mode=802.3ad name=TS120s-DS slaves="ether23 - vmnic2,ether24 - vmnic3" transmit-hash-policy=layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=ESXi-66-BootServer value="'172.26.10.170'"
add code=67 name=ESXi-67-BootFilename value="'undionly.kpxe.vmw-hardwired'"
add code=66 name=tftp-server value="'172.26.10.170'"
add code=67 name=file value="'undionly.kpxe.vmw-hardwired'"
/ip dhcp-server option sets
add name=ESXi-AutoDeploy options=ESXi-66-BootServer,ESXi-67-BootFilename
add name=set1 options=file,tftp-server
/ip ipsec profile
add dh-group=modp768 enc-algorithm=aes-128 name=profile_1 nat-traversal=no
add dh-group=modp768 enc-algorithm=aes-128 name=profile_2 nat-traversal=no
add dh-group=modp768 enc-algorithm=aes-128 name=profile_3 nat-traversal=no
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name="MIkrotik - Hardware Acceleration"
/ip ipsec peer
add address=4.4.4.4/32 local-address=3.3.3.3 name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5,null enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des,null pfs-group=modp768
add enc-algorithms=aes-128-cbc,camellia-128,null name=highspeed pfs-group=modp768
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-128-cbc name="MIkrotik - Hardware Acceleration" pfs-group=ecp256
add enc-algorithms=aes-128-cbc,null name=CISCO-RV pfs-group=modp768
/ip pool
add name=WRO-Pool ranges=172.26.12.200-172.26.12.230
/ip dhcp-server
add add-arp=yes address-pool=WRO-Pool authoritative=after-2sec-delay dhcp-option-set=set1 disabled=no interface=bridge-WRO lease-time=3h name=dhcp1
/ppp profile
add comment=VPN-test name=VPN-P use-compression=no use-encryption=required use-mpls=no
/queue simple
add disabled=yes name=CHR packet-marks=no-mark priority=2/2 target=172.26.10.0/24
add name=Main packet-marks=no-mark priority=2/2 target=""
add name=P2P packet-marks=P2P priority=7/7 target=""
add name=RSync packet-marks=RSync target=""
/snmp community
set [ find default=yes ] addresses=172.26.10.167/32 name=yes
/system logging action
set 0 memory-lines=10000

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip address
add address=172.26.12.254/24 interface="ether3 - master" network=172.26.12.0
add address=192.168.251.2/30 interface="Bond-CHR-WRO (LACP)" network=192.168.251.0
add address=192.168.251.6/30 disabled=yes interface=EoIP-WRO2CHR-Telpol network=192.168.251.4
add address=192.168.245.254/24 disabled=yes interface="ether7 - NAS-C-1" network=192.168.245.0
/ip dhcp-server lease

/ip dhcp-server network
add address=172.26.12.0/24 dns-server=172.26.12.150,172.26.10.150 domain=yes gateway=172.26.12.254 ntp-server=172.26.12.150 wins-server=172.26.12.150
/ip dns
set allow-remote-requests=yes servers=172.26.12.150,172.26.10.150
/ip firewall address-list
add address=192.168.123.1 list=Test1
add address=192.168.123.2 list=Test1
add address=192.168.123.3 list=Test1
/ip firewall filter
add action=drop chain=input comment="Block 22" dst-port=22 in-interface=FineMedia protocol=tcp
add action=drop chain=input comment="Block winbox" dst-port=8291 in-interface=FineMedia protocol=tcp
/ip firewall mangle
add action=mark-packet chain=forward disabled=yes new-packet-mark=vCenter passthrough=yes src-address=172.26.10.0/24
add action=mark-packet chain=prerouting comment="Bittorent P2P" disabled=yes new-packet-mark=P2P passthrough=yes protocol=udp src-port=65513-65514
add action=mark-connection chain=forward disabled=yes new-connection-mark=P2P passthrough=no protocol=udp src-port=65513-65514
add action=mark-connection chain=forward disabled=yes new-connection-mark=P2P passthrough=no protocol=tcp src-port=65513-65514
add action=mark-packet chain=forward connection-mark=P2P disabled=yes new-packet-mark=P2P passthrough=no
add action=mark-connection chain=prerouting comment=P2P new-connection-mark=P2P passthrough=yes src-address=172.26.12.60
add action=mark-connection chain=prerouting comment=RSync dst-port=873 new-connection-mark=RSync passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=TS02-seed4me new-connection-mark=seed4me passthrough=yes src-address-list=172.26.12.60
/ip firewall nat
add action=accept chain=srcnat dst-address=172.26.10.0/24 src-address=172.26.12.0/24
add action=accept chain=srcnat dst-address=192.168.97.0/24 src-address=172.26.12.0/24
add action=masquerade chain=srcnat out-interface=FineMedia
add action=dst-nat chain="dstnat - GPCW - Torrent TCP" dst-port=65513 in-interface=FineMedia protocol=tcp to-addresses=172.26.12.60 to-ports=65513
add action=dst-nat chain=dstnat comment=NVR disabled=yes dst-port=7443 in-interface=FineMedia protocol=tcp to-addresses=172.26.12.225 to-ports=7443
add action=dst-nat chain="dstnat - GPCW - Torrent UDP" dst-port=65513 in-interface=FineMedia protocol=udp to-addresses=172.26.12.60 to-ports=65513
add action=dst-nat chain=dstnat dst-address-type="" dst-port=443 in-interface=FineMedia protocol=tcp src-address-type="" to-addresses=172.26.12.200 to-ports=3389
add action=dst-nat chain=dstnat comment="NAS-X - FTPS" disabled=yes dst-address-type="" dst-port=65299-65400 in-interface=FineMedia protocol=tcp src-address-type="" to-addresses=172.26.12.20 to-ports=65299-65400
add action=dst-nat chain=dstnat comment=WANOS dst-address-type="" dst-port=4050 in-interface=FineMedia protocol=udp src-address-type="" to-addresses=172.26.12.27 to-ports=4050
add action=dst-nat chain=dstnat comment=TS02 dst-address-type="" dst-port=53 in-interface=FineMedia protocol=tcp src-address-type="" to-addresses=172.26.12.60 to-ports=3389
add action=dst-nat chain=dstnat comment="Traccar - GPS Port - ST-901" dst-address-type="" dst-port=5013 in-interface=FineMedia protocol=tcp src-address-type="" to-addresses=172.26.12.70 to-ports=5013
add action=dst-nat chain=dstnat comment="Traccar - WWW Port " disabled=yes dst-address-type="" dst-port=8082 in-interface=FineMedia protocol=tcp src-address-type="" to-addresses=172.26.12.70 to-ports=8082
add action=masquerade chain=srcnat comment=Traccar-Internat disabled=yes dst-address=3.3.3.3 dst-port=8082 out-interface=bridge-WRO protocol=tcp src-address=172.26.12.0/24
add action=dst-nat chain=dstnat comment=MAIL-SMTP-incomming dst-port=25 in-interface=FineMedia protocol=tcp to-addresses=172.26.12.225 to-ports=25
add action=dst-nat chain=dstnat comment=MAIL-SMTPs-incomming dst-port=587 in-interface=FineMedia protocol=tcp to-addresses=172.26.12.225 to-ports=587
add action=dst-nat chain=dstnat comment=MAIL-WWW-incomming dst-port=8443 in-interface=FineMedia protocol=tcp to-addresses=172.26.12.214 to-ports=8443
add action=dst-nat chain=dstnat comment=MAIL-IMAPs-incomming dst-port=7993 in-interface=FineMedia protocol=tcp to-addresses=172.26.12.225 to-ports=7993
add action=dst-nat chain=dstnat comment="Traccar - Internat Connection - Redirect" dst-address=3.3.3.3 dst-port=8082 protocol=tcp to-addresses=172.26.12.70
add action=dst-nat chain=dstnat comment="IMAPS 7993 - Internal Connection-Redirect" dst-address=3.3.3.3 dst-port=7993 protocol=tcp to-addresses=172.26.12.225
add action=dst-nat chain=dstnat comment="SMTPS 587 - Internal Connection-Redirect" dst-address=3.3.3.3 dst-port=587 protocol=tcp to-addresses=172.26.12.225
add action=masquerade chain=srcnat comment="Traccar - Internal Connection" dst-address=172.26.12.70 dst-port=8082 out-interface=bridge-WRO protocol=tcp src-address=172.26.12.0/24
add action=masquerade chain=srcnat comment="IMAPS 7993 - Internal Connection" dst-address=172.26.12.225 dst-port=7993 out-interface=bridge-WRO protocol=tcp src-address=172.26.12.0/24
add action=masquerade chain=srcnat comment="SMTPS 587 - Internal Connection" dst-address=172.26.12.225 dst-port=587 out-interface=bridge-WRO protocol=tcp src-address=172.26.12.0/24
/ip ipsec identity
add peer=peer1 secret=yes
add peer=peer4 secret=yes
/ip ipsec policy
add dst-address=192.168.97.0/24 peer=peer1 sa-dst-address=4.4.4.4 sa-src-address=3.3.3.3 src-address=172.26.12.0/24 tunnel=yes
add disabled=yes dst-address=172.26.10.0/24 peer=peer1 proposal="MIkrotik - Hardware Acceleration" sa-dst-address=4.4.4.4 sa-src-address=3.3.3.3 src-address=172.26.12.0/24 tunnel=yes
set 2 disabled=yes
/ip route
add comment=netflix disabled=yes distance=1 dst-address=45.57.0.0/17 gateway=seed4me
add distance=1 dst-address=172.26.10.0/24 gateway=192.168.251.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.26.12.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set backlight-timeout=never default-screen=stats flip-screen=yes time-interval=daily
/snmp
set contact=no enabled=yes location=WRO trap-target=172.26.10.167 trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system leds
set 0 interface=bridge-WRO
add interface=FineMedia leds=user-led type=interface-activity
add interface=EoIP-WRO2CHR-Telpol leds="" type=interface-activity
/system logging
set 1 action=disk
add disabled=yes topics=ipsec
add disabled=yes topics=firewall
add disabled=yes topics=pppoe
/system ntp client
set enabled=yes server-dns-names=0.europe.pool.ntp.org,1.north-america.pool.ntp.org,1.pool.ntp.org,0.pool.ntp.org,1.pl.pool.ntp.org,3.pl.pool.ntp.org
/system package update
set channel=testing
/system routerboard settings
set cpu-frequency=750MHz
/system scheduler
add disabled=yes interval=3d name=DHCP-BCK on-event=DHCP-Backup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=apr/18/2018 start-time=12:26:49
add interval=1d name=schedule_autoupdate on-event="/system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 1s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=apr/24/2018 start-time=05:00:00
/system script
add comment="/import file-name=dhcp" dont-require-permissions=no name=DHCP-Backup owner=admin policy=ftp,read source="/ip dhcp-server lease export file=WRO-DHCP_BCK"
[admin@MikroTik] >

RV has no log export

Alein · September 4, 2020, 4:58pm

I see a huge response
So. one point I was able to solve.

2. It seems that it is very easy to achieve it . All what I had to do was to merge 2 peers.

/ip ipsec policy
add dst-address=192.168.97.0/24 peer=RezDent-Telpol,RezDent-UPC proposal=Cisco-RV sa-dst-address=4.4.4.4 sa-src-address=2.2.2.2 src-address=172.26.10.0/24 tunnel=yes

I was able to simulate FO, and it is working.

I belive that my main problem is connected with mangle. I expected that perhaps I am marking connection or routing in wrong way. But I do not see it yet.

pe1chl · September 4, 2020, 6:20pm

For a config that is much like that, I use GRE/IPsec tunnels between fixed IP, L2TP/IPsec for dynamic IP (for LTE) and then I use BGP to route the traffic over the tunnels so it can select a working path. For quick changeover I use BFD (not over the LTE tunnel because it is only used for last-resort and I want to limit its data use).
Separating the IPsec layer and an independent tunnel layer on top of it (GRE or L2TP) solves issues with the IPsec policies being dependent on the user subnets, and BGP solves the redundancy without having to resort to EoIP and bonding.
This solution is also scalable to more locations.

Alein · September 5, 2020, 8:28am

@pe1chl

Thank you for the respond.

But I use GRE for static IP, and will use L2TP for dynamic (2nd it is just not implement yet).Also CISCo RV082 has a lot of limitations.
The ide with BGP and BGD is smart, I know that this will not allow me to utilize 2 WANs for one EoIP tunnel, but well I can live with it.
However the main problem stil exist, My traffic is not going correctly through correct WAN.
As I wrote
“I belive that my main problem is connected with mangle. I expected that perhaps I am marking connection or routing in wrong way. But I do not see it yet.”

Is there an yway how, I can see how router is marking connection and later routing? I have there mistake, but I just can not find it.

Also I changed WAN-1 to distance 2, as I had both D1.

But still both EoIP are trying to go through default GW with D1.

pe1chl · September 5, 2020, 8:38am

There is no way to control routing over direct IPsec tunnels with mangle. Routing defined by IPsec policies always takes precedence over any routes in the routing table(s) and any route marking.
That is one of the reasons why I do not like direct IPsec tunnels. There is little control, it is more difficult to firewall, etc.

So I use GRE over IPsec transport (easy to configure in RouterOS and Cisco also supports it in IOS). The IPsec is now only defined between the external IP addresses and only for protocol 47, all other traffic will follow the routing tables. And the tunnel can transport any IP address range without need to adjust the IPsec policies.

By just setting a /30 address on the GRE tunnel endpoints and static routes for the remote subnets it already is working, and for more convenience and failover I use BGP+BFD.

Alein · September 5, 2020, 1:28pm

Yes, I understand it. But please read it or see the diagram.
My problem is with EoIP between two MIkrotiks. IPSEC with CISCO is working fine at the moment. This solves the problem

/ip ipsec policy
add dst-address=192.168.97.0/24 peer=RezDent-Telpol,RezDent-UPC proposal=Cisco-RV sa-dst-address=4.4.4.4 sa-src-address=2.2.2.2 src-address=172.26.10.0/24 tunnel=yes

Cisco RV082 is a very simple SOHO router with 2 WANs and IPSEC VPN.
There is no way to configure anything else there.

I have 2 EoIP from 1 site with 2 WANs to 2nd site with one WAN. Somewhere I have a mistake, and both EoIPs are trying to go through default GW, as I suspect.

MIkrotik 1 ( 2 WANS)

https://freeimage.host/i/298wLQ
https://freeimage.host/i/298OBV
MIkrotik 2

https://freeimage.host/i/298jhx

Thank you for support

pe1chl · September 5, 2020, 6:16pm

I would recommend to throw the Cisco away (it is end-of-life anyway and support will stop in a few months) and get another MikroTik for that location.
E.g. a RB4011.
Then you can setup an optimal solution without having to cope with limitations of the Cisco.

Alein · September 5, 2020, 8:32pm

And this will happens one day. But my issue is with 2 Mikrotiks.

pe1chl · September 6, 2020, 8:55am

Your issue is that you have to use an unreasonable setup on your MikroTiks because you have to live with the limitations of your Cisco.
Replacing the Cisco with a MikroTik you could throw that entire config away and make some very simple GRE/IPsec tunnels (with a couple of mouseclicks) and an autorouting protocol to select the redundant links.
No messing with EoIP, Bonding, ipsec policy, mangling, or whatever.

Alein · September 8, 2020, 2:12pm

Ok, so let’s say, that CISCO is gone, there is no such site.
I have only 2 sites.
My problem is still the same. EoIP and GRE are almost the same.
So, how to control traffic on the router with 2 WANs to the router with 1 WAN in the correct way.
From my understanding, I need 2 GRE tunnels, but for me, one is not working, seems that the router is forwarding both tunnels through this same WAN.
After that, I will not provide routes but configure BGP and BFD.
That is all that I need to know at this time.
Thank you for support, I am still learning Mikrotik, and the manual on the wiki does not exactly fit my needs.