2-WAN basic help needed

Long-time user of the Linksys LRT224 (dual WAN) and similar multi-WAN routers, and decided to upgrade to a hEX S RB760iGS device.
Got it powered up, however I feel a bit overwhelmed by the options.. Is there a simple guide that can explain how to set up a 2 WAN setup, with NAT and all “normal” protections?

One of the ISPs is PPPoE, the other is DHCP..

Managed to log in to WebFig, and see all the options, just not certain how to proceed, and too fearful that if I don’t do it right, I won’t even know that the system is not right, and/or wide-open to the outside?? Something that was close to impossible in a Linksys device, here, at least based on “feeling”, seems very much possible :slight_smile: :slight_smile:
Thanks for any full guide/example (I do see the normal docs, but that’s a lot of content too).

Hello Stormy,

First, I recommend you use WinBox; this is a free tool which you can download from https://mikrotik.com/download
There is no guide to set it all up in one step (as far as I know). You can do almost everything you can do with other routers, but you should configure it step by step.
I don’t use “Quick set” because sometimes it has weird behaviors.
What do you want to do with both WAN interfaces? Only failover? Load balancing is a bit tricky.

Please open “New terminal” (in WinBox or WebFig) and write “export compact” or “export compact file=filename” to see the current settings.
The first command will show you the settings on the screen, and the second creates a file which you can see in the “Files” section (and download).
Please copy the settings here; if anything is sensitive, you can replace it with an understandable name.
We can try to help you, but step by step.

If you didn’t change the admin password, you can use admin → “” from WinBox, but it is always recommended to change it.

Regards,
Damián

Thanks so much for being open to a new user :slight_smile:

I’m very eager to learn, but a bit too scared to change anything :slight_smile: For now most is default, just changed passwd and put it on 192.168.1.3.

Hoping to set up the 2 WANs with Load Balancing and “stickiness” (so that, say, a VPN link established by one client remains on the same ISP/WAN); in consumer grade multi-WAN, like TP Link TL-R470T+ or Linksys LRT224, that is “built in” in the menus..

export is below (with few things modified for privacy):

# jan/04/1970 14:52:26 by RouterOS 6.44.4
# software id = 
#
# model = RB760iGS
# serial number = AE37...
/interface bridge
add admin-mac=74:4D:28:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.1.30-192.168.1.49
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.3/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.3 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.3 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=\
    WAN
/system identity
set name=MiK
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

No problem,

OK, first let’s work on getting the 2 WANs working.

The first step is to remove ether2 from the bridge (to use ether1 and ether2 as WAN; you can use other interfaces).
In the graphic interface, go to bridge → “ports” tab → remove ether2 from there.

ether1 has a dhcp-client, so you can use it for the DHCP ISP.
So, let’s create the PPPoE virtual interface:
go to ppp menu → “Interface” tab → click on the button with the “+” sign → select “pppoe client”.
Select ether2 in “Interfaces”, write a proper name; I don’t know the other parameters.
If the PPPoE modem is in router mode, you just need a dhcp-client on ether2.

Then we can add the PPPoE interface to the “WAN” interface list.
Go to “Interfaces” → “Interface list” tab → click on the “+” button and select “WAN” and the PPPoE interface.
The NAT is configured for all interfaces in the “WAN” interface list; for now we can leave it as it is.

I will continue from my home, because in my office I never have enough time.
Regards
Damián

Oh Dear.,. Oh dear… What I was afraid of… :slight_smile: :slight_smile:

In WinBox, went to bridge/port, highlighted eth2, clicked the X button, noticed the line remained but faded, so did the “V” and it became non-faded, so then noticed the “-” says “remove”, so clicked on that, and after ~10 seconds, BOOM, was thrown out of the WinBox interface!!

I’m 10000% certain I was connected to eth4 (port#4) on the device, that is the only cable connected at this point.. The 192.168.1.3 IP kept pinging, but no telnet or WinBox or WebFig, nothing responds (aside from ping). Still had a separate telnet open to 192.168.1.3 in the box, so I know it was still running, just don’t know what to type.. tried:

[admin@MiK] /system> check-installation
  status: installation is ok

Did not know how to check “ifconfig” or similar, need to find a cheat-sheet, it seems totally different from Linux :frowning:

So, pulled the power cable out, then back in, it made beeps, blue light solid, and eth4 green light blinking..

However, now it does not ping on 192.168.1.3 or 192.168.88.1… and also lost that open telnet connection :slight_smile:

I suspect this is not normal? I suspect I would need a reset or some fancy serial cable?

Thanks so much for your time, highly appreciated!
Stormy.

WinBox can also connect to a MAC address. Check the Neighbors tab to see if the router is there. If not, try different ports. And you don’t need a cheat sheet, just look at the config you posted. Lines like “/ip address” are where those things are; “add” is one useful command, others are “print” or “set”, it’s easy. And if you need more, there’s the manual.

Wow!!! Connected via MAC, impressive! Managed to do all the rest of the steps! (although have not connected the actual ISP wires yet :slight_smile:)

(Looking around in “IP->Address List”, noticed that the 192.168.1.3 was set up on “eth2” (which was removed :slight_smile:), changed it to go to “bridge” and now telnet/ssh is reachable!!)

As for the cheatsheet: now found a few online blogs; the full wiki/doc is good once you know where to begin. I guess my concern, as an “end user”, is that with so much power, there’s no sure way to know that the system/router is set up “correctly”.. I guess this comes with all the power :slight_smile: Curious to see what performance looks like compared to the LRT224 :slight_smile:

Tried to look at https://wiki.mikrotik.com/wiki/Load_Balancing, but got lost a bit.. I think I need SESSION level balancing, and it would be OK to round robin different clients from the same PC to a different WAN after some time… can’t figure out which is the “best” (simplest) approach..

Thanks!

Stormy.
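An added example, not part of any post in this thread and not MikroTik's own tooling: a small offline check over an "export compact" dump for the two mistakes that came up here. The defconf forward-drop and masquerade rules in the export above match on the WAN interface list, so an uplink left out of that list gets neither, and a LAN address left on a port instead of the bridge is what caused the lockout. The sample export and the name "pppoe-out1" are constructed assumptions.

```python
import re

# Constructed sample (not the poster's export): the state midway through the
# steps in this thread. "pppoe-out1" and the user value are assumed names.
SAMPLE_EXPORT = """\
/interface pppoe-client
add disabled=no interface=ether2 name=pppoe-out1 user=placeholder
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.3/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
"""

def parse_export(text):
    """Map each menu path (e.g. '/ip address') to a list of key=value dicts."""
    sections, menu = {}, None
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif menu and line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections[menu].append({k: v.strip('"') for k, v in pairs})
    return sections

def audit(text):
    """Return review findings for uplinks and LAN addressing."""
    s = parse_export(text)
    members = s.get("/interface list member", [])
    wan = {m["interface"] for m in members if m.get("list") == "WAN"}
    pppoe = s.get("/interface pppoe-client", [])
    # Ports that sit underneath another interface (bridge or PPPoE client).
    lower = {p["interface"] for p in s.get("/interface bridge port", [])}
    lower |= {c["interface"] for c in pppoe}
    uplinks = [c["interface"] for c in s.get("/ip dhcp-client", [])]
    uplinks += [c["name"] for c in pppoe]
    findings = [f"{u}: uplink is not in the WAN list" for u in uplinks if u not in wan]
    for a in s.get("/ip address", []):
        if a["interface"] in lower:
            findings.append(f"{a['address']}: address is on port {a['interface']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

The findings are review prompts, not verdicts: an address on a PPPoE carrier port can be intentional (for example, to reach a modem's management page), so confirm each one against the intended design.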

Sorry, my mistake.
I didn’t realize that the private IP was on ether2.
Anyway, I think this router is not in production, right?
If it stops working, you can always reset it.
Try to make a backup often; you can do this by clicking on “file”, and you can copy the file to your computer.

I think you should first make both internet connections work, then we can worry about load balancing.
If you want, you can read https://wiki.mikrotik.com/wiki/Manual:PCC, I think this will work fine.

I will write again later.
Regards,
Damián

Sorry, I could not continue with this yesterday and I think I won’t have enough time today; it should be tomorrow.
What happened with the internet connections? Could you test them on the MikroTik?
If the current router is doing failover and load balancing, you can disconnect only one ISP and connect it to the MikroTik to test.
About the ADSL: which one is authenticating with the username and password? Your current router or the ISP’s modem?

Regards,
Damián

Thanks Damian,
Yes, I can pull one ISP wire, but have not done that yet, busy with other things. I had no idea the device requires so much learning; all for it, will have to dedicate a bit more time over the next few weeks, surely cannot put this into “production” / usage without fully learning/knowing.. like, how would I exclude certain IPs/clients from switching ISPs constantly.. Will reply soon… and at the end will be glad to share the export if it will help someone :slight_smile: :slight_smile: Sounds like a very basic setup (to replace an existing 2-WAN device)..
Stormy.

Will revisit this in a few days/weeks, as I need to dedicate time to learn the CLI, methods, etc. Did not realize it is that involved…

You don’t necessarily have to learn CLI. You will find most examples as CLI commands, but WinBox has the same structure, so you will easily find where each command belongs and you’ll also see other available options in same window.