Of course it should, you programmed the router to do so. Geez, there is no accountability in today's youth.
(For marking connections it is more accurate to use the input chain for rules to the router and the forward chain for traffic through the router.)
Setting this to NONE is the general recommendation from users and MT…
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
Why do you have SSH (22) set up? If you are using BTH VPN, I am assuming you don't have a publicly accessible WAN IP???
Also, why all the DNS, honeypot and all the other crap? Are you being attacked all the time or something… The
Big Security NO NO, WinBox should not be open to the internet… REMOVE!
add action=accept chain=input comment="myconf: accept WinBox" dst-port=8291 protocol=tcp
If you need remote access, use your WireGuard!!!
Boggles my mind that you have this obsession with bloatware firewall rules but create a door right to your WinBox… it's rather ironically amusing.
The two routes for the specific tables DO NOT REQUIRE check-gateway=ping; it serves no purpose here.
Suggest recursive routes to at least ensure connectivity past the ISP… For future work:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=ISP1 comment="PCC out WAN1"
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=ISP2 comment="PCC out WAN2"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12
add distance=1 dst-address=9.9.9.9/32 gateway=192.168.178.1 scope=10 target-scope=11
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=208.67.220.220 scope=10 target-scope=12
add distance=2 dst-address=208.67.220.220/32 gateway=192.168.0.1 scope=10 target-scope=11
MANGLING, where the main issue is probably located…, although it's not an issue, just something unexpected by the OP.
a. Do you have any specific external users or services entering WAN2 that need to go out WAN2? None so far…
b. Do you have any specific external users going to the LAN (aka servers) via WAN2? None so far.
Note: we don't need to discuss WAN1, because by default it's the Primary WAN and traffic will naturally flow back out the correct WAN.
I typically don't use your first two rules, as it is rare to have two static WAN IPs, so will leave them in place.
I also do not understand the need as the PCC rules already do not include local traffic… ???
/ip firewall mangle
Good:
add action=accept chain=prerouting comment="allow usage of default routing table for traffic to ISP1 connected networks" dst-address=192.168.178.0/24 in-interface=bridge
add action=accept chain=prerouting comment="allow usage of default routing table for traffic to ISP2 connected networks" dst-address=192.168.0.0/24 in-interface=bridge
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The next set of rules you had were redundant, not required, and have been removed.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
These rules look fine (prefer to use the forward chain as it's more accurate). connection-state=new is NOT required.
in-interface=bridge on the mark-routing rules is not required in your setup, as you have it identified when marking traffic.
Use passthrough=no on the mark-routing rules.
add action=mark-connection chain=forward comment="divide traffic from LAN into two groups ISP1" connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=ISP1-Conn passthrough=yes per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=forward comment="divide traffic from LAN into two groups ISP2" connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=ISP2-Conn passthrough=yes per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting comment="route ISP1 connections through ISP1" connection-mark=ISP1-Conn new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting comment="route ISP2 connections through ISP2" connection-mark=ISP2-Conn new-routing-mark=ISP2 passthrough=no
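As an added example (not the OP's config and not the reply's own rules), here is the advice from the post above pulled together into one consistent RouterOS v7 configuration: recursive default routes probed past each ISP, per-table routes for the PCC marks without check-gateway, the two "connected network" accept rules, the PCC marks, and an input chain that drops WinBox and SSH from the WAN and only reaches them from LAN or over WireGuard. Everything not visible in the thread is an assumption: interface names ether1 (WAN1, gateway 192.168.178.1) and ether2 (WAN2, gateway 192.168.0.1), a LAN bridge named bridge, a WireGuard interface named wireguard1 listening on UDP 13231, and masquerade NAT on both WANs. The example keeps mark-connection in prerouting, the layout MikroTik documents for PCC, so the routing decision for the first packet of a connection already sees the connection mark; the post's forward-chain variant would route that first packet by the main table.

```routeros
# Added example, not from the original thread. Assumed names: ether1 = WAN1,
# ether2 = WAN2, bridge = LAN, wireguard1 = WireGuard on UDP 13231.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2
add list=LAN interface=bridge

# v7: routing tables referenced by routing-table= / new-routing-mark= must exist.
/routing table
add name=ISP1 fib
add name=ISP2 fib

/ip route
# Recursive defaults: the ping target sits beyond the ISP, so a dead upstream
# (not only a dead CPE) withdraws the route and the distance-2 path takes over.
add dst-address=9.9.9.9/32 gateway=192.168.178.1 scope=10 target-scope=11 distance=1 comment="probe host via ISP1"
add dst-address=0.0.0.0/0 gateway=9.9.9.9 check-gateway=ping scope=10 target-scope=12 distance=1 comment="default via ISP1"
add dst-address=208.67.220.220/32 gateway=192.168.0.1 scope=10 target-scope=11 distance=2 comment="probe host via ISP2"
add dst-address=0.0.0.0/0 gateway=208.67.220.220 check-gateway=ping scope=10 target-scope=12 distance=2 comment="default via ISP2"
# Per-table routes for the PCC marks; no check-gateway needed here.
add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-table=ISP1 comment="PCC out WAN1"
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=ISP2 comment="PCC out WAN2"

/ip firewall mangle
# LAN traffic to either ISP's own subnet stays in the main table.
add chain=prerouting action=accept in-interface=bridge dst-address=192.168.178.0/24 comment="LAN to ISP1 network"
add chain=prerouting action=accept in-interface=bridge dst-address=192.168.0.0/24 comment="LAN to ISP2 network"
# PCC: split new LAN connections (not destined to the router) into two buckets.
add chain=prerouting action=mark-connection in-interface=bridge connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address-and-port:2/0 new-connection-mark=ISP1-Conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=bridge connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address-and-port:2/1 new-connection-mark=ISP2-Conn passthrough=yes
# Route each bucket through its own table; passthrough=no, nothing else to match.
add chain=prerouting action=mark-routing connection-mark=ISP1-Conn new-routing-mark=ISP1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=ISP2-Conn new-routing-mark=ISP2 passthrough=no

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=ether2

/ip firewall filter
# Input: only the VPN port is reachable from the WAN. WinBox (8291) and SSH (22)
# are reachable from the LAN and from inside the tunnel, never from the internet.
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231 comment="WireGuard handshake"
add chain=input action=accept in-interface-list=LAN comment="LAN to router"
add chain=input action=accept in-interface=wireguard1 comment="VPN clients to router (WinBox/SSH)"
add chain=input action=drop comment="drop all else, including WinBox/SSH from WAN"
# Forward: LAN and VPN out; nothing unsolicited in from the WAN.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN
add chain=forward action=accept in-interface=wireguard1
add chain=forward action=drop
```

To check the failover, watch `/ip route print where dst-address=0.0.0.0/0`: pulling the ISP1 uplink should leave the distance-1 default inactive within the check-gateway interval while the distance-2 default becomes active. A WinBox connection attempt to the public WAN IP should now time out; connect over the tunnel instead.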
And this is why I always think ECMP and routing rules are often a better approach to load balancing. Even though ECMP is "less random" than PCC, changing the default firewall is fraught with risk since it is confusing if new. Using routing rules keeps the routing separate from the firewall.
Big Security NO NO, winbox should not be open to the internet…REMOVE!
Totally agree that WinBox being open is likely not a best practice for sure. And with BTH or plain WG, or ZeroTier, there are all pretty easy VPN options that avoid it.
But WinBox is encrypted so passwords aren't in the clear, so it's not a security disaster per se. At least no more so than opening HTTP/HTTPS or other services on the internet. Still a bad idea, and easily avoided with VPN.
Yeah, if you don't use the mobile apps, the use of "detect-internet" is unclear. But if you do use the mobile apps… it's front-and-center in the app and does enable a nice graph of WAN usage if enabled.
And you've done it right by setting "detect-interface-list=WAN", which limits the nasty side effects of potentially adding dhcp-clients to more things… e.g. the WAN has a DHCP client, so little chance for interference.
Part of the detect-internet logic includes adding a dhcp-client. Given "Detect" is in the name, it is odd that it modifies config. And since adding a dhcp-client could affect routing… that's why folks have a negative reaction.
But the graph in the mobile app is super useful and quick to know things are working. If it showed the same graph in WinBox/WebFig, folks might have a different opinion on detect-internet.
My #1 advice is: don't enable it using the mobile app**. The "detect-interface-list" is the only important setting. That setting is where it does the detection. Since there is no point in looking at VLANs/LANs, setting that to the "WAN" interface list is safe.
** Reason: In the app, if you click the item on the main screen that says "Internet: Not detected"… the app asks "Do you want to enable detect internet? YES / NO". And what that does is set "detect-interface-list=all", so it starts looking at all the VLANs and stuff, which is pointless.
Thanks for the answer, my question was poor.
Assume my question has nothing to do with the APP; personally I have never used it.
My question is regarding the router! I have never turned it on and it does not prevent my access via iphone.
Neither the router nor the smartphone apps care if it is disabled. But if you do use the app… it's quite visible, since it kinda looks like there is no internet (e.g. it says "Internet: disabled" or something). So just a UI thing.
AFAIK QuickSet does NOT use it, but I suppose that could be possible.