Dual APN Question - Use a second APN for a specific device

Hello everyone. Hope you’re doing well.

I’m trying to figure out a way to set up my equipment and I could use your help.
If anyone is interested in my problem I’d be super happy to hear from you.

I made a post a while back when I bought the machines, but never actually found a solution, nor did I bother to solve the problem. I just lived with it.
Said post: http://forum.mikrotik.com/t/help-confiduring-my-home-network/164597/1

I have 3 devices:

  • An LHG-LTE18
    Acts as a modem-only with Passthrough enabled.
    I use two APNs. One APN is full speed but CG-NATed, and the second APN gets a public IP but is bandwidth limited. Each APN is passed through to a separate VLAN (VLAN 3 and 4 respectively).
    I followed Mikrotik’s guide from YouTube to set up passthrough with a management VLAN and took the liberty to add the second APN myself.


  • An RB5009UG+S+IN
    Acts as my Router. Has 2 DHCP Clients on VLANs 3 and 4 which are both in the WAN list, and MOSTLY the default config, that worked great so far, using a single WAN just with the VLAN 3 that is.
    Then (following some guides online) I added a Mangle that marks traffic from a single Src. Address, created a second Routing Table and tried to Route that traffic through the secondary APN. (will post full config below)


  • A CSS326-24G-2S+
    Acts as my switch, and is connected to the RB5009 via the SFP port. Nothing more to add here. I’ve used the documentation online to set up which VLANs are used by which ports/devices.

Now for the problems!!

  1. Upon receiving both IPs from the VLANs 3/4 the RB5009 creates two Routes that can’t be changed. With Dst. Address 0.0.0.0 and for the Gateway, the corresponding IP the LHG gave it. One does look like public (and I bet it is) and the other one being 10.57.. looks like the CG-NAT situation I’m behind.

If I create a new route myself for the Routing Table I made, it DOES NOT WORK, and all devices use the normal, CG-NATed APN as I suspect they use the “default” auto-created ones which both Route the “main” Routing table.
If I delete those automatically created Routes, and create two new myself, with the same IPs, but one has the custom Routing Table, everything works. The specific device I need to have a public IP, DOES have one.
BUT: If the routers restart or they lose power, or my ISP-assigned IPs change, obviously nothing will work, as I will have to go and re-assign them manually on the RB5009.
What can I do about that?

  2. Even when “everything works” as I said above, the device that gets the PUBLIC IP APN Access gets next-to-nothing bandwidth. Less than 1Mbps.
    Searching online I found that, if I disable the (default) fasttrack firewall rule, both devices run pretty fast, BUT, the ones that were on the CG-NAT (and faster) APN actually lose some speed. 50-100Mbps less.
    Is there something to be done about this?

  3. Looking at my config, am I doing something COMPLETELY wrong?
    Excuse my lack of knowledge, I’m way over my head here. :frowning:


    PS. WHY AM I DOING THIS?
    You don’t need to read this, it’s just extra info in case you think I’m nuts for trying this stuff without proper networking knowledge.
    I have a Coffee Shop and I obviously need a landline. A phone number.
    My phone is VoIP, and I (SADLY) can’t use it behind a CG-NAT.

So either I had to force myself to use less speed (AND THAT IS A NO-NO given the fact that the LHG-LTE is a beast of speed and that’s why I paid for it) OR actually have no phone. Or pay for a second internet connection, I don’t know. :smiley:

TEMPORARILY, I’ve setup a FreePBX VM on my server, that handles my VoIP, and it does seem like it works, even behind the NAT.
BUT THAT IS NOT A SOLUTION. I run a coffee shop. Not a bank. I shouldn’t have to use Enterprise-Grade software that adds 150 points of failure just to make or, more importantly, RECEIVE a phone call :frowning:

I run a Homelab as well, with Unraid and a big number of services and dockers. Like Emby or Nextcloud etc… To be honest, this little Mikrotik setup, is serving 40 of my friends and their Media-Hungry needs if you know what I mean. So my Mikrotik LHG has really opened new horizons for me.
But since I couldn’t port forward behind the CG-NAT, I am using Cloudflare’s Tunnel services which also work great.

Again. I am just trying to figure out how to make the phone work.
Port Forwarding into my server is easily done via Cloudflare. Or Tailscale or whatever, I tried a few.

WHAT ABOUT THE PHONE? AHHAHAHAHAH

Thanks a lot in advance and sorry for the long post.
Posting Configs below…

RB5009 Config:

# 2024-11-05 20:02:43 by RouterOS 7.14.2
# software id = C87L-8BI4
#
# model = RB5009UG+S+
# serial number = HE408J76HN4
/interface bridge
add admin-mac=48:A9:8A:59:8D:3E auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=guest vlan-id=50
add interface=bridge name=iot vlan-id=30
add interface=ether1 name=man vlan-id=2
add interface=ether1 name=net-cgnat vlan-id=3
add interface=ether1 name=net-public-ip vlan-id=4
add interface=bridge name=remote vlan-id=100
add interface=bridge name="voip - cash register" vlan-id=1000
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=iot-pool ranges=10.98.30.30-10.98.30.254
add name=guest-pool ranges=10.98.50.2-10.98.50.254
add name=masternet-pool ranges=10.98.20.50-10.98.20.254
add name=remote-airfiber-pool ranges=192.168.1.2-192.168.1.254
add name=voip-cashreg-pool ranges=10.98.100.20-10.98.100.254
/ip dhcp-server
add address-pool=iot-pool interface=iot name="IoT Network"
/routing table
add disabled=no fib name=public-ip-routing
/user group
add name=hassio policy="reboot,read,write,policy,test,api,!local,!telnet,!ssh,\
    !ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=man
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=50
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=1000
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=net-cgnat list=WAN
add interface=man list=LAN
add interface=ether8 list=LAN
add interface=net-public-ip list=WAN
/ip address
add address=10.98.30.1/24 interface=iot network=10.98.30.0
add address=10.98.50.1/24 interface=guest network=10.98.50.0
add address=192.168.1.1/24 interface=remote network=192.168.1.0
add address=10.98.20.1/24 interface=bridge network=10.98.20.0
add address=10.98.100.1/24 interface="voip - cash register" network=\
    10.98.100.0
/ip dhcp-client
add interface=net-cgnat
add interface=net-public-ip
/ip dhcp-server
add address-pool=guest-pool interface=guest name="Guest Network" \
    parent-queue=*FFFFFFFF
add address-pool=masternet-pool interface=bridge name="Master Network" \
    parent-queue=*FFFFFFFF
add address-pool=remote-airfiber-pool interface=remote name="Remote Network" \
    parent-queue=*FFFFFFFF
add address-pool=voip-cashreg-pool interface="voip - cash register" name=\
    "Olenia VoIP/CashReg" parent-queue=*FFFFFFFF
/ip dhcp-server lease
add address=10.98.20.3 client-id=1:18:fd:74:66:9b:a8 mac-address=\
    18:FD:74:66:9B:A8 server="Master Network"
add address=10.98.30.10 client-id=1:78:8c:b5:4a:7f:ff mac-address=\
    78:8C:B5:4A:7F:FF server="IoT Network"
add address=10.98.30.11 client-id=1:78:8c:b5:4a:84:6a mac-address=\
    78:8C:B5:4A:84:6A server="IoT Network"
add address=10.98.30.12 client-id=1:28:ee:52:77:9e:a3 mac-address=\
    28:EE:52:77:9E:A3 server="IoT Network"
add address=10.98.30.13 client-id=1:78:8c:b5:94:2c:50 mac-address=\
    78:8C:B5:94:2C:50 server="IoT Network"
add address=10.98.20.5 client-id=1:2:25:90:f2:e7:b6 mac-address=\
    02:25:90:F2:E7:B6 server="Master Network"
add address=10.98.20.2 client-id=1:18:fd:74:8e:b8:e1 mac-address=\
    18:FD:74:8E:B8:E1 server="Master Network"
/ip dhcp-server network
add address=10.98.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.98.20.1
add address=10.98.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.98.30.1
add address=10.98.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.98.50.1
add address=10.98.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.98.100.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark for PublicIP" \
    connection-mark=no-mark new-routing-mark=public-ip-routing passthrough=\
    yes src-address=10.98.20.30
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9891 in-interface-list=WAN protocol=\
    tcp to-addresses=10.98.20.10 to-ports=9891
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=149.210.40.166 \
    pref-src="" routing-table=public-ip-routing scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.57.3.200 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

LHG-LTE Config:

# 2024-11-05 20:03:07 by RouterOS 7.14.2
# software id = AT1V-LL54
#
# model = LHGGM
# serial number = HD2088SHTMR
/interface vlan
add interface=ether1 name=man vlan-id=2
add interface=ether1 name=net vlan-id=3
add interface=ether1 name=net-vpn vlan-id=4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 name=cg-nat-apn passthrough-interface=\
    net passthrough-mac=auto use-network-apn=no
add apn=vpn-internet ip-type=ipv4 name=public-ip-apn passthrough-interface=\
    net-vpn passthrough-mac=auto
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=\
    cg-nat-apn,public-ip-apn band=1,3,7 name=lte-main network-mode=lte \
    sms-read=no
set [ find default-name=lte-vpn ] master=lte-main
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=main_pool ranges=192.168.1.50-192.168.1.250
/ip dhcp-server
add address-pool=main_pool disabled=yes interface=ether1 lease-time=10m name=\
    dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=vpn_table
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=LAN
add interface=lte-main list=WAN
add interface=*FFFFFFFF list=LAN
add interface=man list=LAN
add interface=net-vpn list=LAN
/ip arp
add address=192.168.1.21 interface=ether1 mac-address=02:E0:4C:11:F3:FA
/ip dhcp-client
add interface=man
add interface=net-vpn
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=no-mark \
    in-interface=net-vpn new-routing-mark=vpn_table passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=lte-main
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=lte-vpn
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=lte-main pref-src="" \
    routing-table=vpn_table scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="" routing-table=\
    vpn_table suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="LTE18 Antenna"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte-main receive-enabled=yes


guys, no one? :smiley:

I guess I’m on my own, again. hahaha

If the 2nd APN is working, you get a 2nd LTE interface. With that…
At a high level, you need to add new /routing/table that has the 2nd APN’s LTE interface as a /ip/route & use /routing/rules to steer the particular IP/subnet traffic to the new routing table for the 2nd LTE interface.
But it’s actually the same as other multiwan examples in the forum - i.e. you have two WAN interfaces, the fact that both are LTE kinda doesn’t matter.

Overall, I’m not necessarily a fan of the mangle approach to routing… Since mangle rules are hard to “read” to figure out what’s going on, like here :wink:.

Let’s go one by one.
#1
If you try “/ip route print” in terminal, you will find that the routes you are getting (after a reboot) come from the DHCP client(s) and likely have a distance of 0 or 1 (i.e. they are “very near”).
You can do two things (up to you to decide which one or a mix of the two): change the DHCP clients so that they either do not set the automatic route or change the distance of the given route.
https://help.mikrotik.com/docs/spaces/ROS/pages/24805500/DHCP
either
add-default-route=no
or
default-route-distance=2 (say)

in both cases your manually added (static) routes (with distance=1) will “prevail”

Hello and thanks for your answer. <3

Yes, I kinda did that.
I didn’t change anything for the default DHCP-created (“cg-nat”) route, but I changed: add-default-route to “no” for the “vpn” LTE APN DHCP Client.
Then I added my own Route, with dst 0.0.0.0, Gateway the IP I see on the LHG’s secondary LTE Interface (the Public one) and “Routing Table” the one I created that contains all the marked packets.
This way, I can see a “CG-NATed” IP from ALL of my devices, but a “PUBLIC IP” from the SPECIFIC device I chose on the mangle rule.

The problems with this approach are that:

  1. [FROM MY UNDERSTANDING] When the Modem restarts, or the ISP decides to give me a new public IP, the device on the custom Routing Table will not work, as my Route, set up with the IP my Modem gave me as Gateway, will point to a wrong address.

Example:

My LHG gives me the Public IP “149.210.93.145”
I create a Route with:

  • dst Address: 0.0.0.0/0
  • Gateway: 149.210.93.145
  • Routing Table: my-routing-table

When the LHG gets a new IP from the ISP, let’s say “149.210.80.150”
Then my Route STILL points to “149.210.93.145” which doesn’t exist any more.

Can’t I somehow point the Route to “WHATEVER THE DHCP CLIENT RECEIVES AT THE VLAN 4”?

I can turn the Route automatically created by the DHCP Client ON or OFF as you said, and set a custom Distance. But I can’t set a custom Routing Table. Correct? That would be what I’d like.

  2. The Second problem is that the clients on the Routing Table that run through the secondary APN DO have internet access as I said, but with stupid-slow speeds. If I disable FASTTRACK on the Firewall, then speeds go UP for these devices, but go down overall for all OTHER devices.
    The second problem is far less significant, as, to-be-honest, I mostly care about my VoIP telephony working.
    Even 2 or 3 Mbps, are enough for that.

The FIRST problem, of dynamically setting the gateway, is much more important I guess.

There is one rule with routing rules — the route MUST still exist in main, to be able to be used in another routing table.

So you may want the use-default-route enabled on both APNs (or VLAN passthrough’ed), as that would deal with a changing public IP. Just set the default-route-distance higher on it — that will get the route in main routing table (see rule above)… . Then in the routing table use lte2 (or etherX/vlanX if passthrough) as the gateway.

(& if you really didn’t want to it be part of a failover, use a blackhole route at a lower distance than the non-failover default route added by DHCP/APN)
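The configuration below is an added example of the approach the reply above describes; it is not taken from any post in this thread. The public APN's DHCP default route is kept in main at a higher distance so it exists there and can be used from the second table, a blackhole route in main stops main-table traffic from failing over to the slow public APN, the second table's default route points at the passthrough VLAN interface rather than at an address that changes, and a routing rule (instead of the mangle mark in the posted export) steers the single host. Interface names, the routing table and the host address (net-cgnat, net-public-ip, public-ip-routing, 10.98.20.30) are taken from the posted RB5009 export; the distance values are illustrative.

```routeros
# Added example (not from any poster's config). Assumes the RB5009 names from
# the posted export: WAN VLANs net-cgnat / net-public-ip, routing table
# public-ip-routing, VoIP host 10.98.20.30.

/ip dhcp-client
# Both DHCP clients install a default route in main. The public-APN route
# gets a higher distance so the CG-NAT APN stays the normal exit.
set [ find interface=net-cgnat ] add-default-route=yes default-route-distance=1
set [ find interface=net-public-ip ] add-default-route=yes default-route-distance=3

/ip route
# Blackhole at distance 2 sits between the CG-NAT default (1) and the public
# default (3): if the CG-NAT route disappears, main-table traffic is dropped
# instead of failing over onto the bandwidth-limited public APN.
add dst-address=0.0.0.0/0 blackhole distance=2 routing-table=main \
    comment="no failover to public APN"
# Default route for the second table. The gateway is the passthrough VLAN
# itself, so the route stays valid when the ISP changes the public address.
add dst-address=0.0.0.0/0 gateway=net-public-ip distance=1 \
    routing-table=public-ip-routing comment="public APN default"

/routing rule
# Policy routing by source address. lookup-only-in-table means the host is
# never silently routed via main (and the CG-NAT APN) if the second table
# has no usable route.
add src-address=10.98.20.30/32 action=lookup-only-in-table \
    table=public-ip-routing comment="VoIP host via public APN"
```

The masquerade rule already in the posted export matches `out-interface-list=WAN`, which covers both VLANs, so no extra NAT rule is needed for traffic leaving via net-public-ip. The existing mangle rule for 10.98.20.30 can be disabled once the routing rule is in place, so that only one mechanism decides the path.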

I will give your solution a try, but currently, using some online-search magic I found out this solution that SEEMS to work.

  • I kept the default DHCP Client with Default Route enabled and Untouched.
  • I turned off “Default Route” for the second DHCP Client that runs on the VLAN that receives the public IP.
  • Created a script that checks what IP is received by the DHCP on that VLAN, and then creates a Route with that IP as the gateway and the appropriate Routing Table.
    (the same way I did it manually, but this does it for me)
  • Using RouterOS’ scheduler, I run the script every 5 minutes.

This way, everything works.

The only thing left to figure out, is the “FASTTRACK” problem.
As I’ve said, with Fasttrack (on the Firewall) enabled, the device getting through the public IP, has super slow speeds. Next to nothing I’d say.
Disabling fasttrack, INSTANTLY gives me full bandwidth. At least up to 150Mbps where the ISP Limits me.
But Disabling it, also slows down the normal “faster” and cg-nated connection.

Does anyone have any idea why this would happen ? :slight_smile:
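The script below is an added example of the "check the DHCP-assigned address, then create the route" step described above; it is not the poster's own script. Instead of polling from the scheduler every 5 minutes, it is attached to the DHCP client's script hook, which RouterOS runs whenever the lease on that interface is bound or lost and which hands the script the received gateway address, so the route is updated the moment the ISP changes it. The interface and routing table names (net-public-ip, public-ip-routing) come from the posted RB5009 export; the route comment is only the marker the script uses to find the route it manages.

```routeros
# Added example (not from the thread). Attach it to the public-IP DHCP client:
#   /ip dhcp-client set [ find interface=net-public-ip ] add-default-route=no \
#       script="<contents of this script>"
# RouterOS sets $bound (1 = lease bound, 0 = lease lost) and
# $"gateway-address" before running the script.
:local table "public-ip-routing"
:local marker "auto: default via public-ip APN"

:if ($bound = 1) do={
    :local gw $"gateway-address"
    :if ([:len [/ip route find comment=$marker]] > 0) do={
        # Route already exists: rewrite the gateway in place.
        /ip route set [ find comment=$marker ] gateway=$gw disabled=no
        :log info ("public-ip route updated, gateway " . $gw)
    } else={
        # First lease since boot: create the route in the second table.
        /ip route add dst-address=0.0.0.0/0 gateway=$gw distance=1 \
            routing-table=$table comment=$marker
        :log info ("public-ip route added, gateway " . $gw)
    }
} else={
    # Lease lost: disable the route so a stale gateway is never used.
    /ip route set [ find comment=$marker ] disabled=yes
    :log warning "public-ip lease lost, route disabled"
}
```

Because the script only ever touches the route carrying its own comment, the DHCP-created route for the CG-NAT APN in main is left untouched, which matches the first two steps in the list above.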