Dual WAN, dual subnet, multiple VLANs

Hello All,

I’ve read almost every topic I’ve found here (and somewhere else too) that could by close to my set-up, but unfortunately - nothing gave me the answer. Also, all of my tries went to nowhere.

Here’s my setup:
1 x RBSXTR with LTE passthrough to VLAN “vlan1_sxt” and second VLAN “vlan100_mgmt” (for managing purposes)
1 x RBLHGR with LTE passthrough to VLAN “vlan2_lhg” and second VLAN “vlan100_mgmt” (for managing purposes)
1 x RB750 as main router with all 5 ports bridged together with 5 VLANs: vlan1_sxt, vlan2_lhg, vlan100_mgmt, vlan200_lan1, vlan201_lan2
1 x RB750 as a switch for IP cameras with ETH1-ETH4 bridged with “vlan201_lan2” (interface: ETH5) and “vlan100_mgmt” on ETH5. The clients connected to ports 1-4 are getting correct IP address from dhcp server on main router. Also - I can access this device and main router from client connected to ETH1-4
1 x cAP managed by CAPsMAN on main router with two separate SSIDs connected to VLAN’s 200 and 201. WiFi clients are getting correct addresses corresponding to their VLAN’s.

Every device can ping each other on the network (whole traffic between subnets is temporarily allowed for testing purposes).

But, no device (network device or client computers) can access WAN / Internet.

On my main router I have two mangle rules for each of subnets (LAN1 & LAN2) that’s marking routing for the packets.
In routing table I have two routes to 0.0.0.0/0 for each routing mark and for it’s designed gateway.
In NAT I have defined two masquerades, one for each VLAN (vlan1_sxt & vlan2_lhg).
When I try to ping anything outside my local network - I can see the packets are being sent correctly, and they’re coming back to my main router, but then - they disappear. It seems that my main router is unable to correctly route the server’s reply back to the device that initiated the connection.

Please help my out with this. I have no more ideas what can be wrong and without it - I can’t move to my summer house

It’s hard to tell without seeing actual configuration at least of the main router.

One thing does ring the bell: vlan1_sxt implies use of VLAN ID 1. Use of VLAN ID 1 is a bad choice. This VID is used as default value all around and if you’re not extra carefull, it can mess with config. So it’s better to use another VID instead. But as I wrote, this may not be a problem but impossible to tell without seeing the config.

Hi,

Thank you for the reply. I’ve changed the Internet VLAN IDs to vlan10_sxt and vlan20_lhg. Unfortunately - it gave me nothing.

Here’s my config:

# apr/26/2021 17:25:04 by RouterOS 6.48.2
# software id = IDVH-06WR
#
# model = 750
# serial number = 2198018B1434
/interface bridge
add arp=proxy-arp name=bridge
/interface vlan
add arp=proxy-arp interface=bridge name=vlan10_SXT vlan-id=10
add arp=proxy-arp interface=bridge name=vlan20_LHG vlan-id=20
add arp=proxy-arp interface=bridge name=vlan100_mgmt vlan-id=100
add arp=proxy-arp interface=bridge name=vlan200_msvc vlan-id=200
add arp=proxy-arp interface=bridge name=vlan201_fru vlan-id=201
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=wpa2psk
/caps-man configuration
add country=poland datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes datapath.vlan-id=200 datapath.vlan-mode=\
    no-tag mode=ap name=MSVC security=wpa2psk security.passphrase=\
    PassLAN2 ssid=MSVC
add country=poland datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes datapath.vlan-id=201 datapath.vlan-mode=\
    no-tag name=FRU security=wpa2psk security.passphrase=PassLAN1 ssid=FRU
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MSVC ranges=10.0.13.100-10.0.13.200
add name=FRU ranges=10.1.13.100-10.1.13.200
/ip dhcp-server
add address-pool=MSVC disabled=no interface=vlan200_msvc lease-time=1h name=\
    dhcp-msvc
add address-pool=FRU disabled=no interface=vlan201_fru lease-time=1h name=\
    dhcp-fru
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/ \
    upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=MSVC \
    slave-configurations=FRU
/interface bridge port
add bridge=bridge interface=ether3 multicast-router=disabled
add bridge=bridge interface=ether4 multicast-router=disabled
add bridge=bridge interface=ether5 multicast-router=disabled
add bridge=bridge interface=ether1 multicast-router=disabled
add bridge=bridge interface=ether2 multicast-router=disabled
/interface bridge vlan
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=201
/ip address
add address=192.168.88.1/24 interface=vlan100_mgmt network=192.168.88.0
add address=10.0.13.1/24 interface=vlan200_msvc network=10.0.13.0
add address=10.1.13.1/24 interface=vlan201_fru network=10.1.13.0
/ip dhcp-client
add comment=FRU disabled=no interface=vlan10_SXT script=":local curGw [ /ip dh\
    cp-client get [ /ip dhcp-client find comment=\"FRU\" ] gateway ]\r\
    \n:local rtGw [ /ip route get [ /ip route find comment=\"FRU\" ] gateway ]\
    \r\
    \n:if (\$curGw != \$rtGw) do={\r\
    \n    :local rt [ /ip route find comment=\"FRU\" ]\r\
    \n    :if ([ :typeof \$rt ]=nil ) do={\r\
    \n        /ip route add dst-address=\"0.0.0.0/0\" gateway=\$curGw routing-\
    mark=\"FRU-WAN\" comment=\"FRU\"\r\
    \n    } else={\r\
    \n        /ip route set \$rt gateway=\$curGw\r\
    \n    }\r\
    \n}"
add add-default-route=no comment=MSVC disabled=no interface=vlan20_LHG \
    script=":local curGw [ /ip dhcp-client get [ /ip dhcp-client find comment=\
    \"MSVC\" ] gateway ]\r\
    \n:local rtGw [ /ip route get [ /ip route find comment=\"MSVC\" ] gateway \
    ]\r\
    \n:if (\$curGw != \$rtGw) do={\r\
    \n    :local rt [ /ip route find comment=\"MSVC\" ]\r\
    \n    :if ([ :typeof \$rt ]=nil ) do={\r\
    \n        /ip route add dst-address=\"0.0.0.0/0\" gateway=\$curGw routing-\
    mark=\"MSVC-WAN\" comment=\"MSVC\"\r\
    \n    } else={\r\
    \n        /ip route set \$rt gateway=\$curGw\r\
    \n    }\r\
    \n}"
/ip dhcp-server network
add address=10.0.13.0/24 comment=MSVC dns-server=194.204.159.1,194.204.152.34 \
    domain=msvc.local gateway=10.0.13.1 netmask=24
add address=10.1.13.0/24 comment=FRU dns-server=194.204.159.1,194.204.152.34 \
    domain=fru.local gateway=10.1.13.1 netmask=24
/ip firewall address-list
add address=10.1.13.0/24 list=LAN
add address=10.0.13.0/24 list=LAN
/ip firewall filter
add action=accept chain=input in-interface=vlan10_SXT protocol=icmp
add action=accept chain=input in-interface=vlan20_LHG protocol=icmp
/ip firewall mangle
add action=mark-routing chain=prerouting comment=MSVC dst-address-list=!LAN \
    in-interface=vlan200_msvc new-routing-mark=MSVC-WAN passthrough=yes
add action=mark-routing chain=prerouting comment=FRU dst-address-list=!LAN \
    in-interface=vlan201_fru log=yes log-prefix="[FRU-WAN]" new-routing-mark=\
    FRU-WAN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=MSVC out-interface=vlan20_LHG \
    routing-mark=MSVC-WAN src-address=10.0.13.0/24
add action=masquerade chain=srcnat comment=FRU out-interface=vlan10_SXT \
    src-address=10.1.13.0/24
/ip route
add comment=FRU distance=1 gateway=100.83.155.221 routing-mark=FRU-WAN
add comment=MSVC distance=1 gateway=1.2.3.4 routing-mark=MSVC-WAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB750-Main

P.S. Please - don’t mind the second gateway IP as it’s currently off-line (my LHG is on RMA now).

You only have two vlans defined or I should state only two with DHCP serving capacity on the router.
200 and 201???

Where should we assume vlans 10, 20, 100 are coming from???

If this is a five port unit, why is the ISP (assuming ether1) included in the bridge??

So I see all bridge ports are carrying vlan201, what happened to vlan200??

I see you have at least given the mgnmt vlan an address, but missing the rest of the required info.

I see now that vlan10 and 20 are WAN side vlans??

Okay you really need to draw a network diagram. Its not clear if this device is hooked up to an ISP directly or via another router for example.
Your firewall rules are not SAFE or complete and cannot advise further.

Suggest you read this after putting default firewall rules in place…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hi and thank you for the reply.

Only two with DHCP (the are networks for my work and fun).

VLANs 10 and 20 are from LTE modems on the house roof. VLAN 10 is RBSXTR and VLAN 20 is RBLHGR. VLAN 100 is a management VLAN for modems and switches and yes - it ain’t got no DHCP server as it’s not needed.

The "ISP"s are connected to ETH1 and ETH2. They’re included in the bridge because I couldn’t find any other way to connect both of the "ISP"s to my management VLAN (100).

Honestly - I have no idea! It’s probably gone due to some tries-and-fails…

What other info? All VLAN’s have their respective IP’s (100, 200, 201) or DHCP clients (10, 20)

Yes.

It’s really simple. Two modems are connected to main RB750. Other devices are connected to this RB750 directly or via another RB750 (cameras, apple tv etc.).
the firewall is one of my least problems (I have private IP addresses on both ISP’s) and wouldn’t concern about them too much as long as my Internet connection isn’t working

I am not comfortable with, firewall rules are not needed because they are private IPs??
Do the LTE modem devices have firewalls?? Where is the protection point if not your router??

I have never heard of vlans from an LTE modem unless the ISP specfically carries the data on vlans and not on normal ethernet channels.
I am confused by you trying to access the LTE modem in any other way except entering the Gateway Address of the MODEM from your PC.
None of this make sense, probably due to my lack of experience.

Typically the bridge port setup is NOT for your WAN connections.
Typically the managment vlan is part of the Bridge port architecture, with it being the home vlan or a separate vlan, typically the one the admin usually works within or if separate then one the admin then gives himself access to in the firewall rules forward chain.

in-interface=vlan (where admin resides) out-interface=manangmentvlan source-address-list=adminaccess
where adminaccess could be a list of IP addresses the admin uses (desktop, laptop, smartphone etc.)

The same accessadmin would be used for the input chain
{standard default input rules}
accept in-interface=vlan source-address-list=adminaccess
accept dns servers for users/devices in-interface-list=LAN
…
drop all else

@anav, I feel your point, but let me repeat once again: my ISP gave me only SIM cards. The modems are two Mikrotiks (one SXT and one LHG) working in LTE passthrough mode with two VLAN’s configured: one VLAN is for traffic, and the second one is for management.

The bridge is only because the TWO of my Mikrotik modems couldn’t see the management VLAN when it was configured for one the ETH ports only (and I couldn’t figure out how to configure it for two ETH ports without a bridge).

This can’t hurt Using RouterOS to VLAN your network

No, this is really cool and different so interested LOL.

Can you add the config of each LTE
/export hide-senstive file=anynameyouwish

I am still thinking only one bridge is needed.
On the trunk port between the LTE and the router there are two vlans,
ONe goes to DHCP client on the router, the other goes to the bridge.’
Is what I am thinking…

In other words, the management vlan can be the management vlan for all devices, the LTES, the router and any thing behind the router.
YOu still need to create a DHCP and servers etc for the mnagement vlan, heck you could use 200 as your management vlan.

BUT ABOVE ALL YOU NEED firewall rules protection.

I will do the firewall rules. It’s just not the time for them as I’ve resetted the configuration few times yesterday and it would by pointless to configure them and the have to configure them over and over again

Do I understand correctly that one bridge should contain all of the physical ports (as it is now)? I can simplify the setup and indeed, use a vlan 200 as management. It’s only going to be for my summer house so total separation is not my concern. This setup is necessary for only one reason: me and my wife need a fast, stable LTE connection for our work (that’s why I’ve bought LHG LTE) and we can’t afford to have downtime due to data transfer limit. The other subnet is purely for entertainment, where reaching a data limit wouldn’t cause any downtime (and this limit is reached quickly when my son watches YouTube videos ). Also - my summer house is at very remote location, where SXT LTE reaches 5Mbps max, and it’s too low to work with it, but enough to watch YT videos

P.S. I’ll post the configuration of SXT later, during the day. LHG will be configured the same way when it will be back from RMA.

[EDIT]
I think I’ve got it working. It very not-quick and dirty way, but works as intended:
On my main router, I’ve created 5 vlans for management. One for each ETH port. then removed all physical ports from bridge and added all VLAN’s to it and assigned one management IP to that bridge. Next, I’ve created three vlans for one subnet, and another three for the second subnet. Each three vlans are added to their respective bridges. I’ve directed the LTE passthrough on modem to physical port and configured routing for the subnet to that port. Routing for the second subnet is configured to the second port (where LHG will be when it will be back from RMA).

The traffic for both subnets works flawlessly

Now, it’s the time to configure firewall rules

post your configs, otherwise have no idea what you have done LOL.

I have no idea also, but my configuration wasn’t as perfect, as I previously thought… After two hours - my RB750 became really hot and fried… It was the oldest RB750 I’ve had (three electrolytic capacitors on board). So I’ve replaced it with a newer one and guess what? It also fried! Now, I’m thinking of buying used RB2011, so probably it will be more efficient…

https://en.wikipedia.org/wiki/Capacitor_plague

I lost near 200 devices RB450 and RB411 for the “green” capacitor… model with black capacitor never have problems, all relpaced for RB711+, on the past years…

The only way to read back the cfg, if no backup are available, is replace the 2/3 green capacitors wit new or power the device with 9/10 volt…