Hello this is my configuration and all is working good with dual wan PCC.
When I try to connect from 192.168.3.X on 192.168.2.X the connection is not 100% working because of PCC so Is working only 50% of the connections…
How can I force traffic from BRIDGE LAN 192.168.3.0 to reach 192.168.2.0 through WAN2?
PS:
ping from mikrotik 192.168.3.1 to any 192.168.2.0 is working.
ping from any clients 192.168.3.X trying to reach any 192.168.2.0 is NOT working well.
Thanks
without seeing the config…
/export file=anynameyouwish (minus router serial number, any public WANIP info, keys etc. )
Here my configuration:
2024-06-19 17:45:43 by RouterOS 7.15.1
# software id = SLHZ-471N
#
# model = RB750Gr3
# serial number =
/interface bridge
add name=BridgeLAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface l2tp-server
add name=l2tp-in1 user=marco
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=penguard
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.3.20-192.168.3.230
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.3.1 local-address=192.168.89.1 \
remote-address=vpn
/queue simple
add dst=WAN2 max-limit=0/10M name="synove download max da wan2" \
packet-marks=no-mark target=192.168.3.247/32 time=\
6h-1h,sun,mon,tue,wed,thu,fri,sat
add dst=WAN1 max-limit=0/20M name="synove download max da wan1" \
packet-marks=no-mark target=192.168.3.247/32
add dst=BridgeLAN max-limit=0/10M name="synotto download max da wan2" \
packet-marks=no-mark target=192.168.2.70/32 time=\
6h-1h,sun,mon,tue,wed,thu,fri,sat total-queue=default
add dst=BridgeLAN max-limit=0/5M name="synotto drivesync" packet-marks=\
no-mark target=95.232.173.51/32 time=6h-1h,sun,mon,tue,wed,thu,fri,sat \
total-queue=default
/routing table
add disabled=no fib name=to-ISP1
add disabled=no fib name=to-ISP2
/interface bridge port
add bridge=BridgeLAN ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
all wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1 list=WAN
add interface=BridgeLAN list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.2.0/24 endpoint-address=\
e1ceba6jwph9qfyj.myfritz.net endpoint-port=50366 interface=penguard name=\
peer1 persistent-keepalive=25s preshared-key=\
"1njp+zc4QMqvXPas5uUJlddULYHfG+Wj3J1xd5Y24Bc=" public-key=\
"FqvCmXpykxEWI97o6NeP44mU3ge1VaSa9Tz5wdZEEh0="
/ip address
add address=192.168.8.2/24 interface=WAN1 network=192.168.8.0
add address=192.168.2.254/24 interface=WAN2 network=192.168.2.0
add address=192.168.3.1/24 interface=BridgeLAN network=192.168.3.0
/ip arp
add address=192.168.3.3 interface=BridgeLAN mac-address=00:C0:08:86:72:1B
add address=192.168.3.2 interface=BridgeLAN mac-address=F8:32:E4:77:3E:F8
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server lease
add address=192.168.3.254 client-id=1:0:11:32:db:5d:f2 mac-address=\
00:11:32:DB:5D:F2 server=dhcp1
add address=192.168.3.247 address-lists=synpen client-id=1:0:11:32:db:5d:f1 \
mac-address=00:11:32:DB:5D:F1 server=dhcp1
add address=192.168.3.239 mac-address=50:2D:F4:1C:6E:31 server=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.3.253 list="Synove NAS 2"
add address=192.168.3.239 list=Sonnen
add address=192.168.3.3 list=Vimar
add address=192.168.3.247 list="Synove NAS 1"
add address=192.168.3.23 list=iphone15pro
add address=192.168.3.2 list=AC87U
/ip firewall mangle
add action=mark-connection chain=prerouting comment=Mark-con connection-mark=\
no-mark connection-state=new in-interface=WAN1 new-connection-mark=ISP1 \
passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=WAN2 new-connection-mark=ISP2 \
passthrough=yes
add action=mark-routing chain=output comment=Output connection-mark=ISP1 \
new-routing-mark=to-ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
to-ISP2 passthrough=yes
add action=accept chain=prerouting comment=Accept disabled=yes dst-address=\
192.168.8.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.2.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.3.0/24
add action=mark-connection chain=input comment=Input disabled=yes \
in-interface=WAN1 new-connection-mark=ISP1 passthrough=no
add action=mark-connection chain=input disabled=yes in-interface=WAN2 \
new-connection-mark=ISP2 passthrough=no
add action=mark-connection chain=prerouting comment=PCC connection-mark=\
no-mark connection-state=new dst-address-type=!local in-interface=\
BridgeLAN new-connection-mark=ISP1 passthrough=yes \
per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new connection-type="" dst-address-type=!local \
in-interface=BridgeLAN new-connection-mark=ISP2 passthrough=yes \
per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting comment=Mark-route connection-mark=\
ISP1 in-interface=BridgeLAN new-routing-mark=to-ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=\
BridgeLAN new-routing-mark=to-ISP2 passthrough=yes
/ip firewall nat
add action=accept chain=input comment="masq. vpn traffic" disabled=yes \
protocol=ipsec-esp
add action=accept chain=input disabled=yes dst-port=500,1701,4500 protocol=\
udp
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat comment="VIMAR Accesso esterno" dst-port=8002 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.3.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=8002 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=8002 in-interface=BridgeLAN \
protocol=tcp to-addresses=192.168.3.3 to-ports=443
add action=dst-nat chain=dstnat comment="Mikrotik RB ext" dst-port=8291 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.3.1 to-ports=8291
add action=dst-nat chain=dstnat dst-port=8291 in-interface=BridgeLAN \
protocol=tcp to-addresses=192.168.3.1 to-ports=8291
add action=dst-nat chain=dstnat dst-port=8291 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.1 to-ports=8291
add action=dst-nat chain=dstnat comment=Homeassistant dst-port=8123 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.3.254 to-ports=8123
add action=dst-nat chain=dstnat dst-port=8123 in-interface=BridgeLAN \
protocol=tcp to-addresses=192.168.3.254 to-ports=8123
add action=dst-nat chain=dstnat comment="Synove PLEX" dst-port=32400 \
in-interface=BridgeLAN protocol=tcp to-addresses=192.168.3.247 to-ports=\
32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.247 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=32400
add action=dst-nat chain=dstnat comment=Synove dst-port=4000 in-interface=\
BridgeLAN protocol=tcp to-addresses=192.168.3.247 to-ports=4000
add action=dst-nat chain=dstnat dst-port=4000 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=4000
add action=dst-nat chain=dstnat dst-port=4001 in-interface=BridgeLAN \
protocol=tcp to-addresses=192.168.3.247 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.247 to-ports=4001
add action=dst-nat chain=dstnat comment=SynoveSynottodrive disabled=yes \
dst-port=6690 in-interface=WAN2 protocol=tcp to-addresses=192.168.3.247 \
to-ports=6690
add action=dst-nat chain=dstnat disabled=yes dst-port=6690 in-interface=\
BridgeLAN protocol=tcp to-addresses=192.168.2.70 to-ports=6690
add action=dst-nat chain=dstnat comment="Synove BT ports" dst-port=6881 \
in-interface=WAN1 protocol=udp to-addresses=192.168.3.247 to-ports=6881
add action=dst-nat chain=dstnat dst-port=16881 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.247 to-ports=16881
add action=dst-nat chain=dstnat dst-port=6881 in-interface=WAN2 protocol=udp \
to-addresses=192.168.3.247 to-ports=6881
add action=dst-nat chain=dstnat disabled=yes dst-port=6881 in-interface=WAN2 \
protocol=udp to-addresses=192.168.3.254 to-ports=6881
add action=dst-nat chain=dstnat dst-port=16881 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=16881
add action=dst-nat chain=dstnat disabled=yes dst-port=16881 in-interface=WAN2 \
protocol=tcp to-addresses=192.168.3.254 to-ports=16881
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.8.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.2.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.8.1 pref-src=0.0.0.0 routing-table=to-ISP1 scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.2.1 pref-src=0.0.0.0 routing-table=to-ISP2 scope=30 \
suppress-hw-offload=no target-scope=10
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip upnp
set enabled=yes
/ppp secret
add name=marco profile=default-encryption
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MP-Mikrotik
/system note
set show-at-login=no
/tool graphing interface
add interface=WAN1 store-on-disk=no
add interface=WAN2 store-on-disk=no
/tool graphing queue
add
Hello @anav.
When you request the forum user the config, could you also add how to use the forums code tags to the message.
Don’t you have any work to do ?? You are so helpfull in this forum, thanks for that.
hahahaha, I love the long lines of MT config, its like poetry.
What I want is for each new poster to first be eligible for a sandbox forum.
There they have to read some dos and donts and then present their post after reading.
IF the post meets the standards the post gets elevated to the beginner forum (or if a trained IT guy might go straight to General, or WIFI or other forum as appropriate).
IF the post does not, then the OP makes suggestion on how to improve ( basically read the rules/ again etc..)
Imagine every new post we see is properly formatted, contains any necessary diagrams and full config and requirements for traffic flow through. -------------
duplicate
(1) You have wireguard Okay I see this is not for remote access to the MT but to go out a third party for wireguard?? Please confirm who/what/where is providing server instance for handshake.
(and purpose of wireguard in your setup)
(2) WHat is the purpose of queuing? You have PCC setup on wan1 and wan2 so presumably they have roughly the same throughput and you are looking for even use of both.
Confirm speeds of WAN1 and WAN2 both up and down.
(3) Since you should be able to port forward from FRITZBOX, we can use MT to host wireguard for remote access!
(4) Destination NAT very confusing picture.
Are there MT users attempting to reach servers on MT by other than direct LANIP address?
(5) I see a mix of WAN1 and WAN2 being used for port forwarding. I am assuming that there is no expectation of failover, if WAN1 goes down, servers via WAN1 are not accessible through WAN1 and if WAN2 goes down servers via WAN2 are not accessible thru WAN2.
(6) Routes need work, the main table routes need a route differentiation, the special routes do not.
I try configuring WireGuard from MikroTik to fritzbox to try solve the problem of connecting the 2 LANs in case PtP radio was down but is not configured correctly.
wan1 is connected to a 4G router with unlimited data, bandwidth down is variable from 40 to 80Mbps, upload is 50Mbps
Wan2 receive connection from adsl (down 40Mbps, up 10Mbps) connected to Fritz box. In this case the limit is the PtP radio of 20Mbps.
Scope of PCC is to increase total bandwidth available in down and in up and have automatic backup in case PtP is down.
I need to access lan of fritzbox to manage some pc and backup between the 2 synology nas
The purpose of queuing is not saturate PtP during backup and to limit torrent speed.
Thank you
Now I fix the code in the right way 
It was my first post!
All understood.
PTP is primary WAN, with throughput of 20Mbps
4G router is secondary WAN with throughput roughly double of 50Mbps
If this is the case then I would at least do PCC on a 2:1 type basis…
3:0 wan1 - 4g
3:1 wan2 adsl
3:2 wan1 - 4g
The queuing is confusing why are you:
Can you confirm they work properly??
Without looking at config, if you can ping clients but not reach them…hmmm
Normally
On fritz
a. need static route stating if you want to reach 192.168.3.0/24 use gateway of 192.168.254
b. need at least firewall rule for 3.0 user to visit 2.0 users.
However, since MT is a router you could also simply state that sourcenat will work for you in that
all traffic leaving the MT device will get an IP address of 2.254 and thus be accepted by the fritz, reach the 2.0 subnet users and return traffic to .254 and the MT will unsourcenat that to the user.
So it should work without much effort.
Therefore I suspect that either queuing or more likely PCC is getting in the way.
Lets see if we can solve it.
(1) dont need connection-state=new
(2) REMOVE 8291 from port forwarding, this is a router service, so port forwarding does not apply, FURTHER, its not safe to access from external… REMOVED.
Clue port forwarding to gateway is usually not a good idea!
The first set of rules below are ONLY REQUIRED if you have external traffic TO THE ROUTER, aka input chain rules for VPN for example.
If not you can disregard!
/ip firewall mangle
{ Lets ensure any traffic coming to the router itself goes out the same ISP ( input/output chains ) }
add action=mark-connection chain=input connection-mark=no-mark
in-interface=WAN1 new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark
in-interface=WAN2 new-connection-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1
new-routing-mark=to-ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2
new-routing-mark=to-ISP2 passthrough=no
Note: if we had multiple local subnets, we would consider adding some rules here, in the order, so that internal traffic was not captured by mangles.
Basically an accept mangle rule for such traffic. Normally I would say not required but since you have 192.168.2.0 traffic that is almost local and should not be caught up in PCC traffic, aka we dont want traffic to go out WAN1 when it should be going directly via WAN2 …
THUS NEED:
add action=accept chain=prerouting src-address=192.168.3.0/24 dst-address=192.168.2.0/24
The rationale here is that any traffic from users to users will be processed before PCC mangling does so. Since the MT router knows where 192.168.2.1 gateway exists, it will sends such traffic regardless out WAN2. Since we sourcenat all traffic going out WAN2, it will work as all traffic will appear to be from MT (local LAN) at fritz.
{ Lets ensure any traffic originating externally and heading to the LAN, coming in on WANX and being returned from LAN Servers leaves on WANX ( forward/prerouting chains ) }
add action=mark-connection chain=forward connection-mark=no-mark
in-interface=WAN1 dst-address=192.168.3.0/24 new-connection-mark=incoming-ISP1 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark
in-interface=WAN2 dst-address=192.168.3.0/24 new-connection-mark=incoming-ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=incoming-ISP1
new-routing-mark=to-ISP1 src-address-list=MyServers passthrough=no
add action=mark-routing chain=prerouting connection-mark=incoming-ISP2
new-routing-mark=to-ISP2 src-address-list=MyServers passthrough=no
It should be obvious that you would need to make a firewall address list for all the LAN servers!
/ip firewall address-list
add address=192.168.3.3 list=MyServers
add address=192.168.3.247 list=MyServers
add address=192.168.3.254 list=MyServers
{ Now we mangle for PCC }
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BridgeLAN new-connection-mark=out-ISP1
passthrough=yes per-connection-classifier=src-address-and-port**:3/0**
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BridgeLAN new-connection-mark=out-ISP2
passthrough=yes per-connection-classifier=src-address-and-port:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=BridgeLAN new-connection-mark=out-ISP1
passthrough=yes per-connection-classifier=src-address-and-port:3/2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=mark-routing chain=prerouting comment=Mark-route connection-mark=
out-ISP1 new-routing-mark=to-ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=
out-ISP2 new-routing-mark=to-ISP2 passthrough=no
What should be clear is that I use different connection marks, to ensure no cross contamination in rules but mainly
to ensure that when logging traffic for troubleshooting purposes its clear what traffic is being logged/captured.
Only real change is adding distance to WAN2.
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.8.1routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-table=to-ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=to-ISP2
WOW Anav, thank you so much.
So:
all worked with this:
add action=accept chain=prerouting src-address=192.168.3.0/24 dst-address=192.168.2.0/24
so now now I can access to all the LAN2 devices.
regarding this:
(1) dont need connection-state=new
I follow this video from official mikrotik channel and for me make sense connection-state=new
https://www.youtube.com/watch?v=nlb7XAv57tw&ab_channel=MikroTik
regarding forward connection you are right…I never experience the problem because only 1 connection has public IP but when I’m connected with the company VPN this problem happens.
So now I check if it’s solved…
One stupid thing…when I try to create the rules:
add action=mark-connection chain=forward connection-mark=no-mark
in-interface=WAN1 dst-address=192.168.3.0/24 new-connection-mark=incoming-ISP1 passthrough=yes
I cannot find in winbox " new connection mark"…is something that I can do it only by writing in the code?
Connection new is in examples, but its not required in mangles nor in firewall rules. One has to take MT documentation with a grain of salt.
It could be used in mangles in very specific circumstances to finesse the identifying of traffic but not in your case.
The new-connection-mark appears when you choose ACTION - “mark connection”. Look below!
Hello, I try this full configuration but doesn’t work…
Where I’m Wrong?
# model = RB750Gr3
# serial number =
/interface bridge
add name=BridgeLAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface l2tp-server
add name=l2tp-in1 user=marco
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=penguard
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.3.20-192.168.3.230
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.3.1 local-address=192.168.89.1 remote-address=\
vpn
/queue simple
add dst=WAN2 max-limit=0/10M name="synove download max da wan2" packet-marks=\
no-mark target=192.168.3.247/32 time=6h-1h,sun,mon,tue,wed,thu,fri,sat
add dst=WAN1 max-limit=0/20M name="synove download max da wan1" packet-marks=\
no-mark target=192.168.3.247/32
add dst=BridgeLAN max-limit=0/10M name="synotto download max da wan2" \
packet-marks=no-mark target=192.168.2.70/32 time=\
6h-1h,sun,mon,tue,wed,thu,fri,sat total-queue=default
add dst=BridgeLAN max-limit=0/5M name="synotto drivesync" packet-marks=no-mark \
target=95.232.173.51/32 time=6h-1h,sun,mon,tue,wed,thu,fri,sat total-queue=\
default
/routing table
add disabled=no fib name=to-ISP1
add disabled=no fib name=to-ISP2
/interface bridge port
add bridge=BridgeLAN ingress-filtering=no interface=ether3 internal-path-cost=\
10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether4 internal-path-cost=\
10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether5 internal-path-cost=\
10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
all wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1 list=WAN
add interface=BridgeLAN list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN
protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.2.0/24 endpoint-address=\
e1ceba6jwph9qfyj.myfritz.net endpoint-port=50366 interface=penguard name=\
peer1 persistent-keepalive=25s preshared-key=\
"1njp+zc4QMqvXPas5uUJlddULYHfG+Wj3J1xd5Y24Bc=" public-key=\
"FqvCmXpykxEWI97o6NeP44mU3ge1VaSa9Tz5wdZEEh0="
/ip address
add address=192.168.8.2/24 interface=WAN1 network=192.168.8.0
add address=192.168.2.254/24 interface=WAN2 network=192.168.2.0
add address=192.168.3.1/24 interface=BridgeLAN network=192.168.3.0
/ip arp
add address=192.168.3.3 interface=BridgeLAN mac-address=00:C0:08:86:72:1B
add address=192.168.3.2 interface=BridgeLAN mac-address=F8:32:E4:77:3E:F8
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server lease
add address=192.168.3.254 client-id=1:0:11:32:db:5d:f2 mac-address=\
00:11:32:DB:5D:F2 server=dhcp1
add address=192.168.3.247 address-lists=synpen client-id=1:0:11:32:db:5d:f1 \
mac-address=00:11:32:DB:5D:F1 server=dhcp1
add address=192.168.3.239 mac-address=50:2D:F4:1C:6E:31 server=dhcp1
add address=192.168.3.174 client-id=1:80:69:1a:13:23:cd mac-address=\
80:69:1A:13:23:CD server=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.3.253 list="Synove NAS 2"
add address=192.168.3.239 list=Sonnen
add address=192.168.3.3 list=Vimar
add address=192.168.3.247 list="Synove NAS 1"
add address=192.168.3.23 list=iphone15pro
add address=192.168.3.2 list=AC87U
add address=192.168.3.247 list=MyServers
add address=192.168.2.0/24 list=PrivateIP2
add address=192.168.3.0/24 list=PrivateIP3
add address=192.168.3.253 list=MyServers
add address=192.168.3.3 list=MyServers
add address=192.168.3.174 list=DELL_Office
/ip firewall mangle
add action=accept chain=prerouting comment="LAN3 access to LAN2" dst-address=\
192.168.2.0/24 src-address=192.168.3.0/24 src-address-type=unicast
add action=mark-connection chain=prerouting comment=Mark-con connection-mark=\
no-mark connection-state=new disabled=yes in-interface=WAN1 \
new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new disabled=yes in-interface=WAN2 new-connection-mark=\
ISP2 passthrough=yes
add action=mark-connection chain=input comment=Input connection-mark=no-mark \
in-interface=WAN1 new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
WAN2 new-connection-mark=ISP2 passthrough=yes
add action=mark-routing chain=output comment=Output connection-mark=ISP1 \
new-routing-mark=to-ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
to-ISP2 passthrough=no
add action=mark-connection chain=forward comment="forward to same connection" \
connection-mark=no-mark dst-address=192.168.3.0/24 in-interface=WAN1 \
new-connection-mark=incoming-ISP1 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark dst-address=\
192.168.3.0/24 in-interface=WAN2 new-connection-mark=incoming-ISP2 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=incoming-ISP1 \
new-routing-mark=to-ISP1 passthrough=no src-address-list="Synove NAS 2"
add action=mark-routing chain=prerouting connection-mark=incoming-ISP2 \
new-routing-mark=to-ISP2 passthrough=no src-address-list="Synove NAS 2"
add action=mark-connection chain=prerouting comment=PCC connection-mark=no-mark \
connection-state="" dst-address-type=!local in-interface=BridgeLAN \
new-connection-mark=out-ISP1 passthrough=yes per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state="" connection-type="" dst-address-type=!local \
in-interface=BridgeLAN new-connection-mark=out-ISP2 passthrough=yes \
per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting comment="Mark-route PCC" \
connection-mark=out-ISP1 new-routing-mark=to-ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=out-ISP2 \
new-routing-mark=to-ISP2 passthrough=no
/ip firewall nat
add action=accept chain=input comment="masq. vpn traffic" disabled=yes \
protocol=ipsec-esp
add action=accept chain=input disabled=yes dst-port=500,1701,4500 protocol=udp
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat comment="VIMAR Accesso esterno" dst-port=8002 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.3.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=8002 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=8002 in-interface=BridgeLAN protocol=\
tcp to-addresses=192.168.3.3 to-ports=443
add action=dst-nat chain=dstnat comment="Mikrotik RB ext" disabled=yes \
dst-port=8291 in-interface=WAN2 protocol=tcp to-addresses=192.168.3.1 \
to-ports=8291
add action=dst-nat chain=dstnat disabled=yes dst-port=8291 in-interface=WAN1 \
protocol=tcp to-addresses=192.168.3.1 to-ports=8291
add action=dst-nat chain=dstnat comment=Homeassistant dst-port=8123 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.3.254 to-ports=8123
add action=dst-nat chain=dstnat dst-port=8123 in-interface=BridgeLAN protocol=\
tcp to-addresses=192.168.3.254 to-ports=8123
add action=dst-nat chain=dstnat comment="Synove PLEX" dst-port=32400 \
in-interface=BridgeLAN protocol=tcp to-addresses=192.168.3.247 to-ports=\
32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.247 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=32400
add action=dst-nat chain=dstnat comment=Synove dst-port=4000 in-interface=\
BridgeLAN protocol=tcp to-addresses=192.168.3.247 to-ports=4000
add action=dst-nat chain=dstnat dst-port=4000 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=4000
add action=dst-nat chain=dstnat dst-port=4001 in-interface=BridgeLAN protocol=\
tcp to-addresses=192.168.3.247 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.247 to-ports=4001
add action=dst-nat chain=dstnat comment=SynoveSynottodrive disabled=yes \
dst-port=6690 in-interface=WAN2 protocol=tcp to-addresses=192.168.3.247 \
to-ports=6690
add action=dst-nat chain=dstnat disabled=yes dst-port=6690 in-interface=\
BridgeLAN protocol=tcp to-addresses=192.168.2.70 to-ports=6690
add action=dst-nat chain=dstnat comment="Synove BT ports" dst-port=6881 \
in-interface=WAN1 protocol=udp to-addresses=192.168.3.247 to-ports=6881
add action=dst-nat chain=dstnat dst-port=16881 in-interface=WAN1 protocol=tcp \
to-addresses=192.168.3.247 to-ports=16881
add action=dst-nat chain=dstnat dst-port=6881 in-interface=WAN2 protocol=udp \
to-addresses=192.168.3.247 to-ports=6881
add action=dst-nat chain=dstnat disabled=yes dst-port=6881 in-interface=WAN2 \
protocol=udp to-addresses=192.168.3.254 to-ports=6881
add action=dst-nat chain=dstnat dst-port=16881 in-interface=WAN2 protocol=tcp \
to-addresses=192.168.3.247 to-ports=16881
add action=dst-nat chain=dstnat disabled=yes dst-port=16881 in-interface=WAN2 \
protocol=tcp to-addresses=192.168.3.254 to-ports=16881
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.8.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
192.168.2.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.8.1 pref-src=0.0.0.0 routing-table=to-ISP1 scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.2.1 pref-src=0.0.0.0 routing-table=to-ISP2 scope=30 \
suppress-hw-offload=no target-scope=10
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip upnp
set enabled=yes
/ppp secret
add name=marco profile=default-encryption
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MP-Mikrotik
/system note
set show-at-login=no
/tool graphing interface
add interface=WAN1 store-on-disk=no
add interface=WAN2 store-on-disk=no
/tool graphing queue
add
Dont see anything OBVIOUS yet… some small items.
(1) Modify
From:
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=
all wan-interface-list=WAN
TO:
/interface detect-internet
set detect-interface-list=NONE can cause issues…
(2) Not sure why you added this, UNICAST to the first mangle rule but remove it for now as I am not sure its effects.
/ip firewall mangle
add action=accept chain=prerouting comment=“LAN3 access to LAN2” dst-address=
192.168.2.0/24 src-address=192.168.3.0/24 src-address-type=unicast
(3) After removing that, try using chain=forward not prerouting as that is more accurate.
(4) Remove these rules, keep the config UNCLUTTERED!!! ( 2,3rd mangle rules )
add action=mark-connection chain=prerouting comment=Mark-con connection-mark=
no-mark connection-state=new disabled=yes in-interface=WAN1
new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new disabled=yes in-interface=WAN2 new-connection-mark=
ISP2 passthrough=yesconnection-state=new, not required in mangle rules.
(5) The first two PCC rules chain is more accurately forward chain.
add action=mark-connection chain=forward comment=PCC connection-mark=no-mark
connection-state=“” dst-address-type=!local in-interface=BridgeLAN
new-connection-mark=out-ISP1 passthrough=yes per-connection-classifier=
src-address-and-port:2/0
add action=mark-connection chain=forward connection-mark=no-mark
connection-state=“” connection-type=“” dst-address-type=!local
in-interface=BridgeLAN new-connection-mark=out-ISP2 passthrough=yes
per-connection-classifier=src-address-and-port:2/1
(6) Put the two masquerade rules at the top of the NAT rules, just for clarity.
(7) AHHHHHHHHHHHH maybe this is the issue…
WE do not control the two upstream routers providing private IPs.
the LTE MODEM is not a modem its an LTE MODEM Router, how else would it be able to give you a private IP.
Secondly the other WAN source is through a different Router, the Fritz Router, which does get a public IP.
1**. FRITZ**
you need to forward every port that needs to reach the MT to 192.168.2.254