Existing ISP1 configuration (ISP1 → RB → LAN, no DHCP on the RB itself), adding ISP2 to provide redundancy to the existing configuration.
ISP1 - cable modem
ISP2 - ATT Uverse internet (Uverse modem configured in passthrough mode)
What I did/what I see
Plugged in ISP2. On Interfaces, I now see ISP1 marked "R" (Master) and ISP2 marked "RS" (Slave). Not sure why ISP2 got RS.
On IP->Addresses, I see
LAN address belonging to interface “bridge1”
ISP1 Address
added an ISP2 address based on what the Uverse modem issues in passthrough (a 76.217.x.x address for me)
Going to IP->Firewall->NAT and trying to select ISP2 as the Out. Interface, I get the message "in/out interface not possible when ISP2 is slave, use master instead" (bridge1).
What am I doing wrong? What should I be doing instead?
What I want is
ISP1 → LAN
ISP2 → LAN
no DHCP
thank you!
I exported the current config as well; right now the new interface is added but no rules are configured. What should I do next?
/interface bridge
add admin-mac=6C:3B:6B:64:E0:34 auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] comment=ATT_WAN name=ATT_Uverse_Internet \
speed=100Mbps
set [ find default-name=ether1 ] comment=WOW_WAN name=WOW_cable_internet \
speed=100Mbps
set [ find default-name=ether2 ] comment="Internal LAN" name=ether2-master \
speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ATT_Uverse_Internet
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ATT_Uverse_Internet list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
76.217.231.255
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.1.1.41,9.9.9.9
/ip dns static
add address=10.1.1.100 name=router
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=WOW_cable_internet
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WOW_cable_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=WOW_cable_internet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Chicago
/system identity
set name=SMR
/system resource irq rps
set WOW_cable_internet disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ATT_Uverse_Internet disabled=no
set ether2-master disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Thank you! I have removed the port where ISP2 comes in from the bridge, which I think was making it a 'slave' (see below).
This is what I have right now (below), and I think I need to get the firewall script configured and set up load balancing/failover.
(1) I disagree with CZFAN. It depends what the OP wants to do; he wants one LAN, so I am assuming he wants the LAN on ports 2, 3, 4.
(2) The error I noted was this one:
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ATT_Uverse_Internet (a WAN port does not normally belong on the bridge)
add bridge=bridge1 interface=ether2-master
/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
So all ports (3,4,5) will allow users to be on this network (assuming DHCP is turned off and all devices are assigned IPs manually).
FIREWALL FILTER RULES
(3) This rule is incomplete; you need to include the other WAN ISP as well.
add action=drop chain=input comment="defconf: drop all from WAN"
in-interface=WOW_cable_internet
(if you add both ISPs as interface list members of a WAN list, then you can use in-interface-list=WAN)
Alternatively the default rule also works and is stated as such:
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN (however, you don't have your LAN interface list defined)
(4) You need to create a second masquerade rule for srcnat; one for each WAN is fine.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
out-interface=WOW_cable_internet (add the other out-interface!!!)
(5) Don't see a second DHCP client for the second WAN???
(6) Don't see any routing rules???
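Points (1) to (6) pulled together as one RouterOS v6 fragment. This is an added example, not the OP's export and not something posted in the thread; it reuses the interface names from the OP's export (WOW_cable_internet, ATT_Uverse_Internet, bridge1) and assumes both uplinks get their address by DHCP. One detail worth checking in the posted export: the rule commented "defconf: accept ICMP" actually has action=drop, so the version below accepts ICMP as the comment intends.

```routeros
# Added example (not from the thread): WAN/LAN interface lists, filter rules keyed on
# those lists, one masquerade per uplink, one DHCP client per uplink, and default routes
# with different distances. Interface names come from the OP's export; the rest is assumed.
/interface list
add name=WAN comment="both ISP uplinks"
add name=LAN comment="internal network"
/interface list member
add interface=WOW_cable_internet list=WAN
add interface=ATT_Uverse_Internet list=WAN
add interface=bridge1 list=LAN

# A WAN port must not be a bridge port; as a bridge 'slave' it cannot be used as in/out interface.
/interface bridge port
remove [ find interface=ATT_Uverse_Internet ]

# One DHCP client per uplink. Each installs its own 0.0.0.0/0; default-route-distance
# makes ISP1 (500/50) preferred and ISP2 (100/10) the standby. use-peer-dns=no keeps the
# router on its own resolvers (10.1.1.41 and 9.9.9.9 in the export) instead of ISP-pushed ones.
/ip dhcp-client
set [ find interface=WOW_cable_internet ] add-default-route=yes default-route-distance=1 use-peer-dns=no use-peer-ntp=no
add interface=ATT_Uverse_Internet disabled=no add-default-route=yes default-route-distance=2 use-peer-dns=no use-peer-ntp=no

# Input chain: accept ICMP (the export drops it under an "accept ICMP" comment), then drop
# everything new arriving on either uplink. Order matters: rules are evaluated top to bottom.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="accept established,related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface-list=WAN comment="drop all from WAN"

# Forward chain keyed on the WAN list, so a third uplink needs a list entry, not new rules.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"

# One srcnat rule per uplink so packets leaving via ISP2 carry ISP2's address.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WOW_cable_internet comment="masquerade ISP1"
add chain=srcnat action=masquerade out-interface=ATT_Uverse_Internet comment="masquerade ISP2"
```

After applying it, `/ip route print` should show two 0.0.0.0/0 routes (distance 1 active, distance 2 standby), `/ip firewall filter print stats` should show the "drop all from WAN" counter climbing within a minute on a public address, and `/tool traceroute 9.9.9.9` from the router should leave via the cable modem. Note that routes installed by a DHCP client cannot carry check-gateway, so this fragment fails over on link loss of the uplink interface only; a modem in passthrough mode keeps the link up while the ISP is down, which is the case the recursive-route approach addresses.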
Thank you both!! Here is the full config (vs posting pieces of it).
I only have a single LAN (home), and my only LAN port on the RB is ether2, where the LAN comes in. The RouterBoard is a router that is set up as the gateway for my internal devices (server, DHCP, DNS are all handled elsewhere).
I have ISP1 on ether1 and ISP2 on ether5.
I know my configuration is not complete:
FIREWALL FILTER RULES are missing.
Failover rules are missing (check gateway, etc.).
I am not finding where in the GUI to edit the IP Route check-gateway settings, and I think I am coming to the point of editing the actual config file myself (vs trying through the GUI).
/interface bridge
add admin-mac=6C:3B:6B:64:E0:34 auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] comment=ATT_WAN name=ATT_Uverse_Internet \
speed=100Mbps
set [ find default-name=ether1 ] comment=WOW_WAN name=WOW_cable_internet \
speed=100Mbps
set [ find default-name=ether2 ] comment="Internal LAN" name=ether2-master \
speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ATT_Uverse_Internet list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
76.217.231.255
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.1.1.41,9.9.9.9
/ip dns static
add address=10.1.1.100 name=router
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=WOW_cable_internet
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WOW_cable_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=WOW_cable_internet
add action=masquerade chain=srcnat out-interface=ATT_Uverse_Internet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Chicago
/system identity
set name=SMR
/system resource irq rps
set WOW_cable_internet disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ATT_Uverse_Internet disabled=no
set ether2-master disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Yeah, still seeing only one DHCP client setting and one associated address for the WAN:
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
/ip address
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
76.217.231.255
Still missing the second input chain rule for the second ISP:
add action=drop chain=input comment="defconf: drop all from WAN"
in-interface=WOW_cable_internet
???
Thank you ALL!!! Awesome community!
So I had the following problems:
the port I put ISP2 on was still assigned to the bridge (caught and fixed)
the DHCP client was not set up (caught and fixed)
the suggestion to set up a WAN interface list and update the firewall script to use it (thank you)
I posted what I have right now below. In testing from a LAN PC I was able to disable ISP1 and still be connected (and check on sites like speedtest that I am coming from ISP2), disable ISP2 and test, enable both and test.
I think my config is not smart; it does not take capacity into account in any form (ISP1 is 500/50, ISP2 is backup 100/10).
The system had ISP1 with a distance of 1, so I manually added a distance of 2 for ISP2, which I think would make users prefer ISP1.
Hopefully the last request: for my config below, is there anything else I may be missing or should think about?
/interface bridge
add admin-mac=6C:3B:6B:64:E0:34 auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] comment=ATT_WAN name=ATT_Uverse_Internet \
speed=100Mbps
set [ find default-name=ether1 ] comment=WOW_WAN name=WOW_cable_internet \
speed=100Mbps
set [ find default-name=ether2 ] comment="Internal LAN" name=ether2-master \
speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=discover
add disabled=yes interface=ether3 list=discover
add disabled=yes interface=ether4 list=discover
add interface=ATT_Uverse_Internet list=WAN
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
add interface=WOW_cable_internet list=WAN
/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
add disabled=no interface=ATT_Uverse_Internet
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.1.1.41,9.9.9.9
/ip dns static
add address=10.1.1.100 name=router
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=WOW_cable_internet
add action=masquerade chain=srcnat out-interface=ATT_Uverse_Internet
/ip route
add distance=2 gateway=76.217.228.1
Here it is. I don't get why ATT uses 76.217.228.1 for the gateway and 76.217.230.243 for the preferred source, but it seems to work. Everything was configured through the DHCP client attached to each connection; the ATT gateway is in passthrough mode.
I think failover works (since I tested it yesterday). I don't remember setting up the failback routes for each connection (the way I remember doing it in pfSense years ago: if A goes down -> B, if B goes down -> A, etc.).
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY             DISTANCE
 0 ADS  0.0.0.0/0                          65.60.182.1                1
 1  DS  0.0.0.0/0                          76.217.228.1               2
 2 ADC  10.1.1.0/24        10.1.1.100      bridge1                    0
 3 ADC  65.60.182.0/24     65.60.182.76    WOW_cable_internet         0
 4 ADC  76.217.228.0/22    76.217.230.243  ATT_Uverse_Inte...         0
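On the failover and failback question above: the route print shows two default routes with no check-gateway at all, and the ISP1 route is dynamic (ADS, installed by the DHCP client), so it cannot be given one. Even a static check-gateway=ping against the next hop only proves the modem answers, and a modem in passthrough mode keeps answering while the ISP behind it is down. The usual RouterOS answer is recursive routing: pin one probe host per ISP with a /32 route, and make each default route's gateway that probe host with check-gateway=ping. This is an added example, not the OP's config or anything from the thread; the gateway addresses 65.60.182.1 and 76.217.228.1 are the ones in the OP's route print, and the probe hosts 1.1.1.1 and 8.8.8.8 are assumptions. Don't use 9.9.9.9 as a probe, since it is the OP's resolver and a probe host becomes reachable only through the ISP its /32 route points at.

```routeros
# Added example (not the OP's config): recursive default routes with check-gateway=ping, so
# failover tracks reachability of a host beyond each ISP rather than the modem's link state.
# Gateway addresses are from the OP's route print and can change with the lease (step 4
# handles that); probe hosts are assumptions.

# 1. Stop both DHCP clients from installing their own 0.0.0.0/0. Those dynamic routes cannot
#    carry check-gateway and, at the default distance of 1, would compete with the static ones.
/ip dhcp-client
set [ find interface=WOW_cable_internet ] add-default-route=no
set [ find interface=ATT_Uverse_Internet ] add-default-route=no

# 2. Pin each probe host to one uplink. scope=10 lets the default routes below resolve
#    through these entries (a static route's target-scope is 10 by default).
/ip route
add dst-address=1.1.1.1/32 gateway=65.60.182.1 scope=10 comment="ISP1 probe"
add dst-address=8.8.8.8/32 gateway=76.217.228.1 scope=10 comment="ISP2 probe"

# 3. Default routes whose next hop is the probe host. check-gateway=ping probes every 10 s;
#    after two consecutive misses the route goes inactive and the distance-2 route takes over.
#    When the probe answers again the distance-1 route comes back by itself, which is the
#    failback the OP asked about; no second set of "B -> A" routes is needed.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 check-gateway=ping comment="default via ISP1"
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=2 check-gateway=ping comment="default via ISP2"

# 4. Keep the probe routes in step with the leases. The DHCP client script runs on every
#    bind/renew/release and exposes $bound and $"gateway-address".
/ip dhcp-client
set [ find interface=WOW_cable_internet ] script=":if (\$bound=1) do={ /ip route set [ find comment=\"ISP1 probe\" ] gateway=\$\"gateway-address\" }"
set [ find interface=ATT_Uverse_Internet ] script=":if (\$bound=1) do={ /ip route set [ find comment=\"ISP2 probe\" ] gateway=\$\"gateway-address\" }"
```

To test it without touching cables, block the probe on one side (for example a temporary `/ip firewall raw add chain=output dst-address=1.1.1.1 action=drop`) and watch `/ip route print where dst-address=0.0.0.0/0` flip the distance-1 route from A to inactive within about 20 s; remove the rule and it flips back. Connections that were already open keep their ISP1 NAT mapping in the connection table until they time out, so a long-lived session may stall across a flip while new ones go out via ISP2 immediately. The masquerade rules stay per out-interface, so nothing else in the NAT section changes.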