Dual Wan

Hi everyone, I’m new to Mikrotik and actively learning.
I just ordered an SXT LTE6 kit-US, ordered a SIM card for hotspot from T-Mobile and am planning on configuring a failover WAN connection on an RB5009.
I’m not looking for setup help yet; what I would like to ask is how I should configure the LAN in order to block some devices from ever using wan2. In particular 3 TVs, a couple of cameras, a music streaming player, as well as all devices on wlan. The only devices allowed to use wan2 in case of failover are 3 computers and 2 phones.
As of right now I’m running the default config with a couple of port forwarding rules.

Are those devices fixed IP or dynamic IP?

If fixed: easily done using firewall rules only allowing address list having those IP addresses in it to get access to WAN2.

If dynamic: tricky. You need some attribute to determine what is what.
Is it e.g. an option to have those computers and 2 phones always getting the same IP address?
You can do it via static DHCP leases based on MAC, no need to set it on the devices themselves. Be sure though those phones don’t use dynamic MAC or you’re lost again (you should be able to toggle that option based on the SSID they connect to).

So it sounds like you want:
a. WAN1 as primary for all devices.
b. WAN2 only available for failover and for a limited number of devices.

The main approach is to give wan1 a lower distance than wan2.

/ip route
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-IP routing-table=main
add distance=4 dst-address=0.0.0.0/0 gateway=ISP2-gateway-IP routing-table=main

Thus if WAN1 goes down the router knows there is an alternative route out WAN2 and if WAN1 comes back up, then all new traffic will be sent out WAN1.
A bit trickier is that we have to limit which devices can actually be sent out WAN2.

The easiest way is
A. Firewall Rules


/ip firewall address-list
# these addresses are made predictable via static DHCP leases
add address=x.x.x.a/32 list=ALLOWED comment=computer1
add address=x.x.x.b/32 list=ALLOWED comment=computer2
add address=x.x.x.c/32 list=ALLOWED comment=computer3
add address=x.x.x.d/32 list=ALLOWED comment=phone1
add address=x.x.x.e/32 list=ALLOWED comment=phone2

/ip firewall filter
# forward chain; place these after the default "accept established,related" rule
# so return traffic for existing connections is not dropped
add action=accept chain=forward in-interface-list=LAN out-interface=ether1 comment="internet for all WAN1"
add action=accept chain=forward in-interface-list=LAN out-interface=ether2 src-address-list=ALLOWED comment="internet for few WAN2"
add action=drop chain=forward comment="Drop all else"

In this solution, traffic for only those on the source address list will be allowed out WAN2.

So the address list will work for known devices, and I can certainly assign static IPs.
What about unknown devices/visitors on Wi-Fi?
Is there another way? Can I allow access to wan1 and wan2 for eth3,4, but eth5,6,7,8 only to wan1 and never wan2?

Sure.
ROS allows you to do plenty of stuff.

You can even go completely wonky and have several SSID with VLAN and assign access based on that VLAN.
Actually, it would be IMHO the most ideal way of handling things…

I am not interested in chasing your wish list.
Either your requirements are as stated

  • all devices use WAN1 as primary
  • only 5 devices use WAN2 as secondary.

Or it’s something else… if you don’t know what you want, I suggest you need to plan first and then rewrite your requirements to be accurate.

a. identify user(s)/device(s) / groups of users/devices and don’t forget admin (and both internal and external users)
b. identify all the traffic they need to execute.

@holvoetn I would agree with you, VLANs are probably the way to go. I just have to figure it out; ROS is not as intuitive as I thought it would be.

You can use routing rules for that:
https://help.mikrotik.com/docs/display/ROS/Policy+Routing
They have an “interface” parameter/property (which should IMHO be called “in-interface”) that can filter by ethernet port.

There are actually two requests here…
a. Unknown devices/visitors on WIFI.
The quick answer is: why do you have unknown devices or visitors on a trusted WLAN?
Provide a separate WLAN with its own SSID and then put them within their own VLAN… solved, VLAN not allowed out WAN2.

b. Delineation by port…
Well, if using VLANs and a bridge, then port separation becomes a challenge.
You have two options: bridge for one subnet and then assign the other LAN subnet to the other ports…

In the examples below, the forward chain firewall rules AGAIN will decide who goes where.

a. VLANs for wlans
/interface vlan
# the VLAN interfaces referenced below have to exist on the bridge
add interface=bridge name=vlan10-Trusted vlan-id=10
add interface=bridge name=vlan20-media vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30

/interface list member
add interface=vlan10-Trusted list=LAN comment="wired and wifi"
add interface=vlan20-media list=LAN comment="devices"
add interface=vlan30-guest list=LAN comment="visitors"

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan1-5G pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan2-2G pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan3-5G pvid=30

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3,ether4,wlan1-5G vlan-id=10
add bridge=bridge tagged=bridge untagged=wlan2-2G vlan-id=20
add bridge=bridge tagged=bridge untagged=wlan3-5G vlan-id=30

/interface bridge
# bridge VLAN table is only enforced once vlan-filtering is on
set bridge vlan-filtering=yes

/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface=ether1 comment="internet for all WAN1"
add action=accept chain=forward in-interface=vlan10-Trusted out-interface=ether2 comment="failover to WAN2 only for vlan10"
add action=drop chain=forward comment="Drop all else"


b. (i) With VLAN and bridge.
/interface vlan
add interface=bridge name=vlan10-Trusted vlan-id=10

/interface list member
add interface=vlan10-Trusted list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3,ether4 vlan-id=10

/interface bridge
set bridge vlan-filtering=yes

/ip address
add address=192.168.10.1/24 interface=vlan10-Trusted network=192.168.10.0
# note: one /24 spread over four separate ports gives overlapping connected routes;
# in practice bridge ether5-ether8 together or give each port its own subnet
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=192.168.88.2/24 interface=ether6 network=192.168.88.0
add address=192.168.88.3/24 interface=ether7 network=192.168.88.0
add address=192.168.88.4/24 interface=ether8 network=192.168.88.0

/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface=ether1 comment="internet for all WAN1"
add action=accept chain=forward in-interface=vlan10-Trusted out-interface=ether2 comment="failover to WAN2 only for vlan"
add action=drop chain=forward comment="Drop all else"

b. (ii) Two separate subnets, no VLANs.

Modify as required…
/ip address
# note: the same /24 on several separate ports overlaps; bridge those ports together
# or give each its own subnet before relying on this
add address=192.168.10.1/24 interface=ether3 network=192.168.10.0
add address=192.168.10.1/24 interface=ether4 network=192.168.10.0
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=192.168.88.2/24 interface=ether6 network=192.168.88.0
add address=192.168.88.3/24 interface=ether7 network=192.168.88.0
add address=192.168.88.4/24 interface=ether8 network=192.168.88.0

/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface=ether1 comment="internet for all WAN1"
add action=accept chain=forward src-address=192.168.10.0/24 out-interface=ether2 comment="failover to WAN2 only for trusted subnet"
add action=drop chain=forward comment="Drop all else"

Thanks for helping.
There are no servers or valuable data on the local network and no security concerns from visitors/unknown devices.
The main goal is to limit low priority devices from using the metered LTE WAN. But if the configuration is too complex, it might be more cost efficient to pay for more bandwidth than to deal with the learning curve, setup and maintenance.

There was nothing complex about the firewall rules on the initial post as a solution, nor actually is anything else complex mentioned above.

Look at it from another angle:
It is complex at first (and nobody should say it isn’t; we all have climbed that hill to learn, some faster than others), but once you grasp the concepts, it goes that much easier next time when you need to change things.
And the flexibility it brings is enormous.

Besides, where’s the fun if you can’t learn something new?
:laughing:

Difference between simple but don’t understand RoS, and complex and don’t understand RoS.
So I concur one has to get comfortable with RoS to some degree to see the difference.
I recommend Slovenian beer LOL.

Is there a way to schedule 8 to 5 Monday through Friday access to the wan2 failover?
I think it will be the easiest way of all, because most of the devices I’m trying to limit on wan2 are not even active during the day.
I also found out that T-Mobile doesn’t charge for overages, but simply throttles speed, so there are no $$$ bill surprises.

So the last entry was interesting, as you are attempting to communicate requirements.

First, that you are trying to limit access to WAN2 for some users/devices???
Assuming T-Mobile is your failover WAN.
It would seem you have a few users/devices that can have access to WAN1 ALL the time, but
should only have access to WAN2 during working hours if WAN1 is not available???

This is a bit more information than your first post, which stated only devices A,B,C should have access to WAN2 during failover.
It would appear you are now stating that besides devices A,B,C you also need to give devices X,Y,Z access to WAN2 during failover, but only M-F 8-5pm, correct???

Yes, instead of limiting access to the failover wan2 per device, I would like to limit the working hours of wan2.

Well, you must be precise, and I could care less about WAN2; I care about user/device traffic needs.
Primary -WAN1
Secondary -WAN2 (failover)

a. access to WAN1 for all (all the time).
b. access to WAN2 all the time for a few devices, when failover occurs
c. access to WAN2 part time (8-5 M-F) for a few devices, when failover occurs
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Being precise weeds out the unknowns, and in this case:
—> What about the devices not identified in b. or c.?

Or more accurately should the definitions be
b. access to wan2 ALL the time for ALL devices/users except those identified in c.
c. access to WAN2 part time (8-5 M-F) for a few devices, when failover occurs

OR should the requirements be expressed as follows:
b. access ONLY to wan2 for a few devices when failover occurs.
c. access ONLY to wan2 for a few devices, 8-5 M-F, when failover occurs
d. all other users/devices do not have any failover options.
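One way to express that last set of requirements (b: a few devices always, c: a few devices only 8-5 Mon-Fri, d: nobody else) in RouterOS firewall filter rules, written here as an added example and not taken from any poster's config; it assumes WAN2 is ether2, the LAN interface list is named LAN, and the list names and addresses are constructed placeholders.

```routeros
# Added example; not any poster's configuration.
# Assumptions: WAN1 = ether1, WAN2 = ether2, interface list "LAN".
# Addresses are constructed placeholders, pinned with static DHCP leases.
/ip firewall address-list
add address=192.168.88.10 list=WAN2-ALWAYS comment="computer1"
add address=192.168.88.11 list=WAN2-ALWAYS comment="phone1"
add address=192.168.88.30 list=WAN2-WORKHOURS comment="office PC, weekdays only"

/ip firewall filter
# Forward chain. Put these AFTER the default "accept established,related"
# rule, or return traffic for existing connections gets dropped.
add chain=forward action=accept in-interface-list=LAN out-interface=ether1 \
    comment="WAN1 for everyone"
add chain=forward action=accept in-interface-list=LAN out-interface=ether2 \
    src-address-list=WAN2-ALWAYS comment="WAN2 failover, any time (b)"
add chain=forward action=accept in-interface-list=LAN out-interface=ether2 \
    src-address-list=WAN2-WORKHOURS time=8h-17h,mon,tue,wed,thu,fri \
    comment="WAN2 failover, Mon-Fri 08:00-17:00 router clock (c)"
# Narrow drop: only blocks LAN -> WAN2, so existing port forwards on WAN1
# keep working. Everything not listed above never leaves via ether2 (d).
add chain=forward action=drop in-interface-list=LAN out-interface=ether2 \
    comment="no WAN2 for anyone else"
```

The time matcher is evaluated against the router's own clock, so confirm /system clock (time zone) and NTP are set before trusting the 8-5 window.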