DualWAN, mangle rules and WireGuard

I have a router with working active DualWAN + mangle rules + check-gateway failover. WireGuard is working on the ISP which leads to my main routing table, but not with the reserve one. I think it's something with my marking and routing mangle rules, but they are working on everything except WireGuard.
I get the error: Handshake for peer did not complete after 5 seconds, retrying (try 2)

/ip firewall mangle
add action=mark-connection chain=prerouting comment=DCTEL-PREROUTING-MARK \
    in-interface=ether2-vib-DCTel new-connection-mark=DCTEL-conn passthrough=\
    yes
add action=mark-routing chain=prerouting comment=DCTEL-PREROUTING-ROUTE \
    connection-mark=DCTEL-conn in-interface=!ether2-vib-DCTel \
    new-routing-mark=DCTel passthrough=yes
add action=mark-routing chain=output comment=DCTEL-OUT-IP-ROUTE \
    new-routing-mark=DCTel passthrough=yes src-address=IPISP1
add action=mark-routing chain=output comment=DCTEL-OUT-ROUTE connection-mark=\
    DCTEL-conn new-routing-mark=DCTel passthrough=yes
add action=mark-connection chain=prerouting comment=INFOCOM-PREROUTING-MARK \
    in-interface=ether1-vib-Infocom new-connection-mark=INFOCOM-conn \
    passthrough=yes
add action=mark-routing chain=prerouting comment=INFOCOM-PREROUTING-ROUTE \
    connection-mark=INFOCOM-conn in-interface=!ether1-vib-Infocom \
    new-routing-mark=Infocom passthrough=yes
add action=mark-routing chain=output comment=INFOCOM-OUT-IP-ROUTE \
    new-routing-mark=Infocom passthrough=yes src-address=IPISP2
add action=mark-routing chain=output comment=INFOCOM-OUT-ROUTE \
    connection-mark=INFOCOM-conn new-routing-mark=Infocom passthrough=yes
add action=mark-connection chain=forward comment=DCTEL-FORWARD disabled=yes \
    in-interface=ether2-vib-DCTel new-connection-mark=DCTEL-conn-f \
    passthrough=no
add action=mark-connection chain=forward comment=INFOCOM-FORWARD disabled=yes \
    in-interface=ether1-vib-Infocom new-connection-mark=INFOCOM-conn-f \
    passthrough=no
add action=mark-routing chain=prerouting comment=MAIL-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface=!ether2-vib-DCTel new-routing-mark=DCTel \
    passthrough=yes src-address=192.168.1.11
add action=mark-routing chain=prerouting comment=WEB-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface=!ether2-vib-DCTel new-routing-mark=DCTel \
    passthrough=yes src-address=192.168.1.10

Full config required, minus the router serial number, any public WAN IP information, keys, etc.
Also a network diagram will help in many ways.

Not sure where the WG server is, and are you talking about road warriors coming into the MT… lacking context.

Thank you, your answer in another thread helped me. I've added a routing rule with src-address ISP2 WAN IP and lookup only in the ISP2 routing table, and everything worked just fine. One thing I don't understand: this rule

add action=mark-routing chain=output comment=INFOCOM-OUT-IP-ROUTE \
    new-routing-mark=Infocom passthrough=yes src-address=IPISP2

must do the same as the routing rule, but it is not working. Why?

No idea what you have done… so cannot guess.
Partial config, etc.
Plus no idea why you are mangling… PCC??

/interface bridge
add admin-mac=6C:3B:6B:DD:95:1F arp=proxy-arp auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1 name=ether1-ISP1
set [ find default-name=ether2 ] comment=ISP2 name=ether2-test-ISP2
set [ find default-name=ether3 ] arp=proxy-arp comment=Lan name=\
    ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
/interface wireguard
add listen-port=49005 mtu=1420 name=wireguard-user1
/disk
set sd1 type=hardware
add parent=sd1 partition-number=1 partition-offset=66048 partition-size=\
    1000275456 slot=Cash type=partition
/interface list
add name=mactel
add name=mac-winbox
add name=VPN
add name=TUNNELS
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=Router
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.251.1 name=sstp remote-address=vpn_pool
/queue simple
add max-limit=2M/2M name=192.168.1.52 target=192.168.1.52/32
add dst=192.168.11.30/32 max-limit=2M/2M name=192.168.1.108 target=\
    192.168.1.108/32
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2 router-id=10.255.255.1
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=ISP2
add fib name=ISP1
/snmp community
set [ find default=yes ] addresses=192.168.0.0/16
/system logging action
set 0 disk-lines-per-file=2000 target=disk
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether4-slave-local
add bridge=bridge1 ingress-filtering=no interface=ether5-slave-local
add bridge=bridge1 interface=ether3-slave-local
/ip firewall connection tracking
set loose-tcp-tracking=no
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set authentication=mschap2 default-profile=*6 max-mru=1400 max-mtu=1400
/interface list member
add interface=ether2-test-ISP2 list=WAN
add interface=ether1-ISP1 list=WAN
add interface=ether3-slave-local list=LAN
add interface=ether4-slave-local list=LAN
add interface=ether5-slave-local list=LAN
add interface=bridge1 list=LAN
add interface=wireguard-user1 list=LAN
/interface ovpn-server server
set auth=sha1,md5 certificate=*7 mode=ethernet require-client-certificate=yes
/interface pppoe-server server
add disabled=no interface=ether1-ISP1 keepalive-timeout=disabled \
    max-mru=1480 max-mtu=1480 service-name=service1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set max-mru=1460 max-mtu=1460
/interface sstp-server server
set authentication=mschap2 certificate=corp.zp.ua2023 enabled=yes port=49002
/interface wireguard peers
add allowed-address=192.168.254.2/32,192.168.90.0/24 interface=\
    wireguard-user1 public-key=\
    "**************************************"
/ip address
add address=192.168.1.254/24 comment="default configuration" interface=\
    bridge1 network=192.168.1.0
add address=ISP1WANIP/30 interface=ether1-ISP1 network=GW1
add address=ISP2WANIP/30 interface=ether2-test-ISP2 network=GW2
add address=10.255.255.1 interface=loopback network=10.255.255.1
add address=192.168.254.1/24 interface=wireguard-user1 network=\
    192.168.254.0
add address=ISP2WANIP name=router
add address=192.168.1.254 name=corp-test.corp.local
/ip firewall filter
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward dst-address=192.168.0.0/16 src-address=\
    192.168.0.0/16
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input in-interface-list=WAN protocol=icmp
add action=accept chain=input dst-port=500,4500,1701 in-interface-list=WAN \
    log-prefix=VPN protocol=udp
add action=accept chain=input dst-port=49005 in-interface-list=WAN protocol=\
    udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp src-address=192.168.0.0/16
add action=accept chain=input dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=49002 in-interface-list=WAN protocol=\
    tcp
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=12h chain=input comment="telnet brute" dst-port=23 \
    log-prefix=" --- Telnet ATTEMPT --- " protocol=tcp
add action=add-src-to-address-list address-list="dns flood" \
    address-list-timeout=12h chain=input comment="dns flood" dst-port=53 \
    log-prefix=---DNS_FLOOD protocol=udp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="port scan" log-prefix=\
    --Scan_Ports protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=12h chain=input comment="ssh brute" dst-port=22 \
    log-prefix="---SSH ATTEMPT__" protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="ssh brute drop" protocol=tcp \
    src-address-list=ssh_blacklist
add action=drop chain=input comment="telnet brute drop" protocol=tcp \
    src-address-list=telnet_blacklist
add action=drop chain=input comment="dns flood drop" dst-port=53 protocol=udp \
    src-address-list="dns flood"
add action=drop chain=input comment="port scan drop" src-address-list=\
    "port scanners"
add action=drop chain=input comment=blacklist src-address-list=blacklist
add action=drop chain=input connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment=MAIL-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no src-address=192.168.1.11
add action=mark-routing chain=prerouting comment=WEB-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no src-address=192.168.1.10
add action=mark-routing chain=prerouting comment=VODAFONE-PREROTING \
    dst-address=*********** in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no
add action=mark-connection chain=prerouting comment=ISP2-PREROUTING-MARK \
    in-interface=ether2-test-ISP2 new-connection-mark=ISP2-conn passthrough=\
    yes
add action=mark-connection chain=prerouting comment=ISP1-PREROUTING-MARK \
    in-interface=ether1-ISP1 new-connection-mark=ISP1-conn \
    passthrough=yes
add action=mark-routing chain=prerouting comment=ISP2-PREROUTING-ROUTE \
    connection-mark=ISP2-conn in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no
add action=mark-routing chain=prerouting comment=ISP1-PREROUTING-ROUTE \
    connection-mark=ISP1-conn in-interface-list=!WAN new-routing-mark=\
    ISP1 passthrough=no
add action=mark-routing chain=output comment=ISP2-OUT-IP-ROUTE \
    new-routing-mark=ISP2 passthrough=no src-address=ISP2WANIP
add action=mark-routing chain=output comment=ISP1-OUT-IP-ROUTE \
    new-routing-mark=ISP1 passthrough=no src-address=ISP1WANIP
add action=mark-connection chain=output comment=VODAFONE-OUT-UDP \
    connection-mark=no-mark dst-address=********** dst-port=500,4500 \
    new-connection-mark=ipsec1 passthrough=yes protocol=udp
add action=mark-connection chain=output comment=VODAFONE-OUT-IPSEC \
    connection-mark=no-mark dst-address=*********** new-connection-mark=\
    ipsec1 passthrough=yes protocol=ipsec-esp
add action=mark-routing chain=output comment=VODAFONE-OUT-ROUTE \
    connection-mark=ipsec1 new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=output comment=ISP2-OUT-ROUTE connection-mark=\
    ISP2-conn new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=output comment=ISP1-OUT-ROUTE \
    connection-mark=ISP1-conn new-routing-mark=ISP1 passthrough=no
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 out-interface-list=\
    WAN src-address=192.168.0.0/16
add action=src-nat chain=srcnat comment="SRCNAT ISP2 MARK" routing-mark=\
    ISP2 src-address=192.168.1.0/24 to-addresses=ISP2WANIP
add action=src-nat chain=srcnat comment="SRCNAT ISP1 MARK" routing-mark=\
    ISP1 src-address=192.168.1.0/24 to-addresses=ISP1WANIP
add action=src-nat chain=srcnat comment="SRCNAT VODAFONE" dst-address=\
    ************** out-interface=ether2-test-ISP2 src-address=192.168.1.0/24 \
    to-addresses=**************
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.1.0/24
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    GW1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add disabled=no distance=1 dst-address=192.168.90.0/24 gateway=\
    wireguard-user1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="ISP2 Mark" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=GW2 pref-src=0.0.0.0 \
    routing-table=ISP2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=bridge1 \
    pref-src=192.168.1.254 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.6.0/24 gateway=bridge1 \
    pref-src=192.168.1.254 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.8.0/24 gateway=bridge1 \
    pref-src=192.168.1.254 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=bridge1 \
    pref-src=192.168.1.254 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.11.0/24 gateway=bridge1 \
    pref-src=192.168.1.254 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.15.0/24 gateway=gunchak_sstp pref-src=\
    192.168.1.254
add check-gateway=ping comment="ISP1 Mark" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=GW1 pref-src=0.0.0.0 \
    routing-table=ISP1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    GW2 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp disabled=yes
set www port=5555
set ssh address=192.168.1.0/24 disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set cache-entries=4k enabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/routing rule
add action=lookup-only-in-table disabled=no src-address=ISP2WANIP/32 \
    table=ISP2
/system leds
add interface=ether1-ISP1 leds=user-led type=interface-activity
/system logging
add disabled=yes topics=debug
add topics=wireguard
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.1.2
add address=62.149.0.30
/system resource irq rps
set ether1-ISP1 disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
set ether2-test-ISP2 disabled=no
/system watchdog
set ping-start-after-boot=4m
/tool graphing interface
add allow-address=192.168.1.0/24
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel

WireGuard: the MikroTik server is this router, and a MikroTik router is the client/initiator.

Your mangling is so weird,
what is the purpose of your mangle rules…
the first few have nothing to do with PCC.

Mark all traffic from dual WAN and send it out through specific WAN IPs. The Vodafone rules are for the Vodafone SMTP gateway; they are working fine. The first rules are policy-based forward rules for specific hosts to always use the reserve ISP.

If you are not doing PCC and simply need to ensure that what comes in wanX goes out wanX, then the format is straightforward.

# connection mark the traffic
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface=ether1 \
    passthrough=yes new-connection-mark=fromISP1
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface=ether2 \
    passthrough=yes new-connection-mark=fromISP2

# route mark the traffic on the way out
add chain=output action=mark-routing connection-mark=fromISP1 passthrough=no \
    new-routing-mark=ISP1
add chain=output action=mark-routing connection-mark=fromISP2 passthrough=no \
    new-routing-mark=ISP2

You have that as seen below, but I don't see any effort to PCC traffic, so what are the rest of the mangle rules for???

In other words these rules?? Detail what each one is supposed to accomplish??
/ip firewall mangle
add action=mark-routing chain=prerouting comment=MAIL-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no src-address=192.168.1.11
add action=mark-routing chain=prerouting comment=WEB-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no src-address=192.168.1.10
add action=mark-routing chain=prerouting comment=VODAFONE-PREROTING \
    dst-address=********* in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no
add action=mark-routing chain=prerouting comment=ISP2-PREROUTING-ROUTE \
    connection-mark=ISP2-conn in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no
add action=mark-routing chain=prerouting comment=ISP1-PREROUTING-ROUTE \
    connection-mark=ISP1-conn in-interface-list=!WAN new-routing-mark=\
    ISP1 passthrough=no
add action=mark-routing chain=output comment=ISP2-OUT-IP-ROUTE \
    new-routing-mark=ISP2 passthrough=no src-address=ISP2WANIP
add action=mark-routing chain=output comment=ISP1-OUT-IP-ROUTE \
    new-routing-mark=ISP1 passthrough=no src-address=ISP1WANIP
add action=mark-connection chain=output comment=VODAFONE-OUT-UDP \
    connection-mark=no-mark dst-address=********** dst-port=500,4500 \
    new-connection-mark=ipsec1 passthrough=yes protocol=udp
add action=mark-connection chain=output comment=VODAFONE-OUT-IPSEC \
    connection-mark=no-mark dst-address=*********** new-connection-mark=\
    ipsec1 passthrough=yes protocol=ipsec-esp
add action=mark-routing chain=output comment=VODAFONE-OUT-ROUTE \
    connection-mark=ipsec1 new-routing-mark=ISP2 passthrough=no

These rules below are good.
# traffic in WanX goes out WanX part 2
add action=mark-connection chain=prerouting comment=ISP2-PREROUTING-MARK \
    in-interface=ether2-test-ISP2 new-connection-mark=ISP2-conn \
    passthrough=yes
add action=mark-connection chain=prerouting comment=ISP1-PREROUTING-MARK \
    in-interface=ether1-ISP1 new-connection-mark=ISP1-conn \
    passthrough=yes

# traffic in WanX goes out WANx part 2
add action=mark-routing chain=output comment=ISP2-OUT-ROUTE connection-mark=\
    ISP2-conn new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=output comment=ISP1-OUT-ROUTE \
    connection-mark=ISP1-conn new-routing-mark=ISP1 passthrough=no

Also NO CLUE what you are doing for both the source NAT rules and dst-nat rules??? No such thing as action=accept, for example.
None of these make any sense… what is their purpose??
All you should need is basically:

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 out-interface-list=\
    WAN src-address=192.168.0.0/16
add action=src-nat chain=srcnat comment="SRCNAT ISP2 MARK" routing-mark=\
    ISP2 src-address=192.168.1.0/24 to-addresses=ISP2WANIP
add action=src-nat chain=srcnat comment="SRCNAT ISP1 MARK" routing-mark=\
    ISP1 src-address=192.168.1.0/24 to-addresses=ISP1WANIP
add action=src-nat chain=srcnat comment="SRCNAT VODAFONE" dst-address=\
    ************** out-interface=ether2-test-ISP2 src-address=192.168.1.0/24 \
    to-addresses=**************
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.1.0/24

How does anything really work on your config? It looks like a hodgepodge of copying from different places…
The firewall rules should all be scrapped and replaced with the defaults, with some minor tweaking.

This can be simplified to
/interface list member
add interface=ether2-test-ISP2 list=WAN
add interface=ether1-ISP1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard-user1 list=LAN
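As an added example (not from this thread and not MikroTik's own tooling): a small Python linter, run off-box, that reads the kind of `/export` text posted above, handles the `\` line continuations, and reports mark-routing rules that match a connection mark no enabled mark-connection rule sets, or that assign a routing mark with no `/routing table` behind it. The sample export and the 203.0.113.2 WAN address are constructed for the demonstration.

```python
import shlex
from collections import defaultdict

def join_continuations(text):
    """Join '\\'-continued /export lines; RouterOS inserts no space at the join."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines

def parse_export(text):
    """Map each menu path ('/ip firewall mangle', ...) to its 'add' commands as dicts."""
    menus, menu = defaultdict(list), None
    for line in join_continuations(text):
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)          # keeps quoted values such as comment="a b"
        if menu and tokens and tokens[0] == "add":
            menus[menu].append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return menus

def lint_marks(menus):
    """Flag enabled mangle rules that match a connection-mark nothing sets, or
    assign a routing mark that has no /routing table behind it."""
    mangle = [r for r in menus["/ip firewall mangle"] if r.get("disabled") != "yes"]
    tables = {r.get("name") for r in menus["/routing table"]}
    conn_marks_set = {r.get("new-connection-mark") for r in mangle
                      if r.get("action") == "mark-connection"}
    problems = []
    for r in mangle:
        tag = r.get("comment", "<no comment>")
        cm = r.get("connection-mark", "").lstrip("!")   # "!X" matches anything but X
        if cm and cm != "no-mark" and cm not in conn_marks_set:
            problems.append(f"{tag}: matches connection-mark={cm}, which no "
                            "enabled mark-connection rule ever sets")
        rm = r.get("new-routing-mark")
        if rm and rm not in tables:
            problems.append(f"{tag}: new-routing-mark={rm} has no "
                            "'/routing table add fib name=' entry")
    return problems

# Constructed sample modelled on the export posted in this thread (203.0.113.2
# is a placeholder WAN address); ISP1-conn and DCTel are deliberately dangling.
SAMPLE = r"""/routing table
add fib name=ISP2
add fib name=ISP1
/ip firewall mangle
add action=mark-connection chain=prerouting comment=ISP2-PREROUTING-MARK \
    in-interface=ether2-test-ISP2 new-connection-mark=ISP2-conn passthrough=yes
add action=mark-routing chain=prerouting comment=ISP2-PREROUTING-ROUTE \
    connection-mark=ISP2-conn in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no
add action=mark-routing chain=prerouting comment=ISP1-PREROUTING-ROUTE \
    connection-mark=ISP1-conn in-interface-list=!WAN new-routing-mark=\
    ISP1 passthrough=no
add action=mark-routing chain=output comment=DCTEL-OUT-IP-ROUTE \
    new-routing-mark=DCTel passthrough=yes src-address=203.0.113.2
"""

if __name__ == "__main__":
    print("\n".join(lint_marks(parse_export(SAMPLE))))
```

Running it against a real export before enabling failover shows the dangling references that otherwise only surface as traffic silently falling back to the main table.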

# This rule is for forwarding specific hosts to the reserve ISP
add action=mark-routing chain=prerouting comment=MAIL-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no src-address=192.168.1.11
# This rule is for forwarding specific hosts to the reserve ISP
add action=mark-routing chain=prerouting comment=WEB-PREROUTING dst-address=\
    !192.168.0.0/16 in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no src-address=192.168.1.10
add action=mark-routing chain=prerouting comment=VODAFONE-PREROTING \
    dst-address=*********** in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no
# This rule is for routing forwarded traffic
add action=mark-routing chain=prerouting comment=ISP2-PREROUTING-ROUTE \
    connection-mark=ISP2-conn in-interface-list=!WAN new-routing-mark=ISP2 \
    passthrough=no
# This rule is for routing forwarded traffic
add action=mark-routing chain=prerouting comment=ISP1-PREROUTING-ROUTE \
    connection-mark=ISP1-conn in-interface-list=!WAN new-routing-mark=\
    ISP1 passthrough=no
# This rule is for routing local traffic not marked by the postrouting chain
add action=mark-routing chain=output comment=ISP2-OUT-IP-ROUTE \
    new-routing-mark=ISP2 passthrough=no src-address=ISP2WANIP
# This rule is for routing local traffic not marked by the postrouting chain
add action=mark-routing chain=output comment=ISP1-OUT-IP-ROUTE \
    new-routing-mark=ISP1 passthrough=no src-address=ISP1WANIP
add action=mark-connection chain=output comment=VODAFONE-OUT-UDP \
    connection-mark=no-mark dst-address=********** dst-port=500,4500 \
    new-connection-mark=ipsec1 passthrough=yes protocol=udp
add action=mark-connection chain=output comment=VODAFONE-OUT-IPSEC \
    connection-mark=no-mark dst-address=*********** new-connection-mark=\
    ipsec1 passthrough=yes protocol=ipsec-esp
add action=mark-routing chain=output comment=VODAFONE-OUT-ROUTE \
    connection-mark=ipsec1 new-routing-mark=ISP2 passthrough=no

All the Vodafone rules are for a very complex IPsec connection through the reserve ISP to the SMPP gateway.

It's the main branch production router)). Trying to clean it up, but it's very difficult work)

Ahh okay…

Too messy AND complex for me to work through anyway. Good luck!