Hi all!! I would like to know if someone can help me here. I have set up a network (RB750GL) with 2 ISPs doing load balancing, a DHCP server, I'm using OpenDNS, and I also have a domain controller. But I don't know why I can't join a computer to the domain without removing the gateway (MikroTik) from the PC. I would like to know how I can set up this network so I can keep using the internet without any issue but allow the local network to resolve the domain controller's DNS.
Any help will be appreciated!
/command Use command at the base level
[admin@MikroTik] > export
# aug/12/2016 17:15:54 by RouterOS 6.28
# software id = 7WSX-N3V1
#
# Physical port roles: ether1/ether2 are the two uplinks, ether3 is the LAN
# master and ether4/ether5 are switched into it via master-port, so ports
# 3-5 all sit behind the single LAN interface addressed in /ip address.
/interface ethernet
set [ find default-name=ether1 ] comment="OSNET - Port 1" name=ISP1
set [ find default-name=ether2 ] comment="Liberty - Port 2" name=ISP2
set [ find default-name=ether3 ] comment="LAN PORTS 3-5" name=LAN
set [ find default-name=ether4 ] master-port=LAN
set [ find default-name=ether5 ] master-port=LAN
# PPTP remote-access server (enabled further down). PPTP's MS-CHAPv2/MPPE
# is considered weak today; the usual mitigation is a stronger VPN type, or
# at least limiting who can reach tcp/1723 and GRE on the uplinks -- nothing
# in /ip firewall filter restricts them.
/interface pptp-server
add name=pptp-in1 user=automation
# Only comments are set here; no discover=no appears on the ISP ports, so
# neighbor (MNDP) announcements look to be still on for the uplinks --
# confirm, and consider discover=no on ISP1/ISP2.
/ip neighbor discovery
set ISP1 comment="OSNET - Port 1"
set ISP2 comment="Liberty - Port 2"
set LAN comment="LAN PORTS 3-5"
/ip pool
# Only dhcp_pool2 (dhcp1 below) and DHCPPOOL_VPN (the ppp profile) are
# referenced anywhere in this export. dhcp_pool1 overlaps dhcp_pool2 and
# dhcp_pool3 is a single address outside the LAN, so both look like
# leftovers -- verify before removing.
add name=dhcp_pool1 ranges=192.168.3.16-192.168.3.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool3 ranges=192.254.98.126
# Whole /24 handed to VPN peers. /ip route sends 192.168.88.0/24 via
# 192.168.4.254, which only works if the automation peer always receives
# .254 from this pool -- presumably pinned elsewhere; verify.
add name=DHCPPOOL_VPN ranges=192.168.4.0/24
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=LAN lease-time=3d name=dhcp1
/ppp profile
# VPN clients see the LAN router address as their peer and draw an address
# from DHCPPOOL_VPN; the srcnat "VPN" rule masquerades that range.
set 1 local-address=192.168.3.1 remote-address=DHCPPOOL_VPN
/ip firewall connection tracking
set enabled=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.3.1/24 comment=Lan interface=LAN network=192.168.3.0
# Static /30 uplink addresses. The "**"/"*" octets are the poster's
# redaction, not RouterOS syntax.
add address=**.**.**.**/30 comment="OSNET Static" interface=ISP1 network=\
*.*.*.124
add address=**.**.**.**/30 comment="LIBERTY Static" interface=ISP2 network=\
*.*.*.224
/ip arp
# Static ARP pins for LAN servers. They duplicate the static DHCP leases in
# /ip dhcp-server lease, so a NIC/MAC change has to be updated in both
# places or the host silently loses connectivity. The entry commented DC
# (192.168.3.11) is the domain controller the question is about.
add address=192.168.3.2 comment=ESXi interface=LAN mac-address=\
34:40:B5:93:B4:5C
add address=192.168.3.3 comment="Pano Manager" interface=LAN mac-address=\
00:0C:29:2E:1B:CC
add address=192.168.3.4 comment=AVG interface=LAN mac-address=00:0C:29:59:DB:D7
add address=192.168.3.5 comment=Ponchador interface=LAN mac-address=\
44:C2:33:02:AA:93
add address=192.168.3.6 comment=Printer interface=LAN mac-address=\
00:80:91:4E:04:77
add address=192.168.3.7 comment=Ruckus interface=LAN mac-address=\
C0:8A:DE:21:7D:40
add address=192.168.3.8 comment=DVR interface=LAN mac-address=00:11:14:0D:6E:83
add address=192.168.3.9 comment="Prophet21 - old server" interface=LAN \
mac-address=00:09:6B:BE:8A:50
add address=192.168.3.10 comment=SMTP interface=LAN mac-address=\
00:08:74:CC:D8:F5
add address=192.168.3.11 comment=DC interface=LAN mac-address=00:0C:29:50:F0:B0
/ip cloud
# Publishes the router's public address under a MikroTik DDNS name.
set ddns-enabled=yes
/ip dhcp-client
# add-default-route is left at its default (yes), so whenever this client
# holds a lease it installs a default route with distance 0 on ISP2. That
# beats the static defaults in /ip route (distance 1 via ISP1, 2 via ISP2)
# and inverts the intended failover order. ISP2 already has a static /30
# in /ip address, so either this client is a leftover or it needs a higher
# default-route-distance -- confirm which.
add default-route-distance=0 dhcp-options=hostname,clientid interface=ISP2
/ip dhcp-server lease
# Static reservations (address pinned to MAC / client-id). use-src-mac=yes
# matches on the frame's source MAC rather than the DHCP chaddr field.
# Note: the dstnat targets 192.168.3.100, .253 and .254 have no reservation
# here and lie inside dhcp_pool2 (.2-.254), so those forwards can end up
# pointing at whichever client happens to get the address.
add address=192.168.3.6 comment=Printer mac-address=00:80:91:4E:04:77 server=\
dhcp1 use-src-mac=yes
add address=192.168.3.2 comment=ESXi mac-address=34:40:B5:93:B4:5C server=dhcp1 \
use-src-mac=yes
add address=192.168.3.11 comment=DC mac-address=00:0C:29:50:F0:B0 server=dhcp1 \
use-src-mac=yes
add address=192.168.3.10 comment=SMTP mac-address=00:08:74:CC:D8:F5 server=\
dhcp1 use-src-mac=yes
add address=192.168.3.8 comment=DVR mac-address=00:11:14:0D:6E:83 server=dhcp1 \
use-src-mac=yes
add address=192.168.3.9 comment="Prophet 21 - old" mac-address=\
00:09:6B:BE:8A:50 server=dhcp1 use-src-mac=yes
add address=192.168.3.5 comment=Ponchador mac-address=44:C2:33:02:AA:93 server=\
dhcp1 use-src-mac=yes
add address=192.168.3.3 comment="Pano Manager" mac-address=00:0C:29:2E:1B:CC \
server=dhcp1 use-src-mac=yes
add address=192.168.3.4 comment=AVG mac-address=00:0C:29:59:DB:D7 server=dhcp1 \
use-src-mac=yes
add address=192.168.3.7 comment=Ruckus mac-address=C0:8A:DE:21:7D:40 server=\
dhcp1 use-src-mac=yes
add address=192.168.3.39 client-id=1:0:27:22:8e:7c:7 comment="HTP-AP - A" \
mac-address=00:27:22:8E:7C:07 server=dhcp1
add address=192.168.3.47 client-id=1:0:27:22:8e:7e:5f comment="HTP-AP - B" \
mac-address=00:27:22:8E:7E:5F server=dhcp1
add address=192.168.3.48 client-id=1:f8:a9:63:80:68:ad comment="Sammy's Laptop" \
mac-address=F8:A9:63:80:68:AD server=dhcp1
add address=192.168.3.52 client-id=1:0:c:29:cb:37:a2 comment=\
"Spiceworks Server" mac-address=00:0C:29:CB:37:A2 server=dhcp1
add address=192.168.3.12 always-broadcast=yes client-id=1:44:a8:42:11:cb:37 \
comment="New Prophet 21 server" mac-address=44:A8:42:11:CB:37 server=dhcp1
add address=192.168.3.13 client-id=1:70:e2:84:13:17:69 comment="ESXi New" \
mac-address=70:E2:84:13:17:69 server=dhcp1
/ip dhcp-server network
# Most likely cause of the domain-join failure: clients are told to use the
# router (192.168.3.1) for DNS, and the router only forwards to OpenDNS, so
# the Active Directory SRV/A records for the domain never resolve. Hand out
# the DC instead -- the /ip arp entry commented DC is 192.168.3.11, i.e.
# dns-server=192.168.3.11 -- and let the DC forward external names to
# OpenDNS. Assumes the DC runs AD-integrated DNS; confirm. Keeping the
# router as a second entry is not a safe fallback: a client that flips to
# it still cannot resolve the domain.
# dhcp-option=*FFFFFFFF looks like a dangling reference to a deleted
# /ip dhcp-server option entry -- verify and clean up.
add address=192.168.3.0/24 dhcp-option=*FFFFFFFF dns-server=192.168.3.1 \
gateway=192.168.3.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anything
# that can reach udp/53 on it. The input chain in /ip firewall filter
# accepts all UDP on every interface and never ends in a drop, so this is
# reachable from both uplinks (open resolver); restrict it to the LAN with
# an in-interface match. max-udp-packet-size=512 forces TCP fallback for
# any answer over 512 bytes -- presumably deliberate; verify.
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
servers=208.67.222.222,208.67.220.220
/ip firewall filter
# First match wins, and a rule without action= is an accept. No rule ends
# the input chain with a drop, so every router service not covered by an
# explicit drop below remains reachable from both uplinks (/ip service is
# not in this export, so which services listen cannot be told from here).
# There is also no forward-chain rule limiting inbound routed traffic to
# dst-nat'ed connections; the usual safeguard is a drop for
# in-interface=ISP1/ISP2 with connection-nat-state=!dstnat.
add action=drop chain=input comment="Telnet log in... warning" log=yes \
src-address=12.205.69.2
add action=drop chain=output comment="Telnet log in... warning out" \
dst-address=12.205.69.2 log=yes
# FTP brute-force handling: the output-chain pair accepts up to one
# "530 Login incorrect" reply per minute per destination (burst 9) and puts
# destinations that exceed it on ftp_blacklist for 3h; the input rule then
# drops their port-21 traffic.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m \
protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
# SSH staging: each new tcp/22 connection walks stage1 -> stage2 -> stage3
# (1m windows) and the fourth lands on ssh_blacklist for 4w2d. No
# in-interface is set, so LAN hosts can be listed too; the forward rule
# also blocks listed sources from reaching LAN SSH servers.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=4w2d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# Telnet: same staging as SSH. Telnet is cleartext; if it is not needed the
# cleaner fix is disabling it in /ip service rather than rate-limiting it.
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
address-list-timeout=4w2d chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp
add action=drop chain=forward comment="drop telnet brute downstream" dst-port=\
23 protocol=tcp src-address-list=telnet_blacklist
# Catch-all accepts (no action= -> accept). protocol=udp accepts every UDP
# datagram addressed to the router from any interface, which is what makes
# the /ip dns resolver reachable from the internet -- add in-interface=LAN
# here, or drop udp/53 from the uplinks above it. connection-state=invalid
# is accepted rather than dropped, the reverse of the usual pattern;
# presumably unintended.
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input protocol=udp
add chain=input connection-state=invalid
/ip firewall mangle
# LAN traffic aimed at either uplink /30 is accepted here (no action= means
# accept, which ends mangle processing), so it is never connection- or
# routing-marked. The LAN -> LAN variant is disabled.
add chain=prerouting dst-address=**.**.**.124/30 in-interface=LAN
add chain=prerouting dst-address=**.**.**.224/30 in-interface=LAN
add chain=prerouting disabled=yes dst-address=192.168.3.0/24 in-interface=LAN
# Pins all tcp/443 to the "SSL traffic" route (Liberty). Unlike the
# "mail ip" rule it keeps the default passthrough=yes, so the PCC
# mark-routing rules at the end of this chain re-mark the same packets
# to_ISP1/to_ISP2 and this mark appears to be overwritten for LAN traffic.
# Add passthrough=no if the bypass is meant to work. The "need to add
# route" comments are stale: the routing-mark routes exist in /ip route.
add action=mark-routing chain=prerouting comment=\
"SSL Traffic - need to add route" dst-port=443 new-routing-mark=\
"SSL traffic" protocol=tcp
add action=mark-routing chain=prerouting comment=\
"web mail ip - need to add route" dst-address=**.**.**.235 \
new-routing-mark="mail ip" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment=\
"Hi-tech HTTP ip - need to add route" disabled=yes dst-address=\
**.**.**.221 new-routing-mark="Hi-Tech HTTP Liberty DHCP" passthrough=no \
protocol=tcp
# Inbound connections arriving on an uplink are tagged so their replies
# leave through the same ISP.
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ISP2 new-connection-mark=ISP2_conn
# PCC load balancing of new LAN connections. With both-addresses-and-ports:2/N
# the remainder can only be 0 or 1, so the "2/2 liberty" rule can never
# match and is dead. Either remove it, or use denominator 3 on all three
# rules (3/0, 3/1, 3/2) if a 2:1 split toward Liberty is the intent.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN new-connection-mark=ISP1_conn \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN new-connection-mark=ISP2_conn \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting comment="2/2 liberty" \
connection-mark=no-mark dst-address-type=!local in-interface=LAN \
new-connection-mark=ISP2_conn per-connection-classifier=\
both-addresses-and-ports:2/2
# Connection mark -> routing mark, for LAN-originated and router-originated
# packets respectively.
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=LAN new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
in-interface=LAN new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=masquerade chain=srcnat comment=local disabled=yes log=yes \
out-interface=LAN
# VPN peers are NATed behind the router for everything except the VPN
# range itself.
add action=masquerade chain=srcnat comment=VPN dst-address=!192.168.4.0/24 \
src-address=192.168.4.0/24
# Port forwards. None of these dstnat rules has in-interface= or
# dst-address=, so they match on destination port alone: a LAN host
# connecting to any internet host on tcp/81, 82, 83, 84, 195, 197, 902,
# 1390, 1600, 3443, 8080 or 9443 is redirected to the internal target
# instead of reaching the real destination. Add in-interface=ISP1 /
# in-interface=ISP2 (one rule per uplink) or dst-address=<uplink address>
# to each rule.
# Exposure: this publishes hypervisor management (vCenter, vSphere console
# and web client), RDP to the Prophet 21 server, AP/printer/DVR admin pages
# and Spiceworks on both uplinks with no src-address restriction. The usual
# mitigation is to reach these over the VPN instead, or to add
# src-address / src-address-list for the known remote sites. Note
# 192.168.3.100, .253 and .254 have no static lease and sit inside
# dhcp_pool2, so these targets are not guaranteed to stay the same host.
add action=dst-nat chain=dstnat comment=Safe@Ffice disabled=yes dst-port=981 \
protocol=tcp to-addresses=192.168.3.253 to-ports=981
add action=dst-nat chain=dstnat comment="ESXi vCenter" dst-port=197 protocol=\
tcp to-addresses=192.168.3.254 to-ports=443
add action=dst-nat chain=dstnat comment="ESXi vSphere Console" dst-port=902 \
protocol=tcp to-addresses=192.168.3.254 to-ports=902
add action=dst-nat chain=dstnat comment="ESXi vCenter vSpher web client" \
dst-port=9443 log=yes protocol=tcp to-addresses=192.168.3.254 to-ports=9443
add action=dst-nat chain=dstnat comment="Pano manager" dst-port=81 protocol=tcp \
to-addresses=192.168.3.3 to-ports=80
add action=dst-nat chain=dstnat comment="RDP Test AVG/Manage" disabled=yes \
dst-port=1389 protocol=tcp to-addresses=192.168.3.4 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP Prophet 21 New server" dst-port=\
1390 log=yes protocol=tcp to-addresses=192.168.3.12 to-ports=3389
add action=dst-nat chain=dstnat comment=\
"Prophet 21 New server POD - Testing on win7 VM" dst-port=3443 log=yes \
protocol=tcp to-addresses=192.168.3.100 to-ports=3443
add action=dst-nat chain=dstnat comment="NanoStation A" dst-port=82 protocol=\
tcp to-addresses=192.168.3.39 to-ports=80
add action=dst-nat chain=dstnat comment="NanoStation B" dst-port=83 protocol=\
tcp to-addresses=192.168.3.47 to-ports=80
add action=dst-nat chain=dstnat comment=Printer dst-port=8080 protocol=tcp \
to-addresses=192.168.3.6 to-ports=8080
add action=dst-nat chain=dstnat comment=Spiceworks dst-port=84 protocol=tcp \
to-addresses=192.168.3.52 to-ports=80
add action=dst-nat chain=dstnat comment="DVR " dst-port=195 protocol=tcp \
to-addresses=192.168.3.8 to-ports=195
add action=dst-nat chain=dstnat comment="DVR " dst-port=1600 protocol=tcp \
to-addresses=192.168.3.8 to-ports=1600
/ip route
# Bypass routes for the "SSL traffic" and "mail ip" marks (both via Liberty).
# The "need to add mangle" comments are stale: the mangle rules exist.
# Neither route has check-gateway, so if the Liberty gateway goes down this
# traffic likely blackholes instead of falling back to the main table;
# consider check-gateway=ping here as on the PCC routes.
add comment="Liberty bypass load balance for https -need to add mangle" \
distance=1 gateway=**.**.**.225 routing-mark="SSL traffic" scope=255
add comment="LIberty bypass load balance for web mail -need to add mangle" \
distance=1 gateway=**.**.**.225 routing-mark="mail ip" scope=255
# Per-ISP tables used by the PCC routing marks.
add check-gateway=ping distance=1 gateway=**.**.**.125 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=**.**.**.225 routing-mark=to_ISP2
# Disabled alternates for the same bypasses via OSNET and via the Liberty
# DHCP gateway. The 104.244.180.129 gateway was not masked like the other
# uplink addresses in this paste.
add comment="Osnet bypass load balance for web mail -need to add mangle" \
disabled=yes distance=1 gateway=**.**.**.125 routing-mark="mail ip osnet" \
scope=255
add comment="Osnet bypass load balance for https -need to add mangle" disabled=\
yes distance=1 gateway=**.**.**.125 routing-mark="SSL traffic osnet" \
scope=255
add comment="Liberty bypass load balance for Hi-Tech HTTPl -need to add mangle" \
disabled=yes distance=1 gateway=**.**.**.225 routing-mark="Hi-Tech HTTP" \
scope=255
add comment="Osnet bypass load balance for Hi-Tech HTTPl -need to add mangle" \
disabled=yes distance=1 gateway=**.**.**.125 routing-mark=\
"Hi-Tech HTTP osnet" scope=255
add comment="Liberty DHCP bypass load balance for web mail -need to add mangle" \
disabled=yes distance=1 gateway=104.244.180.129 routing-mark=\
"mail ip Liberty DHCP" scope=255
add comment="Liberty DHCP bypass load balance for https -need to add mangle" \
disabled=yes distance=1 gateway=104.244.180.129 routing-mark=\
"SSL traffic Liberty DHCP" scope=255
add comment=\
"Liberty DCHP bypass load balance for Hi-Tech HTTPl -need to add mangle" \
disabled=yes distance=1 gateway=104.244.180.129 routing-mark=\
"Hi-Tech HTTP Liberty DHCP" scope=255
# Main-table defaults: OSNET preferred (distance 1), Liberty as failover
# (distance 2). A DHCP lease on ISP2 (default-route-distance=0 in
# /ip dhcp-client) would override this ordering.
add check-gateway=ping distance=1 gateway=**.**.**.125
add check-gateway=ping distance=2 gateway=**.**.**.225
# Reaches the automation site's LAN through a VPN peer; assumes that peer is
# always 192.168.4.254 (see DHCPPOOL_VPN) -- verify.
add comment=Automation distance=1 dst-address=192.168.88.0/24 gateway=\
192.168.4.254
/ip upnp
# UPnP lets any LAN host create its own inbound forwards on both uplinks,
# outside the dstnat rules in /ip firewall nat. Unless a specific
# application needs it, disable it so the exposed surface is only what is
# listed there.
set enabled=yes
/ip upnp interfaces
add interface=ISP1 type=external
add interface=ISP2 type=external
add interface=LAN type=internal
/ppp aaa
# PPP logins are checked against RADIUS as well as the local secrets below.
set use-radius=yes
/ppp secret
# password= values are empty in this paste -- presumably redacted by the
# poster (export prints them unless hide-sensitive is used). If they really
# are empty these VPN accounts have no password; verify on the router.
add comment="Hi-Tech Automation - Mikrotik" name=automation password= \
profile=default-encryption
add name=ricky1 password= profile=default-encryption
add name=Wilfred password= profile=default-encryption
add name=Jmaldo password= profile=default-encryption
/radius
# 192.168.3.12 is the host commented "New Prophet 21 server" in the lease
# table, while the domain controller is .11 -- confirm which box actually
# runs RADIUS/NPS. service=login means router logins can also be sent here
# if /user aaa use-radius is on (not in this export). secret= is empty,
# same caveat as the PPP secrets.
add address=192.168.3.12 domain=htp.local secret= service=ppp,login
/romon port
# RoMON is enabled on this port entry with no interface= shown, and RoMON
# is layer-2 management reachability from any port where it is active,
# uplinks included. Whether a RoMON secret is set is not in this export --
# confirm, and restrict it to the LAN side if it is needed at all.
add disabled=no
/system clock
set time-zone-name=America/Puerto_Rico
/system ntp client
# Two hard-coded NTP servers, so time sync does not depend on DNS.
set enabled=yes primary-ntp=206.246.122.250 secondary-ntp=129.6.15.29
/system routerboard settings
# protected-routerboot=disabled is the RouterOS default; enabling it only
# matters where physical access to the board is a concern.
set protected-routerboot=disabled
[admin@MikroTik] >