I have the following setup:
2 ISP 2 bridges
1 bridge is WiFi and LAN
2nd bridge is LAN for ipTV
At the moment I load balancing the two ISP over the 1st bridge for wifi and lan
But for 2nd bridge (TVs) I want to set it up, so it uses only 1 of the WAN (ISP1) connection.
Load balancing is achieved with mangle rules, but I can’t setup the rules for the 2nd bridge.
RoS works more efficiently with one bridge… If you need two subnets, use 2 vlans and one bridge.
Your firewall is crap…
Mangle rules are crap…
So basically you want to PCC HOME traffic between the two ISPs and the TV traffic you only want to use WAN2.
Should we assume for whatever reason that if WAN2 is not available (ISP issues etc.) that the TV should have access to WAN1 ??
Same goes for what happens to PCC traffic heading for WAN1 if WAN1 is down and vice versa…
So we need to handle all scenarios…
Why do you have UPnP enabled, any particular reason?? Usually it should not be required??
…
/interface bridge
add name=bridge-LAN
/interface vlan
add interface=bridge-LAN name=vlanhome10 vlan-id=10
add interface=bridge-LAN name=vlanTV20 vlan-id=20
/interface ethernet
set [ find default-name=ether1 ] mac-address= name=\
ether1-ISP1
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,2500M-full \
disabled=yes name=ether2-ISP2
set [ find default-name=ether3 ] name=ether3-TV
set [ find default-name=ether4 ] name=ether4-TV
set [ find default-name=ether5 ] name=ether5-LAN
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool2 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool_TV ranges=10.10.80.2-10.10.80.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=vlanhome10 name=dhcp1
add address-pool=dhcp_pool_TV interface=vlanTV20 name=dhcp2
/routing table
add disabled=no fib name=preferISP1
add disabled=no fib name=preferISP2
add disabled=no fib name=TV_only
/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-TV pvid=20
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4-TV pvid=20
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5-LAN pvid=10
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN untagged=ether3-TV,ether4-TV vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN untagged=ether5-LAN,wifi1,wifi2 vlan-ids=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether2-ISP2 list=WAN
add interface=vlanhome10 list=LAN
add interface=vlanTV20 list=LAN
/ip address
add address=10.10.20.1/24 interface=vlanhome10 network=10.10.20.0
add address=10.10.80.1/24 interface=vlanTV20 network=10.10.80.0
/ip dhcp-client
add add-default-route=no interface=ether1-ISP1 use-peer-dns=no use-peer-ntp=\
no
add add-default-route=no interface=ether2-ISP2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.10.20.0/24 dns-server=10.10.20.1 gateway=10.10.20.1
add address=10.10.80.0/24 dns-server=10.10.80.1 gateway=10.10.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN src-address-list=management
add action=accept chain=input comment="udp DNS traffic" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="tcp DNS traffic" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# disable or remove the next rule if port forwarding is not required
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
# handle traffic originating outside the router to ensure it goes out the same WAN
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=viaISP1 \
passthrough=yes in-interface=ether1-ISP1
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=viaISP2 \
passthrough=yes in-interface=ether2-ISP2
add action=mark-routing chain=output connection-mark=viaISP1 \
new-routing-mark=preferISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=viaISP2 \
new-routing-mark=preferISP2 passthrough=yes
# handle traffic from vlanhome for PCC and ensure it goes out the correct WAN
add action=mark-connection chain=prerouting comment=PCC connection-mark=no-mark \
dst-address-type=!local in-interface=vlanhome10 new-connection-mark=toISP1 passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment=PCC connection-mark=no-mark \
dst-address-type=!local in-interface=vlanhome10 new-connection-mark=toISP2 passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=toISP1 passthrough=yes \
new-routing-mark=preferISP1
add action=mark-routing chain=prerouting connection-mark=toISP2 passthrough=yes \
new-routing-mark=preferISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISP1
add action=masquerade chain=srcnat out-interface=ether2-ISP2
/ip route
# ensures that PCC traffic will use the other WAN if one of them goes down
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
add distance=1 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=preferISP1
add distance=2 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=preferISP1
add distance=1 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=preferISP2
add distance=2 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=preferISP2
Now to address vlanTV20, TWO options:
Simply make distance=2 for the first rule for ISP1 routing-table=main. Then vlanTV20 will always
select the shortest route (ISP2) of the two available routes but will use WAN1 if WAN2 is not available.
OR
Create another route and routing rule:
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=TV_only
/routing rule
add src-address=10.10.80.0/24 action=lookup table=TV_only
/ip upnp
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Please explain, can you help me with that? Do you have time for online consultation?
So basically you want to PCC HOME traffic between the two ISPs and the TV traffic you only want to use WAN2.
Yes that is the main goal, it is not required to have a fail over in case the ISP for TV is down – as I am not sure this will work well.
What do you think?
Why do you have UPnP enabled, any particular reason?? Usually it should not be required??
Not sure, I have more than one PC on my network, NAT, smart appliances etc. Is it needed for these to work?
Normally UPnP is not required.
The only reason to deviate from default firewall rules is if you know what you are doing.
I see copy and paste from YouTube or elsewhere and not proper application of firewall rules in play.
The mangle rules were all plain wrong, the fact that the pcc mangle rules itself used =local instead of =**!**local speaks volumes.
++++++++++++++++++++++++++++++++++++++++++++
A starting point for a viable solution has been provided.
Go through each line of the config carefully and write down any questions you have.
/interface list member
add interface=ether2-ISP2 list=WAN
add interface=vlanhome10 list=LAN
add interface=vlanTV20 list=LAN
Do I have to add ether1-ISP1 list=WAN as well?
/ip route
# ensures that PCC traffic will use the other WAN if one of them goes down
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
I did use a similar setup previously, but every time 1 of the ISPs was down I did get additional entries in “/ip route” when the ISP got back online, that I needed to delete every time to restore proper functioning of the router. Don’t know why but it was unusable. Any suggestions?
create another route and routing rule
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=TV_only
here dst-address remains 0.0.0.0/0, that means all target IPs?
Why do you set IDs on the ports here? Standard for VLAN filtering. Identifying the pvid in /interface bridge port tells the router that an untagged VLAN will be traversing the port.
It tells the reader that the port is likely an access port ( although it could be hybrid, but for hybrid one would not limit frame types ).
As for /interface bridge vlan, we identify for each VLAN which ports are tagged or untagged.
Do I have to add ether1-ISP1 list=WAN as well? Yes my bad, one should include ether1-ISP
# ensures that PCC traffic will use the other WAN if one of them goes down
I did use a similar setup previously, but every time 1 of the ISPs was down I did get additional entries in “/ip route” when the ISP got back online, that I needed to delete every time to restore proper functioning of the router. Don’t know why but it was unusable. Any suggestions? Yes, follow what I provided, your previous configs had so many flaws, no way to predict functionality…
create another route and routing rule
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=TV_only
here dst-address remains 0.0.0.0/0, that means all target IPs? YES, it means for any address trying to be reached by that VLAN, use the ISP2 gateway.
If you have any inter-VLAN traffic expected then you need to state this as a requirement for traffic flow and the config would be adjusted.
Can you please check the mangle and route rules again, I’ve found errors in connection and routing marks.
Can you please check again the code for errors?
After finally finding time to work on the config again I did manage to troubleshoot it.
It was not working in RouterOS 7.11.2 until I’ve set VLAN filtering=ON on the bridge, but I am not sure now the mangle rules are working.
No connections are marked in /ip/firewall/connection. Also it seems like all the traffic is going through ISP1, no load balancing.
(1) Why did you exclude LAN on this rule?
/ip neighbor discovery-settings
set discover-interface-list=!LAN
(2) Problem with the order of rules here…
The drop all else rule should be last because the port forwarding rule will, in its current location, never be seen by any traffic!!
I do note that you do not have any DST nat rules, so the rule is not that important, nonetheless for proper configuration it should be moved,
and then you could either disable it, or remove it altogether.
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
(3) So your situation is very clear, you do not need any connections between vlan10 and vlan20.
VLAN20 should only use WAN1
VLAN10 should use both in a PCC scenario.
What you don't make clear is what should happen if
a. WAN1 becomes unavailable?
b. WAN2 becomes unavailable?
fixed up a bit, the first four rules not required, that I can see.
change of interface we are not trying to capture vlan20 …so no need for bridge or LAN interface
just to be clear you want more traffic to go through WAN2 based on your PCC rules…
don't need connection-state=new, since you have the no-mark qualifier; in some complex instances one may want both.
Nothing wrong with this rule that I can see except that there is no need to make up another table. You already have one for WAN1…
/routing rule
add action=lookup disabled=no src-address=10.10.80.0/24 table=preferISP1
This rule is also useful in that the action is “lookup” which tells me if WAN1 is not available the router is permitted to go to the main table and find an alternate route and thus it will find and use WAN2 for tv traffic assuming WAN2 is available as well.
Nothing I see particularly off here except we no longer need the last extra rule so it has been removed. Also the check gateway ping is not required on the routes for PCC.
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=ISP1_gate routing-table=main suppress-hw-offload=no
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ISP2_gate pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=ISP2_gate pref-src="" routing-table=preferISP2
add distance=1 dst-address=0.0.0.0/0 gateway=ISP1_gate pref-src="" routing-table=preferISP1
NOTE: This seems okay, but consider that if WAN1 goes down all its traffic due to PCC will in effect be dropped, having nowhere to go, and the same for WAN2 PCC traffic.
So once you have fixed all of the above stuff we can work on failover for PCC.
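For the failover step the reply above defers, here is an added RouterOS v7 script (written as an example for this thread, not the config of either poster) that combines the agreed design: vlanhome10 PCC-balanced across both ISPs with failover via recursive routes, vlanTV20 pinned to ISP1 with fallback. The next-hop addresses 203.0.113.1 / 198.51.100.1 and the probe hosts 1.1.1.1 / 9.9.9.9 are placeholders; interface, mark and table names are the ones used in the thread.

```routeros
# Added example (not the thread author's config): vlanhome10 is PCC-balanced
# across ISP1/ISP2 with failover; vlanTV20 is pinned to ISP1 with fallback.
# Placeholders: 203.0.113.1 / 198.51.100.1 are the ISP next hops, and
# 1.1.1.1 / 9.9.9.9 are the hosts pinged to judge each ISP's health.
/routing table
add fib name=preferISP1
add fib name=preferISP2
/ip firewall mangle
# replies to connections that arrived on a WAN must leave via the same WAN
add chain=prerouting in-interface=ether1-ISP1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=viaISP1 passthrough=yes
add chain=prerouting in-interface=ether2-ISP2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=viaISP2 passthrough=yes
# split new non-local connections from vlanhome10 into two PCC buckets
add chain=prerouting in-interface=vlanhome10 connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=viaISP1 passthrough=yes
add chain=prerouting in-interface=vlanhome10 connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=viaISP2 passthrough=yes
# every packet of a marked LAN connection is routed via the matching table
add chain=prerouting in-interface=vlanhome10 connection-mark=viaISP1 \
    action=mark-routing new-routing-mark=preferISP1 passthrough=yes
add chain=prerouting in-interface=vlanhome10 connection-mark=viaISP2 \
    action=mark-routing new-routing-mark=preferISP2 passthrough=yes
# router-originated replies (output chain) follow the same marks
add chain=output connection-mark=viaISP1 action=mark-routing \
    new-routing-mark=preferISP1 passthrough=yes
add chain=output connection-mark=viaISP2 action=mark-routing \
    new-routing-mark=preferISP2 passthrough=yes
/ip route
# host routes with narrow scope so the default routes resolve recursively
# through exactly one ISP; check-gateway then also sees upstream outages
add dst-address=1.1.1.1/32 gateway=203.0.113.1 scope=10
add dst-address=9.9.9.9/32 gateway=198.51.100.1 scope=10
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 check-gateway=ping target-scope=10
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=2 check-gateway=ping target-scope=10
# per-ISP tables: preferred ISP first, the other ISP as failover
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 check-gateway=ping routing-table=preferISP1 target-scope=10
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=2 check-gateway=ping routing-table=preferISP1 target-scope=10
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=1 check-gateway=ping routing-table=preferISP2 target-scope=10
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=2 check-gateway=ping routing-table=preferISP2 target-scope=10
/routing rule
# TV VLAN: ISP1 first via preferISP1; "lookup" still falls back to main
add src-address=10.10.80.0/24 action=lookup table=preferISP1
/ip firewall nat
add chain=srcnat out-interface=ether1-ISP1 action=masquerade
add chain=srcnat out-interface=ether2-ISP2 action=masquerade
```

One side effect to be aware of: because of the /32 host routes, traffic from the LAN to the two probe hosts is always sent via the ISP they are pinned to, so pick probe hosts you do not otherwise depend on.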
For security reasons. So it is only discoverable through the LAN port, sometimes there are outside people with access to the Wi-Fi.
I know I should create guest Wi-Fi, but I don’t want it to be accessible all the time for all neighbors.