Hi there,
I was hoping someone could help me, please. I need a fresh set of eyes on this configuration, as it has stopped working for no reason that I can see, at least.
At the moment I can only get data to flow through WAN1; from the RB itself I cannot ping any address on the internet (e.g. 8.8.8.8) via WAN2/3.
eth 1=WAN 1 (192.168.0.X)
eth 2=WAN 2 (192.168.2.X)
eth 3=WAN 3 (192.168.1.X)
eth 4=Switch to Hotspot network
I would be grateful if someone could help me find the issue.
Firewall NAT
# NAT: one masquerade rule per WAN, matched on out-interface, so whatever is
# routed out WAN1/2/3 is rewritten to that interface's address. There is no
# src-address restriction, so any forwarded traffic leaving a WAN is NATed,
# not only the hotspot subnet.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN3
# Authenticated hotspot clients skip the hotspot NAT chain for every
# destination outside 10.5.50.0/24 (presumably the hotspot subnet; it is the
# source network the filter rules below isolate).
add action=accept chain=pre-hotspot comment="Hotspot bypass rule " disabled=no dst-address=!10.5.50.0/24 hotspot=auth
# Disabled placeholder left by the hotspot setup wizard; has no effect.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
Firewall Mangle
# Mangle: policy-routing marks. Everything here lives in prerouting (plus two
# packet-mark rules in input/forward), so only traffic that ARRIVES on an
# interface is marked. Traffic the router itself generates (the output chain,
# e.g. /ping run on the RB) never gets a routing mark and is routed by the
# main table, whose only active default route is the one from the WAN1 DHCP
# client - which matches the symptom described in the post.
/ip firewall mangle
# TCP to 192.168.0.1 (the WAN1 gateway) is pinned to RAD_Route; passthrough=no
# stops further mangle processing for those packets.
add action=mark-routing chain=prerouting comment="Routing for RADIUS" disabled=no dst-address=192.168.0.1 new-routing-mark=RAD_Route passthrough=no protocol=tcp
# ICMP_PACK packet marks for the router's own and forwarded ICMP. Nothing in
# this paste (no queue tree / simple queue shown) consumes the mark - confirm a
# queue exists before keeping these.
add action=mark-packet chain=input comment="# ICMP Packet Priority" disabled=no new-packet-mark=ICMP_PACK passthrough=no protocol=icmp
add action=mark-packet chain=forward disabled=no new-packet-mark=ICMP_PACK passthrough=no protocol=icmp
# NOTE(review): rewrites the TTL of every ICMP packet passing through
# prerouting to 16, forwarded pings included. Replies from more than 16 hops
# away will expire and traceroute output is distorted - confirm intended.
add action=change-ttl chain=prerouting comment="ICMP TTL Settings" disabled=no new-ttl=set:16 passthrough=yes protocol=icmp
# Hotspot clients reaching 192.168.11.0/24 use the NETWORK_DEVICES table
# (interface route via vlan11-ap-network in /ip route).
add action=mark-routing chain=prerouting comment="Routing for Network Devices" disabled=no dst-address=192.168.11.0/24 new-routing-mark=NETWORK_DEVICES passthrough=no src-address-list=HOTSPOT_IP
# Traffic addressed to the router's own WAN addresses (wanip list, contents
# not shown here) leaves mangle unmarked so it is not load-balanced.
add action=accept chain=prerouting comment="PCC Load Balancing" disabled=no dst-address-list=wanip
# New connections arriving on a WAN are tagged with that WAN's mark so the
# replies are routed back out the same interface.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
# PCC 3-way split of new, non-local connections from HOTSPOT_IP sources only.
# Anything not in HOTSPOT_IP (other LAN subnets, the router itself) is not
# balanced and stays on the main table.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0 src-address-list=HOTSPOT_IP
# NOTE(review): "src-address-list= HOTSPOT_IP" has a space before the value.
# If that is in the live config rather than a paste artifact, the rule did not
# import as intended - check that the WAN2 bucket rule exists and is enabled.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1 src-address-list= HOTSPOT_IP
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2 src-address-list=HOTSPOT_IP
# Connection mark -> routing mark for every packet of the connection. There is
# no chain=output equivalent, so router-originated traffic is never marked.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
IP Route
# Policy routes. Each table is used only by packets carrying the matching
# routing mark from mangle; when a marked table has no active route the lookup
# falls back to the main table. No main-table default route is defined here -
# it comes from the DHCP clients below.
/ip route
# RAD_Route: TCP to the WAN1 gateway, no check-gateway.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=RAD_Route scope=30 target-scope=10
# NETWORK_DEVICES: interface route, hotspot -> 192.168.11.0/24.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=vlan11-ap-network routing-mark=NETWORK_DEVICES scope=30 target-scope=10
# Per-WAN default routes for the PCC marks. check-gateway=ping only verifies
# that the local upstream router (192.168.x.1) answers, not that the internet
# is reachable behind it - a dead ISP link behind a live modem is not detected.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN3 scope=30 target-scope=10
# LOCAL_ROUTE: interface default route via the bridge. No mangle rule in this
# paste sets the LOCAL_ROUTE mark, so this route appears unused - confirm.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=bridge routing-mark=LOCAL_ROUTE scope=30 target-scope=10
IP DHCP Client
# All three DHCP clients install a main-table default route at the same
# distance (1). With three equal default routes only one is active (WAN1's,
# judging by the symptom), and DHCP-installed routes carry no check-gateway,
# so the main table never fails over when the WAN1 gateway stops answering.
# Router-originated traffic uses the main table, which is why a plain /ping
# from the RB only ever leaves via WAN1; to exercise another WAN from the
# router, ping with routing-table=to_WAN2 (or to_WAN3). Giving the clients
# distinct default-route-distance values (e.g. 1, 2, 3) makes the main-table
# preference explicit instead of depending on install order.
/ip dhcp-client
add default-route-distance=1 disabled=no interface=WAN1 ipv4=yes ipv6-pd=no
add default-route-distance=1 disabled=no interface=WAN2 ipv4=yes ipv6-pd=no
add default-route-distance=1 disabled=no interface=WAN3 ipv4=yes ipv6-pd=no
IP Firewall Filter
# Filter rules. Rules are evaluated top-down per chain. Note for the whole
# listing: there is no catch-all "chain=input action=drop" anywhere in this
# paste, so the router's own services are accept-by-default from every
# interface (WANs included); only the explicit blacklist/scanner drops below
# ever block input traffic.
/ip firewall filter
# Logs EVERY new TCP and UDP connection from 10.5.50.0/24 with an empty
# prefix - high log volume on a hotspot; consider a limit= or disabling once
# the RADIUS issue is diagnosed.
add action=log chain=forward comment="Radius " connection-state=new disabled=no log-prefix="" protocol=tcp src-address=10.5.50.0/24
add action=log chain=forward comment=Radius connection-state=new disabled=no log-prefix="" protocol=udp src-address=10.5.50.0/24
# Hotspot client isolation: no client-to-client traffic and no access to
# 192.168.11.0/24, 192.168.0.0/24 (WAN1 side) or 192.168.100.0/24. WAN2's
# 192.168.2.0/24 is not in this list; WAN3's 192.168.1.0/24 is covered further
# down by the "block other network" rules.
add action=drop chain=forward disabled=no dst-address=10.5.50.0/24 src-address=10.5.50.0/24
add action=drop chain=forward disabled=no dst-address=192.168.11.0/24 src-address=10.5.50.0/24
add action=drop chain=forward disabled=no dst-address=192.168.0.0/24 src-address=10.5.50.0/24
add action=drop chain=forward disabled=no dst-address=192.168.100.0/24 src-address=10.5.50.0/24
# Every SIP connection's source is added to VOIP_list permanently (timeout
# 0s). No rule in this paste reads VOIP_list, so the list only grows.
add action=add-src-to-address-list address-list=VOIP_list address-list-timeout=0s chain=forward comment="Voip list" connection-type=sip disabled=no
# Xbox Live: accepted only when BOTH src and dst port are in 88,3074.
add action=accept chain=forward comment="xbox live" disabled=no dst-port=88,3074 protocol=tcp src-port=88,3074
add action=accept chain=forward comment="xbox live" disabled=no dst-port=88,3074 protocol=udp src-port=88,3074
# Sources in the Trust list bypass every later input rule, including the
# brute-force and port-scanner blacklists below.
add action=accept chain=input disabled=no src-address-list=Trust
# Wizard placeholder; the unused-hs-chain chain is never jumped to here.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=no
# Blocks forwarding for one specific client MAC.
add action=drop chain=forward disabled=no src-mac-address=00:1B:11:E1:00:CC
# Custom "icmp" chain: allow dest-unreachable (3:0, 3:1), source quench (4),
# echo request (8), time exceeded (11) and parameter problem (12); drop the
# rest at the end. NOTE(review): no rule with jump-target=icmp appears
# anywhere in this paste, so unless such a jump exists outside it this chain
# is never entered and ICMP is handled by the ordinary input/forward rules.
add action=accept chain=icmp comment="allow established connections" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow already established connections" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
# FTP brute-force budget: outgoing "530 Login incorrect" replies are accepted
# at 1/min with a burst of 9 per destination address; anything above that
# falls through to the add-dst-to-address-list rule lower down.
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/2m protocol=tcp
# All forwarded traffic passes through the virus chain; packets it does not
# drop return here and continue down the forward chain.
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
# Last rule of the icmp chain: everything not accepted above is dropped.
add action=drop chain=icmp comment="deny all other types" disabled=no
# Forwarded traffic on vlan2-customers that did not come from an
# authenticated hotspot client is dropped.
add action=drop chain=forward comment="drop non authorised hs users" disabled=no hotspot=!from-client in-interface=vlan2-customers
# NOTE(review): accepts SMTP from the spammer list, but the virus chain (entered
# above, before this rule) already drops spammer SMTP, so this accept should
# never match. Probably a leftover - confirm and remove.
add action=accept chain=forward disabled=no dst-port=25 protocol=tcp src-address-list=spammer
# NOTE(review): address-list="" - an unnamed list. This looks like a broken
# copy of the "add to spammer list" rule below; it adds SMTP sources to a list
# with an empty name and protects nothing. Disable or delete.
add action=add-src-to-address-list address-list="" address-list-timeout=0s chain=forward connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp
# Spam control in the virus chain: listed sources are dropped; a source
# exceeding 30 concurrent SMTP connections (per /32) or 50 per 5s is listed
# for 1 day.
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="add to spammer list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp
# NOTE(review): the comment says "drop" but the action is accept, and the rule
# sits after the icmp chain's "deny all other types" drop, so it is unreachable
# even if the chain is jumped to. Echo replies (0:0) are therefore dropped by
# that chain - move this above the deny-all rule if replies should be allowed.
add action=accept chain=icmp comment="drop invalid connections" disabled=no icmp-options=0:0 protocol=icmp
# FTP brute-force: clients that receive more "530 Login incorrect" replies
# than the output budget allows are listed (as the destination of the reply)
# for 3h and then dropped on port 21.
add action=drop chain=input comment="Drop FTP Brute Forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=no protocol=tcp
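# SSH brute-force protection (input chain). Order matters: the drop first,
# then the stages from highest to lowest, so one new connection advances a
# source by exactly one stage per pass:
#   1st new SSH connection        -> ssh_stage1 (1m)
#   2nd within 1m                 -> ssh_stage2 (1m)
#   3rd within 1m                 -> ssh_stage3 (1m)
#   4th within 1m                 -> ssh_blacklist (10d), then dropped above
# The previous version of these rules added EVERY new SSH source straight to
# ssh_blacklist with address-list-timeout=0s (permanent), so any host not in
# the Trust list was locked out after its first SSH session, and
# ssh_stage1..3 were never populated. Sources matched by the Trust accept
# rule earlier in the input chain never reach these rules.
add action=drop chain=input comment="Drop SSH Brute Forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d chain=input comment="ssh stage3 -> blacklist" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="ssh stage2 -> stage3" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="ssh stage1 -> stage2" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="ssh new -> stage1" connection-state=new disabled=no dst-port=22 protocol=tcp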
# Bogon filtering, forward chain only: "this" network (0/8), loopback (127/8)
# and multicast/reserved (224/3) in either direction. The input chain has no
# equivalent, so these sources can still reach the router itself.
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
# NOTE(review): per the post, 192.168.1.0/24 is WAN3's upstream subnet (eth3).
# These rules drop any forwarded traffic to or from that subnet, e.g. LAN
# access to the WAN3 modem/gateway. Internet traffic via WAN3 is unaffected
# (its dst is the internet address and the source is NATed after forward),
# and pings from the RB itself do not traverse forward at all - so this is
# not the cause of the reported symptom, but confirm it is intended.
add action=drop chain=forward comment="block other network" disabled=no src-address=192.168.1.0/24
add action=drop chain=forward comment="block other network" disabled=no dst-address=192.168.1.0/24
# Custom "tcp" and "udp" chains. NOTE(review): no rule with jump-target=tcp or
# jump-target=udp appears in this paste, so unless the jumps exist outside it
# none of these deny rules are ever evaluated.
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
# NOTE(review): DHCP (67-68) is UDP; this TCP rule matches nothing useful and
# there is no UDP counterpart.
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
# "PRC" in the next two comments is a typo for RPC; left untouched here because
# comment= is part of the rule text.
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=udp
# Port-scan detection on the input chain. psd=21,3s,3,1: a source accumulates
# weight 3 per low port and 1 per high port hit within 3s and is listed once
# the weight reaches 21. The tcp-flags rules list sources sending well-known
# scan signatures (FIN-only, SYN+FIN, SYN+RST, Xmas-style, all-flags, NULL).
# Entries expire after two weeks. Because the Trust accept rule sits earlier
# in the input chain, trusted sources are never listed or dropped here.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Drops ALL input (any protocol) from listed sources, not just TCP.
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
# "virus" chain, entered from the forward chain for all forwarded traffic:
# destination-port drops for a list of early-2000s worm/backdoor ports.
# These block the ports regardless of direction or destination, so they also
# stop hotspot clients reaching legitimate services that happen to use the
# same ports. Packets not dropped here return to the forward chain.
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
# The three "________" entries are placeholder comments; the rules are live.
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
# NOTE(review): drops TCP 1024-1030 for every forwarded connection. This range
# is not reserved for malware and can carry ordinary traffic - confirm it is
# still wanted.
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
# Port 2745 appears twice (here and "Drop Beagle.C-K" below); one is redundant.
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
# TCP 10000 is also used by common admin web interfaces; this drop affects
# clients that need to reach such a service across the router.
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp