In case of WAN1-LAN1 and WAN2-LAN2 connections, routing between LAN1 and LAN2

Routing between LAN1 and LAN2 in case of WAN1-LAN1 and WAN2-LAN2 connection

Hello!

I have a problem. I have the setup mentioned in the subject: two modems, each with its own public dynamic IP address. The WAN1-LAN1 and WAN2-LAN2 connections are set up, so that part works.
However, communication between LAN1 and LAN2 is also needed, and unfortunately I have not been able to get that working. It is important that it works without mangle rules, because I need the fasttrack rule for throughput.
Router: RB3011
WAN1: SPF1
WAN2: Ether10

The configuration:

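# RouterOS export (RB3011): two ISPs (sfp1 = WAN1, ether10 = WAN2) and two LAN
# VLANs (10 = vlan_private, 20 = vlan_private2), each VLAN forced out through
# its own WAN by a routing rule.  Reviewer comments added; the only code change
# is the missing space on the WAN2 default route under /ip route.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge_main protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp1 ] auto-negotiation=no mac-address=XX:XX:XX:XX:XX:XX
/interface vlan
add interface=bridge_main name=vlan_private2 vlan-id=20
add interface=bridge_main name=vlan_private vlan-id=10
/interface list
add name=WAN
add name=VLAN
/ip pool
add name=private_pool ranges=192.168.10.20-192.168.10.254
add name=private2_pool ranges=192.168.20.20-192.168.20.50
/ip dhcp-server
add address-pool=private_pool authoritative=after-2sec-delay interface=vlan_private lease-time=1w3d name=dhcp_private
add address-pool=private2_pool authoritative=after-2sec-delay interface=vlan_private2 lease-time=1h name=dhcp_private2
/port
set 0 name=serial0
/routing table
# one FIB-backed table per WAN; connected routes live only in main, so each
# of these tables holds nothing but the default route added under /ip route
add disabled=no fib name=WAN1
add disabled=no fib name=WAN2
/interface bridge port
# ether1, ether3-ether9: untagged access ports in VLAN 10; ether2: tagged trunk
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge_main frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge_main frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=10
/interface bridge vlan
# VLAN 20 is only carried tagged on ether2; it has no untagged access port
add bridge=bridge_main tagged=ether2 untagged=ether1,ether3,ether4,ether5,ether6,ether7,ether8,ether9 vlan-ids=10
add bridge=bridge_main tagged=ether2 vlan-ids=20
/interface list member
# NOTE(review): ether10 (WAN2) is not a member of the WAN list; the list is
# unused below, but add it if the list is ever used in a firewall rule
add interface=sfp1 list=WAN
add interface=vlan_private list=VLAN
add interface=vlan_private2 list=VLAN
/ip address
add address=192.168.10.1/24 interface=vlan_private network=192.168.10.0
add address=192.168.20.1/24 interface=vlan_private2 network=192.168.20.0

/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
# neither WAN DHCP client installs a default route; the defaults are static
# entries under /ip route using the ISP1/ISP2 gateway placeholders
add add-default-route=no interface=sfp1
add add-default-route=no interface=ether10
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
# the router answers DNS for any source that gets past the input chain; from
# the WAN side that is currently prevented only by the input-chain "Drop" rule
# below, so keep that in mind if the input chain is ever reordered
set allow-remote-requests=yes servers=1.1.1.1,208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4
/ip firewall filter
# input chain: rules are evaluated top-down and the unconditional "Drop" rule
# terminates the chain.  Every later chain=input rule in this export (Private,
# Private2, the invalid drop, the three blacklist collectors and the blacklist
# drop) is therefore never reached, and nothing in this export populates the
# "blacklist" address list.  Either delete the dead rules or move the
# unconditional drop to the end of the input chain; if you move it, re-check
# the Private/Private2 accepts, which match on source address alone and would
# then also accept packets arriving on the other WAN port with a spoofed
# LAN source.
add action=accept chain=input comment="Allow Esteb & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# redundant: vlan_private is already a member of the VLAN list matched above
add action=accept chain=input comment="Allow vlan_private Full Access" in-interface=vlan_private
add action=drop chain=input comment=Drop
# fasttrack connections whose destination is one of the two LANs; once a
# connection is fasttracked its packets bypass the rest of the filter, which
# is why inter-LAN traffic is to be solved with routing rules, not mangle marks
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=192.168.10.0/24 hw-offload=yes
add action=fasttrack-connection chain=forward connection-state=established,related dst-address=192.168.20.0/24 hw-offload=yes
add action=accept chain=input comment=Private in-interface=!sfp1 src-address=192.168.10.0/24
add action=accept chain=input comment=Private2 in-interface=!ether10 src-address=192.168.20.0/24
add action=drop chain=input comment="Invalid packets drop" connection-state=invalid
add action=drop chain=forward comment="Invalid packets drop" connection-state=invalid
add action=add-src-to-address-list address-list=blacklist address-list-timeout=8w4d12h chain=input comment="Port scanners add to blacklist" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=blacklist address-list-timeout=2w1d chain=input dst-port=20-1023,8000,8080,8291 protocol=tcp src-address=!192.168.0.0/16
add action=add-src-to-address-list address-list=blacklist address-list-timeout=2w1d chain=input dst-port=20-122,124-499,501-1023,8000,8080,8291 protocol=udp src-address=!192.168.0.0/16
add action=drop chain=input comment="Blacklist packets drop" src-address-list=blacklist
add action=drop chain=forward comment="Blacklist packets drop" src-address-list=blacklist
# output chain has no drop rule in this export, so these two accepts
# (L2TP 1701/udp, IKE 500/udp) currently change nothing
add action=accept chain=output dst-port=1701 protocol=udp src-port=1701
add action=accept chain=output dst-port=500 protocol=udp src-port=500
# forward chain has no terminating drop: anything not dropped as invalid or
# blacklisted is forwarded by default, LAN1<->LAN2 included, and the two
# accepts below are no-ops as listed.  The inter-LAN problem is therefore in
# routing (the lookup-only-in-table rules), not in the filter.  ISP1/ISP2 are
# the poster's placeholders for the public gateway addresses.
add action=accept chain=forward comment="Allow Internet Traffic Private" out-interface=sfp1 src-address=ISP1
add action=accept chain=forward comment="Allow Internet Traffic Private2" out-interface=ether10 src-address=ISP2
/ip firewall nat
# masquerade is keyed on source subnet + WAN interface, so each LAN only
# ever NATs out its own WAN; LAN1<->LAN2 traffic is not NATed
add action=masquerade chain=srcnat comment="NAT_Private" out-interface=sfp1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="NAT_Private2" out-interface=ether10 src-address=192.168.20.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
# NOTE(review): main holds two default routes with the same distance (the
# second line takes the default distance); confirm that equal-cost/failover
# behaviour in main is intended, since main is only consulted when no routing
# rule matches
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=WAN1 scope=30 suppress-hw-offload=no target-scope=10
# fixed: the posted line was missing the space before routing-table=
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=WAN2
/ip service
# management reduced to winbox from LAN1 only; www-ssl is not listed here,
# confirm it is disabled or restricted as well
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/routing rule
# each LAN is locked to its own WAN table and main is never consulted, so a
# LAN1->LAN2 packet is looked up only in WAN1, matches its default route and
# is sent towards ISP1 instead of the connected vlan_private2 route.  A
# lookup rule for table=main with min-prefix=0 placed above these two restores
# inter-LAN routing without mangle marks.
add action=lookup-only-in-table disabled=no interface=vlan_private src-address=192.168.10.0/24 table=WAN1
add action=lookup-only-in-table disabled=no interface=vlan_private2 src-address=192.168.20.0/24 table=WAN2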

I tried adding an additional routing rule for the main table, but probably incorrectly: the internet went down on both networks, although they could then reach each other.

Thanks in advance for your help!

Because you are using routing rules to force WAN1-LAN1 and WAN2-LAN2, adding the following rule at the top of the routing rule table should re-enable routing between LAN1 and LAN2:


/routing rule
# must sit above the two lookup-only-in-table rules.  The packet is first
# looked up in main, but min-prefix=0 suppresses the default route from that
# lookup (RouterOS equivalent of Linux suppress_prefixlength), so only the
# connected /24 routes can match: LAN1<->LAN2 is routed directly, while
# internet-bound traffic finds nothing here and falls through to the per-WAN
# rules below.
add action=lookup disabled=no min-prefix=0 table=main

Again, this rule must be above the two other rules in the routing rule table.

I created the rule and moved it to the beginning, it works flawlessly.
Thank you very much, I didn’t even think about this rule with this implementation.