Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Hi all

I would like to load balance 2 x WAN connections (PPPoE clients dialling out through DSL routers in bridge mode), allowing internet access over both connections for the MT bridge and the PPPoE server.

I have the current setup:

2 x DSL ROUTERS (BRIDGE) (Ether1, Ether 3) → RB750UP (DIAL PPPOE x 2) → UBNT SECTOR (ETHER2) → PPPoE Server on Bridge (Ether2, 4, 5).

When editing the script to match my topology, I still only have traffic on ONE WAN interface.

Anyone able to help find what the problem is please?

Thanks!

I found the following script:

/ ip firewall mangle
# Reference PCC (per-connection-classifier) dual-WAN script as found on the forum.
# Placeholders: ISP1/ISP2 are the two uplink interfaces, LAN is the client-facing
# interface, 111.111.111.0/24 and 222.222.222.0/24 are the two uplink subnets.
# LAN traffic addressed to either uplink subnet is left unmarked (main table).
add chain=prerouting dst-address=111.111.111.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=222.222.222.0/24 action=accept in-interface=LAN
# Connections that arrive on an uplink are tied to it, so replies leave the same way.
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
# New LAN connections are hashed on src+dst address into two buckets (2/0 -> ISP1,
# 2/1 -> ISP2); dst-address-type=!local keeps traffic for the router itself out.
# NOTE: connection-mark=no-mark means a connection already marked by an earlier
# mangle rule (e.g. a QoS connection-mark) never reaches these two rules.
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
# connection-mark -> routing-mark for forwarded traffic ...
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
# ... and for packets the router itself originates on those connections.
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
# One default route per routing-mark; check-gateway=ping lets a dead uplink's route go inactive.
add dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=to_ISP2 check-gateway=ping
# Unmarked traffic: ISP1 preferred, ISP2 as backup by distance.
add dst-address=0.0.0.0/0 gateway=111.111.111.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 distance=2 check-gateway=ping

/ ip firewall nat
# Source NAT per uplink so each flow leaves with the address of the link it was routed to.
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade


----- MY CONFIG:

# NOTE(review): the curly quotes (“ ”) throughout this paste are a forum rendering
# artifact; RouterOS expects straight double quotes, so fix them before re-importing.
# Lines without a leading "add"/"set" are export continuations flattened by the paste.
/interface bridge
add admin-mac=4C:5E:0C:A2:63:4C auto-mac=no comment=“To view all traffic:”
name=bridge protocol-mode=none
/interface ethernet
# ether1/ether3 face the two DSL modems (bridge mode); the PPPoE clients below dial over them.
set [ find default-name=ether1 ] comment=“ALL ETHERNET” mtu=1492 name=WAN1
set [ find default-name=ether3 ] name=WAN2
# ether2/4/5 are the LAN side and are added to the bridge in /interface bridge port.
set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local
set [ find default-name=ether4 ] name=“ether4-slave-local BASE HOUSE”
poe-out=off
set [ find default-name=ether5 ] name=ether5-slave-local


/interface pppoe-client
# Uplinks: ISP1 over WAN1 (ether1), ISP2 over WAN2 (ether3). user= is blank in this
# paste (credentials stripped). allow=pap restricts uplink authentication to PAP.
# NOTE(review): both clients have add-default-route=yes, so each dial-up installs
# its own default route in the main table next to the static defaults in /ip route;
# in a PCC setup the routing-mark routes are normally what selects the uplink, so
# add-default-route=no is the usual choice here — confirm against the ISPs' needs.
# ISP1 caps MTU/MRU at 1400 while ISP2 keeps the defaults.
add add-default-route=yes allow=pap comment=“DSL CONNECTIONS” disabled=no
interface=WAN1 keepalive-timeout=60 max-mru=1400 max-mtu=1400 mrru=1600
name=ISP1 use-peer-dns=yes user=
add add-default-route=yes allow=pap disabled=no interface=WAN2 name=ISP2
use-peer-dns=yes user=


/interface pptp-client
# NOTE(review): pptp-out1 dials 154.117.185.86 with an empty user and nothing else
# in this export references it. PPTP/MS-CHAP offers no meaningful confidentiality
# today; if the tunnel is still needed prefer an IPsec-based option, otherwise remove it.
add connect-to=154.117.185.86 mrru=1600 name=pptp-out1 user=“”
/interface wireless security-profiles
# Default wireless profile; no wireless interfaces appear in this export.
set [ find default=yes ] supplicant-identity=MikroTik


/ip pool
# All three pools live inside the bridge's 192.168.88.0/24.
# NOTE(review): PPPoE (.100-.200) and pool1 (.50-.100) overlap at .100, the static
# DHCP leases .50/.60/.70 sit inside pool1, and nothing in this export references
# pool1 — confirm it is unused or the same address can be handed out twice.
add name=dhcp ranges=192.168.88.10-192.168.88.40
add name=PPPoE ranges=192.168.88.100-192.168.88.200
add name=pool1 ranges=192.168.88.50-192.168.88.100


/ip dhcp-server
# LAN DHCP on the bridge, handing out the "dhcp" pool (.10-.40).
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=
bridge name=default


/ppp profile
# Default profile (*0) used by the PPPoE server: customers get the router (.2) as
# DNS; use-encryption=no disables MPPE on the sessions.
# NOTE(review): local-address=PPPoE names the pool for the router's own end of each
# link and no remote-address is set here, so customer addresses presumably come
# from RADIUS (the user-manager users below carry ip-address=) — confirm.
set *0 bridge=bridge dns-server=192.168.88.2 local-address=PPPoE
use-encryption=no
set *FFFFFFFE bridge=bridge use-encryption=no


/queue tree
# Queue tree on the bridge for two of the packet-marks assigned in /ip firewall
# mangle; the other marks (games-*, voip-*, vpn-*, admin-*, in) have no queue here.
add limit-at=5M max-limit=5M name=queue1 packet-mark=streaming-video-out
parent=bridge priority=5
add burst-time=5s limit-at=7M max-limit=10M name=HTTP packet-mark=http-out
parent=bridge queue=hotspot-default
/snmp community
# NOTE(review): the default community is allowed from 0.0.0.0/0. If SNMP is enabled
# (the /snmp enabled= setting is not in this paste), the input chain's disabled
# final drop leaves it readable from either uplink; restrict it, e.g.
# addresses=192.168.88.0/24, or keep SNMP off if nothing polls it.
set [ find default=yes ] addresses=0.0.0.0/0
/tool user-manager customer
# Built-in admin customer with rights over routers, users, profiles, limits and payment gateways.
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
# Billing profiles; the rate limits are attached through profile-limitation further
# down. "2MbnDavis " carries a trailing space in its name (referenced the same way
# below), only 8Mbit/2Mbit have a price (449), and "Full" has no limitation mapped.
add name=8Mbit name-for-users=“” override-shared-users=unlimited owner=admin
price=449 starts-at=logon validity=0s
add name=2Mbit name-for-users=“” override-shared-users=unlimited owner=admin
price=449 starts-at=logon validity=0s
add name=4Mbit name-for-users=“” override-shared-users=unlimited owner=admin
price=0 starts-at=logon validity=0s
add name=1Mbit name-for-users=“” override-shared-users=off owner=admin price=
0 starts-at=logon validity=0s
add name=“2MbnDavis " name-for-users=”" override-shared-users=off owner=admin
price=0 starts-at=logon validity=0s
add name=“2mb domingo” name-for-users=“” override-shared-users=off owner=
admin price=0 starts-at=logon validity=0s
add name=“2Mbit Salie” name-for-users=“” override-shared-users=1 owner=admin
price=0 starts-at=logon validity=0s
add name=Full name-for-users=“” override-shared-users=off owner=admin price=0
starts-at=logon validity=0s
add name=“2Mbit Bardien” name-for-users=“” override-shared-users=off owner=
admin price=0 starts-at=logon validity=0s
add name=“2Mbit Atta Mohamed” name-for-users=“” override-shared-users=off
owner=admin price=0 starts-at=logon validity=0s
add name=20Mbit name-for-users=“” override-shared-users=off owner=admin
price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
# Per-profile rate limits (values carry a B suffix; which direction rx/tx is from
# the customer's view depends on the NAS perspective — confirm).
# NOTE(review): 2Mbit, 4Mbit and 1Mbit all use rate-limit-rx=262144B while 8Mbit
# uses rx=10485760B / tx=15728640B, so the names do not consistently match the
# limits — check these against what each plan is meant to deliver.
add address-list=“” download-limit=0B group-name=“” ip-pool=“” name=8Mbit
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B
rate-limit-priority=1 rate-limit-rx=10485760B rate-limit-tx=15728640B
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list=“” download-limit=0B group-name=“” ip-pool=“” name=2Mbit
owner=admin rate-limit-min-rx=131072B rate-limit-min-tx=1048576B
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1843200B
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list=“” download-limit=0B group-name=“” ip-pool=“” name=4Mbit
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=4194304B
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list=“” download-limit=0B group-name=“” ip-pool=“” name=1Mbit
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=1048576B
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1048576B
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list=“” download-limit=0B group-name=“” ip-pool=“” name=20Mbit
owner=admin rate-limit-min-rx=20971520B rate-limit-min-tx=12582912B
rate-limit-rx=20971520B rate-limit-tx=20971520B transfer-limit=0B
upload-limit=0B uptime-limit=0s


/interface bridge filter
# NOTE(review): this chain holds only accept rules and no drop, so these two
# entries change nothing on their own; they only matter if a drop for PPPoE
# frames is added after them.
add action=accept chain=input in-bridge=bridge in-interface=
ether2-master-local mac-protocol=pppoe
add action=accept chain=input in-bridge=bridge in-interface=
ether2-master-local mac-protocol=pppoe-discovery
/interface bridge port
# ether2 (the sector), ether4 and ether5 form the LAN bridge the PPPoE server listens on.
add bridge=bridge interface=ether5-slave-local
add bridge=bridge interface=ether2-master-local
add bridge=bridge interface=“ether4-slave-local BASE HOUSE”
/interface pppoe-server server
# Customer-facing PPPoE server on the bridge; MTU/MRU 1360 stays under the 1400
# negotiated on ISP1.
# NOTE(review): authentication=pap only, together with use-encryption=no in the
# profile, means customer passwords cross the bridge segment (including the
# wireless sector on ether2) in clear text; also allowing chap/mschap2 is the
# usual mitigation.
add authentication=pap disabled=no interface=bridge max-mru=1360 max-mtu=1360
mrru=1600 one-session-per-host=yes service-name=Internet
/ip address
# .2/24 on the bridge is the router's LAN address (DNS and gateway for clients).
# NOTE(review): 10.0.0.2 on WAN1 has no prefix length yet network=10.0.0.0, and
# that range is dropped in forward by the bogons list; 192.168.88.4 sits on
# ether4, which is also a bridge port, so it is unlikely to be usable — confirm both.
add address=192.168.88.2/24 interface=bridge network=192.168.88.0
add address=10.0.0.2 interface=WAN1 network=10.0.0.0
add address=192.168.88.4 interface=“ether4-slave-local BASE HOUSE” network=
192.168.88.4


/ip dhcp-client
# DHCP clients on the raw WAN ports (presumably for reaching the bridged modems);
# add-default-route=no keeps them from competing with the PPPoE default routes.
add add-default-route=no dhcp-options=hostname,clientid disabled=no
interface=WAN1
add add-default-route=no dhcp-options=hostname,clientid disabled=no
interface=WAN2
/ip dhcp-server lease
# Static leases; all three addresses fall inside pool1 (.50-.100), not the dhcp pool.
add address=192.168.88.50 client-id=HOME mac-address=C8:3A:35:F3:7E:91
add address=192.168.88.60 mac-address=C4:E9:84:71:27:C3
add address=192.168.88.70 mac-address=F4:F2:6D:BB:11:96
/ip dhcp-server network
# LAN clients use the router (.2) as both gateway and DNS.
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.2 gateway=192.168.88.2 netmask=24


/ip dns
# NOTE(review): remote requests are allowed, and the filter chain accepts port 53
# (UDP and TCP) from any source while its final drop is disabled — an open
# resolver reachable from both uplinks, i.e. a DNS amplification vector. Limit the
# two "Accept DNS" rules to src-address=192.168.88.0/24, or add a drop for
# dst-port=53 with in-interface=ISP1 / in-interface=ISP2 ahead of them.
set allow-remote-requests=yes


/ip firewall address-list
# "bogons" feeds the forward-chain "Drop to bogon list" rule: anything a LAN host
# sends towards these ranges is dropped. 192.168.0.0/16 is disabled so the LAN
# itself is exempt. The comment strings are broken mid-word by the paste ("nee / d").
# NOTE(review): 10.0.0.0/8 is enabled while WAN1 carries 10.0.0.2 and the mangle
# rules accept traffic for 10.0.0.0/24 — forwarded traffic into that range is
# dropped; disable or narrow the entry if that subnet is meant to be reachable.
add address=0.0.0.0/8 comment=“Self-Identification [RFC 3330]” list=bogons
add address=10.0.0.0/8 comment=“Private[RFC 1918] - CLASS A # Check if you nee
d this subnet before enable it” list=bogons
add address=127.0.0.0/8 comment=“Loopback [RFC 3330]” list=bogons
add address=169.254.0.0/16 comment=“Link Local [RFC 3330]” list=bogons
add address=172.16.0.0/12 comment=“Private[RFC 1918] - CLASS B # Check if you
need this subnet before enable it” list=bogons
add address=192.168.0.0/16 comment=“Private[RFC 1918] - CLASS C # Check if you
_need this subnet before enable it” disabled=yes list=bogons
add address=192.0.2.0/24 comment=“Reserved - IANA - TestNet1” list=bogons
add address=192.88.99.0/24 comment=“6to4 Relay Anycast [RFC 3068]” list=
bogons
add address=198.18.0.0/15 comment=“NIDB Testing” list=bogons
add address=198.51.100.0/24 comment=“Reserved - IANA - TestNet2” list=bogons
add address=203.0.113.0/24 comment=“Reserved - IANA - TestNet3” list=bogons
add address=224.0.0.0/4 comment=
“MC, Class D, IANA # Check if you need this subnet before enable it”
list=bogons
# "internal-nets" is the LAN /24 the QoS mangle rules treat as the inside.
add address=192.168.88.0/24 comment=“Internal Subnet” list=internal-nets
/ip firewall filter
# Input/forward policy for the router itself plus an ICMP sub-chain.
# NOTE(review): the final "Drop anything else!" rule (last entry) is disabled, so
# the input chain ends in the implicit accept and every listener on the router
# (winbox on 81, the web proxy on 53281, DNS, RADIUS CoA on 1700, SNMP if enabled)
# is reachable from ISP1/ISP2. Enabling that drop, after checking the accepts
# above it cover what you need, is the single most important change in this block.
# SYN-flood sources go into Syn_Flooder for 30 minutes and are then dropped.
add action=add-src-to-address-list address-list=Syn_Flooder
address-list-timeout=30m chain=input comment=
“Add Syn Flood IP to the list” connection-limit=30,32 protocol=tcp
tcp-flags=syn
add action=drop chain=input comment=“Drop to syn flood list”
src-address-list=Syn_Flooder
# Port-scan detection (psd); offenders are listed for a week and dropped.
add action=add-src-to-address-list address-list=Port_Scanner
address-list-timeout=1w chain=input comment=“Port Scanner Detect”
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=“Drop to port scan list”
src-address-list=Port_Scanner
add action=jump chain=input comment=“Jump for icmp input flow” jump-target=
ICMP protocol=icmp
# NOTE(review): this (disabled) rule guards tcp/8291, but /ip service moves winbox
# to port 81 — enable it with dst-port=81 for it to protect anything.
add action=drop chain=input comment=“Block all access to the winbox - except t
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP
PORT ADDRESS LIST” disabled=yes dst-port=8291 protocol=tcp
src-address-list=!support
# DNS accepted from any source; with allow-remote-requests=yes this is an open resolver.
add action=accept chain=input comment=“Accept DNS - UDP” port=53 protocol=udp
# Forwarded ICMP is also sent through the ICMP chain.
add action=jump chain=forward comment=“Jump for icmp forward flow”
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=“Drop to bogon list” dst-address-list=
bogons
# The rule that populates "spammers" exists only in the script1 copy below, not here.
add action=drop chain=forward comment=“Avoid spammers action” dst-port=25,587
protocol=tcp src-address-list=spammers
add action=accept chain=input comment=“Accept DNS - TCP” port=53 protocol=tcp
add action=accept chain=input comment=“Accept to established connections”
connection-state=established
add action=accept chain=input comment=“Accept to related connections”
connection-state=related
add action=accept chain=input comment=“Full access to SUPPORT address list”
src-address-list=support
add action=accept chain=input comment=
“Accept all connections from local network” in-interface=bridge
add action=accept chain=input comment=“Accept WinBox Access from Local”
dst-port=81 protocol=tcp src-address=192.168.88.0/24
# www is disabled in /ip service, so this WebFig accept currently matches nothing.
add action=accept chain=input comment=“Accept WebFig Access from Local”
dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.88.0/24
# ICMP sub-chain. NOTE(review): there is no accept for echo request (8:0) and the
# chain ends in drop, so as far as I can tell pings to the router are dropped and,
# because forward jumps here too, customers' outgoing pings as well; the script1
# copy of this ruleset below does carry an 8:0 accept with limit=1,5.
add action=accept chain=ICMP comment=“Echo reply” icmp-options=0:0 protocol=
icmp
add action=accept chain=ICMP comment=“Time Exceeded” icmp-options=11:0
protocol=icmp
add action=accept chain=ICMP comment=“Destination unreachable” icmp-options=
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment=“Drop to the other ICMPs” protocol=icmp
# NOTE(review): RADIUS authentication is UDP/1812; this rule matches tcp with
# src-port=1812 and probably never fires — confirm what it was meant to allow.
add action=accept chain=input connection-state=new connection-type=“”
dst-port=1812 in-interface=bridge protocol=tcp src-port=1812
add action=accept chain=input connection-state=new in-interface=bridge
protocol=icmp
add action=jump chain=output comment=“Jump for icmp output” jump-target=ICMP
protocol=icmp
# Disabled catch-all drop — see the note at the top of this section.
add action=drop chain=input comment=“Drop anything else! # DO NOT ENABLE THIS
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED” disabled=yes
/ip firewall mangle
# Two independent jobs share this chain: (1) QoS packet-marks for the queue tree,
# derived from connection-marks (admin, streaming-video, http, games, VoIP), and
# (2) the PCC dual-WAN rules appended at the end (ISP1_conn/ISP2_conn -> to_ISP1/to_ISP2).
# NOTE(review): rules keyed on in-interface=WAN1 see only what arrives on the raw
# Ethernet port; ISP traffic is decapsulated on the PPPoE interface ISP1, so I
# believe none of the "-in" marks keyed on WAN1 match any more — confirm.
# NOTE(review): the PCC rules at the end require connection-mark=no-mark, so a
# connection already given a QoS connection-mark above never reaches them and is
# routed by the main table only (the point raised in the replies).
add action=mark-packet chain=prerouting comment=
“internal-traffic packet mark” dst-address-list=internal-nets
new-packet-mark=internal-traffic passthrough=no src-address-list=
internal-nets
add action=mark-packet chain=prerouting comment=
“customer-servers-out packet mark” new-packet-mark=customer-servers-out
passthrough=no src-address-list=customer-servers
add action=mark-packet chain=prerouting comment=
“customer-servers-in packet mark” dst-address-list=customer-servers
new-packet-mark=customer-servers-in passthrough=no
add action=mark-packet chain=prerouting comment=“admin-in packet mark DNS”
in-interface=WAN1 new-packet-mark=admin-in passthrough=no protocol=udp
src-port=53
add action=mark-packet chain=prerouting comment=“admin-in packet mark snmp”
dst-port=161 in-interface=WAN1 new-packet-mark=admin-in passthrough=no
protocol=udp
# Remote-management protocols (ftp, ssh, telnet, rdp, winbox 8291) become "admin".
add action=mark-connection chain=prerouting comment=
“Remote Protocols admin connection mark” new-connection-mark=admin
passthrough=yes port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=
“icmp connection mark as admin” new-connection-mark=admin passthrough=yes
protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=“admin-in packet mark”
connection-mark=admin in-interface=WAN1 new-packet-mark=admin-in
passthrough=no
add action=mark-packet chain=prerouting comment=“admin-out packet mark”
connection-mark=admin new-packet-mark=admin-out passthrough=no
# No rule in this export assigns the streaming-video connection-mark these two consume.
add action=mark-packet chain=prerouting comment=
“streaming video in packet mark” connection-mark=streaming-video
in-interface=WAN1 new-packet-mark=streaming-video-in passthrough=no
add action=mark-packet chain=prerouting comment=
“streaming video out packet mark” connection-mark=streaming-video
new-packet-mark=streaming-video-out passthrough=no
add action=mark-connection chain=prerouting comment=
“http traffic connection mark” dst-port=80,443 new-connection-mark=http
passthrough=yes protocol=tcp src-address-list=internal-nets
# Re-marks an http connection as http-download once it passes 5 MB.
add action=mark-connection chain=prerouting comment=
“http traffic connection mark” connection-bytes=5000000-4294967295
dst-port=80,443 new-connection-mark=http-download passthrough=yes
protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=“http in packet mark”
connection-mark=http in-interface=WAN1 new-packet-mark=http-in
passthrough=no
add action=mark-packet chain=prerouting comment=“http out packet mark”
connection-mark=http new-packet-mark=http-out passthrough=no
# Game connection-marks by destination port (tcp) from the LAN.
add action=mark-connection chain=prerouting comment=
“wow connetion mark as gaming” dst-port=
1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games passthrough=
yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=
“eve online connetion mark as gaming” dst-address=87.237.38.200
new-connection-mark=games passthrough=yes src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=
“starcraft 2 connetion mark as gaming” dst-port=1119 new-connection-mark=
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=
“heros of newerth connetion mark as gaming” dst-port=11031,11235-11335
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=
internal-nets
add action=mark-connection chain=prerouting comment=
“steam connetion mark as gaming” dst-port=27014-27050
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=
internal-nets
add action=mark-connection chain=prerouting comment=
“xbox live connetion mark as gaming” dst-port=3074 new-connection-mark=
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=
“ps3 online connetion mark as gaming” dst-port=5223 new-connection-mark=
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=
“wii online connetion mark as gaming” dst-port=28910,29900,29901,29920
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=
internal-nets
# UDP game packet-marks by source port; "external-nets" and "forever-saken-game"
# are address lists that do not appear in this export.
add action=mark-packet chain=prerouting comment=
“games packet mark forever-saken-game” dst-address-list=external-nets
new-packet-mark=games-in passthrough=no src-address-list=
forever-saken-game
add action=mark-packet chain=prerouting comment=
“games packet mark starcraft2” dst-address-list=external-nets
new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment=“games packet mark wow”
dst-address-list=external-nets new-packet-mark=games-in passthrough=no
protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment=“games packet mark HoN”
dst-address-list=external-nets new-packet-mark=games-in passthrough=no
protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment=“games packet mark steam in”
dst-address-list=external-nets new-packet-mark=games-in passthrough=no
port=4380,28960,27000-27030 protocol=udp
# Ports 4380 and 28960 are listed twice in the next rule; harmless.
add action=mark-packet chain=prerouting comment=“games packet mark steam out”
dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960
new-packet-mark=games-out passthrough=no protocol=udp src-address-list=
internal-nets
add action=mark-packet chain=prerouting comment=“games packet mark xbox live”
dst-address-list=external-nets new-packet-mark=games-in passthrough=no
protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=
“games packet mark ps3 online” dst-address-list=external-nets
new-packet-mark=games-in passthrough=no protocol=udp src-port=
3478,3479,3658
add action=mark-packet chain=prerouting comment=“games packet mark in”
connection-mark=games dst-address-list=external-nets new-packet-mark=
games-in passthrough=no
add action=mark-packet chain=prerouting comment=“games packet mark out”
connection-mark=games new-packet-mark=games-out passthrough=no
add action=mark-packet chain=prerouting comment=
“voip-in packet mark teamspeak” dst-address-list=external-nets
new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=
“voip-out packet mark teamspeak” dst-port=9987 new-packet-mark=voip-out
passthrough=no protocol=udp src-address-list=internal-nets
# NOTE(review): duplicate of the teamspeak "voip-in" rule above — the comment
# says voip-out but the rule marks voip-in; one of the two can go.
add action=mark-packet chain=prerouting comment=
“voip-out packet mark teamspeak” dst-address-list=external-nets
new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=
“voip-in packet mark ventrilo” dst-address-list=external-nets
new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=
“voip-out packet mark ventrilo” dst-port=3784 new-packet-mark=voip-out
passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=
“voip-in packet mark ventrilo” dst-address-list=external-nets
new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=
“voip-out packet mark ventrilo” dst-port=3784 new-packet-mark=voip-out
passthrough=no protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=“voip-in packet mark SIP”
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no
port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment=“voip-out packet mark SIP”
new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp
src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=“voip-in packet mark udp SIP”
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no
port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=
“voip-out packet mark udp SIP” new-packet-mark=voip-out passthrough=no
port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=“voip-in packet mark RTP”
dst-address-list=internal-nets new-packet-mark=voip-in packet-size=
100-400 passthrough=no port=16348-32768 protocol=udp
# NOTE(review): comment says voip-out but new-packet-mark is voip-in, so outbound
# RTP from the LAN is marked as inbound; likely meant new-packet-mark=voip-out.
add action=mark-packet chain=prerouting comment=“voip-out packet mark RTP”
new-packet-mark=voip-in packet-size=100-400 passthrough=no port=
16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=“vpn-in packet mark GRE”
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment=“vpn-out packet mark GRE”
new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment=“vpn-in packet mark ESP”
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=
ipsec-esp
add action=mark-packet chain=prerouting comment=“vpn-out packet mark ESP”
new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=
“vpn-in packet mark VPN UDP ports” in-interface=WAN1 new-packet-mark=
vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment=
“vpn-out packet mark VPN UDP ports” new-packet-mark=vpn-out passthrough=
no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment=“vpn-in packet mark PPTP”
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=tcp
src-port=1723
add action=mark-packet chain=prerouting comment=“vpn-out packet mark PPTP”
new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723
# Catch-all: anything else arriving on WAN1 gets packet-mark "in".
add action=mark-packet chain=prerouting comment=“all in” in-interface=WAN1
new-packet-mark=in passthrough=no
# NOTE(review): 192.168.88.2 is this router's own bridge address, so forward-chain
# matches on it as src/dst look like leftovers from another host — confirm.
add action=mark-packet chain=forward new-packet-mark=voip-in passthrough=yes
src-address=192.168.88.2
add action=mark-packet chain=forward dst-address=192.168.88.2
new-packet-mark=voip-out passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.88.2
dst-port=4569 new-connection-mark=VoIP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VoIP dst-address=
192.168.88.2 new-packet-mark=VoIP passthrough=no
# PCC load distribution (appended). The two accepts stop mangle processing for
# LAN-bound traffic from PPP interfaces. NOTE(review): all-ppp matches the uplink
# PPPoE clients ISP1/ISP2 as well as customer sessions, and never matches the
# bridge, so bridge-attached hosts get no routing-mark from these rules.
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=
all-ppp
add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=
all-ppp
# Inbound connections are pinned to the uplink they arrived on.
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=ISP2 new-connection-mark=ISP2_conn
# New, still-unmarked customer connections are split 50/50 by src+dst address hash.
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=all-ppp new-connection-mark=
ISP1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=all-ppp new-connection-mark=
ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
# connection-mark -> routing-mark for forwarded traffic ...
add action=mark-routing chain=prerouting connection-mark=ISP1_conn
in-interface=all-ppp new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn
in-interface=all-ppp new-routing-mark=to_ISP2 passthrough=yes
# ... and for packets the router itself originates on those connections.
add action=mark-routing chain=output connection-mark=ISP1_conn
new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn
new-routing-mark=to_ISP2


/ip firewall nat
# Masquerade per uplink so flows routed via to_ISP1/to_ISP2 leave with that link's
# address. No dst-nat/redirect is present, so nothing steers LAN web traffic into
# the proxy enabled on 53281 below.
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2


/ip proxy
# NOTE(review): an anonymous, enabled web proxy on tcp/53281 with no /ip proxy
# access list in this export and no input rule restricting it; since the input
# chain's final drop is disabled this is an open proxy reachable from both
# uplinks. Disable it unless something uses it (no redirect in /ip firewall nat
# points at it), or add /ip proxy access rules and an input drop for dst-port=53281
# from ISP1/ISP2.
set anonymous=yes enabled=yes max-cache-size=none port=53281


/ip route
# NOTE(review): this looks like the real cause of the single-WAN behaviour. The
# to_ISP1 route uses gateway=192.168.88.2, which is this router's own bridge
# address, and to_ISP2 uses gateway=10.0.0.2, its own WAN1 address; neither is a
# PPPoE peer, so marked traffic cannot reach the uplinks. For point-to-point PPPoE
# links the gateway is normally the client interface itself, i.e.
# gateway=ISP1 routing-mark=to_ISP1 and gateway=ISP2 routing-mark=to_ISP2 — confirm.
add check-gateway=ping distance=1 gateway=192.168.88.2 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=10.0.0.2 routing-mark=to_ISP2
# Unmarked defaults: 192.168.88.1 (reached via the WAN1 host route below) first,
# 169.0.139.185 as backup; the PPPoE clients also install their own defaults.
add check-gateway=ping distance=1 gateway=192.168.88.1
add check-gateway=ping distance=2 gateway=169.0.139.185
# Host/connected routes. NOTE(review): 192.168.88.2/32 appears twice and
# gateway=*F00002 refers to an interface that no longer exists in this export.
add distance=1 dst-address=10.0.0.2/32 gateway=WAN1
add distance=1 dst-address=192.168.88.0/24 gateway=bridge
add distance=1 dst-address=192.168.88.1/32 gateway=WAN1 pref-src=192.168.88.1
add distance=1 dst-address=192.168.88.2/32 gateway=bridge
add distance=1 dst-address=192.168.88.2/32 gateway=bridge pref-src=
192.168.88.50
add distance=1 dst-address=192.168.88.3/32 gateway=*F00002
add distance=1 dst-address=192.168.88.50/32 gateway=bridge


/ip service
# Only winbox (moved to port 81) stays enabled; telnet/ftp/www/ssh/api/api-ssl are off,
# which also makes the "WebFig" accept rule in the filter moot.
# NOTE(review): ssh is disabled despite its port being moved to 2222, so winbox is
# the only management path; give it address=192.168.88.0/24 (or your support
# subnet), since the input chain does not currently block it from the uplinks.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2222
set api disabled=yes
set winbox port=81
set api-ssl disabled=yes


/ppp aaa
# PPPoE customers are authenticated through RADIUS (the local User Manager at .2).
set use-radius=yes

/radius
# RADIUS client pointing at this router's own bridge address; the secret is not
# shown by export and must match the user-manager router entry further down.
add address=192.168.88.2 service=ppp

/radius incoming
# Accepts CoA/Disconnect requests on udp/1700. NOTE(review): with the input chain's
# final drop disabled this listener is reachable from the uplinks; a drop for
# udp/1700 from ISP1/ISP2 (or limiting it to the bridge) is advisable.
set accept=yes port=1700

/system clock
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg

/system routerboard settings
set silent-boot=no

/system script
# script1 re-applies a copy of the /ip firewall filter ruleset (its source is the
# rules with \r\n line endings); unlike the live filter it also has the ICMP 8:0
# "Echo request" accept and a rule that populates the "spammers" list.
# NOTE(review): policy grants ftp,reboot,password,policy,sniff,sensitive, none of
# which a script that only adds firewall rules needs; policy=read,write is enough
# and limits what a mistaken or tampered script can do.
add name=script1 owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=“/ip fir
ewall filter\r
\n\r
\nadd action=drop chain=input comment="Drop to syn flood list" disabled=
no src-address-list=Syn_Flooder\r
\nadd action=add-src-to-address-list address-list=Port_Scanner address-lis
t-timeout=1w chain=input comment="Port Scanner Detect"\r
\ndisabled=no protocol=tcp psd=21,3s,3,1\r
\nadd action=drop chain=input comment="Drop to port scan list" disabled=
no src-address-list=Port_Scanner\r
\nadd action=jump chain=input comment="Jump for icmp input flow" disable
d=no jump-target=ICMP protocol=icmp\r
\nadd action=drop chain=input\r
\ncomment="Block all access to the winbox - except to support list # DO N
OT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"\r
\ndisabled=yes dst-port=8291 protocol=tcp src-address-list=!support\r
\nadd action=jump chain=forward comment="Jump for icmp forward flow" dis
abled=no jump-target=ICMP protocol=icmp\r
\nadd action=drop chain=forward comment="Drop to bogon list" disabled=no
_dst-address-list=bogons\r
\nadd action=add-src-to-address-list address-list=spammers address-list-ti
meout=3h chain=forward comment="Add Spammers to the list for 3 hours"\r
\nconnection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protoco
l=tcp\r
\nadd action=drop chain=forward comment="Avoid spammers action" disabled
=no dst-port=25,587 protocol=tcp src-address-list=spammers\r
\nadd action=accept chain=input comment="Accept DNS - UDP" disabled=no p
ort=53 protocol=udp\r
\nadd action=accept chain=input comment="Accept DNS - TCP" disabled=no p
ort=53 protocol=tcp\r
\nadd action=accept chain=input comment="Accept to established connection
s" connection-state=established\r
\ndisabled=no\r
\nadd action=accept chain=input comment="Accept to related connections"
connection-state=related disabled=no\r
\nadd action=accept chain=input comment="Full access to SUPPORT address l
ist" disabled=no src-address-list=support\r
\nadd action=drop chain=input comment="Drop anything else! # DO NOT ENABL
E THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"\r
\ndisabled=yes\r
\nadd action=accept chain=ICMP comment="Echo request - Avoiding Ping Floo
d" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp\r
\nadd action=accept chain=ICMP comment="Echo reply" disabled=no icmp-opt
ions=0:0 protocol=icmp\r
\nadd action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-
options=11:0 protocol=icmp\r
\nadd action=accept chain=ICMP comment="Destination unreachable" disable
d=no icmp-options=3:0-1 protocol=icmp\r
\nadd action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4
protocol=icmp\r
\nadd action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=
no protocol=icmp\r
\nadd action=jump chain=output comment="Jump for icmp output" disabled=n
o jump-target=ICMP protocol=icmp”


/tool user-manager database
set db-path=user-manager

/tool user-manager profile profile-limitation
# Maps each profile to a limitation for all days, all hours.
# NOTE(review): the first entry has no profile=, "2Mbit Bardien" is listed twice,
# and the per-customer 2Mbit-style profiles all share the 2Mbit limitation.
add from-time=0s limitation=8Mbit till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=2Mbit till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=4Mbit profile=4Mbit till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1Mbit profile=1Mbit till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=“2MbnDavis " till-time=23h59m59s
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=“2mb domingo” till-time=23h59m59s
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=“2Mbit Salie” till-time=23h59m59s
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=“2Mbit Bardien” till-time=23h59m59s
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=“2Mbit Atta Mohamed” till-time=
23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=8Mbit profile=8Mbit till-time=23h59m59s weekdays=
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=“2Mbit Bardien” till-time=23h59m59s
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=20Mbit profile=20Mbit till-time=23h59m59s
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
# NAS entry for this router itself (192.168.88.2) with CoA on port 1700.
# NOTE(review): shared-secret is empty, which leaves the RADIUS exchange between
# /ppp aaa and User Manager without authentication or integrity; set a strong
# secret here and the matching one on the /radius entry.
add coa-port=1700 customer=admin disabled=no ip-address=192.168.88.2 log=
auth-fail name=RB750UP shared-secret=”" use-coa=yes
/tool user-manager user
# Customer accounts with fixed addresses inside the PPPoE pool range (.100-.200);
# the wireless-* fields are unused (empty).
add customer=admin disabled=no ip-address=192.168.88.110 shared-users=
unlimited username=samodien@spiderweb wireless-enc-algo=none
wireless-enc-key=“” wireless-psk=“”
add customer=admin disabled=no ip-address=192.168.88.103 shared-users=
unlimited username=domingo@spiderweb wireless-enc-algo=none
wireless-enc-key=“” wireless-psk=“”
add customer=admin disabled=no ip-address=192.168.88.105 shared-users=
unlimited username=bardien@spiderweb wireless-enc-algo=none
wireless-enc-key=“” wireless-psk=“”
add customer=admin disabled=no ip-address=192.168.88.106 shared-users=
unlimited username=attamohamed@spiderweb wireless-enc-algo=none
wireless-enc-key=“” wireless-psk=“”
add customer=admin disabled=no ip-address=192.168.88.115 shared-users=
unlimited username=abdol2@spiderweb wireless-enc-algo=none
wireless-enc-key=“” wireless-psk=“”

Even though your PPPoE server sits on the LAN bridge, traffic from your PPPoE customers arrives on their individual PPP interfaces, so it won’t match the mangle rules’ in-interface=LAN.

Instead use in-interface=all-ppp, but watch out, as your uplinks are also PPPoE…

A better idea is to use
in-interface=all-ppp + src-address=customersIP/24

Thank you for the responses.

I have tried what you suggested, but it still does not work :frowning:.

What I can see in your configuration is that you use connection-marks to mark connections for further translation to packet-marks for prioritization (queueing). And to the end of this pre-existing list of mangle rules you have copy-pasted other mangle rules to implement the load distribution using per-connection-classifier.

However, these added rules only assign connection-marks to packets belonging to connections which don’t have any connection-mark assigned yet (because you use the connection-mark=no-mark condition in these rules). Therefore, no connection is ever marked with any of those connection-marks which would be translated to routing-marks by the subsequent rules, so no routing-marks are ever assigned, and so the default routing table is used for all packets.

Unfortunately, removing the condition connection-mark=no-mark from those rules wouldn’t resolve the issue plus it would break the assignment of packet-marks.

This is a limitation of the current firewall implementation. You would have to use combined connection-marks (like games-isp1, games-isp2), assign them in a complex manner (I would use chains to do that), and translate them to packet-marks and routing-marks appropriately, like (simplified!):

chain=prerouting action=jump jump-target=games ...conditions from the rule previously assigning new-connection-mark=games...
chain=prerouting action=jump jump-target=http ...conditions from the rule previously assigning new-connection-mark=http...
...
chain=prerouting action=mark-packet new-packet-mark=games-in connection-mark=games-isp1,games-isp2 passthrough=yes ...
...
chain=prerouting action=mark-routing new-routing-mark=isp1 connection-mark=http-isp1,games-isp1,... ...
...
chain=games action=mark-connection per-connection-classifier=both-addresses:2/0 new-connection-mark=games-isp1
chain=games action=mark-connection per-connection-classifier=both-addresses:2/1 new-connection-mark=games-isp2
..
chain=http action=mark-connection per-connection-classifier=both-addresses:2/0 new-connection-mark=http-isp1
chain=http action=mark-connection per-connection-classifier=both-addresses:2/1 new-connection-mark=http-isp2

That’s still not all, because you have to properly address also the issue of routes marked with routing marks being used also for packets with dst-addresses from connected subnets. As you use both the bridge and ppp interfaces as the LAN zone, in-interface-list=all-ppp is not the best choice as it doesn’t cover the bridge. So /ip route rule rules overriding the routing-marks for anything with dst-address matching any of your LAN zone subnets is a better approach.

Thank you!

As much as this makes sense to me it also does not make sense lol.

I am not a MT guru as it seems you are.

Would you be able to assist me to get this working perhaps?

I believe in teaching how to fish, not in catering a free fish daily.

So: either you know that you need to have it done once forever, or you want to understand networking because you can use the knowledge for other purposes. In the first case, find a local friend/consultant to do it for you and take care of the fine tuning later on; in the second case, I can explain to you how it all works.

I believe in learning how to fish. Apologies - this is what I meant by “helping me to get it to work”.

Thank you. How can we do this?

When I have more time to concentrate, I’ll try to explain to you the magic behind connection-mark, packet-mark, and routing-mark relationship and use.

That would be great. Thanks.

OK. So here comes the theory. While writing it, I’ve realized that you actually can do it in a simpler way, but never mind, once it’s been already written it will be useful :slight_smile:

As a packet travels through the system, it is processed by various stages of the firewall, queuing, and routing. These processes make decisions about how to handle the packet based on information contained in the packet itself and also on some meta-fields - labels attached to the packet by previous processing stages, which are not part of the packet contents but accompany it through all subsequent processing once assigned.

When a packet comes in, one of the first processing stages to handle it is the connection tracker module. It maintains a list of existing communication exchanges like TCP sessions, bi-directional UDP flows, ICMP echo request/response flows, and compares each newly arriving packet against that list. If the packet’s source and destination IP address and some additional fields match one of the existing connections, the packet is considered part of it and its meta-field connection-state is set to established; if the packet doesn’t match any existing connection but is potentially able to establish a new one, its connection-state is set to new. This allows you to set up complex firewall rules only for the “new” packets and to assume that once a connection has been established, there is no need to check subsequent packets belonging to that connection.

Source NAT and destination NAT are also part of the connection context. Every packet establishing a new connection is handled by a firewall table called nat, and if processing by this table results in assigning a new source and/or destination socket, this information is stored in that connection’s context and all subsequent packets of that connection are treated the same (or the symmetric) way depending on their direction, starting from the step of matching the packet to the connection list. You can refer to this using a meta-field called connection-nat-state.

If you need that all packets of a given connection, or just some packets of a given connection depending on additional conditions, are systematically handled the same way, you can attach a text label - a connection-mark - to the connection as you handle one of its packets. This label gets also stored in the connection context, and all packets belonging to the same connection, starting already from the one during whose processing the connection-mark has been assigned to the connection, get this meta-field attached as they pass through the connection tracker, so you can refer to it in firewall rules’ match expressions when processing these packets. There are no tools available which would allow you to compute an individual label for each connection, so effectively you can create and use connection categories and handle the same way all connections belonging to the same category (i.e. marked with the same connection-mark) rather than a single individual connection.

You can replace the connection-mark previously assigned to a connection, but you cannot add another one.

To influence packet routing, you need to assign to it a routing-mark, which is another meta-field, and unlike the connection-mark, it is assigned just to a single packet. The routing-mark is then used in the routing stage to choose one of the routing tables.

To influence packet queuing, you need to assign a packet-mark which the queues match on.

A single packet can have both a routing-mark and a packet-mark assigned, but at most one of each type.

A connection-mark can only be matched by firewall rules. If you need to use a connection-mark to influence routing, you have to use a firewall rule to assign a routing-mark to packets bearing a specific connection-mark, and the same applies for using _connection-mark_s to influence queuing.

When distributing the traffic among WAN interfaces which use NAT, it is essential that all packets of any given connection use the same WAN, so either the firewall rules which control the load distribution must assign the same routing-mark to all packets of the same direction of the same connection or, if this is not the case, the firewall rules which control the load distribution must assign a connection-mark when choosing the WAN for the initial packet, and the routing-mark for all subsequent outbound packets of a connection must be assigned based on this connection-mark.

In your scenario, the problem is that you want to prioritize the traffic and at the same time distribute it among two WANs, and to do this independently of each other. Which actually means that

  • you need two independent queue sets for the upload traffic (one for each of the WANs) and one queue set for the download traffic (which you throttle using the queues as you send it to LAN)
  • as it is not possible to assign two independent _connection-mark_s to a single connection:
    • if you would want to use traffic distribution classifiers like nth or random, or
    • if you would want to establish connections to the Mikrotik itself or to devices on its LAN from the Internet via more than a single one out of all its WAN addresses, or
    • if you would want to combine load distribution with a failover if one of the WANs fails,
      you would have to use _connection-mark_s which would bear both the information used to assign _packet-mark_s and the information used to assign _routing-mark_s, thus you would have to assign these composite _connection-mark_s using chained mangle rules.

Now we come back to what I wrote in the very beginning: if you are sure that you don’t need to connect from the Internet to more than one of the Mikrotik’s WAN interfaces, or if you simply cannot do it because at most a single WAN has a public IP address, and if per-connection-classifier is a satisfactory enough method of load distribution and you don’t need a WAN failover (which actually provides little advantage as compared to load distribution alone if NAT is in use), you can use the per-connection-classifier to assign _routing-mark_s directly, i.e. without any relationship to _connection-mark_s, so the _connection-mark_s may stay as they are and only the rules added to provide load distribution need to be changed accordingly.

What is your standpoint here?

A load to take in indeed!

It has provided some clarity, but will need some time to understand the workings better.

Re: my standpoint - I will not need to connect to the MT WAN via internet. Also, both WANs have public IPs.

Essentially, what I would like to do is distribute the load over the two WANs, and if possible, have failover. By distribute, I mean having a larger bandwidth available so as to accommodate more users. Both WANs are 10Mbit, and I am currently only making use of one. With the load distribution you mention in the latter part, would I be able to achieve this?

I may be understanding incorrectly, but are you saying that with the routing-mark method I would assign a specific “user” to a specific WAN, meaning that if that WAN is down, the user will not connect to the internet?

The choice of WAN is not done per user but per each connection of that user. So if the same device opens the same web page twice, it is well possible that each connection will use another WAN. It is not guaranteed for each pair of subsequent connections, but statistically 50 of 100 connections of that device should use one WAN and the other 50 connections should use the other one.


Yes for load distribution. For failover, the issue is whether it is worth the effort. If you use per-connection-classifier in a proper way (i.e. if you include proper fields into the hash), the individual connections from the same LAN device to the same remote server will be distributed among the WANs.

Assuming that your two uplinks are unrelated to each other, i.e. your ISP doesn’t know that if one of them is down, it should send the packets to you via the other one: if one of the WANs fails, all the connections currently running via that WAN fail, and no new connections routed via that WAN can be established. So in this state (one WAN down), the users will have to retry their requests until eventually one of them succeeds. The only thing you can achieve by adding a dedicated failover to the per-connection-classifier-based load distribution would be that when one WAN is down, connections which the per-connection-classifier sends to that WAN get established via the other one (so the very first re-connection attempt after a WAN failure succeeds), and they will stay there even if their “proper” WAN gets back up. But to achieve this, you need to use the per-connection-classifier only for the initial packet of each connection, and use a connection-mark to glue the connection to the WAN it actually used. Doing so makes the firewall rules a lot more complex (as the composite _connection-mark_s have to be used), and my personal opinion is that it is too high a price to pay for such a small improvement of user comfort.

> Yes for load distribution. For failover, the issue is whether it is worth the effort. If you use per-connection-classifier in a proper way (i.e. if you include proper fields into the hash), the individual connections from the same LAN device to the same remote server will be distributed among the WANs.

I follow your thoughts.

I believe I should then go with the routing-mark option.

Now the question remains - how do I begin to do this?

By simplifying the copy-pasted load distribution solution (btw, where have you found it? There is a mistake in it), replacing the original

add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=all-ppp new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=all-ppp new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=all-ppp new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=all-ppp new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2

by just

# NOTE(review): as pointed out earlier in this thread, PPPoE customer traffic arrives on per-session
# ppp interfaces, not on the bridge, so in-interface=bridge matches only the directly bridged LAN hosts;
# customers behind the PPPoE server would keep using the unmarked default route. Matching the LAN zone by
# source address (src-address=192.168.88.0/24) or by an interface list that also contains the ppp
# interfaces would cover both -- confirm against the actual customer interfaces.
add action=mark-routing chain=prerouting in-interface=bridge new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=src-address-and-port:2/0
add action=mark-routing chain=prerouting in-interface=bridge new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=src-address-and-port:2/1

Also, you have to add

/ip route rule
add dst-address=192.168.88.0/24 action=lookup-only-in-table table=main

to avoid problems with return traffic (provided that your LAN subnet is 192.168.88.0/24)

And then you have to tidy up the routes, because I have no idea what your two WANs look like, but for sure your own IP address cannot be the gateway of WAN1 like it is now in the default route marked with to_ISP1.

So you need to change those two routes to

/ip route
add check-gateway=ping distance=1 gateway=xxxxx routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=yyyyy routing-mark=to_ISP2

where xxxxx is the gateway IP (or interface name if it is a PPPoE interface) of WAN1, and yyyyy is the gateway IP (or interface name if it is a PPPoE interface) of WAN2.

And you have to set passthrough=yes to all the other mangle rules which have any other action than accept or drop.

Okay, so I have added the above - I also do understand it somewhat. Thank you.

However, I still see no activity on ISP2. I think it may be a routes issue?

/ip route
# NOTE(review): 192.168.88.1 lies inside the LAN subnet (the bridge address is 192.168.88.2/24) and
# 10.0.0.2 is this router's own address on ether1 (see /ip address in the export), so neither can be a
# WAN gateway. The two unmarked defaults already use the PPPoE interface names ISP1/ISP2, which is
# presumably what the two marked routes need as well (the reply above allows an interface name for
# PPPoE uplinks) -- confirm. The unmarked defaults may also duplicate the ones the pppoe-clients add
# themselves (add-default-route=yes). All four routes depend on check-gateway=ping succeeding.
add check-gateway=ping distance=1 gateway=192.168.88.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=10.0.0.2 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=ISP1
add check-gateway=ping distance=2 gateway=ISP2
/ip route rule
# Forces anything destined for the LAN subnet into table main, regardless of routing-mark, so
# return and LAN-internal traffic is not sent towards a WAN.
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main

Post the complete current configuration export after all the modifications and the output of /ip route print, /ip address print, obfuscate any public IPs in a logical way (e.g. if your WAN1 address is 4.3.2.5 and the gateway you get from there is 4.3.2.1, translate both to wan.1.subnet.5 and wan.1.subnet.1).

And provide a diagram of how the two WANs are practically implemented; I am scared to see that one of the gateways is in the LAN subnet, as that at least makes the default firewall rules unsafe and may require some modifications to the rules.

/interface ethernet
# Port roles as far as this export shows: ether1 and ether3 face the two bridge-mode DSL modems
# (the pppoe-clients dial over them), ether2/ether4/ether5 are bridged LAN ports (see /interface bridge port).
# ether1 (DSL 1) is set to mtu=1492 while ether3 (DSL 2) keeps the default -- presumably harmless because
# the PPPoE clients carry their own MTU, but the two WAN paths are not configured alike; confirm.
set [ find default-name=ether1 ] comment="ALL ETHERNET" mtu=1492 name=\
    "ether1-gateway DSL 1"
set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local
set [ find default-name=ether3 ] name="ether3-slave-local DSL 2"
set [ find default-name=ether4 ] name="ether4-slave-local BASE HOUSE" \
    poe-out=off
set [ find default-name=ether5 ] name=ether5-slave-local
/interface pppoe-client
# The two WAN dial-outs. Both add their own default route (ISP2 at distance 2), so static default
# routes with gateway=ISP1 / gateway=ISP2 (as quoted in the thread) presumably duplicate these; confirm
# with /ip route print. allow=pap on ISP1 limits authentication to PAP, i.e. the ISP password crosses the
# DSL link in clear (usually dictated by the ISP). Only ISP1 sets max-mtu/max-mru=1400 and a keepalive;
# ISP2 runs with defaults, so the two uplinks are not tuned alike.
add add-default-route=yes allow=pap comment="DSL CONNECTIONS" disabled=no \
    interface="ether1-gateway DSL 1" keepalive-timeout=60 max-mru=1400 \
    max-mtu=1400 mrru=1600 name=ISP1 user=HIDDEN
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    "ether3-slave-local DSL 2" name=ISP2 user=HIDDEN
/interface pptp-client
# PPTP tunnel to a remote site. connect-to is a public address left un-obfuscated in the paste, although
# the thread asked for public IPs to be masked. PPTP's MS-CHAPv2/MPPE is widely regarded as broken; if
# this tunnel carries anything sensitive, a different tunnel type is preferable.
add connect-to=154.117.185.86 mrru=1600 name=pptp-out1 user="Cape Town"
/interface wireless security-profiles
# Only the default profile's supplicant-identity is set; no wireless interfaces appear in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# All three pools live in the single LAN subnet 192.168.88.0/24.
# pool1 (.50-.100) and PPPoE (.100-.200) overlap at .100, so that address can be handed out twice.
# pool1 is not referenced anywhere in the visible export; dhcp is used by /ip dhcp-server and
# PPPoE by the /ppp profile.
add name=dhcp ranges=192.168.88.10-192.168.88.40
add name=PPPoE ranges=192.168.88.100-192.168.88.200
add name=pool1 ranges=192.168.88.50-192.168.88.100
/ip dhcp-server
# DHCP for the bridged LAN ports, handing out the dhcp pool (.10-.40).
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge name=default
/ppp profile
# *0 is presumably the profile the PPPoE customers get (addresses from the PPPoE pool, DNS = this router).
# use-encryption=no on both profiles means the PPP sessions carry no MPPE; together with authentication=pap
# on the pppoe-server, customer credentials and traffic cross the sector link in clear unless the link
# layer encrypts -- worth confirming that is acceptable for this deployment.
set *0 dns-server=192.168.88.2 local-address=PPPoE use-encryption=no
set *FFFFFFFE use-encryption=no
/queue tree
# Only two queues, both hanging off parent=bridge (traffic leaving towards the bridged LAN) and matching
# the *-out packet marks. In the mangle section http-out is assigned to packets of http-marked connections
# without a direction match, after the http-in rule and with both at passthrough=yes, so the in/out split
# may not behave as the names suggest -- confirm which direction these queues are meant to shape.
# Traffic to PPPoE customers leaves via their ppp interfaces, not the bridge, so it presumably never
# enters these queues either.
add limit-at=5M max-limit=5M name=queue1 packet-mark=streaming-video-out \
    parent=bridge priority=5
add burst-time=5s limit-at=7M max-limit=10M name=HTTP packet-mark=http-out \
    parent=bridge queue=hotspot-default
/snmp community
# The default community (RouterOS ships it as "public") is allowed from addresses=0.0.0.0/0. Nothing in
# /ip firewall filter restricts udp/161 on input and the chain's final drop rule is disabled, so SNMP is
# presumably reachable from the WAN, exposing interface, route and neighbour tables to anyone who
# guesses the community. Suggest addresses=192.168.88.0/24 (the management LAN) and a non-default
# community name, or an explicit input drop for udp/161 arriving on the WAN interfaces.
set [ find default=yes ] addresses=0.0.0.0/0
/tool user-manager customer
# User Manager definitions for the customer accounts: per-plan profiles and rate limits. The admin
# customer is scoped to its own routers/users/profiles/limits plus payment-gateway configuration.
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
# Plan profiles. "2Mbit Salie" allows override-shared-users=1 while the other plans are off/unlimited.
add name=8Mbit name-for-users="" override-shared-users=unlimited owner=admin \
    price=449 starts-at=logon validity=0s
add name=2Mbit name-for-users="" override-shared-users=unlimited owner=admin \
    price=449 starts-at=logon validity=0s
add name=4Mbit name-for-users="" override-shared-users=unlimited owner=admin \
    price=0 starts-at=logon validity=0s
add name=1Mbit name-for-users="" override-shared-users=off owner=admin price=\
    0 starts-at=logon validity=0s
add name="2MbnDavis " name-for-users="" override-shared-users=off owner=admin \
    price=0 starts-at=logon validity=0s
add name="2mb domingo" name-for-users="" override-shared-users=off owner=\
    admin price=0 starts-at=logon validity=0s
add name="2Mbit Salie" name-for-users="" override-shared-users=1 owner=admin \
    price=0 starts-at=logon validity=0s
add name=Full name-for-users="" override-shared-users=off owner=admin price=0 \
    starts-at=logon validity=0s
add name="2Mbit Bardien" name-for-users="" override-shared-users=off owner=\
    admin price=0 starts-at=logon validity=0s
add name="2Mbit Atta Mohamed" name-for-users="" override-shared-users=off \
    owner=admin price=0 starts-at=logon validity=0s
add name=20Mbit name-for-users="" override-shared-users=off owner=admin \
    price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
# Rate limits are in bytes per second. The 4Mbit limitation's rate-limit-rx (262144B) equals the
# 2Mbit one and its own rate-limit-min-rx, which looks like a typo -- confirm. 20Mbit has no
# rate-limit-priority, unlike the other plans.
add address-list="" download-limit=0B group-name="" ip-pool="" name=8Mbit \
    owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
    rate-limit-priority=1 rate-limit-rx=10485760B rate-limit-tx=15728640B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=2Mbit \
    owner=admin rate-limit-min-rx=131072B rate-limit-min-tx=1048576B \
    rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1843200B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=4Mbit \
    owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
    rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=4194304B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=1Mbit \
    owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=1048576B \
    rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1048576B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=20Mbit \
    owner=admin rate-limit-min-rx=20971520B rate-limit-min-tx=12582912B \
    rate-limit-rx=20971520B rate-limit-tx=20971520B transfer-limit=0B \
    upload-limit=0B uptime-limit=0s
/interface bridge port
# ether2, ether4 and ether5 form the LAN bridge (the PPPoE server and the LAN address sit on "bridge").
# ether4 additionally carries a /32 address in /ip address below, which is unlikely to be usable on a
# bridge slave port.
add bridge=bridge interface=ether5-slave-local
add bridge=bridge interface=ether2-master-local
add bridge=bridge interface="ether4-slave-local BASE HOUSE"
/interface pppoe-server server
# PPPoE concentrator for the customers, bound to the LAN bridge. authentication=pap only, so customer
# passwords travel in clear over the sector link; CHAP/MS-CHAPv2 would avoid that if the customer CPEs
# support it. one-session-per-host=yes keeps one MAC from opening several sessions. max-mtu/max-mru 1360
# is below the ISP1 PPPoE 1400, presumably so customer packets fit the upstream tunnel without
# fragmentation.
add authentication=pap disabled=no interface=bridge max-mru=1360 max-mtu=1360 \
    mrru=1600 one-session-per-host=yes service-name=Internet
/ip address
# 192.168.88.2/24 on the bridge is the LAN address (also DNS and gateway for the DHCP clients).
# 10.0.0.2 on ether1 has no prefix length (i.e. /32) yet network=10.0.0.0 -- presumably meant to reach
# the DSL1 modem and should carry a prefix such as /24; confirm. It is this router's own address, so it
# cannot serve as a route gateway, which is how the thread's to_ISP2 route currently uses it.
# 192.168.88.4 is a /32 on ether4, a bridge slave port (see /interface bridge port), and is unlikely to
# be usable there -- probably a leftover.
add address=192.168.88.2/24 interface=bridge network=192.168.88.0
add address=10.0.0.2 interface="ether1-gateway DSL 1" network=10.0.0.0
add address=192.168.88.4 interface="ether4-slave-local BASE HOUSE" network=\
    192.168.88.4
/ip dhcp-client
# DHCP clients on both modem-facing ethernets with add-default-route=no, presumably just to pick up
# the bridge-mode modems' management addresses. ether1 also has the static 10.0.0.2 above, so it may
# end up with two addresses.
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface="ether1-gateway DSL 1"
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface="ether3-slave-local DSL 2"
/ip dhcp-server lease
# Static leases. Their addresses (.50/.60/.70) fall inside pool1 rather than the dhcp pool the server
# hands out, which is fine for static entries but worth knowing when the pools are tidied up.
add address=192.168.88.50 client-id=HOME mac-address=C8:3A:35:F3:7E:91
add address=192.168.88.60 mac-address=C4:E9:84:71:27:C3
add address=192.168.88.70 mac-address=F4:F2:6D:BB:11:96
/ip dhcp-server network
# LAN DHCP options: this router (192.168.88.2) as DNS server and gateway.
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.2 gateway=192.168.88.2 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who can reach port 53 on it. The
# input filter rules "Accept DNS - UDP/TCP" have no in-interface or src-address match and the input
# chain's final drop is disabled, so this is presumably an open resolver towards the WAN (abusable for
# amplification). Restrict those accept rules to the LAN zone, or drop port 53 arriving on the WAN
# interfaces ahead of them.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# bogons feeds the forward drop rule. 10.0.0.0/8 is enabled while this router itself has 10.0.0.2 on
# ether1 (see /ip address), so LAN hosts cannot be forwarded to anything in 10.0.0.0/8 (e.g. a DSL1
# modem management address) -- confirm that is intended. 192.168.0.0/16 is correctly disabled, since
# the LAN is 192.168.88.0/24.
# Lists referenced by the filter/mangle rules but not defined here: support, spammers, customer-servers,
# external-nets, forever-saken-game. Unless they are populated elsewhere (or dynamically), the rules that
# match on them never fire -- and the winbox drop rule (src-address-list=!support) then matches everyone.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
# internal-nets is the LAN zone used by most mangle rules; the PPPoE customer pool lies inside it.
add address=192.168.88.0/24 comment="Internal Subnet" list=internal-nets
/ip firewall filter
# Input chain summary: the final "Drop anything else!" rule is disabled=yes, so input is default-allow.
# Only the specific drops below (syn-flood list, port-scan list, winbox) apply; every other service on
# the router is reachable from all interfaces, WAN included. The forward chain has no rule against new
# connections arriving from the WAN towards the LAN zone; whether that matters depends on the NAT
# configuration, which this export does not show.
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
# psd: a source touching several closed ports within 3s is blocked from the router for a week; the rule
# has no in-interface match, so a misbehaving LAN client can lock itself out of management too.
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
# All input ICMP is decided inside the ICMP chain (accept the listed types, drop the rest), so later
# ICMP rules in input are never reached.
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
# NOTE(review): the "support" address-list is not defined in this export; while it is empty, !support
# matches every source and this rule drops WinBox (8291) from the LAN as well.
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
# Open to every interface and source; with /ip dns allow-remote-requests=yes this exposes the resolver
# to the internet (same for the TCP variant below). Suggest adding in-interface=bridge plus the customer
# ppp interfaces, or src-address=192.168.88.0/24, to both DNS accept rules.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
# 10.0.0.0/8 is in bogons, so forwarding from the LAN towards the 10.0.0.x side of DSL1 is dropped here
# (the router itself is unaffected, this is the forward chain).
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
# Style: these two stateful accepts sit after the syn-flood, psd and DNS rules, so every packet of an
# established connection still runs through those matchers; placing them first in input is the usual order.
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
# Covers bridged LAN hosts only; PPPoE customers arrive on ppp interfaces and are not matched here.
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=bridge
# The comment says WinBox, but dst-port=81 is not the WinBox port (8291, as the drop rule above uses);
# presumably a web/management port -- confirm.
add action=accept chain=input comment="Accept WinBox Access from Local" \
    dst-port=81 protocol=tcp src-address=192.168.88.0/24
add action=accept chain=input comment="Accept WebFig Access from Local" \
    dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.88.0/24
# ICMP chain, shared by input, forward and output: only echo reply, time exceeded, unreachable 3:0-1
# and PMTUD (3:4) pass; everything else, including echo request (type 8), is dropped.
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# TCP 1812 with both src-port and dst-port 1812 and connection-type="" looks unusual (RADIUS is
# normally UDP); confirm what this is meant to admit.
add action=accept chain=input connection-state=new connection-type="" \
    dst-port=1812 in-interface=bridge protocol=tcp src-port=1812
# Unreachable for ICMP: the jump to the ICMP chain earlier in input already accepted or dropped it.
add action=accept chain=input connection-state=new in-interface=bridge \
    protocol=icmp
# NOTE(review): this sends the router's own ICMP through the ICMP chain, where echo requests are
# dropped. The routes in this thread all rely on check-gateway=ping; unless those probes bypass the
# output filter, they cannot leave the router -- check /ip route print for gateways flagged unreachable.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
# Disabled, so input never reaches a default deny. Enabling it (after confirming the accept rules cover
# LAN management, DNS and the PPPoE/RADIUS paths, including the ppp customer interfaces) is what closes
# everything not explicitly accepted -- SNMP included -- to the WAN; the DNS accept rules would still
# need their own interface restriction.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "internal-traffic packet mark" dst-address-list=internal-nets \
    new-packet-mark=internal-traffic passthrough=yes src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment=\
    "customer-servers-out packet mark" new-packet-mark=customer-servers-out \
    passthrough=yes src-address-list=customer-servers
add action=mark-packet chain=prerouting comment=\
    "customer-servers-in packet mark" dst-address-list=customer-servers \
    new-packet-mark=customer-servers-in passthrough=yes
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=admin-in passthrough=\
    yes protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" \
    dst-port=161 in-interface="ether1-gateway DSL 1" new-packet-mark=admin-in \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=\
    "Remote Protocols admin connection mark" new-connection-mark=admin \
    passthrough=yes port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "icmp connection mark as admin" new-connection-mark=admin passthrough=yes \
    protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" \
    connection-mark=admin in-interface="ether1-gateway DSL 1" \
    new-packet-mark=admin-in passthrough=yes
add action=mark-packet chain=prerouting comment="admin-out packet mark" \
    connection-mark=admin new-packet-mark=admin-out passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "streaming video in packet mark" connection-mark=streaming-video \
    in-interface="ether1-gateway DSL 1" new-packet-mark=streaming-video-in \
    passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "streaming video out packet mark" connection-mark=streaming-video \
    new-packet-mark=streaming-video-out passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" dst-port=80,443 new-connection-mark=http \
    passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" connection-bytes=5000000-4294967295 \
    dst-port=80,443 new-connection-mark=http-download passthrough=yes \
    protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" \
    connection-mark=http in-interface="ether1-gateway DSL 1" new-packet-mark=\
    http-in passthrough=yes
add action=mark-packet chain=prerouting comment="http out packet mark" \
    connection-mark=http new-packet-mark=http-out passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "wow connetion mark as gaming" dst-port=\
    1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games passthrough=\
    yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "eve online connetion mark as gaming" dst-address=87.237.38.200 \
    new-connection-mark=games passthrough=yes src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "starcraft 2 connetion mark as gaming" dst-port=1119 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "heros of newerth connetion mark as gaming" dst-port=11031,11235-11335 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-connection chain=prerouting comment=\
    "steam connetion mark as gaming" dst-port=27014-27050 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-connection chain=prerouting comment=\
    "xbox live connetion mark as gaming" dst-port=3074 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "ps3 online connetion mark as gaming" dst-port=5223 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "wii online connetion mark as gaming" dst-port=28910,29900,29901,29920 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment=\
    "games packet mark forever-saken-game" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes src-address-list=\
    forever-saken-game
add action=mark-packet chain=prerouting comment=\
    "games packet mark starcraft2" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes protocol=udp src-port=1119,6113
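# Packet-mark rules for queue classification (games-*, voip-*, vpn-*), followed by the
# two PCC mark-routing rules that do the dual-WAN split. The chain is order-sensitive:
# a rule with passthrough=no ends prerouting processing for the matched packet, so it
# never reaches the PCC rules at the bottom.
add action=mark-packet chain=prerouting comment="games packet mark wow" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark HoN" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=11031,11235-11335
# passthrough=no: packets matched here skip the PCC mark-routing rules below and are
# routed by the unmarked default route only.
add action=mark-packet chain=prerouting comment="games packet mark steam in" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
    port=4380,28960,27000-27030 protocol=udp
# Port list deduplicated (4380 and 28960 were listed twice); the set matched is unchanged.
# Note that this also tags every outbound UDP/53 (DNS) packet from internal-nets as game traffic.
add action=mark-packet chain=prerouting comment="games packet mark steam out" \
    dst-port=53,1500,3005,3101,3478,4379-4380,27000-27030,28960 \
    new-packet-mark=games-out passthrough=yes protocol=udp src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=\
    "games packet mark ps3 online" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes protocol=udp src-port=\
    3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" \
    connection-mark=games dst-address-list=external-nets new-packet-mark=\
    games-in passthrough=yes
add action=mark-packet chain=prerouting comment="games packet mark out" \
    connection-mark=games new-packet-mark=games-out passthrough=yes
# TeamSpeak: one voip-in rule (replies from the server port) and one voip-out rule
# (LAN -> server port). A second copy of the voip-in rule, mislabelled "voip-out",
# was removed: it matched the same packets and applied the same mark.
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark teamspeak" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out \
    passthrough=yes protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=yes protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=yes \
    port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" \
    new-packet-mark=voip-out passthrough=yes port=5060 protocol=tcp \
    src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=yes \
    port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=yes \
    port=5004,5060 protocol=udp src-address-list=internal-nets
# RTP is identified heuristically (UDP in a port range plus a 100-400 byte payload),
# so some non-VoIP traffic will be tagged too. The port range is copied as configured;
# confirm it matches the PBX's actual RTP range.
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" \
    dst-address-list=internal-nets new-packet-mark=voip-in packet-size=\
    100-400 passthrough=yes port=16348-32768 protocol=udp
# Fixed: this outbound rule set new-packet-mark=voip-in; every other "voip-out" rule
# in this chain sets voip-out, so outbound RTP was being queued as inbound.
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" \
    new-packet-mark=voip-out packet-size=100-400 passthrough=yes port=\
    16348-32768 protocol=udp src-address-list=internal-nets
# NOTE(review): the vpn-in rules match on the physical port "ether1-gateway DSL 1".
# If ISP1 is the PPPoE client dialled out over that port (the NAT and route entries
# use ISP1/ISP2 as interface names), inbound Internet traffic arrives on ISP1 rather
# than on the ethernet port, so these rules may only ever see the modem's own traffic;
# confirm with the rule counters. There is also no ISP2 counterpart for any of them.
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" \
    new-packet-mark=vpn-out passthrough=yes protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" \
    new-packet-mark=vpn-out passthrough=yes protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=\
    "vpn-in packet mark VPN UDP ports" in-interface="ether1-gateway DSL 1" \
    new-packet-mark=vpn-in passthrough=yes protocol=udp src-port=\
    500,1701,4500
# The "vpn-out" rules have no interface or address-list match, so they apply to
# packets in both directions that carry these ports.
add action=mark-packet chain=prerouting comment=\
    "vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=\
    yes protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=tcp src-port=1723
# NOTE(review): an outbound PPTP control connection from a LAN client has
# dst-port=1723 and an ephemeral source port, so src-port=1723 here only matches
# replies from a PPTP server; check whether dst-port=1723 was intended.
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" \
    new-packet-mark=vpn-out passthrough=yes protocol=tcp src-port=1723
# Dual-WAN split (PCC on source address+port, 2 buckets) — only for packets whose
# in-interface is "bridge". NOTE(review): sessions terminated on the PPPoE server enter
# the router on their dynamic <pppoe-user> interfaces (see the /ip route entry that
# uses <pppoe-attamohamed@spiderweb> as a gateway), not on "bridge", so they never match
# here, carry no routing-mark, and all follow the distance=1 default via ISP1. That is
# consistent with "traffic only on one WAN"; a second pair of PCC rules matching those
# sessions (e.g. in-interface=all-ppp, or src-address-list=internal-nets if it covers
# the PPPoE pool) would bring them into the split — verify against the live counters.
# Also missing compared with the usual PCC recipe: connection marks for traffic that
# arrives on ISP1/ISP2 (so replies leave on the WAN they came in on) and a
# dst-address-type=!local exclusion so traffic to the router itself is not routing-marked.
add action=mark-routing chain=prerouting in-interface=bridge \
    new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=\
    src-address-and-port:2/0
add action=mark-routing chain=prerouting in-interface=bridge \
    new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
    src-address-and-port:2/1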
/ip firewall nat
# Source NAT for each uplink. With action=masquerade the to-addresses value is ignored
# (the outgoing interface's address is used), so to-addresses=0.0.0.0 on the first rule
# is a leftover with no effect. Both rules assume ISP1/ISP2 are the PPPoE client
# interfaces; masquerade on a PPPoE link also drops its conntrack entries when the
# session re-dials, which is expected behaviour on this setup.
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ISP1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ISP2
/ip proxy
# NOTE(review): an anonymous web proxy is enabled on tcp/53281 on a router with two
# public PPPoE uplinks. Nothing in this part of the export restricts who may reach it;
# unless the input chain drops tcp/53281 from ISP1/ISP2 (or /ip proxy access limits
# source addresses), this is an open proxy reachable from the Internet and a common
# abuse target. Set enabled=no if the proxy is not actually in use.
set anonymous=yes enabled=yes max-cache-size=none port=53281
/ip route
# Per-mark default routes used by the PCC routing marks (to_ISP1 / to_ISP2), then the
# unmarked defaults: ISP1 at distance 1 is the primary, ISP2 at distance 2 is failover.
# Both appear in the route print below as entries 0-3. Because the PPPoE-server
# sessions currently receive no routing-mark (see the mangle section), all of their
# traffic uses entry 2 (ISP1), which matches the single-WAN symptom described.
add check-gateway=ping distance=1 gateway=ISP1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=ISP2 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=ISP1
add check-gateway=ping distance=2 gateway=ISP2
# Host routes: one PPPoE subscriber reached through its dynamic session interface
# (presumably to pin that client's address), one host reached via the bridge.
add distance=1 dst-address=192.168.88.3/32 gateway=\
    <pppoe-attamohamed@spiderweb>
add distance=1 dst-address=192.168.88.50/32 gateway=bridge
/ip route rule
# Keeps routing-marked packets destined for the LAN in the main table, so the
# to_ISP1/to_ISP2 default routes never capture LAN-to-LAN or LAN-to-router traffic.
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main
/ip service
# Management surface: telnet/ftp/www/ssh/api/api-ssl are disabled, leaving winbox on
# tcp/81 as the only management service. A non-default port is not access control:
# restrict it with the address= parameter (e.g. address=192.168.88.0/24) and an input
# filter rule. NOTE(review): the winbox drop rule inside script1 below matches
# dst-port=8291, the default port, not 81 — it would not cover the port actually in use.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2222
set api disabled=yes
set winbox port=81
set api-ssl disabled=yes
/ppp aaa
# PPPoE authentication/accounting is delegated to RADIUS (the local User Manager at
# 192.168.88.2, the router's own bridge address per the route print below).
set use-radius=yes
/radius
# The RADIUS secret is not shown in this paste; it must match the User Manager router
# entry further down, which currently has shared-secret="".
add address=192.168.88.2 service=ppp
/radius incoming
# Opens a UDP listener on 1700 for RADIUS CoA / Disconnect-Request messages. Make sure
# the input chain only admits it from the User Manager host; with an empty shared
# secret such requests are trivially forgeable by anyone who can reach the port.
set accept=yes port=1700
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg
/system routerboard settings
set silent-boot=no
/system script
# script1 holds a complete /ip firewall filter rule set as script source. Storing it
# here does not apply it — confirm with /ip firewall filter print that these rules
# (or equivalents) are actually installed; the filter section itself is outside the
# part of the export shown here.
# NOTE(review) on the rule set itself:
#  - "Drop anything else" (the final input deny) and the winbox restriction are both
#    disabled=yes, so as written the input chain ends open; the winbox rule also
#    matches dst-port=8291 while /ip service puts winbox on port 81.
#  - "Accept DNS - UDP/TCP" accept port 53 on input from any source, including the
#    ISP interfaces; if /ip dns allow-remote-requests is on, that is an open resolver.
#    Limit with in-interface=bridge or src-address-list.
#  - "Drop to syn flood list" references Syn_Flooder, but no rule in this script adds
#    addresses to that list.
#  - Nothing here covers the web proxy (tcp/53281) or the RADIUS CoA listener (udp/1700).
#  - The script runs with policy=sensitive,password,... — more than a firewall import needs.
add name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/ip fir\
    ewall filter\r\
    \n\r\
    \nadd action=drop chain=input comment=\"Drop to syn flood list\" disabled=\
    no src-address-list=Syn_Flooder\r\
    \nadd action=add-src-to-address-list address-list=Port_Scanner address-lis\
    t-timeout=1w chain=input comment=\"Port Scanner Detect\"\r\
    \ndisabled=no protocol=tcp psd=21,3s,3,1\r\
    \nadd action=drop chain=input comment=\"Drop to port scan list\" disabled=\
    no src-address-list=Port_Scanner\r\
    \nadd action=jump chain=input comment=\"Jump for icmp input flow\" disable\
    d=no jump-target=ICMP protocol=icmp\r\
    \nadd action=drop chain=input\r\
    \ncomment=\"Block all access to the winbox - except to support list # DO N\
    OT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST\"\r\
    \ndisabled=yes dst-port=8291 protocol=tcp src-address-list=!support\r\
    \nadd action=jump chain=forward comment=\"Jump for icmp forward flow\" dis\
    abled=no jump-target=ICMP protocol=icmp\r\
    \nadd action=drop chain=forward comment=\"Drop to bogon list\" disabled=no\
    \_dst-address-list=bogons\r\
    \nadd action=add-src-to-address-list address-list=spammers address-list-ti\
    meout=3h chain=forward comment=\"Add Spammers to the list for 3 hours\"\r\
    \nconnection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protoco\
    l=tcp\r\
    \nadd action=drop chain=forward comment=\"Avoid spammers action\" disabled\
    =no dst-port=25,587 protocol=tcp src-address-list=spammers\r\
    \nadd action=accept chain=input comment=\"Accept DNS - UDP\" disabled=no p\
    ort=53 protocol=udp\r\
    \nadd action=accept chain=input comment=\"Accept DNS - TCP\" disabled=no p\
    ort=53 protocol=tcp\r\
    \nadd action=accept chain=input comment=\"Accept to established connection\
    s\" connection-state=established\r\
    \ndisabled=no\r\
    \nadd action=accept chain=input comment=\"Accept to related connections\" \
    connection-state=related disabled=no\r\
    \nadd action=accept chain=input comment=\"Full access to SUPPORT address l\
    ist\" disabled=no src-address-list=support\r\
    \nadd action=drop chain=input comment=\"Drop anything else! # DO NOT ENABL\
    E THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED\"\r\
    \ndisabled=yes\r\
    \nadd action=accept chain=ICMP comment=\"Echo request - Avoiding Ping Floo\
    d\" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=\"Echo reply\" disabled=no icmp-opt\
    ions=0:0 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=\"Time Exceeded\" disabled=no icmp-\
    options=11:0 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=\"Destination unreachable\" disable\
    d=no icmp-options=3:0-1 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 \
    protocol=icmp\r\
    \nadd action=drop chain=ICMP comment=\"Drop to the other ICMPs\" disabled=\
    no protocol=icmp\r\
    \nadd action=jump chain=output comment=\"Jump for icmp output\" disabled=n\
    o jump-target=ICMP protocol=icmp"
/tool graphing interface
# Traffic graphs for the LAN bridge only (kept in RAM, lost on reboot).
add interface=bridge store-on-disk=no
/tool traffic-monitor
# threshold=0 means the monitor fires on any traffic; no on-event script is attached here.
add interface="ether1-gateway DSL 1" name=tmon1 threshold=0
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
# Per-profile rate limits, all active 24x7. The first entry carries no profile= name
# (presumably the default profile). "2Mbit Bardien" is defined twice (below and again
# near the end) with identical settings — harmless duplicate, but worth removing.
add from-time=0s limitation=8Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=2Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=4Mbit profile=4Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1Mbit profile=1Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2MbnDavis " till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2mb domingo" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Salie" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Atta Mohamed" till-time=\
    23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=8Mbit profile=8Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
# Duplicate of the "2Mbit Bardien" entry above.
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=20Mbit profile=20Mbit till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
# NOTE(review): shared-secret="" — the RADIUS exchange between this router's PPP/AAA
# client and the User Manager (both on 192.168.88.2) runs with an empty secret, so
# RADIUS messages, including CoA/disconnect on port 1700 (use-coa=yes), carry no
# usable authentication. Set the same strong secret here and in /radius
# (e.g. shared-secret="<set-a-strong-secret>") and confirm the input chain limits
# udp/1700 and udp/1812-1813 to this host.
add coa-port=1700 customer=admin disabled=no ip-address=192.168.88.2 log=\
    auth-fail name=RB750UP shared-secret="" use-coa=yes
/tool user-manager user
# PPPoE subscriber accounts with fixed framed addresses in 192.168.88.0/24 (the same
# subnet as the bridge). Passwords are not part of this export section; no wireless
# encryption attributes are used.
add customer=admin disabled=no ip-address=192.168.88.110 shared-users=\
    unlimited username=samodien@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.103 shared-users=\
    unlimited username=domingo@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.105 shared-users=\
    unlimited username=bardien@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.106 shared-users=\
    unlimited username=attamohamed@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.115 shared-users=\
    unlimited username=abdol2@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""

/ip route print

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 ISP1 1
1 A S 0.0.0.0/0 ISP2 1
2 A S 0.0.0.0/0 ISP1 1
3 S 0.0.0.0/0 ISP2 2
4 ADC 10.0.0.0/24 10.0.0.3 ether3-slave-lo… 0
5 ADC 10.0.0.0/32 10.0.0.2 ether1-gateway … 0
6 ADC 1.1.1.1 2.2.2.2 ISP2 0
ISP1
7 ADC 192.168.88.0/24 192.168.88.2 bridge 0
ether1-gateway …

Sorry, I am a bit confused by how you explained translating the public IP.