mikrotik 2 public IPs from DHCP

Hello Experts,

My configuration: Internet provider => modem (mode bridge) => switch => 2x cable to ether 1 and ether 2 in Mikrotik.

This was necessary because I needed a different MAC address for every public IP address from my provider.

Then I set the first public IP using the Winbox Quick Set form.

Then I set the second public IP address using Winbox (IP => Addresses). This address is assigned to ether2.

Then I set some NAT rules to forward traffic from the first public IP to my web server in the local LAN.

What is working:

  • my web server. I can ping the 1st public IP.

What is not working:

  • the second public IP. I can ping the 2nd IP address from my local network but I can NOT ping it from the Internet.

What is really strange is that now, when I open the Quick Set form, I can see the second public IP address in the Local Network part of the form and not my formerly created local network 192.168.1.0.

I do not forward the traffic from the second public IP to any local PC. Is this the reason why ping is not working from outside the local network?

Thank you very much.

Tom

Please follow the instructions in my automatic signature below. The questions cannot be answered without seeing the complete configuration (don’t remove anything, just obfuscate the addresses as suggested).

Obviously it’s not what you are interested in, but the way with VRRP allows to leave the external switch between the Mikrotik and the modem out of the scheme.

Ok

I have replaced the public IPs.

I am posting my current configuration.
Two public IP addresses assigned by DHCP, reserved using MAC address (successfully).
The first, ether1 11.22.33.44 - working. Traffic forwarded correctly.
The second, ether6-master 11.22.33.99 - not working (but successfully assigned).

I cannot ping 11.22.33.99 from outside or from the LAN. I can ping it from the router itself. Tx traffic = 0. Rx traffic 50-60.

I need to forward traffic sent from the Internet to 11.22.33.99 to 192.168.1.2 and to send the response using the same interface. And I need to create one network, 192.168.1.0/24.

I am not sure if I am being descriptive enough.

Do you need any more info, please?

Thank you very much.
Tom

[admin@MikroTik] > /export

nov/20/2019 15:33:15 by RouterOS 6.38.5

software id = VK2V-W1H1

/interface bridge
add admin-mac=64:D1:54:9B:57:E4 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] mac-address=64:D1:54:9B:57:E8 name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] mac-address=64:D1:54:9B:57:E4 name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether3 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=clientid,hostname disabled=no interface=ether6-master
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=213.46.172.36,213.46.172.37
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=80 protocol=tcp src-port="" to-addresses=192.168.1.200 to-ports=80
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=443 protocol=tcp to-addresses=192.168.1.200 to-ports=443
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=25 protocol=tcp to-addresses=192.168.1.2 to-ports=25
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=110 protocol=tcp to-addresses=192.168.1.2 to-ports=110
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=444 protocol=tcp to-addresses=192.168.1.2 to-ports=444
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=995 protocol=tcp src-port="" to-addresses=192.168.1.2 to-ports=995
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=587 protocol=tcp src-port="" to-addresses=192.168.1.2 to-ports=587
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=993 protocol=tcp src-port="" to-addresses=192.168.1.2 to-ports=993
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=465 protocol=tcp src-port="" to-addresses=192.168.1.2 to-ports=465
add action=dst-nat chain=dstnat dst-address=11.22.33.44 dst-port=3391 protocol=tcp to-addresses=192.168.1.24 to-ports=3391
add action=dst-nat chain=dstnat dst-address=11.22.33.99 to-addresses=192.168.1.24
/ip route
add disabled=yes distance=1 gateway=84.42.247.1
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
[admin@MikroTik] >

That’s strange because your firewall rules should actually do the reverse, so check the actual assignment of the addresses. chain=input of your /ip firewall filter says “drop anything new that comes in via ether1” but doesn’t drop new connections coming in via ether6, so your router is currently exposed to the whole internet and it’s pure luck that you still have admin access to it, and some šmejd ze sítě can already live on it.

So first, either add another rule to chain=input, copying the one dropping new connections coming in via ether1 but referring to ether6. Next, place a rule chain=input action=accept protocol=icmp just before the two action=drop ones, and do the same.

Then, copy the drop rule for ether1 also for ether6 also in chain=forward.

Then, check that now you can ping both your public IP addresses, which should now be possible.

As the next step, netinstall the router to 6.44.6 (the current long-term stable one). 6.38 is way too old so it has too many well-known vulnerabilities, and your configuration is so simple that there is no point in converting into the format suitable for 6.44.6 by doing intermediate upgrades and then netinstalling anyway due to the likely infection. Netinstall is the only way to be sure that no malware can survive, upgrades aren’t safe enough as the malware may protect itself.

Hello Sindy.

I am absolutely sure that I did not create any of these firewall rules. I did not know how to create them.

I have updated RouterOS to version 6.44.6 using netinstall.

The term “šmejd ze sítě” was really funny. :)

Now I am in the same state as before: the first public IP is working, the second is not. I would like to create firewall rules using your hints, but it is too difficult for me. And now there are no rules at all in the filter rules.

So can you please advise me how to create these rules to allow SECOND_IP_ADDRESS to reach 192.198.1.2?

I am posting updated configuration:

nov/20/2019 19:55:35 by RouterOS 6.44.6

software id = VK2V-W1H1

model = 2011iL

serial number = 7DCF07693D14

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] mac-address=64:D1:54:9B:57:E8
set [ find default-name=ether6 ] mac-address=64:D1:54:9B:57:E4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=ether6
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=80 protocol=tcp to-addresses=192.168.1.200
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=443 protocol=tcp to-addresses=192.168.1.200 to-ports=443
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=3391 protocol=tcp to-addresses=192.168.1.24 to-ports=3391
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=25 protocol=tcp to-addresses=192.168.1.2 to-ports=25
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=993 protocol=tcp to-addresses=192.168.1.2 to-ports=993
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=465 protocol=tcp to-addresses=192.168.1.2 to-ports=465
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=587 protocol=tcp to-addresses=192.168.1.2 to-ports=587
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=995 protocol=tcp to-addresses=192.168.1.2 to-ports=995
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=444 protocol=tcp to-addresses=192.168.1.2 to-ports=444
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=143 protocol=tcp to-addresses=192.168.1.2 to-ports=143
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=110 protocol=tcp to-addresses=192.168.1.2 to-ports=110
add action=dst-nat chain=dstnat dst-address=SECOND_IP_ADDRESS dst-port=443 protocol=tcp to-addresses=192.168.1.2 to-ports=443
/ip route
add disabled=yes distance=1 gateway=84.42.247.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=Europe/Prague
Thank you very much.

Tom

Have you told netinstall to preserve the original configuration, or how did it happen that the current one is so similar to the previous one?

In any case, if you ran netinstall but then connected the machine to Internet with a public IP on it but with no /ip firewall filter rules in place, you’ll have to netinstall it again as the malware is usually really quick to squat in. Even though 6.44.6 has no publicly known vulnerability in Winbox, it does not mean that one doesn’t exist, and you have left Winbox open worldwide.

So I’d prefer you to disconnect the machine from the internet, run the netinstall again without telling it to preserve the configuration, and then only connect ether1 (and only ether1) to internet after checking that there are some rules in the /ip firewall filter table. If this table is empty even after a netinstall without preserving configuration, copy-paste the lines below into the terminal window before connecting ether1 to internet. And don’t connect ether6 to internet until you post the new export and I give you another set of lines to copy-paste.

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=bridge
add action=drop chain=input
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=bridge
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward

Hello Sindy.

I have just entered all values manually again from screenshots.

But I will do exactly what you are telling me. I was infected by ransomware just about one month ago and it was a really awful experience.

Thank you very much.

Tom

Hello Sindy.

Internet is not working… on purpose? The last firewall rule… The second connector to internet is not connected:

[admin@MikroTik] > /export

nov/20/2019 23:45:45 by RouterOS 6.44.6

software id = VK2V-W1H1

model = 2011iL

serial number = 7DCF07693D14

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] mac-address=64:D1:54:9B:57:E8
set [ find default-name=ether6 ] mac-address=64:D1:54:9B:57:E4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=25 protocol=tcp to-addresses=192.168.1.2 to-ports=25
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=993 protocol=tcp to-addresses=192.168.1.2 to-ports=993
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=465 protocol=tcp to-addresses=192.168.1.2 to-ports=465
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=587 protocol=tcp to-addresses=192.168.1.2 to-ports=587
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=995 protocol=tcp to-addresses=192.168.1.2 to-ports=995
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=444 protocol=tcp to-addresses=192.168.1.2 to-ports=444
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=143 protocol=tcp to-addresses=192.168.1.2 to-ports=143
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=110 protocol=tcp to-addresses=192.168.1.2 to-ports=110
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=80 protocol=tcp to-addresses=192.168.1.200 to-ports=80
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=3391 protocol=tcp to-addresses=192.168.1.24 to-ports=3391
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=443 protocol=tcp to-addresses=192.168.1.200 to-ports=443
/ip route
add disabled=yes distance=1 gateway=FIRST_IP_ADDRESS
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=Europe/Prague
[admin@MikroTik] >

So what shall I do now?

Thank you.
Tom

I also can’t winbox to mikrotik using local IP…

Tom

Sorry, use bridge1 in the rules I gave instead of bridge as in-interface, and either remove all rules in filter before copy-pasting the whole corrected text again, or create just those two rules using winbox and move each one within its respective chain (input/forward) to be above the last “drop” one in that chain. I thought you get the default configuration after netinstall, not an empty one.

Hello Sindy.

It is working now. Internet is working, I can connect to the Mikrotik IP using Winbox. What should I do now to be able to plug in the second cable from my internet provider?

Current config is:

[admin@MikroTik] > /export

nov/21/2019 14:49:54 by RouterOS 6.44.6

software id = VK2V-W1H1

model = 2011iL

serial number = 123456789

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] mac-address=64:D1:54:9B:57:E8
set [ find default-name=ether6 ] mac-address=64:D1:54:9B:57:E4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=bridge1
add action=drop chain=input
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=bridge1
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=25 protocol=tcp to-addresses=192.168.1.2 to-ports=25
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=993 protocol=tcp to-addresses=192.168.1.2 to-ports=993
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=465 protocol=tcp to-addresses=192.168.1.2 to-ports=465
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=587 protocol=tcp to-addresses=192.168.1.2 to-ports=587
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=995 protocol=tcp to-addresses=192.168.1.2 to-ports=995
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=444 protocol=tcp to-addresses=192.168.1.2 to-ports=444
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=143 protocol=tcp to-addresses=192.168.1.2 to-ports=143
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=110 protocol=tcp to-addresses=192.168.1.2 to-ports=110
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=80 protocol=tcp to-addresses=192.168.1.200 to-ports=80
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=3391 protocol=tcp to-addresses=192.168.1.24 to-ports=3391
add action=dst-nat chain=dstnat dst-address=FIRST_IP_ADDRESS dst-port=443 protocol=tcp to-addresses=192.168.1.200 to-ports=443
/ip route
add disabled=yes distance=1 gateway=FIRST_IP_ADDRESS
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system script
add dont-require-permissions=no name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall filter\r
\nadd action=accept chain=input connection-state=established,related,untracked\r
\nadd action=drop chain=input connection-state=invalid\r
\nadd action=accept chain=input protocol=icmp\r
\nadd action=accept chain=input in-interface=bridge1\r
\nadd action=drop chain=input\r
\nadd action=accept chain=forward connection-state=established,related,untracked\r
\nadd action=drop chain=forward connection-state=invalid\r
\nadd action=accept chain=forward in-interface=bridge1\r
\nadd action=accept chain=forward connection-nat-state=dstnat\r
\nadd action=drop chain=forward"
[admin@MikroTik] >
Thank you very much.

Tom

You haven’t answered regarding the IP address relationship to MAC addresses. Does the ISP map them statically? Or you don’t understand what I’m asking?

Yes, I understand you.

My Internet provider is using DHCP. But they need my MAC address to make a reservation. So my configuration was modem (bridge) => one ethernet cable => switch => 2 ethernet cables => Mikrotik ports 1 and 6. That is the reason why I am swapping the MAC addresses of ports 2 and 6: I had sent my internet provider the MAC address of port 2 and not the one of port 6 (my mistake).

Using Winbox => menu IP => DHCP Client, + (add new one). It is working. I have already tested that. I could see that the expected IP address for port 6 is leased.

But ping on the second public IP was not working. Only the first one was “pingable”. And the NAT rule to forward everything from the second public IP to my Exchange server on the LAN was not working either.

Maybe I should add port 6 to bridge1… or create some routing?

That is my problem.

Thank you very much.
Tom

OK, so you don’t want to use ether2 as uplink for some reason. Clear now.

Now as I can see that the firewall blocks anything coming from outside except icmp, you can add the dhcp client to ether6 and connect it using cable. But when setting up the configuration of the dhcp client for ether6, set default-route-distance to 2. After you do that, you should be able to ping both public IP addresses from outside (i.e. via internet); if you don’t, it means that the ISP is checking the mapping between IP address and MAC address not only to assign the address using DHCP but also to verify that the clients are not forging their source IP addresses. So first try pinging both your public IPs from outside with both DHCP clients enabled and both cables inserted. If it works, fine; if it doesn’t, try with both DHCP clients enabled but with only one cable inserted at a time (i.e. first with only the ether1 cable inserted and then with only the ether6 cable inserted), and describe the results. The thing is that your setup is really unusual (as you have two interfaces in the same subnet but not bridged together) and I am unable to predict from which interface RouterOS responds to the incoming pings.

LOL. Everything was lost because I lost internet connectivity.

So again:

LAN ping to both ports is always working. Test from the Internet:

both plugged in
1st public ip - ping working OK
2nd public ip - failed

2nd disconnected
1 - ok
2 - failed

1st disconnected
1 - failed
2 - ok

I would like to have a more usual configuration. Should I use ether2 as uplink? The reason why I am not doing this is that I want to use my fast ports for the local LAN.

Would that be easier?

Thank you

Tom

So it seems my assumption was correct. To double-check, go to the terminal window (sorry, no way to avoid it), make it as wide as your screen allows (if necessary, extend also the Winbox window), and enter the following command there (replace 11.22.33.44 by the address assigned to ether6):
/tool sniffer quick ip-address=11.22.33.44
Then, ping 11.22.33.44 from outside while both cables are connected, press Ctrl-C to break the sniffer once you see three pings to fail, and copy-paste the result here and obfuscate the IP address again, keep MAC addresses unchanged (provided that it shows anything at all).

Next, disconnect ether1 and do those same steps one more time. The goal is to see whether the pings will at least come in while both cables will be connected.


There is no way with current RouterOS. You cannot attach two interfaces to the same bridge and attach a DHCP client to each. A DHCP client must run on an L2 interface, and the only virtual L2 interface is EoIP, which cannot be looped back to the same router because there is the tunnel-id field which must be unique.


That wouldn’t change anything.

Yes.

Both connected:

ether6 6.737 1 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 185.143.223.184:56780 11.22.33.44:38585 ip:tcp 60 0 no
ether6 39.968 2 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 198.108.67.81:38663 11.22.33.44:97 ip:tcp 60 0 no
ether6 44.899 3 → 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether1 44.899 4 ← 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether6 104.901 5 → 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether1 104.901 6 ← 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether6 125.815 7 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 91.222.221.171:7336 11.22.33.44:8080 (http-alt) ip:tcp 60 0 no
ether6 149.761 8 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 211.150.70.18:59439 11.22.33.44:9600 ip:tcp 60 0 no
ether6 164.9 9 → 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether1 164.9 10 ← 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether6 180.958 11 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 92.119.160.143:42186 11.22.33.44:36249 ip:tcp 60 0 no
ether6 185.215 12 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 45.136.109.173:57123 11.22.33.44:1122 ip:tcp 60 0 no
ether6 224.896 13 → 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether1 224.896 14 ← 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether6 231.377 15 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 185.143.223.149:56585 11.22.33.44:33060 ip:tcp 60 0 no
ether6 263.797 16 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 103.89.87.230:61676 11.22.33.44:23 (telnet) ip:tcp 60 0 no
ether6 284.9 17 → 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
ether1 284.9 18 ← 64:D1:54:9B:57:E4 FF:FF:FF:FF:FF:FF 11.22.33.44:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 158 0 no
– [Q quit|D dump|C-z pause]

Ether1 disconnected:

INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether6 11.979 1 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 88.198.46.51 78.44.239.116 ip:icmp 98 0 no
ether6 11.979 2 → 64:D1:54:9B:57:E4 00:01:5C:B6:B8:46 11.22.33.44 88.198.46.51 ip:icmp 98 0 no
ether6 12.984 3 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 88.198.46.51 11.22.33.44 ip:icmp 98 0 no
ether6 12.984 4 → 64:D1:54:9B:57:E4 00:01:5C:B6:B8:46 11.22.33.44 88.198.46.51 ip:icmp 98 0 no
ether6 13.989 5 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 88.198.46.51 11.22.33.44 ip:icmp 98 0 no
ether6 13.989 6 → 64:D1:54:9B:57:E4 00:01:5C:B6:B8:46 11.22.33.44 88.198.46.51 ip:icmp 98 0 no
ether6 14.993 7 ← 00:01:5C:B6:B8:46 64:D1:54:9B:57:E4 88.198.46.51 11.22.33.44 ip:icmp 98 0 no
ether6 14.993 8 → 64:D1:54:9B:57:E4 00:01:5C:B6:B8:46 11.22.33.44 88.198.46.51 ip:icmp 98 0 no
– [Q quit|D dump|C-z pause]

Is this what you need?

In my opinion (I am not sure) my public IP addresses are not in the same subnet:

the first one is something like that:
24.24.247.3/29
78.22.239.118/29
I want to tell you that both are quite different.
Is this a problem?
Maybe I can get another one.
Thank you
Tom

Yes. I’m a bit surprised that there are no ICMP packets in the result, but since incoming TCP connection attempts through ether6 to its leased IP address can be seen there, I’ll hope that the ICMP just scrolled up before you could catch it. You can confirm that by adding ip-protocol=icmp to the /tool sniffer command and trying again, but let’s suppose it’s not necessary.


Rather the reverse, it is much better that they are in different subnets. So the situation is actually almost the standard one with two WANs - they are in distinct subnets which just “incidentally” share the same L2 segment which is nothing to really worry about.

Hence the whole issue is just that the routing doesn’t automatically route a response through the same interface through which its triggering request came, and you have to provide a firewall and routing configuration which ensures this. The complication is that it requires placing the default route provided by the DHCP server for ether6 into a dedicated routing table, which normally requires a script to be added to the /interface dhcp-client which is run at every change (address lease/renewal/expiry). However, given that the address you get is static, we may suppose that the gateway will be static too, and hence we can do it in a simpler way.

So do the following to quickly check that there are no other issues than this one. Enter these commands the same way like you entered the /tool sniffer … one if you can copy-paste them into the text terminal window; if you cannot, better do it the same way like you’ve entered the firewall rules (open an edit window for a script, paste it there, then run the script; you can copy-paste both parts in the correct order to the same script):

/ip route {add routing-mark=via-ether6 dst-address=0.0.0.0/0 gateway=[get [find dst-address=0.0.0.0/0 distance=2] gateway]}

This will make a copy of the route created from the DHCP response in a routing table named via-ether6.

Then, add a routing rule causing packets whose source address is the one assigned to ether6 to use that other routing table, and an exception from it for LAN destinations:

/ip route rule
add action=lookup table=main dst-address=192.168.0.0/16
add action=lookup-only-in-table table=via-ether6 src-address=[/ip address get [find interface=ether6] address]

After these two steps, the pings from outside to each public address should start being responded even with both cables connected. If this is true, we can move further to the real thing.
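The same two steps as one RouterOS script, added here as an example and not taken from the thread. It assumes what Sindy’s reply assumes (the ether6 DHCP client has default-route-distance=2, the LAN lives in 192.168.0.0/16) and additionally strips the prefix length from the ether6 address, because /ip address get returns the address as "a.b.c.d/29" while /ip route rule only accepts a src-address whose host bits are all zero, so the host itself has to be written as a /32:

```routeros
# Added example (not from the thread): policy routing so that replies sourced
# from the ether6 public address leave via ether6's own default gateway.
# Assumptions: ether6 DHCP client uses default-route-distance=2, LAN is 192.168.0.0/16.

# Refuse to continue if ether6 has no address yet (DHCP client not bound)
:if ([:len [/ip address find interface=ether6]] = 0) do={
    :error "ether6 has no IP address yet, is the DHCP client bound?"
}

# /ip address get returns e.g. "78.44.239.118/29"; keep only the host part
:local addr6 [/ip address get [find interface=ether6] address]
:local host6 [:pick $addr6 0 [:find $addr6 "/"]]

# Gateway learned by the ether6 DHCP client (the distance-2 default route)
:local gw6 [/ip route get [find dst-address=0.0.0.0/0 distance=2] gateway]

# Static copy of that default route in a dedicated routing table
/ip route add routing-mark=via-ether6 dst-address=0.0.0.0/0 gateway=$gw6 \
    comment="default route for traffic sourced from ether6"

# LAN destinations stay in the main table; anything sourced from the ether6
# address may only be resolved in the via-ether6 table (host written as /32)
/ip route rule add action=lookup table=main dst-address=192.168.0.0/16
/ip route rule add action=lookup-only-in-table table=via-ether6 \
    src-address=($host6 . "/32")

:put ("policy routing: " . $host6 . " -> via-ether6 (gateway " . $gw6 . ")")
```

Because the route copy is static, it silently goes stale if the ISP ever hands ether6 a different gateway; compare the gateway in the via-ether6 route against the dynamic distance-2 route whenever the second address stops answering from outside.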

Dear Sindy,

There is some problem, I have got an error message:

[admin@MikroTik] > /ip route rule
[admin@MikroTik] /ip route rule> add action=lookup table=main dst-address=192.168.0.0/16
[admin@MikroTik] /ip route rule> add action=lookup-only-in-table table=via-ether6 src-address=[/ip address get [find interface=ether6] address]
value of src-address must have all host bits zero, as in SECOND.IP.3EGMENTS.112/29
[admin@MikroTik] /ip route rule>

Ping to the second public IP is not working. Should I try to do your desired tests with /tool sniffer quick ip-address=11.22.33.44 again?

current config:

[admin@MikroTik] /ip route rule> /export

# nov/21/2019 21:41:48 by RouterOS 6.44.6
# software id = VK2V-W1H1
#
# model = 2011iL
# serial number = 7DCF07693D14
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] mac-address=64:D1:54:9B:57:E8
set [ find default-name=ether6 ] mac-address=64:D1:54:9B:57:E4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
add default-route-distance=2 dhcp-options=clientid,hostname disabled=no interface=ether6
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=bridge1
add action=drop chain=input
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=bridge1
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=25 protocol=tcp to-addresses=192.168.1.2 to-ports=25
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=993 protocol=tcp to-addresses=192.168.1.2 to-ports=993
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=465 protocol=tcp to-addresses=192.168.1.2 to-ports=465
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=587 protocol=tcp to-addresses=192.168.1.2 to-ports=587
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=995 protocol=tcp to-addresses=192.168.1.2 to-ports=995
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=444 protocol=tcp to-addresses=192.168.1.2 to-ports=444
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=143 protocol=tcp to-addresses=192.168.1.2 to-ports=143
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=110 protocol=tcp to-addresses=192.168.1.2 to-ports=110
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=80 protocol=tcp to-addresses=192.168.1.200 to-ports=80
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=3391 protocol=tcp to-addresses=192.168.1.24 to-ports=3391
add action=dst-nat chain=dstnat dst-address=FIRST_IP dst-port=443 protocol=tcp to-addresses=192.168.1.200 to-ports=443
/ip route
add distance=1 gateway=SECOND_IP_GATEWAY routing-mark=via-ether6
add disabled=yes distance=1 gateway=FIRST_IP
/ip route rule
add dst-address=192.168.0.0/16 table=main

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system script
add dont-require-permissions=no name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip firewall filter\r
\nadd action=accept chain=input connection-state=established,related,untracked\r
\nadd action=drop chain=input connection-state=invalid\r
\nadd action=accept chain=input protocol=icmp\r
\nadd action=accept chain=input in-interface=bridge1\r
\nadd action=drop chain=input\r
\nadd action=accept chain=forward connection-state=established,related,untracked\r
\nadd action=drop chain=forward connection-state=invalid\r
\nadd action=accept chain=forward in-interface=bridge1\r
\nadd action=accept chain=forward connection-nat-state=dstnat\r
\nadd action=drop chain=forward"
[admin@MikroTik] /ip route rule>
[admin@MikroTik]

Thank you

Tom

Sorry, this time I forgot that the address parameter of an /ip address item has the form ip.add.re.ss/mask-length.

So please add the rule manually, replacing x.x.x.x by the IP address leased to ether6:
/ip route rule add action=lookup-only-in-table table=via-ether6 src-address=x.x.x.x

and try the ping test again.

Other than that, where did the other manually configured route in this export (gateway=FIRST_IP, now disabled) come from???
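Both steps from the earlier post, combined into one RouterOS script with the prefix length stripped from the leased address (the cause of the "must have all host bits zero" error). This is an added example, not code from Sindy or Tom; it assumes ether6 already holds a DHCP lease, and the local names (addrIds, withMask, hostIp, gwIds) are the script's own.

```routeros
# Added example, not from the thread. Assumes the DHCP client on ether6 has a lease.
# Existing items (route, main-table rule) are skipped so the script can be re-run.

# the address leased to ether6 has the form "x.x.x.x/29" (mask included)
:local addrIds [/ip address find interface=ether6 dynamic=yes]
:if ([:len $addrIds] = 0) do={ :error "ether6 has no DHCP-leased address yet" }
:local withMask [/ip address get [:pick $addrIds 0] address]

# keep only the part before "/", so the rule matches the single host address
:local hostIp [:pick $withMask 0 [:find $withMask "/"]]

# step 1: copy the DHCP-learned default route (distance=2) into table via-ether6
:if ([:len [/ip route find routing-mark=via-ether6 dst-address=0.0.0.0/0]] = 0) do={
    :local gwIds [/ip route find dst-address=0.0.0.0/0 distance=2 dynamic=yes]
    :if ([:len $gwIds] = 0) do={ :error "no DHCP default route with distance=2 found" }
    /ip route add dst-address=0.0.0.0/0 routing-mark=via-ether6 gateway=[/ip route get [:pick $gwIds 0] gateway]
}

# step 2a: LAN destinations stay in the main table; this rule must come first
:if ([:len [/ip route rule find dst-address=192.168.0.0/16 table=main]] = 0) do={
    /ip route rule add action=lookup table=main dst-address=192.168.0.0/16
}

# step 2b: packets sourced from the ether6 address are resolved only in via-ether6,
# so replies to the second public IP leave through ether6 instead of ether1
:if ([:len [/ip route rule find table=via-ether6 action=lookup-only-in-table]] = 0) do={
    /ip route rule add action=lookup-only-in-table table=via-ether6 src-address=$hostIp
}
```

After running it, /ip route rule print should show the lookup-only rule with a bare host address, and the ping test from outside can be repeated.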