This could be a somewhat complex network configuration, so let me begin with a diagram.

We have 3 offices in 3 different locations, each with a MikroTik router and internet connectivity.
They have WireGuard connections to 2 CHR routers (Office-1 & 2 to CHR router-2, and Office-1 & 3 to CHR router-1).
We’re trying to create a standardized template (.rsc script) so we can deploy the same configuration to other offices.
Let’s focus on Office-1, that’s the problem of the day. lol
The scenarios are as follows:
==MikroTik Router==
- two ether ports (ether1, ether2) that connect to two LANs: ether1: 192.168.1.0/24 & ether2: 192.168.2.0/24
- one ether port (ether3) is connected to the fiber ONT/ONU, using PPPoE dial-ups (pppoe-out1..8) to connect to the WAN.
- WireGuard is configured (wg-1, wg-2) to connect to CHR-1 & CHR-2, plus an additional interface (wg-dialin) to allow dial-in (i.e. VPN) users to access office resources.
- With the connections to CHR-1 & CHR-2, Office-1 is able to reach Office-2’s & Office-3’s 192.168.91.0/24, 192.168.92.0/24, 192.168.81.0/24 and 192.168.82.0/24 via the WireGuard connections.
- the router will establish all PPPoE connections (pppoe-out1..8) to obtain 8 different public IPs.
- the router will maintain a set of address lists (out-1..8) to mangle connections from certain LAN IPs so they go to the WAN via a specific PPPoE connection (pppoe-out1..8). If the source is not in address lists out-1..8, the default main routing table is used.
- the main routing table uses pppoe-out1..8 as gateways with different distance assignments for fail-over.
To achieve those demands, here’s my strategy:
- Define 3 additional address lists: DialIn, LocalRealm, ForeignRealm. LocalRealm defines Office-1’s LAN subnets; ForeignRealm defines the CHR subnets & the LAN subnets in Office-2 & 3 (namely 172.31.32.0/24, 172.31.48.0/24, 192.168.91.0/24, 192.168.92.0/24, 192.168.81.0/24, 192.168.82.0/24).
- In /ip firewall mangle, I add a chain called CheckRealm. If dst-address-list matches LocalRealm/ForeignRealm/DialIn, then return and skip the subsequent mark-routing; otherwise assign the traffic to out-1..8 if it matches address lists out-1..8. And if the connection was marked input-1..8 by the incoming pppoe-out1..8 connection, it is marked out-1..8 so the data flows out via the originating connection.
- As to NAT, only LocalRealm/ForeignRealm/DialIn to the PPPoE connections (all-ppp) will be srcnat’ed.
I think I should have covered most of the edge cases… And I’ve come up with a configuration file that has all of this as a script.
Oddly enough, DNS doesn’t work at all.
I tried to ping an IP address on the WAN (such as 8.8.8.8) and it works:
[admin@MTx86@WY] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 118 2ms127us
1 8.8.8.8 56 118 2ms47us
2 8.8.8.8 56 118 2ms133us
3 8.8.8.8 56 118 2ms145us
4 8.8.8.8 56 118 2ms121us
sent=5 received=5 packet-loss=0% min-rtt=2ms47us avg-rtt=2ms114us max-rtt=2ms145us
[admin@MTx86@WY] >
but if I try to ping www.google.com, it hangs for a while and responds with:
[admin@MTx86@WY] > ping www.google.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server
[admin@MTx86@WY] >
What’s stranger is that if I connect the MikroTik router’s WAN to a home router’s LAN port instead of the ONT/ONU, and configure the WAN with a dhcp-client, IT WILL WORK…!!
[admin@MTx86@WY] > ping dns.google
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 53 17ms804us
1 8.8.8.8 56 53 18ms458us
2 8.8.8.8 56 53 17ms535us
3 8.8.8.8 56 53 19ms712us
4 8.8.8.8 56 53 17ms781us
5 8.8.8.8 56 53 17ms751us
sent=6 received=6 packet-loss=0% min-rtt=17ms535us avg-rtt=18ms173us max-rtt=19ms712us
[admin@MTx86@WY] >
I’m really confused… is there anything missing in my configuration…?
I do hope someone could shed some light…
==Configuration==
/interface ethernet
set [ find default-name=ether1 ] comment="Local Network 192.168.1.0/24" \
disable-running-check=no
set [ find default-name=ether2 ] comment="Local Network 192.168.2.0/24" \
disable-running-check=no
set [ find default-name=ether3 ] comment="Connection to Fiber (PPPoE)" \
disable-running-check=no
/interface wireguard
add listen-port=13229 mtu=1420 name=wg-dialin
add listen-port=13232 mtu=1420 name=wg-2
add listen-port=13231 mtu=1420 name=wg-1
/interface list
add name=WireGuard
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-intra ranges=192.168.1.10-192.168.1.253
/ip dhcp-server
add address-pool=pool-intra interface=ether1 lease-time=1d name=dhcp-intra
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes name=pppoe-out_default on-down="/interface set disabled\
=yes [find name=\$interface]\r\
\ndelay 20\r\
\n/interface set disabled=no [find name=\$interface]\r\
\n" use-compression=yes use-encryption=yes use-ipv6=no
/interface pppoe-client
add disabled=no interface=ether3 name=pppoe-out1 profile=pppoe-out_default \
user=pppoeuser
add disabled=no interface=ether3 name=pppoe-out2 profile=pppoe-out_default \
user=pppoeuser
add disabled=no interface=ether3 name=pppoe-out3 profile=pppoe-out_default \
user=pppoeuser
add disabled=no interface=ether3 name=pppoe-out4 profile=pppoe-out_default \
user=pppoeuser
add disabled=no interface=ether3 name=pppoe-out5 profile=pppoe-out_default \
user=pppoeuser
add disabled=no interface=ether3 name=pppoe-out6 profile=pppoe-out_default user=\
pppoeuser
add disabled=no interface=ether3 name=pppoe-out7 profile=pppoe-out_default user=\
pppoeuser
add disabled=no interface=ether3 name=pppoe-out8 profile=pppoe-out_default user=\
pppoeuser
/routing table
add disabled=no fib name=out-1
add disabled=no fib name=out-2
add disabled=no fib name=out-3
add disabled=no fib name=out-4
add disabled=no fib name=out-5
add disabled=no fib name=out-6
add disabled=no fib name=out-7
add disabled=no fib name=out-8
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-redirects=yes accept-source-route=yes max-neighbor-entries=8192 \
tcp-syncookies=yes
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no max-neighbor-entries=8192
/interface list member
add interface=wg-2 list=WireGuard
add interface=wg-1 list=WireGuard
add interface=wg-dialin list=WireGuard
add interface=pppoe-out1 list=WAN
add interface=pppoe-out2 list=WAN
add interface=pppoe-out3 list=WAN
add interface=pppoe-out4 list=WAN
add interface=pppoe-out5 list=WAN
add interface=pppoe-out6 list=WAN
add interface=pppoe-out7 list=WAN
add interface=pppoe-out8 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
/interface wireguard peers
add allowed-address=172.31.48.0/24,192.168.81.0/24,192.168.82.0/24 comment=chr-2 endpoint-address=\
somewhere.chr.router endpoint-port=13231 interface=wg-2 \
persistent-keepalive=25s public-key=\
"5YN3m9tWIdeW4zBa5oXe5EQAIFADiwJWup7PtHzCmjs="
add allowed-address=172.31.32.0/24,192.168.91.0/24,192.168.92.0/24 comment=chr-1 endpoint-address=\
somewhere.chr2.router endpoint-port=13231 interface=wg-1 \
persistent-keepalive=25s public-key=\
"CnyQ9+yv9hd4y1wpr18wD6Ue1VjKz1rGkg4DNn5dZVE="
add allowed-address=\
192.168.255.123/32 comment=jy interface=wg-dialin \
persistent-keepalive=25s public-key=\
"sj994QXhvmgucCv0kHnFx1CVEsD4vXE48AlRdOOdW20="
add allowed-address=192.168.255.253/32 comment=ych interface=\
wg-dialin persistent-keepalive=25s public-key=\
"wfYiug+5kjmvp5N4/5MoWvqgm3elgeE0URlCgBUniXo="
/ip address
add address=192.168.255.254/24 interface=wg-dialin network=192.168.255.0
add address=172.31.32.140/24 interface=wg-1 network=172.31.32.0
add address=172.31.48.140/24 interface=wg-2 network=172.31.48.0
add address=192.168.1.254/24 interface=ether1 network=192.168.1.0
add address=192.168.2.254/24 interface=ether2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.254 \
ntp-server=216.239.35.8
/ip dns
set cache-size=8192KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=2000 servers=168.95.1.1
/ip firewall address-list
add address=192.168.255.0/24 list=DialIn
add address=192.168.1.0/24 list=LocalRealm
add address=192.168.11.0/24 list=ForeignRealm
add address=192.168.34.0/24 list=ForeignRealm
add address=172.31.32.0/24 list=ForeignRealm
add address=172.31.48.0/24 list=ForeignRealm
add address=172.31.64.0/24 list=ForeignRealm
add address=172.31.240.0/24 list=ForeignRealm
add address=172.31.241.0/24 list=ForeignRealm
/ip firewall filter
add action=drop chain=input comment="block port 445 SMB attack from WAN" \
dst-port=445 in-interface=all-ppp protocol=tcp
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Established, Related" \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=jump chain=forward comment="DDoS detection" disabled=yes \
in-interface-list=WAN jump-target=detect-ddos protocol=tcp
add action=return chain=detect-ddos comment=\
"Check if exceeding detection rate (SYN-ACK flood)" dst-limit=\
32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=return chain=detect-ddos comment=\
"Check if exceeding detection rate" dst-limit=\
32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos
add action=accept chain=input comment="Allow WireGuard UDP Ports" dst-port=\
13229-13232 in-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow DNS lookup" in-interface-list=\
WAN protocol=udp src-port=53
add action=accept chain=input comment="Allow DNS lookup" in-interface-list=\
WAN protocol=udp src-port=53
add action=add-src-to-address-list address-list=PortKnocking1 \
address-list-timeout=30s chain=input comment=PortKnocking1 dst-port=1234 \
in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=PortKnocking2 \
address-list-timeout=30s chain=input comment=PortKnocking2 dst-port=2345 \
protocol=tcp src-address-list=PortKnocking1
add action=add-src-to-address-list address-list=PortKnocking3 \
address-list-timeout=30s chain=input comment=PortKnocking3 dst-port=3456 \
protocol=tcp src-address-list=PortKnocking2
add action=add-src-to-address-list address-list=PortKnocking4 \
address-list-timeout=30s chain=input comment=PortKnocking4 dst-port=4567 \
protocol=tcp src-address-list=PortKnocking3
add action=add-src-to-address-list address-list=TrustedClient \
address-list-timeout=2h chain=input comment=PortKnocking5 dst-port=5678 \
protocol=tcp src-address-list=PortKnocking4
add action=accept chain=input comment=\
"Accept Trusted Clients from PortKnocking Procedure" dst-port=22,443,8291 \
protocol=tcp src-address-list=TrustedClient
add action=accept chain=input comment="Accept Trusted Clients from WireGuard" \
dst-port=22,443,8291 in-interface-list=WireGuard protocol=tcp
add action=drop chain=input comment="Drop SSH/WinBox connection from IP addres\
ses in Blockhole address list" dst-port=22,443,8291 \
in-interface-list=WAN protocol=tcp src-address-list=Blackhole
add action=add-src-to-address-list address-list=Blackhole \
address-list-timeout=2w6d chain=input comment=\
"Blocked IP address that attempted multiple SSH connections" \
connection-state=new dst-port=22,8291 protocol=tcp src-address-list=\
ssh_attempt_3
add action=add-src-to-address-list address-list=ssh_attempt_3 \
address-list-timeout=5m chain=input comment=\
"IP address that attempted to create 3 SSH connections" connection-state=\
new dst-port=22,8291 protocol=tcp src-address-list=ssh_attempt_2
add action=add-src-to-address-list address-list=ssh_attempt_2 \
address-list-timeout=5m chain=input comment=\
"IP address that attempted to create 2 SSH connections" connection-state=\
new dst-port=22,8291 protocol=tcp src-address-list=ssh_attempt_1
add action=add-src-to-address-list address-list=ssh_attempt_1 \
address-list-timeout=5m chain=input comment=\
"IP address that attempted to create an SSH connections" \
connection-state=new dst-port=22,8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="allow dhcp request" dst-address=\
255.255.255.255 dst-port=67 protocol=udp src-address=0.0.0.0 \
src-address-list=LocalRealm src-port=68
add action=accept chain=input comment="Allow LocalRealm Input" \
connection-state="" src-address-list=LocalRealm
add action=accept chain=input comment="Allow ForeignRealm Input" \
connection-state="" src-address-list=ForeignRealm
add action=accept chain=input comment="Allow WireGuard Input" \
connection-state="" in-interface-list=WireGuard
add action=accept chain=forward comment="Allow LocalRealm Forward" \
connection-state="" src-address-list=LocalRealm
add action=accept chain=forward comment="Allow ForeignRealm Forward" \
connection-state="" src-address-list=ForeignRealm
add action=accept chain=forward comment="Allow WireGuard Forward" \
connection-state="" in-interface-list=WireGuard
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=jump chain=input comment=\
"intrusBL: Check for bad stuff in \"Attack\" chain" jump-target=Attacks
add action=drop chain=Attacks comment=\
"intrusBL: Drop connections FROM blacklisted hosts" src-address-list=\
Blackhole
add action=drop chain=Attacks comment=\
"intrusBL: Drop connections TO blacklisted hosts" dst-address-list=\
Blackhole
add action=drop chain=Attacks comment=\
"intrusBL: Invalid packets (No valid current connection)" \
connection-state=invalid
add action=drop chain=Attacks comment="intrusBL: Invalid TCP flag combo" \
protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=Attacks comment="intrusBL: Invalid TCP flag combo" \
protocol=tcp tcp-flags=fin,syn
add action=drop chain=Attacks comment="intrusBL: Invalid TCP flag combo" \
protocol=tcp tcp-flags=fin,rst
add action=drop chain=Attacks comment="intrusBL: Invalid TCP flag combo" \
protocol=tcp tcp-flags=fin,!ack
add action=drop chain=Attacks comment="intrusBL: Invalid TCP flag combo" \
protocol=tcp tcp-flags=fin,urg
add action=drop chain=Attacks comment="intrusBL: Invalid TCP flag combo" \
protocol=tcp tcp-flags=syn,rst
add action=drop chain=Attacks comment="intrusBL: Invalid TCP flag combo" \
protocol=tcp tcp-flags=rst,urg
add action=drop chain=Attacks comment="intrusBL: Invalid TCP source port (0)" \
protocol=tcp src-port=0
add action=drop chain=Attacks comment=\
"intrusBL: Invalid TCP destination port (0)" dst-port=0 protocol=tcp
add action=drop chain=Attacks comment="intrusBL: Invalid UDP source port (0)" \
protocol=udp src-port=0
add action=drop chain=Attacks comment=\
"intrusBL: Invalid UDP destination port (0)" dst-port=0 protocol=udp
add action=return chain=Attacks comment=\
"intrusBL: Return to the chain that jumped"
add action=passthrough chain=input comment=\
"Below are Beginning of Attack Chain..."
add action=drop chain=input comment=\
"intrusBL: Drop everything else by default(drop input to router)" \
in-interface-list=WAN log=yes log-prefix=input: \
protocol=tcp
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=all-ppp log=yes log-prefix=!NAT
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
#mark connection
add action=mark-connection chain=prerouting in-interface=pppoe-out1 \
connection-mark=no-mark new-connection-mark=input-1 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out2 \
connection-mark=no-mark new-connection-mark=input-2 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out3 \
connection-mark=no-mark new-connection-mark=input-3 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out4 \
connection-mark=no-mark new-connection-mark=input-4 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out5 \
connection-mark=no-mark new-connection-mark=input-5 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out6 \
connection-mark=no-mark new-connection-mark=input-6 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out7 \
connection-mark=no-mark new-connection-mark=input-7 passthrough=yes
add action=mark-connection chain=prerouting in-interface=pppoe-out8 \
connection-mark=no-mark new-connection-mark=input-8 passthrough=yes
#if traffic is from LocalRealm->LocalRealm/ForeignRealm/DialIn, then return; DO NOT do mark-routing
add action=jump chain=output jump-target=CheckRealm
add action=return chain=CheckRealm dst-address-list=LocalRealm
add action=return chain=CheckRealm dst-address-list=ForeignRealm
add action=return chain=CheckRealm dst-address-list=DialIn
add action=mark-routing chain=CheckRealm new-routing-mark=out-1 passthrough=\
no src-address-list=out-1
add action=mark-routing chain=CheckRealm new-routing-mark=out-2 passthrough=\
no src-address-list=out-2
add action=mark-routing chain=CheckRealm new-routing-mark=out-3 passthrough=\
no src-address-list=out-3
add action=mark-routing chain=CheckRealm new-routing-mark=out-4 passthrough=\
no src-address-list=out-4
add action=mark-routing chain=CheckRealm new-routing-mark=out-5 passthrough=\
no src-address-list=out-5
add action=mark-routing chain=CheckRealm new-routing-mark=out-6 passthrough=\
no src-address-list=out-6
add action=mark-routing chain=CheckRealm new-routing-mark=out-7 passthrough=\
no src-address-list=out-7
add action=mark-routing chain=CheckRealm new-routing-mark=out-8 passthrough=\
no src-address-list=out-8
# mark-routing: coming from pppoe-outX (labeled input-X) => go back to pppoe-outX
add action=mark-routing chain=CheckRealm connection-mark=input-1 \
new-routing-mark=out-1 passthrough=no
add action=mark-routing chain=CheckRealm connection-mark=input-2 \
new-routing-mark=out-2 passthrough=no
add action=mark-routing chain=CheckRealm connection-mark=input-3 \
new-routing-mark=out-3 passthrough=no
add action=mark-routing chain=CheckRealm connection-mark=input-4 \
new-routing-mark=out-4 passthrough=no
add action=mark-routing chain=CheckRealm connection-mark=input-5 \
new-routing-mark=out-5 passthrough=no
add action=mark-routing chain=CheckRealm connection-mark=input-6 \
new-routing-mark=out-6 passthrough=no
add action=mark-routing chain=CheckRealm connection-mark=input-7 \
new-routing-mark=out-7 passthrough=no
add action=mark-routing chain=CheckRealm connection-mark=input-8 \
new-routing-mark=out-8 passthrough=no
add action=return chain=CheckRealm
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
LocalRealm
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
DialIn
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
ForeignRealm
add action=masquerade chain=srcnat dst-address-list=ForeignRealm \
src-address-list=DialIn
/ip firewall raw
add action=drop chain=prerouting comment="drop DDoS connections" \
dst-address-list=ddos-targets src-address-list=ddos-attackers
add action=drop chain=prerouting comment="drop DDoS connections" \
dst-address-list=ddos-targets src-address-list=ddos-attackers
/ip route
#ForeignRealm=>go to CHR router
add disabled=no distance=1 dst-address=192.168.91.0/24 gateway=172.31.32.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=11
add disabled=no distance=1 dst-address=192.168.92.0/24 gateway=172.31.32.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=11
add disabled=no distance=1 dst-address=192.168.81.0/24 gateway=172.31.48.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=11
add disabled=no distance=1 dst-address=192.168.82.0/24 gateway=172.31.48.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=11
#for mark-routing
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=\
"" routing-table=out-1 scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 pref-src=\
"" routing-table=out-2 scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out3 pref-src=\
"" routing-table=out-3 scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out4 pref-src=\
"" routing-table=out-4 scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out5 pref-src=\
"" routing-table=out-5 scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out6 pref-src=\
"" routing-table=out-6 scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out7 pref-src=\
"" routing-table=out-7 scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out8 pref-src=\
"" routing-table=out-8 scope=30 suppress-hw-offload=no target-scope=11
#main default route to pppoe-out1 then to out2,3,4,5...8 if unreachable.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add disabled=no distance=12 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=13 dst-address=0.0.0.0/0 gateway=pppoe-out3 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=14 dst-address=0.0.0.0/0 gateway=pppoe-out4 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=15 dst-address=0.0.0.0/0 gateway=pppoe-out5 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=16 dst-address=0.0.0.0/0 gateway=pppoe-out6 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=17 dst-address=0.0.0.0/0 gateway=pppoe-out7 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=18 dst-address=0.0.0.0/0 gateway=pppoe-out8 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=10 dst-address=172.31.32.0/24 gateway=wg-1 \
routing-table=main scope=30 target-scope=10
add disabled=no distance=10 dst-address=172.31.48.0/24 gateway=wg-2 \
routing-table=main scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Taipei
/system hardware
set allow-x86-64=yes
/system identity
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.0
add address=216.239.35.4
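As an added, defender-side example that is not part of the original post and not MikroTik's own tooling: when a template like the one above is meant to be rolled out to every office, it is worth running the exported .rsc through a small linter before deploying it. The Python script below parses the /export format shown in the post (backslash line continuation, quoted values, `[ find ... ]` groups) and flags hardening points a reviewer would raise on this template: `accept-source-route=yes` and `accept-redirects=yes` under `/ip settings`, neighbor discovery on every interface, an input `accept` from WAN keyed only on `src-port=53` (the sender chooses its source port, and the established/related rule already admits DNS replies), and a final input `drop` restricted to `protocol=tcp` so that UDP and ICMP from WAN fall through to the chain's default accept. The embedded export excerpt is constructed and modelled on the posted one; the `allow-remote-requests=yes` line is added only to exercise the open-resolver check and is not in the posted export. Menu names, keys and values are RouterOS's own; the finding texts are this example's. It does not address the name-resolution failure the post asks about, only template hygiene.

```python
"""Audit a RouterOS '/export' dump for a few hardening issues.

Added example (not the poster's or MikroTik's code). Parses the export
format used in the post and flags settings a reviewer would question.
"""

# Constructed excerpt modelled on the posted export. allow-remote-requests=yes
# is NOT in the posted export; it is here only to exercise the resolver check.
SAMPLE_EXPORT = r'''
/interface ethernet
set [ find default-name=ether1 ] comment="Local Network 192.168.1.0/24" \
    disable-running-check=no
/ip settings
set accept-redirects=yes accept-source-route=yes max-neighbor-entries=8192 \
    tcp-syncookies=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip dns
set allow-remote-requests=yes servers=168.95.1.1
/ip firewall filter
add action=accept chain=input comment="Established, Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow DNS lookup" in-interface-list=\
    WAN protocol=udp src-port=53
add action=drop chain=input comment="Drop everything else" \
    in-interface-list=WAN log=yes log-prefix=input: protocol=tcp
'''


def join_continuations(text):
    """Join lines that end in a backslash, the way RouterOS wraps an export."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()          # export indents continuation lines; drop it
        if not line:
            continue
        buf = buf + line if buf else line
        if buf.endswith("\\"):
            buf = buf[:-1]          # continuation marker, keep accumulating
        else:
            lines.append(buf)
            buf = ""
    if buf:
        lines.append(buf)
    return lines


def tokenize(line):
    """Split on whitespace, keeping "quoted strings" and [ bracket groups ] intact."""
    tokens, cur, depth, quoted, i = [], "", 0, False, 0
    while i < len(line):
        c = line[i]
        if quoted:
            cur += c
            if c == "\\" and i + 1 < len(line):   # escaped char inside quotes
                cur += line[i + 1]
                i += 1
            elif c == '"':
                quoted = False
        elif c == '"':
            quoted, cur = True, cur + c
        elif c == "[":
            depth, cur = depth + 1, cur + c
        elif c == "]":
            depth, cur = depth - 1, cur + c
        elif c.isspace() and depth == 0:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += c
        i += 1
    if cur:
        tokens.append(cur)
    return tokens


def parse_export(text):
    """Return (menu, command, {key: value}) for every add/set line in the export."""
    menu, records = "", []
    for line in join_continuations(text):
        if line.startswith("#"):
            continue                # comment line
        if line.startswith("/"):
            menu = line             # menu path such as /ip firewall filter
            continue
        toks = tokenize(line)
        params = {}
        for tok in toks[1:]:
            if "=" in tok and not tok.startswith("["):
                key, val = tok.split("=", 1)
                params[key] = val.strip('"')
        records.append((menu, toks[0], params))
    return records


def from_wan(p):
    """True if a filter rule is scoped to the WAN-facing interfaces of the post."""
    return p.get("in-interface-list") == "WAN" or p.get("in-interface") == "all-ppp"


def audit(records):
    """Return a list of human-readable findings; empty list means nothing flagged."""
    findings, dns_remote, udp53_dropped, last_input = [], False, False, None
    for menu, _cmd, p in records:
        if menu == "/ip settings":
            if p.get("accept-source-route") == "yes":
                findings.append("ip settings: accept-source-route=yes honours source-routed packets; set it to no")
            if p.get("accept-redirects") == "yes":
                findings.append("ip settings: accept-redirects=yes lets ICMP redirects rewrite routing decisions; set it to no")
        elif menu == "/ip neighbor discovery-settings" and p.get("discover-interface-list") == "all":
            findings.append("neighbor discovery runs on every interface and advertises identity/version to the WAN; limit it to the LAN list")
        elif menu == "/ip dns" and p.get("allow-remote-requests") == "yes":
            dns_remote = True
        elif menu == "/ip firewall filter" and p.get("chain") == "input":
            last_input = p
            if from_wan(p) and p.get("action") == "accept" and "src-port" in p and "connection-state" not in p:
                findings.append("input: accept from WAN keyed on src-port=%s; the sender picks its source port, so it is no trust signal, and established/related already admits replies" % p["src-port"])
            if from_wan(p) and p.get("action") == "drop" and p.get("protocol") == "udp" and "53" in p.get("dst-port", "").split(","):
                udp53_dropped = True
    if last_input is not None and last_input.get("action") == "drop" and "protocol" in last_input:
        findings.append("input: the final drop is limited to protocol=%s; other protocols from WAN fall through to the chain's default accept" % last_input["protocol"])
    if dns_remote and not udp53_dropped:
        findings.append("dns: allow-remote-requests=yes with no input drop for udp/53 from WAN exposes an open resolver")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

Running it on the constructed excerpt prints six findings; pointing `parse_export` at the full export of the posted router (minus the constructed `allow-remote-requests` line) yields the same findings except the open-resolver one. The parser is deliberately permissive: it keeps escape sequences inside quoted values verbatim, which is what makes the multi-line `on-down` script in the post's `/ppp profile` survive the join.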