Need help solving a routing problem

Hello, I have a problem that I cannot solve.

I will try to describe the topology of the part of my network that I am working on.
I have a site consisting of three routers, A, B, and C, to which several devices are connected.
I have two routers on separate external sites (Z and X) from which I can access the site in question.

Router A acts as a gateway for the site...
Router A is connected via a tagged VLAN port to B via ether16 to ether15.
Router B is connected via a tagged VLAN port to C via ether16 to ether15.

Z arrives at C on port ether1 via radio bridges... subnet 10.10.64.120/29
IP on Z 10.10.64.126, IP on C 10.10.64.125

X arrives at A on port ether1 via radio bridges... subnet 10.10.64.128/29
IP on X 10.10.64.134, IP on A 10.10.64.133

On A-B-C I have a bridge with 4 VLANs

vlan100 - trunk to connect port 1 of router C and connect it to router A (where I have the address for the subnet) - I need it as exit via site Z

vlan101 - the same for the other one for the exit via site X

vlan200 contains the subnet of devices including the IP addresses to enter the routers (10.10.98.250-251-252)

vlan300 - another subnet for other devices

routers B and C only have the route to router A (0.0.0.0/0 >>> 10.10.98.250)
All other configuration is done on router A

On router A, I have 2 VRFs to isolate the output interfaces and avoid unwanted loops.

rtab-WAN1 - vlan100 interface
rtab-WAN2 - vlan101 interface

I have two routes

0.0.0.0/0 >> gateway 10.10.64.126@rtabWAN1 on routing table rtab-WAN1
and
0.0.0.0/0 >> gateway 10.10.64.133@rtabWAN2 on routing table rtab-WAN2

I insert two routing rules with

destination 10.10.64.120/29 look only in table rtab-WAN1
and
destination 10.10.64.128/29 look only in table rtab-WAN2

then I make mangle rules....

first a rule to skip mangle for local traffic
src-address 10.10.98.0/24 - dst-address 10.10.98.0/24 action accept

then for dst-address 10.10.98.0/24 I mark new routing... pointing to main table
and for src-address 10.10.98.0/24 to dst-address 0.0.0.0/0 new routing to rtab-WAN1 table

...

It works well... but I still cannot ping from Z or X to 10.10.98.250... though I can for the rest of 10.10.98.0/24
and from 10.10.98.250 only, I cannot ping external devices...

Some rules are still missing, but I can't figure out what they are.

please help me... :smile:

Ok, on the 2nd line:
please make an adequate network diagram.

Indeed because ...

... 2 cables in the same port on Router A? Problematic.

router A ether16 to router B ether15
and
router B ether16 to router C ether15

router X                       router Z
   ||                             ||
router A ---- router B ---- router C

ip router Z
10.10.64.126/29

ip router X
10.10.64.134/29

ip router A
vlan100 - 10.10.64.125/29
vlan101 - 10.10.64.133/29
vlan200 - 10.10.98.250/24
vlan300 - 10.10.99.250/24

ip router B
vlan200 - 10.10.98.251/24

ip router C
vlan200 - 10.10.98.252/24


pictures are worth more than words...
also because my English isn't the best...

EDIT:

first mangle rule > mark routing to main table
second > mark routing to rtab-WAN1

Concur, a picture is worth..................
Meaning please make a detailed network diagram sufficiently labelled to know which equipment is which, where the vlans go and where the wan inputs are etc.

I try again.... :sweat_smile:

I am looking at the diagram and wondering WHY........

Why is there no WAN connection clearly shown?

  • should I assume you have two ISPs coming into Router A??

Why do you have 4 other routers, when all you need is switches at these locations B/C/X/Z,
aka where is the justification for routers??

Why is the PC connected to two routers? Are they all in the same location??? And if so, where is the internet for that network.........

How are routerX and routerY connecting to the location holding Router A, B, C, which seem to be colocated?

Perhaps because of the language difference, you think this is the construction of a home network...

In reality, this is part of a large network with several sites and thousands of devices...

In particular, I am trying to change the programming of some routers located on mountain sites in order to allow access in multiple ways...

Obviously, I can't draw a diagram of the entire structure...
But I don't think that, despite the language problems, I have failed to explain myself...

I have a site... in the mountain... where I have several devices... the network consists of three routers (yes, routers... not switches... because maybe tomorrow things will change and I'll have to adapt the programming!!!... and because maybe I'll need to act as a gateway for the underlying subnets)

I use a VLAN to connect at layer 2 an Ethernet port where a radio link is connected (which goes to another site - site B)

another VLAN to do the same with another interface where a radio link is connected to yet another site (site C).

and 2 VLANs for devices

I can reach the site via site B or site C... depending on how I want... maybe the radio link is faulty... maybe it's slower....

All IPs and routes are on the first router... obviously, if you see three routers in the diagram, it doesn't mean they are next to each other... one is in a pylon... another in another pylon... the third somewhere else...

The VLANs that carry the uplinks (output links... WAN links... call them what you will) are isolated via 2 VRFs.

This way, I have 3 routing tables to manage the routes...

one for output via WAN1... one for WAN2... and the two VLANs with the devices are on the main table

To route the traffic, I created some rules at the mangle level...

Everything works except that I can't ping/contact the IP addresses belonging to router A (10.10.98.250 - 10.10.64.125 - 10.10.64.133).

From mangle, I use rules to decide which WAN I want to send each individual IP to if I want...

It doesn't seem that complicated to understand.

this is my mangle list...

0 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.96.40/29 log=no log-prefix=""

1 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.96.48/29 log=no log-prefix=""

2 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.96.56/29 log=no log-prefix=""

3 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.96.64/28 log=no log-prefix=""

4 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.97.0/24 log=no log-prefix=""

5 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.98.0/24 log=no log-prefix=""

6 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.110.0/23 log=no log-prefix=""

7 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.60.0/22 log=no log-prefix=""

8 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.30.212.0/24 log=no log-prefix=""

9 chain=prerouting action=mark-routing new-routing-mark=main passthrough=no dst-address=10.10.108.0/23 log=no log-prefix=""

10 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.96.40/29 log=no log-prefix=""

11 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.96.48/29 log=no log-prefix=""

12 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.96.56/29 log=no log-prefix=""

13 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.96.64/28 log=no log-prefix=""

14 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.97.0/24 log=no log-prefix=""

15 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.98.0/24 log=no log-prefix=""

16 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.110.0/23 log=no log-prefix=""

17 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.60.0/22 log=no log-prefix=""

18 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.30.212.0/24 log=no log-prefix=""

19 chain=prerouting action=mark-routing new-routing-mark=rtab-WAN1 passthrough=no src-address=10.10.108.0/23 log=no log-prefix=""

I think that something about the input and/or output chain is missing... but I don't understand what...

Well, it seems you don't know what you want yet. I cannot assist with hypotheticals, as changing a generic MT config for specific purposes so that it is efficient relies on knowing a complete and accurate set of requirements for traffic flow. Good luck, perhaps others can assist.

Later I will try to make a more precise diagram with the IPs and connections clearly marked...

I won't say how I have currently configured the routers...
I will just explain my intentions and I would like to know how you would set things up...

Please be patient with those who are not used to writing on forums...

Thank you

I'll try again...

This is the organization of the sites I have to manage...
on this particular site, which I am using as a starting point, I have three routers connected to each other and located on three different towers... In some ports, I have devices (PCs, cameras, IoT peripherals), in other ports I have Wi-Fi access points to provide internet on the tower itself, in specific ports I have radio links that carry the incoming network (WAN1 and WAN2) and radio links that carry the network to other subsequent sites (PTP1, PTP2, etc.)...

For this reason, I have a VLAN for each purpose:
VLAN101 for WAN1, VLAN102 for WAN2, VLAN201 for peripherals, VLAN301 for Wi-Fi, and a VLAN for each PTP line to subsequent sites, VLAN501 for PTP1, VLAN502 for PTP2, etc.

I only use one router per site to manage all routing.

I need each VLAN to be isolated from each other at the beginning, but with the possibility of forwarding specific IP addresses if necessary.

The router must forward traffic to the previous sites, giving me the option to select the desired output WAN, either for technical reasons (for example, if a site needs to undergo maintenance) or to balance network traffic on the radio links. There should be no special automation; everything must be decided manually.

Sometimes a server may be located on a subsequent site, and therefore some devices must reach it.

I won't specify the subnets currently in use so as not to complicate things... what interests me is the logic to follow...

I currently have a VRF for each VLAN, leaving the main routing table for IoT devices and Wi-Fi.

Then I manage everything at the mangle rule level.
For each configuration, I have to enter many rules,
but it works... The only thing I can't do is access the router that manages the site via the IP addresses set to act as gateways to the VLANs... I only access it via the local IP address of the WAN I use to log in.

I don't know if this is the best choice... if it can be made simpler...

I would like to know your opinion and how you would set up the configuration to do this.

Thanks in advance
G.

Translated with DeepL.com (free version)

I noticed while doing some debugging that if I do routing marking from mangle to a routing table different from the one I enter, the packet does not go to the INPUT chain but directly to FORWARD... whereas if I don't do routing marking, the packet goes to the INPUT chain but gets lost there... it doesn't return from the OUTPUT chain.

(after dst-nat here)

input = something destined to the device's CPU, not forwarded.

forward = something that passes THROUGH the system, not directed to the CPU, nor even generated by the CPU.

output = something that DIDN'T previously exist and is generated by the CPU.

(before src-nat here)

Study packet flow:
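To make the input/forward distinction above concrete for this thread's setup, here is a small model of the RouterOS routing decision. It is an added example written for this page, not code from the thread or from MikroTik: a packet is looked up in exactly one table (the one named by its routing mark if mangle set one, otherwise the VRF table of the ingress interface, otherwise main); a "local" best match means the INPUT chain, a unicast match means FORWARD, and no match means no route. The addresses are the ones the original poster's configuration uses; the helper names, the table-selection logic and the scenarios are assumptions of the model, which ignores routing rules and policy beyond the mark.

```python
import ipaddress

# Added example, not code from the thread: a simplified model of the RouterOS
# routing decision.  Incoming packet -> one routing table -> best match:
#   "local" route  -> INPUT chain (destined to the router's own CPU)
#   unicast route  -> FORWARD chain (passes through)
#   no match       -> no route
# Addresses come from the thread's config; scenarios are constructed here.


def build_table(local_addrs, unicast_routes=()):
    """Build a routing table from interface addresses and static routes.
    Each address a.b.c.d/len yields a /32 'local' route (the dynamic local
    route RouterOS creates) plus a connected route for the prefix."""
    routes = []
    for addr in local_addrs:
        iface = ipaddress.ip_interface(addr)
        routes.append((ipaddress.ip_network(f"{iface.ip}/32"), "local", None))
        if iface.network.prefixlen < 32:
            routes.append((iface.network, "unicast", "connected"))
    for prefix, gateway in unicast_routes:
        routes.append((ipaddress.ip_network(prefix), "unicast", gateway))
    return routes


def lookup(table, dst):
    """Longest-prefix match. Returns (kind, gateway) or None for no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, kind, gateway in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, gateway)
    return None if best is None else (best[1], best[2])


def decide(tables, vrf_of_iface, in_iface, dst, routing_mark=None):
    """Return (table used, chain reached) for a packet arriving on in_iface.
    The routing mark wins; otherwise the VRF of the ingress interface; else main."""
    table = routing_mark or vrf_of_iface.get(in_iface, "main")
    route = lookup(tables[table], dst)
    if route is None:
        return table, "no-route"
    return table, "input" if route[0] == "local" else "forward"


def build_site_tables(with_workaround=False):
    """Router A as posted: WAN VLANs isolated in two VRFs, LAN VLANs in main.
    with_workaround=True adds the LAN gateway's /32 to each WAN VRF, which is
    what the poster's '/ip address add address=10.10.98.250 interface=rtab-WAN1'
    lines do."""
    tables = {
        "main": build_table(["10.10.97.250/24", "10.10.98.250/24", "10.10.99.250/24"]),
        "rtab-WAN1": build_table(["10.10.64.125/29"], [("0.0.0.0/0", "10.10.64.126")]),
        "rtab-WAN2": build_table(["10.10.64.133/29"], [("0.0.0.0/0", "10.10.64.134")]),
    }
    if with_workaround:
        for vrf in ("rtab-WAN1", "rtab-WAN2"):
            tables[vrf] += build_table(["10.10.98.250/32"])
    vrf_of_iface = {"vlan101_WAN": "rtab-WAN1", "vlan102_WAN": "rtab-WAN2"}
    return tables, vrf_of_iface


if __name__ == "__main__":
    tables, vrfs = build_site_tables()
    # Ping from site Z (10.10.64.126) to the LAN gateway, arriving on vlan101_WAN.
    print(decide(tables, vrfs, "vlan101_WAN", "10.10.98.250"))                  # ('rtab-WAN1', 'forward')
    print(decide(tables, vrfs, "vlan101_WAN", "10.10.98.250", "main"))          # ('main', 'input')
    # The reply is locally generated and looked up in main, which has no WAN route.
    print(lookup(tables["main"], "10.10.64.126"))                               # None
    tables, vrfs = build_site_tables(with_workaround=True)
    print(decide(tables, vrfs, "vlan101_WAN", "10.10.98.250"))                  # ('rtab-WAN1', 'input')
```

Run as a script it prints the four results. The first call reproduces the symptom from the opening post: looked up in rtab-WAN1, 10.10.98.250 only matches the default route, so the ping is forwarded straight back toward the WAN gateway instead of reaching INPUT. The second shows that a routing mark of main fixes the lookup, but the third shows why the reply still gets lost: the locally generated echo reply is looked up in main, where 10.10.64.126 has no route because the WAN VLAN sits in a VRF. The last call shows the effect of the /32 trick the poster later used.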

I've almost got a fully functional configuration...

I'm forcing an IP address /32 that covers the LAN gateway on every VRF of the WANs...

The only thing I don't like is that I have to change the VRF connected to the Winbox and SSH services...

And then the DNS and NTP still don't work...

/interface bridge add name=bridge pvid=99 vlan-filtering=yes

/interface ethernet set [ find default-name=ether1 ] loop-protect=on rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether2 ] loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether3 ] loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether4 ] loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether5 ] comment="WAN 2" loop-protect=on poe-out=forced-on poe-priority=5 rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=sfp1 ] loop-protect=on rx-flow-control=on tx-flow-control=on

/interface vlan add comment="VLAN - WAN1" interface=bridge name=vlan101_WAN vlan-id=101
/interface vlan add comment="VLAN - WAN2" interface=bridge name=vlan102_WAN vlan-id=102
/interface vlan add comment="VLAN - LAN" interface=bridge name=vlan201_LAN vlan-id=201
/interface vlan add comment="VLAN - WIFI" interface=bridge name=vlan301_WIFI vlan-id=301
/interface vlan add comment="VLAN - PTP1" interface=bridge name=vlan501_PTP vlan-id=501
/interface vlan add comment="VLAN - PTP2" interface=bridge name=vlan502_PTP vlan-id=502
/interface vlan add comment="VLAN - PTP3" interface=bridge name=vlan503_PTP vlan-id=503
/interface vlan add comment="VLAN - PTP4" interface=bridge name=vlan504_PTP vlan-id=504

/interface list add name=WAN1_Ports
/interface list add name=WAN2_Ports
/interface list add name=LAN_Ports
/interface list add name=WIFI_Ports
/interface list add name=PTP1_Ports
/interface list add name=PTP2_Ports
/interface list add name=PTP3_Ports
/interface list add name=PTP4_Ports
/interface list add name=TAGGED_Ports

/ip vrf add interfaces=vlan101_WAN name=rtab-WAN1
/ip vrf add interfaces=vlan102_WAN name=rtab-WAN2
/ip vrf add interfaces=vlan501_PTP name=rtab-PTP1
/ip vrf add interfaces=vlan502_PTP name=rtab-PTP2
/ip vrf add interfaces=vlan503_PTP name=rtab-PTP3
/ip vrf add interfaces=vlan504_PTP name=rtab-PTP4

/system logging action set 0 memory-lines=3000
/system logging action set 1 disk-file-count=3 disk-lines-per-file=1500

/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WAN1_Ports pvid=101
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WAN2_Ports pvid=102
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=LAN_Ports pvid=201
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WIFI_Ports pvid=301
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP1_Ports pvid=501
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP2_Ports pvid=502
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP3_Ports pvid=503
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP4_Ports pvid=504

/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=TAGGED_Ports pvid=99

/ip neighbor discovery-settings set discover-interface-list=none
/ipv6 settings set disable-ipv6=yes

/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=101
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=102
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=201
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=301
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=501
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=502
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=503
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=504

/interface list member add interface=ether3 list=LAN_Ports
/interface list member add interface=ether4 list=TAGGED_Ports
/interface list member add interface=ether5 list=WAN2_Ports

/ip address add address=10.10.64.125/29 interface=vlan101_WAN network=10.10.64.120
/ip address add address=10.10.64.133/29 interface=vlan102_WAN network=10.10.64.128
/ip address add address=10.10.97.250/24 interface=vlan201_LAN network=10.10.97.0
/ip address add address=10.10.98.250/24 interface=vlan201_LAN network=10.10.98.0
/ip address add address=10.10.99.250/24 interface=vlan301_WIFI network=10.10.99.0
/ip address add address=10.10.96.46/29 interface=vlan501_PTP network=10.10.96.40
/ip address add address=10.10.96.54/29 interface=vlan502_PTP network=10.10.96.48
/ip address add address=10.10.96.78/28 interface=vlan504_PTP network=10.10.96.64
/ip address add address=10.10.96.62/29 interface=vlan503_PTP network=10.10.96.56

/ip address add address=10.10.98.250 interface=rtab-WAN1 network=10.10.98.250
/ip address add address=10.10.98.250 interface=rtab-WAN2 network=10.10.98.250

/ip dns set allow-remote-requests=yes servers=10.10.64.126

/ip firewall address-list add address=10.10.97.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.98.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.99.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.40/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.48/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.64/28 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.56/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.40/29 list=PTP1_Networks
/ip firewall address-list add address=10.10.110.0/23 list=PTP1_Networks
/ip firewall address-list add address=10.10.60.0/22 list=PTP2_Networks
/ip firewall address-list add address=10.30.212.0/24 list=PTP2_Networks
/ip firewall address-list add address=10.10.96.48/29 list=PTP2_Networks
/ip firewall address-list add address=10.10.96.56/29 list=PTP3_Networks
/ip firewall address-list add address=10.10.108.0/23 list=PTP3_Networks
/ip firewall address-list add address=10.10.96.64/28 list=PTP4_Networks
/ip firewall address-list add address=10.10.98.0/24 list=LAN_Networks
/ip firewall address-list add address=10.10.97.0/24 list=LAN_Networks

/ip firewall filter add action=drop chain=forward disabled=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid


/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK CONNECTION FOR WAN1" connection-mark=no-mark connection-state=new in-interface=vlan101_WAN new-connection-mark=from_WAN1
/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK CONNECTION FOR WAN2" connection-mark=no-mark connection-state=new in-interface=vlan102_WAN new-connection-mark=from_WAN2

/ip firewall mangle add action=accept chain=prerouting connection-mark=!no-mark dst-address=10.10.98.250

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=!no-mark dst-address-list=LAN_Networks new-routing-mark=main passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=!no-mark dst-address-list=PTP1_Networks new-routing-mark=rtab-PTP1 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=!no-mark dst-address-list=PTP2_Networks new-routing-mark=rtab-PTP2 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=!no-mark dst-address-list=PTP3_Networks new-routing-mark=rtab-PTP3 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=!no-mark dst-address-list=PTP4_Networks new-routing-mark=rtab-PTP4 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=from_WAN1 in-interface=!vlan101_WAN new-routing-mark=rtab-WAN1 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=from_WAN2 in-interface=!vlan102_WAN new-routing-mark=rtab-WAN2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=no-mark connection-state=new dst-address-list=!LOCAL_IPs new-routing-mark=rtab-WAN1 passthrough=no src-address-list=LOCAL_IPs

/ip route add disabled=no distance=1 dst-address=10.10.110.0/23 gateway=10.10.96.45@rtab-PTP1 routing-table=rtab-PTP1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.10.60.0/22 gateway=10.10.96.53@rtab-PTP2 routing-table=rtab-PTP2 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.30.212.0/24 gateway=10.10.96.53@rtab-PTP2 routing-table=rtab-PTP2 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.10.108.0/23 gateway=10.10.96.61@rtab-PTP3 routing-table=rtab-PTP3 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.64.126@rtab-WAN1 routing-table=rtab-WAN1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.64.134@rtab-WAN2 routing-table=rtab-WAN2 scope=30 suppress-hw-offload=no target-scope=10

/ip service set ssh vrf=rtab-WAN1
/ip service set winbox vrf=rtab-WAN1

/system ntp client set enabled=yes vrf=rtab-WAN1
/system ntp server set broadcast=yes enabled=yes multicast=yes
/system ntp client servers add address=10.10.64.126

(after dst-nat here)

input = something destined to the device's CPU, not forwarded.

forward = something that passes THROUGH the system, not directed to the CPU, nor even generated by the CPU.

output = something that DIDN'T previously exist and is generated by the CPU.

(before src-nat here)

I'm asking because I want to understand and learn...

I understand that once it arrives on the INPUT chain, the router will no longer route the flow... or am I wrong?

As soon as I change the routing mark, the router decides not to go to the INPUT chain anymore but goes to the FORWARD chain...

To bypass the problem of VRF management, DNS, and NTP, I tried putting both WANs on the main table while creating a VRF for vlan201.

To ensure that each connection returns from the WAN it came from, I created two routing tables (rtab-WAN1 and rtab-WAN2) and in each of them I entered the route 0.0.0.0/0 to the gateway for the corresponding WAN...

The problem is that even though I create the connection mark to check the incoming connection, I can't route the output... The connection doesn't go to the output chain.

It only works if I put the gateway on the main table.

But that way I could only make failover connections; I need to have the WANs in parallel.

Here I am again,
practically writing and replying to myself... :smile:

Anyway... this time I'm here, the configuration does exactly what I wanted

Can you just tell me if you notice any “problems” in the configuration?

It seems to work perfectly for me, but now I have to test it and see what happens.

If there are things that can be done differently and better, let me know, any advice is welcome.

especially if there is a risk of creating a network loop between the WANs, since they come from the same place.

Basically, I noticed that to manage the routing table shift of the OUTPUT chain, I have to set the Routing Rules... while for the shift concerning the FORWARD chain, I use mangle...

is this normal?

Thanks :beer_mug:

# model = RB960PGS

/interface bridge add name=bridge pvid=99 vlan-filtering=yes

/interface ethernet set [ find default-name=ether1 ] loop-protect=on rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether2 ] loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether3 ] loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether4 ] comment="TRUNK VS ROUTER B" loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether5 ] comment="WAN2" loop-protect=on poe-out=forced-on poe-priority=5 rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=sfp1 ] loop-protect=on rx-flow-control=on tx-flow-control=on

/interface list add name=WAN1_Ports
/interface list add name=WAN2_Ports
/interface list add name=LAN_Ports
/interface list add name=WIFI_Ports
/interface list add name=PTP1_Ports
/interface list add name=PTP2_Ports
/interface list add name=PTP3_Ports
/interface list add name=PTP4_Ports
/interface list add name=TAGGED_Ports

/interface vlan add comment="VLAN - WAN1" interface=bridge name=vlan101_WAN vlan-id=101
/interface vlan add comment="VLAN - WAN2" interface=bridge name=vlan102_WAN vlan-id=102
/interface vlan add comment="VLAN - LAN" interface=bridge name=vlan201_LAN vlan-id=201
/interface vlan add comment="VLAN - WIFI" interface=bridge name=vlan301_WIFI vlan-id=301
/interface vlan add comment="VLAN - PTP1" interface=bridge name=vlan501_PTP vlan-id=501
/interface vlan add comment="VLAN - PTP2" interface=bridge name=vlan502_PTP vlan-id=502
/interface vlan add comment="VLAN - PTP3" interface=bridge name=vlan503_PTP vlan-id=503
/interface vlan add comment="VLAN - PTP4" interface=bridge name=vlan504_PTP vlan-id=504

/ip vrf add interfaces=vlan201_LAN name=rtab-LAN
/ip vrf add interfaces=vlan301_WIFI name=rtab-WIFI
/ip vrf add interfaces=vlan501_PTP name=rtab-PTP1
/ip vrf add interfaces=vlan502_PTP name=rtab-PTP2
/ip vrf add interfaces=vlan503_PTP name=rtab-PTP3
/ip vrf add interfaces=vlan504_PTP name=rtab-PTP4


/routing table add disabled=no fib name=rtab-WAN1
/routing table add disabled=no fib name=rtab-WAN2

/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=TAGGED_Ports pvid=99
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WAN1_Ports pvid=101
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WAN2_Ports pvid=102
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=LAN_Ports pvid=201
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WIFI_Ports pvid=301
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP1_Ports pvid=501
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP2_Ports pvid=502
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP3_Ports pvid=503
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP4_Ports pvid=504

/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=101
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=102
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=201
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=301
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=501
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=502
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=503
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=504

/interface list member add interface=ether3 list=LAN_Ports
/interface list member add interface=ether4 list=TAGGED_Ports
/interface list member add interface=ether5 list=WAN2_Ports

/ip address add address=10.10.64.125/29 interface=vlan101_WAN network=10.10.64.120
/ip address add address=10.10.64.133/29 interface=vlan102_WAN network=10.10.64.128
/ip address add address=10.10.97.250/24 interface=vlan201_LAN network=10.10.97.0
/ip address add address=10.10.98.250/24 interface=vlan201_LAN network=10.10.98.0
/ip address add address=10.10.99.250/24 interface=vlan301_WIFI network=10.10.99.0
/ip address add address=10.10.96.46/29 interface=vlan501_PTP network=10.10.96.40
/ip address add address=10.10.96.54/29 interface=vlan502_PTP network=10.10.96.48
/ip address add address=10.10.96.78/28 interface=vlan504_PTP network=10.10.96.64
/ip address add address=10.10.96.62/29 interface=vlan503_PTP network=10.10.96.56

/ip dns set allow-remote-requests=yes servers=10.10.64.126

/ip firewall address-list add address=google.com list=test_dns

/ip firewall address-list add address=10.10.97.0/24 list=LAN_Networks
/ip firewall address-list add address=10.10.98.0/24 list=LAN_Networks
/ip firewall address-list add address=10.10.96.40/29 list=PTP1_Networks
/ip firewall address-list add address=10.10.110.0/23 list=PTP1_Networks
/ip firewall address-list add address=10.10.96.48/29 list=PTP2_Networks
/ip firewall address-list add address=10.10.60.0/22 list=PTP2_Networks
/ip firewall address-list add address=10.30.212.0/24 list=PTP2_Networks
/ip firewall address-list add address=10.10.96.56/29 list=PTP3_Networks
/ip firewall address-list add address=10.10.108.0/23 list=PTP3_Networks
/ip firewall address-list add address=10.10.96.64/28 list=PTP4_Networks

/ip firewall address-list add address=10.10.97.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.98.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.40/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.110.0/23 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.48/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.60.0/22 list=LOCAL_IPs
/ip firewall address-list add address=10.30.212.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.56/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.108.0/23 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.64/28 list=LOCAL_IPs

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK NEW CONNECTION FROM WAN1" connection-mark=no-mark connection-state=new in-interface=vlan101_WAN new-connection-mark=from_WAN1
/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK NEW CONNECTION FROM WAN2" connection-mark=no-mark connection-state=new in-interface=vlan102_WAN new-connection-mark=from_WAN2
/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK NEW CONNECTION FROM LAN OR PTPs NETWORK TO WAN WITH DEFAULT WAN (WAN1)" connection-mark=no-mark connection-state=new dst-address-list=!LOCAL_IPs new-connection-mark=to_WAN1 src-address-list=LOCAL_IPs
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN FIND LAN NETWORK IN TABLE RTAB-LAN" connection-mark=!no-mark dst-address-list=LAN_Networks new-routing-mark=rtab-LAN passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN FIND PTP1 NETWORK IN TABLE RTAB-PTP1" connection-mark=!no-mark dst-address-list=PTP1_Networks new-routing-mark=rtab-PTP1 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN FIND PTP2 NETWORK IN TABLE RTAB-PTP2" connection-mark=!no-mark dst-address-list=PTP2_Networks new-routing-mark=rtab-PTP2 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN FIND PTP3 NETWORK IN TABLE RTAB-PTP3" connection-mark=!no-mark dst-address-list=PTP3_Networks new-routing-mark=rtab-PTP3 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN FIND PTP4 NETWORK IN TABLE RTAB-PTP4" connection-mark=!no-mark dst-address-list=PTP4_Networks new-routing-mark=rtab-PTP4 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN1 REPLY TO WAN1" connection-mark=from_WAN1 in-interface=!vlan101_WAN new-routing-mark=rtab-WAN1 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN2 REPLY TO WAN2" connection-mark=from_WAN2 in-interface=!vlan102_WAN new-routing-mark=rtab-WAN2 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED WITH TO-WAN1 GO TO RTAB-WAN1 TABLE" connection-mark=to_WAN1 dst-address-list=!LOCAL_IPs new-routing-mark=rtab-WAN1 passthrough=no src-address-list=LOCAL_IPs
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED WITH TO-WAN2 GO TO RTAB-WAN2 TABLE" connection-mark=to_WAN2 dst-address-list=!LOCAL_IPs new-routing-mark=rtab-WAN2 passthrough=no src-address-list=LOCAL_IPs

/ip route add disabled=no distance=1 dst-address=10.10.110.0/23 gateway=10.10.96.45@rtab-PTP1 routing-table=rtab-PTP1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.10.60.0/22 gateway=10.10.96.53@rtab-PTP2 routing-table=rtab-PTP2 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.30.212.0/24 gateway=10.10.96.53@rtab-PTP2 routing-table=rtab-PTP2 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.10.108.0/23 gateway=10.10.96.61@rtab-PTP3 routing-table=rtab-PTP3 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.64.126@main routing-table=rtab-WAN1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.64.134@main routing-table=rtab-WAN2 scope=30 suppress-hw-offload=no target-scope=10

/routing rule add action=lookup-only-in-table disabled=no src-address=10.10.64.125/32 table=rtab-WAN1
/routing rule add action=lookup-only-in-table disabled=no src-address=10.10.64.133/32 table=rtab-WAN2
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.10.98.0/24 table=rtab-LAN
/routing rule add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 table=rtab-WAN1

/system ntp client set enabled=yes
/system ntp server set broadcast=yes enabled=yes multicast=yes
/system ntp client servers add address=10.10.64.126

It's always a pleasure to exchange a few words in this forum... 😄

Okay... finally my brain has taken a step forward and I understand... (given the limitations of VRF with regard to DNS and NTP)

I should be able to achieve the same result more easily by not using VRF but blocking forwarding directly from the firewall...

My goal is to have multiple output interfaces to the internet and servers that are not in failover but simultaneous.
The individual VLANs must all be separated from each other, and the only possible forwarding is to the external router (therefore to all subnets not present locally).

Each device must respond from the same interface from which the connection entered. It is therefore chosen based on the route created on the external router (if the gateway set on the route is the IP address of WAN1 or WAN2).

As for outgoing connections generated by the router's subnets, the default setting is that everything must exit through WAN1, but using mangle rules, it is possible to select criteria that allow me to have some devices exit through WAN2.

I also need to prevent possible network loops.

This is my new configuration:

If possible, I would like to hear your opinions and advice on how to optimize it and any potential critical issues.

Thank you very much.


/interface bridge add name=bridge pvid=99 vlan-filtering=yes

/interface ethernet set [ find default-name=ether1 ] loop-protect=on rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether2 ] loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether3 ] comment="" loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether4 ] comment="TRUNK PORT" loop-protect=on poe-out=off rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=ether5 ] comment="RADIO WAN2" loop-protect=on poe-out=forced-on poe-priority=5 rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=sfp1 ] loop-protect=on rx-flow-control=on tx-flow-control=on

/interface vlan add comment="VLAN - WAN1" interface=bridge name=vlan101_WAN vlan-id=101
/interface vlan add comment="VLAN - WAN2" interface=bridge name=vlan102_WAN vlan-id=102
/interface vlan add comment="VLAN - LAN" interface=bridge name=vlan201_LAN vlan-id=201
/interface vlan add comment="VLAN - WIFI" interface=bridge name=vlan301_WIFI vlan-id=301
/interface vlan add comment="VLAN - PTP1" interface=bridge name=vlan501_PTP vlan-id=501
/interface vlan add comment="VLAN - PTP2" interface=bridge name=vlan502_PTP vlan-id=502
/interface vlan add comment="VLAN - PTP3" interface=bridge name=vlan503_PTP vlan-id=503
/interface vlan add comment="VLAN - PTP4" interface=bridge name=vlan504_PTP vlan-id=504

/interface list add name=WAN1_Ports
/interface list add name=WAN2_Ports
/interface list add name=LAN_Ports
/interface list add name=WIFI_Ports
/interface list add name=TAGGED_Ports
/interface list add name=PTP1_Ports
/interface list add name=PTP2_Ports
/interface list add name=PTP3_Ports
/interface list add name=PTP4_Ports

/routing table add disabled=no fib name=rtab-WAN1
/routing table add disabled=no fib name=rtab-WAN2


/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=TAGGED_Ports pvid=99
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WAN1_Ports pvid=101
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WAN2_Ports pvid=102
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=LAN_Ports pvid=201
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=WIFI_Ports pvid=301
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP1_Ports pvid=501
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP2_Ports pvid=502
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP3_Ports pvid=503
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=PTP4_Ports pvid=504

/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=101
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=102
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=201
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=301
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=501
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=502
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=503
/interface bridge vlan add bridge=bridge tagged=bridge,TAGGED_Ports vlan-ids=504

/interface list member add interface=ether3 list=LAN_Ports
/interface list member add interface=ether4 list=TAGGED_Ports
/interface list member add interface=ether5 list=WAN2_Ports

/ip address add address=10.10.64.125/29 interface=vlan101_WAN network=10.10.64.120
/ip address add address=10.10.64.133/29 interface=vlan102_WAN network=10.10.64.128
/ip address add address=10.10.97.250/24 interface=vlan201_LAN network=10.10.97.0
/ip address add address=10.10.98.250/24 interface=vlan201_LAN network=10.10.98.0
/ip address add address=10.10.99.250/24 interface=vlan301_WIFI network=10.10.99.0
/ip address add address=10.10.96.46/29 interface=vlan501_PTP network=10.10.96.40
/ip address add address=10.10.96.54/29 interface=vlan502_PTP network=10.10.96.48
/ip address add address=10.10.96.78/28 interface=vlan504_PTP network=10.10.96.64
/ip address add address=10.10.96.62/29 interface=vlan503_PTP network=10.10.96.56

/ip dns set allow-remote-requests=yes servers=10.10.64.126
/ip firewall address-list add address=google.com list=test_dns
/ip firewall address-list add address=10.10.97.0/24 list=LAN_Networks
/ip firewall address-list add address=10.10.98.0/24 list=LAN_Networks
/ip firewall address-list add address=10.10.96.40/29 list=PTP1_Networks
/ip firewall address-list add address=10.10.110.0/23 list=PTP1_Networks
/ip firewall address-list add address=10.10.96.48/29 list=PTP2_Networks
/ip firewall address-list add address=10.10.60.0/22 list=PTP2_Networks
/ip firewall address-list add address=10.30.212.0/24 list=PTP2_Networks
/ip firewall address-list add address=10.10.96.56/29 list=PTP3_Networks
/ip firewall address-list add address=10.10.108.0/23 list=PTP3_Networks
/ip firewall address-list add address=10.10.96.64/28 list=PTP4_Networks
/ip firewall address-list add address=10.10.97.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.98.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.40/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.48/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.64/28 list=LOCAL_IPs
/ip firewall address-list add address=10.10.96.56/29 list=LOCAL_IPs
/ip firewall address-list add address=10.10.110.0/23 list=LOCAL_IPs
/ip firewall address-list add address=10.10.108.0/23 list=LOCAL_IPs
/ip firewall address-list add address=10.30.212.0/24 list=LOCAL_IPs
/ip firewall address-list add address=10.10.60.0/22 list=LOCAL_IPs

/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="accept forward with mark ( from_WAN\? / to_WAN\? )" connection-mark=!no-mark
/ip firewall filter add action=drop chain=forward comment="drop forward"

/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK NEW CONNECTION FROM WAN1" connection-mark=no-mark connection-state=new in-interface=vlan101_WAN new-connection-mark=from_WAN1
/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK NEW CONNECTION FROM WAN2" connection-mark=no-mark connection-state=new in-interface=vlan102_WAN new-connection-mark=from_WAN2
/ip firewall mangle add action=mark-connection chain=prerouting comment="MARK NEW CONNECTION FROM LAN OR PTPs NETWORK TO WAN WITH DEFAULT WAN (WAN1)" connection-mark=no-mark connection-state=new dst-address-list=!LOCAL_IPs new-connection-mark=to_WAN1 src-address-list=LOCAL_IPs
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN1 REPLY TO WAN1" connection-mark=from_WAN1 in-interface=!vlan101_WAN new-routing-mark=rtab-WAN1 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED FROM WAN2 REPLY TO WAN2" connection-mark=from_WAN2 in-interface=!vlan102_WAN new-routing-mark=rtab-WAN2 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED WITH TO-WAN1 GO TO RTAB-WAN1 TABLE" connection-mark=to_WAN1 dst-address-list=!LOCAL_IPs new-routing-mark=rtab-WAN1 passthrough=no src-address-list=LOCAL_IPs
/ip firewall mangle add action=mark-routing chain=prerouting comment="ALL CONNECTION MARKED WITH TO-WAN2 GO TO RTAB-WAN2 TABLE" connection-mark=to_WAN2 dst-address-list=!LOCAL_IPs new-routing-mark=rtab-WAN2 passthrough=no src-address-list=LOCAL_IPs

/ip route add disabled=no distance=1 dst-address=10.10.110.0/23 gateway=10.10.96.45 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.10.108.0/23 gateway=10.10.96.61 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.10.60.0/22 gateway=10.10.96.53 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=10.30.212.0/24 gateway=10.10.96.53 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.64.126@main routing-table=rtab-WAN1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.64.134@main routing-table=rtab-WAN2 scope=30 suppress-hw-offload=no target-scope=10

/routing rule add action=lookup-only-in-table disabled=no src-address=10.10.64.125/32 table=rtab-WAN1
/routing rule add action=lookup-only-in-table disabled=no src-address=10.10.64.133/32 table=rtab-WAN2
/routing rule add action=lookup-only-in-table disabled=yes dst-address=0.0.0.0/0 table=rtab-WAN1

/system ntp client set enabled=yes
/system ntp server set broadcast=yes enabled=yes multicast=yes
/system ntp client servers add address=10.10.64.126
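As an added check that is not part of the original post, the following Python model replays the prerouting mangle chain, the forward filter and the routing-mark lookup of the configuration above against constructed packets (an inbound WAN1 connection and its reply, an outbound LAN connection, LAN-to-PTP traffic, and a packet from vlan301_WIFI, whose subnet 10.10.99.0/24 is not in LOCAL_IPs and therefore never receives a mark). Interface names and the address list are copied from the post; everything else is a constructed test harness.

```python
import ipaddress

# Model of the prerouting mangle chain, forward filter and routing-mark lookup
# from the posted configuration. LOCAL_IPs and interface names are copied from
# the post; the packets fed to trace() are constructed samples.
LOCAL_IPS = [ipaddress.ip_network(n) for n in (
    "10.10.97.0/24", "10.10.98.0/24", "10.10.96.40/29", "10.10.96.48/29",
    "10.10.96.64/28", "10.10.96.56/29", "10.10.110.0/23", "10.10.108.0/23",
    "10.30.212.0/24", "10.10.60.0/22")]
WAN_IF = {"from_WAN1": "vlan101_WAN", "from_WAN2": "vlan102_WAN"}
# Only the two WAN tables carry a default route; main has connected/PTP routes
TABLES = {"rtab-WAN1": "vlan101_WAN", "rtab-WAN2": "vlan102_WAN"}

def in_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_IPS)

def mangle(iface, src, dst, new, conn_mark):
    """Return (connection-mark, routing-mark) after the mangle rules."""
    if new and conn_mark is None:               # mark-connection rules
        if iface == "vlan101_WAN":
            conn_mark = "from_WAN1"
        elif iface == "vlan102_WAN":
            conn_mark = "from_WAN2"
        elif in_local(src) and not in_local(dst):
            conn_mark = "to_WAN1"               # default exit is WAN1
    rmark = None                                # mark-routing rules
    if conn_mark in WAN_IF and iface != WAN_IF[conn_mark]:
        rmark = "rtab-" + conn_mark[5:]         # reply leaves where it came in
    elif conn_mark in ("to_WAN1", "to_WAN2") and in_local(src) and not in_local(dst):
        rmark = "rtab-" + conn_mark[3:]
    return conn_mark, rmark

def trace(flow):
    """flow: list of (in-interface, src, dst). The first packet opens the
    connection; later packets (replies included) share its connection mark.
    Returns, per packet, (connection-mark, forward verdict, egress)."""
    conn_mark, out = None, []
    for i, (iface, src, dst) in enumerate(flow):
        conn_mark, rmark = mangle(iface, src, dst, i == 0, conn_mark)
        # forward chain: established/related accepted, new only when marked
        verdict = "accept" if i > 0 or conn_mark is not None else "drop"
        egress = TABLES.get(rmark, "main" if in_local(dst) else "no-route")
        out.append((conn_mark, verdict, egress))
    return out
```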