Need help with 3011UiAS config for 2 LAN + DMZ and 2 WAN via recursive routes

Hello,
I have been trying to finish the configuration of the 3011UiAS for a week already.
I have tried many options and edits, but it does not start.
I suppose that I am not marking the traffic correctly and/or the routes are not constructed correctly, but I cannot find where exactly the errors are.

So, we have:

  • Mikrotik 3011UiAS;
  • WAN1 (ISP1-DataGroup): public IP 93.xxx.xxx.94/24 via DHCP with MAC binding.
  • WAN2 (ISP2-Lanet): public IP 188.yyy.yy.126/24 via DHCP with MAC binding.
  • LAN_Guest (192.168.1.0/24)
  • LAN_IT (192.168.2.0/24)
  • DMZ (192.168.3.0/24)

Need to implement:

  1. Services in the DMZ (at the moment there is one: 192.168.3.2:8090) should be accessible from the local networks and from the Internet via the above-mentioned public IPs (these will be third-level domains).
  2. Some services added later will probably use dynamic ports (I assume I will use UPnP).
  3. Management of the 3011UiAS must be via Winbox from LAN_IT (by MAC, by the IP of the local subnet gateway 192.168.2.1, and remotely over the Internet via the public IP).
  4. LAN_IT access to the Internet: ISP1 by default, ISP2 as backup.
  5. LAN_Guest access to the Internet: ISP2 by default, ISP1 as backup.
  6. DMZ access to the Internet: ISP1 by default, ISP2 as backup.
  7. Isolate traffic between the LAN_Guest and LAN_IT subnets.

The following does not work (or works incorrectly):

  1. The most critical issue is with the DMZ.
  2. The service in the DMZ is available from the Internet only on IP 188.yyy.yy.126 and is not available from the local subnet LAN_IT.
  3. I can connect via Winbox from LAN_IT via the public IP or the MAC address, but not via the public IP over the Internet or via the subnet gateway.
  4. Clients in the DMZ, LAN_IT and LAN_Guest cannot ping their gateways (192.168.3.1, 192.168.2.1 and 192.168.1.1 respectively).
  5. The 3011UiAS does not respond to ping from the Internet on IP 93.xxx.xxx.94 or 188.yyy.yy.126, but responds to ping from the local networks (to the public IPs 93.xxx.xxx.94 and 188.yyy.yy.126).

Bridges & interfaces: WAN (1,2); DMZ (3,4); IT (5,8,9); Guest (6,7):

/interface bridge
add comment="Ports 3,4 for DMZ" fast-forward=no name=bridge_dmz
add comment="Ports 5,8,9 for IT" fast-forward=no name=bridge_it
add comment="Ports 6,7 for Guest" fast-forward=no name=bridge_guest
/interface ethernet
set [ find default-name=ether1 ] comment="Port1 DataGroup-IT" mac-address=B8:00:00:00:00:6E name=WAN1
set [ find default-name=ether2 ] comment="Port2 Lanet-Guest" mac-address=A0:00:00:00:00:A4 name=WAN2
set [ find default-name=ether3 ] comment=DMZ
set [ find default-name=ether4 ] comment=DMZ
set [ find default-name=ether5 ] comment=LAN_IT
set [ find default-name=ether6 ] comment="Guest 1C"
set [ find default-name=ether7 ] comment="Guest 1st floor"
set [ find default-name=ether8 ] comment=LAN_IT
set [ find default-name=ether9 ] comment=LAN_IT

/interface list
add name=WAN

/interface bridge port
add bridge=bridge_dmz interface=ether3
add bridge=bridge_dmz interface=ether4
add bridge=bridge_it interface=ether5
add bridge=bridge_guest interface=ether6
add bridge=bridge_guest interface=ether7
add bridge=bridge_it interface=ether8
add bridge=bridge_it interface=ether9

/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN

Addressing, subnets and DHCP:

/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=WAN1
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=WAN2

/ip address
add address=192.168.1.1/24 comment="Guest LAN" interface=bridge_guest network=192.168.1.0
add address=192.168.2.1/24 comment="IT LAN" interface=bridge_it network=192.168.2.0
add address=192.168.3.1/24 comment="DMZ LAN" interface=bridge_dmz network=192.168.3.0

/ip pool
add comment="Guest LAN" name=dhcp_pool_guest ranges=192.168.1.2-192.168.1.254
add comment="IT LAN" name=dhcp_pool_it ranges=192.168.2.2-192.168.2.254
add comment="DMZ LAN" name=dhcp_pool_dmz ranges=192.168.3.2-192.168.3.254

/ip dhcp-server network
add address=192.168.1.0/24 comment="Guest LAN" dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 comment="IT LAN" dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 comment="DMZ LAN" dns-server=192.168.3.1 gateway=192.168.3.1

/ip dhcp-server
add address-pool=dhcp_pool_guest disabled=no interface=bridge_guest lease-time=1h name=dhcp_server_guest
add address-pool=dhcp_pool_it disabled=no interface=bridge_it lease-time=1d name=dhcp_server_it
add address-pool=dhcp_pool_dmz disabled=no interface=bridge_dmz lease-time=1d name=dhcp_server_dmz

ARP and MAC-IP bindings:

/ip arp
add address=192.168.1.2 comment="Guest 1C Router" interface=bridge_rent mac-address=00:00:00:00:00:C6
add address=192.168.3.2 comment=GitLab interface=bridge_dmz mac-address=10:00:00:00:00:C9
add address=192.168.2.2 comment="IT InterTelecom Router" interface=bridge_it mac-address=EC:00:00:00:00:4F

/ip dhcp-server lease
add address=192.168.1.2 comment="Guest 1C Router" mac-address=00:00:00:00:00:C6 server=dhcp_server_guest
add address=192.168.2.2 comment="IT InterTelecom Router" mac-address=EC:00:00:00:00:4F server=dhcp_server_it
add address=192.168.3.2 comment=GitLab lease-time=1d mac-address=10:00:00:00:00:C9 server=dhcp_server_dmz

Firewall filter & NAT

/ip firewall nat
add action=masquerade chain=srcnat comment="Outgoing LANs masquerade from WAN1" out-interface=WAN1
add action=masquerade chain=srcnat comment="Outgoing LANs masquerade from WAN2" out-interface=WAN2
add action=netmap chain=dstnat comment="GitLab Lanet Port Forwarding" dst-address=188.yyy.yy.126 dst-port=8090 protocol=tcp to-addresses=\
    192.168.3.2 to-ports=8090
add action=netmap chain=dstnat comment="GitLab from DataGroup Port Forwarding" dst-address=93.xxx.xxx.94 \
    dst-port=8090 protocol=tcp to-addresses=192.168.3.2 to-ports=8090

/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/4 list=BOGONS
add address=240.0.0.0/4 list=BOGONS
add address=192.168.1.0/24 list=LocalNet
add address=192.168.2.0/24 list=LocalNet
add address=192.168.3.0/24 list=LocalNet

/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment=icmp protocol=icmp
add action=accept chain=forward comment="PortForward to GitLab" dst-address=192.168.3.2 dst-port=8090 protocol=tcp
add action=accept chain=input comment=Established_Wan_Accept connection-state=established
add action=drop chain=input comment="Drop DNS requests from internet" disabled=yes dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment=Established_Wan_Accept connection-state=established
add chain=input comment=Related_Wan_Accept connection-state=related
add action=drop chain=input comment=Bogon_Wan_Drop in-interface-list=WAN src-address-list=BOGONS

Firewall mangle

/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=inWAN1 dst-address-list=!LocalNet dst-address-type="" log-prefix=skymr \
    new-routing-mark=1WAN passthrough=yes src-address-list=LocalNet
add action=mark-routing chain=prerouting connection-mark=inWAN2 dst-address-list=!LocalNet dst-address-type="" log-prefix=tktmr \
    new-routing-mark=2WAN passthrough=yes src-address-list=LocalNet
add action=mark-routing chain=output connection-mark=WAN1 dst-address-type=!local new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 dst-address-type=!local new-routing-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting dst-address=93.xxx.xxx.94 in-interface=WAN1 new-connection-mark=inWAN1 passthrough=yes
add action=mark-connection chain=input dst-address=93.xxx.xxx.94 in-interface=WAN1 new-connection-mark=inWAN1 passthrough=yes
add action=mark-connection chain=prerouting dst-address=188.yyy.yy.126 in-interface=WAN2 new-connection-mark=inWAN2 passthrough=yes
add action=mark-connection chain=input dst-address=188.yyy.yy.126 in-interface=WAN2 new-connection-mark=inWAN2 passthrough=yes

Recursive routes & rules

/ip route
add check-gateway=ping comment="WAN1 main" distance=1 gateway=8.8.8.8 routing-mark=WAN1 target-scope=15
add check-gateway=ping comment="WAN1 reserve" distance=2 gateway=8.8.4.4 routing-mark=WAN1 target-scope=15
add check-gateway=ping comment="WAN2 main" distance=1 gateway=8.8.4.4 routing-mark=WAN2 target-scope=15
add check-gateway=ping comment="WAN2 reserve" distance=2 gateway=8.8.8.8 routing-mark=WAN2 target-scope=15
add comment="WAN2 Lanet route" distance=1 dst-address=8.8.4.4/32 gateway=188.yyy.yy.1 scope=15
add comment="WAN1 DataGroup route" distance=1 dst-address=8.8.8.8/32 gateway=93.xxx.xxx.1 scope=15

/ip route rule
add comment="Guest LAN-WAN2 rule" src-address=192.168.1.0/24 table=WAN2
add comment="IT LAN-WAN1 rule" src-address=192.168.2.0/24 table=WAN1
add comment="DMZ LAN-WAN1 rule" src-address=192.168.3.0/24 table=WAN2

IP services, system & DNS

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system routerboard settings
set silent-boot=no

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
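An added example (mine, not from the original post) of a forward- and input-chain policy for the three bridges: it implements item 7 (guest and IT isolated in both directions), lets the DMZ host only answer, never initiate, towards the LANs, and exposes the DMZ service to the Internet only through the posted dstnat rules. It reuses the interface names, subnets and the WAN interface list from the post; the LAN interface list, the ADMIN_SRC address list and the hairpin NAT rule are my assumptions, not part of the posted configuration.

```routeros
# Added example, not from the original post. Names WAN1/WAN2, bridge_* and the
# subnets are the posted ones; the LAN list and ADMIN_SRC list are assumptions.
/interface list
add name=LAN
/interface list member
add interface=bridge_it list=LAN
add interface=bridge_guest list=LAN
add interface=bridge_dmz list=LAN

/ip firewall address-list
# assumption: the one or two public addresses you administer from remotely
add address=203.0.113.10 list=ADMIN_SRC comment="admin workstation (placeholder)"

/ip firewall filter
# --- input: what may talk to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN dst-port=8291 protocol=tcp comment="Winbox from LANs"
add chain=input action=accept in-interface-list=WAN src-address-list=ADMIN_SRC dst-port=8291 protocol=tcp \
    comment="Winbox from Internet, admin addresses only"
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp comment="DNS for LAN clients"
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp
add chain=input action=drop comment="default deny on input"

# --- forward: what may cross between segments ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# only dst-natted connections (the 8090 port forwards) may enter from the WANs
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="port-forwarded traffic"
add chain=forward action=drop in-interface-list=WAN comment="nothing else from the Internet"
# item 7: LAN_Guest and LAN_IT never see each other
add chain=forward action=drop in-interface=bridge_guest out-interface=bridge_it comment="guest -> IT"
add chain=forward action=drop in-interface=bridge_it out-interface=bridge_guest comment="IT -> guest"
# the DMZ host may answer the LANs but must not open connections into them
add chain=forward action=drop in-interface=bridge_dmz out-interface=bridge_it comment="DMZ -> IT"
add chain=forward action=drop in-interface=bridge_dmz out-interface=bridge_guest comment="DMZ -> guest"
# LAN clients reach the DMZ service (directly, or via the public IP after dstnat)
add chain=forward action=accept in-interface-list=LAN out-interface=bridge_dmz dst-address=192.168.3.2 \
    dst-port=8090 protocol=tcp comment="LANs -> GitLab"
# everything else from the LANs may go to the Internet
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LANs -> Internet"
add chain=forward action=drop comment="default deny on forward"

# hairpin: a DMZ client hitting its own public IP needs its reply to come back
# through the router, so masquerade that one case (assumption, not in the post)
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.3.0/24 dst-address=192.168.3.2 \
    dst-port=8090 protocol=tcp comment="hairpin for DMZ clients"

# Winbox by MAC address only from the LAN side (assumption: mac-server restricted to the LAN list)
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Rule order matters: the established/related and invalid rules sit first so that only new connections are evaluated by the segment rules, and the WAN drop comes before any LAN accept so a stray `in-interface-list=LAN` match can never let Internet traffic through. If you keep Winbox reachable from the Internet at all, keep it behind the address list (or a VPN) rather than open to any source as in the posted `dst-port=8291` rule.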

Try my favourite rule (make it the first one):

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

What happens is that anything coming from your LANs is forced by your other routing rules to use either the WAN1 or the WAN2 routing table, but neither of them contains routes to your other LANs.

A few more bits:

  • One of your static ARP entries uses interface=bridge_rent, but there’s no such thing in the rest of config.
  • I don’t understand why you have these static ARP entries at all.
  • This rule is useless, because you don’t have any other rules in forward chain and by default, everything is allowed:
/ip firewall filter
add action=accept chain=forward comment="PortForward to GitLab" dst-address=192.168.3.2 dst-port=8090 protocol=tcp
  • It also means that you don’t have any firewall in forward chain at all, everything is wide open.
  • Route marking rules in chain=output use connection-marks not set anywhere.
  • Marking connections from the WANs in chain=prerouting is enough; doing it again in chain=input is redundant. You might also want to add connection-mark=no-mark, you don’t need to mark connections over and over with each packet.
  • “local” in dst-address-type means only local addresses owned by router, not local subnets, so that condition is useless.
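As an added example (mine, not part of the reply above), the routing pieces put together the way the reply suggests: the lookup-only-in-table rule first, connections marked once in prerouting with connection-mark=no-mark, and routing-marks that match the tables the routes actually use. Two things worth checking against the posted config while doing this: the posted mangle rules set new-routing-mark=1WAN/2WAN while the posted routes live in tables WAN1/WAN2, and with add-default-route=no on both DHCP clients the main table has no default route at all, so anything the router itself sends without a routing-mark (an echo reply to an Internet ping, a Winbox reply) has nowhere to go. The interface names, subnets, public IPs and ISP gateways are taken from the post; the DMZ rule is placed in table WAN1 to match requirement 6.

```routeros
# Added example, not from the original post or the reply. Interface and table
# names are the posted ones; 93.xxx.xxx.1 / 188.yyy.yy.1 are the ISP gateways
# already used by the posted /32 routes.

/ip route rule
# first rule: anything for the 192.168.0.0/16 segments is resolved in main
# only, so inter-LAN traffic and replies to LAN clients never hit a WAN table
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main comment="LANs via main only"
add src-address=192.168.2.0/24 table=WAN1 comment="IT LAN -> WAN1"
add src-address=192.168.3.0/24 table=WAN1 comment="DMZ -> WAN1 (requirement 6)"
add src-address=192.168.1.0/24 table=WAN2 comment="Guest LAN -> WAN2"

/ip firewall mangle
# mark each inbound connection once, by the WAN it arrived on
add chain=prerouting action=mark-connection in-interface=WAN1 connection-state=new \
    connection-mark=no-mark new-connection-mark=inWAN1 passthrough=yes
add chain=prerouting action=mark-connection in-interface=WAN2 connection-state=new \
    connection-mark=no-mark new-connection-mark=inWAN2 passthrough=yes
# forwarded replies (the DMZ service) leave through the WAN the connection came
# in on; the routing-mark must be the table name the /ip route entries use
add chain=prerouting action=mark-routing in-interface-list=!WAN connection-mark=inWAN1 \
    new-routing-mark=WAN1 passthrough=no
add chain=prerouting action=mark-routing in-interface-list=!WAN connection-mark=inWAN2 \
    new-routing-mark=WAN2 passthrough=no
# replies generated by the router itself (ping, Winbox) use the same marks
add chain=output action=mark-routing connection-mark=inWAN1 new-routing-mark=WAN1 passthrough=no
add chain=output action=mark-routing connection-mark=inWAN2 new-routing-mark=WAN2 passthrough=no

/ip route
# host routes that anchor the recursive gateways; their scope must be <= the
# target-scope of the recursive routes below (15 <= 15 here)
add dst-address=8.8.8.8/32 gateway=93.xxx.xxx.1 scope=15 comment="WAN1 DataGroup route"
add dst-address=8.8.4.4/32 gateway=188.yyy.yy.1 scope=15 comment="WAN2 Lanet route"
# per-table recursive defaults: WAN1 prefers ISP1, WAN2 prefers ISP2
add dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-mark=WAN1 distance=1 check-gateway=ping target-scope=15 comment="WAN1 main"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-mark=WAN1 distance=2 check-gateway=ping target-scope=15 comment="WAN1 reserve"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-mark=WAN2 distance=1 check-gateway=ping target-scope=15 comment="WAN2 main"
add dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-mark=WAN2 distance=2 check-gateway=ping target-scope=15 comment="WAN2 reserve"
# a default in main as well, so unmarked traffic (the router itself, anything
# not caught by a route rule) still has a way out; ISP1 first, ISP2 as backup
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 check-gateway=ping target-scope=15 comment="main via WAN1"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=2 check-gateway=ping target-scope=15 comment="main via WAN2"
```

To confirm it behaves, look at the tables and the marks rather than at symptoms: `/ip route print where routing-mark=WAN1` should show an active (A) default route, `/ip firewall connection print where connection-mark=inWAN1` should list a connection while an Internet client is talking to port 8090 on the ISP1 address, and `/tool torch` on WAN1 should show the reply packets leaving there rather than on WAN2. Because the route rule for 192.168.0.0/16 is evaluated before the per-source rules, the gateway pings from the LANs and the LAN_IT to DMZ path no longer depend on the WAN tables at all.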