Only some services allowed over Backup link (LTE)

Hello
I have a MikroTik with a LAN and an LTE interface. The router is set up so that LAN is primary, and when there is no ping to the external IP (9.9.9.9), LTE is used.

[nemke@xxxxxxx] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S ;;; Primary
dst-address=0.0.0.0/0 gateway=9.9.9.9 gateway-status=9.9.9.9 recursive via 192.168.88.1 bridge check-gateway=ping distance=1 scope=30 target-scope=10

1 S ;;; Backup
dst-address=0.0.0.0/0 gateway=lte1 gateway-status=lte1 reachable distance=2 scope=30 target-scope=10

2 A S ;;; Validate Primary
dst-address=9.9.9.9/32 gateway=192.168.88.1 gateway-status=192.168.88.1 reachable via bridge distance=1 scope=10 target-scope=10

3 ADC dst-address=10.60.86.38/32 pref-src=10.60.86.38 gateway=lte1 gateway-status=lte1 reachable distance=0 scope=10

4 ADC dst-address=10.99.99.254/32 pref-src=10.99.99.1 gateway=VPN gateway-status=VPN reachable distance=0 scope=10

5 ADC dst-address=172.1.1.0/24 pref-src=172.1.1.2 gateway=bridge999 gateway-status=bridge999 reachable distance=0 scope=10

6 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.67 gateway=bridge gateway-status=bridge reachable distance=0 scope=10

BUT because of the low amount of DATA on the SIM card (in the LTE interface) I would like to ONLY allow the VPN connection with the main office router (CCR1009) and not allow anything else. All other services will not work until the internet from the LAN starts working again.
In this case, the router can use the LTE interface (when there is no main internet from the LAN) only for the VPN connection to the main office, so we can still access it and have some SNMP data.

How do I set this up?

Thank You

Firewall is your friend. Packets trying to use lte1 can be matched using out-interface=lte1. Allow what you want, block the rest. You can do it both for forwarded traffic from other devices (chain=forward) and for the router’s own traffic (chain=output).

Not so good in that part :)
Some example?

A supercharged introduction to how the firewall works is here.

In your case, the rules in chain=forward of /ip firewall filter would use in-interface(-list) and src-address(-list) matching to restrict which local users can use the LTE, and dst-address(-list) to restrict which remote destinations may be accessed via the LTE. Distinction by remote port is almost pointless, as today even obscure services can fall back to TCP port 443 if other ports are blocked. Just bear in mind that large providers (Google, Facebook, Microsoft) often run different services with different domain names on the same IP addresses, so e.g. allowing Google search but blocking YouTube at the same time is almost mission impossible.

At the time the packet passes through the /ip firewall filter chain, it has already been routed and the out-interface has been determined, so rules with out-interface=your-lte-interface-name will only act on packets routed out through LTE. The download direction follows automatically: if you don’t connect to a remote server via the LTE, it will not respond through it.
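As an added example (not from the thread and not the poster's configuration), here is one way to lay out the rules described above for the route table shown in the question. It assumes the office CCR1009 is reachable at the placeholder public address 203.0.113.10 and that the VPN interface named VPN is a tunnel whose transport is UDP port 13231 (the WireGuard default); both are assumptions, so substitute the real peer address and the real transport of whatever tunnel type is in use (for IPsec you would accept protocol=ipsec-esp and UDP 500/4500 instead).

```routeros
# Constructed example, not the poster's config. Placeholders:
#   203.0.113.10  - public address of the main office router (assumed)
#   udp/13231     - transport of the VPN tunnel (assumed, WireGuard default)
/ip firewall address-list
add list=office-vpn-peer address=203.0.113.10 comment="Main office CCR1009 (placeholder)"

/ip firewall filter
# Router's own traffic (chain=output): only the VPN transport may leave via lte1.
add chain=output out-interface=lte1 dst-address-list=office-vpn-peer \
    protocol=udp dst-port=13231 action=accept comment="VPN to office over LTE"
# Everything else the router itself tries to send over LTE is dropped.
# log=yes makes the dropped traffic visible in /log during a failover test.
add chain=output out-interface=lte1 action=drop log=yes log-prefix="lte-drop" \
    comment="Drop all other router-originated traffic over LTE"

# Forwarded traffic (chain=forward): LAN clients never use LTE directly.
# LAN-to-office traffic that enters the tunnel has out-interface=VPN, not lte1,
# so it is unaffected; only the encapsulated packets appear in chain=output.
add chain=forward out-interface=lte1 action=drop log=yes log-prefix="lte-drop" \
    comment="LAN clients may not use LTE"
```

Two things to check after adding these. First, rules are evaluated top to bottom, so place them before any broad accept rule that already exists in the forward or output chain (use print to see the order, then move if needed). Second, the failover itself is not affected: the check-gateway ping to 9.9.9.9 leaves via the /32 "Validate Primary" route through the bridge, never via lte1, so the drop rules do not break the primary-link detection. With the drop rules logging, a deliberate LAN outage shows exactly which extra traffic (DNS, NTP, cloud updates) would otherwise have consumed the SIM data, and each can then be either explicitly accepted or left blocked.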