Hello guys. First of all sorry for my ignorance, I’m not an IT expert and all my studies were in the field of geology. And it’s the first time using RouterOS!
I just converted my homelab from a (very power hungry) PFSense setup to a RB3011. I like it very much and have been able to replicate most of the stuff the PFSense firewall did, but then it all ground to a halt when I tried to implement the dual WAN setup.

Here is the network’s schematic.

PF_AIR is a 100/20 Mbit point to point wireless link.
PF_FTTC as the name implies is a 60/20 Mbit FTTC VDSL connection.
There is also a “last resort” LTE connection called TIM, but I’m honestly not that interested in that one for the moment (I’d like to sort the port forwarding before).

How I had implemented this on PFSense: PF_AIR and PF_FTTC had equal cost in the gateway parameters, and then I added normal port forwarding rules from both connections (so basically I had duplicate rules: one for port 80 for PF_FTTC; and another for port 80 for PF_AIR).

How I tried replicating this on RouterOS: I followed this guide: https://www.paolodaniele.it/mikrotik-aggregare-due-wan-con-pcc/ for PCC (I had to adjust the syntax because that guide was written for RouterOS 6), then I attempted to add port forwarding rules via the NAT tab in the firewall (dst-nat etc.). It appeared to work, but a day later it didn’t anymore (see below). So I searched in the forums and found this: http://forum.mikrotik.com/t/port-forwarding-using-pcc-help-required/70261/1 But that didn’t work either. Then, I tried another forum post: http://forum.mikrotik.com/t/big-confusion-pcc-with-nat-port-forwarding/115727/1 but to no avail either..

What works: The PCC appears to work as both connections get similar usage when looking at the statistics.
What does NOT work: Port forwarding is extremely erratic. Sometimes it works perfectly through both connections, sometimes only HTTP(S) works, sometimes it only works from PF_AIR, sometimes SSH works through PF_FTTC but not PF_AIR. And what’s even more troubling, is that when, for example, SSH works only through PF_FTTC for me, if I ask a friend, it might only work through PF_AIR for him! Same goes for HTTP.

This is the config:

# 2024-04-24 15:20:29 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = ##############
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes interface=ether1-PF_AIR name=PF-AIR user=\
    air218@pianetafibra.it
add add-default-route=yes disabled=no interface=sfp1 name=PF-FTTC \
    use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.160 client-id=1:d8:3a:dd:a7:d6:5e comment=Helios \
    mac-address=D8:3A:DD:A7:D6:5E server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment="PF-AIR Forward" disabled=\
    yes in-interface=PF-AIR new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=forward comment="PF-FTTC forward" disabled=\
    yes in-interface=PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PF-AIR PortForward" \
    disabled=yes dst-address-type=!local in-interface=PF-AIR \
    new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PF-FTTC PortForward" \
    disabled=yes dst-address-type=!local in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn passthrough=yes
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire FTP" dst-port=21 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=21
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
add action=dst-nat chain=dstnat comment="SSH Pi5 JVital" dst-port=52233 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
add action=masquerade chain=srcnat out-interface=PF-FTTC
# PF-AIR not ready
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=\
    to_FTTC
add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=\
    to_AIR
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thank you a LOT in advance for any pointers you might give me!

Many config errors, but conceptually the biggest problem so far is that you assign VLANS, but dont assign them to any ports.
Why do you have them if they are not going to any ports?
You dont assign vlans to vlan ids in /interface bridge vlans, you assign (tagged or untagged bridge or wlan ports)

So right now you have what I call the bridge vlan to ports 5-spf1 untagged aka going to dumb devices that cannot read vlan tags.
Where do vlans 10,11,13 go? On which ports, to which devices?

Hi, and first of all thanks for the reply. Here is a diagram of the port setup:

The rationale for my setup:

• I have several managed switches that “untag” the VLANs as needed for that particular port
• I use Multi SSIDs on access points, so those needs tagged VLANs
• I never bothered to remove the internal switch of the Mikrotik, for two reasons: 1 the first time I tried, I locked myself out due to inexperience, and 2 because it is handy to have an extra port with all tagged VLANs so I can test stuff quickly with the laptop.

But the VLANs work fine (at least, I didn’t notice anything wrong with them?) The main problem is the port forwarding, and none of the servers in question are on a VLAN anyway!

Yup was just asking where the vlans went because it was a mystery LOL and your ether6 setting was misleading..

Since you have vpn connections coming to the router and also port forward to VLAN, and PCC
you need three sets of mangles.
One for VPN
One of PF
One for PCC

Another issue I see is duplicate use of 443, you have it seems an HTTPS server for port 443, but you attempt to also use SSTP on 443 to the router.
I have removed sstp to the router.

Yep, the only connection to the managed switch in normal circumstances is on eth6.

I’ve been told over on Reddit to add two rules, and my mangle rules look like this now. But that still doesn’t work…

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=PF-FTTC new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=PF-AIR new-connection-mark=AIR_conn
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-LAN new-connection-mark=\
    FTTC_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-LAN new-connection-mark=\
    AIR_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR

(PF-AIR is down otherwise people can’t access my website)

Working on it, on ip routes at the moment. To gain better control visibility of routes, not using default routes in pppoe settings…
Its not clear to me if you wanted ether2 to be PCCd as well ?? Its a separate LAN but did you want it PCCd??

Most mods/changed…

/interface vlan
add interface=bridge-LAN name=vlanbridge vlan-id=5
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13

/interface pppoe-client
add add-default-route=no interface=ether1-PF_AIR name=PF-AIR user=
air218@pianetafibra.it
add add-default-route=no interface=sfp1 name=PF-FTTC
use-peer-dns=yes user=fttc4250

/ip dhcp-server
add address-pool=dhcp interface=vlanbridge lease-time=23h59m59s name=LAN_DHCP

/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6 comment=“only trunk port”
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether8 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether9 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether10 pvid=5
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp1 pvid=5

/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether6 vlan-ids=10,11,13
add bridge=bridge-LAN tagged=bridge-LAN,ether6 untagged=ether7,ether8,ether9,ether10,spf1 vlan-ids=5

/interface list member
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
add interface=vlanbridge list=LAN
ad vlan1–Ospiti list=LAN
add interface=vlan11-IoT list=LAN
add interface=vlan13-Inaffidabile list=LAN
add interface=ether5-LAN2 list=LAN

/ip address
add address=172.16.20.1/16 comment=LAN interface=vlanbridge network=
172.16.0.0

/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210
gateway=172.16.20.1 { netmask removed not required! }

/ip firewall address-list { mostly from static DHCP leases }
add address=adminIP1 list=Authorized comment=“Admin desktop”
add address=adminIP2 list=Authorized comment=“Admin laptop”
add address=adminIP3 list=Authorized comment=“Admin smartphone/ipad”
add address=adminIP4 list=Authorized comment=“Admin BTH remote”
add address=172.16.20.160/32 list=MyServers
add address=172.16.20.220/32 list=MyServers

/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500
protocol=udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input src-address-list=Authorized comment=“Admin access only”
add action=accept chain=input comment=“DNS & NTP services” dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment=“DNS services” dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment=“Drop All Else” { put this rule in last so you dont lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

/ip firewall mangle { order is important }
{ Mangling for VPN Connection To the Router }
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-AIR
new-connection-mark=Air_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-FTTC
new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn
new-routing-mark=to_FTTC passthrough=no
{ Mangling for LAN Server Traffic }
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF-AIR
dst-address-list=[color=#8000BFMyServers[/color] new-connection-mark=W1-2-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF=FTTC
dst-address-list=MyServers new-connection-mark=W2-2 Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-2-Servers
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-2-Servers
new-routing-mark=to_FTTC passthrough=no
{ Mangling for PCC }
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN
new-connection-mark=pcc-wan1 dst-address-type=!local
per-connection-classifier= both-addresses-and-ports:2/0 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN
new-connection-mark=pcc-wan2 dst-address-type=!local
per-connection-classifier= both-addresses-and-ports:2/1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pcc-wan1
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2
new-routing-mark=to_FTTC passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat comment=“masq. vpn traffic” src-address=
192.168.89.0/24


/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0 gateway=PF-AIR routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0 gateway=PF-FTTC routing-table=main
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_AIR
add check-gateway=ping dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_FTTC

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hi and thanks for your work, I tried applying the config but that didn’t work (I didn’t touch the VLANs yet, but that shouldn’t affect stuff for the port forwarding).

Now, I can no longer reach the Internet at all (and port forwarding doesn’t work). It says, that the static routes are invalid. Here is the config:

/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PF-FTTC pref-src="" \
    routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-AIR new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    W1-2-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    W2-2-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-2-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-2-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
    new-routing-mark=to_FTTC passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire FTP" dst-port=21 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=21
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
add action=dst-nat chain=dstnat comment="SSH Pi5 JVital" dst-port=52233 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
    
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PF-FTTC pref-src="" \
    routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no

Regarding the TIM connection, since it’s bandwidth metered in the original PFSense setup it had a lower priority so it only became the default route if both unmetered PPPoEs failed. But it should accept port forwarding, because that allows me to troubleshoot stuff it stuff goes really wrong. But again, it’s something really optional… i’d rather get PCC and port forwarding on the PPPoEs working first…

Hi, I did a few more tries, but to no avail.
I though the problem lied here:

/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/32 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no

Because a destination address of 0.0.0.0**/32** doesn’t really make sense, but even after adjusting that to 0.0.0.0/0 it still doesn’t work at all. I’m at a loss

Thanks again

Hi, no ideas?

Not until you post a complete config, dont work from snippets

The config I initially tried was exactly as you provided it, minus the VLAN, IPSec and other LAN only parts. And I had to correct a few mistakes like I told in the post above. As I’ve said, I’d rather have first a working config for the actual topic title (PCC and port forwarding), and only later fix the VPNs and the rest which I don’t really need anyway.

Since the config you provided clearly didn’t work, I tried in a different manner, and that also didn’t work.

The current config is as follows:

# 2024-04-24 03:02:21 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=2 interface=ether1-PF_AIR \
    name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=2 disabled=no interface=sfp1 \
    name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \
    in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC \
    new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR \
    new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" \
    dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \
    dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\
    AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn \
    in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn \
    in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
# PF-AIR not ready
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

There is clearly a problem with the static routes, because when check-gateway is set to anything but none, the route is marked as unreachable as I wrote 4 days ago.

Now with the current config (the one I posted above) there is a different behavior:

• If the first two mangle routes (mark connections to MyServers) are DISABLED, and both PPPoEs are ENABLED, port forwarding works most of the times (e.g. maybe on HTTP it works, but next refresh might not load) and PCC works.
• If the first two mangle routes are ENABLED, and both PPPoEs are ENABLED, port forwarding NEVER works but PCC works
• If it’s set as currently (one PPPoE enabled, first two mangle routes disabled) port forwarding works but obviously PCC doesn’t.

Now I really don’t want to abuse the forum as a way to get a config done by others, so that’s why I concentrated on the PCC/Port forwarding side (I don’t get why I was ghosted tho…).
Really, I can fix the VLAN stuff later, once I know how to properly set PCC up for port forwarding… that’s the real hurdle now.

Well your setup is wrong with regard to the LAN and vlans so PCC doesnt matter at all until the LAN is fixed.
You are mixing up dhcp from bridge and then you have vlans going nowhere…
So Please be clear,
What are your ports connected to.
ether2 ( stand alone subnet not on the bridge )?
ether3-sfp1 [ which one(s) only have a single subnet going to a dumb device like a PC ] [ which one(s) are to smart devices and have one or more vlans tagged ]
+++++++++++++++

Once a coherent LAN exists then we can move forward.

Hi, Diagram below

• SFP1: No IP address, only used for PPPoE PF-FTTC. WAN
• ether1: No IP address, only used for PPPoE PF-AIR. WAN
• ether2: 192.168.2.1/24, this is connected to an LTE router. → TIM. WAN
• ether3: unused
• ether4: unused
• ether5: 192.168.12.1/24. This goes to a single access point in another apartment (hence the separated subnet, which I’ve called LAN2) 80 meters away. So that’s why it’s not a VLAN. → LAN2
• ether6 through ether10: all members of bridge-LAN. This is connected to a managed HP switch, and NEEDS to have both the untagged LAN (172.16.0.0/16; 172.16.20.1) as well as the 3 tagged VLANs 10, 11 and 13 that go to separate subnets.

I hope I’ve managed to explain it this time!

Thanks again

Okay so that is much clearer, thanks!
Ether2 is for a third wan connection but not in the mix at the moment.
Ether3,4 not used.
Ether5, separate subnet NOT on the bridge but part of the LAN overall.
Ether6-10 WHERE IT GOES WRONG.

First you should not attempt to have the bridge trying to give out DHCP on ports 6-10 and also expect to have vlans using eth6-10 at the same time.
Knowing that all are going to the SAME managed switch, means ONLY port is required.

/interface bridge ports
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6
/interface bridge vlans
add bridge=bridge tagged=bridge,ether6 vlan-ids=10,11,13,16

16 is basically taking your current bridge subnet construct and simply turning into a vlan… real quick and easy.

However, what is not clear to me is why have you separated out Ether 5 from being on the bridge??? I can sort of understand Eth5 being an off bridge way to access the router for backup config so that works for me.


++++++++++++++++++++++++++++++++++

Now in terms of PCC I can only recommend NOT using default routes, to access check-gateway=ping properly in manual routes.
with default routes = no
Only major changes noted:

\

model = RB3011UiAS

/interface vlan
add interface=bridge-LAN name=vlan16-bridge=16

/interface pppoe-client
add add-default-route=no default-route-distance=1 interface=ether1-PF_AIR
name=PF-AIR user=air218@pianetafibra.it
add add-default-route=no default-route-distance=1 disabled=no interface=sfp1
name=PF-FTTC use-peer-dns=yes user=fttc4250

/ip dhcp-server
add address-pool=dhcp interface=vlan16-bridge lease-time=23h59m59s name=LAN_DHCP
/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6

/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether6 vlan-ids=10,11,13,16

/interface list member
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
add interface=ether5-LAN2 list=LAN
add interface=vlan10-Ospiti list=LAN
add interface=vlan11-IoT list=LAN
add interface=vlan13-Inaffidabile list=LAN
add interface=vlan16-bridge list=LAN

/ip address
add address=172.16.20.1/16 comment=LAN interface=vlan16-bridge network=
172.16.0.0

/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210
gateway=172.16.20.1 netmask=16 <----- REMOVE NETMASK ENTRY!!!

/ip firewall address-list
add address=172.16.20.230 comment=“Sunfire” list=MyServers
add address=172.16.20.220 comment=“Minecraft” list=MyServers
add address=172.16.20.218 comment=“GLaDOS” list=MyServers
add address=172.16.20.211 comment=“DNS” list=DNServers
add address=172.16.20.210 comment=“DNS” list=DNServers

/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500
protocol=udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=“Drop All Else” { put this rule in last so you dont lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“access dns” in-interface-list=LAN dst-address-list=DNServers
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

/ip firewall mangle
{ Mangling for VPN Connection To the Router }
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-AIR
new-connection-mark=Air_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=PF-FTTC
new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn
new-routing-mark=to_FTTC passthrough=no
{ Mangling for External LAN Server Traffic }
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF-AIR
dst-address-list=[color=#8000BFMyServers[/color] new-connection-mark=W1-to-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=PF=FTTC
dst-address-list=MyServers new-connection-mark=W2-to Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-to-Servers
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-to-Servers
new-routing-mark=to_FTTC passthrough=no
{ Mangling for PCC }
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN
new-connection-mark=pcc-wan1 dst-address-type=!local
per-connection-classifier= both-addresses-and-ports:2/0 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN
new-connection-mark=pcc-wan2 dst-address-type=!local
per-connection-classifier= both-addresses-and-ports:2/1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pcc-wan1
new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2
new-routing-mark=to_FTTC passthrough=no

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=main
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

+++++++++++++++++++++++++++++++++++++++++++

Hi and thanks again for the config!

However, what is not clear to me is why have you separated out Ether 5 from being on the bridge??? I can sort of understand Eth5 being an off bridge way to access the router for backup config so that works for me.

It’s simply a historical situation, it was always like this. That 80m cable was directly connected to the old PFSense router (I ran out of ports on the old 24 port switch before I replaced it with the current 48 port HP switch, so I just connected it to a spare port on the quad NIC I had on the PFsense router).

I’ll replace the config tomorrow and let you know.

What I would do is keep ether5 for off bridge configuration of the router, No need for DHCP pools, etc, just keep the IP address only and ensure its part of managment interface and LAN interface.
Then just plug in PC or laptop change nic card ipv4 settings to an address within the range and you have access to config the router.

I think you’ve misunderstood the LAN structure again. Basically I need an untagged LAN which is the main one (172.16.0.0/16) and FOUR other separate LANs on their separate subnets (that being: vlan 10, vlan 11, vlan 13 AND the out of the bridge ether5) that need to talk to each other ONLY via firewall rules but are otherwise isolated (I’ve yet to setup these rules, because port forwarding still doesn’t work).I might as well remove all these and keep only 172.16.0.0/16 for now, if it makes it easier. The router config ports shouldn’t be reachable from any other LANs except 172.16.0.0/16!!

That’s why I still don’t get why you want me to create an extra tagged VLAN 16 when there clearly is no need. The LAN part works, it’s the WAN part that doesn’t.
And with your latest config, I can’t reach the Internet at all no matter what. Here it is. Again, please don’t fixate on the LAN, otherwise I’ll simply remove all other subnets for now until I can get PCC+port forward to work…

# 2024-04-24 16:59:46 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add disabled=no interface=ether1-PF_AIR name=PF-AIR user=\
    air218@pianetafibra.it
add disabled=no interface=sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=\
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=\
    192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=\
    192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=\
    192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile \
    vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=\
    192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=\
    192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=\
    192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=\
    vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=\
    192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=\
    192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
add address=172.16.20.211 comment=DNS list=DNServers
add address=172.16.20.210 comment=DNS list=DNServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="access dns" dst-address-list=\
    DNServers in-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-AIR new-connection-mark=Air_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    W1-to-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    W2-to-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-to-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-to-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
    new-routing-mark=to_FTTC passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=none disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The routes get marked as unreachable as in the screenshot below

If I disable check-gateway=ping, the routes are no longer unreachable, but I still can’t browse the internet either.

Thanks

Hi, i’ve tried factory resetting everything and discarding all the VLANs and the 2nd LAN for now, (just as a test)
but that didn’t work either

tested config:

# 2024-04-24 16:59:46 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface pppoe-client
add disabled=no interface=ether1-PF_AIR name=PF-AIR user=\
    air218@pianetafibra.it
add disabled=no interface=sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value=\
    "' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
    Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=\
    blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp \
    redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern V N protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\
    172.16.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi \
    mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=\
    64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=\
    B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=\
    B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=\
    00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=\
    ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=\
    BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=\
    BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=\
    ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=\
    BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 \
    server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E \
    server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=\
    00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 \
    gateway=172.16.20.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
add address=172.16.20.211 comment=DNS list=DNServers
add address=172.16.20.210 comment=DNS list=DNServers
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="access dns" dst-address-list=\
    DNServers in-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-AIR new-connection-mark=Air_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    PF-FTTC new-connection-mark=FTTC_conn passthrough=yes
add action=mark-routing chain=output connection-mark=AIR_conn \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=output connection-mark=FTTC_conn \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\
    W1-to-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\
    W2-to-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=W1-to-Servers \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=W2-to-Servers \
    new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    pcc-wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=pcc-wan1 \
    new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=pcc-wan2 \
    new-routing-mark=to_FTTC passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\
    10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\
    8123
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PF-FTTC pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=none disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    PF-AIR pref-src="" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\
    only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\
    ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This could be the error we were not seeing…
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=
172.16.0.0

I think it should be:
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=
172.16.20.0 ???

I am not good with larger subnets but I think thats right.


Also this is not critical but should be modified from:
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
PF-FTTC pref-src=“” routing-table=main suppress-hw-offload=no
add check-gateway=none disabled=no distance=2 dst-address=0.0.0.0/0 gateway=
PF-AIR pref-src=“” routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR
add check-gateway**=ping** distance=1 dst-address=0.0.0.0/0 gateway=
PF-FTTC pref-src=“” routing-table=main suppress-hw-offload=no
add check-gateway**=ping** distance=2 dst-address=0.0.0.0/0 gateway=
PF-AIR pref-src=“” routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=PF-FTTC routing-table=to_FTTC
add dst-address=0.0.0.0/0 gateway=PF-AIR routing-table=to_AIR