dzint
September 27, 2020, 3:56pm
1
hello,
I recently implemented multiWAN on a router: Mikrotik CCR1036-8G-2S+EM
I have two WAN ISPs served by PPPoE, and I use two external D-Link DSL-2890AL:
D-Link DSL-2890AL for WAN-09 with this static address: 172.168.9.250/24 - internet speed 8Mbps
D-Link DSL-2890AL for WAN-12 with this static address: 172.168.12.250/24 - internet speed 8Mbps
My goal is to combine WAN-09 & WAN-12 to try to get 8Mbps + 8Mbps = 16Mbps
MultiWAN Loadbalancing and Failover with same weight
mikrotik-bridge-MultiWAN.pdf (140 KB)
I use this configuration:
MultiWAN part:
/ interface
set ether3 name=WAN-09-ADAPTER
set ether4 name=WAN-12-ADAPTER
/ ip address
add interface=WAN-09-ADAPTER address=172.168.9.40/24
add interface=WAN-12-ADAPTER address=172.168.12.40/24
/ ip firewall mangle
add chain=prerouting dst-address=172.168.9.0/24 action=accept in-interface=bridge-trunk
add chain=prerouting dst-address=172.168.12.0/24 action=accept in-interface=bridge-trunk
add chain=prerouting in-interface=WAN-09-ADAPTER connection-mark=no-mark action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=WAN-12-ADAPTER connection-mark=no-mark action=mark-connection new-connection-mark=WAN-12-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-12-CONNECTION
add chain=prerouting connection-mark=WAN-09-CONNECTION in-interface=bridge-trunk action=mark-routing new-routing-mark=to-WAN-09
add chain=prerouting connection-mark=WAN-12-CONNECTION in-interface=bridge-trunk action=mark-routing new-routing-mark=to-WAN-12
add chain=output connection-mark=WAN-09-CONNECTION action=mark-routing new-routing-mark=to-WAN-09
add chain=output connection-mark=WAN-12-CONNECTION action=mark-routing new-routing-mark=to-WAN-12
/ ip route
add dst-address=0.0.0.0/0 gateway=172.168.9.250 routing-mark=to-WAN-09 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=172.168.12.250 routing-mark=to-WAN-12 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=172.168.9.250 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=172.168.12.250 distance=1 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=WAN-09-ADAPTER action=masquerade
add chain=srcnat out-interface=WAN-12-ADAPTER action=masquerade
Do I need any chain=input rules?
LAN part:
/ interface bridge
add name=bridge-trunk protocol-mode=mstp vlan-filtering=yes
port add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
port add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether6
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5,ether6 vlan-ids=40
add bridge=bridge-trunk tagged=bridge-trunk,ether5,ether6 vlan-ids=50
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=17
/interface vlan
add vlan-id=40 name=VLAN-40-INTERNE interface=bridge-trunk disabled=no
add vlan-id=50 name=VLAN-50-DIRECTION interface=bridge-trunk disabled=no
add vlan-id=17 name=VLAN-17-SRV interface=bridge-trunk disabled=no
/ ip address
add interface=VLAN-40-INTERNE address=192.168.40.254/24
add interface=VLAN-50-DIRECTION address=192.168.50.254/24
add interface=VLAN-17-SRV address=172.17.0.254/24
/ ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10
add address=192.168.50.0/24 gateway=192.168.50.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10
add address=172.17.0.0/24 gateway=172.17.0.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10
/ ip dhcp-server
add interface=VLAN-40-INTERNE name=dhcp-server-interne address-pool=static-only lease-time=90d disabled=no
add interface=VLAN-50-DIRECTION name=dhcp-server-direction address-pool=static-only lease-time=90d disabled=no
add interface=VLAN-17-SRV name=dhcp-server-srv address-pool=static-only lease-time=90d disabled=no
/ ip dhcp-server lease
add address=192.168.40.40 mac-address=0c:7d:c4:3c:c7:00 server=dhcp-server-interne
add address=192.168.40.41 mac-address=0c:7d:c4:09:e1:00 server=dhcp-server-interne
add address=192.168.50.50 mac-address=0c:7d:c4:f7:a3:00 server=dhcp-server-direction
add address=192.168.50.51 mac-address=0c:7d:c4:55:f3:00 server=dhcp-server-direction
add address=172.17.0.17 mac-address=0c:7d:c4:54:7d:00 server=dhcp-server-srv
I have high latency when I ping the internet (8.8.8.8) with this config.
Could you please help me and tell me where I could be wrong?
Thank you in advance for your help
Best regards
dzint
September 27, 2020, 7:09pm
2
Hello,
I think I found my mistake:
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-12-CONNECTION
Perhaps I need to change it to this:
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN-12-CONNECTION
I don't know if it is the only wrong configuration?
I hope you can share your knowledge with me to get this multiWAN working.
Also, can I use both-addresses-and-ports rather than both-addresses?
Thank you in advance for your help
Best regards
xvo
September 27, 2020, 7:52pm
3
You can, but it might potentially break applications that rely on multiple parallel connections.
dzint
September 27, 2020, 8:25pm
4
Thank you @xvo for your answer
I will stay with both-addresses
However, do you have any idea why I have a problem with high latency?
Do I need any chain=input rules?
Or is it just a problem with per-connection-classifier=both-addresses:2/0 for WAN-09 and per-connection-classifier=both-addresses:2/1 for WAN-12?
Thank you in advance for your help
Best regards
xvo
September 27, 2020, 8:42pm
5
That is definitely a problem, and has to be corrected the way you figured out yourself.
Also be sure that you don’t have fasttrack enabled.
Apart from that I can’t see anything else.
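Added example (mine, not from the thread or from MikroTik): a Python model of how the PCC mangle rules discussed above split new connections. It shows why two rules that both use 2/0 leave half the connections without any mark, that both-addresses keeps all of one host's connections to the same server on one WAN, and why both-addresses-and-ports can spread them across both WANs (xvo's caveat). The hash function, the subnet list and the sample connections are assumptions constructed from the thread.

```python
"""Model of RouterOS per-connection-classifier (PCC) for the mangle rules
discussed above. Added example, not from the thread or from MikroTik.
RouterOS hashes the selected header fields to a 32-bit value and compares
(value mod denominator) with the remainder; the hash used here is an
assumption (SHA-256 stands in for RouterOS's), so the split is realistic
but a given connection will not pick the same WAN as on a real CCR.
"""
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Destinations the first mangle rules accept unmarked (never reach PCC).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.40.0/24", "192.168.50.0/24", "172.17.0.0/24",
    "172.168.9.0/24", "172.168.12.0/24")]

# PCC mangle rules as (per-connection-classifier, new-connection-mark).
BUGGY_RULES = [("both-addresses:2/0", "WAN-09-CONNECTION"),
               ("both-addresses:2/0", "WAN-12-CONNECTION")]  # post #1
FIXED_RULES = [("both-addresses:2/0", "WAN-09-CONNECTION"),
               ("both-addresses:2/1", "WAN-12-CONNECTION")]  # post #2
PORTS_RULES = [("both-addresses-and-ports:2/0", "WAN-09-CONNECTION"),
               ("both-addresses-and-ports:2/1", "WAN-12-CONNECTION")]


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    sport: int
    dport: int


def pcc_hash(conn: Conn, classifier: str) -> int:
    """32-bit value over the fields the classifier selects (assumed hash)."""
    fields = {
        "both-addresses": (conn.src, conn.dst),
        "both-addresses-and-ports": (conn.src, conn.dst,
                                     str(conn.sport), str(conn.dport)),
    }[classifier]
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def pcc_match(conn: Conn, spec: str) -> bool:
    """spec is e.g. 'both-addresses:2/1' = classifier:denominator/remainder."""
    classifier, fraction = spec.split(":")
    denominator, remainder = (int(x) for x in fraction.split("/"))
    return pcc_hash(conn, classifier) % denominator == remainder


def classify(conn: Conn, rules: List[Tuple[str, str]]) -> Optional[str]:
    """First-match walk of the prerouting mangle chain for a new connection
    (connection-mark=no-mark). None means no rule matched: the connection
    gets no routing mark and is routed by the main table, not balanced."""
    dst = ipaddress.ip_address(conn.dst)
    if any(dst in net for net in LOCAL_NETS):
        return None  # action=accept: local traffic stays unmarked
    for spec, mark in rules:
        if pcc_match(conn, spec):
            return mark
    return None


def tally(conns: List[Conn], rules: List[Tuple[str, str]]) -> Counter:
    """How many connections end up with each connection mark."""
    return Counter(classify(c, rules) for c in conns)


def sample_connections() -> List[Conn]:
    """Constructed: 64 VLAN-40 hosts each opening two HTTPS connections to
    8.8.8.8 from different source ports, plus one flow to the VLAN-17 server."""
    conns = []
    for host in range(1, 65):
        src = f"192.168.40.{host}"
        conns.append(Conn(src, "8.8.8.8", 40000 + host, 443))
        conns.append(Conn(src, "8.8.8.8", 50000 + host, 443))
    conns.append(Conn("192.168.40.40", "172.17.0.17", 51000, 445))
    return conns


if __name__ == "__main__":
    conns = sample_connections()
    print("buggy 2/0,2/0:", dict(tally(conns, BUGGY_RULES)))
    print("fixed 2/0,2/1:", dict(tally(conns, FIXED_RULES)))
    print("with ports   :", dict(tally(conns, PORTS_RULES)))
```

With the buggy rule set the unmarked half falls through to the main table, where only one of the two distance=1 default routes is active, so the balancing never happens.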
dzint
September 27, 2020, 8:56pm
6
Thank you @xvo, you saved my life,
I will correct PCC with:
per-connection-classifier=both-addresses:2/0 for WAN-09
per-connection-classifier=both-addresses:2/1 for WAN-12
About https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack, I think I don't use it. You can check my full multiWAN config in my first post.
Also, do you think I need chain=input rules, because I use only the prerouting and output chains?
Thank you again for your help
Best regards
xvo
September 27, 2020, 9:02pm
7
No, you don’t.
Prerouting covers both “input” and “forward” traffic.
Look at your firewall/filter’s forward chain to see if the rule with action “fasttrack” is present at the top.
dzint
September 27, 2020, 9:13pm
8
Hello @xvo,
It is clear now, I understand about prerouting.
You can see my full config:
/ interface
set ether3 name=WAN-09-ADAPTER
set ether4 name=WAN-12-ADAPTER
/ ip address
add interface=WAN-09-ADAPTER address=172.168.9.40/24
add interface=WAN-12-ADAPTER address=172.168.12.40/24
/ ip firewall mangle
add chain=prerouting dst-address=172.168.9.0/24 action=accept in-interface=bridge-trunk
add chain=prerouting dst-address=172.168.12.0/24 action=accept in-interface=bridge-trunk
add chain=prerouting in-interface=WAN-09-ADAPTER connection-mark=no-mark action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=WAN-12-ADAPTER connection-mark=no-mark action=mark-connection new-connection-mark=WAN-12-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN-12-CONNECTION
add chain=prerouting connection-mark=WAN-09-CONNECTION in-interface=bridge-trunk action=mark-routing new-routing-mark=to-WAN-09
add chain=prerouting connection-mark=WAN-12-CONNECTION in-interface=bridge-trunk action=mark-routing new-routing-mark=to-WAN-12
add chain=output connection-mark=WAN-09-CONNECTION action=mark-routing new-routing-mark=to-WAN-09
add chain=output connection-mark=WAN-12-CONNECTION action=mark-routing new-routing-mark=to-WAN-12
/ ip route
add dst-address=0.0.0.0/0 gateway=172.168.9.250 routing-mark=to-WAN-09 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=172.168.12.250 routing-mark=to-WAN-12 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=172.168.9.250 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=172.168.12.250 distance=1 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=WAN-09-ADAPTER action=masquerade
add chain=srcnat out-interface=WAN-12-ADAPTER action=masquerade
It is OK, I think I do not use https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack in the full config above.
Last thing please @xvo, for the 2 WANs I use distance=1 for / ip route. Is it OK?
Thank you again for all your precious help
Best regards
xvo
September 27, 2020, 9:27pm
9
Actually I don’t see any firewall at all, which is not good, if the router is facing the internet, and there are public IPs on any of your Dlink DSL-modems.
It matters only for the two routes in the main table, and only if you want the specific route to be used by the router itself to reach the outside world (then you can change the distance on the other route to a higher value).
Anyway only one of them can be active at a time.
First, why are the ISPs' CPEs not put in bridge mode? You're supposed to let the MikroTik router handle both WAN interfaces, which are PPPoE as you have mentioned.
You have put yourself in a double NAT situation, why would you want that?
D-Link DSL-2890AL should be very easy to bridge, unlike some of the vendors we deal with in my country with PON links.
For load balancing with failover it’s simple, this should get you started:
/ip firewall mangle
###Accept LAN traffic###
add action=accept chain=prerouting dst-address-list=not_in_internet in-interface-list=LAN
###Accepts Traffic from CPEs###
add action=accept chain=prerouting dst-address-list=not_in_internet in-interface=ether1
add action=accept chain=prerouting dst-address-list=not_in_internet in-interface=ether2
###Redirect incoming WAN traffic to their corresponding WAN interface###
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out2 new-connection-mark=ISP2_conn passthrough=yes
#ForHTTPS
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-port=80,443 in-interface=bridge new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-port=80,443 in-interface=bridge new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1 protocol=tcp
###ForNormal connections, to get full speeds###
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet in-interface=bridge new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet in-interface=bridge new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
###Sending marked connections to their destined ISPs###
add action=mark-routing chain=prerouting connection-mark=ISP1_conn dst-address-list=!not_in_internet in-interface=bridge new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn dst-address-list=!not_in_internet in-interface=bridge new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn dst-address-list=!not_in_internet new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn dst-address-list=!not_in_internet new-routing-mark=to_ISP2 passthrough=yes
###Add routes###
/ip route
add check-gateway=ping comment="Load Balancing Route to ISP 1" distance=1 gateway=pppoe-out1 routing-mark=to_ISP1
add check-gateway=ping comment="Load Balancing Route to ISP 2" distance=1 gateway=pppoe-out2 routing-mark=to_ISP2
###Failover###
add check-gateway=ping comment="Default Route for ISP2" distance=2 gateway=pppoe-out2
add check-gateway=ping comment="Default Route for ISP1" distance=1 gateway=pppoe-out1
dzint
September 29, 2020, 2:16pm
11
Hello @DarkNate
Thank you very much for your precious share. You are right, I want to avoid double NAT.
So, I will implement the PPPoE client on the Mikrotik router:
/ interface
set ether3 name=WAN-09-ADAPTER
set ether4 name=WAN-12-ADAPTER
/interface pppoe-client
add interface=WAN-09-ADAPTER name=pppoe-out1 user=user1 password=pass1 disabled=no
add interface=WAN-12-ADAPTER name=pppoe-out2 user=user2 password=pass2 disabled=no
I will use your solution but I have a question about your local list named "not_in_internet".
These are my LOCAL subnets:
VLAN40 : 192.168.40.0/24
VLAN50 : 192.168.50.0/24
VLAN17 : 172.17.0.0/24
I will convert my 2x D-Link routers from PPPoE to bridge. The D-Link addresses are:
Dlink WAN-09 : 172.168.9.250/24
Dlink WAN-12 : 172.168.12.250/24
I have a doubt about "not_in_internet".
For my case, is this correct:
/ip firewall address-list
add address=192.168.40.0/24 list=not_in_internet
add address=192.168.50.0/24 list=not_in_internet
add address=172.17.0.0/24 list=not_in_internet
or should I include the 2x D-Link networks:
/ip firewall address-list
add address=192.168.40.0/24 list=not_in_internet
add address=192.168.50.0/24 list=not_in_internet
add address=172.17.0.0/24 list=not_in_internet
add address=172.168.9.0/24 list=not_in_internet
add address=172.168.12.0/24 list=not_in_internet
Thank you in advance for your help
Best regards
RFC 6890 has all the “not_in_internet” subnets you need, add all of them because it includes multicast/broadcast addresses.
Source: https://tools.ietf.org/html/rfc6890#section-2.2.2
dzint
October 25, 2020, 3:48pm
13
Hello @DarkNate
I followed your advice but I found a small problem with mangle.
I cannot connect to the internet when I enable
add action=drop chain=forward comment="DENY-ALL"
If I disable this DENY-ALL rule, the internet is working.
This is my mangle configuration:
/interface pppoe-client
add interface=ether3 name=pppoe-wan1 user=021xxxx09 password=xxxxxx disabled=no
add interface=ether4 name=pppoe-wan2 user=021xxxx12 password=xxxxxx disabled=no
/ip firewall address-list
add address=0.0.0.0/8 list=local
add address=10.0.0.0/8 list=local
add address=100.64.0.0/10 list=local
add address=127.0.0.0/8 list=local
add address=169.254.0.0/16 list=local
add address=172.16.0.0/12 list=local
add address=192.0.0.0/24 list=local
add address=192.0.0.0/29 list=local
add address=192.0.2.0/24 list=local
add address=192.88.99.0/24 list=local
add address=192.168.0.0/16 list=local
add address=198.18.0.0/15 list=local
add address=198.51.100.0/24 list=local
add address=203.0.113.0/24 list=local
add address=240.0.0.0/4 list=local
add address=255.255.255.255/32 list=local
/ ip firewall mangle
add chain=prerouting dst-address-list=local action=accept in-interface=bridge-trunk
add chain=prerouting dst-address-list=local action=accept in-interface=pppoe-wan1
add chain=prerouting dst-address-list=local action=accept in-interface=pppoe-wan2
add chain=prerouting in-interface=pppoe-wan1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=pppoe-wan2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN-12-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-list=!local dst-port=80,443 per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-09-CONNECTION protocol=tcp
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-list=!local dst-port=80,443 per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN-12-CONNECTION protocol=tcp
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-list=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN-09-CONNECTION
add chain=prerouting in-interface=bridge-trunk connection-mark=no-mark dst-address-list=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN-12-CONNECTION
add chain=prerouting connection-mark=WAN-09-CONNECTION in-interface=bridge-trunk action=mark-routing new-routing-mark=to-WAN-09
add chain=prerouting connection-mark=WAN-12-CONNECTION in-interface=bridge-trunk action=mark-routing new-routing-mark=to-WAN-12
add chain=output connection-mark=WAN-09-CONNECTION action=mark-routing new-routing-mark=to-WAN-09
add chain=output connection-mark=WAN-12-CONNECTION action=mark-routing new-routing-mark=to-WAN-12
/ ip route
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 routing-mark=to-WAN-09 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 routing-mark=to-WAN-12 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 distance=1 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=pppoe-wan1 action=masquerade
add chain=srcnat out-interface=pppoe-wan2 action=masquerade
You can find attached the full export from the router:
config-25102020-1551.conf.rsc (20.7 KB)
Please help me because I need to connect to the internet and enable the DENY-ALL rule.
Any help will be appreciated.
Best regards
What is the use of that rule?
I would delete the firewall filter rules and re-build from scratch. Follow all the recommendations here from MikroTik: https://help.mikrotik.com/docs/display/ROS/Basic+Concepts
Here’s my firewall which blocks anything inbound that’s not DST-NATted which I built using the official MikroTik guide with small tweaks here and there:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=AllNotFromLAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface-list=\
WAN src-address-list=not_in_internet
add action=jump chain=forward comment="Jump to DDoS detection" \
connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge \
src-address=!192.168.88.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target \
src-address-list=ddos-attackers
anav
October 25, 2020, 6:26pm
15
Too much bloatware not required.
Pared down and with more efficient use of drop all rule…
I would start with this much cleaner and leaner approach. If you are having specific issues after that, then address them as applicable.
CONCEPT IS
A. DEFAULT RULES
B. RULES FOR TRAFFIC YOU WISH TO ALLOW
C. DROP ALL ELSE
/ip firewall filter INPUT CHAIN
(A)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(B)
add action=accept chain=input in-interface-list=LAN src-address-list=ADMINACCESS (where that list comprises the static IPs of all devices you will use to configure the router)
(There is no reason for any LAN users to be able to access the router!)
add action=accept chain=input [ADD ANY RULES FOR LAN USERS if they use ROUTER services, the main one being DNS on port 53 for example]
(C)
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++
/ip firewall filter FORWARD CHAIN
A.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
B.
add action=accept chain=forward [where you put any traffic you wish to allow, ex. access to internet]
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN (You can remove this rule if you don't need port forwarding)
C.
add action=drop chain=forward comment="Drop all else"
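Added example (mine, not from the thread or from MikroTik): a Python model of the forward chain that compares the DENY-ALL layout from the October 25 post, assuming the defconf rules precede the drop with no accept in between, with the A/B/C layout above. The matchers are reduced to the ones the thread discusses, and the interface lists and sample packets are constructed.

```python
"""Model of a RouterOS /ip firewall filter forward chain (first match
wins), comparing the DENY-ALL chain from the October 25 post with anav's
A/B/C layout. Added example, not from the thread or from MikroTik; the
matchers are reduced to the ones the thread discusses and the interface
lists and sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_list: str          # interface list the packet arrived on: LAN or WAN
    out_list: str         # interface list it would leave on
    conn_state: str       # new / established / related / untracked / invalid
    nat_state: str = ""   # "dstnat" when a dst-nat (port forward) applied


@dataclass(frozen=True)
class Rule:
    action: str
    comment: str
    conn_state: Optional[FrozenSet[str]] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    nat_state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; unset ones match anything."""
        if self.conn_state is not None and pkt.conn_state not in self.conn_state:
            return False
        if self.in_list is not None and pkt.in_list != self.in_list:
            return False
        if self.out_list is not None and pkt.out_list != self.out_list:
            return False
        if self.nat_state is not None and pkt.nat_state != self.nat_state:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom; the first matching rule decides.
    A RouterOS chain with no matching rule accepts the packet implicitly."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


# (A) the defconf rules both chains start with.
DEFAULTS = [
    Rule("accept", "defconf: accept established,related,untracked",
         conn_state=frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop invalid", conn_state=frozenset({"invalid"})),
]

# October 25 post: defaults, then DENY-ALL with no accept in between. The
# first (state=new) packet of every LAN-to-internet connection is dropped,
# so no connection ever becomes "established" for the first rule to accept.
DENY_ALL_CHAIN = DEFAULTS + [Rule("drop", "DENY-ALL")]

# anav's layout: (A) defaults, (B) explicit allows, (C) drop all else.
ABC_CHAIN = DEFAULTS + [
    Rule("accept", "allow LAN to internet", in_list="LAN", out_list="WAN"),
    Rule("accept", "allow port forwarding", conn_state=frozenset({"new"}),
         in_list="WAN", nat_state="dstnat"),
    Rule("drop", "Drop all else"),
]

# Constructed sample traffic.
SAMPLES: Dict[str, Packet] = {
    "LAN host opens a new connection to 8.8.8.8": Packet("LAN", "WAN", "new"),
    "reply inside an established connection": Packet("WAN", "LAN", "established"),
    "unsolicited new connection from internet": Packet("WAN", "LAN", "new"),
    "new connection matched by a dst-nat rule": Packet("WAN", "LAN", "new", "dstnat"),
    "invalid packet from internet": Packet("WAN", "LAN", "invalid"),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Action each sample packet receives from the given forward chain."""
    return {name: evaluate(chain, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, chain in (("DENY-ALL", DENY_ALL_CHAIN), ("A/B/C", ABC_CHAIN)):
        print(name, verdicts(chain))
```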