Problem: Routing with load sharing between two ISPs

Greetings!

Scenario:
(I’m sorry, this photo is not my actual config, just an illustration)
[image: LOAD SHARING.PNG]
WAN 1: ISP 1
WAN 2: ISP 2

VLAN 10: 192.168.10.1/27
VLAN 20: 10.10.20.1/25
VLAN 40: 192.168.40.1/24

Load sharing between the 2 ISPs is all fine: VLAN 10 and 20 get their internet from ISP 1 and VLAN 40 from ISP 2, until one of the users on ISP 2 tries to connect to / access files on a user on ISP 1, and vice versa.
And now the problem arises.

I can ping all their gateways (e.g. 192.168.10.1, 192.168.40.1) but not the actual IP addresses of the current users. I get that they’re connected to different ISPs, but is there a way that they can communicate even when they’re connected to different ISPs?

I feel like I’m lacking in my routing. Can someone enlighten a novice like me?


Thank you so much in advance for the response.

Without looking at your config, all comments are pure conjecture!
It appears you are simply asking for the ability to share information between VLANs?

In that case you need to add VLAN-to-VLAN access rules, which you will probably want to narrow down to perhaps specific devices, protocols/ports, schedule, etc.
Often one wants to share a common printer among numerous VLANs, for example.

Without really knowing the requirements (in user workflow speak, not equipment/config solution speak) and the contents of the config, it’s hard to say more.

Hey. What did you mean when you said that users are connected to different ISPs? First of all, they are connected to your LANs, with or without VLANs. They are on your router even without ISPs. Your router is well aware of the routing info of all 3 networks connected to it directly, so it knows how to reach them. If any PC has a default route, you need to look into the firewalls on them or on the router’s firewall filter.

A common problem is when routing is marked for anything coming from a given LAN subnet and the selected routing table only has a default route, so for marked packets the router doesn’t know about the other LANs anymore. The solution is to either not mark everything (exclude LANs), or use routing rules to look up LANs only in the main routing table.
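The routing-mark trap described in the reply above, as an added example that is not part of the original thread: a small Python model of the lookup order (explicit route rules first, then the table chosen by the routing mark, then main), using the subnets, marks and route rules that appear in the config posted later in the thread. The lookup order itself and the fallback to main when the marked table has no match are assumptions that agree with what the thread observed; this is illustrative code, not RouterOS.

```python
import ipaddress

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Routing tables as the posted config builds them: the connected VLAN routes
# and the ISP2 default live in "main"; the route added with
# routing-mark=to_ISP1 puts only a default route into table "to_ISP1".
TABLES = {
    "main": {
        IPNet("192.168.10.0/27"): "connected vlan10",
        IPNet("10.10.20.0/25"): "connected vlan20",
        IPNet("192.168.40.0/24"): "connected vlan40",
        IPNet("0.0.0.0/0"): "default via 192.168.9.1 (ISP2)",
    },
    "to_ISP1": {
        IPNet("0.0.0.0/0"): "default via ISP1 gateway",
    },
}

# /ip firewall mangle mark-routing rules: src-address -> new-routing-mark
# (two of the subnets the posted config sends to ISP1).
MARK_RULES = [
    (IPNet("192.168.10.0/27"), "to_ISP1"),  # Balai Condo
    (IPNet("192.168.90.0/24"), "to_ISP1"),  # Guest
]

# /ip route rule ... action=lookup-only-in-table table=main
LAN_RULES = [IPNet("192.168.0.0/16"), IPNet("10.0.0.0/8")]


def routing_mark(src, dst, exclude_lans=False):
    """Mark the mangle rules would set. With exclude_lans=True the mark rules
    are assumed to carry a dst-address exclusion for the LANs (the
    'do not mark everything' fix), so LAN-bound packets stay unmarked."""
    if exclude_lans and any(dst in lan for lan in LAN_RULES):
        return None
    for src_net, mark in MARK_RULES:
        if src in src_net:
            return mark
    return None


def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    best, hit = None, None
    for prefix, nexthop in TABLES[table].items():
        if dst in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best, hit = prefix, nexthop
    return hit


def route(src, dst, use_route_rules=False, exclude_lans=False):
    """Routing decision for a forwarded packet (assumed order, see lead-in)."""
    src, dst = IPAddr(src), IPAddr(dst)
    # 1. explicit route rules win: LAN destinations are looked up in main only
    if use_route_rules and any(dst in lan for lan in LAN_RULES):
        return lookup("main", dst)
    # 2. a routing mark selects its table; a bare default route there matches
    #    every destination, including the other VLANs, so they leave via ISP1
    mark = routing_mark(src, dst, exclude_lans)
    if mark is not None:
        hit = lookup(mark, dst)
        if hit is not None:
            return hit
    # 3. unmarked traffic uses main, which still knows the connected VLANs
    return lookup("main", dst)


def demo():
    balai_host, vvh_host = "192.168.10.5", "192.168.40.20"  # constructed hosts
    return {
        "broken": route(balai_host, vvh_host),
        "route_rules": route(balai_host, vvh_host, use_route_rules=True),
        "exclude_lans": route(balai_host, vvh_host, exclude_lans=True),
        # the unmarked side already reaches the marked one; only the
        # marked side's half of the conversation was being sent to ISP1
        "reverse": route(vvh_host, balai_host),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>12}: {decision}")
```

Both fixes from the reply give the same result; the route-rule version keeps the mangle rules untouched, which is the one the thread ends up using. Internet-bound traffic from the marked subnet still goes to ISP1 with either fix.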

I’m sorry. Here is my config:

/interface bridge
add admin-mac=CC:2D:E0:00:30:AF auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ISP1
set [ find default-name=ether2 ] name=ISP2
/interface vlan
add comment=Technical interface=bridge name=vlan5 vlan-id=5
add comment=Balai interface=bridge name=vlan10 vlan-id=10
add comment=Client interface=bridge name=vlan12 vlan-id=12
add comment=RSUO interface=bridge name=vlan20 vlan-id=20
add comment=Audit interface=bridge name=vlan30 vlan-id=30
add comment=VVH interface=bridge name=vlan40 vlan-id=40
add comment=AGRO interface=bridge name=vlan50 vlan-id=50
add comment=MIS interface=bridge name=vlan60 vlan-id=60
add comment=Veza interface=bridge name=vlan70 vlan-id=70
add comment="Unit 101" interface=bridge name=vlan80 vlan-id=80
add comment=Guests interface=bridge name=vlan90 vlan-id=90
add comment=Executive interface=bridge name=vlan100 vlan-id=100
add comment=Towers interface=bridge name=vlan110 vlan-id=110
add comment=CCTV interface=bridge name=vlan120 vlan-id=120
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=chiaanime regexp="^.+(chia-anime).*\$"
add name=downloader regexp="^.+(downloader|youtubedownloader|youtubnow|convert\
    er|youtubedownloader|en.savefrom).*\$"
add name=ebay regexp="^.+(ebay).*\$"
add name=facebook regexp="^.+(www.facebook.com|facebook.com|login.facebook.com\
    |www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|st\
    atic.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.net|www.\
    connect.facebook.net|apps.facebook.com).*\$"
add name=insta regexp="^.+(instagram).*\$"
add name=kissanime regexp="^.+(kissanime).*\$"
add name=kissasian regexp="^.+(kissasian).*\$"
add name=newscommer regexp="^.+(newscommer|.exe).*\$"
add name=streaming regexp="^.+(3gp|mov|mpe|mpeg|mpeg2|mpeg3|mpeg4|mkv|avi|flv|\
    f4v|f4p|f4a|f4b|x-flv|msi|wmv|mp2|mp3|mp4|swf|rm|rmvb|vcd|pdf|da\\\r\
    \nt|iso|nrg|bin|cab|vcd|ogg|wma|divx|d2v|qt|0[0-9][0-9]).*\$"
add name=tinder regexp="^.+(tinder.com).*\$"
add name=torrentsites regexp="^.+(torrent|thepiratebay|isohunt|entertane|demon\
    oid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bitto\
    xic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|bt\
    bot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
add name=viu regexp="^.+(viu).*\$"
add name=webtoon regexp="^.+(webtoon).*\$"
add name=youtube regexp="^.+(youtube|www.youtube.com|m.youtube.com|ytimg.com|s\
    .ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevide\
    o.com|youtu.be).*\$"
add name=twitter regexp="^.+(twitter).*\$"
/ip pool
add name=dhcp ranges=192.168.1.101-192.168.1.254
add name=dhcp_technical ranges=10.10.5.2-10.10.5.14
add name=dhcp_balai ranges=192.168.10.2-192.168.10.30
add name=dhcp_client ranges=12.10.10.2-12.10.10.254
add name=dhcp_rsuo ranges=10.10.20.2-10.10.20.115
add name=dhcp_audit ranges=10.10.30.2-10.10.30.30
add name=dhcp_vvh ranges=192.168.40.31-192.168.40.254
add name=dhcp_agro ranges=192.168.50.21-192.168.50.254
add name=dhcp_mis ranges=10.10.60.2-10.10.60.126
add name=dhcp_unit101 ranges=10.10.80.2-10.10.80.62
add name=dhcp_guest ranges=192.168.90.2-192.168.90.254
add name=dhcp_executive ranges=10.10.10.2-10.10.10.126
add name=dhcp_towers ranges=10.10.0.31-10.10.0.254
add name=dhcp_cctv ranges=10.10.120.31-10.10.120.62
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_technical disabled=no interface=vlan5 lease-time=1h \
    name=Technical
add address-pool=dhcp_balai disabled=no interface=vlan10 lease-time=1h name=\
    "Balai Condo"
add address-pool=dhcp_client disabled=no interface=vlan12 lease-time=1h name=\
    Client
add address-pool=dhcp_rsuo disabled=no interface=vlan20 lease-time=1h name=\
    RSUO
add address-pool=dhcp_audit disabled=no interface=vlan30 lease-time=1h name=\
    Audit
add address-pool=dhcp_vvh disabled=no interface=vlan40 lease-time=1h name=VVH
add address-pool=dhcp_agro disabled=no interface=vlan50 lease-time=1h name=\
    Agro
add address-pool=dhcp_mis disabled=no interface=vlan60 lease-time=1h name=MIS
add address-pool=dhcp_unit101 disabled=no interface=vlan80 lease-time=1h \
    name="Unit 101"
add address-pool=dhcp_guest disabled=no interface=vlan90 lease-time=1h name=\
    Guest
add address-pool=dhcp_executive disabled=no interface=vlan100 lease-time=1h \
    name=Executive
add address-pool=dhcp_towers disabled=no interface=vlan110 lease-time=1h \
    name=Towers
add address-pool=dhcp_cctv disabled=no interface=vlan120 lease-time=1h name=\
    CCTV
/queue simple
add disabled=yes max-limit=21M/21M name=LAN target=bridge
add max-limit=36M/36M name=Nissan target=192.168.1.16/32
add max-limit=24M/24M name=DMamaclay target=12.10.10.5/32
add max-limit=18M/18M name=Laundry target=10.10.0.20/32
add max-limit=10M/10M name="Balai Condo" target=vlan10
add max-limit=40M/30M name=RSUO target=vlan20
add max-limit=15M/10M name=Audit target=vlan30
add max-limit=40M/30M name=VVH target=vlan40
add max-limit=60M/60M name=Agro target=vlan50
add max-limit=30M/20M name="Unit 101" target=vlan80
add max-limit=10M/10M name=Guest target=vlan90
add max-limit=23M/23M name=Tower target=vlan110
add max-limit=10M/10M name=CCTV target=vlan120
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ISP1 list=WAN
add interface=ISP2 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=122.***.***.***/27 comment=I-gate interface=ISP1 network=\
    122.***.***.***
add address=10.10.5.1/28 comment=Technical interface=vlan5 network=10.10.5.0
add address=192.168.10.1/27 comment=Balai interface=vlan10 network=\
    192.168.10.0
add address=12.10.10.1/24 comment=Client interface=vlan12 network=12.10.10.0
add address=10.10.20.1/25 comment=RSUO interface=vlan20 network=10.10.20.0
add address=10.10.30.1/27 comment=Audit interface=vlan30 network=10.10.30.0
add address=192.168.40.1/24 comment=VVH interface=vlan40 network=192.168.40.0
add address=192.168.50.1/24 comment=AGRO interface=vlan50 network=\
    192.168.50.0
add address=10.10.60.1/25 comment=MIS interface=vlan60 network=10.10.60.0
add address=10.10.70.1/24 comment=Veza interface=vlan70 network=10.10.70.0
add address=10.10.80.1/26 comment="Unit 101" interface=vlan80 network=\
    10.10.80.0
add address=192.168.90.1/24 comment=Guests interface=vlan90 network=\
    192.168.90.0
add address=10.10.10.1/25 comment=Executive interface=vlan100 network=\
    10.10.10.0
add address=10.10.0.1/24 comment=Towers interface=vlan110 network=10.10.0.0
add address=10.10.120.1/26 comment=CCTV interface=vlan120 network=10.10.120.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ISP1
add dhcp-options=hostname,clientid disabled=no interface=ISP2
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.10.5.0/28 gateway=10.10.5.1
add address=10.10.10.0/25 gateway=10.10.10.1
add address=10.10.20.0/25 gateway=10.10.20.1
add address=10.10.30.0/27 gateway=10.10.30.1
add address=10.10.60.0/25 gateway=10.10.60.1
add address=10.10.80.0/26 gateway=10.10.80.1
add address=10.10.120.0/26 gateway=10.10.120.1
add address=12.10.10.0/24 gateway=12.10.10.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.10.0/27 gateway=192.168.10.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.90.0/24 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=ISP1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related \
    disabled=yes src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related \
    disabled=yes dst-address=192.168.1.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related src-address=10.10.10.0/25
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related src-address=10.10.60.0/25
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes src-address=\
    192.168.1.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="NA: Laptop LAN" src-mac-address=\
    2C:FD:A1:85:7C:20
add action=accept chain=forward comment="NA: Phone" src-mac-address=\
    80:BE:05:2A:DD:BA
add action=accept chain=forward comment="NA: Laptop WLAN" src-mac-address=\
    40:9F:38:E2:6F:0D
add action=drop chain=forward comment=VDC/WAN dst-address=122.***.***.***
add action=accept chain=forward comment="EXECUTIVE LINE" src-address=\
    10.10.10.0/25
add action=accept chain=forward comment=Technical src-address=10.10.5.0/28
add action=accept chain=forward comment="Client Access:" src-address=\
    10.10.0.0/24
add action=accept chain=input comment="Client Access:" src-address=\
    10.10.0.0/24
add action=drop chain=forward comment="Client Access:" disabled=yes protocol=\
    icmp src-address=12.10.10.0/24
add action=accept chain=forward comment="Client Access:" src-address=\
    192.168.1.69
add action=accept chain=forward comment="Client Access: Nissan" src-address=\
    192.168.1.16
add action=accept chain=forward comment="Balai FO" src-mac-address=\
    30:9C:23:08:F7:7C
add action=accept chain=forward comment=facebook packet-mark=facebook_packet \
    src-address=10.10.60.0/25
add action=accept chain=forward comment=youtube packet-mark=youtube_packet \
    src-address=10.10.60.0/25
add action=accept chain=forward comment=facebook packet-mark=facebook_packet \
    src-address=192.168.50.0/24
add action=accept chain=forward comment=youtube packet-mark=youtube_packet \
    src-address=192.168.50.0/24
add action=accept chain=forward comment=facebook packet-mark=facebook_packet \
    src-address=192.168.1.253
add action=accept chain=forward comment=youtube packet-mark=youtube_packet \
    src-address=192.168.40.0/24
add action=drop chain=input comment=mlbb packet-mark=mlbb_packet
add action=drop chain=forward comment=mlbb packet-mark=mlbb_packet
add action=drop chain=forward comment=youtube packet-mark=youtube_packet
add action=drop chain=input comment=youtube packet-mark=youtube_packet
add action=drop chain=forward comment=facebook packet-mark=facebook_packet
add action=drop chain=input comment=facebook packet-mark=facebook_packet
add action=drop chain=forward comment=torrent packet-mark=torrent_packet
add action=drop chain=input comment=torrent packet-mark=torrent_packet
add action=drop chain=input comment=instagram packet-mark=insta_packet
add action=drop chain=forward comment=instagram packet-mark=insta_packet
add action=drop chain=forward comment=downloader packet-mark=\
    downloader_packet
add action=drop chain=input comment=downloader packet-mark=downloader_packet
add action=drop chain=forward comment=chiaanime packet-mark=chiaanime_packet
add action=drop chain=input comment=chiaanime packet-mark=chiaanime_packet
add action=drop chain=forward comment=ebay packet-mark=ebay_packet
add action=drop chain=input comment=ebay packet-mark=ebay_packet
add action=drop chain=forward comment=twiiter packet-mark=twitter_packet
add action=drop chain=input comment=twitter packet-mark=twitter_packet
add action=accept chain=forward protocol=icmp
add action=accept chain=forward comment=FTP dst-port=20 protocol=tcp
add action=accept chain=forward comment=FTP dst-port=21 protocol=tcp
add action=accept chain=forward comment=SSH dst-port=22 protocol=tcp
add action=accept chain=forward comment=DNS dst-port=53 protocol=tcp
add action=accept chain=forward comment=DNS dst-port=53 protocol=udp
add action=accept chain=forward comment="BOOTP Server" dst-port=67 protocol=\
    udp
add action=accept chain=forward comment="BOOTP Client" dst-port=68 protocol=\
    udp
add action=accept chain=forward comment=http dst-port=80 protocol=tcp
add action=accept chain=input comment=http dst-port=80 protocol=tcp
add action=accept chain=forward comment=NTP dst-port=123 protocol=udp
add action=accept chain=forward comment=SNMP dst-port=161 protocol=udp
add action=accept chain=forward comment=https dst-port=443 protocol=tcp
add action=accept chain=forward comment=ISAKMP dst-port=500 protocol=udp
add action=accept chain=forward comment=TCP/ip dst-port=587 protocol=tcp
add action=accept chain=forward comment=SOCKS dst-port=1080 protocol=tcp
add action=accept chain=forward comment=Email dst-port=2082 protocol=tcp
add action=accept chain=forward comment=Email dst-port=2083 protocol=tcp
add action=accept chain=forward comment=Email dst-port=2093 protocol=tcp
add action=accept chain=forward comment=Email dst-port=2095 protocol=tcp
add action=accept chain=forward comment="DB Freddo Online" dst-port=3306 \
    protocol=tcp
add action=accept chain=forward comment="DB Freddo Online" dst-port=3306 \
    protocol=udp
add action=accept chain=forward comment="DB NA System" dst-port=3307 \
    protocol=udp
add action=accept chain=forward comment=WBT dst-port=3389 protocol=udp
add action=accept chain=forward comment=WBT dst-port=3389 protocol=tcp
add action=accept chain=forward comment=Unifi dst-port=3478 protocol=udp
add action=accept chain=forward comment="Team Viewer" dst-port=5938 protocol=\
    tcp
add action=accept chain=forward comment="Team Viewer" dst-port=5938 protocol=\
    udp
add action=accept chain=forward comment="NA System" dst-port=6661 protocol=\
    tcp
add action=accept chain=forward comment="NA System" dst-port=6661 protocol=\
    udp
add action=accept chain=forward comment=http dst-port=8000 protocol=tcp
add action=accept chain=forward comment=Unifi dst-port=8080 protocol=tcp
add action=accept chain=forward comment=Unifi dst-port=8443 protocol=tcp
add action=accept chain=forward comment=RSTP dst-port=10554 protocol=tcp
add action=accept chain=input comment=RSTP dst-port=10554 protocol=tcp
add action=accept chain=forward comment="Cloud Key" src-address=192.168.1.180
add action=accept chain=forward comment=Server dst-address=192.168.9.3
add action=accept chain=forward comment=Server dst-address=192.168.9.2
add action=accept chain=forward comment="VPN: MIS Line" dst-address=\
    172.16.10.0/24 src-address=10.10.60.0/25
add action=accept chain=forward comment="Fit-out: NAS" dst-address=\
    192.168.1.100 src-address=192.168.40.0/24
add action=accept chain=forward comment=\
    "Routing: Unit 101 to VDC Acct Server" dst-address=172.20.10.10 \
    src-address=10.10.80.0/26
add action=accept chain=forward comment=\
    "Routing: Unit 101 to RSUO Acct Server" dst-address=10.10.20.120 \
    src-address=10.10.80.0/26
add action=accept chain=forward comment="Routing: To Batching Plant Agro" \
    dst-address=192.168.50.12
add action=accept chain=forward comment="CCTV Sir MIke" src-mac-address=\
    4C:DD:31:73:19:A3
add action=accept chain=forward comment="CCTV: Balai Condo" src-address=\
    192.168.10.0/27
add action=accept chain=forward comment="CCTV: Veza" src-address=10.10.0.2
add action=accept chain=forward comment="CCTV Subnet" src-address=\
    10.10.120.0/26
add action=accept chain=forward dst-address=10.10.30.0/27 src-address=\
    192.168.1.0/24
add action=accept chain=input dst-address=10.10.30.0/27 src-address=\
    192.168.1.0/24
add action=drop chain=forward comment="drop everything else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Audit new-routing-mark=\
    to_ISP1 passthrough=yes src-address=10.10.30.0/27
add action=mark-routing chain=prerouting comment=CCTV new-routing-mark=\
    to_ISP1 passthrough=yes src-address=10.10.120.0/26
add action=mark-routing chain=prerouting comment=Guest new-routing-mark=\
    to_ISP1 passthrough=yes src-address=192.168.90.0/24
add action=mark-routing chain=prerouting comment="Balai Condo" \
    new-routing-mark=to_ISP1 passthrough=yes src-address=192.168.10.0/27
add action=mark-routing chain=prerouting comment="North Laundry" \
    new-routing-mark=to_ISP1 passthrough=yes src-address=10.10.0.20
add action=mark-routing chain=prerouting comment=DMamaclay new-routing-mark=\
    to_ISP1 passthrough=yes src-address=12.10.10.5
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    to_ISP1 passthrough=yes src-address=192.168.1.0/24
add action=mark-connection chain=prerouting comment=youtube connection-mark=\
    no-mark dst-port=53 layer7-protocol=youtube new-connection-mark=\
    youtube_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=youtube connection-mark=\
    youtube_conn new-packet-mark=youtube_packet passthrough=yes
add action=mark-connection chain=prerouting comment=facebook connection-mark=\
    no-mark dst-port=53 layer7-protocol=facebook new-connection-mark=\
    facebook_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=facebook connection-mark=\
    facebook_conn new-packet-mark=facebook_packet passthrough=yes
add action=mark-connection chain=prerouting comment=torrent connection-mark=\
    no-mark dst-port=53 layer7-protocol=torrentsites new-connection-mark=\
    torrent_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=torrent connection-mark=\
    torrent_conn new-packet-mark=torrent_packet passthrough=yes
add action=mark-connection chain=prerouting comment=instagram \
    connection-mark=no-mark dst-port=53 layer7-protocol=insta \
    new-connection-mark=insta_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=instagram connection-mark=\
    insta_conn new-packet-mark=insta_packet passthrough=yes
add action=mark-connection chain=prerouting comment=mlbb connection-mark=\
    no-mark dst-port=30000-32000 new-connection-mark=mlbb_conn passthrough=\
    yes protocol=tcp
add action=mark-packet chain=prerouting comment=mlbb connection-mark=\
    mlbb_conn new-packet-mark=mlbb_packet passthrough=yes
add action=mark-connection chain=prerouting comment=downloader \
    connection-mark=no-mark dst-port=53 layer7-protocol=downloader \
    new-connection-mark=downloader_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=downloader connection-mark=\
    downloader_conn new-packet-mark=downloader_packet passthrough=yes
add action=mark-connection chain=prerouting comment=chiaanime \
    connection-mark=no-mark dst-port=53 layer7-protocol=chiaanime \
    new-connection-mark=chiaanime_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=chiaanime connection-mark=\
    chiaanime_conn new-packet-mark=chiaanime_packet passthrough=yes
add action=mark-connection chain=prerouting comment=ebay connection-mark=\
    no-mark dst-port=53 layer7-protocol=ebay new-connection-mark=ebay_conn \
    passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=ebay connection-mark=\
    ebay_conn new-packet-mark=ebay_packet passthrough=yes
add action=mark-connection chain=prerouting comment=twiiter connection-mark=\
    no-mark dst-port=53 layer7-protocol=twitter new-connection-mark=\
    twitter_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment=twitter connection-mark=\
    twitter_conn new-packet-mark=twitter_packet passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
/ip route
add distance=2 gateway=122.***.***.*** routing-mark=to_ISP1
add distance=1 gateway=192.168.9.1
add distance=2 gateway=122.***.***.***
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table dst-address=10.0.0.0/8 table=main
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Try this:

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table dst-address=10.0.0.0/8 table=main
  1. You have a LAN structure tied to the bridge; get rid of it if not required, or create another VLAN and set it up like the rest of your VLANs.
    (all the settings associated with 192.168.1.x)
  2. Get rid of the IP DNS STATIC default setting.
  3. Where are the bridge VLANs? This is where you identify which ether ports the VLANs will go out on, and according to the bridge port structure you do have, all the ether ports act as trunk ports??

Oh my gosh! Thank you so much. I can ping it now.
But I seem to have a little bit of a problem. I need to turn off the firewall of the unit so it can respond. What may be the cause?

It’s possible that the target device’s firewall is configured to only allow access from the same subnet. The clean solution is to reconfigure it. The quick and dirty solution is to add srcnat on the router, so connections from other subnets would have their source address changed to the router’s address, which is part of the target device’s subnet. But it really is ugly, and the fewer NATs you have, the better.

Is that so? :frowning: Reconfiguration is not an option for me.

Hi!

  1. I needed it.
  2. May I ask why do I need to get rid of it?
  3. Well I’ll be only using 1-2 trunk ports so I didn’t bother to configure the other ports.

Thanks for responding by the way.

If it’s not possible to do anything with the target device, there’s still the quick and dirty option, i.e.:

/ip firewall nat
add chain=srcnat src-address=<source> dst-address=<destination> action=masquerade

Downside is that everything coming from <source> will have the address changed to the router’s address. Which can solve the problem, but it’s not nice at the same time. But you can make rule(s) only for specific addresses and ports where it’s necessary and leave the rest untouched.
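The quick-and-dirty srcnat above, as an added example that is not part of the original thread: a Python model of what the masquerade rule does to a packet and how a target host whose firewall only accepts same-subnet sources sees it, first with no NAT, then with a broad rule, then with one narrowed to a single port. The router's VLAN addresses are the ones from the posted config; the target host 192.168.10.7, the client 192.168.40.20, the file-sharing port 445 and the host's firewall policy are constructed for the example. This is illustrative code, not RouterOS.

```python
import ipaddress
from dataclasses import dataclass, replace

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: IPAddr
    dst: IPAddr
    dport: int


# Router's own address on each VLAN (from the posted /ip address section);
# masquerade rewrites the source to the address of the egress interface.
ROUTER_ADDRS = {
    IPNet("192.168.10.0/27"): IPAddr("192.168.10.1"),  # vlan10 Balai
    IPNet("192.168.40.0/24"): IPAddr("192.168.40.1"),  # vlan40 VVH
}


def egress_router_addr(dst):
    for net, addr in ROUTER_ADDRS.items():
        if dst in net:
            return addr
    raise ValueError(f"no connected interface for {dst}")


def srcnat(pkt, rules):
    """Apply the first matching srcnat masquerade rule.
    rules: (src-address, dst-address, dst-port or None for any port)."""
    for src_net, dst_net, dport in rules:
        if pkt.src in src_net and pkt.dst in dst_net and dport in (None, pkt.dport):
            return replace(pkt, src=egress_router_addr(pkt.dst))
    return pkt  # no rule matched: source address left untouched


def host_firewall_accepts(pkt, host_subnet):
    """Constructed target-host policy: accept only sources in its own subnet."""
    return pkt.src in host_subnet


def demo():
    target_net = IPNet("192.168.10.0/27")
    smb = Packet(IPAddr("192.168.40.20"), IPAddr("192.168.10.7"), 445)
    ssh = replace(smb, dport=22)
    # broad: every port from the whole VVH subnet to the target gets rewritten
    broad = [(IPNet("192.168.40.0/24"), IPNet("192.168.10.7/32"), None)]
    # narrow: only the file-sharing port, as the reply suggests
    narrow = [(IPNet("192.168.40.0/24"), IPNet("192.168.10.7/32"), 445)]
    return {
        "no_nat_ok": host_firewall_accepts(smb, target_net),
        "broad_src_seen_by_host": str(srcnat(smb, broad).src),
        "broad_ok": host_firewall_accepts(srcnat(smb, broad), target_net),
        "narrow_smb_ok": host_firewall_accepts(srcnat(smb, narrow), target_net),
        "narrow_ssh_ok": host_firewall_accepts(srcnat(ssh, narrow), target_net),
        "narrow_ssh_src": str(srcnat(ssh, narrow).src),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>24}: {value}")
```

After the masquerade the target only ever sees 192.168.10.1, so its own logs and any host-based allow lists can no longer tell which VVH machine connected; that loss of attribution is part of why the reply calls it ugly, and why scoping the rule to the exact destination and port keeps the damage small.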

Okay, I’ll try it. Thank you! :slight_smile: