Hi,
i’ve tried to configure RB1100AHX2 with 2 Lan and 2 WAN.
Each lan use one’s WAN
I configure Mangle to mark_routing for each subnet.
Internet connection work fine, but VPN not working.
My configuration is:
/ip address
add address=10.10.8.253/24 disabled=no interface=LAN_2_O network=10.10.8.0
add address=99.88.111.202/29 disabled=no interface=WAN_9_O network=99.88.111.200
add address=10.10.9.253/24 disabled=no interface=LAN_3_IF network=10.10.9.0
add address=99.88.111.194/29 disabled=no interface=WAN_8_IF network=99.88.111.192
/ip firewall filter
add action=accept chain=input disabled=no protocol=icmp
add action=accept chain=input connection-state=established disabled=no in-interface=WAN_9_O
add action=accept chain=input connection-state=established disabled=no in-interface=WAN_8_IF
add action=accept chain=input connection-state=related disabled=no in-interface=WAN_9_O
add action=accept chain=input connection-state=related disabled=no in-interface=WAN_8_IF
add action=accept chain=input disabled=no protocol=ipsec-esp src-address=2.288.288.253
add action=accept chain=customer disabled=no dst-address=10.10.8.0/24 in-interface=WAN_9_O out-interface=LAN_2_O src-address=10.10.10.0/23
add action=accept chain=customer disabled=no dst-address=10.10.9.0/24 in-interface=WAN_8_IF out-interface=LAN_3_IF src-address=10.10.10.0/23
add action=drop chain=input disabled=no in-interface=WAN_9_O
add action=drop chain=input disabled=no in-interface=WAN_8_IF
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.10.10.0/23 src-address=10.10.8.0/24
add action=accept chain=srcnat disabled=no dst-address=10.10.10.0/23 src-address=10.10.9.0/24
add action=masquerade chain=srcnat disabled=no out-interface=WAN_9_O src-address=10.10.8.0/24
add action=masquerade chain=srcnat disabled=no out-interface=WAN_8_IF src-address=10.10.9.0/24
/ip ipsec peer
add address=2.288.288.253/32 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des
exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0
lifetime=1d my-id-user-fqdn=“” nat-traversal=no port=500 proposal-check=
obey secret=1234567890 send-initial-contact=yes
add address=2.288.288.253/32 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des
exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0
lifetime=1d my-id-user-fqdn=“” nat-traversal=no port=500 proposal-check=
obey secret=1234567890 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.10.10.0/23 dst-port=any
ipsec-protocols=esp level=require priority=0 proposal=default protocol=
all sa-dst-address=2.288.288.253 sa-src-address=99.88.111.194
src-address=10.10.9.0/24 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=10.10.10.0/23 dst-port=any
ipsec-protocols=esp level=require priority=0 proposal=default protocol=
all sa-dst-address=2.288.288.253 sa-src-address=99.88.111.202
src-address=10.10.8.0/24 src-port=any tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=99.88.111.193
pref-src=10.10.9.253 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=99.88.111.201
pref-src=10.10.8.253 scope=30 target-scope=10
Thank’s
Raffaele Spadaro