Problem with recursive routing

Hello, I have a problem on a customer site.
I configured a second ISP connection and recursive routing for failover.
From the customer LAN this works: when ISP1 fails, ISP2 is used, and as soon as ISP1 becomes available again traffic switches back to ISP1.
But I am unable to reach the routerboard from ISP2.
I ran tool sniffer and I can see that the answer comes from the wrong interface.
What am I missing?
I am running ROS 7.18.1


Thanks

Leo

# Interface layer: the LAN bridge, the wlan1 access point, the two renamed
# uplinks (ether1 -> ISP2, ether5 -> ISP1) and the WAN/LAN interface lists
# that the firewall rules further down refer to.
/interface bridge
add admin-mac=6C:3B:6B:5E:91:7D auto-mac=no comment=defconf name=bridge-LAN_CUSTOMER port-cost-mode=short
/interface wireless
# NOTE(review): the next command is split over two lines without a
# continuation character; this looks like a paste artifact - confirm against
# the original export.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge
ssid=MikroTik-5E9181 wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP2
set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] name=ether5-ISP1
# The two lists are only declared here; membership is assigned under
# "/interface list member".
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK profile; no key is shown in this listing.
# NOTE(review): the typographic quotes used here and in later comment= values
# look like forum rendering; an importable export would carry straight quotes.
add authentication-types=wpa2-psk mode=dynamic-keys name=profiloCUSTOMER supplicant-identity=“”
# Address pool, routing instances/tables, bridge ports and global
# connection-tracking / discovery settings.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip smb users
set [ find default=yes ] disabled=yes
# RIP instance is enabled; no RIP interface template appears in this listing.
/routing rip instance
add disabled=no name=rip_CUSTOMER redistribute=“”
# Two per-ISP FIB tables are declared. None of the routes under "/ip route"
# in this listing is placed in either table, so a routing mark pointing at
# them would find no route there.
/routing table
add disabled=no fib name=verso_ISP2
add disabled=no fib name=verso_ISP1
# BGP default template: AS 65510, advertises the bgp_networks address list.
/routing bgp template
set default as=65510 disabled=no output.network=bgp_networks router-id=192.168.0.1 routing-table=main
/interface bridge port
add bridge=bridge-LAN_CUSTOMER comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN_CUSTOMER comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN_CUSTOMER comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN_CUSTOMER comment=defconf interface=wlan1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
# NOTE(review): discovery is enabled on every interface, which includes both
# ISP uplinks; neighbour discovery announces the device on those links.
# Restricting it to the LAN list would limit that - confirm whether discovery
# on the uplinks is intended.
/ip neighbor discovery-settings
set discover-interface-list=all
# Interface-list membership, OpenVPN server, addressing, DHCP and DNS.
/interface list member
add comment=defconf interface=bridge-LAN_CUSTOMER list=LAN
# NOTE(review): only ether1-ISP2 is a member of WAN; ether5-ISP1 is in neither
# list. Rules that match in-interface-list=WAN therefore do not apply to
# traffic arriving from ISP1 (rules written as !LAN still do).
add comment=defconf interface=ether1-ISP2 list=WAN
# The OpenVPN client interface is treated as LAN, so it passes every
# "not coming from LAN" drop rule in the IPv4 and IPv6 filters.
add interface=<ovpn-casa_leo> list=LAN
/interface ovpn-server server
# NOTE(review): the offered cipher set still includes blowfish128, a 64-bit
# block cipher, next to AES-CBC; dropping it leaves only the AES entries.
# Confirm client compatibility before changing.
add certificate=“CUSTOMER CA” cipher=blowfish128,aes128-cbc,aes256-cbc disabled=no mac-address=FE:E5:4D:EA:78:06 name=ovpn-server1
# The public addresses are anonymised by the poster (m.n.o.*, q.r.s.*).
# The router itself is .186 on the ISP2 /30 and .54 on the ISP1 /30.
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge-LAN_CUSTOMER network=192.168.0.0
add address=m.n.o.186/30 interface=ether1-ISP2 network=m.n.o.184
add address=q.r.s.54/30 interface=ether5-ISP1 network=q.r.s.52
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-ISP2
# DHCP server is disabled; its pool and network still use the default
# 192.168.88.0/24 range while the bridge address above is 192.168.0.1/24.
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge-LAN_CUSTOMER lease-time=10m name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
# The router answers DNS queries from other hosts (allow-remote-requests=yes);
# which sources can reach it is decided by the input chain below.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,208.67.222.220
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# IPv4 address lists and filter rules (input = traffic to the router itself,
# forward = traffic routed through it).
# IP_MANAGEMENT_ISP2 mixes anonymised public prefixes with two private /24s.
/ip firewall address-list
add address=a.b.c.d/24 list=IP_MANAGEMENT_ISP2
add address=a.b.c.e/24 list=IP_MANAGEMENT_ISP2
add address=z.y.x.w list=IP_MANAGEMENT_ISP2
add address=z.y.l.m/29 list=IP_MANAGEMENT_ISP2
add address=192.168.0.0/24 list=bgp_networks
add address=172.16.25.0/24 list=PEER_BGP
add address=192.168.178.0/24 list=IP_MANAGEMENT_ISP2
add address=192.168.168.0/24 list=IP_MANAGEMENT_ISP2
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
# NOTE(review): the two rules below accept every protocol and port from the
# listed sources on any interface, based on source address alone. Narrowing
# them by in-interface, protocol and dst-port (only the management services
# actually used) would reduce what a spoofed or compromised management source
# can reach.
add action=accept chain=input src-address-list=IP_MANAGEMENT_ISP2
add action=accept chain=input src-address-list=PEER_BGP
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
# Final input drop is written as !LAN, so it covers both ISP uplinks.
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
# NOTE(review): this is the only rule dropping new inbound forward traffic and
# it matches in-interface-list=WAN. Since ether5-ISP1 is not a member of WAN,
# new connections arriving from ISP1 are not matched here and no later forward
# rule drops them. Adding ether5-ISP1 to the WAN list would close that gap.
# (The rule is split over two lines in this paste.)
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new
in-interface-list=WAN
# Policy-routing marks and source NAT.
# All four mangle rules are disabled=yes, so no connection or routing mark is
# applied. Replies generated by the router then follow the main table, which
# is consistent with the symptom described in the post (answer leaving via the
# other uplink).
/ip firewall mangle
# Intended to steer router-originated replies into the per-ISP table for
# connections carrying the matching connection mark.
add action=mark-routing chain=output connection-mark=Connessione_ISP1 disabled=yes new-routing-mark=verso_ISP1
add action=mark-routing chain=output connection-mark=Connessione_ISP2 disabled=yes new-routing-mark=verso_ISP2
# NOTE(review): each mark-connection rule matches connections that already
# carry the mark it sets, so an unmarked new connection would never match even
# if the rule were enabled. The usual form matches connection-mark=no-mark on
# the ingress interface. (Both rules are split over two lines in this paste.)
add action=mark-connection chain=prerouting connection-mark=Connessione_ISP1 disabled=yes in-interface=ether5-ISP1 new-connection-mark=
Connessione_ISP1
add action=mark-connection chain=prerouting connection-mark=Connessione_ISP2 disabled=yes in-interface=ether1-ISP2 new-connection-mark=
Connessione_ISP2
# One masquerade rule per uplink, each bound to its interface by name.
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface=ether1-ISP2
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface=ether5-ISP1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Recursive failover: host routes pin a probe address to each ISP gateway and
# the default routes resolve through those probe addresses with
# check-gateway=ping. Every route here is in the main table; none uses
# verso_ISP1 or verso_ISP2.
/ip route
# Plain (non-recursive) defaults via the ISP gateways, both disabled.
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=m.n.o.185 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=q.r.s.53 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=statica_verso_ISP1 distance=1 dst-address=1.0.0.1 gateway=q.r.s.53
# NOTE(review): "m.n.o186" is missing a dot compared with the other anonymised
# addresses - probably a typo made while redacting.
add comment=statica_verso_ISP2 distance=1 dst-address=8.8.8.8 gateway=m.n.o186
# NOTE(review): the entries from here on repeat each other (the primary
# default appears three times, the backup twice, the host routes twice). This
# may be several exports pasted together - confirm what is actually installed.
add check-gateway=ping comment=default-route-main distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 target-scope=31
add check-gateway=ping comment=default-route-main distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 target-scope=31
add comment=statica_ISP1 distance=1 dst-address=1.0.0.1 gateway=q.r.s.53
# NOTE(review): the gateway here is m.n.o.186, which is the router's own
# address on ether1-ISP2; the disabled default above uses m.n.o.185 as the
# ISP2 gateway. If .185 is the real next hop, the ISP2 probe route points at
# the wrong address.
add comment=statica_ISP2 distance=1 dst-address=8.8.8.8 gateway=m.n.o.186
add check-gateway=ping comment=default-route-main distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 target-scope=31
add check-gateway=ping comment=default-route-backupain distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 target-scope=31
add check-gateway=ping comment=default-route-backup distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 target-scope=31
/ip smb shares
set [ find default=yes ] directory=/pub
# NOTE(review): forwarding-enabled=both lets an authenticated SSH session open
# forwarded TCP channels in both directions, so any account that can log in
# over SSH can relay traffic through the router. Confirm this is required;
# otherwise turn forwarding off.
/ip ssh
set forwarding-enabled=both
# IPv6 firewall: every entry carries a "defconf:" comment. bad_ipv6 collects
# source/destination prefixes that the forward chain drops.
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
# Input chain: stateful accept, then the listed protocols are accepted from
# any interface, then everything not arriving on a LAN-list interface is
# dropped.
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=33434-33534 protocol=udp
add action=accept chain=input comment=“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500 protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=ipsec-esp
add action=accept chain=input comment=“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=“defconf: drop everything else not coming from LAN” in-interface-list=!LAN
# Forward chain: same shape; the final drop is written as !LAN, so unlike the
# IPv4 forward rule it does not depend on WAN list membership.
add action=accept chain=forward comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1” hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=ipsec-esp
add action=accept chain=forward comment=“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=“defconf: drop everything else not coming from LAN” in-interface-list=!LAN
# OpenVPN user: fixed tunnel addresses inside 172.16.25.0/24, the same prefix
# the PEER_BGP address list accepts on the input chain. No password field is
# shown in this listing.
/ppp secret
add local-address=172.16.25.1 name=casa_YYYYY remote-address=172.16.25.3 service=ovpn

# NOTE(review): SNMP is enabled, but the community configuration is not part
# of this listing. Confirm that it is not left on a default community and that
# only the monitoring hosts can reach it.
/snmp
set contact=CUSTOMER enabled=yes location=XXXXXXXXX
/system clock
set time-zone-name=Europe/Rome
/system logging
add disabled=yes topics=bgp
add disabled=yes topics=debug
/system note
set show-at-login=no
# Layer-2 management (MAC telnet and MAC WinBox) is limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Capture used for the diagnosis in the post: TCP WinBox traffic on the ISP1
# uplink, excluding 192.168.178.0/24, written to a pcap file.
/tool sniffer
set file-name=trace_CUSTOMER.pcap filter-interface=ether5-ISP1 filter-ip-address=!192.168.178.0/24 filter-ip-protocol=tcp filter-port=winbox

It's probably your mangling; will check it later tonight.