Yo
I have two ISPs: the first is fiber with several public IP addresses on the subnet 20.20.20.20/29, the second is COAX with one public address on 10.10.10.10/29.
On one of the fiber addresses I have an OVPN server, and another one goes to a webserver; fiber also serves as the backup line because, paradoxically, it is slower but always available. I use COAX as my main line for internet access.
So I need both lines to be up, and people connecting to the webserver or VPN should have their connection routed over fiber — or in any case always over one GW; I use mangle for this. But I don't think this is happening, and MT seems to be picking the route randomly. This manifests itself in the VPN sometimes being unable to connect, but on the Xth try it succeeds. The same goes for the webserver or even L2TP, which cannot be reached from one device outside, while another device is "lucky" and the router directs it correctly — even when the COAX interface is disabled and only one GW is active. I suspect something must be terribly wrong with NAT or routing.
This is a poor description, so please feel free to bombard me with clarifying questions.
I’m uploading the relevant part of the export.
Thanks for any help!
interface export
# 2023-09-27 17:47:38 by RouterOS 7.11.2
# software id = XNI8-LN0D
#
# model = RB4011iGS+
# serial number = xxxxxxxxxx
/interface ethernet
# Physical WAN/trunk ports. Two uplinks: ether1 (coax) and ether2 (fiber).
set [ find default-name=ether10 ] comment="== Trunk port backup ==" disabled=yes name=Ether10_TRUNK_Port_Backup
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment="== Trunk port SFP ==" name=SFP_TRUNK_Port rx-flow-control=on speed=1Gbps tx-flow-control=on
# NOTE(review): the coax WAN port is exported with disabled=yes, so in this exact state only the
# fiber default route can be active. The /ip address entry for this port spells the interface
# "ether1_WAN_COAX" (different case from the name set here) - confirm the address is really bound.
set [ find default-name=ether1 ] comment="==WAN UPC Coax==" disabled=yes mac-address=XXXXXXXXX name=ether1_WAN_Coax
set [ find default-name=ether2 ] comment="==WAN UPC Fiber==" mac-address=XXXXXXXXX name=ether2_WAN_Fiber
set [ find default-name=ether9 ] name=ether9_VRRP
/interface vrrp
# VRRP instance (vrid 50) on ether9; the VRRP addresses further down are disabled, so this
# presumably is not in use at the moment.
add interface=ether9_VRRP name=VRRP vrid=50
/interface vlan
# Router-side VLAN interfaces on the bridge: 2000 = public wifi (172.20.26.0/24), 15 = office LAN (192.168.15.0/24).
add interface=Root-Bridge name=Public-VLAN-2k vlan-id=2000
add interface=Root-Bridge name=Root-VLAN-15 vlan-id=15
/interface wireless security-profiles
# Default wireless security profile; only the supplicant identity is changed from defaults here.
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# Trunk ports are marked trusted=yes (DHCP snooping trust); the VLAN interfaces are added as ports as well.
# NOTE(review): this whole section appears a second time below - an export lists each section once,
# so the duplicate is most likely a paste artefact rather than a real duplicate on the router.
add bridge=Root-Bridge interface=SFP_TRUNK_Port trusted=yes
add bridge=Root-Bridge interface=Ether10_TRUNK_Port_Backup trusted=yes
add bridge=Root-Bridge interface=Public-VLAN-2k
add bridge=Root-Bridge interface=Root-VLAN-15
/interface bridge vlan
# Both bridge VLAN table entries are disabled=yes, and the bridge itself has no vlan-filtering set in
# this export, so VLAN separation rests on the /interface vlan sub-interfaces only - confirm that is intended.
add bridge=Root-Bridge disabled=yes tagged=Root-VLAN-15,Root-Bridge,SFP_TRUNK_Port vlan-ids=15
add bridge=Root-Bridge disabled=yes tagged=Public-VLAN-2k,Root-Bridge,SFP_TRUNK_Port vlan-ids=2000
/interface l2tp-server server
# L2TP over IPsec for remote clients. mschap1 is still offered next to mschap2; it is a weak legacy
# method and can usually be dropped once all clients are confirmed to use mschap2.
# keepalive-timeout=disabled means dead sessions are never detected by the server side.
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes keepalive-timeout=disabled use-ipsec=yes
/interface ovpn-server server
# Router-side OpenVPN server; client certificates are required (good). No port or listen address is set
# here, so it presumably listens on its default port on every address - note that the dstnat rules below
# redirect 1194 on 20.20.20.20 to an internal host, so this server is reachable only on the other addresses.
set auth=sha1 certificate=HT_OPENVPN_SERVER cipher=aes256-cbc,aes256-gcm default-profile=openvpn-profile enabled=yes require-client-certificate=yes
/interface bridge
# Single bridge carrying the trunk ports; vlan-filtering is not enabled here.
add name=Root-Bridge
/interface bridge port
# Duplicate of the bridge-port section above (same four entries); most likely the paste doubled up.
add bridge=Root-Bridge interface=SFP_TRUNK_Port trusted=yes
add bridge=Root-Bridge interface=Ether10_TRUNK_Port_Backup trusted=yes
add bridge=Root-Bridge interface=Public-VLAN-2k
add bridge=Root-Bridge interface=Root-VLAN-15
/interface bridge vlan
# Duplicate of the bridge-vlan section above; both entries remain disabled.
add bridge=Root-Bridge disabled=yes tagged=Root-VLAN-15,Root-Bridge,SFP_TRUNK_Port vlan-ids=15
add bridge=Root-Bridge disabled=yes tagged=Public-VLAN-2k,Root-Bridge,SFP_TRUNK_Port vlan-ids=2000
/ip address
add address=192.168.15.1/24 comment="==VLAN Network Kancl==" interface=Root-VLAN-15 network=192.168.15.0
add address=172.20.26.1/24 comment="==VLAN 2000 pro public wifi==" interface=Public-VLAN-2k network=172.20.26.0
# No prefix on the VRRP address (treated as a host address, consistent with network=10.0.0.1); both VRRP addresses are disabled.
add address=10.0.0.1 comment="==VRRP==" disabled=yes interface=VRRP network=10.0.0.1
add address=10.0.0.2/24 comment="==VRRP IFC==" disabled=yes interface=ether9_VRRP network=10.0.0.0
# NOTE(review): "/34" is not a valid IPv4 prefix length and the post says this line is a /29; also
# "ether1_WAN_COAX" does not match the port name "ether1_WAN_Coax" set above. Both look like
# anonymisation/paste damage, but if either is real the coax address is not actually configured.
add address=10.10.10.10/34 comment="==WAN UPC COAX==" interface=ether1_WAN_COAX network=10.10.10.9
# NOTE(review): the comment says "Guest VLAN 2000", but the NAT section uses 20.20.20.21 for the guest
# network and 20.20.20.20 for the OpenVPN dstnat - the comment seems stale.
add address=20.20.20.20/29 comment="==Guest VLAN 2000 UPC Fiber==" interface=ether2_WAN_Fiber network=20.20.20.19
add address=20.20.20.21/29 comment="==WAN UPC Fiber==" interface=ether2_WAN_Fiber network=20.20.20.19
add address=20.20.20.xx/29 comment="==OpenVPN UPC Fiber==" interface=ether2_WAN_Fiber network=20.20.20.19
/ip route
# NOTE(review): every gateway here equals one of the router's OWN addresses from /ip address
# (20.20.20.20 and 10.10.10.10). A default route must point at the ISP router inside the /29, not at
# the local address - presumably an anonymisation artefact, but worth confirming on the live box.
# Main table: coax preferred (distance 1, check-gateway=ping), fiber as fallback (distance 2, no
# check-gateway). If the coax ISP gateway drops or rate-limits ICMP the distance-1 route flaps and
# new sessions alternate between the two lines - a plausible cause of the "works on the Xth try"
# symptom. For a directly connected gateway check-gateway=arp is the usual less fragile choice.
# Only this first route sets vrf-interface; the others leave it unset - confirm that is intentional.
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=20.20.20.20 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=ether2_WAN_Fiber
# Per-uplink tables used by the mangle routing marks; each holds just a default route.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=20.20.20.20 pref-src="" routing-table=to_wan_fiber scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.10 pref-src="" routing-table=to_wan_coax scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.10 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/routing table
# Lookup tables (fib) selected by new-routing-mark in the mangle rules below.
add disabled=no fib name=to_wan_fiber
add disabled=no fib name=to_wan_coax
/ip firewall mangle
# Policy routing so that replies leave through the uplink the connection arrived on.
# NOTE(review): "ipadd" is not a RouterOS command - it looks like the section path fused with "add"
# in the paste; the live rule is presumably a plain "add".
# Input chain: mark connections to the router itself (L2TP, OVPN, WinBox...) per uplink.
# None of the mark-connection rules limit themselves to connection-state=new, so the mark is
# re-applied on every packet; functionally fine, but connection-state=new is the usual form.
ipadd action=mark-connection chain=input in-interface=ether1_WAN_Coax new-connection-mark=wan_coax_connection passthrough=yes
add action=mark-connection chain=input in-interface=ether2_WAN_Fiber new-connection-mark=wan_fiber_connection passthrough=yes
# Output chain: router-originated replies of the marked connections get the matching routing mark.
add action=mark-routing chain=output connection-mark=wan_coax_connection new-routing-mark=to_wan_coax passthrough=no
add action=mark-routing chain=output connection-mark=wan_fiber_connection new-routing-mark=to_wan_fiber passthrough=no
# Forward chain: connections entering from a WAN towards dst-natted hosts get a per-uplink mark.
add action=mark-connection chain=forward in-interface=ether1_WAN_Coax new-connection-mark=wan_coax_connection_forward passthrough=no
add action=mark-connection chain=forward in-interface=ether2_WAN_Fiber new-connection-mark=wan_fiber_connection_forward passthrough=no
# Prerouting: replies from the LAN side are routing-marked, but ONLY when they come in on Root-VLAN-15.
# Every dstnat target in this export is a 192.168.15.x host, so this holds today; a target on
# Public-VLAN-2k or a VPN client would answer via the main table instead.
add action=mark-routing chain=prerouting connection-mark=wan_coax_connection_forward in-interface=Root-VLAN-15 new-routing-mark=to_wan_coax passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan_fiber_connection_forward in-interface=Root-VLAN-15 new-routing-mark=to_wan_fiber passthrough=yes
/ip firewall filter
# Input/forward policy. All input rules are scoped to the two WAN in-interfaces; nothing here
# restricts router access from Root-VLAN-15, Public-VLAN-2k or the VPN client ranges.
add action=accept chain=forward comment="Allow established a related" connection-state=established,related in-interface=ether1_WAN_Coax
add action=accept chain=forward comment="Allow established a related" connection-state=established,related in-interface=ether2_WAN_Fiber
add action=accept chain=input comment="Allow established a related" connection-state=established,related in-interface=ether1_WAN_Coax
add action=accept chain=input comment="Allow established a related" connection-state=established,related in-interface=ether2_WAN_Fiber
add action=drop chain=input comment="Drop invalid - coax" connection-state=invalid in-interface=ether1_WAN_Coax
add action=drop chain=input comment="Drop invalid - fiber" connection-state=invalid in-interface=ether2_WAN_Fiber
# Blacklist is fed by the add-src-to-address-list rules further down (1d timeout).
add action=drop chain=input comment="Drop blacklist" in-interface=ether1_WAN_Coax src-address-list=blacklist
add action=drop chain=input comment="Drop blacklist" in-interface=ether2_WAN_Fiber src-address-list=blacklist
# DNS from the WAN side is dropped before the trusted/admin accepts, so even trusted sources cannot use the router's resolver.
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=ether1_WAN_Coax protocol=tcp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=ether1_WAN_Coax protocol=udp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=ether2_WAN_Fiber protocol=tcp
add action=drop chain=input comment="Drop dns" dst-port=53 in-interface=ether2_WAN_Fiber protocol=udp
add action=drop chain=forward comment="==Block Sites on backup connection==" disabled=yes dst-address-list=blocked-sites out-interface=ether2_WAN_Fiber src-address-list=!blocked-sites-allowed
add action=accept chain=input comment="Allow ping" in-interface=ether1_WAN_Coax limit=10/1m,5:packet protocol=icmp
add action=accept chain=input comment="Allow ping" in-interface=ether2_WAN_Fiber limit=10/1m,5:packet protocol=icmp
# Router-side OpenVPN (port 1194) accepted on both uplinks; the dstnat for 20.20.20.20:1194 bypasses input.
add action=accept chain=input comment="allow open-vpn" dst-port=1194 in-interface=ether1_WAN_Coax protocol=tcp
add action=accept chain=input comment="allow open-vpn" dst-port=1194 in-interface=ether1_WAN_Coax protocol=udp
add action=accept chain=input comment="allow open-vpn" dst-port=1194 in-interface=ether2_WAN_Fiber protocol=tcp
add action=accept chain=input comment="allow open-vpn" dst-port=1194 in-interface=ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment="admin trusted" in-interface=ether1_WAN_Coax src-address-list=admin-trusted
add action=accept chain=input comment="admin trusted" in-interface=ether2_WAN_Fiber src-address-list=admin-trusted
add action=accept chain=input comment="Access from trusted IP's" in-interface=ether1_WAN_Coax src-address-list=trusted
add action=accept chain=input comment="Access from trusted IP's" in-interface=ether2_WAN_Fiber src-address-list=trusted
# L2TP/IPsec: 1701, IKE 500, NAT-T 4500, AH and ESP on both uplinks.
add action=accept chain=input comment=L2TP dst-port=1701 in-interface=ether1_WAN_Coax protocol=udp
add action=accept chain=input comment=L2TP dst-port=1701 in-interface=ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment=L2TP dst-port=500 in-interface=ether1_WAN_Coax protocol=udp
add action=accept chain=input comment=L2TP dst-port=500 in-interface=ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment=L2TP dst-port=4500 in-interface=ether1_WAN_Coax protocol=udp
add action=accept chain=input comment=L2TP dst-port=4500 in-interface=ether2_WAN_Fiber protocol=udp
add action=accept chain=input comment=L2TP in-interface=ether1_WAN_Coax protocol=ipsec-ah
add action=accept chain=input comment=L2TP in-interface=ether2_WAN_Fiber protocol=ipsec-ah
add action=accept chain=input comment=L2TP in-interface=ether1_WAN_Coax protocol=ipsec-esp
add action=accept chain=input comment=L2TP in-interface=ether2_WAN_Fiber protocol=ipsec-esp
add action=drop chain=input comment=PPTP dst-port=1723 in-interface=ether1_WAN_Coax protocol=tcp
add action=drop chain=input comment=PPTP dst-port=1723 in-interface=ether2_WAN_Fiber protocol=tcp
# SNMP to the router only from the monitoring host, and only via coax.
add action=accept chain=input comment="SNMP from Zabbix" dst-port=161 in-interface=ether1_WAN_Coax protocol=udp src-address=xx.233.xxx.1xx
# Tarpit-style rules: sources probing these ports are blacklisted for a day; the packet then falls through to the final drop.
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1d chain=input comment="log xx ssh - 1d blacklist" dst-port=xx in-interface=ether1_WAN_Coax protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1d chain=input comment="log xx ssh - 1d blacklist" dst-port=xx in-interface=ether2_WAN_Fiber protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1d chain=input comment="log xxx smb - 1d blacklist" dst-port=xxx in-interface=ether1_WAN_Coax protocol=tcp
add action=add-src-to-address-list address-list=blacklist address-list-timeout=1d chain=input comment="log xxx smb - 1d blacklist" dst-port=xxx in-interface=ether2_WAN_Fiber protocol=tcp
# Redundant with the "Drop anything else!" rules right below (trusted sources were already accepted above); harmless.
add action=drop chain=input comment="Block all access to the winbox - except to trusted list" dst-port=8291 in-interface=ether1_WAN_Coax protocol=tcp src-address-list=!trusted
add action=drop chain=input comment="Block all access to the winbox - except to trusted list" dst-port=8291 in-interface=ether2_WAN_Fiber protocol=tcp src-address-list=!trusted
add action=drop chain=input comment="Drop anything else!" in-interface=ether1_WAN_Coax
add action=drop chain=input comment="Drop anything else!" in-interface=ether2_WAN_Fiber
# Forward chain: there is no final drop (the catch-all at the end is disabled), so anything not
# matched below is forwarded. In particular the guest->office isolation rule is disabled, so
# 172.20.26.0/24 can reach 192.168.15.0/24, and the two "Deny Guest" rules cover TCP only.
add action=accept chain=forward comment="Allow open-vpn users to LAN" dst-address=192.168.15.0/24 src-address=10.20.0.0/24
add action=drop chain=forward comment="Isolate networks" disabled=yes dst-address=192.168.15.0/24 log=yes src-address=172.20.26.0/24
add action=drop chain=forward comment="Deny Guest to housing services" dst-address=90.182.206.128/28 dst-port=!80,443 log=yes protocol=tcp src-address=172.20.26.0/24
add action=drop chain=forward comment="Deny Guest to housing services" dst-address=90.182.207.64/27 dst-port=!80,443 log=yes protocol=tcp src-address=172.20.26.0/24
add action=accept chain=forward comment="Access PublicWiFi to internet" out-interface=ether1_WAN_Coax src-address=172.20.26.0/24
add action=accept chain=forward comment="Access PublicWiFi to internet" out-interface=ether2_WAN_Fiber src-address=172.20.26.0/24
add action=drop chain=forward comment="Drop UPS kancelar a cloud" src-address=192.168.15.199
add action=drop chain=forward comment="povolit az po definovani portu, ktere jsou ve firewallu" disabled=yes in-interface=ether1_WAN_Coax
/ip firewall nat
# Hairpin NAT so LAN hosts can use the public names of LAN servers.
add action=masquerade chain=srcnat comment="==Loopback NAT==" dst-address=192.168.15.0/24 src-address=192.168.15.0/24
# Fixed source addresses for hosts that need a stable public IP (reverse DNS) per uplink.
add action=src-nat chain=srcnat comment="==Reverse DNS Vyvoj Coax==" disabled=yes out-interface=ether1_WAN_Coax src-address=192.168.15.13 to-addresses=10.10.10.10
add action=src-nat chain=srcnat comment="==Reverse DNS Vyvoj Optika==" out-interface=ether2_WAN_Fiber src-address=192.168.15.13 to-addresses=20.20.20.20
add action=src-nat chain=srcnat comment="==Reverse DNS OpenVPN Fiber==" out-interface=ether2_WAN_Fiber src-address=192.168.15.205 to-addresses=20.20.20.20
add action=src-nat chain=srcnat comment="==Reverse DNS PRGAERO 20.20.20.21==" disabled=yes out-interface=ether2_WAN_Fiber src-address=192.168.15.230 to-addresses=20.20.20.21
add action=src-nat chain=srcnat comment="==Reverse DNS DEV test merchant PL 20.20.20.21==" out-interface=ether2_WAN_Fiber src-address=192.168.15.81 to-addresses=20.20.20.21
add action=src-nat chain=srcnat comment="==Reverse DNS Guest network 20.20.20.21==" out-interface=ether2_WAN_Fiber src-address=172.20.26.0/24 to-addresses=20.20.20.21
# Generic masquerade per source network and uplink (everything not matched by the src-nat rules above).
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Coax==" out-interface=ether1_WAN_Coax src-address=192.168.15.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Fiber==" out-interface=ether2_WAN_Fiber src-address=192.168.15.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Fiber Guest==" out-interface=ether2_WAN_Fiber src-address=172.20.26.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada UPC Coax Guest==" out-interface=ether1_WAN_Coax src-address=172.20.26.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada z OpenVPN==" out-interface=ether1_WAN_Coax src-address=10.20.0.0/24
add action=masquerade chain=srcnat comment="==NAT - maskarada z OpenVPN==" out-interface=ether2_WAN_Fiber src-address=10.20.0.0/24
# Port forwards. dstnat is first-match, so rules for the same address:port later in the list are shadowed.
add action=dst-nat chain=dstnat comment="OpenVPN Server WAN fiber" dst-address=20.20.20.20 dst-port=1194 in-interface=ether2_WAN_Fiber protocol=udp to-addresses=192.168.15.205 to-ports=1194
add action=dst-nat chain=dstnat comment="OpenVPN Server WAN fiber" dst-address=20.20.20.20 dst-port=1194 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.205 to-ports=1194
add action=dst-nat chain=dstnat comment="OpenVPN Server WAN fiber" dst-address=20.20.20.20 dst-port=443 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.205 to-ports=443
add action=dst-nat chain=dstnat comment="OpenVPN Server Admin WAN fiber" dst-address=20.20.20.20 dst-port=943 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.205 to-ports=943
add action=dst-nat chain=dstnat comment="HTTP dev.OURCOMPANY.cz from WAN coax" dst-address=10.10.10.10 dst-port=80 in-interface=ether1_WAN_Coax protocol=tcp to-addresses=192.168.15.13 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP dev.OURCOMPANY.cz from LAN" dst-address=10.10.10.10 dst-port=80 protocol=tcp to-addresses=192.168.15.13 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS dev.OURCOMPANY.cz from WAN coax" dst-address=10.10.10.10 dst-port=443 in-interface=ether1_WAN_Coax protocol=tcp to-addresses=192.168.15.13 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS dev.OURCOMPANY.cz from LAN" dst-address=10.10.10.10 dst-port=443 protocol=tcp to-addresses=192.168.15.13 to-ports=443
# NOTE(review): the next two rules (10.10.10.10:443 -> .200:5001) are shadowed by the two
# dev.OURCOMPANY.cz HTTPS rules just above, which take 10.10.10.10:443 first; they never match.
add action=dst-nat chain=dstnat comment="HTTPS Centurion Share from WAN coax" dst-address=10.10.10.10 dst-port=443 in-interface=ether1_WAN_Coax protocol=tcp to-addresses=192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTPS Centurion Share from LAN" dst-address=10.10.10.10 dst-port=443 protocol=tcp to-addresses=192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTPS Centurion Share from WAN fiber" dst-address=20.20.20.21 dst-port=443 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTPS Centurion Share from LAN" dst-address=20.20.20.21 dst-port=443 protocol=tcp to-addresses=192.168.15.200 to-ports=5001
add action=dst-nat chain=dstnat comment="HTTPS Centurion " dst-address=20.20.20.21 dst-port=5001 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.200 to-ports=5001
# These two have no in-interface, so they also apply to LAN-side (hairpin) traffic.
add action=dst-nat chain=dstnat comment="HTTPS PL Dev test for ADYEN from WAN fiber" dst-address=20.20.20.21 dst-port=80 protocol=tcp to-addresses=192.168.15.26 to-ports=80
# NOTE(review): 20.20.20.21:443 is already taken by the two "Centurion Share" rules above, so this
# ADYEN SSL rule can never match - the SSL test lands on 192.168.15.200:5001 instead of .26:443.
add action=dst-nat chain=dstnat comment="HTTPS PL Dev SSL test for ADYEN from WAN fiber" dst-address=20.20.20.21 dst-port=443 protocol=tcp to-addresses=192.168.15.26 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS PRGAERO from WAN fiber" disabled=yes dst-address=20.20.20.21 dst-port=443 protocol=tcp to-addresses=192.168.15.210 to-ports=443
add action=dst-nat chain=dstnat comment="HTTP Vyvoj Coax" disabled=yes dst-address=10.10.10.10 dst-port=80 in-interface=ether1_WAN_Coax protocol=tcp src-address-list=trusted to-addresses=192.168.15.13 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS PRGAERO from WAN fiber" disabled=yes dst-address=20.20.20.21 dst-port=80 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.210 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP Vyvoj Fiber" disabled=yes dst-address=20.20.20.21 dst-port=80 in-interface=ether2_WAN_Fiber protocol=tcp src-address-list=trusted to-addresses=192.168.15.13 to-ports=80
# Disabled; its dst-address is not one of the WAN addresses listed in /ip address above.
add action=dst-nat chain=dstnat comment="HTTPS 8443 to vyvoj02 - pro SNAPT" disabled=yes dst-address=84.42.174.134 dst-port=8xxx in-interface=ether1_WAN_Coax protocol=tcp to-addresses=192.168.15.7 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS Centurion" disabled=yes dst-address=20.20.20.20 dst-port=80,443 in-interface=ether2_WAN_Fiber protocol=tcp to-addresses=192.168.15.200 to-ports=5000
# RDP only from the trusted list; no dst-address, so it matches any address on the given uplink.
add action=dst-nat chain=dstnat comment="RDP na vyvoj z trusted address listu" dst-port=3389 in-interface=ether1_WAN_Coax protocol=tcp src-address-list=trusted to-addresses=192.168.15.13 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP na vyvoj z trusted address listu" dst-port=3389 in-interface=ether2_WAN_Fiber protocol=tcp src-address-list=trusted to-addresses=192.168.15.13 to-ports=3389
# Zabbix agent/SNMP forwards, restricted to the monitoring host's source address; 10051 is remapped to SNMP 161.
add action=dst-nat chain=dstnat comment="Zabbix HV - HTVyvoj" dst-port=10053 in-interface=ether1_WAN_Coax protocol=tcp src-address=52.233.158.1xx to-addresses=192.168.15.15 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix VM-HTVyvojDB01" dst-port=10052 in-interface=ether1_WAN_Coax protocol=tcp src-address=52.233.158.1xx to-addresses=192.168.15.14 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix VM-HTVYVOJ2" dst-port=10050 in-interface=ether1_WAN_Coax protocol=tcp src-address=52.233.158.1xx to-addresses=192.168.15.15 to-ports=10050
add action=dst-nat chain=dstnat comment="Zabbix Centurion" dst-port=10051 in-interface=ether1_WAN_Coax protocol=udp src-address=52.233.158.1xx to-addresses=192.168.15.200 to-ports=161
add action=dst-nat chain=dstnat comment="Zabbix Centurion" dst-port=10051 in-interface=ether2_WAN_Fiber protocol=udp src-address=52.233.158.1xx to-addresses=192.168.15.200 to-ports=161
# Uncommented src-nat to an address that does not appear in /ip address above - presumably anonymised; confirm it is still needed.
add action=src-nat chain=srcnat out-interface=ether2_WAN_Fiber src-address=192.168.15.167 to-addresses=10.0.10.1xx