ROS 6 To 7 migration help

Good evening everyone, I have the following config in ROS6 working flawlessly:

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Fiber
set [ find default-name=ether2 ] name=ether2-IP
set [ find default-name=ether3 ] name=ether3-Local2
set [ find default-name=ether5 ] name=ether5-Local
/interface pppoe-client
add disabled=no interface=ether1-Fiber name=pppoe-Fiber password=1234 \
    service-name=new user=new.newmahal
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.20.30.101-10.20.30.149
/queue simple
add max-limit=1024M/1024M name="Cache Server" target=10.20.30.249/32
add max-limit=1024M/1024M name=DVR target=10.20.30.250/32
add max-limit=1024M/1024M name=Cam1 target=10.20.30.150/32
add max-limit=1024M/1024M name=Cam2 target=10.20.30.151/32
add max-limit=1024M/1024M name=Cam3 target=10.20.30.153/32
add max-limit=1024M/1024M name=PC01 target=10.20.30.99/32
add max-limit=1024M/1024M name=PC02 target=10.20.30.51/32
add max-limit=1024M/1024M name=Wifi target=10.20.30.21/32
/interface bridge port
add bridge=bridge1 interface=ether5-Local trusted=yes
add bridge=bridge1 interface=ether3-Local2 trusted=yes
/ip address
add address=10.20.30.254/24 interface=bridge1 network=10.20.30.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether2-IP use-peer-dns=no \
    use-peer-ntp=no
/ip dns
set allow-remote-requests=yes cache-max-ttl=0s servers=8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Cache Server" dst-port=80 \
    new-routing-mark=ISP2-IP passthrough=yes protocol=tcp src-address=\
    10.20.30.249
add action=mark-routing chain=prerouting dst-port=443 new-routing-mark=\
    ISP1-Fiber passthrough=no protocol=tcp src-address=10.20.30.249
add action=mark-routing chain=prerouting comment=PC01 new-routing-mark=\
    ISP1-Fiber passthrough=no src-address=10.20.30.99
add action=mark-routing chain=prerouting comment=PC02 new-routing-mark=\
    ISP1-Fiber passthrough=no src-address=10.20.30.51
add action=mark-routing chain=prerouting comment=WIFI new-routing-mark=\
    ISP1-Fiber passthrough=no src-address=10.20.30.21
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.6.1 routing-mark=ISP2-IP
add distance=1 gateway=pppoe-Fiber routing-mark=ISP1-Fiber
add distance=1 gateway=192.168.6.1
add distance=2 gateway=pppoe-Fiber

I tried ROS7 with the new routing table. If I set PC01 to use ISP2, for example, there is no internet; same if I set it to use ISP 1.
But when I disable the rule and let it use the default route, it works.
Can somebody please explain why I'm having such an issue with ROS7? Thanks in advance.

In v7 you have to explicitly declare the routing tables, so you will need
/routing table add name=ISP1-Fiber fib
/routing table add name=ISP2-IP fib

So I ask myself why change…

Obvious, wants to use wireguard vpn!!

New models come with ROS7 by default.

Thank you for explaining, but I already tried this approach and it failed.

No sir, the config above is all I need. But I can't get it to work in ROS 7.

Besides adding the fib tables manually, in v7, these in /ip route

add distance=1 gateway=192.168.6.1 routing-mark=ISP2-IP
add distance=1 gateway=pppoe-Fiber routing-mark=ISP1-Fiber

should be:

add distance=1 gateway=192.168.6.1 routing-table=ISP2-IP
add distance=1 gateway=pppoe-Fiber routing-table=ISP1-Fiber

Tested and it's not working.

Perhaps it's the mangle rules… and source NAT and routes (tables needed of course, as already provided).
Knowing that all traffic is by default going to go out the ether2 route due to distance, simplification can be provided.
Only need to push/force traffic to the pppoe WAN.
What is annoying is he calls the primary WAN ISP2 and the secondary WAN ISP1; I would reverse that normally.

Option 1: Replicating the OP's approach for ver7 (no smarts other than address list added to the equation). This approach actually makes more sense for an ECMP load-balance usage of both WANs. This means that the mangles would ensure traffic as identified by the OP and the rest of the traffic would be shared roughly equally between the two WANs. The only thing required would be to make the main route distances the same. DONE!

/ip firewall address-list
add address=10.20.30.99 list=via-WAN1
add address=10.20.30.51 list=via-WAN1
add address=10.20.30.21 list=via-WAN1
/ip firewall mangle
add action=accept chain=prerouting src-address=10.20.30.0/24 dst-address=10.20.30.0/24
++++++++++++++++++
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=to-ISP2 \
    src-address=10.20.30.249 dst-port=80 protocol=tcp passthrough=yes comment="Cache Server"
add action=mark-routing chain=prerouting connection-mark=to-ISP2 \
    new-routing-mark=ISP2-IP passthrough=no
+++++++++++++++++
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=to-ISP1 \
    src-address=10.20.30.249 dst-port=443 protocol=tcp passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to-ISP1 \
    new-routing-mark=ISP1-Fiber passthrough=no
++++++++++++++++
add action=mark-connection chain=forward connection-mark=no-mark \
    new-connection-mark=to-WAN1 src-address-list=via-WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to-WAN1 \
    new-routing-mark=ISP1-Fiber passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-Fiber
add action=masquerade chain=srcnat out-interface=ether2-IP

/ip route
add distance=1 gateway=192.168.6.1 routing-table=ISP2-IP
add distance=1 gateway=pppoe-Fiber routing-table=ISP1-Fiber
add check-gateway=ping distance=1 gateway=192.168.6.1
add check-gateway=ping distance=2 gateway=pppoe-Fiber

=====================================================================

Option 2 - Now we will be smart and note that the ROUTES have a distance and traffic priority goes to ISP2, and thus only traffic to ISP1 needs to be forced!!! This means there is no need to mangle any traffic towards ISP2, it's going there anyway. This removes one mangle rule and only one table is required.

/ip firewall address-list
add address=10.20.30.99 list=via-WAN1
add address=10.20.30.51 list=via-WAN1
add address=10.20.30.21 list=via-WAN1
/ip firewall mangle
add action=accept chain=prerouting src-address=10.20.30.0/24 dst-address=10.20.30.0/24
++++++++++++++++++
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=to-ISP1 \
    src-address=10.20.30.249 dst-port=443 protocol=tcp passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to-ISP1 \
    new-routing-mark=ISP1-Fiber passthrough=no
++++++++++++++++
add action=mark-connection chain=forward connection-mark=no-mark \
    new-connection-mark=to-WAN1 src-address-list=via-WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to-WAN1 \
    new-routing-mark=ISP1-Fiber passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-Fiber
add action=masquerade chain=srcnat out-interface=ether2-IP

/ip route
add distance=1 gateway=192.168.6.1 routing-table=ISP2-IP
add distance=1 gateway=pppoe-Fiber routing-table=ISP1-Fiber
add check-gateway=ping distance=1 gateway=192.168.6.1
add check-gateway=ping distance=2 gateway=pppoe-Fiber

=======================================================================

OPTION 3 - This will use mangle for the dst port going to ISP1 as that is not possible in routing rules and the rest will be routing rules. Only one table required.

/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=to-ISP1 \
    src-address=10.20.30.249 dst-port=443 protocol=tcp passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to-ISP1 \
    new-routing-mark=ISP1-Fiber passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-Fiber
add action=masquerade chain=srcnat out-interface=ether2-IP

/ip route
add distance=1 gateway=192.168.6.1 routing-table=ISP2-IP
add distance=1 gateway=pppoe-Fiber routing-table=ISP1-Fiber
add check-gateway=ping distance=1 gateway=192.168.6.1
add check-gateway=ping distance=2 gateway=pppoe-Fiber

/routing rule
add action=lookup-only-in-table src-address=10.20.30.0/24 dst-address=10.20.30.0/24 table=main
add action=lookup src-address=10.20.30.99 table=ISP1-Fiber
add action=lookup src-address=10.20.30.51 table=ISP1-Fiber
add action=lookup src-address=10.20.30.21 table=ISP1-Fiber

EDIT: /ip route uses (for routes with special table) routing-table in Vers7, Vers6 used routing-mark in /ip route.

@anav
v6.x → v7.x
routing-mark → routing-table

Effme for copy and paste and not noticing. Much thanks! Fixed.
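
Added example, not part of the thread and not MikroTik's own tooling: a Python check that reads a RouterOS export and flags the v6-to-v7 policy-routing mistakes discussed above (v6 routing-mark= left in /ip route, a table used but never declared with fib, a mark-routing rule missing new-routing-mark=). The names commands, lint and SAMPLE are hypothetical, and SAMPLE is a constructed, half-migrated config based on the one posted at the top.

```python
import re
import shlex

def commands(config):
    """Yield (menu, params) for every add/set line of a RouterOS export."""
    menu = ""
    # Join backslash-continued lines first, as the export wraps long rules.
    for line in re.sub(r"\\\n\s*", "", config).splitlines():
        line = line.strip()
        if line.startswith("/"):  # "/ip route" or inline "/routing table add ..."
            m = re.match(r"(/.*?)(?:\s+((?:add|set)\s.*))?$", line)
            menu, line = m.group(1), m.group(2) or ""
        if line.startswith(("add ", "set ")):
            toks = shlex.split(line)[1:]
            yield menu, dict(t.split("=", 1) if "=" in t else (t, "") for t in toks)

def lint(config):
    """Return a sorted list of policy-routing findings for a v7 config."""
    cmds, declared, findings = list(commands(config)), {"main"}, []
    for menu, p in cmds:  # first pass: tables declared with the fib flag
        if menu == "/routing table" and "fib" in p:
            declared.add(p.get("name"))
    for menu, p in cmds:
        if menu == "/ip route" and "routing-mark" in p:
            findings.append("route uses v6 routing-mark=%s; v7 needs routing-table="
                            % p["routing-mark"])
        if (menu == "/ip firewall mangle" and p.get("action") == "mark-routing"
                and "new-routing-mark" not in p):
            findings.append("mark-routing rule without new-routing-mark=")
        used = {"/ip route": p.get("routing-table"),
                "/ip firewall mangle": p.get("new-routing-mark"),
                "/routing rule": p.get("table")}.get(menu)
        if used and used not in declared:
            findings.append("table %s used in %s but not declared in /routing table"
                            % (used, menu))
    return sorted(set(findings))

# Constructed sample: only one table declared, one route still in v6 syntax.
SAMPLE = r"""
/routing table add name=ISP1-Fiber fib
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Cache Server" dst-port=80 \
    new-routing-mark=ISP2-IP passthrough=yes protocol=tcp src-address=10.20.30.249
add action=mark-routing chain=prerouting comment=PC01 new-routing-mark=\
    ISP1-Fiber passthrough=no src-address=10.20.30.99
/ip route
add distance=1 gateway=192.168.6.1 routing-mark=ISP2-IP
add distance=1 gateway=pppoe-Fiber routing-table=ISP1-Fiber
add distance=1 gateway=192.168.6.1
"""
```

Running lint(SAMPLE) reports the leftover routing-mark= route and the undeclared ISP2-IP table; an empty list means the three places that name a table agree with /routing table.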