Router configuration - basic

Hello Everyone,

I have been toying with my hEX POE for a while trying to understand and create a configuration that would suit my needs:

  • dual WAN with failover with 2 ISPs delivering dynamic addresses. I am not looking for load balancing as the second ISP is a 4G LTE router.
  • secured

Can I submit this config to your expert eyes and get your opinion?
For now, there is no WiFi configuration as my sandbox router has no wifi chip but it will come later with some CAPsMAN config.
I am a total beginner, with no IT training so be comprehensive for any obvious big mistakes…
Thank you!

Here is the config file:

/interface bridge
add name=bridge-lan
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-pool ranges=192.168.0.5-192.168.0.254
/ip dhcp-server
add address-pool=lan-pool interface=bridge-lan name=dhcp-lan
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.0.XXX/24 interface=bridge-lan network=192.168.0.0
/ip dhcp-client
# Interface not active
add add-default-route=no interface=ether1 script=":local rname \"ISP1_check\"\
    \n:local gwt [/ip route find where comment=\$rname]\
    \n:if (\$bound=1) do={\
    \n  /ip route set \$gwt gateway=\$\"gateway-address\"\
    \n} else={\
    \n  /ip route set \$gwt gateway=127.0.0.1\
    \n}" use-peer-ntp=no
add add-default-route=no interface=ether2 script=":local rname \"ISP2_check\"\
    \n:local gwt [/ip route find where comment=\$rname]\
    \n:if (\$bound=1) do={\
    \n  /ip route set \$gwt gateway=\$\"gateway-address\"\
    \n} else={\
    \n  /ip route set \$gwt gateway=127.0.0.1\
    \n}" use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.101 gateway=192.168.0.XXX
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input comment="Drop known bad IPs" dst-port=22,23,8291 \
    protocol=tcp src-address-list=blocked-ips
add action=add-src-to-address-list address-list=blocked-ips \
    address-list-timeout=1d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=accept chain=input comment="Allow established/related" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow LAN access to router" \
    in-interface=bridge-lan
add action=drop chain=input comment="Drop everything else (WAN to router)"
add action=accept chain=forward comment="Allow established/related forward" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
add action=accept chain=forward comment="Allow LAN to WAN" in-interface=\
    bridge-lan out-interface-list=WAN
add action=drop chain=forward comment="Drop all other forward traffic"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add comment=ISP1_check dst-address=8.8.8.8/32 gateway=127.0.0.1 scope=10
add comment=ISP2_check dst-address=1.1.1.1/32 gateway=10.0.0.1 scope=10
add check-gateway=ping distance=1 gateway=8.8.8.8 target-scope=11
add check-gateway=ping distance=2 gateway=1.1.1.1 target-scope=11
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no

You might want to succinctly describe your intended network setup, without such info it is difficult to say if your configuration is correct, as there are a few things that are different from the usual configurations.

I am not sure to understand the use you make of localhost, why 127.0.0.1? :confused:

The "Interface not active" comment should mean that you haven’t anything connected to ether1?

I would add bridge to the LAN category in interface list and use interface list in firewall (as opposed to bridge-lan) as it is more clear.

SFP is not used?

As well ether5?

Maybe you want to reserve ether5 as management port, adding a “TRUSTED” category to interface list and limiting to it Winbox access, etc.

Hi jaclaz,
Thank you for your answer.

Some context:
I currently have an Asus router connected to my switch (CRS326) that is distributing the network.
I have a fiber connection as main, connected to WAN, and I have a 4G LTE router (bridge mode) that is plugged as a backup connection to the LAN 1 that is configured as a second WAN, to act as failover.

I want to upgrade my network to a 10GbE as my ISP is providing up to 8 GbE.
So I need a new router that can handle this. I have been looking to various models (Asus, OPNSense, MKTK) and I am trying to pick the right one.
I have this hEX POE as testing machine to see if I can achieve anything with RouterOS or not… much more complicated than Asus-Merlin.

Coming back to my config, ether5 is not in the bridge because I just overlooked it for now in my tests.
ether1 is for WAN 1, ether2 for WAN2 and ether3 & 4 to plug my laptop for testing.
For my testing, I use my 4G LTE, my fiber modem is connected to my prod router/network and I plug it to the MKTK only to do the tests.
So you are right, the ether1 port is not connected except when running a quick test.
sfp port is not connected either as I don’t have any sfp modules at the moment, but ultimately with a MKTK router, SFP+1 would be the WAN1 port and the SFP+2 port would be connected to the CRS326 and be in the bridge-lan as any other port. I would keep an ethernet port to WAN 2 for the 4G LTE secondary connection for the failover.
I could keep the ether5 port for management, but I usually connect to my router either from my laptop or desktop machine through the network, so ether5 might be in the bridge-lan as well to connect another device.

As for use of localhost, I have to admit it is a suggestion from Grok AI I used to configure my router with CLI…
Again, I am not network engineer so I have been following some tutorials on the internet or YouTube but so far, I have never been able to obtain something functional. Grok was my first successful configuration.

This is a starting point for me, after that, I want to do IP reservation on the network, manage my WiFi APs (probably a mix with wAP AX and hAP AX3) using CAPsMAN, create a VLAN for guest WiFi network, have a VPN client on the router to connect some device to it, maybe a VPN server to connect from outside to my network (even though in between I have been using a bit Tailscale).

I could continue with Asus-Merlin, or go with Ubiquiti or OPNSense, but since I have 2 MKTK items, I wanted to give it a try… even if it is much more complex for a newbie like me…

Yep, but the 127.0.0.1 means localhost, and the script in the dhcp client?
There may be some (extremely convoluted) way to make dual wan failover in case the primary interface is disconnected and/or the router doesn’t provide a dhcp address, but I have no idea how they work, if they work.

In a case like yours I would use this (much simpler) approach:
http://forum.mikrotik.com/t/simpler-failover-for-two-gateways-i-found-working/169108/1

Having an interface out of any bridge and authorized for management (normally not connected to anything) is only a common advice, particularly useful to newcomers, to have an “emergency” access if something goes wrong in some bridge setting when fiddling with them.

Typically there are two kinds of new users:

  1. those that will be scared by the complexity of RouterOS and by its steep learning curve and will leave (not before having been locked out a couple of times because they did something wrong, usually with firewall)
  2. those that will like the possibilities of RouterOS and that will experiment with more complex setups; typically the 2nd thing that happens when fiddling with VLANs on bridges is to get locked out of the device.

It is Rule #7:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1

I hear wifi coming and CRS326 and assuming this router will replace the ASUS.
Thus I am assuming you will have more than just one flat network and are planning on vlans? [ if not, send me your CRS326 and I will send you my un-managed switch :wink: ]
Also there is nothing secret about your private IP addresses on the network and thus there is no reason to leave them out; it’s the public IP information that needs to be protected.

Submit away! Happy to help review and provide some feedback!

Hello,
Please apologize for my silence, been busy at work.

So, after spending some time with the so-called GenAI to write a config file for my intended use, it fails miserably (import script will always fail with errors I could not decipher), I went back to the old ways.
I have reset the router with default config and tried to achieve the dual wan with failover.
I followed this tutorial on youtube but I can’t manage to get it working.
Here is my config file:

# 2025-05-25 18:45:08 by RouterOS 7.18.2
# software id = 9C4A-KCVP
#
# model = RB960PGS
# serial number = xxxxxxx
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.105-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1-WAN1 use-peer-dns=\
    no use-peer-ntp=no
add add-default-route=no interface=ether2-WAN2 use-peer-dns=no use-peer-ntp=\
    no
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Route 1" disabled=no distance=1 dst-address=8.8.8.8/32 gateway=\
    192.168.0.101 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add comment="Route 2" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=\
    ether2-WAN2 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping comment="Recursive Route 2" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Recursive Route 1" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I can’t obtain the interface in Routes to display the Recursive connection.
And the connection on WAN2 is not working if I unplug the WAN1 cable…
I thank you in advance for your help.
Valyno

Hello,

I figured out that my secondary wan was not in the WAN list, now the router is switching from one to the other.
IT WORKS !!
Now I have to manage the dynamic IP from my secondary wan and manage the static IP address for the primary ISP (for now, my MKTK router is behind my primary router, so I have set its IP address as gateway…

Next step is to configure CAPsMAN, net forwarding, IP reservation based on the mac address etc…
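The cause found above (ether2-WAN2 missing from interface list WAN) is worth checking mechanically before every export is imported, because in the defconf posted earlier both the srcnat masquerade rule and the forward-chain "drop all from WAN not DSTNATed" rule key on that list, and the IPv4 forward chain has no final drop, so an interface left out of the list is neither NATed nor covered by that drop. The script below is an added example, not code from the thread or from MikroTik; it parses a constructed excerpt modelled on the export above (continuation lines and quoting as RouterOS writes them) and reports WAN-facing interfaces, taken to be those running a DHCP client, that are not WAN list members.

```python
import re

# Constructed excerpt modelled on the second export in this thread (not the poster's file).
EXPORT = """\
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1-WAN1 use-peer-dns=\\
    no use-peer-ntp=no
add add-default-route=no interface=ether2-WAN2 use-peer-dns=no use-peer-ntp=no
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \\
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    out-interface-list=WAN
"""

def parse_export(text):
    """Map each /section header to a list of {key: value} dicts, one per add/set line."""
    text = re.sub(r"\\\n\s*", "", text)  # join RouterOS export continuation lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line and current and not line.startswith("#"):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)  # key=value or key="v v"
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def wan_list_gaps(sections):
    """WAN-facing interfaces (those running a DHCP client) missing from list WAN."""
    members = {m["interface"] for m in sections.get("/interface list member", [])
               if m.get("list") == "WAN"}
    return [c["interface"] for c in sections.get("/ip dhcp-client", [])
            if c["interface"] not in members]

def rules_keyed_on_wan(sections):
    """(chain, comment) of firewall/NAT rules that only match members of list WAN."""
    return [(r["chain"], r.get("comment", ""))
            for sec in ("/ip firewall filter", "/ip firewall nat")
            for r in sections.get(sec, [])
            if "WAN" in (r.get("in-interface-list"), r.get("out-interface-list"))]

if __name__ == "__main__":
    cfg = parse_export(EXPORT)
    print("not in WAN list:", wan_list_gaps(cfg), "| rules keyed on WAN:", rules_keyed_on_wan(cfg))
```

Any interface the first list reports is one that none of the rules in the second list will match; on the thread's export that is ether2-WAN2, which is exactly why failover to it did not work until it was added to the list.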