Router unable to use DNS servers when using VRF

Hi everyone !

I'm new to this subject and trying to make it work!
I'm using a hEX router (RB750Gr3) with two VRFs, because my two WANs use the same IP range (both gateways are 192.168.130.1). The router itself can reach the Internet with the routes I have, but it cannot use any DNS server, whereas the clients on my LAN can.

[admin@MikroTik] > /ip/route print detail       
Flags: D - dynamic; X - disabled, I - inactive, A - active; 
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 
 0  As   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=192.168.130.1@R_VRF1 immediate-gw=192.168.130.1%ether1 distance=1 scope=30 
         target-scope=10 suppress-hw-offload=no 

 1  As   dst-address=0.0.0.0/0 routing-table=R_VRF2 pref-src="" gateway=192.168.130.1@R_VRF2 immediate-gw=192.168.130.1%ether2 distance=1 
         scope=30 target-scope=10 vrf-interface=ether2 suppress-hw-offload=no 

   DAc   dst-address=192.168.130.0/24 routing-table=R_VRF2 gateway=ether2@R_VRF2 immediate-gw=ether2 distance=0 scope=10 suppress-hw-offload=no 
         local-address=192.168.130.253%ether2@R_VRF2 

 2  As   dst-address=0.0.0.0/0 routing-table=R_VRF1 pref-src="" gateway=192.168.130.1@R_VRF1 immediate-gw=192.168.130.1%ether1 distance=1 
         scope=30 target-scope=10 vrf-interface=ether1 suppress-hw-offload=no 

   DAc   dst-address=192.168.88.0/24 routing-table=R_VRF1 gateway=bridge-1@R_VRF1 immediate-gw=bridge-1 distance=0 scope=10 
         suppress-hw-offload=no local-address=192.168.88.1%bridge-1@R_VRF1 

   DAc   dst-address=192.168.130.0/24 routing-table=R_VRF1 gateway=ether1@R_VRF1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no 
         local-address=192.168.130.131%ether1@R_VRF1

This matters because the router needs working name resolution to update itself. Note that the router can still ping any IP address such as 8.8.8.8 — it only fails when given a domain name.

[admin@MikroTik] > ping 8.8.8.8 count=10
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                       
    0 8.8.8.8                                    56 115 10ms567us 
    0 8.8.8.8                                    56 115 10ms758us 
    1 8.8.8.8                                    56 115 10ms188us 
    1 8.8.8.8                                    56 115 10ms406us 
    2 8.8.8.8                                    56 115 10ms649us 
    2 8.8.8.8                                    56 115 10ms829us 
    3 8.8.8.8                                    56 115 10ms674us 
    3 8.8.8.8                                    56 115 10ms863us 
    4 8.8.8.8                                    56 115 11ms17us  
    4 8.8.8.8                                    56 115 11ms204us 
    sent=5 received=10 packet-loss=-100% min-rtt=10ms188us avg-rtt=10ms715us max-rtt=11ms204us 
    
    ------------------------------------
    
[admin@MikroTik] > ping google.fr count=10
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server

I also don't understand why I receive twice what I send when I ping: the summary shows sent=5 received=10, which is why the tool reports packet-loss=-100%. It's not important, but an explanation would be nice. (Since ether1 and ether2 both sit in 192.168.130.0/24 and both VRFs are active, the router may simply be seeing each echo reply twice; a packet sniff on ether1 and ether2 would show where the second copy comes from.)

I have tested a lot of things that didn't work: firewall rules for TCP and UDP going through my VRF interface, all sorts of routes, and much more…

Here is my full config. It is my test config, so a lot of it is disabled.

# jun/21/2023 16:12:58 by RouterOS 7.9.1
# software id = ZLYE-A3CY
#
# model = RB750Gr3
# serial number = -
# NOTE(review): reviewer annotations are added only between commands, never
# inside a backslash-continued command, so the export can still be imported.
/interface bridge
# bridge-1 carries the 192.168.88.0/24 LAN; bridge-2 (192.168.130.0/24) is
# disabled, so its address, DHCP server and pool below are inactive.
add admin-mac=- auto-mac=no comment=1 name=bridge-1
add comment=2 disabled=yes name=bridge-2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool-1 ranges=192.168.88.10-192.168.88.254
add name=pool-2 ranges=192.168.130.10-192.168.130.254
/ip dhcp-server
add address-pool=pool-1 interface=bridge-1 name=DHCP-1
add address-pool=pool-2 interface=bridge-2 name=DHCP-2 server-address=\
    192.168.130.1
/ip vrf
# bridge-1 is listed in BOTH VRFs. The route print at the top shows its
# connected route in R_VRF1 only, so only one assignment appears to apply;
# the ping-fail scheduler below swaps these two entries, presumably so that
# the LAN moves between WANs -- confirm with /ip/vrf print after a swap.
add interfaces=ether1,bridge-1 name=R_VRF1
add interfaces=ether2,bridge-1 name=R_VRF2
/port
set 0 name=serial0
/system logging action
set 1 disk-file-count=50
/interface bridge port
add bridge=bridge-2 comment=bridge-2 interface=ether5
add bridge=bridge-1 comment=bridge-1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# ether3 ("WAN 1-TEST" DHCP client below) is in neither list; the input rule
# "drop all not coming from LAN" therefore drops anything arriving on it.
add comment=defconf interface=bridge-1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-2 list=LAN
add interface=ether2 list=WAN
/ip address
# 192.168.130.0/24 appears three times on this box: bridge-2 here (disabled),
# and the upstream side of both WANs (ether1 = .131 and ether2 = .253 in the
# route print, gateway .1 on both).
add address=192.168.88.1/24 comment="Bridge 1" interface=bridge-1 network=\
    192.168.88.0
add address=192.168.130.1/24 comment="Bridge 2" interface=bridge-2 network=\
    192.168.130.0
/ip dhcp-client
# Only WAN 1-TEST sets use-peer-dns=no. If the default applies to WAN 1 and
# WAN 2, their leases add the ISP resolvers as dynamic DNS servers -- check
# with /ip dns print.
add add-default-route=no comment="WAN 1" interface=ether1 use-peer-ntp=no
add add-default-route=no comment="WAN 2" interface=ether2 use-peer-ntp=no
add add-default-route=no comment="WAN 1-TEST" interface=ether3 use-peer-dns=\
    no use-peer-ntp=no
/ip dhcp-server network
# LAN clients are handed 8.8.8.8/8.8.4.4 directly, so their queries are
# forwarded through the VRF like any other traffic and never use the router's
# own resolver. That is why the LAN resolves while the router does not.
add address=192.168.88.0/24 comment="Bridge 1" dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
add address=192.168.130.0/24 comment="Bridge 2" dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.130.1
/ip dns
# The router's own resolver is 192.168.130.1, which is simultaneously the
# (disabled) bridge-2 address and the upstream gateway of both WANs. The
# router's DNS client uses the main table, whose default route leaves via
# ether1 in R_VRF1; the reply then arrives inside that VRF, and the DNS
# service (which lives in the main table) does not appear to receive it.
# Pointing at a resolver that is not also a local address removes the
# ambiguity, but the VRF-reply problem may still apply on this version.
# allow-remote-requests=yes makes this box answer DNS for anything that
# reaches the input chain; it is only safe while the "drop all not coming
# from LAN" input rule stays enabled.
set allow-remote-requests=yes servers=192.168.130.1
/ip dns static
add address=192.168.130.1 comment=defconf name=router.lan
/ip firewall filter
# Disabled test rule. If enabled it also breaks the ping-fail scheduler below,
# which decides failover by pinging 8.8.8.8.
add action=drop chain=output comment="Desac 8.8.8.8" disabled=yes \
    dst-address=8.8.8.8 protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This rule keeps the open DNS resolver, Winbox, SSH etc. off both WAN ports
# (and off ether3). Keep it enabled.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Both the fasttrack and the established/related accept are disabled, so every
# forwarded packet walks the whole chain. The last rule still blocks
# unsolicited WAN->LAN traffic, so this costs throughput, not security.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# Output-chain marking: out-interface is only known after the initial routing
# decision, so these rules only re-mark DNS packets that are already leaving
# via ether1 -- they cannot steer a query that the main table sends elsewhere.
add action=mark-routing chain=output dst-port=53 new-routing-mark=R_VRF1 \
    out-interface=ether1 passthrough=yes protocol=udp
add action=mark-routing chain=output dst-port=53 new-routing-mark=R_VRF1 \
    out-interface=ether1 passthrough=yes protocol=tcp
add action=accept chain=prerouting protocol=icmp
# Everything below in this chain is disabled (left over from experiments).
# "new-routing-mark=*1" appears to be a dangling reference to a routing table
# that no longer exists.
add action=accept chain=prerouting disabled=yes protocol=icmp src-address=\
    192.168.130.0/24
add action=mark-routing chain=prerouting comment=Bridge-1 disabled=yes \
    dst-address=0.0.0.0/0 new-routing-mark=R_VRF2 passthrough=yes \
    src-address=192.168.88.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address=0.0.0.0/0 \
    new-routing-mark=*1 passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    192.168.88.0/24 new-routing-mark=main passthrough=yes src-address=\
    0.0.0.0/0
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=R_VRF1 \
    passthrough=yes src-address=192.168.130.0/24 src-address-type=""
add action=mark-routing chain=prerouting comment=Bridge-2 disabled=yes \
    dst-address=0.0.0.0/0 new-routing-mark=R_VRF2 passthrough=yes \
    src-address=192.168.130.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address=0.0.0.0/0 \
    new-routing-mark=main passthrough=yes src-address=192.168.130.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    192.168.130.0/24 new-routing-mark=main passthrough=yes src-address=\
    0.0.0.0/0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
# Three static defaults: main via ether2, R_VRF1 via its own gateway, and
# main again via 192.168.130.1@R_VRF1. The route print at the top shows only
# the R_VRF1-backed main route (and an R_VRF2 default that is not in this
# export), so the print and the export were probably taken at different times.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.130.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ether2
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.130.1@R_VRF1 \
    pref-src="" routing-table=R_VRF1 scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=ether1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.130.1@R_VRF1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
# Both rules reference "*1", which appears to be a routing table that has
# since been deleted; as written they cannot select a usable table and should
# be removed or re-pointed at a named table.
add action=lookup disabled=no dst-address=0.0.0.0/0 routing-mark=main \
    src-address=192.168.88.0%bridge-1/24 table=*1
add action=lookup disabled=no dst-address=192.168.88.0%bridge-1/24 \
    routing-mark=*1 src-address=0.0.0.0/0 table=main
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/system routerboard settings
# auto-upgrade=yes also lets a RouterOS upgrade re-flash RouterBOOT; fine for
# a lab, but it is a second firmware change per update.
set auto-upgrade=yes
/system scheduler
# delete-logs (disabled): the on-event body is a commented-out fragment plus an
# unfinished "/log print where time<(...", i.e. not a working script. Its
# policy list (ftp,reboot,...,password,policy,sensitive,romon) is far wider
# than a log-pruning job needs -- scripts run with exactly the policies granted
# here, so trim it (read,write should do) before enabling.
add disabled=yes interval=1d name=delete-logs on-event="/*\$jour = 20  ;\r\
    \n\$rep = /flash/log;\r\
    \n\$time = \$rep->\"time\";\r\
    \n\r\
    \n:if (\$rep > \$jour) do={\r\
    \n\r\
    \n}*/\r\
    \n\r\
    \n:local jour 20;\r\
    \n\r\
    \n/log print where time<(\$now-\$jour * " policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/01/2023 start-time=17:40:37
# ping-fail: every 5 s it pings 8.8.8.8 twice (3 echoes each) and swaps the
# two /ip/vrf entries by list position when all 3 replies arrive or none do.
# Caveats:
#  - partial loss (1 or 2 of 3 replies) matches neither branch, so the state
#    is left as is;
#  - moving entries by index (0/1) relies on print order, not on VRF names;
#  - the documented form is ":set route \"a\"" -- confirm that the "$route"
#    variant actually updates the global;
#  - like delete-logs, it is granted password/policy/sensitive/reboot/ftp; a
#    ping-and-move job likely needs only read,write,test (least privilege).
add interval=5s name=ping-fail on-event=":global route;\r\
    \n\r\
    \n# route principale\r\
    \n:if ([/ping 8.8.8.8 count=3] = 3 && \$route != \"a\") do={\r\
    \n    /ip/vrf/move 0 1;\r\
    \n    :set \$route \"a\";\r\
    \n};\r\
    \n\r\
    \n# route secondaire\r\
    \n:if ([/ping 8.8.8.8 count=3] = 0 && \$route != \"b\") do={\r\
    \n    /ip/vrf/move 1 0;\r\
    \n    :set \$route \"b\";\r\
    \n};" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/20/2023 start-time=11:07:59
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# Both netwatch probes are disabled; failover is driven by the scheduler above.
add disabled=yes down-script="" host=8.8.8.8 http-codes="" interval=10s \
    test-script="" type=icmp up-script=""
add disabled=yes down-script="" host=1.1.1.1 http-codes="" test-script="" \
    type=simple up-script=""

I hope I have provided enough information and that I was clear despite my lack of knowledge.

Hello, have you managed to resolve this? Unfortunately I don't think DNS through a VRF works on MikroTik, at least on this RouterOS version: the router does send the query and the reply does come back, but the DNS service is not handed the answer, most likely because the reply arrives in a different VRF from the one the service runs in (the main table). You can confirm this by sniffing UDP/53 on ether1 while running `:resolve google.fr` — if the reply is on the wire but the resolve still fails, the problem is the VRF boundary rather than the routes or the firewall.