Hello,

I hope you can help me configure an option on my RouterOs v6.42.6 which I cannot understand.

I have configured 4 VLANS (10.10.0.0/22, 10.10.4.0/22, 10.10.8.0/22 and 10.20.0.0/22 on ether 6) and one separate network 192.168.0.0/24 (on ether 3). All of them have DHCP and everything set up.

All these networks are set in Firewall NAT to have destination address 0.0.0.0/0 (masquerade).

I have two WANS : 62.x.x.x and 85.x.x.x

In routes I set up 0.0.0.0/0 to gateway 85.x.x.x distance 2 and to gateway 62.x.x.x distance 3. So 85.x.x.x is primary connection and if something happens to it, then 62.x.x.x will take it’s place.

Everything works very good but I want to change something and I don’t know how.

I want to keep everything as it is but have an exception. Make the 192.168.0.0/24 network use the 62.x.x.x gateway. But also have redundancy with 0.0.0.0/0. So if something bad happens to 62.x.x.x it goes to 0.0.0.0/0

Can you help me with the configuration changes?

Thank you!

Without seeing the config its a complete guess.
/export hide-sensitive file=anynameyouwish

FIRST WAN Distance=5 check gateway etc.
SECOND WAN Distance=10
Add third Route
SECOND WAN Distance=2 routing-mark=use-second-wan
Add associated Route Rule
ROUTE RULE source-interface=VLANsubnet, action=LOOKUP IN TABLE, TABLE=use-second-wan

In this way if I am correct, the router will see the traffic coming the vlan subnet and note that it is identified for the TABLE =use-second-wan and because it has the shorter distance should go out this path.
IF Table use-second-lan is not available because SECOND WAN is down, the router will look at the available Tables and note hey FIRST WAN is up ,will use that instead.

Hi!

Thank you for taking the time to help me out! Below you can find the configuration time. Please when explaining keep in mind that I am a noob with mikrotik.

apr/16/2021 16:01:25 by RouterOS 6.42.6

software id = ZSVG-BBA9

model = CCR1036-8G-2S+

serial number = 742907E8144D

/interface bridge
add fast-forward=no name=“Line Out”
/interface ethernet
set [ find default-name=ether1 ] name=“ether1 - RCS WAN”
set [ find default-name=ether2 ] name=“ether2 - UPC WAN”
set [ find default-name=ether3 ] name=“ether3 - Breeze”
set [ find default-name=ether4 ] name=“ether4 - VPN”
set [ find default-name=ether5 ] name=“ether5 - Line out Bridge”
set [ find default-name=ether6 ] name=“ether6 - Line out Bridge”
set [ find default-name=ether7 ] name=“ether7 - Line out Bridge”
set [ find default-name=ether8 ] name=“ether8 - Brasovia”
/interface vlan
add interface=“Line Out” name=“VLAN 25 - CCTV” vlan-id=25
add interface=“Line Out” name=“VLAN 30 - Production” vlan-id=30
add interface=“Line Out” name=“VLAN 60 - Guests” vlan-id=60
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=“ether8 - Brasovia” name=brasovia
/ip hotspot profile
add dns-name=hotspot.xxxxxx.ro hotspot-address=10.20.0.1
html-directory=hotspot_xxxxx http-cookie-lifetime=1w login-by=
cookie,http-chap,mac-cookie name=hsprof1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=
none
/ip pool
add name=dhcp_pool_default_equipment ranges=10.10.8.200-10.10.11.200
add name=dhcp_pool_guests ranges=10.20.0.100-10.20.3.200
add name=dhcp_pool_breeze ranges=192.168.0.100-192.168.0.200
add name=dhcp_pool_cctv ranges=10.10.5.50-10.10.7.200
add name=dhcp_pool_VPN ranges=172.16.10.100-172.16.10.200
add name=dhcp_pool_conferinte_brasovia ranges=192.168.1.20-192.168.1.220
/ip dhcp-server
add address-pool=dhcp_pool_default_equipment disabled=no interface=“Line Out”
name=dhcp_server_default
add address-pool=dhcp_pool_cctv disabled=no interface=“VLAN 25 - CCTV” name=
dhcp_server_cctv
add address-pool=dhcp_pool_guests disabled=no interface=“VLAN 60 - Guests”
name=dhcp_server_guests
add address-pool=dhcp_pool_breeze disabled=no interface=“ether3 - Breeze”
name=dhcp_server_breeze
/ip hotspot
add address-pool=dhcp_pool_guests disabled=no idle-timeout=59m interface=
“VLAN 60 - Guests” name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool=dhcp_pool_guests mac-cookie-timeout=1w
shared-users=unlimited
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=172.16.10.1 name=VPN-L2TP
remote-address=dhcp_pool_VPN use-encryption=required
set *FFFFFFFE dns-server=8.8.8.8 local-address=dhcp_pool_VPN
/queue simple
add disabled=yes max-limit=256k/256k name=test target=10.10.0.169/32
/interface bridge port
add bridge=“Line Out” hw=no interface=“ether5 - Line out Bridge”
add bridge=“Line Out” hw=no interface=“ether6 - Line out Bridge”
add bridge=“Line Out” hw=no interface=“ether7 - Line out Bridge”
/interface bridge settings
set use-ip-firewall=yes
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN-L2TP enabled=yes
keepalive-timeout=disabled
/ip address
add address=85.x.x.x interface=“ether2 - UPC WAN” network=85.x.x.35
add address=192.168.0.2/24 interface=“ether3 - Breeze” network=192.168.0.0
add address=10.10.8.1/22 interface=“Line Out” network=10.10.8.0
add address=10.10.0.1/22 interface=“VLAN 30 - Production” network=10.10.0.0
add address=10.10.4.1/22 interface=“VLAN 25 - CCTV” network=10.10.4.0
add address=10.20.0.1/22 interface=“VLAN 60 - Guests” network=10.20.0.0
add address=62.x.x.x interface=“ether1 - RCS WAN” network=62.x.x.1
add address=172.16.10.0/24 interface=“ether4 - VPN” network=172.16.10.0
add address=192.168.1.2/24 interface=“ether8 - Brasovia” network=192.168.1.0
/ip dhcp-server lease
add address=10.10.8.211 client-id=1:f8:7b:20:7:58:79 mac-address=
F8:7B:20:07:58:79 server=dhcp_server_default
/ip dhcp-server network
add address=10.10.4.0/22 dns-server=8.8.8.8 gateway=10.10.4.1 netmask=22
add address=10.10.8.0/22 dns-server=8.8.8.8 gateway=10.10.8.1 netmask=22
add address=10.20.0.0/22 dns-server=8.8.8.8 gateway=10.20.0.1 netmask=22
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.2
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.2 netmask=24
/ip dns
set servers=8.8.8.8

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
192.168.0.0/24
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
10.10.0.0/22
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
10.20.0.0/22
add action=passthrough chain=srcnat dst-address=62.231.108.1 src-address=
10.30.0.0/22
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
10.10.4.0/22
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
10.10.8.0/22
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
172.16.10.0/24

/ip hotspot user
add name=admin
add name=client
/ip hotspot walled-garden
add comment=“place hotspot rules here” disabled=yes
add comment=
“Allow access to hotspot scripts on 10.10.0.5 before authentification”
dst-host=10.10.0.5 dst-port=80,8080 path=/hotspot/* server=hotspot1
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des
exchange-mode=main-l2tp generate-policy=port-override
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des
exchange-mode=main-l2tp generate-policy=port-override
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des
exchange-mode=main-l2tp generate-policy=port-override
/ip route
add distance=2 gateway=85.x.x.x
add distance=3 gateway=62.x.x.x
/system clock
set time-zone-name=Europe/Bucharest
/system routerboard settings
set silent-boot=no

(1) Just so I understand it appears you have a Bridge called lineout which has three vlans, so I dont understand why you see the need to have the bridge itself give out DHCP??
Just use the bridge as a bridge period is my recommendation and if you need to run more data on the bridge just call it vlanhome or something.
What is the purpose of the line out address and network??

(2) Remove this, its rarely needed and can cause issues. The normal firewall rules under IP firewall filter suffice for 98% of scenarios.
/interface bridge settings
set use-ip-firewall=yes

(3) Missing dhcp-server for ether8 brasovia

(4) Missing dhcp-server for production network (vlan30)

(5) Missing ip pool for production network (vlan30)

(6) Just confirming all the lineout bridge ports are heading to smart devices which can read vlan tags.

(7) I am not savvy with NAT rules but it seems to me you have way too many sourcnat rules.
Typically with two WANs one can
a. use a single rule,
add chain=srcnat action=masquerade out-interface-list=WAN
or
b. use two rules one per WAN
add chain=srcnnat action=masquerade out-interface=ether1 (the active interface which may be a pppoe-name or vlan associated interface)
add chain-srcnat action=masquerade out-interface=ether2

IF one or both of the WANIP is actually a static/fixed WANIP then be is a better approach and the static IP should look like
add chain=srcnat action=srcnat out-interface=etherx to-addressses=WANIP

For the most part that covers 98% of cases…

(8) Where are all the firewall rules. without them
a. You should not be connected to the internet
and
b. By not showing them the config being interrelated is not really of much use for me to see what is going on.

(9) Your IP routes, is one thing to be careful so dont use real numbers, and if necessary edit your previous post.

(a) So a very basic Dual wan setup is.
add dst-address=0.0.0.0/0 check-gateway=ping distance=5 gateway=IP of WAN1
add dst-address=0.0.0.0/0 distance=10 gateway=IP of WAN2 gateway

What this is saying is that the router will check your routing when traffic is headed outbound and it will see that both routes are reachable but will pick the one with the lower distance (WAN1).
If the lower distance table is not available it will pick the next available table and will switch to WAN2. In the meantime it will keep checking to see if WAN1 is up and when it is will switch back to WAN1.

(b) one can make this recursive and by that I mean the router checks that an internet address is reachable vice the router interface because on some occasions the link to the ISP works but the link to the internet from them does not and therefore your router thinks the route is up but in fact it is not. So its a superior method of route setting upl
In simple terms, recursive means using the gateway of the IP to check an internet address to see if the route is reachable.

add check-gateway=ping distance=5 gateway=9.9.9.9
add distance=5 dst-address=9.9.9.9/32 gateway=IP of WAN1 gateway.
add distance=10 gateway=IP of WAN2 gateway

(c) However I am currently lost on how to easily create the WAN1 bypass AND still use wan1 if wan 2 is down. The bypass is easy the second part I am not sure of.

Hi! Thank you for helping me!

1. I do have a bridge “Line out” which contains 4 VLANS (1,25,30,60). My intention was to leave with 3 cables directly from the router to other 3 switches in the building and give out all the VLANS. I set DHCP servers on each VLANS (even for VLAN 1 default which is the network for the equipment… this is where I access the switches which are on VLAN 1). This is how I thought it at that point. I greatly appreciate it if you give me a better way to configure it.

2. I changed it to “no”

3. It gives me an “Invalid” message. I don’t know why…

4 and 5. DHCP is covered by a different machine (domain controller)

6. Yes they go to managed switches (that support VLAN managing)

7. What you see is what I understood from reading over the internet of how the routing should be configured on mikrotik with dual WAN. It is possible that it is not the best way!

What I understand from you I could do to following :

a. add chain=srcnat (without selecting a source) action=masquerade out-interface-list=(all,dynamic,none : these are the available select options)
b. 2 x add chain=srcnat (without selecting a source) action=masquerade out-interface=ether1 or ether2
c. add chain=srcnat (without selecting a source) action=srcnat out-interface=etherx to-addresses=WANIP

I would like to understand better your recommendations :

a.1. If I don’t select a source for the NAT rule it means it applies for all sources?
a.2. out-interface-list gives me only these options: all/dynamic/none
b.1. If I create two rules, first rule will have out-interface ether1 and second will have ether2, will the redundancy work? When ether1 with WAN1 is down, ether2 with WAN2 will take it’s place?

8. I deleted some of the firewall rules but nothing important…

9. I’ve changed them. Thank you for pointing out and again, thank you for taking the time to help me out!

(1) Okay I should have referenced this article for reading.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

(2) Basically one does not use VLAN1 for anything but uses VLAN99 or any number you choose!
Do not worry, vlan1 is carried in the background and works with all other vendors equipment as all expect a management vlan.

(3) So simply change your VLAN numbering from 1 to 99, done!! WHOOPs you are using a vlan with nothing defined, OKAY,

(4) Creating the mgmt VLAN
(a) VLAN setup
/interface vlan
add interface=“Line Out” name=“VLAN 25 - CCTV” vlan-id=25
add interface=“Line Out” name=“VLAN 30 - Production” vlan-id=30
add interface=“Line Out” name=“VLAN 60 - Guests” vlan-id=60
add interface=“Line Out” name=“VLAN 99 - Mgmt” vlan-ids=99

b. IP POOL CLEANUP and missing vlan 30
ip pool
add name=dhcp_pool_default_equipment ranges=10.10.8.200-10.10.11.200 { should be 2, and 8}
add name=dhcp_pool_guests ranges=10.20.0.100-10.20.3.200 { should be 0}
add name=dhcp_pool_breeze ranges=192.168.0.100-192.168.0.200
add name=dhcp_pool_cctv ranges=10.10.5.50-10.10.7.200 { should be 5}
add name=dhcp_pool_VPN ranges=172.16.10.100-172.16.10.200
add name=dhcp_pool_conferinte_brasovia ranges=192.168.1.20-192.168.1.220
add name=dhcp_pool_production ranges=10.10.0.20-10.10.0.200
c. IP dhcp MISSING VLAN30
/ip dhcp-server
add address-pool=dhcp_pool_default_equipment disabled=no interface=“Line Out”
name=dhcp_server_default
add address-pool=dhcp_pool_cctv disabled=no interface=“VLAN 25 - CCTV” name=
dhcp_server_cctv
add address-pool=dhcp_pool_guests disabled=no interface=“VLAN 60 - Guests”
name=dhcp_server_guests
add address-pool=dhcp_pool_breeze disabled=no interface=“ether3 - Breeze”
name=dhcp_server_breeze
add address-pool=dhcp_pool_production disabled=no interface=“VLAN 30 - Production” name=
dhcp_server_production

d. CLEAN UP ADDRESS
/ip address
add address=85.x.x.x interface=“ether2 - UPC WAN” network=85.x.x.35
add address=192.168.0.2/24 interface=“ether3 - Breeze” network=192.168.0.0
add address=10.10.8.1/2**2?** interface=“Line Out” network=10.10.8.0 {Should be interface="VLAN 99 - Mgmt}
add address=10.10.0.1/2**2?** interface=“VLAN 30 - Production” network=10.10.0.0
add address=10.10.4.1/2**2?** interface=“VLAN 25 - CCTV” network=10.10.4.0 {should be 5 }
add address=10.20.0.1/2**2?** interface=“VLAN 60 - Guests” network=10.20.0.0
add address=62.x.x.x interface=“ether1 - RCS WAN” network=62.x.x.1
add address=172.16.10.0/24 interface=“ether4 - VPN” network=172.16.10.0
add address=192.168.1.2/24 interface=“ether8 - Brasovia” network=192.168.1.0

e. Clean up IP Server Network Missing vlan30
/ip dhcp-server network
add address=10.10.4.0/22 dns-server=8.8.8.8 gateway=10.10.1 netmask=22 {Should be 5 }
add address=10.10.8.0/22 dns-server=8.8.8.8 gateway=10.10.8.1 netmask=22
add address=10.20.0.0/22 dns-server=8.8.8.8 gateway=10.20.0.1 netmask=22
add address=10.10.0.0/22 dns-server=8.8.8.8 gateway=10.10.0.1 netmask=22

(5) Remove this unless you have a specific purpose, not communcated.
/interface bridge settings
set use-ip-firewall=yes

(6) I do not understand your SOURCE NAT RULES HERE>
Basically need a Source NAT rule applied TO ALL
OR per WAN INTERFACE.
I clearly do not understand the purpose of the source nat config in this setup ???

Using VLAN 1 is fine as long as you are aware of the limitations. Some manufacturers require their device management to be untagged so needing “hybrid” ports, others artificially restrict VLAN 1 to be untagged only.

The IP addresses and DHCP pool address ranges are perfectly OK for /22 subnets, there are cases where you need to support greater than 253 devices.

thanks tdw I will defer to your knowledge of sub-netting, I am still stuck in a paper bag on that one!

However I disagree on vlan1 usage. Dependency upon it to carry traffic and be a management vlan has not proven to be without troubles.
Whereas, using a management vlan separate from vlan1 has worked in all cases, with minimal fuss with TPLINK, NETGEAR, DLINK, etc devices.
As far as UNIFI goes if its true it needs the management VLAN arriving at its port in an untagged traffic flow, then one simply
un-tags vlan99 to that port and still push any other data vlans required as per usual in a HYBRID port setup.