Some sort of tunneling

liviu2004 · May 11, 2024, 6:34pm

Recently I got an old LTE4 device, which I need to install high in the house, to get some decent reception and speed.

But for the life of me, I cannot get an extra cable in the existing plastic tube. Tried for 3h today and damaged 10m of line.

Is there any logical way to use the same cable going to the Access Point with IP 192.168.1.4, which has a second port, to connect this second port to the LTE4 device and then route this data back to the router for PCC?

# 2024-05-11 20:33:04 by RouterOS 7.14.3
# software id = LRF1-VRV8
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mtu=1508 poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] poe-out=off
set [ find default-name=ether8 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name=IP_camera_nas vlan-id=40
add interface=bridge1 name=Internal_LAN vlan-id=10
add interface=bridge1 name=Internet_of_Things vlan-id=20
add interface=bridge1 name=Work_Devices vlan-id=30
add interface=ether1 mtu=1508 name=vlan6 vlan-id=6
/interface list
add name=WAN
add name=VLAN
/ip pool
add name=Internal_LAN ranges=192.168.1.100-192.168.1.200
add name=Internet_of_Things ranges=10.0.20.100-10.0.20.200
add name=Work_Devices ranges=10.0.30.100-10.0.30.200
add name=dhcp_pool3 ranges=10.0.40.100-10.0.40.200
/ip dhcp-server
add address-pool=Internal_LAN interface=Internal_LAN lease-time=1d name=\
    Internal_LAN
add address-pool=Internet_of_Things interface=Internet_of_Things lease-time=\
    1d name=Internet_of_Things
add address-pool=Work_Devices interface=Work_Devices lease-time=1d name=\
    Work_Devices
add address-pool=dhcp_pool3 interface=IP_camera_nas lease-time=1d name=dhcp1
/ppp profile
set *FFFFFFFE only-one=yes use-upnp=no
/interface pppoe-client
add disabled=no interface=vlan6 keepalive-timeout=30 max-mru=1500 max-mtu=\
    1500 name=pppoe-out1 profile=default-encryption use-peer-dns=yes user=\
/queue type
add kind=pcq name=pcq-download pcq-classifier=dst-address
add kind=pcq name=pcq-upload pcq-classifier=src-address
/queue simple
add max-limit=70M/30M name=queue1 queue=pcq-download/pcq-upload target=\
    pppoe-out1
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus1 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=\
    ether2,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10,20,30,40
/interface list member
add interface=pppoe-out1 list=WAN
add interface=Internal_LAN list=VLAN
add interface=Internet_of_Things list=VLAN
add interface=Work_Devices list=VLAN
add interface=ether1 list=WAN
add interface=IP_camera_nas list=VLAN
add interface=ether8 list=WAN
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/24 interface=Internal_LAN network=192.168.1.0
add address=10.0.20.1/24 interface=Internet_of_Things network=10.0.20.0
add address=10.0.30.1/24 interface=Work_Devices network=10.0.30.0
add address=10.0.40.1/24 interface=IP_camera_nas network=10.0.40.0
/ip dhcp-client
add add-default-route=no interface=ether8 use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.20.196 mac-address=24:94:94:16:3C:F5 server=\
    Internet_of_Things
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall address-list
add address=192.168.1.0/24 list=connected_subnets
add address=10.0.20.0/24 list=connected_subnets
add address=10.0.30.0/24 list=connected_subnets
add address=10.0.40.0/24 list=connected_subnets
/ip firewall filter
add action=accept chain=input comment="Allow established, related, untracked" \
    connection-state=established,related,untracked
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=input comment="accept icmp" protocol=icmp
add action=drop chain=input comment="drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-mark=no-mark disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Allow access to IP camera from Internal LAN" dst-address=10.0.40.64 \
    in-interface=Internal_LAN out-interface=IP_camera_nas
add action=accept chain=forward comment=\
    "Allow access to NAS surveillance from Internal LAN" dst-address=\
    10.0.40.182 in-interface=Internal_LAN out-interface=IP_camera_nas
add action=accept chain=forward comment=\
    "allow printer to VLAN30 Work Devices" dst-address=192.168.1.5 \
    dst-address-list="" in-interface=Work_Devices out-interface=Internal_LAN
add action=drop chain=forward comment=\
    "no outside access to IP_camera_nas VLAN" in-interface=IP_camera_nas \
    out-interface-list=WAN
add action=accept chain=forward comment="VLAN internet access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="VLAN no inter communication" \
    in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=pppoe-out1 new-connection-mark=\
    ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether8 new-connection-mark=ISP2_conn \
    passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-list=!connected_subnets \
    in-interface-list=VLAN new-connection-mark=ISP1_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-list=!connected_subnets \
    in-interface-list=VLAN new-connection-mark=ISP2_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface-list=VLAN new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface-list=VLAN new-routing-mark=ISP2 passthrough=yes
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=ether8 \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
    195.190.228.96 routing-table=ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.10.1 pref-src="" routing-table=ISP2 scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    195.190.228.96 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.10.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add from-pool=ipv6pool interface=Internal_LAN
add from-pool=ipv6pool interface=Work_Devices
add from-pool=ipv6pool interface=Internet_of_Things
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=ipv6pool request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes hop-limit=64 \
    managed-address-configuration=yes other-configuration=yes ra-preference=\
    low reachable-time=5m
add advertise-dns=no interface=pppoe-out1 ra-lifetime=none ra-preference=low \
    reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Internal_LAN \
    other-configuration=yes ra-preference=high reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Work_Devices \
    other-configuration=yes ra-preference=high reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Internet_of_Things \
    other-configuration=yes ra-preference=high reachable-time=5m
/system clock
set time-zone-name=Europe/Amsterdam
/system clock manual
set dst-delta=+01:00 dst-end="2024-10-27 03:00:00" dst-start=\
    "2024-03-31 02:00:00" time-zone=+01:00
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org

diagram.pdf (124 KB)

rplant · May 11, 2024, 11:55pm

Yes,

I like your diagram, what did you use to make that?

One relatively simple option is to put the lte device onto the vlan 10 IP range,
(no dhcp server enabled on lte device). Eg. 192.168.1.10/24

Then put a src-nat firewall rule onto the Router for all traffic going to 192.168.1.10
And a default route (with higher metric than to the VDSL2 modem) to 192.168.1.10

Then a way of detecting when the VDSL2 modem link is down.
Recursive routes with check gateway ping often work well in this situation.

You could also put the lte device on a completely different ip range, and put
a second matching IP onto the Router vlan10 interface, (also with Src nat rules).
(eg. router 192.168.2.1 and lte 192.168.2.2)

Note: This kind of hackery works much less well if the lte device is handing out IPv6 as well.

liviu2004 · May 12, 2024, 7:41am

I use draw.io which is for free as well.

Let me give some tries to your ideas. Thanks for suggestions.

liviu2004 · May 12, 2024, 8:37am

I think I got this working.

Access Point with 192.168.1.4 in the diagram is an EAP245v3, for which I assigned on second LAN port, VLAN ID 50.

On the router side:

Interface list VLAN with ID50, name LTE4, assigned to bridge1
Interface list, add on WAN the LTE4
Bridge VLANs, added 50 to VLAN IDs 50 list
IP Addresses added 192.168.10.2/24 to interface LTE4
corrected IP Firewall Mangle rule to go from previous ether8 (second WAN port) to LTE4 as in-interface
IP Firewall Address Lists added 192.168.10.0/24 range to connected_subnets.

So far it works, unsure this config is the most optimal, but it does the trick. I did not thought I pull this out. Thanks for the tips.

LTE4 modem does not hand out ipv6 traffic.

# 2024-05-12 10:36:57 by RouterOS 7.14.3
# software id = LRF1-VRV8
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mtu=1508 poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] poe-out=off
set [ find default-name=ether8 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=bridge1 name=IP_camera_nas vlan-id=40
add interface=bridge1 name=Internal_LAN vlan-id=10
add interface=bridge1 name=Internet_of_Things vlan-id=20
add interface=bridge1 name=LTE4 vlan-id=50
add interface=bridge1 name=Work_Devices vlan-id=30
add interface=ether1 mtu=1508 name=vlan6 vlan-id=6
/interface list
add name=WAN
add name=VLAN
/ip pool
add name=Internal_LAN ranges=192.168.1.100-192.168.1.200
add name=Internet_of_Things ranges=10.0.20.100-10.0.20.200
add name=Work_Devices ranges=10.0.30.100-10.0.30.200
add name=dhcp_pool3 ranges=10.0.40.100-10.0.40.200
/ip dhcp-server
add address-pool=Internal_LAN interface=Internal_LAN lease-time=1d name=\
    Internal_LAN
add address-pool=Internet_of_Things interface=Internet_of_Things lease-time=\
    1d name=Internet_of_Things
add address-pool=Work_Devices interface=Work_Devices lease-time=1d name=\
    Work_Devices
add address-pool=dhcp_pool3 interface=IP_camera_nas lease-time=1d name=dhcp1
/ppp profile
set *FFFFFFFE only-one=yes use-upnp=no
/interface pppoe-client
add disabled=no interface=vlan6 keepalive-timeout=30 max-mru=1500 max-mtu=\
    1500 name=pppoe-out1 profile=default-encryption use-peer-dns=yes user=\
  
/queue type
add kind=pcq name=pcq-download pcq-classifier=dst-address
add kind=pcq name=pcq-upload pcq-classifier=src-address
/queue simple
add max-limit=70M/30M name=queue1 queue=pcq-download/pcq-upload target=\
    pppoe-out1
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus1 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=\
    ether2,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10,20,30,40,50
/interface list member
add interface=pppoe-out1 list=WAN
add interface=Internal_LAN list=VLAN
add interface=Internet_of_Things list=VLAN
add interface=Work_Devices list=VLAN
add interface=ether1 list=WAN
add interface=IP_camera_nas list=VLAN
add interface=LTE4 list=WAN
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0
add address=192.168.1.1/24 interface=Internal_LAN network=192.168.1.0
add address=10.0.20.1/24 interface=Internet_of_Things network=10.0.20.0
add address=10.0.30.1/24 interface=Work_Devices network=10.0.30.0
add address=10.0.40.1/24 interface=IP_camera_nas network=10.0.40.0
add address=192.168.10.2/24 interface=LTE4 network=192.168.10.0
/ip dhcp-server lease
add address=10.0.20.196 mac-address=24:94:94:16:3C:F5 server=\
    Internet_of_Things
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall address-list
add address=192.168.1.0/24 list=connected_subnets
add address=10.0.20.0/24 list=connected_subnets
add address=10.0.30.0/24 list=connected_subnets
add address=10.0.40.0/24 list=connected_subnets
add address=192.168.10.0/24 list=connected_subnets
/ip firewall filter
add action=accept chain=input comment="Allow established, related, untracked" \
    connection-state=established,related,untracked
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=udp reject-with=icmp-network-unreachable
add action=reject chain=input comment="drop dns resolver" dst-port=53 \
    in-interface-list=WAN protocol=tcp reject-with=icmp-network-unreachable
add action=accept chain=input comment="accept icmp" protocol=icmp
add action=drop chain=input comment="drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-mark=no-mark disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Allow access to LTE4 from Internal LAN" dst-address=192.168.10.1 \
    in-interface=Internal_LAN out-interface=LTE4
add action=accept chain=forward comment=\
    "Allow access to IP camera from Internal LAN" dst-address=10.0.40.64 \
    in-interface=Internal_LAN out-interface=IP_camera_nas
add action=accept chain=forward comment=\
    "Allow access to NAS surveillance from Internal LAN" dst-address=\
    10.0.40.182 in-interface=Internal_LAN out-interface=IP_camera_nas
add action=accept chain=forward comment=\
    "allow printer to VLAN30 Work Devices" dst-address=192.168.1.5 \
    dst-address-list="" in-interface=Work_Devices out-interface=Internal_LAN
add action=drop chain=forward comment=\
    "no outside access to IP_camera_nas VLAN" in-interface=IP_camera_nas \
    out-interface-list=WAN
add action=accept chain=forward comment="VLAN internet access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="VLAN no inter communication" \
    in-interface=all-vlan out-interface=all-vlan
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=pppoe-out1 new-connection-mark=\
    ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=LTE4 new-connection-mark=ISP2_conn \
    passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-list=!connected_subnets \
    in-interface-list=VLAN new-connection-mark=ISP1_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-list=!connected_subnets \
    in-interface-list=VLAN new-connection-mark=ISP1_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-list=!connected_subnets \
    in-interface-list=VLAN new-connection-mark=ISP2_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:3/2
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface-list=VLAN new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface-list=VLAN new-routing-mark=ISP2 passthrough=yes
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=LTE4 \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
    195.190.228.96 routing-table=ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.10.1 pref-src="" routing-table=ISP2 scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    195.190.228.96 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.10.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add from-pool=ipv6pool interface=Internal_LAN
add from-pool=ipv6pool interface=Work_Devices
add from-pool=ipv6pool interface=Internet_of_Things
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=ipv6pool request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from VLAN" in-interface-list=\
    !VLAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes hop-limit=64 \
    managed-address-configuration=yes other-configuration=yes ra-preference=\
    low reachable-time=5m
add advertise-dns=no interface=pppoe-out1 ra-lifetime=none ra-preference=low \
    reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Internal_LAN \
    other-configuration=yes ra-preference=high reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Work_Devices \
    other-configuration=yes ra-preference=high reachable-time=5m
add dns=2a02:a47f:e000::54,2a02:a47f:e000::53 interface=Internet_of_Things \
    other-configuration=yes ra-preference=high reachable-time=5m
/system clock
set time-zone-name=Europe/Amsterdam
/system clock manual
set dst-delta=+01:00 dst-end="2024-10-27 03:00:00" dst-start=\
    "2024-03-31 02:00:00" time-zone=+01:00
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.nl.pool.ntp.org
add address=1.nl.pool.ntp.org
add address=2.nl.pool.ntp.org
add address=3.nl.pool.ntp.org

diagram.pdf (140 KB)

rplant · May 14, 2024, 6:53am

Cool,

On review, I have some reservations about the following though

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=
ether2,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10,20,30,40,50

I think you should remove the untagged= section.

I am fairly sure the pvid=10 on the interfaces will result in the appropriate untagged= entry being
automatically generated.

And the above configuration appears to be, all vlans 10,20,30,40,50 can send their traffic out ether2..sfpplus1
(untagged) you would likely only see broadcast/multicast traffic from these vlans on these ports.

Note: I could easily be wrong in this case.