Trying to get the VLANs to work

anav · October 5, 2022, 12:10am

You have to understand that the rules follow the order within a chain.
As I stated, the drop rule is the last rule so it stops any further traffic that didnt match on one of the above rules.
Put simply, if you didnt already allow it, then it aint going to happen.

We DO NOT NEED state is new, either, its redundant.

What we have allowed is in green besides default rules…

add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=forward comment=“VLAN Internet Access only”
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

So if you want vlan10 to access all other vlans…
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=accept chain=forward comment=“VLAN Internet Access only”
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“allow admin access to vlans”
in-interface=“vlan10-LAN Consultar” out-interface-list=VLAN
add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

consultar · October 5, 2022, 3:40pm

This are my filter rules, and everything it’s working propperly except the access from vlan 10 to vlan 20, i’ve tryed different compinations, with the out-interface-list=VLAN, and in-interface-list=ADMIN, but none of them seems to work (cannot ping or access trought remote desktop)

/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“Allow VLAN” in-interface-list=ADMIN
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” dst-port=53
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries-TCP” dst-port=53
in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment=“drop all else”
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=forward comment=“VLAN Internet Access only”
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“allow admin access to vlans”
in-interface=vlan10-LAN out-interface=vlan20-Clientes
add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

anav · October 5, 2022, 4:03pm

are you sure you have the name of the vlan correct??

from:
in-interface=vlan10-LAN out-interface=vlan20-Clientes
TO:“vlan10-LAN Consultar”

As per…
/interface vlan
add interface=BridgeVLAN name=“vlan10-LAN Consultar” vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30

consultar · October 6, 2022, 3:19pm

Yes, i changed the name of the vlan to “vlan10-LAN”

# oct/06/2022 12:10:02 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether7-Trunk
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=mac-winbox
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
    interface=ether3 pvid=10
add bridge=BridgeVLAN interface=ether4 pvid=10
add bridge=BridgeVLAN interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether4,ether5 vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add list=mac-winbox
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add list=mac-winbox
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
    network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add address=10.0.10.1-10.0.10.101 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
add address=10.0.10.7 comment=Des07 list=a_claro
add address=10.0.10.102 comment=cosag list=a_claro
add address=10.0.10.103 comment=w2019 list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow VLAN" in-interface-list=ADMIN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin access to vlans" \
    connection-state=new in-interface=vlan10-LAN out-interface=\
    vlan20-Clientes
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=cosag dst-port=5536 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=5536
add action=dst-nat chain=dstnat comment=servidor_cp dst-port=3389 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 to-ports=3389
add action=dst-nat chain=dstnat comment=des07 dst-port=5347 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.7 to-ports=5347
add action=dst-nat chain=dstnat comment=w2019 dst-port=5550 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=5550
add action=dst-nat chain=dstnat comment=webserver dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.201 to-ports=80
add action=dst-nat chain=dstnat comment=ftp dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.10.101 to-ports=21
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/ip traffic-flow target
add dst-address=192.168.1.253 port=5536 version=5
/lcd interface
add
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxxx@gmail.com port=587 start-tls=\
    yes user=xxx
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon
set enabled=yes

That’s the complete config… i don’t know why isn’t working…

anav · October 6, 2022, 5:25pm

(1) Your /interface bridge port and /interface bridge vlan settings are mierda, they contradict each other! This is the main issue!

You tell me which vlans are supposed to go over which ports.
Also what the port is connected to ( dumb device can only accept untagged traffic like PC), or smart device (like managed switch or another MT device which can accept vlans)

(2) Get rid of the not needed entries in yellow. They are not required plus duplicates.
/interface list member
add list=mac-winbox
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add list=mac-winbox
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN

(3) One Bizarre entry with weird format, in red, delete, and you dont need dhcp server on ether10!!
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=192.168.99.0/24 gateway=192.168.99.1

(4) You need to remove this old default entry, go to winbox, go to IP, go to DNS, select Static on the right hand side menu of the popup.
/ip dns static
add address=192.168.1.1 name=router

(5) Add some IP DNS servers, at the top of the IP DNS page, under SERVERS, add like 1.1.1.2 and 9.9.9.9

(6) Change comment to reflect reality
add action=accept chain=input comment="Allow VLAN" in-interface-list=ADMIN
TO:
add action=accept chain=input comment=“Allow admin to config router” in-interface-list=ADMIN

(7) Drop the bit about new, it is not required… read ---->
add action=accept chain=forward comment=“VLAN Internet Access only”
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“allow admin access to vlans”
connection-state=new in-interface=vlan10-LAN out-interface=
vlan20-Clientes
TO:
add action=accept chain=forward comment=“VLAN Internet Access only”
in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“allow admin access to vlans”
in-interface=vlan10-LAN out-interface=
vlan20-Clientes

(8) Set this to ADMIN
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

consultar · October 7, 2022, 2:02pm

Well, i hope to get rid of all the mierda left XD

On ether3 → Proxmox server (expects tagged traffic) - vlan 10 and 30
iether4- → unmanaged swutch (untagged vlan 10)
ether5 → Aruba switch (all vlan 10, 20, 30)

On the Aruba until now i’v got on port1 - a trunk port with all 3 vlans.
on port2 a proxmox server with vlans 10 and 20.
and on port 3 an access port where my PC is connected with vlan 10.

# oct/07/2022 y:45:29 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether7-Trunk
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment=BridgeVLAN frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4
add bridge=BridgeVLAN frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \
    vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
    network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip firewall address-list
add address=10.0.10.1-10.0.10.101 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
add address=10.0.10.7 comment=Des07 list=a_claro
add address=10.0.10.102 comment=cosag list=a_claro
add address=10.0.10.103 comment=w2019 list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to config router" \
    in-interface-list=ADMIN
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin access to vlans" \
    connection-state="" in-interface=vlan10-LAN out-interface=vlan20-Clientes
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=cosag dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=xxxx
add action=dst-nat chain=dstnat comment=servidor_cp dst-port=3389 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 to-ports=3389
add action=dst-nat chain=dstnat comment=des07 dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.7 to-ports=xxx
add action=dst-nat chain=dstnat comment=w2019 dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=xxxx
add action=dst-nat chain=dstnat comment=webserver dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.201 to-ports=80
add action=dst-nat chain=dstnat comment=ftp dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.10.101 to-ports=21
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
	x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/lcd interface
add
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxxx@gmail.com port=zzz start-tls=\
    yes user=xxxx
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool romon
set enabled=yes

anav · October 7, 2022, 8:34pm

Yup, your bridge ports and bridge vlans setting make 100% sense to me, good job!

consultar · October 9, 2022, 3:50am

Thanks a lot anav for all of your recommendations, and your time. they where more than helpfull… Thank you!!