Use MikroTik as second router

reevai · June 19, 2020, 7:37am

Hi I’ve mikrotik setup like this :

I have Zte f609 from ISP as router mode, and use mikrotik as DHCP server & DNS server (with Dns Over Https), and it’s work for now.
when i try setup mikrotik for bandwith limit (queue) it’s not work. Is my setup is not possible to use queue, mangle, etc?

The client is connecting from wifi (zte f609) and receive ip from dhcp server (mikrotik), and the gateway is mikrotik ip (192.168.100.1)

Note: I only have 1 lan cable

Jotne · June 19, 2020, 8:08am

To get queues to work traffic need to pass trough your Mikrotik.

ISP

Mikrotik

Clients

If you can not set ISP router in bridge mode, you will have double NAT, but other than that, most stuff should work.

reevai · June 19, 2020, 8:24am

Thanks for your reply,

If the client gateway is using mikrotik ip, the traffic still not pass trough the mikrotik?

mkx · June 19, 2020, 8:52am

If client uses MT IP as gateway, then traffic almost certainly passes MT. Whether queues etc. work very much depends on MT configuration. As there plenty of things which might go wrong, I suggest you to post MT’s configuration (all of it): run /export hide-sensitive and post result inside [__code] [/code] environment (left icon in the third group of buttons in post editing mode).

Jotne · June 19, 2020, 9:16am

If your ISP Router has default gw of 192.168.88.1
Mikrotik has IP 192.168.88.2 and as a route 0.0.0.0/0 → 192.168.88.1

Client with IP 192.168.88.55 has default gw 192.168.88.2

Then data going out will be redirected at MT to ISP router. When packet coming back inn, ISP will see the client on the same net and not send them to the MT router.

So until any confirms that it works, I am sceptical it will passes trough the Queue system.

mkx · June 19, 2020, 10:44am

@jotne: if the addresses were like in your example, then indeed there would be some weird stuff going on. However, OP’s diagram (in initial post) indicates completely separate IP subnets and in that case, the effects you’re describing don’t happen.

reevai · June 20, 2020, 1:16pm

Hi, this is my exported configuration, my mangle & queue was deleted yesterday

# jun/20/2020 20:08:48 by RouterOS 6.47
# software id = MD10-7QUJ
#
# model = 750
# serial number = 2F2C0120DA3C
/interface bridge
add admin-mac=00:0C:42:FD:82:8C auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-master
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.50
add name=dhcp_pool2 ranges=192.168.100.2-192.168.100.200
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name="Server Utama"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=192.168.1.200/24 comment=defconf interface=ether2-master network=192.168.1.0
add address=192.168.100.1/24 comment=Coba2 interface=ether2-master network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.100.200 client-id=1:68:c4:4d:30:cd:f2 comment="Moto G5S+" mac-address=68:C4:4D:30:CD:F2 server="Server Utama"
add address=192.168.100.199 client-id=1:f8:28:19:6a:16:7b comment=X260 mac-address=F8:28:19:6A:16:7B server="Server Utama"
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/xxxx
/ip dns static
add address=192.168.88.1 name=router type=A
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=45.90.28.0 name=dns.nextdns.io type=A
add address=45.90.30.0 name=dns.nextdns.io type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=bridge1
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Asia/Jakarta
/system logging
add topics=dns
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

I want to use MT to make gaming not lagging while another client is browsing, I read some tutorial on internet to separate upload & download traffic with mangle and then queue, but in tutorial use 2 interface, so they can identify download & upload traffic by interface (CMIIW).

mkx · June 20, 2020, 2:40pm

Not necessarily a show stopper, but IP addresses are assigned to ether2 while src-nat is referring out-interface=bridge … as ether2 is member of the bridge, the right thing to do would be to transfer IP addressed to bridge, as well as DHCP server. Or (even better) take ether2 out of bridge and bind that src-nat rule to ether2 as well.

Mind that mixing LAN and WAN on the same logical interface (in your case it is at the same time actual physical interface) is something which is problematic at least … ideally you should place RB physically next to ISP’s router and connect LAN cables directly to RB, keeping that single cable between RB and ISP’s router for WAN only. That would as well allow you to use queues on interfaces.

anav · June 20, 2020, 2:44pm

that is one messed up config LOL

/ip address
add address=192.168.1.200/24 comment=defconf interface=ether2-master network=192.168.1.0
add address=192.168.100.1/24 comment=Coba2 interface=ether2-master network=192.168.100.0

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=“Server Utama”
/interface bridge port
add bridge=bridge1 interface=ether2-master

mutluit · June 20, 2020, 3:00pm

I have a similar setup like the OP, but the difference is that I let only run DNS server and NTP server (time server) on the WAN router, everything else runs on the 2nd router. There are also no other devices (clients) connected to the WAN router but the 2nd router. WiFi on 2nd router is used, WiFi on WAN router is disabled.
The WAN router does NAT (as all WAN routers do by default), but on the 2nd router (MikroTik with RouterOS) one can in the config disable NAT completely. I disabled it on the QuickSet page.
Ie. no “Double NAT Problem” anymore. “Bridge Mode” is not needed, “Router Mode” is ok.
But by this setup one has 2 LANs: LAN1 on WAN router, and LAN2 on the 2nd router. But this is ok and IMO is even more secure as the internal LAN2 traffic cannot be sniffed/captured/spied from the WAN router legally or illegally… See also:
https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
https://en.wikipedia.org/wiki/Lawful_interception

Jotne · June 21, 2020, 8:19am

Did not catch that, but you are right. I would not have mixed two different subnet on the same net, but instead go for double NAT

reevai · June 23, 2020, 1:50pm

Thank you guys for all your reply.

After buy more cable, and separate interface for WAN and LAN, my queue still not work. Then try to disable all Ip > Firewall > Filter Rule, then my queue work like as expected. The problem is, mikrotik default configuration create rule fastrack connection (i don’t know what is it)

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

after disabling that rule, my queue work. maybe work with my first setup (using single cable, and 2 ip in ether1) but i will keep this cable configuration.

reevai · June 23, 2020, 1:54pm

I don’t know why mikrotik create bridge after upgrade os version, previously i didn’t see bridge in my configuration.

Assigning 2 ip in 1 interface is bad?

anav · June 23, 2020, 1:58pm

They dont teach one the powerful master of observation and scrutiny of minutia skills and the development of ones sixth sense of a poor configuration, in normal MT accredited courses.
However it is a core principal of my MTUNA certification.
(now if i can only subnet myself out of a paper bag ;-0)