VLAN SWITCH

[Attachment: 30CookstNetwork.jpg]
Hi,

I want to use two Mikrotik rb2011 to connect two houses together with one cable. Each house has its own internet service. My goal is to use dual WAN on both routers. The attached diagram shows my setup.

Router A has two WAN ports, ETH_1 and ETH_2. ETH_2 uses Router B as a gateway for internet connection. The remaining 8 ports on Router A are bridged as Bridge-LAN. Bridge-LAN has IP address 192.168.80.0/24. This part is working fine. But I do have a question. Bridge-LAN is using software switching (this is my understanding). How do I use the switch chip in the bridge? The RB2011 has two switch chips. Now there are no master or slave ports. What is the new way of configuring it?

Router B, ETH1 and ETH2 are there to serve as the second WAN to Router A. This part is working fine.

For Router B, I want it to use Router A as a gateway. For both routers, I have created a VLAN on ETH2. Router A VLAN has IP address 192.168.81.1. Router B VLAN has IP address 192.168.81.2. This part is working. I can use the IP addresses to ping each VLAN. This VLAN is to link Router A back to Router B, so Router B has internet traffic through this VLAN.

For the remaining 8 ports in Router B, I want it to be a switch to Router A’s Bridge-LAN. So the 8 ports in Router B are on the same subnet as Router A’s Bridge-LAN 192.168.80.0/24. I don’t know how to do this part. First, how do I set up Router B as a transparent bridge to Router A? Second, how do I use the hardware switch chip to do the switching on the remaining 8 ports?

Thank you for your help

Jake He

You won’t be able to fully switch your 8 remaining ports, because there are 2 physical switches in this RB.

There are for sure some workarounds. I’ve written recently some investigations here.

And regarding gateways. I assume it should be possible to add default routes via different interfaces using different metrics. Something like this:
0.0.0.0/0 via eth1 distance 1
0.0.0.0/0 via eth2 distance 5
With this setup each home would use its own RB to access internet via eth1, and use the other RB as a fail-over connection to internet.

5 ports for the switch is fine with me too. Port eth6 to eth10. How do I do this? I will read your post soon.

I can’t see the diagram. (EDIT: I can see it now) It says I’m not authorized to download it for whatever reason. Can you fix that?

A few things:

There’s no need to worry about if the hardware switch is being used as of 6.41. See the release notes for 6.41: https://mikrotik.com/download/changelogs

If both houses are using the same network, you don’t need a vlan unless there is other traffic you aren’t talking about here.

You’re talking about “dual lan” and 2 wan ports, but I’m not sure if that concept is correct based on your description.

From your description, this configuration is calling out for VRRP failover when one of the wan links fails to me. The physical link between the routers is ideal for that. Detecting that the wan link failed is the problem, you would have to script that or maybe someone has a better idea. Adding the ability to track an interface and have that trigger VRRP failover would be a really nice feature. Unless it already exists and I’m missing it…

Yeah, looking at your description I think you should look into VRRP failover. You wouldn’t need the extra networks, you would just have the 2 wans and 1 subnet below connected by the link between the routers. Figuring out how to failover based on wan link failure is the problem you would have to work out.

I think what the other person said is your router has 2 separate hardware switches. One for the 10/100 ports, one for the gigabit ports (I think). As long as you use one or the other, they will be hardware switched. But you can use a software bridge and it would be fine as long as you’re not expecting maximum bandwidth.

Exactly

Thank you for your reply. Ok, I can stick with software bridge. How do I set up Router B Bridge-LANB as a switch to Router A? I mean, using VLAN-HOUSELINK as the link between the two routers. Do I need to set up a static route from Router B?

Forget what I said about VRRP if you’re trying to use PCC. I didn’t see that.

If you absolutely need to use both uplinks to get enough bandwidth, then PCC is correct. If not, a master/backup failover setup would be more reliable.

I have much better luck with users if they know the uplink bandwidth is some given amount that everyone needs to share. Expecting both links to work reliably and then running across problems with one and getting half bandwidth for some period of time could be a worse problem depending on what you’re doing.

Basically, I want both houses to share their internet. Sometimes, the internet connection is slow on one of the houses. When the internet is slow I want the traffic to be routed to the better connection.

My thought is to use Router A as dual WAN for both houses. Router B does not directly get the internet connection from itself. It gets it from Router A via the VLAN. I guess this idea would not work right?

Why not? In house A set route 0.0.0.0/0 to 192.168.0.1 and in house B set route 0.0.0.0/0 to 192.168.81.1. Router A will always send packets to the Internet through its ISP and B will always send packets to the Internet through the vlan tag. Easy :)

I finally got it working. I have added a static route on Router B, 0.0.0.0 with gateway 192.168.81.1. Router B has an internet connection and is switching for Router A. But I am not sure PCC is working properly on Router A.

My understanding is that internet traffic is shared between wan1 and wan2. But I can only see wan1 having traffic, and wan2 is idle. When I disconnect wan1, wan2 gets traffic. What am I doing wrong?

/ip firewall mangle export
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan2_conn per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge-local new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge-local new-routing-mark=to_wan2
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2

/ip route export
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_wan1
add check-gateway=ping distance=2 gateway=192.168.88.1 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=192.168.0.1

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat src-address=10.0.0.0/24

[admin@MT-MAIN] > /ip address print   
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.80.1/24    192.168.80.0    bridge-local
 1   10.0.0.1/24        10.0.0.0        COOKST
 3 D 192.168.0.20/24    192.168.0.0     ether1
 4 D 192.168.88.252/24  192.168.88.0    ether2

I deleted my old routes and added these again. Now I get more traffic on wan2, but little on wan1.

Create the unmarked default routes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.88.1 distance=2
Create the marked default routes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 check-gateway=ping distance=1 routing-mark=to_wan1
add dst-address=0.0.0.0/0 gateway=192.168.88.1 check-gateway=ping distance=1 routing-mark=to_wan2

You have to add passthrough=yes to the rules with per-connection-classifier. Without it, the initial packet of outbound connection gets the connection mark but doesn’t get the routing mark, so the connections establish through one WAN and continue through the other one, so they fail.

Hi,

I have added the passthrough. But I only see traffic on WAN1. Nothing on WAN2.

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.80.0/24 in-interface=bridge-local
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=bridge-local
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge-local new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge-local new-routing-mark=to_wan2
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2

[Attachment: Screen Shot 2018-06-06 at 8.00.13 am.png]

I’m afraid I’d have to see the complete configurations from both machines to spot any issue. The PCC handling seems fine to me, so I suspect some routing problem at the other router which causes packets intended to go out its uplink to get lost or, more likely, looped.

The idea is that WAN1 is the physical WAN of router X, and WAN2 is locally represented at X by the VLAN towards the other router Y. Router Y must make sure that packets which come from router X through that VLAN will not be handled the same way as packets from the local LAN but will be routed straight to its own physical WAN.

I really appreciate your help. Kindly look at my configurations.

Router B is a simple configuration. I started with a reset configuration. I selected a standard router configuration with NAT and bridged all ports.
I added a new bridge and renamed the bridges to bridge-wan and bridge-lan. bridge-wan has eth1, eth2, and wlan1. All other ports belong to bridge-lan. My thought is to separate the traffic by using these two bridges.

In bridge-wan, eth1 is the wan port. eth2 is to direct internet to router A. bridge-wan is in the IP range 192.168.88.0/24.

In bridge-lan, only vlan-200 has an IP address, 192.168.83.3. This is used to talk to the vlan in router A. This is done by a static route, dst-address 0.0.0.0/0 with gateway 192.168.83.2.

Router A and Router B are connected by eth2.

I have CapsMAN enabled on Router A. When I connect APs on Router B ports, CapsMAN can register them.

Router B

[admin@MikroTik] /ip> /interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1                              ether            1500  1598       4074 00:0C:42:F8:A5:77
 1  RS ether2                              ether            1500  1598       4074 00:0C:42:F8:A5:78
 2   S ether3                              ether            1500  1598       4074 00:0C:42:F8:A5:79
 3   S ether4                              ether            1500  1598       4074 00:0C:42:F8:A5:7A
 4   S ether5                              ether            1500  1598       4074 00:0C:42:F8:A5:7B
 5   S ether6                              ether            1500  1598       2028 00:0C:42:F8:A5:7C
 6   S ether7                              ether            1500  1598       2028 00:0C:42:F8:A5:7D
 7   S ether8                              ether            1500  1598       2028 00:0C:42:F8:A5:7E
 8   S ether9                              ether            1500  1598       2028 00:0C:42:F8:A5:7F
 9   S ether10                             ether            1500  1598       2028 00:0C:42:F8:A5:80
10     sfp1                                ether            1500  1598       4074 00:0C:42:F8:A5:76
11   S wlan1                               wlan             1500  1600       2290 00:0C:42:F8:A5:81
12  R  bridge-lan                          bridge           1500  1594            00:0C:42:F8:A5:7A
13  R  bridge-wan                          bridge           1500  1598            00:0C:42:F8:A5:78
14  RS vlan-200                            vlan             1500  1594            00:0C:42:F8:A5:78

interface bridge print

 0 R name="bridge-lan" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled arp-timeout=auto mac-address=00:0C:42:F8:A5:7A protocol-mode=rstp fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no 

 1 R name="bridge-wan" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=00:0C:42:F8:A5:78 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=00:0C:42:F8:A5:78 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no

interface bridge port print

Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                        BRIDGE               HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON 
 0       ether2                         bridge-wan                     no     1     0x80         10                 10       none 
 1 I     ether3                         bridge-wan                     no     1     0x80         10                 10       none 
 2 I H  ether4                        bridge-lan                       yes    1     0x80         10                 10       none 
 3 I H  ether5                        bridge-lan                      yes    1     0x80         10                 10       none 
 4 I      ether6                       bridge-lan                      no     1     0x80         10                 10       none 
 5 I H  ether7                        bridge-lan                      yes    1     0x80         10                 10       none
 6 I H  ether8                        bridge-lan                      yes    1     0x80         10                 10       none
 7 I H  ether9                        bridge-lan                      yes    1     0x80         10                 10       none
 8 I     wlan1                         bridge-wan                              1     0x80         10                 10       none
 9 I    ether10                       bridge-lan                       no     1     0x80         10                 10       none
10     vlan-200                      bridge-lan                               1     0x80         10                 10       none

ip address

[admin@MikroTik] > /ip address print  
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.88.1/24    192.168.88.0    bridge-wan
 1   192.168.88.1/24    192.168.88.0    ether2
 2   192.168.83.3/24    192.168.83.0    vlan-200
 3 D 192.168.0.18/24    192.168.0.0     ether1
 
 [admin@MikroTik] /ip> route print  
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.0.1               1
 1 A S  0.0.0.0/0                         192.168.83.2              1
 2 ADC  192.168.0.0/24     192.168.0.18    ether1                    0
 3 ADC  192.168.83.0/24    192.168.83.3    bridge-lan                0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge-wan                0

Router A

COOKST bridge is used for CapsMAN. All ports are on the bridge-local. I am not sure whether vlan should also be on it. For now, I disabled it. I don’t see any difference.


[admin@MT-MAIN] /interface bridge port> print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE            BRIDGE              HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON 
 0 I   ether3                  bridge-local         no     1     0x80         10                 10       none 
 1 I   ether4                 bridge-local          no     1     0x80         10                 10       none 
 2 I   ether5                bridge-local           no     1     0x80         10                 10       none 
 3 I   ether6                bridge-local           no     1     0x80         10                 10       none 
 4 I   wlan1                bridge-local                     1     0x80         10                 10       none 
 5 I H ether7              bridge-local           yes    1     0x80         10                 10       none
 6 I H ether8              bridge-local           yes    1     0x80         10                 10       none
 7 I H ether9              bridge-local           yes    1     0x80         10                 10       none
 8 XI   vlan-200           bridge-local                   1     0x80         10                 10       none
 9  D  MT-MAIN-1        COOKST                      1     0x80         10                 10       none

routes

[admin@MT-MAIN] > /ip route print  
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.0.1               1
 1 A S  0.0.0.0/0                          192.168.88.1              1
 2 A S  0.0.0.0/0                          192.168.0.1               1
 3  DS  0.0.0.0/0                          192.168.0.1               1
 4  DS  0.0.0.0/0                          192.168.88.1              1
 5   S  0.0.0.0/0                          192.168.88.1              2
 6 ADC  10.0.0.0/24        10.0.0.1        COOKST                    0
 7 ADC  192.168.0.0/24     192.168.0.20    ether1                    0
 8 ADC  192.168.80.0/24    192.168.80.1    bridge-local              0
 9 ADC  192.168.83.0/24    192.168.83.2    vlan-200                  0
10 ADC  192.168.88.0/24    192.168.88.252  ether2                    0

Instead of print and description in own words, please post the output of /export hide-sensitive from both devices, it is really much easier to understand the configurations and their interaction from the standard format. hide-sensitive only removes passwords from the output, so if there are any public IP addresses you don’t want to publish, systematically replace all occurrences of each of them with a distinctive pattern like my.public.ip.1.

Router A

[admin@MT-MAIN] > export hide-sensitive  
# jun/06/2018 16:47:11 by RouterOS 6.42.3
# software id = 6I1X-92CP
#
# model = 2011UAS-2HnD
# serial number = 402602239286
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2G
add band=5ghz-a/n/ac control-channel-width=20mhz name=5G
/interface bridge
add fast-forward=no name=COOKST
add admin-mac=D4:CA:6D:97:45:9F auto-mac=no fast-forward=no mtu=1500 name=bridge-local
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(36dBm), SSID: COOKST, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=australia distance=indoors frequency=auto mode=ap-bridge ssid=EDEN wireless-protocol=802.11
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes name=sfp1-gateway
/interface pppoe-client
add add-default-route=yes interface=ether1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out1 use-peer-dns=yes user=30cookstreet
/interface vlan
add interface=ether2 name=vlan-200 vlan-id=200
/caps-man datapath
add bridge=COOKST name=COOKST
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment=jesusislord encryption=aes-ccm,tkip name=COOKST
/caps-man configuration
add channel=2G country=australia datapath=COOKST distance=indoors mode=ap name=COOKST-2G security=COOKST ssid=COOKST
add channel=5G country=australia datapath=COOKST distance=indoors mode=ap name=COOKST-5G security=COOKST ssid=COOKST
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.80.10-192.168.80.254
add name=COOKST ranges=10.0.0.10-10.0.0.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
add address-pool=COOKST disabled=no interface=COOKST lease-time=20h10m name=COOKST
/queue type
add kind=pcq name=DSL-download pcq-classifier=dst-address
add kind=pcq name=DSL-upload pcq-classifier=src-address
/queue tree
add max-limit=2030k name=Download parent=ether1 priority=2 queue=DSL-download
add name=Q_Download packet-mark=users parent=Download
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=COOKST-2G name-format=identity name-prefix=COOKST
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=COOKST-5G name-format=identity
/interface bridge port
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local hw=no interface=ether6
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=vlan-200
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1-gateway list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=ether2 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether3 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether6 list=mac-winbox
add interface=wlan1 list=mactel
add interface=wlan1 list=mac-winbox
add interface=sfp1-gateway list=mactel
add interface=sfp1-gateway list=mac-winbox
add interface=ether1 list=WAN
add interface=bridge-local list=mactel
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1
/ip accounting web-access
set address=192.168.80.2/32
/ip address
add address=192.168.80.1/24 comment="default configuration" interface=bridge-local network=192.168.80.0
add address=10.0.0.1/24 interface=COOKST network=10.0.0.0
add address=192.168.83.2/24 interface=vlan-200 network=192.168.83.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dhcp-server lease
add address=192.168.80.253 client-id=1:8c:85:90:86:a6:1d mac-address=8C:85:90:86:A6:1D server=default
add address=192.168.80.248 client-id=1:cc:2d:e0:6f:53:3d mac-address=CC:2D:E0:6F:53:3D server=default
add address=192.168.80.249 client-id=1:cc:2d:e0:6f:50:79 mac-address=CC:2D:E0:6F:50:79 server=default
add address=192.168.80.247 client-id=1:cc:2d:e0:6f:53:b mac-address=CC:2D:E0:6F:53:0B server=default
add address=192.168.80.246 client-id=1:cc:2d:e0:6f:50:6f mac-address=CC:2D:E0:6F:50:6F server=default
add address=192.168.80.245 client-id=1:cc:2d:e0:6f:53:6f mac-address=CC:2D:E0:6F:53:6F server=default
add address=192.168.80.244 client-id=1:4c:5e:c:f8:8d:42 mac-address=4C:5E:0C:F8:8D:42 server=default
add address=192.168.80.243 client-id=1:0:c:42:f8:a5:77 mac-address=00:0C:42:F8:A5:77 server=default
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,8.8.8.8 gateway=10.0.0.1
add address=192.168.80.0/24 comment="default configuration" dns-server=192.168.80.1 gateway=192.168.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=192.168.88.1 src-address=192.168.88.1
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.80.0/24 in-interface=bridge-local
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=bridge-local
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge-local new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge-local new-routing-mark=to_wan2
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat src-address=10.0.0.0/24
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=192.168.88.1 routing-mark=to_wan2
add distance=1 gateway=192.168.0.1
add distance=2 gateway=192.168.88.1
/ip service
set ssh address=0.0.0.0/0
/lcd
set time-interval=weekly
/system clock
set time-zone-name=Australia/Sydney
/system identity
set name=MT-MAIN
/system ntp client
set enabled=yes primary-ntp=150.101.176.226 secondary-ntp=45.76.113.31
/system routerboard settings
set auto-upgrade=yes silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Router B

[admin@MikroTik] > /export hide-sensitive  
# jun/06/2018 16:48:06 by RouterOS 6.42.1
# software id = YSFQ-H9GG
#
# model = 2011UAS-2HnD
# serial number = 419E0125FDC1
/interface bridge
add fast-forward=no name=bridge-lan
add admin-mac=00:0C:42:F8:A5:78 auto-mac=no comment=defconf name=bridge-wan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-F8A581 wireless-protocol=802.11
/interface vlan
add interface=ether2 name=vlan-200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-wan name=defconf
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge-wan comment=defconf hw=no interface=ether2
add bridge=bridge-wan comment=defconf hw=no interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf hw=no interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=ether9
add bridge=bridge-wan comment=defconf interface=wlan1
add bridge=bridge-lan hw=no interface=ether10
add bridge=bridge-lan interface=vlan-200
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-wan list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
set discovery-interfaces=vlan-200 interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-wan network=192.168.88.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.83.3/24 interface=vlan-200 network=192.168.83.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.80.0/24 gateway=192.168.80.14 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=192.168.83.2
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Australia/Sydney
/system routerboard settings
set auto-upgrade=yes silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=user-manager
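
An offline consistency check over `/export` output like the two dumps above, added here as an example and not part of the thread. It verifies that every PCC remainder has a rule and every routing mark has a marked route, and it lists addresses and VLANs that sit on an interface which is also a bridge port (the Router B route print above already shows 192.168.83.0/24 attached to bridge-lan rather than vlan-200). The function names are my own; the sample text is excerpted from the posted exports, and `BROKEN_A` is a constructed variant.

```python
import re
import shlex
from collections import defaultdict

# Excerpts of the exports posted in the thread, trimmed to the relevant sections.
ROUTER_A = r"""
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.80.0/24 in-interface=bridge-local
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge-local new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge-local new-routing-mark=to_wan2
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=192.168.88.1 routing-mark=to_wan2
add distance=1 gateway=192.168.0.1
"""
ROUTER_B = r"""
/interface vlan
add interface=ether2 name=vlan-200 vlan-id=200
/interface bridge port
add bridge=bridge-wan comment=defconf hw=no interface=ether2
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan interface=vlan-200
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-wan network=192.168.88.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.83.3/24 interface=vlan-200 network=192.168.83.0
"""
# Constructed variant: both PCC rules use remainder 0, and the to_wan2 route is unmarked.
BROKEN_A = ROUTER_A.replace("2/1", "2/0").replace(" routing-mark=to_wan2", "")


def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for add/set lines of an export."""
    sections, current = defaultdict(list), None
    # A trailing backslash continues the command on the next (indented) line.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)  # keeps comment="two words" as one token
        if current and tokens[0] in ("add", "set"):
            sections[current].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections


def check_pcc(sections):
    """PCC rules must cover every remainder, and every mark must lead to a route."""
    findings = []
    buckets = defaultdict(set)  # (in-interface, classifier, denominator) -> remainders
    conn_marks, routed_conn_marks, routing_marks = set(), set(), set()
    for rule in sections.get("/ip firewall mangle", []):
        pcc = rule.get("per-connection-classifier")
        if rule.get("action") == "mark-connection" and pcc:
            classifier, fraction = pcc.rsplit(":", 1)
            denominator, remainder = map(int, fraction.split("/"))
            buckets[(rule.get("in-interface"), classifier, denominator)].add(remainder)
            conn_marks.add(rule["new-connection-mark"])
        elif rule.get("action") == "mark-routing":
            routed_conn_marks.add(rule.get("connection-mark"))
            routing_marks.add(rule["new-routing-mark"])
    for (iface, classifier, denominator), seen in buckets.items():
        missing = sorted(set(range(denominator)) - seen)
        if missing:
            findings.append(f"pcc {classifier}:{denominator} on {iface}: no rule for remainder(s) {missing}")
    for mark in sorted(conn_marks - routed_conn_marks):
        findings.append(f"connection mark {mark} is never turned into a routing mark")
    marked_routes = {r.get("routing-mark") for r in sections.get("/ip route", [])}
    for mark in sorted(routing_marks - marked_routes):
        findings.append(f"routing mark {mark} has no route in its table")
    return findings


def check_bridge_ports(sections):
    """List addresses and VLANs configured on an interface that is a bridge port."""
    ports = {p["interface"]: p["bridge"] for p in sections.get("/interface bridge port", [])
             if p.get("disabled") != "yes"}
    findings = []
    for addr in sections.get("/ip address", []):
        if addr["interface"] in ports:
            findings.append(f"address {addr['address']} is on {addr['interface']}, a port of {ports[addr['interface']]}")
    for vlan in sections.get("/interface vlan", []):
        if vlan["interface"] in ports:
            findings.append(f"vlan {vlan['name']} is on {vlan['interface']}, a port of {ports[vlan['interface']]}")
    return findings


if __name__ == "__main__":
    for name, text in (("Router A", ROUTER_A), ("Router A (broken)", BROKEN_A), ("Router B", ROUTER_B)):
        parsed = parse_export(text)
        for finding in check_pcc(parsed) + check_bridge_ports(parsed):
            print(f"{name}: {finding}")
```

On the posted Router A rules the PCC checks come back clean, so the findings that remain are the bridge-port ones on Router B.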