Hi to all,
i’m Francesco, i’m Italian and sorry for my bad english, i have found a very strange behaviour with this configuration:
I have 3 WAN with PPPoE Connections, all the 3 connections are managed by RouterOS (hAP ac^2) the connections are respectively:
- WAN1 = 60Mb/20Mb
- WAN2 = 120Mb/20Mb
- WAN3 = 120Mb/20Mb
So i balanced the WAN with 1/5 f the connections to WAN1 and the 2/5 of the connections to WAN2 and WAN3.
There are a WAN Interface List for collect the three PPPoE interface for simplify the rules, inside the firewall/filter there is a rule for allow ICMP traffic from internet.
The unexpected behaviour is when the WAN1 and WAN2 PPPoE interface are UP i cannot Ping WAN1 IP from internet. With WAN1 and WAN3 all works correctly.
The almost strangest thing is the HTTPS port, on the the HTTPS ports are open always on all the three ips without any problems.
I cannot figure where i do the error on configuration, if someone can and want to help i will be very thankful and happy.
This the configuration:
# jan/22/2021 00:01:42 by RouterOS 6.48
#
# model = RouterBOARD D52G-5HacD2HnD-TC
/interface bridge
add admin-mac=CC:2D:E0:C2:91:B4 auto-mac=no name=DMZ
/interface ethernet
set [ find default-name=ether1 ] comment=WANs
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
/interface vlan
add comment=Gabri interface=DMZ name=vLAN15 vlan-id=15
add comment="CAN Routing" interface=DMZ name=vLAN49 vlan-id=49
add comment="Clouditalia Modem" interface=ether1 name=vLAN50 vlan-id=50
add comment="Infostrada Fede Modem" interface=ether1 name=vLAN51 vlan-id=51
add comment="Infostrada Fra Modem" interface=ether1 name=vLAN53 vlan-id=53
add comment=Manage interface=DMZ name=vLAN300 vlan-id=300
/interface list
add name=WAN
add name=MNG
add name=LAN
add name=Modem
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=WPA supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] country=italy disabled=no frequency=auto \
mode=ap-bridge security-profile=WPA ssid=Wireless@CAN station-roaming=\
enabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac country=italy disabled=no \
frequency=auto mode=ap-bridge security-profile=WPA ssid=Wireless@CAN \
station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled \
wps-mode=disabled
/ip pool
add name=dhcp_pool0 ranges=10.90.78.128-10.90.79.254
add name=Manage ranges=172.30.0.240-172.30.0.254
add name=Loredana ranges=172.20.14.200-172.20.14.254
add name=dhcp_pool3 ranges=172.20.15.150-172.20.15.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=vLAN15 name=DHCP
/ppp profile
add change-tcp-mss=yes name=Clouditalia use-encryption=yes
add change-tcp-mss=yes name="Infostrada Fede" on-up=\
"/system script run \"Cloudflare Update Infostrada Fede\"" \
use-encryption=yes
add change-tcp-mss=yes name="Infostrada Fra" on-up=\
"/system script run \"Cloudflare Update Infostrada Fra\"" use-encryption=\
yes
/interface pppoe-client
add comment="[WAN1] Clouditalia WAN" disabled=no interface=vLAN50 max-mtu=\
1480 name="PPPoE Clouditalia" profile=Clouditalia user=e0089906@netadsl
add comment="[WAN3] Infostrada WAN" interface=vLAN53 max-mtu=1480 name=\
"PPPoE Infostrada Fede" profile="Infostrada Fra" user=benvenuto
add comment="[WAN2] Infostrada WAN" disabled=no interface=vLAN51 max-mtu=1480 \
name="PPPoE Infostrada Fra" profile="Infostrada Fede" user=benvenuto
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-2 \
redistribute-connected=as-type-2 redistribute-static=as-type-2 router-id=\
172.30.49.1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
add bridge=DMZ interface=wlan1
add bridge=DMZ interface=wlan2
add bridge=DMZ interface=ether4
add bridge=DMZ interface=ether5
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="PPPoE Clouditalia" list=WAN
add interface="PPPoE Infostrada Fra" list=WAN
add interface=DMZ list=LAN
add interface=vLAN49 list=LAN
add interface=vLAN50 list=LAN
add interface=vLAN51 list=LAN
add interface=vLAN300 list=LAN
add interface=vLAN15 list=LAN
add interface="PPPoE Infostrada Fede" list=WAN
add interface=ether1 list=Modem
add interface=vLAN50 list=Modem
add interface=vLAN51 list=Modem
add interface=vLAN53 list=Modem
/interface pptp-server server
set default-profile="Infostrada Fede"
/ip address
add address=172.30.50.1/24 comment="Modem Draytek CloudItalia" interface=\
vLAN50 network=172.30.50.0
add address=10.90.78.2/23 comment="DMZ IP" interface=DMZ network=10.90.78.0
add address=172.30.0.1/24 comment="Management Interface" interface=vLAN300 \
network=172.30.0.0
add address=172.30.49.1/24 comment="Routing Interface" interface=vLAN49 \
network=172.30.49.0
add address=172.30.51.1/24 comment="Modem Infostrada Fede" interface=vLAN51 \
network=172.30.51.0
add address=10.90.77.2/24 comment="Modem Draytek CloudItalia" interface=\
vLAN50 network=10.90.77.0
add address=172.20.15.1/24 comment="Gabri " interface=vLAN15 network=\
172.20.15.0
add address=172.30.53.1/24 comment="Modem Infostrada Fra" interface=vLAN53 \
network=172.30.53.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-relay
add add-relay-info=yes dhcp-server=10.90.78.101,10.90.78.2 disabled=no \
interface=vLAN300 name=vLAN300 relay-info-remote-id=300
/ip dhcp-server network
add address=172.20.15.0/24 dns-server=10.90.78.90,10.90.78.91 domain=\
guerrini.vr.it gateway=172.20.15.1 ntp-server=10.90.78.101,10.90.78.103
/ip dns
set allow-remote-requests=yes servers=10.90.78.90,10.90.78.91
/ip firewall address-list
#OMITTED
/ip firewall filter
add action=accept chain=input comment="ICMP Pass" in-interface-list=WAN \
packet-size=0-257 protocol=icmp
add action=accept chain=input comment=Whitelist src-address-list=Whitelist
add action=accept chain=forward comment=Whitelist src-address-list=Whitelist
add action=accept chain=forward comment="HTTPS" dst-port=443 \
in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=\
"Mantieni Connessioni Stabilite ed accetta Relative" connection-state=\
established,related in-interface-list=WAN
add action=accept chain=forward comment=\
"Mantieni Connessioni Stabilite ed accetta Relative" connection-state=\
established,related in-interface-list=WAN
add action=accept chain=forward comment="PBX Accept" dst-address=10.90.78.205 \
in-interface-list=WAN
add action=reject chain=input comment="Blocca Pacchetti" in-interface-list=\
WAN reject-with=icmp-admin-prohibited
add action=reject chain=forward comment="Blocca Pacchetti" in-interface-list=\
WAN reject-with=icmp-admin-prohibited
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS if necessary" new-mss=\
clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp \
tcp-flags=syn
add action=change-mss chain=forward comment="Clamp MSS if necessary" \
in-interface-list=WAN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp \
tcp-flags=syn
add action=accept chain=prerouting comment="Escludi Traffico LAN da Mangle" \
dst-address-list=LAN in-interface-list=LAN
add action=mark-connection chain=input comment="Mark WAN1" connection-mark=\
no-mark in-interface="PPPoE Clouditalia" new-connection-mark=WAN1 \
passthrough=no
add action=mark-connection chain=input comment="Mark WAN2" connection-mark=\
no-mark in-interface="PPPoE Infostrada Fra" new-connection-mark=WAN2 \
passthrough=no
# PPPoE Infostrada Fede not ready
add action=mark-connection chain=input comment="Mark WAN3" connection-mark=\
no-mark in-interface="PPPoE Infostrada Fede" new-connection-mark=WAN3 \
passthrough=no
add action=mark-connection chain=prerouting comment="Mark Clouditalia List" \
connection-mark=no-mark new-connection-mark=WAN1 passthrough=yes \
src-address-list=Clouditalia
add action=mark-connection chain=prerouting comment=\
"Mark Infostrada Fede List" connection-mark=no-mark new-connection-mark=\
WAN2 passthrough=yes src-address-list="Infostrada Fra"
add action=mark-connection chain=prerouting comment=\
"Mark Infostrada Fra List" connection-mark=no-mark new-connection-mark=\
WAN3 passthrough=yes src-address-list="Infostrada Fede"
add action=mark-routing chain=output comment="Mark Routing WAN1" \
connection-mark=WAN1 new-routing-mark=WAN1 out-interface=\
"PPPoE Clouditalia" passthrough=no
add action=mark-routing chain=output comment="Mark Routing WAN2" \
connection-mark=WAN2 new-routing-mark=WAN2 out-interface=\
"PPPoE Infostrada Fra" passthrough=no
# PPPoE Infostrada Fede not ready
add action=mark-routing chain=output comment="Mark Routing WAN3" \
connection-mark=WAN3 new-routing-mark=WAN3 out-interface=\
"PPPoE Infostrada Fede" passthrough=no
add action=mark-connection chain=prerouting comment="PCC Classifier 5/0" \
connection-mark=no-mark dst-address-type=!local fragment=no \
in-interface-list=LAN new-connection-mark=WAN1 passthrough=yes \
per-connection-classifier=both-addresses:5/0
add action=mark-connection chain=prerouting comment="PCC Classifier 5/1" \
connection-mark=no-mark dst-address-type=!local fragment=no \
in-interface-list=LAN new-connection-mark=WAN2 passthrough=yes \
per-connection-classifier=both-addresses:5/1
add action=mark-connection chain=prerouting comment="PCC Classifier 5/2" \
connection-mark=no-mark dst-address-type=!local fragment=no \
in-interface-list=LAN new-connection-mark=WAN2 passthrough=yes \
per-connection-classifier=both-addresses:5/2
add action=mark-connection chain=prerouting comment="PCC Classifier 5/3" \
connection-mark=no-mark dst-address-type=!local fragment=no \
in-interface-list=LAN new-connection-mark=WAN3 passthrough=yes \
per-connection-classifier=both-addresses:5/3
add action=mark-connection chain=prerouting comment="PCC Classifier 5/4" \
connection-mark=no-mark dst-address-type=!local fragment=no \
in-interface-list=LAN new-connection-mark=WAN3 passthrough=yes \
per-connection-classifier=both-addresses:5/4
add action=mark-routing chain=prerouting comment="Mark Routing WAN1" \
connection-mark=WAN1 in-interface-list=LAN new-routing-mark=WAN1 \
passthrough=no
add action=mark-routing chain=prerouting comment="Mark Routing WAN2" \
connection-mark=WAN2 in-interface-list=LAN new-routing-mark=WAN2 \
passthrough=no
add action=mark-routing chain=prerouting comment="Mark Routing WAN3" \
connection-mark=WAN3 in-interface-list=LAN new-routing-mark=WAN3 \
passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet Masquerade Rule" \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="Masquerade per Modem" \
out-interface=vLAN50
add action=masquerade chain=srcnat comment="Masquerade per Modem" \
out-interface=vLAN51
add action=masquerade chain=srcnat comment="Masquerade per Modem" \
out-interface=vLAN53
add action=dst-nat chain=dstnat comment="NTP Redirect for Modem" \
in-interface-list=Modem log=yes protocol=udp to-addresses=193.204.114.105
add action=dst-nat chain=dstnat comment=Plex dst-port=443 in-interface-list=\
WAN protocol=tcp to-addresses=10.90.78.215 to-ports=443
add action=dst-nat chain=dstnat comment="RDP Attilino" dst-port=7823 \
in-interface-list=WAN protocol=tcp to-addresses=10.90.79.120 to-ports=\
3389
add action=dst-nat chain=dstnat comment="3CX SIP UDP" dst-port=25055 \
protocol=udp to-addresses=10.90.78.205 to-ports=25055
add action=dst-nat chain=dstnat comment="3CX SIP TCP" dst-port=25055 \
protocol=tcp to-addresses=10.90.78.205 to-ports=25055
add action=dst-nat chain=dstnat comment="3CX Media UDP" dst-port=9000-10999 \
protocol=udp to-addresses=10.90.78.205 to-ports=9000-10999
add action=dst-nat chain=dstnat comment="3CX Tunnel TCP" dst-port=25054 \
protocol=tcp to-addresses=10.90.78.205 to-ports=25054
add action=dst-nat chain=dstnat comment="3CX Tunnel UDP" dst-port=25054 \
protocol=udp to-addresses=10.90.78.205 to-ports=25054
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping comment="[LB] WAN1" distance=10 gateway=\
"PPPoE Clouditalia" routing-mark=WAN1
add check-gateway=ping comment="[LB] WAN2" distance=10 gateway=\
"PPPoE Infostrada Fra" routing-mark=WAN2
add check-gateway=ping comment="[LB] WAN3" distance=10 gateway=\
"PPPoE Infostrada Fede" routing-mark=WAN3
add check-gateway=ping comment="Infostrada Fede Gateway" distance=50 gateway=\
"PPPoE Infostrada Fra"
add check-gateway=ping comment="Infostrada Fra Gateway" distance=51 gateway=\
"PPPoE Infostrada Fede"
add check-gateway=ping comment="Clouditalia Gateway" distance=52 gateway=\
"PPPoE Clouditalia"
add check-gateway=ping comment="4G Ambrogio (Beta RouterOS)" distance=60 \
gateway=172.30.49.5
add check-gateway=ping comment="Validate Infostrada Fra" distance=1 \
dst-address=4.2.2.2/32 gateway="PPPoE Infostrada Fra"
add check-gateway=ping comment="Validate Infostrada Fede" distance=1 \
dst-address=4.2.2.4/32 gateway="PPPoE Infostrada Fede"
add check-gateway=ping comment="Validate Clouditalia" distance=1 dst-address=\
4.2.2.8/32 gateway="PPPoE Clouditalia"
add check-gateway=ping comment="Raggiungibilit\E0 Chiavetta Amborgio 4G" \
distance=1 dst-address=192.168.8.1/32 gateway=172.30.49.5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set enabled=yes interfaces=DMZ
/ip traffic-flow target
add dst-address=10.90.78.100
/ip upnp interfaces
add interface="PPPoE Clouditalia" type=external
add interface=DMZ type=internal
add interface="PPPoE Infostrada Fra" type=external
/routing ospf interface
add authentication=md5 interface=vLAN49 network-type=broadcast use-bfd=yes
/routing ospf network
add area=backbone network=172.30.49.0/24
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=WAN-Fra
/system ntp client
set enabled=yes
/system routerboard settings
set auto-upgrade=yes
/system script
#OMITTED
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=MNG
/tool romon port
add disabled=no interface=vLAN49
Thanks a lot and have a nice day!