RB3011UiAS-RM Configuration WITH IPSEC

Posted: Fri Jul 13, 2018 4:29 am
by rivedansanchez19
Greetings

I purchased this router, and wanted to do this configuration:
ETH1 = WAN ISP
ETH2= WAN ISP Backup

ETH3= WIRELESS SECTOR1 IP 192.168.0.1
ETH4= WIRELESS SECTOR2 IP 192.168.0.2
ETH5= WIRELESS SECTOR3 IP 192.168.0.3

ETH6= PTZ CAM IP 192.168.0.6

MIKROTIK LOCAL IP 192.168.0.2

I want to use this scope for devices that connect to any of my sector
interfaces ETH3 to 5. What do I have to do in the MikroTik?
I also want to do load balancing between interfaces ETH1 & 2 with my 2 ISPs.

Would it be possible to make an IPSEC VPN from my public address to a non-public one?

office(201.191.46.196) to office(non-public)??

Thanks in advance

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Sat Jul 14, 2018 7:59 pm
by CZFan
Hire a Mikrotik Consultant in your area, https://mikrotik.com/consultants

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Sat Jul 14, 2018 8:40 pm
by Steveocee
This is all very possible. What are you asking for? Will it do it? Yes. Have you tried and it is broken? Post your config. Can someone write you a full script to do this? Hire a consultant.

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Wed Jul 18, 2018 8:10 pm
by rivedansanchez19
Instead of attacking, why don't you first ask what I currently had?
/interface bridge
add admin-mac=D4:CA:6D:3F:D6:E8 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=PSJ-ETH2
set [ find default-name=ether3 ] master-port=PSJ-ETH2 name=\-ETH3
set [ find default-name=ether1 ] name=WAN1-ETH1
set [ find default-name=ether5 ] comment="SERVER PORT" master-port=PSJ-ETH2
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set WAN1-ETH1 discover=no
set ether5 comment="SERVER PORT"
set bridge comment=defconf
/interface ethernet
set [ find default-name=ether4 ] master-port=PSJ-ETH2 name=AWC-SECT01-ETH4
/ip pool
add name=default-dhcp-awcgurabo ranges=192.168.0.10-192.168.0.250
/ip dhcp-server
add address-pool=default-dhcp-awcgurabo disabled=no interface=bridge name=\
defconf
/ppp profile
add local-address=default-dhcp-awcgurabo name=PPOE_10MB
/queue type
add kind=pcq name=10M_Download pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=10M pcq-src-address6-mask=64
add kind=pcq name=5M_Upload pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=5M pcq-src-address6-mask=64
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=PSJ-ETH2
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
/interface pppoe-server server
add default-profile=PPOE_10MB disabled=no interface=AWC-SECT01-ETH4 \
one-session-per-host=yes service-name=service1
/ip address
add address=10.20.0.1/24 comment=defconf interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
WAN1-ETH1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.2 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" log-prefix="" \
protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" \
connection-state=established,related log-prefix=""
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
WAN1-ETH1 log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related log-prefix=""
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related log-prefix=""
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log-prefix=""
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN1-ETH1 log-prefix=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="" \
out-interface=WAN1-ETH1
/ip route
add distance=1 dst-address=10.20.1.0/24 gateway=PTP-GUR-CANABONSITO-ETH3
/ip upnp
set enabled=yes
/lcd
set default-screen=stats-all
/ppp secret
add name=milton password=melina2009 profile=PPOE_10MB service=pppoe
/system clock
set time-zone-name=America/Costa_Rica
/system identity
set name=PSJ-BODEGA
/system ntp client
set enabled=yes primary-ntp=50.116.55.65 secondary-ntp=52.0.56.137
/system package update
set channel=release-candidate
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Wed Jul 18, 2018 8:11 pm
by rivedansanchez19
This is all very possible. What are you asking for? Will it do it? Yes. Have you tried and it is broken? Post your config. Can someone write you a full script to do this? Hire a consultant.
Why don't you ask what I am missing or had currently, instead of thinking?

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Wed Jul 18, 2018 8:11 pm
by rivedansanchez19
Hire a Mikrotik Consultant in your area, https://mikrotik.com/consultants
If I am asking, it is because of something, no? If you are not gonna help, why do you post?

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Wed Jul 18, 2018 10:08 pm
by Steveocee
This is all very possible. What are you asking for? Will it do it? Yes. Have you tried and it is broken? Post your config. Can someone write you a full script to do this? Hire a consultant.
Why don't you ask what I am missing or had currently, instead of thinking?
I clearly stated that if you have tried and it isn’t working to post your config.

Your initial post was not very informative, and my response was not an attack.

If you have more information available why have you not posted your config attempt?

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Wed Jul 18, 2018 11:21 pm
by rivedansanchez19
Because I am learning how to. The main issue that I have is the
failover and load balancing over both ISPs, plus I don't know how to make the VPN.
Currently I set it up as:

MIKROTIK 192.168.0.1

ISP --> 192.168.0.2
ISP --> 192.168.0.3

CISCO ROUTER AP --> 192.168.0.4
CISCO ROUTER AP --> 192.168.0.5

How can I make balancing over those?

The main issue is that when I disable on ISP1 DHCP, the whole building is without internet, but the DHCP from the server works.

This is all very possible. What are you asking for? Will it do it? Yes. Have you tried and it is broken? Post your config. Can someone write you a full script to do this? Hire a consultant.
Why don't you ask what I am missing or had currently, instead of thinking?
I clearly stated that if you have tried and it isn’t working to post your config.

Your initial post was not very informative, and my response was not an attack.

If you have more information available why have you not posted your config attempt?

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Thu Jul 19, 2018 1:49 am
by LinuxLoader
Hello,
First, both ISPs having IP addresses in the same network doesn't seem real.
Second, for load balancing you need to make the firewall mark the incoming and outgoing connections.
https://wiki.mikrotik.com/wiki/ECMP_loa ... masquerade - an example of how it can be done.
https://wiki.mikrotik.com/wiki/Load_Balancing - several other ways to accomplish similar things.
Third, the Cisco APs are also within the same IP address range ... total ....
You need to think about separating both uplink ports (ISPs) with different IP ranges (if it's possible), then splitting the Cisco APs into another bridge or switching with a master port and giving them another IP range. And at the end, for those VPNs, IPsec or some other, to work from the Internet you need real IP addresses.

Re: RB3011UiAS-RM Configuration WITH IPSEC

Posted: Fri Jul 20, 2018 8:11 am
by rivedansanchez19
Hello,
First, both ISPs having IP addresses in the same network doesn't seem real.
Second, for load balancing you need to make the firewall mark the incoming and outgoing connections.
https://wiki.mikrotik.com/wiki/ECMP_loa ... masquerade - an example of how it can be done.
https://wiki.mikrotik.com/wiki/Load_Balancing - several other ways to accomplish similar things.
Third, the Cisco APs are also within the same IP address range ... total ....
You need to think about separating both uplink ports (ISPs) with different IP ranges (if it's possible), then splitting the Cisco APs into another bridge or switching with a master port and giving them another IP range. And at the end, for those VPNs, IPsec or some other, to work from the Internet you need real IP addresses.
Yes, I found that mistake, both can be on the same network.
Mostly the current problem is:

ISP1 - 192.168.1.1
ISP2 - 192.168.0.1 - > i need to change this one ...
----
Local is on 192.168.0.X

But when I configure the
address, NAT, firewall there is still no network.
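
Added example, not written by anyone in this thread: a small check for the addressing problem discussed above (a WAN uplink sharing a subnet with the LAN, and an `/ip address` row whose `network=` does not match its address). The sample export is constructed; its first row is the one from the posted config, while the `WAN2-ETH2` name and the WAN and `192.168.0.254` addresses are assumptions that mirror the plan in the last post.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in RouterOS export syntax. Row 1 is the /ip address line
# from the posted config; the remaining rows are assumed values (ISP1 on
# 192.168.1.x, ISP2 and the LAN both on 192.168.0.x). WAN2-ETH2 is hypothetical.
SAMPLE_EXPORT = r"""/ip address
add address=10.20.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=192.168.1.2/24 interface=\
    WAN1-ETH1 network=192.168.1.0
add address=192.168.0.2/24 interface=WAN2-ETH2 network=192.168.0.0
add address=192.168.0.254/24 interface=bridge network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.2
"""

def ip_address_entries(export_text):
    """Return (interface, IPv4Interface, declared network) for each /ip address row."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join '\' continuation lines
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line  # remember which menu the following rows belong to
        elif section == "/ip address" and line.startswith("add "):
            kv = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
            addr = ipaddress.ip_interface(kv["address"])
            entries.append((kv["interface"], addr, kv.get("network")))
    return entries

def lint_addresses(export_text):
    """Flag network= mismatches and subnets shared by two different interfaces."""
    entries = ip_address_entries(export_text)
    findings = []
    for iface, addr, declared in entries:
        if declared and ipaddress.ip_address(declared) != addr.network.network_address:
            findings.append(f"mismatch: {iface} {addr} declares network={declared}")
    for (if_a, a, _), (if_b, b, _) in combinations(entries, 2):
        if if_a != if_b and a.network.overlaps(b.network):
            findings.append(f"overlap: {if_a} {a.network} and {if_b} {b.network}")
    return findings

if __name__ == "__main__":
    for finding in lint_addresses(SAMPLE_EXPORT):
        print(finding)
```

Any `overlap` finding between a WAN interface and the LAN bridge means the router cannot tell which side a destination in that subnet lives on, so the uplink or the LAN has to be renumbered before routing, NAT or failover rules can work.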