1 config
# Interface layer: LAN bridge, ports renamed by role, two PPPoE uplinks, two radios.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=eth1
set [ find default-name=ether2 ] comment=LAN1 name=eth2
set [ find default-name=ether3 ] comment=WAN2 name=eth3
set [ find default-name=ether4 ] comment=LAN2 name=eth4
set [ find default-name=ether5 ] name=eth5
/interface pppoe-client
# One PPPoE client per WAN port; name, user and password are masked with "*" in this export.
# Later sections refer to interfaces TEK and FORT - presumably these two clients; confirm.
# Both add a default route and take DNS servers from the peer.
add add-default-route=yes disabled=no interface=eth3 name=* password=* use-peer-dns=yes \
user=*
add add-default-route=yes disabled=no interface=eth1 name=* password=* use-peer-dns=yes \
user=*
/interface wireless
# NOTE(review): no security-profile is shown for wlan2, so it presumably uses the default
# profile, which still permits WPA (wpa-psk) alongside WPA2 - confirm, and consider wpa2-psk only.
set [ find default-name=wlan2 ] country=russia disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface list
# NOTE(review): the lists are declared, but no firewall rule in this export references them.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Default profile: WPA and WPA2 pre-shared keys (key values masked).
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
MikroTik wpa-pre-shared-key=* wpa2-pre-shared-key=*
# profile1: WPA2-PSK only, management protection allowed; assigned to wlan1.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys \
name=profile1 supplicant-identity="" wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=russia disabled=no mode=ap-bridge \
security-profile=profile1 ssid=MikroTik wireless-protocol=802.11
# Addressing: 192.168.0.0/24 is split into two /25 halves, LAN1 on bridge-local and LAN2 on eth4.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool_LAN1 ranges=192.168.0.10-192.168.0.110
add name=pool_LAN2 ranges=192.168.0.130-192.168.0.230
/ip dhcp-server
add address-pool=pool_LAN1 disabled=no interface=bridge-local name=server1
add address-pool=pool_LAN2 disabled=no interface=eth4 name=server2
/interface bridge port
# LAN1 is eth2 plus wlan1; the wlan2 port entry exists but is disabled.
add bridge=bridge-local interface=eth2
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=wlan2
/interface list member
# NOTE(review): only TEK is in WAN and only bridge-local is in LAN; FORT and eth4 are in neither.
add interface=bridge-local list=LAN
add interface=TEK list=WAN
/ip address
add address=192.168.0.1/25 interface=bridge-local network=192.168.0.0
add address=192.168.0.129/25 interface=eth4 network=192.168.0.128
/ip dhcp-client
# NOTE(review): DHCP client on wlan2, which is configured with mode=ap-bridge - confirm intent.
add dhcp-options=hostname,clientid interface=wlan2
/ip dhcp-server network
# DHCP clients are given the public resolvers directly, not the router.
add address=192.168.0.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.0.128/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.129
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries itself. The input
# chain in this export has no rule dropping port 53 on the WAN links, so unless that is filtered
# elsewhere the resolver is reachable from the internet. Since DHCP clients already get
# 8.8.8.8/8.8.4.4, consider allow-remote-requests=no or a WAN-side drop for udp/tcp 53.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# NOTE(review): these are the only input rules in this export. There is no accept for
# established/related traffic and no final drop, so anything not blacklisted below is accepted,
# on the WAN links too. Confirm whether the router's management and DNS services are meant to be
# reachable from the internet; there are no forward-chain rules here either.
add action=accept chain=input protocol=icmp
# Staged blacklist for SSH (22) and Telnet (23): each new TCP connection moves the source up one
# list (stage1 -> stage2 -> stage3 -> login_blacklist, 2-minute windows), and a blacklisted
# source is dropped on these ports for 1w3d. Stages are listed highest first so that a single
# connection advances a source by only one stage.
# NOTE(review): every new connection is counted, successful logins included. Covering port 23
# suggests Telnet is enabled; it is cleartext - prefer SSH only, limited to LAN or known sources.
add action=drop chain=input comment="drop ssh forcers" dst-port=22,23 protocol=tcp src-address-list=\
login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp
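/ip firewall mangle
# Tag connections addressed to the router itself by the uplink they arrived on ...
add action=mark-connection chain=input in-interface=TEK new-connection-mark=in_WAN1 passthrough=no
add action=mark-connection chain=input in-interface=FORT new-connection-mark=in_WAN2 passthrough=no
# ... so that the router's replies leave through the same uplink.
add action=mark-routing chain=output connection-mark=in_WAN1 new-routing-mark=rt_WAN1 passthrough=no
# Matches on connection-mark, like the WAN1 rule. The original matched routing-mark=in_WAN2, but
# in_WAN2 is only ever set as a connection mark here, so that rule had nothing to match.
add action=mark-routing chain=output connection-mark=in_WAN2 new-routing-mark=rt_WAN2 passthrough=no
# Policy routing for forwarded traffic: LAN1 (bridge-local) uses the WAN1 table, LAN2 (eth4) the
# WAN2 table. Every packet arriving on these interfaces is marked, LAN1<->LAN2 traffic included.
add action=mark-routing chain=prerouting in-interface=bridge-local new-routing-mark=rt_LAN1-WAN1 \
passthrough=no
add action=mark-routing chain=prerouting in-interface=eth4 new-routing-mark=rt_LAN2-WAN2 passthrough=\
no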
/ip firewall nat
# NOTE(review): no out-interface is given, so any traffic sourced from 192.168.0.0/24 is
# masqueraded, including traffic between the two LAN halves; consider limiting it to the uplinks.
add action=masquerade chain=srcnat src-address=192.168.0.0/24
/ip route
# Replies from the router: preferred uplink with a ping check, the other uplink as fallback.
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_WAN1
add distance=2 gateway=FORT routing-mark=rt_WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_WAN2
add distance=2 gateway=TEK routing-mark=rt_WAN2
# Forwarded LAN traffic.
# NOTE(review): in both LAN tables the distance=2 route points at the same gateway as the
# distance=1 route, so there is no failover to the other uplink - confirm this is intended.
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_LAN1-WAN1
add distance=2 gateway=TEK routing-mark=rt_LAN1-WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_LAN2-WAN2
add distance=2 gateway=FORT routing-mark=rt_LAN2-WAN2
# First attempt: these are /ip firewall mangle rules, not routes. RouterOS rejects them because
# the outgoing interface cannot be matched in the prerouting chain (see the quoted error).
# NOTE(review): "assthrough" is presumably a paste truncation of "passthrough", and the negation
# is written "!=" here but "=!" in the other rules on this page.
add action=mark-routing chain=prerouting in-interface=bridge-local out-interface!=eth4 new-routing-mark=rt_LAN1-WAN1 assthrough=no
add action=mark-routing chain=prerouting in-interface=eth4 out-interface!=bridge-local new-routing-mark=rt_LAN2-WAN2 passthrough=no
But it didn't work; it shows me the error "Couldn't change Mangle Rule - outgoing interface matching not possible in input and prerouting chains (6)".
Then I tried it this way:
# Second attempt (mangle rules): mark LAN traffic for its uplink table unless the destination is
# the other LAN half; the last rule gives anything destined to 192.168.0.0/24 the mark "main".
# NOTE(review): a destination on the router's own LAN-side address still matches the first or
# second rule, because only the opposite /25 is excluded - confirm that is acceptable.
add action=mark-routing chain=prerouting in-interface=bridge-local dst-address=!192.168.0.128/25 new-routing-mark=rt_LAN1-WAN1 passthrough=no
add action=mark-routing chain=prerouting in-interface=eth4 dst-address=!192.168.0.0/25 new-routing-mark=rt_LAN2-WAN2 passthrough=no
add action=mark-routing chain=prerouting dst-address=192.168.0.0/24 new-routing-mark=main passthrough=no
So now the config looks like this:
# Interface layer: LAN bridge, ports renamed by role, two PPPoE uplinks, two radios.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=eth1
set [ find default-name=ether2 ] comment=LAN1 name=eth2
set [ find default-name=ether3 ] comment=WAN2 name=eth3
set [ find default-name=ether4 ] comment=LAN2 name=eth4
set [ find default-name=ether5 ] name=eth5
/interface pppoe-client
# One PPPoE client per WAN port; name, user and password are masked with "*" in this export.
# Later sections refer to interfaces TEK and FORT - presumably these two clients; confirm.
# Both add a default route and take DNS servers from the peer.
add add-default-route=yes disabled=no interface=eth3 name=* password=* use-peer-dns=yes \
user=*
add add-default-route=yes disabled=no interface=eth1 name=* password=* use-peer-dns=yes \
user=*
/interface wireless
# NOTE(review): no security-profile is shown for wlan2, so it presumably uses the default
# profile, which still permits WPA (wpa-psk) alongside WPA2 - confirm, and consider wpa2-psk only.
set [ find default-name=wlan2 ] country=russia disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface list
# NOTE(review): the lists are declared, but no firewall rule in this export references them.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Default profile: WPA and WPA2 pre-shared keys (key values masked).
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
MikroTik wpa-pre-shared-key=* wpa2-pre-shared-key=*
# profile1: WPA2-PSK only, management protection allowed; assigned to wlan1.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys \
name=profile1 supplicant-identity="" wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=russia disabled=no mode=ap-bridge \
security-profile=profile1 ssid=MikroTik wireless-protocol=802.11
# Addressing: 192.168.0.0/24 is split into two /25 halves, LAN1 on bridge-local and LAN2 on eth4.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool_LAN1 ranges=192.168.0.10-192.168.0.110
add name=pool_LAN2 ranges=192.168.0.130-192.168.0.230
/ip dhcp-server
add address-pool=pool_LAN1 disabled=no interface=bridge-local name=server1
add address-pool=pool_LAN2 disabled=no interface=eth4 name=server2
/interface bridge port
# LAN1 is eth2 plus wlan1; the wlan2 port entry exists but is disabled.
add bridge=bridge-local interface=eth2
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=wlan2
/interface list member
# NOTE(review): only TEK is in WAN and only bridge-local is in LAN; FORT and eth4 are in neither.
add interface=bridge-local list=LAN
add interface=TEK list=WAN
/ip address
add address=192.168.0.1/25 interface=bridge-local network=192.168.0.0
add address=192.168.0.129/25 interface=eth4 network=192.168.0.128
/ip dhcp-client
# NOTE(review): DHCP client on wlan2, which is configured with mode=ap-bridge - confirm intent.
add dhcp-options=hostname,clientid interface=wlan2
/ip dhcp-server network
# DHCP clients are given the public resolvers directly, not the router.
add address=192.168.0.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.0.128/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.129
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries itself. The input
# chain in this export has no rule dropping port 53 on the WAN links, so unless that is filtered
# elsewhere the resolver is reachable from the internet. Since DHCP clients already get
# 8.8.8.8/8.8.4.4, consider allow-remote-requests=no or a WAN-side drop for udp/tcp 53.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# NOTE(review): these are the only input rules in this export. There is no accept for
# established/related traffic and no final drop, so anything not blacklisted below is accepted,
# on the WAN links too. Confirm whether the router's management and DNS services are meant to be
# reachable from the internet; there are no forward-chain rules here either.
add action=accept chain=input protocol=icmp
# Staged blacklist for SSH (22) and Telnet (23): each new TCP connection moves the source up one
# list (stage1 -> stage2 -> stage3 -> login_blacklist, 2-minute windows), and a blacklisted
# source is dropped on these ports for 1w3d. Stages are listed highest first so that a single
# connection advances a source by only one stage.
# NOTE(review): every new connection is counted, successful logins included. Covering port 23
# suggests Telnet is enabled; it is cleartext - prefer SSH only, limited to LAN or known sources.
add action=drop chain=input comment="drop ssh forcers" dst-port=22,23 protocol=tcp src-address-list=\
login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp
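/ip firewall mangle
# Tag connections addressed to the router itself by the uplink they arrived on ...
add action=mark-connection chain=input in-interface=TEK new-connection-mark=in_WAN1 passthrough=no
add action=mark-connection chain=input in-interface=FORT new-connection-mark=in_WAN2 passthrough=no
# ... so that the router's replies leave through the same uplink.
add action=mark-routing chain=output connection-mark=in_WAN1 new-routing-mark=rt_WAN1 passthrough=no
# Matches on connection-mark, like the WAN1 rule. The original matched routing-mark=in_WAN2, but
# in_WAN2 is only ever set as a connection mark here, so that rule had nothing to match.
add action=mark-routing chain=output connection-mark=in_WAN2 new-routing-mark=rt_WAN2 passthrough=no
# Policy routing for forwarded traffic: each LAN is marked for its own uplink table unless the
# destination lies in the other LAN's /25.
add action=mark-routing chain=prerouting dst-address=!192.168.0.128/25 in-interface=bridge-local \
new-routing-mark=rt_LAN1-WAN1 passthrough=no
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/25 in-interface=eth4 \
new-routing-mark=rt_LAN2-WAN2 passthrough=no
# Whatever is left with a destination inside 192.168.0.0/24 is given the routing mark "main".
add action=mark-routing chain=prerouting dst-address=192.168.0.0/24 new-routing-mark=main \
passthrough=no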
/ip firewall nat
# NOTE(review): no out-interface is given, so any traffic sourced from 192.168.0.0/24 is
# masqueraded, including traffic between the two LAN halves; consider limiting it to the uplinks.
add action=masquerade chain=srcnat src-address=192.168.0.0/24
/ip route
# Replies from the router: preferred uplink with a ping check, the other uplink as fallback.
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_WAN1
add distance=2 gateway=FORT routing-mark=rt_WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_WAN2
add distance=2 gateway=TEK routing-mark=rt_WAN2
# Forwarded LAN traffic.
# NOTE(review): in both LAN tables the distance=2 route points at the same gateway as the
# distance=1 route, so there is no failover to the other uplink - confirm this is intended.
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_LAN1-WAN1
add distance=2 gateway=TEK routing-mark=rt_LAN1-WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_LAN2-WAN2
add distance=2 gateway=FORT routing-mark=rt_LAN2-WAN2
# Interface layer: LAN bridge, ports renamed by role, two PPPoE uplinks, two radios.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 name=eth1
set [ find default-name=ether2 ] comment=LAN1 name=eth2
set [ find default-name=ether3 ] comment=WAN2 name=eth3
set [ find default-name=ether4 ] comment=LAN2 name=eth4
set [ find default-name=ether5 ] name=eth5
/interface pppoe-client
# One PPPoE client per WAN port; name, user and password are masked with "*" in this export.
# Later sections refer to interfaces TEK and FORT - presumably these two clients; confirm.
# Both add a default route and take DNS servers from the peer.
add add-default-route=yes disabled=no interface=eth3 name=* password=* use-peer-dns=yes \
user=*
add add-default-route=yes disabled=no interface=eth1 name=* password=* use-peer-dns=yes \
user=*
/interface wireless
# NOTE(review): no security-profile is shown for wlan2, so it presumably uses the default
# profile, which still permits WPA (wpa-psk) alongside WPA2 - confirm, and consider wpa2-psk only.
set [ find default-name=wlan2 ] country=russia disabled=no mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
/interface list
# NOTE(review): the lists are declared, but no firewall rule in this export references them.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Default profile: WPA and WPA2 pre-shared keys (key values masked).
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
MikroTik wpa-pre-shared-key=* wpa2-pre-shared-key=*
# profile1: WPA2-PSK only, management protection allowed; assigned to wlan1.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys \
name=profile1 supplicant-identity="" wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=russia disabled=no mode=ap-bridge \
security-profile=profile1 ssid=MikroTik wireless-protocol=802.11
# Addressing: 192.168.0.0/24 is split into two /25 halves, LAN1 on bridge-local and LAN2 on eth4.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool_LAN1 ranges=192.168.0.10-192.168.0.110
add name=pool_LAN2 ranges=192.168.0.130-192.168.0.230
/ip dhcp-server
add address-pool=pool_LAN1 disabled=no interface=bridge-local name=server1
add address-pool=pool_LAN2 disabled=no interface=eth4 name=server2
/interface bridge port
# LAN1 is eth2 plus wlan1; the wlan2 port entry exists but is disabled.
add bridge=bridge-local interface=eth2
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=wlan2
/interface list member
# NOTE(review): only TEK is in WAN and only bridge-local is in LAN; FORT and eth4 are in neither.
add interface=bridge-local list=LAN
add interface=TEK list=WAN
/ip address
add address=192.168.0.1/25 interface=bridge-local network=192.168.0.0
add address=192.168.0.129/25 interface=eth4 network=192.168.0.128
/ip dhcp-client
# NOTE(review): DHCP client on wlan2, which is configured with mode=ap-bridge - confirm intent.
add dhcp-options=hostname,clientid interface=wlan2
/ip dhcp-server network
# DHCP clients are given the public resolvers directly, not the router.
add address=192.168.0.0/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.0.128/25 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.129
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries itself. The input
# chain in this export has no rule dropping port 53 on the WAN links, so unless that is filtered
# elsewhere the resolver is reachable from the internet. Since DHCP clients already get
# 8.8.8.8/8.8.4.4, consider allow-remote-requests=no or a WAN-side drop for udp/tcp 53.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
# NOTE(review): these are the only input rules in this export. There is no accept for
# established/related traffic and no final drop, so anything not blacklisted below is accepted,
# on the WAN links too. Confirm whether the router's management and DNS services are meant to be
# reachable from the internet; there are no forward-chain rules here either.
add action=accept chain=input protocol=icmp
# Staged blacklist for SSH (22) and Telnet (23): each new TCP connection moves the source up one
# list (stage1 -> stage2 -> stage3 -> login_blacklist, 2-minute windows), and a blacklisted
# source is dropped on these ports for 1w3d. Stages are listed highest first so that a single
# connection advances a source by only one stage.
# NOTE(review): every new connection is counted, successful logins included. Covering port 23
# suggests Telnet is enabled; it is cleartext - prefer SSH only, limited to LAN or known sources.
add action=drop chain=input comment="drop ssh forcers" dst-port=22,23 protocol=tcp src-address-list=\
login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=2m chain=input \
connection-state=new dst-port=22,23 protocol=tcp
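/ip firewall mangle
# Tag connections addressed to the router itself by the uplink they arrived on ...
add action=mark-connection chain=input in-interface=TEK new-connection-mark=in_WAN1 passthrough=no
add action=mark-connection chain=input in-interface=FORT new-connection-mark=in_WAN2 passthrough=no
# ... so that the router's replies leave through the same uplink.
add action=mark-routing chain=output connection-mark=in_WAN1 new-routing-mark=rt_WAN1 passthrough=no
# Matches on connection-mark, like the WAN1 rule. The original matched routing-mark=in_WAN2, but
# in_WAN2 is only ever set as a connection mark here, so that rule had nothing to match.
add action=mark-routing chain=output connection-mark=in_WAN2 new-routing-mark=rt_WAN2 passthrough=no
# Policy routing for forwarded traffic, with an excluded destination range per LAN.
# NOTE(review): the excluded ranges (.230-.250 and .2-.9) are not the other LAN's subnet or DHCP
# pool (.130-.230 and .10-.110), so most LAN1<->LAN2 traffic is still marked for an uplink
# table. If the aim is to exempt inter-LAN traffic, confirm these ranges.
add action=mark-routing chain=prerouting dst-address=!192.168.0.230-192.168.0.250 in-interface=\
bridge-local new-routing-mark=rt_LAN1-WAN1 passthrough=no
add action=mark-routing chain=prerouting dst-address=!192.168.0.2-192.168.0.9 in-interface=eth4 \
new-routing-mark=rt_LAN2-WAN2 passthrough=no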
/ip firewall nat
# NOTE(review): no out-interface is given, so any traffic sourced from 192.168.0.0/24 is
# masqueraded, including traffic between the two LAN halves; consider limiting it to the uplinks.
add action=masquerade chain=srcnat src-address=192.168.0.0/24
/ip route
# Replies from the router: preferred uplink with a ping check, the other uplink as fallback.
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_WAN1
add distance=2 gateway=FORT routing-mark=rt_WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_WAN2
add distance=2 gateway=TEK routing-mark=rt_WAN2
# Forwarded LAN traffic.
# NOTE(review): in both LAN tables the distance=2 route points at the same gateway as the
# distance=1 route, so there is no failover to the other uplink - confirm this is intended.
add check-gateway=ping distance=1 gateway=TEK routing-mark=rt_LAN1-WAN1
add distance=2 gateway=TEK routing-mark=rt_LAN1-WAN1
add check-gateway=ping distance=1 gateway=FORT routing-mark=rt_LAN2-WAN2
add distance=2 gateway=FORT routing-mark=rt_LAN2-WAN2