n3phron (Topic Author)

Multiple wan without failover but routing different lans through their own connection

Wed Mar 31, 2021 1:01 pm

Hello there!
I'd like to begin by mentioning I'm not even remotely good at networking, I'm a web dev by trade and I don't even remember why I thought this was a good idea... My end goal is to have some domains hosted on some "servers" that are in my house, accessible by me and everyone else using a static IP from my second isp, while my house has internet provided by first isp.
The setup is as follows:
ISP1 -> 1000/500mbps up/down pppoe connection. Really good connection but will not provide static ips to home users.
ISP2 -> 1000/500mbps up/down dhcp connection. Decent connection and are providing static ip to home users.
Both the isps have fiber in my house and that fiber gets converted to copper through their gpons. The connections come into my HEXs on ports eth1 and eth2 respectively.
Following that, port eth3 has a dhcp server configured to serve out 10.10.1.0/24 ips and a 8 port switch connected, that then has my servers.
Ports eth4 and eth5 are bridged as my home lan with their own dhcp server configured to serve out 10.10.0.0/24. Port 4 has another 8 port switch and port 5 has a tplink wifi router in access point mode. All my personal devices are on this network.

Ideally I would like these two networks to be separated from each other, and the router to not even allow me to connect to 10.10.1.x from 10.10.0.x, but not send the requests that come in to isp2's public ip from my home network through the internet. Right now I have it somewhat working, but it's not what I wanted, and I seem to be stumped. There are a lot of weird issues that I don't know where they come from. The only thing that properly works so far is that every lan uses their designated connection for accessing the internet. A list of issues so far:
- public ips are not responding to ping even though I have the accept incoming icmp rule.
- connecting to isp2's public ip from any lan just hangs. Tried hairpin nat, masquerading lan when connecting directly to static ip, I can't seem to get it to work.
- tried configuring local dns entries to route my domains to servers lan on the mikrotik, that did nothing. Mikrotik's dns server forwarded me directly when accessing those.

I'm doing this mostly to learn docker swarm, kubernetes, ci/cd, networking, security, but right now I'm only met with frustration trying to understand low level details in networking that I feel I understand but when trying to put these in practice I'm shooting myself in the head. I've probably made life more difficult for me by running this weird config.

Any new idea, criticism is welcome. I've reached a point where I'm about to just throw everything out and keep the connections separate on their own routers and deal with the latency, that right now I can't even measure...

I'll attach my config here.
/interface bridge
add name=bridge1-home
/interface ethernet
set [ find default-name=ether2 ] name=WAN-ether2-isp2
set [ find default-name=ether1 ] name=ether1-isp1
set [ find default-name=ether3 ] name=ether3-servers
set [ find default-name=ether4 ] name=ether4-home-wifi
set [ find default-name=ether5 ] name=ether5-home-switch
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add disabled=no interface=ether1-isp1 name=WAN-pppoe-isp1 password=xxxxxxx user=xxxxxxx
/interface list
add name=LAN
add name=WAN
/ip pool
add name=home ranges=10.10.0.2-10.10.0.254
add name=servers ranges=10.10.1.2-10.10.1.254
/ip dhcp-server
add add-arp=yes address-pool=home disabled=no interface=bridge1-home lease-time=1d name=dhcp-home
add add-arp=yes address-pool=servers disabled=no interface=ether3-servers lease-time=1w name=dhcp-server
/interface bridge port
add bridge=bridge1-home interface=ether4-home-wifi
add bridge=bridge1-home interface=ether5-home-switch
/ip neighbor discovery-settings
set discover-interface-list=*2000014
/interface list member
add interface=WAN-ether2-isp2 list=WAN
add interface=WAN-pppoe-isp1 list=WAN
add interface=ether3-servers list=LAN
add interface=bridge1-home list=LAN
/ip address
add address=10.10.0.1/24 interface=bridge1-home network=10.10.0.0
add address=10.10.1.1/24 interface=ether3-servers network=10.10.1.0
/ip dhcp-client
add add-default-route=no disabled=no interface=WAN-ether2-isp2 use-peer-dns=no
/ip dhcp-server lease
add address=10.10.0.254 client-id=1:b0:95:75:7e:fb:f7 mac-address=B0:95:75:7E:FB:F7 server=dhcp-home
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.10.1.0/24 gateway=10.10.1.1
add address=x.x.x.0/26 dns-server=1.1.1.1 gateway=x.x.x.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.10.0.1 name=home.lan
add address=10.10.1.1 name=servers.lan
/ip firewall address-list
add address=10.10.0.0/24 list=LAN-dst
add address=10.10.1.0/24 list=LAN-dst
/ip firewall filter
add action=accept chain=input comment=" defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment=" defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" src-address-list=!LAN-dst
add action=accept chain=forward connection-state=new src-address-list=LAN-dst
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark home LAN connections" dst-address-list=!LAN-dst \
    new-routing-mark=home-LAN-route-mark passthrough=no src-address=10.10.0.0/24
add action=mark-routing chain=prerouting comment="mark servers LAN connections" dst-address-list=!LAN-dst \
    new-routing-mark=servers-LAN-route-mark passthrough=no src-address=10.10.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-pppoe-isp1
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-ether2-isp2
/ip route
add distance=1 gateway=WAN-pppoe-isp1 routing-mark=home-LAN-route-mark
add distance=1 gateway=x.x.x.1 routing-mark=servers-LAN-route-mark
/ip service
set telnet address=10.10.0.0/24
set ftp address=10.10.0.0/24
set www disabled=yes
set ssh address=10.10.0.0/24
set api address=10.10.0.0/24
set winbox address=10.10.0.0/24
set api-ssl address=10.10.0.0/24
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav (Forum Guru)

Re: Multiple wan without failover but routing different lans through their own connection

Thu Apr 01, 2021 2:54 pm

Interesting project, my recommendations:

(1) Just for completeness add ether1 interface to the WAN list.
/interface list member
add interface=ether1-isp1

(2) I am confused why do you only have one CLIENT noted below???? Are you saying the pppoe connection on ether1 is a static WANIP and ether2 ISP is a dynamic WANIP??
Further you do not have an IP address for any of the WAN connections (if static should be one right?)
/ip dhcp-client
add add-default-route=no disabled=no interface=WAN-ether2-isp2 use-peer-dns=no


(3) Do not understand the third entry here????
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.10.1.0/24 gateway=10.10.1.1

add address=x.x.x.0/26 dns-server=1.1.1.1 gateway=x.x.x.1 ???


(4) what is the purpose of this rule??? it's not standard and doesn't add anything to the default ruleset.
/ip firewall filter
add action=accept chain=forward connection-state=new src-address-list=LAN-dst ????

(5) I have recommendations to make your router firewall rules better, cleaner, more secure, with minimal changes but will wait for next iteration. One thing not done is separating the two subnets at layer 3.

(6) Don't think you need any mangling....... as ensuring subnet delivery to the right WANIP can be all done in routing.

(7) Depending on answers in 2, may change your source nat rules but will wait.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-pppoe-isp1
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-ether2-isp2

(8) These will change as per the (6) above.
First you NEED normal ROUTES without any modification.
/ip route
add distance=5 gateway=WAN-pppoe-isp1 check-gateway=ping
add distance=10 gateway=x.x.x.1
Then you add two more routes that look similar
add distance=5 gateway=WAN-pppoe-isp1 check-gateway=ping routing-mark=USE_ISP1
add distance=10 gateway=x.x.x.1 routing-mark=USE_ISP2
Then you add two route RULES
/ip route rule
add action=lookup-only-in-table src-address=10.10.0.0/24 table=USE_ISP1
add action=lookup-only-in-table src-address=10.10.1.0/24 table=USE_ISP2

Done, all outgoing traffic from home lan will go out ISP1 and all server traffic from the server lan will go out ISP2 and no mangling.

(9) For security reasons it is recommended that all services be turned off except winbox and possibly SSH. The rest are not considered secure.
/ip service
 
n3phron (Topic Author)

Re: Multiple wan without failover but routing different lans through their own connection

Fri Apr 02, 2021 12:11 am

ISP1 is pppoe with dynamic IP with a different IP address every 2 weeks/reconnection. I would have rather kept this connection for both, but I really wanted a public IP I can point my domains to so I can play around with email servers and dns records. This is why I had to get ISP2 that actually provides me a public IP that won't change, which they are providing me with from DHCP.

To answer point two, I don't think I need a dhcp client entry for ISP1 because the pppoe connection already has the public ip I'm getting from them. Also they don't seem to have a dhcp server in their network. The connection works as is.

On point three, the third entry is something I tried because ISP2 dhcp client IP address is x.x.x.36/26. I may have tried to "steal" some more public ips from them... I thought, and now I think wrongly, that since I can see the subnet they have that ip in, would mean that I could provide more ips in the subnet to my servers... As I said, I'm still learning networking on this level...

On point four, I don't really remember, but I think I had some issues with traffic not being properly forwarded between my devices... I disabled it now and everything still seems to work.

On point 8, I already have some of the routes, but they are dynamic. I'm guessing I'll have to disable most of them, right?
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          WAN-pppoe-ISP1            1
 1 A S  0.0.0.0/0                          xxx.xxx.xx.1              1
 2 ADC  10.0.0.1/32        yy.yyy.yy.203   WAN-pppoe-ISP1            0
 3 ADC  10.10.0.0/24       10.10.0.1       bridge1-home              0
 4 ADC  10.10.1.0/24       10.10.1.1       ether3-servers            0
 5 ADC  xxx.xxx.xx.0/26    xxx.xxx.xx.36   WAN-ether2-ISP2           0

Thank you for the tips. I will start reconfiguring the lan.
 
anav (Forum Guru)

Re: Multiple wan without failover but routing different lans through their own connection

Fri Apr 02, 2021 1:33 am

Post the config again when you get stuck or have made progress either way.
/export hide-sensitive file=anynameyouwish
 
n3phron (Topic Author)

Re: Multiple wan without failover but routing different lans through their own connection

Sun Apr 04, 2021 1:05 pm

Thanks anav!

The router now partially works as I thought it should from the beginning. There was only one small issue with the routing rules you suggested, namely I was unable to connect to the router using its lan ip. I had to connect through one of the public ips, but I added a rule to send the internal network traffic in the internal network. I'll be disabling the first rule once I'm done with configuring the servers... I budgeted poorly and I'm out of switch ports on the servers lan and all my other router ports are full except the sfp port, but I don't have a cage for it at the moment.
/ip route rule
add dst-address=10.10.0.0/23 src-address=10.10.0.0/23 table=main
add disabled=yes dst-address=10.10.1.0/24 src-address=10.10.0.0/24 table=main
Also, when pinging my public ips from my phone's hotspot ISP1 responds but drops 25% of the packets and ISP2 doesn't respond at all. I'm guessing it's the routes and route rules that are interfering... I'll be investigating why a bit later.

I'll post my config as well maybe it will help someone else in the future.
# apr/04/2021 12:38:22 by RouterOS 6.48
# software id = ZZY1-W7KP
#
# model = RB760iGS
# serial number = 
/interface bridge
add igmp-snooping=yes name=bridge1-home
/interface ethernet
set [ find default-name=ether2 ] name=WAN-ether2-ISP2
set [ find default-name=ether1 ] name=ether1-ISP1
set [ find default-name=ether3 ] name=ether3-servers
set [ find default-name=ether4 ] name=ether4-home-wifi
set [ find default-name=ether5 ] name=ether5-home-switch
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add disabled=no interface=ether1-ISP1 name=WAN-pppoe-ISP1 password=xxxxx user=xxxxx
/interface list
add name=LAN
add name=WAN
/ip pool
add name=home ranges=10.10.0.2-10.10.0.254
add name=servers ranges=10.10.1.2-10.10.1.254
/ip dhcp-server
add add-arp=yes address-pool=home disabled=no interface=bridge1-home lease-time=1d name=dhcp-home
add add-arp=yes address-pool=servers disabled=no interface=ether3-servers lease-time=1w name=dhcp-server
/interface bridge port
add bridge=bridge1-home interface=ether4-home-wifi
add bridge=bridge1-home interface=ether5-home-switch
/ip neighbor discovery-settings
set discover-interface-list=*2000014
/interface list member
add interface=WAN-ether2-ISP2 list=WAN
add interface=WAN-pppoe-ISP1 list=WAN
add interface=ether3-servers list=LAN
add interface=bridge1-home list=LAN
add interface=ether1-ISP1 list=WAN
add interface=ether5-home-switch list=LAN
add interface=ether4-home-wifi list=LAN
/ip address
add address=10.10.0.1/24 interface=bridge1-home network=10.10.0.0
add address=10.10.1.1/24 interface=ether3-servers network=10.10.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add add-default-route=no disabled=no interface=WAN-ether2-ISP2 use-peer-dns=no
add add-default-route=no disabled=no interface=ether1-ISP1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.10.0.254 client-id=1:b0:95:75:7e:fb:f7 mac-address=B0:95:75:7E:FB:F7 server=dhcp-home
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.10.1.0/24 gateway=10.10.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.10.0.1 name=home.lan
add address=10.10.1.1 name=servers.lan
/ip firewall filter
add action=accept chain=input comment=" defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment=" defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-pppoe-ISP1
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-ether2-ISP2
/ip route
add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1 routing-mark=USE_ISP1
add distance=10 gateway=x.x.x.1 routing-mark=USE_ISP2
add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1
add distance=10 gateway=x.x.x.1
/ip route rule
add dst-address=10.10.0.0/23 src-address=10.10.0.0/23 table=main
add disabled=yes dst-address=10.10.1.0/24 src-address=10.10.0.0/24 table=main
add action=lookup-only-in-table dst-address=0.0.0.0/0 src-address=10.10.0.0/24 table=USE_ISP1
add action=lookup-only-in-table dst-address=0.0.0.0/0 src-address=10.10.1.0/24 table=USE_ISP2
/ip service
set telnet address=10.10.0.0/24 disabled=yes
set ftp address=10.10.0.0/24 disabled=yes
set www disabled=yes
set ssh disabled=yes
set api address=10.10.0.0/24 disabled=yes
set winbox address=10.10.0.0/24
set api-ssl address=10.10.0.0/24 disabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav (Forum Guru)

Re: Multiple wan without failover but routing different lans through their own connection

Sun Apr 04, 2021 3:22 pm

With a quick look, cannot see anything grossly in error??

The IP routes do look a bit out of sorts though..
/ip route
add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1 routing-mark=USE_ISP1
add distance=10 gateway=x.x.x.1 routing-mark=USE_ISP2
add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1
add distance=10 gateway=x.x.x.1
/ip route rule
add dst-address=10.10.0.0/23 src-address=10.10.0.0/23 table=main
add disabled=yes dst-address=10.10.1.0/24 src-address=10.10.0.0/24 table=main

add action=lookup-only-in-table dst-address=0.0.0.0/0 src-address=10.10.0.0/24 table=USE_ISP1
add action=lookup-only-in-table dst-address=0.0.0.0/0 src-address=10.10.1.0/24 table=USE_ISP2


I thought it should look a bit more like this (need two NORMAL route rules, then ADD two extra rules with routing marks!!!! and remove extra stuff):
/ip route
add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1
add distance=10 gateway=x.x.x.1

add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1 routing-mark=USE_ISP1
add distance=10 gateway=x.x.x.1 routing-mark=USE_ISP2
/ip route rule
add action=lookup-only-in-table src-address=10.10.0.0/24 table=USE_ISP1
add action=lookup-only-in-table src-address=10.10.1.0/24 table=USE_ISP2
 
n3phron (Topic Author)

Re: Multiple wan without failover but routing different lans through their own connection

Mon Apr 05, 2021 7:18 pm

I don't understand what you're saying... I've removed and re-added the rules in the order that you're saying... I was still unable to access 10.10.0.1 without the route rule regarding 10.10.0.0/23.

The order in which the routes appear on export is independent of the order I'm adding them. They don't have an order. The route rules however do have an order.

I also removed dst address from rules, still the same thing.
/ip route
add check-gateway=ping comment="added third" distance=5 gateway=WAN-pppoe-ISP1 routing-mark=USE_ISP1
add comment="added fourth" distance=10 gateway=x.x.x.1 routing-mark=USE_ISP2
add check-gateway=ping comment="added first" distance=5 gateway=WAN-pppoe-ISP1
add comment="added second" distance=10 gateway=x.x.x.1
/ip route rule
add dst-address=10.10.0.0/23 src-address=10.10.0.0/23 table=main
add disabled=yes dst-address=10.10.1.0/24 src-address=10.10.0.0/24 table=main
add action=lookup-only-in-table src-address=10.10.0.0/24 table=USE_ISP1
add action=lookup-only-in-table src-address=10.10.1.0/24 table=USE_ISP2
I think regardless of what else I'm gonna do I still need the route rule for internal traffic, otherwise the traffic gets marked as supposed to be going out through the specific connection, and then the router just does its job routing, and sends my 10.10.0.1 winbox login out through isp1. Am I wrong on this?
 
anav (Forum Guru)

Re: Multiple wan without failover but routing different lans through their own connection

Mon Apr 05, 2021 8:14 pm

Just out of curiosity is the 10.10.1.0 traffic going out ISP2??
Routes and Route rules are for going out the router, not internal routing so I have no clue of what you are trying to accomplish with winbox??

Going back to first post......
Ideally I would like these two networks to be separated from each other, and the router to not even allow me to connect to 10.10.1.x from 10.10.0.x, but not send the requests that come in to isp2's public ip from my home network through the internet.

a. want two subnets not to talk to each other - accomplished in firewall rules.
b. but not send the requests that come in to isp2's public ip from my home network through the internet. - NEEDS explanation, it makes no sense.
I read it as, I want my home network to be attached to ISP2 only and not let any internet traffic from home go out to the internet ???????????????????????????

In the meantime,
this needs to change
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-pppoe-ISP1
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-ether2-ISP2

TO:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-pppoe-ISP1

add action=src-nat chain=srcnat to-addresses=WANIP2 out-interface=WAN-ether2-ISP2
/ip route
 
n3phron (Topic Author)

Re: Multiple wan without failover but routing different lans through their own connection

Mon Apr 05, 2021 10:10 pm

What I mean is that devices from my home network should not see the 10.10.1.0/24 subnet and not allow connections from home network lan to servers lan, BUT I want traffic that would go to ISP2 public IP from home lan to not take a detour through the ISP1 to ISP2 link point which is maybe in another city...

Right now with the routes and rules you mentioned my home lan traffic goes out through ISP1 and my servers lan traffic goes out through ISP2 as intended, BUT without the ip route rule add dst-address=10.10.0.0/23 src-address=10.10.0.0/23 table=main, either my home network or my servers network can no longer ping the gateways, and neither can connect to the router config interface using 10.10.0.1 or 10.10.1.1 respectively. To regain access to the router interface I had to use my public ips to connect to winbox.
 
anav (Forum Guru)

Re: Multiple wan without failover but routing different lans through their own connection

Mon Apr 05, 2021 11:58 pm

Okay so it's working for the most part.
(1) Did you fix the sourcenat rules as suggested?

(2) HERE could be the issue!
From
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.10.1.0/24 gateway=10.10.1.1

TO
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=10.10.0.1
add address=10.10.1.0/24 gateway=10.10.1.1 dns-server=10.10.1.1

(3) No one I know uses IP address to connect from LAN to winbox.
I fire up winbox and connect on mac address.
To connect on IP, I think one has to also use the specific port (I hope you don't use the default port LOL)
192.168.10.1:xxxx for example.

(4) Can you connect to winbox from a wifi connection (as this does not go through the switch - attempting to eliminate the switch as a possible issue (assume it has a LANIP on the home subnet?)
Remove this in case its an issue.
igmp-snooping=yes in your bridge rule ( I dont use it)

(5) What is *2000014 referring to???? not sure the purpose here......
/ip neighbor discovery-settings
set discover-interface-list=*2000014

(6) add NEW LIST item see 7 for why............
/interface list
add name=LAN
add name=WAN

add name=HOME

add members
/interface list member
add interface=ether5-home-switch list=HOME
add interface=ether4-home-wifi list=HOME

(7) Modify the firewall to add blocking rules to the current config...........
/ip firewall filter
add action=accept chain=input comment=" defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment=" defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

add action=drop chain=forward comment="block home to server traffic" in-interface-list=HOME out-interface=ether3-servers
add action=drop chain=forward comment="block server to home traffic" in-interface=ether3-servers out-interface-list=HOME


(8) However I would approach this differently, take the last three rules above AND REPLACE!!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="block home --<-->-- server traffic" in-interface-list=HOME out-interface=ether3-servers
add action=drop chain=forward comment="block server to home traffic" in-interface=ether3-servers out-interface-list=HOME


add action=accept chain=forward comment="allow lan to wan traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN {disable if not required}
add action=drop chain=forward comment="drop all else"


Basically this makes all of the forward chain accept rules - so the only stuff allowed is what you state is allowed; the rest is dropped by the last rule (such as lan to lan traffic at L3). The only exception is drop invalid traffic, but that's a good thing.
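A small lint for the routing pitfall this thread worked through (a lookup-only-in-table route rule that pins a LAN to a WAN-only table without an earlier main-table exception for the router's own subnets, or a table with no default route), as an added example that is not code from the thread or from MikroTik; the export it parses is constructed from the configs posted above, and the parser and check names are this example's own.

```python
"""Lint a RouterOS 6 '/export' for the routing pitfall this thread worked through: a
lookup-only-in-table route rule that pins a LAN to a WAN table with no earlier main-table
exception for the router's own subnets. Added example, not code from the thread or from
MikroTik; the export below is constructed from the configs posted above."""
import ipaddress
import re
import shlex

SAMPLE_EXPORT = """\
/ip address
add address=10.10.0.1/24 interface=bridge1-home network=10.10.0.0
add address=10.10.1.1/24 interface=ether3-servers network=10.10.1.0
/ip route
add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1 routing-mark=USE_ISP1
add distance=10 gateway=x.x.x.1 routing-mark=USE_ISP2
add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1
add distance=10 gateway=x.x.x.1
/ip route rule
add action=lookup-only-in-table src-address=10.10.0.0/24 table=USE_ISP1
add action=lookup-only-in-table src-address=10.10.1.0/24 table=USE_ISP2
"""
# The main-table exception n3phron found he needed, to be placed ahead of the pinned rules.
FIXED_RULE = "add dst-address=10.10.0.0/23 src-address=10.10.0.0/23 table=main\n"


def parse_export(text):
    """Return [(section, verb, params)]; positional words go in params['_args']."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # export wraps long lines with a trailing backslash
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):  # section header such as "/ip route rule"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        rest = re.sub(r"\[ find [^\]]*\]", "", rest)  # ignore "[ find default-name=... ]"
        params = {"_args": []}
        for tok in shlex.split(rest):  # shlex keeps quoted comments as one token
            key, eq, val = tok.partition("=")
            if eq:
                params[key] = val
            else:
                params["_args"].append(key)
        entries.append((section, verb, params))
    return entries


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def check_route_rules(entries):
    """Once a source subnet is pinned to a WAN-only table, that table must hold a default
    route, and the router's connected subnets need an earlier rule that still sends them
    to 'main', where the connected routes live; otherwise LAN hosts lose their gateway."""
    findings = []
    local_nets = [net(p["address"]) for s, _, p in entries
                  if s == "/ip address" and "address" in p]
    tables = {p.get("routing-mark", "main") for s, v, p in entries
              if s == "/ip route" and v == "add"
              and p.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"}
    rules = [p for s, v, p in entries
             if s == "/ip route rule" and v == "add" and p.get("disabled") != "yes"]
    for i, rule in enumerate(rules):
        if rule.get("action") != "lookup-only-in-table":
            continue
        src, table = net(rule.get("src-address", "0.0.0.0/0")), rule.get("table")
        if table not in tables:
            findings.append(f"rule {i}: table {table} has no default route")
        # An earlier main-table rule counts only if it covers this source and the subnet.
        uncovered = [n for n in local_nets if not any(
            e.get("table") == "main" and "dst-address" in e
            and src.subnet_of(net(e.get("src-address", "0.0.0.0/0")))
            and n.subnet_of(net(e["dst-address"])) for e in rules[:i])]
        if uncovered:
            findings.append(f"rule {i}: {src} pinned to {table} with no earlier main-table "
                            f"rule for {', '.join(map(str, uncovered))}")
    return findings
```

Running `check_route_rules(parse_export(SAMPLE_EXPORT))` reports both pinned rules; inserting `FIXED_RULE` at the top of `/ip route rule` clears the findings.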
