adrianTNT (Topic Author)

Setting two ISP connections on 2 vlans, same ISP cable

Sat May 22, 2021 5:53 pm

I need help please (I am kind of a beginner I guess).

ISP gave me two separate PPPoE accounts but they are both set on same ISP ethernet cable, I get a dedicated public IP on each connection.
I want to separate the two connections so that I have one group of computers for home use and the other group of computers for office/business use, each group using a different public IP (and local ip class I guess ?!).

It works OK if I put a switch at the ISP cable, then have one PPPOE on the Mikrotik and one PPPOE on another router (see attached image), but I want to just use the mikrotik and remove the switch and the extra router.

Image

I assume I need to create two vlans for this ? (unless there is an easier and more reliable way), I also did it with connection marking but I thought it was too complicated (now I find vlans method complicated).

- made two different dhcp servers, two different classes of local IPs: 192.168.3.0/16 192.168.4.0/16, I thought /16 instead of /24 would also allow computers from two networks to see each other, I am lost here.
- made two bridges and added second vlan on the second bridge
- tried to move the internet ISP eth port/interface on the second bridge, but it doesn't work in "slave" mode, I am lost :/
- under main menu bridge > ports, I linked one ETH (eth3) port with bridge-2, expecting for computers connected here to get second ISP connection (not working).

Maybe without getting in the details...
- does the "one cable" thing prevent me from properly separating these two connections ?
- do I (can I) somehow mirror the actual cable port into two and then associate each one with one of the vlans ?
- is "tagged port" something that should be used in this case ?
- what do I need in order for computers from the two subnets see each other ? (e.g 192.168.3.11 and 192.168.4.11) ?

This one is a HAPac2, another one I have appears to have two separate hardware "switches" in it, that might help in this case ?!

Edit, the config, I tried to edit-out some parts for simplicity and privacy:
```
/interface bridge
add admin-mac=48:8F:XX:XX:XX:28 auto-mac=no comment=defconf name=bridge-1-home
add name=bridge-2-for-vlan-business
/interface ethernet
set [ find default-name=ether1 ] name=ether1-rds
set [ find default-name=ether2 ] advertise=1000M-half,1000M-full disabled=yes \
    mac-address=B0:95:XX:XX:XX:62 name=ether2-SOME-OTHER-ISP
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-rds name=\
    pppoe-rds-business user=CRPTM13592XXXX
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-home \
    user=TM18839XXXX
/interface vlan
add interface=bridge-2-for-vlan-business name=vlan-2-business vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=adr-dhcp-pool ranges=192.168.3.101-192.168.3.255
add name=adr-dhcp-pool-business ranges=192.168.4.100-192.168.4.255
/ip dhcp-server
add address-pool=adr-dhcp-pool disabled=no interface=bridge-1-home name=\
    adr-dhcp-server-1
add address-pool=adr-dhcp-pool-business disabled=no interface=\
    bridge-2-for-vlan-business name=adr-dhcp-server-2-business
/ppp profile
set *FFFFFFFE local-address=adr-dhcp-pool remote-address=adr-dhcp-pool
/interface bridge port
add bridge=bridge-2-for-vlan-business interface=ether3
add bridge=bridge-1-home interface=ether4
add bridge=bridge-1-home interface=ether5
add bridge=bridge-1-home disabled=yes interface=wlan1_2g_interface
add bridge=bridge-1-home disabled=yes interface=wlan2_5g_interface
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set allow-fast-path=yes enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge-1-home list=LAN
add interface=ether2-SOME-OTHER-ISP list=WAN
add list=WAN
add list=WAN
add interface=pppoe-rds-home list=WAN
add interface=ether1-rds list=WAN
add interface=pppoe-rds-business list=WAN
add list=WAN
/interface ovpn-server server
set certificate=EXAMPLE_cert.pem_0 cipher=blowfish128,aes128,aes256 \
    enabled=yes require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-1-home network=\
    192.168.88.0
add address=192.168.3.1/24 interface=bridge-1-home network=192.168.3.0
add address=192.168.4.1/24 interface=bridge-2-for-vlan-business network=\
    192.168.4.0
/ip arp
add address=192.168.3.10 interface=bridge-1-home mac-address=64:76:XX:XX:XX:02
add address=192.168.3.16 interface=bridge-1-home mac-address=88:D7:F6:XX:XX:D1
add address=192.168.3.9 interface=bridge-1-home mac-address=D0:37:XX:XX:XX:85
add address=192.168.3.100 interface=bridge-1-home mac-address=B0:95:XX:XX:XX:B1
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=no interface=ether2-SOME-OTHER-ISP use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.3.10 mac-address=64:76:XX:XX:XX:02 server=adr-dhcp-server-1
add address=192.168.3.16 client-id=1:88:D7:F6:XX:XX:D1 mac-address=\
    88:D7:F6:XX:XX:D1 server=adr-dhcp-server-1
add address=192.168.4.0/24 dns-server=192.168.4.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.4.1 netmask=16
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8,1.1.1.1 gateway=\
    192.168.88.1 netmask=16
/ip dns
set allow-remote-requests=yes cache-size=8192KiB servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow OpenVPN  ?!" dst-port=1194 \
    protocol=tcp
add action=accept chain=input comment="UDP vpn ports  ?!" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="UDP vpn ports  ?!" dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment=\
    "UDP vpn port with additional IPsec condition ?!" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-port="" protocol=udp src-address=\
    192.168.0.0/16 src-port=67
add action=drop chain=forward dst-port="" protocol=udp src-address=\
    192.168.0.0/16 src-port=68
add action=drop chain=forward comment="trying to block a rogue UPC dhcp server" \
    disabled=yes src-mac-address=90:5C:XX:XX:XX:F1
add action=drop chain=input disabled=yes src-address-type="" src-mac-address=\
    90:5C:XX:XX:XX:F1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade for wifi repeater" \
    disabled=yes ipsec-policy=out,none out-interface=bridge-1-home
```
 
bpwl

Sat May 22, 2021 7:03 pm

I assume you can use a simple setup ....

- you have one ISP ethernet cable (this will support the PPPoE connections)
- you have 2 independent PPPoE client interfaces, one each for your ISP PPPoE accounts
- This is your WAN side, with 2 interfaces. WAN and LAN normally are not bridged. So neither this ethernet interface nor the 2 PPPoE interfaces are connected to a bridge

The traversal from LAN to WAN is with the default NAT rules of the firewall. You will need 2 NAT rules instead of one. You will also need 2 default routes.

- If you need a bridge or VLAN for the LAN side of the network, depends on the design there.
Many possibilities for the LAN side. It can perfectly be done with just 2 ethernet interfaces , or 2 bridges with some ethernet interfaces, or one bridge with or without 2 VLAN

-Take 2 LAN interfaces ....

- one IP address per interface (192.168.3.1 and 192.168.4.1)
- one DHCP server per ethernet interface (serving 192.168.3.0/24 and 192.168.4.0/24)
- 2 NAT rules in firewall with source IP address filter
- 2 default IP routes with source IP address filter

- 2 bridges ... very similar setup (LAN IP address and DHCP server on the bridges)

- bridge with VLAN also similar

- bridge without VLAN or just one ethernet ... a bit more complicated to handle the DHCP leases, as there is only one DHCP server


You can have a smarter setup, with preferred and failover PPPoE paths (but they probably fail both at the same time) viewtopic.php?f=23&t=157048
There are many variations on this. Some ideas here ... https://mum.mikrotik.com/presentations/US12/tomas.pdf
 
anav

Sat May 22, 2021 10:53 pm

To use vlans, is dependent upon the use of your router ports more than anything, but since you want to use them please read this reference...............
to understand the config!!
viewtopic.php?f=23&t=143620
```
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP
/interface vlan
add interface=bridge name=home_users10 vlan-id=10
add interface=bridge name=work_office20 vlan-id=20
/interface bridge
# keep vlan-filtering=no until config is complete and then enable
add name=bridge vlan-filtering=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe1-home profile=\
    MyhomePPPoE user=xxxxx@xxxxx.xxx
/interface pptp-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe2-work profile=\
    MyworkPPPoE user=yyyyy@xxxxx.xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool-home ranges=192.168.10.2-192.168.10.150
add name=pool-work ranges=192.168.20.2-192.168.20.150
/ip dhcp-server
add address-pool=pool-home disabled=no interface=home_users10
add address-pool=pool-work disabled=no interface=work_office20
/interface bridge port
# settings depend upon the purpose of each port --> what devices traffic on port is going to
# ether2 goes to a smart switch for both vlans
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# ether3 goes to a home device
add bridge=bridge comment=defconf interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
/interface bridge vlan
# depends on bridge port settings
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4 vlan-ids=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1-ISP list=WAN
add interface=pppoe1-home list=WAN
add interface=pppoe2-work list=WAN
/ip address
add address=192.168.10.1/24 interface=home_users10 network=192.168.10.0
add address=192.168.20.1/24 interface=work_office20 network=192.168.20.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe1-home
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe2-work
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```
You will note that there is one important piece missing in the config and that is ip routes and it should be discussed separately.
You need two routes, they will be created by the config pppoe client setup in the config.
Not sure of their view but will call them generically.

router created pppoe1-home route
router created pppoe2-work route

Next create two identical copies and
add a "Routing Mark" entry of home-network for the pppoe1-home copy
add a "Routing Mark" entry of work-network for the pppoe2-work copy

Then you will need to create two route rules.
In the first one make the selections:
"interface" = home_users10
"Table" = home-network
"Action" lookup

In the second one,
"interface" = work_office20
"Table" = work-network
"Action" lookup

What this should do is tell the router, to use the specified table based on which vlan is being utilized and thus routing.
If the table is unavailable, let's say you had a different ISP, then the router would divert the traffic to any other available route in the main table.
In this case they are the same ISP so it makes no difference.

The other option for "Action" is Lookup ONLY in TABLE. My understanding here is that if you do that and the table you created is unavailable (the ISP is offline), the router will NOT route the traffic at all (it will not then look for the next available route in the main table).

So in this case there is no difference between LOOKUP and LOOKUP ONLY IN, because it's the same ISP.
If you do find that LOOKUP does not work then use LOOKUP ONLY IN and this should only be the case where I have misunderstood how the router uses these special route rules.
 
bpwl

Sat May 22, 2021 11:36 pm

@anav: coincidence or not? I see two times in a short time an example with 2 ppp interfaces: pppoe-out1 and pptp-out1 (your example, and the referenced text from Chupaka on "Routing failover without scripting")

> Let's suppose that we have two uplinks: GW1, GW2. It can be addresses of ADSL modems (like 192.168.1.1 and 192.168.2.1), or addresses of PPP interfaces (like pppoe-out1 and pptp-out1).

Is there a reason that I don't see right now to use pppoe and pptp, and not just 2 times pppoe-out (1&2)? Or is "pptp-client" just a typo?

Thanks for the code anyway. Would not try this (yet) without the example :-) .
 
anav

Sat May 22, 2021 11:53 pm

hi bpwl
No this was from scratch basically
I have no idea how pppoe works so I made some assumptions.
I am assuming each distributed public IP needs a client identification/assignment ??
I know that like a vlan ISP connection,
its separate and has to be included in the interface members list for example

Without the OP's config, not much to work with :-(
 
adrianTNT (Topic Author)

Sun May 23, 2021 12:44 am

I appreciate the help, but I am so lost, I understand just small fragments of your recommendations.
And I work with the WinBox UI, I am trying to translate/understand what the console commands do.
What Anav posted looks a bit like my config, I edited my initial post and included my current config at the end, maybe I can get tips on what looks wrong, or what I need to add.
I think this part could be wrong:
add bridge=bridge-2-for-vlan-business interface=ether3
And I probably need to edit the firewall rules ? I didn't touch these since I tried this vlan thing.
I know you both mentioned firewall rules but I guess I am asking if that is the next step or anything else is very wrong.
In my config, ether3 is the one port I attempt to associate with vlan2, that is actually the single vlan that I created in attempt to separate from default network.
The ether3 has wifi AP and more computers attached.
And on ether2 there is another isp that should be ignored.
 
rextended

Sun May 23, 2021 1:04 am

In short, your config is a total mess to me, but before you continue, two things:

1) both pppoe-client can't be master at same time, one must have "default route distance different" (like main 10, other 20)
(really connection with "lower" IP is selected as main)

2) for my knowledge, can't be two pppoe-client on same interface, because have same MAC address and the remote pppoe-server can't accept two username for the same MAC
(MRRU is another question, have same username)

```
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-business user=CRPTM13592XXXX
# inherit from default: default-route-distance=1
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-home user=TM18839XXXX
# inherit from default: default-route-distance=1
```

And if, at the end, for some reason both work, the next step is the routing...
 
adrianTNT (Topic Author)

Sun May 23, 2021 1:20 am

> 1) both pppoe-client can't be master at same time, one must have "default route distance different" (like main 10, other 20)
> (really connection with "lower" IP is selected as main)

you meant "connection with lower distance" ?
I was unsure on what "distance" does. I now set one to "1" and another to "2" under pppoe connection settings.

> 2) for my knowledge, can't be two pppoe-client on same interface, because have same MAC address and the remote pppoe-server can't accept two username for the same MAC
> (MRRU is another question, have same username)

That part seems to work fine, I was surprised to see that it also works if one router has a pppoe connected to ISP and another computer connected to that router (so already connected to internet) can also make a separate PPPOE connection under the parent one.

> /interface pppoe-client
> add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-business user=CRPTM13592XXXX inherit from default: default-route-distance=1
> add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-home user=TM18839XXXX inherit from default: default-route-distance=1
> And if, at the end, for some reason both work, the next step is the routing...

These are now set to distance 1 and 2, above were you pointing my mistakes or is it a recommended setup ? Not sure what "inherit from default" is/does.
 
anav

Sun May 23, 2021 1:51 am

DID You read the reference for vlans??

post your config
/export hide-sensitive file=anynameyouwish

If you are uneasy about information presented, I believe the only thing to worry about is
the actual WANIP and gateway IP of your router connections.

With hide-sensitive there should be no username or wifi security information etc. as these are stripped.
Also just start on the first line of the config no need to see serial number of router etc...
 
rextended

Sun May 23, 2021 1:56 am

>>>you meant "connection with lower distance" ?
no, I mean what I have written: connection with "lower" IP is selected as main
for example 145.23.25.71 is selected against 205.48.75.61 because first have "lower" IP value

>>>I was surprised to see that it also works if one router has a pppoe connected to ISP and another computer connected to that router (so already connected to internet) can also make a separate PPPOE connection under the parent one.<<<
ANOTHER, not the same interface, but is another pppoe or is pptp on PC?

>>>recommended setup ?
I recommend 10 and 20 because you can add also 9,8,7,6.... 12,13,14... without change 10 and 20, you can't add lower than 1 or between 1 and 2.
Better have space

>>>Not sure what "inherit from default" is/does
Is the value, if you do not change them, when create a pppoe-client
 
bpwl

Sun May 23, 2021 2:06 am

I'll try to understand .... and eliminate what I can (there is no need for a VLAN, nor for a second bridge as there is only ether3 connected)

ether1-rds : ethernet connection to your ISP
pppoe-rds-home: your first account interface
pppoe-rds-work: your second account interface

ether3 : ethernet to your business environment
bridge-1 : with ether4,ether5,wlan1, wlan2 ports for your home environment.

OK not all details (it's late here, over midnight)
1. Interface lists
- ether1, pppoe-rds-home, pppoe-rds-work should be member of the WAN interface list
- bridge1 and ether3 should be member of the LAN interface list
This is because WAN and LAN words are used in the firewall and other lines in the config. (If you insist on using a second bridge, bridge2 should be in the LAN interface list. Ports follow the bridge value not their own value) Actually bridge2 or ether3 (if no 2nd bridge) is missing in the interface lists membership. There are also some empty lines.

2. IP firewall NAT
- the out interfaces are pppoe-rds-home and pppoe-rds-work.
Not the bridge as out interface, and the interface list WAN might work for the NAT of both interfaces, but you can specify the output interfaces separately in 2 rules.

3. Policy routing
- routing rules must route the LAN home range to the pppoe-rds-home interface, and the LAN work range to the pppoe-rds-work interface.
There are no static routes in your config yet. See viewtopic.php?t=124762 where setting routing marks with mangle rules is not needed.

4. Separate home and work.
- using VLANs here does not make much sense to me, as the work and home traffic goes to different ethernet interfaces.
- the router and firewall will connect (route and NAT) the 'home LAN to the home pppoe interface', and the 'work LAN to the work pppoe interface'
- however the router will route what it can , and if not blocked by the firewall the 'work' and 'home' LAN will have a working route to each other.
- So the forwarding between LAN subnets (or interfaces) must be stopped in the firewall.
(Even with a VLAN , the router would route to and from the defined VLAN if not denied to do so).
- Rule with the IP address ranges or the interfaces. Something like : "chain=forward action=drop in-interface=ether3 out-interface=bridge-1-home" , and the reverse rule also, both high enough in the forward rules to be selected before the accept rule, that could allow the route between both LAN's.
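
bpwl's points 2 to 4 above, together with the route rules anav describes earlier in the thread, written out as one RouterOS v6 configuration. This is an added example, not a config posted by anyone in the thread; it assumes the home LAN is 192.168.3.0/24 on bridge-1-home, the business LAN is 192.168.4.0/24 directly on ether3 (no second bridge), and the table names to-home and to-business are invented for the illustration.

```routeros
# Added example (RouterOS v6 syntax). Interface names follow the thread;
# the routing table names to-home / to-business are assumptions.

# 1. One default route per PPPoE client, each in its own routing table.
#    The defaults created by add-default-route=yes stay in the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-rds-home routing-mark=to-home
add dst-address=0.0.0.0/0 gateway=pppoe-rds-business routing-mark=to-business

# 2. Route rules are evaluated top to bottom.
/ip route rule
# Traffic addressed to either LAN (including the router's own LAN addresses)
# is resolved from the main table, where the connected routes live.
add dst-address=192.168.3.0/24 action=lookup table=main
add dst-address=192.168.4.0/24 action=lookup table=main
# Everything else is selected by source subnet.
# action=lookup falls back to the main table when the named table has no
# usable route; action=lookup-only-in-table does not, so a LAN never leaves
# through the other account's public IP when its own PPPoE session is down.
add src-address=192.168.3.0/24 action=lookup-only-in-table table=to-home
add src-address=192.168.4.0/24 action=lookup-only-in-table table=to-business

# 3. One masquerade rule per uplink, limited to the subnet that may use it.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.3.0/24 \
    out-interface=pppoe-rds-home comment="home LAN -> home account"
add chain=srcnat action=masquerade src-address=192.168.4.0/24 \
    out-interface=pppoe-rds-business comment="business LAN -> business account"

# 4. The router routes between its connected subnets unless the firewall
#    stops it. These two rules keep home and business apart; move them above
#    any forward accept rule that would otherwise match first.
#    If ether3 is a bridge port, name the bridge here instead of ether3.
/ip firewall filter
add chain=forward action=drop in-interface=ether3 \
    out-interface=bridge-1-home comment="isolate: business -> home"
add chain=forward action=drop in-interface=bridge-1-home \
    out-interface=ether3 comment="isolate: home -> business"
```

With the two drop rules in place the subnets cannot reach each other; leaving them out gives the cross-subnet reachability asked about in the first post.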
 
bpwl

Sun May 23, 2021 2:26 am

> Is there a reason that I don't see right now to use pppoe and pptp , and not just 2 times pppoe-out (1&2) . Or is "pptp-client" just a typo ?

Aaaarg, never used PPPoE on Mikrotik or 2 PPPoE to the same provider. I see the problem, and the workaround is not so easy: viewtopic.php?t=153089
 
anav

Sun May 23, 2021 2:26 am

HI bpwl concur if there is only one use per port!!
However the vlan structure allows one to add a smart Access point or smart switch at any time with ease.

If I was to do this with only four ports and two subnets and no vlans, in use as depicted it would look like.
```
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP

/interface bridge
add name=bridgehome
add name=bridgework
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe1-home profile=\
    MyhomePPPoE user=xxxxx@xxxxx.xxx
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ISP name=pppoe2-work profile=\
    MyworkPPPoE user=yyyyy@xxxxx.xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool-home ranges=192.168.10.2-192.168.10.150
add name=pool-work ranges=192.168.20.2-192.168.20.150
/ip dhcp-server
add address-pool=pool-home disabled=no interface=bridgehome
add address-pool=pool-work disabled=no interface=bridgework
/interface bridge port
# ether2: pc 1 home, ether3: pc 2 home, ether4: pc 3 work, ether5: pc 4 work
add bridge=bridgehome comment=defconf interface=ether2
add bridge=bridgehome comment=defconf interface=ether3
add bridge=bridgework comment=defconf interface=ether4
add bridge=bridgework comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=bridgehome list=LAN
add interface=bridgework list=LAN
add interface=ether1-ISP list=WAN
add interface=pppoe1-home list=WAN
add interface=pppoe2-work list=WAN
/ip address
add address=192.168.10.1/24 interface=bridgehome network=192.168.10.0
add address=192.168.20.1/24 interface=bridgework network=192.168.20.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe1-home
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe2-work
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```
 
rextended

Sun May 23, 2021 2:35 am

Uhm... what the hell... nice Idea to add virtual ethernet... instead to add a switch and plug ether1 for pppoe-out1 and ether2 for pppoe-out2

```
/interface vrrp
add interface=ether1 name=vrrp1 v3-protocol=ipv6 vrid=1
```
and add the second pppoe-client on vrrp1 instead of ether1

Just tested and is working!!!
Thanks to all, I find a solution after years...
 
bpwl

Sun May 23, 2021 2:41 am

Nice @anav.
 
rextended

Sun May 23, 2021 2:53 am

```
/interface vrrp
add interface=vlan1 name=vrrp1 v3-protocol=ipv6 vrid=1
```
Just tested and work also on vlan
 
rextended

Sun May 23, 2021 3:01 am

VERY THANKS bpwl !!!

I use VRRP from 2007 and I've not notice that use till now...

THANKS!!!
 
adrianTNT (Topic Author)

Sun May 23, 2021 3:50 am

Maybe I should have mentioned that the two groups of computers (home vs office) do get the right IPs from different subnets and both connect to internet, the only thing left was for each use separate pppoe.

Just to rule this out: ISP does allow both pppoe to connect on same cable, and I get the public IP in status of both pppoe connections.

@anav you said to post the config, I am not sure if you have seen the config I later added to my first post.

@bpwl I corrected the interface lists as you mentioned.

Now from what you said afterwards at 2,3,4 ...
I thought vlans would help in a way that it would simplify things and simply by bridging each pppoe with it's own vlan, I would have separate public IP on each.
But if I still need to create routing rules, then vlans are not needed. I think that is also what you said.

I actually did this before with multiple pppoe (no vlans) and used routing marks to associate with different computers, but I thought that is too complicated (silly me), that is why I turned to vlans.
I think vlans might have been the wrong approach and not worth the complications for me.
The image attached is how I did this without vlans, I don't think vlans can make it simpler than that, no ?
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 4:07 am

[...] vlan structure allows one to add a smart Access point or smart switch at any time with ease.
If I was to do this with only four ports and two subnets and no vlans, in use as depicted it would look like [...]
@anav the code you attached above, is the same approach I was advised to setup here, no ?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 4:36 am

To be frank I don't understand the VRRP application; I would need to see diagrams and config to understand it, but it does seem cool.........


Okay I see now that the PPPoE client settings page includes everything you need; it's a combo page that is also like the dhcp client page.
So accept the defaults and ensure that default route is set to YES for both.

Please show me the routes as a jpeg from winbox
and also as config text for ip routes,

and the address block (but change the numbers so we don't see the actual ones...........).

What I suspect is that you will have two entries for address in IP address that look like:
address=172.16.1.250 gateway=172.16.1.213 interface=pppoe-1out
address=172.16.1.249 gateway=172.16.1.213 interface=pppoe-2out

You will have two default routes that look like.
0.0.0.0/0 gateway=172.16.1.213 reachable pppoe-1out distance=1
0.0.0.0/0 gateway=172.16.1.213 reachable pppoe-2out distance=1

Please confirm this is the format shown, obviously the numbers will be different
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 2:28 pm

Do you think I can still do this (associate the vlan with certain pppoe) without connection marks and routes based on marks I did in that other setup I mentioned ? If I still need these, then I could do just that without the vlans.

I attached the ip and routes from winbox, but when I exported the config, I do not have any routes or public ips in the text, I think it is because these are all set dynamically and I have not set any rules for them.

The pppoe interface (if needed) is this:
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-business user=TM123
add add-default-route=yes default-route-distance=2 disabled=no interface=ether1-rds name=pppoe-rds-home user=TM234
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 2:33 pm

Dear OP. I think you have almost all possible combinations (routing rules, routing marks, bridges, VLAN). All configurations (both posts) can work.

(On the VLAN: study the complex theory in Mikrotik as @anav mentioned (documents the bridge method). Normally you bring all involved ethernet interfaces to the same bridge if you use the "bridge method"; the other way of doing it is the "switch method". Methods cannot be mixed. VLANs can be of benefit in the WAN (upstream) and LAN (downstream) hybrid connections, where you separate the VLANs later, in a Switch, Router, Server or AP.)
> Do you think I can still do this (associate the vlan with certain pppoe) without connection marks and routes based on marks
You have the link to this: viewtopic.php?t=124762#p620481
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 2:40 pm

@bpwl is this what the link recommends (like I added in the image) ?
Not sure what distance to set there in my case.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable  [SOLVED]

Sun May 23, 2021 3:37 pm

Okay adrian, you can relax, it all makes sense..........

If you look at your routes, one is distance 1 and the other is distance 2.
The default for both is one, but you entered 2 I believe for rds-home and that's why rds-work is reachable and BLACK font (being used as Main table route),
while rds-home is reachable and BLUE FONT (not being used).
It also shows you the DAC line of the network the active route is using 10.0.0.1 via rds-business and the preferred source (the IP of the rds-work).

What this means is that all traffic will go out rds work at the moment as expected due to your setup (having the shorter distance).
Now we want to move to a slightly different model........ and forget adding preferred source, not the way to do it!
First step is to change the pppoe client setting for distance to be 1 for the rds-home so both are equal.

Then I would create copies of the two existing routes.
Add comment to each copy so you can tell one from the original (Directing Home Users, and Directing Work Devices for example)

For the Directing home users
destination address = 0.0.0.0/0 gateway= pppoe-rds-home distance=1 Routing Mark=4_home

For the Directing work devices
destination address = 0.0.0.0/0 gateway = pppoe-rds-work distance=1 Routing Mark = 4_work

Now create two Route Rules
For Directing home users
source address = 192.168.3.0/24
Table= 4_home
Action= lookup in table

For Directing work devices
source address = 192.168.4.0/24
Table = 4_work
Action = lookup in table.

The result will be that the appropriate group of users will go out the table assigned.
Alternatively in the Route Rules you could use the bridge interface,
aka use INTERFACE vice SOURCE ADDRESS ( bridgehome, bridgework )
Last edited by anav on Sun May 23, 2021 3:39 pm, edited 1 time in total.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 3:39 pm

For working without the need for mangle rules to set routing marks ....

Still missing the ISP2 routing table, with ISP2 distance =1 (and if you want failover ISP1 distance=2)

Main routing table with ISP1 distance=1 and ISP2 distance=2 is OK

Remark: you can change the distance of the DHCP-client inherited default routes to a higher distance in the DHCP-client setting
"Then make a static default GW route with dst=pppoe2 as the main route (lowest distance value) and optionally a second one with pppoe1 as a backup default GW (higher admin distance value) for the "isp2" routing table. (routing-mark=isp2)
Once those exist, you can make a route rule which says if the source IP is from lan2, then action=lookup-only-in-table table=isp2"
Last edited by bpwl on Sun May 23, 2021 3:47 pm, edited 2 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 3:40 pm

bpwl you are clouding issues.

The routes picture he showed is correct, he is not missing anything.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 3:46 pm

Yep, there are 2 options. Two dedicated routing tables, or using the main table and one dedicated routing table (@ZeroByte's way of doing it).

So far there were no dedicated routing tables yet .... but it changes fast
Last edited by bpwl on Sun May 23, 2021 10:44 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 3:47 pm

The main table is a routing table LOL.
In the main table there can be many routes.

The simple, clean, direct way to meet the requirements of the poster is to create two route marks and direct users to the appropriately created tables 4_home and 4_work.
Case closed.

In the alternative scenario where the OP wants to play with vlans, there is no difference required for the approach to the IP Routes solution,
other than the person would use (in the route rule) vlan interfaces vice bridge interfaces, IF, the op decided not to use source address

Note that if this was two separate ISPs, not related, then the recommendation would still stand.
In that case, if one ISP went offline, the router would see that the offline table (be it 4-work or 4-home) is not routable and would move all the associated users to the next available route in the main table, which would be the default route for rds-work or rds-home depending upon which associated ISP was offline. So backup is automatic.
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 9:34 pm

So I added the two routes and created two rules (this is under routes window > rules, correct ?!)
With the attached setup, both 192.168.3.x computers and 192.168.4.x computers seem to use the "home" connection.
I tried setting the interface under rules, associating with each of the two bridges, but I didn't see a difference.
Any ideas ? Maybe the value after action "lookup only in table" is wrong ? Do I select the mark name after that ? Or "main" ?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 9:48 pm

First thing, one should use look up in table vice look up ONLY in table, because then if one ISP is offline the other one will not be used for traffic.
In this case it doesn't matter, same provider, but it does go to show that you have been a naughty boy not following instructions LOL.

I am not sure why it's choosing the home connection every time, but the routes table does show only in black whereas with equal distance they both should be,
nevertheless that is the main table, and if the router wants or needs to choose one as primary that's fine, that should not affect your routing mark selections.
I will have to think about it.....
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 10:01 pm

I didn't understand the expressions you used in first part, can you please tell me again what should be the "action" and the "table" after it ?

And I think you assumed the ISP connections would always be online or offline, but I often see the home connection having issues, while the "business" plan still works (from my ISP's end).
I guess this part is not important for now.

Edit: it kept using home connection, then I disabled the home-pppoe, it instantly used the work connection, when I enabled both, it remained on the work one. It seems to remember routes and stick to what works, if that makes any sense.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 10:13 pm

Good to know for troubleshooting why it won't use the route mark setting.
Don't worry about the route rules, the ones you have are fine.
It may be something about two pppoe accounts coming on the same ethernet interface but I cannot find that documented anywhere.

Would be good to see your config as it stands now with all rules.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 10:15 pm

> So I added the two routes and created two rules (this is under routes window > rules, correct ?!)
> With the attached setup, both 192.168.3.x computers and 192.168.4.x computers seem to use the "home" connection.
> I tried setting the interface under rules, associating with each of the two bridges, but I didn't see a difference.
> Any ideas ? Maybe the value after action "lookup only in table" is wrong ? Do I select the mark name after that ? Or "main" ?
What is wrong is that on an /ip route rule row, routing-mark is a match field, whereas table is an output parameter to be set if all the match fields match.

routing-mark and routing table name are almost synonyms everywhere else in the configuration, but not here, as the /ip route rule rows can be used to translate one routing-mark (which has been assigned by vrf or by a mangle rule) to another one (specified in the table column).

So your rules never match, because nothing before them assigns any routing-mark to the packets. Just make the routing-mark column empty in both rules and keep the rest as you've shown, and it should start doing what you want.

The interface column matches on in-interface; since you match on src-address, there's no need to match also on interface in this simple setup.
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 10:31 pm

[...]What is wrong is that on an /ip route rule row, routing-mark is a match field, whereas table is an output parameter to be set if all the match fields match.[...]
If I understand correctly it is like seeing a box named "routing mark" and it is confusing because it doesn't say "routing mark to set" or "routing mark to match". Did I get this right ? I noticed this problem with the interface and it makes it a pain for beginners to set things up.

Edit: I tried clearing the values under routing-mark column in rules window, rest is as in above image. It didn't change anything and set it back as in image above.

Maybe this points something out: I noticed if I uncheck the "add default route" in my two pppoe interfaces, then it doesn't connect to internet at all, I thought it should use the two routes I manually set (as in above image).

Maybe if you all agree this needs mangle to set some connection marks and then setup the routes based on that, then I will try that :)
I thought it can be done without.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 10:56 pm

No you need to follow directions properly.
As sindy astutely pointed out (he has four eyes while us mere mortals have two!!).
You added the extra routing mark entry in the route rule.....

READ MY INSTRUCTIONS AGAIN!!!

For the Directing home users
destination address = 0.0.0.0/0 gateway= pppoe-rds-home distance=1 Routing Mark=4_home

For the Directing work devices
destination address = 0.0.0.0/0 gateway = pppoe-rds-work distance=1 Routing Mark = 4_work

Now create two Route Rules
For Directing home users
source address = 192.168.3.0/24
Table= 4_home
Action= lookup in table


For Directing work devices
source address = 192.168.4.0/24
Table = 4_work
Action = lookup in table.


Does it say anywhere to add a routing mark entry LOL.
Simply remove those and it will work.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting two ISP connections on 2 vlans, same ISP cable

Sun May 23, 2021 11:54 pm

> Maybe this points something out: I noticed if I uncheck the "add default route" in my two pppoe interfaces, then it doesn't connect to internet at all, I thought it should use the two routes I manually set (as in above image).
This could be a DNS issue. Whereas the devices in 192.168.3.0/24 and in 192.168.4.0/24 use the routes with the respective routing-mark values thanks to the rules, the Mikrotik itself uses the routes in routing table main (i.e. those with no routing-mark values) for its own traffic. So if the "home" and "business" devices use the Mikrotik as their DNS server, the Mikrotik needs to forward their DNS queries, but it cannot if add-default-route is set to no on the /interface pppoe client rows (and no, there is no way to let Mikrotik forward home DNS queries via one PPPoE and business DNS queries via the other one, so if you want to separate this too, you have to tell the hosts to use external DNS servers, so their DNS queries will be routed just like any other traffic).

> Maybe if you all agree this needs mangle to set some connection marks and then setup the routes based on that, then I will try that :)
> I thought it can be done without.
Mangle rules are a fine tool to select the WAN based on source and destination ports etc., not necessary for your simple case.

Remove the routing-mark values from the rules again, and once you do that, post the proper text export of the configuration rather than the screenshots.
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 12:18 am

it works now, after removing the routing marks you two mentioned :D Thanks !

Now I want to mess things up :) ...
Besides this ISP with two separate connections, I also have another ISP on ether2-telekom, it would be nice if this would remain as a backup connection in case the other two from same ISP fail.
I have seen I can set up distance to "2" for this "Telekom" ISP, then (for testing) I disable the two pppoe of first ISP, and now this Telekom ISP only works if I also disable the two rules in "routes rules" tab.
Maybe there is an easy way to get this working ? By adjusting the two rules maybe ?

I set that distance=2 for "telekom" isp by DHCP client, because that is how I connect that one, not by PPPOE.

The current config is ...
/interface bridge
add admin-mac=48:8F:XX:XX:XX:28 auto-mac=no comment=defconf name=bridge-1-home
add name=bridge-2-for-vlan-work
/interface ethernet
set [ find default-name=ether1 ] name=ether1-rds
set [ find default-name=ether2 ] advertise=1000M-half,1000M-full mac-address=B0:95:XX:XX:XX:62 name=ether2-telekom
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-home user=TM123
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-work user=TM234
/interface vlan
add interface=bridge-2-for-vlan-work name=vlan-2-work vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=adr-dhcp-pool ranges=192.168.3.101-192.168.3.255
add name=adr-dhcp-pool-business ranges=192.168.4.100-192.168.4.255
/ip dhcp-server
add address-pool=adr-dhcp-pool disabled=no interface=bridge-1-home name=adr-dhcp-server-1
add address-pool=adr-dhcp-pool-business disabled=no interface=bridge-2-for-vlan-work name=adr-dhcp-server-2-business
/ppp profile
set *FFFFFFFE local-address=adr-dhcp-pool remote-address=adr-dhcp-pool
/interface bridge port
add bridge=bridge-2-for-vlan-work interface=ether3 pvid=2
add bridge=bridge-1-home interface=ether4
add bridge=bridge-1-home interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-2-for-vlan-work vlan-ids=2
/interface l2tp-server server
set allow-fast-path=yes enabled=yes use-ipsec=required
/interface list member
add interface=bridge-1-home list=LAN
add interface=ether2-telekom list=WAN
add interface=pppoe-rds-home list=WAN
add interface=ether1-rds list=WAN
add interface=pppoe-rds-work list=WAN
add interface=bridge-2-for-vlan-work list=LAN
add comment="ether3 as LAN, as user bpwl advised" interface=ether3 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-1-home network=192.168.88.0
add address=192.168.3.1/24 interface=bridge-1-home network=192.168.3.0
add address=192.168.4.1/24 interface=bridge-2-for-vlan-work network=192.168.4.0
/ip arp
add address=192.168.3.10 interface=bridge-1-home mac-address=64:76:XX:XX:XX:02
add address=192.168.3.16 interface=bridge-1-home mac-address=88:D7:XX:XX:XX:D1
add address=192.168.3.9 interface=bridge-1-home mac-address=D0:37:XX:XX:XX:71
add address=192.168.3.100 interface=bridge-1-home mac-address=B0:95:XX:XX:XX:51
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add default-route-distance=2 disabled=no interface=ether2-telekom use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=192.168.3.1,8.8.8.8,1.1.1.1 gateway=192.168.3.1 netmask=16
add address=192.168.4.0/24 dns-server=192.168.4.1,8.8.8.8,1.1.1.1 gateway=192.168.4.1 netmask=16
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8,1.1.1.1 gateway=192.168.88.1 netmask=16
/ip dns
set allow-remote-requests=yes cache-size=8192KiB servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip route
add comment="manually created" distance=1 gateway=pppoe-rds-home routing-mark=home-connection-mark
add comment="manually created" distance=1 gateway=pppoe-rds-work routing-mark=work-connection-mark
/ip route rule
add action=lookup-only-in-table dst-address=0.0.0.0/0 interface=bridge-1-home src-address=192.168.3.0/24 table=home-connection-mark
add action=lookup-only-in-table dst-address=0.0.0.0/0 interface=bridge-2-for-vlan-work src-address=192.168.4.0/24 table=work-connection-mark
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 12:34 am

By means of the rules, you choose a dedicated routing table for each source subnet. So one possibility is to add a backup default route via "Telekom" to both routing tables, home-connection-mark as well as work-connection-mark, with distance=2. Another possibility is to change the action=lookup-only-in-table in the rules to just action=lookup, which means that if no matching active route can be found in the routing table indicated, a matching route in routing table main is used. And the DHCP client adds the route to routing table main.

None of the ways above provides a backup against a problem at ISP side, where the PPPoE connection is OK but ISP's own connection to internet is broken, as in such a situation, the primary route via PPPoE stays active, so the backup one is not used. To eliminate this, you need a more advanced setup (but you still don't need mangle rules ;) ).

The fact that the primary routes are PPPoE ones complicates that setup a bit. Too late here, won't say more today.
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 12:57 am

Nice, that worked, adding a "distance 2" route for my Telekom backup ISP, and changed the existent rules from "lookup only in tables" to "lookup".
It now switches to my backup isp if the other two fail.

Thanks !

I will search a bit to see what "lookup" vs "lookup only in tables" does.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 3:29 am

> Nice, that worked, adding a "distance 2" route for my Telekom backup ISP, and changed the existent rules from "lookup only in tables" to "lookup".
> It now switches to my backup isp if the other two fail.
>
> Thanks !
>
> I will search a bit to see what "lookup" vs "lookup only in tables" does.
As I explained, LOOKUP tells the router for the source address traffic or interface identified, to use the table identified in the route rule instead of the main table.
If the table being pointed to is not available, let's say the ISP is offline, then the router will revert to the next available route in the main table for that traffic (with source address or interface).

LOOKUP ONLY in table is a stronger command in the sense that EVEN IF the ISP is down, the router will NOT revert to the main table to look for a reachable route to pass the traffic.
In other words, there is no backup potential, use only this table and nothing else.
Last edited by anav on Mon May 24, 2021 4:33 am, edited 2 times in total.
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 4:03 am

Got it. Thank you.
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 6:00 pm

I have a different question, I didn't know if it needs a new topic, might be quick...

I tried to do same thing but without separate bridges or vlans, just by two subnets, grouping work computers in 192.168.4.x and home computers in 192.168.3.x.
It works well, each uses its own internet connection.
But as soon as I applied these rules, both computer groups cannot access the gateway (192.168.3.1 and 192.168.4.1), I can only access the router by its default address 192.168.88.1.

Most probably these rules are causing this but not sure how to fix it, do I need new rules with higher priority and pointing to router IP ?
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 7:43 pm

The rules say "use routing table xyz for anything with source address a.b.c.0/24".

Whereas packets for the router itself (192.168.3.1, 192.168.4.1) are not affected by these rules (that's how the Linux kernel works: quite logically, matching of the destination address of a received packet to the router's own IPs takes place before outbound routing), packets sent by the router itself are handled by these rules just like the forwarded ones. So if you send a request to e.g. 192.168.3.1, the router responds from that address, and thus the response gets marked with home-connection-mark and is therefore routed out via the corresponding WAN.

The easiest remedy is yet another pair of routing rules:
src-address=192.168.3.1 dst-address=192.168.3.0/24 action=lookup table=main
src-address=192.168.4.1 dst-address=192.168.4.0/24 action=lookup table=main

or, as you only access internet via the WANs, you can simplify that into a single rule:
src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=lookup table=main
In any case, this rule or rules must be placed before (above) the ones assigning home-connection-mark and work-connection-mark; like firewall rules and many other match lists in RouterOS, the routing rules are matched from the topmost to the bottommost one until first match (or until exhaustion of the list of course). So this rule or rules will shadow the subsequent ones and prevent them from acting on the packets sent by the router itself or, if you use the single rule with wider src-address and dst-address prefixes, on any packets sent between private IPs in the 192.168.0.0/16 range.
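
Added example (not from any post in this thread, and not RouterOS code): a simplified Python model of the /ip route rule behaviour described in the replies above, covering routing-mark as a match field, lookup versus lookup-only-in-table, and the router's own replies leaving via the WAN unless a rule for local traffic is placed first. Interface and table names are taken from the posted config; the evaluation logic, the sample host addresses and the tie-break between equal-distance routes are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOME, WORK = "home-connection-mark", "work-connection-mark"

@dataclass
class Route:
    dst: str
    gateway: str          # outgoing interface
    distance: int = 1
    table: str = "main"   # the route's routing-mark; "main" when none is set

@dataclass
class Rule:
    src: str
    table: str                          # table to look in when the rule matches
    action: str = "lookup"              # or "lookup-only-in-table"
    dst: str = "0.0.0.0/0"
    routing_mark: Optional[str] = None  # a MATCH field; the rule never sets it

def _within(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def best_route(routes, table, dst_ip, up):
    """Among active routes of one table: longest prefix, then lowest distance."""
    candidates = [r for r in routes
                  if r.table == table and r.gateway in up and _within(dst_ip, r.dst)]
    if not candidates:
        return None
    # Ties keep list order; that is an artefact of this model, not RouterOS.
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.distance))

def egress(src, dst, rules, routes, up, mark=None):
    """Interface a forwarded or router-originated packet leaves by (None = no route)."""
    for rule in rules:                          # top to bottom, first match decides
        if rule.routing_mark is not None and rule.routing_mark != mark:
            continue                            # unmarked packets never match this rule
        if not (_within(src, rule.src) and _within(dst, rule.dst)):
            continue
        hit = best_route(routes, rule.table, dst, up)
        if hit:
            return hit.gateway
        if rule.action == "lookup-only-in-table":
            return None                         # no fallback to main
        break                                   # action=lookup: fall back to main
    hit = best_route(routes, "main", dst, up)
    return hit.gateway if hit else None

# Constructed routing state, following the config posted in the thread.
ROUTES = [
    Route("192.168.3.0/24", "bridge-1-home", 0),            # connected
    Route("192.168.4.0/24", "bridge-2-for-vlan-work", 0),   # connected
    Route("0.0.0.0/0", "pppoe-rds-home", 1),
    Route("0.0.0.0/0", "pppoe-rds-work", 1),
    Route("0.0.0.0/0", "ether2-telekom", 2),                # DHCP client, distance 2
    Route("0.0.0.0/0", "pppoe-rds-home", 1, HOME),
    Route("0.0.0.0/0", "pppoe-rds-work", 1, WORK),
]
ALL_UP = {r.gateway for r in ROUTES}

def subnet_rules(action="lookup", with_mark=False):
    """The two per-subnet rules; with_mark=True reproduces the non-matching variant."""
    return [
        Rule("192.168.3.0/24", HOME, action, routing_mark=HOME if with_mark else None),
        Rule("192.168.4.0/24", WORK, action, routing_mark=WORK if with_mark else None),
    ]

# Rule for traffic between private addresses; it only helps when placed first.
LOCAL_FIRST = Rule("192.168.0.0/16", "main", "lookup", dst="192.168.0.0/16")

if __name__ == "__main__":
    work_down = ALL_UP - {"pppoe-rds-work"}
    cases = [
        ("routing-mark filled in", "192.168.4.50", "8.8.8.8", subnet_rules(with_mark=True), ALL_UP),
        ("routing-mark empty", "192.168.4.50", "8.8.8.8", subnet_rules(), ALL_UP),
        ("lookup-only, work down", "192.168.4.50", "8.8.8.8", subnet_rules("lookup-only-in-table"), work_down),
        ("lookup, work down", "192.168.4.50", "8.8.8.8", subnet_rules(), work_down),
        ("router reply, no local rule", "192.168.3.1", "192.168.3.11", subnet_rules(), ALL_UP),
        ("router reply, local rule first", "192.168.3.1", "192.168.3.11", [LOCAL_FIRST] + subnet_rules(), ALL_UP),
    ]
    for label, src, dst, rules, up in cases:
        print(f"{label:32} {src} -> {dst}: {egress(src, dst, rules, ROUTES, up)}")
```
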
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Setting two ISP connections on 2 vlans, same ISP cable

Mon May 24, 2021 8:36 pm

Worked nicely, thank you :D
