I am new here; I have been using MikroTik products for about a year, and I must say I am very satisfied.
I am running a micro-datacenter/home-lab type of environment where I host some websites and play around with new tech (k8s, Proxmox, etc.), and for the past 5 years everything has been running very well. Now I have decided to get a second static IP from my ISP, migrate all services to that IP, and leave the old IP for web surfing. Both IPs are configured via two PPPoE clients on the eth1 interface.
Everything looks good — I have internet connectivity on both IPs/connections — but I am having a hard time routing/NATing traffic to my servers from the second IP.
I have been searching Google for a few days now and have tried a bunch of configs, but nothing seems to work properly. I used the config listed here: https://serverfault.com/questions/66091 ... n-internet with partial success: it works, but the performance is very bad; it takes a few seconds to load a basic HTML page.
My knowledge of networks is limited, but I have managed to figure everything out using Google in the past. This situation is a bit too much for me, though — can somebody help me with some configuration and maybe some explanation?
Here is the config dump:
# sep/20/2021 18:24:31 by RouterOS 6.48.4
# software id = US0R-A0TX
#
# model = RB750Gr3
# serial number = CC210DE0CC7C
#
# Review notes are added below as "#" comment lines only; no configuration
# line has been changed or reordered (rule order in the firewall sections is
# significant, so it is kept exactly as exported).
# - Two PPPoE sessions (WAN1, WAN2) share ether1. Only WAN1 installs a default
#   route; WAN2 is reachable solely through the routing-mark route in /ip route.
# - The guest VLAN "UNSAFE" is not a member of the LAN interface list, which the
#   input chain's "drop all not coming from LAN" rule relies on.
/interface bridge
add admin-mac=08:55:31:36:57:72 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=PPPOE
set [ find default-name=ether4 ] comment=SWITCH
/interface pppoe-client
# WAN1: installs the default route (add-default-route=yes) and takes ISP DNS.
add add-default-route=yes disabled=no interface=ether1 name=WAN1 \
use-peer-dns=yes user=
# WAN2: no default route; it is used only through routing-mark "wan2".
# Both user= values appear stripped from the paste, and the trailing "\" on the
# WAN2 line leaves that command unterminated as pasted — re-add the credentials
# before importing this file.
add disabled=no interface=ether1 keepalive-timeout=disabled name=WAN2 user=\
/interface vlan
# Tagged VLAN 10 on ether4 for guest devices. ether4 is also a bridge port (see
# /interface bridge port) — NOTE(review): confirm the VLAN interface is meant to
# sit on the port rather than on the bridge.
add comment="Unsafe/Guest VLAN" interface=ether4 name=UNSAFE vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.0.0.60-10.0.0.100
add name=dhcp_pool3 ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool3 disabled=no interface=UNSAFE name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
# Accepts MS-CHAPv1 as well as MS-CHAPv2; the exchange is wrapped in IPsec
# (use-ipsec=required). NOTE(review): enabled= is not exported here, so the
# server is presumably at its default state — confirm whether it is in use.
set authentication=mschap1,mschap2 default-profile=default use-ipsec=required
/interface list member
# LAN list holds only the bridge (UNSAFE is not a member). WAN list holds
# ether1 plus both PPPoE interfaces, so WAN-list matches cover both links.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN1 list=WAN
/interface ovpn-server server
# OpenVPN server with mandatory client certificates. The only input rule for
# tcp/1194 in /ip firewall filter is disabled, so WAN-side clients are dropped
# by the input chain's "drop all not coming from LAN" rule.
set auth=sha1 certificate=OVPN-server.crt_0 cipher=aes256 \
require-client-certificate=yes
/ip address
# NOTE(review): 10.0.0.1/24 is bound to ether2, which is a bridge port, while
# the ARP entries and DHCP server below reference the bridge — confirm the
# address is active where intended.
add address=10.0.0.1/24 comment=defconf interface=ether2 network=10.0.0.0
add address=10.0.10.1/24 interface=UNSAFE network=10.0.10.0
/ip arp
# Static ARP pins on the bridge for the D-Link device and the TrueNAS host.
add address=10.0.0.2 comment="D-Link Switch/Router/AP" interface=bridge \
mac-address=10:FE:ED:E6:5B:7E
add address=10.0.0.40 comment=Truenas interface=bridge mac-address=\
0C:C4:7A:74:F0:3C
/ip dhcp-client
# Default-config DHCP client on ether1, which now carries the PPPoE sessions;
# presumably a leftover of the default configuration.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.0.10.254 client-id=1:b8:27:eb:79:d0:c9 mac-address=\
B8:27:EB:79:D0:C9 server=dhcp1
add address=10.0.10.252 mac-address=C4:4F:33:8E:C7:A2 server=dhcp1
/ip dhcp-server network
# Both networks hand out 10.0.0.102 (the Pi-hole, per the filter rule comments)
# as first DNS server; guest clients get 1.1.1.1 as fallback instead of the
# router, consistent with the input chain not accepting UNSAFE traffic.
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.102,10.0.0.1 \
gateway=10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=10.0.0.102,1.1.1.1 gateway=10.0.10.1
/ip dns
# The router answers remote DNS requests; who can reach it is bounded by the
# input chain (LAN list members only, i.e. neither UNSAFE nor the WANs).
set allow-remote-requests=yes servers=10.0.0.102,1.1.1.1
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
# --- input chain (traffic to the router itself): default-config baseline ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Disabled: as written it would accept tcp/1194 (OpenVPN) from any source on
# any interface. If WAN access to the VPN is wanted, re-enable it together with
# an in-interface-list=WAN match rather than unconditionally.
add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp
# Everything else addressed to the router is dropped unless it arrives on a LAN
# list member (only the bridge); this also covers UNSAFE and both WANs.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain (traffic through the router) ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# NOTE(review): packets of fasttracked connections bypass the mangle table, so
# the routing-mark set in /ip firewall mangle is not applied to them after the
# first packets; replies of a WAN2 connection can then follow the WAN1 default
# route instead. That matches the "works but very slow" symptom described in
# the post — confirm by temporarily disabling this rule, or by excluding the
# 10.0.0.150 / WAN2 traffic from fasttrack.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Guest VLAN exceptions, evaluated before the UNSAFE->bridge reject at the end:
# DNS (udp+tcp/53) to the Pi-hole ...
add action=accept chain=forward comment="PIHOLE DNS Query UDP" dst-address=\
10.0.0.102 dst-port=53 in-interface=UNSAFE protocol=udp
add action=accept chain=forward comment="PIHOLE DNS Query TCP" dst-address=\
10.0.0.102 dst-port=53 in-interface=UNSAFE protocol=tcp
# ... and SMB (tcp/445) to the TrueNAS host. NOTE(review): this gives guest
# devices a path to the file server; confirm that exposure is intended.
add action=accept chain=forward comment=SMB dst-address=10.0.0.40 dst-port=\
445 in-interface=UNSAFE protocol=tcp
# New connections arriving on either WAN are allowed only when a dst-nat rule
# matched them (the port forwards in /ip firewall nat).
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Last rule: guest VLAN to the main LAN is rejected. No catch-all drop follows,
# so UNSAFE keeps internet access through the chain's default accept.
add action=reject chain=forward in-interface=UNSAFE out-interface=bridge \
reject-with=icmp-network-unreachable
/ip firewall mangle
# Policy routing: every packet sourced from 10.0.0.150 (the WAN2 port-forward
# target) gets routing-mark "wan2", so both its replies and its own outbound
# connections take the WAN2 route in /ip route. Matching is by source address
# only — there is no connection-mark — and fasttracked packets do not traverse
# this chain (see the fasttrack note in /ip firewall filter).
add action=mark-routing chain=prerouting new-routing-mark=wan2 passthrough=\
yes src-address=10.0.0.150
/ip firewall nat
# Source NAT for both PPPoE links via the WAN interface list.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Port forwards are selected by ingress interface: WAN1 -> 10.0.0.205 (tcp
# 80/443, and tcp/22 remapped to 2200) and 10.0.0.210 (udp/51820);
# WAN2 -> 10.0.0.150 (tcp 80/443).
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN1 protocol=tcp \
to-addresses=10.0.0.205 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN1 protocol=tcp \
to-addresses=10.0.0.205 to-ports=443
add action=dst-nat chain=dstnat dst-port=22 in-interface=WAN1 protocol=tcp \
to-addresses=10.0.0.205 to-ports=2200
add action=dst-nat chain=dstnat dst-port=51820 in-interface=WAN1 protocol=udp \
to-addresses=10.0.0.210 to-ports=51820
add action=dst-nat chain=dstnat dst-port=80 in-interface=WAN2 protocol=tcp \
to-addresses=10.0.0.150 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN2 protocol=tcp \
to-addresses=10.0.0.150 to-ports=443
/ip route
# The only explicit route: a marked default via WAN2 (distance 10, gateway
# health checked by ping). Unmarked traffic follows the default route that
# WAN1 installs.
add check-gateway=ping distance=10 gateway=WAN2 routing-mark=wan2
/ip service
# telnet and ftp are off; ssh is off as well (its 10.0.0.0/24 restriction only
# takes effect if it is re-enabled). www/winbox/api are not in the export, so
# they are presumably at their defaults.
set telnet disabled=yes
set ftp disabled=yes
set ssh address=10.0.0.0/24 disabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name="MikroTik Router hEX"
/system ntp client
set enabled=yes server-dns-names=\
0.europe.pool.ntp.org,1.europe.pool.ntp.org,2.europe.pool.ntp.org
/system package update
# Updates are pulled from the "testing" (pre-release) channel rather than the
# stable or long-term channel.
set channel=testing
/tool mac-server
# MAC-level management (mac-telnet, mac-winbox) limited to LAN list members.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN