I have an RB2011 and want to enable the second modem/router (as gateway to another ISP) and struggle a bit, as I need the actively used DHCP interface to "switch over" or similar. Of course both links could or will work most of the time, but internet link 1 is a bit bigger than internet link 2 (by a factor of roughly 500).
So, the following basic setup (only relevant info pasted; the rest is hidden or left out, marked by [...]).
- sfp, ether1-ether5 as a bridge
- sfp is main gw (dhcp-client1)
- ether9 is second gw (also dhcp-client), without master port
Q1: In /ip dhcp-server network I add the DNS servers directly. Can I somehow use the DNS servers supplied by the dhcp-client instead?
Code:
/interface bridge
add l2mtu=1598 name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
[...]
set [ find default-name=ether9 ] comment=UPC
/ip pool
add name=dhcp-cmb ranges=192.168.133.10-192.168.133.99
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 disabled=yes interface=ether6
/ip address
add address=192.168.133.1/24 interface=bridge1 network=192.168.133.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1 add-default-route=no
add dhcp-options=clientid,hostname disabled=no interface=ether9 add-default-route=no use-peer-ntp=no
/ip route
add gateway=sfp1 dst-address=0.0.0.0/0 check-gateway=ping
add gateway=ether9 dst-address=0.0.0.0/0 distance=2
/ip dhcp-server network
add address=192.168.133.0/24 dns-server=312.441.921.02,22.214.171.124 gateway=192.168.133.1
[.. FW rules left out; these are mostly for access to the webfig GUI ..]
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether9 to-addresses=0.0.0.0
Otherwise I use Google DNS (188.8.131.52), but I do not really want to use those. (BTW, I obfuscated the main DNS address a bit.)
Q2: Do I need the to-addresses=0.0.0.0 in the /ip firewall nat statements?
Q3: How would I handle the incoming requests (MASq)? The following will not work when the first link is down (as it has sfp1 in it):
Is there a way to use a variable for the interface actually in use (where all the traffic is going out)?
Code:
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.133.3 to-ports=80
Or can I leave out the "in-interface"?
(I could define both rules, through ether9 and sfp1, though...)
Q4: I use a bridge (bridge1) for ether1-ether5 (ether6-10 are disabled and should not see traffic from ether1-5). Can I do all of the above without configuring a bridge and just use the built-in switch part (as this should route faster, yes?)?
Q5 (unrelated): To connect to the webfig GUI through one of the etherX ports, do I need firewall rules anyway? (A serial console is not so common anymore on today's PCs.)
Thanks a lot
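The following is an added example, not the poster's configuration and not an official MikroTik answer. It shows one way to express the points raised in Q1, Q2, Q3 and Q5 so that no rule names a single uplink port: an interface list groups both uplinks, the router's own address is handed out as DNS server so clients follow whichever dynamic DNS servers the DHCP clients currently supply, and the input chain keeps webfig and the resolver reachable from the LAN only. It assumes RouterOS 6.36 or later (interface lists with in-interface-list/out-interface-list), the poster's interface names (sfp1 and ether9 as uplinks, bridge1 as LAN), the 192.168.133.0/24 LAN and a web server at 192.168.133.3; all of those are assumptions taken from the post, not verified on a device.

```routeros
# Added example; not the poster's config. Assumes RouterOS >= 6.36 (interface lists),
# uplinks sfp1 and ether9, LAN on bridge1 (192.168.133.0/24), web server at 192.168.133.3.

# Group both uplinks so NAT and filter rules do not have to name a physical port.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=sfp1
add list=WAN interface=ether9
add list=LAN interface=bridge1

# Q1: take the DNS servers from the DHCP leases on the uplinks instead of hard-coding them.
/ip dhcp-client
set [ find interface=sfp1 ] use-peer-dns=yes
set [ find interface=ether9 ] use-peer-dns=yes
# Let the router resolve for LAN clients with whatever dynamic servers it currently holds.
/ip dns
set allow-remote-requests=yes
# Hand out the router itself as DNS server, so clients never learn an uplink-specific address.
/ip dhcp-server network
set [ find address=192.168.133.0/24 ] dns-server=192.168.133.1 gateway=192.168.133.1

# Q2/Q3: masquerade behind whichever uplink the active route uses; to-addresses is not needed.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
# Port forward on every uplink at once. Keep an ingress match: a bare dst-port=80 rule in the
# dstnat chain would also redirect the LAN's own outbound web traffic to 192.168.133.3.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.133.3 to-ports=80

# Q5: input chain. Webfig/winbox only from the LAN side, and close the resolver towards the
# internet, because allow-remote-requests=yes would otherwise make this an open DNS resolver.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop
add chain=input in-interface-list=WAN action=drop
```

The order of the input rules matters: the LAN accept comes before the WAN drops, and the final catch-all drop is what actually protects webfig on the uplinks, so add the LAN accept first when typing this in over the network to avoid locking yourself out. Routing and failover between the two uplinks are left exactly as in the post; only the rules that referenced sfp1 or ether9 by name are replaced by the WAN list.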