just joined
Topic Author
Posts: 2
Joined: Fri Nov 28, 2014 9:39 am

Howto set up 2 (def) gw (2 ISPs) with dhcp -> DNS/MASq how?

Fri Nov 28, 2014 4:36 pm

Hello all

I have a rb2011 and want to enable the second modem/router (as gw to another ISP) and struggle a bit as I need the actively used dhcp interface to "switch over" or similar. Of course both links could or will work most of the time, but internet link 1 is a bit bigger than internet link 2 (by a factor of roughly 500 :D).
So, the following basic setup (only relevant info pasted; the rest is hidden or left out, marked by a [...] sign).
  • sfp, ether1-ether5 as a bridge
  • sfp is main gw (dhcp-client1)
  • ether9 is second gw (also dhcp-client), without master port
/interface bridge
add l2mtu=1598 name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether9 ] comment=UPC
/ip pool
add name=dhcp-cmb ranges=
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 disabled=yes interface=ether6
/ip address
add address= interface=bridge1 network=
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1 add-default-route=no
add dhcp-options=clientid,hostname disabled=no interface=ether9 add-default-route=no use-peer-ntp=no
/ip route
add gateway=sfp1 dst-address= check-gateway=ping
add gateway=ether9 dst-address= distance=2
/ip dhcp-server network
add address= dns-server=312.441.921.02, gateway=

[.. FW rules left out; these are mostly for access to the webfig GUI ..]
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1 to-addresses=
add action=masquerade chain=srcnat out-interface=ether9 to-addresses=

/ip dhcp-server network
add address= dns-server=312.441.921.02, gateway=
Q1: In /ip dhcp-server network I add the DNS servers directly. Can I somehow use the DNS servers supplied via the dhcp-client instead?
Else I use Google DNS (but I do not really want to use those). (BTW, I obfuscated the address of the main DNS a bit.)

Q2: Do I need the to-addresses= in the /ip firewall nat statements?

Q3: How would I handle the incoming requests (MASq)? The following will not work when the first link is down (as it has sfp1 in it):
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=sfp1 protocol=tcp to-addresses= to-ports=80
Is there a way to use a variable for the actually used interface (where all the traffic is going out)?
Or can I leave out the "in-interface"?
(I could define both rules, through ether9 and sfp1, though...)

Q4: I use a bridge (bridge1) for ether1-ether5 (ether6-10 are disabled and should not see traffic from ether1-5). Can I do all of the above without configuring a bridge and just use the built-in switch "part" (as this should be routing faster, yes?)?

Q5 (unrelated): To connect to the webfig GUI through one of the etherX ports, do I need firewall rules anyway? (A serial console is not so common anymore on today's PCs.)

Thanks a lot
