Mon Jul 30, 2018 3:57 pm
Hi all
I would like to load balance 2 x WAN connections (PPPoE clients dialing out through DSL routers in bridge mode), allowing internet access over both connections for clients on the MT bridge and PPPoE server.
I have the current setup:
2 x DSL ROUTERS (BRIDGE) (Ether1, Ether 3) --> RB750UP (DIAL PPPOE x 2) --> UBNT SECTOR (ETHER2) --> PPPoE Server on Bridge (Ether2, 4, 5).
After editing the script to match my topology, I still only see traffic on ONE WAN interface.
Anyone able to help find what the problem is please?
Thanks!
I found the following script:
# Reference PCC (per-connection-classifier) dual-WAN script as quoted by the poster.
# 111.111.111.x / 222.222.222.x, LAN, ISP1 and ISP2 look like placeholders to adapt.
/ ip firewall mangle
# LAN traffic addressed to either ISP subnet is accepted here, which ends mangle
# processing for it before any mark is applied.
add chain=prerouting dst-address=111.111.111.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=222.222.222.0/24 action=accept in-interface=LAN
# Connections that arrive on a WAN interface get that interface's connection mark.
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
# Still-unmarked LAN connections to non-local destinations are split in two by the
# both-addresses classifier: remainder 0 -> ISP1_conn, remainder 1 -> ISP2_conn.
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
# LAN packets of a marked connection receive the matching routing mark.
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
# Router-originated packets of a marked connection are routed the same way.
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2
/ ip route
# One default route per routing mark, each pointing at that ISP's gateway address.
add dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=to_ISP2 check-gateway=ping
# Unmarked default routes: ISP1 at distance 1, ISP2 at distance 2.
add dst-address=0.0.0.0/0 gateway=111.111.111.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 distance=2 check-gateway=ping
/ ip firewall nat
# Source-NAT whatever leaves through either WAN interface.
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
----- MY CONFIG:
# LAN bridge with a fixed admin MAC; protocol-mode=none leaves spanning tree off.
/interface bridge
add admin-mac=4C:5E:0C:A2:63:4C auto-mac=no comment="To view all traffic:" \
name=bridge protocol-mode=none
# Port naming: ether1 -> WAN1, ether3 -> WAN2; ether2/4/5 keep LAN-style names.
/interface ethernet
set [ find default-name=ether1 ] comment="ALL ETHERNET" mtu=1492 name=WAN1
set [ find default-name=ether3 ] name=WAN2
set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local
set [ find default-name=ether4 ] name="ether4-slave-local BASE HOUSE" \
poe-out=off
set [ find default-name=ether5 ] name=ether5-slave-local
/interface pppoe-client
# ISP1 dials over WAN1, ISP2 over WAN2; both request add-default-route=yes.
# allow=pap limits authentication to PAP, which sends the password unencrypted.
# NOTE(review): confirm the ISP cannot negotiate CHAP before leaving PAP as the only method.
# user= is empty in this export (presumably stripped before posting).
add add-default-route=yes allow=pap comment="DSL CONNECTIONS" disabled=no \
interface=WAN1 keepalive-timeout=60 max-mru=1400 max-mtu=1400 mrru=1600 \
name=ISP1 use-peer-dns=yes user=
add add-default-route=yes allow=pap disabled=no interface=WAN2 name=ISP2 \
use-peer-dns=yes user=
/interface pptp-client
# PPTP client towards a public address, with an empty user name.
# NOTE(review): unlike the PPPoE clients, no disabled=no is shown, so it may be inactive;
# confirm this tunnel is expected on the router and remove it if it is not.
add connect-to=154.117.185.86 mrru=1600 name=pptp-out1 user=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Three pools inside 192.168.88.0/24. pool1 (.50-.100) and PPPoE (.100-.200) both
# contain 192.168.88.100.
add name=dhcp ranges=192.168.88.10-192.168.88.40
add name=PPPoE ranges=192.168.88.100-192.168.88.200
add name=pool1 ranges=192.168.88.50-192.168.88.100
/ip dhcp-server
# DHCP server on the bridge, handing out addresses from the pool named dhcp.
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge name=default
/ppp profile
# *0 and *FFFFFFFE are internal item ids (presumably the two built-in profiles - confirm).
# Both attach sessions to the bridge and set use-encryption=no; the first also takes its
# local address from the pool named PPPoE and hands out 192.168.88.2 as DNS server.
set *0 bridge=bridge dns-server=192.168.88.2 local-address=PPPoE \
use-encryption=no
set *FFFFFFFE bridge=bridge use-encryption=no
/queue tree
# Two queues on the bridge, keyed on packet marks set in /ip firewall mangle
# (streaming-video-out and http-out).
add limit-at=5M max-limit=5M name=queue1 packet-mark=streaming-video-out \
parent=bridge priority=5
add burst-time=5s limit-at=7M max-limit=10M name=HTTP packet-mark=http-out \
parent=bridge queue=hotspot-default
/snmp community
# The default community accepts queries from any source address (0.0.0.0/0).
# NOTE(review): no /snmp enabled= setting appears in this export, so the agent may be off.
# If SNMP is used, restrict addresses= to the management subnet: the input chain in this
# export has its final drop rule disabled, so nothing else would filter UDP 161 from the WAN.
set [ find default=yes ] addresses=0.0.0.0/0
/tool user-manager customer
# Permissions of the User Manager customer "admin".
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
# Subscriber plans. NOTE(review): several profile names look like subscriber names;
# consider redacting them before sharing an export publicly.
add name=8Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=449 starts-at=logon validity=0s
add name=2Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=449 starts-at=logon validity=0s
add name=4Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=0 starts-at=logon validity=0s
add name=1Mbit name-for-users="" override-shared-users=off owner=admin price=\
0 starts-at=logon validity=0s
add name="2MbnDavis " name-for-users="" override-shared-users=off owner=admin \
price=0 starts-at=logon validity=0s
add name="2mb domingo" name-for-users="" override-shared-users=off owner=\
admin price=0 starts-at=logon validity=0s
add name="2Mbit Salie" name-for-users="" override-shared-users=1 owner=admin \
price=0 starts-at=logon validity=0s
add name=Full name-for-users="" override-shared-users=off owner=admin price=0 \
starts-at=logon validity=0s
add name="2Mbit Bardien" name-for-users="" override-shared-users=off owner=\
admin price=0 starts-at=logon validity=0s
add name="2Mbit Atta Mohamed" name-for-users="" override-shared-users=off \
owner=admin price=0 starts-at=logon validity=0s
add name=20Mbit name-for-users="" override-shared-users=off owner=admin \
price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
# Rate limitations referenced by name from the profile-limitation entries later in the
# export. Transfer, download, upload and uptime limits are all zero in every entry.
add address-list="" download-limit=0B group-name="" ip-pool="" name=8Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
rate-limit-priority=1 rate-limit-rx=10485760B rate-limit-tx=15728640B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=2Mbit \
owner=admin rate-limit-min-rx=131072B rate-limit-min-tx=1048576B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1843200B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=4Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=4194304B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=1Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=1048576B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1048576B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=20Mbit \
owner=admin rate-limit-min-rx=20971520B rate-limit-min-tx=12582912B \
rate-limit-rx=20971520B rate-limit-tx=20971520B transfer-limit=0B \
upload-limit=0B uptime-limit=0s
/interface bridge filter
# Accept PPPoE session and discovery frames arriving on ether2-master-local.
# No drop rule follows in this export, so these two rules do not by themselves
# restrict the bridge to PPPoE frames.
add action=accept chain=input in-bridge=bridge in-interface=\
ether2-master-local mac-protocol=pppoe
add action=accept chain=input in-bridge=bridge in-interface=\
ether2-master-local mac-protocol=pppoe-discovery
/interface bridge port
# ether2, ether4 and ether5 are the bridge members.
add bridge=bridge interface=ether5-slave-local
add bridge=bridge interface=ether2-master-local
add bridge=bridge interface="ether4-slave-local BASE HOUSE"
/interface pppoe-server server
# PPPoE server for subscribers on the bridge, one session per host.
# authentication=pap is the only method offered, so subscriber passwords cross the
# access segment unencrypted, and the PPP profiles also set use-encryption=no.
# NOTE(review): offer chap/mschap2 instead if the subscriber devices support it.
add authentication=pap disabled=no interface=bridge max-mru=1360 max-mtu=1360 \
mrru=1600 one-session-per-host=yes service-name=Internet
/ip address
# 192.168.88.2/24 is the router's LAN address on the bridge.
# 10.0.0.2 on WAN1 and 192.168.88.4 on ether4 are given without a prefix length.
# NOTE(review): ether4 is also a bridge port in this export; confirm an address on a
# bridge member port is intended.
add address=192.168.88.2/24 interface=bridge network=192.168.88.0
add address=10.0.0.2 interface=WAN1 network=10.0.0.0
add address=192.168.88.4 interface="ether4-slave-local BASE HOUSE" network=\
192.168.88.4
/ip dhcp-client
# DHCP clients on both WAN Ethernet ports; neither installs a default route.
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=WAN1
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=WAN2
/ip dhcp-server lease
# Static leases. .50 lies inside pool1 (.50-.100), not inside the dhcp pool (.10-.40).
add address=192.168.88.50 client-id=HOME mac-address=C8:3A:35:F3:7E:91
add address=192.168.88.60 mac-address=C4:E9:84:71:27:C3
add address=192.168.88.70 mac-address=F4:F2:6D:BB:11:96
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.2 gateway=192.168.88.2 netmask=24
/ip dns
# The router answers DNS queries from other hosts. The input-chain rules in this export
# that accept port 53 (UDP and TCP) carry no in-interface or source restriction, so as
# written the resolver is reachable from the WAN side too.
# NOTE(review): limit those accept rules to the bridge / subscriber side.
set allow-remote-requests=yes
/ip firewall address-list
# Static lists: bogons (used as a destination match in the forward chain) and
# internal-nets. Rules elsewhere in this export also reference the lists support,
# spammers, customer-servers, external-nets and forever-saken-game, none of which has a
# static entry here, so those matches stay empty unless something fills them at run time.
# NOTE(review): 10.0.0.0/8 is an active bogon entry while WAN1 carries 10.0.0.2; confirm
# forwarded traffic towards that range is really meant to be dropped.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=bogons
add address=192.168.88.0/24 comment="Internal Subnet" list=internal-nets
/ip firewall filter
# Input/forward filter. Both "drop everything else" style rules in this section are
# disabled, so the input chain currently ends without a drop (see the last rule).
# Sources with TCP SYNs over the connection-limit=30,32 threshold are listed for 30 minutes.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
# Port-scan detection (psd); matching sources are listed for one week and then dropped.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
# All ICMP addressed to the router is handed to the ICMP chain defined further down.
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# Disabled. Written for Winbox's default port 8291, while /ip service in this export moves
# Winbox to port 81, so enabling it unchanged would not cover the configured port.
# The "support" list it depends on has no entries in this export.
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
src-address-list=!support
# DNS over UDP is accepted from any interface and any source.
# NOTE(review): add an in-interface or source match so the resolver is not exposed on the WAN.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# The "spammers" list is only read here; no active rule in this section adds to it.
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
# DNS over TCP, likewise without an interface or source restriction.
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=accept chain=input comment=\
"Accept all connections from local network" in-interface=bridge
# TCP 81 is the Winbox port set under /ip service. The match is by source address only;
# no in-interface is given.
add action=accept chain=input comment="Accept WinBox Access from Local" \
dst-port=81 protocol=tcp src-address=192.168.88.0/24
# /ip service in this export shows www disabled, so this accept presumably has no listener.
add action=accept chain=input comment="Accept WebFig Access from Local" \
dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.88.0/24
# ICMP chain: accepts echo reply, time exceeded, destination unreachable and PMTUD, then
# drops every other ICMP packet. No rule accepts echo request (type 8), so echo requests
# jumped here from input, forward or output end at the drop.
# NOTE(review): the output-chain jump below sends the router's own pings through this
# chain as well, which may interfere with check-gateway=ping on the routes - confirm.
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# NOTE(review): matches TCP with source and destination port 1812; RADIUS authentication
# normally runs over UDP 1812 - confirm the intended protocol.
add action=accept chain=input connection-state=new connection-type="" \
dst-port=1812 in-interface=bridge protocol=tcp src-port=1812
# Input ICMP has already been accepted or dropped in the ICMP chain by the earlier jump,
# so this rule is not reached.
add action=accept chain=input connection-state=new in-interface=bridge \
protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# Disabled. Without it, input packets that match no earlier rule are accepted, because a
# built-in chain accepts by default at its end. As written that leaves the router's
# listening services (Winbox on 81, DNS, the web proxy port, RADIUS incoming) reachable
# from the WAN interfaces.
# NOTE(review): add the needed accept rules (or a "support" list), then enable this drop.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall mangle
# QoS classification. Each rule sets a packet mark or a connection mark. Most mark-packet
# rules use passthrough=no, so a packet that matches one is not evaluated by any later
# rule in the same chain. The "-in" variants match in-interface=WAN1, the Ethernet port.
# NOTE(review): traffic received through the PPPoE clients presumably shows ISP1/ISP2 as
# its in-interface rather than WAN1 - confirm the "-in" rules still match anything.
add action=mark-packet chain=prerouting comment=\
"internal-traffic packet mark" dst-address-list=internal-nets \
new-packet-mark=internal-traffic passthrough=no src-address-list=\
internal-nets
# customer-servers has no entries in this export, so these two rules match nothing as shown.
add action=mark-packet chain=prerouting comment=\
"customer-servers-out packet mark" new-packet-mark=customer-servers-out \
passthrough=no src-address-list=customer-servers
add action=mark-packet chain=prerouting comment=\
"customer-servers-in packet mark" dst-address-list=customer-servers \
new-packet-mark=customer-servers-in passthrough=no
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" \
in-interface=WAN1 new-packet-mark=admin-in passthrough=no protocol=udp \
src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" \
dst-port=161 in-interface=WAN1 new-packet-mark=admin-in passthrough=no \
protocol=udp
# FTP, SSH, Telnet, RDP and Winbox-default ports, matched as source or destination port.
# No address or interface match is given, so any TCP connection on these ports is marked.
add action=mark-connection chain=prerouting comment=\
"Remote Protocols admin connection mark" new-connection-mark=admin \
passthrough=yes port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=\
"icmp connection mark as admin" new-connection-mark=admin passthrough=yes \
protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" \
connection-mark=admin in-interface=WAN1 new-packet-mark=admin-in \
passthrough=no
add action=mark-packet chain=prerouting comment="admin-out packet mark" \
connection-mark=admin new-packet-mark=admin-out passthrough=no
# No rule in this export sets the connection mark streaming-video, so these two rules
# match nothing as shown.
add action=mark-packet chain=prerouting comment=\
"streaming video in packet mark" connection-mark=streaming-video \
in-interface=WAN1 new-packet-mark=streaming-video-in passthrough=no
add action=mark-packet chain=prerouting comment=\
"streaming video out packet mark" connection-mark=streaming-video \
new-packet-mark=streaming-video-out passthrough=no
# Web connections from internal-nets are marked "http". Such connections then carry a mark
# and their packets stop at the passthrough=no http packet rules below.
add action=mark-connection chain=prerouting comment=\
"http traffic connection mark" dst-port=80,443 new-connection-mark=http \
passthrough=yes protocol=tcp src-address-list=internal-nets
# Same comment text as the previous rule, but this one re-marks connections past
# 5,000,000 bytes as http-download; no other rule in this export uses that mark.
add action=mark-connection chain=prerouting comment=\
"http traffic connection mark" connection-bytes=5000000-4294967295 \
dst-port=80,443 new-connection-mark=http-download passthrough=yes \
protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="http in packet mark" \
connection-mark=http in-interface=WAN1 new-packet-mark=http-in \
passthrough=no
add action=mark-packet chain=prerouting comment="http out packet mark" \
connection-mark=http new-packet-mark=http-out passthrough=no
# Game traffic: connection marks by destination port or address for internal-nets sources.
add action=mark-connection chain=prerouting comment=\
"wow connetion mark as gaming" dst-port=\
1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games passthrough=\
yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"eve online connetion mark as gaming" dst-address=87.237.38.200 \
new-connection-mark=games passthrough=yes src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"starcraft 2 connetion mark as gaming" dst-port=1119 new-connection-mark=\
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"heros of newerth connetion mark as gaming" dst-port=11031,11235-11335 \
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
internal-nets
add action=mark-connection chain=prerouting comment=\
"steam connetion mark as gaming" dst-port=27014-27050 \
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
internal-nets
add action=mark-connection chain=prerouting comment=\
"xbox live connetion mark as gaming" dst-port=3074 new-connection-mark=\
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"ps3 online connetion mark as gaming" dst-port=5223 new-connection-mark=\
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"wii online connetion mark as gaming" dst-port=28910,29900,29901,29920 \
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
internal-nets
# The games-in / voip-in rules below that match dst-address-list=external-nets depend on
# a list with no entries in this export.
add action=mark-packet chain=prerouting comment=\
"games packet mark forever-saken-game" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no src-address-list=\
forever-saken-game
add action=mark-packet chain=prerouting comment=\
"games packet mark starcraft2" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark wow" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark HoN" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
port=4380,28960,27000-27030 protocol=udp
# The dst-port list includes UDP 53, so DNS queries from internal-nets are marked
# games-out and stop here.
add action=mark-packet chain=prerouting comment="games packet mark steam out" \
dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 \
new-packet-mark=games-out passthrough=no protocol=udp src-address-list=\
internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=\
"games packet mark ps3 online" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no protocol=udp src-port=\
3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" \
connection-mark=games dst-address-list=external-nets new-packet-mark=\
games-in passthrough=no
add action=mark-packet chain=prerouting comment="games packet mark out" \
connection-mark=games new-packet-mark=games-out passthrough=no
# VoIP marks (TeamSpeak, Ventrilo, SIP, RTP).
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark teamspeak" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out \
passthrough=no protocol=udp src-address-list=internal-nets
# Labelled voip-out, but the match and the mark (voip-in) repeat the first TeamSpeak rule.
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark teamspeak" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark ventrilo" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark ventrilo" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
passthrough=no protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" \
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" \
new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp \
src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" \
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no \
port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" \
dst-address-list=internal-nets new-packet-mark=voip-in packet-size=\
100-400 passthrough=no port=16348-32768 protocol=udp
# Labelled voip-out, but the mark applied is voip-in.
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" \
new-packet-mark=voip-in packet-size=100-400 passthrough=no port=\
16348-32768 protocol=udp src-address-list=internal-nets
# VPN marks: GRE, ESP, the UDP ports 500/1701/4500 and PPTP control (TCP 1723).
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" \
new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" \
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=\
ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" \
new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=\
"vpn-in packet mark VPN UDP ports" in-interface=WAN1 new-packet-mark=\
vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment=\
"vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=\
no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" \
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=tcp \
src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" \
new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723
# Catch-all: every packet still unclassified that arrives on WAN1 is marked "in" and
# stops here (passthrough=no).
add action=mark-packet chain=prerouting comment="all in" in-interface=WAN1 \
new-packet-mark=in passthrough=no
# Forward-chain marks keyed on the router's own bridge address 192.168.88.2.
add action=mark-packet chain=forward new-packet-mark=voip-in passthrough=yes \
src-address=192.168.88.2
add action=mark-packet chain=forward dst-address=192.168.88.2 \
new-packet-mark=voip-out passthrough=yes
# UDP 4569 towards 192.168.88.2 gets connection mark VoIP, then packet mark VoIP.
add action=mark-connection chain=prerouting dst-address=192.168.88.2 \
dst-port=4569 new-connection-mark=VoIP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VoIP dst-address=\
192.168.88.2 new-packet-mark=VoIP passthrough=no
# Poster's adaptation of the reference PCC rules, with in-interface=all-ppp used where the
# reference script has in-interface=LAN.
# These rules come after the QoS rules earlier in this chain. A packet that already matched
# one of the passthrough=no rules there never reaches them, and a connection that already
# carries a mark (http, games, admin, ...) no longer satisfies connection-mark=no-mark.
# NOTE(review): this ordering alone can keep most subscriber traffic out of the PCC split.
# NOTE(review): all-ppp presumably also covers the ISP1/ISP2 PPPoE client interfaces, not
# only subscriber sessions - confirm.
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=\
all-ppp
add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=\
all-ppp
# Connections arriving on a WAN PPPoE interface keep that interface's mark.
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ISP2 new-connection-mark=ISP2_conn
# Unmarked connections from PPP interfaces to non-local destinations are split in two by
# the both-addresses classifier.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=all-ppp new-connection-mark=\
ISP1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=all-ppp new-connection-mark=\
ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
# Routing marks for forwarded packets of a marked connection.
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=all-ppp new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
in-interface=all-ppp new-routing-mark=to_ISP2 passthrough=yes
# Routing marks for router-originated packets of a marked connection.
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2
/ip firewall nat
# Source-NAT traffic leaving through either PPPoE client interface.
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
/ip proxy
# The web proxy is enabled and listens on TCP 53281 with anonymous=yes.
# No /ip proxy access rules appear in this export and the input chain has no active final
# drop, so as written the proxy accepts connections on any interface, WAN included.
# NOTE(review): confirm this proxy was configured deliberately. If it is not needed,
# disable it; if it is, restrict who can reach it.
set anonymous=yes enabled=yes max-cache-size=none port=53281
/ip route
# Default routes for the two routing marks. 192.168.88.2 and 10.0.0.2 are both addresses
# of this router itself (bridge and WAN1 under /ip address), whereas the reference script
# points each marked route at that ISP's gateway.
# NOTE(review): for PPPoE uplinks the gateways would presumably be the ISP1 and ISP2
# interfaces; a route whose gateway is the router's own address cannot carry traffic out
# of either WAN - confirm and correct.
add check-gateway=ping distance=1 gateway=192.168.88.2 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=10.0.0.2 routing-mark=to_ISP2
# Unmarked default routes: 192.168.88.1 at distance 1, 169.0.139.185 at distance 2.
# Neither names ISP1 or ISP2; both PPPoE clients also set add-default-route=yes.
add check-gateway=ping distance=1 gateway=192.168.88.1
add check-gateway=ping distance=2 gateway=169.0.139.185
# Host routes. 192.168.88.1 is reached through WAN1, the other addresses via the bridge.
add distance=1 dst-address=10.0.0.2/32 gateway=WAN1
add distance=1 dst-address=192.168.88.0/24 gateway=bridge
add distance=1 dst-address=192.168.88.1/32 gateway=WAN1 pref-src=192.168.88.1
add distance=1 dst-address=192.168.88.2/32 gateway=bridge
add distance=1 dst-address=192.168.88.2/32 gateway=bridge pref-src=\
192.168.88.50
# *F00002 is an internal id rather than an interface name; it appears to refer to an
# interface that no longer exists - verify and remove if stale.
add distance=1 dst-address=192.168.88.3/32 gateway=*F00002
add distance=1 dst-address=192.168.88.50/32 gateway=bridge
/ip service
# telnet, ftp, www, ssh, api and api-ssl are disabled; Winbox stays enabled on TCP 81.
# No address= restriction is shown for Winbox, and the input chain in this export has its
# final drop disabled, so the management port is not limited to the LAN by either mechanism.
# NOTE(review): set address= on the winbox service to the management subnet and keep
# RouterOS up to date.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2222
set api disabled=yes
set winbox port=81
set api-ssl disabled=yes
/ppp aaa
# PPP sessions are authenticated through RADIUS.
set use-radius=yes
/radius
# The RADIUS server address is the router's own bridge address, matching the User Manager
# router entry in this export. No secret is shown here (possibly stripped from the export).
add address=192.168.88.2 service=ppp
/radius incoming
# Accepts incoming RADIUS requests on port 1700, the coa-port of the User Manager router entry.
# NOTE(review): no filter rule in this export limits who can reach this port - confirm
# it is only reachable locally.
set accept=yes port=1700
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg
/system routerboard settings
set silent-boot=no
/system script
# Stored script "script1". Its source is a firewall-filter rule set; most of its rules also
# appear in /ip firewall filter of this export. Two that do not: the rule that adds sources
# to the "spammers" list, and the rate-limited accept for ICMP echo request (8:0).
# The script is granted a broad policy set, including write, policy, password, sniff and
# sensitive.
# NOTE(review): confirm the script is expected on this router, and narrow its policy to
# what it needs if it is kept.
add name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/ip fir\
ewall filter\r\
\n\r\
\nadd action=drop chain=input comment=\"Drop to syn flood list\" disabled=\
no src-address-list=Syn_Flooder\r\
\nadd action=add-src-to-address-list address-list=Port_Scanner address-lis\
t-timeout=1w chain=input comment=\"Port Scanner Detect\"\r\
\ndisabled=no protocol=tcp psd=21,3s,3,1\r\
\nadd action=drop chain=input comment=\"Drop to port scan list\" disabled=\
no src-address-list=Port_Scanner\r\
\nadd action=jump chain=input comment=\"Jump for icmp input flow\" disable\
d=no jump-target=ICMP protocol=icmp\r\
\nadd action=drop chain=input\r\
\ncomment=\"Block all access to the winbox - except to support list # DO N\
OT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST\"\r\
\ndisabled=yes dst-port=8291 protocol=tcp src-address-list=!support\r\
\nadd action=jump chain=forward comment=\"Jump for icmp forward flow\" dis\
abled=no jump-target=ICMP protocol=icmp\r\
\nadd action=drop chain=forward comment=\"Drop to bogon list\" disabled=no\
\_dst-address-list=bogons\r\
\nadd action=add-src-to-address-list address-list=spammers address-list-ti\
meout=3h chain=forward comment=\"Add Spammers to the list for 3 hours\"\r\
\nconnection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protoco\
l=tcp\r\
\nadd action=drop chain=forward comment=\"Avoid spammers action\" disabled\
=no dst-port=25,587 protocol=tcp src-address-list=spammers\r\
\nadd action=accept chain=input comment=\"Accept DNS - UDP\" disabled=no p\
ort=53 protocol=udp\r\
\nadd action=accept chain=input comment=\"Accept DNS - TCP\" disabled=no p\
ort=53 protocol=tcp\r\
\nadd action=accept chain=input comment=\"Accept to established connection\
s\" connection-state=established\r\
\ndisabled=no\r\
\nadd action=accept chain=input comment=\"Accept to related connections\" \
connection-state=related disabled=no\r\
\nadd action=accept chain=input comment=\"Full access to SUPPORT address l\
ist\" disabled=no src-address-list=support\r\
\nadd action=drop chain=input comment=\"Drop anything else! # DO NOT ENABL\
E THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED\"\r\
\ndisabled=yes\r\
\nadd action=accept chain=ICMP comment=\"Echo request - Avoiding Ping Floo\
d\" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=\"Echo reply\" disabled=no icmp-opt\
ions=0:0 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=\"Time Exceeded\" disabled=no icmp-\
options=11:0 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=\"Destination unreachable\" disable\
d=no icmp-options=3:0-1 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 \
protocol=icmp\r\
\nadd action=drop chain=ICMP comment=\"Drop to the other ICMPs\" disabled=\
no protocol=icmp\r\
\nadd action=jump chain=output comment=\"Jump for icmp output\" disabled=n\
o jump-target=ICMP protocol=icmp"
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
# Binds each profile to a named limitation, all day on every weekday.
# The first entry names no profile=, and "2Mbit Bardien" is bound twice with identical values.
add from-time=0s limitation=8Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=2Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=4Mbit profile=4Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1Mbit profile=1Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2MbnDavis " till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2mb domingo" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Salie" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Atta Mohamed" till-time=\
23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=8Mbit profile=8Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=20Mbit profile=20Mbit till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
# The router registers itself (192.168.88.2) as a User Manager NAS with CoA on port 1700.
# shared-secret is empty in this export.
# NOTE(review): if the secret is really empty rather than stripped, set one, and keep it
# identical to the secret of the /radius entry.
add coa-port=1700 customer=admin disabled=no ip-address=192.168.88.2 log=\
auth-fail name=RB750UP shared-secret="" use-coa=yes
/tool user-manager user
# Subscriber accounts, each with a fixed IP address inside the PPPoE pool range.
# NOTE(review): the usernames look like real subscriber identifiers; consider redacting
# them before sharing an export publicly.
add customer=admin disabled=no ip-address=192.168.88.110 shared-users=\
unlimited username=samodien@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.103 shared-users=\
unlimited username=domingo@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.105 shared-users=\
unlimited username=bardien@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.106 shared-users=\
unlimited username=attamohamed@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.115 shared-users=\
unlimited username=abdol2@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""