I have the following configuration at this moment:
RB760iGS x1 as main router (Eth0 for the main PPPoE link and Eth1 for the backup link, which is behind an ADSL modem)
hAP ac^2 - x2 as AP bridges
Both the main ISP and the backup ISP provide static public addresses. Until now I was using WAN failover with a multiple-gateway ping check along with masquerade. So far so good - everything worked perfectly and I had 22 days of uptime without problems (I'm using netwatch to log any main link failure).
A few days ago a fellow forum member posted a link to an interesting presentation in which it was pointed out that using masquerade + failover is bad practice which, on top of everything, could have security problems (https://mum.mikrotik.com/presentations/ ... 639302.pdf - starting from p27). So after reading this I thought it would be a good idea to try to implement the "good practice". Could you guys please check my current configuration and point out if there are any problems or things I should change/improve?
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN \
protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT MainLink" out-interface=pppoe \
    to-addresses=main ISP public address
# to-addresses here is the static address the backup ISP's ADSL modem hands to eth1
add action=src-nat chain=srcnat comment="SRC-NAT BackUp" out-interface=eth1 \
    to-addresses=192.168.x.x
add action=dst-nat chain=dstnat comment="OpenVPN " dst-address=ISP public address dst-port=\
    1194 in-interface-list=WAN log=yes protocol=udp to-addresses=Internal server address
/ip route
# Two default routes whose next hops 10.1.1.1 and 10.2.2.2 are virtual addresses,
# resolved recursively through the /32 routes below. They keep the default scope (30),
# so nothing else can resolve through them and a check host is never reached over the other link.
add distance=1 gateway=10.1.1.1
add distance=2 gateway=10.2.2.2
# Pin each check host to one link; scope=10 lets the next-hop routes below resolve through them
add distance=1 dst-address=8.8.4.4/32 gateway=ADSL_modem scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=ISP1_public_address scope=10
add distance=1 dst-address=208.67.220.220/32 gateway=ISP1_public_address scope=10
add distance=1 dst-address=208.67.222.222/32 gateway=ADSL_modem scope=10
# 10.1.1.1 stays reachable (so the main default stays active) while either ISP1 check host answers
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
# Same for the backup link's next hop 10.2.2.2
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=8.8.4.4 scope=10
Also, should I add a blackhole route? Additionally, everything except Winbox is disabled (www, SSH, Telnet, etc.).
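The recursive routing in the post above is easy to misjudge by eye, so here is a small model of how RouterOS decides which default route is active under the rules the configuration depends on. This is an added example, not code from the original post or from MikroTik. It assumes the RouterOS v6 resolution rules (a gateway is resolved only through an active route whose scope is at most the resolving route's target-scope; static routes default to scope 30 and target-scope 10, connected routes have scope 10; check-gateway=ping also requires the gateway to answer; lowest distance wins among active routes to the same prefix). The post's placeholders ISP1_public_address and ADSL_modem are replaced by the assumed addresses 198.51.100.1 (on pppoe) and 192.168.1.1 (on eth1); which links are up and which hosts answer pings are constructed inputs.

```python
"""Model of RouterOS recursive next-hop resolution for the failover route table above.

Added example, not from the original post or MikroTik. Assumed RouterOS v6 rules:
  * a route is active only when its gateway is covered by an active route whose
    scope is <= the route's target-scope (static default: scope 30, target-scope 10;
    connected routes: scope 10);
  * check-gateway=ping additionally requires the gateway to answer;
  * among active routes to the same prefix the lowest distance wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    name: str
    dst: str                # destination prefix
    gateway: str            # next-hop address, resolved recursively
    distance: int = 1
    scope: int = 30         # RouterOS default for a static route
    target_scope: int = 10
    check_ping: bool = False


# Assumed on-link networks behind each WAN interface (constructed, not from the post).
CONNECTED = {"pppoe": "198.51.100.0/30", "eth1": "192.168.1.0/24"}
ISP1_GW, ADSL_MODEM = "198.51.100.1", "192.168.1.1"   # stand-ins for the post's placeholders


def post_routes(default_scope=30):
    """The /ip route table from the post; default_scope=10 is the broken variant."""
    return [
        Route("default-main", "0.0.0.0/0", "10.1.1.1", distance=1, scope=default_scope),
        Route("default-backup", "0.0.0.0/0", "10.2.2.2", distance=2, scope=default_scope),
        Route("8.8.4.4", "8.8.4.4/32", ADSL_MODEM, scope=10),
        Route("8.8.8.8", "8.8.8.8/32", ISP1_GW, scope=10),
        Route("208.67.220.220", "208.67.220.220/32", ISP1_GW, scope=10),
        Route("208.67.222.222", "208.67.222.222/32", ADSL_MODEM, scope=10),
        Route("10.1.1.1 via 8.8.8.8", "10.1.1.1/32", "8.8.8.8", scope=10, check_ping=True),
        Route("10.1.1.1 via 208.67.220.220", "10.1.1.1/32", "208.67.220.220", scope=10, check_ping=True),
        Route("10.2.2.2 via 208.67.222.222", "10.2.2.2/32", "208.67.222.222", scope=10, check_ping=True),
        Route("10.2.2.2 via 8.8.4.4", "10.2.2.2/32", "8.8.4.4", scope=10, check_ping=True),
    ]


def active_routes(routes, links_up, ping_ok):
    """Names of the routes RouterOS would mark active.

    Iterates to a fixpoint: a route can only resolve once the route covering its
    gateway is itself active. Connected routes of interfaces in links_up seed the set.
    """
    resolvers = [(ip_network(net), 10) for ifname, net in CONNECTED.items() if ifname in links_up]
    active = set()
    changed = True
    while changed:
        changed = False
        for r in routes:
            if r.name in active:
                continue
            gw = ip_address(r.gateway)
            if not any(gw in net and scope <= r.target_scope for net, scope in resolvers):
                continue                      # gateway not resolvable (yet)
            if r.check_ping and r.gateway not in ping_ok:
                continue                      # resolvable but the ping check fails
            active.add(r.name)
            resolvers.append((ip_network(r.dst), r.scope))
            changed = True
    return active


def active_default(routes, links_up, ping_ok):
    """Name of the default route traffic follows, or None when no default is active."""
    act = active_routes(routes, links_up, ping_ok)
    candidates = [r for r in routes if r.dst == "0.0.0.0/0" and r.name in act]
    return min(candidates, key=lambda r: r.distance).name if candidates else None


if __name__ == "__main__":
    ALL = {"8.8.8.8", "8.8.4.4", "208.67.220.220", "208.67.222.222"}
    print(active_default(post_routes(), {"pppoe", "eth1"}, ALL))                 # default-main
    print(active_default(post_routes(), {"eth1"}, ALL))                          # default-backup
    print(active_default(post_routes(), {"pppoe", "eth1"}, ALL - {"8.8.8.8"}))   # default-main
    print(active_default(post_routes(10), {"eth1"}, ALL))                        # default-main (wrong)
```

The last call is the cautionary case: with the two default routes at scope 10 instead of the default 30, the backup default can resolve the next hop of the main one (and the ISP1 check hosts) while the PPPoE link is down, so the "main" default stays active on a dead link. In this model the isolation between the two checks comes from the scope values alone; no blackhole route is involved.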