enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

distribute Two Wan that exist on same interface

Thu May 21, 2020 2:07 pm

Hi. I need to distribute my two different internet connections in my local network as I showed in the PDF file. Can anyone help me to solve my problem? I appreciate your help.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Thu May 21, 2020 2:37 pm

If all the Mikrotik devices on the picture are under your control, you can use two VLANs to host two intermediate IP subnets on the link between the two routers, or you can even run the PPPoE clients on the bottom router if you use two VLANs to bridge the PPPoE frames between the two routers.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Thu May 21, 2020 2:43 pm

> If all the Mikrotik devices on the picture are under your control, you can use two VLANs to host two intermediate IP subnets on the link between the two routers, or you can even run the PPPoE clients on the bottom router if you use two VLANs to bridge the PPPoE frames between the two routers.

All of them are under my control. I tried to use VLANs but I did not succeed. Please show me what I can do, in detail. Thank you.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Thu May 21, 2020 3:06 pm

> Please show me what I can do, in detail. Thank you.

To do so, I need exports of the current configurations of both routers and the radios (as they may theoretically be blocking VLAN traffic). My automatic signature right below suggests how to do that and how to anonymise the sensitive contents of the exports which is not removed by the hide-sensitive parameter.

And your preference (PPPoE clients to run on the upper device or on the lower device) - the models of the routers are important for the actual choice, though. If they have similar CPUs, it may even make sense to let each run a single PPPoE client and firewall to spread the CPU-intensive tasks among them. If you plan to use things like failover or load distribution (same LAN host using two WANs), it is also worth mentioning, as well as eventual traffic shaping.
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Thu May 21, 2020 5:00 pm

> Please show me what I can do, in detail. Thank you.
>
> To do so, I need exports of the current configurations of both routers and the radios (as they may theoretically be blocking VLAN traffic). My automatic signature right below suggests how to do that and how to anonymise the sensitive contents of the exports which is not removed by the hide-sensitive parameter.
>
> And your preference (PPPoE clients to run on the upper device or on the lower device) - the models of the routers are important for the actual choice, though. If they have similar CPUs, it may even make sense to let each run a single PPPoE client and firewall to spread the CPU-intensive tasks among them. If you plan to use things like failover or load distribution (same LAN host using two WANs), it is also worth mentioning, as well as eventual traffic shaping.

Unfortunately I don't have access to the bridged radio, but I am sending you the upper MikroTik and bottom MikroTik configs shown in the picture. The model of the router is specified in the config. Thank you.


Upper MikroTik:

# may/21/2020 17:21:37 by RouterOS 6.46.4
# software id = ***
#
# model = RB750Gr3
# serial number = ***
/interface bridge
add disabled=yes name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Parsian
set [ find default-name=ether4 ] name=ether4-Shatel speed=100Mbps
set [ find default-name=ether5 ] name=ether5-Local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-Parsian name=\
    pppoe-Parsian password=*** user=***
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether4-Shatel name=pppoe-Shatel password=*** user=***
/interface vlan
add interface=ether5-Local name=vlan1 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether4-Shatel
add bridge=bridge1 disabled=yes interface=ether5-Local
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 disabled=yes tagged=ether4-Shatel untagged=*C vlan-ids=2
/ip address
add address=192.168.10.10/24 interface=ether5-Local network=192.168.10.0
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-Parsian src-address=\
    192.168.10.0/24
add action=masquerade chain=srcnat out-interface=pppoe-Shatel src-address=\
    192.168.10.0/24
add action=dst-nat chain=dstnat dst-address=my.public.ip.1 dst-port=21 \
    protocol=tcp to-addresses=192.168.10.30 to-ports=21
add action=dst-nat chain=dstnat comment="Shatel FTP" dst-address=my.public.ip.2 \
    dst-port=21 protocol=tcp to-addresses=192.168.10.30 to-ports=21
add action=dst-nat chain=dstnat dst-address=my.public.ip.1 dst-port=*** \
    protocol=tcp to-addresses=192.168.10.30 to-ports=***
add action=dst-nat chain=dstnat comment="Shatel FTP " dst-address=\
    my.public.ip.2 dst-port=*** protocol=tcp to-addresses=192.168.10.30 \
    to-ports=***
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes




Bottom MikroTik:

# may/12/2020 03:08:56 by RouterOS 6.46.5
# software id = ***
#
# model = 2011UAS-2HnD
# serial number = ***
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity="" unicast-ciphers=\
    tkip wpa2-pre-shared-key=***
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=5mhz disabled=no frequency=2477 hide-ssid=yes mode=ap-bridge security-profile=profile1 ssid=***
/ip hotspot profile
set [ find default=yes ] login-by=http-chap
add dns-name=*** hotspot-address=192.168.2.26 login-by=http-chap name=hsprof3 radius-interim-update=2m use-radius=yes
/ip hotspot
add disabled=no idle-timeout=3d interface=ether2 keepalive-timeout=3d name=hotspot1 profile=hsprof3
/ip hotspot user profile
set [ find default=yes ] idle-timeout=3d keepalive-timeout=3d shared-users=4 status-autorefresh=2h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=hs-pool-3 ranges=192.168.2.1-192.168.2.56,192.168.2.58-192.168.2.254
add name=dhcp_pool1 ranges=0.0.0.2-255.255.255.254
add name=pool1 ranges=192.168.4.5-192.168.4.255
add name=pool-Wan ranges=192.168.5.2-192.168.5.100
/ip dhcp-server
add address-pool=pool-Wan authoritative=after-2sec-delay disabled=no interface=wlan1 name=server2
add address-pool=hs-pool-3 authoritative=after-2sec-delay disabled=no interface=ether2 lease-time=2h name=dhcp2
/queue simple
add disabled=yes max-limit=9M/9M name=*** target=192.168.2.13/32
add disabled=yes max-limit=4M/4M name=*** target=192.168.2.176/32
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=""
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw password=*** time-zone=+03:30
add access=own-routers,own-users,own-profiles,own-limits,config-payment-gw,parent-routers,parent-users,parent-profiles,parent-limits,parent-payment-gw backup-allowed=no \
    disabled=no login=*** parent=admin password=*** paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=full signup-allowed=no \
    time-zone=+04:30
add access=own-routers,own-users,own-profiles,own-limits,config-payment-gw,parent-routers,parent-users,parent-profiles,parent-limits,parent-payment-gw backup-allowed=no \
    disabled=no login=*** parent=admin password=*** paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=full signup-allowed=no time-zone=\
    -00:00
/tool user-manager profile
***
/tool user-manager profile limitation
***
/ip address
add address=192.168.2.26/24 interface=ether2 network=192.168.2.0
add address=192.168.5.1/24 interface=wlan1 network=192.168.5.0
add address=192.168.10.30/24 interface=ether3 network=192.168.10.0
/ip dhcp-server lease
***
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=***,192.168.2.26,8.8.8.8 domain=*** gateway=192.168.2.26 netmask=24
add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=8.8.8.8 gateway=192.168.5.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.2.44 list="Internet Shatel"
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward comment="***" disabled=yes dst-address=91.108.4.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.168.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.167.0/24 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.175.0/24 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.16.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.56.0/23 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.160.0/20 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.164.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.56.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.8.0/22 src-address=192.168.2.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=*** passthrough=no src-address-list="***"
add action=mark-routing chain=prerouting new-routing-mark=*** passthrough=no src-address-list="***"
add action=mark-routing chain=prerouting new-routing-mark=*** passthrough=no src-address-list="***"
/ip firewall nat
add action=dst-nat chain=dstnat comment="FTP Server - command" dst-address=192.168.10.30 dst-port=21 protocol=tcp to-addresses=192.168.2.3 to-ports=21
add action=dst-nat chain=dstnat comment="FTP Server - command" dst-address=192.168.10.30 dst-port=*** protocol=tcp to-addresses=192.168.2.3 to-ports=***
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=ether3 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=ether3 src-address=192.168.5.0/24
/ip hotspot ip-binding
***
/ip hotspot user
add name=admin password=***
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=192.168.2.0/24 !dst-port !protocol server=hotspot1 !src-address
/ip proxy
set enabled=yes
/ip route
add distance=1 gateway=192.168.10.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=***
set ssh disabled=yes
set api address=***
set winbox address=***
set api-ssl address=***
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp aaa
set use-radius=yes
/radius
add address=127.0.0.1 secret=*** service=hotspot timeout=3s
/radius incoming
set accept=yes

/system ntp client
set enabled=yes primary-ntp=4.2.2.4 secondary-ntp=207.46.232.182
/system scheduler
add disabled=yes interval=1d name=data-reset-counter on-event=reset-counter policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/22/2015 \
    start-time=20:00:00
add interval=1d name=Reset on-event=" /tool user-manager user reset-counters [/tool user-manager user find where customer=\"***\"]" policy=\
    reboot,read,write,policy,test,password,sniff,sensitive start-date=dec/08/2015 start-time=00:01:00
/system script
add dont-require-permissions=no name=reset-counter owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/tool user-manager user reset-counters numbers=11,12,13,15,16,17,18,19,20,21,23,24"
add dont-require-permissions=no name=Reset-allcounter owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    " /tool  user-manager  user  reset-counters  [/tool  user-manager  user  find]"
/tool romon port
add
/tool user-manager database
set db-path=/user-manager2
/tool user-manager profile profile-limitation
add from-time=8h till-time=9h weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="time limit" profile=Edit till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="Download limit" profile=Graphics till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=*** customer=admin disabled=no ip-address=127.0.0.1 log=auth-ok,auth-fail,acct-fail name=mikro shared-secret=*** use-coa=no
/tool user-manager user
***
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Thu May 21, 2020 6:06 pm

> Unfortunately I don't have access to the bridged radio

So the first step is to test whether the radio is transparent for VLANs.

> The model of the router is specified in the config

Well, the hEX is just a bit more powerful than the 2011, so depending on the available WAN bandwidth, it might or might not make sense to let each handle PPPoE, NAT and firewall for one WAN; the fact that you use the hotspot functionality effectively prevents this approach, as the firewall and NAT need to be co-located with the hotspot.

So to quickly check the VLAN transparency of the wireless path, do the following:
  • on the hEX:
    /ip address add address=192.168.222.10/24 interface=vlan1
  • on the 2011:
    /interface vlan add name=vlan1 interface=ether3 vlan-id=99
    /ip address add address=192.168.222.30/24 interface=vlan1
    :ping 192.168.222.10
If you get ping responses, the bridge is VLAN-transparent, and we may move further. If the bridge is not VLAN-transparent, it is still possible to do some ugly tricks to distinguish the traffic on the bridge so that you could control which WAN will be used for what using policy routing at the 2011.

And if you cannot see the ping responses, use /tool sniffer quick interface=ether3 at the 2011, and /tool sniffer quick interface=ether5 at the hEX while pinging, to see whether the frames tagged with VID 99 do not leave the 2011 (which would be a configuration mistake) or do not arrive at the hEX (which would mean that the wireless link is not VLAN-transparent).

If the link is not transparent for 802.1Q VLAN tags, you may also set use-service-tag=yes at the /interface vlan at both machines, to make them use 802.1ad tags instead, and try again.
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Thu May 21, 2020 8:31 pm

> So the first step is to test whether the radio is transparent for VLANs.
>
> Well, the hEX is just a bit more powerful than the 2011, so depending on the available WAN bandwidth, it might or might not make sense to let each handle PPPoE, NAT and firewall for one WAN; the fact that you use the hotspot functionality effectively prevents this approach, as the firewall and NAT need to be co-located with the hotspot.
>
> So to quickly check the VLAN transparency of the wireless path, do the following:

I have already tested it. I could ping the IP from the VLAN interface. Now what should I do?
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Thu May 21, 2020 9:07 pm

It depends on what you want to do :)

The least complicated way forward from the current setup is the following:
On the hEX, add a VRF setup for Shatel: /ip route vrf add routing-mark=shatel interfaces=pppoe-Shatel,vlan1
On the 2011, routes through Parsian will stay as they are, and routes via Shatel must have 192.168.222.10 as gateway. You'll have to add a chain=srcnat out-interface=vlan1 action=masquerade rule to follow the same approach you have now. I would set up routes towards the 2011's subnets at the hEX, but you may have other reasons to do the NAT also at the 2011 (the hotspot? I don't use it anywhere so I can't tell).

How you will distribute traffic between Shatel and Parsian on the 2011 is up to you. The above is just one way to make it possible to do that using just routes at the 2011.

Some things could be improved, the first one is the fact that Winbox access to the hEX is open for anyone in the internet.
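One way to close the gap pointed out just above, as an added example that is not part of the thread (neither sindy's commands nor the posted exports): the hEX export earlier in the thread has no /ip firewall filter section at all and no address restriction on the winbox service, so every management service it runs is reachable on both PPPoE uplinks. The interface names and LAN subnets below are taken from the exports; the interface-list name "WAN" is my own choice. The two 2011 settings at the end are also visible in its export and are the kind of thing a reviewer of the exports would tighten at the same time.

```routeros
# Added hardening example; not sindy's commands and not from the posted exports.
# Context taken from the exports: the hEX has two PPPoE uplinks (pppoe-Parsian,
# pppoe-Shatel), its LAN is 192.168.10.0/24 on ether5-Local, it has no
# /ip firewall filter section and no address restriction on the winbox service.
# The interface-list name "WAN" is an assumption of this example.

# --- hEX (RB750Gr3): protect the router itself (chain=input) ---
/interface list
add name=WAN
/interface list member
add list=WAN interface=pppoe-Parsian
add list=WAN interface=pppoe-Shatel

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep flows already accepted"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="ping / path MTU"
add chain=input action=accept in-interface=ether5-Local src-address=192.168.10.0/24 comment="management only from the LAN subnet"
add chain=input action=accept in-interface=vlan1 src-address=192.168.222.0/24 comment="management from the 2011 over the VLAN"
add chain=input action=drop in-interface-list=WAN comment="everything else addressed to the router from the uplinks"

# The dst-nat port forwards to 192.168.10.30 traverse chain=forward, so the input
# rules above do not touch them. Binding the service to the LAN is a second layer.
/ip service
set winbox address=192.168.10.0/24,192.168.222.0/24

# --- 2011 (2011UAS-2HnD): two settings from its export that weaken the LAN side ---
# allow-none-crypto=yes lets an SSH client negotiate a session with no encryption
/ip ssh
set allow-none-crypto=no strong-crypto=yes
# profile1 is wpa2-psk with tkip as unicast and group cipher; aes-ccm is the one to keep
/interface wireless security-profiles
set profile1 unicast-ciphers=aes-ccm group-ciphers=aes-ccm
```

Order matters in chain=input: the accept rules for the LAN side must sit above the final drop, and the drop is limited to the WAN list so that nothing reaching the router from ether5-Local or vlan1 is affected by it.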
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Sat May 23, 2020 2:38 pm

> It depends on what you want to do :)
>
> The least complicated way forward from the current setup is the following:
> On the hEX, add a VRF setup for Shatel: /ip route vrf add routing-mark=shatel interfaces=pppoe-Shatel,vlan1
> On the 2011, routes through Parsian will stay as they are, and routes via Shatel must have 192.168.222.10 as gateway. You'll have to add a chain=srcnat out-interface=vlan1 action=masquerade rule to follow the same approach you have now. I would set up routes towards the 2011's subnets at the hEX, but you may have other reasons to do the NAT also at the 2011 (the hotspot? I don't use it anywhere so I can't tell).
>
> How you will distribute traffic between Shatel and Parsian on the 2011 is up to you. The above is just one way to make it possible to do that using just routes at the 2011.
>
> Some things could be improved, the first one is the fact that Winbox access to the hEX is open for anyone in the internet.

Thanks. After your guide I can add a route to vlan1 (192.168.222.10) but I can't ping 8.8.8.8 through that on the 2011.

> (the hotspot? I don't use it anywhere so I can't tell)

What is your advice?

> Some things could be improved, the first one is the fact that Winbox access to the hEX is open for anyone in the internet.

Is there anything else for improvement? Can you tell me the other ones?
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Sat May 23, 2020 2:54 pm

> After your guide I can add a route to vlan1 (192.168.222.10) but I can't ping 8.8.8.8 through that on the 2011.

What does "I can't ping through that" mean? From where do you ping? How do you enforce that the ping takes that route, and how did you verify that the ping actually did take that route?

In addition to the answers, show me also the current exports (after the modifications).

> What is your advice?

I cannot give any advice if I don't understand the goals and the reasons why things are done the way they are done now.

> Is there anything else for improvement? Can you tell me the other ones?

I forgot, but I'll probably notice them again in the new exports.
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Sat May 23, 2020 3:33 pm

> What does "I can't ping through that" mean? From where do you ping? How do you enforce that the ping takes that route, and how did you verify that the ping actually did take that route?
>
> In addition to the answers, show me also the current exports (after the modifications).

I can ping 8.8.8.8 from the 2011 and through the vlan1 interface, by selecting the vlan1 interface.

New config:

Upper MikroTik:

# may/21/2020 17:21:37 by RouterOS 6.46.4
# software id = ***
#
# model = RB750Gr3
# serial number = ***
/interface bridge
add disabled=yes name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Parsian
set [ find default-name=ether4 ] name=ether4-Shatel speed=100Mbps
set [ find default-name=ether5 ] name=ether5-Local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-Parsian name=\
    pppoe-Parsian password=*** user=***
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether4-Shatel name=pppoe-Shatel password=*** user=***
/interface vlan
add interface=ether5-Local name=vlan1 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether4-Shatel
add bridge=bridge1 disabled=yes interface=ether5-Local
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 disabled=yes tagged=ether4-Shatel untagged=*C vlan-ids=2
/ip address
add address=192.168.10.10/24 interface=ether5-Local network=192.168.10.0
add address=192.168.222.10/24 interface=vlan1 network=192.168.222.0
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-Parsian src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=pppoe-Shatel src-address=192.168.222.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-Shatel src-address=\
    192.168.10.0/24
add action=dst-nat chain=dstnat dst-address=my.public.ip.1 dst-port=21 \
    protocol=tcp to-addresses=192.168.10.30 to-ports=21
add action=dst-nat chain=dstnat comment="Shatel FTP" dst-address=my.public.ip.2 \
    dst-port=21 protocol=tcp to-addresses=192.168.10.30 to-ports=21
add action=dst-nat chain=dstnat dst-address=my.public.ip.1 dst-port=*** \
    protocol=tcp to-addresses=192.168.10.30 to-ports=***
add action=dst-nat chain=dstnat comment="Shatel FTP " dst-address=\
    my.public.ip.2 dst-port=*** protocol=tcp to-addresses=192.168.10.30 \
    to-ports=***
/ip route vrf
add interfaces=pppoe-Shatel,vlan1 routing-mark=shatel
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.30
set api-ssl disabled=yes

Bottom MikroTik:

# may/12/2020 03:08:56 by RouterOS 6.46.5
# software id = ***
#
# model = 2011UAS-2HnD
# serial number = ***
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether3 name=vlan1 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity="" unicast-ciphers=\
    tkip wpa2-pre-shared-key=***
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=5mhz disabled=no frequency=2477 hide-ssid=yes mode=ap-bridge security-profile=profile1 ssid=***
/ip hotspot profile
set [ find default=yes ] login-by=http-chap
add dns-name=*** hotspot-address=192.168.2.26 login-by=http-chap name=hsprof3 radius-interim-update=2m use-radius=yes
/ip hotspot
add disabled=no idle-timeout=3d interface=ether2 keepalive-timeout=3d name=hotspot1 profile=hsprof3
/ip hotspot user profile
set [ find default=yes ] idle-timeout=3d keepalive-timeout=3d shared-users=4 status-autorefresh=2h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=hs-pool-3 ranges=192.168.2.1-192.168.2.56,192.168.2.58-192.168.2.254
add name=dhcp_pool1 ranges=0.0.0.2-255.255.255.254
add name=pool1 ranges=192.168.4.5-192.168.4.255
add name=pool-Wan ranges=192.168.5.2-192.168.5.100
/ip dhcp-server
add address-pool=pool-Wan authoritative=after-2sec-delay disabled=no interface=wlan1 name=server2
add address-pool=hs-pool-3 authoritative=after-2sec-delay disabled=no interface=ether2 lease-time=2h name=dhcp2
/queue simple
add disabled=yes max-limit=9M/9M name=*** target=192.168.2.13/32
add disabled=yes max-limit=4M/4M name=*** target=192.168.2.176/32
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=""
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw password=*** time-zone=+03:30
add access=own-routers,own-users,own-profiles,own-limits,config-payment-gw,parent-routers,parent-users,parent-profiles,parent-limits,parent-payment-gw backup-allowed=no \
    disabled=no login=*** parent=admin password=*** paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=full signup-allowed=no \
    time-zone=+04:30
add access=own-routers,own-users,own-profiles,own-limits,config-payment-gw,parent-routers,parent-users,parent-profiles,parent-limits,parent-payment-gw backup-allowed=no \
    disabled=no login=*** parent=admin password=*** paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no permissions=full signup-allowed=no time-zone=\
    -00:00
/tool user-manager profile
***
/tool user-manager profile limitation
***
/ip address
add address=192.168.2.26/24 interface=ether2 network=192.168.2.0
add address=192.168.5.1/24 interface=wlan1 network=192.168.5.0
add address=192.168.10.30/24 interface=ether3 network=192.168.10.0
add address=192.168.222.30/24 interface=vlan1 network=192.168.222.0
/ip dhcp-server lease
***
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.100,192.168.2.26,8.8.8.8 domain=maaref.tv gateway=192.168.2.26 netmask=24
add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=8.8.8.8 gateway=192.168.5.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.2.44 list="Internet Shatel"
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward comment="***" disabled=yes dst-address=91.108.4.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.168.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.167.0/24 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.175.0/24 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.16.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.56.0/23 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.160.0/20 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=149.154.164.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.56.0/22 src-address=192.168.2.0/24
add action=drop chain=forward disabled=yes dst-address=91.108.8.0/22 src-address=192.168.2.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=*** passthrough=no src-address-list="***"
add action=mark-routing chain=prerouting new-routing-mark=*** passthrough=no src-address-list="***"
add action=mark-routing chain=prerouting new-routing-mark=*** passthrough=no src-address-list="***"
/ip firewall nat
add action=dst-nat chain=dstnat comment="FTP Server - command" dst-address=192.168.10.30 dst-port=21 protocol=tcp to-addresses=192.168.2.3 to-ports=21
add action=dst-nat chain=dstnat comment="FTP Server - command" dst-address=192.168.10.30 dst-port=*** protocol=tcp to-addresses=192.168.2.3 to-ports=***
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=vlan1
add action=masquerade chain=srcnat out-interface=ether3 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=ether3 src-address=192.168.5.0/24
/ip hotspot ip-binding
***
/ip hotspot user
add name=admin password=***
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=192.168.2.0/24 !dst-port !protocol server=hotspot1 !src-address
/ip proxy
set enabled=yes
/ip route
add distance=1 gateway=192.168.10.10
add distance=1 gateway=192.168.222.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=***
set ssh disabled=yes
set api address=***
set winbox address=***
set api-ssl address=***
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp aaa
set use-radius=yes
/radius
add address=127.0.0.1 secret=*** service=hotspot timeout=3s
/radius incoming
set accept=yes

/system ntp client
set enabled=yes primary-ntp=4.2.2.4 secondary-ntp=207.46.232.182
/system scheduler
add disabled=yes interval=1d name=data-reset-counter on-event=reset-counter policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/22/2015 \
    start-time=20:00:00
add interval=1d name=Reset on-event=" /tool user-manager user reset-counters [/tool user-manager user find where customer=\"***\"]" policy=\
    reboot,read,write,policy,test,password,sniff,sensitive start-date=dec/08/2015 start-time=00:01:00
/system script
add dont-require-permissions=no name=reset-counter owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/tool user-manager user reset-counters numbers=11,12,13,15,16,17,18,19,20,21,23,24"
add dont-require-permissions=no name=Reset-allcounter owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    " /tool  user-manager  user  reset-counters  [/tool  user-manager  user  find]"
/tool romon port
add
/tool user-manager database
set db-path=/user-manager2
/tool user-manager profile profile-limitation
add from-time=8h till-time=9h weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="time limit" profile=Edit till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="Download limit" profile=Graphics till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=*** customer=admin disabled=no ip-address=127.0.0.1 log=auth-ok,auth-fail,acct-fail name=mikro shared-secret=456741 use-coa=no
/tool user-manager user
***
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Sat May 23, 2020 9:47 pm

You can't add both routes to the same routing table (i.e. give them the same routing-mark, none in this case, which is equal to explicitly stating main) with the same distance and expect that by indicating the interface for :ping, the proper route matching that interface will be chosen. RouterOS does not work this way.

So set routing-mark=via-Shatel to the route with gateway=192.168.222.10, and then do :ping 8.8.8.8 routing-table=via-Shatel. That way it should work.

If it does not work, you'll have to make the command line window for the hEX as wide as your screen allows, run /tool sniffer quick ip-address=8.8.8.8 ip-protocol=icmp there, and run the :ping command as above at the 2011. It should show you the path of the packets through the hEX.
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Mon May 25, 2020 9:29 pm

You can't add both routes to the same routing table (i.e. give them the same routing-mark, none in this case, which is equal to explicitly stating main) with the same distance and expect that by indicating the interface for :ping, the proper route matching that interface will be chosen. RouterOS does not work this way.

So set routing-mark=via-Shatel to the route with gateway=192.168.222.10, and then do :ping 8.8.8.8 routing-table=via-Shatel. That way it should work.
I did this but still get a timeout.
If it does not work, you'll have to make the command line window for the hEX as wide as your screen allows, run /tool sniffer quick ip-address=8.8.8.8 ip-protocol=icmp there, and run the :ping command as above at the 2011. It should show you the path of the packets through the hEX.
And I did this too, and this is the result:
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Mon May 25, 2020 9:53 pm

So the packets do arrive at the hEX but don't get further (even the requests don't). What does /ip route print detail show at the hEX?
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Mon May 25, 2020 10:19 pm

So the packets do arrive at the hEX but don't get further (even the requests don't). What does /ip route print detail show at the hEX?
Here it is:
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface  [SOLVED]

Mon May 25, 2020 11:11 pm

Hm, great, so there is a bug in the VRF handling of PPPoE interfaces... the default route is not being added with the proper routing-mark.

So you will need to work this around using the following:

/ppp profile add copy-from=default on-up="/ip route add gateway=\$interface routing-mark=shatel" on-down="/ip route remove [find dst-address=0.0.0.0/0 routing-mark=shatel]" name=pppoe-vrf
/interface pppoe-client set pppoe-Shatel profile=pppoe-vrf add-default-route=no


After that, try the ping test again.
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Tue May 26, 2020 7:14 pm

Hm, great, so there is a bug in the VRF handling of PPPoE interfaces... the default route is not being added with the proper routing-mark.

So you will need to work this around using the following:

/ppp profile add copy-from=default on-up="/ip route add gateway=\$interface routing-mark=shatel" on-down="/ip route remove [find dst-address=0.0.0.0/0 routing-mark=shatel]" name=pppoe-vrf
/interface pppoe-client set pppoe-Shatel profile=pppoe-vrf add-default-route=no


After that, try the ping test again.
Thank you. This config solved my problem. But I want to know if there is another solution for my problem.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Tue May 26, 2020 7:46 pm

Thank you. This config solved my problem. But I want to know if there is another solution for my problem.
Man, I understand that English is not your native language (same case at my end), but please use sentences which contain more information. What exactly is the "problem" you want to "solve another way"? And what makes the current solution unsatisfactory, i.e. in what regard should the "another one" be better so that it would make sense for you?
 
enshem
just joined
Topic Author
Posts: 10
Joined: Thu May 21, 2020 1:56 pm

Re: distribute Two Wan that exist on same interface

Wed May 27, 2020 4:28 pm

Man, I understand that English is not your native language (same case at my end)
Sorry for my bad English :? . I'll try to improve it ASAP. What is your native language?
but please use sentences which contain more information. What exactly is the "problem" you want to "solve another way"? And what makes the current solution unsatisfactory, i.e. in what regard should the "another one" be better so that it would make sense for you?
I mean a simpler way. E.g. is it possible to bridge a VLAN and a PPPoE interface in the routers and keep the traffic distinct? I mean create two VLANs on the same interface and bridge each one with a PPPoE connection, and repeat this in the second router. Or is it possible to run two PPPoE connections on the bottom MikroTik on the same interface (Ether3)?
Or another solution like this. Again, sorry for my bad English.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: distribute Two Wan that exist on same interface

Wed May 27, 2020 5:46 pm

In a very simplified view, the /interface pppoe-client is a translator between an L2 interface (addressed by MAC) and the L3 (addressed by IP). The L3 end of this translator cannot be bridged with anything.

The IP address is assigned to the /interface pppoe-client by the remote PPPoE server. So there is no simpler way to use the VLANs to let the 2011 choose the WAN than the one I've suggested if the two /interface pppoe-client stay at the hEX. Use of VRF was the simplest one available; the bug has made the setup more complex, and its appearance was a surprise to me. But even with the workaround for the bug, it is the simplest way for the L3 approach (one interconnection L3 subnet per WAN between the two devices).

Instead, you could extend the L2 part of the path from the hEX to the 2011 by bridging each ISP-facing interface of the hEX into one VLAN and running the /interface pppoe-client on the 2011, but it won't make things much simpler, plus it would put all the load on the 2011 - the processing of PPPoE also takes some CPU. The switch chip on the hEX does not support VLAN tagging/untagging in hardware, so you'd have to use a bridge-with-vlans configuration on both the hEX and the 2011.

2011:
/interface vlan add name=vlan0 vlan-id=77 interface=ether3
/interface pppoe-client add name=pppoe-Parsian interface=vlan0 user= ...
/interface pppoe-client add name=pppoe-Shatel interface=vlan1 user= ...

/ip address remove [find interface~"vlan1"]

hEX:
/interface pppoe-client remove [find]
/interface bridge add name=br-pppoe vlan-filtering=yes
/interface bridge vlan add bridge=br-pppoe vlan-ids=77,99 tagged=ether5-Local
/interface bridge port add bridge=br-pppoe interface=ether1-Parsian pvid=77
/interface bridge port add bridge=br-pppoe interface=ether4-Shatel pvid=99
/interface bridge port add bridge=br-pppoe interface=ether5-Local
/ip address set [find interface~"ether5"] interface=br-pppoe


This way, you would have the L3 WAN interfaces directly on the 2011, but the only positive I can see here is easier port forwarding; the rest are the negatives mentioned above, plus possible complications if using the scriptless failover between the WANs based on recursive next-hop search.
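As an added example (not configuration posted by either participant), here is the L3 layout the thread converges on, written out for both routers: the VRF plus the PPPoE-profile workaround on the hEX, and per-host marking with a marked route on the 2011. The interface names vlan-shatel and pppoe-Shatel and the address list shatel-users are assumptions; the gateway addresses are the ones from the 2011's export.

```routeros
# ---- hEX: the Shatel interconnect VLAN and the Shatel PPPoE client share one VRF ----
# Assumed names: vlan-shatel (VLAN towards the 2011), pppoe-Shatel (PPPoE client).
/ip route vrf add routing-mark=shatel interfaces=vlan-shatel,pppoe-Shatel

# Workaround from the thread: the client's own default route would land in main
# without the routing-mark, so the profile's on-up script installs it in the
# shatel table and on-down removes it. A fixed comment tags the route so that
# on-down removes exactly the route on-up created and nothing else.
/ppp profile add name=pppoe-vrf copy-from=default \
    on-up="/ip route add dst-address=0.0.0.0/0 gateway=\$interface routing-mark=shatel comment=\"pppoe-vrf auto\"" \
    on-down="/ip route remove [find comment=\"pppoe-vrf auto\" routing-mark=shatel]"
/interface pppoe-client set [find name=pppoe-Shatel] profile=pppoe-vrf add-default-route=no

# NAT is per WAN interface and independent of the VRF.
/ip firewall nat add chain=srcnat out-interface=pppoe-Shatel action=masquerade

# Check from the hEX itself: the first ping resolves in main, the second in the
# shatel table. Each :put prints the number of replies received out of 3.
:put [/ping 8.8.8.8 count=3]
:put [/ping 8.8.8.8 count=3 routing-table=shatel]

# ---- 2011: pick the WAN per source host, as the thread's mangle rules do ----
# Assumed list name; the subnet is the LAN from the export.
/ip firewall address-list add list=shatel-users address=192.168.2.0/24
/ip firewall mangle add chain=prerouting src-address-list=shatel-users \
    action=mark-routing new-routing-mark=via-Shatel passthrough=no

# Only the Parsian route stays in main. The Shatel route lives in its own table,
# so marked packets use it; unmarked packets (and marked ones, if that route is
# absent) fall back to main instead of competing as two equal default routes.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.10.10 distance=1
/ip route add dst-address=0.0.0.0/0 gateway=192.168.222.10 distance=1 routing-mark=via-Shatel

# Same check from the 2011 through the marked table.
:put [/ping 8.8.8.8 count=3 routing-table=via-Shatel]
```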
