
 
nevolex
Member Candidate
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

lte backuplink over trunk

Tue May 11, 2021 1:26 pm

Hi guys,

I am just curious whether my configuration is correct and safe; I have 2 routers here:

Primary circuit via rb4011 port one, Internet is on ISP VLAN 10 (PHYSICAL PORT 1 )

4g backup is on RB33G (PHYSICAL PORT 1 AS WELL)

isp1 -- {port 1} rb4011 {port 10} <--trunk--> {port 1} RB33G --> isp 2 (via 4g)


I am using LTE PASSTHROUGH to VLAN 100, created on both devices as a vlan 100 interface

trunk ports between rb4011 and RB33G allow my internal vlan 10, vlan 20, vlan 100


I have a firewall interface list, and vlan 100 is in the WAN LIST

So my question is: is this a relatively safe configuration?





MAIN



[admin@MikroTik_RB4011] > export hide-sensitive 
# may/11/2021 22:32:27 by RouterOS 6.48.2
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
#
# Primary router (RB4011). Layout visible in this export: ether1 carries the
# primary WAN as tagged VLAN 10 on the physical port (ether1 is not a bridge
# port); ether10 is a bridge trunk towards the LTE router and carries VLAN 100
# (secondary WAN) together with LAN VLANs 10 and 20; ether9-trunk is a second
# LAN trunk. An IKEv2 road-warrior VPN and an HTTP proxy used as a redirector
# are configured further down.
/interface bridge
# Single bridge with VLAN filtering; membership is in /interface bridge vlan.
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_PRIMARY_VIA_FIBRE
set [ find default-name=ether2 ] comment=QNAP_BACKUP_1Gb_LINK
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether8 ] comment=Monitor_VLAN_20
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 name=ether9-trunk
set [ find default-name=ether10 ] comment=WAN_SECONDARY_VIA_LTE
set [ find default-name=sfp-sfpplus1 ] comment=QNAP_PRIMARY_10Gb_LINK
/interface vlan
# Secondary WAN: VLAN 100 on the bridge, arriving tagged over ether10 from the
# LTE router (see /interface bridge vlan below).
add comment=Secondary_WAN_VLAN_100 interface=bridge name=2Degrees_ISP vlan-id=\
    100
# Primary WAN: VLAN 10 directly on ether1. ether1 is not a bridge port, so this
# is separate from the LAN VLAN 10 on the bridge despite the identical ID; the
# shared ID is easy to misread when checking the bridge VLAN table.
add comment=Primary_WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=10
# LAN VLANs terminated on the bridge; these carry the LAN gateway addresses.
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20
/interface bonding
# Active/backup bond to the QNAP: SFP+ is primary, ether2 is the standby link.
add mode=active-backup name=qnap_bonding primary=sfp-sfpplus1 slaves=\
    sfp-sfpplus1,ether2
/interface ethernet switch port
# default-vlan-id=0 on every switch-chip port; presumably leaves VLAN handling
# to the bridge VLAN table rather than the switch chip -- confirm.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN / LAN lists referenced by the firewall filter rules.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# NOTE(review): modp1024 (DH group 2) is offered next to modp3072/modp2048; it
# is the weakest group in the list and only needed for old clients -- remove
# it once every peer negotiates modp2048 or better.
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=\
    sha256 name=IKEv2
/ip ipsec peer
# passive=yes: this router only answers IKEv2 requests (server role).
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
# NOTE(review): sha1 is still accepted for child-SA integrity, and
# pfs-group=none disables perfect forward secrecy for child SAs; prefer
# sha256 only and a PFS group the clients support.
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 \
    pfs-group=none
/ip pool
# .1-.29 of each LAN subnet is kept out of the pools for static leases.
add name=pool_vlan10_main ranges=10.10.0.30-10.10.0.254
add name=pool_vlan20_guest ranges=10.20.0.30-10.20.0.254
# Addresses handed to IKEv2 clients via mode-config.
add name=pool_ikev2_vpn ranges=10.88.0.1-10.88.0.254
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=vlan10_main lease-time=\
    23h59m59s name=dhcp_vlan10_main
# add-arp=yes on the guest server only: ARP entries for guest clients come
# from their leases.
add add-arp=yes address-pool=pool_vlan20_guest disabled=no interface=\
    vlan20_guest lease-time=23h59m59s name=dhcp_vlan20_guest
/ip ipsec mode-config
# VPN clients are told to use the router's main-LAN address as DNS.
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=\
    no
/queue simple
# Guest subnet shaped to 20M/20M when its traffic leaves via the primary ISP.
add comment="Shapped Internet Traffic Only via ISP 1" dst=Orcon_ISP max-limit=\
    20M/20M name=guest_network_queue_over_primary_ISP target=10.20.0.0/24
/interface bridge port
# Access ports: pvid assigns their untagged frames to VLAN 10 (main) or 20
# (guest). ether9-trunk has no pvid set (default 1), and VLAN 1 has no entry
# in the VLAN table below.
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=20
add bridge=bridge interface=ether9-trunk
# NOTE(review): ether10 is labelled WAN_SECONDARY_VIA_LTE but is a bridge port
# with pvid=10, so any untagged frame from the LTE router lands in the main
# LAN VLAN; only tagged VLAN 100 is treated as WAN. Confirm this is intended
# and that the far side never sends untagged traffic on this link.
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=qnap_bonding pvid=10
/interface bridge vlan
# VLANs 10 and 20 are tagged on both trunks (ether9-trunk, ether10) and on the
# bridge CPU port; VLAN 100 (secondary WAN) is tagged on ether10 and the
# bridge only.
add bridge=bridge tagged=ether9-trunk,bridge,ether10 untagged=\
    ether3,ether4,ether5,ether6,ether7,qnap_bonding vlan-ids=10
add bridge=bridge tagged=ether9-trunk,ether10,bridge untagged=ether8 vlan-ids=\
    20
add bridge=bridge tagged=bridge,ether10 vlan-ids=100
/interface list member
# Both ISP VLAN interfaces are WAN; both LAN VLAN interfaces are LAN.
add interface=Orcon_ISP list=WAN
add interface=2Degrees_ISP list=WAN
add interface=vlan10_main list=LAN
add interface=vlan20_guest list=LAN
/ip address
# LAN gateway addresses on the two bridge VLAN interfaces.
add address=10.10.0.1/24 interface=vlan10_main network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20_guest network=10.20.0.0
/ip cloud
# Publishes the current WAN address under the MikroTik DDNS name every minute.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# Primary WAN keeps the default route distance (1); the LTE VLAN gets distance
# 2, so its default route is only used when the primary route is absent.
# NOTE(review): a DHCP-learned route normally stays while the lease is valid;
# an upstream outage that leaves the Orcon link up would then not fail over
# by itself -- confirm how the 1.1.1.1 monitoring route below is meant to
# drive that.
add disabled=no interface=Orcon_ISP use-peer-dns=no
add default-route-distance=2 disabled=no interface=2Degrees_ISP use-peer-dns=no
/ip dhcp-server lease
# Static (MAC-pinned) leases for known devices; addresses are below the pool
# ranges defined above.
add address=10.10.0.4 client-id=1:9c:5c:8e:20:b8:c6 comment=MainPC_wired \
    mac-address=9C:5C:8E:20:B8:C6 server=dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=BC:DD:C2:A8:06:52 server=\
    dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=LIFXBulb \
    mac-address=D0:73:D5:24:52:2F server=dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=CCTV mac-address=\
    50:EC:50:3A:F7:C5 server=dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=\
    D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=Printer \
    mac-address=C0:B5:D7:5B:D7:4E server=dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=D4:F5:47:12:EE:02 \
    server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=D0:73:D5:12:25:E9 server=\
    dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=SonyTV \
    mac-address=AC:D5:64:94:DB:DD server=dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=\
    MikroTik_Audience_VLAN_20 mac-address=76:4D:28:F4:F7:F3 server=\
    dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=\
    MikroTik_Audience_VLAN_10 mac-address=74:4D:28:F4:F7:F2 server=\
    dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=MacbookAir \
    mac-address=38:F9:D3:52:A6:BE server=dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=IPTV_Tuner \
    mac-address=00:18:DD:24:1C:FA server=dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=BookReader \
    mac-address=00:0A:F5:45:BF:EC server=dhcp_vlan10_main
add address=10.10.0.6 comment=VOIP_PHONE mac-address=00:0B:82:EA:D2:C4 server=\
    dhcp_vlan10_main
add address=10.10.0.5 client-id=1:24:5e:be:1a:4f:37 comment=QNAP mac-address=\
    24:5E:BE:1A:4F:37 server=dhcp_vlan10_main
add address=10.10.0.21 client-id=1:2c:26:17:82:8e:2b comment=Oculus_Quest \
    mac-address=2C:26:17:82:8E:2B server=dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:82 comment=Raspberry_Pi \
    mac-address=DC:A6:32:0E:48:82 server=dhcp_vlan10_main
add address=10.10.0.7 client-id=1:88:78:73:d0:27:12 comment=MainPC_wireless \
    mac-address=88:78:73:D0:27:12 server=dhcp_vlan10_main
# The LTE router itself takes a main-LAN lease (it is also a LAN switch).
add address=10.10.0.3 client-id=1:c4:ad:34:57:4:93 comment=MikroTik_RBM33G \
    mac-address=C4:AD:34:57:04:93 server=dhcp_vlan10_main
add address=10.10.0.11 client-id=1:dc:41:a9:f9:65:c8 comment=Dell_XPS \
    mac-address=DC:41:A9:F9:65:C8 server=dhcp_vlan10_main
/ip dhcp-server network
# Each VLAN's clients use this router's address in that VLAN as gateway and DNS.
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1 netmask=24
add address=10.20.0.0/24 dns-server=10.20.0.1 gateway=10.20.0.1 netmask=24
/ip dns
# allow-remote-requests=yes makes this router a resolver for LAN clients; the
# input chain's "drop all not coming from LAN" rule is what keeps it from
# answering on the WAN interfaces.
set allow-remote-requests=yes cache-size=4096KiB servers=\
    94.140.14.14,94.140.15.15
/ip dns static
add address=10.10.0.8 name=printer.lan
add address=10.10.0.6 name=phone.lan
add address=10.10.0.12 name=tv.lan
add address=10.10.0.1 name=router1.lan
add address=10.10.0.2 name=router2.lan
add address=10.10.0.3 name=router3.lan
# media.lan and qnap.lan resolve to the router itself on purpose: /ip proxy
# access redirects those hostnames to the QNAP (10.10.0.5).
add address=10.10.0.1 name=media.lan
add address=10.10.0.1 name=qnap.lan
/ip firewall address-list
# Guest subnet; used by the forward rule that keeps guest connections out of
# fasttrack so the simple queues can shape them.
add address=10.20.0.0/24 list=guest_simple_queue
/ip firewall filter
# Input chain. No explicit default, so anything not dropped by the last input
# rule (traffic from the LAN list) is accepted.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Only IKE (UDP 500) and NAT-T (UDP 4500) are opened from WAN.
# NOTE(review): no rule accepts protocol ipsec-esp, so a peer that is not
# behind NAT (no NAT-T) would have its ESP dropped by the final input rule --
# fine if every client uses NAT-T, otherwise add an accept for it.
add action=accept chain=input comment="accept connection to IKEv2 ports" \
    dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from every interface, WAN included (defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Management (ssh, proxy, www on 88, winbox) and DNS are reachable from VPN
# clients only when the packet arrived inside an IPsec policy.
add action=accept chain=input comment="management over VPN" dst-port=\
    22,80,88,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=\
    in,ipsec protocol=udp
# NOTE(review): this only blocks the router's main-LAN address. Guest clients
# can still reach 22/88/8291 on their own gateway, 10.20.0.1, because the
# next rule drops only non-LAN sources and vlan20_guest is in the LAN list.
# Matching on in-interface=vlan20_guest (or src-address alone, without
# dst-address) closes that path.
add action=drop chain=input comment=\
    "drop all requests from guest network to management ports of this router" \
    dst-address=10.10.0.1 dst-port=22,88,8291 protocol=tcp src-address=\
    10.20.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain. The only permitted main<->guest path is the Emby service on
# the QNAP (tcp/8096); these two rules sit before the inter-VLAN drops.
add action=accept chain=forward comment=\
    "allow emby to respond back to guest network" dst-address=10.20.0.0/24 \
    protocol=tcp src-address=10.10.0.5 src-port=8096
add action=accept chain=forward comment="allow acess emby from guest network" \
    dst-address=10.10.0.5 dst-port=8096 protocol=tcp src-address=10.20.0.0/24
# IPsec-policy traffic (VPN clients) is accepted in both directions without
# further address restriction, so VPN users reach both LAN VLANs.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Return traffic towards the guest subnet is accepted here, ahead of
# fasttrack, so it stays in the normal path where the simple queues apply.
add action=accept chain=forward comment="simple queues rule  for guest network" \
    connection-state=established,related dst-address-list=guest_simple_queue
# Fasttrack everything else established, except connections sourced from the
# guest subnet (their reverse direction was caught by the rule above).
add action=fasttrack-connection chain=forward comment=\
    "fasttrack with guest network exclusion" connection-state=\
    established,related src-address=!10.20.0.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Inter-VLAN isolation: established/related was already accepted above, so
# only new connections between main and guest are dropped here.
add action=drop chain=forward comment=\
    "drop all else coming from main to guest " dst-address=10.20.0.0/24 \
    src-address=10.10.0.0/24
add action=drop chain=forward comment="drop all else coming from guest to main" \
    dst-address=10.10.0.0/24 src-address=10.20.0.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# New inbound connections from either WAN are dropped unless a dst-nat rule
# matched them; there are no dst-nat rules in this export, so nothing is
# reachable from the internet except the IKEv2 ports in the input chain.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT on whichever ISP interface the traffic leaves through.
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=\
    2Degrees_ISP
/ip ipsec identity
# Certificate-based (digital-signature) IKEv2 clients; per-client policies are
# generated from the template in the ikev2-policies group, and mode-config
# assigns the 10.88.0.0/24 address and DNS.
add auth-method=digital-signature certificate=VPN_Server generate-policy=\
    port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
    ikev2-policies
/ip ipsec policy
# src-address=0.0.0.0/0 on the template: clients may send all of their traffic
# through the tunnel (full-tunnel VPN).
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=\
    0.0.0.0/0 template=yes
/ip proxy
# Proxy on tcp/80 used only as a hostname-based redirector (see access list);
# the management web service was moved to port 88 to free this port.
set enabled=yes port=80
/ip proxy access
add action=deny dst-host=media.lan redirect-to=10.10.0.5:8096
add action=deny dst-host=qnap.lan redirect-to=10.10.0.5:19019
add action=deny dst-address=10.10.0.1 dst-port=80 redirect-to=10.10.0.1:88
# Catch-all deny: every other request is refused, so the proxy cannot be used
# to relay arbitrary traffic.
add action=deny
/ip route
# Host route for the monitored address, with an unreachable fallback at
# distance 200 so the probe fails rather than following the backup default.
# NOTE(review): `gateway=121.99` is not a complete IPv4 address -- if this is
# not a redaction in the paste, the route is not doing what its comment says.
# This export also contains no /tool netwatch entry of its own.
add comment="for netwatch monitoring" distance=1 dst-address=1.1.1.1/32 \
    gateway=121.99
add comment="for netwatch monitoring" distance=200 dst-address=1.1.1.1/32 type=\
    unreachable
/ip service
# telnet/ftp/api/api-ssl disabled; ssh, winbox and www (moved to 88) remain
# at their defaults. www is plain HTTP and www-ssl is not enabled in this
# export. No address= restriction is set on any service, so the firewall
# input chain is the only thing limiting where they can be reached from;
# an address= limit would be a cheap second layer.
set telnet disabled=yes
set ftp disabled=yes
set www port=88
set api disabled=yes
set api-ssl disabled=yes
/queue simple
# Guest subnet shaped to 5M/5M when leaving via the secondary ISP.
# NOTE(review): dst=*13 is an unresolved item reference rather than an
# interface name (the primary queue shows dst=Orcon_ISP); check that this
# queue is actually bound to 2Degrees_ISP.
add comment="Shapped Internet Traffic Only via ISP 2" dst=*13 max-limit=5M/5M \
    name=guest_network_queue_over_secondary_ISP target=10.20.0.0/24
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
/system scheduler
# Scheduled reboot every 8w4d (60 days), not monthly as the name suggests.
add interval=8w4d name=monthly_reboot on-event="/system reboot" policy=reboot \
    start-date=mar/29/2021 start-time=03:00:00
[admin@MikroTik_RB4011] > 




//////////////////////




secondary

[admin@MikroTik_RBM33G] > export hide-sensitive 
# may/11/2021 22:33:05 by RouterOS 6.48.2
# software id = NVWD-MPDZ
#
# model = RBM33G
# serial number = A2FD0B35515A
#
# Secondary router (RBM33G). The LTE WAN address is handed straight to VLAN
# 100 by LTE passthrough and carried tagged over ether1-trunk to the RB4011,
# which does the routing and firewalling for it. This device itself acts as a
# LAN switch for two access ports and takes DHCP addresses on VLANs 10 and 20.
# This export contains no /ip firewall filter section at all.
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=MikroTik_RB4011_Uplink name=\
    ether1-trunk
set [ find default-name=ether2 ] comment=IPTV_Tuner
set [ find default-name=ether3 ] comment=SonyTV
/interface lte
# Roaming disabled and the modem pinned to bands 1, 3 and 8.
set [ find ] allow-roaming=no band=1,3,8 name=lte1
/interface vlan
# VLAN 100 on the bridge is the passthrough target for the LTE address.
add comment=lte_passthrough_via_vlan_100 interface=bridge name=\
    2degress_vlan_100 vlan-id=100
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20
/interface lte apn
# Passthrough: the address obtained on lte1 is presented on the VLAN 100
# interface instead of being routed here.
set [ find default=yes ] apn=direct passthrough-interface=2degress_vlan_100 \
    passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether1-trunk: tagged uplink (no pvid set, default 1, which has no VLAN table
# entry below). ether2/ether3 are untagged main-LAN access ports.
add bridge=bridge interface=ether1-trunk
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
/interface bridge vlan
# VLAN 20 is trunked to the RB4011 but has no access port here; only this
# router's own vlan20_guest interface uses it.
add bridge=bridge tagged=ether1-trunk,bridge untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether1-trunk vlan-ids=100
add bridge=bridge tagged=ether1-trunk,bridge vlan-ids=20
/ip dhcp-client
# NOTE(review): this router takes an address on the guest VLAN as well as the
# main VLAN. With no firewall filter rules in this export and ssh/winbox/www
# left at their defaults in /ip service, guest clients can reach its
# management services on that address. Dropping the vlan20_guest client (or
# adding an input chain that only accepts from vlan10_main) closes that.
add disabled=no interface=vlan20_guest
add disabled=no interface=vlan10_main
/ip service
# telnet/ftp/api/api-ssl disabled; ssh, www and winbox remain at defaults.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RBM33G
/system scheduler
# Scheduled reboot every 8w4d (60 days), 30 minutes after the RB4011's.
add interval=8w4d name=monthly_reboot policy=reboot start-date=mar/29/2021 \
    start-time=03:30:00
/tool netwatch
# Probes 1.1.1.1 every 30s and sends an SMS over lte1 when the state changes.
# The scripts only build a date/time string and send the message; they do not
# touch routing, so link failover itself relies on the RB4011 route distances.
# NOTE(review): the up-script recipient is "+642", shorter than the
# down-script's number -- unless this is a paste redaction, UP notifications
# will never be delivered.
add down-script=":local CurDate ([:pick [/system clock get date] 4 6] . \"/\" . \
    [:pick [/system clock get date] 0 3] . \"/\" . [:pick [/system clock get dat\
    e] 7 11])\r\
    \n:local CurTime [/system clock get time]\r\
    \n:local HostName \"Primary ISP link\"\r\
    \n\r\
    \n/tool sms send lte1 \"+64211139090\" message=\"\$HostName is DOWN at \$Cur\
    Date \$CurTime\"" host=1.1.1.1 interval=30s up-script=":local CurDate ([:pic\
    k [/system clock get date] 4 6] . \"/\" . [:pick [/system clock get date] 0 \
    3] . \"/\" . [:pick [/system clock get date] 7 11])\r\
    \n:local CurTime [/system clock get time]\r\
    \n:local HostName \"Primary ISP link\"\r\
    \n\r\
    \n/tool sms send lte1 \"+642\" message=\"\$HostName is UP at \$CurDa\
    te \$CurTime\""
[admin@MikroTik_RBM33G] > 

thanks a lot
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: lte backuplink over trunk

Tue May 11, 2021 2:39 pm

Just puzzling my way through this............
I think your WAN and VLAN structure is confused!!!

(1) Ether10 is a WAN port; it should not normally be on the bridge, but okay
(2) VLAN 100 for WAN2 is associated to the bridge okay
(3) Primary WAN is also on a VLAN but associated with ether1, again weird but okay
(4) But why is WAN Primary on the same VLAN as your Main LAN?? id=10 for both???

Furthermore, you identified ether10 as your secondary WAN, yet in bridge ports you give it a PVID of 10????


Please draw a network diagram so we can see where the internet is coming from, etc..........
Also, do the ISPs provide their data on VLANs, and is that why you are assigning VLANs to the WAN connections??
