dpong01

can't ping from the router

Wed Jan 31, 2024 10:02 pm

Hi,
I am new to MikroTik and am trying to set up a multi-WAN load-balancing network. I got the load balancing working and am now trying to set up WireGuard with IP Cloud; that is when I found out that the router itself can't ping outside, while a PC on the network can. Can someone help me have a look at this, and maybe give me some suggestions on the firewall as well? I don't know if what I have is enough.
Thanks.
# 2024-02-01 02:12:55 by RouterOS 7.10.2
# software id = **ELIDED**
#
# model = RB5009UG+S+
# serial number = **ELIDED**
# Interfaces, interface lists, addressing and the per-WAN routing tables that
# the firewall, mangle and route sections of this export refer to.
/interface bridge
add name=bridge
/interface ethernet
# ether1-ether4 and sfp-sfpplus1 are renamed to LAN ports, ether5-ether8 to
# WAN1-WAN4; LAN2 and LAN3 are disabled.
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] disabled=yes name=LAN2
set [ find default-name=ether3 ] disabled=yes name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=sfp-sfpplus1 ] name=LANs
set [ find default-name=ether5 ] name=WAN1
set [ find default-name=ether6 ] name=WAN2
set [ find default-name=ether7 ] name=WAN3
set [ find default-name=ether8 ] name=WAN4
/interface wireguard
# WireGuard listener on UDP 13231 (opened in the input chain of the filter).
# No "/interface wireguard peers" section is visible in this export.
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
# WAN_list is populated further down, but no filter, mangle or NAT rule in
# this export refers to it; every list-based rule matches LAN_list instead.
add name=WAN_list
add name=LAN_list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool interface=bridge lease-time=10m name=dhcp
/routing table
# One routing table per uplink; the mangle mark-routing rules select them.
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=to_WAN4
/interface bridge port
# Every member of LAN_list becomes a bridge port. The list also contains
# wireguard1. NOTE(review): a WireGuard interface is a layer-3 interface and
# is not normally bridged - confirm it should be in a list used this way.
add bridge=bridge interface=LAN_list
/ip neighbor discovery-settings
set discover-interface-list=LAN_list
/interface list member
add interface=WAN1 list=WAN_list
add interface=WAN2 list=WAN_list
add interface=WAN3 list=WAN_list
add interface=WAN4 list=WAN_list
# LAN_list holds the physical LAN ports and wireguard1; the interface named
# "bridge", which carries the LAN address and the DHCP server, is not a member.
# NOTE(review): the IP firewall normally sees bridged traffic as arriving on
# the bridge interface rather than on its ports, so rules that match
# in-interface-list=LAN_list may not match LAN traffic at all - verify with
# the rule counters before relying on them.
add interface=LANs list=LAN_list
add interface=LAN1 list=LAN_list
add interface=LAN2 list=LAN_list
add interface=LAN4 list=LAN_list
add interface=LAN3 list=LAN_list
add interface=wireguard1 list=LAN_list
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
# Dynamic DNS is enabled and refreshed every hour.
# NOTE(review): presumably the update is sent by the router itself, so it
# depends on router-originated traffic reaching the internet - confirm.
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
# One DHCP client per uplink, each with a lease script of the same shape.
# For WANn the script:
#   - reads the current address of the WANn interface into cWANIP;
#   - removes the mangle rule tagged ##firewallwanN##, re-adds it as a
#     prerouting accept for dst-address=$cWANIP from LAN_list, and moves it
#     to position 4;
#   - removes the routes tagged ##routewanN## and adds two default routes via
#     the lease's gateway-address: one in routing-table to_WANn with
#     check-gateway=ping, one in the main table with distance N.
# NOTE(review): the scripts rewrite firewall and routing state from values
# taken from the upstream lease and do not test the lease state (no "bound"
# variable is read), so the same commands would run when a lease is lost -
# confirm that is intended.
# NOTE(review): position 4 is a fixed index; adding or removing mangle rules
# ahead of it changes where these accept rules land relative to the
# mark-connection rules.
add interface=WAN1 script=":local cWANIP [/ip address get [find interface=\"WA\
    N1\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan1##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan1##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan1##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan1##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN1 suppress-hw-offload=no comment=\"##ro\
    utewan1##\";\r\
    \nadd distance=1 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan1##\";\r\
    \n"
add interface=WAN2 script=":local cWANIP [/ip address get [find interface=\"WA\
    N2\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan2##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan2##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan2##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan2##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN2 suppress-hw-offload=no comment=\"##ro\
    utewan2##\";\r\
    \nadd distance=2 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan2##\";\r\
    \n"
add interface=WAN3 script=":local cWANIP [/ip address get [find interface=\"WA\
    N3\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan3##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan3##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan3##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan3##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN3 suppress-hw-offload=no comment=\"##ro\
    utewan3##\";\r\
    \nadd distance=3 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan3##\";"
add interface=WAN4 script=":local cWANIP [/ip address get [find interface=\"WA\
    N4\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan4##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan4##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan4##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan4##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN4 suppress-hw-offload=no comment=\"##ro\
    utewan4##\";\r\
    \nadd distance=4 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan4##\";"
/ip dhcp-server network
# LAN clients are handed the public resolvers directly, not the router.
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. The DHCP network above does not advertise the router as resolver, so
# from what this export shows the LAN does not depend on it. If it stays on,
# port 53 must remain unreachable from the WAN side; here that depends on the
# final input-chain drop rule.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# not_in_internet: special-purpose and non-routable IPv4 ranges, used by the
# forward-chain drop rules.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# ipool: the LAN subnet and the WireGuard subnet. It is used both as a source
# check in the forward chain and as a destination match in the input chain.
add address=192.168.88.0/24 list=ipool
add address=192.168.100.0/24 list=ipool
# RFC1918: private ranges; used by the first mangle rule and by the srcnat
# masquerade rules.
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
/ip firewall filter
# Rules are evaluated in the order listed, per chain; a packet that matches no
# rule in a chain is accepted. The input chain ends with a drop rule, the
# forward chain does not.
#
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# WireGuard listener, reachable from any interface.
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
    protocol=udp
# All ICMP to the router is accepted from any interface, with no rate limit.
add action=accept chain=input protocol=icmp
# Accepts every packet whose destination is in ipool (192.168.88.0/24 or
# 192.168.100.0/24), on any port and with no in-interface or source matcher.
# This is the rule that lets the LAN and VPN reach the router's services.
# NOTE(review): because it matches on destination only, it does not depend on
# where the packet came from; restricting it by in-interface (or by
# src-address-list) would state the intent more tightly.
add action=accept chain=input dst-address-list=ipool
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input drop for everything not arriving on a LAN_list interface.
# Packets that do arrive on a LAN_list interface and reach this point fall
# through to the default accept.
add action=drop chain=input in-interface-list=!LAN_list
#
# --- forward chain: traffic routed through the router ---
# FastTrack is present but disabled.
# NOTE(review): presumably disabled because fasttracked connections skip the
# mangle rules this setup relies on - confirm.
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface-list=LAN_list log=yes log-prefix=\
    !public_from_LAN out-interface-list=!LAN_list
# NOTE(review): the comment describes incoming (internet-side) packets that
# were not dst-NATed, but the matcher is in-interface-list=LAN_list. If
# LAN_list matched LAN traffic, this rule would drop every new connection
# coming from the LAN. It looks as if WAN_list was intended - confirm.
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=LAN_list log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
# NOTE(review): same mismatch - the comment says "incoming from internet" but
# the rule matches in-interface-list=LAN_list, so it tests LAN-side packets
# for non-public source addresses. Confirm whether WAN_list was intended.
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    LAN_list log=yes log-prefix=!public src-address-list=not_in_internet
# Source-address check: packets from LAN_list whose source is not in ipool.
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=\
    LAN_list log=yes log-prefix=LAN_!LAN src-address-list=!ipool
# No forward rule matches on the WAN interfaces or WAN_list, and the chain has
# no final drop: new forwarded connections arriving on a WAN interface are not
# filtered by any rule in this export.
#
# --- icmp chain: reached only through the jump in the forward chain ---
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
# Connection and routing marks for spreading traffic over four uplinks with
# per-connection-classifier (PCC). Rule order matters: an accept here ends
# mangle processing of the packet in that chain, so it is never marked.
#
# Private-to-private traffic is left unmarked.
add action=accept chain=prerouting dst-address-list=RFC1918 src-address-list=\
    RFC1918
# Accept rules tagged ##firewallwanN## are the ones the DHCP-client lease
# scripts remove and re-create; they exempt traffic from LAN_list to each
# uplink's own subnet from marking. WAN3 and WAN4 carry the same subnet.
add action=accept chain=prerouting comment=##firewallwan3## dst-address=\
    218.250.160.0/24 in-interface-list=LAN_list
add action=accept chain=prerouting comment=##firewallwan1## dst-address=\
    42.98.99.0/24 in-interface-list=LAN_list
add action=accept chain=prerouting comment=##firewallwan2## dst-address=\
    112.119.218.0/24 in-interface-list=LAN_list
add action=accept chain=prerouting comment=##firewallwan4## dst-address=\
    218.250.160.0/24 in-interface-list=LAN_list
# New connections to the router are marked with the uplink they arrived on.
# NOTE(review): presumably so that the router's replies leave through the same
# uplink via the output mark-routing rules - confirm.
add action=mark-connection chain=input connection-state=new in-interface=WAN1 \
    new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=input connection-state=new in-interface=WAN2 \
    new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=input connection-state=new in-interface=WAN3 \
    new-connection-mark=WAN3_conn passthrough=no
add action=mark-connection chain=input connection-state=new in-interface=WAN4 \
    new-connection-mark=WAN4_conn passthrough=no
# New, still unmarked connections originated by the router itself are split
# four ways by PCC on both addresses. There is no destination or address-type
# matcher, so every router-originated connection is covered, including ones
# to private addresses.
# NOTE(review): the srcnat rules in this export masquerade only
# src-address-list=RFC1918. Whether a router-originated packet that is moved
# to a different uplink by these marks still carries a source address of
# another uplink should be checked; that is a likely place to look for the
# router's own pings failing.
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN3_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN4_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/3
# New, unmarked connections from LAN_list to non-local destinations are split
# four ways by PCC on both addresses.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN1_conn passthrough=no per-connection-classifier=\
    both-addresses:4/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN2_conn passthrough=no per-connection-classifier=\
    both-addresses:4/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN3_conn passthrough=no per-connection-classifier=\
    both-addresses:4/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN4_conn passthrough=no per-connection-classifier=\
    both-addresses:4/3
# Connection mark -> routing table, for router-originated packets.
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4_conn \
    new-routing-mark=to_WAN4 passthrough=no
# Connection mark -> routing table, for packets arriving from LAN_list.
# The prerouting mark-connection rules above use passthrough=no, so the first
# packet of a connection does not reach these rules.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN4 passthrough=no
/ip firewall nat
# Source NAT per uplink, applied only to packets whose source address is in
# the RFC1918 list. Packets leaving an uplink with any other source address
# are not translated by these rules. No dstnat rule is present.
add action=masquerade chain=srcnat out-interface=WAN1 src-address-list=\
    RFC1918
add action=masquerade chain=srcnat out-interface=WAN2 src-address-list=\
    RFC1918
add action=masquerade chain=srcnat out-interface=WAN3 src-address-list=\
    RFC1918
add action=masquerade chain=srcnat out-interface=WAN4 src-address-list=\
    RFC1918
/ip route
# Routes tagged ##routewanN## are the ones the DHCP-client lease scripts
# remove and re-create. Each uplink has a default route in its own table
# (with check-gateway=ping) and one in the main table with distance N, so the
# main table prefers WAN1, then WAN2, WAN3, WAN4. The main-table routes have
# no check-gateway.
# NOTE(review): WAN3 and WAN4 use the same gateway address and the routes
# name no interface, so to_WAN3 and to_WAN4 may resolve to the same uplink -
# confirm with the active route's interface.
add check-gateway=ping comment=##routewan3## disabled=no dst-address=\
    0.0.0.0/0 gateway=218.250.160.254 routing-table=to_WAN3 \
    suppress-hw-offload=no
add comment=##routewan3## distance=3 dst-address=0.0.0.0/0 gateway=\
    218.250.160.254
add check-gateway=ping comment=##routewan1## disabled=no dst-address=\
    0.0.0.0/0 gateway=42.98.99.254 routing-table=to_WAN1 suppress-hw-offload=\
    no
add comment=##routewan1## distance=1 dst-address=0.0.0.0/0 gateway=\
    42.98.99.254
add check-gateway=ping comment=##routewan2## disabled=no dst-address=\
    0.0.0.0/0 gateway=112.119.218.254 routing-table=to_WAN2 \
    suppress-hw-offload=no
add comment=##routewan2## distance=2 dst-address=0.0.0.0/0 gateway=\
    112.119.218.254
add check-gateway=ping comment=##routewan4## disabled=no dst-address=\
    0.0.0.0/0 gateway=218.250.160.254 routing-table=to_WAN4 \
    suppress-hw-offload=no
add comment=##routewan4## distance=4 dst-address=0.0.0.0/0 gateway=\
    218.250.160.254
/ip service
# Management services. telnet, ftp, ssh, api and api-ssl are disabled; www
# (plain HTTP) and winbox stay enabled and are limited to 192.168.88.0/24.
# The WireGuard subnet 192.168.100.0/24 is not in either allow-list, so these
# two services do not accept clients with a VPN address.
# NOTE(review): www-ssl is not listed, so it is presumably at its default;
# www carries the login over unencrypted HTTP - consider disabling it if
# WinBox is the tool actually used.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
# bad_ipv6 is defined here, but no IPv6 filter rule in this export uses it.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# "allowed" is matched as a source list by the filter rules.
# NOTE(review): the link-local entry is written as fe80::/16 while the
# DHCPv6 rule in the filter uses fe80::/10; ff02::/16 is a multicast range,
# which is not a valid source address, so that entry can never match as a
# source - confirm what both entries were meant to do.
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
# --- input chain: ends with an unconditional drop ---
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
# Accepts by source address only, on any interface and any port.
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
# --- forward chain: ends with an unconditional drop ---
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
    yes log-prefix=ipv6,invalid
# Both accept rules below match in-interface-list=!LAN_list, i.e. traffic that
# did NOT arrive on a LAN_list interface.
# NOTE(review): the second one is commented "local network" but as written it
# accepts new connections from non-LAN interfaces whenever the source address
# is in "allowed", and nothing accepts new connections from LAN_list. The
# negation looks unintended - confirm.
add action=accept chain=forward comment=icmpv6 in-interface-list=!LAN_list \
    protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface-list=\
    !LAN_list src-address-list=allowed
# A log-prefix is set but no log=yes appears on this rule, so the prefix is
# presumably unused.
add action=drop chain=forward log-prefix=IPV6
/system clock
set time-zone-name=Asia/Hong_Kong
/system note
set show-at-login=no
/tool bandwidth-server
# Bandwidth-test server is switched off.
set enabled=no
# MAC-Telnet and MAC-WinBox are limited to the interfaces in LAN_list.
/tool mac-server
set allowed-interface-list=LAN_list
/tool mac-server mac-winbox
set allowed-interface-list=LAN_list
Last edited by tangent on Fri Feb 02, 2024 9:33 pm, edited 1 time in total.
Reason: elided PII; fixed typo
