Currently I have 2 ISPs, (ISP1 - higher bandwidth & private IP, ISP2 - Lower bandwidth and Dynamic public IP).
With that being said, I have already set up Failover configuration using ISP1 as primary and ISP2 as secondary.
Expected behaviour
Having the failover configuration, would like to set up a Wireguard VPN and Port forwarding ONLY using ISP2.
Actual behaviour
When ISP1 is up, there is no packet responses. As soon as there is not ISP1 set as priority everything works, I did the PF and works, Wireguard VPN works.
Code: Select all
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] loop-protect=off
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
set usb1 type=hardware
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h59m59s name=\
defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=*9 list=WAN
add interface=*A list=WAN
/interface wireguard peers
add allowed-address=10.20.1.2/32 interface=wireguard1 public-key=\
"VnTNWEPEIGe4ehffWqtG8GdIb+HKxcpSvACRekuVa1I="
add allowed-address=10.20.1.3/32 interface=wireguard1 public-key=\
"D2bLdRCWi8QS/xznIUHNzufVZOpwX2pVdnf+0WcNr1k="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.20.1.1/24 interface=wireguard1 network=10.20.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.252 client-id=1:d8:32:14:e4:1c:88 mac-address=\
D8:32:14:E4:1C:88 server=defconf
add address=192.168.88.247 mac-address=08:00:27:A1:50:F7 server=defconf
add address=192.168.88.253 client-id=1:90:61:ae:16:b0:1b mac-address=\
90:61:AE:16:B0:1B server=defconf
add address=192.168.88.251 client-id=1:3c:19:cb:6e:7:2f mac-address=\
3C:19:CB:6E:07:2F server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.0/16 list=Access
add address=190.0.0.0/8 list=Access
add address=186.0.0.0/8 list=Access
add address=200.0.0.0/8 list=Access
/ip firewall filter
add action=reject chain=forward dst-address-list=Ads protocol=tcp reject-with=icmp-network-unreachable src-address-list=Access
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
10.20.1.0/24
add action=accept chain=input in-interface=ether2 src-address-list=Access
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=23000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.252 to-ports=80
add action=dst-nat chain=dstnat dst-port=24000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.247 to-ports=443
add action=dst-nat chain=dstnat dst-port=25000 in-interface=ether1 protocol=\
udp to-addresses=192.168.88.247 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-port=10000-20000 \
in-interface=ether1 protocol=udp to-addresses=192.168.88.247 to-ports=\
10000-20000