[b]Mangle Rules:[/b]
/ip firewall mangle
add action=mark-connection chain=prerouting comment="For PCC" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=NEED_PCC new-connection-mark=to_wan1 passthrough=yes \
per-connection-classifier=both-addresses:10/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan2 passthrough=yes per-connection-classifier=\
both-addresses:10/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan3 passthrough=yes per-connection-classifier=\
both-addresses:10/2
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan4 passthrough=yes per-connection-classifier=\
both-addresses:10/3
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan5 passthrough=yes per-connection-classifier=\
both-addresses:10/4
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan6 passthrough=yes per-connection-classifier=\
both-addresses:10/5
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan7 passthrough=yes per-connection-classifier=\
both-addresses:10/6
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan8 passthrough=yes per-connection-classifier=\
both-addresses:10/7
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan9 passthrough=yes per-connection-classifier=\
both-addresses:10/8
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan10 passthrough=yes per-connection-classifier=\
both-addresses:10/9
add action=mark-connection chain=forward comment="For Sonar" \
dst-address-list="Standard Internet" new-connection-mark=\
Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=Standard_Traffic_Up passthrough=yes src-address-list=\
"Standard Internet"
add action=mark-connection chain=forward dst-address-list=\
"High Capacity Internet" new-connection-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=High_Capacity_Traffic_Up passthrough=yes \
src-address-list="High Capacity Internet"
add action=mark-packet chain=forward comment="For Sonar" connection-mark=\
Standard_Traffic_Down new-packet-mark=Standard_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up \
in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=\
yes
add action=mark-packet chain=forward connection-mark=\
High_Capacity_Traffic_Down new-packet-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Up \
in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up \
passthrough=yes
[b]Routes:[/b]
/ip route
add disabled=no dst-address=192.168.132.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.133.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-1-wan1 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-2-wan2 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-3-wan3 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-4-wan4 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-5-wan5 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-6-wan6 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-7-wan7 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-8-wan8 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-9-wan9 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-10-wan10 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-1-wan1 \
routing-table=to_wan1 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-2-wan2 \
routing-table=to_wan2 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-3-wan3 \
routing-table=to_wan3 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-4-wan4 \
routing-table=to_wan4 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-5-wan5 \
routing-table=to_wan5 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-6-wan6 \
routing-table=to_wan6 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-7-wan7 \
routing-table=to_wan7 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-8-wan8 \
routing-table=to_wan8 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-9-wan9 \
routing-table=to_wan9 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-10-wan10 \
routing-table=to_wan10 suppress-hw-offload=no
[b]Routing Tables:[/b]
/routing table
add fib name=to_wan1
add fib name=to_wan2
add fib name=to_wan3
add fib name=to_wan4
add fib name=to_wan5
add fib name=to_wan6
add fib name=to_wan7
add fib name=to_wan8
add fib name=to_wan9
add fib name=to_wan10
ECMP works fine V7 – it relies on connection tracking to store the routing decision for future packets. I'm not sure that's the problem here. I suspect it just the variable the speed of starlink sats moving is going to be same across all 10 terminals (e.g. one is slow, all will likely be slow)ECMP used to be working on RouterOS 6 where a routing cache existed, so if a connection started using a particular gateway, it continued using it until the routing cache was flushed. I'm not sure whether ECMP can be used on RouterOS 7, which uses a kernel that does not support routing cache any more, when src-nat is engaged
So I finally got to reading through it, and I am trying to put the bits together.
You wrote that the public IP addresses assigned by Starlink with the high priority subscription were changing but now they are not, but if I get it right, the L2TP/IPsec tunnel still keeps disconnecting (or is not connecting at all)?
Second, I cannot see any L2TP configuration in the export nor a dst-nat rule for IPsec ports, so I figure the L2TP/IPsec client is running in Alaska on some device connected to the 2216's LAN and connecting to a server at your HQ location, is that correct?
ECMP used to be working on RouterOS 6 where a routing cache existed, so if a connection started using a particular gateway, it continued using it until the routing cache was flushed. I'm not sure whether ECMP can be used on RouterOS 7, which uses a kernel that does not support routing cache any more, when src-nat is engaged, because I don't know how a Starlink terminal treats packets with a wrong source address. But since you encounter problems, I would first dig in this direction. The thing is that the firewall rules assign the "external" address of a src-nated connection (officialy, the reply-dst-address) once for good while handling the initial packet of the connection. So if ECMP sends a subsequent packets belonging to the same connection via another gateway, that packets will leave with an address that does not belong to the one of the out-interface, so if the Starlink network is picky about it, it will not reach the destination.
If my assumptions above regarding the L2TP/IPsec topology, Starlink behavior, and ECMP behavior in ROS 7 are correct, you need to make sure that the L2TP/IPsec connection keeps using the same WAN all the time; to do that, you need to make it use a dedicated routing table that prefers a particular WAN and only uses another one if the primary one fails, so that the tunnel could re-establish.
Before proceeding, please confirm or correct my understanding.
Thanks. I was wondering about this for some time already.ECMP works fine V7 – it relies on connection tracking to store the routing decision for future packets.
That was the previous satellite operator, and I can easily imagine they haven't got any LEO satellites that high to the north. Starlink has a few satellites on polar orbits specially to cover these areas.The LTE being 600ms would imply the cell networks backhaul is using GEO sat, which at a full transponder would be ~50-100Mb capacity range.
Then something must have gone wrong in the process of posting the configuration, because I can see no /interface l2tp-client section there.The L2TP client is running directly on the Mikrotik router in Alaska and it connects to another Mikrotik router at our HQ in Oregon running the L2TP server.
If the L2TP client is running directly on the 2216, no dst-nat rule is necessary, it's just that there absence of the client configuration in the export made me think it is running on another device so I was thinking of possible topologies (an L2TP server in LAN in Alaska would require a dst-nat rule).we have no dst-nat rule for L2TP setup
Then something must have gone wrong in the process of posting the configuration, because I can see no /interface l2tp-client section there.The L2TP client is running directly on the Mikrotik router in Alaska and it connects to another Mikrotik router at our HQ in Oregon running the L2TP server.
There are also multiple routing tables but just two static routes in the configuration.
If the L2TP client is running directly on the 2216, no dst-nat rule is necessary, it's just that there absence of the client configuration in the export made me think it is running on another device so I was thinking of possible topologies (an L2TP server in LAN in Alaska would require a dst-nat rule).we have no dst-nat rule for L2TP setup
Sorry, I ran out of today here, so I'll be back online in 8-10 hours from now.
# 2023-11-14 14:51:49 by RouterOS 7.12
# software id = DVNU-PTAC
#
# model = CCR2216-1G-12XS-2XQ
# serial number = HE808NY9TF8
/interface bridge
add admin-mac=48:A9:8A:85:65:FB auto-mac=no comment="Link to NV1560 Port 1" \
name=bridge-lan
add name=bridge-oob
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=qsfp28-1-1 ] disabled=yes
set [ find default-name=qsfp28-1-2 ] disabled=yes
set [ find default-name=qsfp28-1-3 ] disabled=yes
set [ find default-name=qsfp28-1-4 ] disabled=yes
set [ find default-name=qsfp28-2-1 ] disabled=yes
set [ find default-name=qsfp28-2-2 ] disabled=yes
set [ find default-name=qsfp28-2-3 ] disabled=yes
set [ find default-name=qsfp28-2-4 ] disabled=yes
set [ find default-name=sfp28-1 ] comment="Link to Starlink Terminal 1" name=\
sfp28-1-wan1
set [ find default-name=sfp28-2 ] comment="Link to Starlink Terminal 2" name=\
sfp28-2-wan2
set [ find default-name=sfp28-3 ] comment="Link to Starlink Terminal 3" name=\
sfp28-3-wan3
set [ find default-name=sfp28-4 ] comment="Link to Starlink Terminal 4" name=\
sfp28-4-wan4
set [ find default-name=sfp28-5 ] comment="Link to Starlink Terminal 5" name=\
sfp28-5-wan5
set [ find default-name=sfp28-6 ] comment="Link to Starlink Terminal 6" name=\
sfp28-6-wan6
set [ find default-name=sfp28-7 ] comment="Link to Starlink Terminal 7" name=\
sfp28-7-wan7
set [ find default-name=sfp28-8 ] comment="Link to Starlink Terminal 8" name=\
sfp28-8-wan8
set [ find default-name=sfp28-9 ] comment="Link to Starlink Terminal 9" name=\
sfp28-9-wan9
set [ find default-name=sfp28-10 ] comment="Link to Starlink Terminal 10" \
name=sfp28-10-wan10
set [ find default-name=sfp28-11 ] comment="Link to OOB PC" name=sfp28-11-oob
set [ find default-name=sfp28-12 ] comment="Link to Adtran Switch Port 1" \
name=sfp28-12-lan
[b] /interface l2tp-client
add connect-to=vpn.richesineng.com disabled=no name=RE use-ipsec=yes user=\
unalakleet [/b]
/interface vlan
add comment=Customers interface=sfp28-12-lan name=vlan2 vlan-id=2
/interface list
add comment="contains WAN interfaces" name=WAN
add comment="contains LAN interfaces" name=LAN
add comment="Contains VPN interfaces" name=VPN
add name=WAN1
add name=NEED_PCC
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add authoritative=after-2sec-delay interface=bridge-lan lease-time=5m name=\
vlan2-dhcp
/ip pool
add name=vlan2-pool ranges=10.130.2.10-10.130.3.254
add name=oob-pool ranges=10.130.0.2-10.130.0.254
/ip dhcp-server
add address-pool=oob-pool interface=bridge-oob name=oob-dhcp
/port
set 0 name=serial0
/queue type
add kind=pcq name=MaxDownloadSpeed pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=MaxUploadSpeed pcq-classifier=dst-address pcq-rate=1M
add kind=pcq name=Standard_Download_Speed pcq-burst-rate=30M pcq-burst-time=\
15s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=25M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=Standard_Upload_Speed pcq-burst-rate=3600k pcq-burst-time=\
15s pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Download_Speed pcq-burst-rate=30M \
pcq-burst-time=15s pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-rate=25M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Upload_Speed pcq-burst-rate=3600k \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=3M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
/queue tree
add max-limit=300M name=Standard_Download_Speed packet-mark=\
Standard_Traffic_Down parent=bridge-lan priority=7 queue=\
Standard_Download_Speed
add max-limit=50M name=Standard_Upload_Speed packet-mark=Standard_Traffic_Up \
parent=bridge-lan priority=7 queue=Standard_Upload_Speed
add max-limit=300M name=High_Capacity_Download_Speed packet-mark=\
High_Capacity_Traffic_Down parent=bridge-lan priority=7 queue=\
High_Capacity_Download_Speed
add max-limit=50M name=High_Capacity_Upload_Speed packet-mark=\
High_Capacity_Traffic_Up parent=bridge-lan priority=7 queue=\
High_Capacity_Upload_Speed
/routing table
add fib name=to_wan1
add fib name=to_wan2
add fib name=to_wan3
add fib name=to_wan4
add fib name=to_wan5
add fib name=to_wan6
add fib name=to_wan7
add fib name=to_wan8
add fib name=to_wan9
add fib name=to_wan10
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=atbunal
/interface bridge port
add bridge=bridge-lan interface=vlan2
add bridge=bridge-oob interface=sfp28-11-oob
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=sfp28-1-wan1 list=WAN
add interface=sfp28-2-wan2 list=WAN
add comment="RE VPN" interface=RE list=VPN
add interface=sfp28-3-wan3 list=WAN
add interface=sfp28-4-wan4 list=WAN
add interface=sfp28-5-wan5 list=WAN
add interface=sfp28-6-wan6 list=WAN
add interface=sfp28-7-wan7 list=WAN
add interface=sfp28-8-wan8 list=WAN
add interface=sfp28-9-wan9 list=WAN
add interface=sfp28-10-wan10 list=WAN
/ip address
add address=10.130.1.1/24 comment="Servers - vlan1" interface=sfp28-12-lan \
network=10.130.1.0
add address=10.130.2.1/23 comment="Subscribers - CPE" interface=vlan2 \
network=10.130.2.0
add address=10.130.4.1/23 comment="Subscribers - SM" interface=vlan2 network=\
10.130.4.0
add address=10.130.0.1/24 interface=bridge-oob network=10.130.0.0
/ip dhcp-client
add interface=sfp28-1-wan1 use-peer-dns=no
add interface=sfp28-2-wan2 use-peer-dns=no
add interface=sfp28-3-wan3 use-peer-dns=no
add interface=sfp28-4-wan4 use-peer-dns=no
add interface=sfp28-5-wan5 use-peer-dns=no
add interface=sfp28-6-wan6 use-peer-dns=no
add interface=sfp28-7-wan7 use-peer-dns=no
add interface=sfp28-8-wan8 use-peer-dns=no
add interface=sfp28-9-wan9 use-peer-dns=no
add interface=sfp28-10-wan10 use-peer-dns=no
/ip dhcp-server alert
add comment="Rogue DHCP Detect" disabled=no interface=bridge-lan on-alert=\
":log error message=\"Rogue DHCP Server Discovered\"" valid-server=\
48:A9:8A:85:65:FB
/ip dhcp-server lease
add address=10.130.3.3 mac-address=BC:A9:93:46:C5:D9 server=vlan2-dhcp
add address=10.130.2.10 mac-address=BC:A9:93:47:A2:D9 server=vlan2-dhcp
add address=10.130.2.11 mac-address=BC:A9:93:47:2A:C1 server=vlan2-dhcp
add address=10.130.2.12 mac-address=BC:A9:93:46:94:39 server=vlan2-dhcp
add address=10.130.2.13 mac-address=BC:A9:93:46:7A:59 server=vlan2-dhcp
add address=10.130.2.14 mac-address=BC:A9:93:46:90:99 server=vlan2-dhcp
add address=10.130.3.29 mac-address=BC:A9:93:47:58:11 server=vlan2-dhcp
add address=10.130.2.251 mac-address=BC:A9:93:47:A2:E9 server=vlan2-dhcp
add address=10.130.2.147 mac-address=BC:A9:93:46:85:F9 server=vlan2-dhcp
add address=10.130.2.52 mac-address=BC:A9:93:46:83:71 server=vlan2-dhcp
add address=10.130.2.16 mac-address=BC:A9:93:46:70:21 server=vlan2-dhcp
add address=10.130.2.17 mac-address=BC:A9:93:47:2B:B1 server=vlan2-dhcp
add address=10.130.2.20 mac-address=BC:A9:93:47:99:09 server=vlan2-dhcp
add address=10.130.2.21 mac-address=BC:A9:93:46:7A:61 server=vlan2-dhcp
add address=10.130.2.22 mac-address=BC:A9:93:47:9B:B9 server=vlan2-dhcp
add address=10.130.2.23 mac-address=BC:A9:93:47:2B:A9 server=vlan2-dhcp
add address=10.130.2.24 mac-address=BC:A9:93:46:BC:89 server=vlan2-dhcp
add address=10.130.2.26 mac-address=BC:A9:93:46:94:29 server=vlan2-dhcp
add address=10.130.2.27 mac-address=BC:A9:93:46:9E:D1 server=vlan2-dhcp
add address=10.130.2.28 mac-address=BC:A9:93:46:88:61 server=vlan2-dhcp
add address=10.130.2.29 mac-address=BC:A9:93:46:EF:89 server=vlan2-dhcp
add address=10.130.2.30 mac-address=BC:A9:93:47:10:B9 server=vlan2-dhcp
add address=10.130.2.31 mac-address=BC:A9:93:46:6D:19 server=vlan2-dhcp
add address=10.130.2.32 mac-address=BC:A9:93:47:2C:99 server=vlan2-dhcp
add address=10.130.2.33 mac-address=BC:A9:93:47:9B:41 server=vlan2-dhcp
add address=10.130.2.35 mac-address=BC:A9:93:46:C6:91 server=vlan2-dhcp
add address=10.130.2.37 mac-address=BC:A9:93:47:1A:81 server=vlan2-dhcp
add address=10.130.2.38 mac-address=BC:A9:93:46:71:41 server=vlan2-dhcp
add address=10.130.2.39 mac-address=BC:A9:93:46:A7:09 server=vlan2-dhcp
add address=10.130.2.40 mac-address=BC:A9:93:46:A7:69 server=vlan2-dhcp
add address=10.130.2.41 mac-address=BC:A9:93:46:84:B1 server=vlan2-dhcp
add address=10.130.2.42 mac-address=BC:A9:93:46:90:49 server=vlan2-dhcp
add address=10.130.2.43 mac-address=BC:A9:93:47:1E:01 server=vlan2-dhcp
add address=10.130.2.44 mac-address=BC:A9:93:47:A3:49 server=vlan2-dhcp
add address=10.130.2.45 mac-address=BC:A9:93:46:6F:29 server=vlan2-dhcp
add address=10.130.2.46 mac-address=BC:A9:93:46:90:01 server=vlan2-dhcp
add address=10.130.2.50 mac-address=BC:A9:93:46:8D:99 server=vlan2-dhcp
add address=10.130.2.51 mac-address=BC:A9:93:46:EC:B1 server=vlan2-dhcp
add address=10.130.2.53 mac-address=BC:A9:93:46:86:61 server=vlan2-dhcp
add address=10.130.2.54 mac-address=BC:A9:93:46:86:71 server=vlan2-dhcp
add address=10.130.2.55 mac-address=BC:A9:93:46:C5:89 server=vlan2-dhcp
add address=10.130.2.56 mac-address=BC:A9:93:46:90:51 server=vlan2-dhcp
add address=10.130.2.57 mac-address=BC:A9:93:47:2D:B9 server=vlan2-dhcp
add address=10.130.2.59 mac-address=BC:A9:93:46:C6:D9 server=vlan2-dhcp
add address=10.130.2.60 mac-address=BC:A9:93:46:87:89 server=vlan2-dhcp
add address=10.130.2.61 mac-address=BC:A9:93:46:C6:81 server=vlan2-dhcp
add address=10.130.2.62 mac-address=BC:A9:93:46:A6:31 server=vlan2-dhcp
add address=10.130.2.64 mac-address=BC:A9:93:46:C5:F9 server=vlan2-dhcp
add address=10.130.2.66 mac-address=BC:A9:93:46:C6:E9 server=vlan2-dhcp
add address=10.130.2.67 mac-address=BC:A9:93:46:ED:29 server=vlan2-dhcp
add address=10.130.2.68 mac-address=BC:A9:93:46:DB:49 server=vlan2-dhcp
add address=10.130.2.69 mac-address=BC:A9:93:46:97:21 server=vlan2-dhcp
add address=10.130.2.71 mac-address=BC:A9:93:46:CF:71 server=vlan2-dhcp
add address=10.130.2.74 mac-address=BC:A9:93:47:5E:11 server=vlan2-dhcp
add address=10.130.2.76 mac-address=BC:A9:93:47:2B:21 server=vlan2-dhcp
add address=10.130.2.77 mac-address=BC:A9:93:46:BC:11 server=vlan2-dhcp
add address=10.130.2.78 mac-address=BC:A9:93:46:84:C9 server=vlan2-dhcp
add address=10.130.2.79 mac-address=BC:A9:93:46:6F:39 server=vlan2-dhcp
add address=10.130.2.81 mac-address=BC:A9:93:46:84:D9 server=vlan2-dhcp
add address=10.130.2.86 mac-address=BC:A9:93:47:29:61 server=vlan2-dhcp
add address=10.130.2.72 mac-address=BC:A9:93:46:ED:39 server=vlan2-dhcp
add address=10.130.2.73 mac-address=BC:A9:93:46:B2:69 server=vlan2-dhcp
add address=10.130.2.80 mac-address=BC:A9:93:46:C9:79 server=vlan2-dhcp
add address=10.130.2.87 mac-address=BC:A9:93:47:1E:09 server=vlan2-dhcp
add address=10.130.2.88 mac-address=BC:A9:93:47:9F:E9 server=vlan2-dhcp
add address=10.130.2.89 mac-address=BC:A9:93:47:9F:D9 server=vlan2-dhcp
add address=10.130.2.90 mac-address=BC:A9:93:46:87:59 server=vlan2-dhcp
add address=10.130.2.92 mac-address=BC:A9:93:47:A2:F9 server=vlan2-dhcp
add address=10.130.2.93 mac-address=BC:A9:93:47:2B:D1 server=vlan2-dhcp
add address=10.130.2.19 mac-address=BC:A9:93:46:C5:69 server=vlan2-dhcp
add address=10.130.2.94 mac-address=BC:A9:93:47:A3:E9 server=vlan2-dhcp
add address=10.130.2.96 mac-address=BC:A9:93:46:F4:51 server=vlan2-dhcp
add address=10.130.2.58 mac-address=BC:A9:93:46:F4:41 server=vlan2-dhcp
add address=10.130.2.98 mac-address=BC:A9:93:47:1D:D9 server=vlan2-dhcp
add address=10.130.2.99 mac-address=BC:A9:93:46:AE:49 server=vlan2-dhcp
add address=10.130.2.82 mac-address=BC:A9:93:46:ED:31 server=vlan2-dhcp
add address=10.130.2.100 mac-address=BC:A9:93:47:2B:C9 server=vlan2-dhcp
add address=10.130.2.95 mac-address=BC:A9:93:47:6A:19 server=vlan2-dhcp
add address=10.130.2.252 mac-address=BC:A9:93:46:D0:39 server=vlan2-dhcp
add address=10.130.2.25 mac-address=BC:A9:93:47:A1:F9 server=vlan2-dhcp
add address=10.130.2.91 mac-address=BC:A9:93:47:86:01 server=vlan2-dhcp
add address=10.130.2.34 mac-address=BC:A9:93:46:C9:71 server=vlan2-dhcp
/ip dhcp-server network
add address=10.130.0.0/24 comment=OOB gateway=10.130.0.1
add address=10.130.1.0/24 comment=Servers gateway=10.130.1.1
add address=10.130.2.0/23 comment="Subscribers - CPE" dns-server=\
8.8.8.8,1.1.1.1 gateway=10.130.2.1
add address=10.130.4.0/23 comment="Subscribers - SM" dns-server=\
8.8.8.8,1.1.1.1 gateway=10.130.4.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall mangle
add action=mark-connection chain=prerouting comment="For PCC" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=NEED_PCC new-connection-mark=to_wan1 passthrough=yes \
per-connection-classifier=both-addresses:10/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan2 passthrough=yes per-connection-classifier=\
both-addresses:10/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan3 passthrough=yes per-connection-classifier=\
both-addresses:10/2
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan4 passthrough=yes per-connection-classifier=\
both-addresses:10/3
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan5 passthrough=yes per-connection-classifier=\
both-addresses:10/4
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan6 passthrough=yes per-connection-classifier=\
both-addresses:10/5
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan7 passthrough=yes per-connection-classifier=\
both-addresses:10/6
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan8 passthrough=yes per-connection-classifier=\
both-addresses:10/7
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan9 passthrough=yes per-connection-classifier=\
both-addresses:10/8
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan10 passthrough=yes per-connection-classifier=\
both-addresses:10/9
add action=mark-connection chain=forward comment="For Sonar" \
dst-address-list="Standard Internet" new-connection-mark=\
Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=Standard_Traffic_Up passthrough=yes src-address-list=\
"Standard Internet"
add action=mark-connection chain=forward dst-address-list=\
"High Capacity Internet" new-connection-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=High_Capacity_Traffic_Up passthrough=yes \
src-address-list="High Capacity Internet"
add action=mark-packet chain=forward comment="For Sonar" connection-mark=\
Standard_Traffic_Down new-packet-mark=Standard_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up \
in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=\
yes
add action=mark-packet chain=forward connection-mark=\
High_Capacity_Traffic_Down new-packet-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Up \
in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up \
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Cacti HTTP" dst-port=180 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="Cacti HTTPS" dst-port=1443 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=443
add action=dst-nat chain=dstnat comment="Preseem SSH" dst-port=22222 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=22
add action=dst-nat chain=dstnat comment="Preseem Cockpit" dst-port=9090 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=9090
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=192.168.132.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.133.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-1-wan1 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-2-wan2 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-3-wan3 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-4-wan4 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-5-wan5 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-6-wan6 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-7-wan7 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-8-wan8 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-9-wan9 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-10-wan10 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-1-wan1 \
routing-table=to_wan1 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-2-wan2 \
routing-table=to_wan2 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-3-wan3 \
routing-table=to_wan3 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-4-wan4 \
routing-table=to_wan4 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-5-wan5 \
routing-table=to_wan5 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-6-wan6 \
routing-table=to_wan6 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-7-wan7 \
routing-table=to_wan7 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-8-wan8 \
routing-table=to_wan8 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-9-wan9 \
routing-table=to_wan9 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-10-wan10 \
routing-table=to_wan10 suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=myCa disabled=no port=8443
set api-ssl certificate=myCa
/ip ssh
set strong-crypto=yes
/snmp
set contact="Richesin Engineering <jaysen@richesinengineering.com>" enabled=\
yes location="Communications Shelter, Unalakleet, AK [63.89890275724056, -\
160.7788028412428]" trap-community=atbunal
/system clock
set time-zone-autodetect=no time-zone-name=America/Anchorage
/system identity
set name=UnalakleetRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add disabled=yes interval=5m name=QueueTreeUsageCheck on-event=":log info \"Qu\
eueTreeUsageCheck script started\"\r\
\nQueueTreeUsageCheck\r\
\n:log info \"QueueTreeUsageCheck script finished\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-03 start-time=11:04:00
add disabled=yes interval=4w2d name=datareset on-event=\
"/queue tree reset-counters numbers=[find]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-01 start-time=09:33:17
add disabled=yes interval=5m name=runThrottle on-event=\
"/system script run throttle;" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-23 start-time=00:00:00
/system script
add dont-require-permissions=no name=rogue-dhcp-scan owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"Found rogue DHCP server at \$[/system clock get date] \$[/syste\
m clock get time] on interface bridge-trunk]\"\r\
\n#Email\r\
\n/tool e-mail send to=\"jaysen@richesinengineering.com\" subject=\"Found \
rogue DHCP server at \$[/system clock get date] \$[/system clock get time]\
\_on interface bridge-trunk\""
add dont-require-permissions=no name=throttle owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local thresholdBytes 161061273600; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"Standard_Download_Sp\
eed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"Standard_Upload_Speed\
\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}\r\
\n\r\
\n:local thresholdBytes 268435456000; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"High_Capacity_Downlo\
ad_Speed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"High_Capacity_Upload_S\
peed\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from="Unalakleet Router" port=2525 server=mail.smtp2go.com tls=yes user=\
alerts@richesinengineering.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=sfp28-3-wan3 name=tmon1
# 2023-11-14 14:51:49 by RouterOS 7.12
# software id = DVNU-PTAC
#
# model = CCR2216-1G-12XS-2XQ
# serial number = HE808NY9TF8
/interface bridge
add admin-mac=48:A9:8A:85:65:FB auto-mac=no comment="Link to NV1560 Port 1" \
name=bridge-lan
add name=bridge-oob
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=qsfp28-1-1 ] disabled=yes
set [ find default-name=qsfp28-1-2 ] disabled=yes
set [ find default-name=qsfp28-1-3 ] disabled=yes
set [ find default-name=qsfp28-1-4 ] disabled=yes
set [ find default-name=qsfp28-2-1 ] disabled=yes
set [ find default-name=qsfp28-2-2 ] disabled=yes
set [ find default-name=qsfp28-2-3 ] disabled=yes
set [ find default-name=qsfp28-2-4 ] disabled=yes
set [ find default-name=sfp28-1 ] comment="Link to Starlink Terminal 1" name=\
sfp28-1-wan1
set [ find default-name=sfp28-2 ] comment="Link to Starlink Terminal 2" name=\
sfp28-2-wan2
set [ find default-name=sfp28-3 ] comment="Link to Starlink Terminal 3" name=\
sfp28-3-wan3
set [ find default-name=sfp28-4 ] comment="Link to Starlink Terminal 4" name=\
sfp28-4-wan4
set [ find default-name=sfp28-5 ] comment="Link to Starlink Terminal 5" name=\
sfp28-5-wan5
set [ find default-name=sfp28-6 ] comment="Link to Starlink Terminal 6" name=\
sfp28-6-wan6
set [ find default-name=sfp28-7 ] comment="Link to Starlink Terminal 7" name=\
sfp28-7-wan7
set [ find default-name=sfp28-8 ] comment="Link to Starlink Terminal 8" name=\
sfp28-8-wan8
set [ find default-name=sfp28-9 ] comment="Link to Starlink Terminal 9" name=\
sfp28-9-wan9
set [ find default-name=sfp28-10 ] comment="Link to Starlink Terminal 10" \
name=sfp28-10-wan10
set [ find default-name=sfp28-11 ] comment="Link to OOB PC" name=sfp28-11-oob
set [ find default-name=sfp28-12 ] comment="Link to Adtran Switch Port 1" \
name=sfp28-12-lan
/interface l2tp-client
add connect-to=vpn.richesineng.com disabled=no name=RE use-ipsec=yes user=\
unalakleet
/interface vlan
add comment=Customers interface=sfp28-12-lan name=vlan2 vlan-id=2
/interface list
add comment="contains WAN interfaces" name=WAN
add comment="contains LAN interfaces" name=LAN
add comment="Contains VPN interfaces" name=VPN
add name=WAN1
add name=NEED_PCC
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add authoritative=after-2sec-delay interface=bridge-lan lease-time=5m name=\
vlan2-dhcp
/ip pool
add name=vlan2-pool ranges=10.130.2.10-10.130.3.254
add name=oob-pool ranges=10.130.0.2-10.130.0.254
/ip dhcp-server
add address-pool=oob-pool interface=bridge-oob name=oob-dhcp
/port
set 0 name=serial0
/queue type
add kind=pcq name=MaxDownloadSpeed pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=MaxUploadSpeed pcq-classifier=dst-address pcq-rate=1M
add kind=pcq name=Standard_Download_Speed pcq-burst-rate=30M pcq-burst-time=\
15s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=25M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=Standard_Upload_Speed pcq-burst-rate=3600k pcq-burst-time=\
15s pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Download_Speed pcq-burst-rate=30M \
pcq-burst-time=15s pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-rate=25M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Upload_Speed pcq-burst-rate=3600k \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=3M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
/queue tree
add max-limit=300M name=Standard_Download_Speed packet-mark=\
Standard_Traffic_Down parent=bridge-lan priority=7 queue=\
Standard_Download_Speed
add max-limit=50M name=Standard_Upload_Speed packet-mark=Standard_Traffic_Up \
parent=bridge-lan priority=7 queue=Standard_Upload_Speed
add max-limit=300M name=High_Capacity_Download_Speed packet-mark=\
High_Capacity_Traffic_Down parent=bridge-lan priority=7 queue=\
High_Capacity_Download_Speed
add max-limit=50M name=High_Capacity_Upload_Speed packet-mark=\
High_Capacity_Traffic_Up parent=bridge-lan priority=7 queue=\
High_Capacity_Upload_Speed
/routing table
add fib name=to_wan1
add fib name=to_wan2
add fib name=to_wan3
add fib name=to_wan4
add fib name=to_wan5
add fib name=to_wan6
add fib name=to_wan7
add fib name=to_wan8
add fib name=to_wan9
add fib name=to_wan10
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=atbunal
/interface bridge port
add bridge=bridge-lan interface=vlan2
add bridge=bridge-oob interface=sfp28-11-oob
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=sfp28-1-wan1 list=WAN
add interface=sfp28-2-wan2 list=WAN
add comment="RE VPN" interface=RE list=VPN
add interface=sfp28-3-wan3 list=WAN
add interface=sfp28-4-wan4 list=WAN
add interface=sfp28-5-wan5 list=WAN
add interface=sfp28-6-wan6 list=WAN
add interface=sfp28-7-wan7 list=WAN
add interface=sfp28-8-wan8 list=WAN
add interface=sfp28-9-wan9 list=WAN
add interface=sfp28-10-wan10 list=WAN
/ip address
add address=10.130.1.1/24 comment="Servers - vlan1" interface=sfp28-12-lan \
network=10.130.1.0
add address=10.130.2.1/23 comment="Subscribers - CPE" interface=vlan2 \
network=10.130.2.0
add address=10.130.4.1/23 comment="Subscribers - SM" interface=vlan2 network=\
10.130.4.0
add address=10.130.0.1/24 interface=bridge-oob network=10.130.0.0
/ip dhcp-client
add interface=sfp28-1-wan1 use-peer-dns=no
add interface=sfp28-2-wan2 use-peer-dns=no
add interface=sfp28-3-wan3 use-peer-dns=no
add interface=sfp28-4-wan4 use-peer-dns=no
add interface=sfp28-5-wan5 use-peer-dns=no
add interface=sfp28-6-wan6 use-peer-dns=no
add interface=sfp28-7-wan7 use-peer-dns=no
add interface=sfp28-8-wan8 use-peer-dns=no
add interface=sfp28-9-wan9 use-peer-dns=no
add interface=sfp28-10-wan10 use-peer-dns=no
/ip dhcp-server alert
add comment="Rogue DHCP Detect" disabled=no interface=bridge-lan on-alert=\
":log error message=\"Rogue DHCP Server Discovered\"" valid-server=\
48:A9:8A:85:65:FB
/ip dhcp-server lease
add address=10.130.3.3 mac-address=BC:A9:93:46:C5:D9 server=vlan2-dhcp
add address=10.130.2.10 mac-address=BC:A9:93:47:A2:D9 server=vlan2-dhcp
add address=10.130.2.11 mac-address=BC:A9:93:47:2A:C1 server=vlan2-dhcp
add address=10.130.2.12 mac-address=BC:A9:93:46:94:39 server=vlan2-dhcp
add address=10.130.2.13 mac-address=BC:A9:93:46:7A:59 server=vlan2-dhcp
add address=10.130.2.14 mac-address=BC:A9:93:46:90:99 server=vlan2-dhcp
add address=10.130.3.29 mac-address=BC:A9:93:47:58:11 server=vlan2-dhcp
add address=10.130.2.251 mac-address=BC:A9:93:47:A2:E9 server=vlan2-dhcp
add address=10.130.2.147 mac-address=BC:A9:93:46:85:F9 server=vlan2-dhcp
add address=10.130.2.52 mac-address=BC:A9:93:46:83:71 server=vlan2-dhcp
add address=10.130.2.16 mac-address=BC:A9:93:46:70:21 server=vlan2-dhcp
add address=10.130.2.17 mac-address=BC:A9:93:47:2B:B1 server=vlan2-dhcp
add address=10.130.2.20 mac-address=BC:A9:93:47:99:09 server=vlan2-dhcp
add address=10.130.2.21 mac-address=BC:A9:93:46:7A:61 server=vlan2-dhcp
add address=10.130.2.22 mac-address=BC:A9:93:47:9B:B9 server=vlan2-dhcp
add address=10.130.2.23 mac-address=BC:A9:93:47:2B:A9 server=vlan2-dhcp
add address=10.130.2.24 mac-address=BC:A9:93:46:BC:89 server=vlan2-dhcp
add address=10.130.2.26 mac-address=BC:A9:93:46:94:29 server=vlan2-dhcp
add address=10.130.2.27 mac-address=BC:A9:93:46:9E:D1 server=vlan2-dhcp
add address=10.130.2.28 mac-address=BC:A9:93:46:88:61 server=vlan2-dhcp
add address=10.130.2.29 mac-address=BC:A9:93:46:EF:89 server=vlan2-dhcp
add address=10.130.2.30 mac-address=BC:A9:93:47:10:B9 server=vlan2-dhcp
add address=10.130.2.31 mac-address=BC:A9:93:46:6D:19 server=vlan2-dhcp
add address=10.130.2.32 mac-address=BC:A9:93:47:2C:99 server=vlan2-dhcp
add address=10.130.2.33 mac-address=BC:A9:93:47:9B:41 server=vlan2-dhcp
add address=10.130.2.35 mac-address=BC:A9:93:46:C6:91 server=vlan2-dhcp
add address=10.130.2.37 mac-address=BC:A9:93:47:1A:81 server=vlan2-dhcp
add address=10.130.2.38 mac-address=BC:A9:93:46:71:41 server=vlan2-dhcp
add address=10.130.2.39 mac-address=BC:A9:93:46:A7:09 server=vlan2-dhcp
add address=10.130.2.40 mac-address=BC:A9:93:46:A7:69 server=vlan2-dhcp
add address=10.130.2.41 mac-address=BC:A9:93:46:84:B1 server=vlan2-dhcp
add address=10.130.2.42 mac-address=BC:A9:93:46:90:49 server=vlan2-dhcp
add address=10.130.2.43 mac-address=BC:A9:93:47:1E:01 server=vlan2-dhcp
add address=10.130.2.44 mac-address=BC:A9:93:47:A3:49 server=vlan2-dhcp
add address=10.130.2.45 mac-address=BC:A9:93:46:6F:29 server=vlan2-dhcp
add address=10.130.2.46 mac-address=BC:A9:93:46:90:01 server=vlan2-dhcp
add address=10.130.2.50 mac-address=BC:A9:93:46:8D:99 server=vlan2-dhcp
add address=10.130.2.51 mac-address=BC:A9:93:46:EC:B1 server=vlan2-dhcp
add address=10.130.2.53 mac-address=BC:A9:93:46:86:61 server=vlan2-dhcp
add address=10.130.2.54 mac-address=BC:A9:93:46:86:71 server=vlan2-dhcp
add address=10.130.2.55 mac-address=BC:A9:93:46:C5:89 server=vlan2-dhcp
add address=10.130.2.56 mac-address=BC:A9:93:46:90:51 server=vlan2-dhcp
add address=10.130.2.57 mac-address=BC:A9:93:47:2D:B9 server=vlan2-dhcp
add address=10.130.2.59 mac-address=BC:A9:93:46:C6:D9 server=vlan2-dhcp
add address=10.130.2.60 mac-address=BC:A9:93:46:87:89 server=vlan2-dhcp
add address=10.130.2.61 mac-address=BC:A9:93:46:C6:81 server=vlan2-dhcp
add address=10.130.2.62 mac-address=BC:A9:93:46:A6:31 server=vlan2-dhcp
add address=10.130.2.64 mac-address=BC:A9:93:46:C5:F9 server=vlan2-dhcp
add address=10.130.2.66 mac-address=BC:A9:93:46:C6:E9 server=vlan2-dhcp
add address=10.130.2.67 mac-address=BC:A9:93:46:ED:29 server=vlan2-dhcp
add address=10.130.2.68 mac-address=BC:A9:93:46:DB:49 server=vlan2-dhcp
add address=10.130.2.69 mac-address=BC:A9:93:46:97:21 server=vlan2-dhcp
add address=10.130.2.71 mac-address=BC:A9:93:46:CF:71 server=vlan2-dhcp
add address=10.130.2.74 mac-address=BC:A9:93:47:5E:11 server=vlan2-dhcp
add address=10.130.2.76 mac-address=BC:A9:93:47:2B:21 server=vlan2-dhcp
add address=10.130.2.77 mac-address=BC:A9:93:46:BC:11 server=vlan2-dhcp
add address=10.130.2.78 mac-address=BC:A9:93:46:84:C9 server=vlan2-dhcp
add address=10.130.2.79 mac-address=BC:A9:93:46:6F:39 server=vlan2-dhcp
add address=10.130.2.81 mac-address=BC:A9:93:46:84:D9 server=vlan2-dhcp
add address=10.130.2.86 mac-address=BC:A9:93:47:29:61 server=vlan2-dhcp
add address=10.130.2.72 mac-address=BC:A9:93:46:ED:39 server=vlan2-dhcp
add address=10.130.2.73 mac-address=BC:A9:93:46:B2:69 server=vlan2-dhcp
add address=10.130.2.80 mac-address=BC:A9:93:46:C9:79 server=vlan2-dhcp
add address=10.130.2.87 mac-address=BC:A9:93:47:1E:09 server=vlan2-dhcp
add address=10.130.2.88 mac-address=BC:A9:93:47:9F:E9 server=vlan2-dhcp
add address=10.130.2.89 mac-address=BC:A9:93:47:9F:D9 server=vlan2-dhcp
add address=10.130.2.90 mac-address=BC:A9:93:46:87:59 server=vlan2-dhcp
add address=10.130.2.92 mac-address=BC:A9:93:47:A2:F9 server=vlan2-dhcp
add address=10.130.2.93 mac-address=BC:A9:93:47:2B:D1 server=vlan2-dhcp
add address=10.130.2.19 mac-address=BC:A9:93:46:C5:69 server=vlan2-dhcp
add address=10.130.2.94 mac-address=BC:A9:93:47:A3:E9 server=vlan2-dhcp
add address=10.130.2.96 mac-address=BC:A9:93:46:F4:51 server=vlan2-dhcp
add address=10.130.2.58 mac-address=BC:A9:93:46:F4:41 server=vlan2-dhcp
add address=10.130.2.98 mac-address=BC:A9:93:47:1D:D9 server=vlan2-dhcp
add address=10.130.2.99 mac-address=BC:A9:93:46:AE:49 server=vlan2-dhcp
add address=10.130.2.82 mac-address=BC:A9:93:46:ED:31 server=vlan2-dhcp
add address=10.130.2.100 mac-address=BC:A9:93:47:2B:C9 server=vlan2-dhcp
add address=10.130.2.95 mac-address=BC:A9:93:47:6A:19 server=vlan2-dhcp
add address=10.130.2.252 mac-address=BC:A9:93:46:D0:39 server=vlan2-dhcp
add address=10.130.2.25 mac-address=BC:A9:93:47:A1:F9 server=vlan2-dhcp
add address=10.130.2.91 mac-address=BC:A9:93:47:86:01 server=vlan2-dhcp
add address=10.130.2.34 mac-address=BC:A9:93:46:C9:71 server=vlan2-dhcp
/ip dhcp-server network
add address=10.130.0.0/24 comment=OOB gateway=10.130.0.1
add address=10.130.1.0/24 comment=Servers gateway=10.130.1.1
add address=10.130.2.0/23 comment="Subscribers - CPE" dns-server=\
8.8.8.8,1.1.1.1 gateway=10.130.2.1
add address=10.130.4.0/23 comment="Subscribers - SM" dns-server=\
8.8.8.8,1.1.1.1 gateway=10.130.4.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall mangle
add action=mark-connection chain=prerouting comment="For PCC" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=NEED_PCC new-connection-mark=to_wan1 passthrough=yes \
per-connection-classifier=both-addresses:10/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan2 passthrough=yes per-connection-classifier=\
both-addresses:10/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan3 passthrough=yes per-connection-classifier=\
both-addresses:10/2
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan4 passthrough=yes per-connection-classifier=\
both-addresses:10/3
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan5 passthrough=yes per-connection-classifier=\
both-addresses:10/4
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan6 passthrough=yes per-connection-classifier=\
both-addresses:10/5
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan7 passthrough=yes per-connection-classifier=\
both-addresses:10/6
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan8 passthrough=yes per-connection-classifier=\
both-addresses:10/7
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan9 passthrough=yes per-connection-classifier=\
both-addresses:10/8
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface-list=NEED_PCC \
new-connection-mark=to_wan10 passthrough=yes per-connection-classifier=\
both-addresses:10/9
add action=mark-connection chain=forward comment="For Sonar" \
dst-address-list="Standard Internet" new-connection-mark=\
Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=Standard_Traffic_Up passthrough=yes src-address-list=\
"Standard Internet"
add action=mark-connection chain=forward dst-address-list=\
"High Capacity Internet" new-connection-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=High_Capacity_Traffic_Up passthrough=yes \
src-address-list="High Capacity Internet"
add action=mark-packet chain=forward comment="For Sonar" connection-mark=\
Standard_Traffic_Down new-packet-mark=Standard_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up \
in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=\
yes
add action=mark-packet chain=forward connection-mark=\
High_Capacity_Traffic_Down new-packet-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Up \
in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up \
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Cacti HTTP" dst-port=180 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="Cacti HTTPS" dst-port=1443 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=443
add action=dst-nat chain=dstnat comment="Preseem SSH" dst-port=22222 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=22
add action=dst-nat chain=dstnat comment="Preseem Cockpit" dst-port=9090 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=9090
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=192.168.132.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.133.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-1-wan1 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-2-wan2 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-3-wan3 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-4-wan4 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-5-wan5 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-6-wan6 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-7-wan7 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-8-wan8 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-9-wan9 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-10-wan10 \
routing-table=main suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-1-wan1 \
routing-table=to_wan1 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-2-wan2 \
routing-table=to_wan2 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-3-wan3 \
routing-table=to_wan3 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-4-wan4 \
routing-table=to_wan4 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-5-wan5 \
routing-table=to_wan5 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp28-6-wan6 \
routing-table=to_wan6 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-7-wan7 \
routing-table=to_wan7 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-8-wan8 \
routing-table=to_wan8 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-9-wan9 \
routing-table=to_wan9 suppress-hw-offload=no
add disabled=yes dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp28-10-wan10 \
routing-table=to_wan10 suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=myCa disabled=no port=8443
set api-ssl certificate=myCa
/ip ssh
set strong-crypto=yes
/snmp
set contact="Richesin Engineering <jaysen@richesinengineering.com>" enabled=\
yes location="Communications Shelter, Unalakleet, AK [63.89890275724056, -\
160.7788028412428]" trap-community=atbunal
/system clock
set time-zone-autodetect=no time-zone-name=America/Anchorage
/system identity
set name=UnalakleetRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add disabled=yes interval=5m name=QueueTreeUsageCheck on-event=":log info \"Qu\
eueTreeUsageCheck script started\"\r\
\nQueueTreeUsageCheck\r\
\n:log info \"QueueTreeUsageCheck script finished\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-03 start-time=11:04:00
add disabled=yes interval=4w2d name=datareset on-event=\
"/queue tree reset-counters numbers=[find]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-01 start-time=09:33:17
add disabled=yes interval=5m name=runThrottle on-event=\
"/system script run throttle;" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-23 start-time=00:00:00
/system script
add dont-require-permissions=no name=rogue-dhcp-scan owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"Found rogue DHCP server at \$[/system clock get date] \$[/syste\
m clock get time] on interface bridge-trunk]\"\r\
\n#Email\r\
\n/tool e-mail send to=\"jaysen@richesinengineering.com\" subject=\"Found \
rogue DHCP server at \$[/system clock get date] \$[/system clock get time]\
\_on interface bridge-trunk\""
add dont-require-permissions=no name=throttle owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local thresholdBytes 161061273600; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"Standard_Download_Sp\
eed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"Standard_Upload_Speed\
\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}\r\
\n\r\
\n:local thresholdBytes 268435456000; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"High_Capacity_Downlo\
ad_Speed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"High_Capacity_Upload_S\
peed\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from="Unalakleet Router" port=2525 server=mail.smtp2go.com tls=yes user=\
alerts@richesinengineering.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=sfp28-3-wan3 name=tmon1
Clear.I had removed some sensitive data in the config before posting it. That's likely why it wasn't in there.
/system/script/add name=lease-script source=":if (\$bound=1) do={\
\n /ip route {\
\n :if ([:len [find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole routing-table=main]]=0) do={\
\n add gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n }\
\n :foreach r in=[find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole] do={\
\n set \$r gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n }\
\n }\
\n}\
\n"
Maybe consider adding some monitoring of the starlink performance — which is kinda annoying since it use gRPC, not SNMP. I know there is starlink plugin for Prometheus, but if you have some other NMS somewhere... imagine there are plugins for starlink. The terminal's gRPC data includes stuff like max speed, # sats, etc. if you know that it be easier to find where fault lies down the road.All the above is still just an intermediary step. My feeling is that with all uplinks served by the same satellite constellation, most of the outages will be affected by poor satellite visibility and will thus affect all of them, yet still we'll have to add means to notice and stop using a broken terminal, but that's for later.
All the Starlinks I happen to deal with are remote ones so I never delved into monitoring of the terminal, assuming that the owner's app shows you something. What I had in mind was the "good old" monitoring of uplink transparency all the way to internet, preventing the situation where the WAN interface is physically up so the router keeps using it although the packets sent through that interface get nowhere due to an outage further in the ISP network.Maybe consider adding some monitoring of the starlink performance — which is kinda annoying since it use gRPC, not SNMP. I know there is starlink plugin for Prometheus, but if you have some other NMS somewhere... imagine there are plugins for starlink. The terminal's gRPC data includes stuff like max speed, # sats, etc. if you know that it be easier to find where fault lies down the road.
Thank you Sindy for the script. I was starting to wonder how I was going to handle changing the routes in the event our IP addresses change. I didn't want to do it manually especially if any change occurred in the middle of the night or otherwise working with other clients and out of reach so this is very helpful. I am going to create that now.So here's how to make the DHCP clients add/modify the routes the necessary way.
First, copy-paste the following script to the command line window of the router. The exported form looks awful, but it is not invoked until you change other things in the configuration, so you can paste the creation script from and then open the created script named lease-script in the GUI or command line editor to see it in a more user friendly way.
Once the script is added and you make yourself comfortable with what it does, you can test the following steps for one of the DHCP clients (choose the N in the command as required):Code: Select all/system/script/add name=lease-script source=":if (\$bound=1) do={\ \n /ip route {\ \n :if ([:len [find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole routing-table=main]]=0) do={\ \n add gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\ \n }\ \n :foreach r in=[find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole] do={\ \n set \$r gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\ \n }\ \n }\ \n}\ \n"
/ip/dhcp-client/set [find where interface=sfp28-N-wanN] script=lease-script add-default-route=no
/ip/dhcp-client/release [find where interface=sfp28-N-wanN]
In the last configuration you've posted, the statically configured routes are already present even in table main, so they will get only updated, not added (unless you remove them before). But as the dynamically added one will be removed due to the change of add-default-route to no, you'll have to enable the disabled static route in main.
There may be a catch - you have renamed the sfp28-N interfaces to sfp-28-N-wanN, and I had some fun with that when testing it here. I have created and assigned the dhcp script while the interface had a custom name, but then decided to reset the custom name back to the default one. Nevertheless, the script kept using the old custom one; deleting and recreating the dhcp client was not enough to sort that out, but disabling and re-enabling the inteface did. Any questions that might arise are not to me, thank you
If you can see the expected outcome, which is to have a route via sfp28-N-wanN with the correct gateway address in the configuration as a static one, you can do the same for one more DHCP client. My plan is to let the L2TP client use those two before eventually extending the approach to all of them.
All the above is still just an intermediary step. My feeling is that with all uplinks served by the same satellite constellation, most of the outages will be affected by poor satellite visibility and will thus affect all of them, yet still we'll have to add means to notice and stop using a broken terminal, but that's for later.
# 2023-11-14 19:10:35 by RouterOS 7.12
# software id = DVNU-PTAC
#
# model = CCR2216-1G-12XS-2XQ
# serial number = HE808NY9TF8
/interface bridge
add admin-mac=48:A9:8A:85:65:FB auto-mac=no comment="Link to NV1560 Port 1" \
name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=qsfp28-1-1 ] disabled=yes
set [ find default-name=qsfp28-1-2 ] disabled=yes
set [ find default-name=qsfp28-1-3 ] disabled=yes
set [ find default-name=qsfp28-1-4 ] disabled=yes
set [ find default-name=qsfp28-2-1 ] disabled=yes
set [ find default-name=qsfp28-2-2 ] disabled=yes
set [ find default-name=qsfp28-2-3 ] disabled=yes
set [ find default-name=qsfp28-2-4 ] disabled=yes
set [ find default-name=sfp28-1 ] comment="Link to Starlink Terminal 1" name=\
sfp28-1-wan1
set [ find default-name=sfp28-2 ] comment="Link to Starlink Terminal 2" name=\
sfp28-2-wan2
set [ find default-name=sfp28-3 ] comment="Link to Starlink Terminal 3" name=\
sfp28-3-wan3
set [ find default-name=sfp28-4 ] comment="Link to Starlink Terminal 4" name=\
sfp28-4-wan4
set [ find default-name=sfp28-5 ] comment="Link to Starlink Terminal 5" name=\
sfp28-5-wan5
set [ find default-name=sfp28-6 ] comment="Link to Starlink Terminal 6" name=\
sfp28-6-wan6
set [ find default-name=sfp28-7 ] comment="Link to Starlink Terminal 7" name=\
sfp28-7-wan7
set [ find default-name=sfp28-8 ] comment="Link to Starlink Terminal 8" name=\
sfp28-8-wan8
set [ find default-name=sfp28-9 ] comment="Link to Starlink Terminal 9" name=\
sfp28-9-wan9
set [ find default-name=sfp28-10 ] comment="Link to Starlink Terminal 10" \
name=sfp28-10-wan10
set [ find default-name=sfp28-11 ] comment="Link to OOB PC" name=sfp28-11-oob
set [ find default-name=sfp28-12 ] comment="Link to Adtran Switch Port 1" \
name=sfp28-12-lan
/interface l2tp-client
add connect-to=vpn.richesineng.com disabled=no name=RE use-ipsec=yes user=\
unalakleet
/interface vlan
add comment=Customers interface=sfp28-12-lan name=vlan2 vlan-id=2
/interface list
add comment="contains WAN interfaces" name=WAN
add comment="contains LAN interfaces" name=LAN
add comment="Contains VPN interfaces" name=VPN
add name=WAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add authoritative=after-2sec-delay interface=bridge-lan lease-time=5m name=\
vlan2-dhcp
/ip pool
add name=vlan2-pool ranges=10.130.2.10-10.130.3.254
/port
set 0 name=serial0
/queue type
add kind=pcq name=MaxDownloadSpeed pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=MaxUploadSpeed pcq-classifier=dst-address pcq-rate=1M
add kind=pcq name=Standard_Download_Speed pcq-burst-rate=30M pcq-burst-time=\
15s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=25M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=Standard_Upload_Speed pcq-burst-rate=3600k pcq-burst-time=\
15s pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Download_Speed pcq-burst-rate=30M \
pcq-burst-time=15s pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-rate=25M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Upload_Speed pcq-burst-rate=3600k \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=3M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
/queue tree
add max-limit=300M name=Standard_Download_Speed packet-mark=\
Standard_Traffic_Down parent=bridge-lan priority=7 queue=\
Standard_Download_Speed
add max-limit=50M name=Standard_Upload_Speed packet-mark=Standard_Traffic_Up \
parent=bridge-lan priority=7 queue=Standard_Upload_Speed
add max-limit=300M name=High_Capacity_Download_Speed packet-mark=\
High_Capacity_Traffic_Down parent=bridge-lan priority=7 queue=\
High_Capacity_Download_Speed
add max-limit=50M name=High_Capacity_Upload_Speed packet-mark=\
High_Capacity_Traffic_Up parent=bridge-lan priority=7 queue=\
High_Capacity_Upload_Speed
/routing table
add fib name=to_wan1
add fib name=to_wan2
add fib name=to_wan3
add fib name=to_wan4
add fib name=to_wan5
add fib name=to_wan6
add fib name=to_wan7
add fib name=to_wan8
add fib name=to_wan9
add fib name=to_wan10
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=atbunal
/interface bridge port
add bridge=bridge-lan interface=vlan2
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=sfp28-1-wan1 list=WAN
add interface=sfp28-2-wan2 list=WAN
add comment="RE VPN" interface=RE list=VPN
add interface=sfp28-3-wan3 list=WAN
add interface=sfp28-4-wan4 list=WAN
add interface=sfp28-5-wan5 list=WAN
add interface=sfp28-6-wan6 list=WAN
add interface=sfp28-7-wan7 list=WAN
add interface=sfp28-8-wan8 list=WAN
add interface=sfp28-9-wan9 list=WAN
add interface=sfp28-10-wan10 list=WAN
/ip address
add address=10.130.1.1/24 comment="Servers - vlan1" interface=sfp28-12-lan \
network=10.130.1.0
add address=10.130.2.1/23 comment="Subscribers - CPE" interface=vlan2 \
network=10.130.2.0
add address=10.130.4.1/23 comment="Subscribers - SM" interface=vlan2 network=\
10.130.4.0
/ip dhcp-client
add interface=sfp28-1-wan1 use-peer-dns=no
add interface=sfp28-2-wan2 use-peer-dns=no
add interface=sfp28-3-wan3 use-peer-dns=no
add interface=sfp28-4-wan4 use-peer-dns=no
add interface=sfp28-5-wan5 use-peer-dns=no
add interface=sfp28-6-wan6 use-peer-dns=no
add interface=sfp28-7-wan7 use-peer-dns=no
add interface=sfp28-8-wan8 use-peer-dns=no
add interface=sfp28-9-wan9 use-peer-dns=no
add interface=sfp28-10-wan10 use-peer-dns=no
/ip dhcp-server alert
add comment="Rogue DHCP Detect" disabled=no interface=bridge-lan on-alert=\
":log error message=\"Rogue DHCP Server Discovered\"" valid-server=\
48:A9:8A:85:65:FB
/ip dhcp-server lease
add address=10.130.3.3 mac-address=BC:A9:93:46:C5:D9 server=vlan2-dhcp
add address=10.130.2.10 mac-address=BC:A9:93:47:A2:D9 server=vlan2-dhcp
add address=10.130.2.11 mac-address=BC:A9:93:47:2A:C1 server=vlan2-dhcp
add address=10.130.2.12 mac-address=BC:A9:93:46:94:39 server=vlan2-dhcp
add address=10.130.2.13 mac-address=BC:A9:93:46:7A:59 server=vlan2-dhcp
add address=10.130.2.14 mac-address=BC:A9:93:46:90:99 server=vlan2-dhcp
add address=10.130.3.29 mac-address=BC:A9:93:47:58:11 server=vlan2-dhcp
add address=10.130.2.251 mac-address=BC:A9:93:47:A2:E9 server=vlan2-dhcp
add address=10.130.2.147 mac-address=BC:A9:93:46:85:F9 server=vlan2-dhcp
add address=10.130.2.52 mac-address=BC:A9:93:46:83:71 server=vlan2-dhcp
add address=10.130.2.16 mac-address=BC:A9:93:46:70:21 server=vlan2-dhcp
add address=10.130.2.17 mac-address=BC:A9:93:47:2B:B1 server=vlan2-dhcp
add address=10.130.2.20 mac-address=BC:A9:93:47:99:09 server=vlan2-dhcp
add address=10.130.2.21 mac-address=BC:A9:93:46:7A:61 server=vlan2-dhcp
add address=10.130.2.22 mac-address=BC:A9:93:47:9B:B9 server=vlan2-dhcp
add address=10.130.2.23 mac-address=BC:A9:93:47:2B:A9 server=vlan2-dhcp
add address=10.130.2.24 mac-address=BC:A9:93:46:BC:89 server=vlan2-dhcp
add address=10.130.2.26 mac-address=BC:A9:93:46:94:29 server=vlan2-dhcp
add address=10.130.2.27 mac-address=BC:A9:93:46:9E:D1 server=vlan2-dhcp
add address=10.130.2.28 mac-address=BC:A9:93:46:88:61 server=vlan2-dhcp
add address=10.130.2.29 mac-address=BC:A9:93:46:EF:89 server=vlan2-dhcp
add address=10.130.2.30 mac-address=BC:A9:93:47:10:B9 server=vlan2-dhcp
add address=10.130.2.31 mac-address=BC:A9:93:46:6D:19 server=vlan2-dhcp
add address=10.130.2.32 mac-address=BC:A9:93:47:2C:99 server=vlan2-dhcp
add address=10.130.2.33 mac-address=BC:A9:93:47:9B:41 server=vlan2-dhcp
add address=10.130.2.35 mac-address=BC:A9:93:46:C6:91 server=vlan2-dhcp
add address=10.130.2.37 mac-address=BC:A9:93:47:1A:81 server=vlan2-dhcp
add address=10.130.2.38 mac-address=BC:A9:93:46:71:41 server=vlan2-dhcp
add address=10.130.2.39 mac-address=BC:A9:93:46:A7:09 server=vlan2-dhcp
add address=10.130.2.40 mac-address=BC:A9:93:46:A7:69 server=vlan2-dhcp
add address=10.130.2.41 mac-address=BC:A9:93:46:84:B1 server=vlan2-dhcp
add address=10.130.2.42 mac-address=BC:A9:93:46:90:49 server=vlan2-dhcp
add address=10.130.2.43 mac-address=BC:A9:93:47:1E:01 server=vlan2-dhcp
add address=10.130.2.44 mac-address=BC:A9:93:47:A3:49 server=vlan2-dhcp
add address=10.130.2.45 mac-address=BC:A9:93:46:6F:29 server=vlan2-dhcp
add address=10.130.2.46 mac-address=BC:A9:93:46:90:01 server=vlan2-dhcp
add address=10.130.2.50 mac-address=BC:A9:93:46:8D:99 server=vlan2-dhcp
add address=10.130.2.51 mac-address=BC:A9:93:46:EC:B1 server=vlan2-dhcp
add address=10.130.2.53 mac-address=BC:A9:93:46:86:61 server=vlan2-dhcp
add address=10.130.2.54 mac-address=BC:A9:93:46:86:71 server=vlan2-dhcp
add address=10.130.2.55 mac-address=BC:A9:93:46:C5:89 server=vlan2-dhcp
add address=10.130.2.56 mac-address=BC:A9:93:46:90:51 server=vlan2-dhcp
add address=10.130.2.57 mac-address=BC:A9:93:47:2D:B9 server=vlan2-dhcp
add address=10.130.2.59 mac-address=BC:A9:93:46:C6:D9 server=vlan2-dhcp
add address=10.130.2.60 mac-address=BC:A9:93:46:87:89 server=vlan2-dhcp
add address=10.130.2.61 mac-address=BC:A9:93:46:C6:81 server=vlan2-dhcp
add address=10.130.2.62 mac-address=BC:A9:93:46:A6:31 server=vlan2-dhcp
add address=10.130.2.64 mac-address=BC:A9:93:46:C5:F9 server=vlan2-dhcp
add address=10.130.2.66 mac-address=BC:A9:93:46:C6:E9 server=vlan2-dhcp
add address=10.130.2.67 mac-address=BC:A9:93:46:ED:29 server=vlan2-dhcp
add address=10.130.2.68 mac-address=BC:A9:93:46:DB:49 server=vlan2-dhcp
add address=10.130.2.69 mac-address=BC:A9:93:46:97:21 server=vlan2-dhcp
add address=10.130.2.71 mac-address=BC:A9:93:46:CF:71 server=vlan2-dhcp
add address=10.130.2.74 mac-address=BC:A9:93:47:5E:11 server=vlan2-dhcp
add address=10.130.2.76 mac-address=BC:A9:93:47:2B:21 server=vlan2-dhcp
add address=10.130.2.77 mac-address=BC:A9:93:46:BC:11 server=vlan2-dhcp
add address=10.130.2.78 mac-address=BC:A9:93:46:84:C9 server=vlan2-dhcp
add address=10.130.2.79 mac-address=BC:A9:93:46:6F:39 server=vlan2-dhcp
add address=10.130.2.81 mac-address=BC:A9:93:46:84:D9 server=vlan2-dhcp
add address=10.130.2.86 mac-address=BC:A9:93:47:29:61 server=vlan2-dhcp
add address=10.130.2.72 mac-address=BC:A9:93:46:ED:39 server=vlan2-dhcp
add address=10.130.2.73 mac-address=BC:A9:93:46:B2:69 server=vlan2-dhcp
add address=10.130.2.80 mac-address=BC:A9:93:46:C9:79 server=vlan2-dhcp
add address=10.130.2.87 mac-address=BC:A9:93:47:1E:09 server=vlan2-dhcp
add address=10.130.2.88 mac-address=BC:A9:93:47:9F:E9 server=vlan2-dhcp
add address=10.130.2.89 mac-address=BC:A9:93:47:9F:D9 server=vlan2-dhcp
add address=10.130.2.90 mac-address=BC:A9:93:46:87:59 server=vlan2-dhcp
add address=10.130.2.92 mac-address=BC:A9:93:47:A2:F9 server=vlan2-dhcp
add address=10.130.2.93 mac-address=BC:A9:93:47:2B:D1 server=vlan2-dhcp
add address=10.130.2.19 mac-address=BC:A9:93:46:C5:69 server=vlan2-dhcp
add address=10.130.2.94 mac-address=BC:A9:93:47:A3:E9 server=vlan2-dhcp
add address=10.130.2.96 mac-address=BC:A9:93:46:F4:51 server=vlan2-dhcp
add address=10.130.2.58 mac-address=BC:A9:93:46:F4:41 server=vlan2-dhcp
add address=10.130.2.98 mac-address=BC:A9:93:47:1D:D9 server=vlan2-dhcp
add address=10.130.2.99 mac-address=BC:A9:93:46:AE:49 server=vlan2-dhcp
add address=10.130.2.82 mac-address=BC:A9:93:46:ED:31 server=vlan2-dhcp
add address=10.130.2.100 mac-address=BC:A9:93:47:2B:C9 server=vlan2-dhcp
add address=10.130.2.95 mac-address=BC:A9:93:47:6A:19 server=vlan2-dhcp
add address=10.130.2.252 mac-address=BC:A9:93:46:D0:39 server=vlan2-dhcp
add address=10.130.2.25 mac-address=BC:A9:93:47:A1:F9 server=vlan2-dhcp
add address=10.130.2.91 mac-address=BC:A9:93:47:86:01 server=vlan2-dhcp
add address=10.130.2.34 mac-address=BC:A9:93:46:C9:71 server=vlan2-dhcp
/ip dhcp-server network
add address=10.130.1.0/24 comment=Servers gateway=10.130.1.1
add address=10.130.2.0/23 comment="Subscribers - CPE" dns-server=\
8.8.8.8,1.1.1.1 gateway=10.130.2.1
add address=10.130.4.0/23 comment="Subscribers - SM" dns-server=\
8.8.8.8,1.1.1.1 gateway=10.130.4.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall mangle
add action=accept chain=prerouting disabled=yes dst-address=98.97.64.0/21 \
in-interface=bridge-lan
add action=accept chain=prerouting disabled=yes dst-address=98.97.96.0/21 \
in-interface=bridge-lan
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-1-wan1 new-connection-mark=to_wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-2-wan2 new-connection-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-3-wan3 new-connection-mark=to_wan3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-4-wan4 new-connection-mark=to_wan4 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-5-wan5 new-connection-mark=to_wan5 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-6-wan6 new-connection-mark=to_wan6 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-7-wan7 new-connection-mark=to_wan7 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-8-wan8 new-connection-mark=to_wan8 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-9-wan9 new-connection-mark=to_wan9 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes in-interface=sfp28-10-wan10 new-connection-mark=to_wan10 passthrough=\
yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan1 passthrough=yes per-connection-classifier=both-addresses:10/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan2 passthrough=yes per-connection-classifier=both-addresses:10/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan3 passthrough=yes per-connection-classifier=both-addresses:10/2
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan4 passthrough=yes per-connection-classifier=both-addresses:10/3
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan5 passthrough=yes per-connection-classifier=both-addresses:10/4
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan6 passthrough=yes per-connection-classifier=both-addresses:10/5
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan7 passthrough=yes per-connection-classifier=both-addresses:10/6
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan8 passthrough=yes per-connection-classifier=both-addresses:10/7
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan9 passthrough=yes per-connection-classifier=both-addresses:10/8
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan10 passthrough=yes per-connection-classifier=both-addresses:10/9
add action=mark-routing chain=prerouting connection-mark=to_wan1 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan2 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan3 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan4 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan5 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan5 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan6 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan6 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan7 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan7 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan8 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan8 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan9 disabled=yes \
in-interface=bridge-lan new-routing-mark=to_wan9 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to_wan10 disabled=\
yes in-interface=bridge-lan new-routing-mark=to_wan10 passthrough=yes
add action=mark-connection chain=forward comment="For Sonar" \
dst-address-list="Standard Internet" new-connection-mark=\
Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=Standard_Traffic_Up passthrough=yes src-address-list=\
"Standard Internet"
add action=mark-connection chain=forward dst-address-list=\
"High Capacity Internet" new-connection-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=High_Capacity_Traffic_Up passthrough=yes \
src-address-list="High Capacity Internet"
add action=mark-packet chain=forward comment="For Sonar" connection-mark=\
Standard_Traffic_Down new-packet-mark=Standard_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up \
in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=\
yes
add action=mark-packet chain=forward connection-mark=\
High_Capacity_Traffic_Down new-packet-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Up \
in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up \
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-1-wan1
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-2-wan2
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-3-wan3
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-4-wan4
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-5-wan5
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-6-wan6
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-7-wan7
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-8-wan8
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-9-wan9
add action=masquerade chain=srcnat disabled=yes out-interface=sfp28-10-wan10
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Cacti HTTP" dst-port=180 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="Cacti HTTPS" dst-port=1443 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=443
add action=dst-nat chain=dstnat comment="Preseem SSH" dst-port=22222 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=22
add action=dst-nat chain=dstnat comment="Preseem Cockpit" dst-port=9090 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=9090
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=192.168.132.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.133.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-1-wan1 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-2-wan2 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-3-wan3 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=4 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-4-wan4 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=5 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-5-wan5 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=6 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-6-wan6 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=7 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-7-wan7 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=8 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-8-wan8 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=9 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-9-wan9 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=10 dst-address=0.0.0.0/0 \
gateway=98.97.96.1%sfp28-10-wan10 routing-table=main suppress-hw-offload=\
no
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-1-wan1 routing-table=to_wan1 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-2-wan2 routing-table=to_wan2 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-3-wan3 routing-table=to_wan3 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=4 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-4-wan4 routing-table=to_wan4 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=5 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-5-wan5 routing-table=to_wan5 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=6 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-6-wan6 routing-table=to_wan6 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=7 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-7-wan7 routing-table=to_wan7 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=8 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-8-wan8 routing-table=to_wan8 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=9 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-9-wan9 routing-table=to_wan9 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=10 dst-address=0.0.0.0/0 \
gateway=98.97.96.1%sfp28-10-wan10 routing-table=to_wan10 \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=myCa disabled=no port=8443
set api disabled=yes
set api-ssl certificate=myCa
/ip ssh
set strong-crypto=yes
/snmp
set contact="Richesin Engineering <jaysen@richesinengineering.com>" enabled=\
yes location="Communications Shelter, Unalakleet, AK [63.89890275724056, -\
160.7788028412428]" trap-community=atbunal
/system clock
set time-zone-autodetect=no time-zone-name=America/Anchorage
/system identity
set name=UnalakleetRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add disabled=yes interval=5m name=QueueTreeUsageCheck on-event=":log info \"Qu\
eueTreeUsageCheck script started\"\r\
\nQueueTreeUsageCheck\r\
\n:log info \"QueueTreeUsageCheck script finished\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-03 start-time=11:04:00
add disabled=yes interval=4w2d name=datareset on-event=\
"/queue tree reset-counters numbers=[find]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-01 start-time=09:33:17
add disabled=yes interval=5m name=runThrottle on-event=\
"/system script run throttle;" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-23 start-time=00:00:00
/system script
add dont-require-permissions=no name=rogue-dhcp-scan owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"Found rogue DHCP server at \$[/system clock get date] \$[/syste\
m clock get time] on interface bridge-trunk]\"\r\
\n#Email\r\
\n/tool e-mail send to=\"jaysen@richesinengineering.com\" subject=\"Found \
rogue DHCP server at \$[/system clock get date] \$[/system clock get time]\
\_on interface bridge-trunk\""
add dont-require-permissions=no name=throttle owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local thresholdBytes 161061273600; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"Standard_Download_Sp\
eed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"Standard_Upload_Speed\
\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}\r\
\n\r\
\n:local thresholdBytes 268435456000; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"High_Capacity_Downlo\
ad_Speed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"High_Capacity_Upload_S\
peed\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from="Unalakleet Router" port=2525 server=mail.smtp2go.com tls=yes user=\
alerts@richesinengineering.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=sfp28-3-wan3 name=tmon1
Depending on the order of creating the DHCP client, renaming the interface it is attached to, and possibly rebooting the router in the past the result may be different. The lease script uses the interface name to find, add, and modify the routes, and on my test router it was remembering the previous name. So forcing the DHCP client to renew an address after adding the script using /interface/ethernet/disable sfp28-N-wanN ; delay 2s ; /interface/ethernet/enable sfp28-N-wanN rather than /ip/dhcp-client/release [find where interface=sfp28-N-wanN] may be a better choice after renaming the interface or if you are not certain.I had just added -wanN to the end of the default names but willing to rename them to simplify things if necessary.
Frankly speaking the simulation at starlink.sx has scared me a lot as it is showing long (as in tens of minutes) outages in coverage for Unalakleet, so I hope they are using outdated/inaccurate data. LEO satellites are superior to geostationary ones for both delay and throughput per square mile of coverage. Far lower distance to travel so far lower delay, far lower attenuation to compensate, and far bigger area to cover by a single antenna with a given throughput. But in these areas, polar trajectories seem to be mandatory so it's more or less a separate (from the main one covering the belt from 52°S to 52°N) Starlink constellation. And OneWeb probably didn't get that far (yet) so geostationary is their only choice for those areas.Good news about the satellite visibility ... OneWeb can't even begin to compete ...
From my experience with other Starlink installations in "bypass" mode, the gateway is probably redundant - if you look into the ARP table, you will probably see the MAC addresses of all (currently "both") the gateway IPs to begin with 00:00:5E:00:. So it is more likely that all your terminals lose connection than that a gateway in just one of the subnets becomes unreachable.I did have a question about the failover section and while I did set the distances in the routes. I am starting to wonder whether I even need to do that since all the gateways are the same on most of the terminals so if it goes down then it seems like it would be down for every connection that uses the same gateway?
/routing/table/add name=for-l2tp fib
/ip/route/add routing-table=for-l2tp gateway=1.1.1.1%sfp28-10-wan10 distance=1
/ip/route/add routing-table=for-l2tp gateway=1.1.1.1%sfp28-9-wan9 distance=2
Hello Sindy,Depending on the order of creating the DHCP client, renaming the interface it is attached to, and possibly rebooting the router in the past the result may be different. The lease script uses the interface name to find, add, and modify the routes, and on my test router it was remembering the previous name. So forcing the DHCP client to renew an address after adding the script using /interface/ethernet/disable sfp28-N-wanN ; delay 2s ; /interface/ethernet/enable sfp28-N-wanN rather than /ip/dhcp-client/release [find where interface=sfp28-N-wanN] may be a better choice after renaming the interface or if you are not certain.I had just added -wanN to the end of the default names but willing to rename them to simplify things if necessary.
Frankly speaking the simulation at starlink.sx has scared me a lot as it is showing long (as in tens of minutes) outages in coverage for Unalakleet, so I hope they are using outdated/inaccurate data. LEO satellites are superior to geostationary ones for both delay and throughput per square mile of coverage. Far lower distance to travel so far lower delay, far lower attenuation to compensate, and far bigger area to cover by a single antenna with a given throughput. But in these areas, polar trajectories seem to be mandatory so it's more or less a separate (from the main one covering the belt from 52°S to 52°N) Starlink constellation. And OneWeb probably didn't get that far (yet) so geostationary is their only choice for those areas.Good news about the satellite visibility ... OneWeb can't even begin to compete ...
From my experience with other Starlink installations in "bypass" mode, the gateway is probably redundant - if you look into the ARP table, you will probably see the MAC addresses of all (currently "both") the gateway IPs to begin with 00:00:5E:00:. So it is more likely that all your terminals lose connection than that a gateway in just one of the subnets becomes unreachable.I did have a question about the failover section and while I did set the distances in the routes. I am starting to wonder whether I even need to do that since all the gateways are the same on most of the terminals so if it goes down then it seems like it would be down for every connection that uses the same gateway?
So I maintain my previouos position that we have to deal with issues we have to capacity to deal with, i.e. a breakdown of a single terminal. The only satellite within reach gone bonkers does not fit into this category.
As for route distances - these determine the priority among routes whose dst-address and routing-table parameters are identical. If multiple such routes are eligible for being active, those with the lowest value of distance are actually made active, and if there are multiple such ones, they are used in a round-robin manner (ECMP). So as @anav probably wrote earlier - in order that failover and load distribution worked in accord, you need to have one routing table per uplink that is used for traffic that should prefer that uplink but can send the traffic via other uplinks if the preferred one becomes unusable. In the simplest to configure case, you define just one backup uplink for each preferred one, so if the preferred one dies, the backup one has to bear its full load on top of its own one. In the optimized case, the load of the failed link is evenly distributed among all the remaining ones. So much more lines of configuration with much more room for mistakes but potentially less impact on customers if a terminal eventually fails. Choose your poison.
So for starters, let me give you an example for the L2TP, which is the most wanted functionality right now I gather.
You'll add a routing table named for-l2tp with two routes, one with distance=1 and the other one with distance=2, using the two WANs for which you have modified the DHCP client behavior. Let's say you've chosen WAN 9 and WAN 10:
By forcing a release followed by a re-lease (pun intended) of the DHCP address as described above, you'll trigger the lease script that should replace the 1.1.1.1 by the correct addresses of the respective gateways in these routes.Code: Select all/routing/table/add name=for-l2tp fib /ip/route/add routing-table=for-l2tp gateway=1.1.1.1%sfp28-10-wan10 distance=1 /ip/route/add routing-table=for-l2tp gateway=1.1.1.1%sfp28-9-wan9 distance=2
There are multiple possible ways to make the L2TP connection use this table; since the own WAN addresses of the Mikrotik are dynamic and since you identify the VPN server by its fqdn, so I assume its IP address may also change, all these ways require that the routing table to be used was assigned using mangle rules in chain output.
So let's make any connection from the router itself to your VPN server use this routing table. To make sure it won't break once the server migrates to another IP address, we'll add an address list to track the fqdn:
/ip/firewall/address-list/add list=re-vpn address=vpn.richesineng.com
It should create a dynamic item in the same address list but with the actual IP address as address. If it doesn't, something is wrong with the DNS setting.
Then, you add a single rule to the very top of chain output in mangle (which is easy as that chain is totally empty now):
/ip/firewall/mangle/add chain=output dst-address-list=re-vpn action=mark-routing new-routing-mark=for-l2tp passthrough=no
It seems this should be it; there is an additional issue, though. A packet sent by the router itself must first be routed using routing table main before it can get to mangle chain output, so it gets assigned some source address depending on the out-interface chosen by main. If mangle assigns a routing-mark to it, the routing is done again, but the source address remains the same. So a src-nat (or masquerade) rule must replace it by the address of the out-interface. This is OK until the uplink connected to that out-interface stops working without the interface going physically down. The connection tracking only removes the connection from its inventory if it has been src-nated using a masquerade rule and if the reply-dst-address assigned by the masquerade rule goes missing. Starlink seems to lease the addresses for 5 minutes (but that's for CGNAT ones, the public ones may be treated in a different way); if you are happy with the L2TP connection being re-established some 5 minutes after the preferred uplink goes down, nothing else needs to be done. If not, it requires a housekeeping script that removes the address as soon as it detects the failure of the uplink. But again, step by step. Right now I'll be glad if you make the L2TP work without fancy stuff.
If these settings won't get the L2TP going, I'll have to see it online.
A big fat NO for this. Firewall is the first thing to deal with when you connect something directly to the internet, always, no exceptions. The filth from the net is incredibly fast to squat in. Since the VPN works, you should be able to only allow connection to the router itself via the VPN and via LAN as backup and block everything else except what you know needs to be open.Currently I have no filter rules that would block incoming connections, Firewall is wide open until I get it working then I will work on the security.
Great.I am pleased to say that our VPN connection is working again and I have verified that I can access all local devices in Unalakleet remotely.
The router always answers incoming connections from the same address to which they have arrived, but you need to make sure it will also send them via the correct interface because it does not choose a routing table up to a source address automatically. We need to let it use a routing table that contains a single route through the correct interface or at least has such a "correct" route as the most preferred one. If the WAN addresses were static, you could use routing rules for that, but that's not possible here (unless we would make the lease script update them as well) so we need mangle rules again. The generic way to do this is to use connection marking where we save the information about the in-interface of the initial packet of the incoming connection to the context of that connection maintained by the connection tracking module and use it to assign a routing mark to the response packets. So add a rule to the top of chain prerouting of mangle, and keep the rest of rules in that chain disabled for now so that none of them would overwrite the connection mark assigned by this one.Now I just need to get our Sonar Billing instance re-established...
The only settings needed for the MikroTik are: WAN IP, Username, Password and Port Number as shown in attached screenshot. This was all working prior just like the VPN so just need some guidance on what to change on the MikroTik. The difference is this is a connection coming into the MikroTik.
I assume I will need separate routing table and address list so those I have already created. I would like to use the same interfaces 9 and 10 to keep things simple if possible.
/ip firewall mangle print chain=prerouting where !dynamic
/ip/firewall/mangle/add chain=prerouting place-before=0 in-interface=sfp28-10-wan10 connection-state=new action=mark-connection new-connection-mark=use-wan10
/ip/firewall/mangle add chain=output connection-mark=use-wan10 action=mark-routing new-routing-mark=for-l2tp passthrough=no
Hello Sindy,A couple of questions regarding Sonar:
- can it use an FQDN of the router it manages rather than an IPv4 number?
- does it require a continuous connection or it is not an issue if it loses contact for minutes?
Thank you for the suggestion. I will look into them. In the meantime, I hope to get the rest of these routes working today and the rest of the terminals into my NMS monitor. I do appreciate everyone's patience and assistance with all of these issues but progress is being made and client is happy. I have approx 14+ more villages in Alaska coming up so this is quite a learning experience. Unalakleet is the first 2.5 Ghz broadband installation in the state of Alaska (So I've been told) so they are going to be the example that we showcase to the rest of the villages. This is huge and people's lives are going to be positively impacted due to all this work. This will enable access to distance learning opportunities, Access to TeleMedicine and of course the occasional Call of Duty match.I would look at BigLeaf.
Let them Bond and Distribute Across the feeds back to their VPS. Then on to the internet.
The reason for the question was that the router could update a DNS record in your company DNS if the latter has an API for that, or using the Mikrotik "ip cloud" service, or using some 3rd party dynamic DNS service that has a simple enough API. The Mikrotik service has a limitation of a single IP address per device, a fixed hostname generated from the serial number of the device (so to stay safe when using the FQDN to reach that device from too many other devices or if a VPN connection established towards that FQDN is the only way how those other devices can be reached, you still need another DNS with a CNAME pointing to that fixed FQDN based on device serial number), and I have seen it to be down for days in the past which apparently wasn't Mikrotik's fault but for some it was a really tough time.Unfortunately it does not have the capability to use FQDN and not sure if they will add that in future updates.
Well, my question was whether it was a provisioning tool (which your explanation seems to confirm) or whether it directly controlled the traffic (in terms of e.g. cutting off a client if they run off their quota, I have no clue what your business offer is up there). A provisioning tool only has to work when you actively use it, so you can manually change the address if the currently configured one changes or dies; a traffic policing tool needs a constant connection.I don't think a few minutes would be too big of an issue but it's preferred that it be continuous as it controls the DHCP server leases and plan speeds. When it's offline I have to do everything manually on the MIkroTik when adding/removing customers.
Unfortunately it does not have the capability to use FQDN and not sure if they will add that in future updates.The reason for the question was that the router could update a DNS record in your company DNS if the latter has an API for that, or using the Mikrotik "ip cloud" service, or using some 3rd party dynamic DNS service that has a simple enough API. The Mikrotik service has a limitation of a single IP address per device, a fixed hostname generated from the serial number of the device (so to stay safe when using the FQDN to reach that device from too many other devices or if a VPN connection established towards that FQDN is the only way how those other devices can be reached, you still need another DNS with a CNAME pointing to that fixed FQDN based on device serial number), and I have seen it to be down for days in the past which apparently wasn't Mikrotik's fault but for some it was a really tough time.
The use case here would be that if the chosen terminal would fail, the router would use a backup one to update the dynamic DNS with the public address of the public one, and the Sonar could reconnect.
Sonar Support has said that everything that I see in Sonar can be controlled via webhooks so I am wondering if there is some way to automate updating the IP address via a webhook should it change. I don't have much experience with that but I will reach out to Sonar to see if that is possible.
I don't think a few minutes would be too big of an issue but it's preferred that it be continuous as it controls the DHCP server leases and plan speeds. When it's offline I have to do everything manually on the MIkroTik when adding/removing customers.Well, my question was whether it was a provisioning tool (which your explanation seems to confirm) or whether it directly controlled the traffic (in terms of e.g. cutting off a client if they run off their quota, I have no clue what your business offer is up there). A provisioning tool only has to work when you actively use it, so you can manually change the address if the currently configured one changes or dies; a traffic policing tool needs a constant connection.
Correct, Sonar is an all-in-one solution that handles provisioning and it ties in with the Mikrotik and a Preseem appliance to apply shaping to keep customers on their provision package speeds as well as cut off delinquent customers. The only thing Preseem does not do is throttle down a customer when they exceed their data cap. However, I am working with Sonar and have a set of scripts that work with address lists and queues to do the Throttling which I will be implementing at a later time once all the rest of this is setup.
The way I currently handle any IP change is by creating multiple inline device and dhcp server entries in sonar. I would add all the terminal IP addresses in there and leave all disabled except for the current active one. Then all I need to do should a change happen is switch between them. Sonar says this is fine to do but to not have more than one enabled at a time as that could cause problems with having duplicate leases. I've only had to do it once when we still had OneWeb and a backup Starlink set as a failover. The OneWeb terminal failed and the Mikrotik failed over to the Starlink as expected. I then disabled the OneWeb and enabled the Starlink in Sonar and all was good.
What you can do to make VPN traffic switch to a backup WAN far sooner than the VPN client detects an outage and re-establishes the connection via the backup WAN is to establish two VPN tunnels, one using strictly the preferred WAN and the other one using strictly the backup one, and let one of these VPN tunnels be a backup for the other one. This approach doesn't suffer from the issue of src-nated connection surviving an outage of the uplink until the lease is lost as mentioned earlier, but it requires a compatible setup at the VPN server side.
With such a setup, you can also set up port forwarding for Sonar on one of your machines in a datacenter with a static public address to the CCR in Unalakleet via this pair of VPN tunnels. But it is still only a protection against failure of a terminal, it cannot handle an absence of a functional satellite within reach or a failure of the gateway machine.
We have been exploring this option of providing a static via VPN tunnels and do own several blocks of IP addresses that we could use but we are not quite ready to set that up yet. We are in the process of building a new NOC in Anchorage that will house monitoring systems and the ability to provide these static addresses. With so many projects going on in multiple states, that process has been slowed down.
Totally unrelated, you have mentioned that people keep getting security warnings. Some web sites like to handle requests within the same application session by different servers at their end, but check whether all the requests come from the same public address at client side and either reject them or at least issue security warnings if not. To avoid this, the hash in the per-connection-classifier matcher must be calculated solely from the src-address. This means that all outgoing connections of a given LAN address will always get mapped to the same WAN address (unless it fails of course), so the traffic will not be distributed as evenly as when you hash both addresses and ports, but it may be bearable (and also controllable to some extent, you can change the addresses of the clients that generate most traffic to evenly distribute them over the WANs manually).
Could you provide some assistance with getting this going? I have read a bit about PCC and started working on it with the help of anov who was the first to respond to my post. I do have many mangle rules and static routes created but they are currently disabled until I am certain they are configured correctly. I think my most recent config that I provided will show them but if not I can provide it again.
Thank You!
I can assist, just bear in mind the time shift. But your last config posted should work if you enable the mangle rules and the routes and redo the QoS-related mangle rules in chain forward so that they would not use connection marks, because they overwrite those assigned in prerouting.Could you provide some assistance with getting this going? I have read a bit about PCC and started working on it with the help of anov who was the first to respond to my post. I do have many mangle rules and static routes created but they are currently disabled until I am certain they are configured correctly. I think my most recent config that I provided will show them but if not I can provide it again.
Hi Sindy,I can assist, just bear in mind the time shift. But your last config posted should work if you enable the mangle rules and the routes and redo the QoS-related mangle rules in chain forward so that they would not use connection marks, because they overwrite those assigned in prerouting.Could you provide some assistance with getting this going? I have read a bit about PCC and started working on it with the help of anov who was the first to respond to my post. I do have many mangle rules and static routes created but they are currently disabled until I am certain they are configured correctly. I think my most recent config that I provided will show them but if not I can provide it again.
To do so, take all the match conditions of the mangle forward rule that assigns the connection mark, add them to the mangle forward rule that currently translates that connection mark to a packet mark, remove the match on connection mark from the latter rule, and remove the former rule completely. Do this 4 times and that's it.
If no route is active in a routing table indicated by the routing mark, the system uses routing table main instead (unless a routing rule explicitly prohibits that). So the existing configuration does contain a backup for the case that a single Starlink terminal stops working.
As I wrote earlier, it is better to replace both-addresses by src-address in the per-connection-classifier.
Speedify has a lab that ran that at one point.gotsprings looks like your trying to put mikrotik wan solutions under the bus LOL. Here I am trying to figure out optimal failover WAN approaches and it turns out I just need to use BigLeaf.....................
Please send $$$$
Let's go that way if you like, but I'd prefer a more interactive communication channel than the forum. This kind of "share the wisdom" sites is great to describe typical setups and principles so that others could follow them, but there are so many topics dealing with load distribution&backup here that I can't see any point in documenting the process here for the 500th time, so only the waste of time remains. So please consider following this post.It might be best to start fresh with the mangle rules.
Awesome, I'll take a look at it. Thanks for sharingFWIW the PCC youtube vid made by MT is quite good.
https://www.youtube.com/watch?v=nlb7XAv57tw
Used it again to clean up an AC3 LTE setup for PCC sharing across VDSL and LTE.
Only, THIS time I disabled the subtitles which all of a sudden made me see a couple of important things I missed the previous time I saw that video.
And now it works stable and reliably
Just saying ...
Actually, I just viewed this video and I think it has some serious flaws LOL, and no I am not just saying that to contradict holvoe, as much as fun as that is. .FWIW the PCC youtube vid made by MT is quite good.
https://www.youtube.com/watch?v=nlb7XAv57tw
Used it again to clean up an AC3 LTE setup for PCC sharing across VDSL and LTE.
Only, THIS time I disabled the subtitles which all of a sudden made me see a couple of important things I missed the previous time I saw that video.
And now it works stable and reliably
Just saying ...
To be precise, it is meant to be placed just once into the /system script section, and its name to be placed to the script item of each DHCP client. You could put the complete script to the script item of each DHCP client (that item is interpreted in a contextual way, i.e. if the contents is a single word, it is interpreted as a script name, otherwise it is interpreted as a script code), but that would be a maintenance nightmare.A question I have on that lease script. I assume that is meant to be placed inside the script section in each DHCP client? It makes sense to me that it would be appropriate to put it there but figured I would ask.
# 2023-11-17 10:43:01 by RouterOS 7.12
# software id = DVNU-PTAC
#
# model = CCR2216-1G-12XS-2XQ
# serial number = HE808NY9TF8
/interface bridge
add admin-mac=48:A9:8A:85:65:FB auto-mac=no comment="Link to NV1560 Port 1" \
name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=qsfp28-1-1 ] disabled=yes
set [ find default-name=qsfp28-1-2 ] disabled=yes
set [ find default-name=qsfp28-1-3 ] disabled=yes
set [ find default-name=qsfp28-1-4 ] disabled=yes
set [ find default-name=qsfp28-2-1 ] disabled=yes
set [ find default-name=qsfp28-2-2 ] disabled=yes
set [ find default-name=qsfp28-2-3 ] disabled=yes
set [ find default-name=qsfp28-2-4 ] disabled=yes
set [ find default-name=sfp28-1 ] comment="Link to Starlink Terminal 1" name=\
sfp28-1-wan1
set [ find default-name=sfp28-2 ] comment="Link to Starlink Terminal 2" name=\
sfp28-2-wan2
set [ find default-name=sfp28-3 ] comment="Link to Starlink Terminal 3" name=\
sfp28-3-wan3
set [ find default-name=sfp28-4 ] comment="Link to Starlink Terminal 4" name=\
sfp28-4-wan4
set [ find default-name=sfp28-5 ] comment="Link to Starlink Terminal 5" name=\
sfp28-5-wan5
set [ find default-name=sfp28-6 ] comment="Link to Starlink Terminal 6" name=\
sfp28-6-wan6
set [ find default-name=sfp28-7 ] comment="Link to Starlink Terminal 7" name=\
sfp28-7-wan7
set [ find default-name=sfp28-8 ] comment="Link to Starlink Terminal 8" name=\
sfp28-8-wan8
set [ find default-name=sfp28-9 ] comment="Link to Starlink Terminal 9" name=\
sfp28-9-wan9
set [ find default-name=sfp28-10 ] comment="Link to Starlink Terminal 10" \
name=sfp28-10-wan10
set [ find default-name=sfp28-11 ] disabled=yes
set [ find default-name=sfp28-12 ] comment="Link to Adtran Switch Port 1" \
name=sfp28-12-lan
/interface l2tp-client
add connect-to=vpn.richesineng.com disabled=no name=RE use-ipsec=yes user=\
unalakleet
/interface vlan
add comment=Customers interface=sfp28-12-lan name=vlan2 vlan-id=2
/interface list
add comment="contains WAN interfaces" name=WAN
add comment="contains LAN interfaces" name=LAN
add comment="Contains VPN interfaces" name=VPN
add name=WAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add authoritative=after-2sec-delay interface=bridge-lan lease-time=5m name=\
vlan2-dhcp
/ip pool
add name=vlan2-pool ranges=10.130.2.10-10.130.3.254
/port
set 0 name=serial0
/queue type
add kind=pcq name=MaxDownloadSpeed pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=MaxUploadSpeed pcq-classifier=dst-address pcq-rate=1M
add kind=pcq name=Standard_Download_Speed pcq-burst-rate=30M pcq-burst-time=\
15s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=25M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=Standard_Upload_Speed pcq-burst-rate=3600k pcq-burst-time=\
15s pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Download_Speed pcq-burst-rate=30M \
pcq-burst-time=15s pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-rate=25M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Upload_Speed pcq-burst-rate=3600k \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=3M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
/queue tree
add max-limit=300M name=Standard_Download_Speed packet-mark=\
Standard_Traffic_Down parent=bridge-lan priority=7 queue=\
Standard_Download_Speed
add max-limit=50M name=Standard_Upload_Speed packet-mark=Standard_Traffic_Up \
parent=bridge-lan priority=7 queue=Standard_Upload_Speed
add max-limit=300M name=High_Capacity_Download_Speed packet-mark=\
High_Capacity_Traffic_Down parent=bridge-lan priority=7 queue=\
High_Capacity_Download_Speed
add max-limit=50M name=High_Capacity_Upload_Speed packet-mark=\
High_Capacity_Traffic_Up parent=bridge-lan priority=7 queue=\
High_Capacity_Upload_Speed
/routing table
add fib name=to_wan1
add fib name=to_wan2
add fib name=to_wan3
add fib name=to_wan4
add fib name=to_wan5
add fib name=to_wan6
add fib name=to_wan7
add fib name=to_wan8
add fib name=to_wan9
add fib name=to_wan10
add disabled=no fib name=for_l2tp
add disabled=no fib name=for_sonar
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=atbunal
/interface bridge port
add bridge=bridge-lan interface=vlan2
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=sfp28-1-wan1 list=WAN
add interface=sfp28-2-wan2 list=WAN
add comment="RE VPN" interface=RE list=VPN
add interface=sfp28-3-wan3 list=WAN
add interface=sfp28-4-wan4 list=WAN
add interface=sfp28-5-wan5 list=WAN
add interface=sfp28-6-wan6 list=WAN
add interface=sfp28-7-wan7 list=WAN
add interface=sfp28-8-wan8 list=WAN
add interface=sfp28-9-wan9 list=WAN
add interface=sfp28-10-wan10 list=WAN
/ip address
add address=10.130.1.1/24 comment="Servers - vlan1" interface=sfp28-12-lan \
network=10.130.1.0
add address=10.130.2.1/23 comment="Subscribers - CPE" interface=vlan2 \
network=10.130.2.0
add address=10.130.4.1/23 comment="Subscribers - SM" interface=vlan2 network=\
10.130.4.0
/ip dhcp-client
add add-default-route=no interface=sfp28-1-wan1 use-peer-dns=no
add add-default-route=no interface=sfp28-2-wan2 use-peer-dns=no
add add-default-route=no interface=sfp28-3-wan3 use-peer-dns=no
add add-default-route=no interface=sfp28-4-wan4 use-peer-dns=no
add add-default-route=no interface=sfp28-5-wan5 use-peer-dns=no
add add-default-route=no interface=sfp28-6-wan6 use-peer-dns=no
add add-default-route=no interface=sfp28-7-wan7 use-peer-dns=no
add add-default-route=no interface=sfp28-8-wan8 use-peer-dns=no
add add-default-route=no interface=sfp28-9-wan9 use-peer-dns=no
add add-default-route=no interface=sfp28-10-wan10 use-peer-dns=no
/ip dhcp-server alert
add comment="Rogue DHCP Detect" disabled=no interface=bridge-lan on-alert=\
":log error message=\"Rogue DHCP Server Discovered\"" valid-server=\
48:A9:8A:85:65:FB
/ip firewall filter
add action=accept chain=input comment=\
"Accept established,related connections" connection-state=\
established,related disabled=yes
add action=accept chain=input comment=\
"Accept all connections from allowed_to_router address list" disabled=yes \
src-address-list=allowed_to_router
add action=accept chain=input comment="Accept ICMP connections" disabled=yes \
protocol=icmp
add action=accept chain=input comment="Accept SNMP connections" disabled=yes \
dst-port=161 protocol=udp
add action=accept chain=input comment=\
"Accept L2TP/IPSEC connections (500,1701,4500/udp)" disabled=yes \
dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="Accept WinBox connections (8291/tcp)" \
disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"For L2TP/IPSEC Encryption and Authentication" disabled=yes protocol=\
ipsec-esp
add action=drop chain=input comment="Drop everything else" disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-1-wan1 new-connection-mark=to_wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-2-wan2 new-connection-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-3-wan3 new-connection-mark=to_wan3 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-4-wan4 new-connection-mark=to_wan4 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-5-wan5 new-connection-mark=to_wan5 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-6-wan6 new-connection-mark=to_wan6 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-7-wan7 new-connection-mark=to_wan7 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-8-wan8 new-connection-mark=to_wan8 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-9-wan9 new-connection-mark=to_wan9
add action=mark-connection chain=prerouting connection-state=new \
in-interface=sfp28-10-wan10 new-connection-mark=to_wan10 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan1 passthrough=yes per-connection-classifier=src-address:10/0
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan2 passthrough=yes per-connection-classifier=src-address:10/1
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan3 passthrough=yes per-connection-classifier=src-address:10/2
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan4 passthrough=yes per-connection-classifier=src-address:10/3
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan5 passthrough=yes per-connection-classifier=src-address:10/4
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan6 passthrough=yes per-connection-classifier=src-address:10/5
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan7 passthrough=yes per-connection-classifier=src-address:10/6
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan8 passthrough=yes per-connection-classifier=src-address:10/7
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan9 passthrough=yes per-connection-classifier=src-address:10/8
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=\
to_wan10 passthrough=yes per-connection-classifier=src-address:10/9
add action=mark-routing chain=prerouting connection-mark=to_wan1 \
in-interface=bridge-lan new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan2 \
in-interface=bridge-lan new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan3 \
in-interface=bridge-lan new-routing-mark=to_wan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan4 \
in-interface=bridge-lan new-routing-mark=to_wan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan5 \
in-interface=bridge-lan new-routing-mark=to_wan5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan6 \
in-interface=bridge-lan new-routing-mark=to_wan6 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan7 \
in-interface=bridge-lan new-routing-mark=to_wan7 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan8 \
in-interface=bridge-lan new-routing-mark=to_wan8 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan9 \
in-interface=bridge-lan new-routing-mark=to_wan9 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_wan10 \
in-interface=bridge-lan new-routing-mark=to_wan10 passthrough=no
add action=mark-connection chain=forward comment="For Sonar" \
dst-address-list="Standard Internet" new-connection-mark=\
Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=Standard_Traffic_Up passthrough=yes src-address-list=\
"Standard Internet"
add action=mark-connection chain=forward dst-address-list=\
"High Capacity Internet" new-connection-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=High_Capacity_Traffic_Up passthrough=yes \
src-address-list="High Capacity Internet"
add action=mark-packet chain=forward comment="For Sonar" connection-mark=\
Standard_Traffic_Down new-packet-mark=Standard_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up \
in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=\
yes
add action=mark-packet chain=forward connection-mark=\
High_Capacity_Traffic_Down new-packet-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Up \
in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up \
passthrough=yes
add action=mark-routing chain=output connection-mark=to_wan1 \
new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=to_wan2 \
new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=output connection-mark=to_wan3 \
new-routing-mark=to_wan3 passthrough=no
add action=mark-routing chain=output connection-mark=to_wan4 \
new-routing-mark=to_wan4 passthrough=no
add action=mark-routing chain=output connection-mark=to_wan5 \
new-routing-mark=to_wan5 passthrough=no
add action=mark-routing chain=output connection-mark=to_wan6 \
new-routing-mark=to_wan6 passthrough=no
add action=mark-routing chain=output connection-mark=to_wan7 \
new-routing-mark=to_wan7 passthrough=no
add action=mark-routing chain=output connection-mark=to_wan8 \
new-routing-mark=to_wan8 passthrough=no
add action=mark-routing chain=output dst-address-list=re-vpn \
new-routing-mark=for_l2tp passthrough=no
add action=mark-routing chain=output connection-mark=to_wan9 \
new-routing-mark=for_sonar passthrough=no
add action=mark-routing chain=output connection-mark=to_wan10 \
new-routing-mark=to_wan10 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp28-1-wan1
add action=masquerade chain=srcnat out-interface=sfp28-2-wan2
add action=masquerade chain=srcnat out-interface=sfp28-3-wan3
add action=masquerade chain=srcnat out-interface=sfp28-4-wan4
add action=masquerade chain=srcnat out-interface=sfp28-5-wan5
add action=masquerade chain=srcnat out-interface=sfp28-6-wan6
add action=masquerade chain=srcnat out-interface=sfp28-7-wan7
add action=masquerade chain=srcnat out-interface=sfp28-8-wan8
add action=masquerade chain=srcnat out-interface=sfp28-9-wan9
add action=masquerade chain=srcnat out-interface=sfp28-10-wan10
add action=dst-nat chain=dstnat comment="Cacti HTTP" dst-port=180 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=80
add action=dst-nat chain=dstnat comment="Cacti HTTPS" dst-port=1443 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.10 to-ports=443
add action=dst-nat chain=dstnat comment="Preseem SSH" dst-port=22222 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=22
add action=dst-nat chain=dstnat comment="Preseem Cockpit" dst-port=9090 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=9090
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=192.168.132.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.133.0/24 gateway=192.168.133.1 \
routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-1-wan1 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-2-wan2 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-3-wan3 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-4-wan4 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-5-wan5 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-6-wan6 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-7-wan7 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-8-wan8 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-9-wan9 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-10-wan10 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-1-wan1 routing-table=to_wan1 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-2-wan2 routing-table=to_wan2 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-3-wan3 routing-table=to_wan3 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-4-wan4 routing-table=to_wan4 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-5-wan5 routing-table=to_wan5 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp28-6-wan6 routing-table=to_wan6 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-7-wan7 routing-table=to_wan7 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-8-wan8 routing-table=to_wan8 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-9-wan9 routing-table=to_wan9 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-10-wan10 routing-table=to_wan10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp28-9-wan9 pref-src="" routing-table=for_l2tp scope=30 \
suppress-hw-offload=no target-scope=10
add distance=1 gateway=98.97.96.1%sfp28-9-wan9 routing-table=for_sonar
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=myCa disabled=no port=8443
set api disabled=yes
set api-ssl certificate=myCa
/ip ssh
set strong-crypto=yes
/snmp
set contact="Richesin Engineering <jaysen@richesinengineering.com>" enabled=\
yes location="Communications Shelter, Unalakleet, AK [63.89890275724056, -\
160.7788028412428]" trap-community=atbunal
/system clock
set time-zone-autodetect=no time-zone-name=America/Anchorage
/system identity
set name=UnalakleetRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add disabled=yes interval=5m name=QueueTreeUsageCheck on-event=":log info \"Qu\
eueTreeUsageCheck script started\"\r\
\nQueueTreeUsageCheck\r\
\n:log info \"QueueTreeUsageCheck script finished\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-03 start-time=11:04:00
add disabled=yes interval=4w2d name=datareset on-event=\
"/queue tree reset-counters numbers=[find]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-01 start-time=09:33:17
add disabled=yes interval=5m name=runThrottle on-event=\
"/system script run throttle;" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-23 start-time=00:00:00
/system script
add dont-require-permissions=no name=rogue-dhcp-scan owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"Found rogue DHCP server at \$[/system clock get date] \$[/syste\
m clock get time] on interface bridge-trunk]\"\r\
\n#Email\r\
\n/tool e-mail send to=\"jaysen@richesinengineering.com\" subject=\"Found \
rogue DHCP server at \$[/system clock get date] \$[/system clock get time]\
\_on interface bridge-trunk\""
add dont-require-permissions=no name=throttle owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local thresholdBytes 161061273600; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"Standard_Download_Sp\
eed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"Standard_Upload_Speed\
\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}\r\
\n\r\
\n:local thresholdBytes 268435456000; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"High_Capacity_Downlo\
ad_Speed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"High_Capacity_Upload_S\
peed\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}"
add dont-require-permissions=no name=lease-script owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="i\
f (\$bound=1) do={\
\n \r\
\n/ip route {\
\n \r\
\n\r\
\n:if ([:len [find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interfac\
e\") !dynamic !blackhole routing-table=main]]=0) do={\
\n \r\
\nadd gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n \r\
\n}\
\n \r\
\n\r\
\n:foreach r in=[find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"inter\
face\") !dynamic !blackhole] do={\
\n \r\
\nset \$r gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n \r\
\n}\
\n \r\
\n}\r\
\n\
\n}\
\n"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from="Unalakleet Router" port=2525 server=mail.smtp2go.com tls=yes user=\
alerts@richesinengineering.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=sfp28-3-wan3 name=tmon1
I've sent you an e-mail, check your spam folder if you haven't received it.Hello Sindy,
Hello Sindy,I've sent you an e-mail, check your spam folder if you haven't received it.Hello Sindy,
The only way how disabling only the mangle rules in forward chain could affect the L2TP would be that it would stop limiting the LAN->WAN traffic and therefore the L2TP packets would get lost due to bandwidth exhaustion caused by the user traffic now not throttled by the QoS queues, and even that is just a speculation.I ... tried disabling the forward mangles as you suggested. ... in any case it seems to have broken our VPN connection as the logs are showing it trying but failing to establish a connection.
A very important question here is whether Sonar needs just the effect of these rules or these rules must be there literally because Sonar's API scripts check or even manipulate them.... tried disabling the forward mangles as you suggested. Although those are needed for Sonar per their documentation ...
What helps a lot are the live counters that show you the traffic volume on the individual interfaces and on the firewall rules, and also the possibility to list the tracked connections up to multiple criteria. So if you can see that the action=mark-routing rules handle about the same amount of packets like the action=per-connection-classifier rules, it clearly indicates a problem as the former ones should handle way more than the latter ones, as the former ones handle each LAN->WAN packet of every connection whereas the latter ones only handle the first packet of each connection.have been looking at it and can't seem to figure out what might have caused this problem
As for src-nating the same user always to the same public IP address when spreading the load across WANs, per-connection-classifier taking only src-address into account is sufficient. Failures and WAN address changes are another thing of course. In my experience so far, WiFi calling normally recovers quite fast from a public address change, incoming SIP calls to phones with long re-registration intervals may be a different story indeed.With every single page these days pulling in feeds from multiple locations... And sites requiring log ins from a specific IP address... And if the IP changes... You have to log back in. I mean voip and video calling take it the worst, actually wifi calling takes it the worst.
This would work of course, the VPS being the SPOF (but that's not a big deal as decent data centers automatically respawn VMs on another hardware in case of a failure). What might be a problem would be running out of ephemeral TCP ports on a single public IP if too many clients would access the same service.I really fight to get some sort of dynamic stryping to a VPS provider. That way all connections come from the same public IP. And if a feed fails or doesn't work... The other feeds pick up the slack and the other side still sees the one singular connection. This keeps calls from dropping. Services from seeing an IP change and dropping the connection. Etc.
Hello Sindy,A very important question here is whether Sonar needs just the effect of these rules or these rules must be there literally because Sonar's API scripts check or even manipulate them.... tried disabling the forward mangles as you suggested. Although those are needed for Sonar per their documentation ...
The very purpose of a connection mark is to be stored in the context data of a connection only once, when handling any of its packets, and be given as an additional attribute to match on to the firewall rules handling all subsequent packets of the same connection, regardless their direction. Its uses are basically two:The connection marks assigned by the rules in prerouting that match on per-connection-classifier represent the first case (although if the per connection classification rules were the only element of the configuration to be used to choose a routing table, the connection marking would not be necesary); the connection marks assigned by the rules in prerouting that match on in-interface represent the second case (but they are actually only required in setups where you use port forwarding of requests coming in from the internet to some servers in the LAN, which doesn't seem to be your case).
- to speed up the processing of packets in the firewall by only evaluating a complex set of match conditions once, typically when handling the initial packet of each connection, and storing the result in the form of a connection mark. This becomes even more important if connections whose packets match different sets of match conditions need to be treated the same, so instead of having e.g. three mangle rules handling every packets of every connection, you have a single rule for mid-connection packets that matches on the connection mark alone and the three ones matching on complex sets of conditions only handle the initial ones.
- to "remember" information that can only be obtained when handling some of the packets of the connection so that you could handle other packets of that connection according to that information.
The issue with RouterOS is that although the netfilter itself can treat the connection mark attribute as a bitmap, Mikrotik uses it as a scalar value, so you can have many distinct connection marks but only one can be assigned to a given connection at a time; if you assign a new one, you rewrite the previous one.
In your particular setup, the overwriting does not affect the own traffic of the router because it doesn't pass through mangle chain forward.
Now back to the question regarding Sonar, if it is enough that the firewall assigns the proper packet marks and it is not important how exactly it does so, you can simplify the Sonar rules from the existing
add action=mark-connection chain=forward comment="For Sonar" dst-address-list="Standard Internet" new-connection-mark=Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=Standard_Traffic_Up passthrough=yes src-address-list="Standard Internet"
add action=mark-connection chain=forward dst-address-list="High Capacity Internet" new-connection-mark=High_Capacity_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan new-connection-mark=High_Capacity_Traffic_Up passthrough=yes src-address-list="High Capacity Internet"
add action=mark-packet chain=forward comment="For Sonar" connection-mark=Standard_Traffic_Down new-packet-mark=Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Down new-packet-mark=High_Capacity_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Up in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up passthrough=yes
to just
add action=mark-packet chain=forward comment="For Sonar" dst-address-list="Standard Internet" new-packet-mark=Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=yes src-address-list="Standard Internet"
add action=mark-packet chain=forward dst-address-list="High Capacity Internet" new-packet-mark=High_Capacity_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up passthrough=yes src-address-list="High Capacity Internet"
The effect will be the same except that they will not destroy the function of the use of connection marks for choice of WAN.
You can also save some extra nanoseconds per packet if you arrange the rules assigning a packet mark in such an order that most packets only got handled by least rules and set passthrough to no; this is possible because there are (currently!) no additional rules in mangle chain forward that would have to be applied once the packet mark has been assigned. We assume there will be more download packets than upload ones, and we want to handle the "High Capacity Internet" ones even a tiny bit faster than the "Standard Internet" ones, so the outcome would look as follows:
add action=mark-packet chain=forward dst-address-list="High Capacity Internet" new-packet-mark=High_Capacity_Traffic_Down out-interface=bridge-lan passthrough=no
add action=mark-packet chain=forward in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up passthrough=no src-address-list="High Capacity Internet"
add action=mark-packet chain=forward comment="For Sonar" dst-address-list="Standard Internet" new-packet-mark=Standard_Traffic_Down out-interface=bridge-lan passthrough=no
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=no src-address-list="Standard Internet"
What helps a lot are the live counters that show you the traffic volume on the individual interfaces and on the firewall rules, and also the possibility to list the tracked connections up to multiple criteria. So if you can see that the action=mark-routing rules handle about the same amount of packets like the action=per-connection-classifier rules, it clearly indicates a problem as the former ones should handle way more than the latter ones, as the former ones handle each LAN->WAN packet of every connection whereas the latter ones only handle the first packet of each connection.have been looking at it and can't seem to figure out what might have caused this problem
Sniffing the traffic of a particular public address that is rarely used by any of the customers (like one of a web site about Egyptian pyramids hosted in a small data center in southern America) without limiting the sniff to a particular interface can show you whether all the traffic of a TCP sesssion indeed uses the same WAN interface as required - of course in cooperation with a real or simulated customer who will access that site for you.
It does. The good news is that as they ask you to create the rules manually, they are interested in their ultimate effect, not in the particular rules themselves.This is the documentation ... I am not sure if it answers your question but this is all I really know about it.
The fact that you can work with the people there suggests that at least a telephone service is available. Is there a chance to use that service to get a good old dial-up channel to be able to access the network if something like this happens, or is it a satellite phone as well so data service is not available, or at least not quickly?Apparently all of our 10 Starlink terminals are offline so I have no remote access. I am working with the village to find out more on what happened there.
Unfortunately not, The phone service there is VOIP and normally runs on our network but had to be switched over to their very slow backup GCI cellular link. The tower site is about 3 miles away and does not have any phone lines into the shelter. I suspect the starlink issue is something physical either with power or cabling and I hope to have the other tech on-site this morning to work with him on bringing those back online. I do have the Remote PC at the site and another single Starlink which can get me access. We have tried to get the village to pay for a GCI connection to use as an OOB circuit but that was not approved. Hopefully after this experience they change their mind. I am sick of not having redundancy in place for these reasons alone.It does. The good news is that as they ask you to create the rules manually, they are interested in their ultimate effect, not in the particular rules themselves.This is the documentation ... I am not sure if it answers your question but this is all I really know about it.
The fact that you can work with the people there suggests that at least a telephone service is available. Is there a chance to use that service to get a good old dial-up channel to be able to access the network if something like this happens, or is it a satellite phone as well so data service is not available, or at least not quickly?Apparently all of our 10 Starlink terminals are offline so I have no remote access. I am working with the village to find out more on what happened there.
Event better, strictly speaking it even isn't a reconnection - if the peer on the static address receives a packet from the remote peer from a different address than before, it still recognizes it belongs to an already existing session and updates the peer address in its configuration so it sends the subsequent packets to the new address, no renegotiation etc. is required.1) I would use Wireguard (if possible) for the management VPN. If one end (your office) has a static IP, the remote end(s) (the router(s) behind Starlink) can be configured to always connect to that IP, and it reconnects really fast.
No problem with this on my sideSindy's offered some amazing assistance, so I don't want to step on any toes.
(1) Personally recommend you dont use the same entry names for connection marks and routing marks. It gets terribly hard to read.
For instance.
For the initial set of rules use connection marks incoming-WAN1 ( reflect traffic is originating from outside the router )
For the PCC traffic use connection marks : through-WAN1 (reflect traffic going through each wan to www )
All the Routing Marks are fine ( use is accurate ))
In the end it doesn't matter as all that traffic will be going to the same Route-Marks and thus personal preference.
(It probably is slightly more efficient not to ask the router to keep track of a different set of connection marks?)
(2) Missing one line in the mangle config
add action=mark-routing chain=output connection-mark=to_wan9 \
new-routing-mark=to_wan9 passthrough=no[/b]
Well, I don't like that idea, and we already had a private discussion about it with @anav.(1) I like that idea and I am implementing that now.
I can certainly see both sides of this and while I do like things to be easier to read. I need things to be simple and not increase load on the router so I will have to go with Sindy's recommendation on this issue. Since I only manage this network. I want to set it up for success in the event something happens to me and someone else takes over. I still appreciate all input on this. Thank You! I'll post an updated config once I finish cleaning things up so we can review and make any adjustments before I activate it again. I still need to figure out how to do the mangles for Sonar as they were clearly an issue yesterday and village wasn't happy. Plus the power issue certainly didn't make things any better but at least I got that worked out.Well, I don't like that idea, and we already had a private discussion about it with @anav.(1) I like that idea and I am implementing that now.
Your configuration is already complicated enough, and creating multiple connection marks and routing marks/tables that get ultimately translated to the same route set is just and additional level of complication to me, which doesn't even improve readability (here we disagree with @anav) and creates additional load to the router.
The namespaces for connection marks and routing marks are isolated so the same string used in both causes no conflict. If the ultimate goal of assigning a connection mark is that packets with that connection mark would be sent via WAN 1, there is little point in having the connection mark indicate not only that WAN 1 should be used but also why it should be used. Nor is there any point in stressing out that it is a connection mark. But OK, that's still an issue of personal preferences, but if you use two different connection marks that get translated to the same routing mark, you need two different rules to perform the translation, as a single rule can only match on a single connection mark.
So in the simplest case, assigning connection mark "wan1" based on in-interface=wan1 for connections to the router itself initiated by clients in the internet that have to be responded via wan1 and assigning the same connection mark "wan1" to connections to servers in the internet initiated by LAN clients based on the per-connection-classifier "dispatching", and later translating connection mark "wan1" to a routing mark "wan1" regardless why the former one has been assigned just makes things more clear to me, rather than having to bear in mind that two connection mark to routing mark translation rules are necessary for each WAN. And forcing every single packet to run through twice more mangle rules would cause a pointless extra CPU load.
Having even multiple routing tables with a single default route via wan1, i.e. only differing by name, is again just adding more space for an error which, in my personal opinion, the "better readability" cannot justify.
ZeroTier is a great tool/service for automagically creating Wireguard tunnels between peers, especially for management & telemetry, as opposed to doing it manually. But it's overkill if you only need a simple PTP link and have control and stability at least at one end.Fwiw, ZeroTier is already integrated into ROS v.7. As for remote management, I’d choose ZeroTier anytime over WireGuard but the latter might serve well as backup access.
# 2023-11-18 17:22:41 by RouterOS 7.12
# software id = DVNU-PTAC
#
# model = CCR2216-1G-12XS-2XQ
# serial number = HE808NY9TF8
/interface bridge
add admin-mac=48:A9:8A:85:65:FB auto-mac=no comment="Access Bridge" name=\
bridge-lan
/interface ethernet
set [ find default-name=ether1 ] comment="Not Used" disabled=yes
set [ find default-name=qsfp28-1-1 ] disabled=yes
set [ find default-name=qsfp28-1-2 ] disabled=yes
set [ find default-name=qsfp28-1-3 ] disabled=yes
set [ find default-name=qsfp28-1-4 ] disabled=yes
set [ find default-name=qsfp28-2-1 ] disabled=yes
set [ find default-name=qsfp28-2-2 ] disabled=yes
set [ find default-name=qsfp28-2-3 ] disabled=yes
set [ find default-name=qsfp28-2-4 ] disabled=yes
set [ find default-name=sfp28-1 ] comment="Link to Starlink Terminal 1" name=\
sfp1-wan1
set [ find default-name=sfp28-2 ] comment="Link to Starlink Terminal 2" name=\
sfp2-wan2
set [ find default-name=sfp28-3 ] comment="Link to Starlink Terminal 3" name=\
sfp3-wan3
set [ find default-name=sfp28-4 ] comment="Link to Starlink Terminal 4" name=\
sfp4-wan4
set [ find default-name=sfp28-5 ] comment="Link to Starlink Terminal 5" name=\
sfp5-wan5
set [ find default-name=sfp28-6 ] comment="Link to Starlink Terminal 6" name=\
sfp6-wan6
set [ find default-name=sfp28-7 ] comment="Link to Starlink Terminal 7" name=\
sfp7-wan7
set [ find default-name=sfp28-8 ] comment="Link to Starlink Terminal 8" name=\
sfp8-wan8
set [ find default-name=sfp28-9 ] comment="Link to Starlink Terminal 9" name=\
sfp9-wan9
set [ find default-name=sfp28-10 ] comment="Link to Starlink Terminal 10" \
name=sfp10-wan10
set [ find default-name=sfp28-11 ] comment="Not Used" disabled=yes name=sfp11
set [ find default-name=sfp28-12 ] comment=\
"Attached to bridge-lan. Link to NV1560 Switch - Port 1" name=sfp12-lan
/interface l2tp-client
add comment="Link to Richesin Engineering VPN" connect-to=vpn.richesineng.com \
disabled=no name=RE use-ipsec=yes user=unalakleet
/interface vlan
add comment="Customer VLAN" interface=sfp12-lan name=vlan2 vlan-id=2
/interface list
add comment="contains WAN interfaces" name=WAN
add comment="contains LAN interfaces" name=LAN
add comment="Contains VPN interfaces" name=VPN
add name=WAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add authoritative=after-2sec-delay comment="Controlled by Sonar" interface=\
bridge-lan lease-time=5m name=vlan2-dhcp
/port
set 0 name=serial0
/queue type
add kind=pcq name=MaxDownloadSpeed pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=MaxUploadSpeed pcq-classifier=dst-address pcq-rate=1M
add kind=pcq name=Standard_Download_Speed pcq-burst-rate=30M pcq-burst-time=\
15s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=25M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=Standard_Upload_Speed pcq-burst-rate=3600k pcq-burst-time=\
15s pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Download_Speed pcq-burst-rate=30M \
pcq-burst-time=15s pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-rate=25M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Upload_Speed pcq-burst-rate=3600k \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=3M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
/queue tree
add max-limit=300M name=Standard_Download_Speed packet-mark=\
Standard_Traffic_Down parent=bridge-lan priority=7 queue=\
Standard_Download_Speed
add max-limit=50M name=Standard_Upload_Speed packet-mark=Standard_Traffic_Up \
parent=bridge-lan priority=7 queue=Standard_Upload_Speed
add max-limit=300M name=High_Capacity_Download_Speed packet-mark=\
High_Capacity_Traffic_Down parent=bridge-lan priority=7 queue=\
High_Capacity_Download_Speed
add max-limit=50M name=High_Capacity_Upload_Speed packet-mark=\
High_Capacity_Traffic_Up parent=bridge-lan priority=7 queue=\
High_Capacity_Upload_Speed
/routing table
add disabled=no fib name=wan1
add disabled=no fib name=wan2
add disabled=no fib name=wan3
add disabled=no fib name=wan4
add disabled=no fib name=wan5
add disabled=no fib name=wan6
add disabled=no fib name=wan7
add disabled=no fib name=wan8
add disabled=no fib name=wan9
add disabled=no fib name=wan10
add disabled=no fib name=l2tp-sonar
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=atbunal
/interface bridge port
add bridge=bridge-lan interface=vlan2
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=sfp1-wan1 list=WAN
add interface=sfp2-wan2 list=WAN
add comment="RE VPN" interface=RE list=VPN
add interface=sfp3-wan3 list=WAN
add interface=sfp4-wan4 list=WAN
add interface=sfp5-wan5 list=WAN
add interface=sfp6-wan6 list=WAN
add interface=sfp7-wan7 list=WAN
add interface=sfp8-wan8 list=WAN
add interface=sfp9-wan9 list=WAN
add interface=sfp10-wan10 list=WAN
/ip address
add address=10.130.1.1/24 comment="Servers - vlan1" interface=sfp12-lan \
network=10.130.1.0
add address=10.130.2.1/23 comment="Subscribers - CPE" interface=vlan2 \
network=10.130.2.0
add address=10.130.4.1/23 comment="Subscribers - SM" interface=vlan2 network=\
10.130.4.0
/ip dhcp-client
add add-default-route=no interface=sfp1-wan1 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp2-wan2 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp3-wan3 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp4-wan4 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp5-wan5 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp6-wan6 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp7-wan7 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp8-wan8 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp9-wan9 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp10-wan10 script=lease-script \
use-peer-dns=no
/ip firewall filter
add action=accept chain=input comment=\
"Accept established,related connections" connection-state=\
established,related disabled=yes
add action=accept chain=input comment=\
"Accept all connections from allowed_to_router address list" disabled=yes \
src-address-list=allowed_to_router
add action=accept chain=input comment="Accept ICMP connections" disabled=yes \
protocol=icmp
add action=accept chain=input comment="Accept SNMP connections" disabled=yes \
dst-port=161 protocol=udp
add action=accept chain=input comment=\
"Accept L2TP/IPSEC connections (500,1701,4500/udp)" disabled=yes \
dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="Accept WinBox connections (8291/tcp)" \
disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"For L2TP/IPSEC Encryption and Authentication" disabled=yes protocol=\
ipsec-esp
add action=drop chain=input comment="Drop everything else" disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment=Incoming in-interface=\
sfp1-wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp2-wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp3-wan3 new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp4-wan4 new-connection-mark=wan4 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp5-wan5 new-connection-mark=wan5 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp6-wan6 new-connection-mark=wan6 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp7-wan7 new-connection-mark=wan7 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp8-wan8 new-connection-mark=wan8 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp9-wan9 new-connection-mark=wan9 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp10-wan10 new-connection-mark=wan10 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC connection-state=new \
disabled=yes dst-address-type=!local in-interface=bridge-lan \
new-connection-mark=wan1 passthrough=yes per-connection-classifier=\
src-address:10/0
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan2 \
passthrough=yes per-connection-classifier=src-address:10/1
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan3 \
passthrough=yes per-connection-classifier=src-address:10/2
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan4 \
passthrough=yes per-connection-classifier=src-address:10/3
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan5 \
passthrough=yes per-connection-classifier=src-address:10/4
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan6 \
passthrough=yes per-connection-classifier=src-address:10/5
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan7 \
passthrough=yes per-connection-classifier=src-address:10/6
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan8 \
passthrough=yes per-connection-classifier=src-address:10/7
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan9 \
passthrough=yes per-connection-classifier=src-address:10/8
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan10 \
passthrough=yes per-connection-classifier=src-address:10/9
add action=mark-routing chain=prerouting connection-mark=wan1 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan3 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan4 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan5 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan5 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan6 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan6 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan7 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan7 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan8 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan8 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan9 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan9 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan10 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan10 passthrough=yes
add action=mark-connection chain=forward comment="For Sonar" \
dst-address-list="Standard Internet" new-connection-mark=\
Standard_Traffic_Down out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=Standard_Traffic_Up passthrough=yes src-address-list=\
"Standard Internet"
add action=mark-connection chain=forward dst-address-list=\
"High Capacity Internet" new-connection-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-connection chain=forward in-interface=bridge-lan \
new-connection-mark=High_Capacity_Traffic_Up passthrough=yes \
src-address-list="High Capacity Internet"
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Down \
new-packet-mark=Standard_Traffic_Down out-interface=bridge-lan \
passthrough=yes
add action=mark-packet chain=forward connection-mark=Standard_Traffic_Up \
in-interface=bridge-lan new-packet-mark=Standard_Traffic_Up passthrough=\
yes
add action=mark-packet chain=forward connection-mark=\
High_Capacity_Traffic_Down new-packet-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=yes
add action=mark-packet chain=forward connection-mark=High_Capacity_Traffic_Up \
in-interface=bridge-lan new-packet-mark=High_Capacity_Traffic_Up \
passthrough=yes
add action=mark-routing chain=output comment=Outgoing connection-mark=wan1 \
new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=\
wan2 passthrough=no
add action=mark-routing chain=output connection-mark=wan3 new-routing-mark=\
wan3 passthrough=no
add action=mark-routing chain=output connection-mark=wan4 new-routing-mark=\
wan4 passthrough=no
add action=mark-routing chain=output connection-mark=wan5 new-routing-mark=\
wan5 passthrough=no
add action=mark-routing chain=output connection-mark=wan6 new-routing-mark=\
wan6 passthrough=no
add action=mark-routing chain=output connection-mark=wan7 new-routing-mark=\
wan7 passthrough=no
add action=mark-routing chain=output connection-mark=wan8 new-routing-mark=\
wan8 passthrough=no
add action=mark-routing chain=output connection-mark=wan9 new-routing-mark=\
wan9 passthrough=no
add action=mark-routing chain=output connection-mark=wan10 new-routing-mark=\
wan10 passthrough=no
add action=mark-routing chain=output connection-mark=wan10 dst-address-list=\
l2tp-sonar new-routing-mark=l2tp-sonar passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1-wan1
add action=masquerade chain=srcnat out-interface=sfp2-wan2
add action=masquerade chain=srcnat out-interface=sfp3-wan3
add action=masquerade chain=srcnat out-interface=sfp4-wan4
add action=masquerade chain=srcnat out-interface=sfp5-wan5
add action=masquerade chain=srcnat out-interface=sfp6-wan6
add action=masquerade chain=srcnat out-interface=sfp7-wan7
add action=masquerade chain=srcnat out-interface=sfp8-wan8
add action=masquerade chain=srcnat out-interface=sfp9-wan9
add action=masquerade chain=srcnat out-interface=sfp10-wan10
add action=dst-nat chain=dstnat comment="Preseem SSH" dst-port=22222 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=22
add action=dst-nat chain=dstnat comment="Preseem Cockpit" dst-port=9090 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=9090
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.132.0/24 gateway=192.168.133.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.133.0/24 gateway=192.168.133.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp1-wan1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp2-wan2 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp3-wan3 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp4-wan4 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp5-wan5 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp6-wan6 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp7-wan7 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp8-wan8 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp9-wan9 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp10-wan10 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp1-wan1 \
pref-src="" routing-table=wan1 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp2-wan2 \
pref-src="" routing-table=wan2 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp3-wan3 \
pref-src="" routing-table=wan3 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp4-wan4 \
pref-src="" routing-table=wan4 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp5-wan5 \
pref-src="" routing-table=wan5 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp6-wan6 \
pref-src="" routing-table=wan6 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp7-wan7 \
pref-src="" routing-table=wan7 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp8-wan8 \
pref-src="" routing-table=wan8 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp9-wan9 \
pref-src="" routing-table=wan9 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp10-wan10 pref-src="" routing-table=wan10 scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp5-wan5 \
pref-src="" routing-table=*40C scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp10-wan10 \
routing-table=l2tp-sonar suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=myCa disabled=no port=8443
set api disabled=yes
set api-ssl certificate=myCa
/ip ssh
set strong-crypto=yes
/snmp
set contact="Richesin Engineering <jaysen@richesinengineering.com>" enabled=\
yes location="Communications Shelter, Unalakleet, AK [63.89890275724056, -\
160.7788028412428]" trap-community=atbunal
/system clock
set time-zone-autodetect=no time-zone-name=America/Anchorage
/system identity
set name=UnalakleetRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add disabled=yes interval=5m name=QueueTreeUsageCheck on-event=":log info \"Qu\
eueTreeUsageCheck script started\"\r\
\nQueueTreeUsageCheck\r\
\n:log info \"QueueTreeUsageCheck script finished\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-03 start-time=11:04:00
add disabled=yes interval=4w2d name=datareset on-event=\
"/queue tree reset-counters numbers=[find]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-01 start-time=09:33:17
add disabled=yes interval=5m name=runThrottle on-event=\
"/system script run throttle;" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-23 start-time=00:00:00
/system script
add dont-require-permissions=no name=rogue-dhcp-scan owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"Found rogue DHCP server at \$[/system clock get date] \$[/syste\
m clock get time] on interface bridge-trunk]\"\r\
\n#Email\r\
\n/tool e-mail send to=\"jaysen@richesinengineering.com\" subject=\"Found \
rogue DHCP server at \$[/system clock get date] \$[/system clock get time]\
\_on interface bridge-trunk\""
add dont-require-permissions=no name=throttle owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local thresholdBytes 161061273600; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"Standard_Download_Sp\
eed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"Standard_Upload_Speed\
\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}\r\
\n\r\
\n:local thresholdBytes 268435456000; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"High_Capacity_Downlo\
ad_Speed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"High_Capacity_Upload_S\
peed\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}"
add dont-require-permissions=no name=lease-script owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="i\
f (\$bound=1) do={\
\n \r\
\n/ip route {\
\n \r\
\n\r\
\n:if ([:len [find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interfac\
e\") !dynamic !blackhole routing-table=main]]=0) do={\
\n \r\
\nadd gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n \r\
\n}\
\n \r\
\n\r\
\n:foreach r in=[find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"inter\
face\") !dynamic !blackhole] do={\
\n \r\
\nset \$r gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n \r\
\n}\
\n \r\
\n}\r\
\n\
\n}\
\n"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from="Unalakleet Router" port=2525 server=mail.smtp2go.com tls=yes user=\
alerts@richesinengineering.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=sfp3-wan3 name=tmon1
What I can see is that you have decided to use a common routing table for both the outbound L2TP connection and the inbound Sonar connection. A good idea as such, a bit degraded by the fact that the way how I proposed linking the Sonar connection to a WAN was a bandaid one intended to quickly restore that connection until the final configuration would have been done. A minor collateral damage of this change is that you have removed one of the original routing tables from the list before removing a route that belonged to that table; in such cases, RouterOS doesn't automatically wipe the dependent objects from the configuration, so now you have an orphaned route with routing-table=*40C. No big deal, just remove it manually.I am sure there is some changes I could make to improve things so please do let me know what you find that needs to be changed. I kept the PCC mangles for the bridge-lan disabled for now until those can be fixed but so far I don't see any problems at this time.
I am sure there is some changes I could make to improve things so please do let me know what you find that needs to be changed. I kept the PCC mangles for the bridge-lan disabled for now until those can be fixed but so far I don't see any problems at this time.What I can see is that you have decided to use a common routing table for both the outbound L2TP connection and the inbound Sonar connection. A good idea as such, a bit degraded by the fact that the way how I proposed linking the Sonar connection to a WAN was a bandaid one intended to quickly restore that connection until the final configuration would have been done. A minor collateral damage of this change is that you have removed one of the original routing tables from the list before removing a route that belonged to that table; in such cases, RouterOS doesn't automatically wipe the dependent objects from the configuration, so now you have an orphaned route with routing-table=*40C. No big deal, just remove it manually.
The orphaned route and table have been removed. I saw that right after I posted the config and took care of it. To ensure I understand correctly. Once final configuration is done, I shouldn't need to link Sonar and the VPN to a WAN?
Unfortunately there will always be a manual adjustment on the Sonar side due to the IP address being hard coded and currently no support for FQDN and DDNS. I plan to submit feedback to Sonar to hopefully add this feature in future releases. The way I've been advised by Sonar is to create multiple, identical inline device and DHCP server entries for each WAN IP and leave all but the current active one disabled. Should the IP address change then I go into Sonar and toggle them on and off as needed. Personally I hate this approach because it requires me to keep an eye on it. The plan we have been discussing is to use a VPN tunnel back to our office to assign a static IP as we have our own IP allocations from ARIN. Then we point Sonar to that which should solve that issue. I think I also failed to mention earlier in this conversation that our VPN address is in fact on a static IP. It was assumed that it was dynamic hence the reason we used an address list and FQDN and that's my fault for not stating that. It's working the way it is setup now but will change it if necessary.
You also seem to have moved to the route backup concept used in the Mikrotik video - if the WAN chosen by mangle rules is unavailable, the backup route becomes whichever one is currently active (based on distance and availability) in table main. This concept is based on the fact that if no route to a destination is available in the requested table, the routing automatically uses table main as a backup for that destination unless you explicitly prohibit that using a routing rule.
For inbound connections to a WAN address of the router coming from the internet (like the Sonar one), it doesn't matter how exactly a backup route is chosen for a given routing mark, because if that WAN goes down or its IP address changes/is lost, no backup route can keep such an inbound connection alive and a new connection has to be established via another WAN (Wireguard is one of few exceptions here, which is extremely useful in some cases and extremely annoying in others). But it may affect the L2TP client - when pure ECMP was used, the client was unable to connect, so explicitly indicating a backup route within table l2tp-sonar (with a higher distance than the one via WAN 10) might be a more reliable approach. It is still not fully clear to me what exactly the problem was in that ECMP-only case, but I'm waiting for the more important issues to get resolved before asking you to investigate this using a test L2TP server.
The backup route has been put back in place. That was simply an oversight but has been fixed.
The purpose of the mangle/prerouting rules that assign connection marks based on in-interface is to let any inbound connection from the internet (like the Sonar one) be responded via the same WAN through which the initial request has arrived (because leaving other aspects aside, the TCP client would be unable to change the address of the responder within an existing session). Once these rules start working, the individual treatment of the Sonar connection based on an address list will not be required any more. If you look at it from another perspective, if you don't expect any other inbound connections from the internet than the Sonar one to ever be used, you don't need to assign connection marks based on in-interface at all, which in turn means you don't need to use the connection marks as an intermediate step between the PCC and the routing marks - always the same per-connection-classified condition matches on all packets of a given direction of any given connection. Which, in summary, would mean that you wouldn't need connection marks for routing at all.
That's great!!! I don't expect any other inbound connections. We don't plan on hosting any servers so if I am understanding correctly. I can remove those and are we talking about all of the connection marks that I've labeled "incoming" and "PCC"? What about connections to our NMS monitor that use ICMP and SNMP? It's currently on a cloud-hosted VPS but my plan is to move that into our office so it will be on our VPN. That will also allow us to monitor the customer devices which our current NMS setup can't do as those devices are all on private IP ranges. I have made attempts to connect the cloud VPS to our VPN but haven't had much success with that Also, the Preseem engineer who supports the QoE appliance uses an ssh connection and it also has a web GUI called cockpit which I have port forwards for but that can also be reached over VPN. There is a cnMaestro server running on-site that controls all the Cambium equipment which is accessible only by VPN but I am also working to migrate that to the cloud hosted version like our other clients in Oregon.
In any case, before starting to use the connection marks for routing by enabling the mark-connection rules that are currently disabled, the mandatory first step is to get rid of the Sonar mark-connection rules the way I've suggested in this post. If you opt for not using connection marks for routing, it is still a good idea to simplify the Sonar rules just to lower the CPU load per packet. Just to be clear - matching a packet against the full list of tracked connections, which is an essential step of connection tracking, is way more CPU intensive than processing the packet by any single rule, but every drop counts in the grand total.
My plan today is to modify the Sonar rules to your suggestions so I can get those tested and working. Getting ready to do that now. I would prefer to not use connection marks if it simplifies things and makes it easier on the router.
Also, I still deem both the ideas of @sirbryan outlined in this post worth considering. The first one did not come to my mind at all as I am a little biased against Wireguard, but in this particular case replacing L2TP by Wireguard would elegantly solve the issue of the potentially changing IP address of the peer (pity that Mikrotik still has not implemented MOBIKE, which does the same thing for IPsec); the second one did but given your lukewarm reaction to my suggestion to use an external server on a fixed IP to provide a stable IP for the Sonar to connect to, I did not dare to suggest spawning a VPS with double the aggregate bandwidth of the 10 Starlinks just to provide the comfort of client sessions not breaking if one Starlink terminal dies. On the other hand, the fact that you need to run housekeeping scripts to remove NATed UDP connections if their reply-dst-address disappears from the router in order that WiFi calling/VoWiFi (Apple/Android name), SIP phone connections to PBXes in the internet, and other perpetually updated UDP connections could ever recover is annoying. What holds me back is the price of bandwith in the data centers as I don't know what the traffic volumes will be once people start using the full potential of the service. Except that I would use L2TP tunnels rather than Wireguard ones for this purpose, for several reasons I will name if you eventually start thinking in that direction.
My apologies if my reaction was lukewarm. I was most likely distracted by other issues. This week was a crazy one and I was being pulled in multiple directions by just about every client. Phone just kept ringing. I am open to either VPN option whichever will best solve that issue. I have thought about setting up the Wireguard seeing that it's supported. I never noticed it in Winbox until I upgraded to the latest RouterOS. Has that always been supported? We have always used L2TP but certainly open to change. However, the VPS option might not get a great reaction from our Owner/CTO solely based on cost. He's a little conservative when it comes to money and I admit I can be as well. He is family but my influence only goes so far.
On another note, I noticed an issue this morning when our NMS was showing a couple of the starlink terminals as down. Looking through the router logs it appears the terminals lost their lease temporarily and received a CGNAT IP. I am not sure why they obtain a CGNAT IP as we have public IP policy enabled on all terminals. I've seen this happen before when starlink is doing software updates and reboots the terminals. When they came back up. They did keep their same public IP and the lease-script did trigger. However, I noticed when it updated the gateway, it only put in the interface name (ie: sfp1-wan1) and there were several of these in the routing table. It looks like it also did create the correct gateway (ie: x.x.x.x%sfp1-wan1) but the routes with just the interface name were not removed. It was easy to fix by manually correcting the static routes and removing the incorrect ones but I was wondering if there was something in the script that needs adjusting to fix that problem? I've already had to manually fix the routes twice this morning. Log file screenshot is attached for context.
Thank You!
# 2023-11-19 08:10:59 by RouterOS 7.12
# software id = DVNU-PTAC
#
# model = CCR2216-1G-12XS-2XQ
# serial number = HE808NY9TF8
/interface bridge
add admin-mac=48:A9:8A:85:65:FB auto-mac=no comment="Access Bridge" name=\
bridge-lan
/interface ethernet
set [ find default-name=ether1 ] comment="Not Used" disabled=yes
set [ find default-name=qsfp28-1-1 ] disabled=yes
set [ find default-name=qsfp28-1-2 ] disabled=yes
set [ find default-name=qsfp28-1-3 ] disabled=yes
set [ find default-name=qsfp28-1-4 ] disabled=yes
set [ find default-name=qsfp28-2-1 ] disabled=yes
set [ find default-name=qsfp28-2-2 ] disabled=yes
set [ find default-name=qsfp28-2-3 ] disabled=yes
set [ find default-name=qsfp28-2-4 ] disabled=yes
set [ find default-name=sfp28-1 ] comment="Link to Starlink Terminal 1" name=\
sfp1-wan1
set [ find default-name=sfp28-2 ] comment="Link to Starlink Terminal 2" name=\
sfp2-wan2
set [ find default-name=sfp28-3 ] comment="Link to Starlink Terminal 3" name=\
sfp3-wan3
set [ find default-name=sfp28-4 ] comment="Link to Starlink Terminal 4" name=\
sfp4-wan4
set [ find default-name=sfp28-5 ] comment="Link to Starlink Terminal 5" name=\
sfp5-wan5
set [ find default-name=sfp28-6 ] comment="Link to Starlink Terminal 6" name=\
sfp6-wan6
set [ find default-name=sfp28-7 ] comment="Link to Starlink Terminal 7" name=\
sfp7-wan7
set [ find default-name=sfp28-8 ] comment="Link to Starlink Terminal 8" name=\
sfp8-wan8
set [ find default-name=sfp28-9 ] comment="Link to Starlink Terminal 9" name=\
sfp9-wan9
set [ find default-name=sfp28-10 ] comment="Link to Starlink Terminal 10" \
name=sfp10-wan10
set [ find default-name=sfp28-11 ] comment="Not Used" disabled=yes name=sfp11
set [ find default-name=sfp28-12 ] comment=\
"Attached to bridge-lan. Link to NV1560 Switch - Port 1" name=sfp12-lan
/interface l2tp-client
add comment="Link to Richesin Engineering VPN" connect-to=vpn.richesineng.com \
disabled=no name=RE use-ipsec=yes user=unalakleet
/interface vlan
add comment="Customer VLAN" interface=sfp12-lan name=vlan2 vlan-id=2
/interface list
add comment="contains WAN interfaces" name=WAN
add comment="contains LAN interfaces" name=LAN
add comment="Contains VPN interfaces" name=VPN
add name=WAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add authoritative=after-2sec-delay comment="Controlled by Sonar" interface=\
bridge-lan lease-time=5m name=vlan2-dhcp
/port
set 0 name=serial0
/queue type
add kind=pcq name=MaxDownloadSpeed pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=MaxUploadSpeed pcq-classifier=dst-address pcq-rate=1M
add kind=pcq name=Standard_Download_Speed pcq-burst-rate=30M pcq-burst-time=\
15s pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=25M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=Standard_Upload_Speed pcq-burst-rate=3600k pcq-burst-time=\
15s pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3M \
pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Download_Speed pcq-burst-rate=30M \
pcq-burst-time=15s pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-rate=25M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
add kind=pcq name=High_Capacity_Upload_Speed pcq-burst-rate=3600k \
pcq-burst-time=15s pcq-classifier=src-address pcq-dst-address6-mask=64 \
pcq-rate=3M pcq-src-address6-mask=64 pcq-total-limit=250000KiB
/queue tree
add max-limit=300M name=Standard_Download_Speed packet-mark=\
Standard_Traffic_Down parent=bridge-lan priority=7 queue=\
Standard_Download_Speed
add max-limit=50M name=Standard_Upload_Speed packet-mark=Standard_Traffic_Up \
parent=bridge-lan priority=7 queue=Standard_Upload_Speed
add max-limit=300M name=High_Capacity_Download_Speed packet-mark=\
High_Capacity_Traffic_Down parent=bridge-lan priority=7 queue=\
High_Capacity_Download_Speed
add max-limit=50M name=High_Capacity_Upload_Speed packet-mark=\
High_Capacity_Traffic_Up parent=bridge-lan priority=7 queue=\
High_Capacity_Upload_Speed
/routing table
add disabled=no fib name=wan1
add disabled=no fib name=wan2
add disabled=no fib name=wan3
add disabled=no fib name=wan4
add disabled=no fib name=wan5
add disabled=no fib name=wan6
add disabled=no fib name=wan7
add disabled=no fib name=wan8
add disabled=no fib name=wan9
add disabled=no fib name=wan10
add disabled=no fib name=l2tp-sonar
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=atbunal
/interface bridge port
add bridge=bridge-lan interface=vlan2
/ip neighbor discovery-settings
set discover-interface-list=none lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=sfp1-wan1 list=WAN
add interface=sfp2-wan2 list=WAN
add comment="RE VPN" interface=RE list=VPN
add interface=sfp3-wan3 list=WAN
add interface=sfp4-wan4 list=WAN
add interface=sfp5-wan5 list=WAN
add interface=sfp6-wan6 list=WAN
add interface=sfp7-wan7 list=WAN
add interface=sfp8-wan8 list=WAN
add interface=sfp9-wan9 list=WAN
add interface=sfp10-wan10 list=WAN
/ip address
add address=10.130.1.1/24 comment="Servers - vlan1" interface=sfp12-lan \
network=10.130.1.0
add address=10.130.2.1/23 comment="Subscribers - CPE" interface=vlan2 \
network=10.130.2.0
add address=10.130.4.1/23 comment="Subscribers - SM" interface=vlan2 network=\
10.130.4.0
/ip dhcp-client
add add-default-route=no interface=sfp1-wan1 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp2-wan2 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp3-wan3 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp4-wan4 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp5-wan5 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp6-wan6 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp7-wan7 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp8-wan8 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp9-wan9 script=lease-script \
use-peer-dns=no
add add-default-route=no interface=sfp10-wan10 script=lease-script \
use-peer-dns=no
/ip firewall filter
add action=accept chain=input comment=\
"Accept established,related connections" connection-state=\
established,related disabled=yes
add action=accept chain=input comment=\
"Accept all connections from allowed_to_router address list" disabled=yes \
src-address-list=allowed_to_router
add action=accept chain=input comment="Accept ICMP connections" disabled=yes \
protocol=icmp
add action=accept chain=input comment="Accept SNMP connections" disabled=yes \
dst-port=161 protocol=udp
add action=accept chain=input comment=\
"Accept L2TP/IPSEC connections (500,1701,4500/udp)" disabled=yes \
dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="Accept WinBox connections (8291/tcp)" \
disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"For L2TP/IPSEC Encryption and Authentication" disabled=yes protocol=\
ipsec-esp
add action=drop chain=input comment="Drop everything else" disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment=Incoming in-interface=\
sfp1-wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp2-wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp3-wan3 new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp4-wan4 new-connection-mark=wan4 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp5-wan5 new-connection-mark=wan5 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp6-wan6 new-connection-mark=wan6 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp7-wan7 new-connection-mark=wan7 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp8-wan8 new-connection-mark=wan8 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp9-wan9 new-connection-mark=wan9 passthrough=yes
add action=mark-connection chain=prerouting connection-state="" in-interface=\
sfp10-wan10 new-connection-mark=wan10 passthrough=yes
add action=mark-connection chain=prerouting comment=PCC connection-state=new \
disabled=yes dst-address-type=!local in-interface=bridge-lan \
new-connection-mark=wan1 passthrough=yes per-connection-classifier=\
src-address:10/0
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan2 \
passthrough=yes per-connection-classifier=src-address:10/1
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan3 \
passthrough=yes per-connection-classifier=src-address:10/2
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan4 \
passthrough=yes per-connection-classifier=src-address:10/3
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan5 \
passthrough=yes per-connection-classifier=src-address:10/4
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan6 \
passthrough=yes per-connection-classifier=src-address:10/5
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan7 \
passthrough=yes per-connection-classifier=src-address:10/6
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan8 \
passthrough=yes per-connection-classifier=src-address:10/7
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan9 \
passthrough=yes per-connection-classifier=src-address:10/8
add action=mark-connection chain=prerouting connection-state=new disabled=yes \
dst-address-type=!local in-interface=bridge-lan new-connection-mark=wan10 \
passthrough=yes per-connection-classifier=src-address:10/9
add action=mark-routing chain=prerouting connection-mark=wan1 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan3 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan4 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan5 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan5 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan6 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan6 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan7 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan7 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan8 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan8 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan9 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan9 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan10 disabled=yes \
in-interface=bridge-lan new-routing-mark=wan10 passthrough=yes
add action=mark-packet chain=forward comment="For Sonar" dst-address-list=\
"High Capacity Internet" new-packet-mark=High_Capacity_Traffic_Down \
out-interface=bridge-lan passthrough=no
add action=mark-packet chain=forward in-interface=bridge-lan new-packet-mark=\
High_Capacity_Traffic_Up passthrough=no src-address-list=\
"High Capacity Internet"
add action=mark-packet chain=forward dst-address-list="Standard Internet" \
new-packet-mark=Standard_Traffic_Down out-interface=bridge-lan \
passthrough=no
add action=mark-packet chain=forward in-interface=bridge-lan new-packet-mark=\
Standard_Traffic_Up passthrough=no src-address-list="Standard Internet"
add action=mark-routing chain=output comment=Outgoing connection-mark=wan1 \
new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=\
wan2 passthrough=no
add action=mark-routing chain=output connection-mark=wan3 new-routing-mark=\
wan3 passthrough=no
add action=mark-routing chain=output connection-mark=wan4 new-routing-mark=\
wan4 passthrough=no
add action=mark-routing chain=output connection-mark=wan5 new-routing-mark=\
wan5 passthrough=no
add action=mark-routing chain=output connection-mark=wan6 new-routing-mark=\
wan6 passthrough=no
add action=mark-routing chain=output connection-mark=wan7 new-routing-mark=\
wan7 passthrough=no
add action=mark-routing chain=output connection-mark=wan8 new-routing-mark=\
wan8 passthrough=no
add action=mark-routing chain=output connection-mark=wan9 new-routing-mark=\
wan9 passthrough=no
add action=mark-routing chain=output connection-mark=wan10 new-routing-mark=\
wan10 passthrough=no
add action=mark-routing chain=output connection-mark=wan10 dst-address-list=\
l2tp-sonar new-routing-mark=l2tp-sonar passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1-wan1
add action=masquerade chain=srcnat out-interface=sfp2-wan2
add action=masquerade chain=srcnat out-interface=sfp3-wan3
add action=masquerade chain=srcnat out-interface=sfp4-wan4
add action=masquerade chain=srcnat out-interface=sfp5-wan5
add action=masquerade chain=srcnat out-interface=sfp6-wan6
add action=masquerade chain=srcnat out-interface=sfp7-wan7
add action=masquerade chain=srcnat out-interface=sfp8-wan8
add action=masquerade chain=srcnat out-interface=sfp9-wan9
add action=masquerade chain=srcnat out-interface=sfp10-wan10
add action=dst-nat chain=dstnat comment="Preseem SSH" dst-port=22222 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=22
add action=dst-nat chain=dstnat comment="Preseem Cockpit" dst-port=9090 \
in-interface-list=WAN protocol=tcp to-addresses=10.130.1.20 to-ports=9090
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.132.0/24 gateway=192.168.133.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.133.0/24 gateway=192.168.133.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp1-wan1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp2-wan2 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp3-wan3 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp4-wan4 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp5-wan5 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.64.1%sfp6-wan6 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp7-wan7 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp8-wan8 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp9-wan9 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp10-wan10 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp1-wan1 \
pref-src="" routing-table=wan1 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp2-wan2 \
pref-src="" routing-table=wan2 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp3-wan3 \
pref-src="" routing-table=wan3 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp4-wan4 \
pref-src="" routing-table=wan4 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp5-wan5 \
pref-src="" routing-table=wan5 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.64.1%sfp6-wan6 \
pref-src="" routing-table=wan6 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp7-wan7 \
pref-src="" routing-table=wan7 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp8-wan8 \
pref-src="" routing-table=wan8 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp9-wan9 \
pref-src="" routing-table=wan9 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
98.97.96.1%sfp10-wan10 pref-src="" routing-table=wan10 scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp10-wan10 \
routing-table=l2tp-sonar suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=98.97.96.1%sfp9-wan9 \
routing-table=l2tp-sonar suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=myCa disabled=no port=8443
set api disabled=yes
set api-ssl certificate=myCa
/ip ssh
set strong-crypto=yes
/snmp
set contact="Richesin Engineering <jaysen@richesinengineering.com>" enabled=\
yes location="Communications Shelter, Unalakleet, AK [63.89890275724056, -\
160.7788028412428]" trap-community=atbunal
/system clock
set time-zone-autodetect=no time-zone-name=America/Anchorage
/system identity
set name=UnalakleetRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add disabled=yes interval=5m name=QueueTreeUsageCheck on-event=":log info \"Qu\
eueTreeUsageCheck script started\"\r\
\nQueueTreeUsageCheck\r\
\n:log info \"QueueTreeUsageCheck script finished\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-03 start-time=11:04:00
add disabled=yes interval=4w2d name=datareset on-event=\
"/queue tree reset-counters numbers=[find]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-01 start-time=09:33:17
add disabled=yes interval=5m name=runThrottle on-event=\
"/system script run throttle;" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-10-23 start-time=00:00:00
/system script
add dont-require-permissions=no name=rogue-dhcp-scan owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"Found rogue DHCP server at \$[/system clock get date] \$[/syste\
m clock get time] on interface bridge-trunk]\"\r\
\n#Email\r\
\n/tool e-mail send to=\"jaysen@richesinengineering.com\" subject=\"Found \
rogue DHCP server at \$[/system clock get date] \$[/system clock get time]\
\_on interface bridge-trunk\""
add dont-require-permissions=no name=throttle owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local thresholdBytes 161061273600; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"Standard_Download_Sp\
eed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"Standard_Upload_Speed\
\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}\r\
\n\r\
\n:local thresholdBytes 268435456000; \r\
\n\r\
\n:local downloadQueue [/queue tree find where name=\"High_Capacity_Downlo\
ad_Speed\"]\r\
\n:local downloadBytes [/queue tree get \$downloadQueue bytes]\r\
\n:if (\$downloadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$downloadQueue max-limit=12M\r\
\n}\r\
\n\r\
\n:local uploadQueue [/queue tree find where name=\"High_Capacity_Upload_S\
peed\"]\r\
\n:local uploadBytes [/queue tree get \$uploadQueue bytes]\r\
\n:if (\$uploadBytes > \$thresholdBytes) do={\r\
\n /queue tree set \$uploadQueue max-limit=1M\r\
\n}"
add dont-require-permissions=no name=lease-script owner=sysadm policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="i\
f (\$bound=1) do={\
\n \r\
\n/ip route {\
\n \r\
\n\r\
\n:if ([:len [find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interfac\
e\") !dynamic !blackhole routing-table=main]]=0) do={\
\n \r\
\nadd gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n \r\
\n}\
\n \r\
\n\r\
\n:foreach r in=[find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"inter\
face\") !dynamic !blackhole] do={\
\n \r\
\nset \$r gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n \r\
\n}\
\n \r\
\n}\r\
\n\
\n}\
\n"
/tool bandwidth-server
set enabled=no
/tool e-mail
set from="Unalakleet Router" port=2525 server=mail.smtp2go.com tls=yes user=\
alerts@richesinengineering.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=sfp3-wan3 name=tmon1
Yes for the Sonar if you keep connection marks in use (which is what I was expecting), maybe for the VPN. I cannot say why the L2TP was struggling initially and then later after you enabled some mangle rules until we do some tests with an L2TP server dedicated for the testing. The difference between the two is that Sonar is an "inbound call" (Sonar is the initiator, the 2216 is a responder) whereas the L2TP transport session is an "outbounnd call" (the 2216 is an initiator, your company VPN server is a responder). So I have my theories why the outgoing call was struggling before but I want to see them confirmed or denied before giving out my speculations to the internet to remember them forever.To ensure I understand correctly. Once final configuration is done, I shouldn't need to link Sonar and the VPN to a WAN?
This is what I was suggesting and saw the "lukewarm reaction" So apparently it was just a misunderstanding.The plan we have been discussing is to use a VPN tunnel back to our office to assign a static IP as we have our own IP allocations from ARIN. Then we point Sonar to that which should solve that issue.
It's not necessary, as changing that to a numeric IP address would not simplify anything due to other factors. Plus this way you can change the VPN server address if needed without losing the L2TP VPN, even if you may not plan on doing in foreseeable future.I think I also failed to mention earlier in this conversation that our VPN address is in fact on a static IP. ... It's working the way it is setup now but will change it if necessary.
It's again a question how much foreseeable the future is.If you don't mind identifying Sonar connections by the Sonar IP address as you do now, and no requirement for incoming connections landing directly on the WAN IPs will arise, then yes, you can remove connection marks used for routing. In such case yes, we are talking about all the rules that assign connection marks up to in-interface and up to per-connection-classifier. The former can be removed completely, the latter can be changed to assign routing marks directly instead of connection marks. But given what you write just below, let's postpone that change.I don't expect any other inbound connections. We don't plan on hosting any servers so if I am understanding correctly. I can remove those and are we talking about all of the connection marks that I've labeled "incoming" and "PCC"?
Inbound connections via VPN are still inbound connections that need to be responded via the correct interface, but it may be possible to handle this using normal routing so it may not require connection marking; in any case, as soon as private addresses come into play, the issue of overlapping private ranges may pop up and require a solution. No idea what Preseem and QoE is, but SSH from the support guy is an inbound connection, and a cnMaestro in the cloud is another couple of incoming connections. All of them better served if port-forwarded from a fixed IP via the VPN tunnel. SNMP and ICMP may be actually both - traps would likely be sent from 2216 to your NMS server, GETs would be sent by the NMS server to the 2216 so inbound connections to 2216 again. ICMP - I guess this means that the NMS actively pings the 2216 (as I cannot see any pinging of the NMS from the 2216) so yet another inbound connection.What about connections to our NMS monitor that use ICMP and SNMP? It's currently on a cloud-hosted VPS but my plan is to move that into our office so it will be on our VPN. That will also allow us to monitor the customer devices which our current NMS setup can't do as those devices are all on private IP ranges. I have made attempts to connect the cloud VPS to our VPN but haven't had much success with that Also, the Preseem engineer who supports the QoE appliance uses an ssh connection and it also has a web GUI called cockpit which I have port forwards for but that can also be reached over VPN. There is a cnMaestro server running on-site that controls all the Cambium equipment which is accessible only by VPN but I am also working to migrate that to the cloud hosted version like our other clients in Oregon.
No need to apologize, I know this so well...My apologies if my reaction was lukewarm. I was most likely distracted by other issues.
Wireguard has been added early in RouterOS 7, if not from the very beginning. So on a 2216 that cannot run RouterOS 6 I guess it must have been available since unpacking.I am open to either VPN option whichever will best solve that issue. I have thought about setting up the Wireguard seeing that it's supported. I never noticed it in Winbox until I upgraded to the latest RouterOS. Has that always been supported?
Distinguish between the two applications - the VPN for management purposes would benefit from Wireguard's ability to accommodate to the IP address changes on the Unalakleet end, and would not require a dedicated VPS with a high bandwidth. The tunnel for providing a static public IP for everything behind the 2216 (I hesitate to call it a VPN because I think there is no need for privacy as its payload traffic would go directly to internet anyway if not for the tunnel) would require a dedicated VPS or physical server with enough bandwidth and monthly allowance, hence the additional OPEX.We have always used L2TP but certainly open to change. However, the VPS option might not get a great reaction from our Owner/CTO solely based on cost.
It is not a CGNAT address (only 100.64.0.0/10 are Carrier Grade NAT addresses, it's a dedicated range), it is a mere private one, and yes, it looks like the case when the connection to the satellite has not been established yet. I assume the DHCP lease simply contains no default gateway item at all, which I did not anticipate when writing the script. So most likely the $"gateway-address" variable is empty and the rest is a consequence.On another note,... I noticed when it updated the gateway, it only put in the interface name (ie: sfp1-wan1) and there were several of these in the routing table.
Now hold up. The 10.5 GiB of data shown in most mark-routing rules in chain output mean that your device itself is sending tons of its own traffic (not one forwarded from the customers); as it has no reason to do that actively, and as these rules translate connection marks to routing marks so connection marks must have been assigned and they are only assigned up to in-interface, it must be responses to some incoming requests. The concluion is that as you forgot to enable the firewall rules, your 2216 is now probably taking part in DDoS attacks (such as sending long answers to short DNS queries, except that the DNS proxy function is disabled so it must be something else). Fix that ASAP, please, but it may still be too late and those public addresses may have already made it to some public blacklists.screenshot attached.
Remove the existing lease-script and copy-paste the following to the terminal:I'll have to imitate that case and give you an update for the script.
/system script add name=lease-script source=":if (\$bound=1) do={\
\n /ip route {\
\n :if ([:typeof \$\"gateway-address\"]!=\"nothing\") do={\
\n :if ([:len [find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole routing-table=main]]=0) do={\
\n add gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n }\
\n :foreach r in=[find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole] do={\
\n set \$r gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\
\n }\
\n }\
\n }\
\n}\
\n"
Hello Sindy,Now hold up. The 10.5 GiB of data shown in most mark-routing rules in chain output mean that your device itself is sending tons of its own traffic (not one forwarded from the customers); as it has no reason to do that actively, and as these rules translate connection marks to routing marks so connection marks must have been assigned and they are only assigned up to in-interface, it must be responses to some incoming requests. The concluion is that as you forgot to enable the firewall rules, your 2216 is now probably taking part in DDoS attacks (such as sending long answers to short DNS queries, except that the DNS proxy function is disabled so it must be something else). Fix that ASAP, please, but it may still be too late and those public addresses may have already made it to some public blacklists.screenshot attached.
I'll comment on the rest once this is resolved.
This has been done. Thank YouRemove the existing lease-script and copy-paste the following to the terminal:I'll have to imitate that case and give you an update for the script.Code: Select all/system script add name=lease-script source=":if (\$bound=1) do={\ \n /ip route {\ \n :if ([:typeof \$\"gateway-address\"]!=\"nothing\") do={\ \n :if ([:len [find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole routing-table=main]]=0) do={\ \n add gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\ \n }\ \n :foreach r in=[find where dst-address=0.0.0.0/0 gateway~(\"%\".\$\"interface\") !dynamic !blackhole] do={\ \n set \$r gateway=(\$\"gateway-address\".\"%\".\$\"interface\")\ \n }\ \n }\ \n }\ \n}\ \n"
If you haven't changed anything in chain input of /ip/firewall/filter since the last export you've posted, please do the following steps until the first unexpected outcome (or till the end which we hope will be the case).Do you have any recommendations on other firewall rules that may be required that are not on the Wiki or will the defaults be sufficient enough?
That's all done and nothing unexpected happened. Everything appears to be working.If you haven't changed anything in chain input of /ip/firewall/filter since the last export you've posted, please do the following steps until the first unexpected outcome (or till the end which we hope will be the case).Do you have any recommendations on other firewall rules that may be required that are not on the Wiki or will the defaults be sufficient enough?Let me know the outcome before proceeding.
- enable "safe mode"
- enable all the action=accept rules in chain input of filter (i.e. all of them except the last action=drop chain=input comment="Drop everything else" one)
- without closing the existing one or logging off, run another instance of Winbox and connect to the 2216 from there; if successful, close it again
- in the first Winbox instance, check that the rule action=accept chain=input comment="Accept WinBox connections (8291/tcp)" dst-port=8291 protocol=tcp or the action=accept chain=input comment="Accept all connections from allowed_to_router address list" src-address-list=allowed_to_router one did count at least one packet
- if it did, enable the action=drop chain=input comment="Drop everything else" rule
- once again without closing the existing one or logging off, run another instance of Winbox and connect to the 2216 from there; if successful, close it again
- disable "safe mode" in the first Winbox instance
OK. So now, move the action=mark-routing chain=output connection-mark=wan10 dst-address-list=l2tp-sonar new-routing-mark=l2tp-sonar passthrough=no rule to the top of the chain output. Then you can enable all the action=mark-routing rules in prerouting, but keep the action=mark-connection ones matching on per-connection-classifier still disabled. Then enter /ip/firewall/mangle/reset-counters-all on the command line and watch the mangle rule counters grow on the GUI.
Most of the ones in chain output should now grow only slowly, the one now on the top (for l2tp-sonar) should grow faster than the rest.
The action=mark-routing ones in prerouting should stay at 0 packets, 0 bytes at this stage.
The next step will be to enable the action=mark-connection rules matching on per-connection-classifier. I would recommend to start with only one of them (e.g. for WAN 1); its counters should start growing slowly and those of the corresponding mark-routing rule in prerouting should start growing much faster.
/ip/firewall/connection/print interval=1s where connection-mark=wan1 repl-packets>0 should show some live connections, and no complaints should start coming from Unalakleet.
So much about a low-profile testing with minimum impact on the trafficthe action=mark-routing ones in prerouting do not stay at 0 and I lost my connection. I had safe mode enabled so I am back in.
So much about a low-profile testing with minimum impact on the trafficthe action=mark-routing ones in prerouting do not stay at 0 and I lost my connection. I had safe mode enabled so I am back in.
I've missed a small difference between the action=mark-connection rules. In the ones that match on in-interface, the connection-state=new condition is missing. However, while this explains why the action=mark-routing rules did count, it does not explain why you have lost your connection, since the connections have been marked properly - as the per-connection-classifier rules and the mark-routing rules were disabled, the LAN->internet initial packet of each connection went out via some interface chosen by ECMP, so it got src-nated (by masquerade) to the IP of that interface, so the response came in via that interface and the connection got marked accordingly. Hence enforcing that interface by means of the corresponding action=mark-routing rule and the default route in the corresponding routing table should have had no impact on the connection.
How are you connecting the Winbox? Via L2TP, via one of the public IP addresses, or via the PC on the LAN?
I'm afraid I'll have to see it live to understand what is going on.
Haven't you by chance saved the configuration while these rules were in place? Referring to a manual only gives a rough idea but there may have been some minor mistake in what you have actually set.The reason my customer SMs lost connection as did I was due to firewall being too restrictive. I had gone further in the Mikrotik Wiki https://help.mikrotik.com/docs/display/ ... t+Firewall and added in the rules under Protect the LAN devices. Turns out I probably shouldn't have done that yet. Removing those rules restored customer connectivity and I kept the ones under Protect the router enabled.
If you connect Winbox to the private IP assigned to the L2TP client by your VPN server, I can see no way how forward filter rules could affect that path, as both the L2TP payload and the L2TP transport packets are received and sent by the router itself, so they run through input and output chains, respectively. Mystery.I re-enabled all the mark routing rules under prerouting and this time I remain connected.
As to how I connect to the router. I connect to our VPN and then connect to WinBox using it's private IP. I also have a windows jumpbox at the site running remote-pc as a backup
Haven't you by chance saved the configuration while these rules were in place? Referring to a manual only gives a rough idea but there may have been some minor mistake in what you have actually set.The reason my customer SMs lost connection as did I was due to firewall being too restrictive. I had gone further in the Mikrotik Wiki https://help.mikrotik.com/docs/display/ ... t+Firewall and added in the rules under Protect the LAN devices. Turns out I probably shouldn't have done that yet. Removing those rules restored customer connectivity and I kept the ones under Protect the router enabled.
There are ways how to send traffic to devices on private addresses behind a NAT but they require a very cooperative ISP, so normally, the fact that everyting on LAN is on a private address should prevent the LAN devices from getting involved in a DDoS attack as reflectors/amplifiers of traffic getting to them via WAN.
If you connect Winbox to the private IP assigned to the L2TP client by your VPN server, I can see no way how forward filter rules could affect that path, as both the L2TP payload and the L2TP transport packets are received and sent by the router itself, so they run through input and output chains, respectively. Mystery.I re-enabled all the mark routing rules under prerouting and this time I remain connected.
As to how I connect to the router. I connect to our VPN and then connect to WinBox using it's private IP. I also have a windows jumpbox at the site running remote-pc as a backup
Going offline for next few hours.
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
( admin rules )
add action=accept chain=input src-address-list=Admin comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules to keep)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
I tried to get him to just subscribe to a service that can actually strype connections down multiple links and provides him a public IP.I know this is throwing a bunch of your work out the window, but this might make your life a lot simpler....
I don't know about simpler by adding 10 more routers to the network. However, that does look like it would be fun to setup in a lab. I might do that sometime just not with so many WANs. Unfortunately changing everything up at this stage isn't an option.I know this is throwing a bunch of your work out the window, but this might make your life a lot simpler....
Have you thought about buying 10 more small mikrotik routers?
- one for each starlink.
Then put the big router you are using for load balancing and traffic management behind them?
That way each WAN interface on your load balancer could have a different gateway IP, you could more easily assign static routes for traffic you only want to go out one interface, etc etc.
Just a thought...
Screenshot 2023-11-20 094932.png
That's was for a geosynchronous (GEO) satellite transponder (~36Mhz), which be in the ballpark. We use GEO for temp internet and satellite time cost $300-500/hour if not a TDMA shared service.You typed before that the Monthly used to be $36,000 for 100Mb.
To your point, Bigfoot isn't doing anything different here, they just hide the config for you.I am still confused why my idea was rejected out of hand. I must be missing something.
Mikrotik does the same thing as Big Leaf?
To your point, BIGLEAF isn't doing anything different here, they just hide the config for you.
Now you do have a point if was $36k/month...that would cover something like a Pepwave at either end, although they are expensive, you at least own them. Although L2TP (or other VPN) with a VPS/datacenter and Mikrotik does same thing, it's obviously just more config to manage yourself on Mikrotik.
In any bonded/striped multi-wan approach...Mikrotik does the same thing as Big Leaf?
Totally. I'm sure it's fine. Only complaint is there website was light on algorithms/protocol they use, performance specs, and pricing... I just find "SD-WAN" is so loosely-defined to be meaningless & BigLeaf lack of technical details beyond that is what worries me. e.g. If Mikrotik marketing was more aggressive, you could call RouterOS tunnels+mangle+scripts as a "software-defined WAN" too .@Amm0, BigLeaf is just a regular SD-WAN solution with options like public internet access branded “cloud routing”.
If Mikrotik marketing was more aggressive, you could call RouterOS tunnels+mangle+scripts as a "software-defined WAN" too .
I had been hoping that somehow Zerotier would have give me some sort of load balanced single IP..... If Mikrotik marketing was more aggressive, you could call RouterOS tunnels+mangle+scripts as a "software-defined WAN" too .@Amm0, BigLeaf is just a regular SD-WAN solution with options like public internet access branded “cloud routing”.
OK. So now, move the action=mark-routing chain=output connection-mark=wan10 dst-address-list=l2tp-sonar new-routing-mark=l2tp-sonar passthrough=no rule to the top of the chain output. Then you can enable all the action=mark-routing rules in prerouting, but keep the action=mark-connection ones matching on per-connection-classifier still disabled. Then enter /ip/firewall/mangle/reset-counters-all on the command line and watch the mangle rule counters grow on the GUI.
Most of the ones in chain output should now grow only slowly, the one now on the top (for l2tp-sonar) should grow faster than the rest.
The action=mark-routing ones in prerouting should stay at 0 packets, 0 bytes at this stage.
The next step will be to enable the action=mark-connection rules matching on per-connection-classifier. I would recommend to start with only one of them (e.g. for WAN 1); its counters should start growing slowly and those of the corresponding mark-routing rule in prerouting should start growing much faster.
/ip/firewall/connection/print interval=1s where connection-mark=wan1 repl-packets>0 should show some live connections, and no complaints should start coming from Unalakleet.
We finally made it work. What's your current issue with that setup, and what do you need to achieve besides the basic load distribution?How did it end up going?