Community discussions

MikroTik App
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Two internet and set which client use which one

Tue Mar 15, 2022 10:37 pm

I have two internet modem, modem A and modem B, they get internet from different service providers
(Actually they are modem/router!)
Also, I have an access point that Wi-Fi devices may connect to that.
My router is a hap lite MikroTik router, Wi-Fi access point and modem A and modem B and one PC connects to my router four ethernet ports. And Wi-Fi devices connect to Wi-Fi access point or router Wi-Fi (depends on signal strength, Wi-Fi clients may connect to Wi-Fi access point SSID or router Wi-Fi SSID)

I want to do this: Divide devices in two group, group A and group B, all of the clients in group A should access to clients group B and vice versa, but their internet gateway is different:
  • Group A should connect to internet just by modem A, if modem A failed to connect to internet, group A shouldn't have access to internet,
    Group B should connect to internet by modem B, but if modem B failed to connect to internet, group B should have access to internet by modem A.
How can I do that? can I assign different gateways to different devices into the router settings!? remember that I don't want to set any IP settings on devices, everything should be done in router side.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Mar 16, 2022 6:33 pm

Everything stated seems reasonable except for this part............... remember that I don't want to set any IP settings on devices, everything should be done in router side.
Thats not how networking works, all the devices will get leased an IP address on their respective LAN. The access point also requires and IP address.

Now its clear that you really dont want TWO LANS, otherwise, why have each totally accessing each other. I can see that it may be an advantageous approach in terms of separating traffic for the internet as you desire. Finally perhaps there is some other reason for having two networks but I dont know that answer..........

Start with a firewall approach that is basic and clean.
I made some adjustments for your scenario.

/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment"allow intervlan traffic" in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
either
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
OR
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WANA1
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WANB2

If your WANIPs provided by the modem/router are fixed private IPs then the format would be
/ip firewall nat
add action=srcnat chain=srcnat out-interface=WANA1 to-addresses=IP_WanA1
add action=srcnat chain=srcnat out-interface=WANB2 to-addresses=IP_WanB2

Note: Since at least one of the subnets should be capable of using both, there is no point in using source addresses for them.

Ensure the WAN interface includes members WANA1 and WANB2
Ensure the LAN interface includes members vlanAA and vlanBB

Create your two vlans for the subnets (will be easy to implement especially on the wifi side).
interface for vlans is bridge
vlans get ip pool, ip address, dhcp-server, dhcp-server network

Complete /interface bridge port setup (where you assign vlan to WLAN port (access port) for local wifi, assign vlan to local users via etherport (access port) and trunk port to smart devices.
Complete /interface bridge vlan setup
Turn bridge vlan filtering on.

The real magic will be done on IP Routes.
Assuming you have public IPs then you dont even need IP DHCP client
Just assign the two WANIPs in the IP ADDRESS location in the config
add address=10.10.10.1/24 interface=ether1 network=10.10.10.0
add address=20.20.20.1/24 interface=ether2 network=20.20.20.0


/ip routes
dst-address=0.0.0.0/0 gwy=10.10.10.1 table=main distance=10
dst-address=0.0.0.0/0 gwy=20.20.20.1 table=main distance=5 check-ping=gateway

This construct basically say ALL TRAFFIC will go to WanB because it has a shorter distance.
If Wan B is not available all traffic will be switched to WanA, but the router will keep checking to see if WanB comes backup on line and if does then all traffic will go there.

Thus we are partially there. We use simple failover to create the conditions for WANB that meet your requirements. Since all traffic goes to WANB, all WANB users go there.
If WANB fails, they will move to WANA. Check.
Now what about WANA users. We dont want them going to WANB, so we create a special FORCING route for them and thus require a third IP route.

ON version 7 firmware its something like

dst=address=0.0.0.0/0 gwy=10.10.10.1 table=useWAN-A
/routing table fib add name=useWAN-A
/routing rule add src-address=VLANAA/24 action=lookup-only-in-table table=useWAN-A

ON version 6 firmware its something like
dst-address=0.0.0.0/0 gwy=10.10.10.1 routing-mark=useWAN-A
/ip route rule
add action=lookup-only-in-table src-address=VLANAA/24 table=useWAN-A

Note: In both cases if you DID want VLANAA users to be able to access WAN B, if WANA goes down, then simply change action to LOOKUP (vice lookup-only-in table).
They will still be forced to use WANA all the time, unless its down.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To clarify you will have two subnets on your router, is one of them trusted and not guests etc or IOT devices on it etc..........
The trusted one should be the one that the admin resides on and where the admin will configure the devices from and all smart devices will get their IP from this subnet.
If both those vlans are not trusted, then consider a management vlan .
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Mar 16, 2022 6:42 pm

To setup the MT access point switch have a look at this link & example.
viewtopic.php?t=182276
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Thu Mar 17, 2022 8:38 pm

well, I did it finally, this is my config:
Both modem A and modem B are in PPPoE mode and their DHCP is on.
"Irancell" and "Sabanet" are two service provider names
/interface bridge
add name=NULL
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether2 ] name=Irancell
set [ find default-name=ether3 ] name=Laptop
set [ find default-name=ether4 ] name=MiWiFi
set [ find default-name=ether1 ] name=Sabanet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.1-192.168.3.99,192.168.3.101-192.168.3.254
add name=dhcp_pool1 ranges=192.168.4.1-192.168.4.99,192.168.4.101-192.168.4.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=Laptop name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=MiWiFi name=dhcp2
/ip address
add address=192.168.1.100/24 interface=Sabanet network=192.168.1.0
add address=192.168.2.100/24 interface=Irancell network=192.168.2.0
add address=192.168.3.100/24 interface=Laptop network=192.168.3.0
add address=192.168.4.100/24 interface=MiWiFi network=192.168.4.0
/ip dhcp-server lease
add address=192.168.4.93 client-id=1:24:18:1d:cf:c0:69 mac-address=\
    24:18:1D:CF:C0:69 server=dhcp2
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=8.8.8.8 gateway=192.168.3.100
add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.100
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=Sabanet_SUBNET
add address=192.168.2.0/24 list=Irancell_SUBNET
add address=192.168.3.0/24 list=Irancell_users
add address=192.168.4.0/24 list=Sabanet_users
add address=192.168.4.93 list=Irancell_users
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Irancell_SUBNET
add action=accept chain=prerouting dst-address-list=Sabanet_SUBNET
add action=mark-routing chain=prerouting new-routing-mark=TO_IRANCELL \
    passthrough=no src-address-list=Irancell_users
add action=mark-routing chain=prerouting new-routing-mark=TO_SABANET \
    passthrough=no src-address-list=Sabanet_users
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=Sabanet_users
add action=masquerade chain=srcnat src-address-list=Irancell_users
/ip route
add check-gateway=ping comment="Irancell Route" distance=1 gateway=192.168.2.1 \
    routing-mark=TO_IRANCELL
add check-gateway=ping comment="Irancell failover" distance=2 gateway=\
    192.168.1.1 routing-mark=TO_IRANCELL
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=TO_SABANET
add check-gateway=ping disabled=yes distance=1 gateway=192.168.1.1
add check-gateway=ping disabled=yes distance=2 gateway=192.168.2.1
add distance=1 dst-address=4.2.2.1/32 gateway=192.168.2.1
add distance=2 dst-address=4.2.2.1/32 gateway=NULL
/system clock
set time-zone-name=Asia/Tehran
/tool netwatch
add down-script="/ip route set [find comment=\"Irancell failover\"] distance=1\r\
    \n/ip route set [find comment=\"Irancell Route\"] distance=2" host=4.2.2.1 \
    interval=5s up-script="/ip route set [find comment=\"Irancell failover\"] dis\
    tance=2\r\
    \n/ip route set [find comment=\"Irancell Route\"] distance=1"
New problem raised :(
When I'm connected to router and using modem B internet, checking speed using fast.com says the speed is 10mbps. while when I connect directly to modem B, the speed is about 20mbps...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Thu Mar 17, 2022 9:12 pm

Sorry I cant help you.
The config I provided allows one to keep Fastrack and is far simpler.
As soon as you use mangling, one has to disable Fastrack.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Thu Mar 17, 2022 9:32 pm

Sorry I cant help you.
The config I provided allows one to keep Fastrack and is far simpler.
As soon as you use mangling, one has to disable Fastrack.
Thank you anav, honestly I couldn't find out your config completely.
Can you explain it a little bit more?
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Thu Mar 17, 2022 9:48 pm

Create your two vlans for the subnets (will be easy to implement especially on the wifi side).
interface for vlans is bridge
vlans get ip pool, ip address, dhcp-server, dhcp-server network

Complete /interface bridge port setup (where you assign vlan to WLAN port (access port) for local wifi, assign vlan to local users via etherport (access port) and trunk port to smart devices.
Complete /interface bridge vlan setup
Turn bridge vlan filtering on.

The real magic will be done on IP Routes.
Assuming you have public IPs then you dont even need IP DHCP client
Just assign the two WANIPs in the IP ADDRESS location in the config
add address=10.10.10.1/24 interface=ether1 network=10.10.10.0
add address=20.20.20.1/24 interface=ether2 network=20.20.20.0


/ip routes
dst-address=0.0.0.0/0 gwy=10.10.10.1 table=main distance=10
dst-address=0.0.0.0/0 gwy=20.20.20.1 table=main distance=5 check-ping=gateway

This construct basically say ALL TRAFFIC will go to WanB because it has a shorter distance.
If Wan B is not available all traffic will be switched to WanA, but the router will keep checking to see if WanB comes backup on line and if does then all traffic will go there.

Thus we are partially there. We use simple failover to create the conditions for WANB that meet your requirements. Since all traffic goes to WANB, all WANB users go there.
If WANB fails, they will move to WANA. Check.
Now what about WANA users. We dont want them going to WANB, so we create a special FORCING route for them and thus require a third IP route.

ON version 7 firmware its something like

dst=address=0.0.0.0/0 gwy=10.10.10.1 table=useWAN-A
/routing table fib add name=useWAN-A
/routing rule add src-address=VLANAA/24 action=lookup-only-in-table table=useWAN-A

ON version 6 firmware its something like
dst-address=0.0.0.0/0 gwy=10.10.10.1 routing-mark=useWAN-A
/ip route rule
add action=lookup-only-in-table src-address=VLANAA/24 table=useWAN-A

Note: In both cases if you DID want VLANAA users to be able to access WAN B, if WANA goes down, then simply change action to LOOKUP (vice lookup-only-in table).
They will still be forced to use WANA all the time, unless its down.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To clarify you will have two subnets on your router, is one of them trusted and not guests etc or IOT devices on it etc..........
The trusted one should be the one that the admin resides on and where the admin will configure the devices from and all smart devices will get their IP from this subnet.
If both those vlans are not trusted, then consider a management vlan .
I didn't understand this:
interface for vlans is bridge
My 4G modem can not be on bridge mode, it is just support PPPoE mode, what do you mean of bridge interface? We have just 4 interfaces here:
  • WAN1
    WAN2
    LAN1
    LAN2
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Thu Mar 17, 2022 10:40 pm

DONT WORRY ABOUT VLANS, no need as you have two simple subnets and two etherports for those LANS and two separate internet connections.

Okay let me get this straight
You have two internet providers giving you fixed private IPs??? on ether1 and ether 2 respectively
You have two active ethernet ports ether3 to a laptop and ether 4 to an access point ??

You want the ether3 users (LAPTOP) to use the IranCell internet all the time unless it fails and they should switch to Sabanet.
You want the ether4 users (MiWIFI) to ONLY use the Sabanet connection and if that fails, then they have no internet.
One exception. You have one user on the MWIFI network 192.168.4.93/32 that should also access the Irancell internet vice sabat.

You have no Firewall rules for the input chain and forward chain ??????
If not i cannot help as I dont provide assistance if the setup is not secure.
I will assume you simply elected not to show them, which is bad because all the rules are inter-related.
I need to see the complete config.

In any case..................

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Sabanet
add action=masquerade chain=srcnat out-interface=Irancell
-------
If they are indeed fixed IPs this is better.
-------
add action=src-nat chain=srcnat out-interface=Sabanet to-addresses=192.168.1.100
add action=src-nat chain=srcnat out-interface=Irancell to-addresses=192.168.2.100

(need two normal routes and two special routes)
/ip route (items to enter or to configure in winbox)
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway routing-mark=use-Irancell
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10 routing-mark=use-Sabat

/ip route (resultant export view)
add check-gateway=ping comment="Irancell Route" distance=5 gateway=192.168.2.1
add comment="Saban Route" distance=10 gateway=192.168.1.1
add check-gateway=ping comment="Irancell Route" distance=5 gateway=192.168.2.1 routing-mark=use-Irancell
add comment="Saban Route" distance=10 gateway=192.168.1.1 routing-mark=use-Sabat

The two standard IP routes as shown apply to all traffic.
Thus, all traffic will use IranCell as the ISP provider because it has a lower distance. If Irancell is not available all users will be passed to SABAT. The ping check command means the router will keep checking to see when Irancell comes back on line and if it does, will send all users back to the Irancell for internet. This is exactly what you want for ETHER3 laptop users. So far so good.
But we dont want ether4 to use the Irancell internet. Dont fear we will create two more IP routes to ensure LAN traffic goes where it should.

We have two additional routes for specific traffic
The first one associates a route mark to a table we create in a subsequent Routing rule for IranCell
The second one associates a route mark to a table we create in a subsequent Routing rule for Sabat.

(need two route rules associated with special routes - here ORDER is important)
/ip route rule (items to enter or to configure in winbox)
src-address=192.168.4.93/32 action=lookup table=use-Irancell
src-address=192.168.4.0/24 interface=MiWiFi action=lookup-only-in-table table=use-Sabanet

/ip route rule (resultant export view)
add action=lookup src-address=192.168.4.93/32 table=use-Irancell
add action=lookup-only-in-table src-address=192.168.4.0/24 interface=MiWiFi table=use-Sabanet

++++++++++++++++++++++++++++++++++++++++++++++++++

In the Second Route rule what we are saying is that for any traffic from the MiWIFI ethernet (with subnet as shown), do NOT use the standard IP routes in the main table but instead
use the Table we identified by Route Marking in the special IP Route. Thus all miwifi traffic will go out the Sabat WAN.
By using the action "lookup only in table" this means that if Sabat WAN is not available, no traffic will pass, as the router is told DONT find another route for this source of traffic.

Now the first rule should make more sense. Before we tell ALL users on Miwifi to go to Sabat, we have to RESCUE the single user in Ether4, so that they follow the LAPTOP users in terms of internet access. So we tell the Router, for any traffic from that user, send that user through the IranCell internet connection.
By using the lesser restrictive action of only "lookup", this tells the router that if the special IranCell connection is down, the router can look for an alternate routing on the main table. Thus if Sabat is up, the user will go through the Sabat WAN, like the rest of the Irancell users on ether3.
Last edited by anav on Fri Apr 15, 2022 6:11 pm, edited 1 time in total.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Thu Mar 17, 2022 11:45 pm

DONT WORRY ABOUT VLANS, no need as you have two simple subnets and two etheports for those LANS and two separate internet connections.

Okay let me get this straight
You have two internet providers giving you fixed private IPs??? on ether1 and ether 2 respectively
You have two active ethernet ports ether3 to a laptop and ether 4 to an access point ??

You want the ether3 users (LAPTOP) to use the IranCell internet all the time unless it fails and they should switch to Sabanet.
You want the ether4 users (MiWIFI) to ONLY use the Sabanet connection and if that fails, then they have no internet.
One exception. You have one user on the MWIFI network 192.168.4.93/32 that should also access the Irancell internet vice sabat.

You have no Firewall rules for the input chain and forward chain ??????
If not i cannot help as I dont provide assistance if the setup is not secure.
I will assume you simply elected not to show them, which is bad because all the rules are inter-related.
I need to see the complete config.

In any case..................

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Sabanet
add action=masquerade chain=srcnat out-interface=Irancell
-------
If they are indeed fixed IPs this is better.
-------
add action=src-nat chain=srcnat out-interface=Sabanet to-addresses=192.168.1.100
add action=src-nat chain=srcnat out-interface=Irancell to-addresses=192.168.2.100

(need two normal routes and two special routes)
/ip route (items to enter or to configure in winbox)
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway routing-mark=use-Irancell
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10 routing-mark=use-Sabat

/ip route (resultant export view)
add check-gateway=ping comment="Irancell Route" distance=5 gateway=192.168.2.1
add comment="Saban Route" distance=10 gateway=192.168.1.1
add check-gateway=ping comment="Irancell Route" distance=5 gateway=192.168.2.1 routing-mark=use-Irancell
add comment="Saban Route" distance=10 gateway=192.168.1.1 routing-mark=use-Sabat

The two standard IP routes as shown apply to all traffic.
Thus, all traffic will use IranCell as the ISP provider because it has a lower distance. If Irancell is not available all users will be passed to SABAT. The ping check command means the router will keep checking to see when Irancell comes back on line and if it does, will send all users back to the Irancell for internet. This is exactly what you want for ETHER3 laptop users. So far so good.
But we dont want ether4 to use the Irancell internet. Dont fear we will create two more IP routes to ensure LAN traffic goes where it should.

We have two additional routes for specific traffic
The first one associates a route mark to a table we create in a subsequent Routing rule for IranCell
The second one associates a route mark to a table we create in a subsequent Routing rule for Sabat.

(need two route rules associated with special routes - here ORDER is important)
/ip route rule (items to enter or to configure in winbox)
src-address=192.168.4.93/32 action=lookup table=use-Irancell
src-address=192.168.4.0/24 interface=MiWiFi action=lookup-only-in-table table=use-Sabanet

/ip route rule (resultant export view)
add action=lookup src-address=192.168.4.93/32 table=use-Irancell
add action=lookup-only-in-table src-address=192.168.4.0/24 interface=MiWiFi table=use-Sabanet

++++++++++++++++++++++++++++++++++++++++++++++++++

In the Second Route rule what we are saying is that for any traffic from the MiWIFI ethernet (with subnet as shown), do NOT use the standard IP routes in the main table but instead
use the Table we identified by Route Marking in the special IP Route. Thus all miwifi traffic will go out the Sabat WAN.
By using the action "lookup only in table" this means that if Sabat WAN is not available, no traffic will pass, as the router is told DONT find another route for this source of traffic.

Now the first rule should make more sense. Before we tell ALL users on Miwifi to go to Sabat, we have to RESCUE the single user in Ether4, so that they follow the LAPTOP users in terms of internet access. So we tell the Router, for any traffic from that user, send that user through the IranCell internet connection.
By using the lesser restrictive action of only "lookup", this tells the router that if the special IranCell connection is down, the router can look for an alternate routing on the main table. Thus if Sabat is up, the user will go through the Sabat WAN, like the rest of the Irancell users on ether3.

Thank you.
I will try that. the config you provided no need to mangle and it's very better than my current config.

I didn't decide to not show input chain and forward chain. I use the link below for configuration:
https://aacable.wordpress.com/2011/10/2 ... p-address/

and he didn't set any input chain or forward chain rule.

Also I have another question, your failover is good when our PPPoE connection down or when modem couldn't connect to ISP.
But sometimes modem can connect to ISP but got an invalid ip from ISP, (for example when my bandwidth ends)
We need another strategy for failover in order to concern about above case, I use netwatch and change distances in this case, do you have any better idea?

Regards
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 12:05 am

Lets walk before running!
Get the config working the easy way and then we can mess with the IP routes and IP DHCP clients and netwatch after........ One step at a time.
I would much rather get the config working right and the firewall rules right First. Then we have a solid config to build on.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 12:13 am

Lets walk before running!
Get the config working the easy way and then we can mess with the IP routes and IP DHCP clients and netwatch after........ One step at a time.
I would much rather get the config working right and the firewall rules right First. Then we have a solid config to build on.
Everything is great!
I used your config and everything is working as just it should be :)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 12:19 am

More importantly did you understand all that we did??

Now can you confirm if you have static fixed WANIPs, never changes??

To see if one truly has a viable internet connection (past the ISP) one needs to invoke recursive routes.
They are a bit tricky.
Basically you say to the router I would to connect to all internet addresses through the google gateway
At the same time you say to the router I would like to connect to google through my ISP.
The Router is smart enough to figure out that to ensure all internet access can be provided by checking to see if the Google gateway is UP/available,
so it uses the ISP gateway to check if google is indeed up. If so, then traffic flows.

Winbox configuration.
dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=5 scope=30
dst-address=8.8.8.8/32 gateway=ISP gatewayIP distance=5

What it looks like in export config
add check-gateway=ping distance=5 gateway=1.0.0.1 scope=30
add distance=5 dst-address=8.8.8.8/32 gateway=47.54.56.1 scope=10

What it looks like on IP Print > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

AS dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via ISP_Gateway_IP ISP-interface-Name check-gateway=ping>
distance=5 scope=30 target-scope=10

AS dst-address=8.8.8.8/32 gateway=ISP_Gateway_IP gateway-status=ISP_Gateway_IP reachable via ISP-interface-Name distance=5 scope=10
target-scope=10
Last edited by anav on Fri Mar 18, 2022 12:52 am, edited 3 times in total.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 12:20 am

More importantly did you understand all that we did??
Yes.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 12:50 am

To apply to at least the IranCell try this.........
As per my example above!!

Winbox configuration.
dst-address=0.0.0.0/0 gateway=1.0.0.1 check-gateway=ping distance=5 scope=30
dst-address=1.0.0.1/32 gateway=192.168.2.1 distance=5

dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway routing-mark=use-Irancell
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10 routing-mark=use-Sabat
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 1:03 am

To apply to at least the IranCell try this.........
As per my example above!!

Winbox configuration.
dst-address=0.0.0.0/0 gateway=1.0.0.1 check-gateway=ping distance=5 scope=30
dst-address=1.0.0.1/32 gateway=192.168.2.1 distance=5

dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway routing-mark=use-Irancell
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10 routing-mark=use-Sabat
I did that but when I turn of Irancell internet (not the modem itself) failvoer doesn't work.
/ip route
add check-gateway=ping comment="Irancell Route" distance=5 gateway=192.168.2.1 \
    routing-mark=use-Irancell
add comment="Sabanet Route" distance=10 gateway=192.168.1.1 routing-mark=\
    use-Sabanet
add distance=5 gateway=1.0.0.1
add check-gateway=ping comment="Irancell Route" distance=5 gateway=192.168.2.1
add comment="Sabanet Route" distance=10 gateway=192.168.1.1
add check-gateway=ping distance=5 dst-address=1.0.0.1/32 gateway=192.168.2.1
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 1:13 am

I cannot work from snippets,
Please post the entire config.
/export hide-sensitive file=anynameyouwish

Just ensure that you put the config in notepad++ and if applicable , change any ISP WAN IP or WAN gateway IP, so they are not the real ones.......
ex gatewayIP=24.234.56.3 put aa.123.rt.5 but keep it consistent for every such entry, so everything is relatable.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 1:24 am

I cannot work from snippets,
Please post the entire config.
/export hide-sensitive file=anynameyouwish

Just ensure that you put the config in notepad++ and if applicable , change any ISP WAN IP or WAN gateway IP, so they are not the real ones.......
ex gatewayIP=24.234.56.3 put aa.123.rt.5 but keep it consistent for every such entry, so everything is relatable.
I attached.
fullconfig.rsc
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 1:40 am

/interface bridge
add name=NULL

nice choice...
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 1:57 am

/interface bridge
add name=NULL

nice choice...
dude, modern problems require modern solutions.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 2:24 am

To apply to at least the IranCell try this.........
As per my example above!!

Winbox configuration.
dst-address=0.0.0.0/0 gateway=1.0.0.1 check-gateway=ping distance=5 scope=30
dst-address=1.0.0.1/32 gateway=192.168.2.1 distance=5

dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway routing-mark=use-Irancell
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10 routing-mark=use-Sabat
I exactly use these 5 rules. I don't know about other rules scope.
Image
You do not have the required permissions to view the files attached to this post.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 2:38 am

The dynamics rules are added automatically for reach each subnet from the right port.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 2:55 am

To apply to at least the IranCell try this.........
As per my example above!!

Winbox configuration.
dst-address=0.0.0.0/0 gateway=1.0.0.1 check-gateway=ping distance=5 scope=30
dst-address=1.0.0.1/32 gateway=192.168.2.1 distance=5

dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10
dst-address=0.0.0.0/0 gwy=192.168.2.1 distance=5 check-ping=gateway routing-mark=use-Irancell
dst-address=0.0.0.0/0 gwy=192.168.1.1 distance=10 routing-mark=use-Sabat
I exactly use these 5 rules. I don't know about other rules scope.
Sorry, my bad, the failover works. but it takes more than 1 or even 2 minutes to switch to other internet and this is a big time.
I need this to be faster, about 10 seconds or even shorter...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 3:12 am

Heheh funny extended...... nice avatar byline, with you brother!!

First error is easy to spot,you forgot the ACTION in the first route rule.
Route Rules
add action=lookup src-address=192.168.4.252/32 table=use-Irancell
add action=lookup-only-in-table interface=ether4 src-address=192.168.4.0/24 \
table=use-Sabanet


On the routes, you need to add the higher scope for the first rule and you have an extra rule in GREY not required.
I colour mapped the script so you can see the differences more clearly.

The first Route prior to Recursive routing becomes TWO ROUTES (original standard route for irancell)
The second Route prior to Recursive routing remains the same and is now third. (keep standard route for sabanet).
The third and fourth routes remain the same (except now 4th and 5th).
The Routing rules remain the same.

IP Routes
1-add check-gateway=ping distance=5 gateway=8.8.8.8 scope=30
2-add distance=5 dst-address=8.8.8.8/32 gateway=IP (Irancell gateway ip) scope=10
3-add comment="Sabenet Route" distance=10 gateway=IP (sabanet gateway ip)
+++++++++++++++++++++++++++++++++++++++++++++++++++++
4-add comment="Irancell Route" distance=5 gateway=IP (irancell gateway ip) routing-mark=use-Irancell
5-add comment="Sabanet Route" distance=10 gateway=IP (sabanet gateway ip) routing mark=use-Sabanet

+++++++++++++++++++++++++++++++++
for reference your config
/ip route
4-add check-gateway=ping comment="Irancell Route" distance=5 gateway=\
192.168.2.1 routing-mark=use-Irancell

5-add comment="Sabanet Route" distance=10 gateway=192.168.1.1 routing-mark=\
use-Sabanet

extra?-add check-gateway=ping comment="Irancell Route" distance=5 gateway=\
192.168.2.1

1-add check-gateway=ping distance=5 gateway=8.8.8.8
3-add comment="Sabanet Route" distance=10 gateway=192.168.1.1
2-add check-gateway=ping distance=5 dst-address=8.8.8.8/32 gateway=192.168.2.1
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 3:13 am

Fix your script and republish here for viewing..............
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 3:44 am

Fix your script and republish here for viewing..............
I set the action for 192.168.4.252 and 192.168.4.249 but I think it wont show in export. anyway:

/ip route
add comment="Irancell Route" distance=5 gateway=192.168.2.1 routing-mark=\
use-Irancell
add comment="Sabanet Route" distance=10 gateway=192.168.1.1 routing-mark=\
use-Sabanet
add check-gateway=ping distance=5 gateway=1.0.0.1
add comment="Sabenet Route" distance=10 gateway=192.168.1.1
add distance=5 dst-address=1.0.0.1/32 gateway=192.168.2.1 scope=10
/ip route rule
add src-address=192.168.4.252/32 table=use-Irancell
add src-address=192.168.4.249/32 table=use-Irancell
add action=lookup-only-in-table interface=ether4 src-address=192.168.4.0/24 \
table=use-Sabanet

It works for ether3 but for wireless devices, their connection lost when Irancell internet goes down and failover not respond to them
Capture.PNG
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 5:49 am

Your Routes look good,
The routing rule is still missing the action?? That is not normal in any display, it should show!!
It shows in one rule, so why not the other two makes no sense.

Try in Terminal
/ip route rule print

The part that concerns me is that the first route for irancell is in blue, it should be black text which shows its active. Blue does not.........
Will have to think about this tomorrow.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 5:55 am

It works for ether3 but for wireless devices, their connection lost when Irancell internet goes down and failover not respond to them
Remember ether3 is the laptop group which should use irancell all the time and if that fails move to sabanet.
Is this working??

The other group ether4, is the wifi group and they ONLY get internet from sabanet
Is this working??
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 12:17 pm

It works for ether3 but for wireless devices, their connection lost when Irancell internet goes down and failover not respond to them
Remember ether3 is the laptop group which should use irancell all the time and if that fails move to sabanet.
Is this working??

The other group ether4, is the wifi group and they ONLY get internet from sabanet
Is this working??
group ether4, when irancell fails, the wifi users that connected to iracell should switch to sabanet
This is the config now, failover is ok.
but now the problem is that I can not ping ether4 devices through ether3...
for example when I ping an ip from ether4 through ether3 (192.168.4.241) I faced with request timeout error.

It is strange, because dynamic route should route these cases
Capture.PNG
------
I FIND WHY IT HAPPENS
When I disable these three routing list, I can ping, but when they are enabled, I can not ping the src addresses through ether3
This is /io route rule print output:
Flags: X - disabled, I - inactive
0 src-address=192.168.4.252/32 action=lookup table=use-Irancell

1 src-address=192.168.4.249/32 action=lookup table=use-Irancell

2 src-address=192.168.4.0/24 interface=ether4 action=lookup-only-in-table
table=use-Sabane
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Mar 18, 2022 1:18 pm

Well pinging is not a use case but more a testing tool.
What is it that you need the users to be able to do.
That will help assess any changes needed.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Mar 18, 2022 1:33 pm

Well pinging is not a use case but more a testing tool.
What is it that you need the users to be able to do.
That will help assess any changes needed.
I have a DVR that I connected to AP by LAN cable. and AP is connected to router by ether4
I want to see DVR cameras through my laptop (ether3)
So I need to ping 192.168.4.241 through ether3.

Also, sometimes I want to download some of files in my laptop (ether3) through wifi devices which are connected to ether4.
I started a local server on my laptop. assume that my laptop IP is 192.168.3.245, I need to can go to 192.168.3.245:80 from all wifi devices and see my local host and the files in that
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Fri Apr 15, 2022 4:45 pm

Well pinging is not a use case but more a testing tool.
What is it that you need the users to be able to do.
That will help assess any changes needed.
I have a DVR that I connected to AP by LAN cable. and AP is connected to router by ether4
I want to see DVR cameras through my laptop (ether3)
So I need to ping 192.168.4.241 through ether3.

Also, sometimes I want to download some of files in my laptop (ether3) through wifi devices which are connected to ether4.
I started a local server on my laptop. assume that my laptop IP is 192.168.3.245, I need to can go to 192.168.3.245:80 from all wifi devices and see my local host and the files in that
Any Idea?
I still have this problem and no solution found
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Fri Apr 15, 2022 6:18 pm

Ether3 to Ether4 has nothing to do with IP routes but is simple LAN to LAN traffic.
Since the firewall rules (you do not have any) do not stop the router from routing between them at layer 3 there is no reason for that traffic to be blocked.

Also, the routes are available in your IP routes for ether3 and ether4 to send traffic back and forth so there is no blockage there either.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Sat Apr 16, 2022 8:44 pm

Ether3 to Ether4 has nothing to do with IP routes but is simple LAN to LAN traffic.
Since the firewall rules (you do not have any) do not stop the router from routing between them at layer 3 there is no reason for that traffic to be blocked.

Also, the routes are available in your IP routes for ether3 and ether4 to send traffic back and forth so there is no blockage there either.
Well this is my config, when I ping ether3 devices through ether4 devices or vice-versa I can not get response
Update: When I disable the two route rules everything is ok but when I enable it I can not ping
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether4 name=dhcp2
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add disabled=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=1.1.1.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=1.1.1.1 gateway=192.168.4.1
/ip dns
set servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add check-gateway=ping distance=5 gateway=192.168.2.1 routing-mark=\
    use-Irancell
add check-gateway=ping distance=10 gateway=192.168.1.1 routing-mark=\
    use-Sabanet
add check-gateway=ping distance=5 gateway=192.168.2.1
add distance=10 gateway=192.168.1.1
/ip route rule
add src-address=192.168.4.237/32 table=use-Irancell
add action=lookup-only-in-table interface=ether4 src-address=192.168.4.0/24 \
    table=use-Sabanet
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Sat Apr 16, 2022 9:17 pm

Probably not related but modify the routes slightly (the secondary route and associate duplicate with route marking dont need check ping etc..)
add check-gateway=ping distance=5 gateway=192.168.2.1
add distance=10 gateway=192.168.1.1
add check-gateway=ping distance=5 gateway=192.168.2.1 routing-mark=\
use-Irancell
add distance=10 gateway=192.168.1.1 routing-mark=use-Sabanet


This route is still missing the action??
/ip route rule
add
action=???? src-address=192.168.4.237/32 table=use-Irancell
add action=lookup-only-in-table interface=ether4 src-address=192.168.4.0/24 \
table=use-Sabanet


Also you dont necessarily need interface=ether4 in the second route rule, remove that, just to see if it makes any difference (grasping at straws here).

The config does not look complete, do you have any /Interface or /interface members entries???
Also want to have another look at firewall rules........
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Sat Apr 16, 2022 10:00 pm

Probably not related but modify the routes slightly (the secondary route and associate duplicate with route marking dont need check ping etc..)
add check-gateway=ping distance=5 gateway=192.168.2.1
add distance=10 gateway=192.168.1.1
add check-gateway=ping distance=5 gateway=192.168.2.1 routing-mark=\
use-Irancell
add distance=10 gateway=192.168.1.1 routing-mark=use-Sabanet


This route is still missing the action??
/ip route rule
add
action=???? src-address=192.168.4.237/32 table=use-Irancell
add action=lookup-only-in-table interface=ether4 src-address=192.168.4.0/24 \
table=use-Sabanet


Also you dont necessarily need interface=ether4 in the second route rule, remove that, just to see if it makes any difference (grasping at straws here).

The config does not look complete, do you have any /Interface or /interface members entries???
Also want to have another look at firewall rules........
I don't know why config is not complete, I use /export compact
But this time I used /export verbose, here is the output:
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    DC:2C:6E:03:BC:C4 mtu=1500 name=ether1 orig-mac-address=DC:2C:6E:03:BC:C4 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    DC:2C:6E:03:BC:C5 mtu=1500 name=ether2 orig-mac-address=DC:2C:6E:03:BC:C5 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    DC:2C:6E:03:BC:C6 mtu=1500 name=ether3 orig-mac-address=DC:2C:6E:03:BC:C6 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    DC:2C:6E:03:BC:C7 mtu=1500 name=ether4 orig-mac-address=DC:2C:6E:03:BC:C7 \
    rx-flow-control=off speed=100Mbps tx-flow-control=off
/interface pwr-line
set [ find default-name=pwr-line1 ] arp=enabled arp-timeout=auto bandwidth=\
    unlimited/unlimited disabled=no l2mtu=1598 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    DC:2C:6E:03:BC:C8 mtu=1500 name=pwr-line1 orig-mac-address=\
    DC:2C:6E:03:BC:C8 rx-flow-control=off tx-flow-control=off
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no \
    eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled \
    management-protection-key="" mode=none mschapv2-password="" \
    mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
    none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
    "" wpa2-pre-shared-key=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    2 area="" arp=enabled arp-timeout=auto band=2ghz-b/g basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20mhz \
    compression=no country=etsi default-ap-tx-limit=0 default-authentication=\
    yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=yes disconnect-timeout=3s distance=\
    dynamic frame-lifetime=0 frequency=2412 frequency-mode=regulatory-domain \
    frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=any \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=DC:2C:6E:03:BC:C9 max-station-count=2007 mode=station mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan1 \
    noise-floor-threshold=default nv2-cell-radius=30 nv2-downlink-ratio=50 \
    nv2-mode=dynamic-downlink nv2-noise-floor-offset=default \
    nv2-preshared-key="" nv2-qos=default nv2-queue-count=2 nv2-security=\
    disabled nv2-sync-secret="" on-fail-retry-time=100ms preamble-mode=both \
    radio-name=DC2C6E03BCC9 rate-selection=advanced rate-set=default \
    rx-chains=0,1 scan-list=default secondary-channel="" security-profile=\
    default skip-dfs-channels=disabled ssid=MikroTik \
    station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=disabled \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 \
    tx-chains=0,1 tx-power-mode=default update-stats-interval=disabled \
    vlan-id=1 vlan-mode=no-tag wds-cost-range=50-150 wds-default-bridge=none \
    wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
    wireless-protocol=any wmm-support=disabled wps-mode=push-button
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=yes disabled=no interface=ether3 \
    lease-script="" lease-time=10m name=dhcp1 use-radius=no
add address-pool=dhcp_pool1 authoritative=yes disabled=no interface=ether4 \
    lease-script="" lease-time=10m name=dhcp2 use-radius=no
/ppp profile
set *0 address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=default on-down="" on-up="" only-one=default !outgoing-filter \
    !parent-queue !queue-type !rate-limit !remote-address !session-timeout \
    use-compression=default use-encryption=default use-mpls=default use-upnp=\
    default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon !bridge-path-cost \
    !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=yes use-mpls=\
    default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set pwr-line1 queue=only-hardware-queue
set wlan1 queue=wireless-default
/routing bgp instance
set default as=65530 client-to-client-reflection=yes !cluster-id \
    !confederation disabled=no ignore-as-path-len=no name=default out-filter=\
    "" redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=\
    no redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
    routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never !domain-id \
    !domain-tag in-filter=ospf-in metric-bgp=auto metric-connected=20 \
    metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 \
    !mpls-te-area !mpls-te-router-id name=default out-filter=ospf-out \
    redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
    !routing-table !use-dn
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-password="" \
    authentication-protocol=MD5 disabled=no encryption-password="" \
    encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude" skin=\
    default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude" skin=\
    default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,tikapp,!dude" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
    require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=static
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=\
    yes send-redirects=yes tcp-syncookies=no
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set allow-fast-path=no authentication=pap,chap,mschap1,mschap2 \
    caller-id-type=ip-address default-profile=default-encryption enabled=no \
    ipsec-secret="" keepalive-timeout=30 max-mru=1450 max-mtu=1450 \
    max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface ovpn-server server
set auth=sha1,md5 cipher=blowfish128,aes128 default-profile=default enabled=\
    no keepalive-timeout=60 mac-address=FE:D1:A5:26:D4:E9 max-mtu=1500 mode=\
    ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no force-aes=no keepalive-timeout=60 max-mru=1500 \
    max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any \
    verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
    caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
    interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.3.1/24 disabled=no interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 disabled=no interface=ether4 network=192.168.4.0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options=\
    hostname,clientid disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=yes default-route-distance=1 dhcp-options=\
    hostname,clientid disabled=no interface=ether2 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server config
set accounting=yes interim-update=0s store-leases-disk=5m
/ip dhcp-server network
add address=192.168.3.0/24 caps-manager="" dhcp-option="" dns-server=1.1.1.1 \
    gateway=192.168.3.1 ntp-server="" wins-server=""
add address=192.168.4.0/24 caps-manager="" dhcp-option="" dns-server=1.1.1.1 \
    gateway=192.168.4.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
    servers=1.1.1.1 use-doh-server="" verify-doh-cert=no
/ip firewall nat
add action=masquerade chain=srcnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list out-interface=ether1 \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-mss !time !tls-host !to-addresses !to-ports !ttl
add action=masquerade chain=srcnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list out-interface=ether2 \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !routing-table \
    !src-address !src-address-list !src-address-type !src-mac-address \
    !src-port !tcp-mss !time !tls-host !to-addresses !to-ports !ttl
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip route
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend check-gateway=ping disabled=no \
    distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 !route-tag \
    routing-mark=use-Irancell scope=30 target-scope=10
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=10 \
    dst-address=0.0.0.0/0 gateway=192.168.1.1 !route-tag routing-mark=\
    use-Sabanet scope=30 target-scope=10
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend check-gateway=ping disabled=no \
    distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 !route-tag \
    !routing-mark scope=30 target-scope=10
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
    !bgp-med !bgp-origin !bgp-prepend !check-gateway disabled=no distance=10 \
    dst-address=0.0.0.0/0 gateway=192.168.1.1 !route-tag !routing-mark scope=\
    30 target-scope=10
/ip route rule
add action=lookup disabled=no !dst-address !interface !routing-mark \
    src-address=192.168.4.237/32 table=use-Irancell
add action=lookup-only-in-table disabled=no !dst-address !interface \
    !routing-mark src-address=192.168.4.0/24 table=use-Sabanet
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=8k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-src-address=yes nat-src-port=yes out-interface=\
    yes packets=yes protocol=yes src-address=yes src-address-mask=yes \
    src-mac-address=yes src-port=yes tcp-ack-num=yes tcp-flags=yes \
    tcp-seq-num=yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
    use-radius=no
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-community=public \
    trap-generators=temp-exception trap-target="" trap-version=1
/system clock
set time-zone-autodetect=yes time-zone-name=Asia/Tehran
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0 server-dns-names=""
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=\
    bootp force-backup-booter=no protected-routerboot=disabled \
    reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
    100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 start-tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00 secrets=""
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all \
    secrets=""
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no \
    secret="" sim-pin=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-interface="" filter-ip-address="" filter-ip-protocol="" \
    filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
    filter-operator-between-entries=or filter-port="" filter-size="" \
    filter-stream=no memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=yes \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Sat Apr 16, 2022 10:32 pm

tiridano, you should disable all those unsecure router services, telnet, FTP, www etc,
if you are going to use SSH, make sure its set to strong crypto!

also all the /ip firewall service-port ports should be disabled.......if not being used!!


Worked this time, just use export, no need to state compact, verbose is really hard on the eyes LOL.
/ip route rule
add action=lookup disabled=no \
src-address=192.168.4.237/32 table=use-Irancell
add action=lookup-only-in-table disabled=no \
src-address=192.168.4.0/24 table=use-Sabanet

Your INTERFACE LIST is empty
Your INTERFACE LIST members is empty
YOU HAVE NO FIREWALL RULES??

However, I dont see what would block traffic between different subnets with no firewall rules.
One would assume the router would be able to route between them at layer 3??
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Sun Apr 17, 2022 7:39 pm

tiridano, you should disable all those unsecure router services, telnet, FTP, www etc,
if you are going to use SSH, make sure its set to strong crypto!

also all the /ip firewall service-port ports should be disabled.......if not being used!!


Worked this time, just use export, no need to state compact, verbose is really hard on the eyes LOL.
/ip route rule
add action=lookup disabled=no \
src-address=192.168.4.237/32 table=use-Irancell
add action=lookup-only-in-table disabled=no \
src-address=192.168.4.0/24 table=use-Sabanet

Your INTERFACE LIST is empty
Your INTERFACE LIST members is empty
YOU HAVE NO FIREWALL RULES??

However, I dont see what would block traffic between different subnets with no firewall rules.
One would assume the router would be able to route between them at layer 3??
Yes I don't have interface list and I don't have any firewall rules...
Should I have?

I really don't know why I can not ping other subnet, this is really annoying, I'm thinking to switch to using mangle rule
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Sun Apr 17, 2022 8:02 pm

if the router is facing the internet directly YES!!!
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Sun Apr 17, 2022 8:08 pm

if the router is facing the internet directly YES!!!
The router is not facing the internet directly.
It connected to modem A and modem B through LAN 1 and LAN 2 port and get IP from modem A and modem B (I run two dhcp client on LAN 1 and LAN 2 port)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Sun Apr 17, 2022 8:52 pm

Well they are not modems, they are at least modem/routers giving you a private IP address.
I would like to assume they have some firewall in place and at least you have some nat protection but personally I would setup mine up as router with full firewall,
otherwise one could just use the MT device as a switch LOL.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Sun Apr 17, 2022 11:10 pm

Well they are not modems, they are at least modem/routers giving you a private IP address.
I would like to assume they have some firewall in place and at least you have some nat protection but personally I would setup mine up as router with full firewall,
otherwise one could just use the MT device as a switch LOL.
When I remove 2 ip route rules everything is ok and I can do ping
So the problem is not from firewall...
The problem is in route rules...
Or maybe we should add some extra route
 
marysmithd
just joined
Posts: 1
Joined: Mon Apr 18, 2022 11:28 pm

Re: Two internet and set which client use which one

Mon Apr 18, 2022 11:35 pm

tiridano, you should disable all those unsecure router services, telnet, FTP, www etc,
if you are going to use SSH, make sure its set to strong crypto!

also all the /ip firewall service-port ports should be disabled.......if not being used!!


Worked this time, just use export, no need to state compact, verbose is really hard on the eyes LOL.
/ip route rule
add action=lookup disabled=no \
src-address=192.168.4.237/32 table=use-Irancell
add action=lookup-only-in-table disabled=no \
src-address=192.168.4.0/24 table=use-Sabanet

Your INTERFACE LIST is empty
Your INTERFACE LIST members is empty
YOU HAVE NO FIREWALL RULES??

However, I dont see what would block traffic between different subnets with no firewall rules.
One would assume the router would be able to route between them at layer 3??
Is it help to resolve the issue?
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Wed Apr 20, 2022 12:18 am

Well they are not modems, they are at least modem/routers giving you a private IP address.
I would like to assume they have some firewall in place and at least you have some nat protection but personally I would setup mine up as router with full firewall,
otherwise one could just use the MT device as a switch LOL.
When I remove 2 ip route rules everything is ok and I can do ping
So the problem is not from firewall...
The problem is in route rules...
Or maybe we should add some extra route
Eureka!!
As I said the problem was from two route rules, every packet from 192.168.4.0/0 was routing through one of "use-Irancell" or "use-Sabanet" table, but we need add a first route for packets that goes through local devices this solves the problem!
As you see, I add the dst-address specified route before all of routes and everything is ok :)

/ip route rule
add dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table src-address=192.168.4.230/32 table=\
use-Irancell
add src-address=192.168.4.0/24 table=use-Sabanet
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Apr 20, 2022 12:36 am

But why.
For instance you have two standard route rules for your two ISP gateways.
add check-gateway=ping distance=5 gateway=192.168.2.1 table=main
add distance=10 gateway=192.168.1.1 table=main


Therefore you were not missing anything for external outbound traffic.
The problem could be that you were missing routes for internal traffic................ that is what you are explaining I think.

But that is not possible because the internal routes for traffic although they wouldnt show up on a config would show up on the IP Route page of winbox...
They have to be there due to this....... as this is where the router will pull the internal routes from!!
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0


Therefore what I would like to see is two pictures of your IP ROUTES PAGE
ONE WITH THAT RULE INSERTED and ONE WITHOUT to see what actually shows up for all routes...........

If you dont use winbox, then use CLI on New Terminal and take a picture of that LOL.

/ip route print detail
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Wed Apr 20, 2022 1:11 am

But why.
For instance you have two standard route rules for your two ISP gateways.
add check-gateway=ping distance=5 gateway=192.168.2.1 table=main
add distance=10 gateway=192.168.1.1 table=main


Therefore you were not missing anything for external outbound traffic.
The problem could be that you were missing routes for internal traffic................ that is what you are explaining I think.

But that is not possible because the internal routes for traffic although they wouldnt show up on a config would show up on the IP Route page of winbox...
They have to be there due to this....... as this is where the router will pull the internal routes from!!
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0


Therefore what I would like to see is two pictures of your IP ROUTES PAGE
ONE WITH THAT RULE INSERTED and ONE WITHOUT to see what actually shows up for all routes...........

If you dont use winbox, then use CLI on New Terminal and take a picture of that LOL.

/ip route print detail

here you go:
Capture.PNG
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Apr 20, 2022 1:26 am

Okay and what about the same picture that includes the new routes you created,

Also something doesnt look right to me,
I am wondering why your WAN routes are showing up as DAC???
specifically the
192.168.1.0
192.168.2.0

Thats messed up they shouldnt be there - those normally come from the IP address part of the config????
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Apr 20, 2022 1:36 am

Okay this might be part of the problem,
Remember we created the four routes manually.....

One for each route and then one to tie in with route rules....
The problem is we have extra ones............

Those two DAC rules for ether1 and ether2.
DUE TO THIS

/ip dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options=\
hostname,clientid disabled=no interface=ether1 use-peer-dns=no \
use-peer-ntp=no
add add-default-route=yes default-route-distance=1 dhcp-options=\
hostname,clientid disabled=no interface=ether2 use-peer-dns=no \
use-peer-ntp=no



Go into IP DHCP client and change those to NO!

I will bet those extra rules you came with will NOT be needed.
Also print another picture with the fixes made!!
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Wed Apr 20, 2022 1:42 am

Okay and what about the same picture that includes the new routes you created,

Also something doesnt look right to me,
I am wondering why your WAN routes are showing up as DAC???
specifically the
192.168.1.0
192.168.2.0

Thats messed up they shouldnt be there - those normally come from the IP address part of the config????
I didn't add any new route, I add new rules
Capture.PNG
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Apr 20, 2022 2:13 am

Remove the 192.168.0.0/16 RULE,
you dont need it.............

Instead go to IP DHCP client and set the add default routes to NO, for both WAN entries, ---> that is what is interfering...
You have six routes, four manual and two dynamic, and you only need the four manual ones that you created.

...
extraR.jpg
You do not have the required permissions to view the files attached to this post.
 
tirdano
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Two internet and set which client use which one

Wed Apr 20, 2022 2:39 am

Remove the 192.168.0.0/16 RULE,
you dont need it.............

Instead go to IP DHCP client and set the add default routes to NO, for both WAN entries, ---> that is what is interfering...
You have six routes, four manual and two dynamic, and you only need the four manual ones that you created.

...
extraR.jpg
I did what you said but even when I disable add-default-route option the default route added to router
Capture.PNG
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Apr 20, 2022 2:41 am

As long as NO is selected under IP DHCP settings, that is fine.
Do you still need to add the extra route rule, now??

and to confirm, the problem is that you cannot reach LAN-A from LAN-B or LAN-B from LAN-A?

If that is the case it makes little sense to me because as you can see you have available routes for 192.168.3.0/24 and 192.168.4.0/24
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Two internet and set which client use which one

Wed Apr 20, 2022 2:48 am

Repost your latest config once done.

/export hide-sensitive file=anynameyouwish ( do not use compact or verbose)

Who is online

Users browsing this forum: 0xAA55, adrianmartin16, donmunyak and 49 guests