Lokamaya
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

RouterOS v7.5 Basic Question: /Routing/Rules

Fri Sep 16, 2022 3:32 pm

Hi all,

Just upgraded my hEX from v6.49 to v7.5 and found it is a little bit different regarding dual ISP handling.

I've read the routing tutorial here https://help.mikrotik.com/docs/display/ROS/Routing and also some other examples on YouTube, but still don't get the basic concept of routing rules. Here are some silly questions:

[attachment: mikrotik - routing rules.jpg]

1. Are routing rules applied sequentially? (see picture above)
2. If I don't use mangle, how do I get a "Routing Mark"? In this tutorial https://help.mikrotik.com/docs/display/ ... cy+Routing it's said that "It is not recommended to use both methods (mangle and rules) at the same time or you should know exactly what you are doing.". To be honest, I don't know what I should do :?
3. If I access the MK from the WAN through pppoe-WAN1, do I still need mangle to mark my connection?

I tried some examples to make Policy Based Routing work in RoS v7.5 as I did in RoS v6, but I'm not satisfied with the result. I also tried PBR + failover + recursive routing without success. So, now I have only applied PBR on my hEX.

Thank you
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Fri Sep 16, 2022 5:09 pm

Cannot comment unless
a. full config ( less any public wanip info or serial number)
b. network diagram
c. Most important ---> Requirements, why are you mangling in the first place ?????? Use case needs, could care less about config minutia at this point.
 
Lokamaya
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sat Sep 17, 2022 5:47 am

Hi, thanks Anav...
Here is my RouterOS v7.5 setup on the hEX RB750Gr3. This router is connected directly to the CRS326-24G-2S+, which is the main switch-router.


###############################################################################
# RouterOS 7.5 on hEX RB750Gr3
###############################################################################

#######################################
# BASIC
#######################################

/system identity set name="OFFICE-ROUTER"

/system clock
set time-zone-name=Asia/Jakarta

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

#######################################
# INTERFACE, BRIDGE, VLAN
#######################################
# Overview:
# 99   = MGMT - 10.199.99.0/25
# 5    = NDI HOST/STREAMING CHANNEL - 10.199.155.0/24
# 10+  = OFFICE        - 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/22
# 100+ = JUNIOR HIGH SCHOOL - 192.168.100.0/24, 192.168.110.0/24 (teacher), 192.168.120.0/22 (student)
# 200+ = SENIOR HIGH SCHOOL - 192.168.100.0/24, 192.168.210.0/24 (teacher), 192.168.220.0/22 (student)
# 345  = GUEST-OFFICE - 172.23.45.0/23
# 789  = GUEST-SCHOOL - 172.27.89.0/23
# 1777 = Voice - 172.17.77.0/24
# 1888 = IoT   - 172.18.88.0/24
# 1999 = CCTV  - 172.19.99.0/24
# 
#######################################

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-bondCRS
set [ find default-name=ether4 ] name=ether4-bondCRS
set [ find default-name=ether5 ] name=ether5-backup

/interface bonding
add name=portBond_3-4 mode=802.3ad slaves=ether3-bondCRS,ether4-bondCRS

/interface bridge
add name=BR-BACKBONE protocol-mode=mstp pvid=99 vlan-filtering=no

/interface bridge port
add bridge=BR-BACKBONE pvid=99 interface=portBond_3-4
add bridge=BR-BACKBONE pvid=99 interface=ether5-backup

/interface bridge vlan
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=99
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=5
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=10
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=20
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=30
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=100
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=110
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=120
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=200
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=210
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=220
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=345
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=789
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=1777
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=1888
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=1999

/interface vlan
add interface=BR-BACKBONE name=VLAN_MGMT vlan-id=99
add interface=BR-BACKBONE name=VLAN_5    vlan-id=5
add interface=BR-BACKBONE name=VLAN_10   vlan-id=10
add interface=BR-BACKBONE name=VLAN_20   vlan-id=20
add interface=BR-BACKBONE name=VLAN_30   vlan-id=30
add interface=BR-BACKBONE name=VLAN_100  vlan-id=100
add interface=BR-BACKBONE name=VLAN_110  vlan-id=110
add interface=BR-BACKBONE name=VLAN_120  vlan-id=120
add interface=BR-BACKBONE name=VLAN_200  vlan-id=200
add interface=BR-BACKBONE name=VLAN_210  vlan-id=210
add interface=BR-BACKBONE name=VLAN_220  vlan-id=220
add interface=BR-BACKBONE name=VLAN_345  vlan-id=345
add interface=BR-BACKBONE name=VLAN_789  vlan-id=789
add interface=BR-BACKBONE name=VLAN_1777 vlan-id=1777
add interface=BR-BACKBONE name=VLAN_1888 vlan-id=1888
add interface=BR-BACKBONE name=VLAN_1999 vlan-id=1999

#######################################
# IP addresses
#######################################

/ip address 
add interface=VLAN_MGMT address=10.199.99.1/25
add interface=VLAN_5    address=10.199.155.1/24
add interface=VLAN_10   address=192.168.10.1/24
add interface=VLAN_20   address=192.168.20.1/24
add interface=VLAN_30   address=192.168.30.1/23
add interface=VLAN_100  address=192.168.100.1/24
add interface=VLAN_110  address=192.168.110.1/24
add interface=VLAN_120  address=192.168.120.1/22
add interface=VLAN_200  address=192.168.200.1/24
add interface=VLAN_210  address=192.168.210.1/24
add interface=VLAN_220  address=192.168.220.1/22
add interface=VLAN_345  address=172.23.45.1/23
add interface=VLAN_789  address=172.27.89.1/23
add interface=VLAN_1777 address=172.17.77.1/24
add interface=VLAN_1888 address=172.18.18.1/24
add interface=VLAN_1999 address=172.19.19.1/24

/ip pool 
add name=POOL_99   ranges=10.199.99.30-10.199.99.99
add name=POOL_5    ranges=10.199.155.10-10.199.155.200
add name=POOL_10   ranges=192.168.10.10-192.168.10.254
add name=POOL_20   ranges=192.168.20.10-192.168.20.254
add name=POOL_30   ranges=192.168.30.10-192.168.31.254
add name=POOL_100  ranges=192.168.100.10-192.168.100.254
add name=POOL_110  ranges=192.168.110.10-192.168.110.254
add name=POOL_120  ranges=192.168.120.10-192.168.122.254
add name=POOL_200  ranges=192.168.200.10-192.168.200.254
add name=POOL_210  ranges=192.168.210.10-192.168.210.254
add name=POOL_220  ranges=192.168.220.10-192.168.222.254
add name=POOL_345  ranges=172.23.44.1-172.23.45.0,172.23.45.2-172.23.45.254
add name=POOL_789  ranges=172.27.88.1-172.27.89.0,172.27.89.2-172.27.89.254
add name=POOL_1777 ranges=172.17.17.10-172.17.17.254
add name=POOL_1888 ranges=172.18.18.10-172.18.18.254
add name=POOL_1999 ranges=172.19.19.10-172.19.19.254

/ip dhcp-server 
add address-pool=POOL_99   interface=VLAN_MGMT name=DHCP_MGMT disabled=no
add address-pool=POOL_5    interface=VLAN_5    name=DHCP_VL5    disabled=no
add address-pool=POOL_10   interface=VLAN_10   name=DHCP_VL10   disabled=no
add address-pool=POOL_20   interface=VLAN_20   name=DHCP_VL20   disabled=no
add address-pool=POOL_30   interface=VLAN_30   name=DHCP_VL30   disabled=no
add address-pool=POOL_100  interface=VLAN_100  name=DHCP_VL100  disabled=no
add address-pool=POOL_110  interface=VLAN_110  name=DHCP_VL110  disabled=no
add address-pool=POOL_120  interface=VLAN_120  name=DHCP_VL120  disabled=no
add address-pool=POOL_200  interface=VLAN_200  name=DHCP_VL200  disabled=no
add address-pool=POOL_210  interface=VLAN_210  name=DHCP_VL210  disabled=no
add address-pool=POOL_220  interface=VLAN_220  name=DHCP_VL220  disabled=no
add address-pool=POOL_345  interface=VLAN_345  name=DHCP_VL345  disabled=no
add address-pool=POOL_789  interface=VLAN_789  name=DHCP_VL789  disabled=no
add address-pool=POOL_1777 interface=VLAN_1777 name=DHCP_VL1777 disabled=no
add address-pool=POOL_1888 interface=VLAN_1888 name=DHCP_VL1888 disabled=no
add address-pool=POOL_1999 interface=VLAN_1999 name=DHCP_VL1999 disabled=no      

/ip dhcp-server network 
add address=10.199.99.0/25   dns-server=10.199.99.1 gateway=10.199.99.1
add address=10.199.155.0/24  dns-server=10.199.99.1 gateway=10.199.155.1
add address=192.168.10.0/24  dns-server=10.199.99.1 gateway=192.168.10.1
add address=192.168.20.0/24  dns-server=10.199.99.1 gateway=192.168.20.1
add address=192.168.30.0/24  dns-server=10.199.99.1 gateway=192.168.30.1
add address=192.168.100.0/24 dns-server=10.199.99.1 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=10.199.99.1 gateway=192.168.110.1
add address=192.168.120.0/24 dns-server=10.199.99.1 gateway=192.168.120.1
add address=192.168.200.0/24 dns-server=10.199.99.1 gateway=192.168.200.1
add address=192.168.210.0/24 dns-server=10.199.99.1 gateway=192.168.210.1
add address=192.168.220.0/24 dns-server=10.199.99.1 gateway=192.168.220.1
add address=172.23.45.0/23   dns-server=10.199.99.1 gateway=172.23.45.1
add address=172.27.89.0/23   dns-server=10.199.99.1 gateway=172.27.89.1
add address=172.17.77.0/24   dns-server=10.199.99.1 gateway=172.17.77.1
add address=172.18.18.0/24   dns-server=10.199.99.1 gateway=172.18.18.1
add address=172.19.19.0/24   dns-server=10.199.99.1 gateway=172.19.19.1

#######################################
# WAN Setup & DNS
#######################################

# WAN1: PPPoE (Static Public IP 200.xxx.xxx.xxx)
/interface pppoe-client
add ac-name=********** interface=ether1-WAN1 name=pppoe-WAN1 profile=default-encryption use-peer-dns=yes

# WAN2: DHCP MODEM (IP gateway 10.2.2.1, Dynamic Public IP 36.xxx.xxx.xxx - random)
/ip dhcp-client
add add-default-route=no interface=ether2-WAN2 use-peer-ntp=no

/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3,8.8.8.8,8.8.4.4

/ip dns static
add address=10.199.99.XX name=unifi


#######################################     
# Interface List
#######################################

/interface list
add name=VLANs
add name=BASEs
add name=WANs
add name=LANs
add name=VLANs_to_WAN1
add name=VLANs_to_WAN2
add name=VLANs_DEVICES
add name=VLANs_GUEST

/interface list member
add list=WANs interface=ether1-WAN1 disabled=yes
add list=WANs interface=pppoe-WAN1
add list=WANs interface=ether2-WAN2
add list=LANs interface=BR-BACKBONE
add list=BASEs interface=VLAN_MGMT
add list=BASEs interface=VLAN_5
add list=VLANs_to_WAN1 interface=VLAN_5
add list=VLANs_to_WAN1 interface=VLAN_10
add list=VLANs_to_WAN1 interface=VLAN_100
add list=VLANs_to_WAN1 interface=VLAN_110
add list=VLANs_to_WAN1 interface=VLAN_200
add list=VLANs_to_WAN1 interface=VLAN_210
add list=VLANs_to_WAN2 interface=VLAN_MGMT
add list=VLANs_to_WAN1 interface=VLAN_20
add list=VLANs_to_WAN2 interface=VLAN_30
add list=VLANs_to_WAN2 interface=VLAN_120
add list=VLANs_to_WAN2 interface=VLAN_220
add list=VLANs_to_WAN2 interface=VLAN_345
add list=VLANs_to_WAN2 interface=VLAN_789
add list=VLANs_DEVICES interface=VLAN_1777
add list=VLANs_DEVICES interface=VLAN_1888
add list=VLANs_DEVICES interface=VLAN_1999
add list=VLANs_GUEST interface=VLAN_345
add list=VLANs_GUEST interface=VLAN_789


#######################################
# IP Firewall
#######################################
/ip firewall address-list
add list=VLANtoWAN1 address=10.199.155.0/24
add list=VLANtoWAN1 address=192.168.10.0/24
add list=VLANtoWAN1 address=192.168.100.0/24
add list=VLANtoWAN1 address=192.168.200.0/24
add list=VLANtoWAN1 address=192.168.110.0/24
add list=VLANtoWAN1 address=192.168.210.0/24
add list=VLANtoWAN2 address=10.199.99.0/25
add list=VLANtoWAN2 address=192.168.20.0/24
add list=VLANtoWAN2 address=192.168.30.0/24
add list=VLANtoWAN2 address=192.168.120.0/24
add list=VLANtoWAN2 address=192.168.220.0/24
add list=VLANtoWAN2 address=172.23.45.0/23
add list=VLANtoWAN2 address=172.27.89.0/23
add list=VLAN_DEVICES address=172.17.77.0/24
add list=VLAN_DEVICES address=172.18.88.0/24
add list=VLAN_DEVICES address=172.19.99.0/24
add list=LocalSubnet address=10.0.0.0/8
add list=LocalSubnet address=172.16.0.0/12
add list=LocalSubnet address=192.168.0.0/16
add list=Mikrotik address=159.148.147.0/24 comment="Mikrotik cloud"
add list=Mikrotik address=159.148.172.0/24 comment="Mikrotik cloud"
add list=DNS address=8.8.8.8
add list=DNS address=8.8.4.4
add list=DNS address=1.1.1.1
add list=DNS address=1.0.0.1
add list=DNS address=1.1.1.2
add list=DNS address=1.0.0.2
add list=DNS address=1.1.1.3
add list=DNS address=1.0.0.3

# NAT
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=pppoe-WAN1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2-WAN2
add action=redirect chain=dstnat dst-port=53 in-interface=all-vlan protocol=udp

# Firewall RAW
/ip firewall raw
add action=drop chain=prerouting src-address-list=Blacklist
add action=drop chain=prerouting src-address-list=Blacklisted
add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=udp src-address-type=!local
add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=tcp src-address-type=!local

# Firewall Filter
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes hw-offload=yes disabled=yes
add action=drop chain=forward comment="Port 139,445" connection-state="" dst-port="" log=yes log-prefix=Wanacry port=137,138,139,445,3389 protocol=tcp
add chain=input in-interface-list=VLANs_DEVICES action=drop
add chain=forward in-interface-list=VLANs_GUEST out-interface=all-vlan action=drop
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=accept connection-state=new in-interface-list=VLANs_to_WAN1 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add chain=forward action=accept connection-state=new in-interface-list=VLANs_to_WAN2 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=BASEs comment="Allow VLAN_MGMT Full Access"
add action=drop chain=forward connection-state=invalid 
add action=drop chain=input connection-state=invalid

# Mangle: most of it disabled
/ip firewall mangle
add action=accept chain=prerouting comment="Accept inter VLANs" dst-address-list=LocalSubnet in-interface=all-vlan
add action=mark-connection chain=input comment="INPUT: WAN1_conn" dst-address-type=!local in-interface=pppoe-WAN1 new-connection-mark=WAN1_conn passthrough=no src-address-list=!LocalSubnet disabled=yes
add action=mark-connection chain=input comment="INPUT: WAN2_conn" dst-address-type=!local in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=no src-address-list=!LocalSubnet disabled=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn dst-address-list=!LocalSubnet new-routing-mark=rtab-ISP1 passthrough=no disabled=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn dst-address-list=!LocalSubnet new-routing-mark=rtab-ISP2 passthrough=no disabled=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=rtab-ISP2 out-interface=ether2-WAN2 passthrough=no disabled=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=rtab-ISP1 out-interface=pppoe-WAN1 passthrough=no disabled=yes


#######################################
# ROUTING
#######################################
/routing table
add comment="to WAN1" disabled=no fib name=rtab-ISP1
add comment="to WAN2" disabled=no fib name=rtab-ISP2

/ip route
add comment="WAN1 (default rtab-ISP1)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-WAN1 pref-src="" routing-table=rtab-ISP1 scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN2 (default rtab-ISP2)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 pref-src="" routing-table=rtab-ISP2 scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN2 (backup main table)" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.2.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN1 (backup main table)" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10

/routing rule
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=10.199.99.0/25 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=pppoe-WAN1 src-address=10.199.155.0/24 table=rtab-ISP1
add action=lookup disabled=no dst-address=::/0 interface=pppoe-WAN1 src-address=192.168.10.0/24 table=rtab-ISP1
add action=lookup disabled=no dst-address=::/0 interface=pppoe-WAN1 src-address=192.168.100.0/24 table=rtab-ISP1
add action=lookup disabled=no dst-address=::/0 interface=pppoe-WAN1 src-address=192.168.110.0/24 table=rtab-ISP1
add action=lookup disabled=no dst-address=::/0 interface=pppoe-WAN1 src-address=192.168.200.0/24 table=rtab-ISP1
add action=lookup disabled=no dst-address=::/0 interface=pppoe-WAN1 src-address=192.168.210.0/24 table=rtab-ISP1
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=192.168.20.0/24 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=192.168.30.0/23 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=192.168.120.0/22 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=192.168.220.0/22 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.23.45.0/23 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.27.89.0/23 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.17.77.0/24 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.18.18.0/24 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.19.19.0/24 table=rtab-ISP2
add action=lookup-only-in-table disabled=yes dst-address=::/0 routing-mark=rtab-ISP2 src-address=172.16.0.0/12 table=rtab-ISP2
add action=lookup-only-in-table disabled=yes dst-address=::/0 routing-mark=rtab-ISP1 src-address=192.168.0.0/16 table=rtab-ISP1


#######################################
# Scheduler and Script
#######################################
/system scheduler
add interval=1d name=blacklisted_update on-event=\
    ":delay 360;\r\
    \n/system script run blacklisted" policy=\
    ftp,read,write,policy,test,password,sniff,romon start-time=startup

/system script
add dont-require-permissions=no name=blacklisted policy=\
    ftp,read,write,policy,test,password,sniff source=":log warning \"starting \
    Blacklisted update from joshaven.com\";\r\
    \n:delay 20;\r\
    \n:log warning \"downloading Blacklisted\";\r\
    \n:local hostScriptUrl \"https://joshaven.com/genlist.php/\?lists=spamhaus\
    ,dshield,bruteforce&prefix=add%20list=Blacklisted%20timeout=1d%20address=\
    \";\r\
    \n:local scriptName \"Blacklisted\";\r\
    \ndo {\r\
    \n /tool fetch mode=http url=\$hostScriptUrl dst-path=(\"./\".\$scriptName\
    );\r\
    \n :delay 20;\r\
    \n :if ([:len [/file find name=\$scriptName]] > 0) do={\r\
    \n  :log warning \"removing old Blacklisted list\";\r\
    \n  /ip firewall address-list remove [/ip firewall address-list find list=\
    Blacklisted];\r\
    \n  :log warning \"importing new Blacklisted list\";\r\
    \n  /system logging action set [/system logging action find name=memory] m\
    emory-stop-on-full=yes\r\
    \n  /import file-name=\$scriptName;\r\
    \n  /file remove \$scriptName;\r\
    \n  :log warning \"Blacklisted list imported\";\r\
    \n  /system logging action set [/system logging action find name=memory] m\
    emory-stop-on-full=no\r\
    \n } else={\r\
    \n  :log warning \"Blacklisted list not downloaded, script stopped\";\r\
    \n }\r\
    \n} on-error={\r\
    \n :log warning \"Blacklisted list download FAILED\";\r\
    \n}\
;"

    
#######################################
# Turn on VLAN mode
#######################################
/ip neighbor discovery-settings set discover-interface-list=BASEs
/tool mac-server mac-winbox set allowed-interface-list=BASEs
/tool mac-server set allowed-interface-list=BASEs

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR-BACKBONE ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=portBond_3-4]
set bridge=BR-BACKBONE ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5-backup]

/interface bridge set BR-BACKBONE vlan-filtering=yes




This configuration works for now, but it's not perfect. If I disable all the backup routes (distance=2), all VLANs get no internet. So it seems the routing rules do not store data in rtab-ISP1 or rtab-ISP2, only in the main table.

/ip route
#disable distance=2
add comment="WAN2 (backup main table)" distance=2 ... disabled=yes
add comment="WAN1 (backup main table)" distance=2 ... disabled=yes

Thank you
Last edited by Lokamaya on Sat Sep 17, 2022 5:26 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sat Sep 17, 2022 1:24 pm

Hi there, so let me understand this correctly.
The router connected to the internet is the CRS ?
The hex is behind the CRS and not connected directly to the internet.

If so, what is the purpose of the hEX? Do you need it to do routing or just switching?
 
Lokamaya
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sat Sep 17, 2022 3:44 pm

> Hi there, so let me understand this correctly.
> The router connected to the internet is the CRS ?

The hEX is connected to the internet.
The CRS is for internal switching.
 
Lokamaya
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sat Sep 17, 2022 3:45 pm

Here is the network layout. The CRS is the root bridge, connected to 2 CSS switches in other buildings over SFP+ ports in a ring topology.

I've tried connecting the internet directly to the CRS and making it the main router, but this device seems not suitable for routing and WAN (CPU load was high and I ran out of disk). So I added the hEX to this network.

[attachment: network-3.jpg]
Last edited by Lokamaya on Sun Sep 18, 2022 10:44 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sat Sep 17, 2022 4:06 pm

Awesome, now one needs to know the requirements or in your case how you expect to use the WAN connections.
For example.
a. wan1 primary and wan2 secondary
b. load balanced PCC
other less frequent options are
c. wan1 primary and wan2 secondary but some user, groups of users, or subnet should use WAN2
d. one school uses wan1 and one school uses wan2, with failover in case one of the wans goes down.
 
Lokamaya
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sat Sep 17, 2022 4:19 pm

> Awesome, now one needs to know the requirements or in your case how you expect to use the WAN connections.
> For example.
> a. wan1 primary and wan2 secondary
> b. load balanced PCC
> other less frequent options are
> c. wan1 primary and wan2 secondary but some user, groups of users, or subnet should use WAN2
> d. one school uses wan1 and one school uses wan2, with failover in case one of the wans goes down.

a. WAN1: classroom, teacher, staff, PCs/laptop, some server (computer stuff) (VLAN5, VLAN10, VLAN100, VLAN110, VLAN200, VLAN210).
b. WAN2: all students, most handphone devices, guests (VLAN20, VLAN30, VLAN120, VLAN220, VLAN345, VLAN789, VLAN_MGMT/99)

If WAN1 is down, WAN2 is the backup/failover, and vice versa.

Thank you
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS v7.5 Basic Question: /Routing/Rules  [SOLVED]

Sat Sep 17, 2022 8:46 pm

Sweet, have some time to look at the config....... (will add as I read through and will state done when finished looking at it).

Overview............
# 200+ = SENIOR HIGH SCHOOL - 192.168.100.0/24, 192.168.210.0/24 (teacher), 192.168.220.0/22 (student)
should that not be .200 ?

(1) Okay I am not sure what you are doing with the management interface..........?
Typically this is a vlan that only the Admin can access for the purposes of configuring all smart devices etc.
Therefore I do not understand why you are treating it like an untagged flow of traffic to the CRS switch.

a. It should be a VLAN trunked to the switch along with the other data vlans.
(i) for the purpose of assigning the IP address of all smart devices on the management vlan
(ii) potentially you want the admin VLAN to be accessible to you FROM a particular CRS SWITCH port. ( like to your desk )
(if one is the admin typically they don't necessarily have the hex on their desk but they may have one or two ethernet jacks at the wall or in my case a small managed switch at my desk so that I can quickly plug into any network from my PC, including the management network).

b. All to say is that I understand ether5-backup being a management only accessible port, but I would use this as a configuration port and an emergency access port OFF THE BRIDGE.
In other words with any complex setup that has a bridge, it's not hard for it to get frozen up during config changes.............. hence I now do my configs involving bridge changes from off the bridge.
In other words to be a viable backup, recommend taking it off the bridge..

What I mean is illustrated here: viewtopic.php?t=181718

(2) Thus the bridge port could look like............
/interface bridge port
add bridge=BR-BACKBONE interface=portBond_3-4 ingress-filtering=yes frame-types=admit-only-vlan-tagged


If so for an ether5 access just assign an IP address and add ether5 to the management interface list!
192.168.5.5.1/24
add interface=ether5-backup list=BASEs
add interface=VLAN_MGMT list=BASEs


(3) What I don't understand is why your vlan5 is included in BASEs ?? It's not a management vlan??
If you want access to it as the admin thats easy...... just use a forward chain rule.

add chain=forward action=accept in-interface-list=BASEs out-interface=vlan_5

(4) REMOVE MSTP from bridge config entry, keep RSTP as per default. Unless you have a specific reason to use it ???

(5) Lets look at interface bridge vlans, if you take the suggestion of running vlan99 as part of the trunk port, as you should. :-)
Then this also works
/interface bridge vlan
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4 vlan-ids=99,5,10,20,30,100,110,120,200,210,220,345,789,1777,1888,1999


By the way where your config really goes astray is the fact that you assign vlan99 as an access port to ether5 BUT THEN assign as a tagged port. (see below)
/interface bridge port
add bridge=BR-BACKBONE pvid=99 interface=ether5-backup

/interface bridge vlan
add bridge=BR-BACKBONE tagged=BR-BACKBONE,portBond_3-4,ether5-backup vlan-ids=99

It also appears you wanted to send every vlan to ether5, WHY? You just need the management vlan or the off bridge network?
a. you need to be able to reach your desk on management vlan from a CRS port etc...
b. then you have a firewall rule allowing access to all vlans one way.
add chain=forward action=accept in-interface-list=BASEs out-interface-list=VLANs

Oops you don't have all the vlans identified as members to your INTERFACE LIST entry ---> VLANs ??

(6) Lets fix your interface lists and firewall address list. USE of firewall address lists is BEST SUITED for when you have a few users in one subnet or across subnets or groups of users from within a subnet or across subnets or if combined with whole subnets. Use of Interface lists is BEST SUITED for usually TWO OR MORE WHOLE Subnets. The only exception is the management interface list which often contains only the single management vlan.

Therefore the firewall address lists entries, FOR WAN1, FOR WAN2 and DEVICES, is NOT required, and you can keep the interface list ones.
However looking at the two different entries for the same thing, I discovered that you have a discrepancy!
7 entries-WAN1 (interface list) VLAN 20 is mistakenly assigned to WAN1 in interface list for WAN1.
6 entries-WAN2 (interface list)
6 entries-WAN1 (firewall address list)
7 entries -WAN2 (firewall address list)

SOLUTION: Fix error on interface list, add then populate the interface list entry VLANs with the members..........

(7) SOURCE NAT RULE is not configured properly, first there is no such interface as all-vlan, it's bound to be a list anyway and I think you meant in-interface-list=VLANs
add action=redirect chain=dstnat dst-port=53 in-interface=all-vlan protocol=udp
Why only udp and not TCP??

(8) Raw rules are really not required, suggest just use drop all rule at end of input chain (and forward chain). aka remove.
add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=udp src-address-type=!local
add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=tcp src-address-type=!local


(9) Your firewall rules leave much to be desired NOT organized, incomplete and not efficient............. (put chains together....)

Suggest the following.....

/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=BASEs
add action=accept chain=input in-interface-list=VLANs dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=VLANs dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related ( disable if you need to mangle )
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add chain=forward action=accept in-interface-list=VLANs_to_WAN1 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add chain=forward action=accept in-interface-list=VLANs_to_WAN2 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat (disable if not doing port forwarding)
add action=drop chain=forward

***** ensure this is the last rule put in place at least after allowing management access, otherwise you will lock yourself out.

With the above rules in place all traffic is effectively blocked; typically no one blocks ports like you did with no specific direction. Don't see the value in these rules.
Have you seen this as an issue?
add action=drop chain=forward comment="Port 139,445" connection-state="" dst-port="" log=yes log-prefix=Wanacry port=137,138,139,445,3389 protocol=tcp ???

Assuming you're not running SMB servers, email servers or RDP servers etc..........
All school computers etc should be patched up for the latest concerns anyway, and that was in 2017..........

You would be far better off using some sort of service to stop users from accessing bad WANIPs out there vice rules no one else uses.
like these two..........
https://itexpertoncall.com/promotional/moab.html
OR
https://axiomcyber.com/shield/

(10) If, these three vlans do not go out the internet, in accordance with your firewall rules (not included in FOR WAN1, or FOR WAN2), why are they on the ROUTING RULES for WAN ACCESS????
# 1777 = Voice - 172.17.77.0/24
# 1888 = IoT - 172.18.88.0/24
# 1999 = CCTV - 172.19.99.0/24


add chain=forward action=accept connection-state=new in-interface-list=VLANs_to_WAN1 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"
add chain=forward action=accept connection-state=new in-interface-list=VLANs_to_WAN2 out-interface-list=WANs comment="Add VLANs internet access, exclude 1777,1888,1999"


add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.17.77.0/24 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.18.18.0/24 table=rtab-ISP2
add action=lookup disabled=no dst-address=::/0 interface=ether2-WAN2 src-address=172.19.19.0/24 table=rtab-ISP2

(11) ROUTES amended.......... (will assume above routing rules added in error). REMOVE ANY mangle rules............. not required as far as I can see.

/ip route
add comment="WAN1 (directed to WAN1 Table: rtab-ISP1)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-WAN1 pref-src="" routing-table=rtab-ISP1 scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN2 (directed to WAN2 Table: rtab-ISP2)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 pref-src="" routing-table=rtab-ISP2 scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN2 (main table available WAN2)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
add comment="WAN1 (main table available WAN1)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
....................
/routing rule
add action=lookup disabled=no  src-address=10.199.155.0/24 table=rtab-ISP1  comment=Streaming-VLAN_5
add action=lookup disabled=no src-address=192.168.10.0/24 table=rtab-ISP1  comment=Office-VLAN_10
add action=lookup disabled=no src-address=192.168.100.0/24 table=rtab-ISP1  comment=JH-VLAN_100
add action=lookup disabled=no  src-address=192.168.110.0/24 table=rtab-ISP1  comment=JH-Teacher-VLAN_110
add action=lookup disabled=no src-address=192.168.200.0/24 table=rtab-ISP1  comment=SH-VLAN_200
add action=lookup disabled=no  src-address=192.168.210.0/24 table=rtab-ISP1 comment=SH-Teacher-VLAN_210
add action=lookup disabled=no src-address=10.199.99.0/25 table=rtab-ISP2  comment=Management-VLAN_99
add action=lookup disabled=no src-address=192.168.20.0/24 table=rtab-ISP2  comment=Office-VLAN_20
add action=lookup disabled=no src-address=192.168.30.0/23 table=rtab-ISP2  comment=Office-VLAN_30
add action=lookup disabled=no  src-address=192.168.120.0/22 table=rtab-ISP2  comment=JH-Student-VLAN_120
add action=lookup disabled=no  src-address=192.168.220.0/22 table=rtab-ISP2  comment=SH-Student-VLAN_220
add action=lookup disabled=no src-address=172.23.45.0/23 table=rtab-ISP2  comment=Guest-Office-VLAN_345
add action=lookup disabled=no src-address=172.27.89.0/23 table=rtab-ISP2  comment=Guest-School-VLAN_789
 
anav

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sat Sep 17, 2022 9:39 pm

If you were doing this recursively, I THINK, not 100% certain, it could look like this for IP routes:

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 comment="WAN1 primary default, resolved recursively via 1.0.0.1"
add distance=2 dst-address=1.0.0.1/32 gateway=pppoe-WAN1 scope=11 target-scope=11 comment="1.0.0.1 is reachable only via WAN1, so the ping tests that path"
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment="WAN2 backup default, resolved recursively via 9.9.9.9"
add distance=2 dst-address=9.9.9.9/32 gateway=10.2.2.1 scope=11 target-scope=11 comment="9.9.9.9 is reachable only via WAN2, so the ping tests that path"
add distance=2 dst-address=0.0.0.0/0 gateway=pppoe-WAN1 routing-table=rtab-ISP1
add distance=2 dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-table=rtab-ISP2

In this version, the router checks to see if WAN1 is available through the DNS server from Cloudflare
and checks to see if WAN2 is available through Quad9.

This is done typically because it does happen that the gateway and the ISP are available from the ROUTER side, but the ISP is having issues and is not connected itself to the WWW.
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 2:19 am

> Sweet, have some time to look at the config....... (will add as I read through and will state done when finished looking at it).

Amazing. I have to look into your suggestions line by line. I'll be back soon.
Thank you
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 3:22 am

I've been locked out from the RB several times... tbh :shock:
 
anav

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 5:36 am

That is why I highly recommend configuring the router off bridge!
viewtopic.php?t=181718
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 5:42 am

PART 01

> # 200+ = SENIOR HIGH SCHOOL - 192.168.100.0/24, 192.168.210.0/24 (teacher), 192.168.220.0/22 (student)
> should that not be .200 ?

Typo. You are right, it should be 200.

> (1) Okay I am not sure what you are doing with the management interface..........?
> Typically this is a vlan that only the Admin can access for the purposes of configuring all smart devices etc.
> Therefore I do not understand why you are treating it like an untagged flow of traffic to the CRS switch.
>
> a. It should be a VLAN trunked to the switch along with the other data vlans.
> (i) for the purpose of assigning the IP address of all smart devices on the management vlan
> (ii) potentially you want the admin VLAN to be accessible to you FROM a particular CRS SWITCH port. ( like to your desk )
> (if one is the admin typically they don't necessarily have the hex on their desk but they may have one or two ethernet jacks at the wall or in my case a small managed switch at my desk so that I can quickly plug into any network from my PC, including the management network).

:) :) this is what I've got so far: the first VLAN setup, the first bonding setup, the first SwitchOS setup. I've been familiar with Unifi for several years and Mikrotik for 2 years. Only familiar, not a network veteran. As a teacher, we love learning.

> B. All to say is that I understand ether5-backup being a management only accessible port, but I would use this as a configuration port and an emergency access port OFF THE BRIDGE.

Ether5-backup was used as the main port to the CRS before I found that 802.3ad (LACP) was the most suitable for portBond_3-4. I've tried several other modes and use ether5 as a backup (if something bad happens). As per your suggestion, I'll convert it to emergency access.

> (3) What I don't understand is why your vlan5 is included in BASEs ?? It's not a management vlan??
> If you want access to it as the admin that's easy...... just use a forward chain rule.

I've not managed to make vlan99 work on a UniFi SSID (I get no IP address when I choose vlan99 as the network for the access point). Sometimes I need access (i.e. to the Unifi Controller) while I'm out of the office or walking around another building, so I set up a hidden SSID using vlan5. Until I've managed a proper configuration between CRS -> EdgeSwitch -> Unifi Controller, I use vlan5 as a backup to access the devices.

> (4) REMOVE MSTP from bridge config entry, keep RSTP as per default. Unless you have a specific reason to use it ???

I have no specific reason. I read somewhere that MSTP has backward compatibility with RSTP, and the EdgeSwitch also supports MSTP.


(to be continued)
 
anav

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 6:09 am

For UNIFI, they are a strange breed and by default expect the management vlan to be untagged and the data vlans tagged, vice all tagged.
In other words they require a hybrid port coming into the unifi vice the more standard trunk port.

So whatever switches you have directly connected to the UNIFI,
the port to any unifi AP will have to be hybrid: vlan99 untagged on the port and any other vlans tagged on the port.
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 7:53 am

PART 02

> Oops you don't have all the vlans identified as members to your INTERFACE LIST entry ---> VLANs ??
>
> (6) Lets fix your interface lists and firewall address list. USE of firewall address lists is BEST SUITED for when you have a few users in one subnet or across subnets or groups of users from within a subnet or across subnets or if combined with whole subnets. Use of Interface lists is BEST SUITED for usually TWO OR MORE WHOLE Subnets. The only exception is the management interface list which often contains only the single management vlan.
>
> Therefore the firewall address list entries, FOR WAN1, FOR WAN2 and DEVICES, are NOT required, and you can keep the interface list ones.
> However, looking at the two different entries for the same thing, I discovered that you have a discrepancy!
> 7 entries - WAN1 (interface list): VLAN 20 is mistakenly assigned to WAN1 in the interface list for WAN1.
> 6 entries - WAN2 (interface list)
> 6 entries - WAN1 (firewall address list)
> 7 entries - WAN2 (firewall address list)
>
> SOLUTION: Fix error on interface list, add then populate the interface list entry VLANs with the members..........

Here is the fix for point 6: interface list and address list (vlan1777, 1888, 1999 added to VLANs but disabled)

/interface list
add name=VLANs
add name=BASEs
add name=WANs
add name=LANs
add name=VLANs_to_WAN1
add name=VLANs_to_WAN2
add name=VLANs_DEVICES
add name=VLANs_GUEST

/interface list member
add list=WANs interface=ether1-WAN1 disabled=yes
add list=WANs interface=pppoe-WAN1
add list=WANs interface=ether2-WAN2
add list=LANs interface=BR-BACKBONE
add list=BASEs interface=VLAN_MGMT
add list=BASEs interface=VLAN_5
add list=VLANs interface=VLAN_MGMT
add list=VLANs interface=VLAN_5
add list=VLANs interface=VLAN_10
add list=VLANs interface=VLAN_20
add list=VLANs interface=VLAN_30
add list=VLANs interface=VLAN_100
add list=VLANs interface=VLAN_110
add list=VLANs interface=VLAN_120
add list=VLANs interface=VLAN_200
add list=VLANs interface=VLAN_210
add list=VLANs interface=VLAN_220
add list=VLANs interface=VLAN_345
add list=VLANs interface=VLAN_789
add list=VLANs interface=VLAN_1777 disabled=yes
add list=VLANs interface=VLAN_1888 disabled=yes
add list=VLANs interface=VLAN_1999 disabled=yes
add list=VLANs_to_WAN1 interface=VLAN_5
add list=VLANs_to_WAN1 interface=VLAN_10
add list=VLANs_to_WAN1 interface=VLAN_100
add list=VLANs_to_WAN1 interface=VLAN_110
add list=VLANs_to_WAN1 interface=VLAN_200
add list=VLANs_to_WAN1 interface=VLAN_210
add list=VLANs_to_WAN2 interface=VLAN_MGMT
add list=VLANs_to_WAN2 interface=VLAN_20
add list=VLANs_to_WAN2 interface=VLAN_30
add list=VLANs_to_WAN2 interface=VLAN_120
add list=VLANs_to_WAN2 interface=VLAN_220
add list=VLANs_to_WAN2 interface=VLAN_345
add list=VLANs_to_WAN2 interface=VLAN_789
add list=VLANs_DEVICES interface=VLAN_1777
add list=VLANs_DEVICES interface=VLAN_1888
add list=VLANs_DEVICES interface=VLAN_1999
add list=VLANs_GUEST interface=VLAN_345
add list=VLANs_GUEST interface=VLAN_789

/ip firewall address-list
add list=VLANtoWAN1 address=10.199.155.0/24
add list=VLANtoWAN1 address=192.168.10.0/24
add list=VLANtoWAN1 address=192.168.100.0/24
add list=VLANtoWAN1 address=192.168.200.0/24
add list=VLANtoWAN1 address=192.168.110.0/24
add list=VLANtoWAN1 address=192.168.210.0/24
add list=VLANtoWAN2 address=10.199.99.0/25
add list=VLANtoWAN2 address=192.168.20.0/24
add list=VLANtoWAN2 address=192.168.30.0/24
add list=VLANtoWAN2 address=192.168.120.0/24
add list=VLANtoWAN2 address=192.168.220.0/24
add list=VLANtoWAN2 address=172.23.45.0/23
add list=VLANtoWAN2 address=172.27.89.0/23
add list=VLAN_DEVICES address=172.17.77.0/24
add list=VLAN_DEVICES address=172.18.88.0/24
add list=VLAN_DEVICES address=172.19.99.0/24
add list=LocalSubnet address=10.0.0.0/8
add list=LocalSubnet address=172.16.0.0/12
add list=LocalSubnet address=192.168.0.0/16
add list=Mikrotik address=159.148.147.0/24 comment="Mikrotik cloud"
add list=Mikrotik address=159.148.172.0/24 comment="Mikrotik cloud"
add list=DNS address=8.8.8.8
add list=DNS address=8.8.4.4
add list=DNS address=1.1.1.1
add list=DNS address=1.0.0.1
add list=DNS address=1.1.1.2
add list=DNS address=1.0.0.2
add list=DNS address=1.1.1.3
add list=DNS address=1.0.0.3

Thank you
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 10:36 am

PART 03

> (7) SOURCE NAT RULE is not configured properly; first, there is no such interface as all-vlan, it's bound to be a list anyway and I think you meant in-interface-list=VLANs
> add action=redirect chain=dstnat dst-port=53 in-interface=all-vlan protocol=udp
> Why only udp and not TCP??

Done

> (8) Raw rules are really not required, suggest just use drop all rule at end of input chain (and forward chain). aka remove.
> add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=udp src-address-type=!local
> add action=drop chain=prerouting dst-port=53 in-interface-list=WANs port="" protocol=tcp src-address-type=!local

Done

> (9) Your firewall rules leave much to be desired: NOT organized, incomplete and not efficient............. (put chains together....)
>
> Suggest the following.....
>
> With the above rules in place all traffic is effectively blocked; typically no one blocks ports like you did with no specific direction. Don't see the value in these rules.
> Have you seen this as an issue?
> add action=drop chain=forward comment="Port 139,445" connection-state="" dst-port="" log=yes log-prefix=Wanacry port=137,138,139,445,3389 protocol=tcp ???

Done. The firewall filter now looks slick and consistent.
Never had any issue with the wanacry worm.

> (10) If, these three vlans do not go out the internet, in accordance with your firewall rules (not included in FOR WAN1, or FOR WAN2), why are they on the ROUTING RULES for WAN ACCESS????
> # 1777 = Voice - 172.17.77.0/24
> # 1888 = IoT - 172.18.88.0/24
> # 1999 = CCTV - 172.19.99.0/24

Done

> (11) ROUTES amended.......... (will assume above routing rules added in error). REMOVE ANY mangle rules............. not required as far as I can see.

Done
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 18, 2022 10:43 am

My hEX is running flawlessly right now.
Thank you Anav for your time. Bless you, keep happy and healthy.

I'll leave the Unifi thing for another day....
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Mon Sep 19, 2022 12:53 pm

TRIVIA: RouterOS 7.5

1. I moved one Unifi AP to a different subnet (192.168.10.10, vlan10) and tried to adopt it from the Unifi Controller (10.199.99.10, vlan99) but failed;
2. Trying to ping the AP (192.168.10.10) from my PC (10.199.99.30, vlan99) also failed -> Request timed out;
3. Trying to ping the AP (192.168.10.10) from RouterOS (10.199.99.1, vlan99) -> Succeeded;
4. Added a firewall filter to give vlan99 full access to the other vlans, still failed -> Request timed out;
5. Fasttrack disabled, then added NAT to the Unifi Controller (10.199.99.10, vlan99), still failed -> Request timed out;
6. Added NAT to the AP (192.168.10.10, vlan10), still failed -> Request timed out;
7. NATs deleted... looking for other options;
8. Trying to add /IP/Route/ in both directions, still failed, route list removed -> Request timed out;
9. Looking into /Routing/Rules/ print:
   ...
   ;;; VLAN_99: MGMT
   src-address=10.199.99.0/25 action=lookup table=rtab-ISP2
   ;;; VLAN_10: Office-1
   src-address=192.168.10.0/24 action=lookup table=rtab-ISP1
   ...
10. Trying to add a new rule -> Request timed out;
   /routing rule
   add action=lookup disabled=no src-address=10.199.99.0/25 dst-address=192.168.10.0/24 table=main comment=Local-Routes
11. Adding a new rule -> Succeeded;
   /routing rule
   add action=lookup disabled=no src-address=192.168.10.0/24 dst-address=10.199.99.0/25 table=main comment=Local-Routes

So, because the routing table moved to rtab-ISP1 or rtab-ISP2, I need to manually add a specific src-address and dst-address with the same routing table (main) in both directions. Is this the right way in RoS v7 to achieve this? Maybe we would not have this problem if we only had a single WAN, but with dual WAN and a changing routing table?

This solves the problem:
/routing rule
add action=lookup disabled=no  src-address=10.199.99.0/25 dst-address=192.168.10.0/24 table=main comment=Local-Routes
add action=lookup disabled=no  src-address=192.168.10.0/24 dst-address=10.199.99.0/25 table=main comment=Local-Routes

Thank you
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Mon Sep 19, 2022 1:22 pm

I even cannot ping from any subnet to its own gateway:
  • ping 192.168.20.1 -> request timed out (from 192.168.20.x)
  • ping 192.168.30.1 -> request timed out (from 192.168.30.x)

So here is the simplest solution, with 3 lines of code:
/routing/rule/
add dst-address=10.0.0.0/8     action=lookup-only-in-table table=main comment=SUBNET
add dst-address=172.16.0.0/12  action=lookup-only-in-table table=main comment=SUBNET
add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main comment=SUBNET

Place it above the rest.
Also watch your firewall filter!
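A small Python model of the rule-by-rule table selection this post and the earlier "TRIVIA" post describe, added here as an example (it is not Lokamaya's or RouterOS code). It assumes that only main holds the connected VLAN routes while rtab-ISP1 and rtab-ISP2 hold just a default route, that a lookup rule falls through to the next rule when its table has no matching route while lookup-only-in-table does not, and the subnets and gateways are constructed from the thread.

```python
import ipaddress

# Constructed from the thread: connected VLAN routes exist only in main;
# the per-ISP tables carry nothing but a default route.
TABLES = {
    "main": [
        ("10.199.99.0/25", "VLAN_MGMT"),
        ("192.168.10.0/24", "VLAN_10"),
        ("192.168.20.0/24", "VLAN_20"),
        ("0.0.0.0/0", "pppoe-WAN1"),
    ],
    "rtab-ISP1": [("0.0.0.0/0", "pppoe-WAN1")],
    "rtab-ISP2": [("0.0.0.0/0", "10.2.2.1")],
}

# The per-VLAN policy rules from the thread (order matters, as anav notes).
PBR_RULES = [
    {"src": "10.199.99.0/25", "action": "lookup", "table": "rtab-ISP2"},
    {"src": "192.168.10.0/24", "action": "lookup", "table": "rtab-ISP1"},
    {"src": "192.168.20.0/24", "action": "lookup", "table": "rtab-ISP2"},
]

# The three-line fix: private destinations are resolved in main only,
# and these rules must sit above the PBR rules.
LOCAL_FIRST = [
    {"dst": p, "action": "lookup-only-in-table", "table": "main"}
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def lookup(table, dst):
    """Longest-prefix match of dst in one table; None when nothing matches."""
    best = None
    for prefix, gateway in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def resolve(src, dst, rules):
    """Walk the rules in order and return (table, gateway) for a src->dst packet.

    Assumed semantics: a matching 'lookup' rule whose table has no route falls
    through to the next rule; 'lookup-only-in-table' never falls through and
    yields (table, None), i.e. the packet is not routed. With no rule match the
    packet is resolved in main.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if "src" in rule and src not in ipaddress.ip_network(rule["src"]):
            continue
        if "dst" in rule and dst not in ipaddress.ip_network(rule["dst"]):
            continue
        gateway = lookup(rule["table"], dst)
        if gateway is not None or rule["action"] == "lookup-only-in-table":
            return rule["table"], gateway
    return "main", lookup("main", dst)


if __name__ == "__main__":
    # PC on vlan99 pinging the AP on vlan10: with the PBR rules alone the packet
    # is handed to rtab-ISP2 and leaves via WAN2, which is the timeout seen.
    print(resolve("10.199.99.30", "192.168.10.10", PBR_RULES))
    # With the SUBNET rules placed above, it is delivered on VLAN_10.
    print(resolve("10.199.99.30", "192.168.10.10", LOCAL_FIRST + PBR_RULES))
    # Internet traffic still follows the per-VLAN ISP choice.
    print(resolve("192.168.10.10", "8.8.8.8", LOCAL_FIRST + PBR_RULES))
```

Reversing the order (PBR rules first, SUBNET rules after) reproduces the timeout again, which is why the post says to place the three rules above the rest.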
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Mon Sep 19, 2022 2:07 pm

I guess these are both the same: src-address==interface (interface===in-interface, but be careful because src-address!==interface).
There is no out-interface, only in-interface.

(screenshot: Capture.JPG)

If we could write a script like this, there would be no confusion about where to look for the routing table:

/routing/rule/
add src-address=10.199.99.0/25 dst-address=0.0.0.0/0 out-interface=pppoe-WAN1 action=lookup table=rtab-ISP1 disabled=no comment=To-WAN1

Maybe in a future version of RoS.

Thank you
 
anav

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Mon Sep 19, 2022 4:06 pm

Not sure what you are getting at but
a. order in routing rules is important
b. the table you reference is what should decide which wan is being used..........
c. the inner selections ( of src, dest, mark) decide which traffic is going out the table.
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Tue Sep 20, 2022 11:46 am

I'm also not so sure. Back to mangle for the live RB.
 
anav

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Tue Sep 20, 2022 1:57 pm

So everything works except the UNIFI??
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Tue Sep 20, 2022 5:43 pm

> So everything works except the UNIFI??

Just finished the EdgeSwitch configuration, and had to dig deep into the legacy interface to change the trunk port from 1 to 99.
Maybe this would be helpful for anyone: Switches > VLAN > Port Summary.

Or, using CLI here https://help.ui.com/hc/en-us/articles/1 ... uting-Mode
 
Lokamaya

Re: RouterOS v7.5 Basic Question: /Routing/Rules

Sun Sep 25, 2022 10:00 pm

I'll post my findings in another thread.

Thanks
