jamie398
just joined
Topic Author
Posts: 13
Joined: Sat Mar 25, 2017 10:39 pm

Dual Wan Marking Connections with VLAN

Fri Sep 23, 2022 10:28 pm

Hi, I'm reasonably new to MikroTik. I have an RB2011 that will only ever have two WANs at a time. I want to connect some UniFi APs and VLAN tag the traffic, but with VLAN 20 going out of WAN2 (Starlink in bypass mode). WAN1 needs to be a DHCP client, as I would not be in control of the IPs on that side. This is my attempt and it does kinda work, but I'm looking for some advice on best practices, or if I have missed something, or general advice. Also, there is a device connected to ETH10 that always routes via Starlink.
# sep/23/2022 20:11:43 by RouterOS 7.4
# software id = QX7H-822A
#
# model = RB2011UiAS
/interface bridge
add admin-mac=08:55:31:4F:0F:09 auto-mac=no comment=defconf name=\
    "Starlink Bridge"
add admin-mac=08:55:31:4F:0F:09 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=08:55:31:4F:0F:08 name=WAN1
set [ find default-name=ether2 ] mac-address=08:55:31:4F:0F:09 name=\
    WAN2_STARLINK
set [ find default-name=sfp1 ] disabled=yes mac-address=08:55:31:4F:0F:07 \
    name=WAN3_SFP
set [ find default-name=ether3 ] mac-address=08:55:31:4F:0F:0A
set [ find default-name=ether4 ] mac-address=08:55:31:4F:0F:0B
set [ find default-name=ether5 ] mac-address=08:55:31:4F:0F:0C
set [ find default-name=ether6 ] mac-address=08:55:31:4F:0F:0D
set [ find default-name=ether7 ] mac-address=08:55:31:4F:0F:0E
set [ find default-name=ether8 ] mac-address=08:55:31:4F:0F:0F
set [ find default-name=ether9 ] mac-address=08:55:31:4F:0F:10
set [ find default-name=ether10 ] mac-address=08:55:31:4F:0F:11 poe-out=off
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan60 vlan-id=60
add interface=bridge name=vlan80 vlan-id=80
add interface=bridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.10.0.100-10.10.100.100
add name=vlan40_pool ranges=10.40.40.20-10.40.255.250
add name=vlan60_pool ranges=10.60.60.20-10.60.255.250
add name=vlan80_pool ranges=10.80.80.20-10.80.255.250
add name=vlan20_pool ranges=10.20.20.20-10.20.255.250
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
add address-pool=vlan40_pool interface=vlan40 lease-time=1d name=vlan40_dhcp
add address-pool=vlan60_pool interface=vlan60 lease-time=1d name=vlan60_dhcp
add address-pool=vlan80_pool interface=vlan80 lease-time=1d name=vlan80_dhcp
add address-pool=vlan20_pool interface="Starlink Bridge" lease-time=1d name=\
    vlan20_dhcp
/port
set 0 baud-rate=115200 name=serial0
/queue simple
add max-limit=20M/20M name="VLAN 80" target=10.80.0.0/16
add max-limit=10M/10M name="VLAN 60" target=10.60.0.0/16
add max-limit=10M/10M name="VLAN40" target=10.40.0.0/16

/queue type
add kind=pcq name=vlan40-pcq pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=Download pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-rate=2M pcq-src-address6-mask=64
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=ToStarlink
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=*C
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge="Starlink Bridge" interface=ether10
add bridge="Starlink Bridge" interface=vlan20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2_STARLINK list=WAN
add interface=WAN3_SFP list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.10.0.1/16 comment=defconf interface=bridge network=10.10.0.0
add address=10.40.0.1/16 interface=vlan40 network=10.40.0.0
add address=10.60.0.1/16 interface=vlan60 network=10.60.0.0
add address=10.80.0.1/16 interface=vlan80 network=10.80.0.0
add address=10.20.0.1/16 interface=vlan20 network=10.20.0.0
add address=100.94.216.66/10 disabled=yes interface=WAN2_STARLINK network=\
    100.64.0.0
/ip dhcp-client
add comment="WAN1_DHCP Client" interface=WAN1
add comment="WAN2_DHCP Client" default-route-distance=2 interface=\
    WAN2_STARLINK
add comment="WAN3 SFP_DHCP Client" interface=WAN3_SFP

/ip dhcp-server network
add address=10.10.0.0/16 comment=defconf dns-server=10.10.0.1 gateway=\
    10.10.0.1 netmask=16
add address=10.20.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
    gateway=10.20.0.1
add address=10.40.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
    gateway=10.40.0.1
add address=10.60.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
    gateway=10.60.0.1
add address=10.80.0.0/16 comment="Google DNS" dns-server=8.8.8.8,8.8.4.4 \
    gateway=10.80.0.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=30m
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
    "Block UDP on port 80 for Starlink to load full web pages correctly." \
    dst-port=80 out-interface=WAN2_STARLINK protocol=udp
add action=drop chain=forward comment=\
    "Block UDP on port 80 for Starlink to load full web pages correctly." \
    dst-port=443 out-interface=WAN2_STARLINK protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=80 protocol=tcp

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=ToStarlink \
    passthrough=yes src-address=10.20.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="Static Route To Starlink" disabled=no \
    distance=1 dst-address=0.0.0.0/0 gateway=100.64.0.1 pref-src=0.0.0.0 \
    routing-table=ToStarlink suppress-hw-offload=no
/lcd interface pages
set 0 interfaces="WAN3_SFP,WAN1,WAN2_STARLINK,ether3,ether4,ether5,ether6,ethe\
    r7,ether8,ether9,ether10"
/system clock
set time-zone-name=Europe/London
/system identity
set name="MikroTik"
/system ntp client
set mode=broadcast

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dual Wan Marking Connections with VLAN

Fri Sep 23, 2022 10:36 pm

This is the basic VPN guidance. - See Para C first link: viewtopic.php?t=182373

Understand that Starlink, even in bypass mode, doesn't give you a true public IP; it's CG-NAT, which should be illegal (so to me it's about as useful as a private IP),
and that your WAN1 ISP modem gives you a public IP.

By the way, for the new way of bridge VLAN filtering, it's
one bridge, all subnets as VLANs with interface the bridge, bridge does no heavy DHCP lifting.
VLANs get IP pool, IP address, DHCP server, DHCP server network.

Assign /interface bridge ports and /interface bridge vlans and then apply firewall routes to match.
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Dual Wan Marking Connections with VLAN

Sun Sep 25, 2022 6:55 pm

If you want traffic to flow out a second interface...

You have to mark the packets as they come in on that interface.
You need to mark the packets you want to use that interface.
Then you need an output rule for those packets.
Then you need a route with those marks.

This also assumes you have the basics done already.
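The four steps listed above, written out as a RouterOS 7 fragment. This is an added example, not config from either poster; it reuses the interface name WAN2_STARLINK, the routing table ToStarlink, the VLAN 20 subnet and the 100.64.0.1 gateway from the export above, and the connection mark name starlink_conn is my own choice.

```routeros
# Assumed to exist already (it does in the export above)
/routing table
add fib name=ToStarlink

/ip firewall mangle
# Step 1: connections that arrive on the Starlink WAN get a connection mark,
# so every later packet of that connection can be recognised
add chain=input in-interface=WAN2_STARLINK connection-state=new \
    action=mark-connection new-connection-mark=starlink_conn passthrough=yes

# Step 2: LAN traffic that should use Starlink gets the routing mark.
# Destinations inside 10.0.0.0/8 (the other VLANs) are excluded so
# inter-VLAN traffic keeps resolving in the main table.
add chain=prerouting src-address=10.20.0.0/16 dst-address=!10.0.0.0/8 \
    action=mark-routing new-routing-mark=ToStarlink passthrough=no

# Step 3: output rule, so the router's own replies to connections that
# came in via Starlink leave via Starlink instead of WAN1
add chain=output connection-mark=starlink_conn \
    action=mark-routing new-routing-mark=ToStarlink passthrough=no

# Step 4: a default route that only the marked packets will use
/ip route
add dst-address=0.0.0.0/0 gateway=100.64.0.1 routing-table=ToStarlink \
    check-gateway=ping distance=1
```

Note that the export above has the "drop all not coming from LAN" input rule disabled and accepts TCP/80 on input from any interface, so the router's web UI is reachable from both WANs; restricting that accept rule with in-interface-list=LAN (or re-enabling the defconf drop rule) closes that.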
 
jamie398
just joined
Topic Author
Posts: 13
Joined: Sat Mar 25, 2017 10:39 pm

Re: Dual Wan Marking Connections with VLAN

Sun Sep 25, 2022 10:31 pm

gotsprings wrote:
If you want traffic to flow out a second interface...

You have to mark the packets as they come in on that interface.
You need to mark the packets you want to use that interface.
Then you need an output rule for those packets.
Then you need a route with those marks.

This also assumes you have the basics done already.

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=ToStarlink \
    passthrough=yes src-address=10.20.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="Static Route To Starlink" disabled=no \
    distance=1 dst-address=0.0.0.0/0 gateway=100.64.0.1 pref-src=0.0.0.0 \
    routing-table=ToStarlink suppress-hw-offload=no

Is this not correct then?
 
jamie398
just joined
Topic Author
Posts: 13
Joined: Sat Mar 25, 2017 10:39 pm

Re: Dual Wan Marking Connections with VLAN

Sun Sep 25, 2022 10:33 pm

anav wrote:
By the way, for the new way of bridge VLAN filtering, it's
one bridge, all subnets as VLANs with interface the bridge, bridge does no heavy DHCP lifting.
VLANs get IP pool, IP address, DHCP server, DHCP server network.

Assign /interface bridge ports and /interface bridge vlans and then apply firewall routes to match.

Thanks, I will change this.
