> Question: How can I identify specific clients (static IPs) to ALWAYS follow the less preferable default route of direct out of the WAN regardless if the L2TP is up or not.

The question is whether you really need some clients to send packets to a given destination via the L2TP tunnel and some other clients to send them to the very same destination using the usual gateway or Eth1 instead. If yes, you do need the mangle rule as you have found out. If you just need an exception from the default route for that destination, for any client, just add a dedicated route there to the routing table, as a route with a more precisely defined dst-address (longer prefix, i.e. mask with more 1 bits) always beats a route with a less precisely defined dst-address (shorter prefix, i.e. mask with fewer 1 bits).
> It seems that with this in place, everything 'routes' like it's supposed to, but if I run a traceroute it goes out the correct interface but never passes the next hop (which I think is the ISP gateway - but that's a guess).
>
> Am I going about this the right way? Or am I missing something to do with the way the pre-routing mangle and the routing process is working when I specify the Eth1 as the gateway?

From where do you traceroute? From the client or from the Mikrotik?
> So I think anav pointed out the minor flaw in my plan - if I point the mark-routing static route at the ISP gateway via the ISP gateway IP address then everything works (thanks anav!!)

It wasn't clear to me from the wording that "gateway of Eth1" means "Eth1 as route's gateway".
> I was originally routing the static route at the Eth1 interface, on the understanding that the IP address at the other end might be dynamic. I don't suppose there's some smart way to say 'via whatever the gateway address is on Eth1' from another static route?

There is but it seems that Mikrotik doesn't use it. It is called ICMP router discovery. This is what permits most linux machines to set an interface as a gateway of a route. In Mikrotik, you can use the interface as a gateway of a route only on point-to-point links such as tunnels.
@anav,

First step marks new connections for those source LAN IP addresses.
Second step route marks them.
and then make the necessary route rule........
Maybe this two-step is unnecessary but maybe more efficient??
> Follow up question Sindy. As I understand it, as soon as I touch policy based routing with a mark-routing mangle rule, I can't use the fasttrack feature (hence I have that default firewall rule disabled).
>
> Is there any way I can still leverage fasttrack for the non-marked packets or am I just stuck with CPU handling of every packet to match the mangle rule on the prerouting?

Sure there is. But to do that, it is not sufficient to use only routing marks, you have to use connection marking. And once you do, it is best to base routing marking on connection marking as well.
/ip firewall mangle
add chain=prerouting connection-state=established,related connection-mark=no-mark action=accept # if a mid-connection packet has no connection mark, it needs the default handling
add chain=prerouting connection-state=established,related in-interface=your-wan action=accept # download packets MUST NOT be routing-marked
add chain=prerouting connection-mark=handling-A action=mark-routing new-routing-mark=handling-A # passthrough=no is a default behaviour but you can state it explicitly
add chain=prerouting connection-mark=handling-B action=mark-routing new-routing-mark=handling-B # same like above
#only initial packets of connections (plus some garbage) get here past the rules above
add chain=prerouting ...list of classifying match conditions for handling A... connection-state=new action=mark-connection new-connection-mark=handling-A passthrough=yes
add chain=prerouting ...list of classifying match conditions for handling B... connection-mark=no-mark connection-state=new action=mark-connection new-connection-mark=handling-B passthrough=yes
#initial packets of connections which evaded both the rules above get here with no connection mark; we just repeat the mark-routing rules above
add chain=prerouting connection-state=established,related in-interface=your-wan action=accept # download packets MUST NOT be routing-marked
add chain=prerouting connection-mark=handling-A action=mark-routing new-routing-mark=handling-A
add chain=prerouting connection-mark=handling-B action=mark-routing new-routing-mark=handling-B
/ip firewall mangle
add action=accept chain=prerouting comment="Process mid-connection with no connection mark" connection-mark=no-mark connection-state=established,related
add action=mark-routing chain=prerouting comment="MarkRouting BypassVPN Early" connection-mark=Bypass-VPNconn new-routing-mark=BYPASSVPNroute passthrough=no
add action=mark-connection chain=prerouting comment="Connection-Mark for Clients Bypassing the VPN" connection-state=new new-connection-mark=Bypass-VPNconn passthrough=yes src-address=192.168.118.132
add action=mark-routing chain=prerouting comment="MarkRouting BypassVPN Late" connection-mark=Bypass-VPNconn new-routing-mark=BYPASSVPNroute passthrough=no
> So my interpretation is that any new connections from 192.168.113.132 will get a new connection mark which in turn will become a new routing mark. However, for some reason when I run like this, that client works for some sites and then fails on others. If I change it back to a simple mark-routing with the fasttrack disabled then it works. Weird. I might try some reboots in between config changes - it could be that I'm running on the latest RC version of routerOS I guess. More testing needed!! Thanks again.

May I see the complete /ip firewall export (with public addresses substituted by something meaningful if needed)? The marking rules seem fine to me too.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" dst-limit=30,30,dst-address/1m40s limit=30,30:packet protocol=icmp src-address=192.168.118.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Process mid connection with no connection mark" connection-mark=no-mark connection-state=established,related
add action=mark-routing chain=prerouting comment="MarkRouting BypassVPN Early" connection-mark=BYPASSVPN-conn new-routing-mark=BYPASSVPN-route passthrough=no
add action=mark-connection chain=prerouting comment="Connection-Mark for Clients Bypassing the VPN" connection-state=new disabled=yes new-connection-mark=BYPASSVPN-conn passthrough=yes src-address=\
192.168.118.143
add action=mark-routing chain=prerouting comment="MarkRouting BypassVPN Late" connection-mark=BYPASSVPN-conn new-routing-mark=BYPASSVPN-route passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes dst-address=192.168.118.0/24 src-address=192.168.118.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade for ISP routed traffic" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="srcnat for HideIPVPN routed traffic" out-interface=l2tp-out1
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S ;;; Static route via local ISP for BYPASSVPN-route
0.0.0.0/0 70.95.64.99 1
1 ADS 0.0.0.0/0 l2tp-out1 1
2 DS 0.0.0.0/0 70.95.64.99 2
3 ADC 10.0.0.2/32 10.7.4.199 l2tp-out1 0
4 ADC 70.95.64.0/19 70.95.93.199 ether1-EXTERNAL 0
5 ADS 104.237.61.2/32 70.95.64.99 0
6 ADC 192.168.118.0/24 192.168.118.1 bridge-LAN 0
/ip firewall connection remove [find src-address~"192.168.118.143"]
> Back to your original comment, I suspect this is a firewall filter issue - I guess I have to eliminate them one by one.

No, it's my fault.
3 D ;;; upnp 192.168.118.99: WD2go
chain=dstnat action=dst-nat to-addresses=192.168.118.99 to-ports=80 protocol=tcp dst-address=70.95.93.99 in-interface=ether1-EXTERNAL dst-port=9091
4 D ;;; upnp 192.168.118.99: WD2goSSL
chain=dstnat action=dst-nat to-addresses=192.168.118.99 to-ports=443 protocol=tcp dst-address=70.95.93.99 in-interface=ether1-EXTERNAL dst-port=443
> do you have an Amazon wish-list or something I can see?

Well, if you know what is necessary to do to force-synchronize an Oracle database cluster after it has diverged...
> Obviously in this case, the in-interface is external - so do I just need a separate connection-mark for 'new' connections where the internal client address is the destination rather than the source? Or is there something I can easily do to the existing rules to accommodate any dstnat like the above.

Gadgets opening ports for http access from outside, hmmm. Are they at least decent enough to look like those big hollow wooden animals?
add action=mark-connection chain=prerouting comment="Connection-Mark for Clients Bypassing the VPN" connection-state=new new-connection-mark=Bypass-VPNconn passthrough=no in-interface=ether1-EXTERNAL
> Well, if you know what is necessary to do to force-synchronize an Oracle database cluster after it has diverged...

Depends - is it a RAC cluster that's divided, or has Data Guard gone rogue..
> Gadgets opening ports for http access from outside, hmmm. Are they at least decent enough to look like those big hollow wooden animals?

All low risk stuff - I'm trying to become more automated operations driven, so I can live without manually managing port-forwards for a living.
> To the question, as you've guessed, it is enough to mark the connections with the same connection-mark if their initial packets come in via the respective WAN port. Just add the rule below right before or right after the other

Thanks again - I feel like I've actually achieved something today!
> Depends - is it a RAC cluster that's divided, or has Data Guard gone rogue..

I suppose a Data Guard, one Primary and one Standby with all those flashbacks, managed recovery, "restore" and "recover" commands in RMAN which have to be done both (and restore succeeds but recovery fails), and it was enough to shut down everything and then start it again to end up with an "unresolvable gap" and "restore required" (after shutting down the application first so the database didn't actually get updated). For me everything there is new and different from other database engines I've seen so far, so maybe it is all clear and best of breed but I'm totally lost in that and it drives me mad. I will not lose any actual data now, only time, if I reinstall everything from scratch, but I'm afraid what would I do should something similar eventually happen later.
> > Depends - is it a RAC cluster that's divided, or has Data Guard gone rogue..
>
> ... but I'm totally lost in that and it drives me mad....
> > > Depends - is it a RAC cluster that's divided, or has Data Guard gone rogue..
> >
> > ... but I'm totally lost in that and it drives me mad....
>
> Wow, so you are human after all

My bet is on highly advanced AI
> Sindy - do you have an Amazon wish-list or something I can see?

On a serious note, the best gift would be fuel/petrol vouchers/coupons if such things exist, otherwise.......
> As far as I know (and I may be wrong here), I have to connection-mark (and route-mark) the incoming destination NATted traffic too in order to get it to work.

Correct. You need the connection tracking to "remember" that the initial request of a connection came in via WAN 2 and thus response packets within that connection must be routed out via WAN 2.
> I tried to add this rule in mangle (positioned in the section after Sindy's comment "only initial packets..."):
>
> add chain=prerouting in-interface=WAN2 dst-address=server's_LAN_IP connection-state=new action=mark-connection new-connection-mark=2nd-routing-table-handler passthrough=yes

Not correct. In the prerouting chain, mangle is done before nat, so the rule will never match because dst-address is still WAN2 IP when the packet is matched to this rule. But you don't need to match on dst-address at all - for this particular purpose, it is enough to match on in-interface=WAN2 alone.
> I also tried with server's public IP as dst-address, but it doesn't work either.

So the reason why it doesn't work must be something else.
> I'm especially confused by Sindy's comment in his solution that "download packets MUST NOT be routing-marked".

A connection mark is assigned by a rule handling a single packet, but unless intentionally changed or removed while handling another packet, it is remembered in the connection tracking module and automatically re-assigned to all subsequent packets belonging to the same connection, regardless of their direction. Unlike that, a routing mark is assigned to a single packet and not remembered - it just tells the router which routing table to use for that single packet.
> Can I route-mark only download packets with connection mark "new"?

new is not a connection mark, it is a connection state. This label is assigned to packets that do not match any existing connection, so they initiate a new one.
> Not correct. In the prerouting chain, mangle is done before nat, so the rule will never match because dst-address is still WAN2 IP when the packet is matched to this rule. But you don't need to match on dst-address at all - for this particular purpose, it is enough to match on in-interface=WAN2 alone.

Thank you for the clarification.
> So the reason why it doesn't work must be something else.

Any idea what else could it be? I've been monitoring packet counts on the before-mentioned mangle rule, and also on the dst-nat rule. Whenever I refresh the web page in the browser, packet counts go up a few ticks on both mangle and dst-nat. Browser says "connection aborted". I also see on connection tracker that server is constantly trying to reach public NTP server on UDP 123, and that connections have the proper connection mark.
> Since the routing table "via WAN 2" only contains a default route, if packets coming in via WAN 2 got a routing-mark "via WAN 2", they would get routed via WAN 2 to the internet (and dropped there or delivered to unrelated destination) rather than getting delivered to the proper recipient in LAN.

I see. Makes sense. Thank you again.
> new is not a connection mark, it is a connection state. This label is assigned to packets that do not match any existing connection, so they initiate a new one.

Yes, that's what I meant. It just came out wrong.
> Any idea what else could it be?

Not without seeing your actual configuration. See my automatic signature for a hint on how to export and anonymize it. Remove serial number, keep RouterOS version.
/ip firewall mangle
add chain=prerouting connection-state=established,related connection-mark=no-mark action=accept # if a mid-connection packet has no connection mark, it needs the default handling
add chain=prerouting connection-state=established,related in-interface=your-wan action=accept # download packets MUST NOT be routing-marked
add chain=prerouting connection-mark=handling-A action=mark-routing new-routing-mark=handling-A # passthrough=no is a default behaviour but you can state it explicitly
#only initial packets of connections (plus some garbage) get here past the rules above
add chain=prerouting ...list of classifying match conditions for handling A... connection-state=new action=mark-connection new-connection-mark=handling-A passthrough=yes
#this is my part for connection-marking connections coming from WAN2
add chain=prerouting in-interface=WAN2 connection-state=new action=mark-connection new-connection-mark=handling-A passthrough=yes
#initial packets of connections which evaded both the rules above get here with no connection mark; we just repeat the mark-routing rules above
add chain=prerouting connection-mark=handling-A action=mark-routing new-routing-mark=handling-A
> Will simply putting passthrough=no on my line in the code solve the problem?
>
> #this is my part for connection-marking connections coming from WAN2
> add chain=prerouting in-interface=WAN2 connection-state=new action=mark-connection new-connection-mark=handling-A passthrough=yes

Yes, it will, but there must be something wrong in the subsequent rules as they must also avoid assigning routing-mark to packets arriving via WAN. And indeed, the rules in my example above are wrong in this regard, so I have to edit that post again (they were fine initially, but I forgot to update them when editing the post to include your scenario).
> If I get this correctly, my mistake here is that connections initiated from WAN are getting their connection-mark, but are also getting their route-mark (the next rule applies it).
>
> Am I getting this right?

Yes, as said above, the mistake is already in my template rules. Just a remark to the wording as others will read this as well - the connections initiated from WAN do not get a routing-mark, their initial packets do.
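The two points made in this thread (the fasttrack-compatible template built on connection marks, and the later finding that a WAN2 mark-connection rule with passthrough=yes lets the very first inbound packet fall through to the mark-routing rule) can be checked with a small model of the mangle chain. The following Python is an added example, not code from the thread or from RouterOS: it models connection tracking, the prerouting mangle chain with passthrough semantics, a single dst-nat port forward and a per-routing-mark table lookup, then replays the template with the WAN2 rule set to passthrough=yes and passthrough=no, and with the "accept established,related in-interface=WAN2" rule present and absent. The interface names, the addresses (192.168.118.99 as the forwarded server, 192.168.118.143 as the bypass client, 198.51.100.10 as the WAN2 public address, 203.0.113.0/24 hosts as remote peers) and the table name rtab-ether02-WAN are constructed for the example; each table is reduced to one default route, plus the connected LAN in main.

```python
"""Added example (not from the thread or RouterOS): a model of how connection
marks, routing marks and mangle passthrough interact. All names and addresses
below are constructed for the example, not the posters' real values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN, WAN1, WAN2 = "bridge-LAN", "ether01-WAN", "ether02-WAN"
WAN2_PUBLIC = "198.51.100.10"   # constructed public address on WAN2
SERVER = "192.168.118.99"       # constructed LAN host behind the port forward
CLIENT = "192.168.118.143"      # constructed LAN client that must go out via WAN2
RTAB = "rtab-ether02-WAN"       # table holding only a default route via WAN2
TABLES = {"main": [("0.0.0.0/0", WAN1), ("192.168.118.0/24", LAN)],
          RTAB: [("0.0.0.0/0", WAN2)]}

@dataclass
class Conn:                          # one connection-tracking entry
    orig: tuple                      # (src, dst) of the first packet, before dst-nat
    reply: Optional[tuple] = None
    dnat: Optional[str] = None
    mark: Optional[str] = None       # remembered for every later packet, both directions

@dataclass
class Rule:
    action: str                      # accept | mark-connection | mark-routing
    in_iface: Optional[str] = None
    src: Optional[str] = None
    state: Optional[str] = None      # new | established
    conn_mark: Optional[str] = None  # "no-mark" matches unmarked connections
    new_mark: Optional[str] = None
    passthrough: bool = False

    def matches(self, src, in_iface, state, conn):
        return (self.in_iface in (None, in_iface) and self.src in (None, src)
                and self.state in (None, state)
                and (conn.mark is None if self.conn_mark == "no-mark"
                     else self.conn_mark in (None, conn.mark)))

def mangle_prerouting(rules, src, in_iface, state, conn):
    """Walk the chain; return the packet's routing mark (None means main table)."""
    routing_mark = None
    for r in (r for r in rules if r.matches(src, in_iface, state, conn)):
        if r.action == "mark-connection":
            conn.mark = r.new_mark
        elif r.action == "mark-routing":
            routing_mark = r.new_mark
        if r.action == "accept" or not r.passthrough:
            break                    # accept, or passthrough=no, ends the walk
    return routing_mark

def route(dst, routing_mark):
    """Longest-prefix match in the table selected by the routing mark."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface in TABLES[routing_mark or "main"]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward(conns, rules, src, dst, in_iface):
    """Run one packet through conntrack, mangle, dst-nat and routing; return its egress."""
    conn = next((c for c in conns if (src, dst) in (c.orig, c.reply)), None)
    state = "established" if conn else "new"
    if conn is None:
        conn = Conn(orig=(src, dst))
        conns.append(conn)
    mark = mangle_prerouting(rules, src, in_iface, state, conn)  # mangle runs before dst-nat
    if state == "new" and in_iface == WAN2 and dst == WAN2_PUBLIC:
        conn.dnat = SERVER                                       # the port-forward dst-nat rule
    if conn.dnat and (src, dst) == conn.orig:
        dst = conn.dnat                                          # conntrack re-applies the translation
    if conn.reply is None:
        conn.reply = (dst, src)
    return route(dst, mark)

def rules_for(wan2_passthrough, keep_wan_accept=True):
    """The thread's template; the WAN2 mark-connection rule's passthrough and
    the 'accept established,related in-interface=WAN2' rule are the knobs."""
    mark_route = Rule("mark-routing", conn_mark="A", new_mark=RTAB)
    rules = [Rule("accept", state="established", conn_mark="no-mark")]
    if keep_wan_accept:
        rules.append(Rule("accept", state="established", in_iface=WAN2))
    return rules + [
        mark_route,
        Rule("mark-connection", state="new", in_iface=LAN, src=CLIENT, new_mark="A", passthrough=True),
        Rule("mark-connection", state="new", in_iface=WAN2, new_mark="A", passthrough=wan2_passthrough),
        mark_route]

def inbound_scenario(rules):
    """A remote host opens the port-forwarded connection via WAN2: egress for
    (its first packet, the server's reply, its second packet)."""
    conns, remote = [], "203.0.113.5"
    return (forward(conns, rules, remote, WAN2_PUBLIC, WAN2),
            forward(conns, rules, SERVER, remote, LAN),
            forward(conns, rules, remote, WAN2_PUBLIC, WAN2))

def bypass_client_scenario(rules):
    """CLIENT opens a connection out: egress for (its first packet, the
    download packet that comes back in via WAN2)."""
    conns, site = [], "203.0.113.80"
    return (forward(conns, rules, CLIENT, site, LAN),
            forward(conns, rules, site, CLIENT, WAN2))
```

With passthrough=yes on the WAN2 rule, inbound_scenario returns ether02-WAN for the remote host's first packet: its connection gets the mark, the next rule turns that into a routing mark, and the post-NAT destination 192.168.118.99 is looked up in a table whose only route is the WAN2 default, so the SYN goes back out instead of to the server. With passthrough=no the first packet leaves the chain unmarked and reaches the LAN, while the server's reply still picks up the mark and exits via WAN2. The third case, bypass_client_scenario without the "accept established,related in-interface=WAN2" rule, is the "download packets MUST NOT be routing-marked" point: the download packet for the bypass client is routing-marked and sent back out WAN2 rather than delivered to 192.168.118.143. The model ignores connected-route fallback and the second copy of the accept rule in the template; both scenarios are deterministic, so the assertions below are the expected egress interfaces.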
Tried your new rules. Works without a hitch.
BTW, I currently use a different arrangement of rules:
chain=prerouting action=accept connection-state=established,related connection-mark=no-mark
chain=prerouting action=accept connection-state=established,related in-interface=ether02-WAN
chain=prerouting action=mark-routing new-routing-mark=rtab-ether02-WAN connection-mark=connection-WAN2
chain=prerouting action=mark-connection new-connection-mark=connection-WAN2 passthrough=no connection-state=new in-interface=ether02-WAN
chain=prerouting action=mark-routing new-routing-mark=rtab-ether02-WAN connection-mark=connection-WAN2
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 chain=prerouting action=jump jump-target=mark-connections connection-state=new
4 chain=prerouting action=accept in-interface=ether01-WAN
5 chain=prerouting action=mark-routing new-routing-mark=rtab-ether02-WAN passthrough=no connection-mark=connection-WAN2
6 chain=mark-connections action=mark-connection new-connection-mark=connection-WAN2 in-interface=ether02-WAN
> Can anybody help?

Not without seeing the rest of the configuration. If connection from outside is not possible, modification of filter or nat rules may be necessary, not just of mangle ones.
> What information do you need to see to find the problem in my router settings?

As written above - a complete configuration export, anonymized in terms of the serial number (which can be used to find the public IP of the router if you have the Mikrotik cloud DNS service enabled), any passwords/pre-shared keys (these are not exported automatically if you use hide-sensitive when exporting from ROS 6 and if you do not use show-sensitive when exporting from ROS 7), any login names for external VPN servers, and any public addresses. And any comments that may help identify you - bots never sleep. Also you can usually remove any static DHCP leases.
# oct/22/2022 09:45:01 by RouterOS 7.5
# software id = DIE2-NY0V
#
# model = 1100AHx2
# serial number = <serialnummer>
/interface bridge
add disabled=yes name=bridge-10.6.0.0
add fast-forward=no name=bridge-broadcast
add admin-mac=<aMacAddress> auto-mac=no fast-forward=no name=\
bridge-company
add fast-forward=no name=bridge-guest
/interface ethernet
set [ find default-name=ether1 ] comment=www.company.eu name=ether01-WAN \
speed=100Mbps
set [ find default-name=ether2 ] comment=vpn.company.eu name=ether02-WAN \
speed=100Mbps
set [ find default-name=ether3 ] name=ether03-WAN speed=100Mbps
set [ find default-name=ether4 ] name=ether04-WAN speed=100Mbps
set [ find default-name=ether5 ] name=ether05-bonding56 speed=100Mbps
set [ find default-name=ether6 ] name=ether06-bonding56 speed=100Mbps
set [ find default-name=ether7 ] name="ether07-trunk(10.1.4.2)" speed=100Mbps
set [ find default-name=ether8 ] name="ether08-trunk(10.1.4.3)" speed=100Mbps
set [ find default-name=ether9 ] disabled=yes name=ether09-nc speed=100Mbps
set [ find default-name=ether10 ] name="ether10-company(switch)" speed=\
100Mbps
set [ find default-name=ether11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"ether11-trunk(10.1.4.13)"
set [ find default-name=ether12 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"ether12-trunk(10.1.4.4)"
set [ find default-name=ether13 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"ether13-trunk(10.1.4.5)"
/interface eoip
add disabled=yes !keepalive mac-address=<aMacAddress> name=eoip-10.2.1.1 \
remote-address=10.2.1.1 tunnel-id=3
/interface vlan
add interface=ether04-WAN name=vlan04-company vlan-id=1
add interface=ether04-WAN name=vlan04-guest vlan-id=2
add interface="ether07-trunk(10.1.4.2)" name=vlan07-company vlan-id=1
add interface="ether07-trunk(10.1.4.2)" name=vlan07-guest vlan-id=2
add interface="ether08-trunk(10.1.4.3)" name=vlan08-broadcast vlan-id=3
add interface="ether08-trunk(10.1.4.3)" name=vlan08-company vlan-id=1
add interface="ether08-trunk(10.1.4.3)" name=vlan08-guest vlan-id=2
add interface="ether11-trunk(10.1.4.13)" name=vlan11-company vlan-id=1
add interface="ether11-trunk(10.1.4.13)" name=vlan11-guest vlan-id=2
add disabled=yes interface="ether12-trunk(10.1.4.4)" name=vlan12-broadcast \
vlan-id=3
add interface="ether12-trunk(10.1.4.4)" name=vlan12-company vlan-id=1
add interface="ether12-trunk(10.1.4.4)" name=vlan12-guest vlan-id=2
add interface="ether13-trunk(10.1.4.5)" name=vlan13-company vlan-id=1
add interface="ether13-trunk(10.1.4.5)" name=vlan13-guest vlan-id=2
/interface bonding
add mode=802.3ad name=bonding56-company slaves=\
ether05-bonding56,ether06-bonding56
/interface list
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=8h
/ip pool
add name=pool-10.1.254.0 ranges=10.1.254.100-10.1.254.199
add name=pool-10.1.0.0 ranges=10.1.1.100-10.1.1.199
add name=pool-10.254.0.0 ranges=10.254.1.100-10.254.1.199
add name=pool-192.168.1.0 ranges=192.168.1.100-192.168.1.199
add name=pool-10.5.0.0 ranges=10.5.1.100-10.5.1.199
/ip dhcp-server
add address-pool=pool-10.1.0.0 authoritative=after-2sec-delay bootp-support=\
dynamic interface=bridge-company name=dhcp-10.1.0.0
add address-pool=pool-192.168.1.0 authoritative=after-2sec-delay interface=\
bridge-guest name=dhcp-192.168.1.0
add address-pool=pool-10.5.0.0 disabled=yes interface=ether02-WAN name=\
dhcp-10.5.0.0
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=10.1.1.1 name=VPN use-encryption=yes
add local-address=10.1.1.1 name=iPhone remote-address=pool-10.254.0.0
add local-address=192.168.22.1 name=L2TP_IPSEC use-compression=yes \
use-encryption=required
add local-address=10.1.1.1 name=cczzz01
add local-address=10.1.1.1 name=profile-openvpn
add local-address=10.1.1.1 name=test use-encryption=no
set *FFFFFFFE local-address=10.1.1.1 use-ipv6=no
/interface l2tp-client
add allow=mschap2 connect-to=bbyyy01.company.eu max-mru=1400 max-mtu=1400 \
name=l2tp-10.2.1.1 profile=VPN use-ipsec=yes user=10.1.1.1
add allow=mschap2 allow-fast-path=yes connect-to=cczzz01.company.eu max-mru=\
1400 max-mtu=1400 name=l2tp-10.3.1.1 profile=VPN use-ipsec=yes user=\
10.1.1.1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2 router-id=10.1.1.1
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=rtab-WAN
add disabled=no fib name=rtab-guest
add fib name=masquerade-guest
add fib name=yyyy
add disabled=no fib name=rtab-ether02-WAN
add disabled=no fib name=rtab-ether03-WAN
add disabled=no fib name=rtab-ether04-WAN
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge-broadcast disabled=yes ingress-filtering=no interface=\
ether09-nc
add bridge=bridge-company ingress-filtering=no interface=\
"ether10-company(switch)"
add bridge=bridge-company ingress-filtering=no interface=vlan07-company
add bridge=bridge-company ingress-filtering=no interface=vlan11-company
add bridge=bridge-guest ingress-filtering=no interface=vlan11-guest
add bridge=bridge-company ingress-filtering=no interface=vlan12-company
add bridge=bridge-guest ingress-filtering=no interface=vlan07-guest
add bridge=bridge-guest ingress-filtering=no interface=vlan12-guest
add bridge=bridge-company ingress-filtering=no interface=vlan08-company
add bridge=bridge-guest ingress-filtering=no interface=vlan08-guest
add bridge=bridge-broadcast ingress-filtering=no interface=eoip-10.2.1.1
add bridge=bridge-broadcast ingress-filtering=no interface=vlan12-broadcast
add bridge=bridge-company ingress-filtering=no interface=vlan13-company
add bridge=bridge-guest ingress-filtering=no interface=vlan13-guest
add bridge=bridge-broadcast ingress-filtering=no interface=vlan08-broadcast
add bridge=bridge-company ingress-filtering=no interface=bonding56-company
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=1024
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 enabled=yes max-mru=1400 \
max-mtu=1400 use-ipsec=yes
/interface list member
add interface=ether01-WAN list=WAN
add interface=ether03-WAN list=WAN
add interface=ether02-WAN list=WAN
add interface=ether04-WAN list=WAN
/interface ovpn-server server
set auth=sha1,md5 certificate=OpenVPN_Server.crt_0 cipher=\
blowfish128,aes128,aes192,aes256 default-profile=profile-openvpn \
require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=VPN
/interface sstp-server server
set authentication=mschap1,mschap2 certificate=\
letsencrypt-autogen_2022-09-18T13:53:26Z default-profile=VPN port=4443
/ip address
add address=10.1.1.1/16 interface=bridge-company network=10.1.0.0
add address=192.168.1.1/24 interface=bridge-guest network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add default-route-distance=10 interface=ether01-WAN use-peer-ntp=no
add default-route-distance=40 interface=ether04-WAN use-peer-dns=no \
use-peer-ntp=no
add default-route-distance=30 interface=ether03-WAN use-peer-dns=no \
use-peer-ntp=no
add default-route-distance=20 interface=ether02-WAN use-peer-dns=no \
use-peer-ntp=no
/ip dhcp-server lease
add address=10.1.1.15 client-id=<aClientID> comment=\
"aaxxx01sv005 - Neatgear NAS" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.1.211 always-broadcast=yes client-id=<aClientID> \
comment=AAXXX01PR013 mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.5.3 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.18 client-id=<aClientID> comment=\
"from here aaxxx01vm***" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.2.19 mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.5.5 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.20 mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.5.6 always-broadcast=yes client-id=<aClientID> \
mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.1.20 client-id=<aClientID> comment=\
"aaxxx01sv020 - QNAP" mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.1.21 client-id=<aClientID> comment=\
"aaxxx01sv021 - VmWare Server" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.5.4 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.8.105 always-broadcast=yes client-id=<aClientID> \
comment=XBox mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.21 mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.6.1 always-broadcast=yes client-id=<aClientID> \
comment=EdiMax mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.6.2 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.6.3 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.6.4 always-broadcast=yes client-id=<aClientID> \
mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.23 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.24 mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.26 client-id=\
<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.1.33 client-id=<aClientID> comment=\
"CCU3 Homematic Server" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.2.28 client-id=\
<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.1.34 comment="Tradfri Server" mac-address=<aMacAddress> \
server=dhcp-10.1.0.0
add address=10.1.1.22 client-id=<aClientID> comment=\
"aaxxx01sv022 - VmWare Server" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.9.20 client-id=<aClientID> comment=\
"Server aaxxx01sv020 2nd address" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.1.32 client-id=<aClientID> comment=\
"Raspberry PI - FHEM Server" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.1.35 client-id=<aClientID> comment=\
"LAN-Gateway Homematic" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.1.36 client-id=<aClientID> comment=\
"Homematic LAN Gateway (orig. CCU2)" mac-address=<aMacAddress> \
server=dhcp-10.1.0.0
add address=10.1.1.23 client-id=\
<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.29 client-id=\
<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.30 client-id=\
<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.4.10 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.27 client-id=\
<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.25 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=192.168.1.0 comment="from here guest DHCP" disabled=yes \
mac-address=<aMacAddress>
add address=10.1.5.1 client-id=<aClientID> comment=\
"from here cameras" mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.1.37 client-id=<aClientID> comment="Fritz! Box 7270" \
mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.32 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.1.100 comment="from here on DHCP pool" disabled=yes \
mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.7.1 client-id=<aClientID> comment=iPhones disabled=\
yes mac-address=<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.7.2 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.5.9 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.5.8 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.5.7 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=192.168.1.203 client-id=<aClientID> disabled=yes \
mac-address=<aMacAddress> server=dhcp-192.168.1.0
add address=192.168.1.202 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-192.168.1.0
add address=10.1.5.10 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=192.168.1.138 comment="Vasi\?" mac-address=<aMacAddress> \
server=dhcp-192.168.1.0
add address=192.168.1.147 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-192.168.1.0
add address=192.168.1.200 client-id=<aClientID> comment=\
"phones guest" mac-address=<aMacAddress> server=dhcp-192.168.1.0
add address=192.168.1.201 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-192.168.1.0
add address=10.1.7.1 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.4.2 client-id=<aClientID> comment=\
"from here on access points" mac-address=<aMacAddress> server=\
dhcp-10.1.0.0
add address=10.1.4.3 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.4.5 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.4.6 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.4.11 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.4.13 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.4.113 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=192.168.1.203 client-id=<aClientID> comment=Name \
mac-address=<aMacAddress> server=dhcp-192.168.1.0
add address=10.1.4.4 client-id=<aClientID> mac-address=\
<aMacAddress> server=dhcp-10.1.0.0
add address=10.1.2.33 mac-address=<aMacAddress> server=dhcp-10.1.0.0
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.1.1 domain=company.lan gateway=\
10.1.1.1 netmask=16 ntp-server=10.1.1.1
add address=10.5.0.0/16 dns-server=10.5.1.1 gateway=10.5.1.1 netmask=16 \
ntp-server=10.1.1.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.1.2.1 name=companyweb.company.lan
add address=10.1.1.205 name=aaxxx01ph201.company.lan
add address=10.1.1.205 name=aaxxx01ph301.company.lan
add address=10.1.1.205 name=aaxxx01ph401.company.lan
add address=10.1.1.205 name=aaxxx01ph501.company.lan
add address=10.1.4.2 name=aaxxx01ap002.company.lan
add address=10.1.4.3 name=aaxxx01ap003.company.lan
add address=10.1.4.4 name=aaxxx01ap004.company.lan
add address=10.1.4.5 name=aaxxx01ap005.company.lan
add address=10.1.4.6 name=aaxxx01ap006.company.lan
add address=10.1.1.210 name=aaxxx01ca003.company.lan
add address=10.1.1.204 name=aaxxx01ph001.company.lan
add address=10.1.1.206 name=aaxxx01pr002.company.lan
add address=10.1.1.207 name=aaxxx01pr004.company.lan
add address=10.1.1.208 name=aaxxx01pr008.company.lan
add address=10.1.1.209 name=aaxxx01pr009.company.lan
add address=10.1.2.19 name=sip_server.company.lan
add address=10.1.1.1 name=ntp_server.company.lan
add address=10.1.1.1 name=ntp_server
add address=10.1.2.19 name=sip_server
add address=10.1.1.20 name=tftp_server
add address=10.1.1.20 name=tftp_server.company.lan
add address=10.1.1.20 name=ftp_server
add address=10.1.1.20 name=ftp_server.company.lan
add address=10.1.2.18 name=smtp_server
add address=10.1.2.18 name=smtp_server.company.lan
add address=10.1.2.1 name=aaxxx01vm001.company.lan
add address=10.1.2.9 name=aaxxx01vm009.company.lan
add address=10.1.1.207 name=aaxxx01pr004
add address=10.1.1.16 name=aaxxx01sv006.company.lan
add address=10.1.2.12 name=sites.company.lan
add address=10.1.2.12 name=AAXXX01VM012.company.local
add address=10.1.1.20 name=file_server_1.company.lan
add address=10.1.1.20 name=file_server_2.company.lan
add address=216.58.214.3 comment="no steam" regexp=.*.valvesoftware.com
add address=10.1.1.15 name=aaxxx01sv005.company.lan
add address=1.2.3.4 comment="temporary --> to be deleted" disabled=yes \
name=www.company.eu
add address=10.1.1.20 name=aaxxx01sv020.company.lan
add address=10.1.1.21 name=aaxxx01sv021.company.lan
add address=10.1.2.26 name=deep_learning.company.lan
add address=10.1.2.29 name=7d2d.company.lan
add address=10.1.2.28 name=iobroker.company.lan
add address=10.1.2.27 name=crawler.company.lan
add address=10.1.1.22 name=vmware.company.lan
add address=10.1.2.20 name=plex_server.company.lan
add address=10.3.1.12 name=cczzz01sv002.company.lan.
add address=10.2.1.12 name=bbyyy01sv002.company.lan
add address=10.1.2.20 name=http_server
add address=10.1.2.11 name=aaxxx01vm011.company.lan ttl=59m59s
add address=10.1.2.18 name=aaxxx01vm018.company.lan ttl=59m59s
add address=10.1.2.20 name=aaxxx01vm020.company.lan ttl=59m59s
add address=10.1.2.21 name=aaxxx01vm021.company.lan ttl=59m59s
add address=10.1.2.22 name=aaxxx01vm022.company.lan ttl=59m59s
add address=10.1.2.23 name=aaxxx01vm023.company.lan ttl=59m59s
add address=10.1.2.24 name=aaxxx01vm024.company.lan ttl=59m59s
add address=10.1.2.26 name=aaxxx01vm026.company.lan ttl=59m59s
add address=10.1.2.28 name=aaxxx01vm028.company.lan ttl=59m59s
add address=10.1.2.29 name=aaxxx01vm029.company.lan ttl=59m59s
add address=10.1.2.30 name=aaxxx01vm030.company.lan ttl=59m59s
add address=10.1.1.110 name=aaxxx02vm027.company.lan ttl=59m59s
add address=10.1.1.103 name=aaxxx01ws010.company.lan ttl=59m59s
add address=2.3.4.5 disabled=yes name=www2.company.eu
add address=10.1.7.1 name=Mobile_10.1.7.1 ttl=8m25s
add address=192.168.1.200 name=Mobile_192.168.1.200 ttl=8m1s
add address=10.1.7.2 name=Mobile_10.1.7.2 ttl=9m27s
/ip firewall address-list
add address=193.56.29.119 list=ip_scanner_list
add address=23.101.7.53 list=ip_scanner_list
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Rule necessary for let's encrypt (disab\
le NAT forwarding for port 80 in that case)" disabled=yes dst-port=80 \
in-interface=ether01-WAN protocol=tcp
add action=accept chain=forward comment="Forward all related" \
connection-state=established,related
add action=accept chain=input comment="Established connections" \
connection-state=established
add action=accept chain=input comment="Related connections" connection-state=\
related
add action=drop chain=input comment="drop scanner" in-interface-list=WAN \
src-address-list=ip_scanner_list
add action=drop chain=input comment="Block Guest network" connection-state=\
!established,related dst-address=10.0.0.0/8 in-interface=bridge-guest
add action=accept chain=input comment=icmp in-interface=ether01-WAN protocol=\
icmp
add action=accept chain=input comment="input tcp-ports from ether01-WAN" \
disabled=yes dst-port=443,80,25,5014,987,1723,4443,1194,321,7999 \
in-interface=ether01-WAN protocol=tcp
add action=accept chain=input comment="input tcp-ports from ether02-WAN" \
disabled=yes dst-port=80 in-interface=ether02-WAN protocol=tcp
add action=accept chain=input comment="accepted upd ports from WAN" dst-port=\
500,4500,1701,1194 in-interface=ether01-WAN protocol=udp
add action=accept chain=input disabled=yes dst-port=1194 in-interface=\
bridge-guest protocol=udp
add action=accept chain=input comment="accept ipsec protocol from WAN" \
disabled=yes in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="drop all the rest from internet" \
in-interface-list=WAN
add action=drop chain=forward comment="keep Foscam quiet" dst-address=\
!10.0.0.0/8 src-address=10.1.5.0/24
add action=accept chain=forward comment="forward all the rest"
add action=accept chain=input comment="allow everything"
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=connection-WAN2 \
disabled=yes new-connection-mark=connection-WAN2 passthrough=no
add action=mark-routing chain=prerouting dst-address=!10.0.0.0/8 \
new-routing-mark=rtab-ether02-WAN passthrough=no src-address=10.1.2.33
add action=mark-routing chain=prerouting connection-mark=connection-WAN2 \
disabled=yes new-routing-mark=rtab-ether02-WAN passthrough=no
add action=jump chain=prerouting connection-mark=no-mark connection-state=\
established,related,new disabled=yes jump-target=mark-connections
add action=mark-connection chain=mark-connections connection-state=new \
disabled=yes in-interface=ether01-WAN new-connection-mark=connection-WAN1 \
passthrough=yes
add action=mark-connection chain=mark-connections connection-mark=no-mark \
connection-state=established,related,new disabled=yes dst-port=443 \
in-interface=ether02-WAN new-connection-mark=connection-WAN2 passthrough=\
no protocol=tcp
add action=accept chain=prerouting connection-mark=no-mark disabled=yes
add action=mark-routing chain=prerouting connection-mark=connection-WAN2 \
disabled=yes new-routing-mark=rtab-ether02-WAN passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="masq everything going out on WAN" \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="Masquerade 10.0.0.0 - guest NW" \
out-interface=bridge-guest src-address=10.0.0.0/8 to-addresses=\
192.168.1.1
add action=masquerade chain=srcnat disabled=yes out-interface=bridge-company \
src-address=!10.0.0.0/8
add action=src-nat chain=srcnat comment="redirect internal requests (10.x.x.x \
--> 10.1.1.1 -> 10.1.2.24 --> 10.1.1.1 --> 10.x.x.x) " dst-address=\
10.1.2.24 to-addresses=10.1.1.1
add action=src-nat chain=srcnat dst-address=10.1.2.33 src-address=10.0.0.0/8 \
to-addresses=10.1.1.1
add action=src-nat chain=srcnat dst-address=10.1.2.18 to-addresses=10.1.1.1
add action=src-nat chain=srcnat dst-address=10.1.1.20 to-addresses=10.1.1.1
add action=dst-nat chain=dstnat comment=\
"web services with special ports --> send to nginx reverse proxy server" \
dst-port=237,5115,5311,5312,5212,5122,7999 protocol=tcp to-addresses=\
10.1.2.24
add action=dst-nat chain=dstnat comment="smtp goes to zarafa server" \
dst-port=25 in-interface=ether01-WAN protocol=tcp to-addresses=10.1.2.18
add action=dst-nat chain=dstnat comment=\
"all http and https go to nginx reverse proxy" dst-port=80,443 \
in-interface=ether01-WAN protocol=tcp to-addresses=10.1.2.24
add action=dst-nat chain=dstnat comment="zarafa access" dst-port=237 \
in-interface=ether01-WAN protocol=tcp to-addresses=10.1.2.18 to-ports=237
add action=dst-nat chain=dstnat comment=\
"Forward TCP ports from ether02-WAN to 10.1.2.33" dst-port=80,443 \
in-interface=ether02-WAN protocol=tcp to-addresses=10.1.2.33
add action=dst-nat chain=dstnat comment=\
"all https to www.company.eu from ppp goes to nginx reverse proxy " \
dst-address=1.2.3.4 dst-port=443 in-interface=all-ppp protocol=tcp \
to-addresses=10.1.2.24
add action=dst-nat chain=dstnat dst-address=2.3.4.5 dst-port=443 \
in-interface=all-ppp protocol=tcp to-addresses=10.1.2.33
add action=dst-nat chain=dstnat comment=\
"all https requests forward to nginx reverse proxy server" dst-address=\
1.2.3.4 dst-port=443 in-interface=bridge-company protocol=tcp \
to-addresses=10.1.2.24
add action=dst-nat chain=dstnat dst-address=2.3.4.5 dst-port=443 \
in-interface=bridge-company protocol=tcp to-addresses=10.1.2.33
add action=dst-nat chain=dstnat comment="openvpn gateway to 10.1.1.20" \
disabled=yes dst-port=1194 in-interface=ether01-WAN protocol=udp \
to-addresses=10.1.1.20
add action=dst-nat chain=dstnat comment="7 Days 2 Die - Server UDP ports" \
disabled=yes dst-port=26900-26903 in-interface=ether01-WAN protocol=udp \
to-addresses=10.1.2.29
add action=dst-nat chain=dstnat comment="7 Days 2 Die - Server TCP ports" \
disabled=yes dst-port=26900 in-interface=ether01-WAN protocol=tcp \
to-addresses=10.1.2.29
/ip route
add disabled=yes distance=1 dst-address=10.1.0.0/16 gateway=bridge-company \
pref-src="" routing-table=*400 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.100.1/32 gateway=1.2.3.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.3.4.1 \
routing-table=rtab-ether02-WAN suppress-hw-offload=no
add disabled=yes distance=1 dst-address=10.34.0.0/16 gateway=1.2.3.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=3.4.5.1 \
pref-src="" routing-table=rtab-ether03-WAN suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=4.5.6.1 routing-table=\
rtab-ether04-WAN suppress-hw-offload=no
/ip service
set www address=10.0.0.0/8
set www-ssl certificate=letsencrypt-autogen_2022-09-18T13:53:26Z
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=scompany profile=iPhone
add name=10.4.1.1 profile=VPN
add name=10.2.1.1 profile=VPN
add name=10.3.1.1 profile=VPN
add name=10.5.1.1 profile=VPN
add name=10.6.1.1 profile=VPN
add local-address=172.16.0.1 name=10.4.1.1_openvpn profile=profile-openvpn \
remote-address=172.16.0.4 routes=172.16.0.0/24
add name=uid0002 profile=iPhone
add name=10.1.1.1 profile=VPN
/routing ospf interface-template
add area=backbone-v2 auth-id=1 disabled=no interfaces=bridge-company \
priority=1 type=ptp
add area=backbone-v2 disabled=no interfaces=bridge-guest type=ptp
add area=backbone-v2 cost=20 disabled=no interfaces=dynamic type=ptp
add area=backbone-v2 cost=10 disabled=no interfaces=l2tp-10.2.1.1 type=ptp
add area=backbone-v2 cost=10 disabled=no interfaces=l2tp-10.3.1.1 type=ptp
/routing rule
add action=lookup disabled=yes interface=bridge-guest table=rtab-WAN
add action=lookup disabled=yes dst-address=10.1.0.0/16 interface=bridge-guest \
table=rtab-WAN
add action=lookup comment="All routes from 10.1.2.21 shall go through routing \
table rtab-ether02-WAN" disabled=yes src-address=10.1.2.33 table=\
rtab-ether02-WAN
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=aaxxx01rt001
/system logging
set 1 action=disk
set 2 action=disk
add disabled=yes topics=ovpn
add action=disk topics=watchdog
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.at.pool.ntp.org
add address=1.at.pool.ntp.org
add address=2.at.pool.ntp.org
add address=3.at.pool.ntp.org
/system scheduler
add interval=30s name=schedule-MobileDNS on-event=script-MobileDNS policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
/system script
add dont-require-permissions=no name=script-MobileDNS owner=admin policy=\
read,write source="# Set IP ranges\
\n:local ipRangeArray {10.1.7.0/24; 192.168.1.200/29};\
\n:local Prefix \"Mobile_\";\
\n\
\n# Remove all Mobile records with less or equal 30 sec\
\n:foreach i in=[/ip dns static find ((name~\$Prefix) and ttl<=\"00:00:30\
\")] do={\
\n\t/ip dns static remove \$i;\
\n}\
\n\
\n# All other Mobiles reduce by 30 sec\
\n:foreach i in=[/ip dns static find ((name~\$Prefix) and ttl>\"00:00:30\"\
)] do={\
\n\t/ip dns static set \$i ttl=([/ip dns static get \$i ttl]-\"00:00:30\")\
;\
\n}\
\n\
\n# Add entries at the static dns list\
\n:foreach ipRange in=\$ipRangeArray do={\
\n\t:foreach i in=[/ip dhcp-server lease find ((address in \$ipRange) and \
(expires-after > \"00:00:00\"))] do={\
\n\t\t:local bFound false;\
\n\t\t:foreach di in [/ip dns static find name=(\$Prefix.[/ip dhcp-server \
lease get \$i address])] do={\
\n\t\t\t:set bFound true;\
\n\t\t\t/ip dns static set \$di ttl=[/ip dhcp-server lease get \$i expires\
-after];\
\n\t\t}\
\n\t\t:if (\$bFound = false) do={\
\n\t\t\t/ip dns static add name=(\"Mobile_\".[/ip dhcp-server lease get \$\
i address]) address=[/ip dhcp-server lease get \$i address] ttl=[/ip dhcp-\
server lease get \$i expires-after];\
\n\t\t}\
\n\t}\
\n}\
\n"
add dont-require-permissions=no name=test owner=admin policy=read,write \
source="# Remove all Mobile records with less or equal 1 min\
\n:local ipRangeArray {10.1.7.0/24; 192.168.16.200/3}\
\n\
\n:foreach ipRange in=\$ipRangeArray do={\
\n\t:put \$ipRange ;\
\n}\
\n"
/system watchdog
set ping-start-after-boot=15m ping-timeout=10m watch-address=8.8.8.8
/tool graphing interface
add
/tool graphing resource
add
/tool romon port
add
Add a match condition connection-mark=no-mark to the action=fasttrack-connection rule in chain forward in /ip firewall filter to prevent marked connections from getting fasttracked. Most, but not all, packets belonging to a fasttracked connection bypass mangle.

What is missing?
1 X ;;; fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no
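As an added check (written for this page, not posted by anyone in the thread), here is a small Python script that reads a RouterOS export like the one above and flags the fasttrack/mangle interaction just described: an enabled fasttrack-connection rule without connection-mark=no-mark while mangle carries an enabled mark-routing rule. It also flags a second, related condition: a mark-routing rule that keys on packet fields (src-address, dst-address) rather than on a connection mark. That second check is this editor's reasoning, not something stated in the thread: fasttrack works per connection, so excluding marked connections from fasttrack only helps if some mark-connection rule actually marks the connection first. The two embedded exports are constructed samples modelled on the config above, not copies of it; the parser handles only `add` lines and the standard export line continuations.

```python
"""Audit a RouterOS export for policy routing that fasttrack will silently undo.

Findings raised (both on constructed sample input, see below):
 1. an enabled action=fasttrack-connection rule with no connection-mark=no-mark
    while /ip firewall mangle has an enabled mark-routing rule;
 2. an enabled mark-routing rule that matches no connection-mark, so nothing
    ever marks the connection and the fasttrack exclusion has nothing to exclude.
"""
import re

# Constructed sample modelled on the export in the thread (not a copy of it).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \\
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Forward all related" \\
    connection-state=established,related
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!10.0.0.0/8 \\
    new-routing-mark=rtab-ether02-WAN passthrough=no src-address=10.1.2.33
add action=mark-routing chain=prerouting connection-mark=connection-WAN2 \\
    disabled=yes new-routing-mark=rtab-ether02-WAN passthrough=no
"""

# Constructed sample of the corrected layout: mark the connection once on its
# first packet, route on the connection mark, keep marked connections out of fasttrack.
FIXED_EXPORT = """\
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \\
    connection-mark=no-mark connection-state=established,related hw-offload=yes
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \\
    dst-address=!10.0.0.0/8 new-connection-mark=connection-WAN2 \\
    passthrough=yes src-address=10.1.2.33
add action=mark-routing chain=prerouting connection-mark=connection-WAN2 \\
    new-routing-mark=rtab-ether02-WAN passthrough=no
"""

# One token is a run of bare characters and/or double-quoted strings, so
# comment="Forward all related" stays a single key=value token.
_TOKEN = re.compile(r'(?:[^\s"]+|"(?:[^"\\]|\\.)*")+')


def _join_continuations(text):
    """Glue lines ending in a backslash to the next line, as 'export' splits them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw   # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return {section path: [rule dict, ...]} for every 'add' line in the export."""
    sections, current = {}, None
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # e.g. '/ip firewall mangle'
            current = line
            sections.setdefault(current, [])
            continue
        tokens = _TOKEN.findall(line)
        if current is None or not tokens or tokens[0] != "add":
            continue                             # 'set' lines are not rules; skip
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            rule[key] = value
        sections[current].append(rule)
    return sections


def audit(text):
    """Return a list of human-readable findings; empty list means nothing to fix."""
    cfg = parse_export(text)
    filt = cfg.get("/ip firewall filter", [])
    mangle = cfg.get("/ip firewall mangle", [])
    enabled = lambda r: r.get("disabled", "no") != "yes"

    routing_rules = [r for r in mangle if enabled(r) and r.get("action") == "mark-routing"]
    findings = []
    if not routing_rules:
        return findings                          # no policy routing, fasttrack is harmless
    for r in filt:
        if (enabled(r) and r.get("action") == "fasttrack-connection"
                and r.get("connection-mark") != "no-mark"):
            findings.append(
                "fasttrack rule %r lacks connection-mark=no-mark; fasttracked packets "
                "skip mangle, so policy-routed connections fall back to the main table"
                % r.get("comment", "<no comment>"))
    for r in routing_rules:
        if "connection-mark" not in r:
            findings.append(
                "mark-routing rule (src-address=%s) keys on packet fields, not on a "
                "connection mark; add a mark-connection rule first, otherwise the "
                "connection is unmarked and fasttrack still catches it"
                % r.get("src-address", "any"))
    return findings


if __name__ == "__main__":
    for name, export in (("sample", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, "->", audit(export) or "clean")
```

Run against the sample export it reports both findings; against the corrected export it reports none. On the router itself the equivalent change is `/ip firewall filter set [find action=fasttrack-connection] connection-mark=no-mark`, together with a mark-connection rule for the 10.1.2.33 traffic and a mark-routing rule that matches that connection mark, which is the layout the disabled rules in the mangle section above already sketch.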