NettingHelp

Packet loss in VLAN when enabling EoIP tunnel

Fri Nov 25, 2022 2:17 pm

Hi everyone,

I'm Luis, a SysAdmin for NettingHelp. We've been deploying LAN networks with MikroTik for our customers for the past 4 years, and I've recently run into a problem that is driving me crazy.

For some context, I'm trying to connect my customers' infrastructure with our cloud servers at layer 2, in order to migrate all their servers to the cloud, since some of those services require L2 connectivity. After some research, we decided to try either VXLAN or EoIP. At first glance, it worked out perfectly with close to no config at all: just configure both tunnel endpoints and get a DHCP lease in a Windows VM under the CHR from the DHCP server running in the other endpoint (my customer's local router).

The problem I'm facing is that, while the tunnel is enabled, the "bridge port" in the DHCP server leases of some devices inside the VLAN that I'm spreading over the EoIP tunnel up to the cloud constantly flaps between being the local port (the correct one) and being the EoIP tunnel (which makes no sense, since the device is in the local infrastructure and should be reached locally without sending anything through the EoIP tunnel). In fact, those devices keep losing connectivity because of those flaps.

Also, the Windows VM in the cloud and the CHR itself lose a lot of packets when pinging either a local IP in the customer's network or any internet IP (like 8.8.8.8).

When the EoIP tunnel is disabled or removed from the bridge, there is no packet loss whatsoever in the local network.

All these issues happen identically when using VXLAN instead of EoIP.

So far, I've tried L2TP, disabling the firewall, transporting the VLAN either tagged or untagged through the tunnel, checking out resource usage for bottlenecks, ARP config in bridge ports, RSTP config in bridge ports and the bridge itself, enabling promiscuous mode, setting the bridge port for the EoIP tunnel to "Edge: no", and more. Clearly, since it's also my first time with such a config, I must be missing something.

This is the local router export:
# nov/25/2022 12:34:39 by RouterOS 7.5
# software id = UMZW-92RU
#
# model = CCR1036-8G-2S+
# serial number = D8370FFBEB98
/interface bridge
add ingress-filtering=no name=TRUNK priority=0x1000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-GW1-LCR
set [ find default-name=ether2 ] name=ether2-GW2-MOV
set [ find default-name=ether3 ] name=ether3-GW3-MOV
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1 - TRK - SW1 - CORE" \
    speed=1Gbps
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2 - TRK - SW2 - CORE"
/interface pppoe-client
add disabled=no interface=ether2-GW2-MOV name=GW2-MOV user=\
    adslppp@telefonicanetpa
add disabled=no interface=ether3-GW3-MOV name=GW3-MOV user=\
    adslppp@telefonicanetpa
/interface ipip
add disabled=yes local-address=172.16.200.2 name=GW4-ipip-tunnel \
    remote-address=172.16.200.3
/interface eoip
add allow-fast-path=no local-address=MY-PUBLIC-IP-GW1 mac-address=\
    02:C6:A8:39:0E:FA mtu=1500 name=eoip-tunnel1 remote-address=CHR IP \
    tunnel-id=300
/interface vxlan
add mac-address=4A:2F:0A:E5:17:E3 mtu=1450 name=vxlan111 port=8472 vni=111
/interface vlan
add interface=ether1-GW1-LCR name=GW1-LCR vlan-id=20
add interface=TRUNK name=vlan-100-datos-secretaria vlan-id=100
add interface=TRUNK name=vlan-101-datos-colegio vlan-id=101
add interface=TRUNK name=vlan-102-datos-comunidad vlan-id=102
add interface=TRUNK name=vlan-103-datos-direccion vlan-id=103
add interface=TRUNK name=vlan-104-INFORMATICA vlan-id=104
add interface=TRUNK name=vlan-105-datos-alum2 vlan-id=105
add interface=TRUNK name=vlan-106-datos-alum3 vlan-id=106
add interface=TRUNK name=vlan-107-datos-alum4 vlan-id=107
add interface=TRUNK name=vlan-108-datos-alum5 vlan-id=108
add interface=TRUNK name=vlan-109-datos-alum6 vlan-id=109
add interface=TRUNK name=vlan-110-datos-alum7 vlan-id=110
add interface=TRUNK name=vlan-111-datos-megafonia vlan-id=111
add interface=TRUNK name=vlan-112-NETTINGHELP-PRUEBAS vlan-id=112
add interface=TRUNK name=vlan-113-datos-caldera10 vlan-id=113
add interface=TRUNK name=vlan-200-telefonia vlan-id=200
add interface=TRUNK name=vlan-300-wifi-Gestion vlan-id=300
add interface=TRUNK name=vlan-301-wifi2-PROFESORES vlan-id=301
add interface=TRUNK name=vlan-302-wifi3-ALUMNOS vlan-id=302
add interface=TRUNK name=vlan-303-wifi4-NODOCENTES vlan-id=303
add interface=TRUNK name=vlan-308-wifi9 vlan-id=308
add interface=TRUNK name=vlan-309-wifi-NettingHelp vlan-id=309
add interface=TRUNK name=vlan-400-telefonia vlan-id=400
add interface=TRUNK name=vlan-500-camara vlan-id=500
add interface=TRUNK name=vlan-600-impresoras vlan-id=600
add interface=TRUNK name=vlan-700-administracion vlan-id=700
/interface vrrp
add interface=vlan-100-datos-secretaria name=vrrp-vlan-100-datos-secretaria \
    priority=254 vrid=2
add interface=vlan-101-datos-colegio name=vrrp-vlan-101-datos-colegio \
    priority=254 vrid=3
add interface=vlan-102-datos-comunidad name=vrrp-vlan-102-datos-comunidad \
    priority=254 vrid=4
add interface=vlan-103-datos-direccion name=vrrp-vlan-103-datos-direccion \
    priority=254 vrid=5
add interface=vlan-104-INFORMATICA name=vrrp-vlan-104-INFORMATICA priority=\
    254 vrid=6
add interface=vlan-105-datos-alum2 name=vrrp-vlan-105-datos-alum2 priority=\
    254 vrid=7
add interface=vlan-106-datos-alum3 name=vrrp-vlan-106-datos-alum3 priority=\
    254 vrid=8
add interface=vlan-107-datos-alum4 name=vrrp-vlan-107-datos-alum4 priority=\
    254 vrid=9
add interface=vlan-108-datos-alum5 name=vrrp-vlan-108-datos-alum5 priority=\
    254 vrid=10
add interface=vlan-109-datos-alum6 name=vrrp-vlan-109-datos-alum6 priority=\
    254 vrid=11
add interface=vlan-110-datos-alum7 name=vrrp-vlan-110-datos-alum7 priority=\
    254 vrid=12
add interface=vlan-111-datos-megafonia name=vrrp-vlan-111-datos-megafonia \
    priority=254 vrid=13
add interface=vlan-112-NETTINGHELP-PRUEBAS name=\
    vrrp-vlan-112-NETTINGHELP-PRUEBAS priority=254 vrid=14
add interface=vlan-113-datos-caldera10 name=vrrp-vlan-113-datos-caldera10 \
    priority=254 vrid=15
add interface=vlan-200-telefonia name=vrrp-vlan-200-telefonia priority=254 \
    vrid=16
add interface=vlan-300-wifi-Gestion name=vrrp-vlan-300-wifi-Gestion priority=\
    254 vrid=17
add interface=vlan-301-wifi2-PROFESORES name=vrrp-vlan-301-PROFESORES \
    priority=254 vrid=18
add interface=vlan-302-wifi3-ALUMNOS name=vrrp-vlan-302-ALUMNOS priority=254 \
    vrid=19
add interface=vlan-303-wifi4-NODOCENTES name=vrrp-vlan-303-NODOCENTES \
    priority=254 vrid=20
add interface=vlan-308-wifi9 name=vrrp-vlan-308-wifi9 priority=254 vrid=21
add interface=vlan-309-wifi-NettingHelp name=vrrp-vlan-309-wifi-NettingHelp \
    priority=254 vrid=25
add interface=vlan-400-telefonia name=vrrp-vlan-400-telefonia priority=254 \
    vrid=22
add interface=vlan-500-camara name=vrrp-vlan-500-camara priority=254 vrid=23
add interface=vlan-600-impresoras name=vrrp-vlan-600-impresoras priority=254 \
    vrid=24
add interface=vlan-700-administracion name=vrrp-vlan-700-administracion \
    priority=254
/disk
set nvme1 disabled=no
set nvme1-part1 disabled=no name=NVMe
/interface list
add name=PUBLIC-GATEWAYS
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=3des name=\
    profile1
/ip ipsec peer
add address=CHR IP/32 disabled=yes local-address=MY-PUBLIC-IP-GW1 name=\
    peer1 profile=profile1
/ip ipsec proposal
add enc-algorithms=3des name=proposal1 pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.0.20-192.168.0.254
add name=dhcp_pool1 ranges=172.16.101.20-172.16.101.254
add name=dhcp_pool2 ranges=192.168.4.20-192.168.4.254
add name=dhcp_pool3 ranges=10.0.0.20-10.0.0.254
add name=dhcp_pool4 ranges=172.16.104.20-172.16.104.254
add name=dhcp_pool5 ranges=172.16.105.20-172.16.105.254
add name=dhcp_pool6 ranges=172.16.106.20-172.16.106.254
add name=dhcp_pool7 ranges=172.16.107.20-172.16.107.254
add name=dhcp_pool8 ranges=172.16.108.20-172.16.108.254
add name=dhcp_pool9 ranges=172.16.109.20-172.16.109.254
add name=dhcp_pool10 ranges=172.16.110.20-172.16.110.254
add name=dhcp_pool11 ranges=172.16.111.50-172.16.111.254
add name=dhcp_pool12 ranges=172.16.112.20-172.16.112.254
add name=dhcp_pool13 ranges=172.16.112.20-172.16.112.254
add name=dhcp_pool14 ranges=192.168.200.20-192.168.200.254
add name=dhcp_pool15 ranges=172.16.230.20-172.16.230.254
add name=dhcp_pool16 ranges=10.100.0.20-10.100.3.254
add name=dhcp_pool17 ranges=10.100.16.20-10.100.31.254
add name=dhcp_pool18 ranges=172.16.233.20-172.16.233.254
add name=dhcp_pool19 ranges=172.16.238.20-172.16.238.254
add name=dhcp_pool20 ranges=172.16.240.20-172.16.240.254
add name=dhcp_pool21 ranges=172.16.250.20-172.16.250.254
add name=dhcp_pool22 ranges=172.16.254.20-172.16.254.254
add name=dhcp_pool23 ranges=172.16.200.20-172.16.200.254
add name=dhcp_pool24 ranges=11.11.11.2-11.11.11.254
add name=dhcp_pool25 ranges=172.16.239.20-172.16.239.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vrrp-vlan-100-datos-secretaria \
    lease-time=1d name=dhcp-vrrp-vlan-100-datos-secretaria
add address-pool=dhcp_pool1 interface=vrrp-vlan-101-datos-colegio lease-time=\
    1d name=dhcp-vrrp-vlan-101-datos-colegio
add address-pool=dhcp_pool2 interface=vrrp-vlan-102-datos-comunidad \
    lease-time=1d name=dhcp-vrrp-vlan-102-datos-comunidad
add address-pool=dhcp_pool3 interface=vrrp-vlan-103-datos-direccion \
    lease-time=1d name=dhcp-vrrp-vlan-103-datos-direccion
add address-pool=dhcp_pool4 interface=vrrp-vlan-104-INFORMATICA lease-time=1d \
    name=dhcp-vrrp-vlan-104-datos-alum1
add address-pool=dhcp_pool5 interface=vrrp-vlan-105-datos-alum2 lease-time=1d \
    name=dhcp-vrrp-vlan-105-datos-alum2
add address-pool=dhcp_pool6 interface=vrrp-vlan-106-datos-alum3 lease-time=1d \
    name=dhcp-vrrp-vlan-106-datos-alum3
add address-pool=dhcp_pool7 interface=vrrp-vlan-107-datos-alum4 lease-time=1d \
    name=dhcp-vrrp-vlan-107-datos-alum4
add address-pool=dhcp_pool8 interface=vrrp-vlan-108-datos-alum5 lease-time=1d \
    name=dhcp-vrrp-vlan-108-datos-alum5
add address-pool=dhcp_pool9 interface=vrrp-vlan-109-datos-alum6 lease-time=1d \
    name=dhcp-vrrp-vlan-109-datos-alum6
add address-pool=dhcp_pool10 interface=vrrp-vlan-110-datos-alum7 lease-time=\
    1d name=dhcp-vrrp-vlan-110-datos-alum7
add address-pool=dhcp_pool11 interface=vrrp-vlan-111-datos-megafonia \
    lease-time=1d name=dhcp-vrrp-vlan-111-datos-alum8
add address-pool=dhcp_pool12 disabled=yes interface=\
    vrrp-vlan-112-NETTINGHELP-PRUEBAS lease-time=1d name=\
    dhcp-vrrp-vlan-112-datos-alum9
add address-pool=dhcp_pool13 interface=vrrp-vlan-113-datos-caldera10 \
    lease-time=1d name=dhcp-vrrp-vlan-113-datos-caldera10
add address-pool=dhcp_pool14 interface=vrrp-vlan-200-telefonia lease-time=1d \
    name=dhcp-vrrp-vlan-200-telefonia
add address-pool=dhcp_pool15 interface=vrrp-vlan-300-wifi-Gestion lease-time=\
    1d name=dhcp-vrrp-vlan-300-wifi-GESTION
add address-pool=dhcp_pool16 interface=vrrp-vlan-301-PROFESORES lease-time=1d \
    name=dhcp-vrrp-vlan-301-PROFESORES
add address-pool=dhcp_pool17 interface=vrrp-vlan-302-ALUMNOS lease-time=1d \
    name=dhcp-vrrp-vlan-302-ALUMNOS
add address-pool=dhcp_pool18 interface=vrrp-vlan-303-NODOCENTES lease-time=1d \
    name=dhcp-vrrp-vlan-303-NODECENTES
add address-pool=dhcp_pool19 interface=vrrp-vlan-308-wifi9 lease-time=1d \
    name=dhcp-vrrp-vlan-308-wifi9
add address-pool=dhcp_pool20 interface=vrrp-vlan-400-telefonia lease-time=1d \
    name=dhcp-vrrp-vlan-400-telefonia
add address-pool=dhcp_pool21 interface=vrrp-vlan-500-camara lease-time=1d \
    name=dhcp-vrrp-vlan-500-camara
add address-pool=dhcp_pool22 interface=vrrp-vlan-600-impresoras lease-time=1d \
    name=dhcp-vrrp-vlan-600-impresoras
add address-pool=dhcp_pool23 interface=vrrp-vlan-700-administracion \
    lease-time=1d name=dhcp-vrrp-vlan-700-administracion
add address-pool=dhcp_pool25 interface=vrrp-vlan-309-wifi-NettingHelp \
    lease-time=1d name=dhcpvrrp-vlan-309-wifi-NettingHelp
/port
set 0 name=serial0
set 1 name=serial1
/queue type
add kind=pcq name=QoS-bajada pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-limit=1000KiB pcq-src-address6-mask=64 \
    pcq-total-limit=560000000KiB
add kind=pcq name=QoS-subida pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-limit=1000KiB pcq-src-address6-mask=64 \
    pcq-total-limit=560000000KiB
/queue tree
add name=profesores-bajada packet-mark=profesores-bajada parent=global \
    priority=1 queue=QoS-bajada
add name=profesores-subida packet-mark=profesores-subida parent=global \
    priority=1 queue=QoS-subida
add name=alumnos-bajada packet-mark=alumnos-bajada parent=global priority=6 \
    queue=QoS-bajada
add name=alumnos-subida packet-mark=alumnos-subida parent=global priority=6 \
    queue=QoS-subida
add name=nodocentes-bajada packet-mark=nodocentes-bajada parent=global \
    priority=7 queue=QoS-bajada
add name=nodocentes-subida packet-mark=nodocentes-subida parent=global \
    priority=7 queue=QoS-subida
/routing table
add fib name=to_GW1
add fib name=to_GW2
add fib name=to_GW3
add fib name=to_GW4
add fib name=to_GRE
/interface vlan
add interface=*50 name=vlan700-administracion vlan-id=700
/dude
set data-directory=NVMe/dude enabled=yes
/interface bridge port
add bridge=TRUNK ingress-filtering=no interface=\
    "sfp-sfpplus2 - TRK - SW2 - CORE" priority=0x10
add bridge=TRUNK ingress-filtering=no interface=\
    "sfp-sfpplus1 - TRK - SW1 - CORE" priority=0x10
add bridge=TRUNK edge=no interface=eoip-tunnel1 internal-path-cost=1000 \
    path-cost=20 point-to-point=yes pvid=300
add bridge=TRUNK disabled=yes interface=vxlan111 pvid=300
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip settings
set accept-redirects=yes accept-source-route=yes max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=TRUNK tagged=\
    "sfp-sfpplus1 - TRK - SW1 - CORE,sfp-sfpplus2 - TRK - SW2 - CORE" \
    vlan-ids="100,101,102,103,104,105,106,107,108,109,110,111,112,113,200,301,\
    302,303,308,309,400,500,600,700"
add bridge=TRUNK tagged=\
    "sfp-sfpplus1 - TRK - SW1 - CORE,sfp-sfpplus2 - TRK - SW2 - CORE" \
    vlan-ids=300
/interface list member
add interface=GW1-LCR list=PUBLIC-GATEWAYS
add interface=GW2-MOV list=PUBLIC-GATEWAYS
add interface=GW3-MOV list=PUBLIC-GATEWAYS
/interface ovpn-server server
set auth=sha1,md5
/interface vxlan vteps
add interface=vxlan111 remote-ip=CHR IP
/ip address
add address=172.16.200.2/24 interface=vlan-700-administracion network=\
    172.16.200.0
add address=172.16.200.1/24 interface=vrrp-vlan-700-administracion network=\
    172.16.200.0
add address=192.168.0.2/24 interface=vlan-100-datos-secretaria network=\
    192.168.0.0
add address=172.16.101.2/24 interface=vlan-101-datos-colegio network=\
    172.16.101.0
add address=192.168.4.1/24 interface=vrrp-vlan-102-datos-comunidad network=\
    192.168.4.0
add address=172.16.104.2/24 interface=vlan-104-INFORMATICA network=\
    172.16.104.0
add address=172.16.105.2/24 interface=vlan-105-datos-alum2 network=\
    172.16.105.0
add address=172.16.106.2/24 interface=vlan-106-datos-alum3 network=\
    172.16.106.0
add address=172.16.107.2/24 interface=vlan-107-datos-alum4 network=\
    172.16.107.0
add address=172.16.108.2/24 interface=vlan-108-datos-alum5 network=\
    172.16.108.0
add address=172.16.109.2/24 interface=vlan-109-datos-alum6 network=\
    172.16.109.0
add address=172.16.230.2/24 interface=vlan-300-wifi-Gestion network=\
    172.16.230.0
add address=10.100.0.2/22 interface=vlan-301-wifi2-PROFESORES network=\
    10.100.0.0
add address=10.100.16.2/20 interface=vlan-302-wifi3-ALUMNOS network=\
    10.100.16.0
add address=172.16.233.2/24 interface=vlan-303-wifi4-NODOCENTES network=\
    172.16.233.0
add address=172.16.238.2/24 interface=vlan-308-wifi9 network=172.16.238.0
add address=192.168.200.1/24 interface=vrrp-vlan-200-telefonia network=\
    192.168.200.0
add address=172.16.250.2/24 interface=vlan-500-camara network=172.16.250.0
add address=172.16.254.2/24 interface=vlan-600-impresoras network=\
    172.16.254.0
add address=192.168.0.1/24 interface=vrrp-vlan-100-datos-secretaria network=\
    192.168.0.0
add address=192.168.200.2/24 interface=vlan-200-telefonia network=\
    192.168.200.0
add address=192.168.4.2/24 interface=vlan-102-datos-comunidad network=\
    192.168.4.0
add address=172.16.101.1/24 interface=vrrp-vlan-101-datos-colegio network=\
    172.16.101.0
add address=172.16.104.1/24 interface=vrrp-vlan-104-INFORMATICA network=\
    172.16.104.0
add address=172.16.105.1/24 interface=vrrp-vlan-105-datos-alum2 network=\
    172.16.105.0
add address=172.16.106.1/24 interface=vrrp-vlan-106-datos-alum3 network=\
    172.16.106.0
add address=172.16.107.1/24 interface=vrrp-vlan-107-datos-alum4 network=\
    172.16.107.0
add address=172.16.108.1/24 interface=vrrp-vlan-108-datos-alum5 network=\
    172.16.108.0
add address=172.16.109.1/24 interface=vrrp-vlan-109-datos-alum6 network=\
    172.16.109.0
add address=172.16.110.2/24 interface=vlan-110-datos-alum7 network=\
    172.16.110.0
add address=172.16.110.1/24 interface=vrrp-vlan-110-datos-alum7 network=\
    172.16.110.0
add address=172.16.111.1/24 interface=vrrp-vlan-111-datos-megafonia network=\
    172.16.111.0
add address=172.16.111.2/24 interface=vlan-111-datos-megafonia network=\
    172.16.111.0
add address=172.16.112.2/24 interface=vlan-112-NETTINGHELP-PRUEBAS network=\
    172.16.112.0
add address=172.16.112.1/24 interface=vrrp-vlan-112-NETTINGHELP-PRUEBAS \
    network=172.16.112.0
add address=192.168.2.2/24 interface=vlan-113-datos-caldera10 network=\
    192.168.2.0
add address=192.168.2.1/24 interface=vrrp-vlan-113-datos-caldera10 network=\
    192.168.2.0
add address=172.16.230.1/24 interface=vrrp-vlan-300-wifi-Gestion network=\
    172.16.230.0
add address=10.100.16.1/20 interface=vrrp-vlan-302-ALUMNOS network=\
    10.100.16.0
add address=172.16.233.1/24 interface=vrrp-vlan-303-NODOCENTES network=\
    172.16.233.0
add address=10.100.0.1/22 interface=vrrp-vlan-301-PROFESORES network=\
    10.100.0.0
add address=172.16.238.1/24 interface=vrrp-vlan-308-wifi9 network=\
    172.16.238.0
add address=172.16.250.1/24 interface=vrrp-vlan-500-camara network=\
    172.16.250.0
add address=172.16.254.1/24 interface=vrrp-vlan-600-impresoras network=\
    172.16.254.0
add address=172.16.240.1/24 interface=vrrp-vlan-400-telefonia network=\
    172.16.240.0
add address=172.16.240.2/24 interface=vlan-400-telefonia network=172.16.240.0
add address=10.0.0.2/24 interface=vlan-103-datos-direccion network=10.0.0.0
add address=10.0.0.1/24 interface=vrrp-vlan-103-datos-direccion network=\
    10.0.0.0
add address=10.99.99.1/30 interface=GW4-ipip-tunnel network=10.99.99.0
add address=172.16.239.1/24 interface=vrrp-vlan-309-wifi-NettingHelp network=\
    172.16.239.0
add address=172.16.239.2/24 interface=vlan-309-wifi-NettingHelp network=\
    172.16.239.0
/ip dhcp-client
add interface=GW1-LCR
add add-default-route=no interface=vxlan111
/ip dhcp-server lease
add address=172.16.254.254 client-id=1:70:5a:f:e:dc:c comment=\
    "HP LASERJET M604 SECRETARIA" mac-address=70:5A:0F:0E:DC:0C server=\
    dhcp-vrrp-vlan-600-impresoras
add address=172.16.200.200 client-id=1:34:17:eb:b9:e2:fd comment=FILESERVER \
    mac-address=34:17:EB:B9:E2:FD server=dhcp-vrrp-vlan-700-administracion
add address=172.16.254.253 client-id=1:0:20:6b:45:e5:7c comment=\
    "KM C300i SECRETARIA (escaner)" mac-address=00:20:6B:45:E5:7C server=\
    dhcp-vrrp-vlan-600-impresoras
add address=192.168.0.253 client-id=1:18:3:73:e1:60:7b comment="EQUIPO EVA" \
    mac-address=18:03:73:E1:60:7B server=dhcp-vrrp-vlan-100-datos-secretaria
add address=172.16.230.249 client-id=1:4c:b1:cd:36:50:a0 comment=\
    "Ruckus - Sotano - Pasillo Ballet - AGG01-ETH16" mac-address=\
    4C:B1:CD:36:50:A0 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.250.13 client-id=1:8c:e7:48:58:5d:f0 comment=\
    "VIDEOGRABADOR 3" mac-address=8C:E7:48:58:5D:F0 server=\
    dhcp-vrrp-vlan-500-camara
add address=172.16.250.11 client-id=1:c0:51:7e:37:37:e2 comment=\
    "VIDEOGRABADOR 1" mac-address=C0:51:7E:37:37:E2 server=\
    dhcp-vrrp-vlan-500-camara
add address=172.16.250.12 client-id=1:8c:e7:48:1a:6:b2 comment=\
    "VIDEOGRABADOR 2" mac-address=8C:E7:48:1A:06:B2 server=\
    dhcp-vrrp-vlan-500-camara
add address=10.100.0.28 client-id=1:a0:a4:c5:a1:6f:35 comment=\
    "LUIS NETTNGHELP" mac-address=A0:A4:C5:A1:6F:35 server=\
    dhcp-vrrp-vlan-301-PROFESORES
add address=172.16.230.239 client-id=1:70:ca:97:15:7e:50 comment=\
    "Ruckus - P4 Dcha - Pasillo entrada - AGG16-ETH13" mac-address=\
    70:CA:97:15:7E:50 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.232 client-id=1:2c:c5:d3:23:c8:c0 comment=\
    "Ruckus - P3 Dcha - Pasillo fondo - AGG15-ETH09" mac-address=\
    2C:C5:D3:23:C8:C0 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.228 client-id=1:2c:c5:d3:24:b2:f0 comment=\
    "Ruckus - P3 Dcha - Pasillo centro - AGG15-ETH11" mac-address=\
    2C:C5:D3:24:B2:F0 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.227 client-id=1:2c:c5:d3:24:82:90 comment=\
    "Ruckus - P3 Izda - Pasillo fondo - AGG07-ETH22" mac-address=\
    2C:C5:D3:24:82:90 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.226 client-id=1:2c:c5:d3:24:b2:10 comment=\
    "Ruckus - P2 Izda - Pasillo fondo - AGG06-ETH13" mac-address=\
    2C:C5:D3:24:B2:10 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.225 client-id=1:2c:c5:d3:24:b8:80 comment=\
    "Ruckus - P2 Izda - Pasillo entrada - AGG06-ETH11" mac-address=\
    2C:C5:D3:24:B8:80 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.200.8 client-id=1:e8:48:b8:9a:d2:52 comment=\
    "EQUIPO ADMINISTRACION" mac-address=E8:48:B8:9A:D2:52 server=\
    dhcp-vrrp-vlan-700-administracion
add address=172.16.230.212 client-id=1:2c:c5:d3:24:b9:30 comment=\
    "Ruckus - P2 Izda - Pasillo audiovisuales - AGG06-ETH05" mac-address=\
    2C:C5:D3:24:B9:30 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.106.5 client-id=1:0:1e:67:e7:a0:cd comment=\
    "SERVIDOR DOMINIO INFORMATICA4" mac-address=00:1E:67:E7:A0:CD server=\
    dhcp-vrrp-vlan-106-datos-alum3
add address=172.16.230.243 client-id=1:2c:c5:d3:24:bd:30 comment=\
    "Ruckus - P3 Dcha - Pasillo entrada - AGG15-ETH13" mac-address=\
    2C:C5:D3:24:BD:30 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.216 client-id=1:2c:c5:d3:24:b4:50 comment=\
    "Ruckus - P4 Izda - Aula anexa a tecnologia - AGG08-ETH07" mac-address=\
    2C:C5:D3:24:B4:50 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.217 client-id=1:2c:c5:d3:24:b2:20 comment=\
    "Ruckus - P0 Dcha - Pasillo fondo - AGG11-ETH01" mac-address=\
    2C:C5:D3:24:B2:20 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.219 client-id=1:2c:c5:d3:24:84:40 comment=\
    "Ruckus - P0 Izda - Pasillo entrada - AGG02-ETH09" mac-address=\
    2C:C5:D3:24:84:40 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.224 client-id=1:2c:c5:d3:24:b0:90 comment=\
    "Ruckus - P2 Dcha - Pasillo centro - AGG14-ETH09" mac-address=\
    2C:C5:D3:24:B0:90 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.222 client-id=1:2c:c5:d3:23:c7:60 comment=\
    "Ruckus - P1 Dcha - Pasillo centro - AGG12-ETH07" mac-address=\
    2C:C5:D3:23:C7:60 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.233 client-id=1:2c:c5:d3:24:84:60 comment=\
    "Ruckus - P4 Dcha - Pasillo fondo - AGG16-ETH09" mac-address=\
    2C:C5:D3:24:84:60 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.220 client-id=1:2c:c5:d3:24:82:80 comment=\
    "Ruckus - P0 Izda - Pasillo fondo - AGG03-ETH11" mac-address=\
    2C:C5:D3:24:82:80 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.240 client-id=1:2c:c5:d3:24:81:80 comment=\
    "Ruckus - P1 Izda - Sala Profesores - AGG05-ETH14" mac-address=\
    2C:C5:D3:24:81:80 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.238 client-id=1:2c:c5:d3:23:b9:c0 comment=\
    "Ruckus - P1 Dcha - Pasillo entrada - AGG12-ETH09" mac-address=\
    2C:C5:D3:23:B9:C0 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.242 client-id=1:2c:c5:d3:24:b3:b0 comment=\
    "Ruckus - P3 Izda - Pasillo informatica - AGG07-ETH07" mac-address=\
    2C:C5:D3:24:B3:B0 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.223 client-id=1:2c:c5:d3:24:bf:20 comment=\
    "Ruckus - P1 Dcha - Pasillo fondo - AGG12-ETH05" mac-address=\
    2C:C5:D3:24:BF:20 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.218 client-id=1:2c:c5:d3:24:be:80 comment=\
    "Ruckus - P0 Dcha - Pasillo centro - AGG11-ETH04" mac-address=\
    2C:C5:D3:24:BE:80 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.214 client-id=1:2c:c5:d3:24:bb:80 comment=\
    "Ruckus - P4 Izda - Pasillo centro - AGG08-ETH09" mac-address=\
    2C:C5:D3:24:BB:80 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.234 client-id=1:2c:c5:d3:24:b8:20 comment=\
    "Ruckus - P4 Dcha - Pasillo centro - AGG16-ETH11" mac-address=\
    2C:C5:D3:24:B8:20 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.247 client-id=1:2c:c5:d3:24:82:10 comment=\
    "Ruckus - P1 Izda - Secretaria Pasillo - AGG05-ETH12" mac-address=\
    2C:C5:D3:24:82:10 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.215 client-id=1:4c:b1:cd:36:47:30 comment=\
    "Ruckus - P4 Izda - Salida ascensor dcha - AGG08-ETH03" mac-address=\
    4C:B1:CD:36:47:30 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=10.100.0.31 client-id=1:d0:7e:35:aa:d2:af comment=\
    "PORTATIL EMILIO" mac-address=D0:7E:35:AA:D2:AF server=\
    dhcp-vrrp-vlan-301-PROFESORES
add address=172.16.230.209 client-id=1:70:ca:97:16:3b:d0 comment=\
    "Ruckus - Sotano - Pasillo mantenimiento - AGG01-ETH12" mac-address=\
    70:CA:97:16:3B:D0 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.205 client-id=1:b4:fb:e4:73:11:47 mac-address=\
    B4:FB:E4:73:11:47 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.204 client-id=1:b4:fb:e4:73:c:a4 mac-address=\
    B4:FB:E4:73:0C:A4 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.203 client-id=1:fc:ec:da:a0:49:bd mac-address=\
    FC:EC:DA:A0:49:BD server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.202 client-id=1:b4:fb:e4:f3:9b:51 mac-address=\
    B4:FB:E4:F3:9B:51 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.201 client-id=1:b4:fb:e4:f3:9d:c2 mac-address=\
    B4:FB:E4:F3:9D:C2 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.197 client-id=1:b4:fb:e4:f3:9a:ff mac-address=\
    B4:FB:E4:F3:9A:FF server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.196 client-id=1:b4:fb:e4:f3:39:1a mac-address=\
    B4:FB:E4:F3:39:1A server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.194 client-id=1:b4:fb:e4:f3:37:52 mac-address=\
    B4:FB:E4:F3:37:52 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.193 client-id=1:b4:fb:e4:f3:95:cb mac-address=\
    B4:FB:E4:F3:95:CB server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.8 client-id=1:f4:8e:38:8b:f2:5e comment=\
    "EQUIPO ADMINISTRACION" mac-address=F4:8E:38:8B:F2:5E server=\
    dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.198 client-id=1:b4:fb:e4:73:d:6f mac-address=\
    B4:FB:E4:73:0D:6F server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.191 client-id=1:70:ca:97:16:25:d0 comment=\
    "Ruckus - Salon de Actos - AGG10-ETH07" mac-address=70:CA:97:16:25:D0 \
    server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.101.53 client-id=1:3c:2a:f4:59:c:ab comment=\
    "iMPRESORA BROTHER HL-L2370DN DESPACHOS ORIENTACI\D3N" mac-address=\
    3C:2A:F4:59:0C:AB server=dhcp-vrrp-vlan-101-datos-colegio
add address=172.16.254.252 client-id=1:0:20:6b:f1:34:89 comment=\
    "KM B308 REPROGRAFIA" mac-address=00:20:6B:F1:34:89 server=\
    dhcp-vrrp-vlan-600-impresoras
add address=172.16.230.199 client-id=1:f0:9f:c2:30:30:99 mac-address=\
    F0:9F:C2:30:30:99 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.200 client-id=1:b4:fb:e4:f3:9b:6c mac-address=\
    B4:FB:E4:F3:9B:6C server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.195 client-id=1:b4:fb:e4:f3:37:7a mac-address=\
    B4:FB:E4:F3:37:7A server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=192.168.0.79 client-id=1:18:3:73:4a:8f:b9 comment="EQUIPO BLANCA" \
    mac-address=18:03:73:4A:8F:B9 server=dhcp-vrrp-vlan-100-datos-secretaria
add address=10.100.0.82 client-id=1:9e:fc:cb:d4:a6:72 comment=\
    "TABLET MEGAFONIA" mac-address=9E:FC:CB:D4:A6:72 server=\
    dhcp-vrrp-vlan-301-PROFESORES
add address=172.16.230.189 client-id=1:58:fb:96:2b:95:50 comment=\
    "Ruckus - Salon de Actos 2 - AGG10-ETH13" mac-address=58:FB:96:2B:95:50 \
    server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.254.8 client-id=1:50:3e:aa:11:c6:7d comment=\
    "equipo admin provisional" mac-address=50:3E:AA:11:C6:7D server=\
    dhcp-vrrp-vlan-600-impresoras
add address=172.16.254.251 client-id=1:3c:2a:f4:59:c:ab comment=\
    "IMPRESORA BROTHER ORIENTACION" mac-address=3C:2A:F4:59:0C:AB server=\
    dhcp-vrrp-vlan-600-impresoras
add address=172.16.101.77 client-id=1:b8:6b:23:b9:28:b6 comment=\
    "PORTATIL EMILIO" mac-address=B8:6B:23:B9:28:B6 server=\
    dhcp-vrrp-vlan-101-datos-colegio
add address=10.100.2.67 client-id=1:e4:2:9b:98:86:95 comment=\
    "ERNESTO MEGAFONIA" mac-address=E4:02:9B:98:86:95 server=\
    dhcp-vrrp-vlan-301-PROFESORES
add address=172.16.101.24 client-id=1:34:17:eb:a4:6c:46 comment=\
    "AZAHARA POLIDEP" mac-address=34:17:EB:A4:6C:46 server=\
    dhcp-vrrp-vlan-101-datos-colegio
add address=172.16.230.187 client-id=1:18:e8:29:e0:b0:90 comment=\
    "Unifi - AGG17-ETH17 - Polideportivo - Oficinas" mac-address=\
    18:E8:29:E0:B0:90 server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.186 client-id=1:b4:fb:e4:f3:38:2d comment=\
    "Unifi - AGG17-ETH22 - Polideportivo - Gradas" mac-address=\
    B4:FB:E4:F3:38:2D server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.185 client-id=1:b4:fb:e4:13:63:44 comment=\
    "Unifi - AGG17-ETH24 - Pistas" mac-address=B4:FB:E4:13:63:44 server=\
    dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.184 client-id=1:18:e8:29:36:84:aa comment=\
    "Unifi - AGG18-ETH02 - Infantil Oficina" mac-address=18:E8:29:36:84:AA \
    server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=172.16.230.183 client-id=1:18:e8:29:36:71:52 comment=\
    "Unifi - AGG18-ETH03 - Infantil Hall" mac-address=18:E8:29:36:71:52 \
    server=dhcp-vrrp-vlan-300-wifi-GESTION
add address=10.100.1.45 client-id=1:f8:94:c2:95:15:4b comment=\
    "DAVID NETTINGHELP" mac-address=F8:94:C2:95:15:4B server=\
    dhcp-vrrp-vlan-301-PROFESORES
add address=192.168.4.70 client-id=1:f8:94:c2:95:15:4b comment=\
    "DAVID NETTINGHELP" mac-address=F8:94:C2:95:15:4B server=\
    dhcp-vrrp-vlan-102-datos-comunidad
add address=10.100.0.40 client-id=1:54:b8:a:7c:76:f4 comment=\
    "te voy a encontrar" mac-address=54:B8:0A:7C:76:F4 server=\
    dhcp-vrrp-vlan-301-PROFESORES
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.0.1
add address=10.100.0.0/22 dns-server=8.8.8.8,8.8.4.4 gateway=10.100.0.1
add address=10.100.16.0/20 dns-server=8.8.8.8,8.8.4.4 gateway=10.100.16.1
add address=172.16.101.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.101.1
add address=172.16.104.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.104.1
add address=172.16.105.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.105.1
add address=172.16.106.0/24 dns-server=172.16.106.5,8.8.8.8 gateway=\
    172.16.106.1
add address=172.16.107.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.107.1
add address=172.16.108.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.108.1
add address=172.16.109.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.109.1
add address=172.16.110.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.110.1
add address=172.16.111.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.111.1
add address=172.16.112.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.112.1
add address=172.16.200.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.200.1
add address=172.16.230.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.230.1
add address=172.16.233.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.233.1
add address=172.16.238.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.238.1
add address=172.16.239.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.239.1
add address=172.16.240.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.240.1
add address=172.16.250.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.250.1
add address=172.16.254.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.254.1
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1
add address=192.168.200.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.200.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list

add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    _need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons

add address=210.173.216.40 comment="IPS PARA SUMINISTROS RICOH" disabled=yes \
    list=Ricoh
add address=210.173.216.59 disabled=yes list=Ricoh
add address=210.173.216.47 disabled=yes list=Ricoh
add address=210.173.216.60 disabled=yes list=Ricoh
add address=210.173.216.43 disabled=yes list=Ricoh
add address=210.173.216.142 disabled=yes list=Ricoh

/ip firewall filter
add action=drop chain=forward src-address=10.100.0.40
add action=drop chain=forward dst-address=10.100.0.40
add action=accept chain=forward dst-port=67,68 protocol=udp
add action=accept chain=input protocol=gre
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    src-address-list=!bogons tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1 src-address-list=!bogons
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
    yes jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=forward comment="Enable de support a  Boggons #" \
    connection-state=established,related,new dst-address-list=bogons \
    src-address-list=support
add action=accept chain=input comment="Enable VRRP" protocol=vrrp
add action=accept chain=forward comment="ACCESO FILESERVER" dst-address=\
    172.16.200.200 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=172.16.200.200 src-address=\
    10.0.0.0/24
add action=accept chain=forward dst-address=172.16.200.200 src-address=\
    172.16.254.253
add action=accept chain=forward dst-address=172.16.200.200 src-address=\
    172.16.101.0/24
add action=accept chain=forward comment="SECRETARIA - IMPRESORAS" \
    dst-address=192.168.0.0/24 src-address=172.16.254.0/24
add action=accept chain=forward dst-address=172.16.254.0/24 src-address=\
    192.168.0.0/24
add action=accept chain=forward comment="DATOS COLEGIO - IMPRESORAS" \
    dst-address=172.16.254.0/24 src-address=172.16.101.0/24
add action=accept chain=forward dst-address=172.16.101.0/24 src-address=\
    172.16.254.0/24
add action=accept chain=forward comment="EMILIO - MEGAFONIA" dst-address=\
    172.16.111.0/24 src-address=10.100.0.31
add action=accept chain=forward dst-address=10.100.0.31 src-address=\
    172.16.111.0/24
add action=accept chain=forward dst-address=172.16.111.0/24 src-address=\
    10.100.0.82
add action=accept chain=forward dst-address=10.100.0.82 src-address=\
    172.16.111.0/24
add action=accept chain=forward dst-address=172.16.111.0/24 src-address=\
    172.16.101.77
add action=accept chain=forward dst-address=172.16.101.77 src-address=\
    172.16.111.0/24
add action=accept chain=forward dst-address=172.16.111.0/24 src-address=\
    10.100.2.67
add action=accept chain=forward dst-address=10.100.2.67 src-address=\
    172.16.111.0/24
add action=accept chain=forward comment="DIRECCION - IMPRESORAS" dst-address=\
    10.0.0.0/24 src-address=172.16.254.0/24
add action=accept chain=forward dst-address=172.16.254.0/24 src-address=\
    10.0.0.0/24
add action=accept chain=forward comment="TORNOS - AZAHARA" dst-address=\
    172.16.250.18 src-address=172.16.101.24
add action=accept chain=forward dst-address=172.16.101.24 src-address=\
    172.16.250.18
add action=drop chain=forward comment="Drop Boggons # DO NOT ENABLE THIS RULE \
    BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" dst-address-list=\
    bogons src-address-list=bogons
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
    src-address-list=!support
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    disabled=yes icmp-options=8:0 limit=100,200:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=yes icmp-options=\
    0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes \
    icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=yes \
    icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 \
    protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
    protocol=icmp
/ip firewall mangle
add action=mark-connection chain=input in-interface=GW1-LCR \
    new-connection-mark=from_GW1 passthrough=yes
add action=mark-connection chain=input in-interface=GW2-MOV \
    new-connection-mark=from_GW2 passthrough=yes
add action=mark-connection chain=input in-interface=GW3-MOV \
    new-connection-mark=from_GW3 passthrough=yes
add action=mark-connection chain=input in-interface=GW4-ipip-tunnel \
    new-connection-mark=from_GRE passthrough=yes
add action=mark-routing chain=output connection-mark=from_GW1 \
    new-routing-mark=to_GW1 passthrough=yes
add action=mark-routing chain=output connection-mark=from_GW2 \
    new-routing-mark=to_GW2 passthrough=yes
add action=mark-routing chain=output connection-mark=from_GW3 \
    new-routing-mark=to_GW3 passthrough=yes
add action=mark-routing chain=output connection-mark=from_GW4 \
    new-routing-mark=to_GW4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from_GRE \
    new-routing-mark=to_GRE passthrough=yes
add action=mark-connection chain=forward in-interface=GW1-LCR \
    new-connection-mark=from_GW1 passthrough=yes
add action=mark-connection chain=forward in-interface=GW2-MOV \
    new-connection-mark=from_GW2 passthrough=yes
add action=mark-connection chain=forward in-interface=GW3-MOV \
    new-connection-mark=from_GW3 passthrough=yes
add action=mark-connection chain=forward in-interface=GW4-ipip-tunnel \
    new-connection-mark=from_GRE passthrough=yes
add action=mark-connection chain=prerouting comment="PCC alumnos" \
    dst-address-list=!bogons in-interface=vrrp-vlan-302-ALUMNOS \
    new-connection-mark=from_GW1 passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting dst-address-list=!bogons \
    in-interface=vrrp-vlan-302-ALUMNOS new-connection-mark=from_GW2 \
    passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting dst-address-list=!bogons \
    in-interface=vrrp-vlan-302-ALUMNOS new-connection-mark=from_GW3 \
    passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=from_GW1 \
    dst-address-list=!bogons in-interface=vrrp-vlan-302-ALUMNOS \
    new-routing-mark=to_GW1 passthrough=no per-connection-classifier=\
    both-addresses:3/0
add action=mark-routing chain=prerouting connection-mark=from_GW2 \
    dst-address-list=!bogons in-interface=vrrp-vlan-302-ALUMNOS \
    new-routing-mark=to_GW2 passthrough=no per-connection-classifier=\
    both-addresses:3/1
add action=mark-routing chain=prerouting connection-mark=from_GW3 \
    dst-address-list=!bogons in-interface=vrrp-vlan-302-ALUMNOS \
    new-routing-mark=to_GW3 passthrough=no per-connection-classifier=\
    both-addresses:3/2
add action=mark-connection chain=prerouting comment="PCC profesores" \
    dst-address-list=!bogons in-interface=vrrp-vlan-301-PROFESORES \
    new-connection-mark=from_GW1 passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting dst-address-list=!bogons \
    in-interface=vrrp-vlan-301-PROFESORES new-connection-mark=from_GW2 \
    passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting dst-address-list=!bogons \
    in-interface=vrrp-vlan-301-PROFESORES new-connection-mark=from_GW3 \
    passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=from_GW1 \
    dst-address-list=!bogons in-interface=vrrp-vlan-301-PROFESORES \
    new-routing-mark=to_GW1 passthrough=no per-connection-classifier=\
    both-addresses:3/0
add action=mark-routing chain=prerouting connection-mark=from_GW2 \
    dst-address-list=!bogons in-interface=vrrp-vlan-301-PROFESORES \
    new-routing-mark=to_GW2 passthrough=no per-connection-classifier=\
    both-addresses:3/1
add action=mark-routing chain=prerouting connection-mark=from_GW3 \
    dst-address-list=!bogons in-interface=vrrp-vlan-301-PROFESORES \
    new-routing-mark=to_GW3 passthrough=no per-connection-classifier=\
    both-addresses:3/2
add action=mark-connection chain=prerouting comment="PCC no docentes" \
    dst-address-list=!bogons in-interface=vrrp-vlan-303-NODOCENTES \
    new-connection-mark=from_GW1 passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting dst-address-list=!bogons \
    in-interface=vrrp-vlan-303-NODOCENTES new-connection-mark=from_GW2 \
    passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting dst-address-list=!bogons \
    in-interface=vrrp-vlan-303-NODOCENTES new-connection-mark=from_GW3 \
    passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=from_GW1 \
    dst-address-list=!bogons in-interface=vrrp-vlan-303-NODOCENTES \
    new-routing-mark=to_GW1 passthrough=no per-connection-classifier=\
    both-addresses:3/0
add action=mark-routing chain=prerouting connection-mark=from_GW2 \
    dst-address-list=!bogons in-interface=vrrp-vlan-303-NODOCENTES \
    new-routing-mark=to_GW2 passthrough=no per-connection-classifier=\
    both-addresses:3/1
add action=mark-routing chain=prerouting connection-mark=from_GW3 \
    dst-address-list=!bogons in-interface=vrrp-vlan-303-NODOCENTES \
    new-routing-mark=to_GW3 passthrough=no per-connection-classifier=\
    both-addresses:3/2
add action=mark-routing chain=prerouting comment="Administraci\F3n" \
    dst-address-list=!bogons in-interface=vrrp-vlan-700-administracion \
    new-routing-mark=to_GW1 passthrough=yes
add action=mark-routing chain=prerouting comment="WiFi Gesti\F3n" disabled=\
    yes dst-address-list=!bogons in-interface=vlan-300-wifi-Gestion \
    new-routing-mark=to_GW1 passthrough=yes
add action=mark-routing chain=prerouting comment=SECREATARIA disabled=yes \
    dst-address-list=!bogons new-routing-mark=to_GW1 passthrough=yes \
    src-address=192.168.0.80
add action=mark-routing chain=prerouting comment="DATOS COLEGIO" disabled=yes \
    dst-address-list=!bogons in-interface=vrrp-vlan-101-datos-colegio \
    new-routing-mark=to_GW2 passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.50.0/24 src-address=\
    172.16.230.0/24
add action=masquerade chain=srcnat out-interface=GW1-LCR
add action=masquerade chain=srcnat out-interface=GW2-MOV
add action=masquerade chain=srcnat out-interface=GW3-MOV
add action=dst-nat chain=dstnat comment="RDP EQUIPO ADMINISTRACION" dst-port=\
    3390 protocol=tcp src-address-list=support to-addresses=172.16.200.5 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="ZONE DIRECTOR" dst-port=443 \
    in-interface-list=PUBLIC-GATEWAYS protocol=tcp src-address-list=support \
    to-addresses=172.16.230.5 to-ports=443
add action=dst-nat chain=dstnat comment="UNIFI MANAGER" dst-port=8443 \
    in-interface-list=PUBLIC-GATEWAYS protocol=tcp src-address-list=support \
    to-addresses=172.16.230.8 to-ports=8443
add action=dst-nat chain=dstnat comment="TORNOS POLIDEPORTIVO" dst-port=55789 \
    protocol=tcp to-addresses=172.16.250.18 to-ports=55789
add action=dst-nat chain=dstnat dst-port=873 protocol=tcp to-addresses=\
    172.16.250.18 to-ports=873
add action=dst-nat chain=dstnat dst-port=53007 protocol=tcp to-addresses=\
    172.16.250.18 to-ports=53007
add action=dst-nat chain=dstnat dst-port=8008 protocol=tcp to-addresses=\
    172.16.250.18 to-ports=8008
add action=dst-nat chain=dstnat dst-port=55712 protocol=tcp to-addresses=\
    172.16.250.18 to-ports=55712
add action=dst-nat chain=dstnat dst-port=43 protocol=tcp to-addresses=\
    172.16.250.18 to-ports=43
add action=dst-nat chain=dstnat dst-port=55788 protocol=tcp to-addresses=\
    172.16.250.18 to-ports=55788
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add disabled=yes peer=peer1 proposal=proposal1 tunnel=yes
add disabled=yes dst-address=10.0.50.0/24 peer=peer1 src-address=\
    172.16.230.0/24 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=GW1-LCR pref-src="" \
    routing-table=to_GW1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=GW2-MOV pref-src="" \
    routing-table=to_GW1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=GW3-MOV pref-src="" \
    routing-table=to_GW1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=GW2-MOV pref-src="" \
    routing-table=to_GW2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=GW3-MOV pref-src="" \
    routing-table=to_GW2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=GW1-LCR pref-src="" \
    routing-table=to_GW2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=GW3-MOV pref-src="" \
    routing-table=to_GW3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=GW1-LCR pref-src="" \
    routing-table=to_GW3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=GW2-MOV pref-src="" \
    routing-table=to_GW3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=GW4-ipip-tunnel \
    pref-src="" routing-table=to_GRE scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=GW2-MOV
add disabled=no distance=15 dst-address=0.0.0.0/0 gateway=GW3-MOV
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=GW4-ipip-tunnel \
    pref-src="" routing-table=to_GW1 scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=GW4-ipip-tunnel \
    pref-src="" routing-table=to_GW2 scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=GW4-ipip-tunnel \
    pref-src="" routing-table=to_GW3 scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=GW1-LCR pref-src="" \
    routing-table=to_GRE scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=GW2-MOV pref-src="" \
    routing-table=to_GRE scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=GW3-MOV pref-src="" \
    routing-table=to_GRE scope=30 suppress-hw-offload=no target-scope=10
/radius
add address=RADIUS SERVER IP service=ppp,login
add address=RADIUS SERVER IP service=login
/radius incoming
set accept=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=R1-CSA
/system ntp client
set mode=broadcast
/user aaa
set use-radius=yes
And this is the CHR export:
# nov/25/2022 11:59:18 by RouterOS 7.5
# software id = 
#
/interface bridge
add ingress-filtering=no name=bridge1 priority=0x1500 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-GW1
set [ find default-name=ether2 ] disable-running-check=no name=ether2-LAN
/interface eoip
add allow-fast-path=no local-address=185.165.0.48 mac-address=\
    02:33:4C:8F:39:16 mtu=1500 name=eoip-tunnel1 remote-address=\
    188.227.129.179 tunnel-id=300
/interface vxlan
add mac-address=22:83:87:76:0F:FF name=vxlan111 port=8472 vni=111
/interface vlan
add interface=bridge1 name=vlan300 vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=3des name=\
    profile1
/ip ipsec peer
add address=188.227.129.179/32 disabled=yes local-address=185.165.0.48 name=\
    peer1 profile=profile1 send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=3des name=proposal1 pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.0.50.20-10.0.50.254
add name=dhcp_pool1 ranges=10.10.111.2-10.10.111.254
add name=dhcp_pool2 ranges=10.10.222.2-10.10.222.254
add name=dhcp_pool3 ranges=10.123.123.2-10.123.123.254
add name=dhcp_pool4 ranges=10.123.123.2-10.123.123.254
add name=dhcp_pool5 ranges=\
    172.16.230.1-172.16.230.72,172.16.230.74-172.16.230.254
add name=dhcp_pool6 ranges=0.0.0.2-255.255.255.254
add name=dhcp_pool7 ranges=172.16.230.20-172.16.230.254
add name=dhcp_pool8 ranges=172.16.230.2-172.16.230.254
add name=dhcp_pool9 ranges=10.0.50.20-10.0.50.254
/ip dhcp-server
add address-pool=dhcp_pool9 disabled=yes interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add area-id=185.165.0.48 disabled=no instance=ospf-instance-1 name=\
    ospf-area-1
/interface bridge port
add bridge=bridge1 interface=ether2-LAN path-cost=20
add bridge=bridge1 edge=no interface=eoip-tunnel1 point-to-point=yes \
    priority=0x10
add bridge=bridge1 disabled=yes interface=vxlan111
/interface vxlan vteps
add interface=vxlan111 remote-ip=MY-PUBLIC-IP-GW1
/ip address
add address=PUBLIC-CHR-IP interface=ether1-GW1 network=
add address=10.0.50.1/24 disabled=yes interface=bridge1 network=10.0.50.0
/ip dhcp-client
add add-default-route=no interface=bridge1
/ip dhcp-relay
add dhcp-server=172.16.230.1 disabled=no interface=bridge1 name=relay1
/ip dhcp-server network
add gateway=0.0.0.1
add address=10.0.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.50.1
add address=10.10.111.0/24 gateway=10.10.111.1
add address=10.10.222.0/24 gateway=10.10.222.1
add address=10.123.123.0/24 dns-server=8.8.8.8 gateway=10.123.123.1
add address=172.16.230.0/24 dns-server=8.8.8.8 gateway=172.16.230.1

/ip firewall filter
add action=accept chain=input src-address-list=SUPPORT
add action=drop chain=input disabled=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.230.0/24 src-address=\
    10.0.50.0/24
add action=masquerade chain=srcnat out-interface=ether1-GW1
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add disabled=yes dst-address=172.16.230.0/24 peer=peer1 src-address=\
    185.165.0.48/32 tunnel=yes
add disabled=yes dst-address=172.16.200.0/24 peer=peer1 src-address=\
    185.165.0.48/32 tunnel=yes
add disabled=yes peer=peer1 tunnel=yes
add disabled=yes dst-address=172.16.230.0/24 peer=peer1 src-address=\
    10.0.50.0/24 tunnel=yes
/ip route
add disabled=yes
add dst-address=0.0.0.0/0 gateway=

/radius
add address=185.165.0.14 service=login
/radius incoming
set accept=yes
/routing ospf interface-template
add area=ospf-area-1 cost=20 disabled=no interfaces=eoip-tunnel1 networks=\
    172.16.230.0/24
/system identity
set name=
/system logging
add topics=l2tp
add topics=ipsec
/tool sniffer
set filter-interface=ether2-LAN
/user aaa
set use-radius=yes
Note that, for security reasons, I have removed the /ip services part and the "support" address list to avoid publishing our public IPs.

Thank you in advance,
Luis
 
User avatar
NettingHelp
just joined
Topic Author
Posts: 3
Joined: Wed May 18, 2022 11:31 am

Re: Packet loss in VLAN when enabling EoIP tunnel

Thu Jan 26, 2023 1:47 pm

Hi again,

Can someone help me out with this, please?

Thanks!
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Packet loss in VLAN when enabling EoIP tunnel

Thu Jan 26, 2023 2:55 pm

I suspect that the L2 tunnel is just triggering an underlying issue.

The VRRP configuration is incorrect - the VRRP interface should have a /32 netmask with services bound to the main (not VRRP) interface, DHCP pools on the main and backup routers should not overlap as there is no lease synchronisation. Firewall rules may need modifying to handle connections flagged as invalid caused by ingress and egress being split across the primary and VRRP interfaces.

Additionally:
Bridge priorities should have the 12 least-significant bits set to zero, so 0x0000, 0x1000, 0x2000 ... 0xf000.
The use-ip-firewall-for-vlan=yes has specific use cases as described in the documentation and is usually unlikely to be necessary, it also has no effect unless use-ip-firewall=yes too.
Transporting internal LANs across the public internet without encryption is not a good idea.
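
A way to check an /export for the points in the reply above, as an added example that is not code from this thread, from MikroTik or from RouterOS: a small Python linter that undoes the backslash line wrapping of an export, parses each add/set line into key=value pairs, and flags a bridge priority whose low 12 bits are not zero, an address on a vrrp-* interface that is not a /32, a DHCP server bound to a vrrp-* interface, overlapping /ip pool ranges, and an EoIP tunnel without an ipsec-secret. The two export fragments are constructed for this example (public addresses are from the RFC 5737 documentation ranges, CHANGE-ME is a placeholder secret) and the wording of the findings is this example's own, not a RouterOS diagnostic.

```python
"""Lint a RouterOS /export for the VRRP, bridge-priority, DHCP-pool and
EoIP-encryption points discussed in the thread.

Added example, not code from the thread or from MikroTik. The two export
fragments below are constructed; check names are this example's own.
"""
import ipaddress
import shlex

# Constructed: a trimmed export carrying the mistakes the reply describes.
BAD_EXPORT = r"""
/interface bridge
add name=bridge1 priority=0x1500 vlan-filtering=yes
/interface eoip
add local-address=198.51.100.48 name=eoip-tunnel1 remote-address=\
    203.0.113.179 tunnel-id=300
/ip address
add address=172.16.230.2/24 interface=vlan-300-wifi-Gestion
add address=172.16.230.1/24 interface=vrrp-vlan-300-wifi-GESTION
/ip pool
add name=pool-a ranges=172.16.230.20-172.16.230.254
add name=pool-b ranges=172.16.230.100-172.16.230.200
/ip dhcp-server
add address-pool=pool-a interface=vrrp-vlan-300-wifi-GESTION name=dhcp-vrrp
"""

# Constructed: the same fragment with each point corrected (CHANGE-ME is a placeholder).
GOOD_EXPORT = r"""
/interface bridge
add name=bridge1 priority=0x1000 vlan-filtering=yes
/interface eoip
add ipsec-secret=CHANGE-ME local-address=198.51.100.48 name=eoip-tunnel1 \
    remote-address=203.0.113.179 tunnel-id=300
/ip address
add address=172.16.230.2/24 interface=vlan-300-wifi-Gestion
add address=172.16.230.1/32 interface=vrrp-vlan-300-wifi-GESTION
/ip pool
add name=pool-a ranges=172.16.230.20-172.16.230.127
add name=pool-b ranges=172.16.230.128-172.16.230.254
/ip dhcp-server
add address-pool=pool-a interface=vlan-300-wifi-Gestion name=dhcp-wifi
"""


def _join_continuations(text):
    """Undo the backslash-newline wrapping that /export applies to long lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        lines.append(buf + piece)
        buf = ""
    return lines


def parse_export(text):
    """Return [(section, command, {key: value})] for every add/set line."""
    entries, section = [], ""
    for line in _join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = shlex.split(line)
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((section, tokens[0], kv))
    return entries


def _pool_ranges(value):
    """'a-b,c-d' -> [(int a, int b), ...]; a bare address is a one-host range."""
    out = []
    for part in value.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))))
    return out


def lint(text):
    """Return human-readable findings; an empty list means every check passed."""
    findings, pools = [], []
    for section, _cmd, kv in parse_export(text):
        name = kv.get("name", "?")
        iface = kv.get("interface", "")
        if section == "/interface bridge" and "priority" in kv:
            # STP priority uses the top 4 bits only; the low 12 bits must be zero
            if int(kv["priority"], 16) & 0xFFF:
                findings.append(f"bridge {name}: priority {kv['priority']} is not a multiple of 0x1000")
        elif section == "/ip address" and iface.startswith("vrrp"):
            # the VRRP interface carries only the virtual IP, as a /32
            if ipaddress.ip_interface(kv["address"]).network.prefixlen != 32:
                findings.append(f"address {kv['address']} on {iface} should be a /32")
        elif section == "/ip dhcp-server" and iface.startswith("vrrp"):
            findings.append(f"dhcp-server {name}: bind to the main interface, not {iface}")
        elif section == "/interface eoip" and "ipsec-secret" not in kv:
            findings.append(f"eoip {name}: no ipsec-secret, LAN frames cross the internet in clear")
        elif section == "/ip pool" and "ranges" in kv:
            pools.append((name, _pool_ranges(kv["ranges"])))
    # leases are not synchronised between VRRP peers, so pools must not overlap
    for i, (name_a, ranges_a) in enumerate(pools):
        for name_b, ranges_b in pools[i + 1:]:
            if any(lo_a <= hi_b and lo_b <= hi_a
                   for lo_a, hi_a in ranges_a for lo_b, hi_b in ranges_b):
                findings.append(f"pool {name_a} overlaps pool {name_b}")
    return findings


if __name__ == "__main__":
    for finding in lint(BAD_EXPORT):
        print(finding)
    print("corrected export:", lint(GOOD_EXPORT) or "no findings")
```

Feed it the concatenated exports of the master and backup router to catch pools that overlap across the VRRP pair rather than within one box. Setting ipsec-secret on the EoIP interface is the one-line fix for the last point: RouterOS then wraps the tunnel in IPsec with that pre-shared key, at the cost of fast path for that interface.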
