igoldstein
newbie
Topic Author
Posts: 25
Joined: Thu Dec 08, 2022 8:02 pm

I can't use WAN2 - what am I doing wrong?

Thu Dec 08, 2022 8:05 pm

Hi All,

We have a MikroTik router RB3011UiAS (arm), firmware v6.49.7, deployed and provisioned.

Attached is my running configuration.

I'd like it so that when Netwatch sees the ping is down, it runs the DOWN script; the DOWN script moves traffic to the backup ISP connected to the router on ETH2/WAN2.

My problem is that we lose internet from the network; it seems it is not using ETH2/WAN2.

We have plugged the cable into a laptop and programmed the laptop with the IP info as we provisioned for ETH2/WAN2, and on the laptop it worked fine,
so I know the ISP2 connection is working fine.


# dec/08/2022 16:55:33 by RouterOS 6.49.7
# software id = EN0R-I5MX
#
# model = RouterBOARD 3011UiAS
# serial number = B00A0AA00000
/interface bridge
add name=LAN
/interface ethernet
set [ find default-name=ether1 ] name="WAN1 ETH1"
set [ find default-name=ether2 ] name="WAN2 ETH2"
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.15.30-192.168.15.199
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN lease-time=3d name=\
    dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
add bridge=LAN interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="WAN1 ETH1" list=WAN
add interface="WAN2 ETH2" list=WAN
/ip address
add address=10.14.200.100/24 interface="WAN1 ETH1" network=10.14.200.0
add address=192.168.15.1/24 interface=LAN network=192.168.15.0
add address=19.50.40.214/29 interface="WAN2 ETH2" network=19.50.40.208
/ip dhcp-client
add default-route-distance=50 disabled=no interface="WAN2 ETH2" use-peer-dns=\
    no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=\
    192.168.15.1 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,4.2.2.1
/ip firewall address-list
add address=0.0.0.0/8 list="Blocked IP"
add address=127.0.0.0/8 list="Blocked IP"
add address=224.0.0.0/3 list="Blocked IP"
/ip firewall filter
add action=accept chain=input comment="MikroTik - Winbox Access" dst-port=\
    8291 protocol=tcp src-address-list=my_access
add action=accept chain=input comment="MikroTik - SSH Access" dst-port=7122 \
    protocol=tcp src-address-list=my_access
add action=accept chain=input dst-port=161 protocol=udp src-address-list=\
    my_access
add action=reject chain=forward comment="tcp reset" disabled=yes protocol=tcp \
    reject-with=tcp-reset
add action=drop chain=output dst-address=8.8.4.4 out-interface="!WAN1 ETH1" \
    protocol=icmp
add action=drop chain=output dst-address=1.1.1.2 out-interface="!WAN2 ETH2" \
    protocol=icmp
add action=drop chain=input comment="Dropp blocked IP" src-address-list=\
    "port scanners"
add action=drop chain=input comment="Drop port scanners" src-address-list=\
    "port scanners"
add action=drop chain=forward comment="Drop port scanners" src-address-list=\
    "port scanners"
add action=drop chain=input comment="Dropp blocked IP" src-address-list=\
    "Blocked IP"
add action=accept chain=input comment="ICMP" protocol=icmp \
    src-address-list=my_access
add action=accept chain=input comment="Monitoring" protocol=icmp \
    src-address-list=my_monitoring
add action=accept chain=input comment="input established WAN" \
    connection-state=established in-interface-list=WAN
add action=accept chain=input comment="input related WAN" connection-state=\
    related in-interface-list=WAN
add action=accept chain=forward comment="forward established WAN" \
    connection-state=established in-interface-list=WAN
add action=accept chain=forward comment="forward related WAN" \
    connection-state=related in-interface-list=WAN
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="NMAP NULL scan" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment=Winbox disabled=yes dst-port=8000 \
    protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=6122 \
    protocol=tcp
add action=drop chain=forward disabled=yes dst-address-list=!my_host \
    dst-port=80,443 out-interface="WAN1 ETH1" protocol=tcp src-address=\
    !192.168.15.5
add action=drop chain=input comment="input drop wan" in-interface-list=WAN
add action=drop chain=forward comment="forward drop WAN" in-interface-list=\
    WAN out-interface=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface="WAN1 ETH1"
add action=masquerade chain=srcnat out-interface="WAN2 ETH2"
add action=dst-nat chain=dstnat comment=Switch1 dst-port=8010 \
    in-interface-list=WAN protocol=tcp src-address-list=my_host \
    to-addresses=192.168.15.210 to-ports=80
add action=dst-nat chain=dstnat dst-port=3030 protocol=tcp src-address-list=\
    my_host to-addresses=192.168.15.5 to-ports=3030
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip route
add check-gateway=ping comment="Default Route" distance=5 gateway=\
    10.14.200.1
add check-gateway=ping comment="Secondary Route" distance=10 gateway=\
    19.50.40.209
add check-gateway=ping comment=\
    "Route to check 4.2.2.1 connectivity via Secondary  Link" distance=10 \
    dst-address=1.1.1.2/32 gateway="WAN2 ETH2"
add check-gateway=ping comment=\
    "Route to check 8.8.4.4 connectivity via PRIMARY Link" distance=1 \
    dst-address=8.8.4.4/32 gateway=10.14.200.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.15.0/24 port=8089
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=informative-slideshow \
    read-only-mode=yes touch-screen=disabled
/system clock
set time-zone-name=America/New_York
/system identity
set name=my_router
/system logging
add action=remote prefix=my_router topics=info
add action=remote prefix=my_router topics=critical
add action=remote prefix=my_router topics=error
add action=remote prefix=my_router topics=warning
/system ntp client
set enabled=yes server-dns-names="pool.ntp.org,0.north-america.pool.ntp.org,1.\
    north-america.pool.ntp.org,2.north-america.pool.ntp.org,3.north-america.po\
    ol.ntp.org"
/system scheduler
add interval=1m name=DynDns on-event=DynDns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup
/system script
add dont-require-permissions=yes name=down owner=admin policy=\
    reboot,read,write,policy,test source=":log warning \"PRIMARY link seems to\
    \_be DOWN - Running Down script\" \r\
    \n\r\
    \n/ip route set [find comment=\"Default Route\"] distance=15\r\
    \n\r\
    \n/ip firewall connection {:foreach i in [find protocol=\"tcp\"] do={remov\
    e \$i}}\r\
    \n/ip firewall connection {:foreach i in [find protocol=\"udp\"] do={remov\
    e \$i}}\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=no\r\
    \n\r\
    \ndelay delay-time=10\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=yes\r\
    \n\r\
    \n/system script run DynDnsF\r\
    \n\r\
    \n/tool e-mail send to=me@me.com subject=\"\$[/system \
    identity get name] network change\"  body=\"Primary connection failed and \
    successfully connected to secondary\""
add dont-require-permissions=yes name=up owner=admin policy=\
    reboot,read,write,policy,test source=":log warning \"PRIMARY link seems to\
    \_be UP - Running UP script\"\r\
    \n\r\
    \n/ip route set [find comment=\"Default Route\"] distance=5\r\
    \n\r\
    \n/ip firewall connection {:foreach i in= [find protocol=\"udp\"] do={remo\
    ve \$i}}\r\
    \n/ip firewall connection {:foreach i in= [find protocol=\"tcp\"] do={remo\
    ve \$i}}\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=no\r\
    \n\r\
    \ndelay delay-time=10\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=yes\r\
    \n\r\
    \n/system script run DynDnsF\r\
    \n\r\
    \n/tool e-mail send to=me@me.com subject=\"\$[/system \
    identity get name] network change\"  body=\"Primery connection is up and s\
    uccessfully connected\""
add dont-require-permissions=yes name=DynDns owner=admin policy=\
    reboot,read,write,policy,test source="# Set needed variables\r\
    \n:global username \"username\"\r\
    \n:global password \"password\"\r\
    \n:global hostname \"hostnmame.me.com\"\r\
    \n\r\
    \n:global dyndnsForce\r\
    \n:global previousIP \r\
    \n\r\
    \n# print some debug info\r\
    \n# :log info (\"UpdateDynDNS: username = \$username\")\r\
    \n# :log info (\"UpdateDynDNS: password = \$password\")\r\
    \n:log info (\"UpdateDynDNS: hostname = \$hostname\")\r\
    \n:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
    path=\"/dyndns.checkip.html\"\r\
    \n:delay 1\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details http://www.dyndns.com/developers/s\
    pecs/syntax.html\r\
    \n\r\
    \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n   :set dyndnsForce false\r\
    \n   :set previousIP \$currentIP\r\
    \n   :log info \"\$currentIP or \$previousIP\"\r\
    \n   /tool fetch user=\$username password=\$password mode=http address=\"m\
    embers.dyndns.org\" \\\r\
    \n      src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$cu\
    rrentIP&wildcard=no\" \\\r\
    \n      dst-path=\"/dyndns.txt\"\r\
    \n   :delay 1\r\
    \n   :local result [/file get dyndns.txt contents]\r\
    \n   :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n   :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n   :put (\"Dyndns Update Result: \".\$result)\r\
    \n} else={\r\
    \n   :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n}"
add dont-require-permissions=yes name=DynDnsF owner=admin policy=\
    reboot,read,write,policy,test source="# Set needed variables\r\
    \n:global username \"username\"\r\
    \n:global password \"password\"\r\
    \n:global hostname \"hostname.me.com\"\r\
    \n\r\
    \n:global dyndnsForce\r\
    \n:global previousIP \r\
    \n\r\
    \n# print some debug info\r\
    \n# :log info (\"UpdateDynDNS: username = \$username\")\r\
    \n# :log info (\"UpdateDynDNS: password = \$password\")\r\
    \n:log info (\"UpdateDynDNSF: hostname = \$hostname\")\r\
    \n:log info (\"UpdateDynDNSF: previousIP = \$previousIP\")\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
    path=\"/dyndns.checkip.html\"\r\
    \n:delay 1\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details http://www.dyndns.com/developers/s\
    pecs/syntax.html\r\
    \n\r\
    \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n   :set dyndnsForce false\r\
    \n   :set previousIP \$currentIP\r\
    \n   :log info \"\$currentIP or \$previousIP\"\r\
    \n   /tool fetch user=\$username password=\$password mode=http address=\"m\
    embers.dyndns.org\" \\\r\
    \n      src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$cu\
    rrentIP&wildcard=no\" \\\r\
    \n      dst-path=\"/dyndns.txt\"\r\
    \n   :delay 1\r\
    \n   :local result [/file get dyndns.txt contents]\r\
    \n   :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n   :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n   :put (\"Dyndns Update Result: \".\$result)\r\
    \n} else={\r\
    \n   :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n}"
/tool e-mail
set address=ms.domain.com from="My Router <me@me.com>" start-tls=\
    yes user=me@me.com
/tool netwatch
add down-script="/system script run down" host=8.8.4.4 interval=30s timeout=\
    5s up-script="/system script run up"
Last edited by BartoszP on Fri Dec 09, 2022 12:21 am, edited 2 times in total.
Reason: Use proper tags: quote to quote, code for code
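A diagnostic script to run on the router after the down script has fired, added here as an example and not part of the original post. It assumes the route comments, interface names and secondary gateway exactly as they appear in the export above, and logs the three things this failover design depends on: the two default-route distances, which default route is actually active, and whether check-gateway=ping can reach the secondary gateway.

```routeros
# Added example (not from the original post): failover state check for the
# posted config. Route comments, interface names and the gateway address are
# assumed to match the export above.
:local primaryDist [/ip route get [find comment="Default Route"] distance]
:local secondaryDist [/ip route get [find comment="Secondary Route"] distance]
:log info "failover-check: Default Route distance=$primaryDist, Secondary Route distance=$secondaryDist"

# After the down script runs, the Default Route (15) must be worse than the
# Secondary Route (10); otherwise the primary is still preferred.
:if ($primaryDist <= $secondaryDist) do={
    :log warning "failover-check: Default Route is still preferred over Secondary Route"
}

# Which 0.0.0.0/0 route is the router actually using right now?
:foreach r in=[/ip route find dst-address=0.0.0.0/0 active=yes] do={
    :log info ("failover-check: active default gateway=" . [/ip route get $r gateway])
}

# check-gateway=ping keeps a route inactive while its gateway does not answer
# ICMP, so the backup can only take over if 19.50.40.209 replies on the WAN2 link.
:local replies [/ping 19.50.40.209 count=3 interface="WAN2 ETH2"]
:if ($replies = 0) do={
    :log warning "failover-check: secondary gateway 19.50.40.209 does not answer ping; Secondary Route stays inactive"
} else={
    :log info "failover-check: secondary gateway answered $replies of 3 pings"
}
```

Run it from a terminal with `/system script run` and read the result in `/log print`; the ping test bypasses the output-chain ICMP drops in the posted filter because those only match 8.8.4.4 and 1.1.1.2.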
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: I can't use WAN2 - what am I doing wrong?

Thu Dec 08, 2022 10:05 pm

Simple question: is it a MikroTik router? What device are you talking about? What configuration?
For the second time today I have to use my profi tool to try to understand the problem.
ball.PNG
EDIT: OP edited the original post following anav's suggestion.
Last edited by BartoszP on Fri Dec 09, 2022 12:36 am, edited 1 time in total.
Reason: comment
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I can't use WAN2 - what am I doing wrong?

Thu Dec 08, 2022 11:23 pm

I thought that was a Polish tear!! You guys do everything big! ;-)
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I can't use WAN2 - what am I doing wrong?

Thu Dec 08, 2022 11:24 pm

 
igoldstein
newbie
Topic Author
Posts: 25
Joined: Thu Dec 08, 2022 8:02 pm

Re: I can't use WAN2 - what am I doing wrong?

Fri Dec 09, 2022 12:17 am

Thank you, I've updated my initial post.
