Community discussions

MikroTik App
 
bobbone
just joined
Topic Author
Posts: 1
Joined: Wed Oct 27, 2021 12:02 pm

Dual WAN configuration and VPN

Wed Oct 27, 2021 12:16 pm

Hi, I'm new to the forum, but I often use it to search for valuable information on the various configurations of my CRS125-24G-1S. I have always used the cloud router switch as a "simple" switch, but for some time now I have been moving all the services I had on my modem to it. DHCP, firewall, etc. Soon I will have a new fiber connection and I have configured the mikrotik so that it can use ports 1 and 2 as WAN in balanced and auto-failure mode. This setup works very well, but I have reachability problems for PCs that connect via VPN. Some IPs are pingable and some are not. I noticed that the pingable ones are packets marked WAN2_conn while the unreachable ip's are marked as WAN1_conn. I certainly made a mistake in the configuration (or I missed something).
I ask you if you can help me. For this I leave my configuration here.

Thanks a lot in advance to everyone.

Bob
# oct/27/2021 10:45:19 by RouterOS 6.49
# software id = Level 5
#
# model = CRS125-24G-1S
# serial number = 000000000000

/interface bridge
add admin-mac=00:00:00:00:00:00 arp=proxy-arp auto-mac=no name=bridge

/interface ethernet
set [ find default-name=ether1 ] name=WAN1-TIM
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
set [ find default-name=ether6 ] arp=proxy-arp
set [ find default-name=ether7 ] arp=proxy-arp
set [ find default-name=ether8 ] arp=proxy-arp
set [ find default-name=ether9 ] arp=proxy-arp
set [ find default-name=ether10 ] arp=proxy-arp
set [ find default-name=ether11 ] arp=proxy-arp
set [ find default-name=ether12 ] arp=proxy-arp
set [ find default-name=ether13 ] arp=proxy-arp
set [ find default-name=ether14 ] arp=proxy-arp
set [ find default-name=ether15 ] arp=proxy-arp
set [ find default-name=ether16 ] arp=proxy-arp
set [ find default-name=ether17 ] arp=proxy-arp
set [ find default-name=ether18 ] arp=proxy-arp
set [ find default-name=ether19 ] arp=proxy-arp
set [ find default-name=ether20 ] arp=proxy-arp
set [ find default-name=ether21 ] arp=proxy-arp
set [ find default-name=ether22 ] arp=proxy-arp
set [ find default-name=ether23 ] arp=proxy-arp
set [ find default-name=ether24 ] arp=proxy-arp
set [ find default-name=sfp1 ] arp=proxy-arp

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d



/ip pool
add name=dhcp ranges=172.16.0.50-172.16.0.250

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=8h name=dhcp1

/ppp profile
add local-address=10.11.12.16 name=XXXXXXXXXXXXX remote-address=10.11.12.13
set *FFFFFFFE bridge-learning=no

/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=WAN1-TIM
add bridge=bridge comment=defconf disabled=yes interface=WAN2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf disabled=yes interface=sfp1


/interface list member
add interface=WAN1-TIM list=WAN
add interface=bridge list=LAN
add interface=WAN2 list=WAN
add interface=sfp1 list=WAN


/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 enabled=yes port=443 \
    require-client-certificate=yes


/interface pptp-server server
set enabled=yes


/ip address
add address=172.16.0.1/24 interface=bridge network=172.16.0.0


/ip cloud
set ddns-enabled=yes ddns-update-interval=1h


/ip dhcp-client
add disabled=no interface=WAN1-TIM
add disabled=no interface=WAN2
add disabled=no interface=sfp1


/ip dhcp-server lease
add address=172.16.0.20 client-id=1:00:00:00:00:00:00 mac-address=\
    00:00:00:00:00:00 server=dhcp1
add address=172.16.0.14 client-id=1:00:00:00:00:00:00 mac-address=\
    00:00:00:00:00:00 server=dhcp1
add address=172.16.0.5 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.7 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.8 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.9 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.10 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.11 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.12 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.13 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.15 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.21 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.22 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.23 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.24 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.25 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.26 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.28 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.29 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.30 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.31 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.27 mac-address=00:00:00:00:00:00 server=dhcp1
add address=172.16.0.32 mac-address=00:00:00:00:00:00 server=dhcp1

/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.1.1,8.8.8.8,8.8.4.4,172.16.2.1 \
    gateway=172.16.0.1 netmask=24

/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1-TIM \
    new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
    WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
add action=accept chain=prerouting dst-address=172.16.1.0/28 in-interface=\
    WAN1-TIM
add action=accept chain=prerouting dst-address=172.16.2.0/28 in-interface=\
    WAN2
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WAN1-TIM
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat comment=NVR dst-port=8888 in-interface-list=\
    WAN protocol=tcp to-addresses=172.16.0.5 to-ports=80
add action=dst-nat chain=dstnat comment=VPN dst-port=1723 in-interface-list=\
    WAN protocol=tcp to-addresses=172.16.0.1 to-ports=1723
add action=dst-nat chain=dstnat comment=CONTROLLER-WIFI dst-port=8043 \
    in-interface-list=WAN protocol=tcp to-addresses=10.10.10.11 to-ports=8043
add action=dst-nat chain=dstnat comment=OPENVPN dst-port=443 \
    in-interface-list=WAN protocol=udp to-addresses=172.16.0.1 to-ports=443
add action=dst-nat chain=dstnat comment=OPENVPNTCP dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=172.16.0.1 to-ports=443

/ip kid-control device
add mac-address=00:00:00:00:00:00 name="realme-8-Pro;-1"
#error exporting /ip kid-control device

/ip route
add check-gateway=ping distance=1 gateway=172.16.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=172.16.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=172.16.2.1 routing-mark=to_WAN2

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/lcd interface pages
set 1 interfaces=ether13,ether14,ether15,ether16,ether17,ether18,ether19

/ppp secret
add local-address=10.10.10.20 name=XXXXXXXXXXXXX password=XXXXXXXXXXXXX profile=\
    default-encryption remote-address=10.10.10.21 service=pptp
add name=XXXXXXXXXXX password=XXXXXXXXXXX profile=OPENVPNPROFILE service=ovpn

/system clock
set time-zone-name=Europe/Rome

/system identity
set name=MikroTik

/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233

/system scheduler
add comment="Scheduler usato per l'aggiornamento DynDNS.it" interval=1m name=\
    DynDNS on-event=DynDNS policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup

/system script
add comment="Script utilizzato per l'aggiornamento DNS" \
    dont-require-permissions=yes name=DynDNS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Set needed variables\
    \n\t:local username xxxxxxxxxx\
    \n\t:local password xxxxxxxxxx\
    \n\t:local hostname xxxxxxxxxx\
    \n\
    \n\t:global dyndnsForce\
    \n\t:global previousIP\
    \n\
    \n# print some debug info\
    \n\t:log info (\"UpdateDynDNS: username = \$username\")\
    \n\t:log info (\"UpdateDynDNS: password = \$password\")\
    \n\t:log info (\"UpdateDynDNS: hostname = \$hostname\")\
    \n\t:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\
    \n\
    \n# get the current IP address from the internet (in case of double-nat)\
    \n\t/tool fetch mode=http address=\"checkip.dyndns.it\" src-path=\"/\" dst\
    -path=\"/dyndns.checkip.html\"\
    \n\t:delay 1\
    \n\t:local result [/file get dyndns.checkip.html contents]\
    \n\
    \n# parse the current IP result\
    \n\t:local resultLen [:len \$result]\
    \n\t:local startLoc [:find \$result \": \" -1]\
    \n\t:set startLoc (\$startLoc + 2)\
    \n\t:local endLoc [:find \$result \"</body>\" -1]\
    \n\t:local currentIP [:pick \$result \$startLoc \$endLoc]\
    \n\t:log info \"UpdateDynDNS: currentIP = \$currentIP\"\
    \n\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\
    \n# but you could end up getting blacklisted by DynDNS!\
    \n\
    \n#:set dyndnsForce true\
    \n\
    \n# Determine if dyndns update is needed\
    \n# more dyndns updater request details http://www.dyndns.com/developers/s\
    pecs/syntax.html\
    \n\
    \n\t:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\
    \n\t\t:set dyndnsForce false\
    \n\t\t:set previousIP \$currentIP\
    \n\t\t:log info \"\$currentIP or \$previousIP\"\
    \n\t\t/tool fetch user=\$username password=\$password mode=http address=\"\
    members.dyndns.it\" \\\
    \n\t\tsrc-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$curr\
    entIP&wildcard=no\" \\\
    \n\t\tdst-path=\"/dyndns.txt\"\
    \n\t\t:delay 1\
    \n\t\t:local result [/file get dyndns.txt contents]\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns update needed\")\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\
    \n\t\t:put (\"Dyndns Update Result: \".\$result)\
    \n\t} else={\
    \n\t\t:log info (\"UpdateDynDNS: No dyndns update needed\")\
    \n\t}"


/tool graphing interface
add interface=WAN1-TIM store-on-disk=no
add interface=WAN2 store-on-disk=no
add interface=bridge store-on-disk=no
add interface=sfp1 store-on-disk=no

Who is online

Users browsing this forum: No registered users and 74 guests