rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

RB5009 - RouterOS v7.1rc6: New user help please?

Fri Nov 12, 2021 5:42 pm

Hi Mikrotik family! I am a new user that fell hard off the Ubiquiti fanboy train. I have dabbled in MikroTik Routers and switches for a while, but only on the side as a curiosity. I am diving in deep now and have swapped out my home lab from all Ubiquiti to all Mikrotik (except for WiFi). All is well as far as normal VLAN configs, firewall rules, and those sort of basics.

The only area I am struggling with is dual WAN failover. I have been trying to read and comb through the forums and have attempted various methods, but with limited success. Perhaps it is an abnormal scenario, because both WANs I have available are DHCP. One is Xfinity cable, and one is Verizon LTE. I am not looking to load balance, as data is very limited on the LTE side. I just want to fail over to LTE when latency gets high, and fail back when it is low again.

I'm new here so please be gentle! I am happy to provide whatever files you need or configs or scenarios or whatever to help. I have attached a hide-sensitive export hoping that might help?
 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Fri Nov 12, 2021 8:04 pm

Maybe I can ask a more specific question. I found a tutorial on how to do this using scripts on the DHCP client entries for the WAN interfaces. It looks like below. However, in trying to run this script, "routing-mark" seems not to be a valid command now in RouterOS 7? This is where I get stuck...

{
    # DHCP client script for the WAN1 lease; $bound and $"gateway-address" are supplied by the DHCP client
    :local rmark "to_wan1"
    :local count [/ip route print count-only where comment="to_wan1"]
    :if ($bound=1) do={
        :if ($count = 0) do={
            # lease acquired and no route yet: add the marked route and a plain route via the new gateway
            /ip route add distance=1 gateway=$"gateway-address" check-gateway=ping routing-mark=to_wan1 comment="to_wan1"
            /ip route add distance=1 gateway=$"gateway-address" check-gateway=ping comment="to_wan1"
        } else={
            :if ($count = 1) do={
                # route already exists: update its gateway if the lease handed out a different one
                :local test [/ip route find where comment="to_wan1"]
                :if ([/ip route get $test gateway] != $"gateway-address") do={
                    /ip route set $test gateway=$"gateway-address"
                }
            } else={
                :error "Multiple routes found"
            }
        }
    } else={
        # lease lost: remove the routes added for this WAN
        /ip route remove [find comment="to_wan1"]
    }
}
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Fri Nov 12, 2021 8:14 pm

 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Fri Nov 12, 2021 8:21 pm

mrz, thank you for the reply! I was just reading about that, and went and added the tables. However, when I run this script, this still happens... am I completely trying to do the wrong thing here? Is the script I found not valid anymore?


/ip route add distance=1 gateway=$"gateway-address" check-gateway=ping routing-mark=to_wan1 comment="to_wan1"
expected end of command (line 1 column 73)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Fri Nov 12, 2021 8:44 pm

Helpful to understand in context .........
viewtopic.php?t=157048
 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Fri Nov 12, 2021 10:59 pm

Okay, I read some more and made an attempt at updating my config. Now if I unplug WAN1 to simulate an outage, no traffic will go over WAN2.
updated config.rsc
 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?  [SOLVED]

Sat Nov 13, 2021 1:52 am

Okay, I believe at this point I do have my setup actually working. Further testing today showed the problem actually being that my LTE modem is having an LTE problem LOL. I will close this topic for now and open a new one if something still doesn't work after getting it sorted out.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sat Nov 13, 2021 5:35 am

Well, cannot resist the borg.............

Your config needs work IMHO.
First thing is remove the bridge from any dhcp and just let it be a bridge.
Thus make vlan11 your Management vlan and make the necessary changes.
All smart devices connected to the router should get an IP address on this vlan 11 subnet (192.168.1.0/24) name=Management

Then look at your interface lists.
You make one that says ALL LAN, but you already have the default labelled LAN, so it was duplication for nothing.
Interface lists are best used for GROUPS of whole subnets, for example if 2/4 vlans were supposed to have internet access but the other two didn't.
Then making an interface list called INTERNET would make sense.
Rare is the case to make ONE subnet also an interface list member but for management purposes, it makes sense as you will see by the last comment I make below.
SO
from
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name="All Lan"
/interface list member
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=bridge list=LAN
add interface="Main Network" list=LAN
add interface=bridge list="All Lan"
add interface=Bench list="All Lan"
add interface=IoT list="All Lan"
add interface=Kids list="All Lan"
add interface="Main Network" list="All Lan"
add interface=ether8-WAN2 list=WAN


TO
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=CONTROL
/interface list member
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=ether8-WAN2 list=WAN
add interface="Main Network" list=LAN
add interface=Bench list=LAN
add interface=IoT list=LAN
add interface=Kids list=LAN
add interface=Management list=LAN
add interface=Management list=CONTROL

If you don't need this for anything, and changing it to none doesn't take away anything you do,
then I recommend this (known to cause issues):
/interface detect-internet
set detect-interface-list=none

I find this weird, 4 vlans in the config (five the way I do it) and yet you have no access bridge ports (no pvid settings and thus none going to dumb devices like a PC, or printer).
Are they all going to smart devices (managed switches, smart access points etc..?)
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1


Why do you set ingress filtering to NO............They should all be YES, unless its a hybrid port!!
WHERE is this setting MISSING
/interface bridge vlans ???????????

The firewall filter rules are a bad mix of misinformation, youtube and not understanding how the rules actually work
Best to keep to the defaults UNTIL you know what you are doing.
For example all one has to do is see these three rules to make that determination.

1-add action=accept chain=forward comment="Accept Port Forward Traffic" \
connection-nat-state=dstnat connection-state="" in-interface-list=WAN
2-add action=drop chain=forward comment="Drop Everything Else"
3-add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Rules 1 and 3 contradict/overlap each other a bit, rule 1 says allow port forwarded traffic from the WAN (good rule if you have a block all rule at the end). Rule 3 says block all traffic from the WAN except port forwarded traffic. BUT you have already allowed port forwarded traffic. Then before rule 3 is rule 2 which states, drop everything else. So rule 3 will never get used.

Rule 2, the drop all rule at the end of the forward chain is excellent (KEEP!!) but it has to be the last rule.
What this rules says is that -
all traffic that makes it to this rule (not matched previously) shall be dropped.
So any WAN to LAN, LAN to WAN or LAN to LAN traffic that touches this rule will be dropped.
So the key is to, other than the default rules,...............ensure you put in what you want to allow just before the drop all rule!
typical entries
- allow lan to wan (internet)
- allow port forwarding
-allow shared access to a printer
-allow admin access to all vlans.

SO this is what it should look like: (first three rules of input chain are good default rules)

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Input Rule For ZeroTier" in-interface=\
zerotier1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=WAN

So all traffic from WAN to ROUTER is blocked with the last rule, AND by inference all LAN traffic to ROUTER is allowed.
The next step (another day) will be to change this to BLOCK all LAN to ROUTER traffic and only allow necessary traffic - but not yet, need to understand how rules work first.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(first three default rules are good and should be in place)

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=forward comment="Permit Internet Traffic" in-interface-list=LAN \
out-interface-list=WAN
add action=accept chain=forward comment="Accept Port Forward Traffic" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow Printing from IoT Network" \
dst-address=192.168.10.5 in-interface=IoT
add action=accept chain=forward comment="Allow kid access to HomePod Mini " \
dst-address=192.168.10.104 in-interface=Kids
add action=drop chain=forward comment="Drop Everything Else"

I removed the rule I didn't understand and if you can explain its purpose we can put it back in with accuracy.........
add action=accept chain=forward comment="Allow Main Network Open Access" \
in-interface="Main Network"


ON NAT Rules..........
Okay the first two rules seem to be redirect rules, what they do is ensure PCs cannot use their own DNS settings as they will all be redirected to the router (fixed list)
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN \
protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN \
protocol=udp to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.1.10 dst-port=32400 \
protocol=tcp


However, I don't understand the purpose of the third source nat masquerade rule??????

Where did you find this rule.??? I have not seen it used that I can recall so just curious.
/ip firewall connection tracking
set enabled=yes

What is the purpose of the MANGLE rules you have???

Modify the following
from
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


TO
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=CONTROL
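An added example, not part of this thread and not MikroTik's code: a small Python checker that reads RouterOS export text (the `/section` headers, `add key=value` lines and trailing-backslash continuations used in the posts above) and applies two of the points raised in this thread. First, it walks a firewall chain in order, the way the router does, so you can see which rule a given packet hits and which rules sit behind an unconditional rule and can never be reached (the rule 1 / rule 2 / rule 3 overlap above). Second, it flags `routing-mark=` on `/ip route` lines, the v6 syntax that produced the "expected end of command" error earlier in the thread; in RouterOS 7 the equivalent option is `routing-table=`, naming a table created under `/routing table`. The sample export, the packet descriptions and every function name here are constructed for the example. The matcher evaluation is a simplification (connection-state, connection-nat-state and interface-list matchers are treated as plain set membership, with `!` negation; fasttrack and chain jumps are not modelled), so use it as a reading aid for rule order, not as a substitute for testing on the router.

```python
"""Constructed helper: parse RouterOS export lines and check firewall rule order."""
import shlex
from dataclasses import dataclass

# Constructed sample export: the failing v6-style route line and the three
# forward-chain rules discussed in the thread, in their original order.
SAMPLE_EXPORT = r'''
/ip route
add distance=1 gateway=$"gateway-address" check-gateway=ping routing-mark=to_wan1 comment="to_wan1"
/ip firewall filter
add action=accept chain=forward comment="Accept Port Forward Traffic" \
    connection-nat-state=dstnat connection-state="" in-interface-list=WAN
add action=drop chain=forward comment="Drop Everything Else"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
'''

# Keys that describe the rule itself rather than what it matches on.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}


@dataclass
class Rule:
    action: str
    chain: str
    comment: str
    matchers: dict  # key -> value string, '!' prefix means negated


def parse_export(text):
    """Return (section, {key: value}) per 'add'/'set' line, joining '\\'-continued lines."""
    section, buf, out = "", "", []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            # 'comment=\' continues straight into the quoted value; other breaks separate words
            buf += "" if buf.endswith("=") else " "
            continue
        words = shlex.split(buf + line)  # shlex keeps "quoted values" together
        buf = ""
        if words and words[0] in ("add", "set"):
            kv = {}
            for w in words[1:]:
                k, _, v = w.partition("=")
                kv[k] = v
            out.append((section, kv))
    return out


def filter_rules(text):
    """Firewall filter rules in export order, with their match conditions separated out."""
    rules = []
    for section, kv in parse_export(text):
        if section != "/ip firewall filter":
            continue
        matchers = {k: v for k, v in kv.items() if k not in NON_MATCHERS and v != ""}
        rules.append(Rule(kv.get("action", ""), kv.get("chain", ""), kv.get("comment", ""), matchers))
    return rules


def matches(rule, packet):
    """True if every matcher on the rule is satisfied by the packet dict (simplified model)."""
    for key, want in rule.matchers.items():
        negate = want.startswith("!")
        wanted = set(want.lstrip("!").split(","))
        have = packet.get(key)
        have = have if isinstance(have, (set, frozenset)) else {have}
        hit = bool(have & wanted)
        if hit == negate:  # wanted a hit but missed, or wanted a miss but hit
            return False
    return True


def first_match(rules, chain, packet):
    """(index, action) of the first matching rule; an unmatched packet is accepted by default."""
    for i, r in enumerate(rules):
        if r.chain == chain and matches(r, packet):
            return i, r.action
    return None, "accept"


def shadowed_rules(rules):
    """Indexes of rules placed after an unconditional rule in the same chain: never reached."""
    seen_catch_all, dead = set(), []
    for i, r in enumerate(rules):
        if r.chain in seen_catch_all:
            dead.append(i)
        elif not r.matchers:
            seen_catch_all.add(r.chain)
    return dead


def v6_route_syntax(text):
    """'/ip route' entries still using routing-mark=; RouterOS 7 expects routing-table= instead."""
    return [kv for section, kv in parse_export(text) if section == "/ip route" and "routing-mark" in kv]


if __name__ == "__main__":
    rules = filter_rules(SAMPLE_EXPORT)
    for i in shadowed_rules(rules):
        print(f"rule {i + 1} ({rules[i].comment!r}) is unreachable in chain {rules[i].chain}")
    wan_new = {"in-interface-list": {"WAN"}, "connection-state": "new", "connection-nat-state": ""}
    print("new, non-DSTNATed WAN packet hits rule", first_match(rules, "forward", wan_new))
    for kv in v6_route_syntax(SAMPLE_EXPORT):
        print(f"/ip route {kv.get('comment')!r} uses routing-mark= (v6 syntax); v7 uses routing-table=")
```

Run it as-is and it reports rule 3 as unreachable and a new WAN packet being dropped by rule 2, which is the shadowing described above; paste your own `/export` output into `SAMPLE_EXPORT` to check a different rule set. A rule with no matchers drops (or accepts) everything that reaches it, so the checker treats everything behind it in the same chain as dead, which is exactly why the allow rules have to sit before the final drop.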
 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sat Nov 13, 2021 6:12 am

Hi anav,

Wow that is a lot to digest! I guess I thought I was doing better than I am. I knew some of the firewall rules were redundant and not doing anything, but I hadn't bothered removing them yet.
There are no dumb devices connected right to the RB5009. It is connected straight to a CRS328 on the SFP+ port, and all of the end devices are connected to that switch. I was doing all of my VLAN filtering on that switch.

I will have a close look at all of this and see what I can learn.
 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sat Nov 13, 2021 7:06 am

Hi Anav,

Wow, thank you very much for nudging me to start looking things over more. I am going to take this one step at a time and try to learn and understand the changes I am making. I totally get that I am coming from a place where they try to hold your hand and do everything for you. Luckily this is just in my home lab where the risks are somewhat low compared to a business.
I attached another config file. I have made interface list, firewall, NAT, and mangle rule changes. I have NOT yet made management VLAN and bridge changes... I will work on that over the weekend. But, can you take a look and let me know if I am headed in the right direction?

The main goal with the VLANS is to keep kids, iot, and bench VLANS from accessing each other or the "main network" VLAN, but for me on the "main network" VLAN to be able to access all of the devices on those other VLANS when necessary.

Noting that there is a smart switch directly after the firewall, and I am doing my VLAN filtering on there... do I need to make other changes on the firewall with regards to proper VLAN filtering? My downstream APs and clients are all currently getting IPs from the VLANS I am expecting them to...
step1.rsc
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sat Nov 13, 2021 6:20 pm

Hi there,,,,,
It would be best to see both configs as they do "work together"
Dont have time to look at it right now but will later.

The change will be minimal
Add ingress filtering to spfplus8 (and frame-types admit-only-vlan-tagged)
/interface bridge vlan
add bridge=bridge tagged=bridge,sfpplus8 vlanids= all of them a,b,c,d,e etc..... that are going to the switch.
 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sat Nov 13, 2021 6:29 pm

Hi Anav,
I really took your encouragement to heart and I have my nose buried in the Wiki today. I will see if I can understand and figure the VLANS and Bridge parts out correctly! I'll let you know. I'm practicing my "make backups" and winbox safe mode.
Meanwhile, would you mind feedback on the rearranged firewall rules? Do they make more sense now? If I understand more what is going on, they accomplish my intended filtering MUCH more efficiently and effectively than my first attempt.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sat Nov 13, 2021 11:27 pm

/interface vlan
add interface=bridge name=Bench vlan-id=30
add interface=bridge name=IoT vlan-id=20
add interface=bridge name=Kids vlan-id=40
add interface=bridge name="Main Network" vlan-id=10

add interface=bridge name=Management vlan-id=11

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0 (CHANGE TO Management)
add address=192.168.10.1/24 interface="Main Network" network=192.168.10.0
add address=192.168.20.1/24 interface=IoT network=192.168.20.0
add address=192.168.30.1/24 interface=Bench network=192.168.30.0
add address=192.168.40.1/24 interface=Kids network=192.168.40.0


/ip dhcp-server
add address-pool="MGT Network" interface=bridge lease-time=1d name=dhcp1 CHANGE TO Management
add address-pool="IoT Network" interface=IoT lease-time=1d name=dhcp3
add address-pool="Bench Network" interface=Bench lease-time=1d name=dhcp4
add address-pool="Kids Network" interface=Kids lease-time=1d name=dhcp5
add address-pool="Main Network" interface="Main Network" lease-time=1d name=\

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=mgt

add name="All Lan" Remove.......

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=yes interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=11,10,20,30,40


/interface list member
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=ether8-WAN2 list=WAN
add interface="Main Network" list=LAN
add interface=Kids list=LAN
add interface=IoT list=LAN
add interface=Bench list=LAN was missing!!!
add interface=Management list=LAN replaces the bridge entry no longer required.
add interface=Management list=mgt

/tool mac-server mac-winbox
set allowed-interface-list=LAN CHANGE TO mgt

Firewall rules..... input chain
add action=drop chain=input comment="defconf: drop invalid" connection-state=\ MOVE this rule to just before the ICMP rule.........
invalid log=yes

Firewall rules....... forward chain
Missing, put right before the permit internet rule............
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid log=yes

Much better, but why allow MAIN network to all vlans and not the Management network, just curious?
add action=accept chain=forward comment=\
"Allow Main Network access to all other VLANS" in-interface=\
"Main Network" out-interface-list=LAN


MISSING masquerade sourcenat rule for second LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1-WAN1

????ether8-WAN2????

Finally, change interface to LAN
add action=redirect chain=dstnat dst-port=53 in-interface-list="All Lan" \
protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list="All Lan" \
protocol=udp to-ports=53

Last step.
/interface bridge
add admin-mac=DC:2C:6E:28:FB:13 auto-mac=no comment=defconf name=bridge Select vlan filtering = YES
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sat Nov 13, 2021 11:55 pm

I always start with the default MikroTik firewall rules and make changes from there, if necessary. I see no need to reinvent the wheel and MikroTik does a very good job with the default rules.

You can always see what the defaults were by running /system default-configuration print from the command line.
 
rutman286
newbie
Topic Author
Posts: 41
Joined: Sat Oct 29, 2011 9:18 pm

Re: RB5009 - RouterOS v7.1rc6: New user help please?

Sun Nov 14, 2021 4:57 am

I appreciate all of the feedback I have received. I hope I haven't frustrated anyone, as that was never my intent. I have learned a lot from what has been shown to me here. I am as green as they come to Mikrotik, and no, I don't have a CCNA. I do this for fun in my spare time and learn as I go. And remember, I came from Ubiquiti where everything is basically a magic checkbox. I came over to Mikrotik to learn more about how it ACTUALLY works.

I have gained a lot of understanding of the firewall rules and flow from what you all have shown me.

Thank you.
