tonystarkgr
just joined
Topic Author
Posts: 7
Joined: Thu Apr 07, 2022 12:21 am

Routerboard RB2011 UAS RM

Thu Apr 07, 2022 1:25 pm

Hello all, I'm new to MikroTik routers and I'm facing a very specific issue. I use Routerboard RB2011 UAS RM with 2 WAN connections: one PPPoE (DSL landline) and another which is over a 5G router (DLink DWR-2101). I want to use the 5G router as the primary connection (as it is way faster than the crappy DSL lines we have here in my area).
I've followed this guide: https://mikrotik.tips/combining-2-isp-w ... uterboard/ in order to set it up as a WAN failover (or so they say here).

I've added a DHCP client entry in RouterOS for the 5G router. Although it shows up as invalid (and I do not know why), it has connectivity.

Now the issue I'm facing is that the router is located on the roof and connected to the MikroTik, which is located in the basement, via a CAT 6 cable, but the speed is up to 3.8mbps. When I plug the 5G cable directly into a device (or into the switch) the speed goes up to 471mbps. The DSL line peaks at 8mbps. That is why I want to use the 5G connection as a primary one and have the DSL line as a backup.

I'm completely new to mikrotik and I could use some help. Please let me know what further information you need in order to be able to sort this out.
I'll post the network topology and layout as an addendum in this post.

Please keep in mind that my routing knowledge is not as great as many people here.
Thank you in advance.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Routerboard RB2011 UAS RM

Thu Apr 07, 2022 7:56 pm

Random web sites, Youtube videos, etc. are often outdated, not optimal, or just wrong. There are code snippets in the wiki https://wiki.mikrotik.com/wiki/Manual:TOC and new help pages https://help.mikrotik.com/docs/. With the recent release of RouterOS v7 some examples refer to v7 and older ones to v6.

I suspect your slow speed is due to having fasttrack enabled, which is not compatible with connection marking. In the forums the simplest way of showing your setup is to post the output of the /export hide-sensitive command on v6, or just /export on v7, from a terminal window, placing it in a code block (the [] icon above the text editor box when posting on the forum).
 
tonystarkgr
just joined
Topic Author
Posts: 7
Joined: Thu Apr 07, 2022 12:21 am

Re: Routerboard RB2011 UAS RM

Thu Apr 07, 2022 9:44 pm

Hi TDW, thank you for your reply. Here is the config export. The asterisks mark some IPs/names that I did not want exposed. Please let me know if you need anything else in order to continue.
# apr/07/2022 21:39:18 by RouterOS 6.49.2
# software id = 58I1-W3TB
#
# model = 2011UAS
# serial number = 4271024DB1DB
/interface bridge
add admin-mac=D4:CA:6D:87:BB:2D arp=proxy-arp auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether4 ] comment="ASUS AP" name=AP
set [ find default-name=ether1 ] comment=Cosmote name=ISP1
set [ find default-name=ether2 ] comment="5G Router" name=ISP2
set [ find default-name=ether3 ] name=Switch
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ISP1 keepalive-timeout=\
    disabled name=Otenet service-name=Otenet user=*****************
/interface pptp-client
add allow=chap,mschap1,mschap2 connect-to=************ name=******** user=\
    *********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name="DHCP Pool" ranges=192.168.1.40-192.168.1.70
/ip dhcp-server
add address-pool="DHCP Pool" disabled=no interface=bridge name="DHCP Server"
/ppp profile
add change-tcp-mss=yes dns-server=192.168.1.1 local-address="DHCP Pool" name=\
    PPTPprofile only-one=yes remote-address="DHCP Pool" use-compression=yes \
    use-encryption=no
set *FFFFFFFE use-compression=yes use-encryption=no
/queue simple
add dst=ISP2 name=queue1 queue=ethernet-default/ethernet-default target=""
/interface bridge port
add bridge=bridge comment=defconf interface=ISP2
add bridge=bridge comment=defconf interface=Switch
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=AP
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Otenet list=WAN
add interface=ISP1 list=WAN
add interface=ISP2 list=WAN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=PPTPprofile \
    enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.1.253/24 disabled=yes interface=AP network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
add comment=defconf interface=ISP1
# DHCP client can not run on slave interface!
add disabled=no interface=ISP2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.122 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.122
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=*********************** list=WAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes dst-address-list=WAN \
    new-connection-mark=HairPin_NAT passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.1.0/24 in-interface=bridge new-connection-mark=ISP1 \
    passthrough=no per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.1.0/24 in-interface=bridge new-connection-mark=ISP2 \
    passthrough=no per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1 \
    new-routing-mark=via-isp1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2 \
    new-routing-mark=via-isp2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="HairPin NAT" connection-mark=\
    HairPin_NAT disabled=yes
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN dst-port=\
    32400 protocol=tcp to-addresses=192.168.1.20 to-ports=32400
add action=dst-nat chain=dstnat dst-address=192.168.1.11 dst-address-list=WAN \
    dst-port=3389 protocol=tcp to-addresses=192.168.1.11 to-ports=3389
add action=dst-nat chain=dstnat dst-address=192.168.1.20 dst-address-list=WAN \
    dst-port=1433 protocol=tcp to-addresses=192.168.1.20 to-ports=1433
add action=dst-nat chain=dstnat dst-address=192.168.1.4 dst-address-list="" \
    dst-port=9091 protocol=tcp src-address-list="" to-addresses=192.168.1.4 \
    to-ports=9091
add action=src-nat chain=srcnat dst-port=1723 ipv4-options=any out-interface=\
    ISP1 protocol=tcp to-ports=1723
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.1.20 to-ports=32400
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ISP1
add action=masquerade chain=srcnat disabled=yes out-interface=bridge
/ip route
add check-gateway=ping distance=1 gateway=Otenet routing-mark=via-isp1
add check-gateway=ping distance=1 gateway=ISP2 routing-mark=via-isp2
add check-gateway=ping distance=1 gateway=Otenet
add distance=1 dst-address=192.168.1.20/32 gateway=bridge pref-src=192.168.1.1
add distance=1 dst-address=192.168.40.0/24 gateway=Easymint
/lcd
set time-interval=hour
/ppp secret
add name=infernoulis profile=PPTPprofile service=pptp
add name=tony profile=PPTPprofile service=pptp
add name=panayotis profile=PPTPprofile service=pptp
add name=freeman profile=PPTPprofile service=pptp
/routing ospf interface
add network-type=point-to-point
/routing ospf network
add area=backbone network=192.168.1.0/24
add area=backbone network=192.168.30.0/24
/system clock
set time-zone-name=Europe/Athens
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge disabled=yes display-time=5s
set Otenet disabled=yes display-time=5s
set Easymint disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ISP1 disabled=yes display-time=5s
set ISP2 disabled=yes display-time=5s
set Switch disabled=yes display-time=5s
set AP disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
/system scheduler
add comment="Update Dynu DDNS" interval=5m name=Dynu_Updater on-event=\
    "/system script run Dynu\r\
    \n" policy=read,write,test start-time=startup
/system script
add dont-require-permissions=yes name=Dynu owner=admin policy=read,write,test \
    source=":global ddnsuser \"***********\"\r\
    \n:global ddnspass \"*************\"\r\
    \n:global theinterface \"Otenet\"\r\
    \n:global ddnshost \"*****************\"\r\
    \n:global ipddns [:resolve \$ddnshost];\r\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterf\
    ace ] address ]\r\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
    \n:log info (\"dynu: No ip address on \$theinterface .\")\r\
    \n} else={\r\
    \n:for i from=( [:len \$ipfresh] - 1) to=0 do={\r\
    \n:if ( [:pick \$ipfresh \$i] = \"/\") do={\r\
    \n:set ipfresh [:pick \$ipfresh 0 \$i];\r\
    \n}\r\
    \n}\r\
    \n:if (\$ipddns != \$ipfresh) do={\r\
    \n:log info (\"dynu: IP-dynu = \$ipddns\")\r\
    \n:log info (\"dynu: IP-Fresh = \$ipfresh\")\r\
    \n:log info \"dynu: Update IP needed, Sending UPDATE...!\"\r\
    \n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$ipfresh\"\r\
    \n/tool fetch address=api.dynu.com src-path=\$str mode=http user=\$ddnsuser\
    \_password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
    \n:delay 1\r\
    \n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
    \n/file remove \$str\r\
    \n:global ipddns \$ipfresh\r\
    \n:log info \"dynu: IP updated to \$ipfresh!\"\r\
    \n} else={\r\
    \n:log info \"dynu: dont need changes\";\r\
    \n}\r\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Routerboard RB2011 UAS RM

Thu Apr 07, 2022 11:10 pm

Without going through the configuration in detail a couple of obvious errors stand out:

You have not removed ether2 being used for the second ISP connection from the LAN bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ISP2
....


fasttrack has not been disabled, update the firewall rule
/ip firewall filter
....
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
....


Also using PPTP for VPNs is strongly discouraged, it has been vulnerable for at least 10 years.
 
tonystarkgr
just joined
Topic Author
Posts: 7
Joined: Thu Apr 07, 2022 12:21 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 12:09 am

I've removed the ether2 port from the bridge and disabled fasttrack. However, the issue persists. In fact it made it worse. What else should I look into?
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 12:54 am

With the original configuration clients could possibly have been using the ISP2 connection directly if they were assigned addresses directly from the 5G router. Presumably the two ISP devices use different subnets from each other, and not your LAN 192.168.1.0/24 either.

Using gateway=SomeInterfaceName for IP routes only works for point-to-point media such as PPPoE, not ethernet. The gateway should be an IP address; if the ISP devices each hand out addresses from an unchanging subnet you can use appropriate static addresses.
 
tonystarkgr
just joined
Topic Author
Posts: 7
Joined: Thu Apr 07, 2022 12:21 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 1:18 am

Could you please provide an example? If I remove the ISP1 cable from the MikroTik, then the ISP2 speed drops down to ~4mbps. However, if I use a small LAN cable (~2m) in the space where the rack is located then it goes up to the speed that the 5G can provide in that confined space (basement). Currently the router is placed on the roof and a cable goes all the way to the rack.

UPDATE: Based on your previous comment, ISP2 (5G) must hand out IPs or it will not work, since it's not a PPPoE device (I do not log on like I do on ISP1, which is PPPoE).
ISP2 device has IP 192.168.1.254 and the DHCP client entry gives 192.168.1.212.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 3:25 pm

You cannot have the same subnet for the LAN and either of the WANs. Unless you can change the 5G to use a different subnet, e.g. 192.168.2.0/24, you will have to change your LAN and all attached devices to something other than 192.168.1.0/24.

If you can change the 5G device to be 192.168.2.254, for example, you can still use a DHCP client on ISP2 to obtain the WAN address if setting a static address is not possible. As long as the gateway address itself doesn't change you can use it for the route gateway:
add check-gateway=ping distance=1 gateway=192.168.2.254 routing-mark=via-isp2

The more complete method would be to use a script triggered by the DHCP client for ISP2 to update the route gateway.
 
tonystarkgr
just joined
Topic Author
Posts: 7
Joined: Thu Apr 07, 2022 12:21 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 4:04 pm

I will try it and let you know. Thank you in advance
 
tonystarkgr
just joined
Topic Author
Posts: 7
Joined: Thu Apr 07, 2022 12:21 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 4:17 pm

I did what you said and it routed the WAN traffic successfully!!! Thank you for that. However, WITH the fasttrack the speed was up to 80mbps down / 40 up, and without the fasttrack the speed almost halved. I used the DHCP client to get the IP from the 5G router and the IP obtained was on the same subnet as the router (192.168.2.0)... is this correct? (Most likely I think so, but wanted to ask.)
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 4:44 pm

Fasttrack and mangle rules do not work together, so there must be something else going on. You mention the DHCP client getting the same subnet as the router and 192.168.2.0, previously they were both 192.168.1.x so which has been changed? The latest configuration and acquired DHCP client address would help.
 
tonystarkgr
just joined
Topic Author
Posts: 7
Joined: Thu Apr 07, 2022 12:21 am

Re: Routerboard RB2011 UAS RM

Fri Apr 08, 2022 5:44 pm

The 5G router has a DHCP server built in. I think it must be enabled in order for the DHCP client to receive the address required.
What I have done so far is that I've changed the 5G router (ISP2) subnet to 192.168.2.0/24 from 192.168.1.0/24, which was the same subnet as the LAN, in order to be in a different subnet from ISP1 (192.168.0.0/24) and the LAN (192.168.1.0/24). Should I disable the DHCP server on the 5G router? What's your proposal? DHCP address acquired from 5G router: 192.168.2.213/24
Below is the latest config output
[admin@MikroTik] > /export hide-sensitive
# apr/09/2022 01:47:58 by RouterOS 6.49.5
# software id = 58I1-W3TB
#
# model = 2011UAS
# serial number = 4271024DB1DB
/interface bridge
add admin-mac=D4:CA:6D:87:BB:2D arp=proxy-arp auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether4 ] comment="ASUS AP" name=AP
set [ find default-name=ether1 ] comment=Cosmote disabled=yes name=ISP1
set [ find default-name=ether2 ] comment="5G Router" name=ISP2
set [ find default-name=ether3 ] name=Switch
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ISP1 keepalive-timeout=\
    disabled name=Otenet service-name=Otenet user=************
/interface pptp-client
add allow=chap,mschap1,mschap2 connect-to=************* name=Easymint user=\
    ***********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name="DHCP Pool" ranges=192.168.1.40-192.168.1.70
/ip dhcp-server
add address-pool="DHCP Pool" disabled=no interface=bridge name="DHCP Server"
/ppp profile
add change-tcp-mss=yes dns-server=192.168.1.1 local-address="DHCP Pool" name=\
    PPTPprofile only-one=yes remote-address="DHCP Pool" use-compression=yes \
    use-encryption=no
set *FFFFFFFE use-compression=yes use-encryption=no
/interface bridge port
add bridge=bridge comment=defconf interface=Switch
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=AP
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Otenet list=WAN
add interface=ISP1 list=WAN
add interface=ISP2 list=WAN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=PPTPprofile \
    enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.1.253/24 disabled=yes interface=AP network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
add comment=defconf interface=ISP1
add disabled=no interface=ISP2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.122 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.122
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=********************* list=WAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes dst-address-list=WAN \
    new-connection-mark=HairPin_NAT passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.1.0/24 in-interface=bridge new-connection-mark=ISP1 \
    passthrough=no per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.1.0/24 in-interface=bridge new-connection-mark=ISP2 \
    passthrough=no per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1 \
    new-routing-mark=via-isp1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2 \
    new-routing-mark=via-isp2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="HairPin NAT" connection-mark=\
    HairPin_NAT disabled=yes
add action=dst-nat chain=dstnat disabled=yes dst-address-list=WAN dst-port=\
    32400 protocol=tcp to-addresses=192.168.1.20 to-ports=32400
add action=dst-nat chain=dstnat dst-address=192.168.1.11 dst-address-list=WAN \
    dst-port=3389 protocol=tcp to-addresses=192.168.1.11 to-ports=3389
add action=dst-nat chain=dstnat dst-address=192.168.1.20 dst-address-list=WAN \
    dst-port=1433 protocol=tcp to-addresses=192.168.1.20 to-ports=1433
add action=dst-nat chain=dstnat dst-address=192.168.1.4 dst-address-list="" \
    dst-port=9091 protocol=tcp src-address-list="" to-addresses=192.168.1.4 \
    to-ports=9091
add action=src-nat chain=srcnat dst-port=1723 ipv4-options=any out-interface=\
    ISP1 protocol=tcp to-ports=1723
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.1.20 to-ports=32400
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ISP1
add action=masquerade chain=srcnat disabled=yes out-interface=bridge
/ip route
add check-gateway=ping distance=1 gateway=Otenet routing-mark=via-isp1
add check-gateway=ping distance=1 gateway=ISP2 routing-mark=via-isp2
add check-gateway=ping distance=1 gateway=Otenet
add distance=1 dst-address=192.168.1.20/32 gateway=bridge pref-src=192.168.1.1
add distance=1 dst-address=192.168.40.0/24 gateway=Easymint
/lcd
set time-interval=hour
/ppp secret
add name=infernoulis profile=PPTPprofile service=pptp
add name=tony profile=PPTPprofile service=pptp
add name=panayotis profile=PPTPprofile service=pptp
add name=freeman profile=PPTPprofile service=pptp
/routing ospf interface
add network-type=point-to-point
/routing ospf network
add area=backbone network=192.168.1.0/24
add area=backbone network=192.168.30.0/24
/system clock
set time-zone-name=Europe/Athens
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge disabled=yes display-time=5s
set Otenet disabled=yes display-time=5s
set Easymint disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ISP1 disabled=yes display-time=5s
set ISP2 disabled=yes display-time=5s
set Switch disabled=yes display-time=5s
set AP disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
/system scheduler
add comment="Update Dynu DDNS" interval=5m name=Dynu_Updater on-event=\
    "/system script run Dynu\r\
    \n" policy=read,write,test start-time=startup
/system script
add dont-require-permissions=yes name=Dynu owner=admin policy=read,write,test \
    source=":global ddnsuser \"***********\"\r\
    \n:global ddnspass \"*************\"\r\
    \n:global theinterface \"Otenet\"\r\
    \n:global ddnshost \"**************************\"\r\
    \n:global ipddns [:resolve \$ddnshost];\r\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterf\
    ace ] address ]\r\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
    \n:log info (\"dynu: No ip address on \$theinterface .\")\r\
    \n} else={\r\
    \n:for i from=( [:len \$ipfresh] - 1) to=0 do={\r\
    \n:if ( [:pick \$ipfresh \$i] = \"/\") do={\r\
    \n:set ipfresh [:pick \$ipfresh 0 \$i];\r\
    \n}\r\
    \n}\r\
    \n:if (\$ipddns != \$ipfresh) do={\r\
    \n:log info (\"dynu: IP-dynu = \$ipddns\")\r\
    \n:log info (\"dynu: IP-Fresh = \$ipfresh\")\r\
    \n:log info \"dynu: Update IP needed, Sending UPDATE...!\"\r\
    \n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$ipfresh\"\r\
    \n/tool fetch address=api.dynu.com src-path=\$str mode=http user=\$ddnsuser\
    \_password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
    \n:delay 1\r\
    \n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
    \n/file remove \$str\r\
    \n:global ipddns \$ipfresh\r\
    \n:log info \"dynu: IP updated to \$ipfresh!\"\r\
    \n} else={\r\
    \n:log info \"dynu: dont need changes\";\r\
    \n}\r\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface
UNEXPECTED UPDATE: Ran a speed test at 1:55am, results are 463.55 down, 67.82 up, so I'm guessing no heavy traffic due to the time of the day?
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Routerboard RB2011 UAS RM

Sat Apr 09, 2022 2:06 pm

OK, so the second WAN and LAN now use different subnets. The ISP route needs changing to use an address rather than interface per my earlier post.

The mangle mark connection rules have the wrong logic: as written they apply PCC with a destination of 192.168.1.0/24; it should be not 192.168.1.0/24. You may wish to accept traffic destined for the 5G modem and the VPN tunnel before the mark connection rules so they are still reachable. See https://wiki.mikrotik.com/wiki/Manual:PCC for more information.

Your PCC setup will distribute connections equally between the two WAN links. If you wish to use 5G unless it is unavailable there are other distribution mechanisms.
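
Added example (not part of the thread and not MikroTik's code): a small Python check that parses a RouterOS v6 /export and flags the problems diagnosed in the replies above, namely a WAN port left in the LAN bridge, fasttrack enabled alongside mangle marking, an ethernet interface name used as a route gateway, PCC rules matching the local subnet as destination, and an enabled PPTP server. The finding names are made up for this example, and the sample is a shortened excerpt of the first export posted in the thread.

```python
import ipaddress
import re

# Shortened excerpt of the first /export posted in the thread (RouterOS 6.49.2).
SAMPLE_EXPORT = r'''
/interface ethernet
set [ find default-name=ether1 ] comment=Cosmote name=ISP1
set [ find default-name=ether2 ] comment="5G Router" name=ISP2
/interface bridge port
add bridge=bridge comment=defconf interface=ISP2
add bridge=bridge comment=defconf interface=Switch
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ISP2 list=WAN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=PPTPprofile \
    enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.1.0/24 in-interface=bridge new-connection-mark=ISP2 \
    passthrough=no per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=ISP2 \
    new-routing-mark=via-isp2 passthrough=yes
/ip route
add check-gateway=ping distance=1 gateway=Otenet routing-mark=via-isp1
add check-gateway=ping distance=1 gateway=ISP2 routing-mark=via-isp2
'''

PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Return {section: [{key: value}, ...]} for add/set items not disabled."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join lines continued with "\"
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            current = sections.setdefault(line, [])
        elif current is not None and line.split(' ', 1)[0] in ('add', 'set'):
            item = {k: v.strip('"') for k, v in PAIR.findall(line)}
            if item.get('disabled') != 'yes':
                current.append(item)
    return sections


def overlaps_local(dst, local_nets):
    try:
        net = ipaddress.ip_network(dst, strict=False)
    except ValueError:  # address ranges etc. are not handled in this example
        return False
    return any(net.overlaps(n) for n in local_nets)


def audit(text):
    """Return sorted finding names (hypothetical labels) for the export."""
    s = parse_export(text)
    findings = set()
    wan = {m.get('interface') for m in s.get('/interface list member', [])
           if m.get('list') == 'WAN'}
    if any(p.get('interface') in wan for p in s.get('/interface bridge port', [])):
        findings.add('wan-port-in-lan-bridge')
    mangle = s.get('/ip firewall mangle', [])
    marking = any(r.get('action', '').startswith('mark-') for r in mangle)
    fasttrack = any(r.get('action') == 'fasttrack-connection'
                    for r in s.get('/ip firewall filter', []))
    if marking and fasttrack:
        findings.add('fasttrack-with-marking')
    ether = {e['name'] for e in s.get('/interface ethernet', []) if 'name' in e}
    if any(r.get('gateway') in ether for r in s.get('/ip route', [])):
        findings.add('ethernet-interface-as-gateway')
    local = [ipaddress.ip_interface(a['address']).network
             for a in s.get('/ip address', []) if 'address' in a]
    for r in mangle:
        dst = r.get('dst-address', '')
        if 'per-connection-classifier' in r and dst and not dst.startswith('!'):
            if overlaps_local(dst, local):
                findings.add('pcc-matches-local-destination')
    if any(x.get('enabled') == 'yes'
           for x in s.get('/interface pptp-server server', [])):
        findings.add('pptp-server-enabled')
    return sorted(findings)


if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE_EXPORT)))
```

A LAN/WAN subnet clash cannot be detected this way, because the DHCP-client address on ISP2 is dynamic and does not appear in the export.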
