After getting a second WAN connection from my ISP I started to change my configuration to use this 2nd connection
as failover link and directing one subnet to this 2nd wan connection.
My approach follows the Paragraph J from viewtopic.php?t=182373
Result:
1.) Failover works ( Removing connection 1 -> All traffic running on connection 2 and goes Back to connection 1 after reconnect )
2.) Never ever any packet from subnet 192.168.76.0/24 find its way to connection 2, all traffic still on connection 1
No log entries
Could you please help me to find the problem or give me some hint to enhance debugging this situation ?
You will find my configuration below. I removed the script lines because the scripts are running fine. They are only setting dyndns names and dhcp to dns.
Code: Select all
# sep/05/2022 09:13:11 by RouterOS 6.49.6
# software id = ###
#
# model = RB4011iGS+
# serial number = ###
/interface bridge
add igmp-snooping=yes igmp-version=3 name=BR1 protocol-mode=none \
vlan-filtering=yes
/interface vlan
add interface=BR1 name=AQUA_VLAN vlan-id=30
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=111
add arp=proxy-arp interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=LIME_VLAN vlan-id=60
add interface=BR1 name=RED_VLAN vlan-id=10
add interface=ether10 name=vlan-07-fiber vlan-id=7
add interface=ether1 name=vlan-07-telekom vlan-id=7
/interface pppoe-client
add comment="Magenta 100" disabled=no interface=vlan-07-telekom max-mtu=1480 \
name=pppoe-Magenta user=##user1##
add comment="fiber 500 telekom" interface=vlan-07-fiber max-mtu=1500 name=\
pppoe-fiber user=##user2##
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment="contains all WAN interfaces" name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip pool
add name=BLUE_POOL ranges=192.168.111.100-192.168.111.200
add name=GREEN_POOL ranges=192.168.76.100-192.168.76.200
add name=RED_POOL ranges=192.168.222.100-192.168.222.200
add name=LIME_POOL ranges=192.168.10.100-192.168.10.200
add name=BASE_POOL ranges=192.168.1.102-192.168.1.199
add name=AQUA_POOL ranges=192.168.33.100-192.168.33.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=LIME_POOL disabled=no interface=LIME_VLAN name=LIME_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=AQUA_POOL disabled=no interface=AQUA_VLAN lease-script=\
dhcp-leases-to-dns name=AQUA_DHCP
/caps-man manager interface
add disabled=no interface=ether3
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether2 multicast-router=disabled pvid=99
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3 \
multicast-router=disabled
add bridge=BR1 interface=sfp-sfpplus1 multicast-router=disabled
add bridge=BR1 interface=ether5 multicast-router=disabled
add bridge=BR1 interface=ether4 multicast-router=disabled
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp-sfpplus1 untagged=ether2 \
vlan-ids=99
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3 vlan-ids=111
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether5,ether4,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether3,ether4,ether5 vlan-ids=30
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-Magenta list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=LIME_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=AQUA_VLAN list=VLAN
add interface=pppoe-fiber list=WAN
/ip address
add address=192.168.1.254/24 interface=BASE_VLAN network=192.168.1.0
add address=192.168.111.254/24 interface=BLUE_VLAN network=192.168.111.0
add address=192.168.76.254/24 interface=GREEN_VLAN network=192.168.76.0
add address=192.168.222.254/24 interface=RED_VLAN network=192.168.222.0
add address=192.168.10.254/24 interface=LIME_VLAN network=192.168.10.0
add address=192.168.30.9/24 interface=ether1 network=192.168.30.0
add address=192.168.33.254/24 interface=AQUA_VLAN network=192.168.33.0
/ip dhcp-server lease
add address=192.168.1.243 client-id=1:8:55:31:a0:e8:1b mac-address=\
08:55:31:A0:E8:1B server=BASE_DHCP
add address=192.168.76.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
B8:27:EB:12:A1:71 server=GREEN_DHCP
add address=192.168.222.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
B8:27:EB:12:A1:71 server=RED_DHCP
add address=192.168.10.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
B8:27:EB:12:A1:71 server=LIME_DHCP
add address=192.168.1.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
B8:27:EB:12:A1:71 server=BASE_DHCP
add address=192.168.111.101 client-id=1:0:8:9b:bd:b5:37 mac-address=\
00:08:9B:BD:B5:37 server=BLUE_DHCP
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.10.0/24 dns-server=192.168.1.254 gateway=192.168.10.254
add address=192.168.33.0/24 dns-server=192.168.1.254 domain=##name## \
gateway=192.168.33.254
add address=192.168.76.0/24 dns-server=192.168.1.254 gateway=192.168.76.254
add address=192.168.111.0/24 dns-server=192.168.1.254 gateway=192.168.111.254
add address=192.168.222.0/24 dns-server=192.168.1.254 gateway=192.168.222.254
/ip dns
set allow-remote-requests=yes servers=100:8:101:101:600:ff08:a011:0,9.9.9.9
/ip dns static
add address=192.168.33.102 comment=AQUA_DHCP-F4:D4:88:A5:B8:65 name=\
##name## ttl=15m
/ip firewall address-list
add address=232.0.0.0/16 list=iptv_destination
add address=239.35.0.0/16 list=iptv_destination
add address=224.0.0.0/4 list=iptv_destination
/ip firewall filter
add action=accept chain=input comment="L2TP VPN erlauben" dst-port=500 \
protocol=udp src-port=""
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment=IGMP-Magenta dst-address-list=\
iptv_destination
add action=drop chain=input comment=Drop log-prefix=drop-Inp
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=IGMP-Magenta dst-address-list=\
iptv_destination
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat log-prefix=log-Accept-dstnat
add action=drop chain=forward comment="Drop Not dstnat" connection-nat-state=\
!dstnat connection-state=new in-interface=pppoe-Magenta log=yes \
log-prefix=fwd-drop
# pppoe-fiber not ready
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new connection-type="" in-interface=pppoe-fiber log=yes log-prefix=\
fwd-drop
add action=accept chain=forward
add action=accept chain=forward comment="accept LAN->cable modem" \
dst-address=192.168.30.1 in-interface=BR1 out-interface=ether1 \
src-address=192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment="VoIP Auerswald" dst-port=30000-31000 \
in-interface=pppoe-Magenta protocol=udp to-addresses=192.168.111.111 \
to-ports=30000-31000
add action=dst-nat chain=dstnat dst-port=40000-41000 in-interface=\
pppoe-Magenta protocol=udp to-addresses=192.168.111.111 to-ports=\
40000-41000
add action=dst-nat chain=dstnat dst-port=5070-5080 in-interface=pppoe-Magenta \
protocol=udp to-addresses=192.168.111.111 to-ports=5070-5080
add action=dst-nat chain=dstnat comment=WWW dst-address=!0.0.0.0 dst-port=80 \
in-interface=pppoe-Magenta protocol=tcp to-addresses=192.168.111.101 \
to-ports=80
add action=dst-nat chain=dstnat comment=WWW-SSL dst-address=!0.0.0.0 \
dst-port=443 in-interface=pppoe-Magenta protocol=tcp to-addresses=\
192.168.111.101 to-ports=443
add action=masquerade chain=srcnat comment="masquerade LAN->cable modem" \
dst-address=192.168.30.1 out-interface=ether1 src-address=192.168.0.0/16
/ip firewall service-port
set sip disabled=yes
[b]/ip route
add distance=10 gateway=pppoe-fiber routing-mark=useFiber
add check-gateway=ping comment="Magenta TV and all VLAN except Green" \
distance=5 gateway=pppoe-Magenta
add comment="Only Green VLAN 192.168.76.0/32" distance=10 gateway=pppoe-fiber
/ip route rule
add action=lookup-only-in-table comment="All Green to table useFiber" \
dst-address=0.0.0.0/0 routing-mark=useFiber src-address=192.168.76.0/24 \
table=useFiber[/b]
/ip service
set www port=8080
set www-ssl port=4433
/ppp secret
add local-address=192.168.76.1 name=testuser remote-address=192.168.76.200 \
service=l2tp
/routing igmp-proxy interface
add alternative-subnets=87.141.215.251/32 interface=pppoe-Magenta upstream=\
yes
add interface=BLUE_VLAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=##name##
/system scheduler
add interval=10m name=DynamicHost on-event=DDDns policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=sep/27/2021 start-time=15:00:00
/system script
add comment="Dyndns ddnss.de" dont-require-permissions=no name=DDDns owner=\
admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
add comment="Dyndns strato.de" dont-require-permissions=no name=Berlioz \
owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
add dont-require-permissions=no name=dhcp-leases-to-dns owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
/tool graphing interface
add interface=ether5
add interface=pppoe-Magenta
add interface=ether4
add interface=ether3
add interface=sfp-sfpplus1
add interface=GREEN_VLAN
add interface=pppoe-fiber
/tool graphing resource
add
/tool sniffer
set file-name=dumpqnap filter-interface=pppoe-Magenta,ether4 \
filter-ip-address=192.168.111.97/32 filter-ip-protocol=tcp filter-port=\
http