joshhboss
Member Candidate
Topic Author
Posts: 273
Joined: Thu Aug 01, 2019 2:13 pm

Newbie-- Recursive Routes-- Mangle -- Fasttrack?

Fri Jan 27, 2023 4:38 am

So I'm new to MikroTik, but I've been kind of obsessing and spending all my free time trying to understand and improve. What I was trying to practice here is on a small hEX, because I'm providing internet to just one office for an event, so I figured this would be a good exercise. Should only have about 20 or so devices, maybe 40, and I doubt it; I'm including watches and phones. Now I wanted to try doing recursive routes with failover (internet connections will be a Starlink and a MikroTik LTE dish; LTE really only ever gets like 40 megs), but I was going to have the LTE as a failover. Now in the exercise in the office it seemed to work pretty good, but I'm wondering if Fasttrack being enabled will be a problem. (I've stared at that packet flow diagram and I'm still pretty much learning as I'm practicing... sorry, I just learn that way.) I had a mangle rule there to just try it and it seems to work as well, but I don't know if I should continue to use it if I have Fasttrack enabled. I'm posting below just to see if anyone can point out if I'm doing this right or really wrong.

[admin@HEX-Event] > export
# jan/26/2023 21:30:52 by RouterOS 7.7
# software id = E15E-ZB1M
#
# model = RB760iGS
# serial number = 
/interface bridge
add admin-mac==auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_Wan1
set [ find default-name=ether2 ] name=ether2_Wan2
/interface wireguard
/interface vlan
add interface=bridge name=30Production vlan-id=30
add interface=bridge name=200Management vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TrustedLAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add interface=ether1_Wan1 name=server1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=30Production ranges=10.30.0.10-10.30.3.250
add name=bridge ranges=192.168.81.10-192.168.81.250
/ip dhcp-server
add address-pool=30Production interface=30Production lease-time=8h name=30Production
add address-pool=bridge interface=bridge lease-time=8h name=Bridge81
/port
set 0 name=serial0
/routing table
add disabled=no fib name=WAN21
/snmp community
add addresses=::/0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip firewall connection tracking
set generic-timeout=5m tcp-established-timeout=8h udp-stream-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_Wan1 list=WAN
add interface=wireguard1 list=TrustedLAN
add interface=bridge list=TrustedLAN
add interface=miamievent list=TrustedLAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
/ip address
add address=192.168.81.1/24 comment=defconf interface=bridge network=192.168.81.0
add address=10.30.0.1/22 interface=30Production network=10.30.0.0
add address=192.168.200.5/24 interface=200Management network=192.168.200.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1_Wan1
add add-default-route=no interface=ether2_Wan2
/ip dhcp-server network
add address=10.30.0.0/22 dns-server=8.8.8.8,1.1.1.1 gateway=10.30.0.1
add address=192.168.81.0/24 dns-server=192.168.81.1,8.8.8.8 gateway=192.168.81.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.0/16 list=PrivateIPs
add address=172.16.0.0/12 list=PrivateIPs
add address=10.0.0.0/8 list=PrivateIPs
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!TrustedLAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!PrivateIPs new-routing-mark=WAN21 passthrough=yes src-address=192.168.81.249
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1_Wan1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether2_Wan2
/ip route
add disabled=no dst-address=4.2.2.2/32 gateway=10.10.10.1 routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=4.2.2.2 pref-src="" routing-table=main scope=11 suppress-hw-offload=no target-scope=11
add disabled=no dst-address=9.9.9.9/32 gateway=192.168.31.1 routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 pref-src="" routing-table=main scope=11 suppress-hw-offload=no target-scope=11
/snmp
/system clock
set time-zone-name=America/New_York
/system identity
set name=HEX-Event
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.windows.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
[admin@HEX-Event] > 
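Added example, not from the thread or from MikroTik: a Python model of how the four /ip route entries in the export above resolve recursively and fail over by distance. It assumes the two WAN DHCP clients received addresses in 10.10.10.0/24 and 192.168.31.0/24 (the export does not show them) and stands in for check-gateway=ping with a set of gateways that currently answer.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

@dataclass
class Route:
    dst: str
    gateway: str
    distance: int = 1
    scope: int = 30
    target_scope: int = 10
    check_gateway: bool = False

# Mirrors the four /ip route entries in the export above.
ROUTES = [
    Route("4.2.2.2/32", "10.10.10.1", scope=10, target_scope=10),
    Route("0.0.0.0/0", "4.2.2.2", distance=1, scope=11, target_scope=11, check_gateway=True),
    Route("9.9.9.9/32", "192.168.31.1", scope=10, target_scope=10),
    Route("0.0.0.0/0", "9.9.9.9", distance=2, scope=11, target_scope=11, check_gateway=True),
]
# Assumed: the connected WAN subnets the two DHCP clients got (connected routes have scope 10).
CONNECTED = {"10.10.10.0/24": "ether1_Wan1", "192.168.31.0/24": "ether2_Wan2"}

def resolve_gateway(gw: str, target_scope: int, depth: int = 0) -> Optional[str]:
    """Egress interface for gateway gw, or None if it cannot be resolved.
    A gateway resolves via a connected network, or recursively via another
    route whose scope <= target_scope (how 0.0.0.0/0 via 4.2.2.2 rides on the /32)."""
    if depth > 8:  # guard against routes that point at each other
        return None
    addr = ip_address(gw)
    for net, iface in CONNECTED.items():
        if addr in ip_network(net):
            return iface
    hits = [r for r in ROUTES if r.scope <= target_scope and addr in ip_network(r.dst)]
    best = max(hits, key=lambda r: ip_network(r.dst).prefixlen, default=None)  # longest prefix
    return resolve_gateway(best.gateway, best.target_scope, depth + 1) if best else None

def active_default_route(reachable: Set[str]) -> Optional[str]:
    """Default route RouterOS would install: lowest distance among routes whose
    gateway resolves and, with check-gateway=ping, still answers ping.
    `reachable` stands in for the set of gateways currently replying."""
    for r in sorted((r for r in ROUTES if r.dst == "0.0.0.0/0"), key=lambda r: r.distance):
        if r.check_gateway and r.gateway not in reachable:
            continue  # ping to 4.2.2.2 / 9.9.9.9 failed: this route goes inactive
        iface = resolve_gateway(r.gateway, r.target_scope)
        if iface:
            return iface
    return None
```

With check-gateway=ping on a recursive route the probe goes to the far host (4.2.2.2 or 9.9.9.9), so WAN1 is declared down whenever that host stops answering, not only when the Starlink link itself fails.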
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Newbie-- Recursive Routes-- Mangle -- Fasttrack?

Fri Jan 27, 2023 6:07 am

Newbie-- Recursive Routes-- Mangle -- Fasttrack? = Problems
 
joshhboss
Member Candidate
Topic Author
Posts: 273
Joined: Thu Aug 01, 2019 2:13 pm

Re: Newbie-- Recursive Routes-- Mangle -- Fasttrack?

Fri Jan 27, 2023 6:49 am

So give up and not try? Don't post and just pay someone else to do it? Always amazes me, the guys who never needed to learn and just spawned onto the earth and knew everything. If only there were a place you could find a community of people who enjoy learning and helping others learn…

Jeez..

Sorry I asked? 😕
 
joshhboss
Member Candidate
Topic Author
Posts: 273
Joined: Thu Aug 01, 2019 2:13 pm

Re: Newbie-- Recursive Routes-- Mangle -- Fasttrack?

Fri Jan 27, 2023 7:02 am

And I've read how Fasttrack causes problems with mangle; just during the labs it looked like it was working. Didn't know if the post I was reading was older, or maybe something in ROS made it possible even though I didn't see it in the changelog. ANYWAYS!! Since I wasn't sure and don't trust ChatGPT, I figured I'd try here.
 
joshhboss
Member Candidate
Topic Author
Posts: 273
Joined: Thu Aug 01, 2019 2:13 pm

Re: Newbie-- Recursive Routes-- Mangle -- Fasttrack?

Fri Jan 27, 2023 2:24 pm

Disabled mangle btw! 'Cause I'm keeping Fasttrack and it's a small network; I just wanted some sort of failover.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie-- Recursive Routes-- Mangle -- Fasttrack?

Fri Jan 27, 2023 2:25 pm

Come up with a more concrete plan: what will the network consist of, what VLANs will you have, and provide us with network diagrams and a set of well thought out user requirements. The requirements should drive the config, as opposed to "hey, I want to try this or that"....... As far as Starlink is concerned, be aware you are really getting a private WAN IP from that service.....

Attempt a config, then come here asking for help if it doesn't work out.......... and you will get far more traction!!

Another avenue of self-help is to take a laptop and load EVE-NG, and you can create your own networks using CHR etc..... It's really cool.
