GregC
just joined
Topic Author
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Dual WAN Setup with DSL and Starlink

Sat Mar 04, 2023 11:34 pm

Please refer to the image below and export file. My current setup is working with the Starlink connected to ether2-WAN with no problems. I would like to use the existing DSL modem currently connected to the combo-WAN port as a workaround to remotely access the MikroTik CCR1009-7G-1C-1S+ router from a remote location. I don’t care to load balance… all I want is to access the router from remote site. The Starlink is set to bridge mode. I have spent many days looking at some of your postings and I am sure I’m missing something from the configuration shown below. Thank you in advance.
# model = CCR1009-7G-1C-1S+
/interface bridge
add comment=Management name=br-vlan1-Management
add comment=Guest name=br-vlan10-Guest
add comment=Office name=br-vlan20-Office
add comment=Video name=br-vlan30-Video

/interface ethernet
set [ find default-name=combo1 ] name=combo-WAN comment=DSL
set [ find default-name=ether1 ] name=ether1-O-Switch
set [ find default-name=ether2 ] name=ether2-WAN comment=StarLink
set [ find default-name=ether3 ] name=ether3-Office
set [ find default-name=ether4 ] name=ether4-Office
set [ find default-name=ether5 ] name=ether5-Office
set [ find default-name=ether6 ] name=ether6-Video
set [ find default-name=ether7 ] name=ether7-Management
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface vlan
add comment=Management interface=ether1-O-Switch name=vl-1-O-Switch-Management vlan-id=1
add comment=Guest interface=ether1-O-Switch name=vl-10-O-Switch-Guest vlan-id=10
add comment=Office interface=ether1-O-Switch name=vl-20-O-Switch-Office vlan-id=20
add comment=Video interface=ether1-O-Switch name=vl-30-O-Switch-Video vlan-id=30

/interface list
add name=WAN
add name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox

/ip pool
add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.50
add name=dhcp_pool10 ranges=192.168.10.25-192.168.11.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.50
add name=dhcp_pool30 ranges=192.168.30.2-192.168.30.50

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=br-vlan1-Management lease-time=1d name=dhcp1
add address-pool=dhcp_pool10 disabled=no interface=br-vlan10-Guest lease-time=4h name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=br-vlan20-Office lease-time=1d name=dhcp20
add address-pool=dhcp_pool30 disabled=no interface=br-vlan30-Video lease-time=1d name=dhcp30

/interface bridge port
add bridge=br-vlan1-Management interface=vl-1-O-Switch-Management
add bridge=br-vlan10-Guest interface=vl-10-O-Switch-Guest
add bridge=br-vlan20-Office interface=vl-20-O-Switch-Office
add bridge=br-vlan30-Video interface=vl-30-O-Switch-Video
add bridge=br-vlan20-Office interface=ether3-Office
add bridge=br-vlan20-Office interface=ether4-Office
add bridge=br-vlan20-Office interface=ether5-Office
add bridge=br-vlan30-Video interface=ether6-Video
add bridge=br-vlan1-Management interface=ether7-Management

/ip neighbor discovery-settings
set discover-interface-list=discover

/interface list member
add interface=combo-WAN list=WAN comment=DSL
add interface=br-vlan1-Management list=LAN
add interface=br-vlan10-Guest list=LAN
add interface=br-vlan20-Office list=LAN
add interface=br-vlan30-Video list=LAN
add interface=ether2-WAN list=WAN comment=StarLink
add interface=ether3-Office list=discover
add interface=ether4-Office list=discover
add interface=ether5-Office list=discover
add interface=ether6-Video list=discover
add interface=ether7-Management list=discover
add interface=sfp-sfpplus1 list=discover
add interface=br-vlan1-Management list=discover
add interface=br-vlan10-Guest list=discover
add interface=br-vlan20-Office list=discover
add interface=br-vlan30-Video list=discover
add interface=br-vlan1-Management list=mactel
add interface=br-vlan10-Guest list=mactel
add interface=br-vlan20-Office list=mactel
add interface=br-vlan30-Video list=mactel
add interface=br-vlan1-Management list=mac-winbox
add interface=br-vlan10-Guest list=mac-winbox
add interface=br-vlan20-Office list=mac-winbox
add interface=br-vlan30-Video list=mac-winbox

/ip address
add address=192.168.1.1/24 comment=Management interface=br-vlan1-Management network=192.168.1.0
add address=192.168.10.1/23 comment=Guest interface=br-vlan10-Guest network=192.168.10.0
add address=192.168.20.1/24 comment=Office interface=br-vlan20-Office network=192.168.20.0
add address=192.168.30.1/24 comment=Video interface=br-vlan30-Video network=192.168.30.0
#Static IP from DSL Modem
add address=1.2.3.66/29 comment=Static-DSL interface=combo-WAN network=1.2.3.64

/ip cloud
set ddns-enabled=yes

#Dynamic IP from Starlink on bridge mode
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2-WAN

/ip dhcp-server network
add address=192.168.1.0/24 comment=Management dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.10.0/23 comment=Guest dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 comment=Office dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.30.0/24 comment=Video dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1

/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=193.70.81.119 comment=BANIP list=BANIP
add address=185.153.196.93 comment=BANIP list=BANIP
add address=174.99.221.66 comment="BitTorrent Torrent Hash" list=BANIP
add address=172.16.0.0/12 comment=RFC6890 list=Bogons
add address=100.64.0.0/10 comment=RFC6890 list=Bogons
add address=240.0.0.0/4 comment=RFC6890 list=Bogons

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="L2TP Server over IPSec" port=1701,500,4500 protocol=udp
add action=accept chain=input comment="L2TP Server over IPSec" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="Block Bit Torrent Port" dst-port=44822 protocol=tcp
add action=drop chain=input comment="Block Bit Torrent Port" dst-port=54116 protocol=tcp
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward comment="Block Bit Torrent" layer7-protocol=layer7-bittorrent-exp src-address=192.168.10.0/23 src-address-list=!allow-bit
add action=drop chain=forward comment="Block Bit Torrent" dst-port=!0-1024,9791,5900,5800,3389,14147,5222,59905,500,1701,4500 protocol=tcp src-address-list=Torrent-Conn
add action=drop chain=forward comment="Block Bit Torrent" dst-port=!0-1024,9791,5900,5800,3389,14147,5222,59905,500,1701,4500 protocol=udp src-address-list=Torrent-Conn
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Block torrent wwws" layer7-protocol=torrent-wwws
add action=drop chain=forward comment="Block torrent dns" dst-port=53 layer7-protocol=torrent-dns protocol=udp
add action=drop chain=forward comment="Drop to bogon list from src-address" src-address-list=Bogons
add action=drop chain=forward comment="Drop to bogon list from dst-address" dst-address-list=Bogons

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip route
add distance=1 gateway=1.2.3.70 routing-mark=RouteTable--DSL

/ip route rule
add interface=combo-WAN routing-mark=RouteTable--DSL table=RouteTable--DSL

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=1234
set api-ssl disabled=yes

/system clock
set time-zone-name=America/Chicago

/system identity
set name=CCR1009-7G
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Dual WAN Setup with DSL and Starlink

Sun Mar 05, 2023 1:14 pm

You are missing any /ip firewall mangle rules, without these traffic arriving via the DSL interface will exit via Starlink and fail. Mark new connections arriving via the DSL interface, then apply the routing mark to traffic with that connection mark. You also have to disable the fasttrack rules as they are incompatible with mangling.

Separately, the use of multiple bridges for VLANs is very much the old method since VLAN-aware bridges were introduced and can introduce a number of issues, see https://help.mikrotik.com/docs/display/ ... figuration
 
GregC
just joined
Topic Author
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Dual WAN Setup with DSL and Starlink

Sun Mar 05, 2023 5:31 pm

Hi tdw,

I will look into the mangle rules. I was trying to learn of other options/solutions in order to avoid disabling the fasttrack rules. I didn't know about the issue with multiple VLANs.
Thank you, and I will post back the outcome.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Dual WAN Setup with DSL and Starlink

Sun Mar 05, 2023 6:05 pm

Routing rules usually won't work in this scenario. However you might be able to use them if you have a static address on the DSL WAN specifying this as the src-address in the rule, otherwise you could qualify the fasttrack rule so it only applies fast track to packets which are not going to be mangled.

Given the speed of your WANs I wouldn't have thought that disabling fast track would be noticeable on a CCR.
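As an added example (not tdw's or anyone's posted config), this is what tdw's two suggestions look like against the interface names in the export above: new connections that enter via combo-WAN get a connection mark, the replies in those connections get the RouteTable--DSL routing mark, and the existing fasttrack rule is qualified so that marked flows never bypass mangle. The mangle syntax is the same in RouterOS v6 and v7; it assumes the RouteTable--DSL table already exists with a default route via the DSL gateway (1.2.3.70 in the export), created as in the export on v6 or with /routing table add fib name=RouteTable--DSL on v7.

```routeros
# Added example: return-path routing for connections that arrive over the DSL WAN.
# Assumes: interface combo-WAN, interface list LAN, routing table RouteTable--DSL
# with a 0.0.0.0/0 route via the DSL gateway, as in the export above.

/ip firewall mangle
# 1. Tag every new connection that enters the router on the DSL interface.
#    Prerouting sees both traffic for the router itself and traffic that will be
#    forwarded, so one rule covers remote admin and any port-forwarded host.
add chain=prerouting in-interface=combo-WAN connection-state=new \
    action=mark-connection new-connection-mark=DSL-conn passthrough=yes \
    comment="tag connections arriving via DSL"

# 2. Replies generated by the router itself (output chain) for a tagged connection
#    are looked up in the DSL table instead of main, so they do not leave via Starlink.
add chain=output connection-mark=DSL-conn \
    action=mark-routing new-routing-mark=RouteTable--DSL passthrough=no \
    comment="router replies for DSL connections leave via DSL"

# 3. Replies from LAN hosts (only relevant if something behind the router is reached
#    via DSL) get the same routing mark; in-interface-list=LAN keeps the rule from
#    touching the inbound packets themselves.
add chain=prerouting in-interface-list=LAN connection-mark=DSL-conn \
    action=mark-routing new-routing-mark=RouteTable--DSL passthrough=no \
    comment="LAN replies for DSL connections leave via DSL"

/ip firewall filter
# 4. tdw's alternative to disabling fasttrack: restrict the existing defconf rule to
#    unmarked connections. Starlink flows stay in the fast path; DSL-tagged flows keep
#    traversing the mangle rules on every packet, which mark-routing requires.
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark

# Verification after a remote login over DSL: the session should show the mark.
/ip firewall connection print where connection-mark=DSL-conn
```

If the router's own address on combo-WAN is static (1.2.3.66 in the export), tdw's routing-rule variant with src-address=1.2.3.66/32 handles the router-originated replies without mangle, but the fasttrack caveat still applies to any forwarded traffic.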
 
GregC
just joined
Topic Author
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Dual WAN Setup with DSL and Starlink

Sun Mar 05, 2023 6:17 pm

Yes, the DSL WAN is a static IP. Currently working on the changes to see if I can work around using mangle rules. Just to be clear, the intent is to use the DSL for access to the router from a remote location due to the CGNAT issues with Starlink. No intent to use the DSL WAN port for the users. Currently the active port for the Starlink is working pretty good for just about 80 users going at it at around 75Mbps peaks. This is using the commercial account.

Thank you!
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Setup with DSL and Starlink

Sun Mar 05, 2023 9:45 pm

Wow so over complicated....... FIXED>
-also keep firewall rules in order of chain...... much easier to read/understand/fix (aka easier to spot the duplicate you do have in the forward chain)
-moved bogons to blackhole method, at least unlike most others you didn't include your own subnets LOL, but you do trip over the loopback one!!
(important not to be in the way of WAN subnets as well, so I imagine you already checked vis-a-vis your CGNAT and static WAN IP!!)
-got rid of all bittorrent blocking rules for now. Ask in your thread if there is a reasonable way to do so, but my thought is not really.

** Yes I have included the method to get your routing working as required.
*** Suggest wireguard is the easiest VPN method to get connectivity remotely and securely. In this regard, let's say the laptop or iPhone etc. has a wireguard IP of 10.10.10.2/32.
The router has a wireguard IP address of 10.10.10.1/24. Establish the tunnel connection from the remote device to the fixed WAN IP. For return traffic, the router will be told for any traffic back to the source of the wireguard IP address, re-enter the tunnel vice go out WAN1.


# model = CCR1009-7G-1C-1S+
/interface bridge
add name=bridge vlan-filtering=no
# change vlan-filtering to yes as the last step, once the bridge vlan table below is in place

/interface vlan
add interface=bridge comment=Management name=vlanM-5 vlan-id=5
add interface=bridge comment=Guest name=vlanG-10 vlan-id=10
add interface=bridge comment=Office name=vlanOFF-20 vlan-id=20
add interface=bridge comment=Video name=vlanVID-30 vlan-id=30

/interface wireguard
add disabled=no listen-port=15225 mtu=1420 name=WG-DSL

/interface ethernet
set [ find default-name=combo1 ] name=combo-WAN comment=DSL
set [ find default-name=ether1 ] name=ether1-O-Switch
set [ find default-name=ether2 ] name=ether2-WAN comment=StarLink
set [ find default-name=ether3 ] name=ether3-Office
set [ find default-name=ether4 ] name=ether4-Office
set [ find default-name=ether5 ] name=ether5-Office
set [ find default-name=ether6 ] name=ether6-Video
set [ find default-name=ether7 ] name=ether7-Management
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface list
add name=WAN
add name=LAN
add name=MGMT

/ip pool
add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.50
add name=dhcp_pool10 ranges=192.168.10.25-192.168.11.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.50
add name=dhcp_pool30 ranges=192.168.30.2-192.168.30.50

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlanM-5 lease-time=1d name=dhcp1
add address-pool=dhcp_pool10 disabled=no interface=vlanG-10 lease-time=4h name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=vlanOFF-20 lease-time=1d name=dhcp20
add address-pool=dhcp_pool30 disabled=no interface=vlanVID-30 lease-time=1d name=dhcp30

/interface bridge port
# trunk port to the external switch: only tagged frames admitted
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1-O-Switch
# access ports (referenced by the names assigned under /interface ethernet above)
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Office pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4-Office pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5-Office pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-Video pvid=30
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-Management pvid=5

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-O-Switch untagged=ether7-Management vlan-ids=5
add bridge=bridge tagged=bridge,ether1-O-Switch untagged=ether3-Office,ether4-Office,ether5-Office vlan-ids=20
add bridge=bridge tagged=bridge,ether1-O-Switch untagged=ether6-Video vlan-ids=30
add bridge=bridge tagged=bridge,ether1-O-Switch vlan-ids=10

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/interface list member
add interface=combo-WAN list=WAN comment=DSL
add interface=ether2-WAN list=WAN comment=StarLink
add interface=vlanM-5 list=LAN
add interface=vlanG-10 list=LAN
add interface=vlanOFF-20 list=LAN
add interface=vlanVID-30 list=LAN
add interface=WG-DSL list=LAN
add interface=vlanM-5 list=MGMT
add interface=WG-DSL list=MGMT

/interface wireguard peers
add allowed-address=10.10.10.2/32 comment="Admin over wireguard" interface=WG-DSL public-key="<public key issued by the remote device>"

/ip address
add address=192.168.1.1/24 comment=Management interface=vlanM-5 network=192.168.1.0
add address=192.168.10.1/23 comment=Guest interface=vlanG-10 network=192.168.10.0
add address=192.168.20.1/24 comment=Office interface=vlanOFF-20 network=192.168.20.0
add address=192.168.30.1/24 comment=Video interface=vlanVID-30 network=192.168.30.0
# Static IP from DSL Modem
add address=1.2.3.66/29 comment=Static-DSL interface=combo-WAN network=1.2.3.64
add address=10.10.10.1/24 comment=wireguard interface=WG-DSL network=10.10.10.0

/ip cloud
set ddns-enabled=yes

# Dynamic IP from Starlink on bridge mode
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2-WAN

/ip dhcp-server network
add address=192.168.1.0/24 comment=Management dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.10.0/23 comment=Guest dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 comment=Office dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.30.0/24 comment=Video dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1

/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall filter
# input chain - default rules
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# input chain - admin rules
add action=accept chain=input comment="L2TP Server over IPSec" port=1701,500,4500 protocol=udp
add action=accept chain=input comment="L2TP Server over IPSec" protocol=ipsec-esp
add action=accept chain=input comment=wireguard dst-port=15225 protocol=udp
add action=accept chain=input comment="allow admin to router" in-interface-list=MGMT
add action=accept chain=input comment="allow users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="allow users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# put this in as the last input rule so you don't lock yourself out
add action=drop chain=input comment="drop all else"

# forward chain - default rules
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# forward chain - admin rules
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# optional
add action=accept chain=forward comment="wireguard to subnets" in-interface=WG-DSL out-interface-list=LAN
# can be disabled or removed if not doing any port forwarding
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip route
# should be in place already - the two standard routes ensure all traffic is routed to CGNAT (Starlink) by distance
# (the Starlink default route is normally installed by the DHCP client on ether2-WAN)
add distance=5 gateway=ether2-WAN routing-table=main check-gateway=ping
# fixedWAN-gateway_IP is the DSL gateway, 1.2.3.70 in the original export
add distance=10 gateway=fixedWAN-gateway_IP routing-table=main
# created automatically by the router (DAC) once the wireguard address is added:
# dst-address=10.10.10.0/24 gateway=WG-DSL routing-table=main

NOW we need to add one table, one route and one routing rule.........

/routing table
add fib name=RouteTable--DSL

/ip route
add dst-address=0.0.0.0/0 gateway=fixedWAN-gateway_IP routing-table=RouteTable--DSL

/routing rule
# fixedWAN_IP_address is the static DSL address, 1.2.3.66/32 in the original export
add action=lookup-only-in-table src-address=fixedWAN_IP_address table=RouteTable--DSL

Note: This routing rule ensures on the initial handshake that the return traffic is from WAN2 and thus the tunnel is hardwired to WAN2

# more routes: blackhole the bogon and BANIP ranges instead of filtering on address lists
/ip route
add blackhole disabled=no dst-address=0.0.0.0/8 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=224.0.0.0/4 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=169.254.0.0/16 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=192.0.2.0/24 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=192.88.99.0/24 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=198.18.0.0/15 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=198.51.100.0/24 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=203.0.113.0/24 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=172.16.0.0/12 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=100.64.0.0/10 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=240.0.0.0/4 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=193.70.81.119/32 gateway="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no dst-address=174.99.221.66/32 gateway="" routing-table=main suppress-hw-offload=no

/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
GregC
just joined
Topic Author
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Dual WAN Setup with DSL and Starlink

Sun Mar 05, 2023 10:22 pm

Hi anav,

Thank you very much for your input. I will try your suggestions and get back to you all. I am on site doing this work as it is a production router which we upgraded to use Starlink instead of the DSL. To do this, I will get another spare router, implement the changes, and test it. Again, will keep you all posted.
 
GregC
just joined
Topic Author
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Dual WAN Setup with DSL and Starlink

Wed Mar 08, 2023 12:10 am

Dual WAN Setup with DSL and Starlink – Update <SOLVED>

@anav, @tdw

Again, thank you so much for your input. I have updated the image below to reflect the current change/update. Simply put, I added a hAP between the static IP on the DSL modem and the CCR1009 router and got it to work without having to make changes to the CCR1009 😊. Now I have a backdoor from any remote location to this router and don't have to worry about the CGNAT from Starlink.

@anav and @tdw,

I like your suggestions for the newer VLANs, firewall filter, etc. and I am currently playing with this configuration on my lab before migrating to production as I move forward with other implementations. Although I was already playing with the latest version of 7.8.0 (Stable), I will implement your suggestions including the WireGuard as well.

Following are the steps I took:
• Upgraded the hAP to 7.8.0 (Stable).
• Also included in this update is the code for the hAP just using the default configuration out of the box.
• Notice that I added /tool romon to the configuration.
• Disabled the Wi-Fi as it is not used for this implementation.
• Connected the hAP ether2 port to the CCR1009 ether7 port.
# mar/07/2023 12:34:31 by RouterOS 7.8
#
# model = RBD52G-5HacD2HnD

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Disabled as it is not needed for this application
add authentication-types=wpa2-psk mode=dynamic-keys name=Guest supplicant-identity=""

/interface wireless
# Disabled as it is not needed for this application
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX country="united states3" distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Guest ssid=Guest-2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country="united states3" distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Guest ssid=Guest-5G wireless-protocol=802.11

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf

/routing bgp template
set default disabled=no output.network=bgp-networks

/routing ospf instance
add disabled=no name=default-v2

/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/user group
set read policy=local,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!telnet,!ftp,!write,!policy

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface ovpn-server server
set auth=sha1,md5

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=1.2.3.4/29 interface=ether1 network=1.2.3.4

/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip route
add distance=1 gateway=1.2.3.4

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=1234
set api-ssl disabled=yes

/system identity
set name=XYZ

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool romon
set enabled=yes
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Setup with DSL and Starlink

Wed Mar 08, 2023 12:56 am

No thanks, if you had asked for help including the hAP I'd be interested. I don't have time to chase changing requirements..........
tdw is more patient LOL.
 
GregC
just joined
Topic Author
Posts: 22
Joined: Fri Oct 18, 2013 6:53 pm

Re: Dual WAN Setup with DSL and Starlink

Wed Mar 08, 2023 1:06 am

I hear you loud and clear. It was a last-minute idea that came to me just this morning. I scratch my head wondering how you keep up with all this!!!! LOL
