My configuration is:
1) Standard WAN over cable, used 99% of the time
2) Backup LTE WAN, used when #1 is not working
The whole thing automatically switches over using netwatch.
I have 2 bridges: one carries all LAN + Wi-Fi devices, and the other has only one device, with a separate LAN address, hooked up.
In addition, I have WireGuard set up.
I would like all traffic regardless of which WAN is used to go through the VPN except for the device from the second bridge (there the traffic should always go without VPN).
Current config is below:
# mar/16/2023 16:22:37 by RouterOS 7.8
# software id = GUIM-DBRY
#
# model = RBD52G-5HacD2HnD
# serial number = XXX
# Two L2 segments: "bridge" is the main LAN (192.168.222.0/24, see /ip address)
# and "bridge_elzab" is the separate segment (192.168.66.0/24) whose single
# device must always bypass the VPN.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
add name=bridge_elzab
# Backup uplink (LTE); its static default route is the distance-2 "lteplay"
# entry under /ip route and is toggled by the netwatch scripts.
/interface lte
set [ find default-name=lte1 ] name=lte_play
# eth_1_wan is the primary cable uplink (DHCP client, WAN list).
# eth_5_wyse_fiscal is the only wired port on bridge_elzab (see /interface bridge port).
/interface ethernet
set [ find default-name=ether1 ] name=eth_1_wan
set [ find default-name=ether2 ] name=eth_2_wyse_printers
set [ find default-name=ether3 ] name=eth_3
set [ find default-name=ether4 ] name=eth_4
set [ find default-name=ether5 ] name=eth_5_wyse_fiscal
# WireGuard tunnel interface; its local address is 10.8.0.222/24 (see /ip address).
# NOTE(review): UDP/51820 is listened on every interface, and this export contains
# no /ip firewall filter section, so nothing shown here restricts the port on WAN.
# WireGuard only answers authenticated peers, but an input rule limiting the port
# to the expected peer would still be the usual hardening - confirm the filter
# chain is not simply missing from the export.
/interface wireguard
add listen-port=51820 mtu=1420 name=wg_biuro_lux
# Interface lists used by NAT, discovery and mac-server. The VPN list only holds
# wg_biuro_lux (see /interface list member) and is not referenced by any rule in
# this export - the masquerade rule under /ip firewall nat covers WAN only.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
# LTE APN forced to IPv4 (IPv6 is disabled globally under /ipv6 settings).
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# WPA2-PSK profiles. "elzab_wifi" additionally enables MAC authentication; the
# MAC allow-list is the single entry under /interface wireless access-list.
# NOTE(review): no /radius section appears in this export - presumably the
# access-list alone is meant to decide admission; verify on the device.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=elzab_wifi radius-mac-authentication=yes supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=lp_biuro supplicant-identity=MikroTik
# wlan1 (2.4 GHz) serves the elzab segment and is a port of bridge_elzab;
# default-authentication=no means stations not in the access-list should be
# refused. wlan2 (5 GHz, "lp_biuro") is a port of the main bridge.
# Both radios have WPS disabled. country=no_country_set and superchannel mode
# on wlan2 bypass regulatory limits - a compliance point, not a security one.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce country=no_country_set default-authentication=no disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge security-profile=elzab_wifi ssid=elzab_wifi wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors frequency=5260 frequency-mode=superchannel \
installation=indoor mode=ap-bridge security-profile=lp_biuro ssid=lp_biuro wireless-protocol=802.11 wps-mode=disabled
# Option set "MT" is attached to every server and static lease below, but no
# /ip dhcp-server option entries appear in this export, so as far as the export
# shows it carries no options.
/ip dhcp-server option sets
add name=MT
# One pool per bridge; .1 of each subnet is the router (see /ip address).
/ip pool
add name=default-dhcp ranges=192.168.222.10-192.168.222.254
add name=dhcp_pool_elzab ranges=192.168.66.2-192.168.66.254
/ip dhcp-server
add address-pool=default-dhcp dhcp-option-set=MT interface=bridge name=dhcp_main
add address-pool=dhcp_pool_elzab dhcp-option-set=MT interface=bridge_elzab name=dhcp_elzab
# Extra routing table for "everything via the tunnel". Only the (disabled)
# "all_vpn" default route under /ip route lives in it, and no /routing rule or
# mangle entry in this export selects it, so at present nothing is steered
# through the VPN.
/routing table
add disabled=no fib name=vpn
# Port membership. eth_1_wan and lte_play are deliberately outside both
# bridges. wlan2 being a bridge port matters for the DHCP client defined on it
# below (see the export's own warning under /ip dhcp-client).
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=eth_2_wyse_printers
add bridge=bridge comment=defconf ingress-filtering=no interface=eth_3
add bridge=bridge comment=defconf ingress-filtering=no interface=eth_4
add bridge=bridge_elzab comment=defconf ingress-filtering=no interface=eth_5_wyse_fiscal
add bridge=bridge interface=wlan2
add bridge=bridge_elzab interface=wlan1
# use-ip-firewall=yes passes traffic switched between ports of the same bridge
# through the IP firewall as well. With no filter rules in this export it only
# adds processing; it becomes useful once filter/mangle rules exist.
/interface bridge settings
set use-ip-firewall=yes
# Neighbor discovery only on LAN-list interfaces (not announced towards WAN).
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is switched off entirely, which is consistent with ip-type=ipv4 on the
# LTE APN and the IPv4-only routes below.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# LAN = both bridges plus both radios (wlan1/wlan2 are already bridge ports, so
# their separate entries are redundant but harmless). WAN = cable + LTE.
# VPN = the WireGuard interface only.
# NOTE(review): because bridge_elzab is in LAN, the "isolated" segment also gets
# MAC-telnet/MAC-WinBox access to the router (/tool mac-server below allows the
# whole LAN list). If that segment is meant to be untrusted, give it its own
# list or drop it from LAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=lte_play list=WAN
add interface=wg_biuro_lux list=VPN
add interface=wlan1 list=LAN
add interface=eth_1_wan list=WAN
add interface=wlan2 list=LAN
add interface=bridge_elzab list=LAN
# OVPN server: the export shows no enabled=yes, so it is presumably off and
# this is just the default auth list. If it is ever enabled, remove md5 (and
# preferably sha1) from auth= before exposing it.
/interface ovpn-server server
set auth=sha1,md5
# Single peer = the remote VPN concentrator. allowed-address=0.0.0.0/0 is what
# permits using it as a default gateway (the "all_vpn" route under /ip route);
# persistent-keepalive keeps the NAT mapping alive across the cable/LTE uplinks.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxxxx.eu endpoint-port=51820 interface=wg_biuro_lux persistent-keepalive=10s public-key=\
"xxxxxxxxxxxxxxxxxx"
# MAC allow-list for wlan1; with default-authentication=no on that radio this is
# the only station that should be admitted (MAC checks are a weak control on
# their own - the WPA2 key is still the real barrier).
/interface wireless access-list
add comment=elzab_zeta interface=wlan1 mac-address=XX:XX:XX:XX:XX:XX
# Router addresses: one per bridge plus the tunnel-side address.
/ip address
add address=192.168.222.1/24 comment=defconf interface=bridge network=192.168.222.0
add address=10.8.0.222/24 interface=wg_biuro_lux network=10.8.0.0
add address=192.168.66.1/24 interface=bridge_elzab network=192.168.66.0
# Both uplinks get their address by DHCP but never install a default route
# (add-default-route=no); the defaults are the static "spinet"/"lteplay" routes
# under /ip route so that netwatch can switch them. use-peer-dns=no keeps the
# resolver on the DoH upstream configured under /ip dns.
# NOTE(review): the wlan2 client is dead configuration - wlan2 is an ap-bridge
# radio and a port of "bridge" (see /interface bridge port); the export's own
# warning on the next line says as much. It can be removed.
/ip dhcp-client
add add-default-route=no comment=defconf interface=eth_1_wan use-peer-dns=no use-peer-ntp=no
# DHCP client can not run on slave or passthrough interface!
add add-default-route=no interface=wlan2 use-peer-dns=no
add add-default-route=no interface=lte_play use-peer-dns=no use-peer-ntp=no
# Static leases. wyse_fiscal (192.168.66.33) is the one device on bridge_elzab
# that must always bypass the VPN; its address is inside the elzab_zeta_full
# address-list below, which is a natural match key for a routing rule.
/ip dhcp-server lease
add address=192.168.222.100 comment="macbook air" dhcp-option-set=MT mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.222.223 comment="macbook pro" dhcp-option-set=MT mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.222.101 comment=ipad dhcp-option-set=MT mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.222.202 comment=wyse_printers dhcp-option-set=MT lease-time=1w mac-address=XX:XX:XX:XX:XX:XX server=dhcp_main
add address=192.168.66.33 comment=wyse_fiscal dhcp-option-set=MT lease-time=1w mac-address=XX:XX:XX:XX:XX:XX server=dhcp_elzab
# No dns-server= is given, so clients presumably resolve via the router itself
# (it accepts remote requests under /ip dns) - confirm on a client.
/ip dhcp-server network
add address=192.168.66.0/24 gateway=192.168.66.1
add address=192.168.222.0/24 comment=defconf gateway=192.168.222.1
# Caching resolver for the LANs, forwarding over DoH to 1.1.1.1 with certificate
# verification; the plain servers= list is the fallback.
# NOTE(review): allow-remote-requests=yes answers queries on every interface,
# and this export has no /ip firewall filter section, so nothing shown here
# stops queries arriving on the WAN uplinks - an open-resolver exposure unless
# the filter chain was simply left out of the export. An input rule dropping
# UDP/TCP 53 from the WAN list is the usual fix.
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 use-doh-server=\
https://1.1.1.1/dns-query verify-doh-cert=yes
# NOTE(review): 192.168.88.1 is the factory default address; this router's LAN
# address is 192.168.222.1 (see /ip address), so this defconf entry is stale and
# router.lan resolves to an address the router does not hold.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Whole elzab subnet; defined but not referenced by any rule in this export.
# It is the obvious match key for a "never via VPN" routing rule.
/ip firewall address-list
add address=192.168.66.0/24 list=elzab_zeta_full
# Source NAT for the physical uplinks only. wg_biuro_lux sits in the VPN list,
# not WAN, so traffic routed into the tunnel keeps its 192.168.x source address;
# either the far end must route those subnets back, or a second masquerade rule
# with out-interface-list=VPN is needed before the "all_vpn" route can work.
# No /ip firewall filter section appears in this export at all.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Failover layout:
#  - "spinet" (cable, distance 1) and "lteplay" (LTE, distance 2, disabled) are
#    the two defaults; netwatch enables/disables them rather than relying on
#    check-gateway on the defaults themselves.
#  - 208.67.222.222/32 is pinned to the cable gateway and 208.67.220.220/32 to
#    the LTE gateway, so each probe tests one specific uplink.
#  - the distance-2 blackholes for the same /32s take over when the pinned
#    route becomes inactive, so a probe can never succeed via the other uplink
#    and falsely report the link as up.
#  - "all_vpn" is the tunnel default in table "vpn"; it is disabled and no
#    routing rule in this export selects that table.
/ip route
add comment=spinet disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.111.1 pref-src="" routing-table=main suppress-hw-offload=yes
add comment=lteplay disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.8.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=yes target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=wg_biuro_lux pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=208.67.220.220/32 gateway=192.168.8.1 pref-src="" routing-table=main suppress-hw-offload=yes
add disabled=no distance=1 dst-address=208.67.222.222/32 gateway=192.168.111.1 pref-src="" routing-table=main suppress-hw-offload=yes
add blackhole disabled=no distance=2 dst-address=208.67.220.220/32 gateway="" pref-src="" routing-table=main suppress-hw-offload=no
add blackhole disabled=no distance=2 dst-address=208.67.222.222/32 gateway="" pref-src="" routing-table=main suppress-hw-offload=no
add comment=all_vpn disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.8.0.1 pref-src="" routing-table=vpn scope=30 suppress-hw-offload=yes target-scope=10
/system clock
set time-zone-name=Europe/Warsaw
# Identity is still the default name; harmless, but a distinct name makes the
# netwatch e-mails and logs easier to attribute.
/system identity
set name=RouterOS
# NTP is needed for the DoH certificate check (verify-doh-cert=yes) to succeed.
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
# Outbound mail for the netwatch alerts, SMTP submission with STARTTLS.
# The SMTP password is not part of an export but lives on the device.
/tool e-mail
set address=email-smtp.eu-west-1.amazonaws.com from=router@xxxxxxxxxx.xx port=587 tls=starttls user=xxxxxxxxxxxxxxxxx
# MAC-telnet and MAC-WinBox are reachable from every LAN-list interface, which
# includes bridge_elzab (see /interface list member).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Uplink watchdog. The probe host 208.67.222.222 is reachable only via the cable
# gateway (pinned /32 plus blackhole under /ip route), so a failure means the
# cable link is down, not the internet. down-script: swap the defaults to LTE
# and mail an alert. up-script: wait 300 s before swapping back, which damps
# flapping; if the link flaps faster than that the delayed up-script and a new
# down-script may overlap - confirm that ordering is acceptable.
/tool netwatch
add disabled=no down-script=":log error \"SPINET is DOWN\"\
\n/tool e-mail send to=\"xxxxxxxxx@gmail.com\" subject=\"SPINET is DOWN\" body=\"\$currentTime \\r\\n SPI NET DOWN\"\
\n/ip route disable [find comment=spinet]\
\n/ip route enable [find comment=lteplay]" host=208.67.222.222 interval=5s test-script="" timeout=1s type=simple up-script=":log info \"SPINET is UP\"\
\n:delay 300s\
\n/tool e-mail send to=\"xxxxxxxxx@gmail.com\" subject=\"SPINET is UP\" body=\"\$currentTime \\r\\n SPI NET UP\"\
\n/ip route enable [find comment=spinet]\
\n/ip route disable [find comment=lteplay]"