at first - my English is not enough for long explanations, but I hope You understand me )
second - special thanks to @pcunite for these posts Using RouterOS to VLAN your network and MultiWAN with RouterOS. Also thanks to @anav for many helpful posts and answers on this forum.
I have the next network topology
All ISP are connected as ethernet and obtain IP from DHCP. (one real public IP)
Currently, I have started to configure this for a test solution.
For tests, I use hAP ac^3 instead rb4011, and my other network simulates one ISP.
And I have some questions
for pk-r00
1. all ports placed in one bridge (wan, lan, trunk). Is it correct?
2. without firewall. (as this device does not terminate any public traffic). correct?
3. All ISP live in one bridge, and potentially dhcp from one is visible to the other. Do I need to correct this? and how?
for pk-wt01 (on diagram pk-r01) (for test I use hAP ac^3 instead rb4011 on real)
1. ether1 in bridge. Correct? through this port passes public(WAN) and private(LAN) traffic. Is it secure?
2. WAN vlans configured on ether1, LAN vlans on bridge. Correct?
pk-r00
Code: Select all
# mar/18/2024 21:48:07 by RouterOS 7.8
#
# model = RB760iGS
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# ISP VLANs
add interface=bridge1 name=vlan_isp_fn_12 vlan-id=12
add interface=bridge1 name=vlan_isp_ks_13 vlan-id=13
add interface=bridge1 name=vlan_isp_vg_11 vlan-id=11
# local VLANs
add interface=bridge1 name=vlan_mngt_100 vlan-id=100
add interface=bridge1 name=vlan_pako_101 vlan-id=101
/interface list
add name=LAN
add name=ISP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
# WANs
add bridge=bridge1 interface=ether1 pvid=11
add bridge=bridge1 interface=ether2 pvid=12
add bridge=bridge1 interface=ether3 pvid=13
# trunk for WAN and LAN
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# WAN (for test env use only 2)
add bridge=bridge1 tagged=ether4 untagged=ether1 vlan-ids=11
add bridge=bridge1 tagged=ether4 untagged=ether2 vlan-ids=12
add bridge=bridge1 tagged=bridge1,ether4 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether4 vlan-ids=101
/interface list member
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=vlan_mngt_100 list=LAN
add interface=bridge1 list=LAN
add interface=vlan_pako_101 list=LAN
/ip dhcp-client
add interface=vlan_mngt_100
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=pk-r00
Code: Select all
# 2024-03-18 21:49:32 by RouterOS 7.12.1
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=yy:yy:yy:yy:yy:yy
set [ find default-name=ether5 ] poe-out=off
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-EF0AC4 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=pk-wt_0x24v wireless-protocol=802.11
/interface vlan
# WAN
add interface=ether1 name=vlan_isp_fn_12 vlan-id=12
add interface=ether1 name=vlan_isp_ks_13 vlan-id=13
add interface=ether1 name=vlan_isp_vg_11 vlan-id=11
# LAN
add interface=bridge name=vlan_mngt_100 vlan-id=100
add interface=bridge name=vlan_pako_101 vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_mngt ranges=192.168.100.2-192.168.100.10
add name=pool_pako ranges=192.168.101.100-192.168.101.150
/ip dhcp-server
add address-pool=pool_pako interface=vlan_pako_101 lease-time=521w3d23h59m59s name=dhcp_pako
add address-pool=pool_mngt interface=vlan_mngt_100 lease-time=521w3d10m name=dhcp_mngt
/routing table
add fib name=isp_vg
add fib name=isp_fn
add fib name=isp_ks
/interface bridge port
add bridge=bridge interface=ether2 pvid=101
add bridge=bridge interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
/ip firewall connection tracking
set loose-tcp-tracking=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/interface bridge vlan
# only local VLANs, no WAN VALNs
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=101
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan_isp_vg_11 list=WAN
add interface=vlan_isp_fn_12 list=WAN
add interface=vlan_isp_ks_13 list=WAN
add interface=ether2 list=LAN
add interface=vlan_pako_101 list=LAN
add interface=vlan_mngt_100 list=LAN
/ip address
add address=192.168.100.1/24 interface=vlan_mngt_100 network=192.168.100.0
add address=192.168.101.1/24 interface=vlan_pako_101 network=192.168.101.0
/ip dhcp-client
# ISP with static adress, but obtain from DHCP (by ISP rules)
add add-default-route=no interface=vlan_isp_fn_12 use-peer-dns=no use-peer-ntp=no
# ISP DHCP. script for change routing
add add-default-route=no interface=vlan_isp_vg_11 script=":if (\$bound=1) do={\
\r\
\n /ip/route/set [find gateway!=\$\"gateway-address\" and comment=\"isp\
_vg_monitor\"] gateway=\$\"gateway-address\"\r\
\n :local msg (\"isp_vg_monitor:: ip has been changed. ip: \" . \$\"lea\
se-address\" . \"; gw:\" . \$\"gateway-address\");\r\
\n :log info \$msg;\r\
\n}\r\
\n" use-peer-dns=no use-peer-ntp=
no
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
add address=192.168.101.0/24 dns-server=192.168.101.1 gateway=192.168.101.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,9.9.9.9
/ip dns static
add address=192.168.100.1 comment=defconf name=r01.pako.lan
# default config
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# "copypaste" from @pcunit forum topic https://forum.mikrotik.com/viewtopic.php?t=192736
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
in-interface=vlan_isp_vg_11 new-connection-mark=isp_vg_wan passthrough=\
yes
add action=mark-routing chain=prerouting connection-mark=isp_vg_wan \
in-interface-list=LAN new-routing-mark=isp_vg passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=vlan_isp_fn_12 new-connection-mark=isp_fn_wan passthrough=\
yes
add action=mark-routing chain=prerouting connection-mark=isp_fn_wan \
in-interface-list=LAN new-routing-mark=isp_fn passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
vlan_isp_vg_11 new-connection-mark=isp_vg_wan passthrough=yes
add action=mark-routing chain=output connection-mark=isp_vg_wan \
new-routing-mark=isp_vg passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
vlan_isp_fn_12 new-connection-mark=isp_fn_wan passthrough=yes
add action=mark-routing chain=output connection-mark=isp_fn_wan \
new-routing-mark=isp_fn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# "copypaste" from @pcunit forum topic https://forum.mikrotik.com/viewtopic.php?t=192736
/ip route
# real ISP with static IP
add comment=isp_fn_monitor disabled=no distance=2 dst-address=1.1.1.1/32 \
gateway=xxx.xxx.xxx.xxx pref-src="" routing-table=main scope=10 \
suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=isp_fn_gw distance=2 dst-address=0.0.0.0/0 \
gateway=1.1.1.1 scope=10 target-scope=12
add comment=isp_fn_wan distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 \
routing-table=isp_fn scope=10 target-scope=12
# for a test for second ISP i use my other network, and OpenDNS IP for check internet
add comment=isp_vg_monitor disabled=no distance=1 dst-address=\
208.67.222.222/32 gateway=192.168.76.1 pref-src="" routing-table=main \
scope=10 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=isp_vg_gw distance=1 dst-address=0.0.0.0/0 \
gateway=208.67.222.222 scope=10 target-scope=12
add comment=isp_vg_wan disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
208.67.222.222 pref-src="" routing-table=isp_vg scope=10 \
suppress-hw-offload=no target-scope=12
# default config
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# default config
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# "copypaste" from @pcunit forum topic https://forum.mikrotik.com/viewtopic.php?t=192736
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.101.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.100.0/24 table=main
# I should disable this rule by netwatch, because if ISP2 is down 192.168.101.0 not switch to other ISPs
add action=lookup comment=pako_route_rule_fn disabled=no dst-address="" src-address=192.168.101.0/24 table=isp_fn
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=pk-wt01
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="/routing/rule/set [find comment=\"pako_route_rule\
_fn\"] disabled=yes\r\
\n:log info \"fn_down\"" host=1.1.1.1 http-codes="" interval=10s \
test-script="" type=simple up-script="/routing/rule/set [find comment=\"pa\
ko_route_rule_fn\"] disabled=no\r\
\n:log info \"fn_up\"\r\
\n"