Yes I tried
So basically you want someone to provide the configs??
Have you tried, done any research or simply not trained?
If you are not willing to make the effort suggest --> https://mikrotik.com/consultants
Dear Sir,
So basically you want someone to provide the configs??
Have you tried, done any research or simply not trained?
If you are not willing to make the effort suggest --> https://mikrotik.com/consultants
Considering the scope of this project (site-to-site tunneling with load balancing, advanced routing, Wi-Fi access points, PBX, Active Directory, etc.) and the technical expertise and experience needed to pull it off, if I were you, I'd pass on this (honestly, you'll never be able to handle this on your own).
Go to your boss and explain that you need to bring in a network specialist that the company needs to pay for (not you!) to at least come up with a basic network topology that works with Mikrotik products. If it's hard to find someone available on-site, this can probably be solved using online resources. Then you might practice as a trainee during the implementation and if you're up for it, take over operations and maintenance later on.
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1 \
new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether5 \
new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether9 \
new-connection-mark=ether9_conn passthrough=yes
add action=mark-routing chain=output connection-mark=ether1_conn \
new-routing-mark=main passthrough=yes
add action=mark-routing chain=output connection-mark=ether5_conn \
new-routing-mark=main passthrough=yes
add action=mark-routing chain=output connection-mark=ether9_conn \
new-routing-mark=main passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
ether1
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
ether5
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
ether9
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=LAN-Bridge new-connection-mark=ether1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=WiFi-Bridge new-connection-mark=ether1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=LAN-Bridge new-connection-mark=ether5_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=WiFi-Bridge new-connection-mark=ether5_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=LAN-Bridge new-connection-mark=ether9_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=WiFi-Bridge new-connection-mark=ether9_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting connection-mark=ether1_conn \
in-interface=LAN-Bridge new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether1_conn \
in-interface=WiFi-Bridge new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether9_conn \
in-interface=LAN-Bridge new-connection-mark=ether9_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether9_conn \
in-interface=WiFi-Bridge new-connection-mark=ether9_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether5_conn \
in-interface=LAN-Bridge new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=ether5_conn \
in-interface=WiFi-Bridge new-connection-mark=ether5_conn passthrough=yes
add action=mark-routing chain=prerouting comment="Ether1 only VPN" \
dst-address-list=Ether1-Only new-routing-mark=Ether1-Only_conn passthrough=yes \
src-address=192.168.90.0/24
add action=mark-routing chain=prerouting comment="Ether5 only VPN" \
dst-address-list=Ether5-Only new-routing-mark=Ether5-Only_conn passthrough=yes \
src-address=192.168.91.0/24
add action=mark-routing chain=prerouting comment=Ether5-Only dst-address-list=\
Ether5-Only new-routing-mark=Ether5-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=Ether5-Only dst-address-list=\
Ether5-Only new-routing-mark=Ether5-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=Ether1-Only dst-address-list=\
Ether1-Only new-routing-mark=Ether1-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=Ether1-Only dst-address-list=\
Ether1-Only new-routing-mark=Ether1-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=Ether9-Only dst-address-list=\
Ether9-Only new-routing-mark=Ether9-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=Ether9-Only dst-address-list=\
Ether9-Only new-routing-mark=Ether9-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-connection chain=input in-interface=\
ether1 new-connection-mark=Ether1-Only_conn passthrough=yes
add action=mark-connection chain=input in-interface=\
ether5 new-connection-mark=Ether5-Only_conn passthrough=yes
add action=mark-routing chain=output connection-mark=\
Ether1-Only_conn new-routing-mark=Ether1-Only_conn passthrough=no
add action=mark-routing chain=output connection-mark=\
Ether5-Only_conn new-routing-mark=Ether5-Only_conn passthrough=no
/system clock
set time-zone-name=Europe/Paris
Edited as you've suggested, I am new here so was not aware of that, thanks
When you post your configuration, please use a Code block. Makes it easier to read.
In your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
Thank you.
Dear TheCat12
1) Remove the WiFi interface list and add ether11-WiFi to the LAN interface list (you'll see why shortly):
/interface list
add name=WAN
add name=LAN
add name=WiFi
/interface list member
add interface=ether5 list=WAN
add interface=ether9 list=WAN
add interface=ether1 list=WAN
add interface=ether12-LAN list=LAN
add interface=ether11-WiFi list=WiFi
to:
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether5 list=WAN
add interface=ether9 list=WAN
add interface=ether1 list=WAN
add interface=ether12-LAN list=LAN
add interface=ether11-WiFi list=LAN
2) Disable detect internet because it is known to cause mayhem:
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
LAN wan-interface-list=WAN
to:
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=\
none wan-interface-list=none
3) In the PPP profile add a new default-encryption profile to use for the L2TP server and remove the remnants of the old one (the one with *0):
/ppp profile
add name=default-encryption use-encryption=required
/interface l2tp-server server
set default profile=default-encryption
3) I suggest you change the naming conventions of the address lists and routing tables to reflect your situation. For example:
/routing table
add disabled=no fib name=Ether5-Only_conn
add disabled=no fib name=Ether1-Only_conn
add disabled=no fib name=Ether9-Only_conn
/ip firewall address-list
add address=whatismyip.com list=Ether9-Only
add address=ifconfig.me list=Ether1-Only
add address=whois.domaintools.com list=Ether5-Only
to:
/routing table
add disabled=no fib name=to_ISP2
add disabled=no fib name=to_ISP1
add disabled=no fib name=to_ISP3
/ip firewall address-list
add address=whatismyip.com list=through_ISP3
add address=ifconfig.me list=through_ISP1
add address=whois.domaintools.com list=through_ISP2
4) Your firewall is at the moment an open door for all kinds of security risks. That's why I suggest reverting it to the default one with the exception of the rules for the VPN ports.
5) Because there are a lot of changes to be made in the firewall mangle I'll directly post how it should look (this is the place where the LAN interface list has a significant role - instead of writing a different rule for LAN and WiFi, you can combine them into one):
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether5 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether9 new-connection-mark=ISP3_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting comment="Ether1 only VPN" new-connection-mark=ISP1_conn passthrough=yes src-address=192.168.90.0/24
add action=mark-connection chain=prerouting comment="Ether5 only VPN" new-connection-mark=ISP2_conn passthrough=yes src-address=192.168.91.0/24
add action=mark-connection chain=prerouting comment=Ether5-Only dst-address-list=through_ISP2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-Only dst-address-list=through_ISP1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-Only dst-address-list=through_ISP3 new-connection-mark=ISP3_conn passthrough=yes
add action=mark-routing chain=prerouting in-interface-list=LAN connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting in-interface-list=LAN connection-mark=ISP2_conn new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting in-interface-list=LAN connection-mark=ISP3_conn new-routing-mark=to_ISP3 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3_conn new-routing-mark=to_ISP3 passthrough=yes
6) Remove the masquerade rules for the L2TP (redundant)
7) For the routing you'll only need six entries, which I'll write down. The others are either redundant or misconfigurations:
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-table=to_ISP3
If there is something I missed or misspoke/miswrote/misconfigured, I'll kindly ask someone from the experts to give their second opinion.
P.S. I haven't touched the subject of the PBX because the review of the above configuration was time-consuming enough for one person, especially the mangle part
/ip firewall mangle
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" \
in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" \
in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" \
in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-routing chain=output connection-mark=SF-Only_conn \
new-routing-mark=SF-Only_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
new-routing-mark=TW-Only_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn \
new-routing-mark=TCL-Only_conn passthrough=no
add action=mark-routing chain=prerouting comment="SF only VPN" \
dst-address-list=SF-Only new-routing-mark=SF-Only_conn passthrough=yes \
src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" \
dst-address-list=TW-Only new-routing-mark=TW-Only_conn passthrough=yes \
src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" \
dst-address-list=TCL-Only new-routing-mark=TCL-Only_conn passthrough=yes \
src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-Only_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-Only_conn passthrough=yes src-address=\
172.16.0.0/16
add action=accept chain=prerouting dst-address=192.168.18.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 \
in-interface-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN-Bridge new-connection-mark=\
SF-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN-Bridge new-connection-mark=\
TW-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN-Bridge new-connection-mark=\
TCL-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting comment=Ether5-TW-Only \
dst-address-list=TW-Only new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-SF-Only \
dst-address-list=SF-Only new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-TCL-Only \
dst-address-list=TCL-Only new-connection-mark=TCL-Only_conn passthrough=\
yes
/system clock
set time-zone-name=Europe/Paris
Your firewall still lacks some essential rules, for example dropping all input not coming from LAN (a default config rule):
/ip firewall filter
add action=drop chain=input in-interface-list=!LAN
Another one is drop all forward from WAN not dstnat-ed:
/ip firewall filter
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Your mangle rules seem OK but some changes must take place like:
1) The accept input rules should be on the top and the output mark-routing last
2) Before the output rules, there must be three probably forgotten ones:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn new-routing-mark=SF_Only_Conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn new-routing-mark=TW_Only_Conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn new-routing-mark=TCL_Only_Conn passthrough=yes
3) I suggest changing the names of the routing tables to not be the same as their corresponding connection marks to avoid misconfigurations
4) Use in-interface-list=LAN instead of in-interface in the rules containing PCC
Further, I still suggest disabling detect-internet and creating a different, more generalized PPP profile for the L2TP server
Also, don't use scope=255 in the routes, make it 30
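As an added illustration of two points made in this thread (filter rules match top to bottom, so a catch-all drop placed too early shadows everything below it; and mark names must line up from mangle through to the routing table), here is a small Python linter for a RouterOS export. It is example code written for this page, not anything the posters shared; the export it checks is constructed from the thread's rule shapes and names, with a deliberately wrong ordering and the ISP3 / ISP3_conn mismatch, and the way it recognises a "catch-all" drop is an assumption based on the two rule shapes used in the thread.

```python
"""Lint a RouterOS export for two mistakes discussed in this thread: a catch-all
drop that shadows accept rules placed below it (filter rules match top to
bottom), and mangle marks that nothing consumes (a mark-connection rule writing
ISP3 while mark-routing waits for ISP3_conn). Added example, not code from the
forum posts; EXPORT is constructed, reusing the thread's rule shapes and names."""
import re
import shlex

EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="L2TP/IPsec" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IPsec ESP" in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 \
    new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=through_ISP3 new-connection-mark=ISP3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP3_conn new-routing-mark=to_ISP3 passthrough=yes
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_ISP1
"""

# How each chain's catch-all drop is recognised (assumption: the two rule shapes
# the thread uses, in-interface-list=!LAN and connection-nat-state=!dstnat).
CATCH_ALL = {
    "input": lambda r: r.get("action") == "drop" and r.get("in-interface-list") == "!LAN",
    "forward": lambda r: r.get("action") == "drop" and r.get("connection-nat-state") == "!dstnat",
}

def parse_export(text):
    """Turn '/path' headers and 'add key=value ...' lines into one dict per rule."""
    rules, path = [], None
    joined = re.sub(r"\\\n\s*", "", text)  # RouterOS wraps long lines with a trailing '\'
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            path = line
            continue
        words = shlex.split(line)  # keeps comment="a b" as one word, quotes removed
        if words[0] not in ("add", "set"):
            continue
        rule = {"path": path}
        for word in words[1:]:
            key, _, value = word.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def check_filter_order(rules):
    """Every accept rule placed below its chain's catch-all drop is dead: report it."""
    problems = []
    filt = [r for r in rules if r["path"] == "/ip firewall filter"]
    for chain, is_catch_all in CATCH_ALL.items():
        chain_rules = [r for r in filt if r.get("chain") == chain]
        for pos, rule in enumerate(chain_rules):
            if is_catch_all(rule):
                for dead in chain_rules[pos + 1:]:
                    if dead.get("action") == "accept":
                        problems.append(f"{chain}: accept rule {dead.get('comment', dead)!r} "
                                        "sits below the catch-all drop and never matches")
                break  # only the first catch-all matters; everything after it is dead
    return problems

def check_marks(rules):
    """Follow mark-connection -> mark-routing -> routing table; report each missing link."""
    mangle = [r for r in rules if r["path"] == "/ip firewall mangle"]
    set_conn = {r["new-connection-mark"] for r in mangle if "new-connection-mark" in r}
    used_conn = {r["connection-mark"] for r in mangle
                 if r.get("action") == "mark-routing" and "connection-mark" in r}
    routing_marks = {r["new-routing-mark"] for r in mangle if "new-routing-mark" in r}
    tables = {r.get("routing-table", "main") for r in rules if r["path"] == "/ip route"}
    problems = []
    for m in sorted(set_conn - used_conn):
        problems.append(f"connection mark {m!r} is set but no mark-routing rule uses it")
    for m in sorted(used_conn - set_conn):
        problems.append(f"mark-routing rule waits for connection mark {m!r} that is never set")
    for m in sorted(routing_marks - tables):
        problems.append(f"routing mark {m!r} has no route in a routing table of that name")
    return problems

def lint(text):
    """Run both checks over an export and return the list of findings."""
    rules = parse_export(text)
    return check_filter_order(rules) + check_marks(rules)

if __name__ == "__main__":
    for problem in lint(EXPORT):
        print(problem)
```

Run against a real `/export` the same way; the two shadowed accept rules and the three broken mark links are exactly the classes of mistake the reviewer points at above.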
/ip firewall filter add action=drop chain=input in-interface-list=!LAN
/ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn new-routing-mark=SF-Only_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn new-routing-mark=TW-Only_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn new-routing-mark=TCL-Only_conn passthrough=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.18.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.19.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping comment=TW-Only disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=192.168.19.1 pref-src="" routing-table=TW-ISP_conn \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=TCL-Only disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=192.168.20.1 pref-src="" routing-table=TCL-ISP_conn \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=SF-Only disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=192.168.18.1 pref-src="" routing-table=SF-ISP_conn \
scope=30 suppress-hw-offload=no target-scope=10
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 \
in-interface-list=LAN
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" \
in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" \
in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" \
in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
SF-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
TW-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
TCL-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/2
add action=mark-routing chain=output connection-mark=SF-Only_conn \
new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn \
new-routing-mark=TCL-ISP_conn passthrough=no
add action=mark-routing chain=prerouting comment="SF only VPN" \
dst-address-list=SF-Only new-routing-mark=SF-ISP_conn passthrough=yes \
src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" \
dst-address-list=TW-Only new-routing-mark=TW-ISP_conn passthrough=yes \
src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" \
dst-address-list=TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes \
src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-connection chain=prerouting comment=Ether5-TW-Only \
dst-address-list=TW-Only new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-SF-Only \
dst-address-list=SF-Only new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-TCL-Only \
dst-address-list=TCL-Only new-connection-mark=TCL-Only_conn passthrough=\
yes
@anav - IN TERMS OF JOB SECURITY...
Dear Mr. Anav,
Also when you make changes please REPOST your config so that we can see the progress and any further mistakes, often made during changes.
IN TERMS OF JOB SECURITY, you could always hire a consultant on your own dime, if it's worth it to help keep your job!!!
I did not set my time zone yet because the MikroTik router is not operational because of configuration issues not resolved yet, but Kerio has been operational for years
@anav - IN TERMS OF JOB SECURITY...
/system clock
set time-zone-name=Europe/Paris
Thanks for your quick response, hereunder is my fresh config
For the firewall filter rules I forgot that the order in which they are is of importance because the matching is done sequentially. That's why the drop input except from LAN should be after all other input rules and analogously for the drop forward from WAN except dst-nated rule. As for the three suggested mangle rules that should be somewhere around the output ones, they probably broke internet access because I forgot to add in-interface-list=LAN to them. Regardless of that, could you send afresh a full export of the config to see how everything is at the moment?
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 \
in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 \
in-interface-list=LAN
add action=mark-connection chain=input comment="VPN inn from SF-Only_conn" \
in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TW-Only_conn" \
in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN inn from TCL-Only_conn" \
in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
SF-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
TW-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
TCL-Only_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting comment="SF only VPN" \
dst-address-list=SF-Only new-routing-mark=SF-ISP_conn passthrough=yes \
src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" \
dst-address-list=TW-Only new-routing-mark=TW-ISP_conn passthrough=yes \
src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" \
dst-address-list=TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes \
src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
172.17.0.0/16
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=\
SF-Only new-routing-mark=SF-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=\
TW-Only new-routing-mark=TW-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=\
TCL-Only new-routing-mark=TCL-ISP_conn passthrough=yes src-address=\
172.16.0.0/16
add action=mark-connection chain=prerouting comment=Ether5-TW-Only \
dst-address-list=TW-Only new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether1-SF-Only \
dst-address-list=SF-Only new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=Ether9-TCL-Only \
dst-address-list=TCL-Only new-connection-mark=TCL-Only_conn passthrough=\
yes
add action=mark-routing chain=output connection-mark=SF-Only_conn \
new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn \
new-routing-mark=TCL-ISP_conn passthrough=no
I see that you've reverted to the old naming convention for the routing tables and marks. That's why I'll suggest once more to change it as in the previous snippets of configuration. Bear in mind that you should not only change the names of the routing marks but also those of the routing tables to match them.
Regarding my previous comment, could you rearrange your firewall rules in the following manner:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=add-dst-to-address-list address-list=SF-Only address-list-timeout=none-dynamic chain=forward comment="SF only VPN" src-address=192.168.92.0/24
add action=add-dst-to-address-list address-list=TW-Only address-list-timeout=none-dynamic chain=forward comment="TW only VPN" src-address=192.168.93.0/24
add action=add-dst-to-address-list address-list=TCL-Only address-list-timeout=none-dynamic chain=forward comment="TCL only VPN" src-address=192.168.94.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
As for the mangle, could you once again try adding the following rules before the output ones:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn in-interface-list=LAN new-routing-mark=SF-Only passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn in-interface-list=LAN new-routing-mark=TW-Only passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn in-interface-list=LAN new-routing-mark=TCL-Only passthrough=yes
This time I've modified them as per my previous comment.
Dear, I noted. I will update you once I go to the office and have physical access, as for now, for an unknown reason, I am unable to open via WinBox or WebFig after adding the rules.
One minor suggestion - remove the dst-address-lists of the "X only VPN" rules (rules no. 12, 13, 14) so that all traffic originating from the VPN can be matched against them, not only traffic destined to the addresses in the lists. Also, you could combine rules no. 15-20 by using in-interface-list=LAN instead of src-address:
/ip firewall mangle
add action=mark-routing chain=prerouting comment=SF-Only dst-address-list=SF-Only in-interface-list=LAN new-routing-mark=SF-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting comment=TW-Only dst-address-list=TW-Only in-interface-list=LAN new-routing-mark=TW-ISP_conn passthrough=yes
add action=mark-routing chain=prerouting comment=TCL-Only dst-address-list=TCL-Only in-interface-list=LAN new-routing-mark=TCL-ISP_conn passthrough=yes
Dear TheCat12,
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.18.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.19.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.20.0/24 in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.18.0/24 src-address=192.168.92.0/24
add action=accept chain=prerouting dst-address=192.168.19.0/24 src-address=192.168.93.0/24
add action=accept chain=prerouting dst-address=192.168.20.0/24 src-address=192.168.94.0/24
add action=mark-connection chain=input comment="VPN in from SF-Only_conn" in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN in from TW-Only_conn" in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN in from TCL-Only_conn" in-interface=ether9-TCL new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment="SF only VPN" connection-mark=no-mark new-connection-mark=SF-Only_conn passthrough=yes src-address=192.168.92.0/24
add action=mark-connection chain=prerouting comment="TW only VPN" connection-mark=no-mark new-connection-mark=TW-Only_conn passthrough=yes src-address=192.168.93.0/24
add action=mark-connection chain=prerouting comment="TCL only VPN" connection-mark=no-mark new-connection-mark=TCL-Only_conn passthrough=yes src-address=192.168.94.0/24
add action=mark-routing chain=prerouting comment="SF only VPN" connection-mark=SF-Only_conn new-routing-mark=SF-ISP_conn passthrough=no src-address=192.168.92.0/24
add action=mark-routing chain=prerouting comment="TW only VPN" connection-mark=TW-Only_conn new-routing-mark=TW-ISP_conn passthrough=no src-address=192.168.93.0/24
add action=mark-routing chain=prerouting comment="TCL only VPN" connection-mark=TCL-Only_conn new-routing-mark=TCL-ISP_conn passthrough=no src-address=192.168.94.0/24
add action=mark-connection chain=prerouting comment=SF-Only connection-mark=no-mark dst-address-list=SF-Only in-interface-list=LAN new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=TW-Only connection-mark=no-mark dst-address-list=TW-Only in-interface-list=LAN new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting comment=TCL-Only connection-mark=no-mark dst-address-list=TCL-Only in-interface-list=LAN new-connection-mark=TCL-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=SF-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=TW-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LAN new-connection-mark=TCL-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=SF-Only_conn in-interface-list=LAN new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn in-interface-list=LAN new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=TCL-Only_conn in-interface-list=LAN new-routing-mark=TCL-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=SF-Only_conn new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn new-routing-mark=TW-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TCL-Only_conn new-routing-mark=TCL-ISP_conn passthrough=no
Regards.
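A consistency check that fits both TheCat12's remark above that routing marks and routing tables must carry matching names and the kind of slip that creeps into revised mangle configs like the one just posted (a connection-mark spelled with different case than the rule that sets it, a mark-routing rule carrying new-connection-mark instead of new-routing-mark, a routing mark with "_" where the table has "-"). This is an added example written for this thread, not code posted by anyone in it or shipped by MikroTik. The sample export and the set of routing-table names are constructed for the demonstration; the assumption is RouterOS v7, where every routing mark must name an entry under /routing table.

```python
"""Lint a RouterOS /ip firewall mangle export for policy-routing defects.

Added example for this thread (not from the original post).  It joins
backslash-continued export lines, tokenises each 'add' rule and reports:
  1. action=mark-routing rules that carry new-connection-mark (invalid);
  2. connection-mark matches no mark-connection rule ever produces
     (mark names are case-sensitive strings);
  3. new-routing-mark values with no matching routing table.
SAMPLE_EXPORT and ROUTING_TABLES are constructed test data.
"""
import shlex


def join_continuations(text):
    """Rebuild logical lines from an export wrapped with trailing '\\'."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]          # keep joining; '=\' + 'value' -> '=value'
            continue
        buf += line
        if buf:
            lines.append(buf)
        buf = ""
    return lines


def parse_rules(text):
    """One dict per 'add ...' line: key -> value; bare flags become 'yes'."""
    rules = []
    for line in join_continuations(text):
        if not line.startswith("add "):
            continue                  # skips section headers like '/ip firewall mangle'
        rule = {}
        for tok in shlex.split(line[4:]):   # shlex keeps quoted comments intact
            key, sep, val = tok.partition("=")
            rule[key] = val if sep else "yes"
        rules.append(rule)
    return rules


def lint_mangle(export, routing_tables):
    """Return human-readable findings, one per defect, in rule order."""
    rules = parse_rules(export)
    produced = {r["new-connection-mark"] for r in rules
                if r.get("action") == "mark-connection" and "new-connection-mark" in r}
    findings = []
    for n, r in enumerate(rules, 1):
        if r.get("action") == "mark-routing" and "new-connection-mark" in r:
            findings.append(f"rule {n}: mark-routing needs new-routing-mark, "
                            f"not new-connection-mark={r['new-connection-mark']}")
        cm = r.get("connection-mark")
        if cm and cm != "no-mark" and cm not in produced:
            findings.append(f"rule {n}: connection-mark={cm} is never set by any "
                            f"mark-connection rule (check case and '-' vs '_')")
        rm = r.get("new-routing-mark")
        if rm and rm not in routing_tables:
            findings.append(f"rule {n}: new-routing-mark={rm} has no routing table")
    return findings


# Constructed sample in export syntax, with three planted defects (rules 5, 6, 8).
SAMPLE_EXPORT = r"""
/ip firewall mangle
add action=mark-connection chain=input comment="VPN in from SF" \
    in-interface=ether1-SF new-connection-mark=SF-Only_conn passthrough=yes
add action=mark-connection chain=input comment="VPN in from TW" \
    in-interface=ether5-TW new-connection-mark=TW-Only_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    SF-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    TW-Only_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-routing chain=prerouting connection-mark=SF-Only_Conn \
    in-interface-list=LAN new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=TW-Only_conn \
    in-interface-list=LAN new-connection-mark=TW_ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=SF-Only_conn \
    new-routing-mark=SF-ISP_conn passthrough=no
add action=mark-routing chain=output connection-mark=TW-Only_conn \
    new-routing-mark=TW_ISP_conn passthrough=no
"""

# Constructed: the names one would find under '/routing table' on this router.
ROUTING_TABLES = {"main", "SF-ISP_conn", "TW-ISP_conn", "TCL-ISP_conn"}

if __name__ == "__main__":
    for finding in lint_mangle(SAMPLE_EXPORT, ROUTING_TABLES):
        print(finding)
```

Paste the output of `/ip firewall mangle export` and the names from `/routing table print` in place of the constructed data. A rule whose connection-mark is never produced is not an error RouterOS reports; it simply never matches, and the traffic silently falls back to the main table, which is exactly the symptom of "the policy routing does not work" in a thread like this one.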
For the firewall filter just add the following rule before the "drop all not coming from LAN" one and remove from the latter connection-state=established:
/ip firewall filter
add action=accept chain=input ipsec-policy=in,ipsec
And please try to implement my new revision of the mangle rules and give me feedback on whether it worked or you had to revert to your version of them.
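To see what the input-chain ordering discussed in the two posts above actually does to a packet, here is a first-match walk-through of the posted chain, before and after the ipsec-policy accept is slotted in ahead of the catch-all drop. It is an added example written for this thread, not code posted by either participant; RouterOS matching is reduced to the matchers these rules use. The interface-list membership is an assumption (the thread never shows the LAN and WAN lists), and the dynamic L2TP server interface is deliberately left out of both lists to show what the "drop all not coming from LAN" rule does to VPN clients that talk to the router itself.

```python
"""First-match simulation of the posted input chain (added example, not from
the thread).  Rules and packets are dicts mirroring the export; IFACE_LISTS
and PACKETS are constructed assumptions."""

# Constructed interface lists: the thread's export never shows them.
IFACE_LISTS = {
    "LAN": {"bridge"},
    "WAN": {"ether1-SF", "ether5-TW", "ether9-TCL"},
}


def in_list(iface, spec):
    """in-interface-list matcher, including the '!LIST' negation."""
    negate = spec.startswith("!")
    return (iface in IFACE_LISTS[spec.lstrip("!")]) != negate


def matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet."""
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "dst-port" in rule and str(pkt.get("dport")) not in rule["dst-port"].split(","):
        return False
    if "in-interface-list" in rule and not in_list(pkt["iface"], rule["in-interface-list"]):
        return False
    if "ipsec-policy" in rule and not pkt.get("ipsec_in", False):
        return False
    return True


def verdict(chain, pkt):
    """First matching rule decides; if nothing matches RouterOS accepts."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "implicit default (no rule matched)"


# The input chain exactly as posted, in the posted order.
INPUT_CHAIN_POSTED = [
    {"action": "accept", "connection-state": "established,related,untracked",
     "comment": "defconf: accept established,related,untracked"},
    {"action": "drop", "connection-state": "invalid", "comment": "defconf: drop invalid"},
    {"action": "accept", "protocol": "icmp", "comment": "defconf: accept ICMP"},
    {"action": "accept", "protocol": "udp", "dst-port": "500,1701,4500",
     "in-interface-list": "WAN", "comment": "IKE, L2TP and NAT-T from WAN"},
    {"action": "accept", "protocol": "ipsec-esp", "in-interface-list": "WAN",
     "comment": "ESP from WAN"},
    {"action": "drop", "in-interface-list": "!LAN",
     "comment": "defconf: drop all not coming from LAN"},
]

# The later revision: accept decrypted IPsec input just before the catch-all drop.
IPSEC_ACCEPT = {"action": "accept", "ipsec-policy": "in,ipsec",
                "comment": "accept input that arrived inside an inbound IPsec policy"}
INPUT_CHAIN_REVISED = INPUT_CHAIN_POSTED[:-1] + [IPSEC_ACCEPT, INPUT_CHAIN_POSTED[-1]]


def pkt(iface, proto, dport=None, state="new", ipsec_in=False):
    return {"iface": iface, "proto": proto, "dport": dport, "state": state, "ipsec_in": ipsec_in}


# Constructed packets, all first packets of new connections to the router itself.
PACKETS = {
    "esp_from_wan": pkt("ether1-SF", "ipsec-esp"),
    "winbox_from_wan": pkt("ether5-TW", "tcp", 8291),
    "winbox_from_lan": pkt("bridge", "tcp", 8291),
    "dns_from_l2tp_client": pkt("l2tp-in1", "udp", 53),     # interface in neither list
    "winbox_inside_ipsec": pkt("ether1-SF", "tcp", 8291, ipsec_in=True),
}

if __name__ == "__main__":
    for name, p in PACKETS.items():
        print(f"{name:22s} posted={verdict(INPUT_CHAIN_POSTED, p)[0]:6s} "
              f"revised={verdict(INPUT_CHAIN_REVISED, p)[0]}")
```

Two results are worth a second look. WinBox from the bridge is only reachable because nothing matches and the chain falls through to the implicit accept, so any later rule that does match LAN traffic can lock you out, which is the failure mode reported earlier in this thread. And the added ipsec-policy accept admits whatever is carried inside a matching SA (here TCP/8291), so after that change the catch-all drop no longer protects router services from IPsec peers; a practitioner would narrow it with dst-port or src-address rather than leave it open.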
Yes, quite a nice and proper correction.
I can try to help you with that problem too - firstly you have to turn on IP firewall for the bridge:
/interface bridge settings set use-ip-firewall=yes
After that, add a firewall rule to drop all forward traffic for the PBX address except for in-interface-list=PPP:
/ip firewall filter
add action=drop chain=forward dst-address=172.17.0.30 in-interface-list=!PPP
After you have configured the L2TP clients on the branch router, just add the following routes, where l2tp-out_X are the different L2TP client interfaces:
/ip route
add dst-address=172.17.0.30 gateway=l2tp-out_1
add dst-address=172.17.0.30 gateway=l2tp-out_2
add dst-address=172.17.0.30 gateway=l2tp-out_3
It probably happens because the addresses of the local and remote LAN are the same. I think that could be overcome with the help of an EoIP tunnel spanned over the L2TP tunnel, but that would require a static address for the branch office router instead of a random one from the VPN pool:
# Head office
/ppp secret
set 0 remote-address=192.168.92.2
/interface eoip
add name=eoip-main tunnel-id=101 local-address=192.168.92.1 remote-address=192.168.92.2 ipsec-secret=securepassword allow-fast-path=no
/interface bridge port
add bridge=LAN-Bridge interface=eoip-main
# Branch office router
/interface eoip
add name=eoip-remote tunnel-id=101 local-address=192.168.92.2 remote-address=192.168.92.1 ipsec-secret=securepassword allow-fast-path=no
/ip route
remove [find gateway=l2tp-out1]
/interface bridge port
add bridge=LAN-Bridge interface=eoip-remote
Now the LAN-Bridge will be as if it's on one router.
And make sure not to run a DHCP server for the 172.17.0.0 range on the branch office router, as it may lead to undesired effects.