
General • Re: simple 3 isp dhcp clients with aggregation

1. So you have two bridges and two subnets, so what is this?
/ip pool
add name=dhcp_pool0 ranges=192.168.9.50-192.168.9.254 triplicate
add name=dhcp_pool1 ranges=192.168.9.100-192.168.9.254 duplicate
add name=dhcp_pool2 ranges=192.168.9.100-192.168.9.254 duplicate
add name=dhcp_pool3 ranges=192.168.12.100-192.168.12.254


Clearly you have duplication. Why do you not notice that you have two subnets and four pools?
Only the latter two should be on the config.

2. Typically, using an address list for a subnet is not required, but we will see what you use it for.
/ip firewall address-list
add address=192.168.9.0/24 list=Ajlan

3. Modifying firewall rules so the order makes sense. First, keep chains together; it is much easier to read and to see errors. Also, order within a chain is important.

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=Lan
add action=drop chain=input comment="drop all else"
{ insert this rule here but last of all rules }
+++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=Lan out-interface-list=Wan
add action=drop chain=forward comment="drop all else"


4. Now here is where we will differ.
I want you to try simple ECMP load balancing as the most efficient approach; it should provide the same effect as mangling but with much less fuss.
No tables, NO MANGLING!!! The key is no distance difference between routes.

/ip route (without recursive, so you see the plain view)
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.72.72 comment=Broad
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.4.4 comment=Hath
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.150.150 comment=Play

With recursive:
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 comment=Broad
add dst-address=1.0.0.1/32 gateway=192.168.72.72 scope=10 target-scope=11
++++++++++++++++++++++++
add check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment=Hath
add dst-address=9.9.9.9/32 gateway=192.168.4.4 scope=10 target-scope=11
++++++++++++++++++++++++
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12 comment=Play
add dst-address=8.8.4.4/32 gateway=192.168.150.150 scope=10 target-scope=11

Also, one should avoid any duplication of recursive canary addresses on IP DNS.
From:
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.9.9
add address=192.168.12.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.12.12
/ip dns
set servers=208.67.222.222,208.67.220.220

To:
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.9.9
add address=192.168.12.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.12.12
/ip dns
set servers=208.67.222.222,208.67.220.220

Statistics: Posted by anav — Thu Mar 13, 2025 4:22 pm
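
A lint for the two duplications flagged in this post (overlapping /ip pool ranges, and a recursive-route canary address that is also handed out as a DNS server), as an added example that is not part of anav's post. It assumes a plain-text export with one lo-hi range per pool; the function names and the sample text are constructed here from the values quoted above.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in export form, using the "before" values quoted in the post.
SAMPLE = """\
/ip pool
add name=dhcp_pool1 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool2 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool3 ranges=192.168.12.100-192.168.12.254
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12
add dst-address=8.8.4.4/32 gateway=192.168.150.150 scope=10 target-scope=11
add check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12
add dst-address=9.9.9.9/32 gateway=192.168.4.4 scope=10 target-scope=11
/ip dhcp-server network
add address=192.168.12.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.12.12
/ip dns
set servers=208.67.222.222,208.67.220.220
"""

def parse(export):
    """Yield (menu, {key: value}) for each add/set line of an export."""
    menu = None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            yield menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))

def overlapping_pools(export):
    """Name pairs of /ip pool entries whose ranges intersect (one lo-hi range each)."""
    pools = []
    for menu, kv in parse(export):
        if menu == "/ip pool":
            lo, hi = (int(ipaddress.ip_address(a)) for a in kv["ranges"].split("-"))
            pools.append((kv["name"], lo, hi))
    return sorted((a[0], b[0]) for a, b in combinations(pools, 2)
                  if a[1] <= b[2] and b[1] <= a[2])

def canary_dns_clashes(export):
    """Canary IPs (default-route gateway pinned by a /32 route) that are also DNS servers."""
    rows = list(parse(export))
    routes = [kv for m, kv in rows if m == "/ip route"]
    defaults = {kv.get("gateway") for kv in routes if kv.get("dst-address") == "0.0.0.0/0"}
    pinned = {kv["dst-address"][:-3] for kv in routes if kv.get("dst-address", "").endswith("/32")}
    dns = {ip for _, kv in rows for key in ("dns-server", "servers")
           for ip in kv.get(key, "").split(",") if ip}
    return sorted(defaults & pinned & dns)
```

Run against the "To:" version of the DHCP network lines, `canary_dns_clashes` returns an empty list.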


