Channel: MikroTik

General • MultiWAN + LAN through vlans

Hello!
First, my English is not good enough for long explanations, but I hope you understand me :)
Second, special thanks to @pcunite for the posts "Using RouterOS to VLAN your network" and "MultiWAN with RouterOS". Also thanks to @anav for many helpful posts and answers on this forum.

I have the following network topology:
(diagram: Capture.PNG)
All ISPs are connected over Ethernet and obtain an IP from DHCP (one real public IP).
Currently, I have started configuring this as a test solution.
For tests I use a hAP ac^3 instead of the RB4011, and my other network simulates one ISP.
And I have some questions.
For pk-r00:
1. All ports are placed in one bridge (WAN, LAN, trunk). Is this correct?
2. No firewall (as this device does not terminate any public traffic). Correct?
3. All ISPs live in one bridge, and potentially DHCP from one is visible to the other. Do I need to correct this, and how?

For pk-wt01 (pk-r01 on the diagram; for the test I use a hAP ac^3 instead of the real RB4011):
1. ether1 is in the bridge. Correct? Both public (WAN) and private (LAN) traffic pass through this port. Is it secure?
2. WAN VLANs are configured on ether1, LAN VLANs on the bridge. Correct?

pk-r00
Code:
# mar/18/2024 21:48:07 by RouterOS 7.8
#
# model = RB760iGS
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# ISP VLANs
add interface=bridge1 name=vlan_isp_fn_12 vlan-id=12
add interface=bridge1 name=vlan_isp_ks_13 vlan-id=13
add interface=bridge1 name=vlan_isp_vg_11 vlan-id=11
# local VLANs
add interface=bridge1 name=vlan_mngt_100 vlan-id=100
add interface=bridge1 name=vlan_pako_101 vlan-id=101
/interface list
add name=LAN
add name=ISP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
# WANs
add bridge=bridge1 interface=ether1 pvid=11
add bridge=bridge1 interface=ether2 pvid=12
add bridge=bridge1 interface=ether3 pvid=13
# trunk for WAN and LAN
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# WAN (for test env use only 2)
add bridge=bridge1 tagged=ether4 untagged=ether1 vlan-ids=11
add bridge=bridge1 tagged=ether4 untagged=ether2 vlan-ids=12
add bridge=bridge1 tagged=bridge1,ether4 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether4 vlan-ids=101
/interface list member
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=vlan_mngt_100 list=LAN
add interface=bridge1 list=LAN
add interface=vlan_pako_101 list=LAN
/ip dhcp-client
add interface=vlan_mngt_100
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=pk-r00
pk-wt01
Code:
# 2024-03-18 21:49:32 by RouterOS 7.12.1
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=yy:yy:yy:yy:yy:yy
set [ find default-name=ether5 ] poe-out=off
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-EF0AC4 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=pk-wt_0x24v wireless-protocol=802.11
/interface vlan
# WAN
add interface=ether1 name=vlan_isp_fn_12 vlan-id=12
add interface=ether1 name=vlan_isp_ks_13 vlan-id=13
add interface=ether1 name=vlan_isp_vg_11 vlan-id=11
# LAN
add interface=bridge name=vlan_mngt_100 vlan-id=100
add interface=bridge name=vlan_pako_101 vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_mngt ranges=192.168.100.2-192.168.100.10
add name=pool_pako ranges=192.168.101.100-192.168.101.150
/ip dhcp-server
add address-pool=pool_pako interface=vlan_pako_101 lease-time=521w3d23h59m59s name=dhcp_pako
add address-pool=pool_mngt interface=vlan_mngt_100 lease-time=521w3d10m name=dhcp_mngt
/routing table
add fib name=isp_vg
add fib name=isp_fn
add fib name=isp_ks
/interface bridge port
add bridge=bridge interface=ether2 pvid=101
add bridge=bridge interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
/ip firewall connection tracking
set loose-tcp-tracking=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/interface bridge vlan
# only local VLANs, no WAN VLANs
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=101
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan_isp_vg_11 list=WAN
add interface=vlan_isp_fn_12 list=WAN
add interface=vlan_isp_ks_13 list=WAN
add interface=ether2 list=LAN
add interface=vlan_pako_101 list=LAN
add interface=vlan_mngt_100 list=LAN
/ip address
add address=192.168.100.1/24 interface=vlan_mngt_100 network=192.168.100.0
add address=192.168.101.1/24 interface=vlan_pako_101 network=192.168.101.0
/ip dhcp-client
# ISP with a static address, but obtained from DHCP (by ISP rules)
add add-default-route=no interface=vlan_isp_fn_12 use-peer-dns=no use-peer-ntp=no
# ISP DHCP. Script to change routing
add add-default-route=no interface=vlan_isp_vg_11 script=":if (\$bound=1) do={\
    \r\
    \n    /ip/route/set [find gateway!=\$\"gateway-address\" and comment=\"isp\
    _vg_monitor\"] gateway=\$\"gateway-address\"\r\
    \n    :local msg (\"isp_vg_monitor:: ip has been changed. ip: \" . \$\"lea\
    se-address\" . \"; gw:\" . \$\"gateway-address\");\r\
    \n    :log info \$msg;\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
add address=192.168.101.0/24 dns-server=192.168.101.1 gateway=192.168.101.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,9.9.9.9
/ip dns static
add address=192.168.100.1 comment=defconf name=r01.pako.lan
# default config
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# "copypaste" from @pcunite forum topic https://forum.mikrotik.com/viewtopic.php?t=192736
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=vlan_isp_vg_11 new-connection-mark=isp_vg_wan passthrough=\
    yes
add action=mark-routing chain=prerouting connection-mark=isp_vg_wan \
    in-interface-list=LAN new-routing-mark=isp_vg passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=vlan_isp_fn_12 new-connection-mark=isp_fn_wan passthrough=\
    yes
add action=mark-routing chain=prerouting connection-mark=isp_fn_wan \
    in-interface-list=LAN new-routing-mark=isp_fn passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
    vlan_isp_vg_11 new-connection-mark=isp_vg_wan passthrough=yes
add action=mark-routing chain=output connection-mark=isp_vg_wan \
    new-routing-mark=isp_vg passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
    vlan_isp_fn_12 new-connection-mark=isp_fn_wan passthrough=yes
add action=mark-routing chain=output connection-mark=isp_fn_wan \
    new-routing-mark=isp_fn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# "copypaste" from @pcunite forum topic https://forum.mikrotik.com/viewtopic.php?t=192736
/ip route
# real ISP with static IP
add comment=isp_fn_monitor disabled=no distance=2 dst-address=1.1.1.1/32 \
    gateway=xxx.xxx.xxx.xxx pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=isp_fn_gw distance=2 dst-address=0.0.0.0/0 \
    gateway=1.1.1.1 scope=10 target-scope=12
add comment=isp_fn_wan distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 \
    routing-table=isp_fn scope=10 target-scope=12
# for the test, the second ISP is my other network, and the OpenDNS IP is used to check internet
add comment=isp_vg_monitor disabled=no distance=1 dst-address=\
    208.67.222.222/32 gateway=192.168.76.1 pref-src="" routing-table=main \
    scope=10 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=isp_vg_gw distance=1 dst-address=0.0.0.0/0 \
    gateway=208.67.222.222 scope=10 target-scope=12
add comment=isp_vg_wan disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    208.67.222.222 pref-src="" routing-table=isp_vg scope=10 \
    suppress-hw-offload=no target-scope=12
# default config
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# default config
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# "copypaste" from @pcunite forum topic https://forum.mikrotik.com/viewtopic.php?t=192736
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.101.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.100.0/24 table=main
# I should disable this rule by netwatch, because if ISP2 is down, 192.168.101.0 does not switch to other ISPs
add action=lookup comment=pako_route_rule_fn disabled=no dst-address="" src-address=192.168.101.0/24 table=isp_fn
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=pk-wt01
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="/routing/rule/set [find comment=\"pako_route_rule\
    _fn\"] disabled=yes\r\
    \n:log info \"fn_down\"" host=1.1.1.1 http-codes="" interval=10s \
    test-script="" type=simple up-script="/routing/rule/set [find comment=\"pa\
    ko_route_rule_fn\"] disabled=no\r\
    \n:log info \"fn_up\"\r\
    \n"

Statistics: Posted by coreshock — Mon Mar 18, 2024 11:05 pm
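As an added example (not code from the post or from the guides it links), a small Python checker for question 3 of the pk-r00 setup: it parses the /interface bridge port and /interface bridge vlan sections of a RouterOS export, counts each PVID as a dynamic untagged member, and reports VLANs in which two ISP access ports share one broadcast domain (so one ISP's DHCP offers reach the other) and VLANs the trunk does not carry. The excerpt and the function names are constructed after the pk-r00 export above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on pk-r00 (ISP access ports ether1-3, trunk ether4);
# VLAN 13 has a PVID but no /interface bridge vlan row, exactly as in the post.
PK_R00_EXCERPT = """\
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=11
add bridge=bridge1 interface=ether2 pvid=12
add bridge=bridge1 interface=ether3 pvid=13
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
/interface bridge vlan
add bridge=bridge1 tagged=ether4 untagged=ether1 vlan-ids=11
add bridge=bridge1 tagged=ether4 untagged=ether2 vlan-ids=12
add bridge=bridge1 tagged=bridge1,ether4 vlan-ids=100,101
"""

def vlan_members(export_text):
    """Map vlan-id -> set of bridge ports that see it (tagged, untagged, or via PVID)."""
    text = re.sub(r"\\\n\s*", "", export_text)      # join export line continuations
    section, members, pvids = None, defaultdict(set), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                     # section header, e.g. /interface bridge vlan
            section = line
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))   # key=value pairs of one row
        if section == "/interface bridge port" and "pvid" in kv:
            pvids[kv["interface"]] = int(kv["pvid"])
        elif section == "/interface bridge vlan" and "vlan-ids" in kv:
            ports = {p for k in ("tagged", "untagged") for p in kv.get(k, "").split(",") if p}
            for item in kv["vlan-ids"].split(","):   # "11" or a range such as "10-20"
                lo, _, hi = item.partition("-")
                for vid in range(int(lo), int(hi or lo) + 1):
                    members[vid] |= ports
    for port, vid in pvids.items():      # RouterOS adds a port's PVID as a dynamic untagged entry
        members[vid].add(port)
    return dict(members)

def shared_isp_vlans(members, isp_ports):
    """VLANs seen by two or more ISP access ports: one broadcast domain, so DHCP crosses ISPs."""
    return sorted(v for v, ports in members.items() if len(ports & set(isp_ports)) > 1)

def vlans_missing_on_trunk(members, trunk):
    """VLANs present on the bridge that the trunk port does not carry (dead ends)."""
    return sorted(v for v, ports in members.items() if trunk not in ports)
```

Feed it the whole `/export` output of pk-r00 rather than the excerpt; on the excerpt it reports no VLAN shared between ether1-3 and VLAN 13 as not carried on ether4.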