
General • Re: Multi Starlink WANs, VOIP and live stream broadcast

Thanks much for the responses.
FYI: I'm a volunteer network admin for the summer camp I'm doing this for. My primary work is programming and devops.
I'm fairly new to MikroTik. We used pfSense for many years.

I have been making a proof of concept on a basic test router RB941-2nD. It is on v6.
I have the VLANs and PCC setup. They seem to be working.
I was tripped up for a while on routing not working without specifying the gateway IP and interface. Might be a v6 thing. Tutorials said to just add the appropriate interface but that didn't work.
gateway=192.168.68.1%ether1_WAN1,192.168.68.1%ether2_WAN2
Upgrade to V7 is recommended to have 64MB RAM. My test device has 32MB.
I have a hEX or hAP ac2 for the production deploy.
We got the 2 starlinks not for redundancy but to dedicate one to the broadcasting, VOIP, and working from "home". I dedicated one port to the guest VLAN connecting the 2nd starlink to it. Not using mikrotik for DHCP, routing, etc for Guest VLAN.

I was looking into CAKE per your recommendations.
Seems the CPU load may be a problem per discussion on topic:
Which mikrotik for 1Gbps WAN, SOHO, and queue enabled (fqcodel / cake)

If CAKE and/or other QoS doesn't work, I figure I can use the connection mark for the VOIP and Broadcast VLANs and specific destinations, like MS Teams.

If CPU is a problem, maybe I can apply CAKE to just one WAN and direct the VOIP, broadcast, work-from-home stuff to that WAN.

I prefer not to use bypass mode in Starlink so I can use the starlink app to monitor and troubleshoot.
I'm pretty new to MikroTik and have not used IPv6. I don't understand the benefit to using IPv6 or if there would be problems.

I'm thinking to set it up when I use the Starlink app and connect to the staff vlan it directs to wan1_conn and when I connect to base vlan it uses wan2_conn. I've put in the rules but I don't have the starlinks available for my test setup.
For the tests, I'm just connecting the two WAN ports to the LAN ports of another router. That provides the same gateway but different IPs assigned to the WAN interfaces.

I'm not clear on the routing table failover but seems failover is working as I unplugged the wan ports one at a time while running ping from mikrotik and a computer.

I was thinking about automating adjustment of PCC mangle rules if a connection became unavailable. Not really practical for just two WAN connections. But I love automating things like that. So just including info here for posterity.
How to auto-start a script at interface link up / down ?
Archived sample scripts as a starting point

Here is the config I have so far.
Code:
# may/30/2024 23:13:13 by RouterOS 6.49.15
# software id = H4V8-DQ6B
#
# model = RB941-2nD
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN1
set [ find default-name=ether2 ] name=ether2_WAN2
set [ find default-name=ether3 ] name=ether3_Trunk
set [ find default-name=ether4 ] name=ether4_Guest
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface vlan
add interface=BR1 name=VLAN10_Guest vlan-id=10
add interface=BR1 name=VLAN20_Staff vlan-id=20
add interface=BR1 name=VLAN50_BASE vlan-id=50
add interface=BR1 name=VLAN60_VOIP vlan-id=60
add interface=BR1 name=VLAN70_Broadcast vlan-id=70
/interface list
add name=WAN
add name=VLAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Staff_WiFi_Sec supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Guest_WiFi_Sec supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX country="united states" disabled=no frequency=\
    auto mode=ap-bridge name=wlan1_Staff security-profile=Staff_WiFi_Sec ssid=Staff wps-mode=push-button-virtual-only
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:4A:BB:61 master-interface=wlan1_Staff multicast-buffering=\
    disabled name=wlan2_Guest security-profile=Guest_WiFi_Sec ssid=Redwood wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/ip pool
add name=V10_Guest_Pool ranges=10.10.1.1-10.10.254.255
add name=V20_Staff_Pool ranges=10.20.1.1-10.20.254.255
add name=V50_BASE_Pool ranges=192.168.50.100-192.168.50.199
add name=V60_VOIP_Pool ranges=192.168.60.2-192.168.60.254
add name=V70_Broadcast_Pool ranges=192.168.70.2-192.168.70.254
/ip dhcp-server
add address-pool=V10_Guest_Pool disabled=no interface=VLAN10_Guest name=V10_Guest_DHCP
add address-pool=V20_Staff_Pool disabled=no interface=VLAN20_Staff name=V20_Staff_DHCP
add address-pool=V50_BASE_Pool disabled=no interface=VLAN50_BASE name=V50_BASE_DHCP
add address-pool=V60_VOIP_Pool disabled=no interface=VLAN60_VOIP name=V60_VOIP_DHCP
add address-pool=V70_Broadcast_Pool disabled=no interface=VLAN70_Broadcast name=V70_Broadcast_DHCP
# Log interface changes to periodically run a script that checks and adjusts PCC to handle wan availability changes.
# TODO write script. Starting resources:
#   https://web.archive.org/web/20210416175553/https://wiki.mikrotik.com/wiki/Log_Parser_-_Event_Trigger_Script
#   https://forum.mikrotik.com/viewtopic.php?t=161292
/system logging action
add name=InterfaceUpDown target=memory
/system logging
add topics=interface
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4_Guest
add bridge=BR1 ingress-filtering=yes interface=ether3_Trunk pvid=50
add bridge=BR1 interface=wlan1_Staff pvid=20
add bridge=BR1 interface=wlan2_Guest pvid=10
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=VLAN50_BASE vlan-ids=50
add bridge=BR1 tagged=BR1,ether3_Trunk untagged=wlan1_Staff vlan-ids=20
add bridge=BR1 tagged=BR1,ether3_Trunk untagged=ether4_Guest,wlan2_Guest vlan-ids=10
add bridge=BR1 tagged=BR1,ether3_Trunk vlan-ids=60,70
/interface list member
add interface=ether1_WAN1 list=WAN
add interface=ether2_WAN2 list=WAN
add interface=VLAN50_BASE list=VLAN
add interface=VLAN10_Guest list=VLAN
add interface=VLAN20_Staff list=VLAN
add interface=VLAN50_BASE list=Manage
add interface=VLAN20_Staff list=Manage
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1_WAN1
add add-default-route=no disabled=no interface=ether2_WAN2
/ip address
add address=10.10.0.1/16 interface=VLAN10_Guest network=10.10.0.0
add address=10.20.0.1/16 interface=VLAN20_Staff network=10.20.0.0
add address=192.168.50.1/24 interface=VLAN50_BASE network=192.168.50.0
add address=192.168.60.1/24 interface=VLAN60_VOIP network=192.168.60.0
add address=192.168.70.1/24 interface=VLAN70_Broadcast network=192.168.70.0
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=10.10.0.1 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=10.20.0.1 gateway=10.20.0.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.60.0/24 gateway=192.168.60.1
add address=192.168.70.0/24 gateway=192.168.70.1
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,9.9.9.9,8.8.8.8,1.1.1.1
# Define local networks for mangle rules so we only do PCC on internet bound traffic.
/ip firewall address-list
add address=192.168.50.0/24 list=Local_Networks
add address=192.168.60.0/24 list=Local_Networks
add address=192.168.70.0/24 list=Local_Networks
add address=10.10.0.0/16 list=Local_Networks
add address=10.20.0.0/16 list=Local_Networks
add address=192.168.1.1 list=StarlinkDevIPs
add address=192.168.100.1 list=StarlinkDevIPs
/ip firewall filter
add comment="Allow Estab & Related" \
    chain=input action=accept connection-state=established,related
add comment="Allow VLAN" \
    chain=input action=accept in-interface-list=VLAN
add chain=input action=drop comment=Drop
add comment="Allow Estab & Related" \
    chain=forward action=accept connection-state=established,related
add comment="Allow Staff & BASE VLANs Access other VLANs" \
    chain=forward action=accept in-interface-list=Manage
add comment="VLAN Internet Access only" \
    chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN
add chain=forward action=drop comment=Drop
# PCC for dual WAN.
# For efficiency on new connection jump to more complex checks.
/ip firewall mangle
add comment="From External (off Mikrotik, LAN & WAN)" \
    chain=prerouting action=jump connection-state=new jump-target=new_extrnal
add comment="From WANs" \
    chain=new_extrnal action=mark-connection connection-mark=no-mark in-interface=ether1_WAN1 new-connection-mark=WAN1_conn passthrough=yes
add comment="Starlink APP Per VLAN" \
    chain=new_extrnal action=mark-connection connection-mark=no-mark dst-address-list=StarlinkDevIPs in-interface=VLAN20_Staff new-connection-mark=WAN1_conn passthrough=yes
add chain=new_extrnal action=mark-connection connection-mark=no-mark dst-address-list=StarlinkDevIPs in-interface=VLAN50_BASE new-connection-mark=WAN2_conn passthrough=yes
add comment="From LAN" \
    chain=new_extrnal action=jump connection-mark=no-mark jump-target=masq_load_balance
add comment="To/From Local" \
    chain=new_extrnal action=mark-connection connection-mark=no-mark new-connection-mark=Local_conn passthrough=yes
add comment="From Mikrotik" \
    chain=output action=jump connection-state=new jump-target=masq_load_balance
add comment="PCC LoadBalance" \
    chain=masq_load_balance action=mark-connection connection-mark=no-mark dst-address-list=\
    !Local_Networks new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add chain=masq_load_balance action=mark-connection connection-mark=no-mark dst-address-list=!Local_Networks \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add comment="Mark Route Table" \
    chain=output action=mark-routing connection-mark=WAN1_conn new-routing-mark=WAN1_route passthrough=yes
add chain=output action=mark-routing connection-mark=WAN2_conn new-routing-mark=WAN2_route passthrough=yes
/ip firewall nat
add comment="Default masquerade" \
    chain=srcnat action=masquerade out-interface-list=WAN
# Gateway requires both gateway IP and interface (at least for firmware v6)
/ip route
add check-gateway=ping distance=1 gateway=192.168.68.1%ether1_WAN1 routing-mark=WAN1_route
add check-gateway=ping distance=1 gateway=192.168.68.1%ether2_WAN2 routing-mark=WAN2_route
add check-gateway=ping distance=2 gateway=192.168.68.1%ether1_WAN1,192.168.68.1%ether2_WAN2
/system clock
set time-zone-name=America/Los_Angeles

Statistics: Posted by daves — Fri May 31, 2024 1:16 pm
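
A consistency check for the policy-routing part of a config like the one above, as an added example that is not part of the original post: in RouterOS a routing mark steers forwarded (LAN-to-WAN) packets only when it is set in the mangle prerouting path, while chain=output covers traffic that originates on the router itself. The Python below parses an export and lists routing marks that `/ip route` uses but no `mark-routing` rule reachable from prerouting sets. The sample is a constructed excerpt, the function names are made up here, and the check follows jumps but ignores each rule's match conditions.

```python
import re
import shlex

# Constructed excerpt modelled on the mangle and route rules posted above.
SAMPLE_EXPORT = r'''
/ip firewall mangle
add chain=prerouting action=jump connection-state=new jump-target=new_extrnal
add chain=new_extrnal action=jump connection-mark=no-mark jump-target=masq_load_balance
add chain=masq_load_balance action=mark-connection new-connection-mark=WAN1_conn
add comment="Mark Route Table" \
    chain=output action=mark-routing connection-mark=WAN1_conn new-routing-mark=WAN1_route
add chain=output action=mark-routing connection-mark=WAN2_conn new-routing-mark=WAN2_route
/ip route
add check-gateway=ping gateway=192.168.68.1%ether1_WAN1 routing-mark=WAN1_route
add check-gateway=ping gateway=192.168.68.1%ether2_WAN2 routing-mark=WAN2_route
'''

def parse_export(text):
    """Return {menu: [rule dict, ...]} for each 'add' line of a RouterOS export."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join backslash-continued lines
    rules, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.setdefault(menu, []).append(dict(pairs))
    return rules

def chains_from(mangle, chain, seen=None):
    """Chains reachable from `chain` through action=jump rules."""
    seen = seen if seen is not None else set()
    if chain not in seen:
        seen.add(chain)
        for r in mangle:
            if r.get("chain") == chain and r.get("action") == "jump":
                chains_from(mangle, r["jump-target"], seen)
    return seen

def unrouted_marks(text):
    """Routing marks used in /ip route that forwarded traffic can never receive."""
    rules = parse_export(text)
    mangle = rules.get("/ip firewall mangle", [])
    forwarded = chains_from(mangle, "prerouting")
    marked = {r.get("new-routing-mark") for r in mangle
              if r.get("action") == "mark-routing" and r.get("chain") in forwarded}
    return sorted({r.get("routing-mark") for r in rules.get("/ip route", [])} - marked - {None})

if __name__ == "__main__":
    print(unrouted_marks(SAMPLE_EXPORT))
```

On the constructed sample both marks are reported, because the only `mark-routing` rules sit in chain=output; traffic that never gets a routing mark follows whatever unmarked default route exists.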


