Sorry for posting a common question. I searched the forums last night, googled for a bit and even watched a few YT videos but nothing seemed to work in my test lab. I'm using a newer rOS than the videos and I'm not sure if that's preventing me from getting this to work or not. I ended up wiping the MikroTik a few times and starting from scratch.
I'm a newbie, so go easy on me in the responses heh.
I need a specific configuration as follows that includes
WAN1=Dynamic IP from ISP
WAN2=Dynamic IP from ISP
LAN1=192.168.1.0/24 (bridge 1)
LAN2=192.168.2.0/24 (bridge 2)
I need LAN1 to go out WAN1 only
I need LAN2 to go out WAN2 only.
I need LAN1 and LAN2 to be able to 'talk' to each other.
I've got the dual WAN (2 DHCP clients) and the LAN1/2 DHCP servers working correctly; addresses and pools are all correct. My issue, I believe, is in the routing and the mangles. Where I'm failing is this: if I unplug the WAN1 uplink, LAN1 can find WAN2 and reach the internet, and vice versa. If I plug in WAN1 and unplug WAN2, LAN2 can find WAN1. The equipment on LAN2 needs to go out to WAN2 only. First question: how can I stop the LANs from finding the internet on the opposite WAN?
The second question I have is: do I need two sets of rules for the firewall? Do I need one set to manage/protect WAN1 incoming traffic and another set (an exact copy) to manage/protect WAN2? I know this slows down the router with additional processing, and even though the router can handle it, I'd like to make it as efficient as possible.
Sorry for asking a simple question. I tried for most of yesterday, but most of the walkthroughs and videos I found used older OS failovers and I can't use that.
This test lab is using a hEX. The actual firewall will be much more powerful, with more ports. I can change the configuration and scale up for additional ports.
Port 1 = ISP1
Port 2-3 = bridge1
Port 4 = ISP2
Port 5 = bridge 2
I reset the MikroTik configuration and quickly re-did the following configuration. It excludes any routing, NAT or mangle rules, which I'm hoping I can get some advice on. I kept the original firewall rules to help with answering question 2. The real firewall will have custom rules, but I'm not sure how to address protecting WAN2 incoming traffic.
Hopefully this is clear and concise, thank you for your help.
Code:
# 1970-01-02 00:13:26 by RouterOS 7.13.2
# software id = APXL-TNNK
#
# model = RB760iGS
# serial number = [redacted]
/interface bridge
add admin-mac=[redacted] auto-mac=no comment=defconf name=bridge1
add name=bridge2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP1
set [ find default-name=ether4 ] name=ether4-ISP2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp1 ranges=192.168.1.20-192.168.1.89
add name=dhcp2 ranges=192.168.2.20-192.168.2.89
/ip dhcp-server
add address-pool=dhcp1 interface=bridge1 lease-time=10m name=dhcp1
add address-pool=dhcp2 interface=bridge2 lease-time=10m name=dhcp2
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge2 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1-ISP1 list=WAN
add interface=ether4-ISP2 list=WAN
add interface=bridge2 list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1-ISP1
add interface=ether4-ISP2
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
Statistics: Posted by jjw2008 — Tue Jan 23, 2024 12:49 am
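Added example, not part of jjw2008's post or export: one way to get the strict per-LAN WAN binding asked for in question 1 on RouterOS 7, using routing tables and routing rules rather than mangle marks, on top of the interface, bridge and subnet names from the export above. The table names (to_ISP1, to_ISP2), the route comments and the DHCP-client scripts are assumptions of this example. The fallback described in the post is what the posted config produces: both DHCP clients install a default route into the main table, and every LAN host is routed through main, so whichever default route is still present gets used. A routing rule with action=lookup-only-in-table never falls back to main, so a LAN whose own table has lost its default route simply has no route to the internet.

```routeros
# Added example (not from the original post). Names to_ISP1/to_ISP2, the route
# comments and the dhcp-client scripts are assumptions of this example.

# 1. One routing table per ISP. "fib" makes the table usable for forwarding.
/routing table
add name=to_ISP1 fib
add name=to_ISP2 fib

# 2. Each DHCP client installs the gateway it received as the default route of
#    ITS OWN table and removes it when the lease goes away, using the dhcp-client
#    script hook: $bound is 1 on bind/renew and 0 on release/expiry, and
#    $"gateway-address" is the gateway the ISP handed out. add-default-route=yes
#    is kept so main still has a default route for the router's own traffic (DNS
#    resolver, NTP, updates); ISP1 is preferred there via the lower distance.
#    LAN traffic never reaches main's default routes because of step 3.
/ip dhcp-client
set [ find interface=ether1-ISP1 ] add-default-route=yes default-route-distance=1 \
    script=":if (\$bound=1) do={ /ip route remove [ find comment=\"ISP1-default\" ]; /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-table=to_ISP1 comment=\"ISP1-default\" } else={ /ip route remove [ find comment=\"ISP1-default\" ] }"
set [ find interface=ether4-ISP2 ] add-default-route=yes default-route-distance=2 \
    script=":if (\$bound=1) do={ /ip route remove [ find comment=\"ISP2-default\" ]; /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-table=to_ISP2 comment=\"ISP2-default\" } else={ /ip route remove [ find comment=\"ISP2-default\" ] }"

# 3. Policy. Rules are evaluated top to bottom. The two dst-address rules come
#    first: the LAN subnets (and the router's own bridge addresses) exist only as
#    connected routes in main, so LAN1<->LAN2 and LAN->router must be looked up
#    there. Everything else from a LAN is looked up ONLY in that LAN's table;
#    an empty table means "no route", not "try main".
/routing rule
add dst-address=192.168.1.0/24 action=lookup table=main comment="to LAN1: use main (connected route)"
add dst-address=192.168.2.0/24 action=lookup table=main comment="to LAN2: use main (connected route)"
add src-address=192.168.1.0/24 action=lookup-only-in-table table=to_ISP1 comment="LAN1 -> ISP1 only, no fallback"
add src-address=192.168.2.0/24 action=lookup-only-in-table table=to_ISP2 comment="LAN2 -> ISP2 only, no fallback"

# 4. Question 2: nothing to duplicate in /ip firewall. The defconf rules match
#    on the WAN and LAN interface lists (in-interface-list=WAN, !LAN,
#    out-interface-list=WAN), and ether4-ISP2 is already a member of WAN in the
#    export, so the one set of input/forward rules and the one masquerade rule
#    already cover both uplinks.
```

To check it, run `/ip route print where routing-table=to_ISP1` (and the same for to_ISP2) after both leases are up; each table should hold exactly one 0.0.0.0/0 route with that ISP's gateway. Then pull the WAN1 cable: the ISP1-default route should disappear from to_ISP1, LAN1 hosts should lose internet while still reaching 192.168.2.x, and LAN2 should be unaffected. If your RouterOS release's DHCP client can place its default route directly into a named routing table, use that instead of the script. This approach also coexists with the defconf fasttrack rule, because the decision is made by routing rules on the packet's source address; a mangle-based mark-routing design needs extra care, since fasttracked packets skip mangle and would not carry the routing mark.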