Channel: MikroTik

Beginner Basics • can't ping from the router

Hi,
I am new to MikroTik and am trying to set up a multi-WAN load-balancing network. I got the load balancing working and am now trying to set up WireGuard with IP Cloud; this is when I found out that the router can't ping outside, while a PC on the network can. Can someone help me have a look at this, and maybe give me some suggestions on the firewall as well? I don't know if that is enough.
Thanks.
Code:
# 2024-02-01 02:12:55 by RouterOS 7.10.2
# software id = 2KKG-QJS4
#
# model = RB5009UG+S+
# serial number = HDD0865R1CF
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] disabled=yes name=LAN2
set [ find default-name=ether3 ] disabled=yes name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=sfp-sfpplus1 ] name=LANs
set [ find default-name=ether5 ] name=WAN1
set [ find default-name=ether6 ] name=WAN2
set [ find default-name=ether7 ] name=WAN3
set [ find default-name=ether8 ] name=WAN4
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN_list
add name=LAN_list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool interface=bridge lease-time=10m name=dhcp
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=to_WAN4
/interface bridge port
add bridge=bridge interface=LAN_list
/ip neighbor discovery-settings
set discover-interface-list=LAN_list
/interface list member
add interface=WAN1 list=WAN_list
add interface=WAN2 list=WAN_list
add interface=WAN3 list=WAN_list
add interface=WAN4 list=WAN_list
add interface=LANs list=LAN_list
add interface=LAN1 list=LAN_list
add interface=LAN2 list=LAN_list
add interface=LAN4 list=LAN_list
add interface=LAN3 list=LAN_list
add interface=wireguard1 list=LAN_list
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add interface=WAN1 script=":local cWANIP [/ip address get [find interface=\"WA\
    N1\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan1##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan1##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan1##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan1##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN1 suppress-hw-offload=no comment=\"##ro\
    utewan1##\";\r\
    \nadd distance=1 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan1##\";\r\
    \n"
add interface=WAN2 script=":local cWANIP [/ip address get [find interface=\"WA\
    N2\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan2##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan2##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan2##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan2##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN2 suppress-hw-offload=no comment=\"##ro\
    utewan2##\";\r\
    \nadd distance=2 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan2##\";\r\
    \n"
add interface=WAN3 script=":local cWANIP [/ip address get [find interface=\"WA\
    N3\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan3##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan3##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan3##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan3##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN3 suppress-hw-offload=no comment=\"##ro\
    utewan3##\";\r\
    \nadd distance=3 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan3##\";"
add interface=WAN4 script=":local cWANIP [/ip address get [find interface=\"WA\
    N4\"] address];\r\
    \n/ip firewall mangle remove [find comment=\"##firewallwan4##\"];\r\
    \n/ip firewall mangle add chain=prerouting dst-address= \$cWANIP in-interf\
    ace-list=LAN_list action=accept comment=\"##firewallwan4##\";\r\
    \n/ip firewall mangle move [find comment=\"##firewallwan4##\"] 4;\r\
    \n\r\
    \n/ip route\r\
    \nremove [find comment=\"##routewan4##\"];\r\
    \nadd check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\$\"gat\
    eway-address\" routing-table=to_WAN4 suppress-hw-offload=no comment=\"##ro\
    utewan4##\";\r\
    \nadd distance=4 dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" comme\
    nt=\"##routewan4##\";"
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.88.0/24 list=ipool
add address=192.168.100.0/24 list=ipool
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address-list=ipool
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN_list
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface-list=LAN_list log=yes log-prefix=\
    !public_from_LAN out-interface-list=!LAN_list
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=LAN_list log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    LAN_list log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=\
    LAN_list log=yes log-prefix=LAN_!LAN src-address-list=!ipool
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=RFC1918 src-address-list=\
    RFC1918
add action=accept chain=prerouting comment=##firewallwan3## dst-address=\
    218.250.160.0/24 in-interface-list=LAN_list
add action=accept chain=prerouting comment=##firewallwan1## dst-address=\
    42.98.99.0/24 in-interface-list=LAN_list
add action=accept chain=prerouting comment=##firewallwan2## dst-address=\
    112.119.218.0/24 in-interface-list=LAN_list
add action=accept chain=prerouting comment=##firewallwan4## dst-address=\
    218.250.160.0/24 in-interface-list=LAN_list
add action=mark-connection chain=input connection-state=new in-interface=WAN1 \
    new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=input connection-state=new in-interface=WAN2 \
    new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=input connection-state=new in-interface=WAN3 \
    new-connection-mark=WAN3_conn passthrough=no
add action=mark-connection chain=input connection-state=new in-interface=WAN4 \
    new-connection-mark=WAN4_conn passthrough=no
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN3_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN4_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN1_conn passthrough=no per-connection-classifier=\
    both-addresses:4/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN2_conn passthrough=no per-connection-classifier=\
    both-addresses:4/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN3_conn passthrough=no per-connection-classifier=\
    both-addresses:4/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN_list \
    new-connection-mark=WAN4_conn passthrough=no per-connection-classifier=\
    both-addresses:4/3
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4_conn \
    new-routing-mark=to_WAN4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
    in-interface-list=LAN_list new-routing-mark=to_WAN4 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1 src-address-list=\
    RFC1918
add action=masquerade chain=srcnat out-interface=WAN2 src-address-list=\
    RFC1918
add action=masquerade chain=srcnat out-interface=WAN3 src-address-list=\
    RFC1918
add action=masquerade chain=srcnat out-interface=WAN4 src-address-list=\
    RFC1918
/ip route
add check-gateway=ping comment=##routewan3## disabled=no dst-address=\
    0.0.0.0/0 gateway=218.250.160.254 routing-table=to_WAN3 \
    suppress-hw-offload=no
add comment=##routewan3## distance=3 dst-address=0.0.0.0/0 gateway=\
    218.250.160.254
add check-gateway=ping comment=##routewan1## disabled=no dst-address=\
    0.0.0.0/0 gateway=42.98.99.254 routing-table=to_WAN1 suppress-hw-offload=\
    no
add comment=##routewan1## distance=1 dst-address=0.0.0.0/0 gateway=\
    42.98.99.254
add check-gateway=ping comment=##routewan2## disabled=no dst-address=\
    0.0.0.0/0 gateway=112.119.218.254 routing-table=to_WAN2 \
    suppress-hw-offload=no
add comment=##routewan2## distance=2 dst-address=0.0.0.0/0 gateway=\
    112.119.218.254
add check-gateway=ping comment=##routewan4## disabled=no dst-address=\
    0.0.0.0/0 gateway=218.250.160.254 routing-table=to_WAN4 \
    suppress-hw-offload=no
add comment=##routewan4## distance=4 dst-address=0.0.0.0/0 gateway=\
    218.250.160.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=\
    yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface-list=!LAN_list \
    protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface-list=\
    !LAN_list src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
/system clock
set time-zone-name=Asia/Hong_Kong
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN_list
/tool mac-server mac-winbox
set allowed-interface-list=LAN_list
config.rsc

Statistics: Posted by dpong01 — Wed Jan 31, 2024 10:02 pm


