
General • Dual-WAN PPPoE client

7.14.1 on RB4011iGS+ r2 (not complicated setup)
Code:
# 2024-03-23 10:05:45 by RouterOS 7.14.1
# software id = 5WSQ-IVBW
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add arp=proxy-arp ingress-filtering=no name=bridge port-cost-mode=short \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] name=sfp1
/interface l2tp-server
add name=L2TP-VPN user=
/interface vlan
add interface=bridge mtu=1480 name=vlan21 vlan-id=21
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan99 vlan-id=99
add interface=bridge name=vlan100 vlan-id=100
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 \
    max-mtu=1480 name=pppoe-out1 user=
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.5-192.168.88.148
add name=dhcp-pool99 ranges=192.168.99.2-192.168.99.22
add name=dhcp-pool100 ranges=192.168.100.2-192.168.100.10
add name=L2TP ranges=192.168.88.150-192.168.88.160
add name=dhcp-pool21 ranges=192.168.21.2-192.168.21.6
/ip dhcp-server
add address-pool=dhcp-pool99 authoritative=after-2sec-delay interface=\
    vlan99 lease-time=1d name=dhcp-vlan99
add address-pool=dhcp-pool100 interface=vlan100 lease-time=1w3d name=\
    dhcp-vlan100
add address-pool=dhcp-pool21 authoritative=after-2sec-delay bootp-support=\
    none interface=vlan21 name=dhcp-vlan21
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge disabled=yes interface=\
    ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 \
    path-cost=10 pvid=100
add bridge=bridge interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge  interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=30m
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/interface bridge vlan
add bridge=bridge vlan-ids=1
add bridge=bridge tagged=ether2,sfp1,bridge vlan-ids=99
add bridge=bridge tagged=ether2,sfp1,bridge vlan-ids=100
add bridge=bridge tagged=bridge,ether2,sfp1 vlan-ids=50
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
add address=192.168.21.1/29 interface=vlan21 network=192.168.21.0
/ip dhcp-client
add disabled=yes interface=ether1
add comment=defconf disabled=yes interface=ether1
/ip firewall address-list
add address=192.168.88.0/24 list=internal
add address=31.221.37.130 list=Whitelist
add address=198.199.104.26 list=banned
add address=118.123.105.90 list=banned
/ip firewall filter
add action=log chain=- comment=\
    ----------------------input--------------------------------
add action=drop chain=input comment="Drop VPN attempts" src-address-list=\
    banned
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Allow L2TP VPN" in-interface=\
    pppoe-out1 log=yes log-prefix=--vpn-in-1st-- port=500,1701,4500 protocol=\
    udp
add action=accept chain=input comment="Allow IPsec ESP" in-interface=\
    pppoe-out1 log=yes log-prefix=--vpn-in-esp-- protocol=ipsec-esp
add action=accept chain=input comment=\
    "Remote access to SSL Mikrotik webif & WinBox" dst-port=443,8291 log=yes \
    protocol=tcp src-address-list=Whitelist
add action=accept chain=input comment=\
    "VPN access to SSL Mikrotik webif & WinBox" dst-port=443,8291 log=yes \
    log-prefix=--VPN-remote-access-- protocol=tcp src-address=192.168.88.161
add action=accept chain=input comment="defconf: accept ICMP (internal)" \
    disabled=yes protocol=icmp src-address-list=internal
add action=accept chain=input comment="Local access to SSH" disabled=yes \
    dst-port=22 protocol=tcp src-address=192.168.88.98
add action=accept chain=input comment="Requests to Mikrotik DNS server (LAN)" \
    disabled=yes dst-port=53 in-interface-list=LAN log=yes log-prefix=--DNS-- \
    protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix="--not lan--"
add action=log chain=- comment=\
    -----------------------forward-------------------------------
add action=accept chain=forward log=yes log-prefix=--Yealink-- src-address=\
    192.168.21.2
# L2TP-VPN not ready
add action=accept chain=forward comment="VPN to LAN" in-interface=L2TP-VPN \
    log=yes log-prefix=--vpn-to-lan-- out-interface=bridge
# L2TP-VPN not ready
add action=accept chain=forward comment="LAN to VPN" in-interface=bridge log=\
    yes log-prefix=--lan-to-vpn-- out-interface=L2TP-VPN
# L2TP-VPN not ready
add action=accept chain=forward comment="VPN to Internet" in-interface=\
    L2TP-VPN log=yes log-prefix=--vpn-out-- out-interface=pppoe-out1
# L2TP-VPN not ready
add action=accept chain=forward comment="Internet to VPN" in-interface=\
    pppoe-out1 log=yes log-prefix=--vpn-in-- out-interface=L2TP-VPN
add action=log chain=- comment=\
    ------------------------------------------------------
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=log chain=- comment=\
    ------------------------------------------------------
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "--WAN drop--"
add action=drop chain=forward comment=\
    "Disable Guest VLAN to anywhere but Internet" in-interface=\
    vlan99 out-interface=!pppoe-out1
add action=drop chain=forward comment="Drop all other" disabled=yes \
    log-prefix="--Drop all other--" out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out1 out-interface-list=WAN
add action=dst-nat chain=dstnat comment="VNC" dst-port=5900 log=yes \
    protocol=tcp src-address-list=Whitelist to-addresses=192.168.88.25 \
    to-ports=5900
add action=dst-nat chain=dstnat comment="Z web" dst-port=9001 protocol=\
    tcp src-address-list=Whitelist to-addresses=192.168.88.11 to-ports=80
add action=dst-nat chain=dstnat comment="Zgemma stream" dst-port=8082 \
    protocol=tcp src-address-list=Whitelist to-addresses=192.168.88.11 \
    to-ports=8001
add action=dst-nat chain=dstnat comment="VM Minecraft Server" dst-port=\
    27165 log=yes log-prefix=--mc- protocol=tcp to-addresses=192.168.88.50 \
    to-ports=25565
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.2.10/32 gateway=ether1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=sc_WC disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=***** profile=default-encryption remote-address=192.168.88.161 \
    service=l2tp
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=xx.xx.xx.xx
add address=yy.yy.yy.y
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
Currently have a single ISP1 with:

- external traffic to the router itself, aka VPN L2TP
- external traffic to the LAN, aka port forwarding to LAN server(s)
- traffic entering/leaving the router by VPN

I will get ISP2 (also PPPoE client) added and temporary requirements are:

- external traffic to the router itself, aka VPN, to stay on ISP1 (unchanged)
- traffic entering/leaving the router by VPN to stay on ISP1 (unchanged)

- external traffic to the LAN, aka port forwarding to LAN server(s), to be split between ISP1 & ISP2 (depending on inbound WAN / NAT)

No need for load balancing, most traffic to go out on ISP2 with only a couple of clients to go out on ISP1 (via Policy Routing with src-address I assume)

I am trying to pre-prepare the config, as I do not want much downtime when the second line gets connected

So far I think that these are really helpful:
viewtopic.php?t=179853#
viewtopic.php?t=203165

But if somebody has good pointers on config with ISP2 added to the mix, it would be most appreciated

Thanks

sebus

Statistics: Posted by sebus46 — Sat Mar 23, 2024 12:23 pm
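One way to pre-stage the ISP2 side of the requirements listed in the post, in RouterOS 7 syntax, as an added example that is not part of the original post or of any forum reply. Everything beyond the poster's export is an assumption: ISP2's PPPoE session is assumed to come in on ether10 (the only port in the export that is neither a bridge port nor in use by pppoe-out1) and is named pppoe-out2; the per-ISP routing tables are named via-isp1 and via-isp2; the LAN hosts that must keep leaving via ISP1 are listed in an address list named out-via-isp1 with an example host 192.168.88.20; which existing port forward is pinned to which WAN (VNC on ISP1, Minecraft on ISP2) is illustrative only; the PPPoE credentials are placeholders. The mechanism is the usual one: mark each connection with the WAN it arrived on in prerouting (before dst-nat and before the input chain sees it), then route replies by that mark, plus a source-based mark for the few clients pinned to ISP1.

```routeros
# Added example, not from the original post. Assumptions: ISP2 on ether10 as
# pppoe-out2, tables via-isp1/via-isp2, address list out-via-isp1, placeholder
# credentials. pppoe-out2 is left disabled so this can be staged in advance.

# --- second WAN; default routes are managed by hand below, on both sessions
/interface pppoe-client
add add-default-route=no disabled=yes interface=ether10 keepalive-timeout=60 \
    max-mtu=1480 name=pppoe-out2 user=isp2-user password=isp2-pass \
    comment="enable once the ISP2 line is live"
/interface list member
add interface=pppoe-out2 list=WAN

# --- one FIB table per ISP; main table prefers ISP2 and falls back to ISP1.
# Routes whose gateway interface is down are simply inactive, so until
# pppoe-out2 is enabled everything still leaves via pppoe-out1 (distance 2).
/routing table
add name=via-isp1 fib
add name=via-isp2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=via-isp1
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=via-isp2
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=main distance=1
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=main distance=2
# only now drop the dynamic default route pppoe-out1 has been adding
/interface pppoe-client
set [ find name=pppoe-out1 ] add-default-route=no

# --- remember which WAN a connection arrived on, then send replies back there.
# The connection mark is set on the first packet in prerouting, i.e. before
# dst-nat, so it covers port forwards and traffic to the router itself (L2TP).
/ip firewall mangle
add chain=prerouting in-interface=pppoe-out1 connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=conn-isp1 passthrough=yes
add chain=prerouting in-interface=pppoe-out2 connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=conn-isp2 passthrough=yes
# replies from LAN servers behind the port forwards
add chain=prerouting in-interface-list=LAN connection-mark=conn-isp1 \
    action=mark-routing new-routing-mark=via-isp1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=conn-isp2 \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no
# replies generated by the router itself (VPN, WinBox/WebFig from the Whitelist)
add chain=output connection-mark=conn-isp1 \
    action=mark-routing new-routing-mark=via-isp1 passthrough=no
add chain=output connection-mark=conn-isp2 \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no
# the couple of LAN clients that must leave via ISP1 (policy routing by source).
# Restricting to non-192.168.0.0/16 destinations keeps inter-VLAN and
# router-bound traffic in the main table, where the connected routes live.
add chain=prerouting in-interface-list=LAN src-address-list=out-via-isp1 \
    dst-address=!192.168.0.0/16 connection-mark=no-mark \
    action=mark-routing new-routing-mark=via-isp1 passthrough=no
/ip firewall address-list
add address=192.168.88.20 list=out-via-isp1 comment="example host kept on ISP1"

# --- NAT. The existing masquerade rule matches out-interface=pppoe-out1 AND
# out-interface-list=WAN, so it would never fire for pppoe-out2: drop the
# interface match and keep the list.
/ip firewall nat
set [ find comment="defconf: masquerade" ] !out-interface out-interface-list=WAN
# split the port forwards by inbound WAN. in-interface also stops a dst-nat
# rule that matches only on dst-port from catching LAN-originated traffic.
set [ find comment="VNC" ] in-interface=pppoe-out1
set [ find comment="VM Minecraft Server" ] in-interface=pppoe-out2

# --- filter rules that name pppoe-out1 explicitly need the WAN list instead,
# otherwise the guest VLAN would be blocked from reaching the internet via ISP2
/ip firewall filter
set [ find comment="Disable Guest VLAN to anywhere but Internet" ] \
    !out-interface out-interface-list=!WAN
# fasttracked packets bypass mangle, so only fasttrack unmarked connections;
# marked ones stay on the normal path and keep their routing mark
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark
```

The two input-chain rules that accept L2TP/IPsec name pppoe-out1 explicitly, so the VPN stays reachable on ISP1 only, which is what the post asks for; the output-chain marks above are what keep its replies on ISP1 once ISP2 carries the main-table default route. The "defconf: drop all from WAN not DSTNATed" rule already matches on in-interface-list=WAN and therefore covers pppoe-out2 as soon as it is a member of that list. No load balancing is attempted: the main table has a single preferred default route and the per-ISP tables exist only to honour connection and source marks.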


