Port forwarding trouble with PCC load balancing (2024)

Hi, another experiment.
Configuration 1: PF-AIR disabled, port forwarding works fine, I can reach the internet. Obviously load balancing doesn't work.


# 2024-04-26 19:51:28 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size="30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 interface=ether1-PF_AIR name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value="' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC new-connection-mark=FTTC_conn
# PF-AIR not ready
add action=mark-connection chain=input in-interface=PF-AIR new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
# PF-AIR not ready
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Routing print:

Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
      DST-ADDRESS        GATEWAY              AFI   DISTANCE  SCOPE  TARGET-SCOPE
Av    0.0.0.0/0          PF-FTTC              ip4         11     30            10
Ac    83.136.110.254/32  PF-FTTC              ip4          0     10
Ac    172.16.0.0/16      bridge-LAN           ip4          0     10
Ac    192.168.2.0/24     ether2-TIM           ip4          0     10
Ac    192.168.10.0/24    vlan10-Ospiti        ip4          0     10
Ac    192.168.11.0/24    vlan11-IoT           ip4          0     10
Ac    192.168.12.0/24    ether5-LAN2          ip4          0     10
Ac    192.168.13.0/24    vlan13-Inaffidabile  ip4          0     10
Ac    192.168.216.0/24   back-to-home-vpn     ip4          0     10
As    0.0.0.0/0          PF-FTTC              ip4          1     30            10
UsH   0.0.0.0/0          PF-AIR               ip4          1     30            10
A H                      ether1-PF_AIR        link         0
A H                      ether2-TIM           link         0
A H                      ether5-LAN2          link         0
A H                      sfp1                 link         0
A H                      ether6               link         0
A H                      bridge-LAN           link         0
A H                      PF-FTTC              link         0
A H                      lo                   link         0
A H                      back-to-home-vpn     link         0
A H                      vlan10-Ospiti        link         0
A H                      vlan11-IoT           link         0
A H                      vlan13-Inaffidabile  link         0

Configuration 2: I enable PF-AIR, but NOT the first two mangle rules below:

[screenshot attachment: Schermata del 2024-05-05 10-28-32.png]

Results: load balancing works very well (speedtest.net gives 150 Mbit/s and 30 Mbit/s, so they are clearly being summed up), but port forwarding doesn't always work. Sometimes I can reach a server only through one particular connection (either PF-AIR or PF-FTTC, seemingly at random), sometimes I can't reach it at all, and sometimes it works through both. This changes within seconds.


# 2024-04-26 19:55:16 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size="30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 disabled=no interface=ether1-PF_AIR name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value="' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Deny SSH from WAN" dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Deny telnet from WAN" dst-port=23 in-interface-list=WAN protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=PF-AIR-Servers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=PF-FTTC-Servers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers new-routing-mark=to_AIR passthrough=no
add action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers new-routing-mark=to_FTTC passthrough=no
add action=mark-connection chain=input in-interface=PF-FTTC new-connection-mark=FTTC_conn
add action=mark-connection chain=input in-interface=PF-AIR new-connection-mark=AIR_conn
add action=mark-routing chain=output connection-mark=FTTC_conn new-routing-mark=to_FTTC
add action=mark-routing chain=output connection-mark=AIR_conn new-routing-mark=to_AIR
add action=mark-connection chain=prerouting comment="Ospiti solo AIR" dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=AIR_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=FTTC_conn in-interface=bridge-LAN new-routing-mark=to_FTTC
add action=mark-routing chain=prerouting connection-mark=AIR_conn in-interface=bridge-LAN new-routing-mark=to_AIR
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PF-FTTC
add action=masquerade chain=srcnat out-interface=PF-AIR
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=443
add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80
add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22
add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=10000
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=25565
add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=8123
add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22
/ip route
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=no
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PF-AIR pref-src="" routing-table=to_AIR suppress-hw-offload=no
/ip service
set www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=only-1.2
/ip smb shares
add directory=usb1-part1 name=USB1 valid-users=guest
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PF-AIR type=external
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
add name=J2 profile=default-encryption
/radius
add accounting-backup=yes address=172.16.20.216 comment=RADIUS service=ppp,login,hotspot,ipsec,dot1x
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik-VR
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.inrim.it
add address=ntp1.inrim.it
/tool graphing interface
add allow-address=172.16.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Routing print:


Flags: A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
        DST-ADDRESS        GATEWAY              AFI   DISTANCE  SCOPE  TARGET-SCOPE
Av  +   0.0.0.0/0          PF-AIR               ip4         11     30            10
Av  +   0.0.0.0/0          PF-FTTC              ip4         11     30            10
Ac      83.136.109.254/32  PF-AIR               ip4          0     10
Ac      83.136.110.254/32  PF-FTTC              ip4          0     10
Ac      172.16.0.0/16      bridge-LAN           ip4          0     10
Ac      192.168.2.0/24     ether2-TIM           ip4          0     10
Ac      192.168.10.0/24    vlan10-Ospiti        ip4          0     10
Ac      192.168.11.0/24    vlan11-IoT           ip4          0     10
Ac      192.168.12.0/24    ether5-LAN2          ip4          0     10
Ac      192.168.13.0/24    vlan13-Inaffidabile  ip4          0     10
Ac      192.168.216.0/24   back-to-home-vpn     ip4          0     10
As      0.0.0.0/0          PF-FTTC              ip4          1     30            10
As      0.0.0.0/0          PF-AIR               ip4          1     30            10
A H                        ether1-PF_AIR        link         0
A H                        ether2-TIM           link         0
A H                        ether5-LAN2          link         0
A H                        sfp1                 link         0
A H                        ether6               link         0
A H                        bridge-LAN           link         0
A H                        PF-FTTC              link         0

Configuration 3: same as config 2 but this time the two mangle rules below are enabled:

[screenshot attachment: Schermata del 2024-05-05 10-33-04.png]


# 2024-04-26 19:59:42 by RouterOS 7.14.3
# software id = Y09A-7J23
#
# model = RB3011UiAS
# serial number = 8EED09900013
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size="30 765 219 328" type=partition
/interface bridge
add admin-mac=B8:69:F4:98:60:FB auto-mac=no name=bridge-LAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-PF_AIR
set [ find default-name=ether2 ] name=ether2-TIM
set [ find default-name=ether5 ] name=ether5-LAN2
/interface wireguard
add comment=back-to-home-vpn listen-port=10434 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10
add interface=bridge-LAN name=vlan11-IoT vlan-id=11
add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13
/interface pppoe-client
add add-default-route=yes default-route-distance=11 disabled=no interface=ether1-PF_AIR name=PF-AIR user=air218@pianetafibra.it
add add-default-route=yes default-route-distance=11 disabled=no interface=sfp1 name=PF-FTTC use-peer-dns=yes user=fttc4250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=160 name=160_Polycom value="' http://172.16.20.215/provisioning/m1c2up6299fyn4'"
/ip pool
add name=dhcp ranges=172.16.30.2-172.16.30.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.12.2-192.168.12.254
add name=dhcp_pool3 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool4 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool5 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=23h59m59s name=LAN_DHCP
add address-pool=dhcp_pool2 interface=ether5-LAN2 name=LAN2_DHCP
add address-pool=dhcp_pool3 interface=vlan10-Ospiti name=Ospiti_DHCP
add address-pool=dhcp_pool4 interface=vlan11-IoT name=IoT_DHCP
add address-pool=dhcp_pool5 interface=vlan13-Inaffidabile name=Inaffidabile_DHCP
/ip smb users
add name=admin
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add comment="Limite Ospiti" max-limit=1M/7M name=Ospiti target=192.168.10.0/24
add comment="Limite AptDis" max-limit=1M/10M name=AptDis target=192.16.12.0/24
add comment="Limite Inaffidabile" max-limit=500k/5M name=Inaffidabile target=192.168.13.0/24
/routing table
add disabled=no fib name=to_FTTC
add disabled=no fib name=to_AIR
/ip smb
set comment=MIKROTIK domain=WORKGROUP interfaces=bridge-LAN
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf disabled=yes ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge-LAN tagged=vlan10-Ospiti,vlan11-IoT,vlan13-Inaffidabile vlan-ids=10,11,13
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=PF-FTTC list=WAN
add interface=PF-AIR list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=a-centauri cipher=blowfish128,aes256-cbc,aes256-gcm enabled=yes protocol=udp redirect-gateway=def1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=172.16.0.0
add address=192.168.12.1/24 comment=LAN2 interface=ether5-LAN2 network=192.168.12.0
add address=192.168.10.1/24 comment=Ospiti interface=vlan10-Ospiti network=192.168.10.0
add address=192.168.11.1/24 comment=IoT interface=vlan11-IoT network=192.168.11.0
add address=192.168.13.1/24 comment=Inaffidabile interface=vlan13-Inaffidabile network=192.168.13.0
add address=192.168.2.1/24 comment=TIM interface=ether2-TIM network=192.168.2.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=172.16.20.161 mac-address=BC:DD:C2:44:1E:DA server=LAN_DHCP
add address=172.16.20.233 client-id=1:b8:27:eb:f7:41:9f comment=Marconi mac-address=B8:27:EB:F7:41:9F server=LAN_DHCP
add address=172.16.30.244 dhcp-option=160_Polycom mac-address=64:16:7F:0B:F6:FA server=LAN_DHCP
add address=172.16.20.235 client-id=1:b8:27:eb:be:70:8f mac-address=B8:27:EB:BE:70:8F server=LAN_DHCP
add address=172.16.20.212 client-id=1:b8:27:eb:cf:86:71 mac-address=B8:27:EB:CF:86:71 server=LAN_DHCP
add address=172.16.25.42 client-id=1:0:60:35:6:f0:16 mac-address=00:60:35:06:F0:16 server=LAN_DHCP
add address=172.16.22.100 client-id=ff:11:e4:49:24:0:1:0:1:2d:a7:ed:cd:bc:24:11:e4:49:24 mac-address=BC:24:11:E4:49:24 server=LAN_DHCP
add address=172.16.20.215 client-id=1:bc:24:11:9e:f2:3 mac-address=BC:24:11:9E:F2:03 server=LAN_DHCP
add address=172.16.20.211 client-id=ff:11:6e:18:77:0:1:0:1:2d:a5:b3:f5:bc:24:11:6e:18:77 mac-address=BC:24:11:6E:18:77 server=LAN_DHCP
add address=172.16.20.230 comment=SunFire mac-address=00:03:BA:16:77:13 server=LAN_DHCP
add address=172.16.20.160 comment=Helios mac-address=D8:3A:DD:A7:D6:5E server=LAN_DHCP
add address=172.16.23.1 client-id=1:0:a0:c5:b9:35:b1 mac-address=00:A0:C5:B9:35:B1 server=LAN_DHCP
/ip dhcp-server network
add address=172.16.0.0/16 comment=LAN dns-server=172.16.20.211,172.16.20.210 gateway=172.16.20.1 netmask=16
add address=192.168.10.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.11.1
add address=192.168.12.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=172.16.20.211,172.16.20.210 gateway=192.168.13.1
/ip dns static
add address=172.16.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.20.230 comment=Sunfire list=MyServers
add address=172.16.20.220 comment=Minecraft list=MyServers
add address=172.16.20.218 comment=GLaDOS list=MyServers
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept
established,related, untracked" connection-state=\ established,related,untrackedadd action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalidadd action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WANadd action=drop chain=input comment="Deny SSH from WAN" dst-port=22 \ in-interface-list=WAN protocol=tcpadd action=drop chain=input comment="Deny telnet from WAN" dst-port=23 \ in-interface-list=WAN protocol=tcp/ip firewall mangleadd action=mark-connection chain=forward connection-mark=no-mark \ dst-address-list=MyServers in-interface=PF-AIR new-connection-mark=\ PF-AIR-Servers passthrough=yesadd action=mark-connection chain=forward connection-mark=no-mark \ dst-address-list=MyServers in-interface=PF-FTTC new-connection-mark=\ PF-FTTC-Servers passthrough=yesadd action=mark-routing chain=prerouting connection-mark=PF-AIR-Servers \ new-routing-mark=to_AIR passthrough=noadd action=mark-routing chain=prerouting connection-mark=PF-FTTC-Servers \ new-routing-mark=to_FTTC passthrough=noadd action=mark-connection chain=input in-interface=PF-FTTC \ new-connection-mark=FTTC_connadd action=mark-connection chain=input in-interface=PF-AIR \ new-connection-mark=AIR_connadd action=mark-routing chain=output connection-mark=FTTC_conn \ new-routing-mark=to_FTTCadd action=mark-routing chain=output connection-mark=AIR_conn \ new-routing-mark=to_AIRadd action=mark-connection chain=prerouting comment="Ospiti solo AIR" \ dst-address-type=!local in-interface=vlan10-Ospiti new-connection-mark=\ AIR_conn passthrough=yesadd action=mark-connection chain=prerouting comment="LAN2 solo PF-AIR" \ dst-address-type=!local in-interface=ether5-LAN2 new-connection-mark=\ AIR_conn passthrough=yesadd action=mark-connection chain=prerouting dst-address-type=!local \ in-interface=bridge-LAN new-connection-mark=FTTC_conn passthrough=yes \ 
per-connection-classifier=both-addresses-and-ports:2/0add action=mark-connection chain=prerouting dst-address-type=!local \ in-interface=bridge-LAN new-connection-mark=AIR_conn passthrough=yes \ per-connection-classifier=both-addresses-and-ports:2/1add action=mark-routing chain=prerouting connection-mark=FTTC_conn \ in-interface=bridge-LAN new-routing-mark=to_FTTCadd action=mark-routing chain=prerouting connection-mark=AIR_conn \ in-interface=bridge-LAN new-routing-mark=to_AIR/ip firewall natadd action=masquerade chain=srcnat out-interface=PF-FTTCadd action=masquerade chain=srcnat out-interface=PF-AIRadd action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\ 192.168.89.0/24add action=dst-nat chain=dstnat comment="SunFire HTTPS" dst-port=443 \ in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\ 443add action=dst-nat chain=dstnat comment="SunFire HTTP" dst-port=80 \ in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=80add action=dst-nat chain=dstnat comment="SunFire SSH" dst-port=2222 \ in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=22add action=dst-nat chain=dstnat comment="Webmin sunfire" dst-port=10000 \ in-interface-list=WAN protocol=tcp to-addresses=172.16.20.230 to-ports=\ 10000add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \ in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\ 25565add action=dst-nat chain=dstnat comment="Minecraft Dynmap" dst-port=8123 \ in-interface-list=WAN protocol=tcp to-addresses=172.16.20.220 to-ports=\ 8123add action=dst-nat chain=dstnat comment="SSH Pi5 Jvital" dst-port=52233 \ in-interface-list=WAN protocol=tcp to-addresses=172.16.20.160 to-ports=22/ip routeadd check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\ PF-FTTC pref-src="" routing-table=to_FTTC suppress-hw-offload=noadd check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\ PF-AIR pref-src="" routing-table=to_AIR 
suppress-hw-offload=no/ip serviceset www-ssl address=0.0.0.0/0 certificate=a-centauri disabled=no tls-version=\ only-1.2/ip smb sharesadd directory=usb1-part1 name=USB1 valid-users=guest/ip upnpset enabled=yes/ip upnp interfacesadd interface=PF-AIR type=external/ppp aaaset use-radius=yes/ppp secretadd name=vpnadd name=J2 profile=default-encryption/radiusadd accounting-backup=yes address=172.16.20.216 comment=RADIUS service=\ ppp,login,hotspot,ipsec,dot1x/routing bfd configurationadd disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5/system clockset time-zone-name=Europe/Rome/system identityset name=MikroTik-VR/system noteset show-at-login=no/system ntp clientset enabled=yes/system ntp serverset enabled=yes use-local-clock=yes/system ntp client serversadd address=time.inrim.itadd address=ntp1.inrim.it/tool graphing interfaceadd allow-address=172.16.0.0/16/tool mac-serverset allowed-interface-list=LAN/tool mac-server mac-winboxset allowed-interface-list=LAN

Routing table:

Code:

[admin@MikroTik-VR] > /routing/route/print
Flags: A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE
      DST-ADDRESS         GATEWAY              AFI   DISTANCE  SCOPE  TARGET-SCOPE
Av +  0.0.0.0/0           PF-AIR               ip4         11     30            10
Av +  0.0.0.0/0           PF-FTTC              ip4         11     30            10
Ac    83.136.109.254/32   PF-AIR               ip4          0     10
Ac    83.136.110.254/32   PF-FTTC              ip4          0     10
Ac    172.16.0.0/16       bridge-LAN           ip4          0     10
Ac    192.168.2.0/24      ether2-TIM           ip4          0     10
Ac    192.168.10.0/24     vlan10-Ospiti        ip4          0     10
Ac    192.168.11.0/24     vlan11-IoT           ip4          0     10
Ac    192.168.12.0/24     ether5-LAN2          ip4          0     10
Ac    192.168.13.0/24     vlan13-Inaffidabile  ip4          0     10
Ac    192.168.216.0/24    back-to-home-vpn     ip4          0     10
As    0.0.0.0/0           PF-FTTC              ip4          1     30            10
As    0.0.0.0/0           PF-AIR               ip4          1     30            10
A H                       ether1-PF_AIR        link         0
A H                       ether2-TIM           link         0
A H                       ether5-LAN2          link         0
A H                       sfp1                 link         0
A H                       ether6               link         0
A H                       bridge-LAN           link         0
A H                       PF-FTTC              link         0

If I use the connection tracker, I see some of what I believe are incoming port forwarding connections (that I initiated from my phone) get stuck in TIMED WAIT.

[attached screenshot: Schermata del 2024-05-05 10-38-43.png]

Thanks again

