trintrin
just joined
Topic Author
Posts: 13
Joined: Thu Jul 11, 2024 2:15 pm

Rate my config

Fri Jan 03, 2025 11:52 am

I am quite new to networking stuff; I want to know from veterans whether this is a good or bad configuration.

For context, this is a testing configuration for a school kinda setup.
# 2025-01-04 12:05:19 by RouterOS 7.16.2
# software id = 
#
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=test_ppp1
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether2 name=pppoe-out2 user=test_ppp2
add add-default-route=yes default-route-distance=3 disabled=no interface=\
    ether1 name=pppoe-out3 user=test_ppp3
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
add interface=bridge1 name=Office vlan-id=20
add interface=bridge1 name=PublicPC vlan-id=30
add interface=bridge1 name=PublicWIFI vlan-id=60
add interface=bridge1 name=Server vlan-id=10
add interface=bridge1 name=StaffWIFI vlan-id=40
add interface=bridge1 name=StudentsWIFI vlan-id=50
/interface list
add name=LAN
add name=WAN
/ip pool
add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool1 ranges=192.168.20.10-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.60.2-192.168.61.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool6 ranges=192.168.50.2-192.168.50.254
/routing table
add disabled=no fib name=cloud
add disabled=no fib name=to-wan1
add disabled=no fib name=to-wan2
add disabled=no fib name=to-wan3
/interface bridge port
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=MGMT list=LAN
add interface=Office list=LAN
add interface=PublicPC list=LAN
add interface=PublicWIFI list=LAN
add interface=Server list=LAN
add interface=StaffWIFI list=LAN
add interface=StudentsWIFI list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.32.2/32 interface=wireguard1 name=peer1 \
    public-key="WBKN9fZA/5+zwSzSa21PN50QigvzHzmsFbtMqhnCsiY="
/ip address
add address=192.168.99.1/24 interface=MGMT network=192.168.99.0
add address=192.168.20.1/24 interface=Office network=192.168.20.0
add address=192.168.30.1/24 interface=PublicPC network=192.168.30.0
add address=192.168.60.1/23 interface=PublicWIFI network=192.168.60.0
add address=192.168.10.1/24 interface=Server network=192.168.10.0
add address=192.168.40.1/24 interface=StaffWIFI network=192.168.40.0
add address=192.168.50.1/24 interface=StudentsWIFI network=192.168.50.0
add address=192.168.32.1/24 interface=wireguard1 network=192.168.32.0
/ip dhcp-server
add address-pool=dhcp_pool0 interface=MGMT name=dhcp1
add address-pool=dhcp_pool1 interface=Office name=dhcp2
add address-pool=dhcp_pool2 interface=PublicPC name=dhcp3
add address-pool=dhcp_pool3 interface=PublicWIFI name=dhcp4
add address-pool=dhcp_pool4 interface=Server name=dhcp5
add address-pool=dhcp_pool5 interface=StaffWIFI name=dhcp6
add address-pool=dhcp_pool6 interface=StudentsWIFI name=dhcp7
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/23 gateway=192.168.60.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip firewall address-list
add address=cloud.mikrotik.com list=mikrotik-cloud
add address=cloud2.mikrotik.com list=mikrotik-cloud
add address=dnnsname list=wan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All" disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=mikrotik-cloud \
    new-routing-mark=cloud passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan1_conn passthrough=yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan2_conn passthrough=yes per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan3_conn passthrough=yes per-connection-classifier=src-address:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=to-wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=to-wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
    new-routing-mark=to-wan3 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp src-address-list=\
    wan to-addresses=192.168.10.2 to-ports=8080
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=cloud \
    suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-table=cloud scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 \
    routing-table=cloud scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 routing-table=to-wan1 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out2 routing-table=to-wan2 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out3 routing-table=to-wan3 scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user settings
set minimum-categories=2 minimum-password-length=8
Last edited by trintrin on Sat Jan 04, 2025 2:06 pm, edited 2 times in total.
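As an added example (not code from this thread or from MikroTik), here is a small Python script that parses an export like the one above and flags the things the replies pick at: two pppoe-clients bound to the same ether port, masquerade and WAN-list entries that name the carrier port rather than the pppoe interface (PPPoE traffic leaves through pppoe-outN, so those entries never match), and an input chain whose final drop rule is disabled. The embedded sample is a trimmed copy of the sections above; the parser assumes only the export syntax shown there (sections starting with `/`, `add`/`set` lines, `key=value` tokens, backslash line continuation).

```python
"""Parse a RouterOS '/export' dump and run a few sanity checks on it.

Added example; not code from the thread. The parser only understands the
export syntax used in the posted config.
"""
import shlex
from collections import defaultdict

# Constructed sample: a trimmed copy of the sections from the posted config
# that the checks below look at.
SAMPLE_EXPORT = r"""
# 2025-01-04 12:05:19 by RouterOS 7.16.2
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=test_ppp1
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether2 name=pppoe-out2 user=test_ppp2
add add-default-route=yes default-route-distance=3 disabled=no interface=\
    ether1 name=pppoe-out3 user=test_ppp3
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=MGMT list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All" disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
"""


def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value plus '_cmd'."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        piece = line.lstrip() if buf else line   # continuation lines are indented
        if piece.endswith("\\"):
            buf += piece[:-1]                     # keeps the space before '\' if any
            continue
        logical.append(buf + piece)
        buf = ""
    sections, section = defaultdict(list), None
    for line in logical:
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)               # handles quoted comment="..."
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return dict(sections)


def audit(cfg):
    """Findings for the problems raised in the thread, as plain strings."""
    findings = []
    parents = defaultdict(list)                  # carrier port -> pppoe clients on it
    for e in cfg.get("/interface pppoe-client", []):
        parents[e.get("interface")].append(e.get("name"))
    for port, names in parents.items():
        if len(names) > 1:
            findings.append(f"pppoe clients {names} share parent port {port}")
    # Traffic on a PPPoE link leaves through pppoe-outN, not the carrier port,
    # so masquerade / WAN-list entries naming the carrier port never match it.
    for e in cfg.get("/ip firewall nat", []):
        if e.get("action") == "masquerade" and e.get("out-interface") in parents:
            findings.append(f"masquerade names carrier port {e['out-interface']} "
                            "instead of its pppoe interface")
    for e in cfg.get("/interface list member", []):
        if e.get("list") == "WAN" and e.get("interface") in parents:
            findings.append(f"WAN list member {e['interface']} is a PPPoE carrier port")
    inp = [e for e in cfg.get("/ip firewall filter", []) if e.get("chain") == "input"]
    if not inp or inp[-1].get("action") != "drop" or inp[-1].get("disabled") == "yes":
        findings.append("input chain has no active final drop rule")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

Run against the sample it reports six findings: the shared ether1, two masquerade rules and two WAN members naming carrier ports, and the disabled final input drop. Feed it the full export to see the same checks over the whole config.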
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Rate my config

Fri Jan 03, 2025 4:24 pm

  1. Suggest eliding the public key of the WireGuard peer from the config.
  2. In the LAN interface list, instead of ether4 you should reference the VLAN interfaces, because technically they become the L3 interfaces.
  3. Would you elaborate on the usage of the first three mangle rules?
  4. The last three mangle rules should be action=mark-routing, and in the last six you could change passthrough to no, because they're the last of their respective chains and marks that should be matched.
 
trintrin
just joined
Topic Author
Posts: 13
Joined: Thu Jul 11, 2024 2:15 pm

Re: Rate my config

Fri Jan 03, 2025 6:36 pm

From my thought process, the first 3 mangle rules are meant to bypass further mangle processing for traffic coming from the WAN side, or is this just dumb?
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Rate my config

Fri Jan 03, 2025 6:58 pm

I personally find them unnecessary because they don't have any relevant function. However, if you need to access resources that are in the subnets of the PPPoE interfaces, you could transform them to something like:
add action=accept chain=prerouting dst-address="PPPoE_1_subnet" in-interface-list=LAN
add action=accept chain=prerouting dst-address="PPPoE_2_subnet" in-interface-list=LAN
add action=accept chain=prerouting dst-address="PPPoE_3_subnet" in-interface-list=LAN
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate my config

Fri Jan 03, 2025 10:43 pm

I would not comment on a config without knowing the requirements:
a. identify all the devices/users, groups of users, external and internal users, including the admin
b. identify the traffic they all require
c. be sure to cover any port forwarding or VPN traffic
d. detail WAN setup: how many, type (static, dynamic, private, public IPs)
e. detail the desired functionality: load balancing, primary failover, etc.
f. detail any exceptions, be it for a single user, group of users, subnet, etc., in terms of traffic flow
 
Dartmaul
just joined
Posts: 13
Joined: Fri Jul 14, 2017 5:37 pm

Re: Rate my config

Fri Jan 03, 2025 11:25 pm

Hi.
As anav mentioned, it's pretty hard to comment on a config without context, as almost any configuration may make sense at some point.

However, a few things I've noticed:

1) add-default-route=yes for all pppoe-client entries with no metric change would result in ECMP. Probably a bad idea.
2) Some lines under /ip address are probably invalid.
3) dhcp-client on eth0, which isn't mentioned elsewhere. What's the purpose of that interface?
4) add interface=ether4 list=LAN doesn't really make much sense considering that eth4 is nesting VLANs but has no IP of its own.
4.1) add action=accept chain=input in-interface-list=LAN would effectively work only for wireguard (or the eth4 MAC server). Considering that it's followed by Drop All, it might be a potential lockout.
5) /ip firewall mangle add action=accept chain=prerouting in-interface=pppoe-out# are for counters?
6) add action=mark-connection chain=output connection-mark=wan - I don't really understand the purpose of those.
7) The whole bridge config and VLANs: looks like you've made a duplicate. On one hand you've created VLAN interfaces associated with eth4; on the other hand, you've put eth4 into the bridge and set VLANs there as well. Generally, you configure VLANs over the bridge while doing switch-like config, and per-interface while doing routing. Considering the rest of the config, the bridge (with all associated to it) should be deleted.
8) This PCC WAN balancing thing. It's doable, but if you have many client devices (looks like you do), it would be better to do src-addr based instead of both; that would ensure no wan-flap (imo).
Also, consider the fact that your default routes are interface-state aware (if pppoe goes down, the route does so as well), while your mangle rules are not, so in case of WAN failure your round-robin balancing would send traffic to a routing table with no valid route, thus making it return with "no route to host".
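To make point 8) and the last paragraph above concrete, here is an added Python model (not code from this thread, and not RouterOS's actual classifier hash: a CRC32 stands in for it, which is an assumption) of what per-connection-classifier=src-address:3/N does in the posted mangle rules: hash the chosen fields, divide by 3, and mark the connection according to the remainder. It shows that src-address pins each client to one WAN while both-addresses spreads the same client across WANs per destination, and that once one pppoe link (and with it its to-wanN route) is gone, roughly a third of new connections are still marked into the empty table, because the mangle rules carry no link-state check. The client and destination addresses are constructed.

```python
"""Model of PCC spreading over three WAN routing tables, and its blind spot.

Added example; not from the thread. The real RouterOS PCC hash is not
reproduced (assumption: any stable hash shows the same behaviour); what is
modelled is the denominator/remainder split and the fact that the mangle
rule does not know whether the chosen table still has a route.
"""
import ipaddress
import zlib

# Routing tables the three mark-routing rules in the posted config select
TABLES = ["to-wan1", "to-wan2", "to-wan3"]


def _stable_hash(*addrs):
    """Stand-in for the classifier hash (assumption, not RouterOS's algorithm)."""
    data = b"".join(ipaddress.ip_address(a).packed for a in addrs)
    return zlib.crc32(data)


def pcc_remainder(src, dst, classifier="src-address", denominator=3):
    """Remainder that 'per-connection-classifier=<classifier>:3/N' compares with N."""
    if classifier == "src-address":
        return _stable_hash(src) % denominator
    if classifier == "both-addresses":
        return _stable_hash(src, dst) % denominator
    raise ValueError(f"unsupported classifier {classifier}")


def choose_table(src, dst, classifier="src-address"):
    """Table a new connection src->dst is marked for (rules 3/0, 3/1, 3/2)."""
    return TABLES[pcc_remainder(src, dst, classifier)]


def tables_used_by_client(src, dsts, classifier):
    """Tables one client lands on across many destinations.
    src-address keeps a client on one WAN; both-addresses spreads it per destination."""
    return {choose_table(src, d, classifier) for d in dsts}


def unroutable_flows(clients, dsts, down_tables, classifier="src-address"):
    """(lost, total): flows marked for a table whose pppoe route has vanished.
    The route disappears with the interface, but the mangle rule keeps marking."""
    flows = [(s, d) for s in clients for d in dsts]
    lost = sum(1 for s, d in flows if choose_table(s, d, classifier) in down_tables)
    return lost, len(flows)


def sample_office_clients():
    """Constructed client set: every host of the Office VLAN in the posted config."""
    return [str(h) for h in ipaddress.ip_network("192.168.20.0/24").hosts()]


def sample_destinations(n=30):
    """Constructed destination addresses (TEST-NET-3, never routed on the internet)."""
    return [f"203.0.113.{i}" for i in range(1, n + 1)]


if __name__ == "__main__":
    office, sites = sample_office_clients(), sample_destinations()
    print("one client, src-address:   ", tables_used_by_client(office[0], sites, "src-address"))
    print("one client, both-addresses:", tables_used_by_client(office[0], sites, "both-addresses"))
    lost, total = unroutable_flows(office, sites, {"to-wan2"})
    print(f"with to-wan2 empty: {lost}/{total} new flows marked into a table with no route")
```

The takeaway for the config above: the check-gateway=ping on the routes only helps the route lookup; the mark-connection rules in prerouting keep handing a fixed share of new connections to whichever table matches the remainder, up or not.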
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Rate my config

Sat Jan 04, 2025 12:05 am

7) The whole bridge config and VLANs: looks like you've made a duplicate. On one hand you've created VLAN interfaces associated with eth4; on the other hand, you've put eth4 into the bridge and set VLANs there as well. Generally, you configure VLANs over the bridge while doing switch-like config, and per-interface while doing routing. Considering the rest of the config, the bridge (with all associated to it) should be deleted.
Maybe I'm blind, but last time I checked the VLAN configuration is mostly correct: the trunk port is added to a bridge, it is marked as a tagged port in the Bridge VLAN table entries (the bridge should also be a tagged member, but luckily ROS does it automatically), and the VLAN interfaces are running on top of the bridge and are referenced as the L3 interfaces, as it should be.
 
trintrin
just joined
Topic Author
Posts: 13
Joined: Thu Jul 11, 2024 2:15 pm

Re: Rate my config

Sat Jan 04, 2025 1:30 pm

I would not comment on a config without knowing the requirements:
a. identify all the devices/users, groups of users, external and internal users, including the admin
b. identify the traffic they all require
c. be sure to cover any port forwarding or VPN traffic
d. detail WAN setup: how many, type (static, dynamic, private, public IPs)
e. detail the desired functionality: load balancing, primary failover, etc.
f. detail any exceptions, be it for a single user, group of users, subnet, etc., in terms of traffic flow
This config is pretty much for a school environment.
A. Internal users are Staff (school staff and teachers), Students, Guests
- Staff members are expected to have their designated PC; some are connected with Ethernet and some are connected through Wi-Fi
- Students are planned to connect to the school Internet through Wi-Fi, but there is a public PC setup (which I think should be isolated from staff systems)
- Guests are just visitors and random people who want quick access to the internet (these people should be isolated and restricted on speed)
External users:
- I just have a VPN setup for an off-site admin to be able to do admin work, such as connecting to the router, etc.

B. Traffic based on designated user:
- Staff: we expect them to have access to the SMB share and to an internal HTTP server, and to browse the internet
- Students: we expect them to have no access to the SMB share and internal HTTP server, but they should be able to browse the internet
External traffic:
- VPN for off-site admin
- Port-forwarded

C. Needed port forwarding is
- port 8080 for an internal HTTP website
- port 2222 for SSH to the internal website (once again for remote admin, but they don't want the VPN option)

D. WAN Setup:
- WAN1: Dynamic IP
- WAN2: Dynamic IP
- WAN3: Dynamic IP
The config I posted is in a simulated CHR in Proxmox; it is a bit weird lol, I tried to simulate the conditions of an actual router that is in prod.

E. WAN functionality
- Load balancing: I want all traffic to be distributed across the 3 WANs for optimized bandwidth usage. I think PCC is the best option here, correct me if I'm wrong

F. Note,
I need the office staff PCs to be on a static IP due to scanning of the printer

Here is the updated configuration:
# 2025-01-04 12:05:19 by RouterOS 7.16.2
# software id = 
#
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=test_ppp1
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether2 name=pppoe-out2 user=test_ppp2
add add-default-route=yes default-route-distance=3 disabled=no interface=\
    ether1 name=pppoe-out3 user=test_ppp3
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
add interface=bridge1 name=Office vlan-id=20
add interface=bridge1 name=PublicPC vlan-id=30
add interface=bridge1 name=PublicWIFI vlan-id=60
add interface=bridge1 name=Server vlan-id=10
add interface=bridge1 name=StaffWIFI vlan-id=40
add interface=bridge1 name=StudentsWIFI vlan-id=50
/interface list
add name=LAN
add name=WAN
/ip pool
add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool1 ranges=192.168.20.10-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.60.2-192.168.61.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool6 ranges=192.168.50.2-192.168.50.254
/routing table
add disabled=no fib name=cloud
add disabled=no fib name=to-wan1
add disabled=no fib name=to-wan2
add disabled=no fib name=to-wan3
/interface bridge port
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=MGMT list=LAN
add interface=Office list=LAN
add interface=PublicPC list=LAN
add interface=PublicWIFI list=LAN
add interface=Server list=LAN
add interface=StaffWIFI list=LAN
add interface=StudentsWIFI list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.32.2/32 interface=wireguard1 name=peer1 \
    public-key="WBKN9fZA/5+zwSzSa21PN50QigvzHzmsFbtMqhnCsiY="
/ip address
add address=192.168.99.1/24 interface=MGMT network=192.168.99.0
add address=192.168.20.1/24 interface=Office network=192.168.20.0
add address=192.168.30.1/24 interface=PublicPC network=192.168.30.0
add address=192.168.60.1/23 interface=PublicWIFI network=192.168.60.0
add address=192.168.10.1/24 interface=Server network=192.168.10.0
add address=192.168.40.1/24 interface=StaffWIFI network=192.168.40.0
add address=192.168.50.1/24 interface=StudentsWIFI network=192.168.50.0
add address=192.168.32.1/24 interface=wireguard1 network=192.168.32.0
/ip dhcp-server
add address-pool=dhcp_pool0 interface=MGMT name=dhcp1
add address-pool=dhcp_pool1 interface=Office name=dhcp2
add address-pool=dhcp_pool2 interface=PublicPC name=dhcp3
add address-pool=dhcp_pool3 interface=PublicWIFI name=dhcp4
add address-pool=dhcp_pool4 interface=Server name=dhcp5
add address-pool=dhcp_pool5 interface=StaffWIFI name=dhcp6
add address-pool=dhcp_pool6 interface=StudentsWIFI name=dhcp7
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/23 gateway=192.168.60.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip firewall address-list
add address=cloud.mikrotik.com list=mikrotik-cloud
add address=cloud2.mikrotik.com list=mikrotik-cloud
add address=dnnsname list=wan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All" disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=mikrotik-cloud \
    new-routing-mark=cloud passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan1_conn passthrough=yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan2_conn passthrough=yes per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan3_conn passthrough=yes per-connection-classifier=src-address:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=to-wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=to-wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
    new-routing-mark=to-wan3 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp src-address-list=\
    wan to-addresses=192.168.10.2 to-ports=8080
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=cloud \
    suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-table=cloud scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 \
    routing-table=cloud scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 routing-table=to-wan1 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out2 routing-table=to-wan2 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out3 routing-table=to-wan3 scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user settings
set minimum-categories=2 minimum-password-length=8
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Rate my config

Sat Jan 04, 2025 3:02 pm

A. OK
B. and C. The port forwarding and the VPN would be a bit tricky if you don't have public IPs, and on top of that there were some issues between WireGuard and mangle, I think
D. Shouldn't the third PPPoE client be on ether3, judging by the mangle rules?
E. The output mark-routing rules were a good idea; IMO it would be better to return them. Also, I would wait for @anav to comment on the situation with WireGuard and mangle
F. That could be done with the help of static leases
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate my config

Sat Jan 04, 2025 4:06 pm

Some clarification required.

f. Is it one office PC that needs to be static, or one printer that needs to be static?
And the reason given doesn't make sense: 'due to scanning of printer'.
Do you mean the printer is also a scanner?
Do you mean the printer initiates a search?
Do you mean the printer needs to talk to the office PC (most likely)?
Why would the office PC change IPs? But the easy fix is simply to go to DHCP leases for that LAN and make it a static fixed lease.

c. Clarify: is the HTTP server (for staff only) accessed only at school, or also by staff when at home, etc.?
I note that this server is NOT HTTPS and thus not very secure and shouldn't be open to the WWW.
Depending on the answers, it would be better for staff to VPN into the school and then access the server from behind the router.
In any case, I will assume WireGuard comes in on WAN1...

Until we get that clarity, a quick review...
I like the fact that you have separated out all the main entities: staff wifi, guest wifi, student wifi, public PC, Office, server subnet, management VLAN.
If you have any managed switches in your setup they should be noted as well.
They all should get an IP address from the management VLAN.
You will need to control the routing manually and thus remove the default-route=yes from the pppoe configurations.
Added a TRUSTED interface list and a source address list identifying admins, for access to the router (input chain).
Fixed list members.

What router is it that you will have for real, aka how many ports?
I typically recommend taking one port off the bridge and using that as a safe space to do all the configuration.

This config is WITHOUT PORT FORWARDING, as an HTTP server to internal resources is not a secure method.
Once this is working properly I would add BTH for external access by staff.

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=etherXX ] name=OffBridgeXX
/interface pppoe-client
add add-default-route=no disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=test_ppp1
add add-default-route=no disabled=no interface=\
ether2 name=pppoe-out2 user=test_ppp2
add add-default-route=no disabled=no interface=\
ether3 name=pppoe-out3 user=test_ppp3
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1 name=Server vlan-id=10
add interface=bridge1 name=Office vlan-id=20
add interface=bridge1 name=PublicPC vlan-id=30
add interface=bridge1 name=StaffWIFI vlan-id=40
add interface=bridge1 name=StudentsWIFI vlan-id=50
add interface=bridge1 name=PublicWIFI vlan-id=60
add interface=bridge1 name=MGMT vlan-id=99
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
add name=ADMIN
add name=Connected comment="list referenced by the Connected members and the mangle accept rule below"
/ip pool
add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool1 ranges=192.168.20.10-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.60.2-192.168.61.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool6 ranges=192.168.50.2-192.168.50.254
/routing table
add disabled=no fib name=to-wan1
add disabled=no fib name=to-wan2
add disabled=no fib name=to-wan3
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4 comment="trunk to switch"
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add interface=pppoe-out1 list=WAN
add interface=pppoe-out2 list=WAN
add interface=pppoe-out3 list=WAN
add interface=MGMT list=LAN
add interface=Office list=LAN
add interface=PublicPC list=LAN
add interface=PublicWIFI list=LAN
add interface=Server list=LAN
add interface=StaffWIFI list=LAN
add interface=StudentsWIFI list=LAN
add interface=wireguard1 list=LAN
add interface=OffBridgeXX list=LAN
add interface=StaffWIFI list=ADMIN comment="interface used in firewall rule to allow staff to local server"
add interface=Office list=ADMIN
add interface=MGMT list=TRUSTED comment="interface used in firewall rules to allow admin to all"
add interface=wireguard1 list=TRUSTED
add interface=OffBridgeXX list=TRUSTED
add interface=StaffWIFI list=Connected comment="interface used in mangle rule to allow local traffic not to be PCCd"
add interface=Office list=Connected
add interface=MGMT list=Connected
add interface=wireguard1 list=Connected
add interface=OffBridgeXX list=Connected
add interface=Server list=Connected
/interface wireguard peers
add allowed-address=192.168.32.2/32 interface=wireguard1 name=peer1 public-key="===" comment="remote admin laptop"
add allowed-address=192.168.32.3/32 interface=wireguard1 name=peer2 public-key="===" comment="remote admin ipad/smartphone"
/ip address
add address=192.168.10.1/24 interface=Server network=192.168.10.0
add address=192.168.20.1/24 interface=Office network=192.168.20.0
add address=192.168.30.1/24 interface=PublicPC network=192.168.30.0
add address=192.168.40.1/24 interface=StaffWIFI network=192.168.40.0
add address=192.168.50.1/24 interface=StudentsWIFI network=192.168.50.0
add address=192.168.60.1/23 interface=PublicWIFI network=192.168.60.0
add address=192.168.99.1/24 interface=MGMT network=192.168.99.0
add address=192.168.32.1/24 interface=wireguard1 network=192.168.32.0
add address=192.168.92.1/30 interface=OffBridgeXX network=192.168.92.0
/ip dhcp-server
add address-pool=dhcp_pool0 interface=MGMT name=dhcp1
add address-pool=dhcp_pool1 interface=Office name=dhcp2
add address-pool=dhcp_pool2 interface=PublicPC name=dhcp3
add address-pool=dhcp_pool3 interface=PublicWIFI name=dhcp4
add address-pool=dhcp_pool4 interface=Server name=dhcp5
add address-pool=dhcp_pool5 interface=StaffWIFI name=dhcp6
add address-pool=dhcp_pool6 interface=StudentsWIFI name=dhcp7
/ip dns
set allow-remote servers=1.1.1.1
/ip dns static
add address=192.168.73.5 regexp="(^|www\\.)schoolweb\\.com\$" ttl=5m
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/23 gateway=192.168.60.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip firewall address-list
add address=192.168.32.2 list=Authorized comment="admin remote laptop"
add address=192.168.32.3 list=Authorized comment="admin remote smartphone/ipad"
add address=192.168.99.A list=Authorized comment="admin local desktop"
add address=192.168.99.B list=Authorized comment="admin local portable device"
add address=192.168.92.2 list=Authorized comment="OffBridge access"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { add as last rule }
++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="staff to server" in-interface-list=ADMIN dst-address=IPofServer
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="admin access" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="staff to printer" in-interface-list=ADMIN dst-address=IP-printer
add action=accept chain=forward comment="printer to pc" in-interface=VLANofPrinter src-address=IP-printer out-interface=VLANofpc dst-address=IP-pc
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
# mangle rules to ensure traffic to the router itself on each WAN goes back out the same WAN
add chain=input action=mark-connection in-interface=pppoe-out1 connection-mark=no-mark \
new-connection-mark=incomingWAN1 passthrough=yes
add chain=input action=mark-connection in-interface=pppoe-out2 connection-mark=no-mark \
new-connection-mark=incomingWAN2 passthrough=yes
add chain=input action=mark-connection in-interface=pppoe-out3 connection-mark=no-mark \
new-connection-mark=incomingWAN3 passthrough=yes
add chain=output action=mark-routing connection-mark=incomingWAN1 \
new-routing-mark=to-wan1 passthrough=no
add chain=output action=mark-routing connection-mark=incomingWAN2 \
new-routing-mark=to-wan2 passthrough=no
add chain=output action=mark-routing connection-mark=incomingWAN3 \
new-routing-mark=to-wan3 passthrough=no
# mangle rule to allow necessary local traffic to occur without being PCC'd
add chain=prerouting action=accept in-interface-list=Connected out-interface-list=Connected
# mangle rules for PCC
add chain=forward action=mark-connection connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
wan1_conn passthrough=yes per-connection-classifier=src-address:3/0
add chain=forward action=mark-connection connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
wan2_conn passthrough=yes per-connection-classifier=src-address:3/1
add chain=forward action=mark-connection connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=\
wan3_conn passthrough=yes per-connection-classifier=src-address:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
new-routing-mark=to-wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
new-routing-mark=to-wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
new-routing-mark=to-wan3 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pppoe-out3
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# main table routes
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add distance=1 dst-address=1.0.0.1/32 gateway=pppoe-out1 routing-table=main scope=10 target-scope=11 comment="WAN one"
add distance=2 dst-address=8.8.8.8/32 gateway=pppoe-out2 routing-table=main scope=10 target-scope=11 comment="WAN two"
add distance=3 dst-address=9.9.9.9/32 gateway=pppoe-out3 routing-table=main scope=10 target-scope=11 comment="WAN three"
# special routes
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to-wan1 comment="WAN1 up"
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=to-wan1 comment="WAN1 down WAN2 up"
add distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-table=to-wan1 comment="WAN1 WAN2 down WAN3 up"
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=to-wan2 comment="WAN2 up"
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to-wan2 comment="WAN2 down WAN1 up"
add distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-table=to-wan2 comment="WAN2 WAN1 down WAN3 up"
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-table=to-wan3 comment="WAN3 up"
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to-wan3 comment="WAN3 down WAN1 up"
add distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=to-wan3 comment="WAN3 WAN1 down WAN2 up"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Last edited by anav on Sun Jan 05, 2025 3:44 am, edited 3 times in total.
 
trintrin
just joined
Topic Author
Posts: 13
Joined: Thu Jul 11, 2024 2:15 pm

Re: Rate my config

Sat Jan 04, 2025 5:32 pm

D. Shouldn't the third PPPoE client be on ether3 judging by the mangle rules?
Yeah, I didn't see that.
Some clarification required.

f. Is it one office PC that needs to be static or one printer that needs to be static?
And the reason given doesn't make sense, 'due to scanning of printer'.
Do you mean the printer is also a scanner?
Do you mean the printer initiates a search??
Do you mean the printer needs to talk to the office PC (most likely)?
Why would the office PC change IPs? But the easy fix is simply to go to DHCP leases for that LAN and make it a static fixed lease.

c. Clarify: is the HTTP server (for staff only) accessed only at school or also by staff when at home, etc.?
I note that this server is NOT HTTPS and thus not very secure and shouldn't be open to the WWW.
Depending on the answers it would be better for staff to VPN into the school and then access the server from behind the router.
f. The office PC needs to be static, while the printer is already static by itself. Yeah, the printer I am referring to is a device that is able to scan and print, but the reason we need the office PC to have a static lease is due to the fact that the printer needs to talk to the office PC.

c. They should be able to access it both at school and at home. IDK why the previous admin had it set up only via HTTP. I wish I could have the staff on a VPN, but is there a way where they don't have to download WireGuard and bla bla... to access it? Apparently, people just hate changes to their workflow. And this is why I prefer to just leave it open, or is this a bad idea? Anything I can do?
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate my config

Sat Jan 04, 2025 7:05 pm

Well, from a security perspective HTTP is a very bad idea, in that at some point you have to log in...... then you probably have a simple username and password login, which in 2025 is not the way to go.
So it depends on whether you have third-party authentication etc........... How that is done is the key.

???? I see port forwarding for the web server, but don't see anything for an SMB share; is that a hard drive they should be able to access remotely as well?????


I have realized that the BTH methodology for easy distribution is the way to go for a group of wireguard users.
I would keep the current wireguard interface solely for the admin.
I would add a second BTH driven wireguard but only for the purposes of being able to access the server.
If this interests you then it can be broached. It consists of creating the first connection on your smartphone, and then you can easily distribute to all the users.

a. they need to have the BTH app on their smartphone/ipad
and/or
b. have standard wireguard app on laptop or PC
and/or
c. have standard wireguard app on apple laptop.

So they have to load up the software and then do an easy import of a file you send them.
( URL link, QR code, input config file etc. )
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate my config

Sat Jan 04, 2025 7:07 pm

Really, for proper security they can OPT IN, and in a few easy steps compared to all other methods have access to the internal school info while at home, or NOT and have to go to school to access it.

What router is it that you will have for real (model, firmware)............ how many ports?

What is ether4 connected to???
 
trintrin
just joined
Topic Author
Posts: 13
Joined: Thu Jul 11, 2024 2:15 pm

Re: Rate my config

Sat Jan 04, 2025 7:50 pm

I see port forwarding for the web server, but don't see anything for an SMB share; is that a hard drive they should be able to access remotely as well?????
I know, right? The webpage was sadly not made by me; it was made a while ago, even before I joined the team.
Really, for proper security they can OPT IN, and in a few easy steps compared to all other methods have access to the internal school info while at home, or NOT and have to go to school to access it.

What router is it that you will have for real (model, firmware)............ how many ports?

What is ether4 connected to???
CCR1036-12G-4S, 12 Ethernet ports, 4 SFP.

ether4 is connected to the LAN.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate my config

Sat Jan 04, 2025 9:37 pm

What do you mean, ether4 is connected to LAN? One port serves the whole school, every cable spliced off a single cable???
Or is LAN a brand name for a managed switch??
 
Dartmaul
just joined
Posts: 13
Joined: Fri Jul 14, 2017 5:37 pm

Re: Rate my config

Sun Jan 05, 2025 12:25 am

Maybe I'm blind, but last time I checked the VLAN configuration is mostly correct: the trunk port is added to a bridge, it is marked as a tagged port in the Bridge VLAN table entries (the bridge should also be a tagged member, but luckily ROS does it automatically) and the VLAN interfaces are running on top of the bridge and are referenced as the L3 interfaces, as they should be.
A bridge is required for switching, i.e. if you have multiple ports attached to it which share the same VLAN. In this case, when there is just one single interface running VLANs, you can just attach the VLAN interfaces directly to ether4.
I mean it will work either way, but in this case the bridge part looks excessive to me.
Here is the updated configuration:
# 2025-01-04 12:05:19 by RouterOS 7.16.2
# software id = 
#
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=test_ppp1
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether2 name=pppoe-out2 user=test_ppp2
add add-default-route=yes default-route-distance=3 disabled=no interface=\
    ether1 name=pppoe-out3 user=test_ppp3
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
add interface=bridge1 name=Office vlan-id=20
add interface=bridge1 name=PublicPC vlan-id=30
add interface=bridge1 name=PublicWIFI vlan-id=60
add interface=bridge1 name=Server vlan-id=10
add interface=bridge1 name=StaffWIFI vlan-id=40
add interface=bridge1 name=StudentsWIFI vlan-id=50
/interface list
add name=LAN
add name=WAN
/ip pool
add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool1 ranges=192.168.20.10-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.60.2-192.168.61.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool6 ranges=192.168.50.2-192.168.50.254
/routing table
add disabled=no fib name=cloud
add disabled=no fib name=to-wan1
add disabled=no fib name=to-wan2
add disabled=no fib name=to-wan3
/interface bridge port
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=MGMT list=LAN
add interface=Office list=LAN
add interface=PublicPC list=LAN
add interface=PublicWIFI list=LAN
add interface=Server list=LAN
add interface=StaffWIFI list=LAN
add interface=StudentsWIFI list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.32.2/32 interface=wireguard1 name=peer1 \
    public-key="WBKN9fZA/5+zwSzSa21PN50QigvzHzmsFbtMqhnCsiY="
/ip address
add address=192.168.99.1/24 interface=MGMT network=192.168.99.0
add address=192.168.20.1/24 interface=Office network=192.168.20.0
add address=192.168.30.1/24 interface=PublicPC network=192.168.30.0
add address=192.168.60.1/23 interface=PublicWIFI network=192.168.60.0
add address=192.168.10.1/24 interface=Server network=192.168.10.0
add address=192.168.40.1/24 interface=StaffWIFI network=192.168.40.0
add address=192.168.50.1/24 interface=StudentsWIFI network=192.168.50.0
add address=192.168.32.1/24 interface=wireguard1 network=192.168.32.0
/ip dhcp-server
add address-pool=dhcp_pool0 interface=MGMT name=dhcp1
add address-pool=dhcp_pool1 interface=Office name=dhcp2
add address-pool=dhcp_pool2 interface=PublicPC name=dhcp3
add address-pool=dhcp_pool3 interface=PublicWIFI name=dhcp4
add address-pool=dhcp_pool4 interface=Server name=dhcp5
add address-pool=dhcp_pool5 interface=StaffWIFI name=dhcp6
add address-pool=dhcp_pool6 interface=StudentsWIFI name=dhcp7
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/23 gateway=192.168.60.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip firewall address-list
add address=cloud.mikrotik.com list=mikrotik-cloud
add address=cloud2.mikrotik.com list=mikrotik-cloud
add address=dnnsname list=wan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All" disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=mikrotik-cloud \
    new-routing-mark=cloud passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan1_conn passthrough=yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan2_conn passthrough=yes per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan3_conn passthrough=yes per-connection-classifier=src-address:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=to-wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=to-wan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan3_conn \
    new-routing-mark=to-wan3 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp src-address-list=\
    wan to-addresses=192.168.10.2 to-ports=8080
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=cloud \
    suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-table=cloud scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 \
    routing-table=cloud scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 routing-table=to-wan1 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out2 routing-table=to-wan2 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out3 routing-table=to-wan3 scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user settings
set minimum-categories=2 minimum-password-length=8

/tool mac-server mac-winbox set allowed-interface-list=LAN looks like a security concern, considering all user VLANs are inside the "LAN" list. I'd rather disable it completely.

Another comment concerning routing:
Since the mangle rules are in the prerouting chain, it practically makes local routing unavailable: let's say some device from Office vlan-id=20 tries to connect to something behind Server vlan-id=10.
Your router would just blindly put all the traffic into the to-wan# table, where only a default route is present, so all your locally-destined traffic would go straight to the ISP.
Perhaps you misunderstood the "dst-address-type=!local" part, as it accounts only for the router's own IPs, not directly connected networks.
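As an added example (my own code, not from this thread or from MikroTik), here is a small Python linter for a RouterOS 7 export that mechanically checks the points raised so far: two PPPoE clients bound to the same port, the input chain's catch-all drop being disabled next to a blanket accept from the LAN list, an inventory of dst-nat exposures, MAC-WinBox allowed on a broad interface list, and a PCC mark-connection rule in prerouting with nothing earlier that exempts inter-VLAN traffic. The sample export is a constructed excerpt of the lines quoted above; the finding codes and the "earlier prerouting accept" heuristic are assumptions of this example, not RouterOS terminology.

```python
"""Lint a RouterOS 7 export for the issues discussed in this thread.

Added example, not code from the thread or from MikroTik.  SAMPLE_EXPORT is a
constructed excerpt of the config quoted above; the finding codes (PPPOE-DUP,
INPUT-NO-DROP, ...) are assumptions of this example.
"""
import re
import shlex

SAMPLE_EXPORT = r"""
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=test_ppp1
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    ether2 name=pppoe-out2 user=test_ppp2
add add-default-route=yes default-route-distance=3 disabled=no interface=\
    ether1 name=pppoe-out3 user=test_ppp3
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All" disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    wan1_conn passthrough=yes per-connection-classifier=src-address:3/0
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp src-address-list=\
    wan to-addresses=192.168.10.2 to-ports=8080
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""

# Keys that do not narrow what a rule matches.
MATCHERS_IGNORED = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Parse an export into (section, verb, params) triples.

    The export breaks long commands with a trailing backslash, sometimes in the
    middle of a key=value pair ("interface=\\" + newline + "    ether2"), so
    continuation lines are joined before tokenising.  shlex handles the quoted
    values such as comment="Drop All".
    """
    joined = re.sub(r"\\\n\s*", "", text)
    section, entries = None, []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        params = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            params[key] = value  # flags without "=" keep an empty value
        entries.append((section, tokens[0], params))
    return entries


def lint(entries):
    findings = []

    # 1. Two PPPoE clients on one physical port (the thread's "should be on ether3").
    by_port = {}
    for section, verb, p in entries:
        if section == "/interface pppoe-client" and verb == "add":
            by_port.setdefault(p.get("interface"), []).append(p.get("name"))
    for port, names in by_port.items():
        if len(names) > 1:
            findings.append(f"PPPOE-DUP: {', '.join(names)} are all bound to {port}")

    # 2. Input chain: an enabled catch-all drop must exist; a bare accept from a
    #    whole interface list opens every router service to that list.
    inp = [p for s, v, p in entries
           if s == "/ip firewall filter" and v == "add" and p.get("chain") == "input"]
    if not any(p.get("action") == "drop" and p.get("disabled") != "yes"
               and not (set(p) - MATCHERS_IGNORED) for p in inp):
        findings.append("INPUT-NO-DROP: input chain has no enabled catch-all drop rule")
    for p in inp:
        if p.get("action") == "accept" and set(p) - MATCHERS_IGNORED == {"in-interface-list"}:
            findings.append("INPUT-WIDE-ACCEPT: every router service is reachable "
                            f"from interface list {p['in-interface-list']}")

    # 3. Inventory of dst-nat exposures and whether a source restriction applies.
    for s, v, p in entries:
        if s == "/ip firewall nat" and p.get("action") == "dst-nat":
            scope = (f"only from src-address-list={p['src-address-list']}"
                     if "src-address-list" in p else "from any source")
            findings.append(f"DSTNAT: {p.get('protocol', 'any')}/{p.get('dst-port', 'any')} -> "
                            f"{p.get('to-addresses')}:{p.get('to-ports', 'same')} {scope}")

    # 4. MAC-WinBox is WinBox over raw Ethernet; /ip firewall filter does not see it,
    #    so allowed-interface-list is the only thing limiting who can reach it.
    for s, v, p in entries:
        if s == "/tool mac-server mac-winbox" and p.get("allowed-interface-list", "none") != "none":
            findings.append(f"MAC-WINBOX: allowed on interface list {p['allowed-interface-list']}")

    # 5. PCC marking in prerouting with no earlier accept that exempts inter-VLAN traffic.
    #    dst-address-type=!local only excludes the router's own addresses, so a packet
    #    from Office to Server still receives a wanN_conn mark and a to-wanN routing mark.
    mangle = [p for s, v, p in entries if s == "/ip firewall mangle" and v == "add"]
    for i, p in enumerate(mangle):
        if p.get("chain") == "prerouting" and "per-connection-classifier" in p:
            if not any(q.get("chain") == "prerouting" and q.get("action") == "accept"
                       for q in mangle[:i]):
                findings.append(f"PCC-LOCAL: {p.get('new-connection-mark')} is applied to "
                                "inter-VLAN traffic (no earlier prerouting accept rule)")
            break
    return findings


def lint_export(text):
    return lint(parse_export(text))


if __name__ == "__main__":
    for finding in lint_export(SAMPLE_EXPORT):
        print(finding)
```

Run it against a full `/export` and the PPPOE-DUP, INPUT-NO-DROP and MAC-WINBOX findings disappear once the third PPPoE client moves to ether3, the "Drop All" rule is enabled and `allowed-interface-list=none` is set; the PCC-LOCAL check is deliberately crude (it only looks for any earlier prerouting accept), so treat it as a prompt to look at the mangle order, not as proof.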
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate my config

Sun Jan 05, 2025 3:40 am

Note the config added in post #10. Look at the entire config first, then go line by line and write down any questions you have for posting.

I am not 100% sure of the syntax for the IP static DNS...
The idea being that anyone putting www.schoolweb.com in their browser would get directed to the server.

The failover for the routes is standard recursive: WAN1 is primary, secondary is WAN2 and tertiary is WAN3, and we provide a basic failover for the special routes:
if WAN1 is down, users getting WAN1 in PCC will get redirected to use WAN2, and if not available WAN3
if WAN2 is down, users getting WAN2 in PCC will get redirected to use WAN1, and if not available WAN3
if WAN3 is down, users getting WAN3 in PCC will get redirected to use WAN1, and if not available WAN2

You can make it more complex by breaking up the PCC into 1/6 and having 6 rules to mark connections, but that's a leap too far at this point.
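To make that failover table checkable rather than just stated, here is an added Python model (my own example, not code from the thread or from MikroTik) of how RouterOS picks the active route in each to-wanN table from the "special routes" posted earlier: among routes whose gateway interface is up, and, where check-gateway=ping is set, whose gateway answers pings, the lowest distance wins. The route list is transcribed from that config; the link and ping states are constructed inputs. It also enumerates the case the prose does not mention: the distance-3 fallbacks carry no check-gateway, so a WAN whose PPPoE session is up but whose upstream is dead is still selected as the last resort.

```python
"""Model of RouterOS active-route selection for the to-wanN tables in the thread.

Added example, not code from the thread or from MikroTik.  ROUTES is transcribed
from the "special routes" in the config posted earlier; the link and ping states
passed to the functions are constructed inputs.
"""
from itertools import product

# (routing-table, distance, gateway interface, has check-gateway=ping)
ROUTES = [
    ("to-wan1", 1, "pppoe-out1", True), ("to-wan1", 2, "pppoe-out2", True), ("to-wan1", 3, "pppoe-out3", False),
    ("to-wan2", 1, "pppoe-out2", True), ("to-wan2", 2, "pppoe-out1", True), ("to-wan2", 3, "pppoe-out3", False),
    ("to-wan3", 1, "pppoe-out3", True), ("to-wan3", 2, "pppoe-out1", True), ("to-wan3", 3, "pppoe-out2", False),
]
WANS = ("pppoe-out1", "pppoe-out2", "pppoe-out3")
TABLES = ("to-wan1", "to-wan2", "to-wan3")


def active_gateway(table, link_up, ping_ok):
    """Return the gateway RouterOS would use for `table`, or None if nothing is active.

    A route is inactive when its gateway interface is down; with check-gateway=ping
    it is additionally inactive when the gateway stops answering.  Among the
    remaining routes the lowest distance wins.
    """
    for _, _, gw, check in sorted(r for r in ROUTES if r[0] == table):
        if not link_up[gw]:
            continue
        if check and not ping_ok[gw]:
            continue
        return gw
    return None


def failover_matrix(link_up, ping_ok):
    """Map each PCC bucket's routing table to the WAN its traffic actually leaves on."""
    return {t: active_gateway(t, link_up, ping_ok) for t in TABLES}


def blackhole_cases():
    """Enumerate every link/ping state in which a table selects a WAN that is up but not
    answering pings, i.e. traffic is sent into a dead upstream.  Only the distance-3
    routes (no check-gateway) can produce this."""
    cases = []
    for link in product([True, False], repeat=3):
        for ping in product([True, False], repeat=3):
            link_up, ping_ok = dict(zip(WANS, link)), dict(zip(WANS, ping))
            for table, gw in failover_matrix(link_up, ping_ok).items():
                if gw is not None and not ping_ok[gw]:
                    cases.append((table, gw, link_up, ping_ok))
    return cases


if __name__ == "__main__":
    all_up = dict.fromkeys(WANS, True)
    print("all up:      ", failover_matrix(all_up, all_up))
    print("WAN1 down:   ", failover_matrix({**all_up, "pppoe-out1": False}, all_up))
    print("WAN1+2 dead, WAN3 up but silent:",
          failover_matrix(all_up, {**all_up, "pppoe-out1": False, "pppoe-out2": False, "pppoe-out3": False}))
    print(len(blackhole_cases()), "states route into a non-responding WAN")
```

The third print is the caveat in practice: with WAN1 and WAN2 failing their ping checks and WAN3's session up but its upstream dead, to-wan1 still resolves to pppoe-out3 because that route has no check-gateway. Adding check-gateway=ping to the distance-3 routes makes every table go to "no route" in that state instead, which is at least visible.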
 
trintrin
just joined
Topic Author
Posts: 13
Joined: Thu Jul 11, 2024 2:15 pm

Re: Rate my config

Sun Jan 05, 2025 9:17 am

What do you mean, ether4 is connected to LAN? One port serves the whole school, every cable spliced off a single cable???
Or is LAN a brand name for a managed switch??
ether4 is connected to a managed switch, or is this not ideal because the school relies on only one connection, and it is 1 gig?

Btw I want to use the provided cloud DDNS of MikroTik to access stuff.

We have UniFi APs and a self-hosted UniFi controller; do both of them have to be in the same VLAN? Can it be in the MGMT VLAN? Or any other solution?

I don't think it is possible to allow local traffic not to be PCC'd, because the outgoing interface and the input interface are the same. Or am I just dumb?

I also have a question regarding routes: when I put in
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=cloud scope=30 suppress-hw-offload=no target-scope=10
with a check-gateway of ping, it seems to just go unreachable.
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Rate my config

Sun Jan 05, 2025 3:27 pm

I also have a question for @anav regarding PCC: shouldn't the PCC part of the mangling take place in the prerouting chain instead of the forward one, since routing decisions are taken after prerouting and before forward?
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Rate my config

Sun Jan 05, 2025 3:37 pm

A bridge is required for switching, i.e. if you have multiple ports attached to it which share the same VLAN. In this case, when there is just one single interface running VLANs, you can just attach the VLAN interfaces directly to ether4.
I mean it will work either way, but in this case the bridge part looks excessive to me.
Ever heard of hardware offloading?
Another comment concerning routing:
Since the mangle rules are in the prerouting chain, it practically makes local routing unavailable: let's say some device from Office vlan-id=20 tries to connect to something behind Server vlan-id=10.
Your router would just blindly put all the traffic into the to-wan# table, where only a default route is present, so all your locally-destined traffic would go straight to the ISP.
Perhaps you misunderstood the "dst-address-type=!local" part, as it accounts only for the router's own IPs, not directly connected networks.
The IPs which should partake in the PCC are the router's own IPs, and they represent the networks (after all, they're not /32) since they're configured on its interfaces.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Rate my config

Sun Jan 05, 2025 3:58 pm

Hi Cat,
Sort of; note that one should be accurate when possible, and for example for traffic to the router we don't even use prerouting --> input chain and output chain.
PCC traffic is coming from the LAN, marking connections (forward chain).
The mark-routing is, YES, the prerouting chain.

Similar to traffic to servers from external sources:
the traffic is forward chain for marking purposes (accurate description of the traffic),
the mark-routing is, YES, the prerouting chain.