I've searched and found a few posts on here and followed suggestions (I'll list what I've tried below) but I cannot for the life of me get dual WAN working as I want.
I have 2 WAN devices, one is a mikrotik SXT in LTE Passthrough mode (eth1-LTE) and then a starlink in bypass mode (eth5-STARLINK). Now they both give an ip address correctly to the dhcp_client on my hAP ax^3.
From winbox, I can ping and tracert, specifying either interface and I can see the response I expect, each interface works fine, great.
However, when I try to mark a specific mac address on my lan to use a specific connection, I cannot get it to work, it gets no traffic at all (in the example it's the device commented "[STARLINK-MARK] S24". If I look in connections list I can see the traffic has the right connection mark and in my mangle I set routing mark based on connection mark.
But no connections get established in that instance.
What I've tried?
Changed dhcp_client to add default route yes/no
Setup a script (you'll see in config) to change gw when dhcp_client gets an address
Tried to set gw in the route to include interface (i.e 10.30.11.23%eth5-STARLINK)
Changed priority of route (when default route added) to be higher than the static I've added.
In the example script below, all traffic is now going through the LTE interface fine, but I can't get it to send anything over the starlink one, unless I disable the eth1-LTE interface completely and all references and then it works on STARLINK).
Please can someone have a look and let me know what I'm doing wrong?
Thank you
Code: Select all
/interface bridge
add admin-mac=DXXXXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="[LTE PoE]" name=eth1-LTE
set [ find default-name=ether2 ] comment="[LAN]" name=eth2-LAN
set [ find default-name=ether4 ] comment="[SXT Mgmt]" name=eth4-SXT
set [ find default-name=ether5 ] comment="[STARLINK]" name=eth5-STARLINK
set [ find default-name=ether3 ] disabled=yes
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40mhz comment="2Ghz WIfi" configuration.mode=ap \
.ssid="Mikro Space Princess" disabled=no name=wifi2Ghz \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40/80mhz comment="5Ghz Wifi" configuration.mode=ap \
.ssid="Mikro Space Princess" disabled=no name=wifi5Ghz \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add datapath.client-isolation=yes disabled=no name=guestWifiCfg \
security.authentication-types=wpa2-psk ssid="Guest Space Princess"
/interface wifi
add comment="[Guest Wifi 2Ghz]" configuration=guestWifiCfg \
configuration.mode=ap disabled=no mac-address=Dxxxxxxxxxxxxx\
master-interface=wifi2Ghz name=guest2Ghz
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.74.100-192.168.74.200
add name=guest_pool ranges=192.168.75.100-192.168.75.125
add name=pool2 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp_pool1 comment="[Bridge DHCP]" interface=bridge \
lease-time=10m name=dhcpBridge
add address-pool=pool2 interface=guest2Ghz name=dhcp2
/routing table
add disabled=no fib name=ROUTE_STAR
add disabled=no fib name=ROUTE_LTE
/interface bridge port
add bridge=bridge comment=defconf interface=eth2-LAN
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=eth4-SXT
add bridge=bridge comment=defconf interface=wifi5Ghz
add bridge=bridge comment=defconf interface=wifi2Ghz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=eth1-LTE list=WAN
add interface=eth5-STARLINK list=WAN
/ip address
add address=192.168.74.1/24 comment=defconf interface=bridge network=\
192.168.74.0
add address=192.168.99.1/24 interface=guest2Ghz network=192.168.99.0
/ip dhcp-client
add comment=defconf interface=eth1-LTE
add add-default-route=no comment=STARLINK interface=eth5-STARLINK script=":if \
(\$bound=1) do={\
\n:local gw \$\"gateway-address\"\
\n/ip route set [ find comment=\"[STARLINK]\" gateway!=\$gw ] gateway=\$gw\
\n}" use-peer-dns=no
/ip dhcp-server network
add address=192.168.74.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 \
gateway=192.168.74.1
add address=192.168.99.0/24 dns-server=1.1.1.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.74.100-192.168.74.200 comment="[DHCP]" list=DHCP
add address=192.168.99.2-192.168.99.254 list="Guest WiFi"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="[FWD] Nautilus" \
src-mac-address=XXXXXXXXXXXX
add action=accept chain=forward comment="[FWD] Laptop" src-mac-address=\
3XXXXXXXXXXXX
add action=accept chain=forward comment="[FWD] Macbook" src-mac-address=\
XXXXXXXXXXXX
add action=accept chain=forward comment="[OUT] LAN->WAN" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="[FWD] bridge -> WAN" disabled=yes \
in-interface=bridge out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment="[DROP] LTE->STARLINK" disabled=yes \
in-interface=eth1-LTE out-interface=eth5-STARLINK
add action=drop chain=forward comment="[DROP] STARLINK->LTE" disabled=yes \
in-interface=eth5-STARLINK out-interface=eth1-LTE
add action=log chain=forward comment="[LOG] Everything else" disabled=yes \
log-prefix=DROPPED
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input dst-address=192.168.99.1
add action=drop chain=forward dst-address=192.168.88.0/24 src-address-list=\
"Guest WiFi"
add action=drop chain=forward out-interface-list=!WAN src-address=\
192.168.99.0/24
/ip firewall mangle
add action=mark-connection chain=prerouting comment="[LTE-MARK] DHCP Traffic" \
new-connection-mark=CONN_LTE passthrough=yes src-address-list=DHCP
add action=mark-connection chain=prerouting comment="[STARLINK-MARK] S24" \
new-connection-mark=CONN_STAR passthrough=yes src-mac-address=\
xxxxxxxxxxxxx
add action=mark-routing chain=prerouting comment="[MARK-ROUTE] STARLINK" \
connection-mark=CONN_STAR new-routing-mark=ROUTE_STAR passthrough=no
add action=mark-routing chain=prerouting comment="[MARK-ROUTE] LTE" \
connection-mark=CONN_LTE new-routing-mark=ROUTE_LTE passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
connection-mark=CONN_LTE ipsec-policy=out,none out-interface=eth1-LTE
add action=masquerade chain=srcnat comment="defconf: masquerade" \
connection-mark=CONN_STAR ipsec-policy=out,none out-interface=\
eth5-STARLINK
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="[STARLINK]" disabled=no distance=10 dst-address=0.0.0.0/0 \
gateway=X.X.X.X%eth5-STARLINK routing-table=ROUTE_STAR scope=30 \
suppress-hw-offload=no target-scope=10
add comment="[LTE]" disabled=yes distance=10 dst-address=0.0.0.0/0 gateway=\
eth1-LTE routing-table=ROUTE_LTE scope=30 suppress-hw-offload=no \
target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
