
How do I setup Dual WAN and Web Filtering?

Posted: Mon Mar 25, 2013 7:52 am
by YasinOnline
Guys, I need to set up a MikroTik 751U-2HnD (Wi-Fi) router to accomplish the following tasks:

1. Dual WAN bonding/merging/at least load balancing.
2. Failover setup.
3. Web content filtering / websites block.
4. Data sharing and printing over LAN and WLAN.

Attached are the network design/layout and the settings file of what I did, but it was ineffective.
Any help, ideas or support, please?
myConfigurationMUM.txt
Thanking in advance.

Re: How do I setup Dual WAN and Web Filtering?

Posted: Mon Mar 25, 2013 12:14 pm
by aacable
1 - There are various methods to load balance multiple WAN links; the most popular method is PCC. Example?
http://wiki.mikrotik.com/wiki/Manual:PCC
http://aacable.wordpress.com/2011/07/27 ... t-by-zaib/

2 - Failover can be accomplished by using customized scripts or within PCC. Example?
http://wiki.mikrotik.com/wiki/Failover_Scripting
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

3 - What level of filtering do you want to implement for users? For a basic level of filtering, like blocking certain web sites, you can use the MikroTik built-in web proxy, which can do the job nicely. Example?
http://aacable.wordpress.com/2011/12/29 ... rent-mode/

4 - Data/print sharing within the same LAN/subnet has no issues, as it will not go through the router. However, if you want to access your shared data/printing from the internet, then you have to set up port forwarding accordingly. For example, if you have shared your data via an HTTP server, then simply forward port 80 from the router to the internal web server hosting your data; the same applies to printing, just use the appropriate ports. Example?
http://aacable.wordpress.com/2012/01/29 ... er-on-lan/

Re: How do I setup Dual WAN and Web Filtering?

Posted: Mon Mar 25, 2013 2:07 pm
by vadyalex
What exactly does not work?

Re: How do I setup Dual WAN and Web Filtering?

Posted: Mon Mar 25, 2013 2:36 pm
by YasinOnline
Thank you dear aacable,

I have already visited your blog and am now retrying as you mention; I will be back soon with results/problems.

Regards,

Re: How do I setup Dual WAN and Web Filtering?

Posted: Mon Mar 25, 2013 2:45 pm
by YasinOnline
What exactly does not work?
I have 10 users. I configured PCC as per http://wiki.mikrotik.com/wiki/Manual:PCC; it splits 7 users onto one connection and 3 users onto the second connection. If the first connection goes down, neither are the 7 users diverted to the second connection nor can the remaining 3 users browse the internet. I think DNS is not resolving accordingly.

The web proxy is configured according to http://wiki.mikrotik.com/wiki/How_to_ma ... _web_proxy; on a single connection it works fine, but after implementing the above PCC settings website filtering does not work. Maybe this is a problem with the "in-interface" setting; what should it be in Dual WAN?
/ip firewall filter add chain=input in-interface=ISP1 protocol=tcp dst-port=8080 action=drop

Thanks,

Re: How do I setup Dual WAN and Web Filtering?

Posted: Wed Mar 27, 2013 7:21 am
by YasinOnline
4 - Data/print sharing within the same LAN/subnet has no issues, as it will not go through the router. However, if you want to access your shared data/printing from the internet, then you have to set up port forwarding accordingly. For example, if you have shared your data via an HTTP server, then simply forward port 80 from the router to the internal web server hosting your data; the same applies to printing, just use the appropriate ports. Example?
http://aacable.wordpress.com/2012/01/29 ... er-on-lan/
Dear Aacable,

I used the following addressing scheme:
/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ISP1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ISP2
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 interface=WLAN

Load balancing is working fine.

On WLAN (wireless connection) internet connectivity/browsing is OK, but I cannot get printouts when I send from WLAN to the LAN printer.
Do I need port forwarding or something else? What configuration am I missing to get prints on the LAN printer?

Thanks

Re: How do I setup Dual WAN and Web Filtering?

Posted: Fri Mar 29, 2013 9:58 am
by YasinOnline
Dear Friends,

Based on your support, the following configuration sets up dual WAN for LAN and WLAN and is working (able to share data and print over LAN and wireless).
I am getting a slower response than a direct connection with a single WAN; sometimes I need to refresh the browser/page again and again, or wait a few minutes, to display it.

www.speedtest.net shows good results, but browsing and internet connectivity are very slow. Sometimes I need to refresh a page again and again to display it.
Failover is not working properly: when I unplug any WAN cable, some or sometimes all computers cannot access the internet.
I also have trouble applying "WEB PROXY" and "WEBSITES BLOCKING". When I apply them, all websites get blocked (no browsing).

Any ideas to improve it?

/interface
set 1 name=WAN1
set 2 name=WAN2
set 4 name=LAN
set 5 name=WLAN

/interface bridge
add l2mtu=1526 name=Local-Bridge protocol-mode=rstp

/interface bridge port
add bridge=Local-Bridge interface=LAN
add bridge=Local-Bridge interface=WLAN

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local-Bridge
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local-Bridge
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local-Bridge
add chain=prerouting dst-address-type=!local in-interface=Local-Bridge per-connection-classifier=both-addresses-and-ports:2/0 \
action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local-Bridge per-connection-classifier=both-addresses-and-ports:2/1 \
action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local-Bridge action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local-Bridge action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=203.128.7.10,119.152.255.60

/ip pool add name=dhcp_pool1 ranges=192.168.0.10-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=Local-Bridge lease-time=3d name=dhcpLAN

/ip dhcp-server config
set store-leases-disk=5m

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=203.128.7.10,119.152.255.60 gateway=192.168.0.1

/interface wireless
set WLAN band=2ghz-b/g default-authentication=yes disabled=no mode=ap-bridge

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
aes-ccm group-key-update=5m interim-update=0s management-protection=allowed \
management-protection-key="" mode=dynamic-keys name=default radius-eap-accounting=no \
radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none \
static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" \
static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MIKROTIK tls-certificate=none tls-mode=\
no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=<YOUR PASSWORD> \
wpa2-pre-shared-key=<YOUR PASSWORD>

/interface wireless
set WLAN security-profile=default wireless-protocol=802.11 frequency=2412

Thanks,
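
Added example, not part of any post in this thread: the posted configuration sets allow-remote-requests=yes and shows no /ip firewall filter rules, so the DNS cache, and the web proxy once it is enabled, accept requests arriving on WAN1 and WAN2 as well as from the LAN. With two WAN interfaces, the single-WAN drop rule quoted earlier in the thread is repeated once per WAN interface; the interface names and port 8080 are the ones used in the posts above.

```routeros
# Added example, not from the thread. WAN1/WAN2 and proxy port 8080 are
# the names and port used in the posts above.
/ip firewall filter
# Web proxy: the wiki's single-WAN drop rule, once per WAN interface.
add chain=input in-interface=WAN1 protocol=tcp dst-port=8080 action=drop comment="proxy: closed on WAN1"
add chain=input in-interface=WAN2 protocol=tcp dst-port=8080 action=drop comment="proxy: closed on WAN2"
# DNS cache (allow-remote-requests=yes): only LAN clients may query it.
# Replies from the upstream servers arrive with source port 53, not
# destination port 53, so the router's own lookups are unaffected.
add chain=input in-interface=WAN1 protocol=udp dst-port=53 action=drop comment="dns: closed on WAN1"
add chain=input in-interface=WAN1 protocol=tcp dst-port=53 action=drop comment="dns: closed on WAN1"
add chain=input in-interface=WAN2 protocol=udp dst-port=53 action=drop comment="dns: closed on WAN2"
add chain=input in-interface=WAN2 protocol=tcp dst-port=53 action=drop comment="dns: closed on WAN2"
```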

Re: How do I setup Dual WAN and Web Filtering?

Posted: Fri Apr 05, 2013 1:28 pm
by aacable
Try src-address as your PCC classifier; hopefully it will solve a few issues at your end :)

Failover doesn't work with the script you are using if you pull out the WAN cable (which is connected from your WAN device to the ISP). However, if you turn off the WAN device, for example the DSL router, then surely it will not send traffic to the second gateway due to the check-gateway option in the route section. You have to use a different approach in this regard. Using some modified SCRIPT is a good idea to make your router fully man IN-CHARGE :) :lol:

Re: How do I setup Dual WAN and Web Filtering?

Posted: Tue Jun 02, 2015 2:35 pm
by vlaczo75
thank you, I managed to position it and it's working.

Re: How do I setup Dual WAN and Web Filtering?

Posted: Tue Jun 02, 2015 2:37 pm
by vlaczo75
thank you, I managed to position it and it's working.

Re: How do I setup Dual WAN and Web Filtering?

Posted: Fri Jun 05, 2015 8:55 pm
by tiagofrota
Try src-address as your PCC classifier; hopefully it will solve a few issues at your end :)

Failover doesn't work with the script you are using if you pull out the WAN cable (which is connected from your WAN device to the ISP). However, if you turn off the WAN device, for example the DSL router, then surely it will not send traffic to the second gateway due to the check-gateway option in the route section. You have to use a different approach in this regard. Using some modified SCRIPT is a good idea to make your router fully man IN-CHARGE :) :lol:

Hi aacable. I'm running into this issue. My script is quite similar, and whenever one WAN link fails, the other doesn't come up as the main link; I have to disable the failing WAN interface manually for the other to come up.

What would be the best approach for making the failover work better?

Thanks, Tiago.

Re: How do I setup Dual WAN and Web Filtering?

Posted: Fri Jun 05, 2015 9:47 pm
by pukkita
Try this:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN2 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
Problem is you should put the provider router in bridge mode and get the public IP on the mikrotik itself, so that you check your real internet gateway through the WAN interface; right now you just check your provider router LAN, which most times will be online when internet is down...

You can work around that with recursive routing: do a traceroute to identify what's your nexthop to Internet, then modify default routes using scope=10 setting it as the gateway.
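
Added example (not pukkita's own configuration) of the recursive-routing workaround described above, written in the RouterOS v6 syntax used in this thread. 203.0.113.1 and 198.51.100.1 are placeholder next-hop addresses assumed for illustration; replace each with the first hop beyond the provider router that a traceroute over that WAN shows.

```routeros
# Added example, not from the thread. Placeholder probe addresses:
#   203.0.113.1   = assumed next hop beyond provider router 192.168.1.1
#   198.51.100.1  = assumed next hop beyond provider router 192.168.2.1
# These routes replace the existing 0.0.0.0/0 routes; remove the old ones.
/ip route
# 1. Pin each probe address to exactly one WAN. scope=10 makes these host
#    routes usable for resolving the gateways of the default routes below
#    (their target-scope is 10 by default in RouterOS v6).
add dst-address=203.0.113.1/32 gateway=192.168.1.1 scope=10
add dst-address=198.51.100.1/32 gateway=192.168.2.1 scope=10

# 2. Default routes use the probe addresses as gateways, so
#    check-gateway=ping tests a hop past the provider router instead of
#    the provider router's LAN address.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_WAN1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_WAN1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_WAN2 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_WAN2 distance=2 check-gateway=ping

# 3. Main table, used by the router's own traffic (DNS lookups, proxy).
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
```

A route is marked inactive only when its probe address stops answering pings, so choose probe hosts that reliably respond; an unresponsive probe host looks the same as a failed link.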

Re: How do I setup Dual WAN and Web Filtering?

Posted: Tue Sep 15, 2015 10:38 am
by theboz
Hello to everyone,
I'd like to buy a MikroTik hEX. Could you please tell me if I can use the above scripts with it, or if the hEX has less functionality?
Thanks very much!
Best regards.

Re: How do I setup Dual WAN and Web Filtering?

Posted: Tue Sep 29, 2015 6:30 pm
by Marcist
Hello guys, I have a question please:

Is it possible for a MikroTik router RB750GL configured in bridge mode to do web filtering (block websites)?
If yes, how can I do that?
Thanks,

Re: How do I setup Dual WAN and Web Filtering?

Posted: Wed Oct 07, 2015 12:58 pm
by aacable
hello gays .... i have a question please:
Kindly clarify :lol: