How to set up 2 (def) gw (2 ISPs) with dhcp -> DNS/MASq how?
Posted: Fri Nov 28, 2014 4:36 pm
Hello all
I have a rb2011 and want to enable the second modem/router (as gw to another ISP) and struggle a bit as I need the actively used dhcp interface to "switch over" or similar. Of course both links could or will work most of the time, but internet link 1 is a bit bigger than internet link 2 (by a factor of roughly 500).
So the following is the basic setup (only relevant info pasted; the rest is hidden or left out, marked by [...]).
- sfp, ether1-ether5 as a bridge
- sfp is main gw (dhcp-client1)
- ether9 is second gw (also dhcp-client), without master port
Code:
/interface bridge
add l2mtu=1598 name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
[...]
set [ find default-name=ether9 ] comment=UPC
/ip pool
add name=dhcp-cmb ranges=192.168.133.10-192.168.133.99
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 disabled=yes interface=ether6
/ip address
add address=192.168.133.1/24 interface=bridge1 network=192.168.133.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1 add-default-route=no
add dhcp-options=clientid,hostname disabled=no interface=ether9 add-default-route=no use-peer-ntp=no
/ip route
add gateway=sfp1 dst-address=0.0.0.0/0 check-gateway=ping
add gateway=ether9 dst-address=0.0.0.0/0 distance=2
/ip dhcp-server network
add address=192.168.133.0/24 dns-server=312.441.921.02,8.8.4.4 gateway=192.168.133.1
[... FW rules left out; these are mostly for access to the webfig GUI ...]
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether9 to-addresses=0.0.0.0
Q1: In /ip dhcp-server network I add the DNS servers directly. Can I somehow use the DNS servers supplied to the dhcp-client instead?
Code:
/ip dhcp-server network
add address=192.168.133.0/24 dns-server=312.441.921.02,8.8.4.4 gateway=192.168.133.1
Otherwise I use Google DNS (8.8.4.4), but I do not really want to use those. (BTW I obfuscated the main DNS address a bit.)
Q2: Do I need the to-addresses=0.0.0.0 in the /ip firewall nat statements?
Q3: How would I handle the incoming requests (MASq)? The following will not work when the first link is down (as it has sfp1 in it):
Code:
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.133.3 to-ports=80
Or can I leave out the "in-interface"?
(I could define both rules through ether9 and sfp1 though...)
Q4: I use a bridge (bridge1) for ether1-ether5 (ether6-10 are disabled and should not see traffic from ether1-5). Can I do all of the above without configuring a bridge and just use the built-in switch "part" (as this should route faster, yes?)?
Q5: (unrelated): To connect to the webfig GUI through one of the etherX ports, do I need firewall rules anyway? (A serial console is not so common on today's PCs.)
Thanks a lot
Cheers
cmb
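As an added example (not part of cmb's post or of his running configuration), here is one way the same dual-uplink setup can be written so that the DNS, masquerade and port-forward parts no longer depend on which uplink is currently active. It assumes RouterOS 6.x, the interface names and addresses from the post (sfp1 = ISP1, ether9 = ISP2, LAN on bridge1 as 192.168.133.0/24, web server at 192.168.133.3). Letting the DHCP clients install the default routes, using the router as the LAN resolver, and matching the dst-nat rule on `dst-address-type=local` with `in-interface=!bridge1` are my suggested choices, not something stated in the post.

```routeros
# Added example, not cmb's config. Assumes RouterOS 6.x, sfp1 = ISP1 (preferred),
# ether9 = ISP2, LAN 192.168.133.0/24 on bridge1, web server 192.168.133.3.

# Each DHCP client installs its own default route; the distance decides which
# one wins, and the sfp1 route disappears on its own if that lease is lost.
/ip dhcp-client
add interface=sfp1 disabled=no add-default-route=yes default-route-distance=1 use-peer-dns=yes
add interface=ether9 disabled=no add-default-route=yes default-route-distance=2 use-peer-dns=yes

# The router answers DNS for the LAN and forwards to whatever servers the
# active lease supplied, so nothing upstream has to be hard-coded.
/ip dns
set allow-remote-requests=yes

/ip dhcp-server network
add address=192.168.133.0/24 gateway=192.168.133.1 dns-server=192.168.133.1

/ip firewall nat
# One masquerade rule per uplink; to-addresses is not needed for masquerade.
add chain=srcnat out-interface=sfp1 action=masquerade
add chain=srcnat out-interface=ether9 action=masquerade
# Port forward matched on "an address owned by this router" rather than on a
# specific WAN interface. in-interface=!bridge1 keeps LAN clients that talk to
# the router's own port 80 (webfig) from being forwarded to the web server.
add chain=dstnat in-interface=!bridge1 dst-address-type=local protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.133.3 to-ports=80

/ip firewall filter
add chain=input connection-state=established,related action=accept
# Management (webfig 80, winbox 8291) and DNS are reachable from the LAN only...
add chain=input in-interface=bridge1 protocol=tcp dst-port=80,8291 action=accept
add chain=input in-interface=bridge1 protocol=udp dst-port=53 action=accept
add chain=input in-interface=bridge1 protocol=tcp dst-port=53 action=accept
# ...because allow-remote-requests=yes would otherwise also serve DNS (and the
# GUI would be exposed) on both WAN ports. Drop everything else arriving there.
add chain=input in-interface=sfp1 action=drop
add chain=input in-interface=ether9 action=drop
```

Two caveats on this layout: the DHCP-installed default routes carry no check-gateway, so failover here happens only when the sfp1 lease itself goes away, and without per-uplink routing marks a connection that arrives on ether9 while sfp1 is active will have its replies sent out via sfp1, so the port forward only genuinely works on whichever link currently holds the default route.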