{"id":167,"date":"2022-10-19T18:02:45","date_gmt":"2022-10-19T12:02:45","guid":{"rendered":"http:\/\/saqcyber.com\/?p=167"},"modified":"2022-11-18T16:09:43","modified_gmt":"2022-11-18T10:09:43","slug":"mikrotik-router-config","status":"publish","type":"post","link":"https:\/\/saq-digital.com\/kk\/mikrotik-router-config\/","title":{"rendered":"How To setup Multiple ISP Access on Mikrotik Secure way"},"content":{"rendered":"

Use case scenario<\/h1>\n\n\n\n

We have 2 or mutiple entities with their own different LAN networks and different ISPs to join internet, but only via single router as gateway. <\/p>\n\n\n\n

In our example we use Mikrotik router and switch, Please see below network topology for the desgin.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Configuration<\/h1>\n\n\n\n

All configuration will be done on the mikrotik router, and we only use 2 ISP access, but you can extend the configuratiuon to multiple ISP access, eg 3 or more. <\/p>\n\n\n\n

Set interfaces on the router and asign names on the ports we use:<\/p>\n\n\n\n

\/interface ethernet\nset [ find default-name=ether1 ] name=ETH1-ISP1\nset [ find default-name=ether2 ] name=ETH2-LAN1\nset [ find default-name=ether3 ] name=ETH3-ISP2\nset [ find default-name=ether4 ] name=ETH4-LAN2\n\n\/interface list\nadd name=LAN1\nadd name=ISP1\nadd name=LAN2\nadd name=ISP2\n<\/code><\/pre>\n\n\n\n
Add IP Pools and it’s IP address ranges:<\/p>\n\n\n\n
\/ip pool\nadd name=LAN1-Pool ranges=10.10.10.2-10.10.10.254\nadd name=LAN2-Pool ranges=10.10.20.2-10.10.20.254<\/code><\/pre>\n\n\n\n
Configure DHCP server for LAN clients:<\/p>\n\n\n\n
\/ip dhcp-server\nadd address-pool=LAN1-Pool disabled=no interface=ETH2-LAN1 lease-time=5d \\\n    name=LAN1-DHCP\nadd address-pool=LAN2-Pool disabled=no interface=ETH4-LAN2 lease-time=5d \\\n    name=LAN2-DHCP\n\n\/interface list member\nadd interface=ETH1-ISP1 list=ISP1\nadd interface=ETH2-LAN1 list=LAN1\nadd interface=ETH3-ISP2 list=ISP2\nadd interface=ETH4-LAN2 list=LAN2\n\n\/ip address\nadd address=10.10.10.1\/24 interface=ETH2-LAN1 network=10.10.10.0\nadd address=10.10.20.1\/24 interface=ETH4-LAN2 network=10.10.20.0\n\/ip dhcp-client\nadd disabled=no interface=ETH1-ISP1\nadd disabled=no interface=ETH3-ISP2\n\/ip dhcp-server network\nadd address=10.10.10.0\/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1\nadd address=10.10.20.0\/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.20.1<\/code><\/pre>\n\n\n\n
Add DNS configuration:<\/p>\n\n\n\n
\/ip dns\nset servers=8.8.8.8,8.8.4.4<\/code><\/pre>\n\n\n\n
Most importent step is to setup firewall on the router:<\/p>\n\n\n\n
\/ip firewall address-list\nadd address=0.0.0.0\/8 comment=\"Self-Identification [RFC 3330]\" list=Bogons\nadd address=10.0.0.0\/8 comment=\"Private[RFC 1918] - CLASS A # Check if you nee\\\n    d this subnet before enable it\" list=Bogons\nadd address=127.0.0.0\/8 comment=\"Loopback [RFC 3330]\" list=Bogons\nadd address=169.254.0.0\/16 comment=\"Link Local [RFC 3330]\" list=Bogons\nadd address=172.16.0.0\/12 comment=\"Private[RFC 1918] - CLASS B # Check if you \\\n    need this subnet before enable it\" list=Bogons\nadd address=192.0.2.0\/24 comment=\"Reserved - IANA - TestNet1\" list=Bogons\nadd address=192.88.99.0\/24 comment=\"6to4 Relay Anycast [RFC 3068]\" list=\\\n    Bogons\nadd address=198.18.0.0\/15 comment=\"NIDB Testing\" list=Bogons\nadd address=198.51.100.0\/24 comment=\"Reserved - IANA - TestNet2\" list=Bogons\nadd address=203.0.113.0\/24 comment=\"Reserved - IANA - TestNet3\" list=Bogons\nadd address=224.0.0.0\/4 comment=\\\n    \"MC, Class D, IANA # Check if you need this subnet before enable it\" \\\n    list=Bogons\n\/ip firewall filter\nadd action=accept chain=forward comment=\"defconf: accept established,related\" \\\n    connection-state=established,related\nadd action=drop chain=forward comment=\"defconf: drop invalid\" \\\n    connection-state=invalid\nadd action=accept chain=input port=69 protocol=udp\nadd action=accept chain=forward port=69 protocol=udp\nadd action=drop chain=forward comment=\\\n    \"defconf:  drop all from WAN not DSTNATed\" connection-nat-state=!dstnat \\\n    connection-state=new in-interface=ETH1-ISP1\nadd action=drop chain=forward connection-nat-state=!dstnat connection-state=\\\n    new in-interface=ETH3-ISP2\nadd action=drop chain=forward comment=\"Drop to bogon list\" dst-address-list=\\\n    Bogons\nadd action=accept chain=input protocol=icmp\nadd action=accept chain=input connection-state=established\nadd action=accept chain=input connection-state=related\nadd action=drop chain=input in-interface=ETH1-ISP1\nadd action=drop chain=input in-interface=ETH3-ISP2\n\n\/ip firewall mangle\nadd action=mark-routing chain=prerouting comment=\"LAN1 to ISP1\" \\\n    new-routing-mark=LAN1-to-ISP1 passthrough=yes src-address=10.10.10.0\/24\nadd action=mark-routing chain=prerouting comment=\"LAN2 to ISP2\" \\\n    new-routing-mark=LAN2-to-ISP2 passthrough=yes src-address=10.10.20.0\/24\n\n\/ip firewall nat\nadd action=masquerade chain=srcnat out-interface=ETH1-ISP1\nadd action=masquerade chain=srcnat out-interface=ETH3-ISP2\n<\/code><\/pre>\n\n\n\n
Last step we need to setup the IP routing to let the LAN side clients to find out their own outbound gateway:<\/p>\n\n\n\n
\/ip route\nadd distance=1 gateway=192.168.1.1 routing-mark=LAN1-to-ISP1 \n\/\/192.168.1.1 is ISP1 address\nadd distance=1 gateway=192.168.2.1 routing-mark=LAN2-to-ISP2\n\/\/192.168.2.1 is ISP2 address\n\n\/system clock\nset time-zone-name=Asia\/Almaty\n<\/code><\/pre>\n\n\n\n
<\/p>","protected":false},"excerpt":{"rendered":"
Use case scenario We have 2 or mutiple entities with their own different LAN networks and different ISPs to join internet, but only via single router as gateway. In our example we use Mikrotik router and switch, Please see below network topology for the desgin. Configuration All configuration will be done on the mikrotik router, […]<\/p>\n","protected":false},"author":1,"featured_media":5740,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[11,85,102,9],"tags":[16,88,123,14],"class_list":["post-167","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-firewall","category-infrastructure","category-networking","category-routing","tag-firewall","tag-infrastructure","tag-networking","tag-routing"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"aioseo_notices":[],"featured_image_urls_v2":{"full":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-scaled.jpg",2560,945,false],"thumbnail":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-150x150.jpg",150,150,true],"medium":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-300x111.jpg",300,111,true],"medium_large":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-768x284.jpg",768,284,true],"large":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-1024x378.jpg",1024,378,true],"1536x1536":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-1536x567.jpg",1536,567,true],"2048x2048":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-2048x756.jpg",2048,756,true],"trp-custom-language-flag":["https:\/\/saq-digital.com\/wp-content\/uploads\/2022\/05\/mikrotik-dual-isp-access-v02-scaled.jpg",18,7,false]},"post_excerpt_stackable_v2":"
Use case scenario We have 2 or mutiple entities with their own different LAN networks and different ISPs to join internet, but only via single router as gateway. In our example we use Mikrotik router and switch, Please see below network topology for the desgin. Configuration All configuration will be done on the mikrotik router, and we only use 2 ISP access, but you can extend the configuratiuon to multiple ISP access, eg 3 or more. Set interfaces on the router and asign names on the ports we use: \/interface ethernet set [ find default-name=ether1 ] name=ETH1-ISP1 set [ find…<\/p>\n","category_list_v2":"Firewall<\/a>, Infrastructure<\/a>, Networking<\/a>, Routing<\/a>","author_info_v2":{"name":"SAQ","url":"https:\/\/saq-digital.com\/kk\/author\/serik-akim\/"},"comments_num_v2":"0 comments","brizy_media":[],"_links":{"self":[{"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/comments?post=167"}],"version-history":[{"count":10,"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/posts\/167\/revisions"}],"predecessor-version":[{"id":6083,"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/posts\/167\/revisions\/6083"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/media\/5740"}],"wp:attachment":[{"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/media?parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/categories?post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/saq-digital.com\/kk\/wp-json\/wp\/v2\/tags?post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}