Set Up Routeros v6.27 on RB750

1. Quick Set

Quick Set lets you enter the PPPoE username and password and enable DHCP; it produces a 1WAN4LAN layout.

This is changed to 2WAN3LAN later by reconfiguring the interface in /ip address and the interface in /ip dhcp-server.

2. Interfaces

2WAN3LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-gateway2
set [ find default-name=ether3 ] name=ether3-master-local
set [ find default-name=ether4 ] master-port=ether3-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether3-master-local name=\
    ether5-slave-local
IP/Addresses
/ip address
add address=192.168.88.1/24 interface=ether3-master-local network=192.168.88.0

/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254

IP/DHCP Server
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether3-master-local name=default authoritative=yes
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1

3. PPP

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=pppoe-out1 \
    password=pwd service-name=Telecom use-peer-dns=yes user=username
add add-default-route=yes disabled=no interface=ether2-gateway2 name=pppoe-out2 \
    password=pwd service-name=GreetWall use-peer-dns=yes user=username

Hide the private LAN behind the address given by the ISP.

/ip firewall
nat add chain=srcnat action=masquerade out-interface=pppoe-out1
nat add chain=srcnat action=masquerade out-interface=pppoe-out2

4. Dual Wan

4.1 Send replies to connections that arrived on a WAN back out through the same WAN
/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=\
    pppoe-out1 new-connection-mark=isp1-in passthrough=yes
add action=mark-routing chain=output connection-mark=isp1-in disabled=no \
    new-routing-mark=isp1-out passthrough=no
add action=mark-connection chain=input disabled=no in-interface=\
    pppoe-out2 new-connection-mark=isp2-in passthrough=yes
add action=mark-routing chain=output connection-mark=isp2-in disabled=no \
    new-routing-mark=isp2-out passthrough=no

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-mark=isp1-out scope=30 target-scope=10 check-gateway=ping
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-mark=isp2-out scope=30 target-scope=10 check-gateway=ping
4.2 Load balancing with rule table
/ip route rule
add action=lookup dst-address=1.1.0.0/15 table=table-isp1
add action=lookup dst-address=1.2.0.0/15 table=table-isp2

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-mark=table-isp1 scope=30 target-scope=10 check-gateway=ping
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-mark=table-isp2 scope=30 target-scope=10 check-gateway=ping
4.3 Load balancing with IP list

If load balancing with the rule table (4.2) is configured, load balancing with the IP list will not work.

Group the LAN addresses into an even and an odd address list (192.168.88.100-254 and 192.168.88.101-253, matching the DHCP pool):

:for i from=50 to=127 do={/ip firewall address-list add list=even address=("192.168.88." . ($i*2))}

:for i from=50 to=126 do={/ip firewall address-list add list=odd address=("192.168.88." . ($i*2+1))}

Mark traffic from the even/odd address lists with a routing mark

/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=even new-routing-mark=even-ip passthrough=no
add action=mark-routing chain=prerouting src-address-list=odd new-routing-mark=odd-ip passthrough=no

Load balancing with the IP marks: one default route per routing mark, each through a different ISP

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-mark=odd-ip scope=30 target-scope=10 check-gateway=ping
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-mark=even-ip scope=30 target-scope=10 check-gateway=ping

5. Simple Queue

/queue type add name=256k-upload kind=pcq pcq-rate=256k pcq-classifier=src-address
/queue type add name=3M-download kind=pcq pcq-rate=3M pcq-classifier=dst-address

/queue simple add name=queue-isp1 target=192.168.88.0/24 dst=pppoe-out1 max-limit=512k/12M queue=256k-upload/3M-download
/queue simple add name=queue-isp2 target=192.168.88.0/24 dst=pppoe-out2 max-limit=512k/6M queue=256k-upload/3M-download

6. Check gateway script

{
  # Every PPPoE client interface whose name contains this string is checked
  :local pppoecliname "pppoe-out"
  # Three independent targets, so a single slow host does not trigger a reconnect
  :local remoteHostA "www.baidu.com"
  :local remoteHostB "www.qq.com"
  :local remoteHostC "www.jd.com"
  :local linkcount [:len [/interface find name~$pppoecliname running]]
  :local linkname
  :local cur 0
  :local pingResultA
  :local pingResultB
  :local pingResultC

  /interface
  :foreach i in=[find name~$pppoecliname] do={
    :set linkname [get $i name]
    :if ($linkcount>$cur && [get $i running]) do={
      # /ping returns the number of replies received out of count=10
      :set pingResultA [/ping $remoteHostA count=10 interval=0.2 interface=$linkname]
      :set pingResultB [/ping $remoteHostB count=10 interval=0.2 interface=$linkname]
      :set pingResultC [/ping $remoteHostC count=10 interval=0.2 interface=$linkname]
      # Fewer than 6 of 10 replies from all three hosts: treat the link as broken
      :if ($pingResultA < 6 && $pingResultB < 6 && $pingResultC < 6) do={
        :log warning ("WAN " . $linkname . " is wrong, reconnect now.")
        /interface disable $linkname
        :delay 1
        /interface enable $linkname
      }
    }
    #:log info ("WAN " . $linkname . " is normal.")
    :set cur ($cur+1)
  }
  #:log info ("Checked all WAN.")
}

7. DDNS script

{
  :local ipaddr
  :local server "http://ddns.oray.com"
  :local domain "yourhost.xicp.net"
  :local users "name"
  :local paswd "pwd"
  :global lastip

  # Current address on the first PPPoE link, in the form address/prefix-length
  :set ipaddr [/ip address get [/ip address find interface=pppoe-out1] address]
  # Strip the trailing "/32"
  :set ipaddr [:pick $ipaddr 0 ([:len $ipaddr] - 3)]
  # Build the update query only after $ipaddr is set: "$var" inside double
  # quotes is expanded at assignment time, so defining it earlier sends myip=
  :local par "/ph/update?&hostname=$domain&myip=$ipaddr"

  :if ($ipaddr != $lastip) do={
    :set lastip $ipaddr
    /tool fetch url=($server . $par) mode=http user=$users password=$paswd
  } else={
    :log info "DDNS: No changes necessary."
  }
}

8. Securing

/ip firewall filter

# Management services are reachable from the LAN only
add chain=input action=drop protocol=tcp src-address=!192.168.88.0/24 dst-port=8080 comment="Drop remote Webfig"
add chain=input action=drop protocol=tcp src-address=!192.168.88.0/24 dst-port=22 comment="Drop remote SSH"
add chain=input action=drop protocol=tcp src-address=!192.168.88.0/24 dst-port=21 comment="Drop remote ftp"

# WinBox (8291) brute-force protection. Rules are evaluated top-down and
# add-src-to-address-list does not stop processing, so each new connection moves
# a source up exactly one stage; the fourth new connection inside the 1-minute
# windows puts it on wb_blacklist for 10 days and the next one is dropped.
add chain=input protocol=tcp dst-port=8291 src-address-list=wb_blacklist action=drop comment="Drop WinBox brute forcers" disabled=no
add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage3 action=add-src-to-address-list address-list=wb_blacklist address-list-timeout=10d comment="Winbox brute forcers blacklisting" disabled=no
add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage2 action=add-src-to-address-list address-list=wb_stage3 address-list-timeout=1m comment="Winbox brute forcers the third stage" disabled=no
add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=wb_stage1 action=add-src-to-address-list address-list=wb_stage2 address-list-timeout=1m comment="Winbox brute forcers the second stage" disabled=no
add chain=input protocol=tcp dst-port=8291 connection-state=new action=add-src-to-address-list address-list=wb_stage1 address-list-timeout=1m comment="Winbox brute forcers the first stage" disabled=no

# Default configuration: accept ICMP and replies to the router's own connections
add chain=input action=accept comment="default configuration" protocol=icmp
add chain=input action=accept comment="default configuration" connection-state=\
    established,related
# With PPPoE uplinks, Internet traffic enters the router on pppoe-out1/pppoe-out2,
# not on ether1-gateway; a drop matched on the Ethernet port alone therefore does
# not cover input arriving on the PPPoE interfaces.
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
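The staged WinBox rules above are easy to misjudge, so here is an added example (not from this page or from MikroTik) that models that rule group in Python: it keeps the rule order and the address-list timeouts from the rules and runs them over constructed connection attempts, showing how many new connections a source gets before it is dropped. The list names and timeouts come from the rules; the sample IPs and timings are made up.

```python
STAGE_TIMEOUT = 60  # address-list-timeout=1m on wb_stage1..wb_stage3
BLACKLIST_TIMEOUT = 10 * 86400  # address-list-timeout=10d on wb_blacklist


class WinboxGuard:
    """Address lists by name; each maps source IP -> expiry time (seconds)."""

    def __init__(self):
        names = ("wb_stage1", "wb_stage2", "wb_stage3", "wb_blacklist")
        self.lists = {n: {} for n in names}

    def _listed(self, name, ip, now):
        exp = self.lists[name].get(ip)
        return exp is not None and exp > now

    def _add(self, name, ip, now, timeout):
        # add-src-to-address-list re-adds an existing entry, refreshing its timeout
        self.lists[name][ip] = now + timeout

    def new_connection(self, ip, now):
        """One connection-state=new packet to tcp/8291 from ip at time now.
        Returns 'drop', or 'accept' when no drop rule in this group matches."""
        # Rule 1: source already on wb_blacklist -> drop (terminating action)
        if self._listed("wb_blacklist", ip, now):
            return "drop"
        # Rules 2-5: add-src-to-address-list does not stop rule processing,
        # so the packet continues down the chain. The stage-N membership test
        # runs before the rule that adds to stage N, so one new connection
        # advances a source by exactly one stage.
        if self._listed("wb_stage3", ip, now):
            self._add("wb_blacklist", ip, now, BLACKLIST_TIMEOUT)
        if self._listed("wb_stage2", ip, now):
            self._add("wb_stage3", ip, now, STAGE_TIMEOUT)
        if self._listed("wb_stage1", ip, now):
            self._add("wb_stage2", ip, now, STAGE_TIMEOUT)
        self._add("wb_stage1", ip, now, STAGE_TIMEOUT)
        return "accept"


def simulate(attempts):
    """attempts: (ip, seconds) pairs in time order; returns one verdict each."""
    guard = WinboxGuard()
    return [guard.new_connection(ip, t) for ip, t in attempts]


if __name__ == "__main__":
    # Constructed sample: a rapid burst vs. retries spaced beyond the 1-minute stage timeout
    print(simulate([("198.51.100.7", t) for t in (0, 5, 10, 15, 20)]))  # 4 accepted, 5th dropped
    print(simulate([("192.0.2.9", t) for t in (0, 90, 180, 270, 360)]))  # all accepted
```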
