MANUAL: MikroTik, PCC load balancing with failover

Hi @Chrcasamen

Here is how I would leave it, along with the changes I made relative to your configuration. I'm leaving out the rest of the router configuration that isn't related to the balancing. I'm taking for granted that, as the export shows, this device has no firewall filter rules at all. If it did, make sure fasttrack is disabled, otherwise the packet marking doesn't work. That said, I would leave it like this:

Code:
/ip address
# For neatness, we declare the WAN addresses as /30
add address=192.168.1.2/30 interface=ether1 network=192.168.1.0
add address=192.168.10.2/30 interface=ether2 network=192.168.10.0
add address=192.168.86.1/24 interface=ether5 network=192.168.86.0

/ip firewall mangle
# Send LAN traffic destined for the local segments of the upstream routers to the default routing table
add action=accept chain=prerouting dst-address=192.168.1.0/30 in-interface=ether5
add action=accept chain=prerouting dst-address=192.168.10.0/30 in-interface=ether5

# Do the same for the rest of the local network segments, so they don't go through the balancing
add action=accept chain=prerouting dst-address=192.168.0.0/16 \
  src-address=192.168.0.0/16

# Mark inbound connections: what comes in on ether1 is from ISP1, and likewise ether2/ISP2
add action=mark-connection chain=prerouting connection-mark=no-mark \
  in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
  in-interface=ether2 new-connection-mark=ISP2_conn passthrough=yes

# Mark, balancing, everything that comes from the LAN with a non-local destination (internet)
add action=mark-connection chain=prerouting connection-mark=no-mark \
  dst-address-type=!local in-interface=ether5 new-connection-mark=ISP1_conn \
  passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
  dst-address-type=!local in-interface=ether5 new-connection-mark=ISP2_conn \
  passthrough=yes per-connection-classifier=both-addresses:2/1

# Route, based on the marks, into each new routing table
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
  in-interface=ether5 new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
  in-interface=ether5 new-routing-mark=to_ISP2 passthrough=no

# Also route in output, for the router's own outbound traffic
add action=mark-routing chain=output connection-mark=ISP1_conn \
  new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_conn \
  new-routing-mark=to_ISP2 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.10.1 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.10.1

Changes:
  • The addresses of the devices connected to ether1 and ether2 (your WANs) I converted to /30. This isn't an error, simply a more elegant way of saying that those IPs are point-to-point, not a subnet as such that you are going to make use of.
  • The first two mangle rules you had wrong. The "bypass" those two rules aim for is to let traffic coming from your LAN destined for the LANs of the upstream routers (not the internet exit) step out of the balancing and go via the default routing table. With that you get communication with those two subnets, and the devices can see each other. For that, the in-interface= will always be your LAN interface, in your case and for both rules, ether5.
  • Seeing more subnets in your routing table, I added a new rule in prerouting so that LAN traffic between those subnets doesn't go through the balancing. This rule could replace the previous two, since I took the whole 192.168.0.0/16 range for everything I consider local traffic. You could also create an address-list and put the local segments in it one by one, and the rule would be identical, simply using the same list as the source and destination filter. That is, all traffic with a local source and a local destination you ignore and pass through the default routing table (accept), taking it out of the balancing.
  • Check that you don't have fasttrack enabled on that router in a /firewall filter rule. If that device has no firewall, there's nothing more to do.
By the way, the RB750Gr3 is more than enough for what you want. I mention it in case you want to use the 4011 for something bigger.

Regards!
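Added example, not part of the post above: the address-list form of the local-bypass rule from the third point, together with the fasttrack check from the fourth and a way to confirm that the connection marks are actually being applied. The list name `local_nets` is an assumption; the segments in it are the ones visible in the thread (the two WAN links, the ether5 LAN and the subnets behind the second RB4011), so adjust them to whatever you actually have.

```routeros
# Added example: address-list variant of the "local to local, skip the balancing" rule.
# The list name local_nets is an assumption; fill it with your actual local segments.
/ip firewall address-list
add address=192.168.1.0/30 list=local_nets comment="WAN1 link to the ISP1 router"
add address=192.168.10.0/30 list=local_nets comment="WAN2 link to the ISP2 router"
add address=192.168.86.0/24 list=local_nets comment="LAN on ether5"
add address=192.168.88.0/24 list=local_nets comment="segment behind the second RB4011"
add address=192.168.90.0/24 list=local_nets comment="segment behind the second RB4011"
add address=192.168.91.0/24 list=local_nets comment="segment behind the second RB4011"

# Same list as source and destination filter: anything local-to-local is accepted in
# prerouting before the PCC rules run, so it never gets a connection mark and is routed
# by the main table. This rule must sit ABOVE the mark-connection rules, which is what
# place-before=0 does when the chain already has rules.
/ip firewall mangle
add action=accept chain=prerouting comment="bypass balancing for local traffic" \
  src-address-list=local_nets dst-address-list=local_nets place-before=0

# Fasttrack check: packets of a fasttracked connection skip mangle, so the routing
# mark is never applied and the balancing silently stops working.
/ip firewall filter print where action=fasttrack-connection
# If anything shows up, disable it before testing the balancing:
/ip firewall filter disable [ find action=fasttrack-connection ]

# Verify the marks: connections from the LAN to the internet should show up under
# ISP1_conn or ISP2_conn, roughly half and half; local-to-local ones should carry no mark.
/ip firewall connection print where connection-mark=ISP1_conn
/ip firewall connection print where connection-mark=ISP2_conn
```

With the list in place you can add or remove a local segment later without touching the mangle rule itself, which is the main reason to prefer it over the /16 match once the number of segments grows.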
 
Hello again, thanks for the suggestions and the valuable help. So that it's clearer for you, I'm attaching an image of how my balancing is set up. The networks you mention are because I have it segmented with another RB4011, as you can see in the image, to do DHCP and rate control (it isn't in the configuration yet). But with this it will surely be clearer for you to understand. I'm sending the scripts of both RB4011s and will hide the sensitive information (excellent suggestion too..)

Thanks everyone for your time..

RB4011 number 1:
# aug/27/2021 19:39:18 by RouterOS 6.48.3
# software id = XXXYYY
#
# model = RB4011iGS+
# serial number = XXXYYY
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no
set [ find default-name=ether2 ] auto-negotiation=no
set [ find default-name=ether5 ] auto-negotiation=no
/interface ovpn-client
add certificate=XXXYYY cipher=aes256 connect-to=\
XXXYYY mac-address=XXXYYY name=ovpn-out1 password=\
XXXYYY user=XXXYYY
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=192.168.10.2/24 interface=ether2 network=192.168.10.0
add address=192.168.86.1/24 interface=ether5 network=192.168.86.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
ether1
add action=accept chain=prerouting dst-address=192.168.10.0/24 in-interface=\
ether2
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether5 new-connection-mark=ISP1_conn \
passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether5 new-connection-mark=ISP2_conn \
passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=ether5 new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
in-interface=ether5 new-routing-mark=to_ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.10.1 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.10.1
add check-gateway=ping disabled=yes distance=1 dst-address=192.168.87.0/24 \
gateway=192.168.1.4
add check-gateway=ping distance=1 dst-address=192.168.88.0/24 gateway=\
192.168.86.5
add check-gateway=ping distance=1 dst-address=192.168.90.0/24 gateway=\
192.168.86.5
add check-gateway=ping distance=1 dst-address=192.168.91.0/24 gateway=\
192.168.86.5
/system clock
set time-zone-name=America/Guayaquil

RB4011 router number 2 (control and DHCP):

# aug/28/2021 08:17:40 by RouterOS 6.48.3
# software id = XXXYYY
#
# model = RB4011iGS+
# serial number = XXXYYY
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.100-192.168.90.254
add name=dhcp_pool2 ranges=192.168.91.100-192.168.91.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 lease-time=1d10m \
name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether4 lease-time=1d10m \
name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=ether5 lease-time=1d10m \
name=dhcp3
/ip address
add address=192.168.86.5/24 interface=ether1 network=192.168.86.0
add address=192.168.88.1/24 interface=ether3 network=192.168.88.0
add address=192.168.90.1/24 interface=ether4 network=192.168.90.0
add address=192.168.91.1/24 interface=ether5 network=192.168.91.0
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.90.0/24 gateway=192.168.90.1
add address=192.168.91.0/24 gateway=192.168.91.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip route
add check-gateway=ping distance=1 gateway=192.168.86.1
/system clock
set time-zone-name=America/Guayaquil

Thanks and best regards
Christian
 

Attachment: BALANCEO.jpg

Hi @pocoyo,
When you say in the first message "I take it for granted that we all know how to configure a connection automatically with whoever our operator is..."
That's assuming a lot in my case...

I want to connect a 4G router with a Simyo SIM connection (verified that it works on its own) on port 2, but it doesn't pick up if I disconnect the DIGI ONT.
So far I've taken that port out of the LAN list and put it in the WAN list, and I've removed the previous configurations and added addressing.
This is how I have it so far. What am I doing wrong, or what am I missing? THANKS A LOT

Code:
/interface ethernet
set [ find default-name=ether1 ] name=1-wan
set [ find default-name=ether2 ] name=2-wan
set [ find default-name=ether3 ] name=3-w1
set [ find default-name=ether4 ] name=4-w2
set [ find default-name=ether5 ] name=5-sw
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=5-sw name=vlan-A1 vlan-id=44
add interface=5-sw name=vlan-D1 vlan-id=55
add interface=5-sw name=vlan-D2 vlan-id=66
add interface=5-sw name=vlan-D3 vlan-id=77
add interface=5-sw name=vlan-D4 vlan-id=88
add interface=5-sw name=vlan-RP vlan-id=33
add interface=1-wan name=vlan20 vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=XXX user=XXX
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool-w1 ranges=192.168.3.150-192.168.3.250
add name=pool-w2 ranges=192.168.4.150-192.168.4.250
add name=pool-A1 ranges=192.168.44.200-192.168.44.250
add name=pool-D1 ranges=192.168.55.150-192.168.55.250
add name=pool-D2 ranges=192.168.66.150-192.168.66.250
add name=pool-D3 ranges=192.168.77.150-192.168.77.250
add name=pool-D4 ranges=192.168.88.150-192.168.88.250
add name=pool-RP ranges=192.168.33.150-192.168.33.250
add name=vpn-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=pool-w1 disabled=no interface=3-w1 name=dhcp-w1
add address-pool=pool-w2 disabled=no interface=4-w2 name=dhcp-w2
add address-pool=pool-A1 disabled=no interface=vlan-A1 name=dhcp-A1
add address-pool=pool-D1 disabled=no interface=vlan-D1 name=dhcp-D1
add address-pool=pool-D2 disabled=no interface=vlan-D2 name=dhcp-D2
add address-pool=pool-D3 disabled=no interface=vlan-D3 name=dhcp-D3
add address-pool=pool-D4 disabled=no interface=vlan-D4 name=dhcp-D4
add address-pool=pool-RP disabled=no interface=vlan-RP name=dhcp-RP
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.100.1 name=vpn-profile remote-address=vpn-pool use-encryption=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes ipsec-secret=XXX use-ipsec=yes
/interface list member
add interface=2-wan list=WAN
add interface=3-w1 list=LAN
add interface=4-w2 list=LAN
add interface=5-sw list=LAN
add interface=1-wan list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.2.2/24 interface=2-wan network=192.168.2.0
add address=192.168.3.1/24 interface=3-w1 network=192.168.3.0
add address=192.168.4.1/24 interface=4-w2 network=192.168.4.0
add address=192.168.44.1/24 interface=vlan-A1 network=192.168.44.0
add address=192.168.55.1/24 interface=vlan-D1 network=192.168.55.0
add address=192.168.66.1/24 interface=vlan-D2 network=192.168.66.0
add address=192.168.77.1/24 interface=vlan-D3 network=192.168.77.0
add address=192.168.88.1/24 interface=vlan-D4 network=192.168.88.0
add address=192.168.1.2/24 interface=1-wan network=192.168.1.0
add address=192.168.33.1/24 interface=vlan-RP network=192.168.33.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
(...)
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.4.1
add address=192.168.33.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.33.1
add address=192.168.44.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.44.1
add address=192.168.55.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.55.1
add address=192.168.66.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.66.1
add address=192.168.77.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.77.1
add address=192.168.88.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.3 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.3.0/24 list=aislados
add address=192.168.4.0/24 list=aislados
add address=192.168.44.0/24 list=aislados
add address=192.168.55.0/24 list=aislados
add address=192.168.66.0/24 list=aislados
add address=192.168.77.0/24 list=aislados
add address=192.168.88.0/24 list=aislados
add address=192.168.4.172 list=bloquear
add address=192.168.33.0/24 list=aislados
/ip firewall filter
add action=accept chain=input comment="Acepta established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="Rechaza invalidas en input" connection-state=invalid
add action=accept chain=input comment="Acepta ping ICMP" protocol=icmp
add action=accept chain=input comment="Acepta established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Rechaza invalidas en input" connection-state=invalid
add action=accept chain=input comment="Acepta ping ICMP" protocol=icmp
add action=drop chain=input comment="Rechaza todo lo que no venga de la lista LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Acepta trafico ipsec entrante" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Acepta trafico ipsec saliente" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fasttrack para conexiones ya establecidas o relacionadas" connection-state=established,related
add action=accept chain=forward comment="Acepta el resto de trafico no capturado por fasttrack" connection-state=established,related,untracked
add action=drop chain=forward comment="Rechaza invalidas en forward" connection-state=invalid
add action=drop chain=forward comment="Rechaza todo trafico desde la WAN salvo el nateado" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="bloquea toda comunicacion en forward, a cualquier cosa que no sea internet" out-interface-list=!WAN src-address-list=aislados
add action=drop chain=forward comment="permite solamente conexiones de la centralita con servidor Carlus" dst-address=!159.8.126.226 src-address=192.168.44.250
add action=reject chain=forward disabled=yes reject-with=icmp-network-unreachable src-address-list=bloquear
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade-wan ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.100.0/24
/ip route
add distance=2 gateway=2-wan
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.100.0/24,192.168.2.0/24,192.168.4.161/32
set ssh disabled=yes port=2200
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.100.0/24,192.168.2.0/24,192.168.4.161/32
set api-ssl disabled=yes
/ip traffic-flow
set interfaces=vlan-A1
/ppp secret
add name=ExternoMK password=XXX service=l2tp
 
You have a couple of small things wrong. One DHCP server has the same segment you're using for that router; delete it:
Code:
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.2.1

And the route you have created wrong. If, instead of using DHCP to get that device's IP, you are configuring it manually, as I see you have in /ip address, the route has to go with the corresponding gateway. If we assume that the router carrying the SIM has 192.168.2.1, the route should look like this:
Code:
/ip route
add dst-address=0.0.0.0/0 distance=2 gateway=192.168.2.1

Regards!
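Added example, not from the reply above: the same backup route with `check-gateway=ping`, as the balancing configuration at the top of the thread uses on its routes, plus the commands to see which default route is active at any given moment. That the 4G router sits at 192.168.2.1 is the same assumption the reply makes. With `add-default-route=yes` on the PPPoE client, the distance-1 route only exists while the PPPoE session is up, which is what lets the distance-2 route take over when the ONT is disconnected.

```routeros
# Added example. Assumes the 4G router (Simyo SIM) answers on 192.168.2.1, as in the reply.
# check-gateway=ping marks this route unreachable if the 4G router itself stops answering,
# instead of silently blackholing traffic. Note that it only tests the gateway, not the
# internet behind it: a 4G router with a dead SIM still answers the ping.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping \
  comment="backup default route via 4G"

# Which default route is active right now? The active one carries the A flag.
# With the PPPoE link up you should see the distance-1 route via pppoe-out1;
# with the ONT disconnected, the distance-2 route via 192.168.2.1.
/ip route print where dst-address=0.0.0.0/0
/ip route print detail where active dst-address=0.0.0.0/0

# Quick end-to-end check of which way traffic actually leaves the router.
/tool traceroute 1.1.1.1 count=1
```

The first hop of the traceroute tells you straight away whether you are going out through the PPPoE session or through the 4G router, which is easier to read than the route flags when you are testing with the ONT unplugged.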
 
Thank you so much!!!
Fiddling around a bit I managed to solve it before reading your message.
I spotted the DHCP server and deleted it (glad I got that right)

And then I made a DHCP client with the automatic route.

In the end it's ended up like this, and I've verified that it works (in fact I'm on the SIM right now with DIGI switched off)

Code:
/interface ethernet
set [ find default-name=ether1 ] name=1-wan
set [ find default-name=ether2 ] name=2-wan
set [ find default-name=ether3 ] name=3-w1
set [ find default-name=ether4 ] name=4-w2
set [ find default-name=ether5 ] name=5-sw
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=5-sw name=vlan-A1 vlan-id=44
add interface=5-sw name=vlan-D1 vlan-id=55
add interface=5-sw name=vlan-D2 vlan-id=66
add interface=5-sw name=vlan-D3 vlan-id=77
add interface=5-sw name=vlan-D4 vlan-id=88
add interface=5-sw name=vlan-RP vlan-id=33
add interface=1-wan name=vlan20 vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=xxx user=xxx
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool-cfg ranges=192.168.2.2-192.168.2.254
add name=pool-w1 ranges=192.168.3.150-192.168.3.250
add name=pool-w2 ranges=192.168.4.150-192.168.4.250
add name=pool-A1 ranges=192.168.44.200-192.168.44.250
add name=pool-D1 ranges=192.168.55.150-192.168.55.250
add name=pool-D2 ranges=192.168.66.150-192.168.66.250
add name=pool-D3 ranges=192.168.77.150-192.168.77.250
add name=pool-D4 ranges=192.168.88.150-192.168.88.250
add name=pool-RP ranges=192.168.33.150-192.168.33.250
add name=vpn-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=pool-w1 disabled=no interface=3-w1 name=dhcp-w1
add address-pool=pool-w2 disabled=no interface=4-w2 name=dhcp-w2
add address-pool=pool-A1 disabled=no interface=vlan-A1 name=dhcp-A1
add address-pool=pool-D1 disabled=no interface=vlan-D1 name=dhcp-D1
add address-pool=pool-D2 disabled=no interface=vlan-D2 name=dhcp-D2
add address-pool=pool-D3 disabled=no interface=vlan-D3 name=dhcp-D3
add address-pool=pool-D4 disabled=no interface=vlan-D4 name=dhcp-D4
add address-pool=pool-RP disabled=no interface=vlan-RP name=dhcp-RP
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.100.1 name=vpn-profile remote-address=vpn-pool use-encryption=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes ipsec-secret=xxx use-ipsec=yes
/interface list member
add interface=2-wan list=WAN
add interface=3-w1 list=LAN
add interface=4-w2 list=LAN
add interface=5-sw list=LAN
add interface=1-wan list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.3.1/24 interface=3-w1 network=192.168.3.0
add address=192.168.4.1/24 interface=4-w2 network=192.168.4.0
add address=192.168.44.1/24 interface=vlan-A1 network=192.168.44.0
add address=192.168.55.1/24 interface=vlan-D1 network=192.168.55.0
add address=192.168.66.1/24 interface=vlan-D2 network=192.168.66.0
add address=192.168.77.1/24 interface=vlan-D3 network=192.168.77.0
add address=192.168.88.1/24 interface=vlan-D4 network=192.168.88.0
add address=192.168.1.2/24 interface=1-wan network=192.168.1.0
add address=192.168.33.1/24 interface=vlan-RP network=192.168.33.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add default-route-distance=2 disabled=no interface=2-wan
/ip dhcp-server lease
(...)
/ip dns
set allow-remote-requests=yes servers=1.1.1.3 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.2.0/24 list=aislados
add address=192.168.3.0/24 list=aislados
add address=192.168.4.0/24 list=aislados
add address=192.168.44.0/24 list=aislados
add address=192.168.55.0/24 list=aislados
add address=192.168.66.0/24 list=aislados
add address=192.168.77.0/24 list=aislados
add address=192.168.88.0/24 list=aislados
add address=192.168.4.172 list=bloquear
add address=192.168.33.0/24 list=aislados
/ip firewall filter
add action=accept chain=input comment="Acepta established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="Rechaza invalidas en input" connection-state=invalid
add action=accept chain=input comment="Acepta ping ICMP" protocol=icmp
add action=accept chain=input comment="Acepta established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Rechaza invalidas en input" connection-state=invalid
add action=accept chain=input comment="Acepta ping ICMP" protocol=icmp
add action=drop chain=input comment="Rechaza todo lo que no venga de la lista LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Acepta trafico ipsec entrante" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Acepta trafico ipsec saliente" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fasttrack para conexiones ya establecidas o relacionadas" connection-state=established,related
add action=accept chain=forward comment="Acepta el resto de trafico no capturado por fasttrack" connection-state=established,related,untracked
add action=drop chain=forward comment="Rechaza invalidas en forward" connection-state=invalid
add action=drop chain=forward comment="Rechaza todo trafico desde la WAN salvo el nateado" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="bloquea toda comunicacion en forward, a cualquier cosa que no sea internet" out-interface-list=!WAN src-address-list=aislados
add action=drop chain=forward comment="permite solamente conexiones de la centralita con servidor Carlus" dst-address=!159.8.126.226 src-address=192.168.44.250
add action=reject chain=forward disabled=yes reject-with=icmp-network-unreachable src-address-list=bloquear
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade-wan ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.100.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.100.0/24,192.168.2.0/24,192.168.4.0/24
set ssh disabled=yes port=2200
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.100.0/24,192.168.2.0/24,192.168.4.0/24
set api-ssl disabled=yes
/ip traffic-flow
set interfaces=vlan-A1
/ppp secret
add name=ExternoMK password=xxx service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=NewTik
/tool e-mail
(...)
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Now all I need is to find a script that sends me an e-mail when DIGI goes down and SIMYO takes over...
That'll keep me entertained for the next few days!!

Regards
 
Great! I was surprised you didn't do it via DHCP, because it's the simplest way to get automatic routes and have a route failure detected automatically (with static routes you have to add the check via ping)

For what you want to do, a hint: PPP-type connections (like the PPPoE that brings up your main connection) have profiles associated with them (PPP -> Profile). You can create a new profile, a copy of "default", and use the "on-up" and "on-down" events to call the script that sends that kind of notification.

Regards!
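As an added example following that hint (it is not part of the thread nor the poster's own config): a copy of the default profile whose on-up/on-down hooks run a notification script for pppoe-out1. It assumes /tool e-mail is already configured (the export only shows it as "(...)"), uses a placeholder recipient, and relies on the backup default route being the distance-2 DHCP route on 2-wan from the export.

```routeros
# Added example, not from the thread or from MikroTik's documentation.
# Assumptions: /tool e-mail is already set up; "admin@example.com" is a
# placeholder recipient; the backup default route is the DHCP one on 2-wan
# with distance 2 (as in the export above).

# 1) The notification script. The profile hooks set the global $wanState
#    ("UP" / "DOWN") right before running it. "$" is written as "\$" so the
#    variables expand when the script runs, not when it is added. The 5 s
#    delay gives the DHCP backup route (and DNS) a moment to take over before
#    the mail is sent, otherwise the on-down mail may leave with no route.
/system script
add name=wan-notify policy=read,write,test source=":global wanState; \
    :local host [/system identity get name]; \
    :local when \"\$[/system clock get date] \$[/system clock get time]\"; \
    :delay 5s; \
    :local backup \"no\"; \
    :if ([:len [/ip route find dst-address=0.0.0.0/0 active=yes distance=2]] > 0) do={ :set backup \"yes\" }; \
    :log warning \"pppoe-out1 \$wanState on \$host at \$when (DHCP backup route active: \$backup)\"; \
    /tool e-mail send to=\"admin@example.com\" subject=\"[\$host] main WAN \$wanState\" \
    body=\"pppoe-out1 went \$wanState at \$when. DHCP backup route active: \$backup\""

# 2) A copy of the "default" profile with the two hooks attached.
/ppp profile
add name=pppoe-notify copy-from=default \
    on-up=":global wanState \"UP\"; /system script run wan-notify" \
    on-down=":global wanState \"DOWN\"; /system script run wan-notify"

# 3) Point the PPPoE client at the new profile (the export leaves it on "default").
/interface pppoe-client
set pppoe-out1 profile=pppoe-notify
```

Check the result in the log (/log print where topics~"warning") after bringing the session down and up again; the "backup route active" field tells you whether the distance-2 DHCP route actually took over.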
 
Hello again,
Since I'm a bloody ignoramus and 99% of the time I don't know what I'm doing, I've swapped the D-Link switch, which was full, for a 16-port Cisco that was spare at the office... :-D
I've got it connected like this:

1.png

I've renamed the VLANs, and everything that goes with them, but I can't get the second WAN on the Simyo SIM to hook up.
I've been testing all morning but nothing, it shows up but doesn't hook up:

Code:
/interface ethernet
set [ find default-name=ether1 ] name=1-wan
set [ find default-name=ether2 ] name=2-wan
set [ find default-name=ether3 ] name=3-cfg1
set [ find default-name=ether4 ] name=4-cfg2
set [ find default-name=ether5 ] name=5-sw
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=5-sw name=vlan-A1 vlan-id=212
add interface=5-sw name=vlan-D1 vlan-id=213
add interface=5-sw name=vlan-D2 vlan-id=214
add interface=5-sw name=vlan-D3 vlan-id=215
add interface=5-sw name=vlan-D4 vlan-id=216
add interface=5-sw name=vlan-RP vlan-id=211
add interface=5-sw name=vlan-wf1 vlan-id=207
add interface=5-sw name=vlan-wf2 vlan-id=208
add interface=1-wan name=vlan20 vlan-id=20
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20 max-mru=1492 max-mtu=1492 name=pppoe-out1 user=xxx
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool-cfg1 ranges=192.168.3.100-192.168.3.200
add name=pool-cfg2 ranges=192.168.4.100-192.168.4.200
add name=pool-wf1 ranges=192.168.207.100-192.168.207.200
add name=pool-wf2 ranges=192.168.208.100-192.168.208.200
add name=pool-A1 ranges=192.168.212.100-192.168.212.200
add name=pool-D1 ranges=192.168.213.100-192.168.213.200
add name=pool-D2 ranges=192.168.214.100-192.168.214.200
add name=pool-D3 ranges=192.168.215.100-192.168.215.200
add name=pool-D4 ranges=192.168.216.100-192.168.216.200
add name=pool-RP ranges=192.168.211.100-192.168.211.200
add name=vpn-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=pool-cfg1 disabled=no interface=3-cfg1 name=dhcp-cfg1
add address-pool=pool-cfg2 disabled=no interface=4-cfg2 name=dhcp-cfg2
add address-pool=pool-wf1 disabled=no interface=vlan-wf1 name=dhcp-wf1
add address-pool=pool-wf2 disabled=no interface=vlan-wf2 name=dhcp-wf2
add address-pool=pool-A1 disabled=no interface=vlan-A1 name=dhcp-A1
add address-pool=pool-D1 disabled=no interface=vlan-D1 name=dhcp-D1
add address-pool=pool-D2 disabled=no interface=vlan-D2 name=dhcp-D2
add address-pool=pool-D3 disabled=no interface=vlan-D3 name=dhcp-D3
add address-pool=pool-D4 disabled=no interface=vlan-D4 name=dhcp-D4
add address-pool=pool-RP disabled=no interface=vlan-RP name=dhcp-RP
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.100.1 name=vpn-profile remote-address=vpn-pool use-encryption=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=yes
/interface list member
add interface=3-cfg1 list=LAN
add interface=4-cfg2 list=LAN
add interface=5-sw list=LAN
add interface=1-wan list=WAN
add interface=pppoe-out1 list=WAN
add interface=2-wan list=WAN
/ip address
add address=192.168.3.1/24 interface=3-cfg1 network=192.168.3.0
add address=192.168.4.1/24 interface=4-cfg2 network=192.168.4.0
add address=192.168.212.1/24 interface=vlan-A1 network=192.168.212.0
add address=192.168.213.1/24 interface=vlan-D1 network=192.168.213.0
add address=192.168.214.1/24 interface=vlan-D2 network=192.168.214.0
add address=192.168.215.1/24 interface=vlan-D3 network=192.168.215.0
add address=192.168.216.1/24 interface=vlan-D4 network=192.168.216.0
add address=192.168.1.2/24 interface=1-wan network=192.168.1.0
add address=192.168.211.1/24 interface=vlan-RP network=192.168.211.0
add address=192.168.207.1/24 interface=vlan-wf1 network=192.168.207.0
add address=192.168.208.1/24 interface=vlan-wf2 network=192.168.208.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add default-route-distance=2 disabled=no interface=2-wan
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.4.1
add address=192.168.207.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.207.1
add address=192.168.208.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.208.1
add address=192.168.211.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.211.1
add address=192.168.212.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.212.1
add address=192.168.213.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.213.1
add address=192.168.214.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.214.1
add address=192.168.215.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.215.1
add address=192.168.216.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.216.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.3 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
# Static entries so the DoH server name resolves before DoH itself is up; the name must match the use-doh-server URL (cloudflare-dns.com)
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.211.0/24 list=aislados
add address=192.168.213.0/24 list=aislados
add address=192.168.214.0/24 list=aislados
add address=192.168.215.0/24 list=aislados
add address=192.168.216.0/24 list=aislados
add address=192.168.212.0/24 list=aislados
add address=192.168.207.0/24 list=aislados
add address=192.168.208.0/24 list=aislados
/ip firewall filter
add action=accept chain=input comment="Acepta established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="Rechaza invalidas en input" connection-state=invalid
add action=accept chain=input comment="Acepta ping ICMP" protocol=icmp
add action=accept chain=input comment="Acepta established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Rechaza invalidas en input" connection-state=invalid
add action=accept chain=input comment="Acepta ping ICMP" protocol=icmp
add action=drop chain=input comment="Rechaza todo lo que no venga de la lista LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Acepta trafico ipsec entrante" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Acepta trafico ipsec saliente" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fasttrack para conexiones ya establecidas o relacionadas" connection-state=established,related
add action=accept chain=forward comment="Acepta el resto de trafico no capturado por fasttrack" connection-state=established,related,untracked
add action=drop chain=forward comment="Rechaza invalidas en forward" connection-state=invalid
add action=drop chain=forward comment="Rechaza todo trafico desde la WAN salvo el nateado" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="bloquea toda comunicacion en forward, a cualquier cosa que no sea internet" out-interface-list=!WAN src-address-list=aislados
add action=drop chain=forward comment="permite solamente conexiones de la centralita con servidor Carlus" dst-address=!159.8.126.226 src-address=192.168.212.200
add action=reject chain=forward disabled=yes reject-with=icmp-network-unreachable src-address-list=bloquear
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade-wan ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.100.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.100.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24,192.168.216.0/24
set ssh disabled=yes port=2200
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.100.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24,192.168.216.0/24
set api-ssl disabled=yes
/ip traffic-flow
set interfaces=vlan-A1
/ppp secret
add name=ExternoMK service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=NewTik
/tool e-mail
(...)
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Help please!!
 
What do you mean by "hook up"? Look at the routing table and see whether you have one pointing to 0.0.0.0/0 with distance 2 and shown in blue. That's the route for the other WAN, which won't be active until the main WAN's route goes down.

Regards!
 
I mean that I have no Internet if I switch off the DIGI ONT.

Screenshot with DIGI working and the cable of the second (Simyo) WAN unplugged:

3.png

Screenshot with DIGI working and the cable of the second (Simyo) WAN plugged in:

1.png

Screenshot with DIGI switched off:

2.png
 
Take a screenshot of the DHCP status, to see what IP it's giving you and from which segment. It may be that you already have that segment in use on another interface.

The routing table looks fine, except for the one that shows "unreachable" on ether3, but that doesn't affect you.

Regards!
 
Sorry, I'm not sure where the DHCP status is; this is a screenshot of everything that changes with that connection

1.png
 
You have an address in the same segment on the 1-wan interface; that's your problem. Go to IP -> Address and delete the second entry, the one you have on that interface.

Regards!
 