- Download firmware from https://mikrotik.com/product/RB2011UiAS-2HnD-IN#fndtn-downloads
routeros-7.15.3-mipsbe.npk
wireless-7.15.3-mipsbe.npk
- In WinBox, go to Files and drag and drop all three files there
- System => Reboot
- System => Router BOARD => Update to 7.15.3 => Reboot
No Default Configuration: Check => Reset Configuration
- System => Users => Add =>
Name: newMikrotikRouterAdmin
Group: full
Password: someStrongPassword
- Remove admin
/user add name=newMikrotikRouterAdmin password=someStrongPassword group=full
/user remove admin
Interfaces => Interface:
ether2 => ISP1
ether3 => ISP2
/interface ethernet
set [ find default-name=ether2 ] comment=ISP1
set [ find default-name=ether3 ] comment=ISP2
- Bridge => Add:
name: br-lan
- => Ports tab => Add to bridge 1: eth1, eth4, eth5, eth6, eth7, eth8, eth9, eth10, sfp1, wlan1
/interface bridge
add name=br-lan
/interface bridge port
add bridge=br-lan interface=ether1
add bridge=br-lan interface=ether4
add bridge=br-lan interface=ether5
add bridge=br-lan interface=ether6
add bridge=br-lan interface=ether7
add bridge=br-lan interface=ether8
add bridge=br-lan interface=ether9
add bridge=br-lan interface=ether10
add bridge=br-lan interface=sfp1
add bridge=br-lan interface=wlan1
IP => Addresses => Add:
Address: 192.168.9.1/24
Interface: br-lan
/ip address add address=192.168.9.1/24 interface=br-lan
IP => DHCP Client
=> Add
Interface: ether2
=> Add
Interface: ether3
IP => DNS:
Allow Remote Requests: check
System => NTP Client:
Enable: true
NTP Servers: pool.ntp.org
/system clock
set time-zone-name=Europe/Moscow
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
IP => DHCP Server => DHCP Setup:
DHCP Server Interface: br-lan
DHCP Address Space: 192.168.9.0/24
Gateway for DHCP Network: 192.168.9.1
Addresses to Give Out: 192.168.9.2 - 192.168.9.254
DNS Servers: 192.168.9.1
Lease Time: 00:30:00 (default)
Interfaces => Interface List
=> Lists => Add => Name: WAN
=> Add
List: WAN
Interface: ether2
=> Add
List: WAN
interface: ether3
/interface list
add name=WAN
/interface list member
add interface=ether2 list=WAN
add interface=ether3 list=WAN
=> Lists => Add => Name: LAN
=> Add
List: LAN
interface: ether1
=> Add
List: LAN
interface: ether4
=> etc...
/interface list
add name=LAN
/interface list member
add interface=ether1 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
IP => Neighbors => Discovery settings => Interface => LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
IP => Firewall => NAT
=> Add:
Chain: srcnat
Src. Address: 192.168.9.0/24
Out. Interface List: WAN
=> Action
Action: masquerade
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.9.0/24
Wireless => Wireless:
wlan1: enable
=> Security Profiles => default:
Mode: dynamic keys
WPA2 PSK: check
Unicast Ciphers => aes ccm: check
Group Ciphers => aes ccm: check
WPA2 Pre-Shared Key: someStrongWifiPassword
=> WiFi Interfaces => wlan1 => Wireless
Mode: ap bridge
Band: 2GHz-B/G/N
SSID: wifiName
Security Profile: default
/routing table add disabled=no fib name=to-isp1-table
/routing table add disabled=no fib name=to-isp2-table
ISP1
interface: ether2
gateway: 192.168.1.1
check ip: 192.168.8.1
ISP2
interface: ether3
gateway: 192.168.8.1
check ip: 77.88.8.8/32
IP => DHCP Client => ether2-wan2:
Add Default Route: no
IP => DHCP Client => ether2-wan2:
Add Default Route: no
/ip route
add comment=isp1-check distance=10 dst-address=77.88.8.1 gateway=192.168.1.1
add comment=isp2-check distance=10 dst-address=77.88.8.8 gateway=192.168.8.1
add comment=isp1-default distance=251 gateway=192.168.1.1
add comment=isp2-default distance=252 gateway=192.168.8.1
add comment=to-isp1-table-default distance=10 gateway=192.168.1.1 routing-table=to-isp1-table
add comment=to-isp2-table-default distance=10 gateway=192.168.8.1 routing-table=to-isp2-table
IP => Firewall filter rules
/ip firewall filter
add action=accept chain=input comment="accept establish & related" connection-state=established,related
add action=drop chain=input comment="drop input invalid" connection-state=invalid
add action=drop chain=input comment="drop all other from wan" in-interface-list=WAN
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop forward invalid" connection-state=invalid
add action=drop chain=forward comment="drop all not dstnated forward" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=output comment="block ping check isp1 address through isp2" dst-address=77.88.8.1 out-interface=ether3
add action=drop chain=output comment="block ping check isp2 address through isp1" dst-address=77.88.8.8 out-interface=ether2
# for debug
add action=drop chain=output comment="[DEBUG] block isp1-check address to check failover script" disabled=yes dst-address=77.88.8.1 out-interface=ether2
add action=drop chain=output comment="[DEBUG] block isp2-check address to check failover script" disabled=yes dst-address=77.88.8.8 out-interface=ether3
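An added example, not part of the original guide: a small Python model of first-match evaluation over the input and forward rules above. It confirms that new connections arriving on WAN (for example DNS queries to the router, which has Allow Remote Requests enabled) are dropped, while packets that no rule matches are accepted. It assumes each packet carries a single interface list and a single NAT state; the sample packets are constructed.

```python
import shlex

# The six input/forward rules from the section above, copied verbatim.
RULES_TEXT = r'''
add action=accept chain=input comment="accept establish & related" connection-state=established,related
add action=drop chain=input comment="drop input invalid" connection-state=invalid
add action=drop chain=input comment="drop all other from wan" in-interface-list=WAN
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop forward invalid" connection-state=invalid
add action=drop chain=forward comment="drop all not dstnated forward" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
'''

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def matches(want, have):
    """A comma list means any-of; a leading '!' negates the match."""
    negate = want.startswith("!")
    return (have in want.lstrip("!").split(",")) != negate

def evaluate(rules, packet):
    """Return (action, comment) of the first rule whose conditions all match."""
    for rule in rules:
        conds = {k: v for k, v in rule.items() if k not in ("action", "comment")}
        if all(matches(v, packet.get(k, "")) for k, v in conds.items()):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched"  # an unmatched packet is accepted

RULES = parse_rules(RULES_TEXT)

# Constructed sample packets (assumption: one interface list and one NAT state each).
WAN_DNS_QUERY = {"chain": "input", "connection-state": "new", "in-interface-list": "WAN"}
LAN_TO_ROUTER = {"chain": "input", "connection-state": "new", "in-interface-list": "LAN"}
WAN_FORWARD_NEW = {"chain": "forward", "connection-state": "new", "in-interface-list": "WAN"}

if __name__ == "__main__":
    for name, pkt in [("WAN DNS query", WAN_DNS_QUERY), ("LAN to router", LAN_TO_ROUTER),
                      ("WAN forward, no dst-nat", WAN_FORWARD_NEW)]:
        print(name, "->", evaluate(RULES, pkt))
```

The LAN result matters because the LAN list includes wlan1: with no explicit input rule for LAN, every wired and Wi-Fi client can reach the router's own services.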
IP => Firewall => Mangle
/ip firewall mangle
add action=mark-connection chain=prerouting comment="from isp1" connection-mark=no-mark in-interface=ether2 new-connection-mark=con-isp1 passthrough=yes
add action=mark-connection chain=prerouting comment="from isp2" connection-mark=no-mark in-interface=ether3 new-connection-mark=con-isp2 passthrough=yes
add action=mark-routing chain=prerouting comment="from lan to isp1" connection-mark=con-isp1 in-interface-list=!WAN new-routing-mark=to-isp1-table passthrough=yes
add action=mark-routing chain=prerouting comment="from lan to isp2" connection-mark=con-isp2 in-interface-list=!WAN new-routing-mark=to-isp2-table passthrough=yes
add action=mark-routing chain=output comment="from router to isp1" connection-mark=con-isp1 new-routing-mark=to-isp1-table passthrough=yes
add action=mark-routing chain=output comment="from router to isp2" connection-mark=con-isp2 new-routing-mark=to-isp2-table passthrough=yes
System => Scripts => add:
Name: addRoutes
Source:
*content from scripts/add-routes.rsc*
IP => DHCP Client =>
=> ether2 => Advanced => Script =>
*content from scripts/dhcp-client-ether2.rsc*
=> ether3 => Advanced => Script =>
*content from scripts/dhcp-client-ether3.rsc*
System => Scripts => add:
Name: failover
Source:
*content from scripts/failover.rsc*
To force a switch to one of the providers, just change the script:
:local forceUseEnabled false;
to
:local forceUseEnabled true;
and set the forceUseIsp variable to isp1 or isp2.
System => Scheduler => add
Name: failover
Interval: 00:00:15 // 15s
On Event: failover // failover script name
System => Scripts => add:
Name: balance
Source:
*content from scripts/balance.rsc*
/ip route set distance=251 numbers=[find comment="isp1-default"];
Check the download speed on https://www.speedtest.net/
and set it as the maxSpeedInMbitsIsp1 variable in the balance script:
49.32 Mbps =>
:local maxSpeedInMbitsIsp1 49;
/ip route set distance=253 numbers=[find comment="isp1-default"];
Check the download speed on https://www.speedtest.net/
and set it as the maxSpeedInMbitsIsp2 variable in the balance script:
28.45 Mbps =>
:local maxSpeedInMbitsIsp2 28;
System => Scheduler => add
Name: balance
Interval: 00:00:05 // 5s
On Event: balance // balance script name
- In the scheduler, turn off the balance script
- Manually change the distance for the isp1-default route: either 241 if you need the isp1 provider, or 243 if you need the isp2 provider
- In the failover script, change the value of the forceUseEnabled variable to true and, for forceUseIsp, specify either "isp1" or "isp2"