oakwhiz · January 10, 2023 11:14
diff --git a/router.cfg b/router.cfg
 # jul/28/2022 00:34:21 by RouterOS 7.4rc2
 # incomplete config, do not use directly

 /ip firewall address-list
 add address=192.168.88.0/24 list=local
 add address=192.168.88.0/24 list=preferprimary
 add address=1.2.3.0/24 list=localnet-primary
 add address=4.5.6.0/24 list=localnet-backup
 add address=9.9.9.10 list=reserved-main
 add address=9.9.9.11 list=reserved-isp1
 add address=149.112.112.11 list=reserved-isp1
 add address=9.9.9.9 list=reserved-isp2
 add address=149.112.112.10 list=reserved-main
 add address=149.112.112.112 list=reserved-isp2
 add address=1.2.3.100 list=backupnat
 /ip firewall connection tracking
 set loose-tcp-tracking=no
 /ip firewall filter
 add action=accept chain=input icmp-options=8:0-255 protocol=icmp
 add action=accept chain=input icmp-options=0:0-255 protocol=icmp
 add action=accept chain=input comment="Accept established related" connection-state=established,related,untracked
 add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=InputInvalid
 add action=accept chain=input comment="SSH from ISP1 public (debugging)" dst-port=22 in-interface=vlan50 protocol=tcp src-address-list=localnet-primary
 add action=accept chain=input comment="HTTP from ISP1 public (debugging)" dst-port=80 in-interface=vlan50 protocol=tcp src-address-list=localnet-primary
 add action=accept chain=input comment="DHCP client" dst-port=68 in-interface-list=WAN protocol=udp src-port=67
 add action=accept chain=input comment="DHCP server" dst-port=67 in-interface-list=LAN protocol=udp src-port=68
 add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
 add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
 add action=reject chain=input connection-state=new protocol=tcp reject-with=icmp-port-unreachable src-address=!192.168.88.0/24
 add action=drop chain=input protocol=udp src-address=!192.168.88.0/24
 add action=accept chain=forward comment="established related" connection-state=established,related
 add action=drop chain=forward comment="drop invalid" connection-state=invalid
 add action=drop chain=forward comment="Drop bad IPs in LAN" in-interface-list=LAN log=yes log-prefix=LAN_badip src-address-list=!local
 add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
 # vrrp_fake_vlan60_2 not ready
 add action=accept chain=forward connection-state=new in-interface=vlan50 out-interface=vrrp_fake_vlan60_2 src-address-list=backupnat
 # vrrp_fake_vlan60_2 not ready
 add action=accept chain=forward connection-state=new dst-address-list=backupnat in-interface=vrrp_fake_vlan60_2 out-interface=vlan50
 add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface=vrrp_fake_vlan60_1
 add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface=vlan50
 add action=drop chain=forward comment="default drop"

 /ip firewall mangle
 add action=passthrough chain=prerouting comment="Log debugging" log=yes log-prefix=MainICMPreply src-address-list=reserved-main
 add action=accept chain=prerouting comment="local bridge access" dst-address-list=local in-interface-list=LAN
 add action=accept chain=prerouting comment="LAN to directly connected on primary link -> main table" dst-address-list=localnet-primary in-interface-list=LAN
 add action=accept chain=prerouting comment="LAN to directly connected on backup link -> main table" dst-address-list=localnet-backup in-interface-list=LAN
 add action=accept chain=prerouting comment="Local subnet primary to main table" in-interface=vlan50 src-address-list=localnet-primary
 add action=accept chain=prerouting comment="Local subnet backup to main table" in-interface=vrrp_fake_vlan60_1 src-address-list=localnet-backup
 add action=accept chain=prerouting comment="Specific reachability checks to main table" src-address-list=reserved-main
 add action=accept chain=prerouting comment="Specific reachability checks to main table" src-address-list=reserved-isp1
 add action=accept chain=prerouting comment="Specific reachability checks to main table" src-address-list=reserved-isp2
 add action=mark-connection chain=prerouting comment="Mark reachability checks" connection-mark=no-mark disabled=yes in-interface=vlan50 new-connection-mark=conn_primary passthrough=yes src-address-list=reserved-isp1
 add action=mark-connection chain=prerouting comment="Mark reachability checks" connection-mark=no-mark disabled=yes in-interface=vrrp_fake_vlan60_1 new-connection-mark=conn_backup passthrough=yes src-address-list=reserved-isp2
 add action=accept chain=prerouting comment=traceroute disabled=yes dst-address-list=!local in-interface-list=LAN protocol=icmp
 # vrrp_fake_vlan60_2 not ready
 add action=mark-routing chain=prerouting comment="1:1 NAT backup IP uses backupnat table" in-interface=vrrp_fake_vlan60_2 new-routing-mark=backupnat passthrough=no
 add action=mark-routing chain=prerouting comment="1:1 NAT backup IP uses backupnat table" dst-address-type=!local in-interface=vlan50 new-routing-mark=backupnat passthrough=no src-address-list=backupnat
 add action=mark-connection chain=prerouting comment="Failover marking primary" connection-mark=no-mark in-interface=vlan50 new-connection-mark=conn_primary passthrough=yes
 add action=mark-connection chain=prerouting comment="Failover marking backup" connection-mark=no-mark in-interface=vrrp_fake_vlan60_1 new-connection-mark=conn_backup passthrough=yes
 add action=mark-connection chain=prerouting comment="PCC preferprimary address list" connection-mark=no-mark connection-state=new disabled=yes dst-address-list=!local dst-address-type=!local in-interface-list=LAN new-connection-mark=\
    conn_primary passthrough=yes src-address-list=preferprimary
 add action=mark-connection chain=prerouting comment="PCC 75% to primary" connection-mark=no-mark dst-address-list=!local dst-address-type=!local in-interface-list=LAN new-connection-mark=conn_primary passthrough=yes \
    per-connection-classifier=!src-address:4/3
 add action=mark-connection chain=prerouting comment="PCC 25% to secondary" connection-mark=no-mark dst-address-list=!local dst-address-type=!local in-interface-list=LAN new-connection-mark=conn_backup passthrough=yes \
    per-connection-classifier=dst-address:4/3
 add action=mark-routing chain=prerouting comment="Failover routing marking primary" connection-mark=conn_primary dst-address-list=!local new-routing-mark=primarylink passthrough=no
 add action=mark-routing chain=prerouting comment="Failover routing marking backup" connection-mark=conn_backup dst-address-list=!local new-routing-mark=backuplink passthrough=no
 add action=passthrough chain=prerouting comment=debug log-prefix=ManglePreroutingDefault
 add action=accept chain=output comment="Specific reachability checks to main table" dst-address-list=reserved-main
 add action=accept chain=output comment="Specific reachability checks to main table" dst-address-list=reserved-isp1
 add action=accept chain=output comment="Specific reachability checks to main table" dst-address-list=reserved-isp2
 add action=accept chain=output comment=debug connection-mark=no-mark disabled=yes out-interface-list=WAN src-address-type=local
 add action=mark-connection chain=output comment="Mark output to reachability check IPs (Primary)" connection-mark=no-mark disabled=yes dst-address-list=reserved-isp1 new-connection-mark=conn_primary passthrough=yes
 add action=mark-connection chain=output comment="Mark output to reachability check IPs (Backup)" connection-mark=no-mark disabled=yes dst-address-list=reserved-isp2 new-connection-mark=conn_backup passthrough=yes
 add action=mark-routing chain=output comment="Failover routing marking primary" connection-mark=conn_primary new-routing-mark=primarylink passthrough=no
 add action=mark-routing chain=output comment="Failover routing marking backup" connection-mark=conn_backup new-routing-mark=backuplink passthrough=no
 add action=mark-connection chain=output comment="Mark unmarked outputs under main" connection-mark=no-mark new-connection-mark=conn_main passthrough=yes
 add action=passthrough chain=output comment=debug log-prefix=MangleOutputDefault
 add action=mark-connection chain=postrouting comment="Postrouting mark output flows" connection-mark=no-mark disabled=yes new-connection-mark=conn_primary out-interface=vlan50 passthrough=yes
 add action=mark-connection chain=postrouting comment="Postrouting mark output flows" connection-mark=no-mark disabled=yes new-connection-mark=conn_backup out-interface=vrrp_fake_vlan60_1 passthrough=yes
 add action=mark-connection chain=input comment="Mark input via primary" disabled=yes in-interface=vlan50 new-connection-mark=conn_primary passthrough=yes
 add action=mark-connection chain=input comment="Mark input via backup" disabled=yes in-interface=vrrp_fake_vlan60_1 new-connection-mark=conn_backup passthrough=yes
 /ip firewall nat
 add action=masquerade chain=srcnat comment="Masquerade primary link" out-interface=vlan50
 add action=masquerade chain=srcnat comment="Masquerade backup link" out-interface=vrrp_fake_vlan60_1
 # vrrp_fake_vlan60_2 not ready
 add action=masquerade chain=srcnat comment="source NAT providing 1:1 dynamic IP from backup link to act as gateway for primary link" dst-address-type=!local out-interface=vrrp_fake_vlan60_2 src-address-list=backupnat
 # vrrp_fake_vlan60_2 not ready
 add action=dst-nat chain=dstnat comment="destination NAT providing 1:1 dynamic IP from backup link to act as gateway for primary link" dst-address-type=local in-interface=vrrp_fake_vlan60_2 to-addresses=1.2.3.100

 /ip route
 add comment=MAGIC_COMMENT_ISP1_MAIN1 disabled=no distance=1 dst-address=9.9.9.10/32 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
 add comment=MAGIC_COMMENT_ISP2_MAIN1 disabled=no distance=1 dst-address=149.112.112.10/32 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
 add check-gateway=ping comment=MAGIC_COMMENT_ISP1_MAIN2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=9.9.9.10 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
 add check-gateway=ping comment=MAGIC_COMMENT_ISP2_MAIN2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=149.112.112.10 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
 add comment=MAGIC_COMMENT_ISP1_ALT1 disabled=no distance=1 dst-address=9.9.9.11/32 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
 add comment=MAGIC_COMMENT_ISP1_ALT1 disabled=no distance=1 dst-address=149.112.112.11/32 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
 add comment=MAGIC_COMMENT_ISP2_ALT1 disabled=no distance=1 dst-address=9.9.9.9/32 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no
 add comment=MAGIC_COMMENT_ISP2_ALT1 disabled=no distance=1 dst-address=149.112.112.112/32 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
 add check-gateway=ping comment=MAGIC_COMMENT_ISP1_ALT2 disabled=no distance=1 dst-address=192.0.2.1/32 gateway=9.9.9.11 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
 add check-gateway=ping comment=MAGIC_COMMENT_ISP2_ALT2 disabled=no distance=1 dst-address=192.0.2.2/32 gateway=9.9.9.9 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
 add check-gateway=ping comment=MAGIC_COMMENT_ISP1_ALT2 disabled=no distance=1 dst-address=192.0.2.1/32 gateway=149.112.112.11 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
 add check-gateway=ping comment=MAGIC_COMMENT_ISP2_ALT2 disabled=no distance=1 dst-address=192.0.2.2/32 gateway=149.112.112.112 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
 add comment=MAGIC_backupnatroute disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.2.3.4 pref-src="" routing-table=backupnat scope=10 suppress-hw-offload=no target-scope=11
 add comment=ISP1_DEFAULT_VHOP disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.0.2.1 pref-src="" routing-table=primarylink scope=10 suppress-hw-offload=no target-scope=12
 add comment=ISP1_DEFAULT_VHOP disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.0.2.2 pref-src="" routing-table=primarylink scope=10 suppress-hw-offload=no target-scope=12
 add comment=ISP2_DEFAULT_VHOP disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.0.2.1 pref-src="" routing-table=backuplink scope=10 suppress-hw-offload=no target-scope=12
 add comment=ISP2_DEFAULT_VHOP disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.0.2.2 pref-src="" routing-table=backuplink scope=10 suppress-hw-offload=no target-scope=12
 add comment=MAGIC_COMMENT_ISP1_MAIN1 disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
 add comment=MAGIC_COMMENT_ISP2_MAIN1 disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
	# jul/28/2022 00:34:21 by RouterOS 7.4rc2
	# incomplete config, do not use directly

	/ip firewall address-list
	add address=192.168.88.0/24 list=local
	add address=192.168.88.0/24 list=preferprimary
	add address=1.2.3.0/24 list=localnet-primary
	add address=4.5.6.0/24 list=localnet-backup
	add address=9.9.9.10 list=reserved-main
	add address=9.9.9.11 list=reserved-isp1
	add address=149.112.112.11 list=reserved-isp1
	add address=9.9.9.9 list=reserved-isp2
	add address=149.112.112.10 list=reserved-main
	add address=149.112.112.112 list=reserved-isp2
	add address=1.2.3.100 list=backupnat
	/ip firewall connection tracking
	set loose-tcp-tracking=no
	/ip firewall filter
	add action=accept chain=input icmp-options=8:0-255 protocol=icmp
	add action=accept chain=input icmp-options=0:0-255 protocol=icmp
	add action=accept chain=input comment="Accept established related" connection-state=established,related,untracked
	add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=InputInvalid
	add action=accept chain=input comment="SSH from ISP1 public (debugging)" dst-port=22 in-interface=vlan50 protocol=tcp src-address-list=localnet-primary
	add action=accept chain=input comment="HTTP from ISP1 public (debugging)" dst-port=80 in-interface=vlan50 protocol=tcp src-address-list=localnet-primary
	add action=accept chain=input comment="DHCP client" dst-port=68 in-interface-list=WAN protocol=udp src-port=67
	add action=accept chain=input comment="DHCP server" dst-port=67 in-interface-list=LAN protocol=udp src-port=68
	add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
	add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
	add action=reject chain=input connection-state=new protocol=tcp reject-with=icmp-port-unreachable src-address=!192.168.88.0/24
	add action=drop chain=input protocol=udp src-address=!192.168.88.0/24
	add action=accept chain=forward comment="established related" connection-state=established,related
	add action=drop chain=forward comment="drop invalid" connection-state=invalid
	add action=drop chain=forward comment="Drop bad IPs in LAN" in-interface-list=LAN log=yes log-prefix=LAN_badip src-address-list=!local
	add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
	# vrrp_fake_vlan60_2 not ready
	add action=accept chain=forward connection-state=new in-interface=vlan50 out-interface=vrrp_fake_vlan60_2 src-address-list=backupnat
	# vrrp_fake_vlan60_2 not ready
	add action=accept chain=forward connection-state=new dst-address-list=backupnat in-interface=vrrp_fake_vlan60_2 out-interface=vlan50
	add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface=vrrp_fake_vlan60_1
	add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface=vlan50
	add action=drop chain=forward comment="default drop"

	/ip firewall mangle
	add action=passthrough chain=prerouting comment="Log debugging" log=yes log-prefix=MainICMPreply src-address-list=reserved-main
	add action=accept chain=prerouting comment="local bridge access" dst-address-list=local in-interface-list=LAN
	add action=accept chain=prerouting comment="LAN to directly connected on primary link -> main table" dst-address-list=localnet-primary in-interface-list=LAN
	add action=accept chain=prerouting comment="LAN to directly connected on backup link -> main table" dst-address-list=localnet-backup in-interface-list=LAN
	add action=accept chain=prerouting comment="Local subnet primary to main table" in-interface=vlan50 src-address-list=localnet-primary
	add action=accept chain=prerouting comment="Local subnet backup to main table" in-interface=vrrp_fake_vlan60_1 src-address-list=localnet-backup
	add action=accept chain=prerouting comment="Specific reachability checks to main table" src-address-list=reserved-main
	add action=accept chain=prerouting comment="Specific reachability checks to main table" src-address-list=reserved-isp1
	add action=accept chain=prerouting comment="Specific reachability checks to main table" src-address-list=reserved-isp2
	add action=mark-connection chain=prerouting comment="Mark reachability checks" connection-mark=no-mark disabled=yes in-interface=vlan50 new-connection-mark=conn_primary passthrough=yes src-address-list=reserved-isp1
	add action=mark-connection chain=prerouting comment="Mark reachability checks" connection-mark=no-mark disabled=yes in-interface=vrrp_fake_vlan60_1 new-connection-mark=conn_backup passthrough=yes src-address-list=reserved-isp2
	add action=accept chain=prerouting comment=traceroute disabled=yes dst-address-list=!local in-interface-list=LAN protocol=icmp
	# vrrp_fake_vlan60_2 not ready
	add action=mark-routing chain=prerouting comment="1:1 NAT backup IP uses backupnat table" in-interface=vrrp_fake_vlan60_2 new-routing-mark=backupnat passthrough=no
	add action=mark-routing chain=prerouting comment="1:1 NAT backup IP uses backupnat table" dst-address-type=!local in-interface=vlan50 new-routing-mark=backupnat passthrough=no src-address-list=backupnat
	add action=mark-connection chain=prerouting comment="Failover marking primary" connection-mark=no-mark in-interface=vlan50 new-connection-mark=conn_primary passthrough=yes
	add action=mark-connection chain=prerouting comment="Failover marking backup" connection-mark=no-mark in-interface=vrrp_fake_vlan60_1 new-connection-mark=conn_backup passthrough=yes
	add action=mark-connection chain=prerouting comment="PCC preferprimary address list" connection-mark=no-mark connection-state=new disabled=yes dst-address-list=!local dst-address-type=!local in-interface-list=LAN new-connection-mark=\
	conn_primary passthrough=yes src-address-list=preferprimary
	add action=mark-connection chain=prerouting comment="PCC 75% to primary" connection-mark=no-mark dst-address-list=!local dst-address-type=!local in-interface-list=LAN new-connection-mark=conn_primary passthrough=yes \
	per-connection-classifier=!src-address:4/3
	add action=mark-connection chain=prerouting comment="PCC 25% to secondary" connection-mark=no-mark dst-address-list=!local dst-address-type=!local in-interface-list=LAN new-connection-mark=conn_backup passthrough=yes \
	per-connection-classifier=dst-address:4/3
	add action=mark-routing chain=prerouting comment="Failover routing marking primary" connection-mark=conn_primary dst-address-list=!local new-routing-mark=primarylink passthrough=no
	add action=mark-routing chain=prerouting comment="Failover routing marking backup" connection-mark=conn_backup dst-address-list=!local new-routing-mark=backuplink passthrough=no
	add action=passthrough chain=prerouting comment=debug log-prefix=ManglePreroutingDefault
	add action=accept chain=output comment="Specific reachability checks to main table" dst-address-list=reserved-main
	add action=accept chain=output comment="Specific reachability checks to main table" dst-address-list=reserved-isp1
	add action=accept chain=output comment="Specific reachability checks to main table" dst-address-list=reserved-isp2
	add action=accept chain=output comment=debug connection-mark=no-mark disabled=yes out-interface-list=WAN src-address-type=local
	add action=mark-connection chain=output comment="Mark output to reachability check IPs (Primary)" connection-mark=no-mark disabled=yes dst-address-list=reserved-isp1 new-connection-mark=conn_primary passthrough=yes
	add action=mark-connection chain=output comment="Mark output to reachability check IPs (Backup)" connection-mark=no-mark disabled=yes dst-address-list=reserved-isp2 new-connection-mark=conn_backup passthrough=yes
	add action=mark-routing chain=output comment="Failover routing marking primary" connection-mark=conn_primary new-routing-mark=primarylink passthrough=no
	add action=mark-routing chain=output comment="Failover routing marking backup" connection-mark=conn_backup new-routing-mark=backuplink passthrough=no
	add action=mark-connection chain=output comment="Mark unmarked outputs under main" connection-mark=no-mark new-connection-mark=conn_main passthrough=yes
	add action=passthrough chain=output comment=debug log-prefix=MangleOutputDefault
	add action=mark-connection chain=postrouting comment="Postrouting mark output flows" connection-mark=no-mark disabled=yes new-connection-mark=conn_primary out-interface=vlan50 passthrough=yes
	add action=mark-connection chain=postrouting comment="Postrouting mark output flows" connection-mark=no-mark disabled=yes new-connection-mark=conn_backup out-interface=vrrp_fake_vlan60_1 passthrough=yes
	add action=mark-connection chain=input comment="Mark input via primary" disabled=yes in-interface=vlan50 new-connection-mark=conn_primary passthrough=yes
	add action=mark-connection chain=input comment="Mark input via backup" disabled=yes in-interface=vrrp_fake_vlan60_1 new-connection-mark=conn_backup passthrough=yes
	/ip firewall nat
	add action=masquerade chain=srcnat comment="Masquerade primary link" out-interface=vlan50
	add action=masquerade chain=srcnat comment="Masquerade backup link" out-interface=vrrp_fake_vlan60_1
	# vrrp_fake_vlan60_2 not ready
	add action=masquerade chain=srcnat comment="source NAT providing 1:1 dynamic IP from backup link to act as gateway for primary link" dst-address-type=!local out-interface=vrrp_fake_vlan60_2 src-address-list=backupnat
	# vrrp_fake_vlan60_2 not ready
	add action=dst-nat chain=dstnat comment="destination NAT providing 1:1 dynamic IP from backup link to act as gateway for primary link" dst-address-type=local in-interface=vrrp_fake_vlan60_2 to-addresses=1.2.3.100

	/ip route
	add comment=MAGIC_COMMENT_ISP1_MAIN1 disabled=no distance=1 dst-address=9.9.9.10/32 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
	add comment=MAGIC_COMMENT_ISP2_MAIN1 disabled=no distance=1 dst-address=149.112.112.10/32 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
	add check-gateway=ping comment=MAGIC_COMMENT_ISP1_MAIN2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=9.9.9.10 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
	add check-gateway=ping comment=MAGIC_COMMENT_ISP2_MAIN2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=149.112.112.10 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
	add comment=MAGIC_COMMENT_ISP1_ALT1 disabled=no distance=1 dst-address=9.9.9.11/32 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
	add comment=MAGIC_COMMENT_ISP1_ALT1 disabled=no distance=1 dst-address=149.112.112.11/32 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
	add comment=MAGIC_COMMENT_ISP2_ALT1 disabled=no distance=1 dst-address=9.9.9.9/32 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no
	add comment=MAGIC_COMMENT_ISP2_ALT1 disabled=no distance=1 dst-address=149.112.112.112/32 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
	add check-gateway=ping comment=MAGIC_COMMENT_ISP1_ALT2 disabled=no distance=1 dst-address=192.0.2.1/32 gateway=9.9.9.11 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
	add check-gateway=ping comment=MAGIC_COMMENT_ISP2_ALT2 disabled=no distance=1 dst-address=192.0.2.2/32 gateway=9.9.9.9 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
	add check-gateway=ping comment=MAGIC_COMMENT_ISP1_ALT2 disabled=no distance=1 dst-address=192.0.2.1/32 gateway=149.112.112.11 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
	add check-gateway=ping comment=MAGIC_COMMENT_ISP2_ALT2 disabled=no distance=1 dst-address=192.0.2.2/32 gateway=149.112.112.112 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
	add comment=MAGIC_backupnatroute disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.2.3.4 pref-src="" routing-table=backupnat scope=10 suppress-hw-offload=no target-scope=11
	add comment=ISP1_DEFAULT_VHOP disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.0.2.1 pref-src="" routing-table=primarylink scope=10 suppress-hw-offload=no target-scope=12
	add comment=ISP1_DEFAULT_VHOP disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.0.2.2 pref-src="" routing-table=primarylink scope=10 suppress-hw-offload=no target-scope=12
	add comment=ISP2_DEFAULT_VHOP disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.0.2.1 pref-src="" routing-table=backuplink scope=10 suppress-hw-offload=no target-scope=12
	add comment=ISP2_DEFAULT_VHOP disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.0.2.2 pref-src="" routing-table=backuplink scope=10 suppress-hw-offload=no target-scope=12
	add comment=MAGIC_COMMENT_ISP1_MAIN1 disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=1.2.3.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
	add comment=MAGIC_COMMENT_ISP2_MAIN1 disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=4.5.6.7 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10