Routing Selected Networks over Specific WAN/ISP interfaces

I have roamed the forums long enough that I have seen similar questions, but try as I might I am unable to solve this issue. My setup is like this : RB2011, 2 separate ISPs (eth1, eth2), two separate networks(10.0.1.0/24 and 192.168.0.0/16) for office and guests. What I am attempting to accomplish is routing the 10.0.1.0/24 network over ISP1, and routing the massive guest network over ISP2.

What is the simplest and most direct way to do this? Should I blow away my configuration and start with no default config (it currently has some default config settings)? Now that I have written it, it sounds super simple, but I must be missing something because I am running into all sorts of issues with my current configuration: the ISP2 gateway is unreachable and routing is not sending anything across the interface; there are additional “software” bridges (thinking these are not needed based on previous threads and additional reading) ([office_local: eth4, eth5, etc.], [guest_local: eth3]). Should I be able to simply use a master-slave setup with these?

TL;DR: I fear my configuration has become bloated and needs to be simplified because default settings are conflicting with new custom settings.

Put default route for each ISP in different routing table, mark routing for outgoing connections based on internal interface, and if you want also incoming connections, mark them and routing for their reply packets.

Check this, it has everything you need:

http://wiki.mikrotik.com/wiki/Manual:PCC

The only flaw is that it’s about load balancing, and that’s not what you want. But if you examine and understand the example config (in the middle of the page and the following explanation), I can almost guarantee that you’ll know what you need to do. Basically ignore the main subject (PCC) and, instead of the rules with the per-connection-classifier option, add yours that will mark connections based on the incoming LAN interface.

After reading the PCC entry in the manual, I decided there might be a better way. What if I used the two separate internal switches to separate the traffic? Below is my new approach. Please let me know if this is even possible with the RB2011 or if I am wasting my time.

ETH1 : ISP2
ETH2 : Master (guest_lan : 192.168.0.1/16)
ETH3 : Slave-2
ETH4 : Slave-2
ETH5 : Slave-2
ETH6 : ISP1
ETH7 : Master (office_lan: 10.0.1.1/24)
ETH8 : Slave-7
ETH9 : Slave-7
ETH10 : Slave-7

With this setup, would it work if I set up the firewall and mangle to route ETH7 out ETH6?

I assumed you already had it like this, i.e. two interfaces for ISP1 and ISP2 and two interfaces for two internal networks. And yes, it can work. Mark new connections from first LAN with mark A, and new connections from second LAN with mark B. Then mark routing for A connections to use ISP1 and B connections to use ISP2.

Can you elaborate a bit on this? It sounds like the PCC topic you mentioned earlier.

At this point I have tagged connections originating from 192.168.0.0/24 with b_conn and connections originating from 10.0.1.0/24 with a_conn.

Yes, I wrote that it’s almost the same. You just replace these rules:

add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn 
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn

by:

add chain=prerouting in-interface=ether2 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP1_conn 
add chain=prerouting in-interface=ether7 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP2_conn

Or you can use addresses:

add chain=prerouting src-address=192.168.0.1/16 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP1_conn 
add chain=prerouting src-address=10.0.1.1/24 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP2_conn

And the rest is the same as in PCC example.

In fact, the bare bones way to do it is without connection marks and with just route marking, e.g.:

/ip firewall mangle
add chain=prerouting src-address=192.168.0.1/16 action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting src-address=10.0.1.1/24 action=mark-routing new-routing-mark=to_ISP2

But the first approach with connection marks is more future proof. For example, if you decided to forward some port from ISP1’s address to 10.0.1.x (i.e. host that normally uses ISP2), it would just work with connection marking. But it would fail with this other approach.
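
Putting the pieces of the two answers above together (separate routing tables with one default route each, connection marking by LAN interface, route marking from the connection mark, and marking of WAN-originated connections so replies leave via the ISP they arrived on), here is a complete RouterOS configuration as an added example. It is not the poster's own config and not taken from the MikroTik wiki page; it assumes the interface layout from the thread (ether1 = ISP2, ether6 = ISP1, ether2 = guest master port with 192.168.0.1/16, ether7 = office master port with 10.0.1.1/24) and follows the original goal of office over ISP1 and guest over ISP2. The gateway addresses are placeholders. The forward filter at the end is an addition the thread does not discuss: once the two networks are separated by routing, it also keeps guest hosts from reaching the office LAN through the router.

```routeros
# Assumed from the thread: ether1 = ISP2, ether6 = ISP1,
# ether2 = guest LAN (192.168.0.1/16), ether7 = office LAN (10.0.1.1/24).
# ISP1_GW / ISP2_GW are placeholders; use the addresses your ISPs assigned.
/ip address
add address=10.0.1.1/24 interface=ether7
add address=192.168.0.1/16 interface=ether2

# One default route per ISP, each in its own routing table (routing-mark),
# plus unmarked defaults in the main table for the router's own traffic.
# check-gateway=ping disables a route while its gateway is unreachable.
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1_GW routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2_GW routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP1_GW distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2_GW distance=2 check-gateway=ping

/ip firewall mangle
# Connections that arrive from the WAN side (to the router itself, or
# port-forwarded through it) are marked by the ISP they came in on, so the
# replies are routed back out the same link instead of the LAN's default ISP.
add chain=input in-interface=ether6 action=mark-connection new-connection-mark=ISP1_conn
add chain=input in-interface=ether1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting in-interface=ether6 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=ISP2_conn
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

# Traffic between the two LANs must stay on the router; accept it before any
# marking so it is never pushed out to a WAN link.
add chain=prerouting in-interface=ether7 dst-address=192.168.0.0/16 action=accept
add chain=prerouting in-interface=ether2 dst-address=10.0.1.0/24 action=accept

# New LAN-originated connections: office -> ISP1, guest -> ISP2.
# dst-address-type=!local leaves traffic addressed to the router itself alone.
add chain=prerouting in-interface=ether7 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ether2 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP2_conn

# Every packet of a marked connection is routed through the matching table.
add chain=prerouting in-interface=ether7 connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=ether2 connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

# Source NAT on each WAN link.
/ip firewall nat
add chain=srcnat out-interface=ether6 action=masquerade
add chain=srcnat out-interface=ether1 action=masquerade

# Added isolation (not part of the thread): allow replies to office-initiated
# sessions, then block guest hosts from opening anything toward the office LAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether2 out-interface=ether7 action=drop comment="guest may not reach office LAN"
```

Order matters in the mangle chain: the two accept rules have to sit above the mark-connection rules, otherwise office-to-guest traffic picks up a connection mark and gets a routing mark that sends it to an ISP gateway. Watching the counters on the four prerouting mark rules while generating traffic from each LAN is the quickest way to confirm which ISP a given network is actually using.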

This worked swimmingly. And to top it off, it helped me resolve an issue I had been having for some time before that: making both ISP ports active.

Thank you very much for your help.

Hi,
If it’s two links, not two ISPs, and I want to separate the traffic, can I use the same way?
Thanks

Not much info to work with, but the answer is probably yes.