ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

basic dual WAN configuration does not work

Mon Apr 06, 2020 10:54 am

hAP AC (962UiGS-5HacT2HnT) ROS v6.46.4.
- ISP_1 (2 dynamic IP, 500 Mbps),
- ISP_2 (1 static IP, 100 Mbps),
- 2 masquerade srcnat rules, out-interface ISP_1 and ISP_2,
- 10 rules for internal servers forwarded from ISP_2,
- default RouterOS rules

my configuration worked fine for 5 years, but ISP_1 (2 dynamic IP, 500 Mbps) did some nightly service works, "broke my internet connection", and the router switched to ISP_2 (1 static IP, 100 Mbps). I called the service and got a technician visit, told him the history, he called some master technician, who reconfigured something at their site, and ISP_1 internet works if I connect a computer directly to it

but!

if I connect this ISP_1 Ethernet cable to the router, the router switches to WAN1 - ISP_1, but the ISP_2 link stops working - PING stops, internal services are not accessible from outside; if I disable ether1_ISP1, all starts working again after a second

it looks like that when ether1_ISP1 is enabled, all data goes somewhere wrong, but I can't find where and why
2020-04-06_10-39.png
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: basic dual WAN configuration does not work

Mon Apr 06, 2020 8:04 pm

it looks like that when ether1_ISP1 is enabled, all data goes somewhere wrong, but I can't find where and why
That's what I think as well...
Is your ISP 1 IP still dynamic or static?
If it is static, did you make sure your config and your addresses, subnets etc. are correct?
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Mon Apr 06, 2020 8:55 pm

ISP_1 is dynamic - in my experiments I disable and enable this ether1 and get addresses 46.*, 85.*, 95.* and so on. For now I even leave Add Default Route on, and if I enable ether1 (ISP1), I get working internet through this link with full speed (~500/500), but a second after enabling ether1, the static link ether5 becomes unreachable from outside (but if I try to ping 1.1.1.1 through ether5 I get a ~7ms response)
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Mon Apr 06, 2020 10:59 pm

just as an experiment I put a simple configuration:
# apr/06/2020 22:42:27 by RouterOS 6.46.4
# software id = 5DWL-EDZZ
#
# model = 751G-2HnD

/interface bridge
add admin-mac=00:0C:42:FB:C7:47 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=87.87.87.87/24 interface=ether5 network=87.87.87.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept forwarded ports" dst-port=80 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether5
add action=dst-nat chain=dstnat comment="services on MPE" dst-address=87.87.87.87 dst-port=80 protocol=tcp to-addresses=192.168.88.80
/ip route
add distance=20 gateway=87.87.87.1
/ip service
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Riga
/system ntp client
set enabled=yes primary-ntp=192.168.88.80
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
on a spare RB-751G and get the same results: if I enable ether1, ether5 becomes unreachable from outside, PING stops, the forwarded web server on port 80 stops responding, but the internet connection for outgoing connections switches from ether5 to ether1 and gets ~500/500 Mbps

I have no idea what's going on...
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Tue Apr 07, 2020 12:53 am

and for a clean experiment, I removed all LAN devices, just connected ether1 and ether5 as WANs to the RB-751G and one Windows 10 notebook to ether3 as the LAN device. Results - all as before - if I turn on ether1, ether5 stops responding from outside
 
tdw
Forum Guru
Posts: 1856
Joined: Sat May 05, 2018 11:55 am

Re: basic dual WAN configuration does not work

Tue Apr 07, 2020 3:10 am

There do not appear to be any mangle rules or additional routing tables to properly support dual WAN operation. Replies to traffic arriving from either ISP1 or ISP2 will return via the best default route to ISP1 - this may have accidentally worked until the nightly engineering works correctly blocked this traffic.
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Tue Apr 07, 2020 3:44 am

thanks, it looks like a possible reason for my problems
I can't find a HOWTO for dual WAN where one link has a dynamic IP, with a possibly changing gateway
 
tdw
Forum Guru
Posts: 1856
Joined: Sat May 05, 2018 11:55 am

Re: basic dual WAN configuration does not work

Tue Apr 07, 2020 4:27 am

I'm sure load balancing with dynamic gateways will have cropped up before in the forums - a script triggered by the DHCP client, or possibly using routing filters.

It depends on what you need - if all traffic will be to/from ISP1, other than replies to that coming from ISP2, instead of full load balancing you could get away with something like
/ip firewall mangle
add chain=prerouting dst-address=87.87.87.87/24 action=accept in-interface=LAN
add chain=prerouting in-interface=ether5 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ip route
add gateway=87.87.87.1 routing-mark=to_ISP2 check-gateway=ping


basically a cut-down version of https://wiki.mikrotik.com/wiki/Manual:PCC. Note that you will have to disable fasttrack for mangling to work.
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Tue Apr 07, 2020 8:54 am

thanks!

in the 1st mangle rule, do I put 87.87.87.0/24 in dst-address, as 'ip address expected', or must I use 87.87.87.87?
in the 2nd and 3rd, do I use In. Interface List=LAN or in-interface=bridge?

this corrected "half" of the problems one time - if I enable ether1, ether5 does not stop answering PINGs, but the inside servers become unreachable from outside

and after the next disable/enable of eth1, eth5 stopped answering outside PINGs completely while eth1 is enabled

p.s.
as you say - "load balancing with dynamic gateways will have cropped up before in the forums" - but those were answers and fragments from some configurations, not a complete tutorial

but thanks again for trying!
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Tue Apr 07, 2020 1:38 pm

deleted the DHCP client and manually added routes, and imported this:
/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from ETH" connection-mark=no-mark in-interface=ether5 \
new-connection-mark=conn_eth passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from TET" connection-mark=no-mark in-interface=ether1 \
new-connection-mark=conn_tet passthrough=no



/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via ETH" connection-mark=conn_eth \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_eth passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via TET" connection-mark=conn_tet \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_tet passthrough=no



/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via ETH" connection-mark=conn_eth \
dst-address-type=!local new-routing-mark=to_eth passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via TET" connection-mark=conn_tet \
dst-address-type=!local new-routing-mark=to_tet passthrough=no



/ip route add check-gateway=ping comment="For recursion via ETH" \
distance=1 dst-address=4.2.2.1 gateway=87.87.87.1 scope=10

/ip route add check-gateway=ping comment="Unmarked via ETH" \
distance=2 gateway=4.2.2.1

/ip route add comment="Marked via ETH Main" distance=1 gateway=4.2.2.1 \
routing-mark=to_eth

/ip route add comment="Marked via TET Backup1" distance=2 gateway=4.2.2.1 \
routing-mark=to_tet

/ip route rule add comment="From ETH IP to Inet" src-address=87.87.87.87 table=to_eth



/ip dhcp-client
add add-default-route=no disabled=no interface=ether1 script=":if (\$bound=1) do={\r\
    \n   /ip route remove [ find gateway=\"4.2.2.2\" ]; /ip route remove \
          [ find where dst-address ~\"4.2.2.2\" ]\r\
    \n   /ip route add check-gateway=ping comment=\"For recursion via TET\" \
          distance=1 dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n   /ip route add check-gateway=ping comment=\"Unmarked via TET\" \
          distance=1 gateway=4.2.2.2\r\
    \n   /ip route add comment=\"Marked via TET Main\" distance=1 gateway=4.2.2.2 \
          routing-mark=to_tet\r\
    \n   /ip route add comment=\"Marked via ETH Backup1\" distance=2 \
          gateway=4.2.2.2 routing-mark=to_eth\r\
    \n   /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
          out-interface=\$\"interface\" to-addresses=\$\"lease-address\" \
          comment=\"NAT via TET\"\r\
    \n   /ip route rule add comment=\"From TET IP to Inet\" \
          src-address=\$\"lease-address\" table=to_tet \r\
    \n} else={\r\
    \n   /ip route remove [ find gateway=\"4.2.2.2\" ]; /ip route remove \
          [ find where dst-address ~\"4.2.2.2\" ]\r\
    \n   /ip firewall nat remove  [find comment=\"NAT via TET\"]\r\
    \n   /ip route rule remove [find comment=\"From TET IP to Inet\"]\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no
Last edited by ieleja on Wed Apr 08, 2020 9:10 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: basic dual WAN configuration does not work

Tue Apr 07, 2020 2:52 pm

Config comes LAST. A thorough understand of requirements comes first.
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Thu Feb 15, 2024 11:35 pm

after the upgrade to v7.* and the ISP blocking any ICMP beyond the gateway, the old problem came back: if optics with DHCP is enabled, routing gets messed up and port forwarding doesn't work. Corrected by adapting the DHCP script to v7.*:

routing rule

instead of

ip route rule

as in v6.*

another correction is in the "recursion" route: now the ISP gateway, not 4.2.2.1, which isn't pingable from this ISP
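The v7 rewrite that the post above describes but does not show, as an added example that is not the poster's code: it assumes ether1 is the dynamic ISP (TET), ether5 the static one (ETH, 87.87.87.87/24 via 87.87.87.1), the mangle rules from the Apr 07 post unchanged, and the table names to_tet/to_eth.

```routeros
# Added example, not from any post in this thread: the v6 DHCP-client script
# from the Apr 07 post rewritten for RouterOS v7, as the Feb 15 post describes.
# Assumptions: ether1 = dynamic ISP (TET), ether5 = static ISP (ETH, 87.87.87.87/24
# via 87.87.87.1); the Apr 07 mangle rules still set routing marks to_tet / to_eth,
# and v7 requires those tables to be declared before a mark can reference them.
/routing table add name=to_tet fib
/routing table add name=to_eth fib

# Static ISP side. check-gateway pings the ISP gateway itself, not 4.2.2.1,
# because this ISP drops ICMP beyond its gateway.
/ip route add dst-address=0.0.0.0/0 gateway=87.87.87.1 distance=2 check-gateway=ping comment="ETH unmarked"
/ip route add dst-address=0.0.0.0/0 gateway=87.87.87.1 distance=1 check-gateway=ping routing-table=to_eth comment="ETH marked main"
/ip route add dst-address=0.0.0.0/0 gateway=87.87.87.1 distance=2 routing-table=to_tet comment="ETH backup for TET"
# v7: /routing rule replaces the v6 /ip route rule
/routing rule add src-address=87.87.87.87 action=lookup-only-in-table table=to_eth comment="From ETH IP to Inet"

# Dynamic ISP side: paste the following into the ether1 DHCP client's Script field
# (with add-default-route=no). $bound, $"gateway-address", $"lease-address" and
# $interface are supplied by the DHCP client on every lease event.
:if ($bound=1) do={
    :local gw $"gateway-address"
    :local ip $"lease-address"
    # drop whatever the previous lease installed, found by comment prefix
    /ip route remove [find comment~"^TET"]
    /routing rule remove [find comment="From TET IP to Inet"]
    /ip firewall nat remove [find comment="NAT via TET"]
    # unmarked traffic prefers TET (distance 1); "ETH unmarked" at distance 2
    # takes over when the ping check against the TET gateway fails
    /ip route add dst-address=0.0.0.0/0 gateway=$gw distance=1 check-gateway=ping comment="TET unmarked"
    /ip route add dst-address=0.0.0.0/0 gateway=$gw distance=1 check-gateway=ping routing-table=to_tet comment="TET marked main"
    /ip route add dst-address=0.0.0.0/0 gateway=$gw distance=2 routing-table=to_eth comment="TET backup for ETH"
    # NAT traffic leaving ether1 to the current lease address
    /ip firewall nat add chain=srcnat action=src-nat out-interface=$interface to-addresses=$ip comment="NAT via TET"
    /routing rule add src-address=$ip action=lookup-only-in-table table=to_tet comment="From TET IP to Inet"
} else={
    /ip route remove [find comment~"^TET"]
    /routing rule remove [find comment="From TET IP to Inet"]
    /ip firewall nat remove [find comment="NAT via TET"]
}
```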
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: basic dual WAN configuration does not work

Fri Feb 16, 2024 5:22 pm

Dual wan works very well.
What is not clear is the requirements, so I have to guess.
WAN1 is primary should run most traffic all the time. If WAN1 fails you want users to go to WAN2?
WAN2 is secondary, handles servers all the time. If WAN2 fails you want servers accessible on WAN1?

/ip route
add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gatewayIP routing-table=main comment=MyStatic
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2-gatewayIP routing-table=main comment=MyDynamic

That's the starting point for two fixed static WAN IPs.
If you have a dynamic WANIP you need to ensure the gateway IP is updated via script.
So in the IP DHCP client area under ADVANCED TAB enter the following script:

:if ($bound=1) do={
    # the DHCP client passes the lease's gateway to this script as a variable
    :local gw $"gateway-address"
    # point every route tagged MyDynamic at the new gateway (no-op if unchanged)
    /ip route set [ find comment="MyDynamic" ] gateway=$gw
}


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If you want to add recursive routing, then it would look like.
/ip route
add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 comment=wan1
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12 comment=wan2

add distance=1 dst-address=1.1.1.1/32 gateway=ISP1-gatewayIP routing-table=main scope=10 target-scope=11
add distance=2 dst-address=9.9.9.9/32 gateway=ISP2-gatewayIP routing-table=main scope=10 target-scope=11 comment=MyDynamic


Since you have servers that need to work on WAN2 all the time, we will need to ensure that external traffic hitting the WANs heading to the servers, goes out the same WAN. We do both WANs in case WAN2 is down and we use WAN1 for servers.......

/ip firewall mangle
add action=mark-connection chain=forward in-interface=WAN1 connection-mark=no-mark \
    new-connection-mark=from-WAN1 passthrough=yes comment="tag new connections arriving on WAN1"
add action=mark-connection chain=forward in-interface=WAN2 connection-mark=no-mark \
    new-connection-mark=from-WAN2 passthrough=yes comment="tag new connections arriving on WAN2"
add action=mark-routing chain=prerouting src-address-list=Servers connection-mark=from-WAN1 \
    new-routing-mark=to-WAN1 passthrough=no comment="server replies leave via WAN1"
add action=mark-routing chain=prerouting src-address-list=Servers connection-mark=from-WAN2 \
    new-routing-mark=to-WAN2 passthrough=no comment="server replies leave via WAN2"


NOTE: firewall address list Servers, contains the IP addresses of all servers.....

Basically this marks any traffic coming on the WAN with the appropriate connection marks.
Then any traffic with these marks coming from the servers (reply traffic), gets sent out the same WAN they came in on.
To complete the config we need tables and routes.

/routing table add fib name=to-WAN1
/routing table add fib name=to-WAN2


And then the routes
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1-gatewayIP routing-table=to-WAN1
add dst-address=0.0.0.0/0 gateway=ISP2-gatewayIP routing-table=to-WAN2 comment=MyDynamic


++++++++++++++++++++++++++++++++++++++++++++++++++
 
ieleja
just joined
Topic Author
Posts: 20
Joined: Thu Mar 29, 2012 10:22 pm

Re: basic dual WAN configuration does not work

Mon Feb 19, 2024 5:59 am

Dual wan works very well.
Yes, and in my latest post I explained the corrections after:
- the upgrade from v6 to v7,
- my ISP with the static IP now blocks any ICMP, except that I can only ping my GW, not these "1.1.1.1", "9.9.9.9" and so on...

but thanks for the answer, I'll add it to my personal scripting book...
