Good evening everyone
I have the following need
I have a customer with two Wan connections
Wan 1 - Public IP 1.1.1.1
Wan 2 - Public IP 2.2.2.2
My client’s LAN is on the following class
192.168.1.0/24, and a DVR with IP 192.168.1.200
My need is to use Wan 2 for navigation, and Wan 1 for some services that the customer uses including connection to the DVR externally.
How can I set this on Mikrotik.
Do you have any suggestions?
Thanks
What do you mean you… Its the clients router so why do you need it for navigation?? by the way navigation means nothing to me, if you are asking about how to navigate in an airplane using the sun, moon or stars, that would make sense. 
a. What does the client need in full detail.
What services ( server, vpn etc…) and over which WAN
What do the client users need for traffic WAn1 primary, WAN2 backup?
How are you going to remotely config the device?
Good morning and thanks for the reply
Then the situation is as follows
This client of mine initially started with a 100 Mb fiber internet connection
Now the company has expanded and we have added a second 1Gb fiber connection.
The problem is that this client of mine uses web apps configured with remote devices, the same goes for connecting to the DVR. All these apps use the IP of wan 1, the one with 100 fiber
I would therefore like to use the old WAN 1 connection at 100 MB for these services, while I would like to use the new 1 GB connection for browsing the company’s internet. So by internet browsing I am referring to the use of the www., including email applications etc. etc.
How can I do it? It’s possible?
Yes very easy.
Make WAN2 Primary WAN, you can add wireguard to this so you can remote config the router.
Can you confirm that WAN2 (gig) is a publicly reachable IP static or dynamic or the upstream router can port forward to it??
WAN1 will be secondary but the idea is to use routing rules to force that traffic out WAN1
Will need mangling to ensure services to each are sent out the right WAN etc..
Is there any external originating traffic coming in on any WAN (assuming yes to the servers using WAN1 ) anything else we should know about…?
Copy of config would be good starting point
/export file=anynameyouwish ( minus router serial #, any public WANIP info )
HI
Both IPs are public
So I have no problems
How do I set wan 2 as primary and wan 1 as secondary?
Secondary only for the requested services?
Should I use the distance function?
Thanks for now
Yes distance is the easiest separator.
One recommendation is to put the users and the servers on different subnets
and then you simply need to use routing rules to force servers out WAN1.
If not and they are all on one LAN subnet then you will need to mangle and use source-address lists to separate the subnet out.
Provide a config so we can see the state of the setup so far.
/export file=anynameyouwish ( minus router serial number, any public WANIP information )
/interface bridge
add admin-mac=6C:3B:6B:AD:30:E8 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=1.1.1.1/29 interface=WAN2 network=X.X.X.X
add address=2.2.2.2/29 interface=WAN1 network=X.X.X.X
/ip dhcp-client
add comment=defconf disabled=no interface=WAN1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Hello and thanks again for your support
This is my setup
the two wans are set, how do I set them now:
wan 1- outgoing connections (browsing)
wan2 - incoming connections (service etc. etc.)
currently my internet connection works and I go with wan 1
then I set up both WANs
I enabled wan 2 for incoming access, but if I go to the logs it takes the IP of wan 1
dstnat: in:WAN2 out:(unknown 0), src-mac 48:a9:8a:24:e3:64, proto TCP (SYN), (IP WAN1):46500->XXXXXXXX:XXXXXX, len 60
My PC comes out with wan 1, not with 2. I only need wan 2 to connect from the outside
a small note, if I disconnect the wan1 cable then it works
Is that the whole (LAST) configuration? (if you post a configuration and later change it, you should repost the latest configuration)
From configuration in post #8:
You have no firewall filter rules?
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
Shouldn’t you add WAN2 to list=WAN?
You seemingly have masquerade/srcnat for WAN (which should mean WAN1 only)
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
(1) Fix Interface List Members:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
(2) Add some routing tables in case needed.
/routing table
add fib name=to-WAN1
add fib name=to-WAN2
(3) Why do you have IP DHCP client for WAN1. You have manually set the IP address of both WAN1 and WAN2 in IP addresses and thus should not need IP DHCP Client for either WAN.
Its one or the other not both!!
(4) Fix by removing static DNS entry and modifying…
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
(5) Set this to NONE.
/tool mac-server
set allowed-interface-list=LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You are missing IP ROUTES?
You are missing any port forwarding dstnat rules?? Can you confirm that you have no external users originating traffic and reaching a LAN server?
Did you want to be able to remotely ( from your smartphone/ipad or laptop ) connect to the router for config purposes??
Where are your firewall rules? You should not hookup the router to the internet until you do!!
/ip firewall filter
add action=accept chain=input comment=" established, related,untracked"
connection-state=established,related,untracked
add action=drop chain=input comment=“DROP invalid packets”
connection-state=invalid
add action=accept chain=input comment=“allow icmp” protocol=icmp
add action=accept chain=input comment=“Lan access” in-interface-list=LAN
add action=drop chain=input comment=“Drop all else” { put this rule in last to avoid locking yourself out }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=
“fasttrack established,related connections” connection-state=
established,related hw-offload=yes
add action=accept chain=forward comment=“ALLOW established, related,untracked”
connection-state=established,related,untracked
add action=drop chain=forward comment=“DROP invalid packets”
connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”
/ip routes
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=gwyIP-WAN2 routing-table=main
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=gwyIP-WAN1 routing-table=main
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now to ensure servers talking to the web are using WAN1 we need to identify all the IP addresses of those devices.
Lets call them MyServers
Then we have to mangle to ensure they go out WAN2. We mark the traffic coming from those devices not going to local addresses ( aka thus going out WAN )
/ip firewall mangle
add chain=forward action=mark-connections connection-mark=no-mark src-address-list=MyServers
dst-address-type=!local new-connection-mark=W1-conn passthrough=yes
add chain=prerouting action=mark-routing connection-mark=W1-conn
src-address-list=MyServers new routing-mark=to-WAN1 passthrough=no
ADD TO ROUTES
/ip routes
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=gwyIP-WAN2 routing-table=main
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=gwyIP-WAN1 routing-table=main
add dst-address=0.0.0.0/0 gateway=gwyIP-WAN1 routing-table=to-WAN1
Good morning everyone
And thanks for the support.
If I set this
/ip firewall mangle
add chain=prerouting src-address=192.168.X.X action=mark-routing new-routing-mark=WAN2
/ip route
add dst-address=0.0.0.0/0 routing-mark=WAN2 gateway=X.X.X.X
My device takes wan2 and I reach it externally
So do I have to use the mangle?
Can I send my device out with wan1 and reach it with wan2?
I’m afraid not, I don’t think so
There are many ways to skin the cat as mkx and rextended say.
So yes,
If you just have this,
/ip firewall mangle
add chain=prerouting src-address=192.168.X.X action=mark-routing new-routing-mark=WAN2
Any traffic from that LANIP should go out WAN2. That means ANY TRAFFIC!! Think about it.
Also, YES to your question
a. you can reach 192.168.X.X from a specific WAN ( but the associated return traffic has to go out the same WAN )
b. yes, you can go out with other traffic from 192.168.X.X on the other WAN.
But this is foolish speculation. YOu need to determine your actual requirements PRIOR to configuring the router.
Therefore, in detail
a. identify the user(s)/device(s) and groups of users/devices including you the admin
b. identify the traffic they should be able to accomplish.
Once we KNOW all the requirements, then a config can be achieved.
I am not going to be part of chasing you changing your mind every post… either you have a plan or you dont LOL.
