2 ISP >> 2LAN

I have two ISPs and I have two LANs, and I want each LAN with a different internet service provider
ISP1 to LAN1
ISP2 to LAN2


All this I did in the next clip
https://www.youtube.com/watch?v=7HgrUmRA6Ac

But I have another problem, which is


LAN 1 LAN 2 cannot be reached
Can the problem be solved so that LAN1 can access LAN 2 and vice versa?

Post your config

/export hide-sensitive file=anynameyouwish

Please as you requested

anynameyouwish.rsc (1.81 KB)


Please post your config, not part of it.
If you want help that is… you are here for help please do not assume you know what to show or not to show!!!

I did not hide or delete anything; that is what I see when using the command

/export hide-sensitive file=anynameyouwish

This is the code that appeared on the use of the command
/export
I am not an expert; if you want to know something else, tell me the method


 /export                                   
# apr/18/2021 08:07:34 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-ISP1-P2P
set [ find default-name=ether2 ] comment=WAN-ISP2-DSL
set [ find default-name=ether3 ] comment=LAN1-ISP1
set [ find default-name=ether4 ] comment=LAN2-ISP2
set [ find default-name=ether5 ] comment=SE
/ip pool
add name=dhcp_pool1 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether3 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether4 name=dhcp2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.2.192/24 comment=WAN-ISP1 interface=ether1 network=\
    192.168.2.0
add address=192.168.20.1/24 comment=LAN-ISP1 interface=ether3 network=\
    192.168.20.0
add address=192.168.10.2/24 comment=WAN-ISP2 interface=ether2 network=\
    192.168.10.0
add address=192.168.30.1/24 comment=LAN-ISP2 interface=ether4 network=\
    192.168.30.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment=P2P new-routing-mark=ISP1 \
    passthrough=yes src-address=192.168.20.0/24
add action=mark-routing chain=prerouting comment=DSL new-routing-mark=ISP2 \
    passthrough=yes src-address=192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes out-interface=ether2
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=1 gateway=192.168.10.1 routing-mark=ISP2
/system clock
set time-zone-name=Asia/Riyadh
[admin@MikroTik] >


Ahh, my bad. So you don't have firewall rules because you are behind another router??
Doesn't seem so if you are connecting to P2P, whatever that is, and DSL…
You don't need mangle rules to ensure LAN1 uses ISPx and LAN2 uses ISPy.
Your source NAT rule is not correct.

For the firewall I have deleted it temporarily
I drew an illustration
Can you modify the script to solve the problem?
TEST.jpg

Note that ISP-1 (DSL) can access the server from outside the internal network
Unlike ISP-2 (4G) it cannot be accessed from the external network

Another note
ISP -1 (DSL) speed is only 4Mb
ISP -2 (4G) speed is 50Mbps
This is what made me do this

Okay, so routers 1 and 2 are not providing full routing to your devices; they are simply there for firewall protection, and the MikroTik is left to handle DHCP and subnets etc…
Is that accurate??

Cannot guarantee anything will work not knowing what is going on in Routers 1 and Routers 2.

Change your IP routes to this. Basically, add the routes that are required before any mangled route rules. In all cases the main table needs to be populated with standard routes first (they were missing).
/ip route
add distance=1 gateway=192.168.2.1 check-gateway=ping
add distance=2 gateway=192.168.10.1

add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=2 gateway=192.168.10.1 routing-mark=ISP2

Delete your mangle rules

Add two Route Rules.
First Rule
src-address=192.168.20.0/24
Action: LOOKUP
Table: ISP1

Second Rule
src-address=192.168.30.0/24
Action: LOOKUP
Table: ISP2

Done, should work in the following manner.
All users on LAN1 will go out ISP1. If ISP1 goes offline, the router will take LAN1 traffic and find the next available route on the main table and will send traffic out ISP2.
All users on LAN2 will go out ISP1. If ISP2 goes offline, the router will take LAN2 traffic and find the next available route on the main table and will send traffic out ISP1.

If you added more subnets they will go out LAN1, unless ISP1 goes offline and if so will be sent out ISP2.

Thank you for the help, but I want the server to only connect to ISP1

And the rest of the ISP2 users only (the reason is fast connection)

What is your problem?
This is what you said in your first post!
I have two ISPs and I have two LANs, and I want each LAN with a different internet service provider
ISP1 to LAN1
ISP2 to LAN2

THERE IS NO MENTION OF A SERVER!!!
THERE IS NO DST NAT RULE FOR A SERVER
THERE IS NO SERVER IP IDENTIFIED ANYWHERE.

Basically you suck as a communicator!

In any case the answer is easy, just do what I told you with the following adjustments.

/ip route
add distance=5 gateway=192.168.10.1 check-gateway=ping {this is ISP2 getting the shorter distance}
add distance=10 gateway=192.168.2.1

Delete your mangle rules

Add one Route Rule.
src-address=192.168.20.xx { where that is the IP of the server}
Action: LOOKUP
Table: ISP1

ALL LAN1 and LAN2 subnet traffic will go out ISP2 because it has a shorter distance setting.
The exception is the server which you stated by the rule above should go out ISP1.
Done

Now, in the case where ISP1 is not available (it is offline), then the router will move the traffic to the next available route in the Main Table in this case ISP2.
If you do not want the server to use ISP2 when ISP1 is offline, then you need to change the Action part of the Rule above to LOOKUP ONLY IN TABLE.

Thank you very much for the help and I apologize for the many questions. Excuse me. Sometimes I cannot describe the problem precisely because my mother tongue is not English.
On the whole I think this works. I will try it and give you the result.
Can you take a final look at the final code?

# may/28/2021 09:38:29 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-ISP1-P2P
set [ find default-name=ether2 ] comment=WAN-ISP2-DSL
set [ find default-name=ether3 ] comment=LAN1-ISP1
set [ find default-name=ether4 ] comment=LAN2-ISP2
set [ find default-name=ether5 ] comment=SE
/ip pool
add name="pool isp1" ranges=192.168.20.100-192.168.20.254
add name="poo; isp2" ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool="pool isp1" disabled=no interface=ether3 name=dhcp1
add address-pool="poo; isp2" disabled=no interface=ether4 name=dhcp2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.2.192/24 comment=WAN-ISP1 interface=ether1 network=\
    192.168.2.0
add address=192.168.20.1/24 comment=LAN-ISP1 interface=ether3 network=\
    192.168.20.0
add address=192.168.10.2/24 comment=WAN-ISP2 interface=ether2 network=\
    192.168.10.0
add address=192.168.30.1/24 comment=LAN-ISP2 interface=ether4 network=\
    192.168.30.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment=P2P disabled=yes \
    new-routing-mark=ISP1 passthrough=yes src-address=192.168.20.0/24
add action=mark-routing chain=prerouting comment=DSL disabled=yes \
    new-routing-mark=ISP2 passthrough=yes src-address=192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes out-interface=ether2
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add disabled=yes distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=2 gateway=192.168.10.1 routing-mark=ISP2
add disabled=yes distance=1 gateway=192.168.10.1 routing-mark=ISP2
add distance=2 gateway=192.168.10.1
/ip route rule
add src-address=192.168.20.0/24 table=ISP1
add src-address=192.168.30.0/24 table=ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh

My directions have been clear, and yet I don't see that you have made any of the changes.
Why did you remove the default firewall rules ?
Where is your server identification in a destination NAT rule?

Suggest you get a consumer router like ASUS, and be happy, because clearly you do not understand MikroTik and seem to be making little effort to learn.

After several tries, everything worked fine
SPI 1 to LAN1
SPI2 tp LAN2
But I am still facing the same problem, which is

LAN1 devices cannot access LAN 2, and vice versa, LAN2 devices cannot access LAN 1


It's not a language problem; it's that you do not really know what you want, as your last post is exactly the opposite of the first post.
No worries we will get there.


Follow my suggestion.

Write down all your requirements: exactly what you expect each user to be able to do.
So if you have 20 users, each with a different requirement then I would expect to see a list from 1. through 20.
If you have a GROUP of users with the same requirement that only needs one line of description.

So, please provide your list.
Then we can work on the config.

Note that my main problem in the first post was the same as my request currently. Can you help me?

But I have another problem, which is


LAN 1 LAN 2 cannot be reached
Can the problem be solved so that LAN1 can access LAN 2 and vice versa?



Okay so you want LAN1 to reach LAN2 and LAN2 to reach LAN1

?? WHY
Just use one LAN not two. The purpose of different subnets is to have two groups of users.
If there is no real difference of the groups in terms of requirements, just make it one LAN.

By the way, you need firewall rules to do that but you have removed them.
Put them back and then you will have connectivity between LANs

Thank you very much for your patience with me and your help

They were supposed to all be one network under the service provider (ISP1), but because of the Internet speed of the service provider (ISP1), and because it has features that I cannot give up, only some devices must be connected to it.
A second service provider (ISP2) was subscribed to in order to solve the Internet speed problem, but some features are not available on it, namely a static IP.
Now I want it to connect
LAN1 with LAN2
and
LAN2 with LAN1.
Can you help me?
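
A model of the route-rule lookup for the routing tables in the final export above, added here as an example and not written by anyone in the thread. It shows where LAN1-to-LAN2 traffic is sent under the thread's two source-based rules and under an assumed fix (destination rules pointing at `main`, listed first); the host addresses are constructed samples from the DHCP pools.

```python
import ipaddress as ip

# Tables as in the final export: connected routes live in "main"; the marked
# tables ISP1/ISP2 hold only a default route.
TABLES = {
    "main": [("192.168.20.0/24", "ether3"), ("192.168.30.0/24", "ether4"),
             ("192.168.2.0/24", "ether1"), ("192.168.10.0/24", "ether2"),
             ("0.0.0.0/0", "192.168.10.1")],
    "ISP1": [("0.0.0.0/0", "192.168.2.1")],
    "ISP2": [("0.0.0.0/0", "192.168.10.1")],
}

# Route rules from the thread as (src, dst, table); None matches anything.
THREAD_RULES = [("192.168.20.0/24", None, "ISP1"),
                ("192.168.30.0/24", None, "ISP2")]

# Assumed fix (not proposed in the thread): rules equivalent to
#   /ip route rule add dst-address=192.168.30.0/24 action=lookup table=main
# for each local subnet, placed above the source-based rules.
FIXED_RULES = [(None, "192.168.20.0/24", "main"),
               (None, "192.168.30.0/24", "main")] + THREAD_RULES


def _in(addr, net):
    return net is None or ip.ip_address(addr) in ip.ip_network(net)


def _lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    hits = [(ip.ip_network(n).prefixlen, via) for n, via in TABLES[table]
            if _in(dst, n)]
    return max(hits)[1] if hits else None


def next_hop(rules, src, dst):
    """Walk the rules top-down (action=lookup), then fall back to main."""
    for rsrc, rdst, table in rules:
        if _in(src, rsrc) and _in(dst, rdst):
            via = _lookup(table, dst)
            if via is not None:
                return via
    return _lookup("main", dst)


if __name__ == "__main__":
    for name, rules in (("thread", THREAD_RULES), ("fixed", FIXED_RULES)):
        print(name, next_hop(rules, "192.168.20.100", "192.168.30.100"),
              next_hop(rules, "192.168.20.100", "8.8.8.8"))
```

With the thread's rules the ISP1 table's default route matches the LAN2 destination, so the packet is handed to the ISP1 gateway and never falls through to the connected routes in `main`.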