2 public IPs from the same ISP

89d · November 4, 2019, 11:47am

I have a Mikrotik RouterBoard 1100AHx4. The setup looks like this:
Mikrotik LAN.png
Private Network

ether1 = WAN #1 (IP: AAA.AAA.AAA.AAA/21)
ether2 = LAN (192.168.0.0/24)
ether5 = Backup WAN #1 (IP: BBB.BBB.BBB.BBB)

Guest Networks

ether6 = WAN #2 (IP: AAA.AAA.AAA.???/21)
ether7 = WLAN #1 (192.168.50.0/24)
ether8 = WLAN #2 (192.168.100.0/24)

I have a static IP given by ISP 1 for WAN #1 based on the MAC address. I’d like to setup another static IP for WAN #2 from the same ISP 1 and have the LAN traffic go through WAN #1 and the traffic from the 2 WLANs go through WAN #2.

When I try to add the second DHCP client for ether6 I’m faced with routing problems because all the traffic wants to go through either WAN #1 or WAN #2. I also want to block each network from accessing another (LAN, WLAN #1, WLAN #2). At the moment I just have explicit firewall “forward drop” rules for each network pair.

I have route failover setup for LAN with WAN #1 and Backup WAN #1. The WLAN networks are not part of the failover because they are just non-critical guest networks.

What should I try?

Zacharias · November 4, 2019, 1:32pm

First and most important, does your ISP give you a second static IP ?

You can use Mangles and PCC to load balance your WAN interfaces https://wiki.mikrotik.com/wiki/Manual:PCC

89d · November 4, 2019, 2:35pm

Yes - at least that’s what we are paying them for. Since I’m still testing I just get a random free IP from the same subnet as on WAN #1. Once I have figured out everything I’ll let them know the MAC address and I’ll start using the actual static IP.

I’ll give PCC a try. Thank you.

millenium7 · November 5, 2019, 11:26pm

Policy based routing is really quite simple

Optionally add all internet services into an Interface List. I.e. I use ‘InternetFacing’ this way I don’t need to duplicate all my firewall rules, i.e. instead of ‘in-interface=ether1-ISP1’ drop all rule. I just use ‘in-interface-list=InternetFacing’ with ether1/2/3 etc as part of that list. Just makes life easier, anything specific like allow SSH on ISP1 but not on ISP2 just use individual rules
Create src-nat/masquerade rules for all internet interfaces (can just 1 ‘masquerade’ rule with out-interface-list=InternetFacing this also works for all ur connections at once)

For the actual routing part I just do this…

Create a static 0.0.0.0/0 default route for each internet service but when making the route fill in the ‘routing mark’ field, I.e. ISP1 for ISP1
Create a mangle rule. chain=prerouting action=mark routing and choose 1 of the filled in fields. Add your own source match i.e. address list, in-interface etc
---- Optionally: In the above rule I generally add another field, dst-address-list!=PrivateIPs (and I have an address list containing 192.168.0.0/16 172.16.0.0/12 and 10.0.0.0/8 which allows LAN-LAN communication. You can always add an additional firewall filter rule to selectively stop this after the fact