apracz
1
Hi,
I have 2 internet links and 2 LANs. On WAN1 my clients access a Terminal Service on the LAN from the internet using NAT: wan1 -> mkt -> TS server.
WAN1 (used by my local users for internet access, fiber2home 150/150MB)
WAN2 (dedicated 20/20mb link, exclusive to Terminal Services access)
With WAN2 I can't connect from the internet to my TS. In the firewall I have created 2 rules:
rule 1 -> from wan1 to port 3389 dst-nat myinternetIP
rule 2 -> from wan2 to port 3389 dst-nat myinternetIP
IP addresses and routes are all OK, but using WAN2 I can't connect to my server.
I don't want to create load balancing or failover.
Do you mark the incoming connections?
If not, the server's replies to requests that arrived on WAN2 will leave via WAN1.
Try this and replace the gateways and interfaces according to your WANs:
/ip route
add distance=1 gateway=1.1.1.1 routing-mark=WAN1_traffic
add distance=1 gateway=2.2.2.2 routing-mark=WAN2_traffic
/ip firewall mangle
add action=mark-connection chain=input comment="WAN1 in -> WAN1 out" in-interface=ether1-WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-routing chain=output comment="WAN1 in -> WAN1 out" connection-mark=WAN1_conn new-routing-mark=WAN1_traffic passthrough=no
add action=mark-connection chain=input comment="WAN2 in -> WAN2 out" in-interface=ether2-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output comment="WAN2 in -> WAN2 out" connection-mark=WAN2_conn new-routing-mark=WAN2_traffic passthrough=no
add action=mark-connection chain=forward comment="WAN1 in -> WAN1 out forward" connection-state=new in-interface=ether1-WAN1 new-connection-mark=WAN1_pfw passthrough=no
add action=mark-routing chain=prerouting comment="WAN1 in -> WAN1 out forward" connection-mark=WAN1_pfw in-interface=LAN1 new-routing-mark=WAN1_traffic passthrough=no
add action=mark-routing chain=prerouting comment="pfw wan1, out wan1" connection-mark=WAN1_pfw in-interface=LAN2 new-routing-mark=WAN1_traffic passthrough=no
add action=mark-connection chain=forward comment="pfw wan2, out wan2" connection-state=new in-interface=ether2-WAN2 new-connection-mark=WAN2_pfw passthrough=no
-Chris
apracz
3
cdiedrich
I tried this config and changed the interface names, but no access, only on WAN1. Below is my config:
Interfaces:
Wan 1 = 01-COPEL-Bel
Wan 2 = 03-Copel-Fixo
Lans:
02-REDE-SERVIDORES
04-REDE-local
/ip route
add distance=1 gateway=1.1.1.1 routing-mark=COPEL_BEL_traffic
add distance=1 gateway=2.2.2.2 routing-mark=COPEL_FIXO_traffic
add distance=1 gateway=1.1.1.1
add distance=1 gateway=2.2.2.2
/ip firewall mangle
add action=mark-connection chain=input comment="COPEL_BEL in -> COPEL_BEL out" in-interface=01-COPEL-Bel new-connection-mark=COPEL_BEL_conn passthrough=yes
add action=mark-routing chain=output comment="COPEL_BEL in -> COPEL_BEL out" connection-mark=COPEL_BEL_conn new-routing-mark=COPEL_BEL_traffic passthrough=no
add action=mark-connection chain=input comment="COPEL_FIXO in -> COPEL_FIXO out" in-interface=03-Copel-Fixo new-connection-mark=COPEL_FIXO_conn passthrough=yes
add action=mark-routing chain=output comment="COPEL_FIXO in -> COPEL_FIXO out" connection-mark=COPEL_FIXO_conn new-routing-mark=COPEL_FIXO_traffic passthrough=no
add action=mark-connection chain=forward comment="COPEL_BEL in -> COPEL_BEL out forward" connection-state=new in-interface=01-COPEL-Bel new-connection-mark=COPEL_BEL_pfw passthrough=no
add action=mark-routing chain=prerouting comment="COPEL_BEL in -> COPEL_BEL out forward" connection-mark=COPEL_BEL_pfw in-interface=02-REDE-SERVIDORES new-routing-mark=COPEL_BEL_traffic passthrough=no
add action=mark-routing chain=prerouting comment="pfw COPEL_BEL, out COPEL_BEL" connection-mark=COPEL_BEL_pfw in-interface=04-REDE-local new-routing-mark=COPEL_BEL_traffic passthrough=no
add action=mark-connection chain=forward comment="pfw COPEL_FIXO, out COPEL_FIXO" connection-state=new in-interface=03-Copel-Fixo new-connection-mark=COPEL_FIXO_pfw passthrough=no
apracz
4
Does anyone know how I can solve it?
Please try this:
/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=WAN2-out passthrough=yes src-address=WAN2-ip-address
/ip route
add comment="WAN2 routing" distance=1 gateway=WAN2-gateway routing-mark=WAN2-out
Replace WAN2-ip-address and WAN2-gateway with your values.
These rules make all packets that come to the WAN2 IP get replied to on the same interface.
Let me know if it worked.
Rgds,
Julio
apracz
6
Hello
I am using this and it works, but my VPN only connects on WAN1; on WAN2 it doesn't connect.
/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection
/ip firewall mangle
add chain=prerouting in-interface=LAN1 connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=LAN1 connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2
/ip firewall mangle
add chain=output src-address=1.1.1.1 action=mark-routing new-routing-mark=to_WAN1
add chain=output src-address=2.2.2.2 action=mark-routing new-routing-mark=to_WAN2
/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=1.1.1.1
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=2.2.2.2
Sob
7
About that config from 2016-12-09, it’s missing rules to mark routing for connections with COPEL_FIXO_pfw mark:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=COPEL_FIXO_pfw in-interface=02-REDE-SERVIDORES new-routing-mark=COPEL_FIXO_traffic passthrough=no
add action=mark-routing chain=prerouting connection-mark=COPEL_FIXO_pfw in-interface=04-REDE-local new-routing-mark=COPEL_FIXO_traffic passthrough=no
And this new one, if it’s supposed to work also with second LAN, has exactly the same problem, i.e. it needs additional:
/ip firewall mangle
add chain=prerouting in-interface=LAN2 connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=LAN2 connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2
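Putting Chris's marking scheme and Sob's missing WAN2 rules together, here is a complete two-WAN "reply out the interface the request came in on" configuration. This is an added example, not a config posted in this thread; it assumes interface names ether1-WAN1 / ether2-WAN2 and LAN1 / LAN2, gateways 1.1.1.1 / 2.2.2.2, and a constructed TS address 192.168.2.10 (replace all of these with your own values).

```routeros
# Added example (not from the thread). Assumed names: ether1-WAN1, ether2-WAN2, LAN1, LAN2,
# gateways 1.1.1.1 / 2.2.2.2, TS server 192.168.2.10 (constructed values, replace them).
/ip route
add distance=1 gateway=1.1.1.1 routing-mark=WAN1_traffic comment="replies that must leave via WAN1"
add distance=1 gateway=2.2.2.2 routing-mark=WAN2_traffic comment="replies that must leave via WAN2"
add distance=1 gateway=1.1.1.1 comment="ordinary default route in the main table (LAN users -> internet)"
/ip firewall mangle
# Services terminated on the router itself (VPN, management): mark on input, route replies on output.
add chain=input in-interface=ether1-WAN1 connection-state=new action=mark-connection new-connection-mark=WAN1_conn passthrough=yes comment="router service reached via WAN1"
add chain=input in-interface=ether2-WAN2 connection-state=new action=mark-connection new-connection-mark=WAN2_conn passthrough=yes comment="router service reached via WAN2"
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=WAN1_traffic passthrough=no comment="router replies go out WAN1"
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=WAN2_traffic passthrough=no comment="router replies go out WAN2"
# Forwarded (dst-nat'd) services such as the TS on 3389: mark the connection on forward,
# then mark routing for the LAN server's reply packets on prerouting, for BOTH LANs and BOTH WANs.
add chain=forward in-interface=ether1-WAN1 connection-state=new action=mark-connection new-connection-mark=WAN1_pfw passthrough=no comment="forwarded connection arrived via WAN1"
add chain=forward in-interface=ether2-WAN2 connection-state=new action=mark-connection new-connection-mark=WAN2_pfw passthrough=no comment="forwarded connection arrived via WAN2"
add chain=prerouting in-interface=LAN1 connection-mark=WAN1_pfw action=mark-routing new-routing-mark=WAN1_traffic passthrough=no
add chain=prerouting in-interface=LAN2 connection-mark=WAN1_pfw action=mark-routing new-routing-mark=WAN1_traffic passthrough=no
add chain=prerouting in-interface=LAN1 connection-mark=WAN2_pfw action=mark-routing new-routing-mark=WAN2_traffic passthrough=no
add chain=prerouting in-interface=LAN2 connection-mark=WAN2_pfw action=mark-routing new-routing-mark=WAN2_traffic passthrough=no
/ip firewall nat
# One dst-nat rule per WAN so the TS is reachable through either public address.
add chain=dstnat in-interface=ether1-WAN1 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.2.10 comment="TS via WAN1"
add chain=dstnat in-interface=ether2-WAN2 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.2.10 comment="TS via WAN2"
add chain=srcnat out-interface=ether1-WAN1 action=masquerade
add chain=srcnat out-interface=ether2-WAN2 action=masquerade
# Verification after a test connection through WAN2: the forward rule counter must increase
# and the tracked connection must carry the WAN2_pfw mark.
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=WAN2_pfw
```

Two caveats a practitioner would check first. A fasttrack-connection rule in /ip firewall filter makes fasttracked packets bypass mangle entirely, so marked connections must be excluded from fasttrack (for example by matching connection-mark=no-mark on the fasttrack rule) or the prerouting mark-routing rules never see the reply packets. And for the output-chain variant (Julio's src-address approach), src-address must be the router's own address on that WAN, not the gateway address; a rule with src-address set to the gateway never matches, so the router's own replies, including VPN responses, keep leaving via the main-table default route.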
apracz
8
Thanks
but with this config I can't connect to my VPN, only on WAN1; WAN2 doesn't connect.
Sob wrote:
> About that config from 2016-12-09, it's missing rules to mark routing for connections with COPEL_FIXO_pfw mark:
> /ip firewall mangle
> add action=mark-routing chain=prerouting connection-mark=COPEL_FIXO_pfw in-interface=02-REDE-SERVIDORES new-routing-mark=COPEL_FIXO_traffic passthrough=no
> add action=mark-routing chain=prerouting connection-mark=COPEL_FIXO_pfw in-interface=04-REDE-local new-routing-mark=COPEL_FIXO_traffic passthrough=no
> And this new one, if it's supposed to work also with second LAN, has exactly the same problem, i.e. it needs additional:
> /ip firewall mangle
> add chain=prerouting in-interface=LAN2 connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
> add chain=prerouting in-interface=LAN2 connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2
apracz
9
I was looking at the access logs: the VPN connects, but the connection OK is not returned on WAN2.
Something is not returning the connection status OK to my client.