Hi.
I have CCR-1016-12G.
Everywhere I found manuals and examples for 2 WAN with load balancing.
I need an example for 2 WAN WITHOUT load balancing for a similar configuration:
1WAN with IPsec ----> |--------| -----> LAN with 2 subnets ex. 10.x.1.1/24 and 10.x.2.1/24
                      |  CCR   |
2WAN            ----> |--------| -----> LAN with 3 subnets ex. 10.x.5.1/24 10.x.6.1/24 10.x.7.1/24
How to configure the router between:
1WAN ← traffic → LAN with 2 subnets,
2WAN ← traffic → LAN with 3 subnets and
LAN with 2 subnets ← traffic → LAN with 3 subnets.
In routes, establish your WAN routes requiring the routing mark corresponding to the LAN you want routed out of it.
This is the problem.
Are WAN1 and WAN2 set for load balancing by default on CCR?
If I set parameter “distance=1” on both WANs, WAN1 is not responding.
WAN1 distance=1, WAN2 distance=2 - all traffic goes to WAN1. Routing-mark is not working.
How do I set routes for 2 WAN without load balancing?
This config has to work. It doesn’t have the load-balancing mode, but it has the failover mode.
You have to change “x” in 10.x.5.1 and 10.x.7.254.
Uncheck the “Add default route” box in both ISP connections, if it is in use now.
Also change AAA.AAA.AAA.AAA to the IP address of the ISP1 gateway (only the IP! not an interface name etc.)
And BBB.BBB.BBB.BBB to the IP address of the ISP2 gateway (only the IP! not an interface name etc.)
The other IP addresses used here are for ping-checking the internet. They are public DNS servers.
/ip firewall address-list
add list=static-wan2 address=10.x.5.1-10.x.7.254 comment="IP to WAN2"
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark STATIC route to WAN2" dst-address-type=!local new-routing-mark=to-wan2 src-address-list=static-wan2
/ip route
add comment="STATIC Route-1 to WAN2" distance=1 gateway=192.168.100.2 routing-mark=to-wan2
add comment="STATIC Route-2 to WAN2" distance=2 gateway=192.168.100.1 routing-mark=to-wan2
add comment="Default Route to WAN1" distance=1 gateway=192.168.100.1
add comment="Default Route to WAN2" distance=2 gateway=192.168.100.2
add check-gateway=ping comment="Virtual host for ISP1-host1" distance=1 dst-address=192.168.100.1/32 gateway=151.197.0.38 scope=10
add check-gateway=ping comment="Virtual host for ISP1-host2" distance=2 dst-address=192.168.100.1/32 gateway=4.2.2.1 scope=10
add check-gateway=ping comment="Virtual host for ISP2-host1" distance=1 dst-address=192.168.100.2/32 gateway=151.197.0.39 scope=10
add check-gateway=ping comment="Virtual host for ISP2-host2" distance=2 dst-address=192.168.100.2/32 gateway=4.2.2.2 scope=10
add comment="Static PING way by ISP1-host1" distance=1 dst-address=151.197.0.38/32 gateway=AAA.AAA.AAA.AAA scope=10
add comment="Static PING way by ISP1-host2" distance=1 dst-address=4.2.2.1/32 gateway=AAA.AAA.AAA.AAA scope=10
add comment="Static PING way by ISP2-host1" distance=1 dst-address=151.197.0.39/32 gateway=BBB.BBB.BBB.BBB scope=10
add comment="Static PING way by ISP2-host2" distance=1 dst-address=4.2.2.2/32 gateway=BBB.BBB.BBB.BBB scope=10
add comment="HELP for reverse GW1(1)" distance=20 dst-address=151.197.0.38/32 type=blackhole
add comment="HELP for reverse GW1(2)" distance=20 dst-address=4.2.2.1/32 type=blackhole
add comment="HELP for reverse GW2(1)" distance=20 dst-address=151.197.0.39/32 type=blackhole
add comment="HELP for reverse GW2(2)" distance=20 dst-address=4.2.2.2/32 type=blackhole
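The following Python model is an added illustration of how the routes above select an uplink; it is not part of the original post and is not RouterOS code. It assumes x=20 for the "x" placeholder, that marked packets are looked up in the to-wan2 table first and fall back to main only when no route there is active, and that each probe host answers only through its own ISP; the names X, routing_mark, hop_up and egress are hypothetical.

```python
import ipaddress

X = 20  # constructed value for the "x" placeholder in 10.x.*.* on the page

# Probe hosts behind each virtual next hop, copied from the posted routes.
PROBES = {
    "192.168.100.1": ("151.197.0.38", "4.2.2.1"),  # pinned to ISP1 gateway
    "192.168.100.2": ("151.197.0.39", "4.2.2.2"),  # pinned to ISP2 gateway
}
WAN = {"192.168.100.1": "WAN1", "192.168.100.2": "WAN2"}

# The four 0.0.0.0/0 routes as (routing table, distance, virtual gateway).
DEFAULTS = [
    ("to-wan2", 1, "192.168.100.2"), ("to-wan2", 2, "192.168.100.1"),
    ("main", 1, "192.168.100.1"), ("main", 2, "192.168.100.2"),
]
# Connected LAN routes exist only in the main table (assumed /24 per subnet).
LANS = [ipaddress.ip_network(f"10.{X}.{n}.0/24") for n in (1, 2, 5, 6, 7)]


def routing_mark(src):
    """Mangle rule: sources in address-list static-wan2 get mark to-wan2."""
    lo, hi = (int(ipaddress.ip_address(f"10.{X}.{s}")) for s in ("5.1", "7.254"))
    return "to-wan2" if lo <= int(ipaddress.ip_address(src)) <= hi else "main"


def hop_up(hop, answering):
    """A virtual hop resolves while at least one of its probes answers pings."""
    return any(p in answering for p in PROBES[hop])


def egress(src, dst, answering):
    """Return 'LAN', 'WAN1', 'WAN2' or None for a forwarded (non-local) packet."""
    mark = routing_mark(src)
    for table in dict.fromkeys((mark, "main")):  # marked table, then main
        if table == "main" and any(ipaddress.ip_address(dst) in n for n in LANS):
            return "LAN"  # more specific connected route wins in main
        # Tuples sort by distance within one table; first reachable hop wins.
        for _, _, hop in sorted(r for r in DEFAULTS if r[0] == table):
            if hop_up(hop, answering):
                return WAN[hop]
    return None
```

In this model a packet from the three marked subnets to the other two LAN subnets follows the to-wan2 default route while either uplink is up, because the connected LAN routes exist only in the main table. Excluding LAN destinations from the mark-routing rule keeps that traffic local.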
Thank you for your interest and patience.
I found another solution - Policy Based Routing - from Butch Evans’ blog.
It’s working fine for me. Easy configuration without “blackhole” and other options for experts.
bingo220 - does your configuration really have the failover mode for VPN with IPsec?
Thank you for interesting example configuration.
Check it out at the next lesson with RouterOS and more WAN.