2 wans with same gateway (not failover)

kenigoff · June 23, 2016, 10:14pm

hello,

i’m struggled with configuring 2 wans from same ISP which share same ISP’s gateway.
i created manualy 2 routes:
add distance=2 gateway=x.x.x.0%TIS_15 pref-src=x.x.x.207
add distance=1 gateway=x.x.x.0.0%TIS_100 pref-src=x.x.x.22
route with distance 1 is active although route with distance 2 is not active,but enabled (so all lan ips routed to this interface don’t have internet). can you point me, what should i do?
i have lot’s of mangle rules which are working well and if should i create another 1 or 2? i need both wan interfaces work same time (not failover), for different local subnets.

Please, advice

ZeroByte · June 23, 2016, 10:21pm

If the ISP is using PPPoE, ask them if they can support MLPPP - you can then bond the two using MLPPP and it will automatically do all of the load-balancing and fault protection for you.

kenigoff · June 23, 2016, 10:33pm

i don’t need any kind of load-balancing. i have 1 wan for internet from my lan (working) and 2 wan for published services (different subnet). and no, my ISP doesn’t provide any additional services free of charge (especially MLPPP). both wan with static public ip.

kenigoff · June 24, 2016, 10:03am

no thoughts? i’ve tried many ways already, but it just doesn’t want to work. i know how to make it work using cisco ios, but no clue in routeros.
trick with % doesn’t work (in one route, 2 gateways and 2 routes with same gateway with %). also, tried to put pref-src, still nothing.

BlackVS · June 24, 2016, 10:34am

i have 1 wan for internet from my lan (working) and 2 wan for published services (different subnet).

If shortly:

Set default gateway to the first provider in the main routing table (i.e. no routing mark set in route).
Create the other routing table with different name (for example, routing mark set as “WAN2”) and set default gateway to the second provider in this table .This table will be used for marked connections only.
Mark connections incoming to wan2 for example “to_wan2” (mark connections as “to_wan2” in forward chain for wan2 interface as input) and use second routing table for marked connections for outgoing to global packets (do mark routing as “WAN2” in prerouting chain for packets coming from lan interface and going to global dst addresses).
Of course dst-nat on wan2 for published services.
If you want to force some services to use wan2 for Internet access (from lan to global) - add corresponding mark routing as WAN2 rule in prerouting chain - for example, set mark route as wan2 for connections from certain src-address to global dst-addresses.
Remember - mark connection just marks connection. And nothing more. Packet goes as usually. Which route table to use is set by further mark routing rules.

kenigoff · June 24, 2016, 10:38am

thanks. created 2 routing tables (main and other) , created 2 routes, default and second marked and it works, even without marking traffic in mangle. i just don’t use masquarade, only src-nat with " to ip address".

kenigoff · June 27, 2016, 10:11am

hi again, strange but scheme works only sometimes, i.e. it works now, but later, in 10 minutes i see it doesn’t work.
check, if everything is correct (published-7 is lan, 10.10.254.0 lan subnet, x.x.x.207 public ip):
mangle:
add action=mark-connection chain=forward in-interface=tis115 new-connection-mark=to_tis115 passthrough=no
add action=mark-routing chain=prerouting connection-mark=to_tis115 dst-address=x.x.x.207 in-interface=published-7 new-routing-mark=TIS15 passthrough=no
add action=mark-routing chain=prerouting dst-address=x.x.x.207 new-routing-mark=TIS15 passthrough=no src-address=10.10.254.0/24
add action=mark-routing chain=prerouting dst-address=8x.x.x.207 new-routing-mark=TIS15 passthrough=no

routes:
add distance=1 gateway=tis100
add distance=1 gateway=tis115 routing-mark=TIS15

/ip route rule
add routing-mark=TIS15 src-address=10.10.254.0/24 table=TIS15

BlackVS · June 27, 2016, 10:38am

add action=mark-routing chain=prerouting connection-mark=to_tis115 dst-address=x.x.x.207 in-interface=published-7 new-routing-mark=TIS15 passthrough=no
add action=mark-routing chain=prerouting dst-address=x.x.x.207 new-routing-mark=TIS15 passthrough=no src-address=10.10.254.0/24
add action=mark-routing chain=prerouting dst-address=8x.x.x.207 new-routing-mark=TIS15 passthrough=no

Looks strange… x.x.x.207 and 8x.x.x.207 - where they are?

Try one this instead three:

add action=mark-routing chain=prerouting connection-mark=to_tis115 dst-address=!10.0.0.0/8 new-routing-mark=TIS15 passthrough=no

I.e. if - any - connection already has mark to_tis1155 and dst-address is not local (!10.0.0.0/8 in our case) - use TIS15 routing table.

kenigoff · June 27, 2016, 10:54am

tried yours, still nothing.should i mark forwarded ports as well?internet access from 10.10.254.0/24 doens’t work also.

BlackVS · June 27, 2016, 12:24pm

Ok. I propose to start from every beginning %) becuase I suspect that we talk about different little bit things.
Please paint diagram - you network and that you want exactly to get. With subnets, gates, etc.

kenigoff · June 27, 2016, 1:38pm

WAN1&WAN2 (PPPoE statis IP’s) links come from same ISP (same gateway). Published servers on 10.10.254.0/24 subnet. Also i need to access internet from 10.10.254.0/24
Othe subnets are working very well with WAN1 link

kenigoff · June 28, 2016, 7:52am

no thoughts?

deejayq · June 28, 2016, 8:38am

/ip route rule
add src-address=10.10.254.0/24 table=via-207
add src-address=192.168.0.0/24 table=via-22
add src-address=192.168.1.0/24 table=via-22
add src-address=192.168.2.0/24 table=via-22

/ip route
add dst-address=0.0.0.0/0 gateway=(the interface on which x.x.x.207 is set) routing-mark=via-207
add dst-address=0.0.0.0/0 gateway=(the interface on which x.x.x.22 is set) routing-mark=via-22
(i think there is a mistake in your diagram, the gateway provided by your isp can be x.x.x.0 in certain conditions, but i don’t think that is your case, so i assume is x.x.x.1)

this should work (you could also add a default route without any routing-mark, for traffic originating from the router itself.
after that you can add masquerading or other nat-ing.

kenigoff · June 28, 2016, 11:25am

gateway actualy is x.x.x.0
i suppose i should use mangle rules above as well?

BlackVS · June 29, 2016, 7:23am

To clarify - published servers should be accessible from Internet via WAN2 and go to the Internet via same WAN2 only?
All other - non published - should use only WAN1?
Later I will do sample configuration for testing and if all Ok - will publish here config.

BlackVS · June 29, 2016, 4:07pm

Just playing with similar to your network - see work config below.
I started from default config.
Here is I show two possible ways - route rules (variant 1) and mangle mark route (variant 2). Here they are equal. But variant 2 is more flexible.
In the case if you wish publish same services via both wan’s in the same time - mark connections rules needed.

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-lan0
set [ find default-name=ether3 ] name=ether3-lan1
set [ find default-name=ether4 ] name=ether4-lan2
set [ find default-name=ether5 ] name=ether5-published
/interface pppoe-client
add disabled=no interface=ether1-gateway name=pppoe-out1 password=ppp1 user=ppp1
add disabled=no interface=ether1-gateway name=pppoe-out2 password=ppp2 user=ppp2
/ip pool
add name=pool-0 ranges=192.168.0.100-192.168.0.199
add name=pool-2 ranges=192.168.2.100-192.168.2.199
add name=pool-1 ranges=192.168.1.100-192.168.1.199
add name=pool-254 ranges=10.10.254.100-10.10.254.199
/ip dhcp-server
add address-pool=pool-0 disabled=no interface=ether2-lan0 name=server0
add address-pool=pool-1 disabled=no interface=ether3-lan1 name=server1
add address-pool=pool-2 disabled=no interface=ether4-lan2 name=server2
add address-pool=pool-254 disabled=no interface=ether5-published name=server254
/ip address
add address=192.168.0.1/24 interface=ether2-lan0 network=192.168.0.0
add address=192.168.2.1/24 interface=ether4-lan2 network=192.168.2.0
add address=192.168.1.1/24 interface=ether3-lan1 network=192.168.1.0
add address=10.10.254.254/24 interface=ether5-published network=10.10.254.0
/ip dhcp-client
add add-default-route=no comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server lease
add address=10.10.254.10 client-id=1:0:c:42:cf:40:db mac-address=00:0C:42:CF:40:DB server=server254
/ip dhcp-server network
add address=10.10.254.0/24 dns-server=8.8.8.8 gateway=10.10.254.254
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add chain=input comment="default configuration" dst-port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Forward all from ether5-published to wan2. Variant2" in-interface=\
    ether5-published new-routing-mark=to-wan2
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out2
add action=dst-nat chain=dstnat comment=\
    "Publish 10.10.254.10 in Internet via WAN2" dst-address=10.177.2.22 \
    dst-port=80 in-interface=pppoe-out2 protocol=tcp \
    to-addresses=10.10.254.10
/ip route
add comment="Default gateway for published" distance=1 gateway=10.177.2.1%pppoe-out2 routing-mark=to-wan2
add comment="Default gateway for all" distance=1 gateway=10.177.2.1%pppoe-out1
/ip route rule
add action=lookup-only-in-table comment=\
    "Forward all from ether5-published to wan2. Variant1" disabled=yes \
    interface=ether5-published table=to-wan2

skyctgbd · June 29, 2016, 6:44pm

Try defining the outbound interface.
For example replace this.

/ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.4 routing-mark=to_wan-ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.4 routing-mark=to_wan-ISP2 check-gateway=ping

With following

/ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.4%eth1-ISP routing-mark=to_wan-ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.4%eth2-ISP routing-mark=to_wan-ISP2 check-gateway=ping

Replace the eth1-ISP with your own wan interface name , use the notation % for sure.
If it works , let me know.