Access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP)

RouterOS General
1

Hello there! I ran into a very primitive problem, namely: Configuring access to MikroTik CCR1016-12G via two IP addresses (2 WAN IP).

I will describe the whole problem comprehensively.
I’m exploring the Internet in search of instructions for configuring the above functions, I found one solution to this problem - packet labeling. Using this method, I did not achieve the desired result, but I got at least something.

The chain of events and settings: All actions were performed by me through WinBox, the terminal commands are given for a visual demonstration of my actions.

  1. Setting rules Firewall Mangle - Made rules 4 (two for each provider):
/ip firewall mangle 
add action=mark-connection chain=input dst-address=111.111.111.111 in-interface=ETH1 new-connection-mark=OBIT passthrough=no 
add action=mark-routing chain=output connection-mark=OBIT new-routing-mark=OBIT passthrough=no 
add action=mark-connection chain=input dst-address=222.222.222.222 in-interface=ETH2 new-connection-mark=RTLK passthrough=no 
add action=mark-routing chain=output connection-mark=RTLK new-routing-mark=RTLK passthrough=no
  1. After that, I went to configure the Route List (two routes, one for each provider):
/ip route
add distance=1 gateway=111.111.111.111 routing-mark=OBIT
add distance=1 gateway=222.222.222.222 routing-mark=RTLK

It should be noted that before this stage, the device was fully configured (client devices had access to the Internet). All I did was add

routing-mark=****

for each of the routes. After that, the Internet on the client devices completely disappeared.
3. I studied the situation a little and found information that it is necessary to make 2 more static routes to 0.0.0.0/0 for each of the providers – I did it and the access to the Internet for client devices appeared again.
However, access to the MikroTik CCR1016-12G device appeared only through one of the external IP addresses.

Next, I will describe checking the result:

  1. Going to the address 111.111.111.111 to which routing-mark=OBIT is assigned - I get access to the web interface of the device
  2. Going to the address 222.222.222.222 which is assigned routing-mark=RTLK - I do not get access to the web interface of the device
  3. I disconnect (manually – by pulling out the provider’s wire) 111.111.111.111
  4. I check access by 222.222.222.222 which is assigned routing-mark=RTLK - I get access to the web interface of the device
  5. I connect 111.111.111.111 back – the device thinks a little.
  6. I check access by 222.222.222.222 which is assigned routing-mark=RTLK - I do not get access to the web interface of the device
  7. I check access by 111.111.111.111 which is assigned routing-mark=OBIT - I get access to the web interface of the device
  8. I’m sad and I don’t understand why this is happening.

The client device is connected by a wire to the MikroTik CCR1016-12G, when one of the WAN is disconnected, it thinks a little (about 1 minute) and the connection is restored. I checked on a public website to view the IP address updating it, when I turn on the WAN back, I also think and the IP address changes.

I can take screenshots or give the device configuration on request. There is nothing secret about it.

2

Look at this post. Read its last paragraph first to get the relationship to your case.

3

Thank you, a good solution!
Fortunately, it was not useful, but I took it into account for further study of this equipment.

It was easier, I use PPPOE on one of the WANs and specified the wrong " in. Interface " based on the physical port, not on the PPPOE connection.

4

So you actually did use connection-mark already before posting? Because without assigning a connection-mark to incoming connections based on in-interface, you cannot assign the correct routing-mark to the response packets of these connections. As you’ve mentioned a wrong in-interface now, it seems to be the case, but in your OP, you haven’t mentioned the use of connection-mark, hence I’ve pointed you to that summary post.