Accessing Mikrotik when using route-mark

tom8823 · November 13, 2015, 8:46am

On my Mikrotik I use 2 WANs from differen ISP.

Let say I have public IP 1.2.3.4 on WAN1 and 5.6.7.8 on WAN2

All my traffic is routed without any routing mark through WAN1. But we have VLAN for guests and I set mark-route and src-nat masquarade to use WAN2. Of course in IP>Router WAN2 has route mark set to “route-guest”.

Everything works fine except I can no longer use WAN2 public IP to access Mikrotika with Winbox and I can’t use WAN2 IP for DST-NAT.

I know that is probably problem with marking traffic but I don’t know how to do that.

Please help

pe1chl · November 13, 2015, 9:36am

You can mark all traffic with the source address equal to the WAN2 address so it will be routed via WAN2.

tom8823 · November 13, 2015, 10:02am

How do I do that? I will be able to access MT with winbox?

tom8823 · November 16, 2015, 11:12am

Can anyone help me?

nickshore · November 16, 2015, 11:24am

If you add a mangle rule which matches new connections with in interface WAN2 and marks them, you can the use that connection mark to make sure that return packets are routed out of WAN2.

eg:

/ip firewall mangle add action=mark-connection chain=input comment="Mark new connections on WAN2" connection-state=new in-interface=WAN2 new-connection-mark=cnxWAN2

/ip firewall mangle add action=mark-routing chain=output comment="route to WAN2" connection-mark=cnxWAN2 dst-address-type=!local \
    new-routing-mark=route-guest passthrough=no

Hope that helps
Nick