I have mostly copied the ideas from this video, https://www.youtube.com/watch?v=67Dna_ffCvc
BUT… it is almost 6 years old now, so maybe setups are more elegant/changed
Everything seems to work fine now, but I need some quality assurance before going live, since I have never played around with the mangle table too much before…
I am running ROS 6.48.1 on a CCR, but labbed it in GNS3 as seen in the picture.
The requirements are pretty simple:
Two LANs, both are NAT’ed.
LAN1 routes everything out via ISP1, with failover to ISP2
LAN2 routes everything out via ISP2, with failover to ISP1
Any input is welcome
(I will fix firewall/potential dstnat rules later)
The configuration:
/interface ethernet
set [ find default-name=ether5 ] disable-running-check=no name=LAN1
set [ find default-name=ether6 ] disable-running-check=no name=LAN2
set [ find default-name=ether1 ] disable-running-check=no name=WAN1
set [ find default-name=ether2 ] disable-running-check=no name=WAN2
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=LAN1 list=LAN
add interface=LAN2 list=LAN
/ip address
add address=192.168.1.1/24 interface=LAN1 network=192.168.1.0
add address=172.16.1.1/24 interface=LAN2 network=172.16.1.0
add address=15.15.15.2/24 interface=WAN1 network=15.15.15.0
add address=26.26.26.2/24 interface=WAN2 network=26.26.26.0
/ip firewall address-list
add address=192.168.1.0/24 list=LAN1
add address=172.16.1.0/24 list=LAN2
add address=192.168.1.0/24 list=ALL_LAN
add address=172.16.1.0/24 list=ALL_LAN
/ip firewall mangle
# LAN-originated traffic: choose the preferred ISP by source LAN (LAN-to-LAN traffic stays unmarked)
add action=mark-routing chain=prerouting dst-address-list=!ALL_LAN new-routing-mark=ISP1_PREF src-address-list=LAN1
add action=mark-routing chain=prerouting dst-address-list=!ALL_LAN new-routing-mark=ISP2_PREF src-address-list=LAN2
# Connections to the router itself arriving on a WAN: remember which ISP they came in on...
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=ISP1>WAN1
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=ISP2>WAN2
# ...and send the router's replies back out through the same ISP
add action=mark-routing chain=output connection-mark=ISP1>WAN1 new-routing-mark=ISP1_PREF
add action=mark-routing chain=output connection-mark=ISP2>WAN2 new-routing-mark=ISP2_PREF
# Connections initiated from the Internet towards the LANs (dst-nat): remember the ingress ISP...
add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1>LANs
add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2>LANs
# ...and route the LAN hosts' replies back out through that ISP (this re-mark wins over the per-LAN preference above)
add action=mark-routing chain=prerouting connection-mark=WAN1>LANs new-routing-mark=ISP1_PREF src-address-list=ALL_LAN
add action=mark-routing chain=prerouting connection-mark=WAN2>LANs new-routing-mark=ISP2_PREF src-address-list=ALL_LAN
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=ALL_LAN
add action=dst-nat chain=dstnat dst-port=2222 protocol=tcp to-addresses=192.168.1.2 comment="test dstnat to internal network"
/ip route
# ISP2_PREF table: ISP2 first, fall back to ISP1
add check-gateway=arp distance=10 gateway=26.26.26.1 routing-mark=ISP2_PREF
add check-gateway=arp distance=20 gateway=15.15.15.1 routing-mark=ISP2_PREF
# ISP1_PREF table: ISP1 first, fall back to ISP2
add check-gateway=arp distance=10 gateway=15.15.15.1 routing-mark=ISP1_PREF
add check-gateway=arp distance=20 gateway=26.26.26.1 routing-mark=ISP1_PREF
# main table: unmarked traffic (e.g. connections the router itself originates)
add check-gateway=arp distance=5 gateway=26.26.26.1
add check-gateway=arp distance=5 gateway=15.15.15.1
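The failover in the posted routes hinges on check-gateway=arp, which only reacts when the next-hop router stops answering ARP; an ISP whose CPE is up but whose uplink is down still passes that check, so the route stays active and traffic is black-holed. A common way to detect that case is to use recursive routes with check-gateway=ping: a host route pins a remote probe address to each ISP, and the default routes use that probe address as their gateway, so they are only active while the probe actually answers through that ISP. The block below is an added example written for this post; it is not the poster's configuration and not taken from the linked video. It assumes the same interfaces, addresses and routing marks as the post, and the probe addresses 8.8.8.8 and 1.1.1.1 are example choices (any reliable host that each ISP can reach will do).

```routeros
# Added example: ping-based failover with recursive routes, replacing the
# check-gateway=arp routes of the original /ip route section.
# Assumptions: WAN1 next hop 15.15.15.1 (ISP1), WAN2 next hop 26.26.26.1 (ISP2),
# routing marks ISP1_PREF / ISP2_PREF as set by the mangle rules in the post,
# and the example probe hosts 8.8.8.8 (via ISP1) and 1.1.1.1 (via ISP2).
/ip route
# Host routes that pin each probe address to one ISP. scope=10 allows the
# default routes below to resolve their gateway through these entries
# (a static route's target-scope is 10 by default).
add dst-address=8.8.8.8/32 gateway=15.15.15.1 scope=10 comment="probe host reached via ISP1"
add dst-address=1.1.1.1/32 gateway=26.26.26.1 scope=10 comment="probe host reached via ISP2"
# ISP1_PREF table: ISP1 first, ISP2 as fallback. The gateway is the probe
# address itself, so the route goes inactive when pings through that ISP fail.
add gateway=8.8.8.8 check-gateway=ping distance=10 routing-mark=ISP1_PREF
add gateway=1.1.1.1 check-gateway=ping distance=20 routing-mark=ISP1_PREF
# ISP2_PREF table: ISP2 first, ISP1 as fallback
add gateway=1.1.1.1 check-gateway=ping distance=10 routing-mark=ISP2_PREF
add gateway=8.8.8.8 check-gateway=ping distance=20 routing-mark=ISP2_PREF
# main table for unmarked traffic (router-originated connections). Distinct
# distances are used here so the preferred default is unambiguous.
add gateway=8.8.8.8 check-gateway=ping distance=5
add gateway=1.1.1.1 check-gateway=ping distance=6
```

Two things to keep in mind with this layout: the host routes force all unmarked traffic to the probe addresses out through the pinned ISP, so do not pick a probe host that the LANs also use as their DNS server unless that pinning is acceptable, and the probe only proves reachability of that one host, so choose something that is stable and not rate-limiting ICMP. Verifying the result is a matter of watching /ip route for the routes losing their active flag when one ISP's upstream (rather than its gateway) is cut in the lab.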
