CHR Router - 2 ISP Hetzner

SwaggerRO · September 20, 2020, 4:37pm

Hello,

I’m having some troubles completing a connection on my Mikrotik router (CHR) on a Proxmox hosted on a Hetzner server.

So we have the same ISP (Hetzner) that’s providing access via vSwitch and via subnet.

Internet access and IP’s are setup and working with the vSwitch but now I want to add a second WAN, on a different ethernet port, but without success. I’ve been searching through topics but without any finality.

I have the configuration in the next way:

ether1 - for vSwitch → IP’s starting with 116.xxx.xxx.xxx → for this I use as GW the IP starting with 116.
ether4 - for subnet → IP’s starting with 46.xxx.xxx.xxx → for this I use as GW the IP starting with 195.

I want to setup 2 WAN on the same time, not failover or another method. I want to access both public IPv4’s from vSwitch and from the subnet that’s routed via the public IP from the Dedicated server.

I think it’s a very easy thing using Mangle and mark routes but I can’t figure it out.

I’ll attach some photos of what I did since now.

ip address.png

SwaggerRO · September 26, 2020, 2:43pm

Anybody, any ideea?

Couldn’t find any way to make it work.

mkx · September 26, 2020, 6:16pm

I guess you’re after Policy Based Routing…

SwaggerRO · September 26, 2020, 7:29pm

And how should I do that?

Any hints?

I sent you a private message :).

mkx · September 26, 2020, 7:33pm

Never did PBR myself, so hopefully someone experienced will drop by.

Your PM brought me here … slightly faster than I’d come on my own.

SwaggerRO · September 26, 2020, 7:40pm

Oh, got it.

Thanks for help anyway. Tried now to do PBR like the tutorial on mikrotik but no success, it’s not working. - https://wiki.mikrotik.com/wiki/Policy_Base_Routing

Sob · September 26, 2020, 7:50pm

If it’s all static, you can use routing rules, e.g.:

/ip route rule
add src-address=116.x.x.x/xx table=ISP2

Other way is to use firewall mangle:

/ip firewall mangle
add chain=prerouting src-address=116.x.x.x/xx action=mark-routing new-routing-mark=ISP2

The latter gives you more control, you can for example route only traffic to selected ports.

And “not working” is not useful info, you need to find out what exactly doesn’t work. You can start with:

/tool traceroute address=8.8.8.8 routing-table=ISP2

to see if access to internet via ISP2 works from router.

SwaggerRO · September 29, 2020, 1:06pm

@Sob thanks for your reply!

I’m sorry that I didn’t detailed the issue, I’ll try to be more specific now.

So we have the next sittuation.

ether1 - ISP1 → 116.202.xxx.xxx/29 subnet that’s routed via IP 116.202.xxx.xxx
ether 4 - ISP2 → 46.4.xxx.xxx/27 subnet that’s routed via IP 195.201.xxx.xxx

I’ve made the changes that you suggested, I see that traceroute works but if I ping one of the /27 subnet IP Addresses, I don’t receive an reply.

Please see attached screenshots.

Sob · September 30, 2020, 2:50pm

If you want to route between the two subnets, you need to either exclude them from marking, add route(s) to them in other routing table(s), or use simple and foolproof (before all others):

/ip route rule
add action=lookup-only-in-table dst-address=116.202.xxx.xxx/29 table=main
add action=lookup-only-in-table dst-address=46.4.xxx.xxx/27 table=main