Config 2 routers to access the same local server, double WAN, how?

Hello everyone, as a newcomer to the MikroTik business, I would like some support please, as I can’t get any further even after trying for days.
Besides, I’m not even sure if it can be realized like that.

The plan would be to configure two routers, each of which has its own WAN connection, so that the same internal web server is reachable from both external WAN IP addresses.
Quite simply, without a load balancer, just a failover.

Short overview:

In detail:
Router 1 is a MikroTik 55xx (local network 192.168.2.0/24) and the main router; the WAN connection is PPPoE in combination with a modem. The firewall and NAT rules run here. A web server sits behind it, and it is precisely this web server and co. that should be accessible from outside via both WAN addresses.

Everything works over the WAN1 connection.

Router 2 is a MikroTik 33xx with LTE access; it depends on Router 1 in the local network as a DHCP client for management.
The WAN2 connection goes to Router 1 via a VLAN (IP 192.168.10.0/24, on the bridge); the DHCP server for it is on Router 2.
Routes have been entered so far.

If the WAN1 connection is disabled, outbound traffic works over the LTE WAN2 connection. I get an internet connection as a failover.

What doesn’t work is accessing the local web server from outside via WAN2 (LTE),
no matter how I arrange the NAT or set up the firewall.

Passthrough doesn’t work either; I can’t access the internet at all.

I would prefer to manage the NAT rules only on Router 1.

Keyword CGNAT: that shouldn’t be a problem. I found an AP where I can get a real IP. → If activated, I can access the HTTP page of Router 2 via the WAN2 IP.

Config main router 1:

/interface list
add name=WAN
add name=LAN
add name=FreiFunk
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dpd-maximum-failures=3
/ip pool
add name="DHCP LAN" ranges=192.168.2.34-192.168.2.254
add name=dhcp_Wlan_Gast ranges=192.168.20.7-192.168.20.254
/ip dhcp-server
add address-pool="DHCP LAN" interface="LAN Bridge" lease-time=12h name=\
    "DHCP LAN"
add address-pool=dhcp_Wlan_Gast interface=VLAN20_WLAN_GAST lease-time=12h30m \
    name="dhcp WLAN Gast"


/interface bridge port
add bridge="LAN Bridge" interface=ether2
add bridge="LAN Bridge" interface=ether3
add bridge="LAN Bridge" interface=ether4
add bridge="LAN Bridge" interface=ether5
add bridge="LAN Bridge" interface=ether6
add bridge="LAN Bridge" interface=sfp-sfpplus1
add bridge="LAN Bridge" interface=ether1
add bridge="LAN Bridge" disabled=yes interface=ether7_WAN1
add bridge=Bridge_VLAN20 interface=VLAN20_WLAN_GAST
add bridge=Bridge_VLAN20 interface=WLAN_GAST_AP2
add bridge="LAN Bridge" interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes

/interface list member
add comment="LAN Netz" interface="LAN Bridge" list=LAN
add comment=WAN interface=PPOE list=WAN
add interface=wireguard-VPN list=LAN
add interface=VLAN10_LTE_WAN list=WAN


/ip dhcp-client
add default-route-distance=3 interface=VLAN10_LTE_WAN use-peer-ntp=no

/ip firewall address-list
add address=xxxxxx.sn.mynetname.net list=WAN-IP
add address=192.168.2.12 comment="Exchange server distribution via DNS" \
    list=owa
add address=232.0.0.0/16 list=Multicast
add address=239.35.0.0/16 list=Multicast
add address=224.0.0.0/4 list=Multicast
add address=192.168.2.14 list=owa
add address=xxxxxxxxx.sngh.mynetname.net list=WAN-IP

/ip firewall filter
add action=drop chain=input comment="WAN -> FW | Block Ping" icmp-options=\
    8:0-255 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="IP-TV Multicast" dst-address-list=\
    Multicast
add action=accept chain=forward dst-address-list=Multicast
add action=accept chain=input comment=\
    "GENERAL | Allow established connections" connection-state=\
    established,related
add action=accept chain=input comment="LAN -> FW | Allow access" \
    in-interface="LAN Bridge"
add action=accept chain=input comment="VPN -> FW | Allow access" \
    in-interface=wireguard-VPN src-address=192.168.15.2
add action=accept chain=input comment="WAN -> FW | WireGuard access" \
    dst-port=518 protocol=udp
add action=accept chain=input dst-address=192.168.15.1 in-interface=\
    wireguard-VPN
add action=accept chain=input comment="WLAN guest | DNS" dst-port=53 \
    in-interface=VLAN20_WLAN_GAST protocol=udp
add action=drop chain=forward comment="VPN coding, allow only the coding port" \
    in-interface=wireguard-VPN protocol=tcp src-address=192.168.15.15 \
    src-port=!6801
add action=accept chain=forward comment="VPN -> LAN | Network access" \
    dst-address=!192.168.15.0/24 in-interface=wireguard-VPN out-interface=\
    "LAN Bridge" src-address-list=""
add action=accept chain=input comment="L2TP -> LAN | Internal VPN" dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 protocol=tcp
add action=drop chain=input comment=\
    "GENERAL | Drop everything without connection state"
add action=accept chain=forward comment="LAN -> WAN | Allow access" \
    in-interface="LAN Bridge" out-interface-list=WAN
add action=accept chain=forward comment="VPN -> WAN | Allow access" \
    in-interface=wireguard-VPN out-interface-list=WAN
add action=accept chain=forward comment="WLAN guest -> WAN | Allow access" \
    in-interface=VLAN20_WLAN_GAST out-interface-list=WAN
add action=drop chain=forward comment=\
    "WLAN guest -> Int. | No internal access" in-interface=VLAN20_WLAN_GAST
# The comment says "established connections" but the posted rule had no
# connection-state matcher and therefore accepted every forwarded packet;
# the matcher is added here so the rule does what its comment states.
add action=accept chain=forward comment=\
    "GENERAL | Allow established connections" connection-state=\
    established,related
add action=drop chain=forward comment=\
    "GENERAL | Drop everything not defined"

/ip firewall mangle
add action=mark-packet chain=prerouting connection-mark=igmp_con \
    new-packet-mark=igmp_pkt passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=Multicast \
    new-connection-mark=igmp_con passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | HTTP Webserver" \
    dst-address-list=WAN-IP dst-port=80 protocol=tcp to-addresses=\
    192.168.2.29
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | HTTPS Webserver" \
    dst-address-list=WAN-IP dst-port=443 protocol=tcp to-addresses=\
    192.168.2.29
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | FTP" \
    dst-address-list=WAN-IP dst-port=20-21 protocol=tcp to-addresses=\
    192.168.2.13
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | S-FTP" \
    dst-address-list=WAN-IP dst-port=990 protocol=tcp to-addresses=\
    192.168.2.13
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | FTP Data" \
    dst-address-list=WAN-IP dst-port=49400-49499 protocol=tcp to-addresses=\
    192.168.2.13
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | Imap4-Safe" \
    dst-address-list=WAN-IP dst-port=993 protocol=tcp to-addresses=\
    192.168.2.29
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | POP3-Safe" \
    dst-address-list=WAN-IP dst-port=995 protocol=tcp to-addresses=\
    192.168.2.29
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | POP3" \
    dst-address-list=WAN-IP dst-port=110 protocol=tcp to-addresses=\
    192.168.2.29
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | Imap4" \
    dst-address-list=WAN-IP dst-port=143 protocol=tcp to-addresses=\
    192.168.2.29
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | SMTP-Clients" \
    dst-address-list=WAN-IP dst-port=587 protocol=tcp to-addresses=\
    192.168.2.29
add action=dst-nat chain=dstnat comment="WAN -> SNET01 | SMTP to Server" \
    dst-address-list=WAN-IP dst-port=25 protocol=tcp to-addresses=\
    192.168.2.29


/ip route
add disabled=no distance=1 dst-address="" gateway=192.168.2.27 routing-table=\
    *400 suppress-hw-offload=no
add disabled=no distance=1 dst-address="" gateway=PPOE-Telekom pref-src="" \
    routing-table=*401 scope=30 suppress-hw-offload=no target-scope=10


/routing igmp-proxy interface
add alternative-subnets=87.141.215.251/32 interface=PPOE-Telekom upstream=yes
add interface="LAN Bridge"

Config router 2, LTE:
# model = RBM33G

/interface bridge
add comment="LTE VLAN Bridge" name=Bridge10
add admin-mac=48:A9:8A:0B:F8:81 auto-mac=no comment=defconf name=bridgeLocal

/interface vlan
add interface=bridgeLocal name=VLAN10_LTE vlan-id=10
/interface list
add name=LTE

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=172.16.0.10-172.16.0.25
add name=dhcp_pool1 ranges=192.168.10.7-192.168.10.10
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge10 lease-time=12h30m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1

/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal interface=ether1
add bridge=bridgeLocal interface=wlan1
add bridge=Bridge10 interface=VLAN10_LTE
add bridge=Bridge10 interface=LTE
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=lte1 list=LTE

/ip address
add address=192.168.2.27/24 interface=ether1 network=192.168.2.0
add address=192.168.10.1/24 interface=VLAN10_LTE network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no comment=defconf interface=bridgeLocal
/ip dhcp-server lease
add address=192.168.10.10 client-id=1:dc:2c:6e:28:ec:2c mac-address=\
    DC:2C:6E:28:EC:2C server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.2.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=drghtfzgjkjk.sn.mynetname.net list=WAN-IP
/ip firewall filter
add action=drop chain=input in-interface=lte1 protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridgeLocal
add action=drop chain=input
add action=accept chain=forward disabled=yes in-interface=bridgeLocal \
    out-interface=lte1
add action=accept chain=forward in-interface=Bridge10 out-interface=lte1
add action=drop chain=forward comment="Block LTE VLAN to local" in-interface=\
    Bridge10 out-interface=bridgeLocal
add action=drop chain=forward in-interface=bridgeLocal out-interface=Bridge10
add action=accept chain=forward
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat out-interface=lte1
/ip route
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10


Any help is appreciated.

Router 2 has to have a public IP address, not a CGNAT address, to be able to port forward from it. In other words, how would an external user reach that WAN IP…

Mechanically there is no reason why the server cannot be accessible via both WANs all the time.
One would use port translation to arrive at the main Router 1 on different ports and translate them to the port the server is expecting.

As already mentioned, CGNAT is not a problem in my case because I can access the web interface via the public IP address of Router 2.
Just not the servers that are behind Router 1.

I now suspect that there is something wrong with my routes.

The whole point of using an advanced LAN-WAN double-router topology is to isolate one network from the other. But since both routers are on the same subnet, it must be a firewall issue. While this is becoming a common setup, I am not equipped to test it at home and my knowledge is limited in this regard. The guide from MT uses only one router, as do the video guides I could find. One of the gurus here must know the answer… you might want to post your config using the hide-sensitive command…

I’ve now tried different routes, unfortunately all without success.
Yes, correct, both routers are on the same network. It will probably only be a small thing.

I couldn’t find a similar example anywhere…

I have attached the config for both routers.

Thanks in advance

The latest finding is that if I connect a web server directly to a port on Router 2 and remove this port from the LAN bridge, I can also access it from outside via WAN2. As already mentioned, CGNAT is not the problem here.

I’m now slowly going in the direction my colleague already suspected, that it’s a firewall issue…

Okay, the approach seems flawed to me.

The first router, the primary router, gets a dynamic public IP.
Therefore you can set up any LAN subnet structure you wish behind this router.
I personally prefer VLANs if you need VLANs, and thus there is no bridge subnet; it is just a bridge with no DHCP responsibilities etc.
So one has a VLAN for each subnet and applies the appropriate /interface bridge port and /interface bridge vlan settings.

Now in terms of Router 2: I couldn’t care less what comes from here; let’s say for some reason the router gets a private IP from the ISP.
From Router 1’s perspective the input coming from Router 2 is in effect WAN2 with a static IP and a known gateway etc…

Ensure that the private WAN IP is in a different subnet from any of the VLANs on Router 1!!
So whichever router it’s easier to do that on… make it so.

You can terminate WAN2 with a VLAN as you have done…
On Router 1, create the VLAN on the ethernet port interface the traffic is coming in on.
In IP DHCP client, ensure the interface is vlanXX.

Done…
Now I will assume both WANs are reachable by public IP or domain names.
Therefore we have to ensure server traffic entering WANX goes back out WANX.

Before continuing, clarity is needed as to which WAN is in general the go-to WAN for all LAN users.
Call this the primary and the other the secondary.
Or do you have one group going to one and another group going to the other?
Or do you want to load balance between the two?
Do you have any external users that need access to router services, such as WireGuard or another VPN?

One needs to make a decision to progress the config. Once we know the above, it will be easier to handle your server requirements.
One cannot configure an MT router in isolation from the other requirements.

“On Router1, Create the vlan to the ethernet port interface the traffic is coming in on.
in IP DHCP client ensure the interface is vlanXX”

WAN1, the master, comes via PPPoE and is connected directly to Router 1 at an Ethernet port.
WAN2 (LTE, Router 2) is not connected directly to a port of Router 1 because the two routers are spatially separated. The connection between the two is my internal network. Router 2 is a client of Router 1. Therefore I used a VLAN, too.

WAN1 (PPPoE) is master, WAN2 (LTE) secondary, failover only.
A load balancer or similar is not necessary; a simple failover, which I implement with distance, is sufficient.

Access from outside is necessary, which I achieve with DynDNS.

Are the two routers connected by ethernet cable??
If so, then treat the connection from R2 as WAN2 on R1.

What is the function of Router 2? Assuming it’s a cellular-capable router, what are your options on R2?
Terminate the LTE signal into a public IP address and through NAT provide you with a private IP address of your choice?
Bridge the LTE signal so that you can pass a public IP address directly to R1???

Router 1 and Router 2 are connected over WiFi. Cable is not possible…

Yes, Router 2 is a cellular-capable router used only to establish the LTE connection.
The LTE connection has a public IP address, which I can also reach from outside. Access to the web server on Router 2 is possible.

The goal would then be to use this public address (Router 2) to set a NAT rule towards my internal server, which is connected to Router 1. Unfortunately that doesn’t work yet.


I’ve already tried passthrough, but unfortunately it doesn’t work at all. I can’t even establish a connection to the outside world.

Ahh, okay, I’m not the one to describe a WiFi-to-WiFi connection, but the concept is the same…
R1 gets a WiFi signal and it’s used as the WAN2 input… so a different subnet then exists on R1.

Whatever IP address is assigned to the R1 WLAN port is set statically on both devices: by IP address on R1, by DHCP lease on R2.
For port forwarding on R2, simply port forward to that IP address; on R1 simply create a dst-nat rule for the incoming traffic on WAN2…