Dual connection routing help required

garethiowc · March 29, 2023, 9:32pm

Hi All,

I have a RB1100 6.48.6 with two internet connections -

Connection 1 - Starlink - DHCP - Carrier grade nat - Default route cost 0
Connection 2 - Fixed Wireless Access - PPPOE - Public IPv4 - Default route cost 1

Due to CGN i would like to access my cctv via the public address but when i connect i see the traffic coming in using touch but the return traffic is trying to go via the CGN connection.

My CCTV NVR is on address 10.10.40.254 and i have configured a mangle rule

/ip firewall mangle
add action=mark-routing chain=prerouting log=yes \
    new-routing-mark=FWA_ACCESS passthrough=yes \
    src-address=10.10.40.254

/ip route
add distance=2 gateway=FWA routing-mark=FWA_ACCESS

Remote access is now working but only if torch is running on any interface, soon as it stops so does the remote access.

If i change the route cost around and remove the mangle remote access works fine when the FWA connection is being used as the main.

I can’t get any remote winbox access with a mangle rule when the FWA is the secondary connection. But it works when it’s the primary.

Any advise would be great.

Thanks

anav · March 29, 2023, 9:50pm

CONFIG?

/export file=anynameyouwish ( minus router serial number and public wanip information )

garethiowc · March 29, 2023, 10:01pm

Please see attached file

I might have made my life more difficult by updating to router OS 7.8
export.rsc (11.3 KB)

anav · March 29, 2023, 10:14pm

A diagram would help because you failed to describe a switch which seems central to your setup, hiding information is not helpful.

Since you didnt disclose the switch I will ignore it.

Put all vlans on bridge, not on ether1 and forget switch…

Furthermore what are these half done dst nat rules??
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp
src-address= to-addresses=10.10.40.254 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 protocol=tcp
src-address= to-addresses=10.10.40.254 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 protocol=tcp
src-address= to-addresses=10.10.10.254 to-ports=80

You can combine the two other good rules into one, since same protocol and to ports not required if same as dst-ports.
add action=dst-nat chain=dstnat dst-port=554,8000 in-interface=FWA protocol=tcp
to-addresses=10.10.40.254

+++++++++++++++++++++++++++++++++++++++++++++

To the crux of your issue…
Remove all the mangling not required…
Simply create one table, one route and one routing rule.

/routing table add name=useLTE fib

/ip route
add dst-address=0.0.0.0/0 gwy=FWA-gateway-IP table=useLTE

/routing rule add action=lookup-only-in-table src-address=10.10.40.0/24 table=useLTE

What this says in effect is that any traffic coming from the CCTV subnet, either originating traffic or return traffic is going out FWA and to no other gateway.
SO, if you need CCTV traffic to reach any other local subnets you will need this.

/routing rules (order is critical
add action=lookup-only-in-table dst-address=localsubnetA table=main
add action=lookup-only-in-table dst-address=localsubnetB table=main
…
add action=lookup-only-in-table src-address=10.10.40.0/24 table=useLTE

garethiowc · April 13, 2023, 9:36am

Sorry for the delay I have only just had a chance to revisit the issue.

Thank you very much anav that works perfectly.

Am i able to route remote winbox sessions in the same way as it suffers with the same issue.

anav · April 13, 2023, 2:46pm

No one should be remotely accessing the router via winbox, one should remotely access the router via Wirguard and then use winbox.