I’m in need of some help. My ISP provides two IP addresses - each being provided by DHCP from their modem, one IP coming from port 1 on the modem, the other IP coming from port 2.
On the MikroTik Router (ccr2004-1g-12s) I’d like to configure various IP ranges/subnets so that machines on one subnet reach the internet via IP1, and other subnets access the internet via IP2.
Right now, I have configured internal network services to be provided from IP1, however I am not sure how to go about configuring a second connection from the same router providing service to a different range of IPs.
I’m not a networking expert (however have been learning), so I genuinely value any input to help solve this one.
If both IP addresses are static, I would do it like this:
Add a DHCP client on ether2, disable “add default route” on both DHCP clients, and add manual routes for both IP addresses.
Then add a mangle rule to mark specific traffic to be routed to the second route, and then change the route accordingly.
If you need a more detailed explanation, please ask.
Thanks for the reply. One of the IPs is static, the other is dynamic - however, the ISP is providing each IP via DHCP, so as far as I can tell, it shouldn’t make a difference. The idea is to group servers behind the static IP, and wifi guests/desktops behind the non-static IP.
I’m having trouble setting this up - I’ve simplified the config as much as possible & set up a sandbox environment thanks to the VM offered by Mikrotik.
My setup is really simple.
Basically, I’d like traffic coming from 10.3.4.0/23 to be sent out of bridge local1 / ether3 interface and traffic coming from 10.3.6.0/23 to be sent out of bridge local2 / ether4.
Both ether3 and ether4 are being handed out DHCP IPs from the ISP.
You have two different subnets on two different ports.
So put both on the bridge.
I am not 100% sure if putting both on the bridge will allow layer 2 access between them.
If that is an issue only put one subnet on the bridge.
Use firewall rules to separate the two subnets at layer 3.
As for mangling, you don’t need it; you have found the right mechanism in your scenario.
It should work.
The problem is that the gateway is identical and thus there is no way to move traffic to the right WANIP, will think on this.
Besides missing the ACTION entry in the route rule, and of course you need the standard table main entries.
Are you sure the gateway is the same??? It makes little sense to me that you have
a. one dynamic IP
b. one static IP
from the same provider from the same gateway.
Sounds fishy to me.
If the ISP is providing a static IP, typically one needs an IP address entry and not a DHCP client entry for that ether port??
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add add-default-route=no disabled=no interface=ether2
My ISP does provide two WAN IPs, however I am attempting to simulate the environment in a virtualized environment first. The two “WAN” IPs are bridged adapters within VMWare.
As far as I know that shouldn’t make a difference and I should be able to direct traffic to either adapter based on the subnet the VMs are in; however, as you pointed out, I am not familiar with how to do this since the two adapters share the same gateway.
Basically the ISP hands out two IPs via their modem/router:
WAN1: static public IP
WAN2: dynamic public IP
For some subnets I’d like traffic to go out of WAN1, for other subnets traffic to go out through WAN2
We’re a small company, and testing on production equipment is, well, not a good idea. So my best solution (so far) has been to test things out in VMs.
The machines can indeed reach the outside world via separate interfaces, but are unable to ping their gateways/internal resources. I’ve tried similar steps as above in terms of manually entering routes, but no success. Any idea(s)?
I tried setting the destination address to be 10.3.4.0/23 and/or 10.3.6.0/23 as well as setting a routing mark for lan1; I was still unable to ping internal resources.
E.g.: client 10.3.4.5 can reach outside (Google), but can’t reach anything under 10.3.4.0/23.
If I disable the two other routes with the routing marks ‘wan2’ or ‘wan1’, the clients can reach internal IPs just fine, but nothing on the internet.
I am able to split the traffic between interfaces & different subnets can reach the outside world via separate interfaces, however machines in these subnets cannot reach internal resources.
You mean 10.3.4.5 cannot ping 10.3.6.8, for example? (The one above was within the same subnet, LOL.)
The fact of the matter is that it should, and the issue is that you are using a fake environment which is causing the issue, or you have PC firewalls blocking traffic.
Nothing set on the router is causing the above problem.
As I’ve stated before, this
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1
should look like THIS
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1 dns-server=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1 dns-server=10.3.6.1
If I disable them, from the clients I can ping anything internal - which leaves me to believe it’s not a firewall issue on any of the clients.
You are right, the fake environment isn’t ideal, however I am working remotely and cannot jump over to the router if a mistake has been made. Thus I need to get the config working properly in a test environment before moving it over to production. If anyone has advice for a better/more accurate test environment, I’d certainly appreciate it! The Cloud Hosted Router VM image offered by Mikrotik has been a godsend so far for other issues I’ve had!
I’ve tried these configs multiple times & variations of them, no such luck unfortunately!
In Winbox, the entry 0.0.0.0/0 reachable ether2 gets highlighted in blue.
For this section:
/routing rule
# "Lookup in table" in Winbox is action=lookup on the CLI
add src-address=10.3.4.0/23 action=lookup table=wan1
add src-address=10.3.6.0/23 action=lookup table=wan2
I can confirm that in Winbox as well as in the command line there are two options, both ‘Lookup’ and ‘Lookup only in table’; however, when outputting the config after keying in the entries you’ve suggested, that portion is not reflected.
Correct, the second route on the main table will be in Blue as the router only chooses one route on the main table as being reachable at a time.
If that route became unreachable, then the other route would turn black.
However, that’s the main table; you are using different tables and the traffic should flow, regardless of what table main is displaying.
Just for giggles, prove it to yourself by DISABLING the first route and the second route should turn black.
IF it does not then there is something wrong with your connection to that WAN.
I would remove the source address from here…
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.3.4.0/23
add action=masquerade chain=srcnat out-interface=ether2 src-address=10.3.6.0/23
Not really required, adding source address here has nothing to do with routing if that was the intention.
Also, if for some reason during the day or for some period of time ISP1 was down and your routing moved traffic to the available route, your masquerade rule would phuck it up.
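A complete RouterOS v7 configuration for the two-WAN split discussed in this thread, added here as an example rather than a config posted by anyone above. It follows the reply’s ether1/ether2 naming for the WAN ports and the thread’s 10.3.4.0/23 and 10.3.6.0/23 subnets; 203.0.113.1 is a constructed placeholder for the ISP gateway (the same address on both ports, as reported above), and the two dst-address rules are what keep LAN traffic out of the per-WAN default routes, which is the “reaches Google but not the LAN” symptom described earlier.

```routeros
# Added example (not from the thread): two-WAN policy routing on RouterOS v7.
# Assumptions: ether1/ether2 are the WAN ports, the ISP hands both the same
# gateway, and 203.0.113.1 is a constructed placeholder for that gateway.
# LAN bridges local1/local2 carry 10.3.4.0/23 and 10.3.6.0/23.

/ip address
add address=10.3.4.1/23 interface=local1
add address=10.3.6.1/23 interface=local2

/ip dhcp-client
# Let the ISP assign the WAN addresses, but keep the default routes manual
add interface=ether1 add-default-route=no disabled=no
add interface=ether2 add-default-route=no disabled=no

/routing table
add name=wan1 fib
add name=wan2 fib

/ip route
# Per-WAN default routes. "%ether1" pins the next hop to that interface,
# which is what makes an identical gateway IP on both ports usable.
add dst-address=0.0.0.0/0 gateway=203.0.113.1%ether1 routing-table=wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1%ether2 routing-table=wan2 check-gateway=ping
# Main table: WAN1 preferred, WAN2 as failover (the second one shows blue in Winbox)
add dst-address=0.0.0.0/0 gateway=203.0.113.1%ether1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1%ether2 distance=2 check-gateway=ping

/routing rule
# Rules are evaluated top-down. Internal destinations must hit table main
# first; otherwise the 0.0.0.0/0 route in wan1/wan2 swallows LAN-to-LAN
# traffic (and even the router's own replies to a LAN client).
add dst-address=10.3.4.0/23 action=lookup table=main
add dst-address=10.3.6.0/23 action=lookup table=main
# Then steer each LAN out of its own WAN. action=lookup (not lookup-only)
# falls back to main when the WAN route is down, so failover still works.
add src-address=10.3.4.0/23 action=lookup table=wan1
add src-address=10.3.6.0/23 action=lookup table=wan2

/ip firewall nat
# Masquerade by outgoing interface only: with no src-address match, traffic
# that fails over to the other WAN is still translated.
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

In the Winbox route list only one of the two main-table defaults is active at a time; disabling the first should turn the second black, as noted above, and `check-gateway=ping` is what lets that switch happen automatically.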