Dual WAN Failover using non-standard setup

Hi, I’ve previously set up Load Balancing with Failover using the PCC method. Unfortunately there were issues and now I’m looking to configure Failover only, but I need to balance between the subnets. I want to configure subnet1 to go through WAN1, subnet2 → WAN2, subnet3 → WAN1 and so on. I’ve followed this post http://forum.mikrotik.com/t/routing-selected-networks-over-specific-wan-isp-interfaces/111576/1 , but I’m struggling with the configuration. Here’s my config in mangle and ip route:

/ip firewall mangle
add action=accept chain=prerouting dst-address=A.A.A.A \
    src-address-list=for_NetX
add action=accept chain=prerouting dst-address=B.B.B.B \
    src-address-list=for_A1
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=A1_conn passthrough=no
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=NetX_conn passthrough=no
add action=mark-routing chain=output connection-mark=NetX_conn \
    new-routing-mark=to_NetX passthrough=no
add action=mark-routing chain=output connection-mark=A1_conn \
    new-routing-mark=to_A1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=NetX_conn passthrough=no \
    src-address-list=for_NetX
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=A1_conn passthrough=no \
    src-address-list=for_A1
add action=mark-routing chain=prerouting connection-mark=NetX_conn \
    new-routing-mark=to_NetX passthrough=no
add action=mark-routing chain=prerouting connection-mark=A1_conn \
    new-routing-mark=to_A1 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 \
    src-address-list=for_A1
add action=masquerade chain=srcnat out-interface=ether2 \
    src-address-list=for_NetX
/ip route
add check-gateway=ping distance=1 gateway=A.A.A.1 routing-mark=to_NetX
add check-gateway=ping distance=1 gateway=B.B.B.1 routing-mark=to_A1
add check-gateway=ping distance=1 gateway=A.A.A.1
add check-gateway=ping distance=2 gateway=B.B.B.1

For DNS I use the routerboard. When I first tried, DNS wasn’t working. In the browser it said "looking up". Also at the cmd, nslookup couldn’t find a DNS server to use. Now with this configuration it says "Connecting to www.osradar.com", for example. Somehow it doesn’t return the request. What am I missing in this configuration? Thank you.

You can use policy routing rules for that as well…

Policy routing, you mean for the DNS? I think that I need to set in-interface in the mangle rules and then src-address-list for the new connections and routing marks. LAN-bridge combines all the VLAN interfaces and of course the default VLAN 1. I’ve created a VLAN with id=1, but I’ve never seen any traffic coming on this separate port. Also, where do I set passthrough=no?

DNS is set to be the router and will be using the ISP1 and ISP2 DNS addresses. How do I configure the for_NetX address list, for example, to use only their DNS addresses through the routerboard DNS, and only them?
Thank you.

OK, here is my configuration.

dec/22/2019 19:56:40 by RouterOS 6.45.6

software id = W8VM-N73N

model = CCR1009-8G-1S-1S+

serial number =

/interface bridge
add arp=proxy-arp fast-forward=no name=LAN-bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] mac-address=X.X.X.X speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-full,100M-full,1000M-full
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full

/interface vlan
add interface=LAN-bridge name=EngeniusAP vlan-id=32
add interface=LAN-bridge name=Kameri vlan-id=1
add interface=LAN-bridge name=Management vlan-id=99
add interface=LAN-bridge name=Work1 vlan-id=11
add interface=LAN-bridge name=Work2 vlan-id=12

/interface list
add exclude=dynamic name=discover
add include=dynamic name=for_A1
add name=for_NetX

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc

/ip pool
add name=Work1Pool ranges=
add name=Work2Pool ranges=
add name=KameriPool ranges=
add name=EngeniusPool ranges=
add name=ManagementPool ranges=

/ip dhcp-server
add address-pool=EngeniusPool authoritative=after-2sec-delay disabled=no \
    interface=EngeniusAP name=DHCPEngenius
add address-pool=KameriPool authoritative=after-2sec-delay disabled=no \
    interface=LAN-bridge name=DHCPKameri
add address-pool=Work1Pool authoritative=after-2sec-delay disabled=no \
    interface=Work1 name=DHCPWork1
add address-pool=Work2Pool authoritative=after-2sec-delay disabled=no \
    interface=Work2 name=DHCPWork2

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=LAN-bridge hw=no interface=ether3
add bridge=LAN-bridge hw=no interface=ether4
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=discover

/interface list member
add interface=LAN-bridge list=for_NetX
add interface=EngeniusAP list=for_A1
add interface=Work1 list=for_A1
add interface=Work2 list=for_NetX
add interface=ether1
add interface=ether2

/ip address
add address=A1_addr/30 interface=ether1 network=A1_netw
add address=A1_addr/27 interface=ether2 network=NetX_netw
add address=192.168.1.1/24 interface=LAN-bridge network=192.168.1.0
add address=192.168.11.1/24 interface=Work1 network=192.168.11.0
add address=192.168.32.1/22 interface=EngeniusAP network=192.168.32.0
add address=192.168.12.1/24 interface=Work2 network=192.168.12.0

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 \
    netmask=24
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1 \
    netmask=24
add address=192.168.32.0/22 dns-server=192.168.32.1 gateway=192.168.32.1 \
    netmask=22
/ip dns
set allow-remote-requests=yes cache-size=10240KiB servers=8.8.8.8,4.4.4.4

/ip firewall address-list
add address=192.168.11.0/24 list=for_A1
add address=192.168.32.0/22 list=for_A1
add address=192.168.1.0/24 list=for_NetX
add address=192.168.12.0/24 list=for_NetX
/ip firewall filter
add action=accept chain=input disabled=yes port=69 protocol=udp
add action=accept chain=input dst-address=A1_addr dst-port=53 \
    in-interface=ether1 protocol=udp
add action=accept chain=input dst-address=A1_addr dst-port=53 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input dst-address=A1_addr dst-port=53 \
    in-interface=ether2 protocol=tcp
add action=accept chain=input dst-address=A1_addr dst-port=53 \
    in-interface=ether2 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input in-interface=ether2 protocol=icmp
add action=accept chain=input connection-state=established,related \
    in-interface=ether1
add action=accept chain=input connection-state=established,related \
    in-interface=ether2
add action=accept chain=input disabled=yes dst-address=A1_addr \
    dst-port=8291 in-interface=ether1 protocol=tcp
add action=accept chain=input disabled=yes dst-address=A1_addr \
    dst-port=8291 in-interface=ether2 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
add action=drop chain=input disabled=yes in-interface-list=*2000012
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related disabled=yes
add action=accept chain=forward disabled=yes dst-address=192.168.11.0/24 \
    src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.11.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=accept chain=forward disabled=yes port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=*2000012
add action=drop chain=forward comment="Drop to bogon list" disabled=yes \
    dst-address-list=Bogons
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=yes \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
add action=accept chain=input connection-state=established,related \
    in-interface=ether1

/ip firewall mangle
add action=accept chain=prerouting dst-address=NetX_netw/27 in-interface=LAN-bridge
add action=accept chain=prerouting dst-address=A1_netw/30 in-interface=LAN-bridge

add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=A1_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=NetX_conn passthrough=no

add action=mark-connection chain=prerouting in-interface=LAN-bridge connection-state=new \
    dst-address-type=!local new-connection-mark=NetX_conn passthrough=yes \
    src-address-list=for_NetX
add action=mark-connection chain=prerouting in-interface=LAN-bridge connection-state=new \
    dst-address-type=!local new-connection-mark=A1_conn passthrough=no \
    src-address-list=for_A1

add action=mark-routing chain=prerouting connection-mark=NetX_conn \
    new-routing-mark=to_NetX passthrough=yes
add action=mark-routing chain=prerouting connection-mark=A1_conn \
    new-routing-mark=to_A1 passthrough=no

add action=mark-routing chain=output connection-mark=NetX_conn \
    new-routing-mark=to_NetX passthrough=yes
add action=mark-routing chain=output connection-mark=A1_conn \
    new-routing-mark=to_A1 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 \
    src-address-list=for_A1
add action=masquerade chain=srcnat out-interface=ether2 \
    src-address-list=for_NetX

/ip route
add check-gateway=ping distance=1 gateway=A1_gw routing-mark=to_NetX
add check-gateway=ping distance=1 gateway=A1_gw routing-mark=to_A1
add check-gateway=ping distance=1 gateway=NetX_gw
add check-gateway=ping distance=2 gateway=A1_gw

I’m still not quite sure what passthrough is doing, but I think that in this configuration enabling or disabling it won’t make much difference. I’ve read this thread http://forum.mikrotik.com/t/passthrough-explanation/87491/1 and I think I’ve understood many things. Should I make separate rules for every VLAN interface? Thank you.


EDIT

I’ve figured out that it works only for the subnet that LAN-bridge is in, but not for the other VLANs. I’ve changed the input list to be a list which includes the necessary VLAN interfaces, but there are still problems. I’ve also changed the passthrough values. I’ve almost understood how they work.

add action=mark-connection chain=prerouting in-interface-list=for_NetX connection-state=new \
    dst-address-type=!local new-connection-mark=NetX_conn passthrough=yes \
    src-address-list=for_NetX
add action=mark-connection chain=prerouting in-interface-list=for_A1 connection-state=new \
    dst-address-type=!local new-connection-mark=A1_conn passthrough=yes \
    src-address-list=for_A1