Dual WAN: how to send answer via the same WAN interface?

SpaceCommander · January 20, 2014, 1:29am

There is RB951 with ROS 5.25 connected to 2 ISP’s.
How to send answers to external requests (icmp, ssh, winbox, …) via the same WAN interface?
Following does not work:

/ip route

add dst-addr=0.0.0.0/0 gateway=1.1.1.1 distance=10 routing-mark=route-isp1
add dst-addr=0.0.0.0/0 gateway=2.2.2.2 distance=10 routing-mark=route-isp2

add dst-addr=0.0.0.0/0 gateway=1.1.1.1 distance=20
add dst-addr=0.0.0.0/0 gateway=2.2.2.2 distance=30

/ip firewall mangle

add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether-isp1 new-connection-mark=conn-isp1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether-isp2 new-connection-mark=conn-isp2 passthrough=yes

add action=mark-routing chain=prerouting connection-mark=conn-isp1 new-routing-mark=route-isp1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=conn-isp2 new-routing-mark=route-isp2 passthrough=no

add action=mark-routing chain=output connection-mark=conn-isp1 new-routing-mark=route-isp1 passthrough=no
add action=mark-routing chain=output connection-mark=conn-isp2 new-routing-mark=route-isp2 passthrough=no

Thanx in advance!

efaden · January 20, 2014, 1:34am

SpaceCommander:

There is RB951 with ROS 5.25 connected to 2 ISP’s.
How to send answers to external requests (icmp, ssh, winbox, …) via the same WAN interface?
Following does not work:

/ip route

add dst-addr=0.0.0.0/0 gateway=1.1.1.1 distance=10 routing-mark=route-isp1
add dst-addr=0.0.0.0/0 gateway=2.2.2.2 distance=10 routing-mark=route-isp2

add dst-addr=0.0.0.0/0 gateway=1.1.1.1 distance=20
add dst-addr=0.0.0.0/0 gateway=2.2.2.2 distance=30

/ip firewall mangle

add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether-isp1 new-connection-mark=conn-isp1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether-isp2 new-connection-mark=conn-isp2 passthrough=yes

add action=mark-routing chain=prerouting connection-mark=conn-isp1 new-routing-mark=route-isp1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=conn-isp2 new-routing-mark=route-isp2 passthrough=no

add action=mark-routing chain=output connection-mark=conn-isp1 new-routing-mark=route-isp1 passthrough=no
add action=mark-routing chain=output connection-mark=conn-isp2 new-routing-mark=route-isp2 passthrough=no

Thanx in advance!

Look at http://mum.mikrotik.com/presentations/US12/tomas.pdf

If you read through that and can’t get it to work I can try to write out the config for you.

-Eric

SpaceCommander · January 20, 2014, 1:45am

Okay, fixed firewall mangle settings are now here (“prerouting” changed to “input”, as on Tomas slides 31,32):

add action=mark-connection chain=INPUT connection-mark=no-mark \
    in-interface=ether-isp1 new-connection-mark=conn-isp1 passthrough=yes
add action=mark-connection chain=INPUT connection-mark=no-mark \
    in-interface=ether-isp2 new-connection-mark=conn-isp2 passthrough=yes

add action=mark-routing chain=output connection-mark=conn-isp1 new-routing-mark=route-isp1 passthrough=no
add action=mark-routing chain=output connection-mark=conn-isp2 new-routing-mark=route-isp2 passthrough=no

But it still does not work..

deejayq · January 20, 2014, 5:54am

maybe this will help
http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/