Dual Wan - once again :(

Hello everyone,

I need to set up dual WAN once again and just wanted a re-check... not sure what solution is best in my case.
I planned to use this set up: http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways
Load balancing is not needed, actually I only need the second WAN to have another external IP I can use for port forwarding / dst-nat.

Now my question is whether it is better to use the above setup or a different approach: dst-nat + src-nat/masquerade.
Using the configuration above means some LAN clients use WAN1 and some use WAN2 as gateway, with connection marks making the difference.
The alternative I see is sending all LAN clients over WAN1 and only dst-nat'ing the needed ports of the public IP on WAN2 to the LAN clients, plus masquerading their source with something like this:

/ip firewall nat
# forward TCP/443 arriving on the WAN2 public IP to the LAN client
add action=dst-nat chain=dstnat comment=Test disabled=no dst-address=EXTERNAL-WAN-IP2 dst-port=443 protocol=tcp to-addresses=CLIENT_IP to-ports=443
# rewrite the source of the forwarded packets to the router's LAN address before they leave the LAN port towards the client
add action=masquerade chain=srcnat comment=Test disabled=no dst-address=CLIENT_IP dst-port=443 out-interface=ether3-LAN1-master protocol=tcp

I don't know which is less work for the MikroTik (RB1100).
Ideas?

If your goal is to have a second WAN connection just for some of the traffic you should look into policy routing. This involves using the mangle facilities to assign routing marks to the relevant packets, and to have a route for that routing mark out the second WAN circuit. You’d also want to statefully mark all incoming connections on that interface so you can force them to leave via the same interface rather than use the default route circuit.

The wiki and forums have many, many examples for policy routing.

As far as I understand, the link I posted above describes this scenario - I think I could set this up successfully.

My question was more directed at a suggestion regarding performance. Are some NAT rules worse, or does MANGLE use more CPU power?
Or can't one really tell until I can name the number of NAT rules and the number of MANGLE rules?

Cheers
sap

You need both NAT and mangle rules, but for unrelated reasons. Mangle rules are how you set your routing policies. They determine what routes packets take. NAT has nothing to do with that, NAT is simply responsible for translating private to public IP addresses at your autonomous system border (i.e., your WAN link interface).

Hm, I ran into another problem with dual wan:
I use the same cable provider for the second WAN. Currently both connections are configured as DHCP, so I have two DHCP clients running.
The second WAN doesn't set a default route, DNS or NTP. But I still have routing problems, since the dynamic IP address has the same gateway and mask.
My first public IP is 217.1.1.80/26, the second is 217.1.1.81/26 (example IPs). That leads to a routing entry 217.1.1.0/26, but this is reachable through both WANs. Would setting routes including a preferred source manually help?

anyone?

The only fully functional workaround I'm aware of is to buy a second router for the second WAN connection and connect it to the first one via a /30. That way the WAN subnet only exists on one port as seen by either router.

Try using this for your routing tables:
http://wiki.mikrotik.com/wiki/Manual:Load_balancing_multiple_same_subnet_links

Mainly this part:

/ip route
# unmarked traffic: default route, interface chosen by the main table
add gateway=10.1.101.1
# same next-hop address, but %interface pins the route to a specific port
add gateway=10.1.101.1%ether1 routing-mark=first
add gateway=10.1.101.1%ether2 routing-mark=other

I've never tried it, so I'm not sure how well it will work. Note that the page does warn that you can only set this up and edit it via the CLI. Once you have it set up that way, DO NOT edit the route via Winbox.
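To show how the pieces discussed above fit together (policy routing with connection and routing marks from the earlier replies, and the same-subnet %interface gateways from this one), here is a complete RouterOS configuration for the port-forwarding case. This is an added example, not configuration from the thread, the wiki page or the poster. It assumes WAN1 on ether1-WAN1 with 217.1.1.80/26, WAN2 on ether2-WAN2 with 217.1.1.81/26, a shared upstream gateway of 217.1.1.65 (the thread never names the gateway), a LAN of 192.168.88.0/24 on ether3-LAN1-master, and 192.168.88.10 as the forwarding target; the interface names, gateway address and LAN addressing are assumptions.

```routeros
# Added example, not from the thread. Assumed addressing: WAN1 = 217.1.1.80/26 on
# ether1-WAN1, WAN2 = 217.1.1.81/26 on ether2-WAN2, shared gateway 217.1.1.65,
# LAN = 192.168.88.0/24 on ether3-LAN1-master, forwarding target 192.168.88.10.
# Static WAN addresses are used for clarity; with DHCP clients keep
# add-default-route=no on the second client and manage the routes below yourself.

/ip address
add address=217.1.1.80/26 interface=ether1-WAN1 comment="WAN1 (assumed)"
add address=217.1.1.81/26 interface=ether2-WAN2 comment="WAN2 (assumed)"
add address=192.168.88.1/24 interface=ether3-LAN1-master comment="LAN (assumed)"

# Both WANs sit in 217.1.1.0/26, so a plain gateway=217.1.1.65 is ambiguous.
# The %interface suffix pins each route to one port. These must be entered
# from the CLI (the wiki page warns not to edit them in Winbox).
/ip route
add gateway=217.1.1.65%ether1-WAN1 comment="default: all LAN traffic via WAN1"
add gateway=217.1.1.65%ether1-WAN1 routing-mark=via-WAN1 comment="policy table WAN1"
add gateway=217.1.1.65%ether2-WAN2 routing-mark=via-WAN2 comment="policy table WAN2"

# Mangle: remember which WAN a connection arrived on. Only the first packet of
# a connection (connection-state=new) is inspected; later packets inherit the
# mark from connection tracking, which keeps the per-packet cost low.
/ip firewall mangle
add chain=prerouting in-interface=ether1-WAN1 connection-state=new \
    action=mark-connection new-connection-mark=from-WAN1 passthrough=no
add chain=prerouting in-interface=ether2-WAN2 connection-state=new \
    action=mark-connection new-connection-mark=from-WAN2 passthrough=no
# Replies from LAN hosts: route them back out the WAN the connection came in on
# instead of the default route (which would send WAN2 replies out WAN1).
add chain=prerouting in-interface=ether3-LAN1-master connection-mark=from-WAN1 \
    action=mark-routing new-routing-mark=via-WAN1 passthrough=no
add chain=prerouting in-interface=ether3-LAN1-master connection-mark=from-WAN2 \
    action=mark-routing new-routing-mark=via-WAN2 passthrough=no
# Replies generated by the router itself (e.g. management reached via the WAN2 IP)
add chain=output connection-mark=from-WAN1 \
    action=mark-routing new-routing-mark=via-WAN1 passthrough=no
add chain=output connection-mark=from-WAN2 \
    action=mark-routing new-routing-mark=via-WAN2 passthrough=no

# NAT is independent of the routing decision above: it only rewrites addresses
# at the WAN edge. One masquerade rule per WAN, and the actual port forward
# bound to the WAN2 interface and address so it cannot be reached via WAN1.
/ip firewall nat
add chain=srcnat out-interface=ether1-WAN1 action=masquerade comment="LAN -> WAN1"
add chain=srcnat out-interface=ether2-WAN2 action=masquerade comment="anything leaving WAN2"
add chain=dstnat in-interface=ether2-WAN2 dst-address=217.1.1.81 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="217.1.1.81:443 -> LAN host"
```

The mangle rules are what decide the path; the NAT rules only translate addresses, which is the separation pointed out earlier in the thread. Because the connection mark is set once per connection and the routing mark is looked up from it, the mangle cost is a handful of matches on the first packet plus one connection-mark lookup per reply packet, regardless of how many ports you forward; adding further dst-nat rules for other ports on 217.1.1.81 needs no extra mangle rules. To check that replies really leave via WAN2, open a connection to 217.1.1.81:443 from outside and watch the counters on the via-WAN2 route and the from-WAN2 mangle rule increase.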

Thanks for your replies - and sorry for mine coming so late.
I will test your suggestions tomorrow and will report back. The wiki link looks pretty good; it's almost exactly what I'm looking for. The only difference from my setup is that I still have only one LAN behind the two WANs. But I hope I can deal with that.

Alright, Feklar's suggestions worked so far. No complaints for 2 days, so I guess it does the trick. Great solution btw, really saved my arse :smiley:
Now I can have dual WAN on the routers (some 750G, mostly RB1100). I need/use it mostly for port forwarding.