I’m configuring a CCR 1009-8G-1S on RouterOS v6.49.6 and currently trying to figure out how I would establish a parallel connection while having both ISPs active. The only reason for doing this and not a failover is a client with an OpenVPN (port 1194) client-to-site via an internal pfSense (192.168.254.150) that needs to have our 2nd ISP as their main connection with us, and only revert to our 1st ISP in case our line is down.
The 1st ISP is currently assigned on the SFP1 interface on the router, and the 2nd is on Ether7.
What I have done currently is the setup of the IP addresses (redacted for security):
/ip address
add address=Y.Y.Y.Y/30 interface=ether7 network=Y.Y.Y.Y comment=ISP2
add address=X.X.X.X/29 interface=sfp1 network=X.X.X.X comment=ISP1
add address=192.168.254.254/24 interface=bridge network=192.168.254.0 comment="Subnet I need routed for 2nd ISP"
add address=192.168.1.254/24 interface=bridge network=192.168.1.0 comment="Rest of the traffic"
Let me know if you need more info, but I’m trying to figure out a way with this setup to get everything going and have a failover in place without the need for my input each time there’s a failure.
So, essentially I’m trying to route 192.168.254.0/24 towards the 2nd ISP (ether7) while the rest of my traffic is going through the 1st ISP. In case of failure from our 2nd ISP, I would like this traffic to be sent back out the sfp1 where our 1st ISP is.
As stated, all traffic will go to WAN1, and if it goes down failover will move traffic to WAN2; if WAN1 comes back, then traffic will go back to WAN1.
Now it would appear you have one subnet that needs to go out WAN2 instead of WAN1 when originating traffic, but you want to ensure WAN1 can be used if WAN2 goes down.
One problem I see is you have two identical bridges with a different IP address.
So one can have two bridges, or one bridge and one ethernet port, or two or more VLANs and one bridge.
Q1. Does either LAN’s traffic use only one ethernet port?
Q2. How does the client use WAN2? Originates an outgoing connection? Coming in on VPN and going out WAN2 for internet??
Q1. There’s traffic coming in on the same ethernet port on the MikroTik (let’s say ether3) from multiple subnets due to how the environment is set up. I can try to isolate one specific port for just the 254 subnet, but what would be your recommendation afterwards to solve the issue?
Q2. We’re connecting to their OpenVPN server as a client and using the 2nd ISP’s public IP. This isn’t the case yet however, due to the problem I’m having, so we’re using our 1st ISP to establish the connection.
Each post adds more confusion, not clarity.
What do you mean multiple subnets… do you mean vlans??
You should really provide network diagrams/topology and full config…
There are no VLANs configured on the network; I’ve only used subnetting to sort the network into different departments etc.
As an example:
192.168.1.0/24 for DHCP
192.168.2.0/24 for Finance
192.168.3.0/24 for tech support
192.168.254.0/24 for other traffic (the one I need to redirect to the other ISP).
What I managed to do yesterday was to use mangle in prerouting to achieve it somewhat, like so:
/ip firewall mangle
add chain=prerouting src-address=192.168.254.0/24 action=mark-routing new-routing-mark="2nd ISP"
What this did was that all the endpoints on the 192.168.254.0/24 subnet were now going through the 2nd ISP for their traffic; however, they had no communication whatsoever with the other subnets that I have, and more importantly, no communication with our Windows Server to resolve DNS. It also seemed that communication from the other subnets to this rerouted one wasn’t happening at all. I suppose an additional configuration must be made to have cross-communication.
What would you like from the network diagram? What exactly is confusing so I can draw that section?
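The symptom in the post above (the marked subnet loses all contact with the other subnets, in both directions) is what happens when every packet from 192.168.254.0/24 is given a routing mark whose table contains only a default route: LAN-to-LAN traffic and the replies to it are then sent to ISP2 instead of back out the bridge. The configuration below is an added worked example for the setup described in this thread, not config from the original poster or from anyone else in the thread. It keeps LAN-to-LAN traffic in the main table by excluding a LAN address list from the mark, and it uses recursive routes with check-gateway so the router fails over, and fails back, without manual input. Everything in it that is not in the thread is an assumption: the ISP gateway addresses X.X.X.1 and Y.Y.Y.1 are placeholders for the real next hops, and 9.9.9.9 and 1.1.1.1 are chosen as reachability probes only because they are public hosts that answer ping.

```routeros
# Added example for RouterOS v6.x. X.X.X.1 / Y.Y.Y.1 are assumed ISP1 / ISP2
# gateways (replace with the real next hops from the /30 and /29 assignments).

/ip firewall address-list
add list=LAN address=192.168.1.0/24 comment="DHCP clients"
add list=LAN address=192.168.2.0/24 comment="Finance"
add list=LAN address=192.168.3.0/24 comment="Tech support"
add list=LAN address=192.168.254.0/24 comment="Subnet that must prefer ISP2"

# Mark only traffic that is actually leaving the site. Traffic between local
# subnets (including DNS to the Windows server) stays in the main table.
/ip firewall mangle
add chain=prerouting src-address=192.168.254.0/24 dst-address-list=!LAN \
    action=mark-routing new-routing-mark="2nd ISP" passthrough=no \
    comment="Policy-route 254 subnet to ISP2, LAN-to-LAN traffic excluded"

/ip route
# Probe routes (scope=10): each probe host is reachable only via one ISP, so
# pinging it tells us whether that ISP's upstream works, not just its link.
add dst-address=9.9.9.9/32 gateway=X.X.X.1 scope=10 comment="probe via ISP1"
add dst-address=1.1.1.1/32 gateway=Y.Y.Y.1 scope=10 comment="probe via ISP2"

# Main table: everything else prefers ISP1, falls back to ISP2.
add dst-address=0.0.0.0/0 gateway=9.9.9.9 target-scope=10 check-gateway=ping \
    distance=1 comment="default via ISP1 (primary)"
add dst-address=0.0.0.0/0 gateway=1.1.1.1 target-scope=10 check-gateway=ping \
    distance=2 comment="default via ISP2 (backup)"

# "2nd ISP" table: the 254 subnet prefers ISP2, falls back to ISP1.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 target-scope=10 check-gateway=ping \
    distance=1 routing-mark="2nd ISP" comment="254 subnet via ISP2 (primary)"
add dst-address=0.0.0.0/0 gateway=9.9.9.9 target-scope=10 check-gateway=ping \
    distance=2 routing-mark="2nd ISP" comment="254 subnet via ISP1 (backup)"

# Source NAT on whichever WAN the packet actually leaves on.
/ip firewall nat
add chain=srcnat out-interface=sfp1 action=masquerade comment="NAT for ISP1"
add chain=srcnat out-interface=ether7 action=masquerade comment="NAT for ISP2"
```

Two caveats worth checking after applying this. First, `check-gateway=ping` marks a route unreachable after the probe fails for a short while and restores it when the probe answers again, so the 254 subnet moves back to ISP2 automatically; but the OpenVPN session from the pfSense at 192.168.254.150 is NATed behind a different public address after each switch, so the client will have to re-establish the tunnel rather than continue it. Second, verify the mark is doing what you expect with `/ip route print where routing-mark="2nd ISP"` and `/ip firewall mangle print stats`: the mangle counter should increase for Internet-bound traffic from the 254 subnet and stay flat when a 254 host talks to the Windows server.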