Dual WAN (really weird) problem...

Hello all,

How are you? Hope you’re all fine!

Please, I’ve been using MikroTik for some time, I’m new to this forum and I need your help, because I don’t know how to fix this problem…

This is the scenario (please apologize for the “graphics”):

            (Internet)
                 |
      [ WAN1 GW - 10.0.1.1 ]
                 |
[WAN1 Interface IP Addr: 10.0.1.2 ]
                 |
              {RB493}
                 |
[WAN1 Interface IP Addr: 10.0.2.2 ]
                 |
      [ WAN2 GW - 10.0.2.1 ]
                 |
            (Internet)

The problem:

When I try to connect, from any external address (via the Internet), to any of the interfaces, the connection sometimes fails and sometimes succeeds (sometimes I have to try several times to get a connection)… this happens intermittently… but when the connection is successful, it is stable… if I disconnect and try to connect again, I have to try several times again until it connects.

When I test, removing all balancing and routing settings, the connections are successful… so I believe it’s a configuration problem, but I can’t find the problem, nor the solution… :(

I already tried several configurations with routing and even added routing rules (as can be seen below), but without success.

These are the firewall, routing and routing-rule examples from my configuration:

/interface ethernet
set [ find default-name=ether1 ] comment="Intranet - ether1" name=LAN1
set [ find default-name=ether2 ] comment="Internet1 - ether2" name=WAN1
set [ find default-name=ether3 ] comment="Internet2 - ether3" name=WAN2

/ip address
add address=10.0.1.2/24 interface=WAN1 network=10.0.1.0
add address=10.0.2.2/24 interface=WAN2 network=10.0.2.0
add address=192.168.0.1/24 interface=LAN1 network=192.168.0.0

/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 out-interface=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 out-interface=WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN1 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN1 new-routing-mark=to_WAN2

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade to WAN1" out-interface=WAN2
add action=masquerade chain=srcnat comment="Masquerade to WAN2" out-interface=WAN1

/ip route
add check-gateway=arp distance=1 gateway=10.0.1.1 routing-mark=to_WAN1
add check-gateway=arp distance=1 gateway=10.0.2.1 routing-mark=to_WAN2
add check-gateway=arp distance=1 gateway=10.0.1.1
add check-gateway=arp distance=2 gateway=10.0.2.1

/ip route rule
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 src-address=0.0.0.0/0 table=to_WAN1
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 src-address=0.0.0.0/0 table=to_WAN2

Please, has anyone here experienced this problem or know how I can fix it?

Thanks in advance!!

Best Regards
Fabio

Modify the mangle rules to exclude out-interface and set passthrough=no in the output mangle rules:

/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN1 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN1 new-routing-mark=to_WAN2

Press “quote” (the symbol in the top right corner of the post) to see how to force the formatting.

            (Internet)
                 |
      [ WAN1 GW - 10.0.1.1 ]
                 |
[WAN1 Interface IP Addr: 10.0.1.2 ]
                 |
              {RB493}
                 |
[WAN1 Interface IP Addr: 10.0.2.2 ]
                 |
      [ WAN2 GW - 10.0.2.1 ]
                 |
            (Internet)

I haven’t experienced this problem, but there are unnecessary conditions out-interface=WANx in your mangle rules below:

/ip firewall mangle
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 out-interface=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 out-interface=WAN2 passthrough=yes

This picture shows that routing is already done, i.e. the out-interface is already chosen, when the /ip firewall mangle chain=output rules are executed. If these rules assign a routing-mark, the routing is done one more time, taking the routing-mark into account and thus possibly resulting in choice of a different out-interface.

Those conditions make your rules below only assign the routing-mark forcing the packets to use route via WANx to packets which have already been routed that way by the basic phase of routing.

So remove these unnecessary conditions from the rules and remove the /ip route rules.

The above were clear bugs; what remains a puzzle to me is the randomness of the result of the basic phase of routing given that the routes in the routing table “main” have different distance values so the one via WAN1 should always be preferred. So it should have never worked via WAN2, except if WAN1 was randomly falling down and up again.
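To make the effect of the out-interface condition concrete, here is an added toy model of the packet flow described in the reply above (basic routing via "main", then the chain=output mangle rules, then re-routing if a routing-mark was set). It is constructed example code written for this thread, not RouterOS code or anything from the original posts; the tables mirror the posted routes and marks, and the function names are my own.

```python
"""Toy model of RouterOS packet flow for locally originated reply packets on
the dual-WAN setup from this thread. Constructed example, not RouterOS code."""

# Main routing table from the post: two default routes, WAN1 preferred (distance 1)
MAIN_ROUTES = [
    {"gateway": "10.0.1.1", "interface": "WAN1", "distance": 1},
    {"gateway": "10.0.2.1", "interface": "WAN2", "distance": 2},
]
# Per-mark routing tables selected when a routing-mark is present
MARKED_ROUTES = {
    "to_WAN1": {"gateway": "10.0.1.1", "interface": "WAN1"},
    "to_WAN2": {"gateway": "10.0.2.1", "interface": "WAN2"},
}
# connection-mark assigned in chain=input when the connection was opened
CONN_TO_MARK = {"WAN1_conn": "to_WAN1", "WAN2_conn": "to_WAN2"}


def route_main():
    """Basic routing phase: pick the active default route with the lowest distance."""
    return min(MAIN_ROUTES, key=lambda r: r["distance"])["interface"]


def mangle_output(conn_mark, out_iface, require_out_iface):
    """chain=output mark-routing rules. With require_out_iface=True the rules
    carry the posted 'out-interface=WANx' condition; with False they are the
    corrected rules. Returns the routing-mark, or None if no rule matched."""
    for cmark, rmark in CONN_TO_MARK.items():
        if conn_mark != cmark:
            continue
        if require_out_iface and out_iface != MARKED_ROUTES[rmark]["interface"]:
            continue  # condition fails, so the mark is never applied
        return rmark
    return None


def egress_for_reply(conn_mark, require_out_iface):
    """Interface a reply packet for the given connection finally leaves on."""
    out_iface = route_main()                       # first routing pass (main table)
    rmark = mangle_output(conn_mark, out_iface, require_out_iface)
    if rmark is None:
        return out_iface                           # no mark: first decision stands
    return MARKED_ROUTES[rmark]["interface"]       # re-routed using the marked table


if __name__ == "__main__":
    for require in (True, False):
        for cm in ("WAN1_conn", "WAN2_conn"):
            print(f"out-interface condition={require}: {cm} -> {egress_for_reply(cm, require)}")
```

With the condition in place, replies to connections that arrived on WAN2 are first routed via WAN1 by the main table, so the out-interface=WAN2 match never fires and the reply leaves asymmetrically through WAN1; without the condition the connection-mark alone steers it back out WAN2.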