Hi,
I’m trying to add a second WAN to my MikroTik, because the ISP gave me another subnet block of 16 public IP addresses on this WAN link. These IPs should be forwarded to my internal services on the LAN, but now I’m stuck with a problem even accessing my MikroTik through this second WAN; if I figure this out, then I’ll move on to port forwarding on this WAN. This is my setup:
LAN - sfp-sfpplus1
DMZ - ETH5
WAN1 - sfp - x.x.x.58/29
WAN2 - ETH8 x.x.x.246/30, routable IP block on this link is x.x.x.145/28
ROS ver 6.37.5
but I still can’t ping WAN2 x.x.x.246 from outside; I get a request timeout, and in the MikroTik firewall connections I don’t have any connection marks with “WAN2”.
The mangle rules on WAN2 are the same as on WAN1, but the counters on the WAN2 mangle rules do not increase at all; doesn’t this look strange?
I didn’t study everything in detail, but if alternative routing tables give you problems with reaching some destinations, then either don’t mark routing for those destinations, or make sure that routes to them are always looked up in right routing table, e.g.:
should show the connection mark “WAN2->ROS” in firewall connections when I ping the MikroTik on WAN2 from outside, but it didn’t get any “WAN2->ROS” mark, so it is clear that all my subsequent mangle rules do not work.
I’ve even upgraded the MikroTik to the latest bugfix ROS, but it’s still the same.
I had a better look at the whole thread, and even your initial config should have worked. Are you sure that you for example don’t block stuff from the second WAN in /ip firewall filter?
It also means that I have to disagree with pukkita’s original suggestion (sorry). You don’t need to mark connections in input, doing so in prerouting is fine. And you don’t need to mark them in forward either. Just prerouting alone is enough (unless you want to have different marks for connections to and through the router, for some reason). This is a minimal config covering both traffic to the router and through the router:
Btw, in linked presentation, the whole “sticky connections” part seems to be unnecessarily complicated. I hope I’m not missing something (it’s a little late here…), but it seems to me that it only makes sense when you insist on different marks for incoming and outgoing connections (not sure why). If you don’t need that, then with the above simple config, you can mark new outgoing connections with wan1 or wan2 mark and you have the same thing. Or don’t mark them at all and they’ll get correctly marked by first reply packet coming from WAN.
Now something more: I have three remote networks over OVPN tunnels and three over IPsec tunnels, with users over the IPsec tunnels connecting to my server on the LAN, but after enabling your setup these IPsec remote users lose connectivity to this server until I disable this:
Stupid question first, the second connection definitely works (when you e.g. connect different router there), right?
Next, did you perhaps do something with rp-filter in /ip settings? Option “strict” is known to not play nice with multiple WANs.
I’m not sure what else it could be.
With tunnels, ovpn ones will probably need a routing rule for remote subnets. With IPSec it depends on what you have. If it’s transport mode with some internal tunnel (ipip, …), it should be the same as ovpn. If it’s tunnel mode, I’d guess that it should just work. I never tried it with multiple WANs, but outside encrypted packets should work well with the rules. Incoming inside packets (stuff going through tunnel) will get marked with WANx mark, but as long as the tunnel itself works, it should not matter. But you can try to make an exception for them (add accept mangle rules before the others with in-interface= ipsec-policy=in,ipsec, and you can also try to not mark routing for ipsec-policy=out,ipsec packets). But in any case, first step is to solve ping on WAN2.
Yes, the link that I’m trying to connect as WAN2 is working 100%; I switched it to my other TP-Link router and everything works there.
Now I see in IP → Settings that I have RP filter - Strict.
My IPsec tunnels are in tunnel mode, and my OVPN tunnels have OSPF, so they do not have any route rules.
I changed the RP filter to “no” or “loose”,
but I still can’t ping the WAN2 IP, and no “WAN2” connection marks show up in the MikroTik firewall connections while pinging.
Remote IPsec networks don’t have access to my server (it’s a Java-based application on this server); the application login page doesn’t show for them, but when I disable the IP route with mangle “to_WAN1”:
Either use Tools->Torch on the WAN2 interface to see what’s going on there, or (maybe better, because you won’t miss anything) add some logging rules for icmp (in prerouting, input, output and postrouting) and watch what happens with your ping packets, whether there are any replies and where they are going.
The second part is strange too. If you still have routes configured like in the first post:
then there should be no difference between the to_WAN1 route being disabled and enabled. If it does something, then it means that connections (and then routing) must be getting marked, otherwise the router would ignore the to_WAN1 routing table. But there’s no difference between this and the main one, both have gateway=x.x.x.57.
You can try to not mark connections from IPSec (put it before other rules):
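An added example, not any poster's own config, of the prerouting-only marking described two replies up combined with the IPsec accept exception suggested above; the interface names sfp1 (WAN1) and ether8 (WAN2), and the WAN2 gateway x.x.x.245, are assumptions, while gateway x.x.x.57 comes from the thread.

```routeros
# Assumed interface names: WAN1 = sfp1, WAN2 = ether8 (LAN = sfp-sfpplus1, DMZ = ether5 as in the thread)
/ip firewall mangle
# IPsec tunnel-mode exceptions go first: accept in mangle stops further mangle processing,
# so decrypted inside packets never get a WAN connection mark or routing mark
add chain=prerouting action=accept ipsec-policy=in,ipsec comment="do not mark IPsec inside packets"
add chain=output action=accept ipsec-policy=out,ipsec comment="do not mark routing for IPsec output"

# Mark new connections by the WAN they arrive on (prerouting covers both input and forward)
add chain=prerouting action=mark-connection in-interface=sfp1 connection-mark=no-mark \
    new-connection-mark=wan1 passthrough=yes comment="connections arriving on WAN1"
add chain=prerouting action=mark-connection in-interface=ether8 connection-mark=no-mark \
    new-connection-mark=wan2 passthrough=yes comment="connections arriving on WAN2"

# Replies from LAN/DMZ hosts (any interface other than the WAN itself) go back out the same WAN
add chain=prerouting action=mark-routing in-interface=!sfp1 connection-mark=wan1 \
    new-routing-mark=to_WAN1 passthrough=no comment="forwarded replies for WAN1 connections"
add chain=prerouting action=mark-routing in-interface=!ether8 connection-mark=wan2 \
    new-routing-mark=to_WAN2 passthrough=no comment="forwarded replies for WAN2 connections"

# Replies generated by the router itself (e.g. ping to a WAN address) are routed in output
add chain=output action=mark-routing connection-mark=wan1 new-routing-mark=to_WAN1 passthrough=no
add chain=output action=mark-routing connection-mark=wan2 new-routing-mark=to_WAN2 passthrough=no

# One default route per marked table; the main table keeps its normal default via WAN1
/ip route
add gateway=x.x.x.57 routing-mark=to_WAN1 comment="WAN1 gateway from the thread"
add gateway=x.x.x.245 routing-mark=to_WAN2 comment="assumed WAN2 gateway, other end of the /30"

# Checks: marked connections should appear while pinging x.x.x.246 from outside,
# and the logging rules show whether the echo reply leaves via ether8
/ip firewall connection print where connection-mark=wan2
/ip firewall mangle add chain=prerouting action=log protocol=icmp in-interface=ether8 log-prefix="icmp-in-wan2"
/ip firewall mangle add chain=postrouting action=log protocol=icmp out-interface=ether8 log-prefix="icmp-out-wan2"
```

The two log rules are temporary diagnostics and can be removed once the wan2 marks show up in the connection table.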
When I enable Torch on WAN2 I see that something is going on here: I see my incoming connection from 83.x.x.130, but it does not show up with the connection mangle mark “WAN2”.
Additionally I see that the counters on WAN2 prerouting are increasing this time; earlier I didn’t have that:
I only have something like this about dynamic mangle:
These last local subnets are remote IPsec (tunnel) subnets; these have the problem accessing my LAN server described earlier.
I also have three OVPN subnets, and OSPF is enabled there, so the routes are dynamic.