Dual WAN

What does “/ip firewall mangle export” show?

/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=ether2-WIFI \
    new-routing-mark=wan1-only passthrough=yes

Add “dst-address=!x.x.x.x/y” to the rule, where x.x.x.x/y is the other local subnet. That way, the routing mark will not be assigned for packets between the two LAN subnets and routing between them will work.

Like this?

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.50.1 \
in-interface=ether2-WIFI new-routing-mark=wan1-only passthrough=yes

Yes, that is what I had in mind. I am a bit confused by the fact that you talk about ether3 all the time and now the in-interface in the rule is ether2-WLAN, but I assume you wanted to simplify the discussion originally. In any case, the subnet must be the other one than the one attached to the interface mentioned in the rule.

Wait, a ! is missing before the subnet; this way the rule would not assign the routing mark where it is actually needed.

How do I do this?

What happens is that I renamed ether2 to ether3, since I want to have an order so that you understand better. I'll send you an image.

Okay. So the mangle rule shall contain “in-interface=ether2-WIFI” (the interface not allowed to use LTE) and “dst-address=**!**ip.subnet.associated.to/bridge-LAN”.

That should be all you need to obtain visibility between devices connected to ether2-WIFI to devices connected to bridge-LAN while still preventing devices connected to ether2-WIFI from getting to internet via LTE.

Then it would be like this:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.50.1 \
    in-interface=ether2-WIFI new-routing-mark=wan1-only passthrough=yes

Seems fine to me. Does everything work as expected?

I am not able to access a computer by Remote Desktop with IP 192.168.50.230; I am connected via the wireless network and have the IP 192.168.40.100.

If disabling (not removing) the mangle rule makes the RDP work, there is something wrong with the rule; otherwise something else is wrong and you’ll have to post the output of "/export hide-sensitive".

The problem has been solved by removing the “!” in the rule.
I will try all night and tomorrow I will confirm to you whether everything goes well. Thank you very much.

Last night it worked fine, but I had two problems. The first was that every time I rebooted the device a rule for wan2 was created automatically, so I had to add the address manually to remove this error. The second problem was that ether1 does not have PoE, and I need PoE for wan1, so I just moved that ethernet to ether2, and ether3 is now the LAN that will not have internet when wan1 has no internet.

Now I have no connection between the devices that are in bridge-LAN and ether3.

The problem persists: I cannot access between the devices of bridge1 and ether3. If I put the “!”, I have no internet and no communication between the two DHCP networks, but if I remove it, it gives me internet, which is what I do not want to have when wan2 is active.

Any solution? Everything else works fine.

I don’t know what your time zone is, but it was pretty late down here when we discussed this two days ago. So I’ve missed (twice :slight_smile:) that you’ve configured 192.168.50.1 as the dst-address in the mangle rule while it should cover the whole 192.168.50.0/24.

Nevertheless I don’t get how it is possible that it works without the ! in front of the dst-address value, as in such case, the rule doesn’t apply to any packet except those towards 192.168.50.1 (the Mikrotik itself). Maybe I’ve misunderstood you too and without the !, “everything works” means that LAN-3 can access bridge-LAN but can also access internet via LTE?

The idea is that the routing mark would be assigned to all packets coming in through LAN-3 except those towards anything in bridge-LAN’s subnet (hence 192.168.50.0/24), because the automatically generated routes towards local subnets are created in routing table “main”. So if the routing mark different from “main” is assigned to a packet, the automatically generated route towards 192.168.50.0/24 is not usable for that packet.

So please set the dst-address item in the mangle rule properly to !192.168.50.0/24 and check both items (LAN-3 can talk to bridge-LAN but cannot get to internet via LTE).

Hello friend, thank you for answering. I will tell you the results.

With the rule like this I have no internet when wan2 is active, but I have no access to the devices of bridge1 (I’m on ether3):

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.50.0/24 \
    in-interface=LAN-3 new-routing-mark=wan1-only passthrough=yes

Without the “!” I have access, and I can ping the wan2 DNS (in this case 8.8.4.4), but I have no internet:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.50.0/24 \
    in-interface=LAN-3 new-routing-mark=wan1-only passthrough=yes

The other thing I notice is that I have no ping between bridge-LAN and ether3, between the devices.

If you disable the rule, can you ping between a device connected to LAN-3 and a device connected to bridge-LAN?

Second, can you try to remove the dst-address check from the already existing mangle rule completely, and add another rule after it, saying:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.50.0/24 \
    in-interface=LAN-3 new-routing-mark=main passthrough=yes

(this time, the ! must not be there before the subnet).

The idea is that the routing mark “wan1-only” would be assigned to all packets coming in via LAN-3, but then changed back to “main” if the packet is for 192.168.50.0/24. I want to check that it is not an issue with evaluation of the inverted condition.

If you disable the rule, can you ping between a device connected to LAN-3 and a device connected to bridge-LAN?

No, I can only ping 192.168.50.1.

OK, I added the rule and I can still only ping 192.168.50.1; I have no access between bridge-LAN and LAN-3.

If the originally added mangle rule was disabled and you still could not ping between devices connected to LAN-3 and to bridge-LAN, the rule is not the reason. So you can remove the second mangle rule, disable the first one, and find out why you cannot ping between devices in the two subnets.

First, try to ping a device in each subnet from Mikrotik (tool → ping). If any of them does not answer, there may be some firewall rule on the device which prevents it from responding pings.
Once you can ping devices in both subnets from Mikrotik, try to ping from one of those devices in one subnet to another one in another subnet, in both directions. If that does not work and both devices can access internet, there must be some blocking rule in the Mikrotik’s firewall which prevents that, other than the (still disabled) mangle rule.

If you find nothing this way, can you post the output of “/ip firewall export”, “/ip route export” and “/ip route print” ?

If I disable the rules I can ping between bridge-LAN and LAN-3 and vice versa. If I activate the rules I can ping from LAN-3 to devices connected to bridge-LAN, but if I want to ping from bridge-LAN to the devices connected to LAN-3 I cannot.

Previously I could not ping because I had the Windows firewall enabled on my two computers; this was my mistake, apologies.

Firewall

/ip firewall filter
add action=accept chain=input comment="Drop DNS requests from public" \
    connection-state=new dst-port=53 in-interface=LAN-2 protocol=tcp
add action=accept chain=input comment="Drop DNS requests from public" \
    connection-state=new dst-port=53 in-interface=LAN-2 protocol=udp
add action=accept chain=input comment="Do not allow strange packets" \
    connection-state=invalid
add action=accept chain=input comment=\
    "Allow LAN access to the router and the Internet" connection-state=new \
    in-interface=bridge-LAN
add action=accept chain=input comment=\
    "Allow LAN access to the router and the Internet" connection-state=new \
    in-interface=LAN-3
add action=accept chain=input comment=\
    "Allow connections that originated from LAN" connection-state=\
    established
add action=accept chain=input comment=\
    "Allow ICMP ping from anywhere" protocol=icmp
add action=accept chain=input comment=\
    "Do not allow anything from anywhere on any interface"
add action=accept chain=forward comment="Do not allow strange packets" \
    connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=LAN-3 new-routing-mark=\
    wan1-only passthrough=yes
add action=mark-routing chain=prerouting dst-address=192.168.50.0/24 \
    in-interface=LAN-3 new-routing-mark=main passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat

Route

/ip route
add comment="Wifi without Internet" distance=1 gateway=192.168.20.1 routing-mark=\
    wan1-only scope=10
add check-gateway=ping comment="WAN 1 ON" distance=1 gateway=8.8.8.8
add check-gateway=ping comment="WAN 2 ON" distance=2 gateway=8.8.4.4
add comment="Wan 2 internet check" distance=1 dst-address=\
    8.8.4.4/32 gateway=192.168.8.1 scope=10
add comment="Wan 1 internet check" distance=1 dst-address=\
    8.8.8.8/32 gateway=192.168.20.1 scope=10
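The following is an added, complete configuration for the setup discussed in this thread; it is not the poster's running config nor anything the helper posted. It puts together the helper's inverted dst-address mangle rule (the "!192.168.50.0/24" form) with the mark-then-reset variant tried later as a commented alternative, a wan1-only table that cannot leak to LTE, and a filter whose actions match what the comments in the posted export say. In the export above, every rule whose comment says "drop" or "do not allow" has action=accept, so the posted filter blocks nothing at all, including on the input chain. Addresses are the thread's (bridge-LAN 192.168.50.0/24, LAN-3 192.168.40.0/24, WAN1 gateway 192.168.20.1, WAN2/LTE gateway 192.168.8.1); the interface names ether1 for WAN1 and lte1 for WAN2, and the WAN/LAN interface lists, are assumptions, since the thread never names the WAN interfaces. RouterOS v6 syntax, as used in the thread.

```routeros
# Added example, not the original poster's config. RouterOS v6 syntax.
# Assumed interface names: ether1 = WAN1, lte1 = WAN2 (LTE). Adjust to taste.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=lte1 list=WAN
add interface=bridge-LAN list=LAN
add interface=LAN-3 list=LAN

# Policy routing: everything entering LAN-3 is pinned to table wan1-only,
# EXCEPT traffic for the other local subnet. Unmarked packets are looked up
# in "main", where the connected route for 192.168.50.0/24 lives; a marked
# packet would instead match the wan1-only default route and leave via WAN1.
/ip firewall mangle
add chain=prerouting in-interface=LAN-3 dst-address=!192.168.50.0/24 \
    action=mark-routing new-routing-mark=wan1-only passthrough=yes \
    comment="LAN-3: internet via WAN1 only; local subnet stays unmarked"

# Alternative from the thread (mark everything, then reset to main for the
# other LAN). Keep ONE of the two variants, never both:
# add chain=prerouting in-interface=LAN-3 action=mark-routing \
#     new-routing-mark=wan1-only passthrough=yes
# add chain=prerouting in-interface=LAN-3 dst-address=192.168.50.0/24 \
#     action=mark-routing new-routing-mark=main passthrough=yes

/ip route
# Table wan1-only: default via WAN1 plus a blackhole fallback. If the WAN1
# route goes inactive (check-gateway) and the table had nothing else, the
# lookup would fall back to "main" and LAN-3 would reach the internet via
# LTE. The blackhole keeps LAN-3 offline instead, which is the stated goal.
add routing-mark=wan1-only gateway=192.168.20.1 distance=1 \
    check-gateway=ping comment="LAN-3 default: WAN1 only"
add routing-mark=wan1-only type=blackhole distance=10 \
    comment="LAN-3: no failover to LTE when WAN1 is down"
# Main table: recursive defaults so check-gateway probes beyond the gateways.
add dst-address=8.8.8.8/32 gateway=192.168.20.1 scope=10 comment="WAN1 probe"
add dst-address=8.8.4.4/32 gateway=192.168.8.1 scope=10 comment="WAN2 probe"
add gateway=8.8.8.8 distance=1 check-gateway=ping comment="WAN1 default"
add gateway=8.8.4.4 distance=2 check-gateway=ping comment="WAN2 (LTE) failover"

# Filter: actions now match the intent of the comments in the posted export.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input in-interface-list=LAN action=accept comment="LAN to router"
add chain=input protocol=icmp action=accept comment="Ping from anywhere"
add chain=input action=drop comment="Drop everything else reaching the router"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop comment="Drop invalid"
add chain=forward in-interface-list=LAN action=accept \
    comment="LAN out, including bridge-LAN <-> LAN-3"
add chain=forward action=drop comment="No unsolicited inbound from WAN"

# NAT only towards WAN, so LAN-to-LAN packets keep their real source address
# (the posted masquerade rule has no out-interface and rewrites everything).
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

Two checks worth doing after applying this: with both mangle variants disabled, confirm that a host in 192.168.40.0/24 and a host in 192.168.50.0/24 can ping each other in both directions (this isolates host firewalls, which the thread already ran into, from router policy); then enable the mangle rule and confirm with "/ip route print" that the wan1-only table holds only the WAN1 default and the blackhole. If WAN2 receives its address from a DHCP client or an LTE APN profile, its add-default-route setting is what re-creates a wan2 default route after a reboot, as described earlier in the thread; disable it so that only the routes listed above exist.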