dualwan problem

gt4a · September 14, 2015, 8:30am

hi, I’ve just got a ccr1016 and have 2 wan (static ip, different ISP) connected.

by now, wan 1 is ok (default route, have some dst-nat/src-nat with it).

but wan 2 is not usable, think I maby miss some routing settings?
(both wan 1 & 2 are not for internet surfing purpose, just for specific servers in Lan, mostly port mapping)

Line 2 was tested with computers, it’s ok. (can access internet)
wan 2 can ping its gateway (isp side), but ping internet ip failed.
have tried disable all filter policy, no work.
if i disable wan 1, wan 2 is usable.
tried add lower priority default for wan 2, no work.
ping or telnet wan 2 from internet failed, got 1 msg everytime :

15:04:17 firewall,info dstnat: in:ether2 out:(none), src-mac b4:a4:e3:95:d4:2c, proto TCP (SYN), 23.110.80.42:12200->1.2.3.4:80, len 40

so what should I do to make wan 2 usable? any advice is appreciated.

gt4a · September 14, 2015, 10:17am

I’ve add below config, but still no work.

 /ip firewall mangle
 
 0    chain=prerouting action=mark-connection new-connection-mark=cu_conn_1 passthrough=yes src-address=172.16.16.158 log=no log-prefix="" 

 1    chain=input action=mark-connection new-connection-mark=cu_conn_1 passthrough=yes in-interface=ether2 log=no log-prefix="" 

 2    chain=prerouting action=mark-routing new-routing-mark=cu_route_1 passthrough=yes connection-mark=cu_conn_1 log=no log-prefix="" 

 3    chain=output action=mark-routing new-routing-mark=cu_route_1 passthrough=yes connection-mark=cu_conn_1 log=no log-prefix=""

/ip route

 0 A S  dst-address=0.0.0.0/0 gateway=1.85.12.105 gateway-status=1.85.12.105 reachable via  ether2 distance=2 scope=30 target-scope=10 
        routing-mark=cu_route_1 

 1 A S  dst-address=0.0.0.0/0 gateway=11.8.22.241 gateway-status=11.8.22.241 reachable via  ether1 distance=1 scope=30 target-scope=10

/ip firewall nat

 
 chain=srcnat action=src-nat to-addresses=1.85.12.110 src-address=172.16.16.158 log=yes log-prefix="" 
 chain=dstnat action=dst-nat to-addresses=172.16.16.158 to-ports=80 protocol=tcp dst-address=1.85.12.110 dst-port=80 log=yes log-prefix=""

LAN IP = 172.16.16.158 (intend public IP = 1.85.12.110)
WAN 1 = 11.8.22.240/29 (eth1)
WAN 2 = 1.85.12.104/29 (eth2)

gt4a · September 15, 2015, 6:13am

solved. just 1 mangle rule(source ip) & routing mark is enough.