Force local IP to use specific wan on load balancing

Hello,

I have set up load balancing through PCC. I have two outputs:
WAN_DSL and WAN_4G

I have two local clients, a TV box provided by the DSL ISP and a personal file server.
I want to force the TV box to only use WAN_DSL (the TV stream doesn't work on LTE) and force the file server to only use WAN_4G; both have fixed IPs on the LAN.

I have already found PBR information here: https://wiki.mikrotik.com/wiki/Policy_Base_Routing but it seems a bit complicated; I hope you can give me a simple way to set that up.

Thanks people :slight_smile:

Can you clarify that you want to provide a file server on a cellular 4G network? In other words you are expecting others to come in on the 4G network and get files from your server?

It's my private file server, and I have 100mb upload on my 4G WAN vs 128kb upload on DSL. And an unlimited data plan :wink:
Actually it's to be able to upload all my pictures to Amazon and Google Photos so I have a backup on cloud servers.

I guess what I meant is that you will be accessing your file server when at remote sites (like a coffee shop etc).

Nope, I already use TeamViewer for that purpose.
And I just discovered that I need to force another local client to use only one output... My son's Switch; Nintendo Online seems to be damn picky :frowning:

https://serverfault.com/questions/660916/nat-a-single-ip-using-2nd-wan-internet

Is that correct for my needs?

It would normally work, but I am not 100% sure in your case because you already have PCC.

I'd suggest trying

/ip firewall mangle
add chain=prerouting src-address=IP_of_Nintendo dst-address-type=!local action=route route-dst=gateway_WAN2

Thanks for your hint, just tried it :slight_smile:
It seems to forward my IP through WAN2 as expected, but it also seems to totally bypass the dst-nat rules I need to forward ports. Is mangle prioritized over NAT? Or is it the action "route" that bypasses everything else?

It does seem to bypass policy-based routing; I am not sure why, but hopefully someone can tell me in this thread.

What port forwarding do you have to do? Is it to the Nintendo? This rule should only affect traffic originating from this particular IP address.

/ip dhcp-server lease
add address=192.168.0.7 mac-address=nintendo:mac server=defconf
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/24 \
    new-routing-mark=through_WAN_4G src-address=192.168.0.7
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT A for Switch" dst-port=1-65535 \
    in-interface=WAN_4G protocol=udp routing-mark=through_WAN_4G \
    to-addresses=192.168.0.7 to-ports=1-65535
add action=src-nat chain=srcnat routing-mark=through_WAN_4G to-addresses=\
    192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=through_WAN_4G

Ok, that's what I've fumbled around with for now...
Forcing a specific IP through a specific WAN: check!
Opening UDP ports for that specific IP as well: not check :frowning:

https://en-americas-support.nintendo.com/app/answers/detail/a_id/22272/~/how-to-set-up-a-routers-port-forwarding-for-a-nintendo-switch-console

In my opinion it's crap, opening all UDP ports towards the Switch... but well, their "online" feature (which you have to pay for) is basic P2P and I have to deal with it... or suffer the kids crying that they're not able to play online ^^

IT WORKS!!!
Just had to uncheck Passthrough in the mangle rule :slight_smile:

Glad it worked.

Opening all these UDP ports and the word P2P seems to be a "risky game" :slight_smile:
I'd suggest putting this device in its own VLAN so whoever has access to it cannot access anything else on your network.

PS: use good measures to protect your router as well: close down services you don't need, upgrade firmware, etc.
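As an added example (not the thread's own configuration), here is the policy routing from this thread combined with the VLAN isolation suggested above, written for RouterOS 6.41+. It assumes a LAN bridge named "bridge", the main LAN on 192.168.0.0/24, the 4G gateway 192.168.1.1 reachable via WAN_4G, the Switch plugged into ether5, and a new VLAN 20 (192.168.20.0/24) for it; the MAC is a placeholder.

```routeros
# Added example; interface names, subnets and the MAC are assumptions.
# Apply from Safe Mode so a mistake in the bridge VLAN step can be rolled back.

# 1. Isolated VLAN for the Switch (bridge VLAN filtering).
/interface bridge port set [find interface=ether5] pvid=20
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=20
/interface vlan add name=vlan20_switch vlan-id=20 interface=bridge
/interface bridge set bridge vlan-filtering=yes
/ip address add address=192.168.20.1/24 interface=vlan20_switch
/ip pool add name=pool_switch ranges=192.168.20.10-192.168.20.50
/ip dhcp-server add name=dhcp_switch interface=vlan20_switch address-pool=pool_switch
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 \
    dns-server=192.168.20.1
/ip dhcp-server lease add address=192.168.20.7 mac-address=XX:XX:XX:XX:XX:XX \
    server=dhcp_switch comment="Nintendo Switch (placeholder MAC)"

# 2. Policy routing: traffic from the Switch that is not for a local subnet
#    leaves via 4G. passthrough=no is the fix found in this thread.
/ip firewall address-list
add list=LAN_nets address=192.168.0.0/24
add list=LAN_nets address=192.168.20.0/24
/ip firewall mangle
add chain=prerouting src-address=192.168.20.7 dst-address-list=!LAN_nets \
    action=mark-routing new-routing-mark=through_WAN_4G passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=through_WAN_4G distance=1

# 3. NAT. Do not match routing-mark in dstnat: the mark is only set on packets
#    sent by the Switch, never on inbound packets arriving from the 4G side.
#    Masquerade on the outgoing interface instead of src-nat to the gateway's IP.
/ip firewall nat
add chain=dstnat in-interface=WAN_4G protocol=udp action=dst-nat \
    to-addresses=192.168.20.7 comment="Switch: inbound UDP on WAN_4G"
add chain=srcnat out-interface=WAN_4G action=masquerade

# 4. Containment: the VLAN reaches the internet only, not the main LAN and not
#    the router's management services. Place these above any generic accept
#    rules already present in the same chains.
/ip firewall filter
add chain=forward in-interface=vlan20_switch dst-address-list=LAN_nets \
    action=drop comment="Switch VLAN cannot reach other LAN subnets"
add chain=input in-interface=vlan20_switch protocol=udp dst-port=53,67 \
    action=accept comment="Switch VLAN: DHCP and DNS only"
add chain=input in-interface=vlan20_switch action=drop
```

Existing PCC mangle rules should be ordered after the Switch rule, or exclude 192.168.20.7, so the PCC marks never override this one.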

I know it's not safe. Now, adding a VLAN only for this client? Since I have never set one up on MikroTik, I fear spending a lot of time and breaking other rules which are finally working now.
Ofc I'm monitoring my router closely; it was already hacked within a day when I started to set it up without a password :open_mouth:

Keep a backup config at each step of the way, so you can always reset the router to factory defaults and come back to your latest backup again. This made me very brave in my early days with MikroTik.

Hello everyone, I apologise in advance if I'm posting in the wrong section, as I am new to the forum.
I have a problem with mangle. I have an RB3011 with 3 gateways on it, OSPF set up successfully with a static gateway. I set up mangle to identify my different subnets and placed routes so that certain subnets can use certain gateways. All has been working well for months now, and the only problem that I am having is that I lose comms with subnets that are not using the default route.

I am sure it is a simple fix but I just can't seem to find it.

Thanks