Hi everyone, I have a routerboard with ISP1 as primary and ISP2 as secondary. This Routerboard establishes an sstp-client towards an external server, I would like it to do it with ISP2 instead of with the default route of the main routing table.
Directing traffic to go out a non-primary WAN is easiest when you define the users requiring such traffic.
If it's a whole subnet, or a few users, then it's easiest to use routing rules.
If it's less than a subnet, and more so users across various subnets, you have a list of users and that is when to use mangling.
So you need to describe the requirement more clearly in terms of users.
Releasing an entire subnet, or an IP, are things that happen every day. Instead, releasing an sstp client on a specific LAN had honestly never happened to me. The opposite happened to me when I had to listen to a server on wan2, which is not the primary one. What do you mean by user? How do you match users to the mangle? I don't understand your advice. Could you give an example?
Your thinking is off the mark.
What is the purpose of your SSTP?
Surely it's not for the sake of having it alone.
Surely it's not because the SSTP woke you up in the middle of the night and asked you to be set up on the router?
Who is in charge here, who is in control??
In other words, what users (external, internal) need SSTP and for what reason.
Don't worry, @anav feels obliged to provide advice even if he doesn't understand the requirements.
Please elaborate on "doesn't work": with your mangle rules and route/routing table in place, does it not connect at all, or does it connect from the WAN 1 address?
The thing is that unless you have a src-nat or masquerade rule in place that acts on packets that leave through WAN2 even if the original source address is one of the router's own, they leave via WAN2 with the source IP address of WAN1. Depending on how lazy your WAN2 ISP is, the packets may or may not make it to the destination, so either it does not work (if the WAN2 ISP drops packets with a foreign source address) or the Mikrotik->server packets go via WAN2 and the server->Mikrotik ones come back via WAN1.
The reason is that mangle chain output comes after routing, and routing assigns the address associated with the chosen out-interface as the packet's source address. If the mangle rules in chain output assign a routing mark, the routing is repeated (the packet flow diagram calls this "routing adjustment"), but the source address is not changed in this second round of routing, so the src-nat or masquerade rule has to take care of it.
Pray tell me, strange-looking bird, are we talking AI routers now?
I guess in the new world order routers can by themselves create a tunnel to talk to each other directly without the need for users.
So you must be saying there are no users involved.
By the way, that's the tip of the iceberg in terms of what I don't understand!
I dunno re new world order, but in the old one, this is simply called site-to-site VPN, nothing strange about it.
The topic is clear, how to force a local process on the router, which acts as a TCP client and cannot be told via configuration to bind to a particular local address, to use a particular WAN interface to connect to a particular remote server. The fact that said process happens to be an SSTP client is not really important.
I apologize for the late response, but I wanted to understand what was going on before writing here. Observing the connection tracking and the packet flow, it is clear that I was lost in a glass of water. The sstp went out with the WAN indicated by the routing table indicated in the mark-routing rule, but was masked by the generic masquerade rule. Creating a specific srcnat for the IP, protocol and port with the correct source, everything works perfectly. Thanks for making me think.
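The mechanism explained above (routing mark in chain output plus a src-nat that fixes the source address) and the fix reported in the last post, written out as an added RouterOS configuration example; this is not configuration posted by anyone in the thread. It assumes RouterOS v7 syntax, ISP2 on interface ether2-isp2 with gateway 203.0.113.1 and router address 203.0.113.2, and an SSTP server at 198.51.100.10:443; all of these are constructed placeholder values.

```routeros
# Added example: steer the router's own SSTP client out through ISP2 (RouterOS v7 syntax).
# Placeholder values, constructed for this example; replace with your own:
#   ether2-isp2   = interface towards ISP2
#   203.0.113.1   = ISP2 gateway, 203.0.113.2 = the router's own address on ISP2
#   198.51.100.10 = SSTP server, TCP port 443

# 1. A separate routing table whose default route points at ISP2.
/routing table add name=via-isp2 fib
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-isp2 \
    check-gateway=ping comment="default route for router-originated SSTP traffic"

# 2. Mangle in chain OUTPUT: packets the router itself generates towards the
#    SSTP server get the routing mark, which triggers the "routing adjustment"
#    re-lookup in table via-isp2. This does NOT change the source address,
#    which the first routing pass already set to the ISP1 address.
/ip firewall mangle add chain=output protocol=tcp dst-address=198.51.100.10 \
    dst-port=443 action=mark-routing new-routing-mark=via-isp2 passthrough=no \
    comment="route the SSTP client via ISP2"

# 3. src-nat for exactly that flow, rewriting the source to the ISP2 address.
#    place-before=0 puts it ahead of any generic masquerade rule so it matches
#    first; action=masquerade out-interface=ether2-isp2 would work as well.
/ip firewall nat add chain=srcnat out-interface=ether2-isp2 protocol=tcp \
    dst-address=198.51.100.10 dst-port=443 action=src-nat to-addresses=203.0.113.2 \
    place-before=0 comment="SSTP client leaves ISP2 with the ISP2 address"

# 4. The SSTP client itself needs no interface binding; it simply connects.
/interface sstp-client add name=sstp-to-hq connect-to=198.51.100.10:443 \
    user=USERNAME password=PASSWORD disabled=no

# Check: the tracked connection should show reply-dst 203.0.113.2, i.e. the
# server answers towards ISP2, not ISP1.
/ip firewall connection print detail where dst-address~"198.51.100.10"
```

If the connection entry still shows the ISP1 address as its reply destination, the src-nat rule is not the first matching rule for these packets or its out-interface does not match the interface the via-isp2 route actually uses.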