Forcing IP requests to a specific WAN

simonefil · April 14, 2021, 4:32pm

Goodmorning everyone.
I have a configuration with two WANs and a bridge. The WANs are configured in load balancing with PCC and everything works correctly.
I need from the devices inside the bridge to reach a one public ip 138.68.XXX.XXX only from a single WAN (only WAN1)
I created this rule in the mangle:

add chain= prerouting action=mark-routing dst-address=138.68.XXX.XXX new routing mark=mark-server001 passtrough=no

And this rule in routes

Add distance=1 gateway=WAN1 routing-mark=mark-server001

but not working. I can’t reach that IP anymore.
I’m sure I’m wrong but I can’t understand.
Can I ask you for help?
Thanks so much!
A good day

anav · April 14, 2021, 5:16pm

Sorry no can helpee unless you show the config as all items have relationships!!
/export hide-sensitive file=anynameyhouwish.

How many lan subnets do you have by the way??

simonefil · April 14, 2021, 6:23pm

Here I uploaded the export file https://drive.google.com/file/d/1YDbGj-phamW5IH_yId1G1F6pNjfVkrUl/view?usp=sharing
I have only one subnet: 192.168.1.0/24

Thank you so much for your help

Jotne · April 14, 2021, 7:24pm

Post the file in the forum and add code tags like I have done with your file.

# apr/14/2021 20:13:21 by RouterOS 6.48.1
# software id = U3XR-QKMS
#
# model = RouterBOARD 941-2nD
# serial number = 661606E70404
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN1"
set [ find default-name=ether2 ] name="ether2 WAN2"
set [ find default-name=ether3 ] name="ether3 LAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface="ether3 LAN" multicast-router=disabled
add bridge=bridge1 interface=ether4 multicast-router=disabled
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add disabled=no interface="ether1 WAN1"
add disabled=no interface="ether2 WAN2"
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip firewall mangle
add action=mark-connection chain=input in-interface="ether1 WAN1" \
    new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=input in-interface="ether2 WAN2" \
    new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting dst-address-list=138.XXX.XXX.XXX \
    new-routing-mark=mark-server001 passthrough=no
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge1 new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge1 new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether2 WAN2"
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.75 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway="ether2 WAN2" routing-mark=to_WAN2
add distance=1 gateway="ether1 WAN1" routing-mark=mark-server001
/system clock
set time-zone-name=Europe/Rome
/system script

Jotne · April 14, 2021, 7:27pm

If you change from

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether2 WAN2"

to:

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"

You will only have one way out: WAN1

simonefil · April 14, 2021, 7:34pm

If you change from

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether2 WAN2"

to:

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"

You will only have one way out: WAN1

All traffic will go out on WAN1. All traffic, must be balanced across the two WANs, with the exception of traffic directed to that specific IP address.
Thank you

Jotne · April 14, 2021, 7:43pm

Some like this may do then

/ip firewall nat
add action=masquerade chain=srcnat dst-address=138.68.0.0/16 out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether2 WAN2"

PS No need to quote post above you, use Post Reply button below post.

2frogs · April 14, 2021, 8:36pm

/ip firewall mangle
add chain=prerouting action=mark-routing dst-address=138.68.XXX.XXX in-interface=bridge1 new-routing-mark=to_WAN1 passtrough=no

anav · April 14, 2021, 9:45pm

Very nice Jotne!
I was going to recommend a routing solution not a source nat solution.
Source nat tells the router which public IP should be used to provide NATING for the private IP, but does not tell the router which route that trafffic should take??
When you add mangling in the mix I get right confused.

First of ALL I dont understand MARKING ANY ROUTES without having normal ROUTEs first established for the router.
So to me this should be.
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.75 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=“ether2 WAN2” routing-mark=to_WAN2
add distance=1 gateway=“ether1 WAN1” routing-mark=mark-server001
LIKE THIS
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.75
add check-gateway=ping distance=1 gateway="ether2 WAN2
"add distance=1 gateway=“ether1 WAN1”[/i]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping distance=1 gateway=192.168.3.75 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=“ether2 WAN2” routing-mark=to_WAN2
add distance=1 gateway=“ether1 WAN1” routing-mark=mark-server001

To be honest, I dont know why the heck 192.168.3.75 is doing there,
I thought there was two WANS, one and two, does the OP have three WANS ???
Or is that the source (device that needs only to access the exterior specific WANIP).
(or is there a group of devices, its was really not made clear???).

I would use a route rule
source address=specific device OR
dst address=exterior WANIP
action= lookup only in table
table=use-this-only

where
another route is established ( a third for wan1)
add distance=1 gateway=“ether1 WAN1” routing-mark=use-this-only { and with this approach no mangling is required)