Forward Odoo Website to WAN2 interface

miankamran7100 · May 14, 2024, 12:56pm

help please

Hello,
I have to mark traffic of this website myerplive.com to my WAN2.
I have created an address list and in
mangle
add prerouting DST address list mark routing new routing mark to_wan2
and
add new routing mark in routes.

But its not working?
how to mark all lan traffic for this website myerplive.com to WAN 2

anav · May 14, 2024, 1:12pm

Post your config and will try again, I have no idea why your previous thread was deleted. I think someone made an error and instead of deleting perhaps one post they deleted the entire thread?

miankamran7100 · May 15, 2024, 7:40am

/interface bridge
add name=bridge1_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1 poe-out=off
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] disabled=yes name=ether3-WAN3
/ip pool
add name=dhcp-pool ranges=192.168.8.2-192.168.8.254
/ip dhcp-server
add address-pool=dhcp-pool interface=bridge1_LAN name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=LiveERP
/interface bridge port
add bridge=bridge1_LAN interface=ether4
add bridge=bridge1_LAN interface=ether5
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/ip address
add address=192.168.101.11/24 comment=WAN1 interface=ether1-WAN1 network=
192.168.101.0
add address=192.168.102.11/24 comment=WAN2 interface=ether2-WAN2 network=
192.168.102.0
add address=192.168.3.11/24 comment=WAN3 disabled=yes interface=ether2-WAN2
network=192.168.3.0
add address=192.168.8.1/24 comment=“Access Point” interface=bridge1_LAN
network=192.168.8.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server alert
add disabled=no interface=bridge1_LAN valid-server=48:A9:8A:97:28:85
/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=
1.1.1.1,8.8.4.4,8.8.8.8
/ip firewall address-list
add address=www.myerplive.com list=LiverERP
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=LiverERP
new-routing-mark=LiveERP passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether1-WAN1
new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether2-WAN2
new-connection-mark=wan2_conn passthrough=yes
add action=mark-connection chain=prerouting disabled=yes in-interface=
ether3-WAN3 new-connection-mark=wan3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn
new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn
new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=wan3_conn disabled=yes
new-routing-mark=to_WAN3 passthrough=no
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=bridge1_LAN new-connection-mark=wan1_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=bridge1_LAN new-connection-mark=wan2_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting disabled=yes dst-address-type=
!local in-interface=bridge1_LAN new-connection-mark=wan3_conn
passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_conn
in-interface=bridge1_LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn
in-interface=bridge1_LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan3_conn disabled=
yes in-interface=bridge1_LAN new-routing-mark=to_WAN3 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.101.0/24
add action=accept chain=prerouting dst-address=192.168.102.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.103.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1 src-address=
192.168.8.0/24
add action=masquerade chain=srcnat out-interface=ether2-WAN2 src-address=
192.168.8.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=ether3-WAN3
src-address=192.168.8.0/24
/ip route
add comment=“WAN-2 DNS” disabled=no distance=1 dst-address=1.1.1.1/32
gateway=192.168.101.1%ether1-WAN1 pref-src=“” routing-table=main scope=10
suppress-hw-offload=no target-scope=10
add comment=“WAN-2 DNS” disabled=no distance=1 dst-address=8.8.4.4/32
gateway=192.168.102.1%ether2-WAN2 pref-src=“” routing-table=main scope=10
suppress-hw-offload=no target-scope=10
add comment=“WAN-3 DNS” disabled=yes distance=1 dst-address=8.8.8.8/32
gateway=192.168.3.1 pref-src=“” routing-table=main scope=10
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pref-src=
“” routing-table=to_WAN1 scope=30 suppress-hw-offload=no target-scope=12
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.10.10.2 pref-src=
“” routing-table=to_WAN2 scope=30 suppress-hw-offload=no target-scope=12
add disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=10.10.10.3
pref-src=“” routing-table=to_WAN3 scope=30 suppress-hw-offload=no
target-scope=12
add comment=LiveERP disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
192.168.102.1 pref-src=“” routing-table=LiveERP scope=30
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=“DNS 1” disabled=no distance=1 dst-address=
10.10.10.1/32 gateway=1.1.1.1 routing-table=main scope=10
suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=“DNS 2” disabled=no distance=1 dst-address=
10.10.10.2/32 gateway=8.8.4.4 routing-table=main scope=10
suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=“DNS 3” disabled=yes distance=1 dst-address=
10.10.10.3/32 gateway=8.8.8.8 routing-table=main scope=10
suppress-hw-offload=no target-scope=11
add check-gateway=ping comment=Main disabled=no distance=1 dst-address=
0.0.0.0/32 gateway=192.168.101.1%ether1-WAN1 pref-src=“” routing-table=
main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=4478
set ssh disabled=yes
set api disabled=yes
set winbox port=4477
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh
/system note
set show-at-login=no
/system package update
set channel=testing

anav · May 15, 2024, 12:08pm

Concept of the solution!!
Two WAN load balancing scenario. No vlans, no servers on LAN. Single LAN. Only caveat is that users going to a website described by address-list=WebAddress, have to use WAN2.

So my solution is simple, ensure WAN2 is primary in main routes. That means all traffic normally will go out WAN2.
When we load balance, traffic will be equally distributed via WAN1 and WAN2 as per the mangles.

Therefore in mangling is we put this single rule in FIRST in the order, we have solved the requirement as simply as possible.
(before LB mangling put this rule in)
/firewall mangle
add action=accept chain=prerouting src-address=192.168.8.0/24 dst-address-list=WebAddress

Logic: Since WAN2 is the primary WAN, this traffic will always go out through that WAN as required and not get caught up in LB.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Changes Required: MISSING FIREWALL!!

/routing table { removed un-needed tables }
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
/ip dhcp-server network { missing dns server }
add address=192.168.8.0/24 dns-server=192.168.8.1 gateway=192.168.8.1

/interface list
add name=WAN
add name=LAN

/interface list members
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=bridge1_LAN list=LAN

/ip firewall address-list
add address=192.168.8.X list=Authorized Comment=Admin desktop
add address=192.168.8.Y list=Authorized Comment=Admin laptop

/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input comment=“admin access” src-address-list=Authorized
add action=accept chain=input comment=“users DNS services” dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment=“users DNS services” dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment=“Drop all else” { Put this rule in last so you dont lock yourself out }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface=list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes { enable or remove if not required }
add action=drop chain=forward comment=“Drop all else”

/ip firewall mangle
add action=accept chain=prerouting src-address=192.168.8.0/24 dst-address-list**=LiverERP**
+++++++++++++++++++++++++++++++++++++++
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local
in-interface=bridge1_LAN new-connection-mark=wan1_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark dst-address-type=!local
in-interface=bridge1_LAN new-connection-mark=wan2_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/1
+++++++++++++++++++++
add action=mark-routing chain=prerouting connection-mark=wan1_conn
new-routing-mark=to_WAN1 passthrough**=no**
add action=mark-routing chain=prerouting connection-mark=wan2_conn
new-routing-mark=to_WAN2 passthrough**=no**
add action=mark-routing chain=prerouting connection-mark=wan3_conn disabled=\

/ip firewall nat { Do not put in source addresses unless needed, in this case NOT, src nat is NOT normally to be used as some sort of firewall rule
add action=masquerade chain=srcnat out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2

I noted that you want to do nested recursive for ROUTING… ( we choose 10.10.10.2 as a arbitrary address )
ALSO do not use same DNS endpoints in Recursive, as used in DNS servers for LAN users

/ip route { No need for % symbols, as the gateways are differerent !! }
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.10.10.2 routing-table=main scope=10 target-scope=14
++++++++++++++++++++++++
add check-gateway=ping distance=2 dst-address=10.10.10.2/32 gateway=1.0.0.1
comment=“WAN2 Primary” routing-table=main scope=10 target-scope=13
add check-gateway=ping distance=4 dst-address=10.10.10.2/32 gateway=9.9.9.9
comment=“WAN1 Secondary” routing-table=main scope=10 target-scope=13
+++++++++++++
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.102.1 comment=“WAN2 Primary”
routing-table=main scope=10 target-scope=12
add distance=4 dst-address=9.9.9.9/32 gateway=192.168.101.1 comment=“WAN1 Secondary”
routing-table=main scope=10 target-scope=12

NOW FOR THE SPECIAL TABLE ROUTES
add dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-table=to_WAN2