Hello my friends!
So I have an RB951Ui and want the LAN 4 + 5 ports on it to use port 3 as the WAN interface, as in this scenario.
The main WAN connection comes into the MikroTik router on eth-1; the IP address that eth-1 gets from this WAN DHCP server is 192.168.1.111.
Then I set eth-2 to give out IPs in the range 192.168.10.100-192.168.10.200, so the IP address of eth-2 is 192.168.10.1.
Now from this eth-2 port that has the range above, I give my ExpressVPN router internet (the eth-2 port of the MikroTik is connected to the WAN port of my ExpressVPN router).
Now from the LAN on my ExpressVPN router, which has the IP range 192.168.132.1-192.168.132.254, I connect eth-3 on the MikroTik to it, and it takes the IP 192.168.132.5.
In the end I want all traffic that leaves eth4 & eth5 to go through the VPN (i.e. via eth-3), not via eth1, so how can I do that?
Does anyone have any idea, please?
Draw a network diagram. See apps:
https://forum.mikrotik.com/viewtopic.php?p=908118
Here we are..

Makes even less sense… I have no idea how the MT connects to the internet, ISP modem (what is internet and what is ethernet cabling).
ISP modem
So basically it’s:
ether1 = WAN1 (DHCP)
ether2 = LAN1 (192.168.10.1/24, uses WAN1)
ether3 = WAN2 (DHCP?)
ether4-5 = LAN2 (?.?.?.?/?, uses WAN2)
Correct?
Yes, that’s correct!
ether4-5 = LAN2 with IP range 192.168.1.1/24, and it contains only the VPN traffic (ether3), so all LAN2 traffic passes through ether3 only, not ether1.
Scenario 1: LAN1 users go to WAN1 due to the lower distance of WAN1; if WAN1 is not available, users will go to WAN2. LAN2 users are only allowed to use WAN2.
# RouterOS v7 syntax; ISP1, ISP2 and wireguard are placeholders for the real gateways
/routing table
add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main distance=2
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG
/routing rule
add src-address=192.168.1.0/24 action=lookup-only-in-table table=useWG
Scenario 2: LAN1 users go to WAN1 and are not able to use WAN2. LAN2 users are only allowed to use WAN2.
# RouterOS v7 syntax; ISP1, ISP2 and wireguard are placeholders for the real gateways
/routing table
add name=useWAN1 fib
add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP1 routing-table=useWAN1
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG
/routing rule
add src-address=192.168.10.0/24 action=lookup-only-in-table table=useWAN1
add src-address=192.168.1.0/24 action=lookup-only-in-table table=useWG
A problem I see is that if LAN2 has 192.168.1.1/24 and WAN1 gets 192.168.1.111, it’s the same subnet on two different interfaces; such a thing generally doesn’t work well.
Hello Mr Anav!
So I will try your method and give you the output.
I was trying to use a mangle rule to apply that; I used mark connection and mark routing in sequence, but I didn’t get what I want. I think your rules above will solve the problem.
My best regards.
Mangle rules are also useful in certain situations. In this case it can be solved in various ways.
The problem with directing a LAN outside to a specific WAN by routing rules is that it then prevents lanA from talking to lanB, for example.
However, this is solvable by adding another routing rule with dst=LANB, placed before the LAN-to-WAN routing rule in order…
Mangle is good when you need to ensure remote originated traffic coming into one WAN goes out the same WAN. In your case I believe that your concern is only outgoing traffic (local originated traffic).
Hello Mr anav!
So OK, I applied your steps above and it works well! However, what if I want a specific IP address to be excepted from this rule? I mean, from LAN2 I want two IPs to go through the original WAN1, not WAN2; what do I have to do in this scenario?
Do I have to create a new route rule for it in this case?
Why do I want to do this?
Well, as I mentioned, the incoming traffic from WAN2 is VPN traffic and I want specific devices to not use it.
If you need two specific IPs to go through the normal WAN, just put two routing rules for them before the one that forces them out WAN2:
# IP1 and IP2 are placeholders for the two device addresses
/routing rule
add src-address=IP1 action=lookup-only-in-table table=main
add src-address=IP2 action=lookup-only-in-table table=main
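To see why rule order matters here, the following is an added example (not from the thread or from MikroTik) that models first-match routing-rule evaluation for Scenario 2 plus the two exceptions and the inter-LAN rule discussed above. It goes slightly beyond the thread by also modelling action=lookup, to show that only lookup-only-in-table keeps LAN2 from leaking out WAN1 when the VPN route is inactive. The function names, the LAN1/LAN2 labels, the exception addresses 192.168.1.50/.51 and the destination 203.0.113.9 are assumptions, and the model is simplified.

```python
import ipaddress as ip

def make_tables(vpn_up=True):
    # Constructed routes as (prefix, gateway, distance, active).
    return {
        "main": [("0.0.0.0/0", "ISP1", 1, True),
                 ("192.168.10.0/24", "LAN1", 0, True),   # connected route
                 ("192.168.1.0/24", "LAN2", 0, True)],   # connected route
        "useWG": [("0.0.0.0/0", "wireguard", 1, vpn_up)],
    }

def make_rules(action="lookup-only-in-table", lan_rule=True):
    # (src, dst or None, action, table), evaluated top-down like /routing rule.
    rules = [("192.168.1.50/32", None, "lookup-only-in-table", "main"),  # IP1 (assumed)
             ("192.168.1.51/32", None, "lookup-only-in-table", "main")]  # IP2 (assumed)
    if lan_rule:  # dst=LAN1 rule placed before the LAN2 -> VPN rule
        rules.append(("192.168.1.0/24", "192.168.10.0/24", "lookup-only-in-table", "main"))
    rules.append(("192.168.1.0/24", None, action, "useWG"))
    return rules

def lookup(table, dst):
    """Longest-prefix match over active routes; lower distance breaks ties."""
    hits = [(ip.ip_network(p).prefixlen, -dist, gw) for p, gw, dist, active in table
            if active and ip.ip_address(dst) in ip.ip_network(p)]
    return max(hits)[2] if hits else None

def egress(rules, tables, src, dst):
    """Return the gateway chosen for src -> dst, or None if unroutable."""
    for r_src, r_dst, action, table in rules:
        if ip.ip_address(src) not in ip.ip_network(r_src):
            continue
        if r_dst and ip.ip_address(dst) not in ip.ip_network(r_dst):
            continue
        gw = lookup(tables[table], dst)
        if gw is None and action == "lookup":
            continue      # 'lookup' keeps searching and can end up in main
        return gw         # 'lookup-only-in-table' never falls back
    return lookup(tables["main"], dst)

if __name__ == "__main__":
    web = "203.0.113.9"   # constructed internet destination
    print("LAN2 host      ->", egress(make_rules(), make_tables(), "192.168.1.20", web))
    print("exception host ->", egress(make_rules(), make_tables(), "192.168.1.50", web))
    print("VPN down, only-in-table ->", egress(make_rules(), make_tables(False), "192.168.1.20", web))
    print("VPN down, lookup        ->", egress(make_rules("lookup"), make_tables(False), "192.168.1.20", web))
```
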
Thanks anav, I was searching for this solution for some time for my CCR2004, but your method is simple and elegant, works like a charm.