I’m trying to complete my dual WAN configuration, but it seems like I have something really wrong.
As I said, I have two separate networks, LAN1 and LAN2, and also two WANs, WAN1 and WAN2. The goal is to give LAN1 users access to the internet through WAN1 and LAN2 users through WAN2, separately and isolated, but at the same time incoming packets destined for a LAN1 server should always be replied to using its WAN1 gateway; the same goes for LAN2 servers.
I have four rules in routes:
0.0.0.0/0 GW1 matching WAN1_traffic route marks
0.0.0.0/0 GW2 matching WAN2_traffic route marks
0.0.0.0/0 GW1 Metric 10
0.0.0.0/0 GW2 Metric 20
When I set the connection and route mangles, the server loses connection. I know a more detailed config may be needed, but maybe if I see some working example then it will be easier for me to figure out.
Better if you do the work…
Provide a network diagram and your current config:
/export file=anynameyouwish (minus router serial number and any public WAN IP information)
Just to be clear, both WANs are from the same provider, correct? If so then failover isn’t really a concern, as it’s really valid and useful with two separate providers.
One question you need to think about before making any config is whether or not you are getting any traffic on your WANs that is originated externally.
This will drive the complexity or simplicity of your setup…
Yes, it’s from the same provider, and yes, the failover isn’t needed really, just separate networks in one router.
I’m not sure, but it seems like when I request anything from LAN2 while the mangle is active, the response comes back to the WAN1 interface instead of WAN2.
Your answer has nothing to do with my question LOL.
I will assume you do not port forward any ports to either LAN1 or LAN2 devices.
In other words, you do not host any servers that outside users initiate connections to.
OOPSIE, I went back to read your initial post, info is there, you do have servers on LAN1 and LAN2.
(1) I know this will work and would be my first kick at the can.
First the mangles (here we identify packets coming in on the WAN and mark those packets, and then we assign route-marks to those packets so that the associated return/leaving traffic goes out the same WAN!)
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
Here we assign additional routes that will be used to identify traffic with the route-marks applied above.
/routing table
add fib name=useWAN1
add fib name=useWAN2
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-table=main comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 routing-table=main comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-table=useWAN1 comment="LAN1 originated traffic and external traffic coming in on WAN1"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 routing-table=useWAN2 comment="LAN2 originated traffic and external traffic coming in on WAN2"
Here we identify traffic coming from the LAN and instruct the router to send out that traffic according to the IP routes we created above (with the unique tables).
/routing rule
add src-address=LAN1 action=lookup-only-in-table table=useWAN1 comment="force LAN1 out WAN1"
add src-address=LAN2 action=lookup-only-in-table table=useWAN2 comment="force LAN2 out WAN2"
These are the routing table entries/definitions required that connect the route-marks from mangling and the tables in routing rules… TO GO out specific routes upon exiting the router.
Secondly one could do it all with mangles, both the incoming WAN traffic (and most importantly the associated return “leaving” traffic), and the outgoing LAN originated traffic.
But here is where it gets blurry for me.
I don’t know if I need a set of mark-routing rules for both instances (incoming or outgoing) OR JUST USE one set of mark-routing???
If you look at the mark-routing mangle rules, they don’t need to specify which interface… so if both incoming on WAN and incoming from LAN get marked with those packets, and thus
it means the traffic goes out the correct WAN, it’s a win-win!!!
Since we already mark packets for incoming on ISP1 and ISP2 in prerouting,
clearly one would need mangling in prerouting (aka same same) to mark new packets for in-interface=LAN1 and in-interface=LAN2.
If we use the same mark-packet NAMES, then we only need one set of mark-routing rules, so it would look like…
/ip firewall mangle
# original mark-connection rules for traffic originating outside on the WAN
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
# new mark-connection rules for LAN originated traffic
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=LAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=LAN2 new-connection-mark=WAN2 passthrough=yes
# use the original mark-routing rules FOR BOTH - very efficient!!!
add action=mark-routing chain=prerouting connection-mark=WAN1 new-routing-mark=viaISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 new-routing-mark=viaISP2 passthrough=no
/routing table
add fib name=viaISP1
add fib name=viaISP2
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-table=main comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 routing-table=main comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-table=viaISP1 comment="LAN1 originated traffic and external traffic coming in on WAN1"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 routing-table=viaISP2 comment="LAN2 originated traffic and external traffic coming in on WAN2"
The third example would be simply creating two sets of mark-routing rules (one for prerouting WAN and one for prerouting LAN marked packets).
Which firmware are you using?
If it’s version 6, I can whip up the config for that…
The first example: the only real difference is no creation of tables, and we use routing marks in /ip route.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
Here we assign additional routes that will be used to identify traffic with the route-marks applied above.
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-mark=useWAN1 comment="LAN1 originated traffic and external traffic coming in on WAN1"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 routing-mark=useWAN2 comment="LAN2 originated traffic and external traffic coming in on WAN2"
Here we identify traffic coming from the LAN and instruct the router to send out that traffic according to the IP routes we created above (with the unique routing marks).
/ip route rule
add src-address=LAN1 action=lookup-only-in-table table=useWAN1 comment="force LAN1 out WAN1"
add src-address=LAN2 action=lookup-only-in-table table=useWAN2 comment="force LAN2 out WAN2"
The second example, again the only difference is we don’t need to create tables…
/ip firewall mangle
# original mark-connection rules for traffic originating outside on the WAN
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
# new mark-connection rules for LAN originated traffic
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=LAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=LAN2 new-connection-mark=WAN2 passthrough=yes
# use the original mark-routing rules FOR BOTH - very efficient!!!
add action=mark-routing chain=prerouting connection-mark=WAN1 new-routing-mark=viaISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 new-routing-mark=viaISP2 passthrough=no
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 comment="standard route - should already be there"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-mark=viaISP1 comment="LAN1 originated traffic and external traffic coming in on WAN1"
add distance=1 dst-address=0.0.0.0/0 gateway=WAN2 routing-mark=viaISP2 comment="LAN2 originated traffic and external traffic coming in on WAN2"
Sorry, I have provided a bunch of different configs/options; without context of what the whole config looks like right now I cannot comment coherently.
I used both variants, with and without using the tables. If I enable the mangle that catches routing for IP routes, then the connection breaks…
“First the mangles ( here we identify packets coming in on the WAN and mark those packets, and then we assign route-marks to those packets so that the return leaving traffic associated goes out the same WAN!”
It seems like it interacts with the VPN, as I have also configured VPN clients to communicate with LAN subnets, and my RDP session is established using a LAN IP. Somehow I should exclude VPN traffic from this scheme…
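An added example, not from any poster in this thread, of the connection-mark variant in RouterOS v7 syntax with the exclusion the last post asks about: destinations in the local LAN and VPN subnets are never route-marked and are pinned to the main table by the first routing rules, so the WAN-return marking cannot hijack LAN-to-LAN or VPN sessions such as the RDP session mentioned. The subnets, bridge interface names and gateway addresses are placeholders.

```routeros
# Placeholders (not from the thread): LAN1 192.168.1.0/24 on bridge-lan1,
# LAN2 192.168.2.0/24 on bridge-lan2, VPN clients 10.99.0.0/24,
# WAN1 = ether1 via 203.0.113.1, WAN2 = ether2 via 198.51.100.1
/ip firewall address-list
add list=local-nets address=192.168.1.0/24
add list=local-nets address=192.168.2.0/24
add list=local-nets address=10.99.0.0/24

/routing table
add fib name=useWAN1
add fib name=useWAN2

/ip firewall mangle
# remember which WAN a connection arrived on so replies leave the same way
add chain=prerouting in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2 passthrough=yes
# LAN-originated traffic is marked only when it is NOT bound for a local or VPN subnet
add chain=prerouting in-interface=bridge-lan1 dst-address-list=!local-nets connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=yes
add chain=prerouting in-interface=bridge-lan2 dst-address-list=!local-nets connection-mark=no-mark action=mark-connection new-connection-mark=WAN2 passthrough=yes
# one set of routing marks serves both directions; packets to local-nets stay unmarked,
# so a server's replies to a VPN client are never pushed out a WAN
add chain=prerouting connection-mark=WAN1 dst-address-list=!local-nets action=mark-routing new-routing-mark=useWAN1 passthrough=no
add chain=prerouting connection-mark=WAN2 dst-address-list=!local-nets action=mark-routing new-routing-mark=useWAN2 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=useWAN1 distance=1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=useWAN2 distance=1
# main-table defaults, matching the OP's Metric 10 / Metric 20 routes
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=10
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=20

/routing rule
# rules are evaluated top-down: local and VPN destinations resolve in main first
add dst-address=192.168.1.0/24 action=lookup table=main
add dst-address=192.168.2.0/24 action=lookup table=main
add dst-address=10.99.0.0/24 action=lookup table=main
add src-address=192.168.1.0/24 action=lookup-only-in-table table=useWAN1
add src-address=192.168.2.0/24 action=lookup-only-in-table table=useWAN2
```

After applying, /routing rule print and /ip firewall connection print (look at the connection-mark column) show whether a given VPN or LAN-to-LAN session has stayed unmarked as intended.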