Right now I have a setup with 2 WANs and failover, and I can force any IP I want on my network to use the 2nd WAN gateway using mark routing.
But I'd like to run the proxy server and hotspot using only WAN 2, not the primary WAN.
Possible solutions
It would be better if you include more information about your problem.
Sure.
Routes
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 PPPoE-Speedy 10
1 ADS 0.0.0.0/0 190.17.136.1 1
2 DS 0.0.0.0/0 PPPoE-Speedy 4
3 ADC 10.5.50.0/24 10.5.50.1 wlan2-clientes 0
4 ADC 190.17.136.0/24 190.17.136.156 ether1-Fibertel 0
5 ADC 190.173.0.1/32 190.173.10.248 PPPoE-Speedy 0
6 ADC 192.168.0.0/24 192.168.0.1 bridge-local 0
7 DC 192.168.1.0/24 192.168.1.1 wlan3-Hotspot 255
ether1-Fibertel is gateway 1 and PPPoE-Speedy is gateway 2. Both have dynamic IPs, but I've enabled check gateway for the failover.
dhcp server
[admin@MikroTik] > ip dhcp print
Flags: D - dynamic, X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 default bridge-local dhcp 10m
1 dhcp1 wlan2-clientes clientes_pool 1h
2 I dhcp2 wlan3-Hotspot hotspot_pool 1h
mangle rules
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Youtube
chain=prerouting action=mark-packet new-packet-mark=youtube_pack passthrough=no dst-address-list=youtube
log=no log-prefix=""
1 ;;; speedy wifi
chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=10.5.50.0/24
dst-address=!10.5.50.0/24 log=no log-prefix=""
2 ;;; SpeedyServer
chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.43
dst-address=!192.168.0.0/24 log=no log-prefix=""
3 X ;;; PS4 Speedy
chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.64
dst-address=!192.168.0.0/24 log=no log-prefix=""
4 X ;;; SpeedyLAB
chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.40
dst-address=!192.168.0.0/24 log=no log-prefix=""
5 X ;;; SpeedyOficinaPablo
chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.7
dst-address=!192.168.0.0/24 log=no log-prefix=""
6 X ;;; SpeedyVentas1
chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.8
nat
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 D chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
8 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
11 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443
12 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
13 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
14 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
15 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
16 ;;; fibertel
chain=srcnat action=masquerade out-interface=ether1-Fibertel log=no log-prefix=""
17 ;;; speedy
chain=srcnat action=masquerade out-interface=PPPoE-Speedy log=no log-prefix=""
18 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.1.0/24
hotspot
[admin@MikroTik] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hotspot1 wlan3-Hotspot hotspot_pool hsprof1 1h
[admin@MikroTik] > ip hotspot profile print
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot html-directory-override=""
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=no
1 name="hsprof1" hotspot-address=192.168.1.1 dns-name="cds.city.computacion" html-directory=hotspot
html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap
http-cookie-lifetime=54w2d split-user-domain=no use-radius=yes radius-accounting=yes
radius-interim-update=received nas-port-type=wireless-802.11 radius-default-domain="" radius-location-id=""
radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX
[admin@MikroTik] > ip hotspot walled print
Flags: X - disabled, D - dynamic
# SERVER METHOD DST-HOST DST-PORT PATH ACTION HITS
0 X ;;; place hotspot rules here
allow 0
1 hotspot1 *gaming-city* 80-443 allow 0
2 hotspot1 *cds-city* 80-443 allow 0
3 hotspot1 *mercadolibre* allow 0
4 hotspot1 *mercadopago* allow 0
I was thinking about reversing the WANs and then setting everyone to WAN 2 using mark routing, but then the failover is not going to work (I think).
I'm going to try to set the routing mark on outgoing chain port 80, since the hotspot is already using the built-in proxy server; if that works it should change both.
Yes… this did the trick, thank you.
11 chain=output action=mark-routing new-routing-mark=speedywifi passthrough=no protocol=tcp dst-port=80 log=no
log-prefix=""
12 chain=output action=mark-routing new-routing-mark=speedywifi passthrough=no protocol=tcp dst-port=443 log=no
log-prefix=""
That causes the built-in proxy to use the 2nd WAN, and so does the hotspot.
But now I'm thinking I may have to use a 3rd-party proxy after all, because anything near 40mb/s on the internal proxy already puts the CPU usage at 100%; it's too much for the little 951G.
Actually, the problem in general is that I had to disable fasttrack in order to use routing marks and queues, and that causes the CPU usage to skyrocket.
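Added example, not part of the original posts: the two output-chain rules from the thread combined into one, with local destinations excluded in the same way the poster's prerouting rules exclude them. The address-list name local_nets is hypothetical, and the route entry assumes the speedywifi table is served by a default route via PPPoE-Speedy, which the thread does not show.

```routeros
# Added example (RouterOS v6 syntax). "local_nets" is a hypothetical list name.
# The subnets are the connected networks from the "ip route print" output in the thread.
/ip firewall address-list
add list=local_nets address=192.168.0.0/24
add list=local_nets address=192.168.1.0/24
add list=local_nets address=10.5.50.0/24

# Assumed: a default route that serves the speedywifi routing table
# (not visible in the thread's route print).
/ip route
add dst-address=0.0.0.0/0 gateway=PPPoE-Speedy routing-mark=speedywifi

# Router-originated HTTP/HTTPS (built-in proxy, hotspot) leaves via WAN 2.
# chain=output is required because prerouting never sees traffic that the
# router itself generates. Local destinations are skipped so that proxy
# requests to hosts on the LAN are not pushed out of the PPPoE link.
/ip firewall mangle
add chain=output action=mark-routing new-routing-mark=speedywifi passthrough=no \
    protocol=tcp dst-port=80,443 dst-address-list=!local_nets \
    comment="proxy/hotspot via speedy"
```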