I have an RB450G, SW v4.10.
For the last 2 days I have tried to set it up to use 2 WAN interfaces, with no luck.
I can only get a connection through the first interface and no connection on the second.
From outside I can also only ping the first interface, not the second one.
So I was wondering if someone could help me with my setup.
My setup is as follows:
WAN 1: Port 1, IP: static via DHCP, Speed: 60/60 Mbit
WAN 2: Port 4, IP: static via DHCP, Speed: 30/4 Mbit
LAN: Port 2, IP: 192.168.200.1
What I want is that all traffic shall go through WAN 1 as my default ISP, since it has the best line for upload/download.
That's no problem; that works by default.
I then have some firewall NAT rules for mail, web and FTP.
Which also work with no problem.
My problem is that I also want to be able to use WAN 2 only for incoming traffic, since I still have some customers referring to that IP, so I want to be able to have firewall NAT rules on both interfaces routing to the same internal servers.
Just until I have all customers moved to the WAN 1 interface.
In all the ways I have tried, I only have external access to my servers from WAN 1; nothing happens when I try it on WAN 2.
Could someone please give a detailed description of how to solve my problem.
For simple cases, you can use the distance value in the routing table to control which routes have preference for outbound traffic.
As for the rest, it's hard to tell what the issue is without knowing more about your situation; for instance, do you have your own IP addresses, or do you have different public address space on wan1 and on wan2 (which is what it sounds like, possibly)? Are your customers that you haven't moved yet using public space from wan1, or why can't you just move them?
You have your servers in private address space, and you're using NAT rules on wan1 and on wan2 to dst-nat to them, and one of them isn't working for some reason?
I have 2 public IP addresses in 2 separate subnets. They are from 2 different ISPs.
And since I have got a new and much faster connection, I want to have everything on that, but since some customers still have the old address in their applications, I want to be able to still use my old connection just for incoming traffic.
On my WAN 1 I have the DHCP client options Add Default Route enabled and Default Route Distance set to 0.
And on WAN 2 I have the DHCP client options Add Default Route enabled and Default Route Distance set to 1.
The reason I want to be able to use both interfaces for incoming traffic for some time is that some customers use the public IP, but most of them use a DNS name, and even when I update the DNS name it can take up to one day before the change has propagated around the world. So therefore I would like the possibility to use both interfaces for incoming traffic.
When I add firewall rules to route traffic from the WAN 2 interface to the internal servers, I can see in the firewall that some packets hit that rule.
So my theory is that the traffic comes in through the WAN 2 interface to my server, but when my server sends a response back it is doing it through WAN 1 instead.
And then maybe the clients can't figure it out when they send to one IP address but get the answer back from another IP address.
But this is just what I think could be the problem; I don't know if that's right.
That is exactly the problem, and you cannot solve that problem. Clients will not accept return traffic from a different IP address. There is no workaround.
All in the same router:
1.0.0.0/24 → ether1, metric 2
2.0.0.0/24 → ether4, metric 1
192.168.200.1/24 → ether2 → your servers and clients
You dst-nat to your servers and masquerade/src-nat your clients?
And connection tracking is on?
If you set up the rules right, NAT should be able to handle that properly. Anything with a public IP may require policy routing to send it out the right interface, unless both ISPs are willing to transit traffic from the other's address space (which usually requires pre-arrangement or BGP, or a lax ISP, and their upstream(s) may block it in that case).
Connections originated by your servers or clients would appear to come from a 2.x.x.x address; incoming connections would set up a NAT entry for that flow (and related flows, if applicable) and would appear to be either 1.x.x.x or 2.x.x.x depending on which one they came in on, as long as that NAT flow exists.
As far as the clients/servers are concerned, they should just be getting connections from 192.168.200.1, and it's the router, not the clients, that figures out what address to send things out on.
I should mention that some protocols don’t get along well with NAT, such as SIP and Windows file sharing, although they’d likely still have problems if you only had one WAN.
And, some external sites (SMTP servers for instance) may not like it if DNS/reverse-DNS doesn’t match up (you could create corresponding DNS entries in both 1. and 2. networks, until transition is complete).
I am not sure what connection tracking is, but these should be the most important things in my config.
I can see in Firewall / NAT (Bytes and Packets) that data is received when I try to connect to my web server on the public IP of WAN 2, but it's not able to display the page.
When I do the same on the public IP of WAN 1 there is no problem.
I am using an external server to try to connect to my server, to be sure that it's working properly.
I'm guessing the issue is that you (and abeggled) probably need a policy route to send traffic out the correct interface based on the source IP or ingress interface. You probably have a 0.0.0.0/0 route that goes out one of your WANs?
For testing, you could just add a temporary static route to wherever you're testing from, to force traffic to that IP/network back out the specific WAN port, and see if it works.
You can look in the wiki for policy routing based on source address. You need to send anything with a 95.154.16.1 src address out one of the WANs and anything with a 95.166.21.1 src address out the other WAN.
Also, to verify NAT:
In WinBox, go to IP > Firewall, Connections tab.
Click on Tracking and verify it's enabled.
Now try to connect to your web server. You should see an entry appear in the connections list (which will probably be filled with many entries already if you have active traffic).
Find the line for your computer to the web server and double-click it, and you should see the relevant IP translations.
It seems that the problem is that the traffic isn't sent back through the right interface.
I have tried to make a static route so that all traffic to the external server I am using for testing is sent through the gateway on interface WAN 2.
Now I can connect to my web server on the static IP of WAN 2, and then it doesn't work through WAN 1.
So does anyone know how to build the routes so that the traffic is sent back through the interface on which it was received, or how to solve it so that I can use both interfaces for incoming communication?
How would a VLAN and a managed switch solve my problem?
My problem seems to be a routing problem: getting the outgoing traffic out of the same interface on which it was received.
It should be possible to solve somehow, since every other firewall with dual or triple WAN I have worked with has no problem with it out of the box.
So it must be a configuration problem on my side.
I have tried with the example from "Standard Policy-Based Routing with Failover" and modified it for my setup.
But it doesn't work; I then have no access out or in.
ip firewall mangle add src-address=95.154.16.0/24 action=mark-routing new-routing-mark=net2 chain=prerouting
ip firewall mangle add src-address=95.166.21.0/24 action=mark-routing new-routing-mark=net1 chain=prerouting
ip route add gateway=95.154.16.1 routing-mark=net2 check-gateway=ping
ip route add gateway=95.166.21.1 routing-mark=net1 check-gateway=ping
I also tried to change the mangle rules so that they match my public IPs:
ip firewall mangle add dst-address=95.154.16.201 action=mark-routing new-routing-mark=net2 chain=prerouting
ip firewall mangle add dst-address=95.166.21.155 action=mark-routing new-routing-mark=net1 chain=prerouting
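The following RouterOS configuration is an added example and is not from anyone in the thread. It implements the "reply leaves through the WAN it arrived on" behaviour the poster is after, using connection marks rather than the src-address mangle rules above. The src-address rules cannot work for replies: a reply from an internal server enters prerouting with a 192.168.200.x source address (src-nat only happens in postrouting, after the routing decision), so a rule matching the public /24 never sees it. The connection mark, by contrast, is stored in the connection-tracking entry when the first inbound packet arrives and is visible on every later packet of that connection, including the replies. The interface and gateway mapping (WAN 1 = ether1 with gateway 95.166.21.1 and mark net1, WAN 2 = ether4 with gateway 95.154.16.1 and mark net2, LAN = ether2) is inferred from the poster's own commands; the internal web server address 192.168.200.10 is an assumption.

```routeros
# Added example, not the poster's config. Assumed layout (from the poster's commands):
#   WAN1 = ether1, gateway 95.166.21.1, routing mark net1
#   WAN2 = ether4, gateway 95.154.16.1, routing mark net2
#   LAN  = ether2, 192.168.200.0/24; web server assumed at 192.168.200.10
# Connection tracking (IP > Firewall > Connections > Tracking) must be enabled.

/ip firewall mangle
# 1. Tag each new inbound connection with the WAN it entered on. The mark lives in
#    the conntrack entry, so every later packet of the connection carries it,
#    including the server's replies that come back from 192.168.200.x.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes \
    comment="inbound connection via WAN1"
add chain=prerouting in-interface=ether4 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes \
    comment="inbound connection via WAN2"

# 2. Replies arrive from the LAN with a private source address, so they can only be
#    recognised by their connection mark. Give them the routing mark that selects
#    the gateway of the WAN the connection came in on. Only LAN-originated packets
#    are matched, so the router's own traffic and outbound connections are untouched.
add chain=prerouting in-interface=ether2 connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=net1 passthrough=no
add chain=prerouting in-interface=ether2 connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=net2 passthrough=no

/ip route
# 3. One default route per routing mark. Unmarked traffic (connections started from
#    the LAN) keeps using the DHCP-supplied defaults in the main table: WAN1 at
#    distance 0, WAN2 at distance 1 as fallback, as the poster already has.
add dst-address=0.0.0.0/0 gateway=95.166.21.1 routing-mark=net1 check-gateway=ping \
    comment="replies for connections that arrived on WAN1"
add dst-address=0.0.0.0/0 gateway=95.154.16.1 routing-mark=net2 check-gateway=ping \
    comment="replies for connections that arrived on WAN2"

/ip firewall nat
# 4. One dst-nat rule per WAN for the same internal server (the poster already has
#    rules like these for mail, web and FTP; shown here for the web server only).
#    The reverse translation of the reply is done automatically by connection tracking.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.200.10 comment="web via WAN1"
add chain=dstnat in-interface=ether4 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.200.10 comment="web via WAN2"
# Outbound LAN traffic is masqueraded on whichever WAN the routing decision picked.
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether4 action=masquerade
```

Two caveats for this setup. First, mangle rules run in the order listed, so the mark-connection rules must sit above any earlier mark-routing rules, and the mark-routing rules use passthrough=no so nothing below them re-marks the packet. Second, both WAN addresses here come from DHCP, so the gateway addresses in the marked routes are static copies of what the DHCP client learned; if an ISP changes its gateway, the corresponding marked route has to be updated (or set from a DHCP client script), otherwise replies for that WAN will fail while the main-table default route quietly keeps working. To confirm it is doing what you expect, open IP > Firewall > Connections while a test client connects to the WAN 2 address: the entry should show the wan2_conn connection mark, and Tools > Torch on ether4 should show the reply packets leaving with the 95.154.16.x source address.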