Hi all.
Please help, because I have spent two weeks trying to find a solution and tried 100500 ways, reading tons of info, but still no luck.
I have two WAN connections with two local subnets, ISP1 and ISP2, and need to achieve ISP1 to LAN1 and ISP2 to LAN2, and each subnet must reach the Pi-hole DNS server on the LAN3 network.
For forwarding each WAN to its dedicated LAN, this script works well:
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to_ISP1 passthrough=yes src-address=LAN1_IP
add action=mark-routing chain=prerouting new-routing-mark=to_ISP2 passthrough=yes src-address=LAN2_IP
with
/ip route
add check-gateway=ping distance=1 gateway=ISP1_GW_IP routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=ISP2_GW_IP routing-mark=to_ISP2
add distance=1 gateway=ISP1_GW_IP,ISP2_GW_IP
But the main problem is that when the mangle rules are on, I can't access the local DNS server, or anything else local outside the current LAN subnet.
Please give me a clue where I can see a really working example. I'm using ROS 6.42.
Thank you
You can:
1) not mark routing when the destination is in a LAN:
1a) by adding dst-address=! or dst-address-list=! to the existing rules
1b) by adding new accept rules for LAN destinations before your existing rules (an accept rule stops processing in the given chain)
2) use routing rules to tell the router to always search for LAN destinations in the main routing table:
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
...
Huh... why, when I tried this the first time straight away, didn't it work at all, and on the internet I found every other way except this quick, nice one.
Now, after a full reset, it works for some reason.
I think there was some misconfiguration in the MikroTik, and I believed the MikroTik more than the forum guru.
THANK YOU!!! More guys like YOU who spend a bit of time to answer short and exact.
Hi,
I have 2 ISPs:
- ISP1 : 192.168.5.0/24
- ISP2 : 192.168.1.0/24
The addresses of my local LAN are:
- LAN1 : 192.168.3.1/24
- LAN2 : 192.168.2.1/24
Below is the setup of the mangle:
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface-list=LANs_Local
add action=accept chain=prerouting dst-address=192.168.5.0/24 in-interface-list=LANs_Local
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=eth02-ISP2 new-connection-mark=connect-ISP2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=eth01-ISP1 new-connection-mark=connect-ISP1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LANs_Local new-connection-mark=connect-ISP2 passthrough=yes per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LANs_Local new-connection-mark=connect-ISP1 passthrough=yes per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=connect-ISP2 dst-address-type=!local in-interface-list=LANs_Local new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=connect-ISP1 dst-address-type=!local in-interface-list=LANs_Local new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=connect-ISP2 new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=connect-ISP1 new-routing-mark=ISP1 passthrough=yes
But the problem is I can’t interconnect the LANs; client from LAN1 can’t use the printer located in LAN2, or client from LAN2 can’t connect to the server in LAN1.
What should I do?
Thanks
Maybe read the thread you’re digging up? I’ll give you a hint, it already contains a solution that would work for you too.
Hi,
To be honest, I'm quite a newbie in MikroTik. The previous setup was already installed before my arrival. I've searched all the mangle tutorials, and here are the changes I've set up.
I tried adding new mangle rules that I put at the top, and I also removed the invert in dst-address-type, except in the PCC prerouting (to allow accessing Winbox using the IP address).
I have also created a NAT rule to accept connections to the devices using the registered static IPs.
But I still can't access the network printers, which have static IPs and are already registered in the static address-list, from a different subnet. I don't know where I went wrong.
Please kindly help.
Many, many thanks in advance
Regards,
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Local-Addresses in-interface-list=LANs_Local
add action=accept chain=output dst-address-list=Local-Addresses
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface-list=LANs_Local
add action=accept chain=prerouting dst-address=192.168.5.0/24 in-interface-list=LANs_Local
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=local in-interface=eth02-ISP2 new-connection-mark=connect-ISP2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=local in-interface=eth01-ISP1 new-connection-mark=connect-ISP1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LANs_Local new-connection-mark=connect-ISP2 passthrough=yes per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=LANs_Local new-connection-mark=connect-ISP1 passthrough=yes per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=connect-ISP2 dst-address-type=local in-interface-list=LANs_Local new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=connect-ISP1 dst-address-type=local in-interface-list=LANs_Local new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=connect-ISP2 new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=connect-ISP1 new-routing-mark=ISP1 passthrough=yes
/ip firewall nat
add chain=srcnat action=accept dst-address-list=StaticIPs
Get rid of all dst-address-type parameters; remove them completely. Your last changes to them broke it completely, and anyway, dst-address-type=local means a local address assigned to the router, so with these rules it doesn't do anything useful. Next step: if the Local-Addresses list contains the local subnets or individual addresses that should be accessible from other LANs, then this rule is correct:
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Local-Addresses in-interface-list=LANs_Local
The second one in chain=output is not needed. If it still won't work, the next thing to check is the forward chain rules in "/ip firewall filter"; make sure they don't block traffic between LANs (if that's what you want). You can also check, using Tools->Torch on the outgoing interface, whether traffic from one LAN passed through the router to the other, and whether there's anything coming back.
The NAT rule you added is useless too. But if you see traffic only in one direction and no responses, a different srcnat rule may be required as a hotfix. The problem could be that the device allows access only from its own subnet. So you could either reconfigure it, or use:
/ip firewall nat
add chain=srcnat dst-address=<printer> action=masquerade
It would hide all connections from other LANs behind the router's address, which is in the same subnet as the target device.
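Putting both answers together (the accept rule before the mark-routing rules, plus the lookup-only-in-table route rule), here is a complete per-LAN policy-routing config as an added example; it is not sob's or either poster's config, and the LAN3 subnet, interface names, address-list name, routing-mark names and gateway placeholders are assumed:

```routeros
# Added example, not from the thread. Subnets, interface names and
# gateway placeholders are assumed; adjust to your own setup.
/ip firewall address-list
add list=Local-Addresses address=192.168.3.0/24 comment="LAN1 (assumed)"
add list=Local-Addresses address=192.168.2.0/24 comment="LAN2 (assumed)"
add list=Local-Addresses address=192.168.4.0/24 comment="LAN3 with Pi-hole (assumed)"

/ip firewall mangle
# Accept first: accept ends mangle processing for the packet in prerouting,
# so LAN-to-LAN and LAN-to-Pi-hole traffic never gets a routing-mark and
# is routed from the main table.
add chain=prerouting action=accept dst-address-list=Local-Addresses in-interface-list=LANs_Local
# Everything else from LAN1 leaves via ISP1, from LAN2 via ISP2.
add chain=prerouting action=mark-routing src-address=192.168.3.0/24 new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting action=mark-routing src-address=192.168.2.0/24 new-routing-mark=to_ISP2 passthrough=no

/ip route rule
# Belt and braces: even a marked packet to a local subnet is looked up in main only.
add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main

/ip route
# Per-mark default routes; check-gateway=ping disables the route when the ISP is down.
add dst-address=0.0.0.0/0 gateway=ISP1_GW_IP routing-mark=to_ISP1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=ISP2_GW_IP routing-mark=to_ISP2 check-gateway=ping distance=1
# Main-table default for unmarked traffic (router itself, LAN3): ISP1 with
# failover to ISP2 by distance (assumed; the OP used an ECMP gateway list instead).
add dst-address=0.0.0.0/0 gateway=ISP1_GW_IP check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=ISP2_GW_IP check-gateway=ping distance=2

/ip firewall nat
# Masquerade per WAN interface (assumed names); nothing here touches LAN-to-LAN traffic.
add chain=srcnat out-interface=ether1-ISP1 action=masquerade
add chain=srcnat out-interface=ether2-ISP2 action=masquerade
```

With this ordering, a packet from LAN1 to the Pi-hole matches the accept rule and stops there; only traffic to non-local destinations reaches the mark-routing rules.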
Thx sob
It's old, but I got the answer from here.