Hi. I’m a relative Mikrotik newb, my first post to this forum so pardon my inexperience. I have a basic understanding of networks, but struggling with a rather simple concept. We’ve just introduced a 2nd ISP connection, using ISP2 as an isolated Guest wireless network. PCs and servers right now on the same subnet currently use ISP1. I would like to move the PC/Internet traffic to its own 10.10.10.x/24 subnet. Not looking to load-balance right now, but simply split the PC Internet traffic to use ISP2 and the internal server/Web hosting using ISP1. PC to server network traffic is necessary for AD authentication and backups. I don’t want to hammer the TMG F/W with internal traffic. We have a spare Mikrotik 750 that I’d like to use as the internal router. All other internal devices are unmanaged layer 2 switches.
My first goal was to pass traffic between the new PC network and Server network. What I’ve tried so far on the default Mikrotik config:
Disabled default f/w rules and NAT
Disabled DHCP server on ether2
Added IP 10.10.10.1 and DHCP server to ether3 (no Master port). Host picked up IP and default gateway 10.10.10.1
Added IP 192.168.1.2 to ether4 (no Master port)
The routes were dynamically added. I could not ping the 10.10.10.11 host from the Mikrotik. I could ping IPs on 192.168.1.x from the Mikrotik. At this point, I figured I was heading down the wrong path, but…
Added static route on TMG server: route add 10.10.10.0 mask 255.255.255.0 192.168.1.2
This is where it gets murkier. After adding the internal 10.10.10.0 network and a f/w rule on TMG, I was able to ping between hosts on the 2 subnets. I don’t want the firewall in the way, so I attempted to enable RIP on the Mikrotik ether4 interface.
It did not produce desirable results, so I removed RIP. At some point I introduced a routing loop on the 192.168.1 subnet (TMG f/w logs saying ping traffic denied due to TTL expiring, but it worked earlier). Backed out all TMG changes.
I haven’t created the default route for PC Internet traffic on ether1 yet, as routing internal traffic is the primary goal at this point. At no point could I ping the 10.10.10.11 host from the Mikrotik. After reading some posts on similar topics, it’s suggested to place another router behind the TMG firewall?
Thanks in advance.
I created a diagram of how I would do it with 1 router.
On the Mikrotik router, create 2 mangle rules.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=PCRoute src-address=10.10.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=ServerRoute src-address=192.168.1.0/24
Then go to IP Routes, and add 2 new static default routes.
/ip route
add distance=1 gateway=ether1 routing-mark=PCRoute
add distance=1 gateway=ether2 routing-mark=ServerRoute
This ‘should’ route Internet traffic from the PC side out the correct port.
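As an added example (not the reply author's config), the same mark-and-route approach carried through with the pieces a working split needs: marks that exclude PC-to-server traffic, next-hop gateways instead of interface names, a main-table default, and per-WAN source NAT. Interface roles and gateway addresses are assumptions (RouterOS v6 syntax, placeholder IPs).

```routeros
# Assumed roles: ether1 = ISP2 (PC Internet), ether2 = ISP1 (server Internet),
# ether3 = 10.10.10.0/24 (PCs), ether4 = 192.168.1.0/24 (servers).
# Gateway addresses below are placeholders; use the real ISP next-hops.

# Mark only Internet-bound traffic. Excluding the other internal subnet keeps
# AD and backup traffic on the directly connected routes rather than sending
# it toward a WAN. Router-originated pings never pass prerouting, so they are
# unaffected by these marks.
/ip firewall mangle
add chain=prerouting in-interface=ether3 src-address=10.10.10.0/24 \
    dst-address=!192.168.1.0/24 action=mark-routing new-routing-mark=PCRoute \
    passthrough=no comment="PC Internet -> ISP2"
add chain=prerouting in-interface=ether4 src-address=192.168.1.0/24 \
    dst-address=!10.10.10.0/24 action=mark-routing new-routing-mark=ServerRoute \
    passthrough=no comment="Server Internet -> ISP1"

# One default route per mark, pointing at the next-hop IP rather than the
# interface so the router does not ARP for every Internet destination.
# Unmarked traffic (and anything whose table has no match) falls back to main,
# which needs its own default route.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=PCRoute distance=1 \
    comment="ISP2 placeholder gateway"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=ServerRoute distance=1 \
    comment="ISP1 placeholder gateway"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 comment="main table default"

# Source NAT per WAN so replies return on the link the request left on.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT via ISP2"
add chain=srcnat out-interface=ether2 action=masquerade comment="NAT via ISP1"

# Basic stateful filter so neither WAN can initiate connections inward.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop
add chain=forward in-interface=ether2 connection-state=new action=drop

# Check that the marks are actually being hit before trusting the routes.
/ip firewall mangle print stats
/ip route print where routing-mark=PCRoute
```

If the PCRoute counter stays at zero while PCs browse, the packets are not arriving on ether3 with a 10.10.10.0/24 source, which points back at the interface or DHCP setup rather than the routes.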