Multi-Wan with Proxy and Live IPs

Hi,

I have a scenario where I am a bit stuck. Below is brief info on what I am working on.

  1. We have 2 ISPs (ISP1 and ISP2).
  2. We have 2 separate Live IP pools from both ISPs (pool1 and pool2).
  3. Local clients use 192.168.10.0/24; a few clients are provided with a live IP (from ISP1 or ISP2, at random).
  4. A web proxy needs to be configured on the MikroTik for user web logs, as per company policy.
  5. Logs are needed only for 192.168.10.0/24, so live IPs are not required to go through the proxy.

I have configured the proxy to only accept 192.168.10.0/24, through a dst-nat rule in IP->Firewall->NAT.
I have configured separate routing-mark rules in IP->Firewall->Mangle. Below are the routing rules.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="WCALL Live IP Pool Routing" disabled=no in-interface=LAN new-routing-mark=\
    WCALL_LIVE_POOL passthrough=no src-address-list=wcall_liveips
add action=mark-routing chain=prerouting comment="TW Live IP Pool Routing" disabled=no in-interface=LAN new-routing-mark=\
    TW_LIVE_POOL passthrough=no src-address-list=tw_liveips
add action=mark-routing chain=prerouting comment="Special Route" disabled=no new-routing-mark=SPECIAL_ROUTE passthrough=no src-address-list=\
    special_route
add action=mark-routing chain=prerouting comment="SOC Route" disabled=no new-routing-mark=SOC_Route passthrough=no src-address-list=\
    second_floor
add action=mark-routing chain=prerouting comment="Mezzanine Route" disabled=no new-routing-mark=Mezzanine_Route passthrough=no \
    src-address-list=mezzanine
add action=mark-routing chain=prerouting comment="First Floor Routing" disabled=no new-routing-mark=first_floor_route passthrough=no \
    src-address-list=first_floor
add action=mark-routing chain=prerouting comment="Third Floor Route" disabled=no new-routing-mark=Third_Floor_Route passthrough=no \
    src-address-list=third_floor

I have defined routes for each routing mark to fit my need. Live IPs from ISP1 are set to route to the Gateway provided by ISP1 and Live IPs from ISP2 are set to route to the gateway provided by ISP2.

But what I am facing is that the default route is being used by everything. The routes that I created by specifying routing marks are not working.

I would like to know how I will be able to route only 192.168.10.0/24 to the proxy and not the live IPs from both ISPs, and also how the live IPs from each ISP can be routed to their respective gateways.


Looking for a quick and positive reply.

Post the following information:

/ip address print detail
/interface print detail
/ip route print detail
/ip firewall export

On a side note, globally routable unicast IPs are called “public IPs”, not “live IPs”.

Hi,

Thanks for your reply. Below are the details that you asked for; I have replaced IPs with "XXX".

[admin@firewall.mywall] > ip address print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.10.253/24 network=192.168.10.0 interface=LAN actual-interface=LAN 
 1   address=XXX.XXX.XXX.XXX/30 interface=TW actual-interface=TW      (Point to Point from ISP1 - TW /30)
 2   address=XXX.XXX.XXX.XXX/29 interface=LAN actual-interface=LAN    (Public Pool Gateway ISP1 - TW /29)
 3   address=192.168.1.10/24 network=192.168.1.0 interface=DSL actual-interface=DSL 
 4   address=XXX.XXX.XXX.XXX/30 interface=WCALL actual-interface=WCALL   (Point to Point from ISP2 - WCALL /30)
 5   address=XXX.XXX.XXX.XXX/28 interface=LAN actual-interface=LAN    (Public Pool Gateway ISP2 - WCALL /28)



[admin@firewall.mywall.com] > interface print detail 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="LAN" type="ether" mtu=1500 max-l2mtu=4096 

 1  R  name="WCALL" type="ether" mtu=1500 max-l2mtu=4096 

 2  R  name="TW" type="ether" mtu=1500 

 3  R  name="DSL" type="ether" mtu=1500



[admin@firewall.mywall.com] > ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP2> gateway-status=XXX.XXX.XXX.XXX reachable WCALL distance=1 scope=30 target-scope=10 
        routing-mark=first_floor_route 

 1 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP2> gateway-status=XXX.XXX.XXX.XXX reachable WCALL distance=1 scope=30 target-scope=10 
        routing-mark=Mezzanine_Route 

 2 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP1> gateway-status=XXX.XXX.XXX.XXX reachable TW distance=1 scope=30 target-scope=10 
        routing-mark=SOC_Route 

 3 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP2> gateway-status=XXX.XXX.XXX.XXX reachable WCALL distance=1 scope=30 target-scope=10 
        routing-mark=Third_Floor_Route 

 4 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP2> gateway-status=XXX.XXX.XXX.XXX reachable WCALL distance=1 scope=30 target-scope=10 
        routing-mark=WCALL_LIVE_POOL 

 5 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP1> gateway-status=XXX.XXX.XXX.XXX reachable TW check-gateway=ping distance=1 scope=30 
        target-scope=10



[admin@firewall.mywall.com] > ip firewall export 
# jul/06/2011 19:23:18 by RouterOS 5.4
# software id = N7I4-H05P
#
/ip firewall address-list
add address=192.168.10.53 disabled=no list=mezzanine
add address=192.168.10.48 disabled=no list=first_floor
add address=192.168.10.102 disabled=no list=second_floor
add address=192.168.10.49 disabled=no list=third_floor
add address=192.168.10.10 disabled=no list=servers
add address=XXX.XXX.XXX.XXX disabled=no list=liveips          (Public IP from ISP1)
add address=XXX.XXX.XXX.XXX disabled=no list=wcall_liveips    (Public IP from ISP2)

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=drop chain=forward disabled=no p2p=all-p2p src-address-list=!liveips
add action=drop chain=forward disabled=yes src-address-list=first_floor

/ip firewall mangle
add action=mark-routing chain=prerouting comment="ISP2 WCall Live IP Pool Routing" disabled=no in-interface=LAN new-routing-mark=\
    WCALL_LIVE_POOL passthrough=no src-address-list=wcall_liveips
add action=mark-routing chain=prerouting comment="SOC Route" disabled=no new-routing-mark=SOC_Route passthrough=no src-address-list=\
    second_floor
add action=mark-routing chain=prerouting comment="Mezzanine Route" disabled=no new-routing-mark=Mezzanine_Route passthrough=no \
    src-address-list=mezzanine
add action=mark-routing chain=prerouting comment="First Floor Routing" disabled=no new-routing-mark=first_floor_route passthrough=no \
    src-address-list=first_floor
add action=mark-routing chain=prerouting comment="Third Floor Route" disabled=no new-routing-mark=Third_Floor_Route passthrough=no \
    src-address-list=third_floor

/ip firewall nat
add action=src-nat chain=srcnat comment="WCALL Live Pool" disabled=yes src-address=XXX.XXX.XXX.111 to-addresses=XXX.XXX.XXX.111
add action=src-nat chain=srcnat comment="TW Live Pool" disabled=no src-address=XXX.XXX.XXX.222 to-addresses=XXX.XXX.XXX.222
add action=redirect chain=dstnat comment="Everything to Proxy except Mezzanine" disabled=no dst-port=80 protocol=tcp src-address=\
    192.168.10.0/24 to-ports=8080
add action=masquerade chain=srcnat disabled=no src-address-list=first_floor
add action=masquerade chain=srcnat disabled=no src-address-list=mezzanine
add action=masquerade chain=srcnat disabled=no src-address-list=second_floor
add action=masquerade chain=srcnat disabled=no src-address-list=third_floor
add action=masquerade chain=srcnat disabled=no src-address-list=servers

/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes
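A quick consistency check over listings like the ones pasted in this thread, as an added example (not code from the thread or from MikroTik). It parses `/ip firewall export` and `/ip route print detail` text and reports three things a practitioner would look for when "everything takes the default route": prerouting mark-routing rules whose routing mark has no active route (RouterOS then falls back to the main table, so the mark has no effect), rules that reference an address list the export never defines (such rules never match), and routes carrying a mark that no rule sets. The sample input is constructed and abridged from the posts above, combining the first post's mangle rules with the later export's address lists and routes; the mezzanine mangle rule is deliberately left out so the unused-route check has something to report. It is written in Python rather than RouterOS script because it works on the pasted text offline.

```python
"""Consistency check for RouterOS policy routing (added example, not from the thread)."""
import re

# Constructed sample input, abridged from the listings in this thread.
EXPORT = r"""
/ip firewall address-list
add address=192.168.10.53 disabled=no list=mezzanine
add address=192.168.10.102 disabled=no list=second_floor
add address=XXX.XXX.XXX.XXX disabled=no list=liveips
add address=XXX.XXX.XXX.XXX disabled=no list=wcall_liveips
/ip firewall filter
add action=drop chain=forward disabled=no p2p=all-p2p src-address-list=!liveips
/ip firewall mangle
add action=mark-routing chain=prerouting comment="WCALL Live IP Pool Routing" disabled=no in-interface=LAN new-routing-mark=\
    WCALL_LIVE_POOL passthrough=no src-address-list=wcall_liveips
add action=mark-routing chain=prerouting comment="TW Live IP Pool Routing" disabled=no in-interface=LAN new-routing-mark=\
    TW_LIVE_POOL passthrough=no src-address-list=tw_liveips
add action=mark-routing chain=prerouting comment="Special Route" disabled=no new-routing-mark=SPECIAL_ROUTE passthrough=no src-address-list=\
    special_route
add action=mark-routing chain=prerouting comment="SOC Route" disabled=no new-routing-mark=SOC_Route passthrough=no src-address-list=\
    second_floor
/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=192.168.10.0/24 to-ports=8080
add action=masquerade chain=srcnat disabled=no src-address-list=second_floor
"""

ROUTES = """
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP2> gateway-status=XXX.XXX.XXX.XXX reachable WCALL distance=1 scope=30 target-scope=10
        routing-mark=Mezzanine_Route
 1 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP1> gateway-status=XXX.XXX.XXX.XXX reachable TW distance=1 scope=30 target-scope=10
        routing-mark=SOC_Route
 2 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP2> gateway-status=XXX.XXX.XXX.XXX reachable WCALL distance=1 scope=30 target-scope=10
        routing-mark=WCALL_LIVE_POOL
 3 A S  dst-address=0.0.0.0/0 gateway=<GW of ISP1> gateway-status=XXX.XXX.XXX.XXX reachable TW check-gateway=ping distance=1 scope=30
        target-scope=10
"""

_ENTRY = re.compile(r"\s*\d+\s")            # ' 0 A S  dst-address=...' print-detail entry
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')  # key=value or key="quoted value"


def join_continuations(text):
    """Merge export lines ending in '\\' (joined directly) and indented print-detail continuations."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        elif lines and raw[0].isspace() and not _ENTRY.match(raw):
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_kv(line):
    """Return the key=value tokens of one rule or route entry as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def parse_export(text):
    """Split '/ip firewall export' into defined address-list names and the rules of each section."""
    section, lists, rules = None, set(), {}
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = parse_kv(line)
            if section == "/ip firewall address-list":
                lists.add(kv["list"])
            else:
                rules.setdefault(section, []).append(kv)
    return lists, rules


def parse_routes(text):
    """Parse '/ip route print detail' entries; the flag column decides whether a route is active."""
    routes = []
    for line in join_continuations(text):
        if _ENTRY.match(line) and "dst-address=" in line:
            flags = line.split("dst-address=", 1)[0].split()[1:]  # e.g. ['A', 'S']
            kv = parse_kv(line)
            kv["active"] = "A" in flags
            routes.append(kv)
    return routes


def audit(export_text, route_text):
    """Return (kind, subject) findings: marks without a route, undefined lists, routes no rule uses."""
    lists, rules = parse_export(export_text)
    routed_marks = {r["routing-mark"] for r in parse_routes(route_text) if r["active"] and "routing-mark" in r}
    findings, set_marks = [], set()
    for section, section_rules in rules.items():
        for rule in section_rules:
            if rule.get("disabled") == "yes":
                continue
            for key in ("src-address-list", "dst-address-list"):
                lst = rule.get(key, "").lstrip("!")          # '!list' negates, but still needs the list
                if lst and lst not in lists:
                    findings.append(("undefined-list", f"{section}: {lst}"))
            if rule.get("action") == "mark-routing":
                mark = rule["new-routing-mark"]
                set_marks.add(mark)
                if mark not in routed_marks:                  # packet falls back to the main table
                    findings.append(("no-route", mark))
    for mark in sorted(routed_marks - set_marks):
        findings.append(("unused-route", mark))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(EXPORT, ROUTES):
        print(f"{kind:15} {subject}")
```

Run against the constructed sample it reports the two marks set by the first post's rules that have no route (TW_LIVE_POOL and SPECIAL_ROUTE), the two address lists those rules reference but the export never defines (tw_liveips and special_route), and the Mezzanine_Route route that no remaining rule uses. On a real box, feed it the output of the two commands the reply asked for; disabled rules and inactive routes are ignored so the result reflects what the router actually applies.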