Multiple internet services & Multiple WAN

Hello!
I have two WANs connected to the MikroTik with 2 independent IPs; currently they work as failover. I would like to be able to access all the services that I have shared (html, ssh, mail server…) independently from each IP. I start to think it’s impossible…
I guess my problem will be in the configuration of mangle or in the routes (Pepe is ISP-1 and LTE1 is ISP-2):

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Pepe new-connection-mark=pepe_conn passthrough=yes
add action=mark-routing chain=output connection-mark=pepe_conn new-routing-mark=to-Pepe passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=lte1 new-connection-mark=Vdfn_conn passthrough=yes
add action=mark-routing chain=output connection-mark=Vdfn_conn new-routing-mark=to-Vdfn passthrough=no
add action=mark-routing chain=prerouting connection-mark=pepe_conn in-interface=bridgeLAN new-routing-mark=to-Pepe passthrough=no
add action=mark-routing chain=prerouting connection-mark=Vdfn_conn in-interface=bridgeLAN new-routing-mark=to-Vdfn passthrough=no


/ip route
add comment="MONITOR Pepe" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.5.1 pref-src=0.0.0.0 routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="MONITOR Vdfn" disabled=no distance=1 dst-address=4.2.2.2/32 gateway=lte1 pref-src=0.0.0.0 routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="ROUTING Pepe" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=0.0.0.0 routing-table=to-Pepe scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="ROUTING Vdfn" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=4.2.2.2 pref-src=0.0.0.0 routing-table=to-Vdfn scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="DEFAULT Route - Backup (Vdfn)" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=4.2.2.2 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="DEFAULT Route - MAIN (Pepe)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="FAILOVER Pepe" disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=4.2.2.2 pref-src=0.0.0.0 routing-table=to-Vdfn scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="FAILOVER Vdfn" disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=to-Pepe scope=30 suppress-hw-offload=no target-scope=11



Thank you

It’s very possible. Your mangle rules seem correct. I’m not completely sure about routes, because I don’t use recursive routing often enough myself. As a quick test, you can try these instead of the two (ROUTING Pepe/Vdfn) you have:

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-table=to-Pepe
add dst-address=0.0.0.0/0 gateway=lte1 routing-table=to-Vdfn

If it doesn’t change anything, then it’s either something else in your config (firewall filter or NAT), or some outside influence (ISP config).

Hello everybody again.

Finally, the original config works… but has a stranger problem…

If I make a direct connection to the MikroTik (ssh or webmin) through the backup connection, it works perfectly. However, if I connect to a computer behind the MikroTik (ssh to a Raspberry), the connection becomes very slow. I have discovered that if I have WinBox open with Torch running on the interface of the backup connection, it works fast and stable. Any idea why this happens? Thank you

Fasttrack, probably. Add connection-mark=no-mark to it.

Sorry, I don’t understand what I should do.

I’ve done like this and it’s still going slow.

/ip/firewall/filter
add action=accept chain=forward comment="pidesktop TCP4000" connection-mark=no-mark dst-port=4000 in-interface-list=WAN protocol=tcp

/ip firewall nat
add action=dst-nat chain=dstnat comment="pi4desktop TCP 4000 -> 22" dst-port=4000 protocol=tcp to-addresses=192.168.90.254 to-ports=22

Do you have a rule in firewall filter with action=fasttrack-connection? If so, that’s the one you should change.

Excellent, it works!!!

Thank you very much!!!
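
Added example, not part of the thread or of any MikroTik tooling: a small Python check for the Fasttrack fix confirmed above. Fasttracked packets skip the mangle chains, so connections that rely on mark-routing must be excluded from the fasttrack-connection rule with connection-mark=no-mark. The function names and the sample export are constructed for illustration; the mangle rules in the sample reuse the names from the first post.

```python
import shlex

# Constructed sample export (not from the thread): one fasttrack rule without
# the fix suggested in the thread ("before"), one with it ("after").
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=lte1 new-connection-mark=Vdfn_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Vdfn_conn in-interface=bridgeLAN new-routing-mark=to-Vdfn passthrough=no
/ip firewall filter
add action=fasttrack-connection chain=forward comment="before" connection-state=established,related
add action=fasttrack-connection chain=forward comment="after" connection-mark=no-mark connection-state=established,related
add action=accept chain=forward connection-state=established,related
"""

def parse_export(text):
    """Return {section: [rule_dict, ...]} for the 'add' lines of a RouterOS export."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):         # accepts "/ip firewall filter" and "/ip/firewall/filter"
            current = " ".join(line.lstrip("/").replace("/", " ").split())
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[current].append(dict(pairs))
    return sections

def risky_fasttrack_rules(text):
    """Fasttrack rules that would also fasttrack policy-routed (marked) connections."""
    cfg = parse_export(text)
    uses_marks = any(r.get("action") == "mark-routing" and "connection-mark" in r
                     for r in cfg.get("ip firewall mangle", []))
    if not uses_marks:                   # no policy routing by connection mark: nothing to flag
        return []
    return [r for r in cfg.get("ip firewall filter", [])
            if r.get("action") == "fasttrack-connection"
            and r.get("connection-mark") != "no-mark"]

if __name__ == "__main__":
    for rule in risky_fasttrack_rules(SAMPLE_EXPORT):
        print("fasttrack rule without connection-mark=no-mark:", rule)
```
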