Multiple WAN Connections With Port Forwarding

RouterOS Beginner Basics
1

Hey everyone,

Just to start, I am CCNP however this is my first time using mikrotik so unfamiliarity is over 9000.

Right, so, I’m busy setting up a site, the site has a single 100Mbps fiber line. The site uses two different ISPs, each connection established via PPPoE.

The first connection, call it WA-PPPoE, is capped at 300GB.
The second connection, call it AX-PPPoE, is uncapped but only 1Mbps.

There is only 1 ethernet connection, RouterOS is running inside a VM with a single network adapter assigned. It’s IP is 192.168.0.251

The 300GB connection, WA-PPPoE, is the primary link. The site Almost reaches the cap come month end, but generally speaking they manage it well. However should the time ever come that they do reach their 300GB cap too soon (or there’s a general failure), they need to fall over to the 1Mbps PPPoE connection, AX-PPPoE.

The 1Mbps uncapped connection, AX-PPPoE, isn’t just there for failover though. It is used for remote access via SSH and RDP as the most commonly used protocols. The linux server listens for SSH connections on port 8841.

Both of the WAN links, WA-PPPoE and AX-PPPoE, have their public IPs dynamically assigned by the ISP. There is no option for static address reservation from said ISPs.

\



Router Local LAN:
ether1 192.168.0.251/24

WAN:
AX-PPPoE: Dynamic IP
WA-PPPoE: Dynamic IP

Server:
Linux Server1 – IP: 192.168.0.100 – SSH Port 8841
Windows Server1 – IP: 192.168.0.110 – RDP Port 3389

So, I’ve set the router up… mostly… the CLI is pretty stright forward for the basics. Both PPPoE connections have been created and have successfully established connections with their respective ISPs. I’ve tested them on their own with NAT rules to confirm throughput. I can NAT a single interface and forward the ports easily enough… but then I’m left with one PPPoE interface “un-natted”.

What I’m having issues with is creating the routing rules and marking the relevant traffic for the relevant interfaces. Such that if I SSH to;

for example
Connect via AX-PPPoE – 196.175.35.2:8841 (assume that this is my dynamic IP) – forwarded to 192.168.0.100;
Then the traffic needs to me marked for that interface such that any incomming or outgoing packets will use AX-PPPoE…

However, the exact same example needs to work if instead the WA-PPPoE WAN link is used, say perhaps AX-PPPoE is down due to ISP issues.


I don’t want the interfaces to load balance. If I understand this all properly then the distance of the WA-PPPoE connection should be 1 whilst AX-PPPoE should be 2.

2

Seem to have done it with this? After doing some research on the matter....

Any mistakes I'll come to regret?

\

WA-PPPoE In & Out Interface

/ip firewall mangle add action=mark-connection chain=input in-interface=WA-PPPoE new-connection-mark=WA-PPPoE_conn passthrough=yes disabled=no comment="in WA,out WA"
/ip firewall mangle add action=mark-routing chain=output connection-mark=WA-PPPoE_conn new-routing-mark=WA-PPPoE_traffic passthrough=no disabled=no comment="in WA,out WA"

AX-PPPoE In & Out Interface

/ip firewall mangle add action=mark-connection chain=input in-interface=AX-PPPoE new-connection-mark=AX-PPPoE_conn passthrough=yes disabled=no comment="in AX,out AX"
/ip firewall mangle add action=mark-routing chain=output connection-mark=AX-PPPoE_conn new-routing-mark=AX-PPPoE_traffic passthrough=no disabled=no comment="in AX,out AX"

WA Forward

/ip firewall mangle add action=mark-connection chain=forward in-interface=WA-PPPoE connection-state=new new-connection-mark=WA-PPPoE_pfw passthrough=no disabled=no comment="pfw WA, out WA"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=ether1 connection-mark=WA-PPPoE_pfw new-routing-mark=wan1_traffic passthrough=no disabled=no comment="pfw WA, out WA"

AX Forward

/ip firewall mangle add action=mark-connection chain=forward in-interface=AX-PPPoE connection-state=new new-connection-mark=AX-PPPoE_pfw passthrough=no disabled=no comment="pfw AX, out AX"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=ether1 connection-mark=AX-PPPoE_pfw new-routing-mark=AX-PPPoE_traffic passthrough=no disabled=no comment="pfw AX, out AX"

WA dist1 & AX dist 2 Routing

/ip route add dst-address=0.0.0.0/0 gateway=WA-PPPoE distance=1 routing-mark=WA-PPPoE_traffic disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=AX-PPPoE distance=2 routing-mark=AX-PPPoE_traffic disabled=no

3

Still need assistance on scripting the router such that if WA-PPPoE goes down then AX-PPPoE will take over. While the router monitors for link-up status WA-PPPoE, and will change the routing back when connectivity is re-established.

If anyone can help me, please.

4

Apologies for all the posts…

Seems like my configuration isn’t working exactly as planned. For some reason the AX-PPPoE link is being used as the primary interface.

Supposed to be WA-PPPoE.

Anyone know what’s going on there?

5

Solved it all… Research always wins I suppose