Multiple WAN - The Third WAN on sfp3

I have 2 WANs on sfp1 (61.219.84.107) and sfp2 (61.219.84.108); now I would like to add a third WAN on sfp3 (61.219.84.105).
The local area network keeps the default address, 192.168.88.1/24.

A very strange thing is that if I add 61.219.84.105 to the “Address List”, then the local network will be forced to change from 192.168.88.1 to 61.219.84.105.
Whenever you change it back, it will automatically be forced back to 61.219.84.105.

Any recommendation, please?
Capture-good.JPG
Capture-bad.JPG
ConfigWithADDress105.rsc (8.45 KB)

There is nothing weird going on; the router is simply working in accordance with the rules you have made.
To comment further:
/export file=anynameyouwish (minus router serial number, any real public WAN IP info, keys etc.)

Thanks for your comments. I uploaded my configuration with the new address 61.219.84.105 added on sfp3.

sfp3 and 61.219.84.105 are all newly added configuration items; the original setting doesn't have them.

Okay, same gateway, three different WAN IPs, from the same provider.

  1. What should be the priority of the WANs? (all used equally, or one only and the rest are backups, in terms of normal outgoing LAN traffic…)

  2. You have servers, and they are to be accessible by different WANs, correct…

  3. Any VPN or router services accessed externally?

  4. The first mistake I see is making WAN ports part of the bridge; they should be removed from bridge ports.

  5. Don't see any masquerade rule for sfp3.

  6. After understanding all the requirements for traffic flows, external and internal, then one can figure out routes and mangling properly.

Yes. Different WAN IPs (6 IPs in total) to the same gateway.

ANS1: No priority.
ANS2: Yes, sfp1 for general use and the Exchange Server, sfp2 for the NAS.
ANS3: Yes, NAS and Exchange Server, SharePoint Server, etc.
ANS4: WAN ports are all disabled.
ANS5: I will add masquerade, and actually added it before, but I don't need to add it to make “Quick Set” change my local network from 192.168.88.1 to 61.219.84.105; therefore I didn't set it before I packed the configuration.
ANS6: The question is: with the original working routing, I just added the third address 61.219.84.105, then “Quick Set” changed my local network from 192.168.88.1 to 61.219.84.105, and I added nothing other than the address.
Capture.JPG

Question not answered: why do you have three WANs??
If you don't have a priority WAN and the other two being backup, what is the thinking?
If you want LAN users to be able to use all three WANs then that is a load sharing setup for the WANs.

You should not be using QuickSet if you have multiple WAN.

The reason QuickSet shows the wrong LAN IPs is that it's looking for the IP of an interface named “bridge”. Since you renamed that, it's just guessing the first interface is the LAN. But this is only an issue if you click OK in QuickSet – which will then make the IP shown the LAN & break everything.

quickset=quicksand :slight_smile:

Three WANs are for serving 3 different servers on the Internet: Exchange Server on sfp1, NAS server on sfp2, Proxmox environment on sfp3. Internal LAN users will surf the Internet via sfp1, the default routing interface. No priority.

That is, the major incoming traffic is from the Internet: when it goes for email, it goes via sfp1 to the Exchange Server; for the NAS, via sfp2; for PVE, via sfp3. Those on the internal network will be looped back by DNS to connect internally without going through the sfp interfaces.

  1. No, even though the QuickSet LAN shows a WAN IP, it didn't break the connection of sfp3 or any other connections.
  2. The bridge didn't include the WAN interfaces; they are all disabled but kept for reference.
  3. No, QuickSet recognizes my third WAN (sfp3) as LAN, not LAN as WAN.
  4. I didn't configure QuickSet; I only added the “address list”, IP->Routes->WAN3, mangle to prerouting mark WAN3, masquerade, srcnat to the internal server.
  5. If you place the QuickSet window side by side with the “Address List” window and add the WAN IP to the address list, the QuickSet LAN shows the WAN IP right away. Disable or remove the WAN IP, and QuickSet shows the normal LAN IP 192.168.88.1/24 as before. Nothing else is involved.

I am wondering whether it would be possible that QuickSet has recognized something wrongly?

QuickSet might need the comment “defconf” on the bridge for it to show the right LAN. Since I use QuickSet as a status page… I know it uses either the name or the comment “defconf”. On a particular device it's pretty deterministic, but it varies by device/version how it specifically finds the LAN etc.

To be clear, QuickSet showing something wrong is not going to break anything. It really is just guessing wrong from the config.

LAN interface is not a bridge port, by the way…
Also cannot make heads or tails of this dstnat rule.
add action=dst-nat chain=dstnat comment="NAS Channel" dst-address=\
    61.219.84.108 in-interface=sfp2 log=yes protocol=tcp to-addresses=\
    192.168.88.220 to-ports=0-65535

You want your router to accept all traffic (every port) hitting your WAN IP???
Until we rationalize it… removed.
FW are crap
+++++++++++++++++++++++++++++++++++++++++++++

# model = CCR1036-12G-4S
# serial number = XXXXXXXXXXXXXX
/interface bridge
add name=BridgeLAN port-cost-mode=short protocol-mode=none
/interface bonding
add mode=balance-xor name=BondingNAS slaves=ether10,ether11
/interface list
add name=WAN
add name=LAN
/routing table
add fib name=useWAN2
/interface bridge port
add bridge=BridgeLAN ingress-filtering=no interface=BondingNAS
add bridge=BridgeLAN ingress-filtering=no interface=ether1
add bridge=BridgeLAN ingress-filtering=no interface=ether2
add bridge=BridgeLAN ingress-filtering=no interface=ether3
add bridge=BridgeLAN ingress-filtering=no interface=ether4
add bridge=BridgeLAN ingress-filtering=no interface=ether5
add bridge=BridgeLAN ingress-filtering=no interface=ether6
add bridge=BridgeLAN ingress-filtering=no interface=ether7
add bridge=BridgeLAN ingress-filtering=no interface=sfp4
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=sfp1 list=WAN
add interface=sfp2 list=WAN
add interface=sfp3 list=WAN
add interface=BridgeLAN list=LAN
/ip address
add address=61.219.84.107/24 interface=sfp1 network=61.219.84.0
add address=61.219.84.108/24 interface=sfp2 network=61.219.84.0
add address=61.219.84.105/24 interface=sfp3 network=61.219.84.0
add address=192.168.88.1/24 interface=BridgeLAN network=192.168.88.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,168.95.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="accept only LAN traffic" in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"
++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward \
    connection-state=established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop All Else"
/ip firewall mangle
add chain=forward action=mark-connection connection-mark=no-mark \
    in-interface=sfp2 new-connection-mark=incomingWAN2 passthrough=yes
add chain=prerouting action=mark-routing connection-mark=incomingWAN2 \
    src-address=192.168.88.220 new-routing-mark=useWAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=sfp1
add action=masquerade chain=srcnat log=yes out-interface=sfp2
add action=masquerade chain=srcnat log=yes out-interface=sfp3
add action=dst-nat chain=dstnat comment="NAS Channel" dst-address=\
    61.219.84.108 dst-port=443 log=yes protocol=tcp to-addresses=192.168.88.220
add action=dst-nat chain=dstnat comment="SBS2011" dst-port=25 dst-address=\
    61.219.84.107 log=yes protocol=tcp to-addresses=192.168.88.7
add action=dst-nat chain=dstnat comment="SBS2011" dst-port=987 dst-address=\
    61.219.84.107 log=yes protocol=tcp to-addresses=192.168.88.7
add action=dst-nat chain=dstnat comment="SBS2011" dst-port=80 dst-address=\
    61.219.84.107 log=yes protocol=tcp to-addresses=192.168.88.7
add action=dst-nat chain=dstnat comment="SBS2011" dst-port=443 dst-address=\
    61.219.84.107 log=yes protocol=tcp to-addresses=192.168.88.7
add action=dst-nat chain=dstnat comment="RPC over HTTP" dst-address=\
    61.219.84.107 dst-port=6001-6005 protocol=tcp to-addresses=192.168.88.7
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 \
    gateway=61.219.84.254%sfp1 routing-table=main
add distance=4 check-gateway=ping dst-address=0.0.0.0/0 \
    gateway=61.219.84.254%sfp2 routing-table=main
add distance=6 dst-address=0.0.0.0/0 gateway=61.219.84.254%sfp3 \
    routing-table=main
+++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=61.219.84.254%sfp2 routing-table=useWAN2
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox

Added decon or deconf to the comment, but no use at all.
Capture1.JPG

  1. May I know what you mean by “LAN interface is not a bridge port”?
  2. Cannot make heads or tails of this dstnat rule —> 61.219.84.108 is the WAN IP, not LAN.
  3. to-ports=0-65535: restricted to 443 only now.

Unlikely to change anything, but:
defconf
NOT decon
NOT deconf
NOT defcon

Just tried defconf, but it doesn't lock the LAN on 192.168.88.1/24 either. QuickSet simply swaps my local network IP 192.168.88.1/24 to the WAN IP 61.219.84.105…

QuickSet being wrong is NOT going to affect the rest of the config's operation.

Is everything else working… and the ONLY issue is why QuickSet is showing the wrong LAN?

Please ignore QuickSet so we can focus on a working config. Unless you're a squirrel :slight_smile:

(1) Added back NAS on port 443 to the config.

(2) This had no meaning…
/interface bridge port
add bridge=BridgeLAN ingress-filtering=no interface=BondingNAS internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN disabled=yes ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN disabled=yes ingress-filtering=no interface=sfp2 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN disabled=yes ingress-filtering=no interface=sfp3 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN ingress-filtering=no interface=sfp4 internal-path-cost=10 path-cost=10

add bridge=BridgeLAN ingress-filtering=no interface=LAN internal-path-cost=10 path-cost=10
****
There is no such interface!! Removed.
There is an interface-list called LAN, but no interface! What goes under bridge ports are typically ether ports and wifi ports.

(3) The routing is set up such that sfp1 is the primary WAN. Thus we need not do anything special for:
a. all users, who will thus always be routed out WAN1
b. servers on the LAN accessed via WAN1 will have traffic returned out WAN1 (no mangling required)
c. servers on the LAN accessed via WAN2 will have traffic returned out WAN2.

squeak, squeak… :slight_smile:
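Added example (not anav's config and not the original poster's): the sfp3 counterpart of the useWAN2 pattern above, so that connections arriving on sfp3 for the Proxmox host have their replies routed back out sfp3 instead of following the main table's default via sfp1. The Proxmox LAN address 192.168.88.250, the TCP port 8006 and the names useWAN3/incomingWAN3 are assumptions.

```routeros
# Added example, not from the thread: return-path handling for the third WAN (sfp3).
# Assumed: Proxmox host at 192.168.88.250 (constructed), web UI on TCP 8006,
# table/mark names useWAN3 and incomingWAN3.
/routing table
add fib name=useWAN3

/ip firewall nat
# Expose only the one port the service needs, as the other dstnat rules in this config do.
add action=dst-nat chain=dstnat comment="Proxmox" dst-address=61.219.84.105 \
    dst-port=8006 protocol=tcp in-interface=sfp3 to-addresses=192.168.88.250

/ip firewall mangle
# Tag every new connection that entered through sfp3 (first packet only, hence no-mark).
add chain=forward action=mark-connection connection-mark=no-mark \
    in-interface=sfp3 new-connection-mark=incomingWAN3 passthrough=yes
# Reply packets from the LAN side that belong to such a connection get the useWAN3
# routing mark, so they are routed out sfp3 rather than the main table's sfp1 default.
add chain=prerouting action=mark-routing connection-mark=incomingWAN3 \
    in-interface-list=LAN new-routing-mark=useWAN3 passthrough=no

/ip route
# Default route for the useWAN3 table: same provider gateway, but bound to sfp3.
add dst-address=0.0.0.0/0 gateway=61.219.84.254%sfp3 routing-table=useWAN3
```

Because the fasttrack rule in the config above matches only connection-mark=no-mark, marked connections stay on the normal path, which is what lets the prerouting mark-routing rule see the reply packets.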

(1) Added back NAS on port 443 to the config.

Done, thanks for the guidance.

add bridge=BridgeLAN ingress-filtering=no interface=LAN internal-path-cost=10 path-cost=10

There is no such interface!! Removed.
There is an interface-list called LAN, but no interface! What goes under bridge ports are typically ether ports and wifi ports.

Thanks again for finding out the unnecessary setting, it’s inactive and removed.

(3) The routing is set up such that sfp1 is the primary WAN. Thus we need not do anything special for:
a. all users, who will thus always be routed out WAN1
b. servers on the LAN accessed via WAN1 will have traffic returned out WAN1 (no mangling required)
c. servers on the LAN accessed via WAN2 will have traffic returned out WAN2.

Thanks, I will check around.