Need Help for Seperate LAN to Different WAN Settings

Rezbin · November 14, 2016, 12:49pm

This is my 1st Post and hope will get some help.
I have 2 WAN connection and 2 LAN Network setup Code below. What i want to do is LAN-1 User will get WAN-1 Access and LAN-2 Will get WAN-2. But only LAN-1 user getting internet but LAN-2 not.

/interface ethernet
set [ find default-name=ether5 ]  name=FLOOR-5
set [ find default-name=ether3 ]  name=Local
set [ find default-name=ether4 ]  master-port=Local name=Local-4
set [ find default-name=ether1 ]  name=WAN1
set [ find default-name=ether2 ]  name=WAN2

/ip neighbor discovery
set FLOOR-5 comment="PORT-5 FOR 5TH FLOOR"
set Local comment="PORT-3"
set Local-4 comment="PORT-4, SLAVE OF PORT-3"
set WAN1 comment="PORT-1"
set WAN2 comment="PORT-2"

/ip address
add address=123.123.123.123/28 interface=WAN1 network=123.123.123.48
add address=444.444.444.444/30 interface=WAN2 network=444.444.444.68
add address=192.168.0.1/24 interface=Local network=192.168.0.0
add address=192.168.1.1/24 interface=FLOOR-5 network=192.168.1.0

/ip pool
add name=DHCP_POOL_1 ranges=192.168.0.2-192.168.0.254
add name=DHCP_POOL_2 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=DHCP_POOL_1 disabled=no interface=Local name=VINRACK_DHCP_1
add address-pool=DHCP_POOL_2 disabled=no interface=FLOOR-5 name=VINRACK_DHCP_2

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=202.164.215.3,8.8.8.8 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=180.234.0.193,180.234.8.193 gateway=192.168.1.1

/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8

/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_CONN passthrough=no
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_CONN passthrough=no

add action=mark-routing chain=output connection-mark=WAN1_CONN new-routing-mark=TO_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_CONN new-routing-mark=TO_WAN2 passthrough=no

add chain=prerouting dst-address=123.123.123.0/28 in-interface=Local
add chain=prerouting dst-address=444.444.444.0/30 in-interface=FLOOR-5

add action=mark-routing chain=prerouting connection-mark=WAN1_CONN in-interface=Local new-routing-mark=TO_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_CONN in-interface=FLOOR-5 new-routing-mark=TO_WAN2

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=WAN1_CONN
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=FLOOR-5 new-connection-mark=WAN2_CONN

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2


/ip route
add check-gateway=ping distance=1 gateway=123.123.123.49 routing-mark=TO_WAN1
add check-gateway=ping distance=1 gateway=444.444.444.69 routing-mark=TO_WAN2

add check-gateway=ping distance=1 gateway=123.123.123.49
add check-gateway=ping distance=2 gateway=444.444.444.69

Will some one please advice with code what i am missing. coz im nutts in this

Sob · November 15, 2016, 1:07am

Switch last two blocks of mangle rules, first mark connections from LANs and then mark routing for them. Because now when you have new connection, it doesn’t have any connection mark, so the first packet always uses default route. Next packet of connection gets routed correctly, but it’s too late if first one already went wrong way.

Rezbin · November 15, 2016, 7:52am

Really Guru its Working Well… you are great…

Hikove · November 22, 2016, 2:45am

Hi!
I hope someone still around this post.
My question is, with the configuration discussed here, the devices in Floor 5 can see the devices in the local network? and the other way around too?
If not, which rules in NAT or route do I need to add?
Thank you.

Sob · November 22, 2016, 4:27am

There’s nothing specifically blocking it, but since all connections from both subnets get their routing marked, even 192.168.x.x will go to one of ISP’s gateways. Use this rule:

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

Hikove · November 22, 2016, 12:20pm

Thank you very much for your help!
I will abuse your kindness with another question. ^^ Is there a way to make failover rules for both WANs (if WAN1 fail, both subnets go to WAN2 and vice-versa) in this example, w/o using a script? only rules.
If you could send me to a link to make it possible, I’d greatly appreciate it.
Thank you again.

Sob · November 22, 2016, 11:05pm

I did a quick test and it worked, this is the important part that should do the trick:

/ip route
add check-gateway=arp dst-address=0.0.0.0/0 gateway=<ISP1 GW IP> routing-mark=wan1
add check-gateway=arp dst-address=0.0.0.0/0 gateway=<ISP2 GW IP> routing-mark=wan2
/ip route rule
add dst-address=0.0.0.0/0 routing-mark=wan1 table=wan1
add dst-address=0.0.0.0/0 routing-mark=wan1 table=wan2
add dst-address=0.0.0.0/0 routing-mark=wan2 table=wan2
add dst-address=0.0.0.0/0 routing-mark=wan2 table=wan1

You’ll also want to re-mark connections using backup link to avoid another disconnection when the main one comes back:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=wan2 in-interface=<WAN1> new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=wan1 in-interface=<WAN2> new-connection-mark=wan2 passthrough=yes

Hikove · November 23, 2016, 1:39am

Thank you very much!!
I know now what I have to do.
I appreciate your help.