Problem with Two Separate WAN Connections on MikroTik CCR2004

RouterOS General
1

Hello my friends,
Merry Christmas to all of you, and I hope you have a great weekend..!

I have the following scenario:

I have MikroTik CCR2004 with two WAN connections:

WAN-1 connected to Ether-1 from ONU-1
WAN-2 connected to Ether-13 from ONU-2
For WAN-1, I have two public IP addresses, and I am using both of them. I assigned the IPs as follows:

ether-1 = xxx.xx.xx.85
ether-1 = xxx.xx.xx.84
I have also assigned SRC NAT rules for both IPs to the following two bridges that use this IPs

Bridge-1 = 192.168.0.1/24
Bridge-2 = 10.0.0.0/24

For WAN-2, I have also two public IP addresses, but I am using only one of them:

ether-13 = xxx.xx.xx.123
I have assigned a SRC NAT rule for the following bridge and I want it to use this public IP.

Bridge-3 = 172.16.0.1/24
All public IPs in WAN -1- and WAN -2- have the same gateway.

The problem is that I am unable to get Bridge-3 subnet to connect to the internet.

You can see the configuration file for more details.
ccr2004.rsc (11 KB)

2

Merry Christmas to you too! I have only skimmed your configuration but I think the problem is that you have used a routing rule for scr-address 172.16.0.0/24 which looks ONLY at the Server 2 routing table (“action=lookup-only-in-table”). Problem is there is no route configured for Server 2 routing table so nothing is basically reachable.

3

Hello, my friend!

Thank you for your attention. No, there is a route configuration for Server 2, but I changed the name in the file above. Now I’ve corrected the name as it should be.
My problem was that I forgot to add ether13 to the WAN address list table. However, I still have an issue: I am not sure if all the other traffic from Bridge 1 and Bridge 2 is also using ether13, which I don’t want to happen.

4

It shouldn’t but this is easy to check anyway. Hook up a pc and issue traceroute or tracert and check the hops. Or simpler, go a browser and type what is my ip address. You should see different public ip addresses when connecting to different bridges. For example, when using bridge x it shows x.x.x.x and when using bridge y it shows y.y.y.y or whatever. This means the traffic goes out a different interface

5

First thing. check your configuration, whenever there is a “*” (asterisk followed by a (hex) number, it is a reference to something that was deleted/moved/renamed and that RoS cannot find anymore, it is a placeholder for something that was there but doesn’t exist anymore:

/interface list member
add interface=ether1 list=WAN
add interface=bridge1-Wifi list=LAN
add interface=*16 list=LAN
add interface=macvlan1 list=WAN
add interface=wireguard1 list=LAN
add interface=“bridge2-Server -1-” list=LAN
add interface=“bridge3-Server -2-” list=LAN



/ip route

add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1
pref-src=“” routing-table=“ERP Server” scope=30 suppress-hw-offload=no
target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1
pref-src=“” routing-table=Wifi scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1 routing-table=main
suppress-hw-offload=no
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1
pref-src=“” routing-table=*2 scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1
pref-src=“” routing-table=“Manifest Server” scope=30 suppress-hw-offload=
no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1
pref-src=“” routing-table=main scope=30 suppress-hw-offload=no
target-scope=10

Then, a few semi-random notes:
ether13 is not in interface-list LAN or WAN.
your way of naming things is confusing, personally I would call things in the same order, and - if possible - avoid spaces (as they imply the use of double quotes, and this before or later will bite you back when using CLI), these:

/interface bridge
add name=bridge1-Wifi
add name=> "bridge2-Server -1-
add name=> "bridge3-Server -2-

miss closing quotes.
and these are NOT valid:

add bridge="bridge2-Server -1-> ERP> " interface=ether7
add bridge="bridge2-Server -1-> ERP> " interface=ether8

I would rename them:
bridge1-Wifi ->bridge_Wifi_0
“bridge2-Server -1-” → bridge_Server_1
“bridge3-Server -2-” → bridge_Server_2

Your routes and routing tables/rules are a mess because they make reference to fib’s that either do not exist or are empty.
Here again, be consistent in naming, like:

/routing table
add disabled=no fib name="Server 1 " → Table_Server_1
add disabled=no fib name=Wifi → Table_Wifi_0
add disabled=no fib name="Server 2 " → Table_Server_2

6

Thank you for your advice jaclaz. I have changed the real names of all my interfaces, routing tables, and rules for security reasons, as they refer to actual server names. That’s why you see “ERP” and “Manifest” used as placeholders. Despite that, my focus remains on the main configuration.

My current issue is: how can I ensure that Bridge 1 and Bridge 2 exclusively use the WAN-1 bandwidth and route, while Bridge 3 exclusively uses the WAN-2 bandwidth and route?

7

It seems to me you were already on the right track:

  1. add a dedicated routing table
  2. add a route/gateway on that routing table for the intended gateway
  3. add a routing rule filtering the source address range and making use of that router table

Loosely, if it was 3 times 1:1, it would be something like:

/routing table
add disabled=no fib name=table1
add disabled=no fib name=table2
add disabled=no fib name=table3

/ip address
add address=172.16.1.1/24 interface="bridge1"
add address=172.16.2.1/24 interface="bridge2"
add address=172.16.3.1/24 interface="bridge3"

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1 routing-table=table1
add distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1 routing-table=table2
add distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1 routing-table=table3

/routing rule
add action=lookup-only-in-table src-address=172.16.1.1/24 table=table1
add action=lookup-only-in-table src-address=172.16.2.1/24 table=table2
add action=lookup-only-in-table src-address=172.16.3.1/24 table=table3

Assuming that you can choose LAN addresses and have bridge1 and bridge2 in two contiguous subnets, you can instead use a /23 in routing rule and have only two tables, I would try something like:

/routing table
add disabled=no fib name=table1-2
add disabled=no fib name=table3

/ip address
add address=172.16.1.1/24 interface="bridge1"
add address=172.16.2.1/24 interface="bridge2"
add address=172.16.3.1/24 interface="bridge3"

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1 routing-table=table1-2
add distance=1 dst-address=0.0.0.0/0 gateway=xxx.xx.xx.1 routing-table=table3

/routing rule
add action=lookup-only-in-table src-address=172.16.1.1/23 table=table1-2
add action=lookup-only-in-table src-address=172.16.3.1/24 table=table3
8

I will soon ask some questions here as I am actively searching for a similar goal. In my case, I think I need to tinker more with the routes, and I will use yours now as inspiration, but I have the same “problem” as you. The public IPs WANs are from the same ISP and have the same gateway. Mine are even PPoEs so even with profiles I end up not being able to select gateway, which is a generic 10.0.0.1.
Disabling one or another PPOEs solves the routes I have in place but my goal actually is to separate (isolate if possible) 1 ISP1 + 1 bridge1 + 1 DHCP1 from the other 1 ISP2 + 1 bridge2 + 1 DHCP2, no load balancing, no failover, trying to keep it very simple.
Having the same ISPs gateway can be your problem too.

Kind regards,
Paul