Redirect Port to specific WAN

wfalcon · June 17, 2019, 3:13pm

Hi there!

I hope I can get a clear answer on this one.
So far I haven’t found any guide or question about this before (as to my keyword knowledge in searching).

Let’s say i have:

WAN1 PPPOE (ISP1) IP: 10.10.10.10 (normal internet access)
WAN2 PPPOE (ISP2) IP: 11.11.11.11 (normal internet access)

is it possible to force redirect all SSH connections that are originating from any of my internal network devices (192.168.1.0/24) to the cloud only through WAN1? and discard and redirect all the other connections to WAN2?

I want it to be like this

WAN1 PPPOE (ISP1) IP: 10.10.10.10 (only SSH passes through here and everything else will be redirected to WAN2)
WAN2 PPPOE (ISP2) IP: 11.11.11.11 (normal internet access)

Your help is much appreciated!
Thanks a lot!

anav · June 17, 2019, 3:19pm

If WAN2 for whatever reason (ISP problems) goes down do you want everyone to go to WAN1 for backup purposes?

This assumes wan1 and wan2 are not from the same provider, if they are you can disregard this question as both would be not available in the case of ISP failure.

wfalcon · June 17, 2019, 3:25pm

Thanks for the reply!
That’s a good question actually.

for my basic tests I don’t want to switch to WAN1 in case WAN2 went down.
But if you’re in a position to help out, could you please show us how it can be applied in both scenarios?

Appreciated a lot

sebastia · June 17, 2019, 6:30pm

Hi
You can to that with mangling. In mangle:prerouting, route-mark all all packets for port SSH (tcp:22) (or any other port you might be using), with some mark.
Next step, make sure you have a route over desired isp with that routing-mark.

See https://wiki.mikrotik.com/wiki/Policy_Base_Routing, wrt route mangling it’s still correct

AidanAus · June 18, 2019, 6:22am

something like this would fail over the SSH, take out the second line of the route if you dont want it to fail over
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=SSH passthrough=no
protocol=tcp dst-port=22
/ip route
add check-gateway=ping distance=1 gateway=10.10.10.10 routing-mark=SSH
add check-gateway=ping distance=2 gateway=11.11.11.11 routing-mark=SSH
add distance=1 gateway=11.11.11.11

Opps put in src-port not dst should be fixed now

wfalcon · June 19, 2019, 9:20am

Thank you so much!

Thanks for the configurations sample.
It worked like charm
and yes it’s dst-port

wfalcon · October 31, 2019, 8:38am

deleted

Sob · October 31, 2019, 2:16pm

You can’t do that with L7. To route some connection to specific WAN, you need to do so for all its packets, from the very first one. Problem is, first TCP packet is just SYN and it doesn’t contain any hostnames or anything. So it goes one way and then after you are able to identify the connection, the rest goes other way, and it doesn’t work.