Redirect Traffic of certain IP/Website to different WAN

robon · September 14, 2018, 5:21am

Can i get help on my following query:

I have two WAN connections, lets call them
•WAN1
•WAN2
My LAN is 192.168.1.0/24
In LAN network, I want redirect certain Website IP (suppose) 10.10.10.10 traffic from WAN2 and rest of internet traffic go through WAN1.

I’ve tried listing Website IP in Address List and creating mangle rule mentioning that Address list in Dst Address List and Mark Route to WAN2, but still no success.

Please help on this.

Sob · September 14, 2018, 4:54pm

Described solution sounds correct, you probably just made some small mistake. Post your config and someone may spot it.

robon · September 16, 2018, 5:04am

Followings is the config.

/ip firewall address-list
add address=10.10.10.10 list=Web

/ip firewall mangle
add action=mark-routing chain=prerouting comment=“LAN PC” new-routing-mark=WAN1 passthrough=yes src-address=192.168.1.174
add action=mark-routing chain=prerouting comment=“LAN PC” dst-address-list=Web new-routing-mark=WAN2 passthrough=yes src-address=192.168.1.174

robon · September 16, 2018, 5:07am

I tried putting second mangle rule above than first one aswell, that didn’t work aswell.

sindy · September 16, 2018, 7:38am

Mangle rules assigning a routing-mark to some packets are just one part of the solution.

The other part are routes marked with the same routing-mark.

The mere fact that the routing-mark name matches an interface name has no effect.

Have a look here, here and here.

robon · September 16, 2018, 11:40am

Routes are configured in this way:

/ip route
add check-gateway=ping distance=1 gateway=X.X.X.X routing-mark=WAN1
add check-gateway=ping distance=2 gateway=Y.Y.Y.Y routing-mark=WAN2
add check-gateway=ping comment=“WAN1 Gateway” distance=1 gateway=X.X.X.X
add check-gateway=ping comment=“WAN2 Gateway” distance=2 gateway=Y.Y.Y.Y

/ip firewall address-list
add address=10.10.10.10 list=Web

/ip firewall mangle
add action=mark-routing chain=prerouting comment=“LAN PC” new-routing-mark=WAN1 passthrough=yes src-address=192.168.1.174
add action=mark-routing chain=prerouting comment=“LAN PC” dst-address-list=Web new-routing-mark=WAN2 passthrough=yes src-address=192.168.1.174

sindy · September 16, 2018, 12:42pm

What exactly means “no success”? Do you get to the web server at 10.10.10.10 via WAN1, or you don’t get to that web at all if the mangle rules are active…?

What does /ip firewall mangle print stats say - do the rules’ counters count matching packets?

If you disable all routes except the last one, does all traffic flow via WAN2 or you get nowhere at all?

robon · September 17, 2018, 12:16pm

When i check the traceroute to 10.10.10.10, it doesn’t go from WAN2, it goes from WAN1

If you disable all routes except the last one, does all traffic flow via WAN2 or you get nowhere at all?

In this case 10.10.10.10 goes through WAN2.

sindy · September 17, 2018, 12:40pm

From where do you traceroute? From the Mikrotik itself or from the device with IP address 192.168.1.174?