route specific LAN host connections to selected WAN

Howdy! I’ve got a setup similar to the attached simplified diagram. Two ISPs with failover, LAN and WLAN (although the WLAN part is not relevant here). Mikrotik sits between the local networks and both ISPs. What I need to achieve is that specific traffic, namely HTTPS (443/tcp) to the internet, from the LAN host with IP 192.168.0.24 on the diagram, is always routed through ISP1, even if everything else (including other traffic from the same host) goes through the default WAN interface (ISP0 as long as it is up). The two WAN connections and failover, using recursive routes, work perfectly fine but I can’t make the setup route HTTPS traffic from said host to the internet always over ISP1. Tried to follow the thread here:

http://forum.mikrotik.com/t/routing-single-host-ip-out-specific-wan-interface/87082/1
as well as
https://wiki.mikrotik.com/wiki/Manual:PCC
mentioned in the thread there

RouterOS is current V7 (7.11).
[attachment: diagram.png]

  • I choose different default gateways by source IP address with Policy Routing alone.
  • Policy Routing rules detect routing-mark settable with firewall Mangle rules.
  • Route Selection and Filters look useful but IMO are overkill in this case.
  • I disavow having an experienced opinion so do your own due diligence.

I am not convinced you can force HTTPS on anything, but if you are just talking about a port then that should be possible.
I will look at the config when I have had some brekkie and coffee, just finished rowing 10K in rough conditions… so a wee knackered.

Well, you didn’t provide your config so nothing for me to look at.

I didn’t provide my config because there isn’t any [related to the topic] that I could provide. I would simply be grateful for being pointed in the right direction

https://forum.mikrotik.com/viewtopic.php?t=182373

I1, J and K apply.

Thank you. The J1 looks very close to what I’d be looking for but in this case, when setting the rule, I don’t see any way to narrow down the traffic type to a specific port. Meaning – I expect – that all traffic from a given host would go through ISP1, right?

No idea until I see a config.

Here is what does not work (“WAN0” is the “ISP1” on the diagram), loosely based on:

https://help.mikrotik.com/docs/display/ROS/Firewall+Marking#FirewallMarking-DetailedSectionOverview.1

The idea being that the situation is similar but instead of marking the whole LAN subnet

src-address=192.168.1.0/24

only a single host with additional conditions could be used to achieve the same (forcing traffic through specific gateway/ISP):

dst-address-list=!not_public_ip dst-port=443  protocol=tcp src-address=192.168.0.24



/routing table
add disabled=no fib name=useWAN0

/ip route
add distance=1 dst-address=<monitored_ip0> gateway=pppoe-wan2 routing-table=main target-scope=31
add distance=2 dst-address=<monitored_ip1> gateway=pppoe-wan2 routing-table=main target-scope=31
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=<monitored_ip0> routing-table=main scope=30 target-scope=32
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=<monitored_ip1> routing-table=main scope=30 target-scope=32
add distance=5 dst-address=0.0.0.0/0 gateway=<wan0_gw_ip>%sfp1-wan0 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=<wan0_gw_ip>%sfp1-wan0 routing-table=useWAN0 scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1-wan0
add action=masquerade chain=srcnat out-interface=pppoe-wan2
[… here a number of dst-nat ones for "port forwarding" to various hosts, including the one in question but NO https (tcp/443)…]

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!not_public_ip dst-port=443 new-routing-mark=useWAN0 passthrough=yes \
    protocol=tcp src-address=192.168.0.24

/ip firewall filter [forward chain]
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Accept dst-NATted connections from internet to listed local addresses" \
    connection-nat-state=dstnat dst-address=192.168.0.24 in-interface-list=wan
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=drop chain=forward comment="drop ssh brute-forcers downstream" dst-port=22 protocol=tcp src-address-list=\
    ssh_blacklist
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_public_ip \
    in-interface-list=lan log=yes log-prefix=!public_from_LAN_to_INTERNET out-interface-list=wan
add action=drop chain=forward dst-address-list=not_public_ip in-interface-list=wlan out-interface-list=wan
add action=drop chain=forward comment="Drop incoming from internet where source is not public IP" in-interface-list=wan log=yes \
    log-prefix=!public src-address-list=not_public_ip
add action=drop chain=forward comment="Drop incoming from internet where destination is not public IP" dst-address-list=\
    not_public_ip in-interface-list=wan log=yes log-prefix=!public
add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" src-address=\
    0.0.0.0/8
add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" dst-address=\
    0.0.0.0/8
add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" src-address=\
    127.0.0.0/8
add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" dst-address=\
    127.0.0.0/8
add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" src-address=\
    224.0.0.0/3
add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" dst-address=\
    224.0.0.0/3

If you need any other part of the config, please let me know

I need to see the config, not parts of the config… the only thing I don’t need is

a. router serial number
b. public WANIP information
c. keys etc.
d. long assed lists of dhcp leases LOL.

Since you have servers and dual WANs, you probably want to ensure any traffic coming in on WAN0 goes out WAN0 and traffic coming in on WAN1 goes out WAN1.
So one could consider extra mangle rules for that…
the only issue is one LAN member that needs to go out WAN1 regardless for port 443 traffic.

I am thinking you only need one mangle rule for that traffic (and the associated table and extra IP route).
If anything the firewall rules look messy and may be part of the problem, hard to say without seeing the full config.

The dual WAN is only for

a) failover
b) the tcp/443 traffic from (currently only) this one internal host

This means that whatever traffic comes from the outside is not important, as if the main WAN fails, traffic requiring a DNS lookup to the main WAN IP will fail anyway, and traffic not requiring DNS will go through the backup WAN. The host in question also does not expose port 443. It is only for traffic originating from this host - it needs to regularly pull a large amount of data

the only issue is one LAN member that needs to go out WAN1 regardless for port 443 traffic.

That’s what I thought too, based on the doc I linked to and a few other sources, and that’s what I did, but the moment those three are enabled, the host can no longer reach the data sources.

I do understand but please also understand my reluctance to provide the full config. a) The full output is really large due to static internal DNS entries and of course DHCP leases. b) In such a large output it is easy to overlook and disclose some data which shouldn’t be disclosed. Having said that, here is the (almost - no DNS and no DHCP plus some names and addresses masked) full one, which I spent a lot of time double-checking for sensitive or semi-sensitive data

# 2023-08-29 19:47:16 by RouterOS 7.11
/interface bridge add name=lan-bridge
/interface ethernet set [ find default-name=ether1 ] l2mtu=1592 name=eth1-lan1g rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="WAN0 connection unreliable on 1G TRXes! (both eth and sfp)" l2mtu=1592 name=sfp1-wan0
/interface ethernet set [ find default-name=sfp-sfpplus2 ] l2mtu=1592 name=sfp2-wan2
/interface ethernet set [ find default-name=sfp-sfpplus3 ] l2mtu=1592 name=sfp3-wlan
/interface ethernet set [ find default-name=sfp-sfpplus4 ] l2mtu=1592 name=sfp4-lan10g-copper
/interface ethernet set [ find default-name=sfp-sfpplus5 ] l2mtu=1592 name=sfp5-lan10g-fiber
/interface ethernet set [ find default-name=sfp-sfpplus6 ] l2mtu=1592 name=sfp6-lan10g-fiber
/interface ethernet set [ find default-name=sfp-sfpplus7 ] l2mtu=1592 name=sfp7-lan10g-fiber
/interface ethernet set [ find default-name=sfp-sfpplus8 ] l2mtu=1592 name=sfp8-lan10g-fiber
/interface pppoe-client add disabled=no interface=sfp2-wan2 name=pppoe-wan2 user=<pppoe_user>
/interface bonding add mode=802.3ad name=james_basement_bonding slaves=sfp7-lan10g-fiber,sfp8-lan10g-fiber
/interface bonding add mode=802.3ad name=james_everest_bonding slaves=sfp5-lan10g-fiber,sfp6-lan10g-fiber
/interface ethernet switch set 0 name=switch0
/interface list add name=wan
/interface list add name=lan
/interface list add name=wlan
/interface list add name=lan_and_wlan
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=dhcp_pool0_lan ranges=192.168.0.32-192.168.0.223
/ip pool add name=dhcp_pool3_wlan ranges=192.168.30.32-192.168.30.254
/ip dhcp-server add address-pool=dhcp_pool0_lan interface=lan-bridge lease-time=1h name=dhcp_lan
/ip dhcp-server add address-pool=dhcp_pool3_wlan interface=sfp3-wlan lease-time=10m name=dhcp_wlan
/port set 0 name=serial0
/queue type add kind=fq-codel name="fw codel"
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/routing table add disabled=no fib name=useWAN0
/system logging action set 3 bsd-syslog=yes remote=192.168.0.24
/system logging action add email-start-tls=yes email-to=<email_address> name=email target=email
/interface bridge port add bridge=lan-bridge ingress-filtering=no interface=eth1-lan1g
/interface bridge port add bridge=lan-bridge ingress-filtering=no interface=sfp4-lan10g-copper
/interface bridge port add bridge=lan-bridge comment="sfp7-lan10g-fiber + sfp8-lan10g-fiber" ingress-filtering=no interface=james_basement_bonding
/interface bridge port add bridge=lan-bridge comment="sfp5-lan10g-fiber + sfp6-lan10g-fiber" ingress-filtering=no interface=james_everest_bonding
/ip neighbor discovery-settings set discover-interface-list=lan_and_wlan
/ip settings set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings set disable-ipv6=yes
/interface list member add interface=lan-bridge list=lan
/interface list member add interface=sfp3-wlan list=wlan
/interface list member add interface=sfp1-wan0 list=wan
/interface list member add interface=sfp2-wan2 list=wan
/interface list member add interface=lan-bridge list=lan_and_wlan
/interface list member add interface=sfp3-wlan list=lan_and_wlan
/interface list member add interface=pppoe-wan2 list=wan
/interface ovpn-server server set auth=sha1,md5
/ip address add address=192.168.0.1/24 comment=LAN interface=lan-bridge network=192.168.0.0
/ip address add address=192.168.30.1/24 comment=WLAN interface=sfp3-wlan network=192.168.30.0
/ip address add address=<subnet_ip_address_0>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_1>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_2>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_3>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_4>/29 interface=sfp1-wan0 network=<network_ip>
/ip cloud set update-time=no
<long_list_of dhcp-server leases here>
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 domain=lan gateway=192.168.0.1 netmask=24
/ip dhcp-server network add address=192.168.30.0/24 dns-server=192.168.30.1 domain=wlan gateway=192.168.30.1 netmask=24
/ip dns set allow-remote-requests=yes servers=<upstream_dns_severs_ips>
<long_list_of_static_dns_entries here>
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_public_ip
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_public_ip
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_public_ip
/ip firewall address-list add address=192.168.0.0/24 list=lan
/ip firewall filter add action=accept chain=input comment="Allow Established and Related connections" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow ICMP on router ports" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Accept access from LAN interfaces and addresses" in-interface-list=lan src-address=192.168.0.0/24
/ip firewall filter add action=accept chain=input comment="Accept access from WLAN interfaces and addresses" in-interface-list=wlan src-address=192.168.30.0/24
/ip firewall filter add action=accept chain=input comment="Accept Regular SSH on primary WAN address" dst-address=<wan_ip_address> dst-port=22 protocol=tcp
/ip firewall filter add action=accept chain=input comment="Let's Encrypt" disabled=yes dst-address=<wan_ip_address> dst-port=80 in-interface-list=wan protocol=tcp
/ip firewall filter add action=drop chain=input comment="Drop ssh brute-forcers" dst-port=22 log=yes log-prefix="SSH brute-forcer dropped" protocol=tcp src-address-list=ssh_blacklist
/ip firewall filter add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
/ip firewall filter add action=drop chain=input comment="Drop everything else"
/ip firewall filter add action=fasttrack-connection chain=forward comment="FastTrack established and related connections" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="Accept already established and related connections" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="Accept dst-NATted connections from internet to listed local addresses" connection-nat-state=dstnat dst-address=192.168.0.24 in-interface-list=wan
/ip firewall filter add action=drop chain=forward comment="Drop incoming internet packets that are not dst-NATted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=wan log=yes log-prefix=!NAT
/ip firewall filter add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
/ip firewall filter add action=drop chain=forward comment="drop ssh brute-forcers downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall filter add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_public_ip in-interface-list=lan log=yes log-prefix=!public_from_LAN_to_INTERNET out-interface-list=wan
/ip firewall filter add action=drop chain=forward dst-address-list=not_public_ip in-interface-list=wlan out-interface-list=wan
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet where source is not public IP" in-interface-list=wan log=yes log-prefix=!public src-address-list=not_public_ip
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet where destination is not public IP" dst-address-list=not_public_ip in-interface-list=wan log=yes log-prefix=!public
/ip firewall filter add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" src-address=0.0.0.0/8
/ip firewall filter add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" dst-address=0.0.0.0/8
/ip firewall filter add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" src-address=127.0.0.0/8
/ip firewall filter add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" dst-address=127.0.0.0/8
/ip firewall filter add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" src-address=224.0.0.0/3
/ip firewall filter add action=drop chain=forward comment="drop invalid/fake source/destination addresses even on local interfaces" dst-address=224.0.0.0/3
/ip firewall filter add action=accept chain=output comment=NTP dst-address=213.239.234.28
/ip firewall filter add action=accept chain=output comment=NTP dst-address=193.106.144.7
/ip firewall filter add action=accept chain=output comment="DNS (UDP)" dst-port=53 protocol=udp
/ip firewall filter add action=accept chain=output comment="DNS (TCP)" dst-port=53 protocol=tcp
/ip firewall filter add action=drop chain=output comment="testing failover" disabled=yes dst-address=<monitored_ip0>
/ip firewall filter add action=drop chain=output comment="testing failover" disabled=yes dst-address=<monitored_ip1>
/ip firewall filter add action=accept chain=output comment=ICMP protocol=icmp
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=!not_public_ip dst-port=443 new-routing-mark=useWAN0 passthrough=yes protocol=tcp src-address=192.168.0.24
/ip firewall nat add action=masquerade chain=srcnat out-interface=sfp1-wan0
/ip firewall nat add action=masquerade chain=srcnat out-interface=pppoe-wan2
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6666 protocol=tcp to-addresses=192.168.0.24 to-ports=6666
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6667 protocol=udp to-addresses=192.168.0.24 to-ports=6667
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6668 protocol=udp to-addresses=192.168.0.24 to-ports=6668
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6669 protocol=tcp to-addresses=192.168.0.24
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6669 protocol=udp to-addresses=192.168.0.24 to-ports=6669
/ip firewall nat add action=dst-nat chain=dstnat comment="Port 80 for LetsEncrypt certificate validation access" disabled=yes dst-address=<external_ip> dst-port=80 protocol=tcp to-addresses=192.168.0.24 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat comment="SMTP on specific address" disabled=yes dst-address=<external_ip> dst-port=25 protocol=tcp to-addresses=192.168.0.24 to-ports=25
/ip firewall nat add action=src-nat chain=srcnat protocol=tcp src-address=192.168.0.24 src-port=25 to-addresses=<external_ip> to-ports=25
/ip firewall nat add action=dst-nat chain=dstnat comment="IMAPS running on 192.168.0.24" disabled=yes dst-address=<external_ip> dst-port=993 protocol=tcp to-addresses=192.168.0.24 to-ports=993
/ip firewall nat add action=dst-nat chain=dstnat comment="SUBMISSION running on 192.168.0.24" disabled=yes dst-address=<external_ip> dst-port=587 protocol=tcp to-addresses=192.168.0.24 to-ports=587
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=no
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=<monitored_ip0> pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=<wan0_gw_ip>%sfp1-wan0 pref-src="" routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=<monitored_ip0> gateway=pppoe-wan2 pref-src="" routing-table=main suppress-hw-offload=no target-scope=31
/ip route add disabled=no distance=2 dst-address=<monitored_ip1> gateway=pppoe-wan2 pref-src="" routing-table=main suppress-hw-offload=no target-scope=31
/ip route add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=<monitored_ip1> pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=<wan0_gw_ip>%sfp1-wan0 pref-src="" routing-table=useWAN0 scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet address=0.0.0.0/0 disabled=yes
/ip service set ftp address=0.0.0.0/0 disabled=yes
/ip service set www address=0.0.0.0/0 disabled=yes
/ip service set ssh address=0.0.0.0/0 port=22
/ip service set www-ssl address=192.168.0.0/24,192.168.30.0/24 certificate=letsencrypt-autogen_2023-08-26T20:35:51Z disabled=no
/ip service set api address=0.0.0.0/0 disabled=yes
/ip service set winbox address=0.0.0.0/0 disabled=yes
/ip service set api-ssl address=0.0.0.0/0 disabled=yes
/ip ssh set forwarding-enabled=remote strong-crypto=yes
/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule add action=lookup-only-in-table disabled=no routing-mark=useWAN0 table=useWAN0
/system clock set time-zone-autodetect=no time-zone-name=UTC
/system identity set name=<identity name>
/system logging add action=remote topics=!web-proxy,!dns,!debug
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=213.239.234.28
/system ntp client servers add address=193.106.144.7
/system routerboard settings set baud-rate=38400 boot-os=router-os
/system scheduler add interval=3m name=test_wan2_state on-event=wan2_test policy=read,write,policy,test start-date=2023-08-25 start-time=22:14:57
/system script add dont-require-permissions=yes name=cycle_wan2 owner=sys policy=read,write,policy,test source=":local wan2IfaceName \"pppoe-wan2\";\
    \n:local cycleDelay 10;\
    \n\
    \n:if ([interface get value-name=disabled [find name=pppoe-wan2]] = false) do={\
    \n  :interface/pppoe-client disable \$wan2IfaceName;\
    \n  :delay \$cycleDelay;\
    \n}\
    \n\
    \n:if ([interface get value-name=disabled [find name=pppoe-wan2]] = true) do={\
    \n  :interface/pppoe-client enable \$wan2IfaceName;\
    \n}\
    \n"
/system script add dont-require-permissions=yes name=notify_wan2_down owner=sys policy=read,write,policy,test source="/tool/e-mail/send to=\"<email_address>\" cc=\"<another_email_address>\" subject=\"WAN2 down\" body=\"WAN2 went down\";"
/system script add dont-require-permissions=yes name=notify_wan2_up owner=sys policy=read,write,policy,test source="# send notification e-mail when WAN2 goes up\
    \n\
    \n/tool/e-mail/send to=\"<email_address>\" cc=\"<another_email_address>\" subject=\"WAN2 up\" body=\"WAN2 is up again\";"
/system script add dont-require-permissions=yes name=wan2_down owner=sys policy=read,write,policy,test source=":global wan2Up;\
    \n:set wan2Up false;\
    \n/system/script/run notify_wan2_down;\
    \n"
/system script add dont-require-permissions=yes name=wan2_test owner=sys policy=read,write,policy,test source=":global wan2Up;\
    \n\
    \n:local wan2D1Inactive [ip route get value-name=inactive [find comment=wan2_d1]];\
    \n:local wan2D2Inactive [ip route get value-name=inactive [find comment=wan2_d2]];\
    \n\
    \n:if (\$wan2D1Inactive && \$wan2D2Inactive) do={\
    \n  :if (\$wan2Up) do={\
    \n    /system/script/run wan2_down;\
    \n  }\
    \n  /system/script/run cycle_wan2;\
    \n} else={\
    \n  :if (!\$wan2Up) do={\
    \n    /system/script/run wan2_up;\
    \n  }\
    \n}\
    \n"
/system script add dont-require-permissions=yes name=wan2_up owner=sys policy=read,write,policy,test source=":global wan2Up;\
    \n:set wan2Up true;\
    \n/system/script/run notify_wan2_up;\
    \n"
/system watchdog set send-email-to=<watchdog_email_address>
/tool bandwidth-server set enabled=no
/tool e-mail set address=<smtp_server_address> from="<from_email_address>" port=587 tls=starttls user=<email_server_user>
/tool mac-server set allowed-interface-list=lan
/tool mac-server mac-winbox set allowed-interface-list=lan
/tool sniffer set filter-ip-address=192.168.8.0/24 filter-ip-protocol=icmp

(1) All your DST NAT rules are missing the in-interface-list=WAN part of the rule ( dynamic ) or dst-address (static WANIP).

(2) why this duplicate nat rule..?
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6669 protocol=tcp to-addresses=192.168.0.24
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6669 protocol=udp to-addresses=192.168.0.24 to-ports=6669

(3) What is the purpose of this dst nat rule… functionally speaking what does it do? → don’t need to know exactly what it’s used for…
/ip firewall nat add action=src-nat chain=srcnat protocol=tcp src-address=192.168.0.24 src-port=25 to-addresses=<external_ip> to-ports=25

(4) Don’t understand your IP routes.
For simple primary failover it should be like… (a single recursive route to make sure connectivity past the ISP is achieved (good practice)).
Nothing more complicated…
The only additional route is for the mangled connection!
/ip route
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=3 dst-address=1.0.0.1/32 gateway=PrimaryISP-gatewayIP scope=11 target-scope=11
add comment=SecondaryISP distance=10 dst-address=0.0.0.0/0 gateway=SecondaryISP-gatewayIP scope=10 target-scope=30

+++++++++++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=SecondaryISP-gatewayIP routing-table=useSecondary

Assuming:
/routing table
add fib name=useSecondary
/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface-list=LAN src-address=192.168.0.24 protocol=tcp dst-port=443 new-connection-mark=https-conn passthrough=yes
add chain=prerouting action=mark-routing connection-mark=https-conn new-routing-mark=useSecondary passthrough=yes

Note: The connection mark is not strictly needed as one could go straight to the routing mark,
but I use the no-mark for other reasons (aka the fasttrack rule, see below)

Where I may miss the mark is that your server does HTTPS port 443 to other local users ??? If so, then we need to refine it further so we don’t capture that traffic by accident…
by adding dst-address-type=!local to the first rule…

(5) Firewall filter rules and address lists… - simplify. START WITH THIS and add more later if there are issues…

/ip firewall address-list { set static dhcp leases }
add address=AdminIP-1 list=TRUSTED comment="admin desktop"
add address=AdminIP-2 list=TRUSTED comment="admin laptop"
add address=AdminIP-3 list=TRUSTED comment="admin smartphone"
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin via SSH - crappy choice use Wireguard instead" dst-port=22 protocol=tcp
add action=accept chain=input in-interface-list=lan_and_wlan src-address-list=TRUSTED
add action=accept chain=input comment="Allow LAN DNS queries-UDP & NTP" dst-port=53,123 in-interface-list=lan_and_wlan protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=lan_and_wlan protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=lan_and_wlan out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat

*********

add action=drop chain=forward comment="drop all else"

Note: Any required traffic not covered above, add where the ********* are located.
Examples could be all users (both WLAN and bridge) to a shared printer, or Admin IP or TRUSTED list to all subnets etc…

Final comment, if you didn’t notice it in the config, I suggest you use WireGuard to access the router remotely vice SSH and thus no worries about port 22 abuse.
Even still, as a backup it’s not so bad, but why on earth are you using the common default port. Do it on 2222 for example ???

I lied, final final comment, you should insist all your users coming into the servers provide you with either their:
a. fixed static WAN IP OR if they don’t have that
b. their dynamic IP via a DYNDNS service, there are many that are free so there is no excuse not to have one. You put these into a firewall address list and the MT router will resolve them.

This provides a better level of server security and also makes all the ports invisible on scans vice the normal visible but closed on scans.

I guess nobody ever noticed because it generally works. To my understanding dst-address is not defined because it uses whatever the default at the moment is. in-interface-list could be defined though. Do I understand correctly that adding this can improve performance a tiny bit, right?

I “inherited” this setup so I may not know all the details but a) it’s a different protocol so I take it needs both tcp and udp. Why the first one doesn’t have to-ports like all the remaining ones I don’t know. Does it take the same port (as dst-port) by default?

Not a secret. The server in question sends e-mail out. The rule “src-nats” its IP into specific one of the five external IPs, used only for e-mail in a DMARC compliant way (SPF specified, signed, etc.). So in other words the rule is supposed to make the SMTP connections come out from selected IP


It is not more complicated, with the exception that it uses two recursives because there are two monitored IPs in case one is unreachable for reasons different than the ISP fault.

And that’s how it is. Two recursive routes for PrimaryISP:

/ip route add disabled=no distance=1 dst-address=<monitored_ip0> gateway=pppoe-wan2 pref-src="" routing-table=main suppress-hw-offload=no target-scope=31
/ip route add disabled=no distance=2 dst-address=<monitored_ip1> gateway=pppoe-wan2 pref-src="" routing-table=main suppress-hw-offload=no target-scope=31
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=<monitored_ip0> pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
/ip route add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=<monitored_ip1> pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32

One default for SecondaryISP:

/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=<wan0_gw_ip>%sfp1-wan0 pref-src="" routing-table=main suppress-hw-offload=no

And the only additional route is for the mangled (SecondaryISP) connection that I try to make work:

/ip route add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=<wan0_gw_ip>%sfp1-wan0 pref-src="" routing-table=useWAN0 scope=30 suppress-hw-offload=no target-scope=10



It does. Actually it serves 443 only internally.

Again - that’s how (I believe) this is done:

/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=!not_public_ip dst-port=443 new-routing-mark=useWAN0 passthrough=yes protocol=tcp src-address=192.168.0.24

Please note the

dst-address-list=!not_public_ip

Although - yes - it could use address-type

I appreciate your input and most probably shall implement your suggestions over time. Just for the current urgent problem I still couldn’t infer from the above why I can’t make the 192.168.0.24 server have its outgoing 443 traffic routed through the “Secondary” ISP regardless of the state of the primary one. I don’t do the connection marking but you mentioned (the same as what I thought) that it is not strictly necessary. I didn’t have the in-interface-list but adding it doesn’t change anything. So what else am I missing or doing wrong?

  1. In terms of any config rule it's best to remove ambiguity.

  2. My bad I should have noticed it was two diff protocols…

  3. I was only aware of 2 WANIps, not sure what you mean by 5 external IPs… if it aint local on the router how do you sourcenat to it ???

  4. Okay got it two recursives…

  5. Okay so that's straight, the server originates 443 traffic out to the NET and acts as a server for 443 locally.
    I don't like the formulation of your mangling setup…

Try mimicking my mangling setup and see if that is successful…
/routing table
add fib name=useSecondary
/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=no-mark \
    in-interface-list=LAN src-address=192.168.0.24 protocol=tcp dst-port=443 dst-address-type=!local \
    new-connection-mark=https-conn passthrough=yes
add chain=prerouting action=mark-routing connection-mark=https-conn \
    new-routing-mark=useSecondary passthrough=yes

/ip route
add dst-address=0.0.0.0/0 gateway=SecondaryISP-gatewayIP routing-table=useSecondary

There are two WAN connections but the “Secondary ISP” aka “WAN0” in the historical naming of this setup is not a single IP but a three bit subnet:

/ip address add address=<subnet_ip_address_0>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_1>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_2>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_3>/29 interface=sfp1-wan0 network=<network_ip>
/ip address add address=<subnet_ip_address_4>/29 interface=sfp1-wan0 network=<network_ip>

The current primary ISP gives only a single IP over PPPoE so it’s not included in the statically assigned addresses above. Altogether there are six external IPs. One on “WAN2” and five on “WAN0”. One of those IP addresses is “mail.”

This is RouterOS 7 so I can’t exactly reuse your mangling setup but here’s as close as I could get:

/routing table
add disabled=no fib name=useWAN0

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local dst-port=443 \
    in-interface-list=lan new-connection-mark=https-conn passthrough=yes protocol=tcp src-address=192.168.0.24
add action=mark-routing chain=prerouting connection-mark=https-conn new-routing-mark=useWAN0 passthrough=yes

/ip route
add comment="xtra d5 for useWAN0 table" disabled=no dst-address=0.0.0.0/0 gateway=<wan0_gw_ip>%sfp1-wan0 pref-src="" routing-table=useWAN0 suppress-hw-offload=no

No change. I start to wonder whether these two are enough:

/ip firewall filter
add action=fasttrack-connection chain=forward comment="FastTrack established and related connections" connection-mark=no-mark connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept already established and related connections" connection-state=established,related

but they should, shouldn’t they?
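A set of read-only checks, added here and not part of either poster's configuration, that follow a marked flow through the stages discussed in this thread (mangle match, connection mark, routing table, NAT, exit interface) so the stage where the server's port-443 traffic stops can be located. Table, mark and interface names are taken from the config above; the NAT check assumes the src-nat or masquerade rule for WAN0 is keyed on out-interface=sfp1-wan0 (if it uses out-interface-list, adjust the filter).

```routeros
# 1. Does the mangle rule see packets at all? Non-zero counters mean the
#    match (src-address, protocol/dst-port, in-interface-list) is correct.
/ip firewall mangle print stats where new-connection-mark=https-conn
/ip firewall mangle print stats where new-routing-mark=useWAN0

# 2. Are live connections carrying the mark? Open a 443 session from the
#    server, then list the tracked connections that received it.
/ip firewall connection print where connection-mark=https-conn

# 3. Does the table the mark points at exist and hold an active default
#    route? The route must be active here, or marked packets have no exit.
/routing table print where name=useWAN0
/ip route print where routing-table=useWAN0

# 4. Is there a src-nat/masquerade rule for the interface that table uses?
#    Policy-routed connections still need their source rewritten to a WAN0
#    address, otherwise replies never come back to the router.
#    (Assumption: the rule matches on out-interface=sfp1-wan0.)
/ip firewall nat print where chain=srcnat out-interface=sfp1-wan0

# 5. Confirm which interface the packets actually leave on.
/tool sniffer quick interface=sfp1-wan0 port=443
```

Run the checks in order; the first one that shows nothing is the stage to inspect.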

Yes those rules all look good…??

Are you saying that all port 443 traffic ORIGINATING/starting at the server is still going out wan0, instead of wan1 ??

No, when I activate those or my previous variants (with or without connection marking) then the server stops communicating to the outside over 443.

Hmm, okay but remember there is no INCOMING traffic originated that hits that server at port 443.
It's strictly the server initiating traffic out port 443, to what I don't know.

Is the outgoing traffic heading out WAN1 and the problem is return traffic is not making it back???

Finally is the problematic WAN (secondary), the one with multiple external IP addresses??

It’s only initiated from the inside and nothing on 443 should come from the outside. So… I was wondering whether those “established, related” filter rules were enough. It’s TCP so… they should?

If you could answer the questions it would be helpful :)
It makes no sense to state, it only originates out port 443, if it does then there has to be return traffic.

SO, does traffic actually leave the router on port 443 on the secondary WAN Yes/No ?
Does the return traffic get through Yes/NO ?

Is the problematic Secondary wan the one with multiple options for IP address yes/no?