Route the different LANs' traffic through specific WANs

I have a HexS router.
I want to maintain a single IP pool,
but I want all the users who are connected via LAN1 to access the internet only via WAN1,
and
all the users who are connected via LAN2 to access the internet only via WAN2.

If there are any articles or videos that were already shared please share them.

Thanks.

It's not that simple.
What type of connections are WAN1, WAN2, public IP/private IP? Static/dynamic IP?

Do you wish to have a primary/failover scenario for other subnets (or are there only two subnets)?
What happens when one provider is not available (assuming two different providers)? Should the other subnet be able to access the one available WAN?

Finally are you hosting any servers that you expect external users to visit??

Thanks for the reply.
Both the WAN IPs are Static & Public IPs.

Right now I am using a Failover.
But whenever there is latency in one of the ISPs I face issues (as it's not a complete Failover).

For a few days I have been facing an issue with the Wireless Access Points (most of the users and devices are connected via WiFi only).
I am using FreeRadius for Individual User Authentication at each Access Point, hence I cannot use two different VLANs for each WAN.

I wish that the whole traffic of AccessPoint-1 that is connected to LAN-1 is served via WAN1
and
the complete Internet traffic of AccessPoint-2 that is connected to LAN-2 is served via WAN2.

This way I can judge which Access Point is choking and can have a better judgment of the root cause.

Are all users on one flat subnet? Do you have two subnets (two LANs) one for each AP basically?

Without a config it's pure guesswork,
assuming

/ip address
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0 comment="LAN1 connects to access point on ether2"
add address=192.168.20.1/24 interface=ether3 network=192.168.20.0 comment="LAN2 connects to access point on ether3"

Normal manual routes for your ISP connections
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP2-gateway-ip routing-table=main

No need for distance or anything fancy at the moment, we can do primary and failover once you have figured out which is the stable better ISP.
We will next set the config to ensure LAN1 goes out WAN1 and LAN2 goes out WAN2, which entails adding two tables, two routes and two routing rules.

/routing table add fib name=preferWAN1
/routing table add fib name=preferWAN2

/ip route
add dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP2-gateway-ip routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip routing-table=preferWAN1
add dst-address=0.0.0.0/0 gateway=ISP2-gateway-ip routing-table=preferWAN2

/routing rule add src-address=192.168.10.0/24 action=lookup-only-in-table table=preferWAN1
/routing rule add src-address=192.168.20.0/24 action=lookup-only-in-table table=preferWAN2

But as I said,
I am using an Authentication server (LDAP via FreeRadius).
Users who connect to either of the Access Points will get authenticated.
Hence I am looking to use only a single IP pool instead of two different ones for each LAN.

How are the two APs connected to the Router?
/export file=anynameyouwish (minus router serial number and any public wanip information )

Right now,
Ports 1 & 2 are assigned to WAN 1 & 2, the rest of the ports are under a Bridge, and from one of the LAN ports to an Unmanageable Switch, and from there it's connected to the Access Points and LAN devices.

You cannot do what you want using an un-managed switch.
A managed switch is doable but complex! Easiest solution is the APs directly to two different ports on the router.
The APs' traffic needs to arrive at two different interfaces on the bridge if at all possible.

Yes, this is the plan.
In case there is a solution I will dedicate the LAN1,2 ports to the APs.

If you dedicate the two APs to ports 1 and 2, it's very doable using bridge filters.

Assign packet marks using bridge filters…
/interface bridge filter
add action=mark-packet chain=input packet-mark=no-packet-mark in-interface=ether1 new-packet-mark=AP1-mark
add action=mark-packet chain=input packet-mark=no-packet-mark in-interface=ether2 new-packet-mark=AP2-mark

Assign connection marks using mangling.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark packet-mark=AP1-mark new-connection-mark=via-AP1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark packet-mark=AP2-mark new-connection-mark=via-AP2 passthrough=yes

Assign routing marks using mangling
/ip firewall mangle
add action=mark-routing chain=prerouting routing-mark=no-mark connection-mark=via-AP1 new-routing-mark=onlyWAN1 passthrough=yes
add action=mark-routing chain=prerouting routing-mark=no-mark connection-mark=via-AP2 new-routing-mark=onlyWAN2 passthrough=yes

Add tables.
/routing table add fib name=onlyWAN1
/routing table add fib name=onlyWAN2

Add routes
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1-gwy-IP routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP2-gwy-IP routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP1-gwy-IP routing-table=onlyWAN1
add dst-address=0.0.0.0/0 gateway=ISP2-gwy-IP routing-table=onlyWAN2

add dst-address=0.0.0.0/0 gateway=ISP1-gwy-IP routing-table=onlyWAN1 blackhole=yes distance=2
add dst-address=0.0.0.0/0 gateway=ISP2-gwy-IP routing-table=onlyWAN2 blackhole=yes distance=2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

We add the blackhole routes to ensure that if WAN1 or WAN2 is not available, the users will NOT move to the other WAN. As you requested to isolate the ‘bad’ WAN behaviour properly.

Once you have determined the problem ISP and you decided upon a primary and alternate and what the APs will actually feed, we can change the IP route structure accordingly and perhaps remove all the mangling altogether…

Note: You should disable the fasttrack rule in the forward chain when mangling…
Of course you could also modify and keep the fasttrack rule in effect for any other traffic not captured by the mangling.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark
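
Added example, not part of the original thread and not RouterOS code: a simplified Python model of the route lookup for AP1's marked traffic, showing why the distance=2 blackhole routes keep traffic from leaving via the other WAN. It assumes that a lookup which finds no active route in the marked table continues in main, and that a gateway route becomes inactive when its WAN is detected as down; the names Route, lookup and egress_for_ap1 are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    table: str
    distance: int
    gateway: Optional[str] = None  # None models a blackhole route


def active(route, gateways_up):
    # A blackhole is always usable; a gateway route only while its gateway is up.
    return route.gateway is None or route.gateway in gateways_up


def lookup(routes, table, gateways_up):
    """Return the gateway chosen for marked traffic, or 'DROP'."""
    # Assumption: the marked table is tried first, then main as a fallback.
    for tbl in (table, "main"):
        candidates = [r for r in routes if r.table == tbl and active(r, gateways_up)]
        if candidates:
            best = min(candidates, key=lambda r: r.distance)
            return best.gateway or "DROP"
    return "DROP"


def build_routes(with_blackhole):
    # Mirrors the routes in the post, with the same placeholder gateway names.
    routes = [
        Route("main", 1, "ISP1-gwy-IP"),
        Route("main", 1, "ISP2-gwy-IP"),
        Route("onlyWAN1", 1, "ISP1-gwy-IP"),
        Route("onlyWAN2", 1, "ISP2-gwy-IP"),
    ]
    if with_blackhole:
        routes += [Route("onlyWAN1", 2), Route("onlyWAN2", 2)]
    return routes


def egress_for_ap1(with_blackhole, wan1_up):
    # WAN2 stays up in every scenario; only WAN1's state changes.
    up = {"ISP2-gwy-IP"} | ({"ISP1-gwy-IP"} if wan1_up else set())
    return lookup(build_routes(with_blackhole), "onlyWAN1", up)


if __name__ == "__main__":
    for bh in (False, True):
        for wan1 in (True, False):
            print(f"blackhole={bh} WAN1 up={wan1} -> {egress_for_ap1(bh, wan1)}")
```

Without the blackhole, AP1's traffic leaks to WAN2 when WAN1 is down; with it, the traffic is dropped, which is the isolation the post describes.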

Thanks Anav.