I moved a full working config from RouterOS 6 to RouterOS 7 and I lost incoming connections on the 2nd WAN. They work only on the 1st WAN.
I have read many posts & manuals but it still doesn't work.
My config:
apr/20/2023 05:25:53 by RouterOS 7.8
software id = C5KE-4SUQ
model = CCR2116-12G-4S+
/interface list
add name=WAN
add name=LAN
add name=LAN-ETH-BOOT
With the distance parameter I can now select which WAN accepts incoming connections, WAN-1 or WAN-2. With the same value, usually - but not always - incoming connections work on WAN-1.
On RouterOS 6 both worked at the same time. What is missing in RouterOS 7? I added - maybe wrongly - a FIB table.
Well, without clear communication of the requirements it will be hard to say. (A diagram always helps.)
Is this a PCC setup?
Is this a primary & secondary setup?
Are there exceptions?
Do both ISPs provide static or dynamic public IPs?
Do they provide private IPs?
What are the expectations of internal user traffic flow?
LANs x,y,z do what (group traffic flow)?
Users a,b,c do what (single-user exceptions)?
Servers
Any existing?
If accessed by internal users, is it done by LAN IP or DynDNS name?
If accessed by external users, how do they know which IP to use?
I am a newbie in MikroTik. From the very beginning I want only:
Access to the internet from the LAN by any WAN - no failover, no load balancer, etc... I will try this in the future - see below.
The priority for me is incoming connections from the internet via both WANs to services in the LAN.
I have created rules for PCC in the ratio WAN-1 1/3 & WAN-2 2/3 - WAN-2 is faster - and when switched on they worked well - maybe more tests are needed. Now they are off, this is not the priority:
I have got full real public & static IPs from both ISPs: IP-1=31.x.y.z, IP-2=79.x.y.z
I grouped all regular users & servers in subnets 10.0.5-7.XYZ. The services accessed from the public internet are in subnets 10.0.2-3.XYZ.
All internal users receive an IP from DHCP - the DHCP server is running on a VM/Proxmox. I need only routing from MikroTik.
Schema:
External users manually select the IP to connect to, WAN-1 / WAN-2.
In other words I want port forwarding to the public internet with rules like this:
(1) Why are you using bridges and not VLANs?? ONE BRIDGE ONLY!!!
(2) Your mangling is a mess and conflicts with your config...
For example it's clear you want to load balance out the two WANs, but your sourcenat rules (which are wrong) imply you only want certain LANs to go out certain WANs etc..
So before I look at your routes, mangles, routing rules, perhaps you need to spell out the requirements.
I am trying to use the new router because the old one is too slow. Based on the old working RouterOS 6 config I am trying to do the same on the new router with RouterOS 7 without changes. I was thinking there is only 1 change between versions 6 & 7: the FIB table. Maybe this is my mistake, maybe there are more changes. I used: https://help.mikrotik.com/docs/display/ROS/Moving+from+ROSv6+to+v7+with+examples
I am open to any corrections.
ad 1.)
I have got 2 WANs - 1 slow & 1 fast.
I have got many devices & VMs "grouped" in subnets 10.0.{group}.{device}/24. I cannot move them to 10.0.X.Y/16. The old config was working without VLANs. The network grew step by step over the years... After years maybe a big change is needed.
There are connected devices, e.g. laptops, printers, APs & IP phones, without support for VLANs, so VLANs can create problems. The second problem can be with switches - they are generally unmanaged devices. I will do tests with them - some support VLANs.
But what about performance? If this will not impact performance, or is better as e.g. "good practice", I can change.
ad 2.)
I will do failover in the next configuration step; load balancing will be based on the source IP address. Maybe this will be more "compatible" with the rules from RouterOS 6.
I am not going to use load balancing in this step - this is not the priority for me. The priority for me is access to the LAN's services via both WANs from the public internet.
internet IP-public[1-2] => LAN IP=10.0.[2,3,11].[0-255]
e.g. both incoming connections at the same time to both WANs from 2 different users on the internet:
(user #1) ssh user1@IP-public-1 -p 1234
(user #2) ssh user2@IP-public-2 -p 1234
the router will connect to
IP=10.0.11.12 at port 1022
Could you support me in how to write a working rule for this one connection in RouterOS 7?
And a similar question - correct me if I am wrong: the connection via UDP will be the same, only the protocol will be changed to UDP? Or maybe in RouterOS 7 routing UDP is something different?
Now I see all incoming connections create only the mark for WAN2 (lower distance) - there is no mark for WAN1:
I have tested several sets of rules from different sites/forums and nothing works in RouterOS 7...
laptops - also working outside the company as standalone devices, and via VPN - there are 2 VPN servers on VMs for different laptop groups in different subnets 10.0.SUBNET.XYZ; every laptop has a different IP in the LAN and another via VPN; I will not move the VPNs from the VMs to MikroTik.
printers
mobiles via WiFi
bare-metal servers, NASes, etc.
VMs in 2 subnets
On the WANs:
2 connections working nonstop: the 1st fast one for regular work for laptops (2 subnets) and selected VMs (from 2 subnets but not the full subnets), the 2nd slow one for technical work like connecting the rest of the VMs to services' APIs in other places/the internet, servers (e.g. email, backups), and for the rest.
Finally also failover from WAN-1 to WAN-2 and vice versa.
ad 2.)
I am going to connect from the internet/outside to internal = LAN services via the 1st or 2nd connection.
E.g.:
I am connecting from my private home computer to: ssh user@WAN-1 -p 1234; at the same time another person uses ssh user@WAN-2 -p 1234, and the MikroTik will redirect both connections to IP=10.0.1.2 port 22.
The same with VPNs: on the laptops 2 VPNs are configured to both WANs as 2 different VPNs - each with a different WAN as endpoint.
Similarly with other services - the incoming connections are to WAN1 or to WAN2 - for both the MikroTik will redirect to the same VM and the same port and send back the answer via the WAN used in the request.
There is no exception for any device.
I am glad to add any information if something is still not clear. THX for your time!
My architecture is complex. Maybe this will better describe my blocker with RouterOS 7.
Idea as a picture: connected to the MikroTik there are:
ETH=1: WAN-1 / ISP-1 public, static IP=79.0.0.0
ETH=2: WAN-2 / ISP-2 public, static IP=31.0.0.0
ETH=3: directly connected computer IP=10.0.3.3/24 with SSH port=22 & Apache/http port=80
ETH=4: directly connected printer IP=10.0.4.4/24 with IPP port=9100
ETH=5: directly connected classic computer IP=10.0.5.5/24 with a desktop with access to the public internet
Now I want to access SSH, Apache/http and the printer from outside / the public internet via a random WAN.
10 persons want to access services by WAN-1, the next 10 persons want to access services by WAN-2.
Correct me if I am wrong: this is the case, the packets from the internet should be sent back by the same WAN as received. I see forum posts like this one: http://forum.mikrotik.com/t/multi-wan-connection-tracking/157689/1 or any other, but this works only with RouterOS 6 - in 7 it doesn't. In "7" the services can be accessed only by WAN-1 or WAN-2, but never on both WANs.
> Correct me if I am wrong: this is the case,
> the packets from the internet should be sent back by the same WAN as received.
> I see forum posts like this one: viewtopic.php?t=185577 or any other, but this works only with RouterOS 6 - in 7 it doesn't.
> In "7" the services can be accessed only by WAN-1 or WAN-2, but never on both WANs.
Those bold lines explained:
1a. Yes, in terms of NAT, because NAT alters or modifies the IP address (dnat, snat, masquerade).
The request and reply sessions should match in their respective routing tables.
1b. No, in terms of full IP routing, which doesn't modify any IP address of the source or destination.
With full IP routing the request and reply can use any interface, any basic main routing table (there are exemptions for other types of routing tables).
hmm, really?? Could you give any examples?
I think that is because the application server which provides the service binds to a specific inbound IP address.
3. Please define your network problem as an inbound or outbound connection problem, which should be resolved one at a time, step by step.
This is hard to believe, that port forwarding with multi-WAN worked perfectly with RouterOS 6, but is not possible in RouterOS 7...
There are several configs/setups on the net, but all of them are for version 6; in version 7 they don't work.
You will need to mangle.
To ensure external users exit the same WAN they enter, use mangle rules, specifically two sets...
A. Have to ensure any users coming in externally, mainly for the internal server, on any WAN, go back out the same WAN.
This rule has two purposes: to mark incoming traffic headed toward a server etc., or to the router itself!
…
# mark-connection is a mangle action, so these rules belong under /ip firewall mangle (they were posted under /ip firewall nat)
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ETH1-WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ETH2-WAN2 new-connection-mark=WAN2_conn passthrough=yes
B. We want to ensure any traffic that was headed for the router itself through the WANs gets sent back out the same interface. This also ensures any return traffic from servers goes out the appropriate WAN.
Note: Return traffic from the router itself does not go through prerouting and thus we must use the output chain.
If there is no need for the router traffic... then one could use the prerouting chain instead of output; this method catches both!!
…
Why you have any more mangling rules is a mystery to me...
Similarly you only need two masquerade rules.
add action=masquerade chain=srcnat out-interface=ETH1-WAN1
add action=masquerade chain=srcnat out-interface=ETH2-WAN2
Since you have two static PUBLIC IPs, the correct format would be:
add action=src-nat chain=srcnat out-interface=ETH1-WAN1 to-addresses=79.X.X.X
add action=src-nat chain=srcnat out-interface=ETH2-WAN2 to-addresses=31.Y.Y.Y
So stop being stubborn and blaming RoS7 for your config errors... and let's focus on fixing the config!!
We can add failover and PCC or anything else after focusing on proper mangling for the incoming traffic for servers...
Typically the only thing you need to add for fair LAN usage of the two WANs, if desired, is two more sets of mangle rules:
a. to mark connections and PCC LAN traffic (okay, a third PCC rule to emphasize (send more traffic to) WAN2)
b. to mark routes for that LAN traffic.
Looking at your IP routes, also a mess...
IF PCC handles where traffic is going, you simply need a mechanism to allow the other WAN to get the other WAN's traffic in PCC...
Not sure why you have different distances in your setup???
…
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=14 comment="main table for WAN1"
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.8.8 scope=10 target-scope=14 comment="main table for WAN2"
…
Add cases for failure: there may be quicker other ways to accomplish the same, but this technique works with 3, 4 etc. WANs.
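The fragment below is an added example, not config posted by anyone in this thread and not from the attached .rsc. It puts together, for RouterOS 7, the two pieces the thread circles around: the ssh port forward from both public IPs to 10.0.11.12:1022 (the "user #1 / user #2" case from the original poster) and the connection-mark / routing-mark pairing from the post above, so that a reply leaves through the WAN the request arrived on instead of through whichever default route currently wins in the main table. Interface names ether1/ether2/ether3-5, the /30 addressing (79.0.0.2 and 31.0.0.2 with gateways 79.0.0.1 and 31.0.0.1) and the membership of the LAN interface list are assumptions; the 79.0.0.0 / 31.0.0.0 placeholders follow the ones used earlier in the thread.

```routeros
# Added example (not from the thread): RouterOS 7 dual-WAN inbound, reply leaves via the WAN the request arrived on.
# Assumed placeholders: WAN-1 on ether1 = 79.0.0.2/30, gateway 79.0.0.1; WAN-2 on ether2 = 31.0.0.2/30,
# gateway 31.0.0.1; LAN-facing ports ether3-5 are members of the "LAN" interface list.

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN

/ip address
add address=79.0.0.2/30 interface=ether1
add address=31.0.0.2/30 interface=ether2

# v7: a routing table can only be used for forwarding when it is created with the "fib" flag.
/routing table
add name=to_WAN1 fib
add name=to_WAN2 fib

/ip route
# main table: LAN-originated traffic prefers WAN-1 and falls back to WAN-2
add dst-address=0.0.0.0/0 gateway=79.0.0.1 distance=1 check-gateway=ping routing-table=main
add dst-address=0.0.0.0/0 gateway=31.0.0.1 distance=2 check-gateway=ping routing-table=main
# per-WAN tables: consulted only for packets that carry the matching routing-mark
add dst-address=0.0.0.0/0 gateway=79.0.0.1 routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=31.0.0.1 routing-table=to_WAN2

/ip firewall mangle
# 1. Tag every new connection with the WAN it arrived on. mangle prerouting runs before dstnat,
#    so the mark is in place before the port forward rewrites the destination address.
add chain=prerouting in-interface=ether1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
# 2. Replies from LAN servers re-enter the router on a LAN port: send them to the per-WAN table.
add chain=prerouting in-interface-list=LAN connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no
# 3. Replies generated by the router itself never pass prerouting: handle them in output.
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat
# The ssh example from the thread: port 1234 on either public IP -> 10.0.11.12:1022.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1234 \
    action=dst-nat to-addresses=10.0.11.12 to-ports=1022
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=1234 \
    action=dst-nat to-addresses=10.0.11.12 to-ports=1022
# A UDP service follows the same pattern with protocol=udp; the mangle rules above are protocol-agnostic.
# Outbound: the public IPs are static, so src-nat to the fixed address rather than masquerade.
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=79.0.0.2
add chain=srcnat out-interface=ether2 action=src-nat to-addresses=31.0.0.2
```

To check that it does what the thread asks for, open ssh sessions to both public addresses at the same time and look at `/ip firewall connection print where connection-mark=WAN2_conn` (the WAN-2 session should carry that mark while the WAN-1 session carries WAN1_conn), and `/ip route print where routing-table=to_WAN2` to confirm the per-WAN default route is active. `/routing table print` should list both tables with the fib flag; a table created without it is the likely reason a routing-mark seems to be ignored after a v6 to v7 migration. If the filter chain contains a fasttrack-connection rule, add connection-mark=no-mark to it (or otherwise exclude these marked connections), because fasttracked packets bypass mangle after the first packet of a connection.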
THX for the support, but something is still wrong. It is still the same: I can connect only to 1 WAN: 1 or 2, depending on how the router wants. After 3, 5, 30 minutes the WAN "accepting" incoming connections can change automatically. I changed the Distance parameter to "freeze" WAN-2 as the always-working one.
But I also want WAN-1 at the same time.
I tested from a few computers - but all computers can always connect only to WAN-1 or to WAN-2. It is not possible to connect at the same time e.g. 2 computers to WAN-1, 3 computers to WAN-2.
What am I doing wrong?
DUMP - without many disabled rules - as attachment in the post. MikroTik__20230425.rsc (10 KB)