Hi all, I have the following situation on a RB750 (RouterOS v6) to manage 2 isp for two networks divided according to two “source access lists”. In this way the 192.168.1.0/24 class goes out with isp 1 TIM, while 192.168.4.0/24 goes out with isp2 VODAFONE (and with the lists I can customize any single host).
Everything works. It also works as a failover in case one of the two connections goes down.
Now I need to migrate this config to an RB5009 with RouterOS v7. I made the following changes, but the second class 192.168.4.0/24 does not exit correctly via isp2, while the first has several errors in establishing connections. Internal routing does not work on OVPN client connections, which worked with the double-ISP config on the previous RB750 (but it works if I set only one gateway, with isp1).
I see nothing wrong with your setup, but I would change the source NAT rules, as it's not clear which WAN they refer to and thus I'm not sure they would work right.
From:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.4.0/24
To:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
(adding src-address to each rule is optional but not required)
OR BETTER, since WAN2 has a fixed/static WAN IP:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=src-nat chain=srcnat to-addresses=192.168.1.3 out-interface=eth2-WAN2
But I have an issue with why your LAN1 and WAN2 are in the same subnet… also problematic:
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
add address=192.168.1.3/32 interface=eth2-WAN2 network=192.168.1.2
Then to top it off, and worse you add the ISP2 address to one of the LAN firewall address lists and not the one with the same subnet???
/ip firewall address-list
add address=192.168.1.0/24 list=TIM
add address=192.168.4.0/24 list=VODAFONE
add address=192.168.1.31 list=VODAFONE
I would also agree with the previous poster that your rules are a bit funny to have worked well in the past…
I agree with your approach of using firewall address lists, as you state it's not just whole subnets but subnets plus or minus a number of hosts that may change from time to time. It is much easier and smarter to adjust a firewall address list than to keep changing whole rules.
The additional destination address in the mangle rule suggested above is also a smart move IF YOU NEED LAN to LAN traffic, because what it does is mark only traffic NOT headed for the other subnet(s). In this way LAN to LAN traffic is not affected by your mangling. You could get away with not adding the additional dst part by creating two ROUTING RULES, to ensure LAN1 could reach LAN2 and LAN2 could reach LAN1.
However, as stated, it was not clear if you needed LAN1 to LAN2 traffic or vice versa, and if NOT then you can skip the previous poster's addition of the destination address in the mangle rules.
In terms of routing, standard routes plus two mangled routes should suffice without any need for routing rules!!
/ip route
add dst-address=0.0.0.0/0 gateway=WAN1 routing-table=main
add dst-address=0.0.0.0/0 gateway=WAN2 routing-table=main
add dst-address=0.0.0.0/0 gateway=WAN1 routing-table=isp1
add dst-address=0.0.0.0/0 gateway=WAN2 routing-table=isp2
What you have not detailed are any requirements for the relationship between the two WANs.
Did you want any failover: if WAN1 were to go down, move all of LAN1 to WAN2, and vice versa if WAN2 were to go down, move all of LAN2 to WAN1, etc.???
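As an added worked example (not posted by anyone in this thread), here is the complete v7 version of the scheme discussed above: address lists selecting the ISP, mangle marks that skip LAN-to-LAN traffic, per-table routes with a backup via the other ISP for failover, and NAT keyed on the outgoing WAN. The interface names WAN1/WAN2 and the gateway addresses 203.0.113.1 / 198.51.100.1 are assumed placeholders.

```routeros
# Added example (not from the thread). WAN1/WAN2 and the gateway addresses
# 203.0.113.1 / 198.51.100.1 are assumed placeholders; replace with yours.

# 1. v7 requires each custom routing table to be declared with "fib"
/routing table
add name=isp1 fib
add name=isp2 fib

# 2. Address lists decide which hosts use which ISP; a single host can be
#    added to or moved between lists without touching any rule
/ip firewall address-list
add address=192.168.1.0/24 list=TIM
add address=192.168.4.0/24 list=VODAFONE

# 3. Mark only traffic that is NOT for the other LAN and NOT for the router
#    itself, so LAN-to-LAN and management traffic stays in the main table
/ip firewall mangle
add chain=prerouting src-address-list=TIM dst-address=!192.168.4.0/24 \
    dst-address-type=!local action=mark-routing new-routing-mark=isp1 passthrough=no
add chain=prerouting src-address-list=VODAFONE dst-address=!192.168.1.0/24 \
    dst-address-type=!local action=mark-routing new-routing-mark=isp2 passthrough=no
#    Replies to connections that arrived on a WAN (e.g. an OVPN server on the
#    router) must leave through the same WAN: mark the connection on entry
#    and reuse that mark for the router's own output packets
add chain=prerouting in-interface=WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=from-wan1 passthrough=yes
add chain=prerouting in-interface=WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=from-wan2 passthrough=yes
add chain=output connection-mark=from-wan1 action=mark-routing new-routing-mark=isp1 passthrough=no
add chain=output connection-mark=from-wan2 action=mark-routing new-routing-mark=isp2 passthrough=no

# 4. Each table has its own ISP first and the other ISP as backup (distance=2);
#    check-gateway=ping deactivates a route whose gateway stops answering,
#    which is what makes the failover happen automatically
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=isp1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=isp1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=isp2 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=isp2 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=main distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=main distance=2 check-gateway=ping

# 5. NAT keyed on the outgoing WAN, so every flow is translated to the
#    address of the ISP it actually leaves through
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
```

To move one host to the other ISP, add its address to the other list (the more specific list entry must sit above the /24 entry or the host must be removed from its original list); `/ip route print` shows which route in each table is currently active.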
The goal is to have two distinct classes that don't speak to each other and have nothing in common. I have two ISPs; I would like isp1 to serve LAN1 (1.x) and isp2 to serve LAN2 (4.x).
There are no constraints; in fact, they allow a failover of one of the two networks if the other fails.
Finally, I would like to have the possibility to decide the exit ISP of a specific client (by IP). So with this configuration, do I also mark the internal LAN-to-LAN routing?
I think they should add examples of how to do this somewhere, e.g. a tutorial or something.
I want to route a specific device, e.g. ether3, or maybe just one IP's traffic, through a VPN or maybe an L2TP tunnel.
But I can't find info on how to do this on RouterOS 7.
Everything is in the default setting; my router address is 192.168.1.1. If anyone can help out I would appreciate it.
Actually this is easy: a few routing rules and a routing adjustment to your environment and it's done. People think this is hard because they don't know how routing works. There are two ways to achieve this in RouterOS, by using routing rules or mangle. For a start you should watch this video to get the concept and wrap your head around it.