Routing with two gateways

Ernstm · May 23, 2012, 7:01am

Hi all.

I have a bit of a problem with my setup.

My ISP gives me multiple public IP addresses and I need to configure a gateway for my mail server that does not effect the rest of the network.

The problem I have is that when adding a second gateway with a routing mark (matching the mail server) the second Interface, my default “reachable interface” cant be manually set. Thus the mail routes via the wrong interface.

The problem is that both my outgoing interfaces have the same default gateway (the gateway of the router). Thus the routes pick the “reachable interface” automatically and I cant force the mail’s gateway via the second interface.

It would seem that the default interface selected as the “reachable interface” is selected when I activate the interfaces. Thus which ever interface in activated last is chosen and I cant seem to find a way to “lock it down” so to speak.

Is there another way I can accomplish this?

Thanks in advance for your assistance.

karina · May 23, 2012, 12:51pm

What is your purpose in splitting the traffic ?

Ernstm · May 23, 2012, 1:49pm

Well I have a router from the ISP acting as the gateway with public ip let say … 41.222.222.1
and I have two interfaces from the Mikrotik Router using this gateway with Public IP’s 41.222.222.2 and 41.222.222.3 and as such they both have a gateway of 41.222.222.1

The reason is that I want mail traffic on the one interface public IP and everything else on the other interface. Thus traffic … say spam for example from an infected pc on the network … wont get the mail server RBL listed.

karina · May 23, 2012, 2:40pm

I am pretty sure you need to put both ips on the same interface then use a combination of mangle rules and a srcnat rule to show mail traffic coming from the other ip. I am a bit a of novice on this I am sure someone with more knowledge than me can give you the correct rules to put in.

it is better i think to put some firewall rules in to detect and prevent spamming in the first place. I seem to remember there are some good examples of this on this forum somewhere.

I also have a SMTP server whitelist and drop all others on my network. Basically my users either use my own SMTP server or they have to sign a declaration of non spamming and I whitelist thier preferred server

Feklar · May 23, 2012, 4:04pm

http://wiki.mikrotik.com/wiki/Manual:Load_balancing_multiple_same_subnet_links#Configuration

Mainly these lines:

/ip route
add gateway=10.1.101.1
add gateway=10.1.101.1%ether1 routing-mark=first
add gateway=10.1.101.1%ether2 routing-mark=other

Keep in mind that you have do add the routes through the CLI and do not edit them with winbox or webfig. It will wipe out the interface information that you want to keep for the specific route.

karina · May 23, 2012, 5:43pm

Hi Feklar,

How would you go about this if you only have one WAN interface.

I have a /28 block of Public ips. with one gateway. and only one WAN interface.

I want SMTP traffic on port 25 to be sourced from one of my ips and http from another

Feklar · May 23, 2012, 7:56pm

Use different NAT rules.

/ip firewall nat
add chain=srcnat action=src-nat to-address=<SMTP IP> protocol=tcp dst-port=25 out-interface=ether1 comment="NAT SMTP Server out a different IP"
add chain=srcnat action=src-nat to-address=<MAIN IP> out-interface=ether1 comment="NAT everything else out the main IP"

Be sure both IPs are assigned to the WAN of the router.

karina · May 24, 2012, 7:59am

Many Thanks feklar

Ernstm · May 29, 2012, 11:08am

Thanks For the info