Hi all.
There is router with 2 WAN ports (different ISP).
I would like to have access for both WAN IPs.
Basically I can access only for IP that has default (0.0.0.0/0) route.
How I can make access for second WAN IP.
I have found some documentation in manual about load balancing, but
seems that example not useful for me because looks like mangle prerouting do not help me to do that.
You can simply add the second WAN IP default gateway to your default route. For example, if your two ISP default gateways were 77.88.1.1 and 44.34.23.1 you could do:
/ip route add dst-address=0.0.0.0/0 gateway=77.88.1.1,44.34.23.1
The system will alternate connections between the two.
If you want to control which traffic goes where, you have to use mangles and policy routing. There are examples in the Wiki.
Hmm, The problem is that for me is not differences how to LAN traffic goes. I’m more interested in the WAN traffic. Looks like mangle and policy routing working only for LAN traffic because it is possible to MARK it.
I cannot find way to MARK traffic witch is specifically about WAN. I can not MARK it because they are not in prerouting chain.
May be you can show me the example how to do that?
I don’t have a good and/or quick example to show you and I’m lacking on time to put one together. We don’t do policy routing to use multiple ISP connections because we are big enough to have our own ASN with BGP feeds from tier-1 connection providers and we just let BGP take care of things for us. I will tell you that you should test your setups with 2.9 and 3.x versions separately as there are some issues in 3.x with policy routing.
Hello,
The main problem you are experiencing is probably 2nd WAN isp doesnt allow you to source packets with IP addresses from the 1st isp (BCP 38 enforcement is good really). This probably only applies for pings and other packets coming directly to the router, winbox, etc. You need to mangle packets coming to the router from each WAN and mark each appropriately, then use policy routing to send it back out the same way it came in. Its not automatic unfortunately. I posted some rules in the forums a few months ago about exactly this - search author ‘changeip’ and ‘output prerouting mangle’ you should find it.
EDIT - i think this is it: http://forum.mikrotik.com/t/policy-based-routing/19589/9
Thx,
Sam
Thank you for advice , this is exactly that I need, however seems I lost something simple … 
My configurtation …
/ip firewall mangle add chain=input action=mark-connection new-connection-mark=conn-mark-isp2 passthrough=yes in-interface=isp2
/ip firewall mangle add chain=output action=mark-routing new-routing-mark=routing-mark-isp2 passthrough=yes connection-mark=conn-mark-isp2
/ip route add gateway=ISP2-GW-IP routing-mark=routing-mark-isp2
It’s not working
you are not marking packets, only connection ? You need both. Post the following so we dont have to keep guessing:
/ip route print detail
/ip firewall mangle print
Thx,
Sam
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
0 ADC dst-address=192.168.245.0/27 pref-src=192.168.245.25 interface=isp2 scope=10 target-scope=0
1 A S dst-address=0.0.0.0/0 gateway=192.168.245.1 interface=isp2 gateway-state=reachable scope=255 target-scope=10 routing-mark=routing-mark-isp2
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=mark-connection new-connection-mark=conn-mark-isp2 passthrough=yes in-interface=isp2
1 chain=output action=mark-routing new-routing-mark=routing-mark-isp2 passthrough=yes connection-mark=conn-mark-isp2
[admin@MikroTik] >
Regards,
Mangust
you dont have enough … follow that example thread and actually put all those rules in place if you want it to work.
http://forum.mikrotik.com/t/policy-based-routing/19589/9
marking only the connection (SYN packet only) isn’t going to get you what you need : )