Hi,
I've set up a new hAP ax2 with 3 separate WAN connections: new main (cable/CAB), old main (ADSL/DSL) and a backup (LTE). All with static IP over DHCP.
It works most of the time, but for some random public IPs the router is unable to find a route.
Only if I force those IPs over a specific route will they work.
My setup should be quite simple.
First the interfaces where each modem is connected
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] name=ether2-CAB
set [ find default-name=ether3 ] name=ether3-DSL
set [ find default-name=ether4 ] name=ether4-LTE
Then the DHCP clients without a default route
/ip dhcp-client
add add-default-route=no interface=ether2-CAB
add add-default-route=no interface=ether3-DSL
add add-default-route=no interface=ether4-LTE
Then the new routing tables for the mangle/routing entries
/routing table
add disabled=no fib name=CAB
add disabled=no fib name=DSL
add disabled=no fib name=LTE
Default routes for each connection with increasing costs to prioritize cable -> DSL -> LTE
/ip route
add comment=GW_CAB disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
aaa.aaa.aaa.aaa routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment=GW_DSL disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
bbb.bbb.bbb.bbb routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment=GW_LTE disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
ccc.ccc.ccc.ccc routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
And routes for each routing table
/ip route
add comment="ROUTE CAB" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
aaa.aaa.aaa.aaa routing-table=CAB scope=30 suppress-hw-offload=no \
target-scope=10
add comment="ROUTE DSL" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=bbb.bbb.bbb.bbb routing-table=DSL scope=30 suppress-hw-offload=no \
target-scope=10
add comment="ROUTE LTE" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
ccc.ccc.ccc.ccc routing-table=LTE scope=30 suppress-hw-offload=no \
target-scope=10
I use Netwatch to check the connections and dis-/enable the respective default routes.
For that I set routing rules for 3 reliable IPs (like 8.8.8.8, 8.8.4.4, 1.1.1.1)
/routing rule
add action=lookup-only-in-table comment="CHECK ROUTE CAB" disabled=no \
dst-address=xxx.xxx.xxx.xxx/32 table=CAB
add action=lookup-only-in-table comment="CHECK ROUTE DSL" disabled=no \
dst-address=yyy.yyy.yyy.yyy/32 table=DSL
add action=lookup-only-in-table comment="CHECK ROUTE LTE" disabled=no \
dst-address=zzz.zzz.zzz.zzz/32 table=LTE
These will always be reachable due to the routing-table-specific default routes, while clients use the active routes on the main table.
To complete the routing a few firewall rules:
An address list to catch all private scopes
/ip firewall address-list
add address=10.0.0.0/8 comment=a list=PRIVATE
add address=172.16.0.0/12 comment=b list=PRIVATE
add address=192.168.0.0/16 comment=a list=PRIVATE
Mark incoming connections to return them from the correct interface
/ip firewall mangle
add action=mark-connection chain=input comment=IN_CAB connection-state=new \
dst-address=aaa.aaa.aaa.aaa new-connection-mark=IN_CAB src-address-list=\
!PRIVATE
add action=mark-connection chain=input comment=IN_DSL connection-state=new \
dst-address=bbb.bbb.bbb.bbb new-connection-mark=IN_DSL src-address-list=\
!PRIVATE
add action=mark-connection chain=input comment=IN_LTE connection-state=new \
dst-address=ccc.ccc.ccc.ccc new-connection-mark=IN_LTE src-address-list=\
!PRIVATE
And the respective routing marks
add action=mark-routing chain=prerouting comment="OUT_CAB" connection-mark=\
IN_CAB dst-address-list=!PRIVATE new-routing-mark=CAB src-address-list=\
PRIVATE
add action=mark-routing chain=prerouting comment=OUT_DSL connection-mark=\
IN_DSL dst-address-list=!PRIVATE new-routing-mark=DSL \
src-address-list=PRIVATE
add action=mark-routing chain=prerouting comment=OUT_LTE connection-mark=\
IN_LTE dst-address-list=!PRIVATE new-routing-mark=LTE src-address-list=\
PRIVATE
And a masquerade
/ip firewall nat
add action=masquerade chain=srcnat comment="DEFAULT MASQUERADE" \
dst-address-list=!PRIVATE src-address-list=PRIVATE
This works fine most of the time. When disabling cable, everything goes over DSL without a problem, same for LTE.
Yet for some random public IPs I get "unable to find route to host". Sometimes those can be reached over a different connection. Sometimes I can ping it from the router, sometimes not, sometimes specifying the interface, sometimes I don't have to.
If I force it with another mangle rule
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DEFAULT_OUT_CAB \
connection-state=new dst-address-list=!PRIVATE new-connection-mark=\
IN_CAB src-address-list=PRIVATE
…everything works fine, except that I can't use the main routing table. So currently I have such a mangle for all WANs and dis-/enable them with my Netwatch checks alongside the default main routes.
I've made similar setups and never had that problem. Did I make a mistake, or has more changed in version 7?
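To make the lookup order in a setup like the one above concrete, here is an added example (not the poster's configuration and not RouterOS code) that models the three mechanisms in the post: routing rules with action=lookup-only-in-table, routing marks set by mangle, and the distance-ordered default routes in main that Netwatch toggles. It reproduces the post's routes and rules in Python so you can see which table and gateway a given destination ends up with, including the case where a table's only route is disabled. Assumptions: rules are evaluated top to bottom and lookup-only-in-table never falls back to main; a routing-mark lookup is assumed to fall back to main when the marked table holds no usable route (check this against your RouterOS version); the gateways aaa.aaa.aaa.aaa, bbb.bbb.bbb.bbb and ccc.ccc.ccc.ccc are the post's placeholders, the check IPs are 8.8.8.8, 8.8.4.4 and 1.1.1.1 as the post suggests, and 203.0.113.10 (TEST-NET-3) stands in for an arbitrary public host.

```python
"""Toy model of the policy-routing lookup order used in the post above.

Added example, not the poster's configuration and not RouterOS code. The
fallback behaviour of routing-mark lookups is an assumption (see comments);
the gateway strings are the post's placeholders, the check IPs and the
203.0.113.10 test host are constructed sample input.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Route:
    dst: str                  # destination prefix, e.g. "0.0.0.0/0"
    gateway: str
    distance: int = 1
    disabled: bool = False
    comment: str = ""


@dataclass
class Rule:
    dst: str                  # /32 check IP, as in the post
    table: str                # action=lookup-only-in-table, no fallback


class Router:
    def __init__(self, tables, rules):
        self.tables = tables  # table name -> list of Route
        self.rules = rules    # evaluated top to bottom, first match wins

    def _lookup(self, table, dst):
        """Active route with the longest prefix, then the lowest distance."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.tables.get(table, [])
                      if not r.disabled and ip in ipaddress.ip_network(r.dst)]
        if not candidates:
            return None
        return min(candidates,
                   key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen,
                                  r.distance))

    def resolve(self, dst, routing_mark=None):
        """Return (table consulted, gateway or None) for a packet to dst."""
        ip = ipaddress.ip_address(dst)
        # 1. /routing rule: lookup-only-in-table never falls back to main, so
        #    a table whose only route is disabled yields "no route" on purpose.
        for rule in self.rules:
            if ip in ipaddress.ip_network(rule.dst):
                r = self._lookup(rule.table, dst)
                return rule.table, (r.gateway if r else None)
        # 2. routing mark from /ip firewall mangle. ASSUMPTION: falls back to
        #    main when the marked table has no usable route.
        if routing_mark:
            r = self._lookup(routing_mark, dst)
            if r:
                return routing_mark, r.gateway
        # 3. main table: lowest distance among the enabled default routes
        r = self._lookup("main", dst)
        return "main", (r.gateway if r else None)


def build_router():
    """Routes and rules laid out as in the post (placeholder gateways)."""
    gw = {"CAB": "aaa.aaa.aaa.aaa", "DSL": "bbb.bbb.bbb.bbb",
          "LTE": "ccc.ccc.ccc.ccc"}
    main = [Route("0.0.0.0/0", gw["CAB"], distance=1, comment="GW_CAB"),
            Route("0.0.0.0/0", gw["DSL"], distance=2, comment="GW_DSL"),
            Route("0.0.0.0/0", gw["LTE"], distance=3, comment="GW_LTE")]
    tables = {"main": main}
    for name in ("CAB", "DSL", "LTE"):
        tables[name] = [Route("0.0.0.0/0", gw[name], comment=f"ROUTE {name}")]
    rules = [Rule("8.8.8.8/32", "CAB"),    # constructed check IPs
             Rule("8.8.4.4/32", "DSL"),
             Rule("1.1.1.1/32", "LTE")]
    return Router(tables, rules)


def set_route(router, table, comment, disabled):
    """What the Netwatch up/down scripts do: toggle one route by comment."""
    for r in router.tables[table]:
        if r.comment == comment:
            r.disabled = disabled
            return r
    raise KeyError(comment)


if __name__ == "__main__":
    rt = build_router()
    print(rt.resolve("203.0.113.10"))              # main via cable
    set_route(rt, "main", "GW_CAB", disabled=True)
    print(rt.resolve("203.0.113.10"))              # main fails over to DSL
    print(rt.resolve("8.8.8.8"))                   # check IP still leaves via CAB
    set_route(rt, "CAB", "ROUTE CAB", disabled=True)
    print(rt.resolve("8.8.8.8"))                   # ('CAB', None): no fallback
```

The model shows why the check IPs keep their own path whatever Netwatch does to main (the rule pins them to the per-WAN table), and that disabling a per-WAN table's only route produces exactly a "no route" result rather than a fallback. It does not model anything about which real destinations fail; that is what the post is asking about.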