Support for WAN side connections for multiple links

Hello, I have a problem with the configuration in RouterOS v7.6 of the correct handling of return traffic when connections are initiated from the WAN side to addresses served by a table other than main.

I currently have 2 links: one has a default route in the main table, the other has a default route in a separate WAN2 routing table.
The problem is that in this configuration, for example, a remote connection to the router through the second link causes the router to respond according to the entry in the main table.

How (in RouterOS v7) to handle new connections directed to the WAN2 interface?

Thank you in advance

https://forum.mikrotik.com/viewtopic.php?p=908118

Sorry for the lack of response - I’m completing the topic now.

It’s about handling incoming traffic TO the MikroTik from 2 ISPs.

I have added 2 default routes in 2 different tables:

/ip route/print detail where dst-address="0.0.0.0/0"
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp 
 0  As   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=x.x.x.x immediate-gw=x.x.x.x%vlan3730_WAN distance=1 scope=30 target-scope=10 suppress-hw-offload=no 
 1  As   dst-address=0.0.0.0/0 routing-table=LTE pref-src="" gateway=y.y.y.y immediate-gw=y.y.y.y%vlan10_LTE distance=1 scope=30 target-scope=10 suppress-hw-offload=no
 
/routing/table/print
Flags: D - dynamic; X - disabled, I - invalid; U - used 
 0 D   name="main" fib
 1     name="LTE" fib

Mangle configuration is:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=vlan10_LTE log=yes log-prefix=LTE_conn new-connection-mark=LTE_conn passthrough=yes
add action=mark-routing chain=output connection-mark=LTE_conn log=yes log-prefix=LTE_route new-routing-mark=LTE passthrough=yes

And finally, when pinging from the Internet to the address on the vlan10_LTE interface, the response is directed to the gateway in vlan3730_WAN - that is, the links work according to the main routing table:

firewall,info LTE_conn prerouting: in:vlan10_LTE out:(unknown 0), connection-state:new src-mac a0:50:43:e5:11:02, proto ICMP (type 8, code 0), x.x.x.x->y.y.y.y, len 60
firewall,info LTE_route output: in:(unknown 0) out:vlan3730_WAN, connection-mark:LTE_conn connection-state:established proto ICMP (type 0, code 0), x.x.x.x->y.y.y.y, len 60

I have no idea what I’m doing wrong here.
Thank you in advance for your help.

  1. The relationship between WAN1 and WAN2 (assuming two different providers, correct?).
     Is one primary, to be used by all users, and the other secondary, only used if WAN1 fails?

  2. How are external users directed to WAN2? For example, by DynDNS name if dynamic, or by WAN IP if fixed/static?
     All servers on WAN2, or some on WAN1?

  3. Describe the users behind the router: subnet A needs, subnet B needs, with respect to which WAN they go out.
     Are there users with specific needs?

Hello, in this case it is not about a local network service.
It is about the ability to reach the MikroTik itself through one of the two active links,
so that the traffic to the client initiating the connection is always returned through the same link on which it was initiated.

Okay, got it.
Don't worry about how incoming users get to a particular WAN.
Just be concerned that we ensure same in, same out.

Basic concept

ip route
add route for WAN1 table=main
add route for WAN2 table=main
add route for WAN1 table=isp1-out
add route for WAN2 table=ISP2-OUT

Prerouting mangle: mark new connections coming in on WAN1 (no-mark, in-interface=WAN1) viaWAN1
Prerouting mangle: mark new connections coming in on WAN2 (no-mark, in-interface=WAN2) viaWAN2
Prerouting mangle: new routing mark (connection-mark=viaWAN1) isp1-out
Prerouting mangle: new routing mark (connection-mark=viaWAN2) ISP2-OUT

Adjustment to the fasttrack rule (only unmarked connections are fasttracked, so marked ones still pass through mangle):
add action=fasttrack-connection chain=forward comment=Fasttrack
connection-mark=no-mark connection-state=established,related hw-offload=yes

+++++++++++++++++++++++++++++++
However, what about users ON THE LAN, ORIGINATING traffic, what are they supposed to do…

Hello, thank you for your reply - I finally managed to get my head around the topic; below I am posting the final mangle rules:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=vlan10_LTE new-connection-mark=LTE_conn passthrough=yes
add action=mark-routing chain=output connection-mark=LTE_conn new-routing-mark=LTE passthrough=yes

However, another problem has now arisen.
There are various networks connected to the MikroTik; ultimately, through the link WAN1 or WAN2, we want to connect via WireGuard to access them. I should also add that I have tested accessing the MikroTik over either WAN link using SSH as an example, and the return traffic already works correctly. On the other hand, with WireGuard, the return UDP packets of the tunnel go through the gateway in the main table (WAN1) regardless of the fact that it was initiated from WAN2. I assume there shouldn’t be a problem with this, as WireGuard is an internal RouterOS process, so if packets from e.g. an SSH login return correctly, they should also return correctly from WireGuard.

Change the second rule (mark-routing) to passthrough=no!
And where are the rules to ensure same in, same out for the second WAN?

The same approach can be applied to wireguard, think about it.
The initial handshake has to come in and out of the same WAN.

So by using the endpoint or server address dyndns name etc, we can control which wan the client connects to.
How the router responds depends on how you setup your routes.

Since you fail to provide that information (what your intentions are for WAN1 and WAN2: primary/secondary, PCC load balance etc., and what the requirements are for the users behind the router), due to lack of planning or lack of cooperation, I am moving on.

At first it was ensuring incoming goes out the same way it came in, then you are now talking WireGuard, and now mention "other networks connected to the router".
Another reason is that I don't chase requirements, and am moving on; it is not a game to me to hide stuff when working on a config approach…
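A complete version of the "basic concept" laid out above, with the passthrough=no correction applied and rules for both WANs, as an added example that is not from the thread or from MikroTik. Interface names (ether1-WAN1, ether2-WAN2, an interface list named LAN), gateway addresses and table names are assumptions; it also goes slightly beyond the router-only case by covering replies from dst-nat'ed LAN hosts via prerouting.

```routeros
# Added example (not from the thread): "same in, same out" for two WANs.
# Interface names, gateways, table names and the LAN interface list are assumptions.
/routing table
add name=via-WAN1 fib
add name=via-WAN2 fib

/ip route
# Normal default routes for LAN-originated traffic (WAN1 primary, WAN2 as backup).
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 comment="WAN1 default (main)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="WAN2 backup (main)"
# One default route per policy table, used only for replies to connections
# that entered on that WAN.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=via-WAN1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via-WAN2

/ip firewall mangle
# 1. Tag each new connection with the WAN it arrived on (covers traffic to the
#    router itself, e.g. SSH/WireGuard, and dst-nat'ed traffic to LAN hosts).
add chain=prerouting in-interface=ether1-WAN1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=in-WAN1 passthrough=yes
add chain=prerouting in-interface=ether2-WAN2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=in-WAN2 passthrough=yes
# 2. Replies generated by the router itself (chain=output) use the matching table.
add chain=output connection-mark=in-WAN1 action=mark-routing new-routing-mark=via-WAN1 passthrough=no
add chain=output connection-mark=in-WAN2 action=mark-routing new-routing-mark=via-WAN2 passthrough=no
# 3. Replies from LAN hosts are forwarded, so they hit prerouting on the LAN side;
#    restricting to in-interface-list=LAN keeps WAN-ingress packets from being re-marked.
add chain=prerouting in-interface-list=LAN connection-mark=in-WAN1 \
    action=mark-routing new-routing-mark=via-WAN1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=in-WAN2 \
    action=mark-routing new-routing-mark=via-WAN2 passthrough=no

/ip firewall filter
# Fasttracked packets bypass mangle, so only unmarked connections may be fasttracked;
# marked ones stay on the slow path where the routing mark takes effect.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark hw-offload=yes comment="fasttrack (unmarked only)"
add chain=forward action=accept connection-state=established,related
```

Check the result with /ip firewall mangle print stats while pinging each WAN address from outside: the in-WAN2 counters should increase and the reply should leave via the WAN2 gateway.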

I changed the second rule (mark-routing, output) to passthrough=no.
Do there have to be rules for WAN1, since it is running in the main table and as a rule there are no problems with external communication?

As for the WireGuard handshake, since the SSH connection over the same link works fine then WireGuard should too.
At the same time, I actually noticed a strange thing: when trying to connect to a given peer, the time does not start counting (it is still 00:00:00), but you can see the tx/rx data.
(Screenshot attached: Zrzut ekranu 2023-03-15 161259.png)
In reference to your last sentence: if I have to send an export of more of the configuration, I can do it. Sorry, but if I am doing something wrong, just tell me about it.

In the Firewall section of the RouterOS interface, create a new rule to allow incoming traffic on the WAN2 interface. This rule should be placed above any existing rules that deny incoming traffic.
Set up NAT rules to translate incoming traffic from the WAN2 interface to the correct destination addresses and ports on your local network.