Two carriers with public IPs and one MikroTik

Hello, thanks for the forum. It is a pleasure to be part of it.

I’m an ISP and I work with PPPoE for my clients, delivering public IPs. I have two carriers that give me one /24 of public IPs each. I’m looking to make each IP range go out through its own WAN using dynamic PPPoE: depending on the IP assigned to the client, it must go out through one WAN or the other.

I have solved that issue with static routes, like this:

IP-ROUTES: I add the route for each WAN, but on one of them I set a Routing Mark.
In RULES I add the IPs of that WAN and assign them the Routing Mark table.
In this way, I get the upstream traffic of that secondary range to go out through it, and not through the main one.

THE PROBLEM: now there is no access between my own IPs; I mean, I cannot access one of my public IPs from another of my public IPs. From outside my network there is no problem. This affects, for example, several clients that have two houses connected to this MikroTik and now cannot access FTP servers between them.

I give an example:

CARRIER1: 87.100.100.1/24
CARRIER2: 88.100.100.1/24

CLIENT1: 87.100.100.2/32 (or any IP, from carrier 1 or 2)
CLIENT2: 88.100.100.2/32 (or any IP, from carrier 1 or 2)

CLIENT1 tries to access CLIENT2. It does not connect.

If we disable the route that has the Routing Mark in IP-ROUTE, they can access each other, but then the upload traffic of everyone leaves through the same WAN, the main one.

What’s going on?

Thank you and sorry for my bad english.

:frowning: :frowning: :frowning:

Perhaps a diagram would help?

I have given an example but I will try to explain better.

Let’s assume that we are going to use two ethernet ports as input, each port is a provider.

ETH1: 84.54.54.1/24
ETH2: 84.54.55.1/24

Between the two providers we have 512 public IPs. Good.

Now, we are going to supply those public IPs by PPPoE to our clients using the ethernet3 port. We already have the pools created and they are supplied perfectly.

I create the main route for the first provider in IP-> Routes:

Dst. Address: 0.0.0.0/0 Gateway: 84.54.54.1 (Reachable ETH1) Distance: 1 Scope: 30 Target Scope: 10

I create the secondary route for the second provider in IP-> Routes:

Dst. Address: 0.0.0.0/0 Gateway: 84.54.55.1 (Reachable ETH2) Distance: 1 Scope: 30 Target Scope: 10 Routing Mark: SECONDARY

I assign the IPs of the second provider to the mark in IP->Routes->Rules:

Src. Address: 84.54.55.0/24 Dst. Address: 0.0.0.0/0 Action: lookup Table: SECONDARY

Everything works well.


Now, the problem… A client with IP 84.54.54.6, for example, tries to access a server hosted by another client with IP 84.54.55.96. There is no access.

Solution? Thanks.

What’s going on is that each PPPoE tunnel becomes a “connected subnet”, i.e. a route with distance=0 to its remote-address is added to your routing table whenever the client connects. So the packets from a client in one /24 (subnet A) to a client in the same subnet A or in the other /24 (subnet B) would normally take a direct path, bypassing the WANs. But your policy routing (by means of /ip route rule rows) has (probably) changed this only for packets from clients in subnet B (those which are instructed to use a specific routing table to go out via the corresponding WAN interface), but as you say that for source subnet A you keep using the main routing table, it means it is used also for packets towards subnet B, and in the main routing table, the dynamically added routes mentioned above override the default route via WAN A’s gateway. So packets from subnet A to subnet B still take the shortcut whilst packets from subnet B to subnet A go out the WAN and come back via WAN A. So if you use some firewall rules referring to in-interface(-list), they may not match on the traffic taking a different-than-expected way.

On the other hand, if two clients in subnet B want to talk to each other, your routing rules request that everything from subnet B, including packets to another subnet B address, go out the WAN B, and the ISP B may not loop the packets back to your WAN since from the ISP’s perspective they should have never received them.

But all the above is just speculation. If you want more useful advice, instead of posting sad smileys, post your current configuration, anonymized the way suggested in my automatic signature just below.

Also, instead of choosing routing tables by means of /ip route rule rows, moving WAN B and all the PPPoE interfaces using that WAN to a separate VRF group could be a simpler way, however not knowing the other circumstances (some public IPs may be used to NAT clients which do not require public IP addresses) it is hard to say what is the best way.

[code]
/ip pool
add name=POOL next-pool=none ranges=84.54.54.2-84.54.55.254

/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=84.54.24.1 name=internet \
    only-one=yes remote-address=POOL

/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4

/ip address
add address=192.168.1.2/24 comment=WAN_XTRA interface=ether1 network=\
    192.168.1.0
add address=192.168.10.2/24 comment=WAN_AIRE interface=sfp-sfpplus1 network=\
    192.168.10.0
add address=84.54.54.1/24 comment=PUB_AIRE interface=bridge1 network=\
    84.54.54.0
add address=84.54.55.1/24 comment=PUB_XTRA interface=bridge1 network=\
    84.54.55.0

/ip firewall filter
add action=drop chain=input comment="drop dns" dst-port=53 in-interface=\
    sfp-sfpplus1 protocol=udp
add action=drop chain=input comment="drop dns" dst-port=53 in-interface=\
    ether1 protocol=udp
add action=drop chain=input comment="drop dns2" dst-port=53 in-interface=\
    sfp-sfpplus1 protocol=tcp
add action=drop chain=input comment="drop dns2" dst-port=53 in-interface=\
    ether1 protocol=tcp
add action=drop chain=input comment="Drop General" in-interface=sfp-sfpplus1
add action=drop chain=input comment="Drop General" in-interface=ether1

/ip route
add distance=1 gateway=192.168.1.1 pref-src=84.54.55.1 routing-mark=SECONDARY
add distance=1 gateway=192.168.10.1 pref-src=84.54.54.1
/ip route rule
add dst-address=0.0.0.0/0 src-address=84.54.55.0/24 table=SECONDARY
[/code]

There is no further configuration. The rest are scripts, etc.

Thanks.

Please edit the above post and place [code] before the configuration export and [/code] after it.

As I assumed, there is just a single /ip route rule row, so all the traffic from 84.54.55.0/24, including the traffic towards 84.54.55.0/24 itself and towards 84.54.54.0/24, is marked to use WAN2.

So you should modify it the following way:

[code]
/ip route rule
add dst-address=84.54.54.0/24 action=lookup table=main
add dst-address=84.54.55.0/24 action=lookup table=main

add dst-address=0.0.0.0/0 src-address=84.54.55.0/24 action=lookup-only-in-table table=SECONDARY
[/code]

The /ip route rules are processed the same way as firewall rules or IPsec policies: top to bottom, until the first match.
The action=lookup-only-in-table prevents the packets from being sent out via WAN1 if WAN2 is down, so that the route via WAN2 becomes inactive. With plain action=lookup, if no route is found in the required routing table, the packet is routed using the routes in routing table main (i.e. those with no routing-mark).

Don’t I need to modify the routes?

[code]
/ip route
add distance=1 gateway=192.168.1.1 pref-src=84.54.55.1 routing-mark=SECONDARY
add distance=1 gateway=192.168.10.1 pref-src=84.54.54.1
[/code]

Thanks.

There is no need to modify the two default routes. As I wrote before, each time a PPPoE client connects, a route with distance=0 and dst-address matching the assigned IP address of that client is dynamically created in routing table main - use /ip route print to see that.

Out of all routes whose dst-addresses match the destination address of a packet, the one with the narrowest (longest) prefix always wins over all the other ones in the same routing table. So since these dynamically added routes exist, packets to their dst-addresses will ignore the default route.
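To make the two mechanisms sindy describes in the last two replies concrete (route rules matched top to bottom with lookup vs. lookup-only-in-table, and longest-prefix selection inside a table, where the dynamic /32 of a connected PPPoE client beats the default route), here is a small Python model of that selection logic. It is an added illustration, not RouterOS code and not from this thread's participants; it reuses the addresses from the export, and the interface names pppoe-client-a / pppoe-client-b are made-up placeholders. It reproduces the asymmetry from the original single rule (B->A leaves via WAN2 while A->B goes direct), the corrected rule set, and what happens to subnet B traffic when WAN2 is down under the two actions.

```python
# Toy model of RouterOS route selection as described in this thread (added
# example, not RouterOS code). Behaviour modelled:
#   * /ip route rule rows are evaluated top to bottom, first match wins;
#   * within a routing table the longest matching prefix wins (lower distance
#     breaks ties), so a dynamic /32 for a connected PPPoE client beats 0.0.0.0/0;
#   * action=lookup falls back to table "main" when the chosen table has no route,
#     action=lookup-only-in-table does not (the packet is dropped instead).
# Addresses come from the thread's export; interface names are made-up placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    dst: str                 # destination prefix
    gateway: str             # next hop, or the interface of a connected route
    distance: int = 1
    table: str = "main"      # routing-mark; "main" means no mark
    active: bool = True


@dataclass
class Rule:
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    action: str = "lookup"   # "lookup" or "lookup-only-in-table"
    table: str = "main"


def best_route(routes: List[Route], dst: str, table: str) -> Optional[Route]:
    """Longest-prefix match within one routing table; lower distance wins ties."""
    d = ip_address(dst)
    cands = [r for r in routes
             if r.table == table and r.active and d in ip_network(r.dst)]
    if not cands:
        return None
    return max(cands, key=lambda r: (ip_network(r.dst).prefixlen, -r.distance))


def next_hop(rules: List[Rule], routes: List[Route], src: str, dst: str) -> Optional[str]:
    """Gateway or interface a packet src->dst leaves through; None means dropped."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:                       # top to bottom, first match wins
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            r = best_route(routes, dst, rule.table)
            if r is not None:
                return r.gateway
            if rule.action == "lookup-only-in-table":
                return None                  # no fallback to main
            break                            # plain lookup: fall back to main
    r = best_route(routes, dst, "main")
    return r.gateway if r else None


def thread_routes(wan2_up: bool = True) -> List[Route]:
    """The two static defaults from the export plus the dynamic connected /32s
    RouterOS adds (distance=0) for the two PPPoE clients of the example."""
    return [
        Route("0.0.0.0/0", "192.168.10.1"),                                   # WAN1, main
        Route("0.0.0.0/0", "192.168.1.1", table="SECONDARY", active=wan2_up),  # WAN2
        Route("84.54.54.6/32", "pppoe-client-a", distance=0),                # dynamic, main
        Route("84.54.55.96/32", "pppoe-client-b", distance=0),               # dynamic, main
    ]


# The original single rule: everything sourced from 84.54.55.0/24 uses SECONDARY.
ORIGINAL_RULES = [Rule(src="84.54.55.0/24", table="SECONDARY")]

# The corrected rule set: both public /24s are looked up in main first.
FIXED_RULES = [
    Rule(dst="84.54.54.0/24", table="main"),
    Rule(dst="84.54.55.0/24", table="main"),
    Rule(src="84.54.55.0/24", action="lookup-only-in-table", table="SECONDARY"),
]


if __name__ == "__main__":
    a, b, ext = "84.54.54.6", "84.54.55.96", "8.8.8.8"
    print("original, B->A:", next_hop(ORIGINAL_RULES, thread_routes(), b, a))    # 192.168.1.1
    print("original, A->B:", next_hop(ORIGINAL_RULES, thread_routes(), a, b))    # pppoe-client-b
    print("fixed,    B->A:", next_hop(FIXED_RULES, thread_routes(), b, a))       # pppoe-client-a
    print("fixed,    B->ext:", next_hop(FIXED_RULES, thread_routes(), b, ext))   # 192.168.1.1
    print("fixed, WAN2 down, B->ext:", next_hop(FIXED_RULES, thread_routes(False), b, ext))  # None
```

Running it shows why only one direction broke: with the original rule, a packet from 84.54.55.96 to 84.54.54.6 is sent to WAN2's gateway, while the reverse direction finds the connected /32 in main and is delivered directly. With the corrected rules both directions pick the connected /32, subnet B's internet traffic still leaves via WAN2, and when WAN2 is down lookup-only-in-table drops that traffic instead of silently moving it to WAN1, which is what the plain lookup action would do.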

[quote=Normanj post_id=787611 time=1587523665 user_id=161941]
Thanks, Sindy, but how about the case with multiple subnets that must reach each other? They can’t ping or connect to each subnet on my MikroTik. Please help, thanks in advance.
[/quote]
@Normanj, unless you are an alter ego of @planetamurciano who’s forgotten his password, please create a dedicated topic and edit your previous post with a link to it. And put the configuration export to that topic straight away, from the description it is unclear what your actual issue is.

@sindy, it works perfectly.

Thank you! Thank you! Thank you!

:smiley: