zipero
March 22, 2020, 3:43pm
Hi everyone,
Maybe someone will be able to help me. I have bought a MikroTik board for home use to have 2 WANs load-balanced to one LAN (bridge). I’ve done the configuration and it’s as below (I did hide some sensitive info — one of my IP addresses). It’s not working for me, though. I’ve based it on: https://wiki.mikrotik.com/wiki/Manual:PCC
The short description of what I have is:
ISP1 switch <=> MT ETH port 1 (enterpol), gateway=1xx.1xx.16.110
ISP2 modem/router <=> MT ETH port 2 (upc), gateway=192.168.2.2
I assume that outgoing load will be balanced and failover will work (cable unplugged, etc.).
The below config does not seem to work for me; what am I doing wrong? Please help. From wlan1 I can ping the ISP2 router 192.168.2.2, but beyond that the connection does not seem to work (no web pages, no response from ping 8.8.8.8). I did unplug the ISP1 cable for now, as it is currently used by someone.
[admin@MikroTik] > export hide-sensitive
# mar/22/2020 12:19:09 by RouterOS 6.43.16
# software id = YQ1Q-VX55
#
# model = RBD52G-5HacD2HnD
# serial number = BEEB0983D467
# NOTE(review): "export hide-sensitive" masks keys and passwords only; the bridge
# MAC and serial number below are printed in clear, and the public address was
# masked by hand as 1xx.1xx.16.x.
/interface bridge
add admin-mac=B8:69:F4:67:B0:2E auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1/ether2 are renamed to the ISP names used in the rest of this export.
set [ find default-name=ether1 ] name=enterpol
set [ find default-name=ether2 ] name=upc
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA1 (wpa-psk) and TKIP are enabled alongside WPA2/AES-CCM; both are
# deprecated. authentication-types=wpa2-psk with aes-ccm as the only unicast
# and group cipher is the usual hardening step.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity="" unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=profile1 ssid=MikroTik-67B032 wireless-protocol=\
802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=profile1 ssid=MikroTik-67B033 \
wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.150
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=enterpol list=WAN
add interface=upc list=WAN
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
# The two WAN addresses below are this router's own addresses; the same two
# values reappear as gateway= in /ip route further down, where the upstream
# next hop is expected instead.
add address=192.168.2.2/24 interface=upc network=192.168.2.0
add address=1xx.1xx.16.110/20 interface=enterpol network=1xx.1xx.16.0
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who reaches
# its input chain; the "drop all not coming from LAN" filter rule below is what
# keeps that off the WAN side, so keep the two in step.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# router.lan resolves to 192.168.2.2, the address this router holds on upc.
add address=192.168.2.2 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Terminal drop for every input packet not arriving via the LAN list; any input
# rule placed after this one only ever sees LAN-sourced traffic.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Fasttracked connections bypass the rest of the firewall (mangle included),
# so the connection/routing marks below are not applied to their later packets.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Unsolicited WAN traffic is dropped unless a dst-nat rule claimed it; no
# dst-nat rules exist in this export, so nothing inbound is exposed here.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# LAN traffic to either ISP's own subnet is accepted unmarked, so it follows
# the main routing table instead of being pinned to one WAN.
add action=accept chain=prerouting dst-address=1xx.1xx.16.0/20 in-interface=bridge
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=bridge
# Connections arriving from a WAN are marked by that WAN so replies leave the
# same way.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=enterpol new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=upc new-connection-mark=ISP2_conn
# PCC: new LAN connections to non-local destinations are hashed into two
# buckets (both-addresses:2/0 and 2/1) and assigned to ISP1 / ISP2.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:2/1
# Connection marks are turned into routing marks; chain=output covers traffic
# originated by the router itself.
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=bridge new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=bridge new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=enterpol
add action=masquerade chain=srcnat out-interface=upc
/ip route
# gateway= must be the upstream next hop. 192.168.2.2 and 1xx.1xx.16.110 are
# the addresses assigned to this router's own upc/enterpol interfaces in
# /ip address above, so check-gateway=ping is pinging the router itself rather
# than the ISP (the 1xx.1xx.16.110 case assumes the hand-masking is consistent).
add check-gateway=ping distance=1 gateway=1xx.1xx.16.110 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.2.2 routing-mark=to_ISP2
# Unmarked traffic prefers enterpol (distance=1) and falls back to upc (distance=2).
add check-gateway=ping distance=1 gateway=1xx.1xx.16.110
add check-gateway=ping distance=2 gateway=192.168.2.2
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
# NOTE(review): the export ends on this section header with no "set" line
# after it, so the paste appears to be truncated here.
/tool mac-server mac-winbox
You need to set the RP filter mode to “loose” in IP → Settings.
I do not see anything wrong with your configuration…
Did you clear the firewall connection table, or just reboot your router?
Personally, I never had to change the RP-filter option for any of my mangle configurations…
zipero
March 29, 2020, 12:37pm
Thank you for your help. I did restart the router a few times during the setup process, but it seems that I still can’t figure it out. I changed the suggested rp-filter:
/ip settings
# Loose reverse-path filtering: a packet is accepted if its source is reachable
# via any interface, not only the one it arrived on. Relevant with two WANs,
# where the route table may pick a different egress than the ingress interface.
set rp-filter=loose
But unfortunately this did not work. I plugged in the second cable and, from a PC connected to the LAN, pinged the other gateway, the one on enterpol (1xx.1xx.16.1), and the ping worked. I was able to ping 192.168.2.1 at the same moment. But at the same time, ping to 8.8.8.8 is just unreachable, as if it only allows traffic one hop above the router, or there is some other issue. Windows seems to get the proper info from the router via WLAN:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . : A4-4E-31-09-09-A0
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.150(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
Any other suggestions? I’m still stuck on this.
Yes, I was almost sure the rp-filter wouldn’t help…
I checked your config again and I don’t find anything wrong…
In your interface lists LAN and WAN, have you added your bridge to the LAN interface list, and your ether1 and ether2 to the WAN interface list?
If not, please add them…
Sob
March 29, 2020, 6:56pm
Disable the fasttrack rule; it doesn’t go well with mangling. But I don’t think it should completely break everything.
I would be surprised if that was a fasttrack problem…
zipero
March 31, 2020, 10:01am
Hi,
I disabled the fasttrack rule in the firewall, but this did not improve the situation. I’m wondering about a few things:
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who reaches
# its input chain; it relies on the input-chain filter rules to keep WAN
# sources out, otherwise this becomes an open resolver.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# router.lan resolves to 192.168.2.2, the address this router itself holds on
# its second WAN interface in /ip address.
add address=192.168.2.2 name=router.lan
The whole /ip dns static entry must have come from my router connected to ether2 (called upc); this probably does not break anything. As for the interface lists, both ether1 (aka enterpol) and ether2 (aka upc) are on the WAN list.
If I have an export of the config and want to clear the router of all unnecessary configuration that might be there somewhere and might be affecting the router, but without going back to defconf, what is the best way to do it? Or is that not recommended, and is defconf always a good starting point?
Thank you all for your help.
Best Regards
If you cannot even ping 8.8.8.8, as you state in your first post, this has nothing to do with the DNS configuration…
Can you please disable ALL your firewall rules and try again? Or you can simply add your WAN interfaces to the WAN interface list, as I suggested earlier…
Also, have you tried both your ISPs separately, not connected to the MikroTik, to see if you can reach the Internet?
zipero
April 1, 2020, 2:38pm
Good news everyone (I wonder if you read this in Professor Farnsworth’s voice). I did get a little progress, or actually big progress. I was testing the setup mainly on the wan2 interface, because I could not use wan1 as it was used by other householders. I did have a chance to connect both at once, and it works, but barely. The reason why it didn’t work at all in the first place, or along the way, was that MikroTik doesn’t seem to be able to recognize that gateway 192.168.2.2, which is connected to wan2, is reachable — when clearly PING to that address was always working (from any PC connected to the bridge). Another thing is that my connection is now spotty, or at least that’s what I guess MikroTik does here, because it’s removing the reachable wan1 gateway 1xx.1xx.16.1 from the route list every 16 seconds (yes, I was sitting with my phone timing the interval at 16 seconds like a dummy). Screenshot attached as well. So, any suggestions why? Both ISP connections are stable, and if I connect to them directly they work spot on.
This is the current setup:
[admin@MikroTik] > export hide-sensitive
# apr/01/2020 16:08:03 by RouterOS 6.43.16
# software id = YQ1Q-VX55
#
# model = RBD52G-5HacD2HnD
# serial number = BEEB0983D467
# NOTE(review): "export hide-sensitive" masks keys and passwords only; the MAC
# addresses, serial number and DHCP lease MACs below are printed in clear, and
# the public address was masked by hand as 1xx.1xx.16.x.
/interface bridge
add admin-mac=B8:69:F4:67:B0:2E auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 now carries an explicit mac-address; presumably cloned to satisfy an
# ISP1 MAC binding — confirm against the ISP1 setup.
set [ find default-name=ether1 ] mac-address=64:70:02:67:53:F3 name=wan1
set [ find default-name=ether2 ] name=wan2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Both profiles allow WPA1 (wpa-psk) and TKIP alongside WPA2/AES-CCM; both are
# deprecated. wpa2-psk with aes-ccm as the only cipher is the usual hardening.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
management-protection=allowed mode=dynamic-keys name=profile24 supplicant-identity=\
"" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
management-protection=allowed mode=dynamic-keys name=profile5 supplicant-identity="" \
unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no \
distance=indoors frequency=auto mode=ap-bridge security-profile=profile24 ssid=\
Z-Network24 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=profile5 \
ssid=Z-Network5 wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.150
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=3h name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# Loose reverse-path filtering: a packet is accepted if its source is reachable
# via any interface, not only the one it arrived on. Relevant with two WANs,
# where the route table may pick a different egress than the ingress interface.
set rp-filter=loose
/interface list member
add interface=bridge list=LAN
add interface=wan1 list=WAN
add interface=wan2 list=WAN
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
# These are this router's own WAN addresses; both values reappear as gateway=
# in /ip route below, where the upstream next hop is expected instead.
add address=192.168.2.2/24 interface=wan2 network=192.168.2.0
add address=1xx.1xx.16.110/20 interface=wan1 network=1xx.1xx.16.0
/ip dhcp-client
# wan1 has two dhcp-client entries (this one and the last one) on top of the
# static address above. This first entry does not set add-default-route=no
# (RouterOS defaults it to yes), so a lease on wan1 can inject a default route
# that competes with the static routes below. The duplicate should be removed.
add dhcp-options=hostname,clientid disabled=no interface=wan1
add add-default-route=no dhcp-options=hostname,clientid interface=wan2
add add-default-route=no dhcp-options=hostname,clientid interface=wan1
/ip dhcp-server lease
add address=192.168.0.10 allow-dual-stack-queue=no mac-address=E0:D5:5E:95:07:AD
add address=192.168.0.11 allow-dual-stack-queue=no mac-address=00:11:32:6F:26:44
add address=192.168.0.2 allow-dual-stack-queue=no mac-address=A8:5E:45:17:8E:32
add address=192.168.0.55 allow-dual-stack-queue=no mac-address=00:25:B3:EC:71:4E
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who reaches
# its input chain; the "drop all not coming from LAN" filter rule below is what
# keeps that off the WAN side, so keep the two in step.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# router.lan resolves to 192.168.2.2, the address this router holds on wan2.
add address=192.168.2.2 name=router.lan
/ip firewall address-list
# admin-access covers the whole bridge subnet, i.e. every LAN host, not only
# administrative machines.
add address=192.168.0.0/24 list=admin-access
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Terminal drop for input not arriving via the LAN list; the two input rules at
# the end of this chain therefore only ever see LAN-sourced packets.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
out,ipsec
# The defconf fasttrack rule is no longer present in this export.
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Unsolicited WAN traffic is dropped unless a dst-nat rule claimed it; this is
# what lets the port forwards in /ip firewall nat through.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Rule order: WAN input was already dropped above, and this accept matches the
# entire 192.168.0.0/24 LAN, so the port-drop rule after it can only match
# LAN-side packets whose source is outside 192.168.0.0/24. If the intent is to
# block management ports for LAN hosts, the drop has to come first, or
# admin-access has to be narrowed to the actual admin hosts.
add action=accept chain=input src-address-list=admin-access
add action=drop chain=input dst-port=21,22,23,80,443,8921 protocol=tcp
/ip firewall mangle
# LAN traffic to either ISP's own subnet is accepted unmarked, so it follows
# the main routing table instead of being pinned to one WAN.
add action=accept chain=prerouting dst-address=1xx.1xx.16.0/20 in-interface=bridge
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=bridge
# Connections arriving from a WAN are marked by that WAN so replies leave the
# same way.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wan1 \
new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wan2 \
new-connection-mark=ISP2_conn
# PCC: new LAN connections to non-local destinations are hashed into two
# buckets (both-addresses:2/0 and 2/1) and assigned to ISP1 / ISP2.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=\
!local in-interface=bridge new-connection-mark=ISP1_conn per-connection-classifier=\
both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=\
!local in-interface=bridge new-connection-mark=ISP2_conn per-connection-classifier=\
both-addresses:2/1
# Connection marks are turned into routing marks; chain=output covers traffic
# originated by the router itself.
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=bridge \
new-routing-mark=to_ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=bridge \
new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan1
add action=masquerade chain=srcnat out-interface=wan2
# Port forwards reachable from any Internet source via the ISP1 address:
# 1234 -> 192.168.0.11:22 (presumably SSH), 777 -> 192.168.0.11:777 and
# 9500 -> 192.168.0.10:5900 (presumably VNC). No src-address restriction is
# applied; limiting them to a src-address-list of known remote addresses, or
# reaching these hosts over a VPN instead, reduces the exposed surface.
add action=dst-nat chain=dstnat dst-address=1xx.1xx.16.110 dst-port=1234 protocol=tcp \
to-addresses=192.168.0.11 to-ports=22
add action=dst-nat chain=dstnat dst-address=1xx.1xx.16.110 dst-port=777 protocol=tcp \
to-addresses=192.168.0.11 to-ports=777
add action=dst-nat chain=dstnat dst-address=1xx.1xx.16.110 dst-port=9500 protocol=tcp \
to-addresses=192.168.0.10 to-ports=5900
/ip route
# gateway= must be the upstream next hop. 192.168.2.2 and 1xx.1xx.16.110 are
# the addresses assigned to this router's own wan2/wan1 interfaces in
# /ip address above, so check-gateway=ping is pinging the router itself rather
# than the ISP (the 1xx.1xx.16.110 case assumes the hand-masking is consistent).
# Elsewhere in the thread the real upstream addresses are given as 192.168.2.1
# and 1xx.1xx.16.1.
add check-gateway=ping distance=1 gateway=1xx.1xx.16.110 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=192.168.2.2 routing-mark=to_ISP2
# Unmarked traffic prefers wan1 (distance=1) and falls back to wan2 (distance=3).
add check-gateway=ping distance=1 gateway=1xx.1xx.16.110
add check-gateway=ping distance=3 gateway=192.168.2.2
/ip service
# Clear-text and unused management services are disabled. www and winbox are
# not listed, so their state is not visible in this export.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system leds settings
set all-leds-off=after-1h
/tool bandwidth-server
# The bandwidth-test server is disabled, removing a service that can be abused
# to generate traffic against or through the router.
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Sob
April 1, 2020, 3:07pm
Now I see it. When you want to use 192.168.2.2 as the gateway (on the upstream router), it’s not the best idea to assign the same address to this router.
zipero
April 2, 2020, 7:58am
The wan2 interface has the 192.168.2.2 address, the gateway for that address is 192.168.2.1, and the bridge (LAN) network is 192.168.0.0/24. Is this causing the problem?
You use 192.168.2.2 as the gateway; that is wrong… This address is assigned to your Wlan interface…
You must use the address 192.168.2.1 (or whatever it is) as the gateway…
zipero
April 3, 2020, 4:36pm
Yes, that was it. Thank you for the help; the topic can be closed, if we do such things on this forum.