Use two WANs at same time (not Load Balancer)

Hi again :slight_smile:

I have one LAN with some services (mumble server, web server and some other stuff), two ISPs (grouped in interface list WAN) and DNS round-robin (provided by FreeDNS, with offline support).

For example mumble.example.com points to ISP1.PUBLIC.IP and ISP2.PUBLIC.IP, with their NAT rules:

chain=dstnat action=dst-nat to-addresses=10.0.0.60 to-ports=64738 protocol=tcp in-interface-list=WAN dst-port=64738 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=10.0.0.60 to-ports=64738 protocol=udp in-interface-list=WAN dst-port=64738 log=no log-prefix=""

Mikrotik accepts incoming connections on both ISPs, but all established traffic flows across ISP2.
I saw a few posts on this forum and tried some settings, but nothing works for me. The problem is my lack of proper knowledge about this, but I didn’t find friendly documentation.

At the moment Firewall Mangle and Route Rules are empty. Routes are managed by scripts running on their DHCP clients and Netwatch:

What do I want to achieve?

  1. Traffic from LAN to WAN follows the default gateways’ distance [it’s working and acts like failover]
  2. Connections coming in from ISP1 must be answered via ISP1, and those from ISP2 via ISP2.
  3. Based on ISP availability, redirect established connections to a working connection (I think this can be achieved by enabling/disabling rules filtered by comment).

Thanks :slight_smile:

See whether your specific case is covered among the many methods available here:
https://wiki.mikrotik.com/wiki/Load_Balancing
You say it’s not LB, but it’s still a kind of LB.

I made several tests without success. I want to ask you if these masquerade rules have the same result.

> interface list member print
Flags: X - disabled, D - dynamic 
 #   LIST                                                               INTERFACE                                                             
 0   LAN                                                                bridge                                                                
 1   WAN                                                                wan1                                                                  
 2   WAN                                                                wan2
 
> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""

VS

> ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=wan1 log=no log-prefix=""
 1    chain=srcnat action=masquerade out-interface=wan2 log=no log-prefix=""

Thanks!

You should know it’s not possible to use two default routes simultaneously without marking packets.

Read https://wiki.mikrotik.com/wiki/Manual:PCC

Thanks dmitris. I didn’t ask about marking packets or routes. I want to know if these rules are equivalent or generate different behaviour.

I’m trying to do the same.
I have tried marking all packets from a single device IP on the LAN and using Routing. But this still does not work.
Any ideas?

I only want one device to pass through WAN2 while all other traffic goes through WAN1.

Ok. Got it.

ISP1 is ADSL
ISP2 is LTE

I’ve got the unique device MAC marked and placed into an address list DeviceToISP2 (done in MANGLE).

Firewall
For now, I’ve put a block all INPUT chain from LTE1

Mangle - Untick Passthrough except for where mentioned
PREROUTING - In interface=LTE1, Action=Mark Connection, New Connection Mark=ISP2_CONN
PREROUTING - In interface=Bridge1 (this is your LAN connection), Source Address List= DeviceToISP2, Action=Mark Connection, New Connection Mark=ISP2_CONN, PASSTHROUGH=yes
PREROUTING - Connection Mark= ISP2_CONN, Action=Mark Routing, New Routing Mark=to_ISP2, PASSTHROUGH=yes
OUTPUT - Connection Mark=ISP2_CONN, Action=Mark Routing, New Routing Mark=to_ISP2, PASSTHROUGH=yes

Route List
Dest= 0.0.0.0/0, Gateway=192.168.42.129 (the IP of the LTE modem; I know the address is odd), Check Gateway= ping, Distance=1, Routing mark=to_ISP2

NAT
Chain=Src NAT, Out Interface=LTE1, Connection Mark = ISP2_CONN, Action= Masquerade


Logically I find this odd.
From LAN, the connection is detected and marked, then passed through until OUTPUT. It then picks up the routing mark.
From LTE, the connection is detected and marked and then the routing mark is set. OUTPUT then detects any inbound connections and marks the routes.

I think these rules need re-ordering and possibly removing one. Will have a play.

I think NAT can remove the conn mark too.

I’ll try and clean this up.

I don’t understand the 2nd and 3rd Prerouting rules… If I untick PASSTHROUGH on the 2nd, or I move the 3rd up to position 2, then the connection fails.

I have removed the Connection Mark from the NAT and all is ok. But the problem above is still apparent.
NAT
Chain=Src NAT, Out Interface=LTE1, Action= Masquerade
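A complete RouterOS v6 version of what the original question asks for (reply through the ISP a connection came in on, while LAN-originated traffic keeps following default-route distance), with the single-device-to-ISP2 variant from the post above folded in. This is an added example, not a config from either poster; it assumes interfaces wan1/wan2 in list WAN, the bridge in list LAN, and the gateway addresses 198.51.100.1 (ISP1) and 203.0.113.1 (ISP2) as placeholders. RouterOS v7 replaces routing-mark with routing-table and needs /routing table entries.

```routeros
# Added example (not from the original thread). RouterOS v6 syntax; gateway
# addresses and interface names are placeholders for the reader's own setup.
/ip firewall mangle
# 1. Remember which WAN a new inbound connection arrived on. Mangle prerouting
#    runs before dst-nat, so in-interface is still the real WAN interface.
add chain=prerouting in-interface=wan1 connection-state=new \
    action=mark-connection new-connection-mark=ISP1_CONN passthrough=yes
add chain=prerouting in-interface=wan2 connection-state=new \
    action=mark-connection new-connection-mark=ISP2_CONN passthrough=yes
# 1b. Variant from the post above: one LAN host (address list DeviceToISP2)
#     always goes out through ISP2. Must sit before the routing-mark rules.
add chain=prerouting in-interface-list=LAN src-address-list=DeviceToISP2 \
    connection-state=new action=mark-connection new-connection-mark=ISP2_CONN passthrough=yes
# 2. Reply packets from the LAN host carry the connection mark; turn it into a
#    routing mark so they leave via the ISP the connection belongs to.
add chain=prerouting in-interface-list=LAN connection-mark=ISP1_CONN \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=ISP2_CONN \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no
# 3. Same for traffic the router itself generates (replies to its own services).
add chain=output connection-mark=ISP1_CONN \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=output connection-mark=ISP2_CONN \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no

/ip route
# Per-ISP tables used only by marked traffic. If an ISP fails check-gateway its
# marked route goes inactive and the lookup falls back to the main table.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_ISP2 check-gateway=ping
# Main table: unmarked LAN traffic uses ISP1 and fails over to ISP2 by distance.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=2 check-gateway=ping

/ip firewall nat
# One masquerade rule per WAN list is enough; the source address is chosen
# from whichever interface the routing decision above picked.
add chain=srcnat action=masquerade out-interface-list=WAN

/ip firewall filter
# Fasttracked packets skip mangle, so exclude marked connections from fasttrack
# (or drop the fasttrack rule entirely) or the routing marks never apply.
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=no-mark
```

Check the result with /ip firewall connection print (the connection-mark column) and /ip route print where=routing-mark=to_ISP1 while a client connects to each public IP in turn.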

I guess it is related with fasttrack, but I can’t confirm at this moment :frowning:

Mangle does not work with Fasttrack!
Need to disable fast track!

It would not hurt for MT code to remind the user by making fasttrack red in WinBox or adding a log entry, so that this gotcha is a thing of the past, or simply turn fasttrack off if mangle is applied.

I do not have any fast-track firewall rules.
I don’t think fast-track is enabled. I looked in IP\Settings and Fast Path is unchecked (I think that is something entirely different though). I do have route cache enabled though; I don’t know what that does?

I use simple queues and remember there was a setting somewhere once.

My understanding of PASSTHROUGH is that the chain is completely bypassed when it is ticked (after the rule is executed). In my case I thought that I wanted the subsequent rules (to route mark) to execute, so in theory I want Passthrough un-ticked. However, the behaviour is the opposite???