Hi, my scenario is to route all the VPN traffic over WAN1, which has a public IP, and all the other traffic, like WiFi clients, over WAN2, which doesn't have a public IP. What's the best way to do that?
I’m not seeing that you need to do anything more clever than set the default route to WAN2. That sends local traffic out that direction, but inbound VPN traffic comes in on the public IP bound to WAN1, which means the outbound replies go back out the same direction.
What am I missing that makes this difficult?
WAN1 with the public IP has a PPPoE client.
WAN2 is LTE from another router and has ether2 as its interface.
So when I give the default route on LTE, WAN1 didn't work and the cloud service gets its IP from LTE... Can you explain more please... sorry.
I think the part I was missing is the direction of the VPN tunnel establishment. You did not state that, and so I presumed that you were allowing an external network to connect into your VPN server via that public IP you speak of, in which case you get the behavior I predicted.
It sounds like the VPN connection is being made out from this RouterOS device instead, and you’re wanting it to go out WAN1 instead of WAN2. Is that correct?
If that’s the case, you simply need to add routes toward your external VPN provider to direct the internal traffic out the desired interface:
/ip route
add dst-address=203.0.113.0/24 gateway=ether1
I’m using TEST-NET-3 addressing here as an example. You’d put actual public IPs into that place instead.
Personally, I’d invert it as I initially said: allow the external network to connect into your VPN server’s public IP, allowing the default routing to do its job without any extra help. For that, all you need to do is allow the VPN server access through the firewall. For Wireguard, it would be something like:
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
I will explain.
I have an SSTP server on MikroTik.
My IP is public, so I use the cloud service (DDNS), so I can't put any IP anywhere.
Now what I want to do is route this VPN over WAN1
and all other traffic (LAN) via WAN2. Explain more.
Only LAN/WLAN over WAN2,
all others over WAN1.
There are a vast number of “cloud services,” which is why I did not dare presume your meaning before, but I am now willing to dare a guess that you mean RouterOS’s Cloud feature.
If that’s the case, you simply modify the route command I gave you before to direct packets to the documented cloud2.mikrotik.com address:
/ip route
add dst-address=159.148.172.251/32 gateway=ether1
/ipv6 route
add dst-address=2a02:610:7501:4000::251 gateway=ether1
Those two addresses were retrieved by a simple DNS lookup. If they ever change, you will need to repeat that and update these two static routes.
(It’s too bad you can’t give a domain name here and have it do the DNS lookup for you, allowing you to fix up after a change with a simple reboot, but alas…)
ether1 === WAN1, ISP with public IP
ether2 === WAN2, LTE with NATed IP
ether3 === LAN
Inside the router the SSTP server is enabled.
Dial out with the DDNS cloud MikroTik name xxxxxxxxxx.mynetname.net.
I have a DHCP client with the default route only on WAN2, which is the WAN that I want to use on LAN/WLAN.
route 0.0.0.0/0 gw ether1
route 0.0.0.0/0 gw ether2
If I don't type the ether2 route nothing happens... I have internet but none of the VPN clients connect to the router...
When I have both routes enabled with distance 1, some of the VPN clients connect, some don't, but I have internet OK.
I can't understand what needs to be done at all...
Is there no way to say that ether3, aka LAN, should route through WAN2 with a routing mark maybe... and everything else routing-marked through WAN1???
Post current config:
/export file=anynameyouwish (minus router serial number, any public WAN IP, keys etc.)
I found a solution with:
add in the routing table an extra entry named lte
add a mangle rule, prerouting, source addresses all the LAN, and mark routing to ether2 (lte)
after that I add route 0.0.0.0/0 on ether2 in routing table lte
After these the VPN goes from the other WAN.
I don't know if it is the correct way but it works for now; I await your opinion.
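The policy-routing setup described in the last post, written out as a complete RouterOS v7 configuration. This is an added example, not config from the thread or from MikroTik; the interface names, the LAN subnet 192.168.88.0/24, the SSTP client pool 192.168.89.0/24, the LTE router address 192.168.100.1 and the PPPoE interface name pppoe-out1 are all assumptions and have to be replaced with the real values. It adds two things the post does not mention: the LTE DHCP client must stop installing its own default route into the main table (that was the cause of the "some clients connect, some don't" symptom, since two distance-1 default routes were competing), and the mangle rule must not mark LAN traffic that is destined for the router itself or for the VPN client pool, otherwise LAN-to-VPN traffic would be pushed out the LTE side.

```routeros
# Added example (not from the thread): LAN/WLAN out WAN2 (LTE on ether2),
# everything else, including the SSTP server and the Cloud/DDNS update,
# out WAN1 (PPPoE). All names and addresses below are assumed.

# 1. The LTE DHCP client must not add a default route to the main table;
#    the LTE default route lives only in the "lte" table (step 4).
/ip dhcp-client set [find interface=ether2] add-default-route=no

# 2. A separate routing table for the LTE path (v7 syntax).
/routing table add name=lte fib

# 3. Main table: single default route via WAN1. Router-originated traffic
#    (SSTP server replies, cloud DDNS update, DNS) follows this table.
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1

# 4. LTE table: default route via the upstream LTE router (assumed address).
/ip route add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-table=lte distance=1

# 5. Local networks that must never be sent out the LTE side.
/ip firewall address-list add list=local-nets address=192.168.88.0/24 comment="LAN (assumed)"
/ip firewall address-list add list=local-nets address=192.168.89.0/24 comment="SSTP client pool (assumed)"

# 6. Mark only transit traffic that enters on the LAN port and leaves for the
#    internet. dst-address-type=!local keeps traffic to the router itself in
#    the main table; dst-address-list=!local-nets keeps LAN-to-VPN and
#    LAN-to-LAN traffic there too. VPN clients (sstp-in interfaces) are not
#    matched, so they keep using WAN1.
/ip firewall mangle add chain=prerouting in-interface=ether3 src-address=192.168.88.0/24 dst-address-type=!local dst-address-list=!local-nets action=mark-routing new-routing-mark=lte passthrough=no

# 7. Source NAT per egress interface so each path leaves with its own address.
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade

# 8. Accept the SSTP server port (TCP/443) only on the public WAN. The LTE
#    side is behind NAT and cannot receive inbound connections anyway.
/ip firewall filter add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=443 action=accept comment="SSTP server"
```

To verify the split, `/ip route print detail` should show exactly one 0.0.0.0/0 in the main table (via pppoe-out1) and one in table lte (via the LTE router); `/ip firewall mangle print stats` should show the mark-routing counter increasing for LAN browsing but not when a LAN host talks to an SSTP client. If the PPPoE session is named differently, `/interface print` gives the real name to use in place of pppoe-out1.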