Hi guys,
I am a newbie to Mikrotik stuff; recently I made a dual balancing setting based on information from the internet and it works OK.
I have recently decided to add a 3rd WAN interface only for backup purposes – no need to add it into the current load balancing config. I just wanted to be able to connect it via the wlan1 interface – I mean the WAN3 port, and assign its traffic to the wlan1 interface – so that when I connect to WiFi, only WAN3 traffic is used. It would be good to have access to the other WAN interfaces for monitoring purposes…
Honestly, I tried several settings to do that but it did not work in the end – so I had to restore my previous settings… Any hint would be appreciated; I could also add my current config if it helps.
Thanks a lot for your feedback!
I’ve tried to add a vlan for WAN3 and the wlan1 interface – it looks like it’s working; however, I’d like to be able to have management access from both bridges. I probably need to create additional mangle rules, but I am struggling.
But you might suggest a “more clever” solution, so I am adding my current config below.
Thanks for any suggestions.
It would help to know what you mean by management.
Adding a third WAN is easy; only allowing WLAN1 to access WAN3 is easy.
It’s the unclear messaging on management that is messy.
Does the WAN ISP come in on a vlan tag?
If not, then don’t assign a vlan to the WAN traffic; add the vlan tag to the WLAN traffic.
You use a bridgevlan10 later on in the config (which you should remove, by the way) but also fail to define it at the start!
I am of two minds, I prefer all vlans one bridge like this.
Assign the WLAN to the bridge port
Assign the vlan10 to the bridge as its parent interface.
Assign a vlan for the rest of the bridge
Vlan20 parent interface is bridge.
Vlan10 and Vlan20 ip address, dhcp pool, dhcp server, dhcp-server-network
Vlan 20 takes over from your bridge settings already in place so the bridge only does bridging.
However if there are NOT multiple vlans going over any single port your approach is fine.
Bridge for all ports except WLAN1 which is associated with the vlan
So just change the parent interface of the VLAN10 to WLAN1 and not WAN1!
You still need an IP address, IP pool, dhcp-server and dhcp-server network for vlan10.
REMOVE vlan10 from the bridge port settings.
Remove the made-up bridgevlan10 bridge you created at bridge-port time; it is not defined at the top, and you don’t need another bridge anyway.
Your masquerade rule should state out-interface=WAN3, not the vlan.
I don’t see an IP route for WAN3??
GET RID OF ALL MANGLE RULES for WAN3, you don’t need them.
For IP Routes, to ensure WLAN1 uses WAN3 is easy.
create a standard routing (main table entry for WAN3)
then create a second entry a copy of the first one but with the entry of Routing Mark: wan3wifi
Then go to Routing Rules and
you can input source address 192.168.3.0/24 (whatever the subnet is for wlan1)
OR interface vlan10 your choice either or…
Then go to ACTION: and enter lookup only in table.
Then for TABLE enter wan3wifi.
In this regard wlan1 users will be directed to use WAN3 all the time.
If WAN3 is not available then they will not have internet access, but you didn’t make it clear what happens if WAN3 is not available.
Appreciate your feedback!
Honestly, I got confused myself, as meanwhile I did some adjustments and when I tried to restore my last “working” config, one of my connected routers stopped responding…
However, the below is my last working config, from which I started to apply the desired settings I mentioned in the beginning – to separate WAN3.
So can you please navigate me from here to use WAN3 via wlan1?
Will it work without creating VLANs and using IP routes only…?
BTW, by “management” access I mean being able to access the gateway IP no matter which interface I use…
As stated
create a vlan and attach to whatever wlanX you want to use for WAN3
ensure
a. you remove wlanX from the bridge if it’s currently attached; if wlanX is a new wlan, no worries
b. define vlan10 with interface wlanX
c. give vlan10 an IP address, IP pool, dhcp server, dhcp server-network
d. remove any instance of WAN3 in your mangling rules (and it may change your pcc settings 0/3, 1/3, 2/3, 3/3 etc.)
e. Apply the IP route suggestions I made on the previous post.
f. ensure you add vlan10 to the LAN interface as a member.
Decide if wlanX should access any other WANS if WAN3 is not available.
a. NO, then use Action: lookup ONLY in table.
b. YES, then use Action: lookup in table.
The only other thing that you may need to do is modify the forward chain filter rules to prevent WLANX from reaching the bridge subnet via L3.
The easiest way to do this on the default config is simple:
add chain=forward action=drop in-interface=vlan10 out-interface=bridge (1)
and if you also want to block bridge folks from accessing WLANX
add chain=forward action=drop in-interface=bridge out-interface=vlan10 (2)
Note: you can use src-address and dst-address where they describe the subnets instead of using interface designations; both are correct.
You can do both, which means the router checks both the interface and address information to match the packets.
However I recommend changing the default rule by adding a drop all rule at the end of the forward chain.
So Instead of Rule Block (1)
Rule Block (2)
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
One has…
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
a. So the drop all rule covers the two rules one would have to make anyway.
b. The DST nat rule is simplified and only covers allowing port forwarding if desired (you should disable it as you don’t have any need at the moment).
c. The DST nat rule which also blocks WAN to LAN traffic is covered by the block all rule, which also blocks LAN to LAN traffic and LAN to WAN traffic (everything not already allowed). (*)
(*) You should realize that one rule does have to be added since we have a block everything rule, and this rule should go before the block all rule:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="Allow internet traffic"
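Pulling the steps a–f, the routing suggestions and the forward-chain rules above together as one added example (my own script, not the poster's config or anything from the thread): RouterOS v7 CLI, assuming the third ISP sits on an ether port named WAN3 with placeholder gateway 203.0.113.1, the wifi interface is wlan1, the vlan10 subnet is 192.168.3.0/24, and the default LAN/WAN interface lists exist.

```routeros
# Added example, RouterOS v7 syntax. Assumed names: WAN3 (ether port of the 3rd ISP),
# wlan1 (wifi for WAN3 clients), 203.0.113.1 (placeholder WAN3 gateway), 192.168.3.0/24.
# 1. wlan1 must NOT be a bridge port; vlan10 rides on wlan1 instead
/interface vlan
add name=vlan10 vlan-id=10 interface=wlan1
/interface list member
add interface=vlan10 list=LAN comment="input chain already accepts LAN, so wifi can reach the gateway IP"
add interface=WAN3 list=WAN
# 2. L3 for vlan10: address, pool, DHCP server, DHCP network
/ip address
add address=192.168.3.1/24 interface=vlan10
/ip pool
add name=pool-vlan10 ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add name=dhcp-vlan10 interface=vlan10 address-pool=pool-vlan10 disabled=no
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
# 3. NAT out of WAN3 on the physical interface, not the vlan
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN3
# 4. routes: a main-table entry for WAN3 (distance 3 is an assumption that keeps it below the
#    existing WAN1/WAN2 routes), a copy in table wan3wifi, and a rule sending the vlan10 subnet
#    to that table only
/routing table
add name=wan3wifi fib
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=3 check-gateway=ping comment="WAN3 main"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=wan3wifi comment="WAN3 for wifi"
/routing rule
add src-address=192.168.3.0/24 action=lookup-only-in-table table=wan3wifi
# (use action=lookup instead if wifi clients may fall back to the main table when WAN3 is down)
# 5. forward chain: explicit allow list, then drop everything else, which also blocks
#    vlan10<->bridge in both directions without the two per-interface drop rules
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="existing flows"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="Allow internet traffic"
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN disabled=yes comment="allow port forwarding"
add chain=forward action=drop comment="drop all else"
```

If WAN3 gets its address by DHCP client, drop the two static routes and use the DHCP client's default route plus a copy with routing-table=wan3wifi instead; the routing rule stays the same.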