WAN2 cannot communicate with WAN1

I have two WAN (WAN1 and WAN2) and one LAN.
I'll try to describe my scenario:
LAN: 192.168.100.x/24
WAN1: XXX.XXX.XXX.XXX/28
WAN2: YYY.YYY.YYY.YYY/28

For Internet access some PCs (from 192.168.100.1 to 192.168.100.20) use WAN1 → WORKS → IP XXX.XXX.XXX.210
Other PCs (from 192.168.100.21 to 192.168.100.100) use WAN2 → WORKS → IP YYY.YYY.YYY.162
On WAN1 I have some servers with various services.
I configured MANGLE and routes, and the Internet connection works.

Problem
From the servers (192.168.100.1-20), if I try to contact one public IP on WAN2 → PING WORKS
If I make a tracert to YYY.YYY.YYY.YYY, the first step is the gateway of my network (192.168.100.254)

If I do the same operation but from the IPs included in 192.168.100.21-100, I cannot reach the IP on WAN1
If I make a tracert to XXX.XXX.XXX.XXX, the first step is * * * *

Why is the first step not my gateway, and why can't I reach the IP on my WAN1?
Using WAN2 I can reach every IP on the Internet, but I cannot reach my IP on WAN1.

Is there someone who can help me?
Thanks

Sounds more like “LAN IP range can not communicate with WAN1” problem than “WAN 2 to WAN1” communication?

Please post config (routing table etc.), else impossible to check what is wrong.

Yes, correct: the LAN IP range cannot communicate with WAN1.
This is the routes configuration:

 #   FLAGS  DST-ADDRESS          PREF-SRC         GATEWAY          DISTANCE
 0   A S    0.0.0.0/0                             70.144.125.161   1
 1   A S    0.0.0.0/0                             113.139.219.9    1
 2   A S    0.0.0.0/0                             113.139.219.9    1
 3     S    0.0.0.0/0                             70.144.125.161   1
 4   ADC    10.10.2.0/24         10.10.2.254      Port4            0
 5   ADC    70.144.125.160/28    70.144.125.162   Port3            0
 6   ADC    192.168.100.0/24     192.168.100.254  Port2            0
 7   ADC    113.139.195.64/28    113.139.195.66   Port1            0
(flags: A = active, D = dynamic, C = connected, S = static)

Export your NAT configuration…

2 ;;; NAT Masquerade per Mosaico MIS
chain=srcnat action=masquerade src-address=192.168.100.9 log=no log-prefix=""

3 ;;; WAN - NAT Masquerade per INTERNET - ALL CLIENTS → 113.139.219.10
chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=192.168.100.20-192.168.100.100

4 chain=srcnat action=masquerade src-address=192.168.100.13

5 ;;; DMZ Masquerade per INTERNET 113.139.219.13
chain=srcnat action=src-nat to-addresses=113.139.219.13 src-address=10.10.2.1-10.10.2.10 log=no log-prefix=""

You have no masquerade rule for 192.168.100.1-20…

Also, I would make the masquerade rules more strict; I would use source address and out interface at the same time…

I already did that, but it did not fix my problem.
After that, I removed the rule.
[attached screenshot: cmd.exe, tracert www.google.it]
[attached screenshot: cmd.exe (Administrator), tracert 213.149.195.66]

Are you sure that this is the correct public IP ?

It is changed… a little bit… I don't want to make my IP public…
but the concept is the same:
why can I contact all the Internet IPs but not mine on WAN1, from the LAN that uses the WAN2 Internet connection?

Either a wrong configuration, or you are tracerouting a non-existing IP…

You were already missing a masquerade rule for your first “subnet”; I don't even know how you could reach the Internet through that subnet with that rule missing…

That's why I believe there are mistakes in your configuration…

NAT Rule N° 3
3 ;;; WAN - NAT Masquerade per INTERNET - ALL CLIENTS
chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=192.168.100.21-192.168.100.100

This rule has as source address the second “subnet” ( there is no real subnetting here)…

There is no masquerade for your other subnet…

I fixed the problem.
NAT Configuration is OK, the problem is on the Mangle.

It is necessary to configure the MANGLE like in the picture:
11.11.11.0/24 → WAN1
12.12.12.0/24 → WAN2
192.168.88.0/24 → Local LAN
[attached image: page from Load_Balancing_workshop.pdf showing the mangle rules]

No, it is not OK..! You do not masquerade your whole 192.168.100.0/24, only one part of it… You will have no Internet access from the “subnet” you do not masquerade…

It is necessary to configure the MANGLE like in the picture:
11.11.11.0/24 → WAN1
12.12.12.0/24 → WAN2
192.168.88.0/24 → Local LAN

I guess you don't really know what that rule does…
You use those accept rules in the mangle facility in order to exclude the directly connected routers from your mangles… Otherwise, when you try to ping, let's say, 11.11.11.1 or 12.12.12.1, they will be routed through your WAN interfaces. This means you will never reach them… Thus we use the main routing table for those addresses…

However, you said you can't reach your public IP… Strictly speaking, your public IP is neither 11.11.11.1 nor 12.12.12.1… Since you are behind a router and you use no tunnels, the public IPs are on your ISP's routers…
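The two points made in this thread, the mangle "accept" rules for directly connected networks explained above and the earlier suggestion to match source address and out-interface together in the masquerade rules, put together as a complete RouterOS v6 configuration. This is an added example written for this page, not the poster's config or MikroTik's workshop material. It uses the placeholder addresses from the workshop picture (11.11.11.0/24 for WAN1, 12.12.12.0/24 for WAN2, ISP gateways 11.11.11.1 and 12.12.12.1) and the two LAN ranges from the first post; the interface names ether1/ether2/ether3, the router's own WAN addresses 11.11.11.2 and 12.12.12.2, and the routing-mark names to_WAN1/to_WAN2 are assumptions. RouterOS v7 replaces `routing-mark=` on routes with `routing-table=` and needs the tables declared under /routing table.

```routeros
# Added example, not the thread author's configuration. Assumed layout:
#   ether1 = WAN1, 11.11.11.2/24, ISP gateway 11.11.11.1
#   ether2 = WAN2, 12.12.12.2/24, ISP gateway 12.12.12.1
#   ether3 = LAN,  192.168.100.254/24
/ip address
add address=11.11.11.2/24 interface=ether1 comment="WAN1 (assumed address)"
add address=12.12.12.2/24 interface=ether2 comment="WAN2 (assumed address)"
add address=192.168.100.254/24 interface=ether3 comment="LAN"

/ip firewall mangle
# 1) Exclude directly connected networks from policy routing. Without these
#    accept rules, a LAN host marked for WAN2 that targets 11.11.11.x hits the
#    0.0.0.0/0 route of the to_WAN2 table and is sent to ISP2 instead of the
#    WAN1 subnet (the symptom reported in the thread). A matching packet stops
#    here, keeps no routing mark, and is routed by the main table.
add chain=prerouting in-interface=ether3 dst-address=11.11.11.0/24 action=accept comment="WAN1 subnet stays in main table"
add chain=prerouting in-interface=ether3 dst-address=12.12.12.0/24 action=accept comment="WAN2 subnet stays in main table"
add chain=prerouting in-interface=ether3 dst-address=192.168.100.0/24 action=accept comment="LAN stays in main table"
# 2) Only after the exclusions: choose the uplink per LAN range.
add chain=prerouting in-interface=ether3 src-address=192.168.100.1-192.168.100.20 action=mark-routing new-routing-mark=to_WAN1 passthrough=no comment="servers -> WAN1"
add chain=prerouting in-interface=ether3 src-address=192.168.100.21-192.168.100.100 action=mark-routing new-routing-mark=to_WAN2 passthrough=no comment="clients -> WAN2"

/ip route
# Per-mark default routes, plus the main-table defaults (WAN1 primary, WAN2 backup).
add dst-address=0.0.0.0/0 gateway=11.11.11.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=12.12.12.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=11.11.11.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=12.12.12.1 distance=2 check-gateway=ping

/ip firewall nat
# 3) Source NAT restricted by BOTH source range and out-interface, so a rule
#    can only rewrite traffic that really leaves on its own uplink. Every LAN
#    range that must reach the Internet needs its own rule; in the thread the
#    192.168.100.1-20 range had none.
add chain=srcnat src-address=192.168.100.1-192.168.100.20 out-interface=ether1 action=masquerade comment="servers via WAN1"
add chain=srcnat src-address=192.168.100.21-192.168.100.100 out-interface=ether2 action=masquerade comment="clients via WAN2"
```

Rule order in the mangle chain is what matters: the accept rules must sit above the mark-routing rules, because a mark-routing rule with passthrough=no ends processing for the packet. To confirm the exclusions are doing work, ping 11.11.11.1 from a host in the 192.168.100.21-100 range and watch the packet counters with /ip firewall mangle print stats; the hit should land on the first accept rule, not on the "clients -> WAN2" rule.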

11.11.11.0/24 → WAN1
12.12.12.0/24 → WAN2
192.168.88.0/24 → Local LAN

The IPs on the screen are an example!!!

So you did put your real public addresses, that may not even be Static, inside your mangle rules? :laughing:

I have never, never, in all the networks I've set up, had to do this configuration… But anyway, if it works, what can I say…!