matiaszon
Member
Topic Author
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

2x WAN & 1x LAN

Thu Dec 14, 2017 12:19 pm

Introduction
My friend (more than 2000 km away) is trying to figure out making a connection with 2x WAN and a single LAN.
WAN1: LTE/4G dongle, much faster down and up links, no public IP, private IP on router 192.168.3.10, gateway 192.168.3.1,
WAN2: ether1, old slow line (1,5/0,5 Mbps), public but not static IP, private IP on router 192.168.1.248, gateway 192.168.1.254,
LAN: 192.168.88.0/24, all other ports bridged, IP: 192.168.88.1
Unfortunately, even the WAN2 connection goes through a modem (double NAT), but the MikroTik is in the DMZ zone and NAT is turned off on the modem.

Goals to achieve
1. Make all traffic (except 1 device: 192.168.88.253, which should go through WAN2) go through WAN1 (LTE) as it is much faster.
2. Make WAN2 work all the time simultaneously (I don't want to use it as failover, unless WAN1 breaks down).
3. Make MikroTik Cloud (DDNS) work through WAN2, as it is the only IP I can get without running TeamViewer on any machine in the local network.

Export of IP config
# dec/14/2017 10:01:22 by RouterOS 6.40.5
# software id = KIG8-169Z
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1207B5E643
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip neighbor discovery
set ether1-GW-BT discover=no
/ip pool
add name=pool1-home ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=pool1-home always-broadcast=yes authoritative=\
    after-2sec-delay disabled=no interface=bridge-LAN lease-time=2h name=\
    DHCP-fendoch
/ip address
add address=192.168.88.1/24 comment=LAN interface=bridge-LAN network=\
    192.168.88.0
add address=192.168.1.248/24 comment="WAN BT" interface=ether1-GW-BT network=\
    192.168.1.0
add address=192.168.3.10/24 comment="WAN LTE" interface=LTE network=\
    192.168.3.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:a8:60:b6:4:fc:18 mac-address=\
    A8:60:B6:04:FC:18 server=DHCP-fendoch
add address=192.168.88.253 client-id=1:0:de:fa:11:80:0 mac-address=\
    00:DE:FA:11:80:00 server=DHCP-fendoch
/ip dhcp-server network
add address=192.168.88.0/24 comment=LAN dns-server=\
    8.8.8.8,8.8.4.4,192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Web Interface" dst-port=50180 \
    protocol=tcp
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat comment="box" dst-port=\
    50221-50222 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.88.253 to-ports=21-22
add action=dst-nat chain=dstnat comment="box web" dst-port=50280 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.253 to-ports=\
    80
/ip route
add distance=1 gateway=192.168.3.1
add distance=2 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set www port=50180
With the above config all traffic goes through WAN1, but I can't even use WAN2 as an incoming port for a MikroTik service.
If I change the distance from 2 to 1 on WAN2 in the route, then all traffic automatically goes through WAN2, which is not what I want.

I found the following config in the net:
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
Is that what I am looking for (except the addresses used in the example)? Of course, there will still be something to add (like pointing the exact gateway for 192.168.88.253 and the cloud update), but generally, what will this config do?
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: 2x WAN & 1x LAN

Thu Dec 14, 2017 5:46 pm

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
change with something like
add action=mark-connection chain=prerouting dst-address-list=!Connected dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes src-address=192.168.88.253
add action=mark-connection chain=prerouting dst-address-list=!Connected dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes src-address="other LAN"

where Connected is an ACL with connected subnets (to ISP) and "other LAN" is all IPs except the one you mentioned ... and accordingly you need to mark DDNS traffic flows with WAN2 if something is sourcing inside your network
! most probably you'll need to disable or update fasttrack to cover just the part of traffic that will not change during this kind of load sharing
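To tie the two posts together, here is the "found" config from the first post rewritten for the addresses in the export, following the src-address approach of the reply above; this is an added example, not config from either poster. Interface names, gateways and the 192.168.88.253 host come from the export; the marks, the address-list name Connected and the mikrotik-cloud list are assumptions, and mikrotik-cloud is a placeholder the reader must fill with the cloud server address (not given in the thread).

```routeros
# Added example, not from the original posts. Assumed names: Connected,
# mikrotik-cloud (placeholder list, fill in yourself), WAN1_conn/WAN2_conn,
# to_WAN1/to_WAN2.
/ip firewall address-list
add list=Connected address=192.168.1.0/24 comment="WAN2 (BT) transit net"
add list=Connected address=192.168.3.0/24 comment="WAN1 (LTE) transit net"

/ip firewall mangle
# Connections arriving from a WAN keep that WAN's mark, so replies from
# router services and the dst-nat'ed ports leave the way they came in.
add chain=prerouting in-interface=ether1-GW-BT connection-state=new \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=no
add chain=prerouting in-interface=LTE connection-state=new \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=no
# LAN traffic to the connected subnets stays in the main table (the
# "Connected" ACL idea from the reply above).
add chain=prerouting in-interface=bridge-LAN dst-address-list=Connected \
    action=accept
# Policy: one host over WAN2, every other LAN host over WAN1.
add chain=prerouting in-interface=bridge-LAN src-address=192.168.88.253 \
    dst-address-type=!local connection-state=new \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting in-interface=bridge-LAN src-address=!192.168.88.253 \
    dst-address-type=!local connection-state=new \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
# Turn the connection mark into a routing mark for forwarded packets...
add chain=prerouting in-interface=bridge-LAN connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting in-interface=bridge-LAN connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1
# ...and for the router's own replies (WinBox on 8291, web UI on 50180).
add chain=output connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1
# Goal 3: the router's own DDNS update is forced out via WAN2.
add chain=output dst-address-list=mikrotik-cloud \
    action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-mark=to_WAN2 check-gateway=ping
# Main table: WAN1 preferred; if its gateway stops answering ping, the
# marked route goes inactive too and traffic falls back to WAN2.
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.254 distance=2 check-gateway=ping

/ip firewall filter
# Fasttrack only unmarked connections, as the reply suggests, so marked
# ones keep passing through mangle and stay on their chosen WAN.
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark
```

Keep the existing srcnat masquerade on out-interface-list=WAN and make sure both ether1-GW-BT and LTE are in that list, otherwise the host sent via WAN2 leaves with an unmasqueraded private source address.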
