How to force the built-in proxy server/hotspot to use 2nd wan?

Posted: Mon Apr 23, 2018 8:00 pm
by shivansps
Right now I have a setup with 2 WANs and failover, and I can force any IP I want on my network to use the 2nd WAN gateway using mark routing.

But I'd like to run the proxy server and hotspot using only WAN 2, not the primary WAN.

Re: How to force the built-in proxy server/hotspot to use 2nd wan?  [SOLVED]

Posted: Tue Apr 24, 2018 12:38 am
by ochaconm
Right now I have a setup with 2 WANs and failover, and I can force any IP I want on my network to use the 2nd WAN gateway using mark routing.

But I'd like to run the proxy server and hotspot using only WAN 2, not the primary WAN.
Possible solutions:
  1. For the hotspot: set the routing-mark on those packets coming or going from/through a specified interface (InInterface or OutInterface).
  2. For the proxy, you could set the routing-mark on the output chain and destination port 80 (proxied web port).
  3. Create an address that matches with the clients using the hotspot and web proxy.
  4. ...
It would be better if you include more information about your problem.

Re: How to force the built-in proxy server/hotspot to use 2nd wan?

Posted: Tue Apr 24, 2018 4:59 pm
by shivansps
Sure.

Routes
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          PPPoE-Speedy             10
 1 ADS  0.0.0.0/0                          190.17.136.1              1
 2  DS  0.0.0.0/0                          PPPoE-Speedy              4
 3 ADC  10.5.50.0/24       10.5.50.1       wlan2-clientes            0
 4 ADC  190.17.136.0/24    190.17.136.156  ether1-Fibertel           0
 5 ADC  190.173.0.1/32     190.173.10.248  PPPoE-Speedy              0
 6 ADC  192.168.0.0/24     192.168.0.1     bridge-local              0
 7  DC  192.168.1.0/24     192.168.1.1     wlan3-Hotspot           255
ether1-Fibertel is gateway 1 and PPPoE-Speedy is gateway 2; both have dynamic IPs, but I've enabled check-gateway for the failover.

dhcp server
[admin@MikroTik] > ip dhcp print
Flags: D - dynamic, X - disabled, I - invalid 
 #    NAME                   INTERFACE                 RELAY           ADDRESS-POOL                 LEASE-TIME ADD-ARP
 0    default                bridge-local                              dhcp                         10m       
 1    dhcp1                  wlan2-clientes                            clientes_pool                1h        
 2  I dhcp2                  wlan3-Hotspot                             hotspot_pool                 1h 
mangle rules
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Youtube
      chain=prerouting action=mark-packet new-packet-mark=youtube_pack passthrough=no dst-address-list=youtube 
      log=no log-prefix="" 

 1    ;;; speedy wifi
      chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=10.5.50.0/24 
      dst-address=!10.5.50.0/24 log=no log-prefix="" 

 2    ;;; SpeedyServer
      chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.43 
      dst-address=!192.168.0.0/24 log=no log-prefix="" 

 3 X  ;;; PS4 Speedy
      chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.64 
      dst-address=!192.168.0.0/24 log=no log-prefix="" 

 4 X  ;;; SpeedyLAB
      chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.40 
      dst-address=!192.168.0.0/24 log=no log-prefix="" 

 5 X  ;;; SpeedyOficinaPablo
      chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.7 
      dst-address=!192.168.0.0/24 log=no log-prefix="" 

 6 X  ;;; SpeedyVentas1
      chain=prerouting action=mark-routing new-routing-mark=speedywifi passthrough=no src-address=192.168.0.8 
nat
[admin@MikroTik] > ip firewall nat print      
Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 

 1  D chain=hotspot action=jump jump-target=pre-hotspot 

 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 

 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 

 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 

 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443 

 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 

 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 

 8  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 

 9  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 

10  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080 

11  D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443 

12  D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 

13  D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http 

14  D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 

15 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough 

16    ;;; fibertel
      chain=srcnat action=masquerade out-interface=ether1-Fibertel log=no log-prefix="" 

17    ;;; speedy
      chain=srcnat action=masquerade out-interface=PPPoE-Speedy log=no log-prefix="" 

18    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=192.168.1.0/24 
hotspot
[admin@MikroTik] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS 
 #   NAME                  INTERFACE                 ADDRESS-POOL                 PROFILE                 IDLE-TIMEOUT
 0   hotspot1              wlan3-Hotspot             hotspot_pool                 hsprof1                 1h  
[admin@MikroTik] > ip hotspot profile print       
Flags: * - default 
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot html-directory-override="" 
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d 
     split-user-domain=no use-radius=no 

 1   name="hsprof1" hotspot-address=192.168.1.1 dns-name="cds.city.computacion" html-directory=hotspot 
     html-directory-override="" rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap 
     http-cookie-lifetime=54w2d split-user-domain=no use-radius=yes radius-accounting=yes 
     radius-interim-update=received nas-port-type=wireless-802.11 radius-default-domain="" radius-location-id="" 
     radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX
[admin@MikroTik] > ip hotspot walled print 
Flags: X - disabled, D - dynamic 
 #   SERVER     METHOD  DST-HOST                           DST-PORT   PATH                           ACTION       HITS
 0 X ;;; place hotspot rules here
                                                                                                     allow           0
 1   hotspot1           *gaming-city*                      80-443                                    allow           0
 2   hotspot1           *cds-city*                         80-443                                    allow           0
 3   hotspot1           *mercadolibre*                                                               allow           0
 4   hotspot1           *mercadopago*                                                                allow           0

I was thinking about reversing the WANs and then setting everyone to WAN 2 using mark routing, but then the failover is not going to work (I think).

I'm going to try to set the routing mark on the output chain for port 80; since the hotspot is already using the built-in proxy server, if that works it should change both.

Re: How to force the built-in proxy server/hotspot to use 2nd wan?

Posted: Tue Apr 24, 2018 5:30 pm
by shivansps
Yes... this did the trick, thank you.
11    chain=output action=mark-routing new-routing-mark=speedywifi passthrough=no protocol=tcp dst-port=80 log=no 
      log-prefix="" 

12    chain=output action=mark-routing new-routing-mark=speedywifi passthrough=no protocol=tcp dst-port=443 log=no 
      log-prefix="" 
That causes the built-in proxy to use the 2nd WAN, and so does the hotspot.

But now I'm thinking I may have to use a 3rd-party proxy after all, because anything near 40mb/s on the internal proxy already puts the CPU usage at 100%; it's too much for the little 951G.

Actually, the problem in general is that I had to disable FastTrack in order to use routing marks and queues, and that causes the CPU usage to skyrocket.
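An added configuration example, not from the thread or any poster, that puts the pieces together: the route table behind the `speedywifi` mark with a failover fallback, the output-chain marks from the last post restricted so router-to-LAN web traffic is not pushed out WAN2, and a FastTrack rule that exempts only the marked flows instead of disabling FastTrack entirely. It assumes the interface names, subnets, gateway and routing mark shown in the thread; the `lan` address list and the `via-speedy` connection mark are names chosen here.

```routeros
# Added example, not the thread's own config. Assumes ether1-Fibertel (WAN1),
# PPPoE-Speedy (WAN2), the LAN subnets, wlan2-clientes and the routing mark
# "speedywifi" from the thread; the "lan" list and "via-speedy" mark are mine.

# 1. Table for the mark. check-gateway=ping deactivates a dead route; the
#    distance-2 entry keeps marked flows alive over WAN1 during failover instead
#    of dropping them. 190.17.136.1 is the DHCP-learned WAN1 next hop shown in
#    the thread and must be updated if the lease changes.
/ip route
add dst-address=0.0.0.0/0 gateway=PPPoE-Speedy routing-mark=speedywifi \
    distance=1 check-gateway=ping comment="speedywifi via WAN2"
add dst-address=0.0.0.0/0 gateway=190.17.136.1 routing-mark=speedywifi \
    distance=2 check-gateway=ping comment="speedywifi fallback via WAN1"

# 2. Local subnets: traffic to these must never be pushed out of WAN2.
/ip firewall address-list
add list=lan address=192.168.0.0/24
add list=lan address=192.168.1.0/24
add list=lan address=10.5.50.0/24

/ip firewall mangle
# 3. LAN clients that must use WAN2: mark the connection once, then derive the
#    routing mark from it on packets entering from the LAN side only, so replies
#    coming back from WAN2 are not re-routed. The connection mark is what lets
#    FastTrack skip these flows in step 5.
add chain=prerouting in-interface=wlan2-clientes dst-address-list=!lan \
    connection-state=new action=mark-connection new-connection-mark=via-speedy \
    passthrough=yes comment="speedy wifi"
add chain=prerouting in-interface=wlan2-clientes connection-mark=via-speedy \
    action=mark-routing new-routing-mark=speedywifi passthrough=no

# 4. Router-originated traffic (web-proxy upstream fetches, hotspot) never
#    passes prerouting; only the output chain sees it. Same rule as the last
#    post, with the local-subnet exclusion added.
add chain=output protocol=tcp dst-port=80,443 dst-address-list=!lan \
    action=mark-routing new-routing-mark=speedywifi passthrough=no \
    comment="built-in proxy / hotspot via WAN2"

# 5. FastTrack everything except marked connections, since fasttracked packets
#    bypass mangle and queues. Keep this ahead of the generic accept rule.
/ip firewall filter
add chain=forward connection-state=established,related connection-mark=no-mark \
    action=fasttrack-connection comment="fasttrack unmarked flows only"
add chain=forward connection-state=established,related action=accept

# Check: these counters should rise while proxied pages load through WAN2.
/ip firewall mangle print stats where chain=output
```

Queues that should shape the WAN2 clients can match on the `via-speedy` connection mark or a packet mark derived from it, which is why those flows are kept out of FastTrack rather than FastTrack being switched off.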