I have 2 wan ports:
WAN1 (distance 1 in the route)
WAN2 (distance 2 in the route)
My setup is that every client uses WAN1 and when this fails it used WAN2. I do this with setting a distance in the route.
Every client is in the range 192.168.0.50-192.168.0.150.
How to force that some client, 192.168.0.100-192.168.0.110 used always WAN2 to access the internet?
Re: force some client to wan2
You could use routing marks (mangle).
You can see some info in:
https://wiki.mikrotik.com/wiki/Policy_Base_Routing
You can see some info in:
https://wiki.mikrotik.com/wiki/Policy_Base_Routing
Re: force some client to wan2
I do this now for email traffic.
I use IP Mangle rule to mark route for all traffic coming from LAN (in interface) on port 25
I create a routing rule that sends this traffic (marked by the mangle rule) to the mail server IP of the ISP if traffic, plus enter in the gateway IP.
Same concept can be used in your case
Use an IP Mangle rule to mark-route for all traffic coming from source address list
(create an address list entry first - for example, name - WAN2Clients 192.168.0.100-192.168.0.110 comment - useonly_WAN2 .
For your routing rule
Destination 0.0.0.0/0
Gateway IP of your ISP (not your WANIP)
reference the mangle rule name (has to match exactly)
Hope this gets you going in the right direction.
I use IP Mangle rule to mark route for all traffic coming from LAN (in interface) on port 25
I create a routing rule that sends this traffic (marked by the mangle rule) to the mail server IP of the ISP if traffic, plus enter in the gateway IP.
Same concept can be used in your case
Use an IP Mangle rule to mark-route for all traffic coming from source address list
(create an address list entry first - for example, name - WAN2Clients 192.168.0.100-192.168.0.110 comment - useonly_WAN2 .
For your routing rule
Destination 0.0.0.0/0
Gateway IP of your ISP (not your WANIP)
reference the mangle rule name (has to match exactly)
Hope this gets you going in the right direction.
Re: force some client to wan2
above advice is the way to do it. Alternatively, use mangle rule, action route, src-address=192.168.0.100-192.168.0.110, to force specific IP to certain route. This might be less to configure and still do what you want. Hope this helps you.
MTCNA MTCTCE UEWA
Re: force some client to wan2
I prefer using address lists to identify GROUP OBJECTS, be they users, IP addresses, services etc.........
That way I am monkeying LESS with actual rules OF ANY SORT, when soley having to change objects!!
In other words, I only have to modify objects in many instances and not rules.
In reviewing this issue, I have decided to derive a better solution.................
Assumption: LAN is comprised of users or potential users from 192.168.0.2 - 192.168.0.254 (assuming 192.168.0.1 is the DHCP gateway).
Background: OP has a requirement to ensure users .50-.150 use WAN1, OP has a requirement to ensure subset of users .100-.110 use WAN2.
Solution: Identify necessary groups,
Additions for example. Admin use of WAN2 vice WAN1 to add some complication for example purposes, and identification of unused groups for later use.
Address List
LAN1_GroupA - 192.168.0.50 - 192.168.0.150 (comment: WAN1 users)
LAN1_GroupB - 192.168.0.100 - 192.168.0.110 (comment: WAN2 users).
LAN1_GroupC - 192.168.0.21 - 192.168.0.23 (comment: Admin PCs to access WAN2)
LAN1-GroupD - 192.168.0.2 - 192.168.0.49 (comment: not used)
LAN1_GroupE - 192.168.0.151 - 192.168.0.254 (comment: not used)
For clarity, the PRIMARY ISP is considered to be WAN1 and the SECONDARY ISP is considered to be WAN2.
Mangle Rules:
ip firewall Mangle/
add chain=prerouting src-address list=LAN1_GroupB action=mark-routing new-routing-mark=GroupB_WAN2
add chain=prerouting src-address list=LAN1_GroupC action=mark-routing new-routing-mark=Admin_WAN2
** I am not sure if stating src address alone, as per the above, is sufficient or do I have to identify the interface at all ?? ( such as "in-interface LAN" ? )
Standard Routing Rules for Failover ** Assumes all traffic going out of router is assumed to use WAN1 unless otherwise specified. Thus for simplicity sake I don't have to differentiate routing where not necessary. The basic routing rules state that all users will use the Primary WAN unless its unavailable and users will be pushed to the secondary WAN, in this case WAN2. When WAN1 comes back online users will then be routed through WAN1.
Ip Route/
Add Dst-Address=0.0.0.0/0 Gateway="Primary ISP Gateway IP (not WANIP), check gateway (ping), distance = 1
Add Dst-Address=0.0.0.0/0 Gateway="Secondary ISP Gateway IP, distance = 2
New routing rules for specific users (whose primary route is out WAN2)........ One should note that there are TWO rules as above per group, to deal with failover. Designed in case WAN2 becomes unavailable and users thus need access to the internet via WAN1. If WAN 2 comes back online, users will then once again be routed through WAN2
Ip Route/
Add Dst-Address=0.0.0.0/0 Gateway="Secondary ISP Gateway IP (not WANIP)" check gateway ping, distance = 1, Routing-Mark=GroupB_WAN2
Add Dst-Address=0.0.0.0/0 Gateway="Primary ISP Gateway IP" distance = 2, Routing-Mark=GroupB_WAN2
Add Dst-Address=0.0.0.0/0 Gateway="Secondary ISP Gateway IP" check gateway ping, distance = 1 Routing-Mark=Admin_WAN2
Add Dst-Address=0.0.0.0/0 Gateway="Primary ISP Gateway IP" distance = 2, Routing-Mark=Admin_WAN2
That way I am monkeying LESS with actual rules OF ANY SORT, when soley having to change objects!!
In other words, I only have to modify objects in many instances and not rules.
In reviewing this issue, I have decided to derive a better solution.................
Assumption: LAN is comprised of users or potential users from 192.168.0.2 - 192.168.0.254 (assuming 192.168.0.1 is the DHCP gateway).
Background: OP has a requirement to ensure users .50-.150 use WAN1, OP has a requirement to ensure subset of users .100-.110 use WAN2.
Solution: Identify necessary groups,
Additions for example. Admin use of WAN2 vice WAN1 to add some complication for example purposes, and identification of unused groups for later use.
Address List
LAN1_GroupA - 192.168.0.50 - 192.168.0.150 (comment: WAN1 users)
LAN1_GroupB - 192.168.0.100 - 192.168.0.110 (comment: WAN2 users).
LAN1_GroupC - 192.168.0.21 - 192.168.0.23 (comment: Admin PCs to access WAN2)
LAN1-GroupD - 192.168.0.2 - 192.168.0.49 (comment: not used)
LAN1_GroupE - 192.168.0.151 - 192.168.0.254 (comment: not used)
For clarity, the PRIMARY ISP is considered to be WAN1 and the SECONDARY ISP is considered to be WAN2.
Mangle Rules:
ip firewall Mangle/
add chain=prerouting src-address list=LAN1_GroupB action=mark-routing new-routing-mark=GroupB_WAN2
add chain=prerouting src-address list=LAN1_GroupC action=mark-routing new-routing-mark=Admin_WAN2
** I am not sure if stating src address alone, as per the above, is sufficient or do I have to identify the interface at all ?? ( such as "in-interface LAN" ? )
Standard Routing Rules for Failover ** Assumes all traffic going out of router is assumed to use WAN1 unless otherwise specified. Thus for simplicity sake I don't have to differentiate routing where not necessary. The basic routing rules state that all users will use the Primary WAN unless its unavailable and users will be pushed to the secondary WAN, in this case WAN2. When WAN1 comes back online users will then be routed through WAN1.
Ip Route/
Add Dst-Address=0.0.0.0/0 Gateway="Primary ISP Gateway IP (not WANIP), check gateway (ping), distance = 1
Add Dst-Address=0.0.0.0/0 Gateway="Secondary ISP Gateway IP, distance = 2
New routing rules for specific users (whose primary route is out WAN2)........ One should note that there are TWO rules as above per group, to deal with failover. Designed in case WAN2 becomes unavailable and users thus need access to the internet via WAN1. If WAN 2 comes back online, users will then once again be routed through WAN2
Ip Route/
Add Dst-Address=0.0.0.0/0 Gateway="Secondary ISP Gateway IP (not WANIP)" check gateway ping, distance = 1, Routing-Mark=GroupB_WAN2
Add Dst-Address=0.0.0.0/0 Gateway="Primary ISP Gateway IP" distance = 2, Routing-Mark=GroupB_WAN2
Add Dst-Address=0.0.0.0/0 Gateway="Secondary ISP Gateway IP" check gateway ping, distance = 1 Routing-Mark=Admin_WAN2
Add Dst-Address=0.0.0.0/0 Gateway="Primary ISP Gateway IP" distance = 2, Routing-Mark=Admin_WAN2
Last edited by anavds on Thu Apr 26, 2018 3:57 pm, edited 2 times in total.
-
-
gjniewenhuijse
just joined
- Posts: 17
- Joined:
Re: force some client to wan2
Thanks everyone, this helps me a lot.
Who is online
Users browsing this forum: No registered users and 60 guests