Community discussions

MikroTik App
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

set deafult internet source

Fri Jan 04, 2019 11:45 am

Hello,

I have 3 different internet connetion on interfaces:
  • ether1
  • ether2
  • sfp1
When all of them are connected the default one is ether1>ether2>sfp1.

I would like to have sfp1 as default internet connection for all internal LAN interfaces, and use ether1 only for vpn connections (since it has public address). Ether2 and sfp1 doesnt have public addresses.

Is it possible to set up ?

Best Regards,
SB
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: set deafult internet source

Fri Jan 04, 2019 12:17 pm

Hi

It can be done for IPv4 but not for IPv6.
IPv4 using policy based routing
* based on routing rules (/ip route rule)
* based on route marking on packet level (/ip firewall mangle)

For both approaches above you'll need to define new routing table for each other than default route: /ip route for each route mark
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: set deafult internet source

Fri Jan 04, 2019 12:48 pm

Thank you for answer Sebastia.

Actually i've made a mistake, the current order is ether1>sfp1>ether2. We can consider the case ether1>sfp1, (i wont user ether 2 anymore).
I tried to change routes order, but it is not possible. I have no idea how to set any rules for my routes. Do you have any reliable article, which will help to solve my issue ?
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: set deafult internet source

Fri Jan 04, 2019 2:06 pm

Example of routing with mangle for routing mark: https://wiki.mikrotik.com/wiki/Policy_Base_Routing
There is a bit more stuff there, vpn ..., which you can ignore.

The steps are:
1a: routing rule (or 1b)
/ip route rule
add action=lookup src-address=1.2.3.4/32 table=WAN1

1b: packet mark (or 1a)
/ip firewall mangle
add action=mark-routing new-routing-mark=WAN1 chain=prerouting src-address=1.2.1.4/32

2. create routing table
/ip route
add comment=WAN1 distance=20 gateway=<ip gw> routing-mark=WAN1

(3. you want to make sure that masqarade / src-nat is done for these "wan" interfaces)
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: set deafult internet source

Fri Jan 04, 2019 5:00 pm

There is possibly an even simpler solution. The vpn dedicated interface, is that for "client" side, so your device is making a connection to vpn server on internet?

If "client": then the solution could be simplified:
* route to 0.0.0.0/0 to internet gateway (default)
* route to <ip of vpn> over vpn dedicate interface

Route selection is based on (among other) most specific destination criterion. So a route for subset of default route will be selected before default if available.

To define the order of fall-back, you need to specify different distances for the routes: lower distance -> higher priority
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: set deafult internet source

Fri Jan 04, 2019 10:05 pm

Hey Sebastia , my explanation from first post could be not easy to understand:
I would like to have sfp1 as default internet connection for all internal LAN interfaces, and use ether1 only for vpn connections (since it has public address).
I meant, that WAN interface is public == it has public IP from ISP. As a result I can establish VPN L2TP/IPsec only by ether1, cause sfp1 WAN doesn't have public static IP address.

That's why i want to change connections order. I want sfp1 to be preffered internet connection (it's faster), and the VPN connection will be established through ether1.

Could you just help me to set rules to change default route for internet connection. As i mentioned - when both of them are connected to the router, ether1 is used.
It makes me sick, cause for normal usage i have to disconnect ether1 cable. Then when i am not at home (and want to have VPN Access) i have to plug ether1 to the router before leaving home. It makes me sick.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: set deafult internet source

Fri Jan 04, 2019 11:22 pm

Please post your current config: /export hide-sensitive compact terse
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: set deafult internet source

Sat Jan 05, 2019 12:08 am

Please post your current config: /export hide-sensitive compact terse
Which particular parts do you need ? Whole list would be very long.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: set deafult internet source

Sat Jan 05, 2019 1:10 pm

The whole thing, and enclose it in [ code ][/ code ] tags

Who is online

Users browsing this forum: blejzu, Uqbar and 52 guests