craigreilly
newbie
Topic Author
Posts: 40
Joined: Mon Jan 26, 2015 7:04 pm

set up second WAN/ISP temporarily

Tue Jun 11, 2019 9:02 pm

We are transitioning to a new ISP. I want to set up the second ISP while the first is still in place, until we can test everything and get DNS resolution using the new host names.

So far:
1-Added IP Addresses of new ISP and selected interface of ISP2
2-Created a Mangle prerouting for Routing Mark for testing from my IP only.
3-Added default IP Route and selected the routing mark from step 2
4-Added Source NAT setting the out interface, routing mark and "to address" using one of the public IPs on WAN2.

At this point, I can surf the webs and whatsmyip shows the new ISP IP address.

Now - I've added the NAT rules for inbound traffic (internal services)... and for them to work, I add a Mangle prerouting rule.
But when I do this - the old IP address on ISP1 no longer responds to requests.

So - how do I get both ISP1 and ISP2 to respond to requests while we are setting up the router and testing... and of course, waiting for DNS resolution to update.

Thanks in advance for the assistance. I did not initially program this device so I am stumbling along.

Oh, and to mention - we are using the Mikrotik VPN feature too for L2TP/IPsec to connect to our Remote Desktop.

(CCR1009-8G-1S-1S+)
 
sebastia
Forum Guru
Posts: 1480
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: set up second WAN/ISP temporarily

Wed Jun 12, 2019 12:08 am

You'll need to mark traffic coming from ISP2, so that based on that mark only that traffic will be routed out to internet over isp2.
The other traffic to internet should go over isp1.

Added emphasis
Last edited by sebastia on Wed Jun 12, 2019 2:48 pm, edited 1 time in total.
 
craigreilly
newbie
Topic Author
Posts: 40
Joined: Mon Jan 26, 2015 7:04 pm

Re: set up second WAN/ISP temporarily

Wed Jun 12, 2019 1:49 am

"At this point, I can surf the webs and whatsmyip shows the new ISP IP Address"

So the outbound mark is working as intended...


So when I mark the traffic coming from ISP2 - it only works on ISP2.
So, for example
70.1.1.1 (ISP1) inbound goes to port 80 to server 192.168.3.20
When I add the NAT rule
60.1.1.1 (ISP2) inbound goes to port 80 to server 192.168.3.20
and add Mangle rule as well...

but now 70.1.1.1 no longer works for the inbound, only 60.1.1.1

I need both working, so until DNS is resolved both IPs will work.
 
2frogs
Member
Posts: 474
Joined: Fri Dec 03, 2010 1:38 am

Re: set up second WAN/ISP temporarily

Wed Jun 12, 2019 3:31 am

You need to mark connections coming in to each WAN and then make routing mark based on those connections:
/ip firewall mangle
add action=mark-connection chain=input comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In"
add action=mark-connection chain=input comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In"
add action=mark-routing chain=output comment="ISP1-Out" connection-mark="ISP1-In" new-routing-mark="ISP1"
add action=mark-routing chain=output comment="ISP2-Out" connection-mark="ISP2-In" new-routing-mark="ISP2"

/ip route
add distance=1 gateway=1.1.1.1 routing-mark="ISP1"
add distance=1 gateway=2.2.2.1 routing-mark="ISP2"
And as you can see you need to add a route for ISP 1 with routing mark as you did for ISP 2.
 
sebastia
Forum Guru
Posts: 1480
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: set up second WAN/ISP temporarily

Wed Jun 12, 2019 2:51 pm

The above will work only for traffic going to the router itself.

For traffic forwarded, "forward chain + input interface condition" for inbound and "prerouting chain + mark condition" for outbound can be used.
 
2frogs
Member
Posts: 474
Joined: Fri Dec 03, 2010 1:38 am

Re: set up second WAN/ISP temporarily

Wed Jun 12, 2019 3:07 pm

Oops, I copied/pasted the wrong section of code. Correct it as @sebastia stated. Sorry for my mistakes!
 
craigreilly
newbie
Topic Author
Posts: 40
Joined: Mon Jan 26, 2015 7:04 pm

Re: set up second WAN/ISP temporarily

Wed Jun 12, 2019 7:10 pm

So I shouldn't use those 6 lines of code?
Perhaps I should hire someone.
 
2frogs
Member
Posts: 474
Joined: Fri Dec 03, 2010 1:38 am

Re: set up second WAN/ISP temporarily

Wed Jun 12, 2019 8:23 pm

Here is the correct code:
/ip firewall mangle
add action=mark-connection chain=forward comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In"
add action=mark-connection chain=forward comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In"
add action=mark-routing chain=prerouting comment="ISP1-Out" connection-mark="ISP1-In" new-routing-mark="ISP1"
add action=mark-routing chain=prerouting comment="ISP2-Out" connection-mark="ISP2-In" new-routing-mark="ISP2"

/ip route
add distance=1 gateway=1.1.1.1 routing-mark="ISP1"
add distance=1 gateway=2.2.2.1 routing-mark="ISP2"
You will need to edit the in-interfaces and gateways to match your configuration.

Edit: In fact it wouldn’t hurt to include my original mangle rules since you are using the Mikrotik as VPN.
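
The thread's approach put together as one configuration, covering both forwarded (port-forwarded) traffic and traffic to the router itself. This is an added example, not code posted by any participant. It assumes RouterOS v6 syntax as used in the thread; the interface names, gateways and addresses are the thread's placeholders, and the `connection-state=new`, `connection-mark=no-mark`, `passthrough` and `in-interface=!etherN` matchers are additions made here.

```routeros
# Added example, RouterOS v6 syntax. ether1/ether2, the gateways and all
# addresses are the thread's placeholders; adjust them to the real setup.

/ip firewall mangle
# 1. Tag each new inbound connection with the WAN it arrived on. Marking in
#    prerouting covers port-forwarded traffic and traffic to the router
#    itself (the L2TP/IPsec VPN) with one pair of rules.
add chain=prerouting action=mark-connection in-interface=ether1 \
    connection-state=new connection-mark=no-mark \
    new-connection-mark=ISP1-In passthrough=yes comment="ISP1-In"
add chain=prerouting action=mark-connection in-interface=ether2 \
    connection-state=new connection-mark=no-mark \
    new-connection-mark=ISP2-In passthrough=yes comment="ISP2-In"

# 2. Replies from internal servers leave through the WAN the connection came
#    in on. The in-interface=!etherN match keeps packets arriving from that
#    WAN in the main table, so they still reach the server after dst-nat
#    instead of following the marked default route back out.
add chain=prerouting action=mark-routing connection-mark=ISP1-In \
    in-interface=!ether1 new-routing-mark=ISP1 passthrough=no \
    comment="ISP1-Out"
add chain=prerouting action=mark-routing connection-mark=ISP2-In \
    in-interface=!ether2 new-routing-mark=ISP2 passthrough=no \
    comment="ISP2-Out"

# 3. Replies generated by the router itself (VPN, management) use the
#    output chain, as in the first set of rules posted above.
add chain=output action=mark-routing connection-mark=ISP1-In \
    new-routing-mark=ISP1 passthrough=no comment="ISP1-Out (router)"
add chain=output action=mark-routing connection-mark=ISP2-In \
    new-routing-mark=ISP2 passthrough=no comment="ISP2-Out (router)"

/ip route
# One default route per routing mark, next to the unmarked default route
add distance=1 gateway=1.1.1.1 routing-mark=ISP1
add distance=1 gateway=2.2.2.1 routing-mark=ISP2

/ip firewall nat
# The same internal service published on both public addresses while DNS
# still points at the old one.
add chain=dstnat action=dst-nat in-interface=ether1 dst-address=70.1.1.1 \
    protocol=tcp dst-port=80 to-addresses=192.168.3.20 to-ports=80
add chain=dstnat action=dst-nat in-interface=ether2 dst-address=60.1.1.1 \
    protocol=tcp dst-port=80 to-addresses=192.168.3.20 to-ports=80
```

To check it, open the service through each public address and confirm in `/ip firewall connection print` that the connection carries the mark of the WAN it arrived on.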
 
amt
Long time Member
Posts: 520
Joined: Fri Jan 16, 2015 2:05 pm

Re: set up second WAN/ISP temporarily

Thu Jun 13, 2019 5:12 pm

Here is the correct code:
/ip firewall mangle
add action=mark-connection chain=forward comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In"
add action=mark-connection chain=forward comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In"
add action=mark-routing chain=prerouting comment="ISP1-Out" connection-mark="ISP1-In" new-routing-mark="ISP1"
add action=mark-routing chain=prerouting comment="ISP2-Out" connection-mark="ISP2-In" new-routing-mark="ISP2"

/ip route
add distance=1 gateway=1.1.1.1 routing-mark="ISP1"
add distance=1 gateway=2.2.2.1 routing-mark="ISP2"
You will need to edit the in-interfaces and gateways to match your configuration.

Edit: In fact it wouldn’t hurt to include my original mangle rules since you are using the Mikrotik as VPN.
I also have the same rules. The only difference is that I don't have two ISPs; I have two links to one of our PoP points, and there is no problem.
