
Redirect Port to specific WAN

Posted: Mon Jun 17, 2019 6:13 pm
by wfalcon
Hi there!

I hope I can get a clear answer on this one.
So far I haven't found any guide or question about this before (as to my keyword knowledge in searching).

Let's say I have:

WAN1 PPPOE (ISP1) IP: 10.10.10.10 (normal internet access)
WAN2 PPPOE (ISP2) IP: 11.11.11.11 (normal internet access)

Is it possible to force-redirect all SSH connections originating from any of my internal network devices (192.168.1.0/24) to the cloud through WAN1 only, and redirect all the other connections to WAN2?

I want it to be like this

WAN1 PPPOE (ISP1) IP: 10.10.10.10 (only SSH passes through here and everything else will be redirected to WAN2)
WAN2 PPPOE (ISP2) IP: 11.11.11.11 (normal internet access)

Your help is much appreciated!
Thanks a lot!

Re: Redirect Port to specific WAN

Posted: Mon Jun 17, 2019 6:19 pm
by anav
If WAN2 for whatever reason (ISP problems) goes down do you want everyone to go to WAN1 for backup purposes?

This assumes wan1 and wan2 are not from the same provider, if they are you can disregard this question as both would be not available in the case of ISP failure.

Re: Redirect Port to specific WAN

Posted: Mon Jun 17, 2019 6:25 pm
by wfalcon
anav wrote:
If WAN2 for whatever reason (ISP problems) goes down do you want everyone to go to WAN1 for backup purposes?

This assumes wan1 and wan2 are not from the same provider, if they are you can disregard this question as both would be not available in the case of ISP failure.
Thanks for the reply!
That's a good question actually.

For my basic tests, I don't want to switch to WAN1 if WAN2 goes down.
But if you're in a position to help out, could you please show us how it can be applied in both scenarios?

Appreciated a lot

Re: Redirect Port to specific WAN  [SOLVED]

Posted: Mon Jun 17, 2019 9:30 pm
by sebastia
Hi
You can do that with mangling. In mangle:prerouting, route-mark all packets for port SSH (tcp:22) (or any other port you might be using) with some mark.
Next step, make sure you have a route over desired isp with that routing-mark.

See https://wiki.mikrotik.com/wiki/Policy_Base_Routing, wrt route mangling it's still correct

Re: Redirect Port to specific WAN

Posted: Tue Jun 18, 2019 9:22 am
by AidanAus
Something like this would fail over the SSH; take out the second route line if you don't want it to fail over.
/ip firewall mangle
# mark routing for every TCP connection to port 22 seen in prerouting
add action=mark-routing chain=prerouting new-routing-mark=SSH passthrough=no \
protocol=tcp dst-port=22
/ip route
# table "SSH": WAN1 preferred (distance 1), WAN2 as backup (distance 2)
add check-gateway=ping distance=1 gateway=10.10.10.10 routing-mark=SSH
add check-gateway=ping distance=2 gateway=11.11.11.11 routing-mark=SSH
# main table: everything else leaves via WAN2
add distance=1 gateway=11.11.11.11

Oops, put in src-port not dst; should be fixed now :P
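The following is an added, fuller version of the policy-routing setup described in the two answers above; it is not AidanAus's or sebastia's config and not from the MikroTik wiki. It assumes RouterOS v6 syntax, that the two PPPoE client interfaces are named pppoe-isp1 (WAN1) and pppoe-isp2 (WAN2) and were created with add-default-route=no, and uses the 192.168.1.0/24 LAN and port 22 from the question. Beyond the answers above it restricts the mark to LAN-originated traffic, keeps SSH sessions to the router itself out of the mark, marks the connection so every packet of a flow follows the same table, and covers both the no-failover case the poster asked for and the failover variant.

```routeros
# Added example, RouterOS v6 CLI. Assumed interface names: pppoe-isp1 (WAN1),
# pppoe-isp2 (WAN2). LAN 192.168.1.0/24 and TCP/22 come from the question.

# 1. Tag new LAN-originated SSH connections, then route-mark every packet that
#    belongs to a tagged connection. dst-address-type=!local excludes SSH to the
#    router's own addresses, so management sessions are never policy-routed.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.0/24 dst-address-type=!local \
    connection-state=new protocol=tcp dst-port=22 \
    action=mark-connection new-connection-mark=ssh-conn passthrough=yes \
    comment="tag new LAN -> Internet SSH connections"
add chain=prerouting src-address=192.168.1.0/24 connection-mark=ssh-conn \
    action=mark-routing new-routing-mark=to-isp1 passthrough=no \
    comment="every packet of a tagged SSH connection uses table to-isp1"

# 2. Routes. The marked table holds the ISP1 default route. When a PPPoE link
#    drops, its interface goes down and the route on it becomes inactive; in v6
#    a marked lookup with no active match falls through to the main table, i.e.
#    SSH would silently leak out via ISP2. The blackhole route blocks that
#    fallback, which is the "no failover" behaviour the poster asked for.
#    For the failover variant, replace the blackhole with
#    "add dst-address=0.0.0.0/0 gateway=pppoe-isp2 distance=2 routing-mark=to-isp1".
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-isp1 distance=1 routing-mark=to-isp1 \
    comment="SSH from LAN -> ISP1"
add dst-address=0.0.0.0/0 type=blackhole distance=254 routing-mark=to-isp1 \
    comment="drop SSH instead of leaking it via ISP2 when ISP1 is down"
add dst-address=0.0.0.0/0 gateway=pppoe-isp2 distance=1 \
    comment="main table: everything else -> ISP2"

# 3. Source NAT per WAN, matched on out-interface, so the source address always
#    belongs to the link the packet actually leaves on.
/ip firewall nat
add chain=srcnat out-interface=pppoe-isp1 action=masquerade
add chain=srcnat out-interface=pppoe-isp2 action=masquerade
```

To check the result from a LAN host, open an SSH session to an external host and compare `/ip firewall connection print where dst-port=22` (the connection should carry connection-mark ssh-conn) with `/ip route print where routing-mark=to-isp1` while pulling the ISP1 link: the SSH route goes inactive, the blackhole becomes active, and new SSH connections fail instead of appearing on ISP2.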

Re: Redirect Port to specific WAN

Posted: Wed Jun 19, 2019 12:20 pm
by wfalcon
sebastia wrote:
Hi
You can do that with mangling. In mangle:prerouting, route-mark all packets for port SSH (tcp:22) (or any other port you might be using) with some mark.
Next step, make sure you have a route over desired isp with that routing-mark.

See https://wiki.mikrotik.com/wiki/Policy_Base_Routing, wrt route mangling it's still correct

Thank you so much!

AidanAus wrote:
Something like this would fail over the SSH; take out the second route line if you don't want it to fail over.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=SSH passthrough=no \
protocol=tcp dst-port=22
/ip route
add check-gateway=ping distance=1 gateway=10.10.10.10 routing-mark=SSH
add check-gateway=ping distance=2 gateway=11.11.11.11 routing-mark=SSH
add distance=1 gateway=11.11.11.11

Oops, put in src-port not dst; should be fixed now :P

Thanks for the configuration sample.
It worked like a charm,
and yes, it's dst-port.

Re: Redirect Port to specific WAN

Posted: Thu Oct 31, 2019 10:38 am
by wfalcon
deleted

Re: Redirect Port to specific WAN

Posted: Thu Oct 31, 2019 4:16 pm
by Sob
You can't do that with L7. To route some connection to a specific WAN, you need to do so for all its packets, from the very first one. The problem is that the first TCP packet is just a SYN and it doesn't contain any hostnames or anything. So it goes one way, and then, after you are able to identify the connection, the rest goes the other way, and it doesn't work.