ChiEngDa
just joined
Topic Author
Posts: 7
Joined: Sun Nov 06, 2016 6:00 pm

Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 7:26 pm

Hardware - RB750GR3
Software - 6.47.7
Location - USA (if relevant)

Existing ISP1 configuration (ISP1 -> RB -> LAN, no DHCP on the RB itself) , adding ISP2 to provide redundancy to existing configuration
ISP 1 Cable modem
ISP 2 - ATT Uverse internet (Uverse modem configured in passthrough mode)

What I did/what I see
1) Plug in ISP2. On Interfaces, I now see ISP1 marked "R" (Master) and ISP2 marked "RS" (Slave). Not sure why ISP2 got RS.
2) On IP->Addresses, I see
LAN address belonging to interface "bridge1"
ISP1 Address
added ISP2 address based on what Uverse modem issues in passthrough (76.217. etc address for me)

3) Going to IP->Firewall->NAT, trying to allow ISP2 to be used for Out Interface, I get the message "in/out interface not possible when ISP2 is slave, use master instead "bridge 1")

What am I doing wrong? What should I be doing instead?

What I want is
ISP1 -> LAN
ISP2 -> LAN
no DHCP

thank you!

I exported the current config as well; right now the new interface is added but no rules are configured. What should I do next?
/interface bridge
add admin-mac=6C:3B:6B:64:E0:34 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] comment=ATT_WAN name=ATT_Uverse_Internet \
    speed=100Mbps
set [ find default-name=ether1 ] comment=WOW_WAN name=WOW_cable_internet \
    speed=100Mbps
set [ find default-name=ether2 ] comment="Internal LAN" name=ether2-master \
    speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ATT_Uverse_Internet
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ATT_Uverse_Internet list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
    76.217.231.255
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.1.1.41,9.9.9.9
/ip dns static
add address=10.1.1.100 name=router
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=WOW_cable_internet
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=WOW_cable_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=WOW_cable_internet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Chicago
/system identity
set name=SMR
/system resource irq rps
set WOW_cable_internet disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ATT_Uverse_Internet disabled=no
set ether2-master disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Last edited by ChiEngDa on Sun Nov 15, 2020 5:31 am, edited 1 time in total.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 7:56 pm

for starters, you are trying to make ether2 a WAN connected to ISP2, so remove ether2 from bridge, Menu Bridge-->Ports
 
ChiEngDa
just joined
Topic Author
Posts: 7
Joined: Sun Nov 06, 2016 6:00 pm

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 8:30 pm

for starters, you are trying to make ether2 a WAN connected to ISP2, so remove ether2 from bridge, Menu Bridge-->Ports
Thank you! I have removed the port where ISP2 was incoming from the bridge, which I think was making it a 'slave' (below).
This is what I have right now (below), and I think I need to get the firewall script configured and set up load balancing/failover.
/interface ethernet
set [ find default-name=ether5 ] comment=ATT_WAN name=ATT_Uverse_Internet \
    speed=100Mbps
set [ find default-name=ether1 ] comment=WOW_WAN name=WOW_cable_internet \
    speed=100Mbps
set [ find default-name=ether2 ] comment="Internal LAN" name=ether2-master \
    speed=100Mbps

/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
    76.217.231.255

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=WOW_cable_internet
add action=masquerade chain=srcnat out-interface=ATT_Uverse_Internet
Last edited by ChiEngDa on Sun Nov 15, 2020 5:32 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 8:32 pm

(1) I disagree with CZFan - it depends on what the OP wants to do. He wants one LAN, so I am assuming he wants the LAN on ports 2,3,4.

(2) The error I noted was this one
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ATT_Uverse_Internet (wan does not normally belong on bridge)
add bridge=bridge1 interface=ether2-master

/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
So all ports (3,4,5) will allow users to be on this network (assuming DHCP is turned off but all devices are assigned IPs manually).

FIREWALL FILTER RULES

(3) This rule is incomplete, you need to include the other WAN ISP as well.
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=WOW_cable_internet
(if you add both ISP to interface list members for WAN, then you can use in-interface-list=WAN)

Alternatively the default rule also works and is stated as such:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN (however, you don't have your LAN interface list identified)


(4) You need to create a second masquerade rule for sourcenat, one for each wan is fine.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=WOW_cable_internet
(add the other out-interface!!!)

(5) Don't see a second DHCP client for the second WAN???
(6) Don't see any routing rules???
 
ChiEngDa
just joined
Topic Author
Posts: 7
Joined: Sun Nov 06, 2016 6:00 pm

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 8:44 pm

Thank you both!! Here is full config (vs posting the pieces of it)
I only have a single LAN (home) and my only LAN port on the RB is ether2, where the LAN comes in. The RouterBoard is a router that is set up as the gateway for my internal devices (server, DHCP, DNS are all handled elsewhere).
I have ISP1 on ether1 and ISP2 on ether5.

I know my configuration is not complete
FIREWALL FILTER RULES are missing
Failover rules are missing (check gateway, etc).

I am not finding where in GUI to edit IP ROUTE check gateway sections and I think coming to the desire to edit the actual config file myself (vs trying through GUI).

/interface bridge
add admin-mac=6C:3B:6B:64:E0:34 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] comment=ATT_WAN name=ATT_Uverse_Internet \
    speed=100Mbps
set [ find default-name=ether1 ] comment=WOW_WAN name=WOW_cable_internet \
    speed=100Mbps
set [ find default-name=ether2 ] comment="Internal LAN" name=ether2-master \
    speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ATT_Uverse_Internet list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
    76.217.231.255
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.1.1.41,9.9.9.9
/ip dns static
add address=10.1.1.100 name=router
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=WOW_cable_internet
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=WOW_cable_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=WOW_cable_internet
add action=masquerade chain=srcnat out-interface=ATT_Uverse_Internet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Chicago
/system identity
set name=SMR
/system resource irq rps
set WOW_cable_internet disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ATT_Uverse_Internet disabled=no
set ether2-master disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Last edited by ChiEngDa on Sun Nov 15, 2020 5:32 am, edited 1 time in total.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 8:52 pm

Thank you both!! Here is full config (vs posting the pieces of it)
I only have a single LAN (home) and my only LAN port on the RB is ether2, where the LAN comes in. The RouterBoard is a router that is set up as the gateway for my internal devices (server, DHCP, DNS are all handled elsewhere).
I have ISP1 on ether1 and ISP2 on ether5.

I know my configuration is not complete
FIREWALL FILTER RULES are missing
Failover rules are missing (check gateway, etc).

I am not finding where in GUI to edit IP ROUTE check gateway sections and I think coming to the desire to edit the actual config file myself (vs trying through GUI).
viewtopic.php?t=157048
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 8:58 pm

Yeah still seeing only 1 dhcp client setting and one associated address for wan>
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
/ip address
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
76.217.231.255

Still missing second input chain rule for second ISP
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=WOW_cable_internet
????????????????????????????
 
ChiEngDa
just joined
Topic Author
Posts: 7
Joined: Sun Nov 06, 2016 6:00 pm

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 9:38 pm

Yeah still seeing only 1 dhcp client setting and one associated address for wan>
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
/ip address
add address=76.217.230.243 interface=ATT_Uverse_Internet network=\
76.217.231.255

Still missing second input chain rule for second ISP
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=WOW_cable_internet
????????????????????????????
Thank you ALL!!! Awesome community!
So I had the following problems:
- the port I put ISP2 was still assigned to bridge (caught and fixed)
- the DHCP client was not set up (caught and fixed)
- suggestion to set up the WAN list for interfaces and update the firewall script to use it (thank you)

I posted what I have right now below. In testing from a LAN PC I was able to disable ISP1 and still be connected (as well as check on sites like speedtest that I am coming from ISP2), disable ISP2 and test, enable both and test.

I think my config is not smart; it does not take into account capacity in any form (ISP1 is 500/50, ISP2 is backup 100/10).
System had ISP1 with Distance of 1 so I manually added Distance of 2 for ISP2 which I think would allow users to prefer ISP.


Hopefully last request - for my config below anything else I may be missing or should think about?
/interface bridge
add admin-mac=6C:3B:6B:64:E0:34 auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] comment=ATT_WAN name=ATT_Uverse_Internet \
    speed=100Mbps
set [ find default-name=ether1 ] comment=WOW_WAN name=WOW_cable_internet \
    speed=100Mbps
set [ find default-name=ether2 ] comment="Internal LAN" name=ether2-master \
    speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=discover
add disabled=yes interface=ether3 list=discover
add disabled=yes interface=ether4 list=discover
add interface=ATT_Uverse_Internet list=WAN
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
add interface=WOW_cable_internet list=WAN
/ip address
add address=10.1.1.100/24 comment=defconf interface=bridge1 network=10.1.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=WOW_cable_internet
add disabled=no interface=ATT_Uverse_Internet
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.100 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.1.1.41,9.9.9.9
/ip dns static
add address=10.1.1.100 name=router
/ip firewall filter
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=WOW_cable_internet
add action=masquerade chain=srcnat out-interface=ATT_Uverse_Internet
/ip route
add distance=2 gateway=76.217.228.1
Last edited by ChiEngDa on Sun Nov 15, 2020 5:33 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 10:09 pm

I only see one route listed, besides that looking much better.
 
ChiEngDa
just joined
Topic Author
Posts: 7
Joined: Sun Nov 06, 2016 6:00 pm

Re: Dual WAN - Stuck in process. Please help

Sat Nov 14, 2020 10:28 pm

I only see one route listed, besides that looking much better.
I don't understand why it only lists that in config I export.. may be because the rest is 'dynamic' when I look at GUI ?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Dual WAN - Stuck in process. Please help

Sun Nov 15, 2020 12:54 am

Please post configs in code brackets, i.e., you will find them on the button menu.
Yes, you will only see the one, as the other is dynamic, i.e. from the DHCP client.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dual WAN - Stuck in process. Please help

Sun Nov 15, 2020 4:22 am

Thanks for the clarification, what about only one IP routing?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Dual WAN - Stuck in process. Please help

Sun Nov 15, 2020 10:27 am

Thanks for the clarification, what about only one IP routing?

If you want to see all routes, including dynamic ones, OP can post results of /ip route print
 
ChiEngDa
just joined
Topic Author
Posts: 7
Joined: Sun Nov 06, 2016 6:00 pm

Re: Dual WAN - Stuck in process. Please help

Sun Nov 15, 2020 4:17 pm

Thanks for the clarification, what about only one IP routing?

If you want to see all routes, including dynamic ones, OP can post results of /ip route print
Here it is. I don't get why ATT uses 76.217.228.1 for the gateway and 76.217.230.243 for the preferred source, but it seems to work. Everything was configured through the DHCP client attached to each connection; the ATT gateway is in passthrough mode.

I think failover works (since I tested it yesterday). I don't remember setting up the failback routes for each connection (the way I remember doing it in pfSense years ago: if A goes down -> B, if B goes down -> A, etc.).
 /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          65.60.182.1               1
 1  DS  0.0.0.0/0                          76.217.228.1              2
 2 ADC  10.1.1.0/24        10.1.1.100      bridge1                   0
 3 ADC  65.60.182.0/24     65.60.182.76    WOW_cable_internet        0
 4 ADC  76.217.228.0/22    76.217.230.243  ATT_Uverse_Inte...        0
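The routing half of anav's checklist (points (5) and (6)) and the "check gateway" / failback question raised earlier in the thread, as an added example that is not the OP's, anav's or MikroTik's own configuration. The route print above shows why plain distance alone is fragile: the ISP1 default route stays active as long as the Ethernet link to the cable modem is up, even if the ISP's upstream is dead. The gateway addresses 65.60.182.1 and 76.217.228.1 are taken from the OP's route print; the probe targets 9.9.9.9 and 1.1.1.1 are assumptions (any always-reachable public host works).

```routeros
# Added example, not from the thread. Recursive default routes with
# check-gateway=ping: each default route is usable only while its probe host
# answers ping through its own uplink, so failover and failback happen
# automatically without scripts.

/ip dhcp-client
# keep the leases (addresses, connected routes) but stop each client from
# installing a default route; the static routes below take over that job
set [ find interface=WOW_cable_internet ] add-default-route=no
set [ find interface=ATT_Uverse_Internet ] add-default-route=no

/ip route
# host routes pin one probe target to each uplink; scope=10 lets the default
# routes below resolve their next hop through these entries only
add dst-address=9.9.9.9/32 gateway=65.60.182.1 scope=10 \
    comment="probe host via ISP1 (gateway from route print)"
add dst-address=1.1.1.1/32 gateway=76.217.228.1 scope=10 \
    comment="probe host via ISP2 (gateway from route print)"

# distance=1 wins while the ISP1 probe answers; the moment it stops, the route
# is marked unreachable and the distance=2 route via ISP2 becomes active.
# When ISP1's probe succeeds again the distance=1 route is preferred again,
# which is the "failback" the pfSense setup did with explicit rules.
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=1 check-gateway=ping \
    target-scope=10 comment="default via ISP1 (500/50, primary)"
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=2 check-gateway=ping \
    target-scope=10 comment="default via ISP2 (100/10, backup)"
```

The static host routes hard-code the two ISP gateway addresses, so if either ISP hands out a different gateway over DHCP later, those two entries have to be updated; after applying, `/ip route print` should show the ISP1 default as ADS and the ISP2 default as DS, swapping only while ISP1's probe fails.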
