simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Forcing IP requests to a specific WAN

Wed Apr 14, 2021 7:32 pm

Good morning everyone.
I have a configuration with two WANs and a bridge. The WANs are configured in load balancing with PCC and everything works correctly.
I need the devices inside the bridge to reach one public IP, 138.68.XXX.XXX, only through a single WAN (WAN1 only).
I created this rule in the mangle:
add chain=prerouting action=mark-routing dst-address=138.68.XXX.XXX new-routing-mark=mark-server001 passthrough=no
And this rule in routes:
add distance=1 gateway=WAN1 routing-mark=mark-server001
But it is not working: I can't reach that IP anymore.
I'm sure I'm wrong, but I can't understand why.
Can I ask you for help?
Thanks so much!
Have a good day.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forcing IP requests to a specific WAN

Wed Apr 14, 2021 8:16 pm

Sorry, no can helpee unless you show the config, as all items have relationships!!
/export hide-sensitive file=anynameyouwish

How many LAN subnets do you have, by the way?
 
simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Re: Forcing IP requests to a specific WAN

Wed Apr 14, 2021 9:23 pm

> Sorry, no can helpee unless you show the config, as all items have relationships!!
> /export hide-sensitive file=anynameyouwish
>
> How many LAN subnets do you have, by the way?
Here I uploaded the export file https://drive.google.com/file/d/1YDbGj- ... sp=sharing
I have only one subnet: 192.168.1.0/24

Thank you so much for your help
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Forcing IP requests to a specific WAN

Wed Apr 14, 2021 10:24 pm

Post the file in the forum and add code tags like I have done with your file.
# apr/14/2021 20:13:21 by RouterOS 6.48.1
# software id = U3XR-QKMS
#
# model = RouterBOARD 941-2nD
# serial number = 661606E70404
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN1"
set [ find default-name=ether2 ] name="ether2 WAN2"
set [ find default-name=ether3 ] name="ether3 LAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface="ether3 LAN" multicast-router=disabled
add bridge=bridge1 interface=ether4 multicast-router=disabled
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add disabled=no interface="ether1 WAN1"
add disabled=no interface="ether2 WAN2"
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip firewall mangle
add action=mark-connection chain=input in-interface="ether1 WAN1" \
    new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=input in-interface="ether2 WAN2" \
    new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting dst-address-list=138.XXX.XXX.XXX \
    new-routing-mark=mark-server001 passthrough=no
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge1 new-connection-mark=WAN2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge1 new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge1 new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether2 WAN2"
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.75 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway="ether2 WAN2" routing-mark=to_WAN2
add distance=1 gateway="ether1 WAN1" routing-mark=mark-server001
/system clock
set time-zone-name=Europe/Rome
/system script
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Forcing IP requests to a specific WAN

Wed Apr 14, 2021 10:27 pm

If you change from
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether2 WAN2"
to:
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
You will only have one way out: WAN1
 
simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Re: Forcing IP requests to a specific WAN

Wed Apr 14, 2021 10:34 pm

> If you change from
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface="ether1 WAN1"
> add action=masquerade chain=srcnat out-interface="ether2 WAN2"
> to:
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface="ether1 WAN1"
> You will only have one way out: WAN1
All traffic will go out on WAN1. All traffic must be balanced across the two WANs, with the exception of traffic directed to that specific IP address.
Thank you
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Forcing IP requests to a specific WAN

Wed Apr 14, 2021 10:43 pm

Something like this may do, then:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=138.68.0.0/16 out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether1 WAN1"
add action=masquerade chain=srcnat out-interface="ether2 WAN2"
PS: No need to quote the post above you; use the Post Reply button below the post.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Forcing IP requests to a specific WAN

Wed Apr 14, 2021 11:36 pm

/ip firewall mangle
add chain=prerouting action=mark-routing dst-address=138.68.XXX.XXX in-interface=bridge1 new-routing-mark=to_WAN1 passthrough=no
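
The one-line fix above only works if the rule sits before the PCC rules and if the to_WAN1 table actually has a usable route. Written out as a complete RouterOS v6 configuration, this is an added example and not the thread's export or any poster's own config. Assumptions: 192.0.2.1 and 198.51.100.1 are placeholder next-hop addresses for WAN1 and WAN2 (take the real ones from /ip dhcp-client print), the address-list name via-wan1 is invented, and the XXX octets stay elided as in the thread.

```routeros
# Added example, not the thread's export: PCC balancing with one destination
# pinned to WAN1. Placeholders (assumptions): 192.0.2.1 = WAN1 next hop,
# 198.51.100.1 = WAN2 next hop; the XXX octets are left elided as in the thread.

/ip firewall address-list
add list=via-wan1 address=138.68.XXX.XXX comment="destinations pinned to WAN1"

/ip firewall mangle
# 1. Pinned destinations go FIRST: set the routing mark and stop (passthrough=no),
#    so the PCC rules below never classify these packets.
add chain=prerouting in-interface=bridge1 dst-address-list=via-wan1 \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no

# 2. Remember which WAN a connection came in on, so the router's own replies
#    leave through the same WAN (output-chain rules).
add chain=input in-interface="ether1 WAN1" action=mark-connection \
    new-connection-mark=WAN1 passthrough=yes
add chain=input in-interface="ether2 WAN2" action=mark-connection \
    new-connection-mark=WAN2 passthrough=yes
add chain=output connection-mark=WAN1 action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2 action=mark-routing new-routing-mark=to_WAN2

# 3. PCC: classify only connections that carry no mark yet
#    (connection-mark=no-mark is the standard PCC pattern).
add chain=prerouting in-interface=bridge1 dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/0 \
    action=mark-connection new-connection-mark=WAN1 passthrough=yes
add chain=prerouting in-interface=bridge1 dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/1 \
    action=mark-connection new-connection-mark=WAN2 passthrough=yes

# 4. Connection mark -> routing mark for LAN-originated packets.
add chain=prerouting in-interface=bridge1 connection-mark=WAN1 \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=yes
add chain=prerouting in-interface=bridge1 connection-mark=WAN2 \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=yes

/ip route
# Per-mark tables. The gateway must be the next-hop IP: on an Ethernet WAN,
# gateway="ether1 WAN1" makes the router ARP for the remote address itself,
# which is why the original mark-server001 route black-holed the traffic.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_WAN1 \
    check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_WAN2 \
    check-gateway=ping distance=1
# Main table: plain default routes for the router itself and for any packet
# whose marked table has no active route (WAN1 preferred, WAN2 backup).
add dst-address=0.0.0.0/0 gateway=192.0.2.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 check-gateway=ping distance=2

/ip firewall nat
add chain=srcnat out-interface="ether1 WAN1" action=masquerade
add chain=srcnat out-interface="ether2 WAN2" action=masquerade
```

To check it, ping the address from a LAN host and watch the first mangle rule's counters climb in /ip firewall mangle print stats, and confirm the to_WAN1 route is active (A flag) in /ip route print where routing-mark=to_WAN1. Two caveats: the DHCP clients install their own main-table default routes while add-default-route=yes, so either drop the two static main-table routes above or set add-default-route=no on the clients; and this approach fails open, because when check-gateway marks WAN1 dead, RouterOS v6 falls back to the main table and the pinned destination will leave through WAN2. If that must never happen, a route rule with lookup-only-in-table is the fail-closed alternative.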
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forcing IP requests to a specific WAN

Thu Apr 15, 2021 12:45 am

Very nice Jotne!
I was going to recommend a routing solution, not a source NAT solution.
Source NAT tells the router which public IP should be used to provide NATing for the private IP, but does not tell the router which route that traffic should take?
When you add mangling into the mix I get right confused.

First of ALL, I don't understand MARKING ANY ROUTES without having normal ROUTES first established for the router.
So to me this should be:
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.75 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway="ether2 WAN2" routing-mark=to_WAN2
add distance=1 gateway="ether1 WAN1" routing-mark=mark-server001

LIKE THIS
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.75
add check-gateway=ping distance=1 gateway="ether2 WAN2"
add distance=1 gateway="ether1 WAN1"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping distance=1 gateway=192.168.3.75 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway="ether2 WAN2" routing-mark=to_WAN2
add distance=1 gateway="ether1 WAN1" routing-mark=mark-server001


To be honest, I don't know what the heck 192.168.3.75 is doing there.
I thought there were two WANs, one and two; does the OP have three WANs?
Or is that the source (the device that only needs to access the specific exterior WAN IP)?
(Or is there a group of devices? It was really not made clear.)

I would use a route rule:
source address=specific device OR
dst address=exterior WAN IP
action=lookup only in table
table=use-this-only

where
another route is established (a third one, for WAN1):
add distance=1 gateway="ether1 WAN1" routing-mark=use-this-only (and with this approach no mangling is required)
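
The route-rule approach described above, written out in RouterOS v6 syntax. This is an added example, not anav's own configuration or the thread's export; 192.0.2.1 is an assumed placeholder for the WAN1 next hop, and the table name use-this-only is the one used in the post.

```routeros
# Added example, not anav's own config: the route-rule alternative in
# RouterOS v6 syntax. 192.0.2.1 is an assumed placeholder for the WAN1 next hop.

/ip route
# A table that contains nothing but a WAN1 default route.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=use-this-only \
    check-gateway=ping distance=1

/ip route rule
# LAN traffic for the pinned destination is resolved in that table only.
# lookup-only-in-table has no fallback: if WAN1 is down the packets are
# dropped instead of leaking out through WAN2. Use action=lookup instead
# if a fallback to the main table is wanted.
add src-address=192.168.1.0/24 dst-address=138.68.XXX.XXX/32 \
    action=lookup-only-in-table table=use-this-only
```

Keep the existing PCC mangle rules from also marking this connection (add dst-address=!138.68.XXX.XXX to both PCC mark-connection rules), so the route rule is the only thing deciding the path. Note also that, unlike a failed routing-mark lookup, lookup-only-in-table never falls back to the main table, which is exactly the property you want when a destination must only ever be contacted from WAN1's address.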
