dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

2 ISP >> 2LAN

Thu May 27, 2021 6:54 am

I have two ISPs and I have two LANs, and I want each LAN with a different internet service provider
ISP 1 to LAN1
ISP2 to LAN2


All this I did in the next clip
https://www.youtube.com/watch?v=7HgrUmRA6Ac

But I have another problem, which is


LAN 1 LAN 2 cannot be reached
Can the problem be solved so that LAN1 can access LAN 2 and vice versa?
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Thu May 27, 2021 12:50 pm

Post your config

/export hide-sensitive file=anynameyouwish
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Thu May 27, 2021 2:01 pm

Please as you requested

anynameyouwish.rsc
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Thu May 27, 2021 2:02 pm

Please as you requested
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Thu May 27, 2021 2:14 pm

Please post your config, not part of it.
If you want help that is............. you are here for help please do not assume you know what to show or not to show!!!
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Thu May 27, 2021 2:34 pm

I did not hide or delete anything; that is what I see when using the command

/export hide-sensitive file=anynameyouwish

This is the code that appeared on the use of the command
/export
I am not an expert; if you want to know something else, tell me the method

 /export                                   
# apr/18/2021 08:07:34 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-ISP1-P2P
set [ find default-name=ether2 ] comment=WAN-ISP2-DSL
set [ find default-name=ether3 ] comment=LAN1-ISP1
set [ find default-name=ether4 ] comment=LAN2-ISP2
set [ find default-name=ether5 ] comment=SE
/ip pool
add name=dhcp_pool1 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether3 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether4 name=dhcp2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.2.192/24 comment=WAN-ISP1 interface=ether1 network=\
    192.168.2.0
add address=192.168.20.1/24 comment=LAN-ISP1 interface=ether3 network=\
    192.168.20.0
add address=192.168.10.2/24 comment=WAN-ISP2 interface=ether2 network=\
    192.168.10.0
add address=192.168.30.1/24 comment=LAN-ISP2 interface=ether4 network=\
    192.168.30.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment=P2P new-routing-mark=ISP1 \
    passthrough=yes src-address=192.168.20.0/24
add action=mark-routing chain=prerouting comment=DSL new-routing-mark=ISP2 \
    passthrough=yes src-address=192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes out-interface=ether2
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=1 gateway=192.168.10.1 routing-mark=ISP2
/system clock
set time-zone-name=Asia/Riyadh
[admin@MikroTik] > 
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Thu May 27, 2021 2:39 pm

1.jpg
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Thu May 27, 2021 3:11 pm

Ahh my bad, so you don't have firewall rules because you are behind another router??
Doesn't seem so if you are connecting to P2P whatever that is and dsl........
You don't need mangle rules to ensure LAN1 uses ISPX and LAN2 to use ISPy
Your source nat rule is not correct
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Thu May 27, 2021 3:51 pm

For the firewall I have deleted it temporarily
I drew an illustration
Can you modify the script to solve the problem?
TEST.jpg
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Thu May 27, 2021 3:59 pm

Note that ISP-1 (DSL) can access the server from outside the internal network
Unlike ISP-2 (4G) it cannot be accessed from the external network

Another note
ISP -1 (DSL) speed is only 4Mb
ISP -2 (4G) speed is 50Mbps
This is what made me do this
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Thu May 27, 2021 6:31 pm

Okay so routers 1 and 2 are not providing full routing to your devices, they are simply there for firewall protection and the MIKROTIK is left to handle DHCP and subnets etc......
Is that accurate??

Cannot guarantee anything will work not knowing what is going on in Routers 1 and Routers 2.

Change your IP routes to this (basically add routes that are required before any mangled route rules). In all cases the main table needs to be populated with standard routes first (they were missing).
/ip route
add distance=1 gateway=192.168.2.1 check-gateway=ping
add distance=2 gateway=192.168.10.1

add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=2 gateway=192.168.10.1 routing-mark=ISP2

Delete your mangle rules

Add two Route Rules.
First Rule
src-address=192.168.20.0/24
Action: LOOKUP
Table: ISP1

Second Rule
src-address=192.168.30.0/24
Action: LOOKUP
Table: ISP2

Done, should work in the following manner.
All users on LAN1 will go out ISP1. If ISP1 goes offline, the router will take LAN1 traffic and find the next available route on the main table and will send traffic out ISP2.
All users on LAN2 will go out ISP1. If ISP2 goes offline, the router will take LAN2 traffic and the find the next available route on the main table and will send traffic out ISP1

If you added more subnets they will go out LAN1, unless ISP1 goes offline and if so will be sent out ISP2.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Fri May 28, 2021 1:59 am

Thank you for the help, but I want the server to only connect to ISP1

And the rest of the ISP2 users only (the reason is fast connection)
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Fri May 28, 2021 3:34 am

What is your problem?
This is what you said in your first post!
I have two ISPs and I have two LANs, and I want each LAN with a different internet service provider
ISP 1 to LAN1
ISP2 to LAN2

THERE IS NO MENTION OF A SERVER!!!
THERE IS NO DST NAT RULE FOR A SERVER
THERE IS NO SERVER IP IDENTIFIED ANYWHERE.

Basically you suck as a communicator!

In any case the answer is easy, just do what I told you with the following adjustments.

/ip route
# ISP2 gets the shorter distance
add distance=5 gateway=192.168.10.1 check-gateway=ping
add distance=10 gateway=192.168.2.1

Delete your mangle rules

Add one Route Rule.
src-address=192.168.20.xx { where that is the IP of the server}
Action: LOOKUP
Table: ISP1

ALL LAN1 and LAN2 subnet traffic will go out ISP2 because it has a shorter distance setting.
The exception is the server which you stated by the rule above should go out ISP1.
Done

Now, in the case where ISP1 is not available (it is offline), then the router will move the traffic to the next available route in the Main Table in this case ISP2.
IF you do not want the server to use ISP2, if ISP1 is offline then you need to change the Action part of the Rule above to LOOKUP ONLY IN TABLE
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Fri May 28, 2021 9:37 am

Thank you very much for the help and I apologize for the many questions. Excuse me. Sometimes I cannot describe the problem precisely because my mother tongue is not English.
On the whole I think this works. I will try it and give you the result.
Can you take a final look at the final code?
# may/28/2021 09:38:29 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-ISP1-P2P
set [ find default-name=ether2 ] comment=WAN-ISP2-DSL
set [ find default-name=ether3 ] comment=LAN1-ISP1
set [ find default-name=ether4 ] comment=LAN2-ISP2
set [ find default-name=ether5 ] comment=SE
/ip pool
add name="pool isp1" ranges=192.168.20.100-192.168.20.254
add name="poo; isp2" ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool="pool isp1" disabled=no interface=ether3 name=dhcp1
add address-pool="poo; isp2" disabled=no interface=ether4 name=dhcp2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.2.192/24 comment=WAN-ISP1 interface=ether1 network=\
    192.168.2.0
add address=192.168.20.1/24 comment=LAN-ISP1 interface=ether3 network=\
    192.168.20.0
add address=192.168.10.2/24 comment=WAN-ISP2 interface=ether2 network=\
    192.168.10.0
add address=192.168.30.1/24 comment=LAN-ISP2 interface=ether4 network=\
    192.168.30.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment=P2P disabled=yes \
    new-routing-mark=ISP1 passthrough=yes src-address=192.168.20.0/24
add action=mark-routing chain=prerouting comment=DSL disabled=yes \
    new-routing-mark=ISP2 passthrough=yes src-address=192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes out-interface=ether2
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add disabled=yes distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=2 gateway=192.168.10.1 routing-mark=ISP2
add disabled=yes distance=1 gateway=192.168.10.1 routing-mark=ISP2
add distance=2 gateway=192.168.10.1
/ip route rule
add src-address=192.168.20.0/24 table=ISP1
add src-address=192.168.30.0/24 table=ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh

 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Fri May 28, 2021 1:23 pm

My directions have been clear, and yet I don't see that you have made any of the changes.
Why did you remove the default firewall rules ?
Where is your server identification in a destination NAT rule?

Suggest you get a consumer router like asus, and be happy because clearly you do not understand mikrotik and seem to be making little effort to learn.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Fri May 28, 2021 1:57 pm

After several tries, everything worked fine
ISP 1 to LAN1
ISP2 to LAN2
But I am still facing the same problem, which is

LAN1 devices cannot access LAN 2, and vice versa, LAN2 devices cannot access LAN 1

 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Fri May 28, 2021 4:45 pm

It's not a language problem, it's that you do not really know what you want, as your last post is exactly opposite of the first post.
No worries we will get there.


Follow my suggestion.

State all your requirements down exactly what you expect each user to be able to do.
So if you have 20 users, each with a different requirement then I would expect to see a list from 1. through 20.
If you have a GROUP of users with the same requirement that only needs one line of description.

So, please provide your list.
Then we can work on the config.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Fri May 28, 2021 6:21 pm

Note that my main problem in the first post was the same as my request currently. Can you help me?


But I have another problem, which is


LAN 1 LAN 2 cannot be reached
Can the problem be solved so that LAN1 can access LAN 2 and vice versa?

 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Fri May 28, 2021 6:58 pm

Okay so you want LAN1 to reach LAN2 and LAN2 to reach LAN1

?? WHY
Just use one LAN not two. The purpose of different subnets is to have two groups of users.
If there is no real difference of the groups in terms of requirements, just make it one LAN.

By the way, you need firewall rules to do that but you have removed them.
Put them back and then you will have connectivity between LANs
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Sat May 29, 2021 9:12 am

Thank you very much for your patience with me and your help

It is assumed that they are all one network and be under the service provider (ISP1), but because of the speed of the Internet in the service provider (ISP1) and it has features that I cannot give up, and only some devices must be connected to it
A service provider (ISP2) has been subscribed to solve the problem of internet speed, but some features are not available, which is (Static IP)
Now I want him to call
LAN1 with LAN2
And the
LAN2 with LAN1
Can you help me


 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Mon May 31, 2021 8:27 am

I'm waiting for you

 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Mon May 31, 2021 2:02 pm

You are confused, I have given you all the answers you need.

a. you want all LAN1 users to be able to reach LAN2 users
b. you want all LAN2 users to be able to reach LAN1 users
d. you want all users on both LAN1** and LAN2 to ONLY use ISP2 as it's faster.
e. ** you want to ensure one server ONLY uses LAN1

I have provided the direction to complete d and e.
You have refused to put in firewall rules, and that is where we would answer a and b.
My work is done.

From above posts....
In any case the answer is easy, just do what I told you with the following adjustments.
Get rid of mangle rules and then............. you need three routes, two standard and one copy for ISP1 with Route mark.



/ip route
# ISP2 gets the shorter distance
add distance=5 gateway=192.168.10.1 check-gateway=ping
add distance=10 gateway=192.168.2.1
add distance=10 gateway=192.168.2.1 routing-mark=ISP1

Add one Route Rule.
src-address=192.168.20.xx { where that is the IP of the server}
Action: LOOKUP ONLY in TABLE
Table: ISP1

ALL LAN1 and LAN2 subnet traffic will go out ISP2 because it has a shorter distance setting.
The exception is the server which you stated by the rule above should go out ISP1.
Done

As far as lan visibility that depends on our firewall forward chain rules which are not yet shown.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 3:46 pm

The translator
This is the currently used firewall rules
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 3:56 pm

Put the CPEs in bridge mode and let MikroTik handle WAN. Why are you double NATting (triple in the case of LTE) yourself?
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 4:04 pm

There are no firewall rules blocking lan1 to lan2 or lan2 to lan1 traffic. The router will route between them just fine.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 4:20 pm

Unfortunately, there is no connection between LAN1 to LAN2
And vice versa !!
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 4:21 pm

I reprogrammed again
Can you take a look where is the problem?

# may/29/2021 10:08:30 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WIN-ISP1
set [ find default-name=ether2 ] comment=WIN-ISP2
set [ find default-name=ether3 ] comment=LAN-ISP1
set [ find default-name=ether4 ] comment=LAN-ISP2
set [ find default-name=ether5 ] comment=SE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name="DHCP_POOL -SE" ranges=192.168.88.2-192.168.88.254
add name="DHCP_POOL -LAN1" ranges=192.168.20.100-192.168.20.254
add name="DHCP_POOL -LAN2" ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool="DHCP_POOL -SE" disabled=no interface=ether5 name=DHCP-SE \
    relay=0.0.0.1
add address-pool="DHCP_POOL -LAN1" disabled=no interface=ether3 name=DHCP-LAN1
add address-pool="DHCP_POOL -LAN2" disabled=no interface=ether4 name=DHCP-LAN2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=SE interface=ether5 network=192.168.88.0
add address=192.168.20.1/24 comment=LAN1-ISP1 interface=ether3 network=\
    192.168.20.0
add address=192.168.30.1/24 comment=LAN1-ISP1 interface=ether4 network=\
    192.168.30.0
add address=192.168.2.197/24 comment=WIN-ISP1 interface=ether1 network=\
    192.168.2.0
add address=192.168.10.3/24 comment=WIN-ISP2 interface=ether2 network=\
    192.168.10.0
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.20.0/24 dns-server=192.168.2.81 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.2.81 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
    192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add comment="MARK ISP1" distance=1 gateway=192.168.2.1 routing-mark=ISP1
add comment="MARK ISP1" distance=2 gateway=192.168.10.1 routing-mark=ISP2
add comment=gateway-ISP1 distance=1 gateway=192.168.2.1
add comment=gateway-ISP2 distance=2 gateway=192.168.10.1
/ip route rule
add action=lookup-only-in-table src-address=192.168.20.0/24 table=ISP1
add action=lookup-only-in-table src-address=192.168.30.251/32 table=ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 6:22 pm

So far looking just fine.

(1) Remove this meaningless gateway entry
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.20.0/24 dns-server=192.168.2.81 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.2.81 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

(2) Why dns-server at .2.81 ???? Just for now, please change to this for testing/elimination purposes:
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

(3) FIREWALL RULES Remove the first two rules that are forward chain, they are out of order and not grouped in the right spot for easy understanding. The rest of the rules are fine!!
Furthermore they are not required. Clearly you do not have access from LAN1 to LAN2 or vice versa with these rules in place so they are not effective because the problem isn't the firewall rules.
Note: If your last rule in the forward chain was drop all other traffic, then these two rules would make sense, as well as rules to allow LAN to WAN traffic which is automatically allowed by the default rule set as well.

/ip firewall filter
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 src-address=\
192.168.20.0/24



(4) I am a bit confused by the implementation of the IP Routes. They are correct when the requirements were this.
a. all LAN1 folks can only use ISP1 {look up only}
b. all LAN2 folks can only use ISP2 {look up only}

But I thought you had changed the requirements or clarified them to the following
i. all LAN1 and LAN2 folks should only use ISP2, because it's the faster network
ii. one device ( a server on LAN1) should only use LAN1

Furthermore you have to be careful of the ACTION selection on the Route Rules.
If you state LOOK UP, then if the ISP being pointed to is offline, the router will go back to the main table and see if there is another reachable route.
If you state LOOK UP ONLY, then if the ISP is offline, the router will NOT look elsewhere and no backup route is possible.

So, with that in mind, if you look at your current config
a. IF ISP1 goes offline, LAN1 folks will not get moved to ISP2
b. IF ISP2 goes offline , LAN2 folks will not get moved to ISP1

Therefore once again, I ask you to provide better explanation and consistent explanation of your requirements and please consider the case if ISP1 or ISP2 goes offline, what do you want to happen next or not.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 6:58 pm

Currently I use a computer
ip: 192.168.20.254
I tried to ping 192.168.30.251
For example, 192.168.30.251 is the server
No connection as attached
ping.jpg
# may/29/2021 09:48:54 by RouterOS 6.48.3
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WIN-ISP1
set [ find default-name=ether2 ] comment=WIN-ISP2
set [ find default-name=ether3 ] comment=LAN-ISP1
set [ find default-name=ether4 ] comment=LAN-ISP2
set [ find default-name=ether5 ] comment=SE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name="DHCP_POOL -SE" ranges=192.168.88.2-192.168.88.254
add name="DHCP_POOL -LAN1" ranges=192.168.20.100-192.168.20.254
add name="DHCP_POOL -LAN2" ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool="DHCP_POOL -SE" disabled=no interface=ether5 name=DHCP-SE \
    relay=0.0.0.1
add address-pool="DHCP_POOL -LAN1" disabled=no interface=ether3 name=DHCP-LAN1
add address-pool="DHCP_POOL -LAN2" disabled=no interface=ether4 name=DHCP-LAN2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=Maintenance interface=ether5 network=\
    192.168.88.0
add address=192.168.20.1/24 comment=LAN1-ISP1 interface=ether3 network=\
    192.168.20.0
add address=192.168.30.1/24 comment=LAN1-ISP1 interface=ether4 network=\
    192.168.30.0
add address=192.168.2.197/24 comment=WIN-ISP1 interface=ether1 network=\
    192.168.2.0
add address=192.168.10.3/24 comment=WIN-ISP2 interface=ether2 network=\
    192.168.10.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.88.0/24 comment=Maintenance gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add comment="MARK ISP1" distance=5 gateway=192.168.2.1 routing-mark=ISP1
add comment="MARK ISP1" distance=10 gateway=192.168.10.1 routing-mark=ISP2
add comment=gateway-ISP1 distance=5 gateway=192.168.2.1
add comment=gateway-ISP2 distance=10 gateway=192.168.10.1
/ip route rule
add comment="Users' devices for example" src-address=192.168.20.0/24 table=ISP1
add action=lookup-only-in-table comment="The server, for example" src-address=\
    192.168.30.251/32 table=ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN




So far looking just fine.

(1) Remove this meaningless gateway entry
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.20.0/24 dns-server=192.168.2.81 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.2.81 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

(2) Why dns-server at .2.81 ???? Just for now, please change to the following for testing/elimination purposes:
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

(3) FIREWALL RULES Remove the first two rules that are forward chain; they are out of order and not grouped in the right spot for easy understanding. The rest of the rules are fine!!
Furthermore, they are not required. Clearly you do not have access from LAN1 to LAN2 or vice versa with these rules in place, so they are not effective because the problem isn't the firewall rules.
Note: If your last rule in the forward chain was drop all other traffic, then these two rules would make sense, as well as rules to allow LAN to WAN traffic, which is automatically allowed by the default rule set as well.

/ip firewall filter
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 src-address=\
192.168.20.0/24



(4) I am a bit confused by the implementation of the IP Routes. They are correct when the requirements were this.
a. all LAN1 folks can only use ISP1 {look up only}
b. all LAN2 folks can only use ISP2 {look up only}

But I thought you had changed the requirements or clarified them to the following
i. all LAN1 and LAN2 folks should only use ISP2, because it's the faster network
ii. one device (a server on LAN1) should only use LAN1

Furthermore, you have to be careful of the ACTION selection on the Route Rules.
If you state LOOK UP, then if the ISP being pointed to is offline, the router will go back to the main table and see if there is another reachable route.
If you state LOOK UP ONLY, then if the ISP is offline, the router will NOT look elsewhere and no backup route is possible.

So, with that in mind, if you look at your current config
a. IF ISP1 goes offline, LAN1 folks will not get moved to ISP2
b. IF ISP2 goes offline, LAN2 folks will not get moved to ISP1

Therefore, once again, I ask you to provide a better and consistent explanation of your requirements, and please consider the case if ISP1 or ISP2 goes offline: what do you want to happen next, or not.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 8:20 pm

Then I suspect a firewall on the PC or server that you are trying to ping.
There is nothing I see on the MT that is blocking that traffic??
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 8:26 pm

I closed the firewall in both devices. I think there is a problem with the settings of the mikrotik

 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 8:34 pm

When working Disable to


src-address=192.168.20.0/24
Action: LOOKUP
Table: ISP1

Second Rule
src-address=192.168.30.0/24
Action: LOOKUP
Table: ISP2
Ping works


 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 11:16 pm

Glad it's working. What did you figure out was the issue, as it was not clear in your posts????
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 11:29 pm

The problem has not yet been solved
I canceled the Route Rules temporarily to make sure that the problem is not with my computer

I'm still facing the same problem
R.jpg
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN

Tue Jun 01, 2021 11:58 pm

The route rules have nothing to do with being unable to ping one LAN from the other.
I wish they were because I too want you to find the source of the issue.
 
iHyenDeer
just joined
Posts: 12
Joined: Wed Apr 18, 2018 10:45 am
Location: Mexico

Re: 2 ISP >> 2LAN

Wed Jun 02, 2021 5:37 am

I'm not an expert on routing, but I faced the same issue before. Besides the language barrier, all you need:

192.168.20.0/24 to communicate to 192.168.30.0/24 and vice versa, right?


Just add the src-address and dst-address on your rules for the main table:
one to allow 192.168.20.0/24 to talk to 192.168.30.0/24
and another one to allow 192.168.30.0/24 to talk back to 192.168.20.0/24.

If I'm not missing something important (besides security), that should do it.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Wed Jun 02, 2021 6:43 am

Right, that's what I want
192.168.20.0/24 to communicate to 192.168.30.0/24 and vice versa, right?
Where is it added?

 
iHyenDeer
just joined
Posts: 12
Joined: Wed Apr 18, 2018 10:45 am
Location: Mexico

Re: 2 ISP >> 2LAN

Wed Jun 02, 2021 6:54 am

Like this.

on your

ip>route>rules
show2.PNG
show 1.PNG
Should allow your two CIDR ranges to talk to each other.


 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Wed Jun 02, 2021 6:57 am

Thank you for your help, I tried the suggestion, but unfortunately it didn't work
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Wed Jun 02, 2021 8:53 am

Thank you for your help. I will try. If you have any suggestion, please share it with me.
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Sat Jun 05, 2021 7:11 pm

I have a question, what is the benefit of (check ping-gateway) as in the picture?
C-ping.jpg
You are confused, I have given you all the answers you need.

a. you want all LAN1 users to be able to reach LAN2 users
b. you want all LAN2 users to be able to reach LAN1 users
d. you want all users on both LAN1** and LAN2 to ONLY use ISP2 as it's faster.
e. ** you want to ensure one server ONLY uses LAN1

I have provided the direction to complete d and e.
You have refused to put in firewall rules, which is where we would answer a and b.
My work is done.

From above posts....
In any case the answer is easy, just do what I told you with the following adjustments.
Get rid of mangle rules and then............. you need three routes, two standard and one copy for ISP1 with Route mark.



/ip route
# ISP2 gets the shorter distance
add distance=5 gateway=192.168.10.1 check-gateway=ping
add distance=10 gateway=192.168.2.1
add distance=10 gateway=192.168.2.1 routing-mark=ISP1

Add one Route Rule.
src-address=192.168.20.xx { where that is the IP of the server}
Action: LOOKUP ONLY in TABLE
Table: ISP1

ALL LAN1 and LAN2 subnet traffic will go out ISP2 because it has a shorter distance setting.
The exception is the server which you stated by the rule above should go out ISP1.
Done

As far as lan visibility that depends on our firewall forward chain rules which are not yet shown.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 2 ISP >> 2LAN  [SOLVED]

Sat Jun 05, 2021 7:26 pm

For your network settings, change from
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
to
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

@ dhsv2
When you have failover settings, typically one differentiates the ISPs by distance, as the router will always select the shorter distance route in the MAIN table.
Hence


Now what happens when the first ISP goes down, not reachable, yes, the router will look on the MAIN table for any other reachable routes to send traffic,
Then the router will start using ISP2 for all the traffic assuming ISP2 is also available.
Next question, what happens when ISP1 comes back on-line.......... answer nothing, the router will not know that the route is now reachable because no attempt is made to use or "CHECK" that route.

So adding check-gateway=ping tells the router to keep checking if the ISP is available, which includes the scenario where it has gone offline.
Since the router is checking to see if it's up, when it comes back online the router will know that the route is once again reachable and, with the lower distance, will move traffic back to ISP1.
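
The route-rule behaviour discussed in this thread (LOOK UP versus LOOK UP ONLY, and the LAN-to-LAN rules suggested for the main table), as an added example that is not from any poster: a simplified Python model of route-rule evaluation built from the export posted above. The model's semantics (rules evaluated top-down, connected routes present only in `main`, `down` standing for gateways that check-gateway has marked unreachable) and the placement of the LAN-to-LAN rules first are assumptions of this example.

```python
import ipaddress as ip

# Constructed from the export posted in the thread; distance 0 = connected route.
TABLES = {
    "main": [("192.168.20.0/24", 0, "ether3"), ("192.168.30.0/24", 0, "ether4"),
             ("0.0.0.0/0", 5, "192.168.2.1"), ("0.0.0.0/0", 10, "192.168.10.1")],
    "ISP1": [("0.0.0.0/0", 5, "192.168.2.1")],    # routing-mark=ISP1
    "ISP2": [("0.0.0.0/0", 10, "192.168.10.1")],  # routing-mark=ISP2
}
# Route rules as posted: (src, dst, action, table), evaluated top-down.
RULES_POSTED = [
    ("192.168.20.0/24", "0.0.0.0/0", "lookup", "ISP1"),
    ("192.168.30.251/32", "0.0.0.0/0", "lookup-only-in-table", "ISP2"),
]
# LAN-to-LAN rules for the main table; placing them first is an assumption.
RULES_LAN_FIRST = [
    ("192.168.20.0/24", "192.168.30.0/24", "lookup", "main"),
    ("192.168.30.0/24", "192.168.20.0/24", "lookup", "main"),
] + RULES_POSTED


def best_route(table, dst, down):
    """Longest prefix wins, then lowest distance; gateways in `down` are inactive."""
    addr = ip.ip_address(dst)
    cands = [(ip.ip_network(net).prefixlen, -dist, gw)
             for net, dist, gw in TABLES[table]
             if addr in ip.ip_network(net) and gw not in down]
    return max(cands)[2] if cands else None


def next_hop(src, dst, rules, down=frozenset()):
    """Return the gateway/interface chosen for a packet, or None if unreachable."""
    for r_src, r_dst, action, table in rules:
        if (ip.ip_address(src) in ip.ip_network(r_src)
                and ip.ip_address(dst) in ip.ip_network(r_dst)):
            hop = best_route(table, dst, down)
            if hop is not None:
                return hop
            if action == "lookup-only-in-table":
                return None  # no fallback to another table
            # plain "lookup": nothing usable in this table, keep evaluating
    return best_route("main", dst, down)


if __name__ == "__main__":
    pc, server = "192.168.20.254", "192.168.30.251"
    print("posted rules, pc -> server:", next_hop(pc, server, RULES_POSTED))
    print("LAN rules first, pc -> server:", next_hop(pc, server, RULES_LAN_FIRST))
    print("ISP1 down, pc -> internet:",
          next_hop(pc, "8.8.8.8", RULES_POSTED, down={"192.168.2.1"}))
    print("ISP2 down, server -> internet:",
          next_hop(server, "8.8.8.8", RULES_POSTED, down={"192.168.10.1"}))
```

In this model, a source-only rule pointing at a table that holds just a default route sends LAN-to-LAN packets to the ISP gateway, because the connected routes for 192.168.20.0/24 and 192.168.30.0/24 are never consulted.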
 
dhsv2
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2017 6:03 pm

Re: 2 ISP >> 2LAN

Thu Jun 10, 2021 12:04 pm

thank you so much