Post your config
/export hide-sensitive file=anynameyouwish
I did not hide or delete anything; that is what I see when using the command.
Please post your config, not part of it.
If you want help, that is............. You are here for help, so please do not assume you know what to show or not to show!!!
/export
# apr/18/2021 08:07:34 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-ISP1-P2P
set [ find default-name=ether2 ] comment=WAN-ISP2-DSL
set [ find default-name=ether3 ] comment=LAN1-ISP1
set [ find default-name=ether4 ] comment=LAN2-ISP2
set [ find default-name=ether5 ] comment=SE
/ip pool
add name=dhcp_pool1 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether3 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether4 name=dhcp2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.2.192/24 comment=WAN-ISP1 interface=ether1 network=\
192.168.2.0
add address=192.168.20.1/24 comment=LAN-ISP1 interface=ether3 network=\
192.168.20.0
add address=192.168.10.2/24 comment=WAN-ISP2 interface=ether2 network=\
192.168.10.0
add address=192.168.30.1/24 comment=LAN-ISP2 interface=ether4 network=\
192.168.30.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment=P2P new-routing-mark=ISP1 \
passthrough=yes src-address=192.168.20.0/24
add action=mark-routing chain=prerouting comment=DSL new-routing-mark=ISP2 \
passthrough=yes src-address=192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes out-interface=ether2
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=1 gateway=192.168.10.1 routing-mark=ISP2
/system clock
set time-zone-name=Asia/Riyadh
For the firewall, I have deleted it temporarily.
Ahh, my bad. So you don't have firewall rules because you are behind another router??
Doesn't seem so if you are connecting to P2P, whatever that is, and DSL........
You don't need mangle rules to ensure LAN1 uses ISPx and LAN2 uses ISPy.
Your source NAT rule is not correct.
Thank you for the help, but I want the server to only connect to ISP1.
Okay, so routers 1 and 2 are not providing full routing to your devices; they are simply there for firewall protection, and the MikroTik is left to handle DHCP and subnets etc......
Is that accurate??
Cannot guarantee anything will work not knowing what is going on in Router 1 and Router 2.
Change your IP routes to this (basically add the routes that are required before any mangle-marked routes; in all cases the main table needs to be populated with standard routes first, and they were missing):
/ip route
add distance=1 gateway=192.168.2.1 check-gateway=ping
add distance=2 gateway=192.168.10.1
add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=2 gateway=192.168.10.1 routing-mark=ISP2
Delete your mangle rules
Add two Route Rules.
First Rule
src-address=192.168.20.0/24
Action: LOOKUP
Table: ISP1
Second Rule
src-address=192.168.30.0/24
Action: LOOKUP
Table: ISP2
Done, should work in the following manner.
All users on LAN1 will go out ISP1. If ISP1 goes offline, the router will take LAN1 traffic and find the next available route on the main table and will send traffic out ISP2.
All users on LAN2 will go out ISP1. If ISP2 goes offline, the router will take LAN2 traffic and find the next available route on the main table and will send traffic out ISP1.
If you added more subnets they will go out LAN1, unless ISP1 goes offline and if so will be sent out ISP2.
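As an added example (written for this page; it is neither the poster's config nor MikroTik documentation), here is the "standard routes first, marked copies second, two route rules last" design from the post above written out in RouterOS 6.48 syntax with the addresses from the posted export. The rule that keeps traffic to local networks in the main table, the per-interface NAT and the verification commands are the editor's additions, and check-gateway=ping is the real parameter behind "check ping-gateway".

```routeros
# Added example, not the poster's config: "standard routes first, marked copies
# second, route rules last" for two LANs and two ISPs, RouterOS 6.48 syntax.
# Addresses are the ones from the posted export.

/ip route
# Main table: both exits, ranked by distance and monitored. check-gateway=ping
# marks a route inactive when its next hop stops answering, so main always
# offers whichever ISP is still up; every rule below relies on that fallback.
add dst-address=0.0.0.0/0 gateway=192.168.2.1  distance=1 check-gateway=ping comment="main: ISP1 preferred"
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2 check-gateway=ping comment="main: ISP2 backup"
# Policy tables. In RouterOS 6 a table is simply the set of routes carrying a
# given routing-mark; connected routes live only in main.
add dst-address=0.0.0.0/0 gateway=192.168.2.1  routing-mark=ISP1 check-gateway=ping comment="table ISP1"
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=ISP2 check-gateway=ping comment="table ISP2"

/ip route rule
# Rules are evaluated top to bottom. Destinations in the local 192.168.0.0/16
# space (the other LAN, the router itself, the ISP transit nets) are resolved
# in main first. Without this rule a LAN1->LAN2 packet matches the only route
# in table ISP1, the default route, and is sent to the ISP1 router instead.
add dst-address=192.168.0.0/16 action=lookup table=main comment="local nets stay in main"
# action=lookup: if the table has no active route (ISP down, route withdrawn
# by check-gateway) the lookup continues in main, i.e. fails over to the other ISP.
add src-address=192.168.20.0/24 action=lookup table=ISP1 comment="LAN1 via ISP1, else main"
add src-address=192.168.30.0/24 action=lookup table=ISP2 comment="LAN2 via ISP2, else main"

/ip firewall nat
# Masquerade per exit interface. A bare "chain=srcnat action=masquerade" with
# no matcher also rewrites LAN1<->LAN2 traffic to the router's own address.
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT ISP1"
add chain=srcnat out-interface=ether2 action=masquerade comment="NAT ISP2"

# Verification. An active route carries the A flag; one whose gateway fails
# the ping check loses it. Disabling the ISP1 routes simulates an outage,
# after which LAN1 traffic should leave via ether2.
/ip route print detail where dst-address=0.0.0.0/0
/ip route rule print
/ip route disable [find gateway=192.168.2.1]
/ip route enable  [find gateway=192.168.2.1]
```

Rule order is the part that bites: the src-address rules must come after the rule for local destinations, because the first matching rule decides which table is consulted and a default route matches every destination.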
What is your problem?
This is what you said in your first post!
I have two spi and i have two lanterns and i want each lan provider with a different internet service provider
SPI 1 to LAN1
SPI2 tp LAN2
THERE IS NO MENTION OF A SERVER!!!
THERE IS NO DST NAT RULE FOR A SERVER
THERE IS NO SERVER IP IDENTIFIED ANYWHERE.
Basically you suck as a communicator!
In any case the answer is easy, just do what I told you with the following adjustments.
/ip route
add distance=5 gateway=192.168.10.1 check-gateway=ping comment="ISP2 gets the shorter distance"
add distance=10 gateway=192.168.2.1
Delete your mangle rules
Add one Route Rule.
src-address=192.168.20.xx { where that is the IP of the server}
Action: LOOKUP
Table: ISP1
ALL LAN1 and LAN2 subnet traffic will go out ISP2 because it has a shorter distance setting.
The exception is the server which you stated by the rule above should go out ISP1.
Done
Now, in the case where ISP1 is not available (it is offline), then the router will move the traffic to the next available route in the Main Table in this case ISP2.
IF you do not want the server to use ISP2, if ISP1 is offline then you need to change the Action part of the Rule above to LOOKUP ONLY IN TABLE
# may/28/2021 09:38:29 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-ISP1-P2P
set [ find default-name=ether2 ] comment=WAN-ISP2-DSL
set [ find default-name=ether3 ] comment=LAN1-ISP1
set [ find default-name=ether4 ] comment=LAN2-ISP2
set [ find default-name=ether5 ] comment=SE
/ip pool
add name="pool isp1" ranges=192.168.20.100-192.168.20.254
add name="poo; isp2" ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool="pool isp1" disabled=no interface=ether3 name=dhcp1
add address-pool="poo; isp2" disabled=no interface=ether4 name=dhcp2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.2.192/24 comment=WAN-ISP1 interface=ether1 network=\
192.168.2.0
add address=192.168.20.1/24 comment=LAN-ISP1 interface=ether3 network=\
192.168.20.0
add address=192.168.10.2/24 comment=WAN-ISP2 interface=ether2 network=\
192.168.10.0
add address=192.168.30.1/24 comment=LAN-ISP2 interface=ether4 network=\
192.168.30.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=8.8.8.8
/ip firewall mangle
add action=mark-routing chain=prerouting comment=P2P disabled=yes \
new-routing-mark=ISP1 passthrough=yes src-address=192.168.20.0/24
add action=mark-routing chain=prerouting comment=DSL disabled=yes \
new-routing-mark=ISP2 passthrough=yes src-address=192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes out-interface=ether2
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=ISP1
add disabled=yes distance=1 gateway=192.168.2.1 routing-mark=ISP1
add distance=2 gateway=192.168.10.1 routing-mark=ISP2
add disabled=yes distance=1 gateway=192.168.10.1 routing-mark=ISP2
add distance=2 gateway=192.168.10.1
/ip route rule
add src-address=192.168.20.0/24 table=ISP1
add src-address=192.168.30.0/24 table=ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh
But I have another problem, which is
LAN 1 LAN 2 cannot be reached
Can the problem be solved so that LAN1 can access LAN 2 and vice versa?
It's not a language problem; it's that you do not really know what you want, as your last post is exactly the opposite of the first post.
No worries we will get there.
Follow my suggestion.
State all your requirements down exactly what you expect each user to be able to do.
So if you have 20 users, each with a different requirement then I would expect to see a list from 1. through 20.
If you have a GROUP of users with the same requirement that only needs one line of description.
So, please provide your list.
Then we can work on the config.
Okay so you want LAN1 to reach LAN2 and LAN2 to reach LAN1
?? WHY
Just use one LAN not two. The purpose of different subnets is to have two groups of users.
If there is no real difference of the groups in terms of requirements, just make it one LAN.
By the way, you need firewall rules to do that but you have removed them.
Put them back and then you will have connectivity between LANs
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
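The default rule set posted above ends its forward chain with "drop all from WAN not DSTNATed" and nothing else, so LAN-to-LAN traffic is forwarded simply because no rule drops it. As an added example (not from the thread), here is a forward chain with an explicit final drop, where reachability between the two LANs is a stated rule rather than a side effect. Subnets and the WAN/LAN interface lists are the ones in the posted configs; letting the 192.168.88.0/24 maintenance network from the later exports open connections into both LANs is an assumption made for the example.

```routeros
# Added example, not the poster's config: a forward chain that ends in drop.
# RouterOS 6.48 syntax. Assumption: 192.168.88.0/24 on ether5 is a trusted
# maintenance network that may reach both LANs.

/ip firewall filter
# Stateful basics first: fasttrack/accept established flows, drop invalid.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Internet access for every LAN, whichever ISP the routing decision picked.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN -> WAN"
# Inter-LAN policy: state exactly who may initiate connections to whom.
add chain=forward action=accept src-address=192.168.88.0/24 out-interface-list=LAN comment="maintenance net -> both LANs"
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="LAN1 -> LAN2"
add chain=forward action=accept src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="LAN2 -> LAN1"
# Inbound from WAN only for connections that a dst-nat rule explicitly created.
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="allow DSTNATed"
# The final drop is what the default rule set lacks and what gives the accept
# rules above their meaning; logging it shows what is being refused.
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="drop everything else"
```

With this chain in place, removing the two LAN1/LAN2 accept rules would actually block inter-LAN traffic, which is the test of whether such rules are doing anything.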
You are confused, I have given you all the answers you need.
a. you want all LAN1 users to be able to reach LAN2 users
b. you want all LAN2 users to be able to reach LAN1 users
d. you want all users on both LAN1** and LAN2 to ONLY use ISP2 as its faster.
e. ** you want to ensure one server ONLY uses LAN1
I have provided the direction to complete d and e.
You have refused to put in firewall rules, which is where we would answer a and b.
My work is done.
From above posts....
In any case the answer is easy, just do what I told you with the following adjustments.
Get rid of mangle rules and then............. you need three routes, two standard and one copy for ISP1 with a route mark.
/ip route
add distance=5 gateway=192.168.10.1 check-gateway=ping comment="ISP2 gets the shorter distance"
add distance=10 gateway=192.168.2.1
add distance=10 gateway=192.168.2.1 routing-mark=ISP1
Add one Route Rule.
src-address=192.168.20.xx { where that is the IP of the server}
Action: LOOKUP ONLY in TABLE
Table: ISP1
ALL LAN1 and LAN2 subnet traffic will go out ISP2 because it has a shorter distance setting.
The exception is the server which you stated by the rule above should go out ISP1.
Done
As far as LAN visibility, that depends on your firewall forward chain rules, which are not yet shown.
There are no firewall rules blocking lan1 to lan2 or lan2 to lan1 traffic. The router will route between them just fine.
# may/29/2021 10:08:30 by RouterOS 6.48.2
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WIN-ISP1
set [ find default-name=ether2 ] comment=WIN-ISP2
set [ find default-name=ether3 ] comment=LAN-ISP1
set [ find default-name=ether4 ] comment=LAN-ISP2
set [ find default-name=ether5 ] comment=SE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name="DHCP_POOL -SE" ranges=192.168.88.2-192.168.88.254
add name="DHCP_POOL -LAN1" ranges=192.168.20.100-192.168.20.254
add name="DHCP_POOL -LAN2" ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool="DHCP_POOL -SE" disabled=no interface=ether5 name=DHCP-SE \
relay=0.0.0.1
add address-pool="DHCP_POOL -LAN1" disabled=no interface=ether3 name=DHCP-LAN1
add address-pool="DHCP_POOL -LAN2" disabled=no interface=ether4 name=DHCP-LAN2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=SE interface=ether5 network=192.168.88.0
add address=192.168.20.1/24 comment=LAN1-ISP1 interface=ether3 network=\
192.168.20.0
add address=192.168.30.1/24 comment=LAN1-ISP1 interface=ether4 network=\
192.168.30.0
add address=192.168.2.197/24 comment=WIN-ISP1 interface=ether1 network=\
192.168.2.0
add address=192.168.10.3/24 comment=WIN-ISP2 interface=ether2 network=\
192.168.10.0
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.20.0/24 dns-server=192.168.2.81 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.2.81 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 src-address=\
192.168.20.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ip route
add comment="MARK ISP1" distance=1 gateway=192.168.2.1 routing-mark=ISP1
add comment="MARK ISP1" distance=2 gateway=192.168.10.1 routing-mark=ISP2
add comment=gateway-ISP1 distance=1 gateway=192.168.2.1
add comment=gateway-ISP2 distance=2 gateway=192.168.10.1
/ip route rule
add action=lookup-only-in-table src-address=192.168.20.0/24 table=ISP1
add action=lookup-only-in-table src-address=192.168.30.251/32 table=ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# may/29/2021 09:48:54 by RouterOS 6.48.3
# software id = X4DJ-AS1Z
#
# model = 750GL
# serial number = 2E1B010AF526
/interface ethernet
set [ find default-name=ether1 ] comment=WIN-ISP1
set [ find default-name=ether2 ] comment=WIN-ISP2
set [ find default-name=ether3 ] comment=LAN-ISP1
set [ find default-name=ether4 ] comment=LAN-ISP2
set [ find default-name=ether5 ] comment=SE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name="DHCP_POOL -SE" ranges=192.168.88.2-192.168.88.254
add name="DHCP_POOL -LAN1" ranges=192.168.20.100-192.168.20.254
add name="DHCP_POOL -LAN2" ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool="DHCP_POOL -SE" disabled=no interface=ether5 name=DHCP-SE \
relay=0.0.0.1
add address-pool="DHCP_POOL -LAN1" disabled=no interface=ether3 name=DHCP-LAN1
add address-pool="DHCP_POOL -LAN2" disabled=no interface=ether4 name=DHCP-LAN2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=Maintenance interface=ether5 network=\
192.168.88.0
add address=192.168.20.1/24 comment=LAN1-ISP1 interface=ether3 network=\
192.168.20.0
add address=192.168.30.1/24 comment=LAN1-ISP1 interface=ether4 network=\
192.168.30.0
add address=192.168.2.197/24 comment=WIN-ISP1 interface=ether1 network=\
192.168.2.0
add address=192.168.10.3/24 comment=WIN-ISP2 interface=ether2 network=\
192.168.10.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.88.0/24 comment=Maintenance gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ip route
add comment="MARK ISP1" distance=5 gateway=192.168.2.1 routing-mark=ISP1
add comment="MARK ISP1" distance=10 gateway=192.168.10.1 routing-mark=ISP2
add comment=gateway-ISP1 distance=5 gateway=192.168.2.1
add comment=gateway-ISP2 distance=10 gateway=192.168.10.1
/ip route rule
add comment="Users' devices for example" src-address=192.168.20.0/24 table=ISP1
add action=lookup-only-in-table comment="The server, for example" src-address=\
192.168.30.251/32 table=ISP2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
So far looking just fine.
(1) Remove this meaningless gateway entry
/ip dhcp-server network
add gateway=0.0.0.1
add address=192.168.20.0/24 dns-server=192.168.2.81 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.2.81 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
(2) Why dns-server at .2.81???? Just for now, for testing/elimination purposes, please change to:
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
(3) FIREWALL RULES: Remove the first two rules in the forward chain; they are out of order and not grouped in the right spot for easy understanding. The rest of the rules are fine!!
Furthermore, they are not required. Clearly you do not have access from LAN1 to LAN2 or vice versa with these rules in place, so they are not effective, because the problem isn't the firewall rules.
Note: If your last rule in the forward chain was drop all other traffic, then these two rules would make sense, as well as rules to allow LAN to WAN traffic, which is automatically allowed by the default rule set as well.
/ip firewall filter
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 src-address=\
192.168.20.0/24
(4) I am a bit confused by the implementation of the IP Routes. They are correct when the requirements were this.
a. all LAN1 folks can only use ISP1 {look up only}
b. all LAN2 folks can only use ISP2 {look up only}
But I thought you had changed the requirements or clarified them to the following
i.. all LAN1 and LAN2 folks should only use ISP2, because its the faster network
ii. one device ( a server on LAN1) should only use LAN1
Furthermore you have to be careful of the ACTION selection on the Route Rules.
If you state LOOK UP, then if the ISP being pointed to is offline, the router will go back to the main table and see if there is another reachable route.
If you state LOOK UP ONLY, then if the ISP is offline, the router will NOT look elsewhere and no backup route is possible.
So, with that in mind, if you look at your current config
a. IF ISP1 goes offline, LAN1 folks will not get moved to ISP2
b. IF ISP2 goes offline , LAN2 folks will not get moved to ISP1
Therefore once again, I ask you to provide better explanation and consistent explanation of your requirements and please consider the case if ISP1 or ISP2 goes offline, what do you want to happen next or not.
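As an added example (not the poster's config), the "three routes plus one route rule" layout from the earlier post, with the LOOK UP versus LOOK UP ONLY distinction made in this post shown as two alternative rules, in RouterOS 6.48 syntax. Addresses are the thread's; the server address 192.168.20.50 is assumed, since the thread never names it, and the rule that keeps the server's local destinations in the main table is the editor's addition.

```routeros
# Added example, not the poster's config: everyone out ISP2 (shorter distance),
# one server allowed to use ISP1 only. RouterOS 6.48 syntax, thread addresses.
# Assumption: the server is 192.168.20.50 (never named in the thread).

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=5  check-gateway=ping comment="main: ISP2 preferred"
add dst-address=0.0.0.0/0 gateway=192.168.2.1  distance=10 check-gateway=ping comment="main: ISP1 backup"
# The only route in table ISP1. When 192.168.2.1 stops answering pings this
# route goes inactive and the table is, for lookup purposes, empty.
add dst-address=0.0.0.0/0 gateway=192.168.2.1  routing-mark=ISP1 check-gateway=ping comment="table ISP1"

/ip route rule
# Local destinations (LAN2, the maintenance net, the router itself) must be
# resolved in main, where the connected routes are. This rule has to come
# before the pinning rule or the server loses LAN2 even while ISP1 is healthy.
add src-address=192.168.20.50/32 dst-address=192.168.0.0/16 action=lookup table=main comment="server: local nets via main"

# Hard pin (LOOK UP ONLY). If table ISP1 holds no active route the lookup stops
# here and the packet gets no route at all: the server never leaks out via ISP2.
add src-address=192.168.20.50/32 action=lookup-only-in-table table=ISP1 comment="server: ISP1 or nothing"

# Soft pin (LOOK UP), same match, kept disabled for comparison. An empty table
# means "continue in main", so with this rule enabled and the one above disabled
# the server follows everyone else to ISP2 during an ISP1 outage.
add src-address=192.168.20.50/32 action=lookup table=ISP1 disabled=yes comment="server: ISP1, else main"

# No rule matches the rest of LAN1, LAN2 or the maintenance net, so they use
# main: ISP2 while its gateway answers, ISP1 otherwise.
```

Whichever action is chosen, the posted config's rule "src-address=192.168.20.0/24 action=lookup-only-in-table table=ISP1" with no preceding rule for local destinations sends LAN1's packets for LAN2 down the ISP1 default route, which is worth checking with /ip route rule print before blaming host firewalls.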
src-address=192.168.20.0/24
Action: LOOKUP
Table: ISP1
Second Rule
src-address=192.168.30.0/24
Action: LOOKUP
Table: ISP2
Then I suspect a firewall on the PC or server that you are trying to ping.
There is nothing I see on the MT that is blocking that traffic??
Glad it's working. What did you figure out was the issue, as it was not clear in your posts?
I'm not an expert on routing, but I faced the same issue before. Besides the language barrier, all you need:
192.168.20.0/24 to communicate with 192.168.30.0/24 and vice versa, right?
Just add the src-address and dst-address on your rules for the main table.
One to allow 192.168.20.0/24 to talk to 192.168.30.0/24
and another one to allow 192.168.30.0/24 to talk back to 192.168.20.0/24.
If I'm not missing something important (besides security), that should do it.
Like this, in your IP > Routes > Rules:
[screenshots: show2.PNG, show 1.PNG]
Should allow your two CIDR ranges to talk to each other.
Right, that's what I want. Where is it added?
The routes rules have nothing to do with being unable to ping one LAN from the other.
I wish they were because I too want you to find the source of the issue.
For your network settings, change from
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
to
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
@ dhsv2
When you have a failover settings, typically one differentiates the ISPs by distance as the router will always select the shorter distance route in the MAIN table.
Hence
Now, what happens when the first ISP goes down (not reachable)? Yes, the router will look in the MAIN table for any other reachable routes to send traffic.
Then the router will start using ISP2 for all the traffic, assuming ISP2 is also available.
Next question: what happens when ISP1 comes back online? Answer: nothing. The router will not know that the route is now reachable because no attempt is made to use or "CHECK" that route.
So adding check-gateway=ping tells the router to keep checking whether the ISP is available, which includes the scenario where it has gone offline.
Since the router is checking to see if it's up, when it comes back online the router will know that the route is once again reachable and, with the lower distance, will move traffic back to ISP1.
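One caveat a practitioner would add to the explanation above: in this thread both ISP next hops (192.168.2.1 and 192.168.10.1) are private addresses, that is, the upstream routers mentioned earlier. Those keep answering ping while their own internet uplink is dead, so check-gateway=ping on them never fails over. The added example below (written for this page, not from the thread) uses recursive next-hop resolution so that each default route is monitored by pinging a host beyond the ISP. RouterOS 6.48 syntax; using the thread's DNS servers 8.8.8.8 and 8.8.4.4 as the probe targets, one per ISP, is the editor's choice, and the statement that marked routes resolve their next hop through the main table like unmarked ones is an assumption to verify on your own router.

```routeros
# Added example, not the poster's config: recursive check-gateway so that
# failover triggers on loss of the ISP's internet path, not merely of the
# upstream router's LAN address. RouterOS 6.48 syntax.

/ip route
# Host routes pin each probe target to its own ISP. scope=10 lets these routes
# be used to resolve the gateway of other routes (default target-scope is 10).
add dst-address=8.8.8.8/32 gateway=192.168.2.1  scope=10 comment="probe for ISP1, always via ISP1"
add dst-address=8.8.4.4/32 gateway=192.168.10.1 scope=10 comment="probe for ISP2, always via ISP2"

# Default routes whose gateway is the probe address itself. The route stays
# active only while the probe answers, and the probe can only leave through the
# matching ISP because of the host routes above.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=5  check-gateway=ping comment="main: ISP1 preferred"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=10 check-gateway=ping comment="main: ISP2 backup"

# Per-LAN tables use the same recursive gateways so they also go inactive when
# the far side is unreachable (assumption: next hops of marked routes are
# resolved through the main table exactly as for unmarked routes).
add dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-mark=ISP1 check-gateway=ping comment="table ISP1"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-mark=ISP2 check-gateway=ping comment="table ISP2"

# Side effects to know about: the router's own DNS queries to 8.8.8.8 now always
# take ISP1 and those to 8.8.4.4 always take ISP2, and an outage of the probe
# host itself looks exactly like an outage of that ISP. Pick probe hosts you
# are prepared to treat that way.

# Observe: the recursive routes show the immediate next hop they resolved to,
# and a route whose probe fails loses the A (active) flag.
/ip route print detail where dst-address=0.0.0.0/0
/tool ping 8.8.8.8 count=3
```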