minoarpi
just joined
Topic Author
Posts: 3
Joined: Sun Jun 27, 2021 11:08 pm

WAN1 and WAN2 loadbalancing - want to add WAN3 with separate wifi

Mon Jun 28, 2021 3:41 pm

Hi guys,
I am a newbie to Mikrotik stuff; recently I made a dual balancing setting based on information from the internet and it works OK.
I have recently decided to add a 3rd WAN interface only for my backup purpose – no need to add it into the current load balancing config. I just wanted to be able to connect to it via the wlan1 interface – I mean the WAN3 port and its traffic assigned to the wlan1 interface – so when I connect to WIFI only WAN3 traffic is used. It would be good to have access to the other WAN interfaces for monitoring purposes…
Honestly, I tried several settings to do that but it did not work in the end – so I had to restore my previous settings … Any hint would be appreciated; I could also add my current config if it helps.
Thanks a lot for your feedback!

I've tried to add a vlan for WAN3 and the wlan1 interface - looks like it's working, however I'd like to be able to have management access from both bridges - I probably need to create additional mangle rules but I am struggling.
But you might suggest a "more clever" solution, so I am adding my current config below.
Thanks for any suggestions.
/interface bridge
add admin-mac=08:55:31:70:38:29 auto-mac=no comment=defconf name=bridge
add name=bridgeVLAN10
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether4 ] name=WAN3
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-70382E wireless-protocol=802.11
/interface vlan
add interface=WAN3 name=vlanWAN3 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    WifiDoma supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=slovakia disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge security-profile=WifiDoma ssid=\
    OrangeLTE wireless-protocol=802.11
/interface vlan
add interface=wlan1 name=vlanWLAN1 vlan-id=10
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/queue simple
add max-limit=1M/15M name="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.0/24
add max-limit=768k/8M name=Xbox parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.248/32
add max-limit=768k/4M name=LG_Spalna parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.249/32
add max-limit=768k/4M name=AntikDole parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.247/32
add max-limit=768k/7M name=AntikHore parent="Orange Bandwith" priority=1/1 \
    queue=pcq-upload-default/pcq-download-default target=192.168.1.246/32
add max-limit=768k/4M name="Jakub TV Stick" parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.245/32
add max-limit=768k/2M name=GoogleHomeHore parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.252/32
add max-limit=768k/3M name=LG_Jakub parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.253/32
add max-limit=768k/3M name=Chromecast parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.254/32
add disabled=yes max-limit=768k/7M name=LG-Obyvacka parent="Orange Bandwith" \
    priority=1/1 queue=pcq-upload-default/pcq-download-default target=\
    192.168.1.251/32
add max-limit=768k/2M name=GoogleHomeDole parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.250/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether5
add bridge=bridgeVLAN10 comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridgeVLAN10 interface=WAN3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN3 list=WAN
add interface=bridgeVLAN10 list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add add-default-route=no comment=defconf disabled=no interface=WAN1
add add-default-route=no comment=defconf disabled=no interface=WAN2
# DHCP client can not run on slave interface!
add disabled=no interface=WAN3
/ip dhcp-server lease
add address=192.168.1.252 mac-address=00:F6:20:D3:12:56 server=defconf
add address=192.168.1.250 mac-address=F8:0F:F9:8D:5D:D4 server=defconf
add address=192.168.1.249 client-id=1:c8:8:e9:93:23:ad mac-address=\
    C8:08:E9:93:23:AD server=defconf
add address=192.168.1.248 client-id=1:f0:6e:b:f3:3d:ab mac-address=\
    F0:6E:0B:F3:3D:AB server=defconf
add address=192.168.1.253 mac-address=CC:2D:8C:37:FF:EC server=defconf
add address=192.168.1.254 mac-address=6C:AD:F8:54:FD:2E server=defconf
add address=192.168.1.32 client-id=1:f4:8c:eb:a7:7:8a mac-address=\
    F4:8C:EB:A7:07:8A server=defconf
add address=192.168.1.247 client-id=1:0:16:2a:83:39:ad mac-address=\
    00:16:2A:83:39:AD server=defconf
add address=192.168.1.246 client-id=1:0:16:2a:84:5f:cc mac-address=\
    00:16:2A:84:5F:CC server=defconf
add address=192.168.1.27 client-id=1:38:6a:77:3d:cc:e7 mac-address=\
    38:6A:77:3D:CC:E7 server=defconf
add address=192.168.1.21 client-id=1:f4:8c:eb:a6:d8:f2 mac-address=\
    F4:8C:EB:A6:D8:F2 server=defconf
add address=192.168.1.245 client-id=1:6c:d:c4:c7:21:e0 mac-address=\
    6C:0D:C4:C7:21:E0 server=defconf
add address=192.168.1.233 client-id=1:20:17:42:a0:8b:2a mac-address=\
    20:17:42:A0:8B:2A server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.245-192.168.1.254 list=Orange
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to_WAN2 \
    passthrough=no src-address-list=Orange
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.6.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.100.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridgeVLAN10 new-connection-mark=WAN3_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/2
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=WAN1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=WAN2
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=vlanWAN3
/ip route
add distance=2 gateway=192.168.100.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.3.2 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.3.2
add distance=2 gateway=192.168.100.1
add disabled=yes distance=1 gateway=\
    192.168.3.2,192.168.3.2,192.168.3.2,192.168.100.1
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN1 and WAN2 loadbalancing - want to add WAN3 with separate wifi

Wed Jun 30, 2021 4:48 pm

It would help to know what you mean by management.
Adding a third WAN is easy, only allowing WLAN1 to access WAN3 is easy.
It's the unclear messaging on management that is messy.

Does the WAN ISP come in on a vlan tag?
If not, then don't assign a vlan to the WAN traffic; add the vlan tag to the WLAN traffic.
You use a bridgevlan10 later on in the config (which you should remove, by the way) but also fail to define it at the start!

I am of two minds; I prefer all vlans on one bridge, like this.
Assign the WLAN to the bridge port
Assign the vlan10 to the bridge as its parent interface.

Assign a vlan for the rest of the bridge
Vlan20 parent interface is bridge.

Vlan10 and Vlan20 ip address, dhcp pool, dhcp server, dhcp-server-network
Vlan 20 takes over from your bridge settings already in place so the bridge only does bridging.

However if there are NOT multiple vlans going over any single port your approach is fine.
Bridge for all ports except WLAN1 which is associated with the vlan

So just change the parent interface of the VLAN10 to WLAN1 and not WAN1!


You still need an ip address, ip pool, dhcp-server and dhcp-server network for vlan10.
REMOVE vlan10 from the bridge port settings.
Remove the made up bridgevlan10 bridge you made up at bridge port time, not defined at the top; further, you don't need another bridge anyway.

Your masquerade rule should state out-interface=WAN3, not the vlan.

I don't see an IP route for wan3??
GET RID OF ALL MANGLE RULES for WAN3, don't need it.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN1 and WAN2 loadbalancing - want to add WAN3 with separate wifi

Wed Jun 30, 2021 5:02 pm

For IP Routes, ensuring WLAN1 uses WAN3 is easy.
Create a standard routing entry (main table entry for WAN3),
then create a second entry, a copy of the first one but with the entry of Routing Mark: wan3wifi

Then go to Routing Rules and
you can input source address 192.168.3.0/24 (whatever the subnet is for wlan1)
OR interface vlan10, your choice, either or...

Then go to ACTION: and enter lookup only in table.
Then for TABLE enter wan3wifi

In this regard wlan1 users will be directed to use WAN3 all the time.
If WAN3 is not available then they will not have internet access, but you didn't make it clear what happens if WAN3 is not available.
 
minoarpi
just joined
Topic Author
Posts: 3
Joined: Sun Jun 27, 2021 11:08 pm

Re: WAN1 and WAN2 loadbalancing - want to add WAN3 with separate wifi

Wed Jun 30, 2021 6:10 pm

Appreciate your feedback!
Honestly, I got confused myself, as meanwhile I did some adjustments and when I tried to restore my last "working" config, one of my connected routers stopped responding...
However, below is my last working config, from which I started to apply the desired settings I mentioned in the beginning - to separate WAN3.
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether4 ] name=WAN3
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-70382E wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    WifiDoma supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=slovakia disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge security-profile=WifiDoma ssid=\
    OrangeLTE wireless-protocol=802.11
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/queue simple
add max-limit=1M/15M name="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.0/24
add max-limit=768k/8M name=Xbox parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.248/32
add max-limit=768k/4M name=LG_Spalna parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.249/32
add max-limit=768k/4M name=AntikDole parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.247/32
add max-limit=768k/7M name=AntikHore parent="Orange Bandwith" priority=1/1 \
    queue=pcq-upload-default/pcq-download-default target=192.168.1.246/32
add max-limit=768k/4M name="Jakub TV Stick" parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.245/32
add max-limit=768k/2M name=GoogleHomeHore parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.252/32
add max-limit=768k/3M name=LG_Jakub parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.253/32
add max-limit=768k/3M name=Chromecast parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.254/32
add disabled=yes max-limit=768k/7M name=LG-Obyvacka parent="Orange Bandwith" \
    priority=1/1 queue=pcq-upload-default/pcq-download-default target=\
    192.168.1.251/32
add max-limit=768k/2M name=GoogleHomeDole parent="Orange Bandwith" queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.250/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN3 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add add-default-route=no comment=defconf disabled=no interface=WAN1
add add-default-route=no comment=defconf disabled=no interface=WAN2
add disabled=no interface=WAN3
/ip dhcp-server lease
add address=192.168.1.252 mac-address=00:F6:20:D3:12:56 server=defconf
add address=192.168.1.250 mac-address=F8:0F:F9:8D:5D:D4 server=defconf
add address=192.168.1.249 client-id=1:c8:8:e9:93:23:ad mac-address=\
    C8:08:E9:93:23:AD server=defconf
add address=192.168.1.248 client-id=1:f0:6e:b:f3:3d:ab mac-address=\
    F0:6E:0B:F3:3D:AB server=defconf
add address=192.168.1.253 mac-address=CC:2D:8C:37:FF:EC server=defconf
add address=192.168.1.254 mac-address=6C:AD:F8:54:FD:2E server=defconf
add address=192.168.1.32 client-id=1:f4:8c:eb:a7:7:8a mac-address=\
    F4:8C:EB:A7:07:8A server=defconf
add address=192.168.1.247 client-id=1:0:16:2a:83:39:ad mac-address=\
    00:16:2A:83:39:AD server=defconf
add address=192.168.1.246 client-id=1:0:16:2a:84:5f:cc mac-address=\
    00:16:2A:84:5F:CC server=defconf
add address=192.168.1.27 client-id=1:38:6a:77:3d:cc:e7 mac-address=\
    38:6A:77:3D:CC:E7 server=defconf
add address=192.168.1.21 client-id=1:f4:8c:eb:a6:d8:f2 mac-address=\
    F4:8C:EB:A6:D8:F2 server=defconf
add address=192.168.1.245 client-id=1:6c:d:c4:c7:21:e0 mac-address=\
    6C:0D:C4:C7:21:E0 server=defconf
add address=192.168.1.233 client-id=1:20:17:42:a0:8b:2a mac-address=\
    20:17:42:A0:8B:2A server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.245-192.168.1.254 list=Orange
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to_WAN2 \
    passthrough=no src-address-list=Orange
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.6.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.100.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/2
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=WAN1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=WAN2
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=WAN3
/ip route
add distance=2 gateway=192.168.100.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.3.2 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.3.2
add distance=2 gateway=192.168.100.1
add disabled=yes distance=1 gateway=\
    192.168.3.2,192.168.3.2,192.168.3.2,192.168.100.1
So can you please navigate me from here to use WAN3 via wlan1?
Will it work without creating VLANs, using IP routes only...?
Btw, by "management" access I mean being able to access the gateway IP no matter which interface I use...
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN1 and WAN2 loadbalancing - want to add WAN3 with separate wifi

Wed Jun 30, 2021 7:58 pm

As stated,
create a vlan and attach it to whatever wlanX you want to use for WAN3.
Ensure:
a. you remove wlanX from the bridge if it's currently attached; if wlanX is a new wlan, no worries
b. define vlan10 with interface wlanX
c. give vlan10 an IP address, ip pool, dhcp server, dhcp server-network
d. remove any instance of WAN3 in your mangling rules (and it may change your pcc settings 0/3, 1/3, 2/3, 3/3 etc.)
e. Apply the IP route suggestions I made on the previous post.
f. ensure you add vlan10 to the LAN interface as a member.

Decide if wlanX should access any other WANS if WAN3 is not available.
a. NO, then use Action: lookup ONLY in table.
b. YES, then use Action: lookup in table.

The only other thing that you may need to do is modify the forward chain filter rules to prevent WLANX to the bridge subnet via L3.
The easiest way to do this on the default config is simple.
add chain=forward action=drop in-interface=vlan10 out-interface=bridge (1)
and if you also want to block bridge folks from accessing WLANX
add chain=forward action=drop in-interface=bridge out-interface=vlan10 (2)

Note: you can use src-address and dst-address where they describe the subnets instead of using interface designations; both are correct.
You can do both, which means the router checks both the interface and address information to match the packets.

However, I recommend changing the default rule by adding a drop all rule at the end of the forward chain.

So instead of
Rule Block (1)
Rule Block (2)
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


One has...
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

a. So the drop all rule covers the two rules one would have to make anyway.
b. The DST nat rule is simplified and only covers allowing port forwarding if desired (you should disable it as you don't have any need at the moment).
c. The DST nat rule which also blocks WAN to LAN traffic is covered by the block all rule, which also blocks LAN to LAN traffic and LAN to WAN traffic (everything not already allowed)*****

*********** You should realize that one rule does have to be added since we have a block everything rule, and this rule should go before the block all rule.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="Allow internet traffic"
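
Added example, not part of the thread or of anyone's posted config: a simplified first-match model, in Python, of the forward chain discussed in the reply above, comparing the posted default chain with the accept-then-drop-all chain. It assumes vlan10 is a member of the LAN list, writes the LAN match as in-interface-list, keeps the established/related and invalid rules from the posted config, and models only the matchers these rules use.

```python
import shlex

# Interface lists from the posted config, plus vlan10 added to LAN as the
# reply suggests (vlan10 is the reply's name for the Wi-Fi VLAN interface).
LISTS = {"LAN": {"bridge", "vlan10"}, "WAN": {"WAN1", "WAN2", "WAN3"}}

# Default forward chain from the posted config (ipsec and disabled rules omitted).
DEFCONF = """
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

# Chain described in the reply: explicit accepts, then an unconditional drop.
PROPOSED = """
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward
"""


def parse(text):
    """Turn 'add key=value ...' lines into an ordered list of dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules


def _negatable(value, test):
    """Apply the '!' negation prefix to a single-valued matcher."""
    return not test(value[1:]) if value.startswith("!") else test(value)


def matches(rule, pkt):
    """True if every matcher in the rule agrees with the packet (simplified)."""
    for key, value in rule.items():
        side = key.split("-")[0]  # "in" or "out" for interface matchers
        if key in ("action", "chain", "comment"):
            continue
        if key == "connection-state":
            ok = pkt["state"] in value.split(",")
        elif key == "connection-nat-state":  # only dstnat is modelled
            ok = _negatable(value, lambda v: v == "dstnat" and pkt["dstnat"])
        elif key in ("in-interface", "out-interface"):
            ok = _negatable(value, lambda v: pkt[side] == v)
        elif key in ("in-interface-list", "out-interface-list"):
            ok = _negatable(value, lambda v: pkt[side] in LISTS[v])
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if not ok:
            return False
    return True


def verdict(rules, pkt, chain="forward"):
    """First matching rule decides; a packet matching no rule is accepted."""
    for rule in rules:
        if rule.get("chain") == chain and matches(rule, pkt):
            return rule["action"]
    return "accept"


def flow(src, dst, state="new", dstnat=False):
    return {"in": src, "out": dst, "state": state, "dstnat": dstnat}


def compare():
    """Return {case: (verdict under DEFCONF, verdict under PROPOSED)}."""
    cases = {  # constructed sample flows
        "wifi -> bridge LAN": flow("vlan10", "bridge"),
        "bridge LAN -> wifi": flow("bridge", "vlan10"),
        "wifi -> internet": flow("vlan10", "WAN3"),
        "WAN -> LAN, no dstnat": flow("WAN1", "bridge"),
        "WAN -> LAN, dstnat": flow("WAN1", "bridge", dstnat=True),
        "reply traffic": flow("WAN3", "vlan10", state="established"),
    }
    old, new = parse(DEFCONF), parse(PROPOSED)
    return {n: (verdict(old, p), verdict(new, p)) for n, p in cases.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:24} defconf={old:7} proposed={new}")
```

The first two rows are the point: without a final drop, traffic between the Wi-Fi VLAN and the bridge subnet matches no rule and is accepted.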
 
minoarpi
just joined
Topic Author
Posts: 3
Joined: Sun Jun 27, 2021 11:08 pm

Re: WAN1 and WAN2 loadbalancing - want to add WAN3 with separate wifi

Thu Jul 01, 2021 1:53 pm

Thanks a lot!
Will try to apply it.
