patrickbeau
just joined
Topic Author
Posts: 4
Joined: Sat Jul 31, 2021 1:17 pm

Dual Wan and incoming port translation

Sun Aug 01, 2021 12:13 pm

Hello,

You'll see reading it: I'm a noob to MikroTik (and bought one to discover it). I'm facing a no-way issue and am bored of resetting it after making mistakes, so I stopped at a basic configuration.

My router is connected to 2 ISPs with dynamic IPs: one facing an ONT, one facing a bridge behind a cable router. All IPs/gateways configured on the MikroTik come from DHCP clients and are public ones.
Main ISP is my main output, and I would like it to be the first Internet access for 99% of my apartment.
Second ISP is a backup output, and I would like it to be the first Internet access for a specific address list. I'm currently experimenting with only one address: 192.168.69.210.
192.168.69.210 has an incoming port translation only from ISP2. It works when ISP1 is down.
It's now that you tell me RTFM (I did it but I'm maybe too stupid), but I would like to be able to:
- force ISP2 for a specific address list.
- force ISP1 as main ISP, keeping ISP2 for backup and port translation.
- make port translation on ISP2 work when ISP1 is up.

I tried things with mangle and so on, but it doesn't work :/
If you have hints or so for doing it, I'll be really pleased to read them.

Regards,

PS: My working configuration, with none of that, is:
/interface ethernet
set [ find default-name=ether6 ] comment="WAN Sfr" name=ISP_2
set [ find default-name=combo1 ] name=ether0
set [ find default-name=sfp-sfpplus1 ] name=etherS0
set [ find default-name=ether7 ] name=orange-support
/interface bridge
add name=LAN
/interface vlan
add comment="WAN Orange" interface=orange-support name=ISP_1 vlan-id=832
/interface list
add name=WAN
add name=INSIDE
/ip dhcp-client option
add code=60 name=vendor-class-identifier value=0x736167656d
add code=77 name=userclass value=0x2b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e4c697665626f7833
add code=90 name=authsend value=0x00000000000000000000001a0900000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip pool
add name=dhcp_pool0 ranges=192.168.69.100-192.168.69.199
/ip dhcp-server
add address-pool=dhcp_pool0 bootp-support=none disabled=no interface=LAN lease-time=6d name=dhcp1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=LAN interface=etherS0
add bridge=LAN hw=no interface=ether0
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN disabled=yes interface=ISP_2
add bridge=LAN broadcast-flood=no disabled=yes interface=orange-support unknown-multicast-flood=no unknown-unicast-flood=no
add bridge=LAN interface=ether1
add bridge=LAN interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=*2000011
/ip settings
set route-cache=no
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=INSIDE wan-interface-list=WAN
/interface list member
add interface=ISP_1 list=WAN
add interface=ISP_2 list=WAN
add interface=LAN list=INSIDE
/ip address
add address=192.168.69.254/24 interface=ether2 network=192.168.69.0
/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,userclass,vendor-class-identifier disabled=no interface=ISP_1
add disabled=no interface=ISP_2
/ip dhcp-server lease
add address=192.168.69.209 client-id=1:0:0:0:0:37:8e mac-address=00:00:00:00:37:8E server=dhcp1
/ip dhcp-server network
add address=192.168.69.0/24 dns-server=192.168.69.254 domain=appart.info-res.fr gateway=192.168.69.254 ntp-server=192.168.69.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=208.67.222.222,208.67.220.220,8.8.8.8,1.1.1.1
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=192.168.69.0/24 list=local
/ip firewall filter
add action=accept chain=input in-interface=LAN
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="allow ICMP" in-interface-list=WAN protocol=icmp
add action=accept chain=forward dst-address-list=LAN dst-port=50805 in-interface=ISP_2 protocol=tcp
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="block everything else" in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=50805 in-interface=ISP_2 protocol=tcp to-addresses=192.168.69.210
add action=masquerade chain=srcnat out-interface=ISP_1
add action=masquerade chain=srcnat out-interface=ISP_2
/lcd
set color-scheme=dark default-screen=stats
/lcd pin
set pin-number=0377
/lcd screen
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=rtr.appart.info-res.fr
/system leds
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/tool mac-server
set allowed-interface-list=INSIDE
/tool mac-server mac-winbox
set allowed-interface-list=INSIDE
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual Wan and incoming port translation

Sun Aug 01, 2021 8:48 pm

Hi there,
How many addresses require ISP2?
Can you put them on their own interface (etherport, or vlan)?

As for port translation I have no idea what you are talking about.
Do you mean you have a server on your subnet and you want that traffic to come in on WAN2 and Leave on WAN2?

Correct, your config is a tad messy, with errors: for example you have a VLAN as a bridge port... and your IP address is set to ether2 and not the bridge...
You also have non-standard rules, and clearly you don't know enough to make them, so I will assume you saw them somewhere on YouTube.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Dual Wan and incoming port translation

Sun Aug 01, 2021 9:31 pm

Maybe the OP means that NAT does not work when using the second WAN while the first one is still UP?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual Wan and incoming port translation

Sun Aug 01, 2021 9:47 pm

Yup, it sounds very much like that, which is an indication that the problem is not in NAT but in routing.
However when looking at the config, one realizes the problems are many layered.
Much better to get to a solid stable config from which to apply nat and routing to solve the requirements.
 
patrickbeau
just joined
Topic Author
Posts: 4
Joined: Sat Jul 31, 2021 1:17 pm

Re: Dual Wan and incoming port translation

Sun Aug 01, 2021 10:28 pm

Anav, Zacharias, Hello,

Sorry for the messy configuration, I tried and untried things. Sometimes the untrying wasn't done correctly.

Thanks for having spotted the ether2 crap. It's corrected now. It explains why some rules sucked, and I didn't understand why.

Nope, no YouTube, only searches and trials to try to understand how this works. I have no friends who have MikroTik and I have trouble understanding how mangle & NAT react. I'm used to pfSense and other less complicated routers (but quite... sensible, to be polite).

ISP1 is on a VLAN because my ISP needs it. The DHCP client rules are also needed.
ISP2 has only one IP and is directly bridged to the modem.

To summarize, the main problem is "How to make a specific source go through a specific ISP which isn't the main one, considering that both external IPs/GWs are dynamic?"
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual Wan and incoming port translation

Sun Aug 01, 2021 10:48 pm

Well, I need answers to my questions to be of assistance...
If I can solve your issue without mangling, that would be super.
 
patrickbeau
just joined
Topic Author
Posts: 4
Joined: Sat Jul 31, 2021 1:17 pm

Re: Dual Wan and incoming port translation

Sun Aug 01, 2021 10:55 pm

Well, I need answers to my questions to be of assistance...
If I can solve your issue without mangling, that would be super.
*need some sleep* sorry

How many addresses require ISP2? Only one IP needs ISP2 when ISP1 is alive. All IPs will need ISP2 when ISP1 is dead.

Can you put them on their own interface (etherport, or vlan)? For the moment, it's impossible. My switch is dead, a dummy one is replacing it. I thought about this way too :)

Do you mean you have a server on your subnet and you want that traffic to come in on WAN2 and Leave on WAN2? Yes.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual Wan and incoming port translation

Mon Aug 02, 2021 1:25 am

This is dirt simple.

dst-0.0.0.0/0 gatewayofISP1 distance=5 check-gateway=ping
dst-0.0.0.0/0 gatewayofISP2 distance=10
dst-0.0.0.0/0 gatewayofISP2 distance=10 routing-mark=USETHISWAN
(edited: thanks zach)

Route Rule
Source address= IP of device (could be the whole subnet )
(Alternately you can use the interface involved, but that doesn't apply here)
Action: Lookup only in Table
Table=USETHISWAN

no mangling required.
All LAN users will use ISP1.
The source IP address in the route rule will use ISP2.
IF LAN1 goes down, all users will use LAN2.
IF LAN2 goes down, the source IP address in the route rule will not have access at all.
Last edited by anav on Mon Aug 02, 2021 3:47 am, edited 2 times in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Dual Wan and incoming port translation

Mon Aug 02, 2021 1:46 am

@anav, same distance on all routes ?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual Wan and incoming port translation

Mon Aug 02, 2021 3:47 am

@anav, same distance on all routes ?
Oopsie, much thanks zacharias, ISP2 should have a greater distance which in a way instructs the router to use ISP1.
 
patrickbeau
just joined
Topic Author
Posts: 4
Joined: Sat Jul 31, 2021 1:17 pm

Re: Dual Wan and incoming port translation

Mon Aug 02, 2021 8:46 am

It's simple when you understand it. I didn't think route rules worked like this.
I now have to script IP & gateway renewal on dynamic IP renew. It will be a headache, but it'll work ;)

Thanks both :)
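Anav's three routes plus route rule, combined with the DHCP-renewal scripting patrickbeau says he still has to write, as one added example that is not part of the thread. It assumes RouterOS v6 syntax (routing-mark), the interface names ISP_1/ISP_2 and the host 192.168.69.210 from the OP's export; the table name USETHISWAN is anav's, while the comment tags ISP1_dyn/ISP2_dyn and the extra "local stays local" rule are my own additions.

```routeros
# Added example (not from the thread). RouterOS v6 syntax (routing-mark), using
# the OP's interface names ISP_1 / ISP_2 and the host 192.168.69.210.
# Goal: ISP1 primary (distance 5, ping-checked), ISP2 backup (distance 10), and
# everything sourced from 192.168.69.210 forced out ISP2, so replies of the
# service dst-NATed on ISP_2 leave through ISP_2 even while ISP1 is up.
# Both gateways are dynamic, so each DHCP client installs its routes from a
# script; $bound and $"gateway-address" are the variables RouterOS passes to
# dhcp-client scripts. A backslash at end of line continues the quoted string,
# hence the \$ and \" escapes. Comment tags ISP1_dyn / ISP2_dyn are assumed names.

/ip dhcp-client set [find interface=ISP_1] add-default-route=no script="\
  /ip route remove [find comment=ISP1_dyn];\
  :if (\$bound = 1) do={\
    /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" \
      distance=5 check-gateway=ping comment=ISP1_dyn\
  }"

/ip dhcp-client set [find interface=ISP_2] add-default-route=no script="\
  /ip route remove [find comment=ISP2_dyn];\
  :if (\$bound = 1) do={\
    /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" \
      distance=10 comment=ISP2_dyn;\
    /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" \
      distance=10 routing-mark=USETHISWAN comment=ISP2_dyn\
  }"

# Route rules are evaluated in order, first match wins. Table USETHISWAN holds
# only a default route, so traffic from the host to its own LAN (and to the
# router, e.g. DNS on 192.168.69.254) must be kept in the main table first.
/ip route rule add src-address=192.168.69.210/32 dst-address=192.168.69.0/24 \
  action=lookup table=main comment="local stays local"

# Everything else from 192.168.69.210 is looked up only in USETHISWAN, so no
# mangle marking is needed. If ISP2 is down that host has no route at all;
# all other hosts fail over to ISP2 once check-gateway marks the ISP1 route down.
/ip route rule add src-address=192.168.69.210/32 action=lookup-only-in-table \
  table=USETHISWAN comment="force ISP2"

# The OP's existing dst-nat (in-interface=ISP_2 ... to-addresses=192.168.69.210)
# and the two masquerade rules stay as they are.

# Trigger the scripts now instead of waiting for the next lease renewal
/ip dhcp-client renew [find interface=ISP_1]
/ip dhcp-client renew [find interface=ISP_2]
```

After a renewal, `/ip route print where comment~"_dyn"` should show the ISP1 route (distance 5) and the two ISP2 routes (distance 10, one with the USETHISWAN mark) pointing at the current DHCP gateways.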
