Dual WAN on RB450G configuration

adi55 · Fri Nov 12, 2010 6:15 am

I need help to configure step by step a dual WAN on my new RB450G in the following scenario:

2 ISP providers:
WAN1 (main) = PPOE (ether2)
WAN2 = static IP (89.38.X.X) with mask = 255.255.255.192 and dedicated mac-address (ether1)
fail-over or load balancing (I am not sure, any suggestion are wellcome)

2 computers on local network (ether5 and ether 4, gigabit)

I need detailed and step by step explanation because I'm very new in Mikrotik products.

Thank you in advance!

Fri Nov 12, 2010 9:48 am

You can find detailed explanation here
http://wiki.mikrotik.com/wiki/PCC

adi55 · Fri Nov 12, 2010 11:27 am

Thank you for quick answer but I need more specific help.
From that page I see the example is for two WLANs and I need for two WAN connections (one PPPOE and one static)

Because I don't know mikrotik sintax I need detailed help for configuration

Thank you!

Fri Nov 12, 2010 11:43 am

Here is an example how to set up pppoe client
http://wiki.mikrotik.com/wiki/Manual:In ... oE#Example

And here is an example how to set up ip address
http://wiki.mikrotik.com/wiki/Manual:IP/Address#Example

Everything else is the same as in PCC example, no matter what interface is used as WAN.

adi55 · Sat Nov 13, 2010 7:56 am

Ok I don't succeed.
For first I tried to configure the static connection.
Follow my actual configuration:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    192.168.88.255  ether2-local           
 1   ;;; iLink
     89.38.241.108/26   89.38.241.64    89.38.241.127   ether3-local           
[admin@MikroTik] > 
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0                          89.38.241.65       1       
 1 ADC  89.38.241.64/26    89.38.241.108   ether3-local       0       
 2 ADC  192.168.88.0/24    192.168.88.1    bridge             0       
[admin@MikroTik] >

Local seems to be ok but not internet connection.

ISP gave me IP=89.38.241.108 with Mask=255.255.255.192 and Gateway=89.38.241.65

adi55 · Sun Nov 14, 2010 10:49 am

I resolved configuring the two internet connections but only pppoe-connection working the static address from ISP connection in unreachable now.
Also local computers cannot see each other.
Here are the actual prints:

[admin@RB450G] > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=89.38.241.108/26 network=89.38.241.64 broadcast=89.38.241.127
interface=ether1 actual-interface=ether1

1 address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255
interface=LAN actual-interface=LAN

2 D address=188.26.161.240/32 network=10.0.0.1 broadcast=0.0.0.0
interface=pppoe-out1 actual-interface=pppoe-out1
[admin@RB450G] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=pppoe-out1
gateway-status=pppoe-out1 reachable check-gateway=ping distance=1
scope=30 target-scope=10 routing-mark=to_wlan1

1 S dst-address=0.0.0.0/0 gateway=89.38.241.65
gateway-status=89.38.241.65 unreachable check-gateway=ping
distance=10 scope=30 target-scope=10 routing-mark=to_wlan2

2 A S dst-address=0.0.0.0/0 gateway=pppoe-out1
gateway-status=pppoe-out1 reachable check-gateway=ping distance=2
scope=30 target-scope=10

3 S dst-address=0.0.0.0/0 gateway=89.38.241.65
gateway-status=89.38.241.65 unreachable distance=20 scope=30
target-scope=10

4 ADC dst-address=10.0.0.1/32 pref-src=188.26.161.240 gateway=pppoe-out1
gateway-status=pppoe-out1 reachable distance=0 scope=10

5 ADC dst-address=89.38.241.64/26 pref-src=89.38.241.108 gateway=ether1

Any help please?

Thank you

adi55 · Mon Nov 15, 2010 4:41 pm

Nobody can help me?

I CAN ping lan computers from router but cannot ping computers each other. From cmd I can ping gateway (192.168.1.1) but not the other computer.

Than you

Feklar · Mon Nov 15, 2010 5:38 pm

We would need to see your mangle and NAT rules. What you have posted is just your routing table, we need the firewall rules in addition to that to even begin to see what is going on.

adi55 · Mon Nov 15, 2010 8:38 pm

Thank you Feklar. Here are the rules:

[admin@RB450G] /ip firewall> export
# jan/02/1970 14:58:32 by RouterOS 4.13
# software id = 10RJ-XAT1
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="" disabled=no dst-port=80 protocol=tcp
add action=drop chain=input comment="" disabled=no
/ip firewall mangle
add action=mark-routing chain=output comment="" connection-mark=wlan1_conn \
    disabled=no new-routing-mark=to_wlan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wlan2_conn \
    disabled=no new-routing-mark=to_wlan2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@RB450G] /ip firewall>

Yours,

Feklar · Mon Nov 15, 2010 9:34 pm

Ok, I see a couple of things wrong with the firewall rules, so lets get started.

1.) You have no mangle rule that is marking for connections from what I can see. Without that rule your mark-route rules will never fire since they are looking for a connection with a mark.

/ip firewall mangle
add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no new-connection-mark=wlan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no new-connection-mark=wlan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1

2.) You have your mangle route rules on the output chain. This will not work as the output chain is only ever used for traffic that originated from the router itself. Prerouting or Forward is what you probably want. Look at the packet flow diagram and see what one fits your needs best.
http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
input= traffic specifically for the router
output= traffic generated by the router
forward= traffic going over the router (i.e. from clients)
prerouting= traffic before any routing has been done on it
postrouting= traffic after routing decisions have happened.
3.) Not really a problem at this point, but your mangle rule is too general. Either make two of them and specify an out interface, or add in the src-address as your LAN. Without that to narrow it down it will masquerade everything and could have some side effects that you don't want.

This should get you up and running at least and then you can move on from there. Also keep in mind that order of rules is very very important. If something is in the wrong order a rule may match something you don't want it to and once again have interesting side effects.

adi55 · Wed Nov 17, 2010 7:46 am

Thank you Feklar trying to help me.
I need another litle help with route priority.
Now the default connection is wlan1 (ether1) and I need wlan2 (ether2 - pppoe) to be the default route.
Here is my routes list:

[admin@RB450G] > ip route  print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pppoe-out1         1       
 1 A S  0.0.0.0/0                          ether1             1       
 2 A S  0.0.0.0/0                          89.38.241.65       1       
 3   S  0.0.0.0/0                          ether1             1       
 4   S  0.0.0.0/0                          pppoe-out1         2       
 5 ADC  10.0.0.1/32        188.26.140.11   pppoe-out1         0       
 6 ADC  89.38.241.64/26    89.38.241.108   ether1             0       
 7 ADC  192.168.1.0/24     192.168.1.1     LAN                0       
[admin@RB450G] > ip route print detail 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable distance=1 scope=30 
        target-scope=10 routing-mark=to_wlan1 

 1 A S  dst-address=0.0.0.0/0 gateway=ether1 gateway-status=ether1 reachable 
        check-gateway=ping distance=1 scope=30 target-scope=10 
        routing-mark=to_wlan2 

 2 A S  dst-address=0.0.0.0/0 gateway=89.38.241.65 
        gateway-status=89.38.241.65 reachable ether1 distance=1 scope=30 
        target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=ether1 gateway-status=ether1 reachable 
        check-gateway=ping distance=1 scope=30 target-scope=10 

 4   S  dst-address=0.0.0.0/0 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable check-gateway=ping distance=2 
        scope=30 target-scope=10 

 5 ADC  dst-address=10.0.0.1/32 pref-src=188.26.140.11 gateway=pppoe-out1 

[admin@RB450G] >

Thank you for your patience

Feklar · Wed Nov 17, 2010 5:06 pm

Change the distance of the PPPoE route to something that is lower than the other route. I.E. change PPPoE weight to 1 and your other routes to 5. The distances are the way of specifying what route is used for that specific routing table, any other routes with a higher distance are disabled until they are the route with the least amount of distance.

Basically when you mark for routing, what you are telling the router to do is for that connection to use this routing table. When you have a list of routes that don't specify a routing mark, they are part of the main routing table that is used by default. If your routing mark table fails, then the connection will fall through to the main routing table.

EDIT:

If you are talking about weighting the PPPoE connection higher in your mangle rules, just add in more mark connection rules like above until you get the ratio that you want. Just be sure to update the per-connection-classifier for all rules so they are consistent. I.E. if you have 5 PCC rules, the divisor should be 5 on all of them, with the remainder number going up by one on each starting at 0.

rini · Thu Nov 18, 2010 12:30 am

Hi there.

try this configuration

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=TEST passthrough=no
protocol=tcp dst-port=1863

/ip firewall nat
add chain=dstnat action=accept

/ip firewall nat
add chain=srcnat action=masquerade src-address=0.0.0.0/0

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out routing-mark=TEST

/ip route
add dst-address=0.0.0.0/0 gateway=89.38.241.65 routing-mark=TEST

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out,89.38.241.65 routing-mark=main

if you have example from pppoe a bandwidth 4MB and from static 2MB

u have to add another gateway, u have to make a raport 2:1

example /ip route add dst-address=0.0.0.0/0 gateway=pppeo-out,pppoe-out,89.38.241.65

dont create too many rules make it simple then add the rules
try this and post a comment
bye

adi55 · Fri Nov 19, 2010 4:15 pm

Thank you feklar and rini.

I made my best to understand PCC. After a lot of work my router is almost working.
I say almost because the fail over mode is working, but NOT load balancing.
The route for ether2 is unreachable in load balancing mode. I think both of WANS must be reachable.

Following my rules:

[admin@RB450G] > ip route print           
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pppoe-out1         1       
 1   S  0.0.0.0/0                          89.38.241.65       1       
 2 A S  0.0.0.0/0                          pppoe-out1         1       
 3   S  0.0.0.0/0                          89.38.241.65       5       
 4 ADC  10.0.0.1/32        188.26.140.48   pppoe-out1         0       
 5 ADC  89.38.241.64/26    89.38.241.108   ether2             0       
 6 ADC  192.168.1.0/24     192.168.1.1     LAN                0       
[admin@RB450G] >

[admin@RB450G] > ip route print detail 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable check-gateway=ping distance=1 
        scope=30 target-scope=10 routing-mark=to_pppoe-out1 

 1   S  dst-address=0.0.0.0/0 gateway=89.38.241.65 
        gateway-status=89.38.241.65 unreachable check-gateway=ping distance=1 
        scope=30 target-scope=10 routing-mark=to_ether2 

 2 A S  dst-address=0.0.0.0/0 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable check-gateway=ping distance=1 
        scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=89.38.241.65 
        gateway-status=89.38.241.65 unreachable check-gateway=ping distance=5 
        scope=30 target-scope=10 

 4 ADC  dst-address=10.0.0.1/32 pref-src=188.26.140.48 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable distance=0 scope=10 

 5 ADC  dst-address=89.38.241.64/26 pref-src=89.38.241.108 gateway=ether2 
        gateway-status=ether2 unreachable distance=0 scope=200

[admin@RB450G] > ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=mark-connection new-connection-mark=pppoe-out1_conn 
     passthrough=yes in-interface=pppoe-out1 

 1   chain=input action=mark-connection new-connection-mark=ether2_conn 
     passthrough=yes in-interface=ether2 

 2   chain=output action=mark-routing new-routing-mark=to_pppoe-out1 
     passthrough=yes connection-mark=pppoe-out1_conn 

 3   chain=output action=mark-routing new-routing-mark=to_ether2 
     passthrough=yes connection-mark=ether2_conn 

 4   chain=prerouting action=mark-routing new-routing-mark=TEST passthrough=no 
     protocol=tcp dst-port=1863 

 5   chain=prerouting action=accept dst-address=10.0.0.1 in-interface=LAN 

 6   chain=prerouting action=accept dst-address=89.38.241.108 in-interface=LAN 

 7   chain=prerouting action=mark-connection 
     new-connection-mark=pppoe-out1_conn passthrough=yes 
     dst-address-type=!local in-interface=LAN 
     per-connection-classifier=both-addresses:2/0 

 8   chain=prerouting action=mark-connection new-connection-mark=ether2_conn 
     passthrough=yes dst-address-type=!local in-interface=LAN 
     per-connection-classifier=both-addresses:2/1 

 9   chain=prerouting action=mark-routing new-routing-mark=to_pppoe-out1 
     passthrough=yes in-interface=LAN connection-mark=pppoe-out1_conn 

10   chain=prerouting action=mark-routing new-routing-mark=to_ether2 
     passthrough=yes in-interface=LAN connection-mark=ether2_conn

[admin@RB450G] > ip firewall nat print       
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade protocol=0 src-address=192.168.1.0/24 

 1   chain=srcnat action=masquerade out-interface=pppoe-out1 

 2   chain=srcnat action=masquerade out-interface=ether2 
[admin@RB450G] >

Any help is welcome.

Thank you

Feklar · Sat Nov 20, 2010 4:29 am

It says your non-ppoe connection is unreachable on that interface. What interface do you have the public IP addresses on? Is the cable plugged in on that interface? Do you have a link light on that interface?

adi55 · Sat Nov 20, 2010 4:51 am

Public IP address is on ether2 interface.

And YES, I have lights on all interfaces:
ether1=pppoe yellow
ether2=public IP yellow
ether4=PC2 green+yellow
ether5=PC1 green+yellow

Also, when I physically disconnect pppoe, router make fail over with public IP (ether2).

Yours,

Feklar · Sat Nov 20, 2010 6:37 am

Ok, If you plug directly into the internet connection can your computer get online with the provided IP information?
Is the router able to ping 89.38.241.65?
Is 89.38.241.65 on the LAN or the WAN of the ISP router?

I'm not trying to get too basic on you, but from what I can see from here, everything looks correct, so something is causing the router to think that the subnet is unreachable on that interface. Can you do an /ip address export and paste it here?

adi55 · Sat Nov 20, 2010 7:35 pm

Thank you very much for help.
Now all seems to be all right.

If I'll need any suggestions for tunning the router I'll open another thread.

Yours,

proggams2 · Mon Nov 22, 2010 3:41 pm

can you please post the last configuration you have done to routes and firewall-mangle

adi55 · Mon Nov 22, 2010 6:38 pm

[admin@RB450G] > ip route print detail 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable check-gateway=ping distance=1 
        scope=30 target-scope=10 routing-mark=to_pppoe-out1 

 1 A S  dst-address=0.0.0.0/0 gateway=89.38.241.65 
        gateway-status=89.38.241.65 reachable ether2 check-gateway=ping 
        distance=5 scope=30 target-scope=10 routing-mark=to_ether2 

 2 A S  dst-address=0.0.0.0/0 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable check-gateway=ping distance=1 
        scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=89.38.241.65 
        gateway-status=89.38.241.65 reachable ether2 check-gateway=ping 
        distance=5 scope=30 target-scope=10 

 4 ADC  dst-address=10.0.0.1/32 pref-src=188.27.84.226 gateway=pppoe-out1 
        gateway-status=pppoe-out1 reachable distance=0 scope=10 

 5 ADC  dst-address=89.38.241.64/26 pref-src=89.38.241.108 gateway=ether2

[admin@RB450G] > ip firewall mangle print  
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=mark-connection new-connection-mark=pppoe-out1_conn 
     passthrough=yes in-interface=pppoe-out1 

 1   chain=input action=mark-connection new-connection-mark=ether2_conn 
     passthrough=yes in-interface=ether2 

 2   chain=output action=mark-routing new-routing-mark=to_pppoe-out1 
     passthrough=yes connection-mark=pppoe-out1_conn 

 3   chain=output action=mark-routing new-routing-mark=to_ether2 
     passthrough=yes connection-mark=ether2_conn 

 4   chain=prerouting action=mark-routing new-routing-mark=TEST passthrough=no 
     protocol=tcp dst-port=1863 

 5   chain=prerouting action=accept dst-address=10.0.0.1 in-interface=LAN 

 6   chain=prerouting action=accept dst-address=89.38.241.108 in-interface=LAN 

 7   chain=prerouting action=mark-connection 
     new-connection-mark=pppoe-out1_conn passthrough=yes 
     dst-address-type=!local in-interface=LAN 

[admin@RB450G] >

Yours,

rotur · Fri Dec 10, 2010 3:32 am

I have the same problem at 450g.
There are some changes for the better??
Describe your last settings.
THX

Dual WAN on RB450G configuration

Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Re: Dual WAN on RB450G configuration

Who is online