zyxnull
just joined
Topic Author
Posts: 21
Joined: Mon Jan 14, 2013 10:50 am

Dual Wan and mangle rules

Tue May 10, 2016 1:33 am

Hello everybody

I have a question related to mangle rules and Dual WAN; let me describe my scenario. Currently I have a CRS125-24G-1S-RM; ports ether1 and ether2 are WAN. However, I do not need balancing or failover, I just need to be able to access the router on WAN2 (ether2) and let people connect to the Internet on WAN1 (ether1).

I have the following mangle and route rules

/ip firewall mangle
add action=mark-connection chain=input comment=WAN1 in-interface=ether1-WAN1 \
new-connection-mark=MWAN1
add action=mark-routing chain=output connection-mark=MWAN1 new-routing-mark=\
RWAN1 passthrough=no
add action=mark-connection chain=forward comment=WAN1PF connection-state=new \
in-interface=ether1-WAN1 new-connection-mark=PFMWAN1
add action=mark-routing chain=prerouting connection-mark=PFMWAN1 \
in-interface=bridge-local new-routing-mark=RWAN1
add action=mark-connection chain=input comment=WAN2 in-interface=ether2-WAN2 \
new-connection-mark=MWAN2
add action=mark-routing chain=output connection-mark=MWAN2 new-routing-mark=\
RWAN2 passthrough=no
add action=mark-connection chain=forward comment=WAN2PF connection-state=new \
in-interface=ether2-WAN2 new-connection-mark=PFMWAN2
add action=mark-routing chain=prerouting connection-mark=PFMWAN2 \
in-interface=bridge-local new-routing-mark=RWAN2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2

/ip route
add distance=1 gateway=ether1-WAN1 routing-mark=RWAN1
add distance=1 gateway=ether2-WAN2 routing-mark=RWAN2
add distance=1 gateway=192.168.1.1
add distance=2 gateway=200.100.100.12

So far so good: I'm able to access my router on WAN2 and people are using WAN1 for internet. However, if I ssh onto the router and ping anything, only the first packet reaches its destination; all subsequent packets fail.

[admin@MikroTik] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 55 60ms
1 8.8.8.8 timeout
2 8.8.8.8 timeout
3 192.168.1.10 84 64 987ms host unreachable
sent=4 received=1 packet-loss=75% min-rtt=60ms avg-rtt=60ms max-rtt=60ms

I know I may be missing a rule or two in mangle or routing, but I'm at a loss now. Any ideas?
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Dual Wan and mangle rules

Tue May 10, 2016 9:46 am

You should not need all the mangle rules and marking traffic.
Just add a srcnat:
add action=masquerade src-address="lan/mask" dst-address="ip-address of router" chain=srcnat out-interface=ether2
Alter the above statement to match your config. This is what it looks like for me to access my modem:
add action=masquerade src-address=172.17.0.0/16 dst-address=192.168.0.5 chain=srcnat out-interface=ether3
 
zyxnull
just joined
Topic Author
Posts: 21
Joined: Mon Jan 14, 2013 10:50 am

Re: Dual Wan and mangle rules

Tue May 10, 2016 9:21 pm

I've been going around your answer and can't wrap my head around it, especially your example.

- Does your router have multiple networks? (192.168.0.0/24 and 172.17.0.0/16)

- Does this rule replace the normal masquerade rules already in place, like the following?
chain=srcnat action=masquerade out-interface=ether1-wan1 log=no 
chain=srcnat action=masquerade out-interface=ether2-wan2 log=no 

You should not need all the mangle rules and marking traffic.
Just add a srcnat:
add action=masquerade src-address="lan/mask" dst-address="ip-address of router" chain=srcnat out-interface=ether2
Alter the above statement to match your config. This is what it looks like for me to access my modem:
add action=masquerade src-address=172.17.0.0/16 dst-address=192.168.0.5 chain=srcnat out-interface=ether3
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Dual Wan and mangle rules

Tue May 10, 2016 10:42 pm

You would like your clients to access the internet on WAN 1 (ether 1). The NAT statements you have are correct. To have them access the internet through this connection, have one static route pointing 0.0.0.0/0 traffic at your gateway for WAN1 (gateway1, ether1).
To access the router connected to WAN2 through ether2, add a 3rd NAT statement at the bottom of the other 2 NAT statements:
add chain=srcnat action=masquerade src-address="lan network/mask" dst-address="ip address of router" out-interface=ether2 log=no log-prefix=""
I have 2 WAN connections. I use the below statement to access my modem on my satellite connection, which is my secondary connection. Let me know if you need further explanation.
add action=masquerade src-address=172.17.0.0/16 dst-address=192.168.0.5 chain=srcnat out-interface=ether3
where src-address is my LAN IP, dst-address is the modem IP and out-interface is the WAN 2 interface.
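The two replies above, assembled into one complete RouterOS configuration as an added example (it is not dgnevans's or zyxnull's config, and nothing on the page confirms it was applied). Interface names, the 192.168.1.1 WAN1 gateway and the 200.100.100.12 WAN2 router address are taken from the original post; the LAN prefix 172.17.0.0/16 is borrowed from dgnevans's example; the router's own interface addresses, the mgmt address list and the 203.0.113.10 admin host are placeholders I chose.

```routeros
# Added example, not from the thread. Interface names and gateway addresses
# follow the original post; the /ip address values below are assumed.
/ip address
add address=172.17.0.1/16 interface=bridge-local comment=LAN
add address=192.168.1.10/24 interface=ether1-WAN1 comment=WAN1
add address=200.100.100.2/24 interface=ether2-WAN2 comment=WAN2

# Exactly one default route, via WAN1, and no routing marks at all
# (this replaces the four /ip route entries in the original post).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 comment="default via WAN1"

/ip firewall nat
# the two masquerade rules from the original post stay as they are
add chain=srcnat action=masquerade out-interface=ether1-WAN1 comment=WAN1
add chain=srcnat action=masquerade out-interface=ether2-WAN2 comment=WAN2
# the third rule dgnevans describes: LAN hosts talking to the router on the
# WAN2 side get masqueraded as they leave ether2-WAN2. 200.100.100.12 sits in
# the directly connected 200.100.100.0/24, so the connected route already
# sends it out ether2-WAN2 without any marking.
add chain=srcnat action=masquerade src-address=172.17.0.0/16 \
    dst-address=200.100.100.12 out-interface=ether2-WAN2 comment="reach WAN2 router"

# Added hardening, not discussed in the thread: if the MikroTik itself is to be
# managed from the WAN2 side, restrict input on ether2-WAN2 to a known source.
/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="assumed admin host (placeholder)"
/ip firewall filter
add chain=input in-interface=ether2-WAN2 connection-state=established,related action=accept
add chain=input in-interface=ether2-WAN2 src-address-list=mgmt action=accept
add chain=input in-interface=ether2-WAN2 action=drop comment="everything else arriving on WAN2"

# Checks, from the router's own CLI
/ip route print
/ip firewall nat print stats
/ping 200.100.100.12 count=4
/ping 8.8.8.8 count=4
```

Two things to keep in mind when reading this: RouterOS evaluates NAT rules top-down and stops at the first match, so with the broad out-interface=ether2-WAN2 masquerade above it, the narrow third rule never matches anything on its own; it only becomes the rule that does the work if the broad WAN2 masquerade is removed or limited. And the whole layout depends on the WAN2 router being on a directly connected subnet, as the modem is in dgnevans's case; if it were reachable only through a further hop, a specific /ip route for that address via ether2-WAN2 would be needed in place of the routing marks.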
 
zyxnull
just joined
Topic Author
Posts: 21
Joined: Mon Jan 14, 2013 10:50 am

Re: Dual Wan and mangle rules

Wed May 18, 2016 1:43 am

Found a previous post on this forum that I didn't find the first time and that solves my problem; you may find it here:

http://forum.mikrotik.com/viewtopic.php?t=43852
