petrz
just joined
Topic Author
Posts: 16
Joined: Sun Apr 09, 2017 6:40 am

DualWAN - route for specific dest IP / port

Mon Oct 14, 2019 12:54 am

I have the following situation: WAN1, WAN2, LAN. All traffic is routed via WAN1; WAN2 is used as fallback.
WAN1 is connected to an LTE modem directly, WAN2 is connected to another MikroTik (which does masquerade).

I need to route traffic to particular IP / port always via WAN2, even when WAN1 is reachable.

What is wrong / missing?
# model = RouterBOARD 952Ui-5ac2nD
/ip settings
set rp-filter=loose

/ip address
add address=10.20.30.1/24 interface=lan network=10.20.30.0

/ip dhcp-client
add default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=wan1
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=wan2

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=lan
add action=accept chain=forward in-interface=lan
add action=drop chain=input in-interface=wan1
add action=drop chain=input in-interface=wan2
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=wan1
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=wan2

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wan1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wan2 new-connection-mark=wan2_conn

add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_wan2

add action=mark-routing chain=prerouting dst-address=DST-IP-I-NEED-VIA-WAN2 protocol=tcp dst-port=22 in-interface=lan log=yes log-prefix=TO-VPS new-routing-mark=to_wan2 passthrough=no 

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=wan1

/ip route
add check-gateway=ping distance=1 gateway=WAN1_GW_IP routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=WAN2_GW_IP routing-mark=to_wan2

add disabled=yes distance=1 dst-address=DST-IP-I-NEED-VIA-WAN2/32 gateway=WAN2_GW_IP
When I enable the routing rule for that IP for all ports (disabled in the code above), it works. But I need to route only specific port traffic. In the current setup, with routing-mark=to_wan2 enabled, a timeout occurs.

Additional questions:
Is it possible to add the DHCP-obtained GW IP into a static rule?
Is it possible to run an OpenVPN server listening on both WAN1 and WAN2?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: DualWAN - route for specific dest IP / port  [SOLVED]

Mon Oct 14, 2019 3:01 am

For a start, do something with fasttrack, either disable it or make it apply only to connections using the default routing table. It's your main problem.

Then for the mangle rule, I'd move it up and make it mark connections (wan2_conn) instead of marking routing directly. What you have now should work too, because connections will get marked by the first response packet, but this should be clearer.

To use the gateway from DHCP, you can make a lease script and update it from there. See either the manual or a simple example.

To make a service on the router work from both WANs, add the same route-marking rules you have in chain=prerouting also in chain=output.
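Sob's fasttrack point, as an added Python model that is not from the thread and not RouterOS code: it replays the original post's prerouting mangle rules, the routing decision and the forward-chain fasttrack rule for one LAN -> DST:22 connection, packet by packet. The "fix" flag assumes the fasttrack rule is restricted to connection-mark=no-mark (one reading of "only connections using default routing table"); DST is the post's placeholder and the LAN host address is constructed.

```python
# Added model of the thread's mangle/fasttrack interaction, not RouterOS code.
# Assumption: the "fix" restricts the fasttrack rule to connection-mark=no-mark.
DST = "DST-IP-I-NEED-VIA-WAN2"   # placeholder exactly as in the post
LAN_HOST = "10.20.30.50"         # constructed host in the post's LAN subnet

def mangle_prerouting(pkt, conn):
    """Original post's /ip firewall mangle prerouting rules, in order."""
    rmark = None
    if conn["mark"] is None and pkt["in"] == "wan1":
        conn["mark"] = "wan1_conn"
    if conn["mark"] is None and pkt["in"] == "wan2":
        conn["mark"] = "wan2_conn"
    if conn["mark"] == "wan1_conn":
        rmark = "to_wan1"
    if conn["mark"] == "wan2_conn":
        rmark = "to_wan2"
    if pkt["in"] == "lan" and pkt["dst"] == DST and pkt["dport"] == 22:
        rmark = "to_wan2"        # the direct mark-routing rule (passthrough=no)
    return rmark

def route(rmark):
    """Routing decision: per-mark table if present, else main table -> WAN1."""
    return {"to_wan1": "wan1", "to_wan2": "wan2"}.get(rmark, "wan1")

def forward_filter(pkt, conn, fix):
    """The fasttrack-connection rule for established/related traffic."""
    if pkt["state"] in ("established", "related"):
        if not (fix and conn["mark"] is not None):  # fix: unmarked conns only
            conn["fasttracked"] = True

def handle(pkt, conn, fix):
    """Egress for one packet. Fasttracked packets bypass mangle entirely, so a
    packet of a fasttracked connection never receives a routing mark."""
    rmark = None if conn["fasttracked"] else mangle_prerouting(pkt, conn)
    out = route(rmark) if pkt["in"] == "lan" else "lan"
    forward_filter(pkt, conn, fix)
    return out

def ssh_session(fix=False):
    """SYN, SYN-ACK reply via WAN2, then the first data packet; returns the
    egress interface per packet. Without the fix the third packet leaks to WAN1."""
    conn = {"mark": None, "fasttracked": False}
    syn = {"in": "lan", "dst": DST, "dport": 22, "state": "new"}
    synack = {"in": "wan2", "dst": LAN_HOST, "dport": 0, "state": "established"}
    data = dict(syn, state="established")
    return [handle(p, conn, fix) for p in (syn, synack, data)]

if __name__ == "__main__":
    print(ssh_session())          # ['wan2', 'lan', 'wan1']
    print(ssh_session(fix=True))  # ['wan2', 'lan', 'wan2']
```

The unfixed run also confirms Sob's remark that the reply packet is what marks the connection: the connection does get wan2_conn, but fasttrack then skips mangle for every later packet, so the routing mark is never applied and the flow goes out WAN1 and times out.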
 
petrz
just joined
Topic Author
Posts: 16
Joined: Sun Apr 09, 2017 6:40 am

Re: DualWAN - route for specific dest IP / port

Fri Oct 18, 2019 1:43 am

Thank you, Sob.

If somebody needs it, this works for me:
/ip settings
set rp-filter=loose

/interface list member
add interface=wan1 list=WAN_all
add interface=wan2 list=WAN_all

/ip route
add check-gateway=arp comment=wan1_marked distance=1 routing-mark=to_wan1 gateway=GW-IP-FOR-WAN1
add check-gateway=arp comment=wan2_marked distance=1 routing-mark=to_wan2 gateway=127.0.0.1
add check-gateway=arp comment=wan1_default distance=1 gateway=GW-IP-FOR-WAN1
add check-gateway=arp comment=wan2_default distance=2 gateway=127.0.0.1

/ip dhcp-client
add add-default-route=no comment="DHCP for WAN2" dhcp-options=hostname,clientid disabled=no interface=wan2 script="{ :if (\$bound=1) do={ /ip route set [/ip route find where comment=\"wan2_marked\"] gateway=\$\"gateway-address\" disabled=no; /ip route set [/ip route find where comment=\"wan2_default\"] gateway=\$\"gateway-address\" disabled=no; } else { /ip route set [/ip route find where comment=\"wan2_marked\"] disabled=yes; /ip route set [/ip route find where comment=\"wan2_default\"] disabled=yes; }}"

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=lan new-connection-mark=wan2_conn passthrough=yes protocol=tcp dst-address=DST-IP-I-NEED-VIA-WAN2 dst-port=22
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface-list=!WAN_all new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface-list=!WAN_all new-routing-mark=to_wan2 passthrough=no

add action=mark-connection chain=output connection-mark=no-mark new-connection-mark=wan1_conn out-interface=wan1 passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark new-connection-mark=wan2_conn out-interface=wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 out-interface-list=WAN_all passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2 out-interface-list=WAN_all passthrough=no
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: DualWAN - route for specific dest IP / port

Fri Oct 18, 2019 3:55 am

You shouldn't need the static wan2_default route. If you do it to have distance 2, you can choose that in the config of the DHCP client.
