beriabraham
just joined
Topic Author
Posts: 1
Joined: Fri Nov 08, 2019 11:53 am

Dual WAN and Dual LAN at the same time

Fri Nov 08, 2019 12:55 pm

Hello guys!

I am a beginner MikroTik user.
I have an hAP ac lite router, and I want to do some kind of load balancing on it.
I have 2 WAN ports, and I want WAN1 (port1) to connect to LAN1 (port3), and WAN2 (port2) to connect to LAN2 (port4).
So if I connect my PC to the 4th port, I want to use WAN2, and when I disconnect the WAN2 cable, I don't want it to use the WAN1 connection.
I'm totally lost in this task.

(Sorry for my bad English)

Thanks
Best Regards,
Abraham
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN at the same time

Fri Nov 08, 2019 4:06 pm

Good day,
What you are asking for is very reasonable.
You will get there but there is a bit of a learning curve to MT configurations.
Think of it as quite a capable router but you have to program all the steps unlike a consumer router which does most of the config behind the scenes.

The good news is that your request is actually the easiest possible scenario as there is actually no load balancing at all.
It seems you're saying:
a. ISP1 should be used exclusively for LAN1
b. ISP2 should be used exclusively for LAN2

If ISP1 is not available all users on LAN1 will not get internet.
If ISP2 is not available all users on LAN2 will not get internet.
ASSUMPTION: You do not want users on LAN1 to have any traffic with users on LAN2 ??

In firewall rules Forward filter,
Besides the normal default rules
simply add DROP ALL ELSE rule at the end and if traffic is not explicitly permitted by rules it will be dropped.
Thus for example any traffic between the subnets LAN1 and LAN2 will not be permitted as this is not part of the default rule set.

You will need basic sourcenat configuration that covers all traffic going out ISP1 and all traffic going out ISP2
You could state it more explicitly since we know it to be the intention by stating all traffic from LAN1 going out on ISP1 and all traffic from LAN2 going out ISP2.......
Basically stating all traffic coming from the private LAN will get assigned the associated WAN IP and appear as public traffic outbound. Return traffic will be tracked back to the private originator.
Remember, this is simply a NAT identification and is NOT routing. In other words this does not tell the router WHERE to send the lan traffic.

The other part of this equation is routing.
This is where my knowledge falters because I recall I think that there is an EASY way to define for each LAN where that traffic should be routed, probably some obscure poorly described Table MAIN type router rule (poorly described for my lack of IT expertise but sufficient for those that know what they are doing).

I am hoping that someone (aka sob, sindy, xvo, czfan, mkx etc......) will fill in the routing hole I have created and fix up any other messes I may have created above.

This stuff is really fun when you don't let it get you frustrated. Make use of the SAFE mode box in Winbox while making changes!!!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 3897
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dual WAN and Dual LAN at the same time

Sat Nov 09, 2019 4:22 pm

First, I would not call what you describe a load balancing configuration, as such name suggests that you want to use the router itself to distribute a common traffic among several network paths.
From your description, the task looks like what is commonly called virtual routing and forwarding (VRF), as you want the WAN1<=>LAN1 traffic to be completely separated from the WAN2<=>LAN2 one.

In this simple form, you don't even need to deal with any firewall rules and other stuff to implement it. Just use the following command:
/ip route vrf add routing-mark=my-vrf-routing-mark interfaces=wan2,lan2
This will cause the packets coming in via these interfaces to get automatically assigned a routing-mark attribute with value my-vrf-routing-mark, so only routes marked with the same value of routing-mark will be used to route them; also the dynamically created routes to any IP subnets attached to these interfaces, and any routes obtained via DHCP or PPPoE (if any of these is used on the WAN interface) will be automatically marked with this routing-mark value.
However, what cannot be made independent is the DNS handling at Mikrotik itself. So if you want the devices connected to LAN2 not to share Mikrotik's DNS cache with devices connected to LAN1, you'll have to configure them with external DNS servers rather than with the address of your Mikrotik. Mikrotik itself will use routes from the main routing table (with no routing-mark assigned), so only WAN1, which means that also all the DNS requests forwarded by the Tik will be sent via WAN1.

@anav, the above is a good starting point to understand the mystery of multiple routing tables, as in this simplified case there are just two of them, and each packet only ever uses one of them.

For more complex scenarios, where the in-interface alone would not be sufficient to choose the routing table, you would have to assign routing marks using /ip firewall mangle rules, based on multiple criteria. This would also allow you to implement various backup and load balancing scenarios (e.g. some critical traffic would be allowed to use both WANs). But of course, in this case things get more complicated really fast, as the separation is not as strict as with VRF and you have to think about routing fallbacks and other stuff.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN at the same time

Sun Nov 10, 2019 1:36 am

Hi Sindy, are you saying that no matter what the OP sets for DNS in the router it will always use WAN1?

I understand if one sets DNS to MT cache DNS or to LANIP the router will use WAN1 regardless.
But by external do you mean set DNS to 1.1.1.1 for example in DHCP settings?
In this case DNS request on LAN2 would go out WAN2 and head for 1.1.1.1???

Okay let's say one never discovered the VRF functionality.
How would the OP configure the router use routing rules..........???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4784
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual WAN and Dual LAN at the same time

Sun Nov 10, 2019 3:19 am

You'd start with default routes in different routing tables, for each WAN. Then you can either mark routing using firewall mangle rules (based on incoming interface), or routing rules would be possible too: select LAN interface as condition and lookup in routing table for selected WAN.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
sindy
Forum Guru
Posts: 3897
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dual WAN and Dual LAN at the same time

Sun Nov 10, 2019 1:09 pm

> Hi Sindy, are you saying that no matter what the OP sets for DNS in the router it will always use WAN1?

What I am saying is nothing more than that the router's own processes such as NTP client, DNS proxy etc. cannot be told to use other routing table than "main" by means of the VRF configuration.
You can use /ip route rule rows and /ip firewall mangle rules to make router-originated packets use other routing tables, but that's beyond the "VRF only" setup.

> I understand if one sets DNS to MT cache DNS or to LANIP the router will use WAN1 regardless.

Correct (in this context where WAN1 is a default gateway interface for routing table "main").

> But by external do you mean set DNS to 1.1.1.1 for example in DHCP settings?
> In this case DNS request on LAN2 would go out WAN2 and head for 1.1.1.1???

Exactly. Because for the router, such packet to 1.1.1.1:53 is nothing special, just another packet to be forwarded.

> Okay let's say one never discovered the VRF functionality.
> How would the OP configure the router use routing rules..........???

The point is that routing rules (and/or mangle rules) alone are not enough. These rules are used to force a particular routing table to be used for the packet, but you first have to build the routing tables to be used. This is no big deal for static routes, you just add routing-mark=xyz to route's parameters when adding it, but dynamically added routes (on all kinds of L3 PPP interfaces and/or on DHCP clients attached to L2 interfaces, which is the vast majority of WANs in the SOHO environment), are always added to the routing table which is a default one for the interface, i.e. the one indicated by the /ip route vrf row or the "main" one. So to move (or duplicate) these routes into another routing table than the one implied by the interface, you need scripting, so yet another can of worms.

So to achieve the same behavior like using VRF, you need
  • a script triggered by the dynamic assignment of IP configuration to WAN2, which creates (or updates, so the script must distinguish between the two cases) a default route in the desired routing table (i.e. labeled with the desired routing-mark) with the gateway IP assigned by the dynamic configuration protocol.
  • /ip firewall mangle rules which assign the desired routing-mark to packets coming in via WAN2 or LAN2:
    /ip firewall mangle
    add chain=prerouting in-interface=WAN2 action=mark-routing new-routing-mark=xxx
    add chain=prerouting in-interface=LAN2 action=mark-routing new-routing-mark=xxx
  • an /ip route rule preventing packets bearing a particular routing-mark from reverting to use of routing table main if no route with the required routing-mark is available (which happens e.g. when WAN2 or LAN2 are down): routing-mark=xxx action=lookup-only-in-table table=xxx
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
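
The fallback that the last bullet in the post above guards against, as an added example that is not part of the original thread: a simplified Python model (not RouterOS code) of routing-table selection by routing mark. The interface names and the mark xxx follow the post; the two default routes, the helper names and the 1.1.1.1 destination used as a sample are constructed for illustration.

```python
import ipaddress

MAIN = "main"
# in-interface -> routing mark, mirroring the two mangle rules in the post
MANGLE = {"WAN2": "xxx", "LAN2": "xxx"}

def lookup(table, dst):
    """Longest-prefix match over the active routes of one table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, out_if, active in table:
        net = ipaddress.ip_network(prefix)
        if active and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, out_if)
    return best[1] if best else None

def route_packet(tables, rules, in_if, dst):
    """Return the egress interface, or None when the packet is unroutable."""
    mark = MANGLE.get(in_if)
    if mark is None:
        return lookup(tables[MAIN], dst)
    out_if = lookup(tables.get(mark, []), dst)
    if out_if is not None:
        return out_if
    if rules.get(mark) == "lookup-only-in-table":
        return None  # strict rule: never fall back to main
    return lookup(tables[MAIN], dst)

def egress(in_if, dst, wan2_up, strict):
    """Build the constructed two-table setup and route one packet."""
    tables = {
        MAIN: [("0.0.0.0/0", "WAN1", True)],
        # the default route in table xxx disappears when WAN2 goes down
        "xxx": [("0.0.0.0/0", "WAN2", wan2_up)],
    }
    rules = {"xxx": "lookup-only-in-table"} if strict else {}
    return route_packet(tables, rules, in_if, dst)

if __name__ == "__main__":
    for strict in (False, True):
        for wan2_up in (True, False):
            print(f"strict={strict} wan2_up={wan2_up}:",
                  egress("LAN2", "1.1.1.1", wan2_up, strict))
```

With WAN2 down and no route rule, the LAN2 packet leaves through WAN1; with the lookup-only-in-table rule it is dropped instead, which is the isolation the original poster asked for.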
 
anav
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN at the same time

Sun Nov 10, 2019 9:06 pm

Okay so basically the mangle plus route rules (mainly to deal with if one route goes down idea..preventing leakage of intended path) plus dns to external DNS IPs and Bob's your uncle.
Makes more sense to me than VRF because VRF = black magic (haven't read up on it so until I do .,.. I feel safer going the long way round) :-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
