ICNIT
just joined
Topic Author
Posts: 5
Joined: Mon May 17, 2021 9:32 am

Different Interface to difference WAN

Mon May 17, 2021 9:38 am

Hi All,

I think it sounds stupid, but I just want to double confirm.

Scenario: Ether1=WAN1, Ether2=WAN2, Ether3,4,5=Bridge (VLAN1, VLAN10, VLAN20, VLAN30).

If I want VLAN1 users to use WAN1, and VLAN10, 20, 30 to use WAN2, is it possible to do this in Firewall > NAT?

Chain: srcnat
Src. address: 172.16.0.0/24 (VLAN1)
Out. Interface: WAN1
Action: masquerade

Chain: srcnat
Src. address: 172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24 (VLAN10, 20, 30)
Out. Interface: WAN2
Action: masquerade

So users in VLAN1 don't share the bandwidth with users in VLAN10, 20, 30.

Is it possible for this to work?

Thanks.
 
rextended
Forum Guru
Posts: 5691
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Different Interface to difference WAN

Mon May 17, 2021 12:21 pm

yes, can
 
sid5632
Member
Posts: 469
Joined: Fri Feb 17, 2017 6:05 pm

Re: Different Interface to difference WAN

Mon May 17, 2021 2:16 pm

> I think it sounds stupid, but I just want to double confirm.

By double-posting in two different forum sections?
 
anav
Forum Guru
Posts: 8367
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Interface to difference WAN

Mon May 17, 2021 2:21 pm

Using firewall rules for routing is not the preferred path because that is not what they are designed/responsible to do.
What firewall rules are intended to do is to ensure you either allow or deny traffic between networks, subnets or devices, in terms of access to/from the router or across the router.

For example, in firewall rules you can say vlan10 you are allowed out wan1 and vlan10 you are not allowed out WAN2, but that doesn't tell VLAN10 where to attempt to go out of the router.
That is done by routes and is where you should delineate where subnet traffic is to BE DIRECTED if that is the requirement.

Firewall rule = where traffic is permitted/denied
Route = where traffic is sent/directed

I hope that makes it clearer, albeit a shitty explanation.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

By the way, do not use vlan1; it is the default vlan to be used with bridges, for example, and thus shouldn't be used for normal vlan traffic.
This article is the best on vlans.....
viewtopic.php?f=23&t=143620

In terms of Routes
It's hard to provide advice as we do not see your current route setup.
/export hide-sensitive file=anynameyouwish.

Typically one has
0.0.0.0/0 gwy of ISP1=x.x.x.x check-gateway=ping distance=5
0.0.0.0/0 gwy of ISP2=y.y.y.y distance=10

Where ISP1 is the primary and if it goes down then the router switches to ISP1.
In this case ISP2 is not used at all except for a backup scenario.

Let's say you have vlans 10, 20, 30 and 31 and you wanted all of them to use WAN1 except vlan 31.
Then the only change required would be the following:

0.0.0.0/0 gwy of ISP1=x.x.x.x check-gateway=ping distance=5
0.0.0.0/0 gwy of ISP2=y.y.y.y distance=10
0.0.0.0/0 gwy of ISP2=y.y.y.y distance=10 routing-mark=wan2-only

Where in your setup you add a second instance of the WAN2 route but add a routing mark and then fill in an associated route rule, with the command of lookup only in table.
As per the diagram, which in effect will take any internet bound traffic for my vlan31 and send it out on WAN2, all the time.

[Attachment: singlevlan.JPG]
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
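
An added example, not part of the thread and not any poster's own configuration: the routing approach described in the post above, applied to the subnets from the opening post (VLAN1 leaves via WAN1 by default, VLAN10/20/30 are forced out WAN2). It uses RouterOS v6 syntax to match the routing-mark in the post; the gateway addresses 192.0.2.1 and 198.51.100.1, the ether1/ether2 WAN ports and the table name are assumptions.

```routeros
# Assumed placeholders (not from the thread):
#   192.0.2.1    = ISP1 gateway on ether1 (WAN1)
#   198.51.100.1 = ISP2 gateway on ether2 (WAN2)
# Subnets are the ones given in the opening post.

/ip route
# Main table: WAN1 is primary, WAN2 is backup only
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=5 check-gateway=ping comment="WAN1 primary"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10 comment="WAN2 backup"
# Separate table that contains nothing but the WAN2 default route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10 routing-mark=wan2-only comment="WAN2 forced"

/ip route rule
# Evaluated top to bottom. Traffic between local subnets must stay in the
# main table (where the connected routes live); without this rule,
# inter-VLAN traffic from VLAN10/20/30 would be sent out WAN2.
add dst-address=172.16.0.0/16 action=lookup-only-in-table table=main
# Everything else sourced from VLAN10/20/30 is resolved only in wan2-only.
# lookup-only-in-table means no fallback to WAN1 if WAN2 is down;
# action=lookup would fall through to the main table instead.
add src-address=172.16.10.0/24 action=lookup-only-in-table table=wan2-only
add src-address=172.16.20.0/24 action=lookup-only-in-table table=wan2-only
add src-address=172.16.30.0/24 action=lookup-only-in-table table=wan2-only

/ip firewall nat
# NAT does not choose the WAN; it only translates the source address on
# whichever WAN interface the routing decision already selected.
add chain=srcnat out-interface=ether1 action=masquerade comment="src-nat WAN1"
add chain=srcnat out-interface=ether2 action=masquerade comment="src-nat WAN2"
```

VLAN1 (172.16.0.0/24) needs no rule of its own because it follows the main table. RouterOS v7 replaces routing-mark on routes with routing tables defined under /routing table, so this syntax applies to v6 only.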
 
rextended
Forum Guru
Posts: 5691
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Different Interface to difference WAN

Mon May 17, 2021 2:33 pm

>>> Route = where traffic is sent/directed

also do routing for private IP (172.16.0.0....172.31.255.255) on the Internet without masquerading?
 
anav
Forum Guru
Posts: 8367
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Interface to difference WAN

Tue May 18, 2021 12:50 am

Not sure what you are getting at, but one can have the standard source-nat rule in place, or two standard rules, which I prefer.

Two rules for sourcenat
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT FOR WAN1" \
    ipsec-policy=out,none out-interface=wan1interface
add action=masquerade chain=srcnat comment="SCR_NAT for WAN2" \
    ipsec-policy=out,none out-interface=wan2interface

Single rule for sourcenat
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT FOR BOTH WANS" \
    ipsec-policy=out,none out-interface-list=WAN

where the interface list members would include
/interface list
add name=WAN
/interface list member
add interface=wan1 list=WAN
add interface=wan2 list=WAN

Note: I don't stipulate the etherport in the above rules (single or dual), as if one uses pppoe or a vlan, that is what is required and same goes for list members. I always put the etherport as well for completeness on the interface list members.
 
rextended
Forum Guru
Posts: 5691
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Different Interface to difference WAN

Tue May 18, 2021 12:57 am

I really think that the misunderstanding arose from the fact that I have to imagine the configuration,
because without seeing any graphics or /export, only the imagination remains...
 
anav
Forum Guru
Posts: 8367
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Interface to difference WAN

Tue May 18, 2021 1:07 am

> I really think that the misunderstanding arose from the fact that I have to imagine the configuration,
> because without seeing any graphics or /export, only the imagination remains...

Yes, best not to speculate and ask for network diagram and /export config...............
I simply went by his first line and question, which seemed like a routing question to me and something I don't use firewalls for as a direct approach.
 
ICNIT
just joined
Topic Author
Posts: 5
Joined: Mon May 17, 2021 9:32 am

Re: Different Interface to difference WAN

Tue May 18, 2021 3:52 am

>> I think it sounds stupid, but I just want to double confirm.
> By double-posting in two different forum sections?

So sorry, I didn't know I posted twice, because when I posted this it gave me an error, then I went to another to post again.
First time here posting a thread.
 
ICNIT
just joined
Topic Author
Posts: 5
Joined: Mon May 17, 2021 9:32 am

Re: Different Interface to difference WAN

Tue May 18, 2021 4:03 am

> Using firewall rules for routing is not the preferred path because that is not what they are designed/responsible to do.
> What firewall rules are intended to do is to ensure you either allow or deny traffic between networks, subnets or devices, in terms of access to/from the router or across the router.
>
> For example, in firewall rules you can say vlan10 you are allowed out wan1 and vlan10 you are not allowed out WAN2, but that doesn't tell VLAN10 where to attempt to go out of the router.
> That is done by routes and is where you should delineate where subnet traffic is to BE DIRECTED if that is the requirement.
>
> Firewall rule = where traffic is permitted/denied
> Route = where traffic is sent/directed
>
> I hope that makes it clearer, albeit a shitty explanation.
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> By the way, do not use vlan1; it is the default vlan to be used with bridges, for example, and thus shouldn't be used for normal vlan traffic.
> This article is the best on vlans.....
> viewtopic.php?f=23&t=143620
>
> In terms of Routes
> It's hard to provide advice as we do not see your current route setup.
> /export hide-sensitive file=anynameyouwish.
>
> Typically one has
> 0.0.0.0/0 gwy of ISP1=x.x.x.x check-gateway=ping distance=5
> 0.0.0.0/0 gwy of ISP2=y.y.y.y distance=10
>
> Where ISP1 is the primary and if it goes down then the router switches to ISP1.
> In this case ISP2 is not used at all except for a backup scenario.
>
> Let's say you have vlans 10, 20, 30 and 31 and you wanted all of them to use WAN1 except vlan 31.
> Then the only change required would be the following:
>
> 0.0.0.0/0 gwy of ISP1=x.x.x.x check-gateway=ping distance=5
> 0.0.0.0/0 gwy of ISP2=y.y.y.y distance=10
> 0.0.0.0/0 gwy of ISP2=y.y.y.y distance=10 routing-mark=wan2-only
>
> Where in your setup you add a second instance of the WAN2 route but add a routing mark and then fill in an associated route rule, with the command of lookup only in table.
> As per the diagram, which in effect will take any internet bound traffic for my vlan31 and send it out on WAN2, all the time.
>
> [Attachment: singlevlan.JPG]

[Attachment: Config.png]
Sorry, I'm still new to MikroTik and networking.
Here is my configuration; it's just a very simple config.
The reason I asked the original question is that my client has 2 x 1Gbps WAN with static public IP.
They want to make use of these 2 x 1Gbps to get 2Gbps bandwidth.
I have done bonding before, but it doesn't work; the ISP site also doesn't create bonding at their end for us.
We requested the ISP to create bonding at their end, but they replied suggesting we use BGP.
From what I googled, BGP is normally used by ISPs, not by normal end users like us.

That's why this scenario came to my mind: why not split different networks to use different WANs?
 
anav
Forum Guru
Posts: 8367
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Interface to difference WAN

Tue May 18, 2021 4:18 am

Yes for bonding to work I believe the ISP has also to do their bit at their end.
I am not familiar with BGP but others here may be.
https://help.mikrotik.com/docs/pages/vi ... eId=328220
 
ICNIT
just joined
Topic Author
Posts: 5
Joined: Mon May 17, 2021 9:32 am

Re: Different Interface to difference WAN

Tue May 18, 2021 4:41 am

> Yes for bonding to work I believe the ISP has also to do their bit at their end.
> I am not familiar with BGP but others here may be.
> https://help.mikrotik.com/docs/pages/vi ... eId=328220

But the ISP doesn't allow it, or they are too lazy to do that.

I have a doubt: will load balancing make the bandwidth increase? It can't, right?
 
anav
Forum Guru
Posts: 8367
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Interface to difference WAN

Tue May 18, 2021 12:58 pm

>> Yes for bonding to work I believe the ISP has also to do their bit at their end.
>> I am not familiar with BGP but others here may be.
>> https://help.mikrotik.com/docs/pages/vi ... eId=328220
> But the ISP doesn't allow it, or they are too lazy to do that.
>
> I have a doubt: will load balancing make the bandwidth increase? It can't, right?

Correct, one person will not be able to access 2gig in one session. The most any one session will be able to utilize is 1gig.
However, you have more bandwidth to distribute to the users.