acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Dual External IPs, multiple subnets

Tue May 18, 2021 5:44 am

Hi everyone,

I'm in need of some help. My ISP provides two IP addresses - each being provided by DHCP from their modem, one IP coming from port 1 on the modem, the other IP coming from port 2.

On the MikroTik router (CCR2004-1G-12S) I'd like to configure various IP ranges/subnets so that machines on one subnet reach the internet via IP1, and other subnets access the internet via IP2.

Right now, I have configured internal network services to be provided from IP1, however I am not sure how to go about configuring a second connection from the same router providing service to a different range of IPs.

I'm not a networking expert (however have been learning), so I genuinely value any input to help solve this one.

Thank you!!
interface bridge
add name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=nuroWAN speed=10Gbps
set [ find default-name=sfp-sfpplus1 ] name=portLAN01
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=10.0.2.100-10.0.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=dhcp1
/interface bridge port
add bridge=bridge-LAN interface=portLAN01
/interface list member
add interface=nuroWAN list=WAN
add interface=bridge-LAN list=LAN
/ip address
add address=10.0.0.1/16 interface=portLAN01 network=10.0.0.0
/ip dhcp-client
add disabled=no interface=nuroWAN
/ip dhcp-server network
add address=10.0.0.0/16 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=16 \
    ntp-server=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!10.0.0.0/16 out-interface=\
    nuroWAN src-address=10.0.0.0/16
add action=masquerade chain=srcnat out-interface=nuroWAN
 
DeJoe
newbie
Posts: 33
Joined: Thu May 31, 2018 4:26 pm

Re: Dual External IPs, multiple subnets

Wed May 19, 2021 7:45 am

Hi.

If both IP addresses are static, I would do it like this:

Add a DHCP client on ether2 and disable "add default route" on both DHCP clients. Then add manual routes for both IP addresses.
Then add a mangle rule to mark the specific traffic to be routed via the second route, and change the route accordingly.

If you need a more detailed explanation, please ask.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Wed May 19, 2021 9:42 am

Hi DeJoe,

Thanks for the reply. One of the IPs is static, the other is dynamic - however, the ISP is providing each IP via DHCP, so as far as I can tell, it shouldn't make a difference. The idea is to group servers behind the static IP, and wifi guests/desktops behind the non-static IP.

I'll give what you suggested a try!
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Thu Jun 03, 2021 9:59 am

Hi,

I'm having trouble setting this up - I've simplified the config as much as possible & set up a sandbox environment thanks to the VM offered by Mikrotik.

My setup is really simple.

Basically, I'd like traffic coming from 10.3.4.0/23 to be sent out of bridge local1 / ether3 interface and traffic coming from 10.3.6.0/23 to be sent out of bridge local2 / ether4

Both ether3 and ether4 are being handed out DHCP IPs from the ISP.

Could someone please help?
/interface bridge
add name=local1
add name=local2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.3.4.2-10.3.5.254
add name=dhcp_pool1 ranges=10.3.6.2-10.3.6.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=local2 name=dhcp2
/interface bridge port
add bridge=local1 interface=ether3
add bridge=local2 interface=ether4
/ip address
add address=10.3.4.1/23 interface=local1 network=10.3.4.0
add address=10.3.6.1/23 interface=local2 network=10.3.6.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=wan2 passthrough=no src-address=10.3.6.0/23
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.3.4.0/23
add action=masquerade chain=srcnat out-interface=ether2 src-address=10.3.6.0/23
/ip route
add distance=1 gateway=local2 routing-mark=wan2
/ip route rule
add dst-address=0.0.0.0/0 src-address=10.3.6.0/23 table=wan2
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Thu Jun 03, 2021 11:15 am

Here is an updated config:

I am able to get connectivity to the outside world under 10.3.6.0/23, however for machines under 10.3.4.0/23, I can't reach anything.

Thanks for your help!
/interface bridge
add name=local1
add name=local2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.3.4.2-10.3.5.254
add name=dhcp_pool1 ranges=10.3.6.2-10.3.7.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=local2 name=dhcp2
/interface bridge port
add bridge=local1 interface=ether3
add bridge=local2 interface=ether4
/ip address
add address=10.3.4.1/23 interface=local1 network=10.3.4.0
add address=10.3.6.1/23 interface=local2 network=10.3.6.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add add-default-route=no disabled=no interface=ether2
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.3.4.0/23
add action=masquerade chain=srcnat out-interface=ether2 src-address=10.3.6.0/23
/ip route
add distance=1 gateway=10.0.0.1 routing-mark=wan1
add distance=1 gateway=10.0.0.1 routing-mark=wan2
/ip route rule
add src-address=10.3.4.0/23 table=wan1
add src-address=10.3.6.0/23 table=wan2
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual External IPs, multiple subnets

Thu Jun 03, 2021 7:11 pm

Simplify.
Only need one bridge.

you have two different subnets on two different ports.
So put both on the bridge.
I am not 100% sure if putting both on the bridge will allow layer 2 access between them.
If that is an issue only put one subnet on the bridge.

Use firewall rules to separate the two subnets at layer 3.

As far as mangling goes, you don't need it; you have found the right mechanism for your scenario.
It should work.

The problem is that the gateway is identical and thus there is no way to move traffic to the right WAN IP... will think on this.
That is besides the missing ACTION entry in the route rules, and of course you need the standard main table entries.

add distance=1 gateway=10.0.0.1 routing-mark=wan1
add distance=1 gateway=10.0.0.1 routing-mark=wan2

Are you sure the gateway is the same??? It makes little sense to me that you have
a. one dynamic IP
b. one static IP
from the same provider through the same gateway.

Sounds fishy to me.
If the ISP is providing a static IP, typically one needs an IP address entry and not a DHCP client entry for that ether port??
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add add-default-route=no disabled=no interface=ether2
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Fri Jun 04, 2021 5:29 am

Hi Anav,

Thank you so much for your reply.

My ISP does provide two WAN IPs, however I am attempting to simulate the environment in a virtualized environment first. The two "WAN" IPs are bridged adapters within VMWare.

As far as I know that shouldn't make a difference, and I should be able to direct traffic to either adapter based on the subnet the VMs are in; however, as you pointed out, I am not familiar with how to do this since the two adapters share the same gateway.

Any thoughts?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual External IPs, multiple subnets

Fri Jun 04, 2021 6:19 am

Well, my thoughts are: let us know how your ISP actually handles it; there is no use setting up a lab environment that is not accurate.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Fri Jun 04, 2021 6:40 am

Basically the ISP hands out two IPs via their modem/router:

WAN1: static public IP
WAN2: dynamic public IP

For some subnets I'd like traffic to go out of WAN1, for other subnets traffic to go out through WAN2.

We're a small company, and testing on production equipment is, well, not a good idea. So my best solution (so far) has been to test things out in VMs.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Fri Jun 04, 2021 7:24 am

I think I've solved it:

I added a separate VM to act as a fake gateway so that MikroTik could now distinguish between gateways under the /ip route section.
/interface bridge
add name=local1
add name=local2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.3.4.2-10.3.5.254
add name=dhcp_pool1 ranges=10.3.6.2-10.3.7.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=local2 name=dhcp2
/interface bridge port
add bridge=local1 interface=ether3
add bridge=local2 interface=ether4
/ip address
add address=10.3.4.1/23 interface=local1 network=10.3.4.0
add address=10.3.6.1/23 interface=local2 network=10.3.6.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add add-default-route=no disabled=no interface=ether2
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.3.4.0/23
add action=masquerade chain=srcnat out-interface=ether2 src-address=10.3.6.0/23
/ip route
add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1
/ip route rule
add src-address=10.3.4.0/23 table=wan1
add src-address=10.3.6.0/23 table=wan2
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Fri Jun 04, 2021 11:02 am

I wrote too soon.

The machines can indeed reach the outside world via separate interfaces, but are unable to ping their gateways/internal resources. I've tried similar steps as above in terms of manually entering routes, but no success. Any idea(s)?

Cannot ping gateway from client:
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1
Can ping these gateways from client:
add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual External IPs, multiple subnets

Fri Jun 04, 2021 2:25 pm

Yes, you forgot the basic rule that all routes must exist in the main table in addition to the specialized rules.

Thus this
/ip route
add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1


should look like this
/ip route
add distance=1 gateway=192.168.88.1
add distance=1 gateway=10.0.0.1
add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Sat Jun 05, 2021 4:47 am

Yes you forgot the basic rule, that all routes must exist in main table in addition to specialized rules.
should look like this
/ip route
add distance=1 gateway=192.168.88.1
add distance=1 gateway=10.0.0.1
add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1
Unfortunately that didn't do the trick:


I tried setting the destination address to 10.3.4.0/23 and/or 10.3.6.0/23 as well as setting a routing mark for lan1; I was still unable to ping internal resources.

e.g. client 10.3.4.5 can reach Google outside, but can't reach anything under 10.3.4.0/23.

If I disable the two other routes with the routing marks 'wan2' or 'wan1', the clients can reach internal IPs just fine, but nothing on the internet.

thanks for your help!
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Sun Jun 06, 2021 4:41 am

bumping this thread. could really use some help :)

I am able to split the traffic between interfaces & different subnets can reach the outside world via separate interfaces, however machines in these subnets cannot reach internal resources.

e.g. 10.3.4.5 cannot ping 10.3.4.1

If I disable:

add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1

I can reach internal IPs just fine.

If I set for example

/ip route rule
add src-address=10.3.4.0/23 dst-address=google,facebook,whatever table=wan1

Then I can reach both internal IPs & google, but I can't build a trillion rules for all the websites on the internet.

Been scratching my head over the past few days on this one. Please help!!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual External IPs, multiple subnets

Sun Jun 06, 2021 2:58 pm

e.g. 10.3.4.5 cannot ping 10.3.4.1

You mean 10.3.4.5 cannot ping 10.3.6.8 for example ( the one above was within the same subnet LOL )

The fact of the matter is that it should, and the issue is that you are using a fake environment which is causing the issue, or you have PC firewalls blocking traffic.
Nothing set on the router is causing the above problem.

As I've stated before, this
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1
should look like
THIS
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1 dns-server=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1 dns-server=10.3.6.1

and allow IP DNS remote requests.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Mon Jun 07, 2021 5:22 am

Thanks for your reply
e.g. 10.3.4.5 cannot ping 10.3.4.1

You mean 10.3.4.5 cannot ping 10.3.6.8 for example ( the one above was within the same subnet LOL )
No, I meant what I wrote lol .. 10.3.4.5 cannot ping 10.3.4.1 once the routing marks are enabled.

add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1

If I disable them, from the clients I can ping anything internal - which leads me to believe it's not a firewall issue on any of the clients.

The fact of the matter is that it should, and the issue is that you are using a fake environment which is causing the issue, or you have PC firewalls blocking traffic.
Nothing set on the router is causing the above problem.
You are right, the fake environment isn't ideal; however, I am working remotely and cannot jump over to the router if a mistake has been made. Thus I need to get the config working properly in a test environment before moving it over to production. If anyone has advice for a better/more accurate test environment, I'd certainly appreciate it! The Cloud Hosted Router VM image offered by MikroTik has been a godsend so far for other issues I've had!

As I've stated before, this
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1
should look like
THIS
/ip dhcp-server network
add address=10.3.4.0/23 gateway=10.3.4.1 dns-server=10.3.4.1
add address=10.3.6.0/23 gateway=10.3.6.1 dns-server=10.3.6.1

and allow IP DNS remote requests.
I've tried these configs multiple times & variations of them, no such luck unfortunately!

Perhaps someone else could chime in? :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual External IPs, multiple subnets

Mon Jun 07, 2021 1:45 pm

Yes, but you keep going back to incorrect configs instead of keeping what I give you. For instance, this is wrong.

/ip route
add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1
/ip route rule
add src-address=10.3.4.0/23 table=wan1
add src-address=10.3.6.0/23 table=wan2

It needs to be this.......
add distance=1 gateway=192.168.88.1
add distance=1 gateway=10.0.0.1

add distance=1 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1 routing-mark=wan1
/ip route rule
add src-address=10.3.4.0/23 table=wan1 Action: Lookup in table
add src-address=10.3.6.0/23 table=wan2 Action: lookup in table

As for two devices not being able to ping each other IN THE SAME SUBNET, that has nothing to do with routing.

Please post complete config after making changes.
 
acte28
newbie
Topic Author
Posts: 30
Joined: Mon Nov 23, 2020 4:38 am

Re: Dual External IPs, multiple subnets

Tue Jun 08, 2021 1:58 am

Hi Anav,

When I add in

add distance=1 gateway=192.168.88.1
add distance=1 gateway=10.0.0.1

In Winbox, the entry 0.0.0.0/0 reachable ether2 gets highlighted in blue.

For this section:
add src-address=10.3.4.0/23 table=wan1 Action: Lookup in table
add src-address=10.3.6.0/23 table=wan2 Action: lookup in table

I can confirm that in Winbox as well as on the command line there are two options, both 'Lookup' and 'Lookup only in table'; however, when outputting the config after keying in the entries you've suggested, that portion is not reflected.

/ip route rule
add src-address=10.3.4.0/23 table=wan1
add src-address=10.3.6.0/23 table=wan2

Perhaps it is a limitation of the Cloud Hosted Router image provided by MikroTik...

This is my complete config:
/interface bridge
add name=local1
add name=local2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.3.4.2-10.3.5.254
add name=dhcp_pool1 ranges=10.3.6.2-10.3.7.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=local1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=local2 name=dhcp2
/interface bridge port
add bridge=local1 interface=ether3
add bridge=local2 interface=ether4
/ip address
add address=10.3.4.1/23 interface=local1 network=10.3.4.0
add address=10.3.6.1/23 interface=local2 network=10.3.6.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add add-default-route=no disabled=no interface=ether2
/ip dhcp-server network
add address=10.3.4.0/23 dns-server=10.3.4.1 gateway=10.3.4.1
add address=10.3.6.0/23 dns-server=10.3.6.1 gateway=10.3.6.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.3.4.0/23
add action=masquerade chain=srcnat out-interface=ether2 src-address=10.3.6.0/23
/ip route
add distance=1 gateway=10.0.0.1 routing-mark=wan1
add disabled=yes distance=2 gateway=10.0.0.1 routing-mark=wan1
add distance=1 gateway=192.168.88.1 routing-mark=wan2
add disabled=yes distance=2 gateway=192.168.88.1 routing-mark=wan2
add distance=1 gateway=10.0.0.1
add distance=1 gateway=192.168.88.1
/ip route rule
add src-address=10.3.4.0/23 table=wan1
add src-address=10.3.6.0/23 table=wan2
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual External IPs, multiple subnets

Tue Jun 08, 2021 1:54 pm

Correct, the second route in the main table will be in blue, as the router only chooses one route in the main table as being reachable at a time.
If that route became unreachable, then the other route would turn black.
However, that's the main table; you are using different tables and the traffic should flow, regardless of what table main is displaying.

Just for giggles, prove it to yourself by DISABLING the first route and the second route should turn black.
IF it does not then there is something wrong with your connection to that WAN.

I would remove the source address from here...
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.3.4.0/23
add action=masquerade chain=srcnat out-interface=ether2 src-address=10.3.6.0/23

Not really required; adding a source address here has nothing to do with routing, if that was the intention.
Also, if for some reason during the day or for some period of time ISP1 was down and your routing moved traffic to the available route, your masquerade rule would phuck it up.
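The symptom the thread circles around (10.3.4.5 reaching Google but not 10.3.4.1 once the marked routes are enabled) comes from the route rules matching on source only: every destination from that subnet, internal ones included, is looked up in a table that holds nothing but a default route, while the connected LAN routes live only in main. The model below is an added illustration, not RouterOS code and not a config from the thread; the tables mirror the /ip route section of the complete config posted above, and the dst-address rule in FIXED_RULES is an assumed remedy (a destination-based rule for the internal prefixes, looked up in main, placed before the source rules) that the thread itself does not arrive at.

```python
"""Constructed model of RouterOS v6 route-rule evaluation (not RouterOS code)."""
from ipaddress import ip_address, ip_network

# Route tables as (prefix, next hop) pairs, mirroring the thread's config:
# connected LAN routes exist only in main; wan1/wan2 hold just the marked
# default routes.
TABLES = {
    "main": [("10.3.4.0/23", "connected local1"),
             ("10.3.6.0/23", "connected local2"),
             ("0.0.0.0/0", "10.0.0.1 via ether1")],
    "wan1": [("0.0.0.0/0", "10.0.0.1 via ether1")],
    "wan2": [("0.0.0.0/0", "192.168.88.1 via ether2")],
}

# Route rules as posted in the thread: match on source only, default action
# "lookup" (try the table, fall through to later rules / main on no match).
THREAD_RULES = [
    {"src": "10.3.4.0/23", "table": "wan1", "action": "lookup"},
    {"src": "10.3.6.0/23", "table": "wan2", "action": "lookup"},
]

# Assumed remedy, not from the thread: anything bound for the internal prefixes
# (10.3.4.0/22 covers both /23 LANs) is resolved in main before the source
# rules get a chance to push it towards a WAN table.
FIXED_RULES = [
    {"dst": "10.3.4.0/22", "table": "main", "action": "lookup-only-in-table"},
] + THREAD_RULES


def longest_match(table, dst):
    """Return the next hop of the most specific route in `table` for dst, or None."""
    best = None
    for prefix, nexthop in TABLES[table]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def route(rules, src, dst):
    """Walk the rules top to bottom and return (table, next hop).

    "lookup" falls through when its table has no matching route;
    "lookup-only-in-table" stops either way (None = unreachable);
    traffic matched by no rule ends up in main, as on the router.
    """
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if "src" in rule and src not in ip_network(rule["src"]):
            continue
        if "dst" in rule and dst not in ip_network(rule["dst"]):
            continue
        hop = longest_match(rule["table"], dst)
        if hop is not None or rule["action"] == "lookup-only-in-table":
            return rule["table"], hop
    return "main", longest_match("main", dst)


if __name__ == "__main__":
    for rules, label in ((THREAD_RULES, "thread"), (FIXED_RULES, "fixed")):
        for src, dst in (("10.3.4.5", "10.3.4.1"), ("10.3.4.5", "10.3.6.8"),
                         ("10.3.4.5", "8.8.8.8"), ("10.3.6.9", "8.8.8.8")):
            print(label, src, "->", dst, route(rules, src, dst))
```

With THREAD_RULES a packet from 10.3.4.5 to 10.3.4.1 resolves to the wan1 default route, i.e. it is sent towards ether1 instead of being handled locally, which is the observed symptom; with FIXED_RULES the same packet resolves to the connected route in main while internet-bound traffic from each LAN still leaves via its own WAN.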
