akarpas
Member Candidate
Topic Author
Posts: 179
Joined: Tue Mar 20, 2018 4:46 pm

dual wan

Mon Jun 28, 2021 8:50 pm

Hi guys,

testing this config of dual WAN:
Before detailed example overview, in a setup where we have private IP addresses behind the public IP, we should configure source NAT:

/ip/firewall/nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=ether2
Let's start with marking traffic with a firewall mangle rule, so we will have everything preconfigured when we go to the routing section:

/ip/firewall/mangle
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn out-interface=ether1
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1 out-interface=ether1
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn out-interface=ether2
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2 out-interface=ether2
We will split the routing configuration into three parts. First, we will configure Host1 and Host2 as a destination address in the routing section:

/ip/route/
add dst-address=8.8.8.8 scope=10 gateway=10.111.0.1
add dst-address=8.8.4.4 scope=10 gateway=10.112.0.1
Now configure routes that will be resolved recursively, so they will only be active when they are reachable with ping:

/ip/route/
add distance=1 gateway=8.8.8.8 routing-mark=to_ISP1 check-gateway=ping
add distance=2 gateway=8.8.4.4 routing-mark=to_ISP1 check-gateway=ping
Configure similar recursive routes for the second gateway:

/ip/route/
add distance=1 gateway=8.8.4.4 routing-mark=to_ISP2 check-gateway=ping
add distance=2 gateway=8.8.8.8 routing-mark=to_ISP2 check-gateway=ping

This is my export:
# jun/28/2021 18:34:35 by RouterOS 6.48.3
# software id = IM7U-W6RH
#
# model = RB4011iGS+
# serial number = D4440C2E2717
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.201.100-192.168.201.253
/ip dhcp-server
add add-arp=yes address-pool=pool1 disabled=no interface=bridge1 name=server1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3 multicast-router=disabled
add bridge=bridge1 interface=ether4 multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.10.10.2/30 interface=ether1-WAN network=10.10.10.0
add address=192.168.201.254/24 interface=bridge1 network=192.168.201.0
add address=10.10.10.6/30 interface=ether2-WAN2 network=10.10.10.4
/ip dhcp-server network
add address=192.168.201.0/24 dns-server=192.168.201.254 gateway=\
192.168.201.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether2-WAN2 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether2-WAN2 protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=500,1701,1723,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1-WAN
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether2-WAN2
add action=accept chain=forward comment="IPSec IN" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSec OUT" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-WAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether2-WAN2
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP1_conn out-interface=\
ether1-WAN
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1 out-interface=ether1-WAN
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=ISP2_conn out-interface=\
ether2-WAN2
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2 out-interface=ether2-WAN2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\
192.168.201.0/24
add action=masquerade chain=srcnat out-interface=ether2-WAN2 src-address=\
192.168.201.0/24
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=to_ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=to_ISP2
add disabled=yes distance=5 gateway=10.10.10.5
add distance=1 dst-address=8.8.4.4/32 gateway=10.10.10.5 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=10.10.10.1 scope=10
/system clock
set time-zone-name=Europe/Dublin

This configuration doesn't work for me! All I can do is ping Google, that's it :)
Any advice welcome and appreciated!
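As an added example that is not part of the post or of MikroTik's documentation: a small Python audit that parses RouterOS 6 export syntax (the constructed sample below is trimmed from the export above, with its backslash line continuations kept) and flags three things a reviewer would check first. Mark-routing rules that exist only in the output chain match router-originated packets, so forwarded LAN traffic never receives a routing mark; the main table then needs an enabled default route for that unmarked traffic, and here the only candidate is disabled; and input-chain accept rules on a port that carry no interface or source restriction and sit above the "drop all from WAN" rule are reachable from both WAN links (the 8291/tcp accept exposes Winbox that way, while the 500/1701/1723/4500 accepts are presumably intended for VPN and need a human decision). The function names and finding wording are this example's own, not RouterOS terms.

```python
"""Audit a RouterOS v6 export for policy-routing marks that never reach
forwarded traffic and for input-chain accepts that are not interface-limited."""
import re

# Constructed sample: relevant sections of the export from the post, trimmed.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=500,1701,1723,4500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1-WAN
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=ISP1_conn out-interface=\
    ether1-WAN
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1 out-interface=ether1-WAN
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add disabled=yes distance=5 gateway=10.10.10.5
add distance=1 dst-address=8.8.8.8/32 gateway=10.10.10.1 scope=10
"""

# key=value tokens; values may be double-quoted strings containing spaces
TOKEN = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def join_continuations(text):
    """RouterOS exports wrap long lines with a trailing backslash; glue them back."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # keep any space before the backslash
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_export(text):
    """Return {section name: [rule dict, ...]} for every 'add' line."""
    sections, current = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line.strip("/").strip()
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            rule = {k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
            sections[current].append(rule)
    return sections


def is_main_default_route(route):
    """Enabled route for 0.0.0.0/0 with no routing-mark, i.e. usable by unmarked traffic."""
    return (route.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"
            and "routing-mark" not in route
            and route.get("disabled", "no") != "yes")


def audit(sections):
    """Return a list of human-readable findings (empty list means nothing flagged)."""
    findings = []

    # 1. mark-routing only in chain=output: forwarded (LAN) packets are never marked
    marks = [r for r in sections.get("ip firewall mangle", [])
             if r.get("action") == "mark-routing"]
    if marks and all(r.get("chain") == "output" for r in marks):
        findings.append("mark-routing only in chain=output: forwarded LAN traffic "
                        "gets no routing mark (prerouting rules would be needed)")

    # 2. unmarked traffic falls back to the main table, which needs a default route
    if not any(is_main_default_route(r) for r in sections.get("ip route", [])):
        findings.append("no enabled default route in the main table for unmarked traffic")

    # 3. port accepts on input that precede the WAN drop and have no restriction
    rules = sections.get("ip firewall filter", [])
    wan_drop = next((i for i, r in enumerate(rules)
                     if r.get("chain") == "input" and r.get("action") == "drop"
                     and "in-interface" in r and "dst-port" not in r
                     and "protocol" not in r), len(rules))
    restrict = ("in-interface", "in-interface-list", "src-address", "src-address-list")
    for i, r in enumerate(rules[:wan_drop]):
        if (r.get("chain") == "input" and r.get("action") == "accept"
                and "dst-port" in r and not any(k in r for k in restrict)):
            findings.append(f"input accept for {r.get('protocol', 'any')}/{r['dst-port']} "
                            "precedes the WAN drop and is reachable from every interface")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

The audit is deliberately order-aware only for the third check: an accept is terminal, so an unrestricted accept above the "drop all from WAN" rule wins for packets arriving on either WAN interface, while the same accept placed below that drop would only apply to LAN-side packets. Run it against a full `/export` to get a review list, not a verdict; the VPN port accepts in particular may be exactly what the operator wants.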
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dual wan

Mon Jun 28, 2021 9:37 pm

 
akarpas
Member Candidate
Topic Author
Posts: 179
Joined: Tue Mar 20, 2018 4:46 pm

Re: dual wan

Mon Jun 28, 2021 11:51 pm
