himanshu7it
just joined
Topic Author
Posts: 7
Joined: Thu Jan 16, 2020 5:05 pm

Can't reach Winbox if Dual WAN in failover mode

Tue Jul 20, 2021 9:36 pm

Hello,
I'm having problems in configuring rb3011.
I have WAN1 (10mbps) which is a Leased Line with static public IP and WAN2 (500mbps) which is fiber connection with dynamic IP.
I have configured the WAN2 to provide internet on LAN with Distance 1 and WAN 1 with Distance 2. No mangle rules.
The problem is that I am unable to connect to winbox using the WAN1 public IP from outside the network, as WAN2 is working as the primary Internet gateway (route distance 1). If I put WAN1 as the primary gateway by changing the route distance to 1 then I am able to connect to winbox, but the LAN speed gets slow as the internet changes to the 10mbps gateway.

I just want to be able to connect to winbox from WAN1 using the public IP while LAN users get internet from WAN2. I don't need load balancing but need failover just in case. Please, I would be very grateful if someone could provide a solution. Thanks.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Can't reach Winbox if Dual WAN in failover mode  [SOLVED]

Wed Jul 21, 2021 12:49 pm

You need to use mangle and route.

Use mangle to mark the incoming connection on the 2nd priority connection.

Then you need a routing rule to send that connection BACK OUT the same connection it came in.

Right now... if you came in over 2, the router would by default try to reply over 1, breaking the connection.
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 1:21 pm

 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 2:09 pm

I am confused, are you trying to use winbox from within the LAN or externally via the WAN?
 
himanshu7it
just joined
Topic Author
Posts: 7
Joined: Thu Jan 16, 2020 5:05 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 3:49 pm

I am confused, are you trying to use winbox from within the LAN or externally via the WAN?
I am trying to connect to it from the WAN side.
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 3:58 pm

I am confused, are you trying to use winbox from within the LAN or externally via the WAN?
He's not marking incoming packets from WAN interfaces and routing them back to the origin interface.
 
himanshu7it
just joined
Topic Author
Posts: 7
Joined: Thu Jan 16, 2020 5:05 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 4:25 pm

I tried the PCC method but as both WANs are insanely unequal, it failed, giving decreased bandwidth for LAN usage. That's why I figured to use WAN 1 for connecting to winbox & VPN from outside the network and WAN 2 for the LAN.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 5:29 pm

My point is I do not condone connecting to winbox from the outside unless it's via VPN or a decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 5:35 pm

I tried the PCC method but as both WANs are insanely unequal, it failed, giving decreased bandwidth for LAN usage. That's why I figured to use WAN 1 for connecting to winbox & VPN from outside the network and WAN 2 for the LAN.
You clearly did the PCC/Nth combo wrong then. If bandwidth is unequal, simply divide the traffic further, like 20% goes to ISP1 and 80% goes to ISP2.

What a messed up configuration yours is, dude.
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 5:35 pm

My point is I do not condone connecting to winbox from the outside unless it's via VPN or a decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
I open up Winbox to WAN with filter rules accepting only specific src address list, works fine. Good luck hacking that.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 5:52 pm

@DarkNate... It's too easy for you to say that... you're not the OP...
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 6:07 pm

@DarkNate... It's too easy for you to say that... you're not the OP...
I've used PCC/Nth combo for 5 WAN interfaces each with a different bandwidth allocation. It works well if done right.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 6:08 pm

It's about "Good luck hacking that.", not the WAN ;)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 8:34 pm

My point is I do not condone connecting to winbox from the outside unless it's via VPN or a decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
I open up Winbox to WAN with filter rules accepting only specific src address list, works fine. Good luck hacking that.
You have no business promoting an unsafe method for new users, or any user for that matter, to access the router without appropriate security.
A source address list is nice but is not security but obscurity, as any IP address can be spoofed...
Not my business to tell you what to do with your own system, but sure as heck not going to be quiet when you advise others so negligently.

Would fully expect to be corrected if I did the same disservice to other OPs...
 
himanshu7it
just joined
Topic Author
Posts: 7
Joined: Thu Jan 16, 2020 5:05 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 9:37 pm

I tried the PCC method but as both WANs are insanely unequal, it failed, giving decreased bandwidth for LAN usage. That's why I figured to use WAN 1 for connecting to winbox & VPN from outside the network and WAN 2 for the LAN.
You clearly did the PCC/Nth combo wrong then. If bandwidth is unequal, simply divide the traffic further, like 20% goes to ISP1 and 80% goes to ISP2.

What a messed up configuration yours is, dude.
I followed some videos on YouTube.. I guess I missed something. I'll follow the link you have provided and reconfigure my rb. Then I'll come back with the results. Thanks for your help 🤠
 
himanshu7it
just joined
Topic Author
Posts: 7
Joined: Thu Jan 16, 2020 5:05 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 9:45 pm

My point is I do not condone connecting to winbox from the outside unless it's via VPN or a decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
I open up Winbox to WAN with filter rules accepting only specific src address list, works fine. Good luck hacking that.
You have no business promoting an unsafe method for new users, or any user for that matter, to access the router without appropriate security.
A source address list is nice but is not security but obscurity, as any IP address can be spoofed...
Not my business to tell you what to do with your own system, but sure as heck not going to be quiet when you advise others so negligently.

Would fully expect to be corrected if I did the same disservice to other OPs...
I totally agree with you. But my concern was that if I am able to connect to winbox from outside at all, then I'll configure VPN for connecting to and accessing the router, either via VPN or any other means, keeping the security scenario in mind.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't reach Winbox if Dual WAN in failover mode

Wed Jul 21, 2021 10:08 pm

Hi himanshu, using winbox works very well using VPN.

For example, I have used IKEv2 VPN from my iPhone to establish a secure tunnel to the router. I then used my MT app on the phone to configure the router, which is akin to using winbox, same type of settings etc. Works well.

For example, using wireguard (disclaimer: it is only available on beta firmware at the moment) I can access the router acting as a wireguard client device at a remote location via winbox from my location.

The nice thing about VPN is that winbox has nothing to do with the input chain rules (don't need to make any allow rules etc., not exposed). One only opens a VPN connection (allows incoming traffic on the VPN port) to the router, then the VPN tunnel is created.
Then one ensures that the interface one creates behind the router for the VPN traffic is allowed to access the router. When this is true, winbox on your laptop or the MT app on your smartphone will be able to access and configure the router.
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 12:07 am

My point is I do not condone connecting to winbox from the outside unless it's via VPN or a decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
I open up Winbox to WAN with filter rules accepting only specific src address list, works fine. Good luck hacking that.
You have no business promoting an unsafe method for new users, or any user for that matter, to access the router without appropriate security.
A source address list is nice but is not security but obscurity, as any IP address can be spoofed...
Not my business to tell you what to do with your own system, but sure as heck not going to be quiet when you advise others so negligently.

Would fully expect to be corrected if I did the same disservice to other OPs...
Anav, where did you get your network engineering training? Are you not aware of rp-filtering? Spoofed packets can easily be dropped by the kernel.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 12:24 am

My point is I do not condone connecting to winbox from the outside unless it's via VPN or a decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
I open up Winbox to WAN with filter rules accepting only specific src address list, works fine. Good luck hacking that.
You have no business promoting an unsafe method for new users, or any user for that matter, to access the router without appropriate security.
A source address list is nice but is not security but obscurity, as any IP address can be spoofed...
Not my business to tell you what to do with your own system, but sure as heck not going to be quiet when you advise others so negligently.

Would fully expect to be corrected if I did the same disservice to other OPs...
Anav, where did you get your network engineering training? Are you not aware of rp-filtering? Spoofed packets can easily be dropped by the kernel.
Got me, I am not a network engineer, I am a life engineer, and until I understand RP-filtering and spoofed packets to the degree you do, I will refrain from using such techniques until I do understand and thus am comfortable with what I am doing.

PS. If this is an accepted and utilized technique by professionals, why bother using VPN to configure the router externally??
In other words, until I hear professionals I trust, with deep experience in MT, like MKX or sindy for example, recommending such techniques, my response is no thank you!

However, you bring up a good point. I have set RP as loose, not strict, from the get-go based on either MT docs or advice from the very beginning.
Perhaps now is a good time to revisit that setting and revise my configs with more understanding of its purpose and uses...
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 12:53 am

...until i hear professionals I trust, with deep experience in MT, like MKX or sindy for example...
sindy: 2017 user #110.692
mkx: 2016 user #87.277
rextended: 2014 user #68.609
😢
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 3:38 am

Jajajaja

There is a sweet spot and then there is being around too long which may indicate a higher propensity for having Alzheimer's. ;-P
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 10:25 am

Anav, as Bartoz has said a few times, you're a [censored] with absolutely zero knowledge in network engineering. I have worked with multiple ISPs and deployed various configurations and firewalls, and rp-filter is a basic security measure that everyone should know about.

I bet you wouldn't even know how to route inter-VLAN for 1000+ users behind 100 PPPoE servers on 100 VLANs.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 11:05 am

(Please, let's not begin to see who has it longer)

From the link on my signature:
IP Spoofing (...)
All ISPs should do this and 95% of DDoS attacks wouldn't exist ...

Not everyone knows this setting in "/ip settings".
Incredibly, the default setting is rp-filter=no
(probably because it can't be chosen per-interface and loopback does not work?)
instead of being one of:

suggested if the routing table must be personalized: loose
Loose mode as defined in RFC3704 Loose Reverse Path.
Each incoming packet's source address is tested against the internal MAC database and if the source address is not reachable via any interface the packet check will fail.

the best if routing tables are not used: strict
Strict mode as defined in RFC3704 Strict Reverse Path.
Each incoming packet is tested against the internal MAC database and if the interface is not the best reverse path the packet check will fail.

By default failed packets are discarded.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 3:26 pm

Wow...

I just explained technically why it failed.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 3:38 pm

@gotsprings

do not worry,

the forum is frequented by users who are so insolent and know-it-all
that, instead of helping, they offend and compete over "who has it bigger",
not caring if they go off topic;
obviously those who are offended respond in turn,
and this fills the topic with garbage that has nothing to do with it.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't reach Winbox if Dual WAN in failover mode

Thu Jul 22, 2021 3:46 pm

Hi Dark Nate,
The good thing is, I really don't care about your personal opinions or feelings; the goal here is to help the OP.

After reading and talking to some folks, it seems that the IP filter setting on the MT routers is really not a feature/function designed for the home or SOHO setting.
From what I have been informed, this is a feature or function that is suited and designed for ISP routers and not home routers.

As rextended helped elucidate, RP filtering is for the purpose of ensuring that incoming traffic (packets) is dropped if a response to that incoming traffic would not be routed through the same interface it arrived on, with loose being applied to any route using the existing interface and strict requiring the interface to be on the preferred route.
In any home case where one has dual WANs, RP strict would in most cases be a bad idea.

So let's get back to the question at hand. Why are you espousing RP filtering as some sort of home secure solution to access one's router without VPN and using a source address list??

+++++++++++++++++++++++++
The OPs post was clear in that he/she had a dual wan scenario which was interfering with accessing the router externally via winbox.

Gotsprings was addressing solely the dual wan bit, being a very focused on the problem individual.
Then you posted with your very good dual wan setup building upon what gotsprings noted.

My initial simple query was trying to understand if the OP wanted dual WAN usage capability for accessing the router (via winbox) externally because, according to my limited knowledge, accessing the router externally without protection was a dangerous security no-no. Both the experienced poster gotsprings and yourself seemed to be happily helping the OP into a potentially 'dark' place ;-) by providing the means to do so through a legitimate configuration for a general case.

However, providing a method for the OP to potentially hang him/herself from a security breach perspective could not be left alone, and is why I asked my question on security. As per my post I never questioned you or gotsprings and merely asked the OP a simple question!!!
The point being: external access to the router via winbox without VPN or port knocking etc. is not a safe or prescribed method for anyone, home user or network engineer of any repute.
Perhaps the OP was not aware of the dangers of exposing winbox to the external internet and thus it's an education piece.

If we are to give advice, then I had to point out the potential problems with going ahead with the advice provided if indeed it was to access winbox etc.
If you think I am going to change on this outlook, you are very much mistaken.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Instead of that you arrogantly boasted that you access your winbox with a plain input chain rule using source address list. How does this help the conversation/education?

The OP has already stated he will use a VPN, which is the good news and that he/she just wanted to ensure that when setup the access would be accomplished with his/her particular dual WAN setup.

In summary, the dual WAN setup provided is what he needed. I wanted to ensure the OP understood that a secure method was required to access winbox, and the OP confirmed that VPN was going to be used to gain access to the router via the dual WAN mangling.
So I am happy with the end result.

As for the solution of dual WANs and mangling:
why not use routes and route rules, as I try to avoid mangling where possible?
If the OP comes in on WAN1:

ISP1 route distance=10
ISP2 route distance=5
ISP1 route distance=10 routing-mark=configure-winbox

Route Rule
src address: {EITHER INTERNALLY ASSIGNED VPN ADDRESS}
or
Interface: {EITHER VPN INTERFACE}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Action: lookup only in table
Table: configure-winbox


PS. Don't worry, I won't be answering threads or giving advice on routing inter-VLAN for 1000+ users behind 100 PPPoE servers on 100 VLANs LOL.
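Pulling together gotsprings' mangle-and-route answer (marked solved above), the rp-filter discussion from rextended and anav, and the VPN-only access anav insists on, here is an added example of what the whole configuration could look like in RouterOS v6 CLI; it is not from any poster in this thread. The interface names, the WAN1 addresses and the IKEv2 client pool 192.168.77.0/24 are assumed placeholders, and the IKEv2 server setup itself is not shown.

```routeros
# Added example, not from this thread or any poster: RouterOS v6 CLI for the OP's layout.
# Assumed (placeholder) names/addresses:
#   ether1     = WAN1, static 203.0.113.10/29, gateway 203.0.113.9 (leased line)
#   ether2     = WAN2, dynamic address via DHCP client (fibre)
#   bridge-lan = LAN; 192.168.77.0/24 = pool handed to IKEv2 road-warrior clients

# 1. Failover by route distance: WAN2 preferred (distance 1), WAN1 backup (distance 2).
/ip dhcp-client
add interface=ether2 add-default-route=yes default-route-distance=1 disabled=no
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.9 distance=2 check-gateway=ping \
    comment="WAN1 backup default route"

# 2. Remember which WAN a connection arrived on and send its replies back the same way.
#    prerouting sees both traffic for the router itself and dst-nat'd port forwards.
/ip firewall mangle
add chain=prerouting in-interface=ether1 connection-state=new action=mark-connection \
    new-connection-mark=wan1-in passthrough=yes comment="connection arrived via WAN1"
add chain=output connection-mark=wan1-in action=mark-routing new-routing-mark=via-wan1 \
    passthrough=no comment="router's own replies leave via WAN1"
add chain=prerouting in-interface=bridge-lan connection-mark=wan1-in action=mark-routing \
    new-routing-mark=via-wan1 passthrough=no comment="LAN replies to forwarded conns via WAN1"
# Caveat: if a fasttrack rule is in use, exclude connection-mark=wan1-in from it;
# fasttracked packets skip mangle and the reply marking above never happens.

# 3. The table the routing mark selects: anything marked via-wan1 uses the WAN1 gateway
#    regardless of the distance-1 route in the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.9 routing-mark=via-wan1 distance=1 \
    comment="replies for connections that came in on WAN1"

# 4. Reverse-path filter: loose, not strict. With two default routes, the best reverse
#    path for any Internet source is WAN2 while it is up, so strict would drop every
#    packet arriving on WAN1; loose only drops sources with no route at all.
/ip settings set rp-filter=loose

# 5. Input policy: Winbox (tcp/8291) is never accepted from a WAN address. Only the
#    IKEv2/IPsec ports are open on WAN1; Winbox is reached from inside the tunnel.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/interface list member add list=WAN interface=ether2
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKEv2"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="IPsec ESP"
add chain=input src-address=192.168.77.0/24 protocol=tcp dst-port=8291 action=accept \
    comment="Winbox only from VPN clients"
add chain=input in-interface-list=WAN action=drop comment="everything else from either WAN"
```

The mangle rules in step 2 are what makes a port forward on WAN1 answer as well: the reply from the LAN host carries the connection mark and is routed back out WAN1 instead of the preferred WAN2.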
 
himanshu7it
just joined
Topic Author
Posts: 7
Joined: Thu Jan 16, 2020 5:05 pm

Re: Can't reach Winbox if Dual WAN in failover mode

Sat Jul 31, 2021 9:08 am

Hi Dark Nate,
The good thing is, I really don't care about your personal opinions or feelings; the goal here is to help the OP.

After reading and talking to some folks, it seems that the IP filter setting on the MT routers is really not a feature/function designed for the home or SOHO setting.
From what I have been informed, this is a feature or function that is suited and designed for ISP routers and not home routers.

As rextended helped elucidate, RP filtering is for the purpose of ensuring that incoming traffic (packets) is dropped if a response to that incoming traffic would not be routed through the same interface it arrived on, with loose being applied to any route using the existing interface and strict requiring the interface to be on the preferred route.
In any home case where one has dual WANs, RP strict would in most cases be a bad idea.

So let's get back to the question at hand. Why are you espousing RP filtering as some sort of home secure solution to access one's router without VPN and using a source address list??

+++++++++++++++++++++++++
The OPs post was clear in that he/she had a dual wan scenario which was interfering with accessing the router externally via winbox.

Gotsprings was addressing solely the dual wan bit, being a very focused on the problem individual.
Then you posted with your very good dual wan setup building upon what gotsprings noted.

My initial simple query was trying to understand if the OP wanted dual WAN usage capability for accessing the router (via winbox) externally because, according to my limited knowledge, accessing the router externally without protection was a dangerous security no-no. Both the experienced poster gotsprings and yourself seemed to be happily helping the OP into a potentially 'dark' place ;-) by providing the means to do so through a legitimate configuration for a general case.

However, providing a method for the OP to potentially hang him/herself from a security breach perspective could not be left alone, and is why I asked my question on security. As per my post I never questioned you or gotsprings and merely asked the OP a simple question!!!
The point being: external access to the router via winbox without VPN or port knocking etc. is not a safe or prescribed method for anyone, home user or network engineer of any repute.
Perhaps the OP was not aware of the dangers of exposing winbox to the external internet and thus it's an education piece.

If we are to give advice, then I had to point out the potential problems with going ahead with the advice provided if indeed it was to access winbox etc.
If you think I am going to change on this outlook, you are very much mistaken.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Instead of that you arrogantly boasted that you access your winbox with a plain input chain rule using source address list. How does this help the conversation/education?

The OP has already stated he will use a VPN, which is the good news and that he/she just wanted to ensure that when setup the access would be accomplished with his/her particular dual WAN setup.

In summary, the dual WAN setup provided is what he needed. I wanted to ensure the OP understood that a secure method was required to access winbox, and the OP confirmed that VPN was going to be used to gain access to the router via the dual WAN mangling.
So I am happy with the end result.

As for the solution of dual WANs and mangling:
why not use routes and route rules, as I try to avoid mangling where possible?
If the OP comes in on WAN1:

ISP1 route distance=10
ISP2 route distance=5
ISP1 route distance=10 routing-mark=configure-winbox

Route Rule
src address: {EITHER INTERNALLY ASSIGNED VPN ADDRESS}
or
Interface: {EITHER VPN INTERFACE}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Action: lookup only in table
Table: configure-winbox


PS. Don't worry, I won't be answering threads or giving advice on routing inter-VLAN for 1000+ users behind 100 PPPoE servers on 100 VLANs LOL.
Hello,
I tried putting the rules as you described but it didn't work for me, or I guess I did something wrong. But I did solve it by following the tips that @gotsprings posted above. I added some mangle rules to only mark the incoming and outgoing connections, no PCC, and added routes with marked connections too. Now all is working as I wanted. Local users get their gateway from WAN1 and VPN users are able to connect from WAN2. However, currently I'm unable to port forward my NVR as the connection fails. I can see packets in NAT forwarding but no connection to the NVR from the remote side. Is there a solution for that?
