giangissimo2000
just joined
Topic Author
Posts: 4
Joined: Tue Apr 13, 2021 3:27 am

CCR1009 WITH 2 WAN HELP

Wed Jun 22, 2022 4:06 pm

I have a CCR1009 (ROS 7.2.3) configured with the COMBO port as WAN_1 and the eth1 to eth5 ports as LAN, VOIP, and 3 SERVER with different subnets.

The ISP is fastweb (mixed fiber 100/100) which provides me with 5 public IP addresses and which I have assigned to each port to differentiate some services.

Since Vodafone arrives in direct fiber at 1000/200 I would like to connect it to eth7 as WAN_2 and divert all traffic from the LAN to it and leave VOIP and the 3 SERVER on WAN_1.

I researched for hours and I realized that you need to create 2 mangle rules (one for FASTWEB and one for VODAFONE) where the packets are marked, assign them to 2 routing tables and then modify the route by assigning the tables for the two connections.

Unfortunately despite all attempts I was unable to get the configuration to work.

Could anyone kindly help me?

Thanks in advance,

Gianluca

The current configuration without mangle rules is as follows:
# jun/22/2022 13:59:29 by RouterOS 7.2.3
#
# model = CCR1009-7G-1C-1S+
# 

/interface bridge
add name=BRIDGE_LAN
add name=BRIDGE_SERVER

/interface ethernet
set [ find default-name=combo1 ] name=WAN_ISP1
set [ find default-name=ether1 ] name=LAN
set [ find default-name=ether2 ] name=VOIP
set [ find default-name=ether3 ] name=SERVER1
set [ find default-name=ether4 ] name=SERVER2
set [ find default-name=ether5 ] name=SERVER3
set [ find default-name=ether7 ] name=WAN_ISP2
set [ find default-name=sfp-sfpplus1 ] name=SFPPLUS

/ip pool
add name=dhcp_lan_pool ranges=192.168.98.100-192.168.98.254

/ip dhcp-server
add address-pool=dhcp_lan_pool interface=BRIDGE_LAN name=dhcp_lan

/routing table
add disabled=no fib name=TO_VODA
add disabled=no fib name=TO_FAST

/interface bridge port
add bridge=BRIDGE_SERVER ingress-filtering=no interface=SERVER1
add bridge=BRIDGE_SERVER ingress-filtering=no interface=SERVER2
add bridge=BRIDGE_SERVER ingress-filtering=no interface=SERVER3
add bridge=BRIDGE_LAN ingress-filtering=no interface=LAN

/ip address
add address=192.168.99.1/24 interface=BRIDGE_SERVER network=192.168.99.0
add address=192.168.98.1/24 interface=BRIDGE_LAN network=192.168.98.0
add address=192.168.1.1/24 interface=VOIP network=192.168.1.0

add address=xxx.xxx.xxx.142/29 comment="WAN_ISP1 EMPTY" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.141/29 comment="WAN_ISP1 VOIP" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.140/29 comment="WAN_ISP1 WEB" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.139/29 comment="WAN_ISP1 NAS" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.138/29 comment="WAN_ISP2 LAN" interface=WAN_ISP1 network=xxx.xxx.xxx.xxx


/ip dhcp-server network
add address=192.168.98.0/24 comment="GW LAN" dns-server=192.168.98.1 gateway=192.168.98.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABILISHED,RELATED" connection-state=established,related
add action=accept chain=input comment="ALLOW PING ROUTERBOARD" protocol=icmp
add action=drop chain=forward comment="DROP INVALID PACKET" connection-state=invalid
add action=drop chain=input comment="DROP ALL OTHER ON WAN" in-interface=WAN_ISP1


/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT VOIP 1:1 WITH HAIRPIN NAT" disabled=yes dst-address=xxx.xxx.xxx.141 dst-port=0-65535 protocol=udp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat comment="VOIP TEST TCP" dst-address=xxx.xxx.xxx.141 dst-port=40000-40999 protocol=tcp to-addresses=192.168.1.10 to-ports=40000-40999
add action=dst-nat chain=dstnat comment="VOIP TEST UDP" dst-address=xxx.xxx.xxx.141 dst-port=40000-40999 protocol=udp to-addresses=192.168.1.10 to-ports=40000-40999
add action=dst-nat chain=dstnat comment="NAT WEBSITE 1:1 WITH HAIRPIN NAT" dst-address=xxx.xxx.xxx.140 dst-port=0-65535 protocol=tcp to-addresses=192.168.99.16
add action=dst-nat chain=dstnat comment="VOIP SIM (SU LAN) TCP" dst-address=xxx.xxx.xxx.141 dst-port=45000-45999 protocol=tcp to-addresses=192.168.98.42 to-ports=45000-45999
add action=dst-nat chain=dstnat comment="VOIP SIM (SU LAN) UDP" dst-address=xxx.xxx.xxx.141 dst-port=45000-45999 protocol=udp to-addresses=192.168.98.42 to-ports=45000-45999
add action=src-nat chain=srcnat comment="NAT WEBSITE 1:1 OUT" src-address=192.168.99.0/24 to-addresses=xxx.xxx.xxx.140
add action=src-nat chain=srcnat comment="NAT VOIP 1:1 OUT" src-address=192.168.1.0/24 to-addresses=xxx.xxx.xxx.141
add action=src-nat chain=srcnat comment="NAT LAN 1:1 OUT" src-address=192.168.98.0/24 to-addresses=xxx.xxx.xxx.138


/ip route
# route for fastweb
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.137 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10


/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CCR1009 WITH 2 WAN HELP

Wed Jun 22, 2022 4:31 pm

And then they say the IPs have run out... Assigning all the IPs to the same interface is a waste and a ridiculous thing...
 
giangissimo2000
just joined
Topic Author
Posts: 4
Joined: Tue Apr 13, 2021 3:27 am

Re: CCR1009 WITH 2 WAN HELP

Wed Jun 22, 2022 4:43 pm

You're right rextended, but I asked for help, not a criticism of the number of IP addresses that fastweb gave me 10 years ago :D :D
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CCR1009 WITH 2 WAN HELP

Wed Jun 22, 2022 5:22 pm

EN: Interview in Italian to better understand what the user wants.

Let me understand: you want to browse only over fiber with Vodafone, and you want to use the fastweb IPs exclusively for NAT on the IPs of the published services?
Then it is much simpler: make only Vodafone the main one, ignoring the routing, and simply NAT the external IPs to the internal servers...

Then if you want to use fastweb as failover in case Vodafone doesn't work for some reason, everything gets tangled...
 
giangissimo2000
just joined
Topic Author
Posts: 4
Joined: Tue Apr 13, 2021 3:27 am

Re: CCR1009 WITH 2 WAN HELP

Wed Jun 22, 2022 5:55 pm

Exactly, I would like to browse only with Vodafone on the LAN (192.168.98.0/24) and leave the rest with fastweb (192.168.99.0/24, 192.168.1.0/24)
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CCR1009 WITH 2 WAN HELP

Wed Jun 22, 2022 6:20 pm

Ok, all the LAN (192.168.98.0/24) must pass through Vodafone (WAN ISP2),
except that what comes from the Server and VoIP (BRIDGE_SERVER 192.168.99.0/24 and VOIP 192.168.1.0/24) must pass through Fastweb (WAN_ISP1)

If you had RouterOS 6.x I would have told you to make Vodafone main and make another table only for Fastweb,
and with the rules in IP / Routes / Rules you could choose, without using mangle, to use the alternative routing table for Fastweb on the desired pools.

But unfortunately in RouterOS 7 things have changed, I don't have it installed with two WANs to try it out and I don't know how to help you.

Hope someone else with v7 reading this topic can help.
 
giangissimo2000
just joined
Topic Author
Posts: 4
Joined: Tue Apr 13, 2021 3:27 am

Re: CCR1009 WITH 2 WAN HELP

Wed Jun 22, 2022 6:31 pm

Thank you so much rextended. If I can't find a solution I'll downgrade to version 6 ...
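
Added example, not part of any post in this thread: the routing-rule approach described above for RouterOS 6, written with RouterOS 7's `/routing rule` menu against the posted configuration. `<VODAFONE_GW>` is a placeholder for the Vodafone gateway, which the thread does not give; how WAN_ISP2 gets its own address is also not shown and is left out.

```routeros
# Added example. <VODAFONE_GW> is a placeholder, not a value from the thread.

# 1. Default route in the TO_VODA table already defined in the posted config.
/ip route
add dst-address=0.0.0.0/0 gateway=<VODAFONE_GW> routing-table=TO_VODA comment="default via Vodafone"

# 2. Routing rules are evaluated top-down. Traffic towards the local subnets
#    (192.168.1.0/24, 192.168.98.0/24, 192.168.99.0/24) stays in the main
#    table; everything else sourced from the LAN is looked up in TO_VODA.
#    SERVER and VOIP match no rule and keep using main (Fastweb).
/routing rule
add dst-address=192.168.0.0/16 action=lookup table=main comment="local subnets stay in main"
add src-address=192.168.98.0/24 action=lookup table=TO_VODA comment="LAN out via Vodafone"

# 3. The posted "NAT LAN 1:1 OUT" rule has no out-interface, so it would
#    rewrite LAN traffic leaving WAN_ISP2 to a Fastweb address. Pin it to
#    WAN_ISP1 and add a separate source NAT for the Vodafone side.
/ip firewall nat
set [find comment="NAT LAN 1:1 OUT"] out-interface=WAN_ISP1
add chain=srcnat action=masquerade src-address=192.168.98.0/24 out-interface=WAN_ISP2 comment="NAT LAN OUT VODAFONE"

# 4. The posted input chain drops unsolicited traffic only on WAN_ISP1.
#    With "/ip dns set allow-remote-requests=yes" the router's resolver and
#    any enabled service would otherwise be reachable from the new uplink.
/ip firewall filter
add chain=input action=drop in-interface=WAN_ISP2 comment="DROP ALL OTHER ON WAN_ISP2"
```

The two "VOIP SIM (SU LAN)" forwards point at 192.168.98.42, which is inside the LAN subnet: its replies would match the source-based rule and leave through WAN_ISP2 instead of returning via Fastweb. That host needs either a more specific routing rule placed before the LAN rule or the connection-mark approach with mangle mentioned in the first post.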
