AlexPebody
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Nov 12, 2021 3:50 pm

Mangle - MultiWAN

Wed Jul 06, 2022 9:19 am

Good time to all. Colleagues have a question, ask for advice:

3 ISP, mangles brand connections on input and output solve only the task of giving input and output to the specified ISP, there are problems in NAT, advise how to make a complete list of Mangle sequence along with Preroute, Input, Forwarding, Output + Preroute for !WAN please, at least for one ISP example. I will be very grateful!

The problem, for example will be considered two ISP - 1.1.1.2 and 2.2.2.2 - addresses of external wires, forwarding port 21 through 1.1.1.1 does not return it through 1.1.1.1 as no answer, I understand that the FTP works with 20-21 passive and active, as well as a number of the extra ports, now we are not so much about it. How to make the port forwarding is not limited to one ISP, namely worked, even when the given 1.1.1.1 has distance 2 and currently active distance 1 ISP 2.2.2.2? You need a complete chain Mangle: Preroute, Input, Forwarding, Output + Preroute for !WAN can you give an example please? Of course ip/route from mangle table are specified for isp1 and isp2 and have distance 1.

p.s. I certainly watched the presentation on MultiWAN and many other materials, but to make a FULL chain for all points, and the most problematic is NAT does not work. NAT of course divided by outgoing, each ISP.

Here is an example, I intentionally removed the parameters for the parameters (!connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options and others) to be exclusive schematic:

for information: passthrough=no is not enabled on yes, when enabled, immediately goes to no

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Preroute Mark ISP1" disabled=no in-interface=ISP1 new-connection-mark=PRE1 passthrough=no
add action=mark-connection chain=prerouting comment="Preroute Mark ISP2" disabled=no in-interface=ISP2 new-connection-mark=PRE2 passthrough=no

add action=mark-routing chain=prerouting comment="Routing Transit ISP1" connection-mark=PRE1 disabled=no in-interface-list=!WAN new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting comment="Routing Transit ISP2" connection-mark=PRE2 disabled=no in-interface-list=!WAN new-routing-mark=ISP2 passthrough=no

add action=mark-routing chain=output comment="Routing Output ISP1" connection-mark=PRE1 disabled=no new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=output comment="Routing Output ISP2" connection-mark=PRE2 disabled=no new-routing-mark=ISP2 passthrough=no

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=ISP1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark=ISP2 scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=2.2.2.1 scope=30 target-scope=10

Need a complete chain including Preroute, Input, Forward, Output + Preroute and Forward for the !WAN
 
AlexPebody
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Nov 12, 2021 3:50 pm

Re: Mangle - MultiWAN

Wed Jul 06, 2022 2:50 pm

https://www.youtube.com/watch?v=Gwl-0bRxOY4
How to combine 2 markings??? In - Out 7:34 and Pre - Out 15:07 markings???
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mangle - MultiWAN

Wed Jul 06, 2022 4:04 pm

Good luck, trying to implement a config when you don't have a clear idea of the requirements is not the best plan.
a. network diagram
b. set of requirements
single or groups of users
single or groups of devices,
what should each be able to do
what should each not be able to do.
USE case description of the work that needs to be done.
leave the configuration out of the discussion.
 
AlexPebody
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Nov 12, 2021 3:50 pm

Re: Mangle - MultiWAN

Thu Jul 07, 2022 10:20 am

The task: we need to make a complete Mangle set, so that the input on each ISP comes out of the same ISP, and that the NAT ports respond and conduct to where the default route is now, and the route can change depending on which ISP is alive or not at the moment. These are all the requirements. There is nothing on users. I see 2 solutions 1: use Prerouting 2: use Input and Output, but neither one solves the whole range of problems. Hence the question, how can you make a complete Mangle, to describe everything that comes in and out of the ISP1, while including and LAN segment, in terms of NAT.
 
AlexPebody
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Nov 12, 2021 3:50 pm

Re: Mangle - MultiWAN  [SOLVED]

Thu Jul 07, 2022 12:27 pm

As often happens to answer my own question, here are the right rules in all respects Mangle, overlapping Input and can be used in the case of Input for the Mikrotik and other cases:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Preroute Mark ISP1" disabled=no in-interface=ISP1 new-connection-mark=PRE1 passthrough=no
add action=mark-connection chain=prerouting comment="Preroute Mark ISP2" disabled=no in-interface=ISP2 new-connection-mark=PRE2 passthrough=no

add action=mark-routing chain=prerouting comment="Routing Transit ISP1" connection-mark=PRE1 disabled=no in-interface-list=!WAN new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting comment="Routing Transit ISP2" connection-mark=PRE2 disabled=no in-interface-list=!WAN new-routing-mark=ISP2 passthrough=no

add action=mark-routing chain=output comment="Routing Output ISP1" connection-mark=PRE1 disabled=no new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=output comment="Routing Output ISP2" connection-mark=PRE2 disabled=no new-routing-mark=ISP2 passthrough=no

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=ISP1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark=ISP2 scope=30 target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=2.2.2.1 scope=30 target-scope=10

Good day to you all!
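
A small Python model of the rule set in the solved post above, added here as an illustration; it is not part of the thread and not RouterOS code. It walks the posted mangle rules in order and shows which gateway a reply takes when the connection entered through ISP2 while the main default route still points at ISP1. Assumptions: the WAN interface list contains ISP1 and ISP2, and the inside interface is called LAN.

```python
# Constructed model of the mangle and route tables from the post.
WAN = {"ISP1", "ISP2"}  # assumed members of the WAN interface list
MANGLE = [  # (chain, match, action, value), in the order posted
    ("prerouting", {"in": "ISP1"}, "conn", "PRE1"),
    ("prerouting", {"in": "ISP2"}, "conn", "PRE2"),
    ("prerouting", {"cmark": "PRE1", "not_wan": True}, "route", "ISP1"),
    ("prerouting", {"cmark": "PRE2", "not_wan": True}, "route", "ISP2"),
    ("output", {"cmark": "PRE1"}, "route", "ISP1"),
    ("output", {"cmark": "PRE2"}, "route", "ISP2"),
]
ROUTES = [  # (routing-mark, or None for the main table, distance, gateway)
    ("ISP1", 1, "1.1.1.1"), ("ISP2", 1, "2.2.2.1"),
    (None, 1, "1.1.1.1"), (None, 2, "2.2.2.1"),
]

def mangle(chain, in_if, conn):
    """Walk one chain; passthrough=no means the first matching rule ends it.
    Returns the routing mark set on the packet, or None."""
    for rchain, match, action, value in MANGLE:
        if rchain != chain:
            continue
        if "in" in match and match["in"] != in_if:
            continue
        if match.get("not_wan") and in_if in WAN:
            continue
        if "cmark" in match and conn.get("mark") != match["cmark"]:
            continue
        if action == "conn":
            conn["mark"] = value  # stored on the connection, not the packet
            return None
        return value
    return None

def gateway(rmark):
    """Lowest-distance route in the table selected by the routing mark."""
    return min((d, g) for m, d, g in ROUTES if m == rmark)[1]

def reply_gateway(wan_in, chain):
    """Connection arrives on wan_in; return the gateway its reply uses.
    chain='prerouting': reply from a dst-nat'ed LAN host (forwarded port).
    chain='output': reply generated by the router itself."""
    conn = {}
    mangle("prerouting", wan_in, conn)  # first inbound packet marks the connection
    in_if = "LAN" if chain == "prerouting" else None
    return gateway(mangle(chain, in_if, conn))

if __name__ == "__main__":
    print("forwarded port via ISP2 ->", reply_gateway("ISP2", "prerouting"))
    print("router service via ISP2 ->", reply_gateway("ISP2", "output"))
    print("new LAN connection      ->", gateway(mangle("prerouting", "LAN", {})))
```
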
