kiddy
just joined
Topic Author
Posts: 4
Joined: Fri Jun 24, 2022 2:40 pm
Location: Accra

Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 3:18 pm

Greetings, Engineers!

In my case, two separate business entities share the same office space, each having its own source of internet. They operate two different software systems but want to share information between the two at the same time on their separate LAN networks. I advised that they get a MikroTik router for that purpose, an RB2011 to be precise.

I have two different sources of internet connection to one MikroTik router (RB2011). WAN1 is connected to ether1 of the router and WAN2 is connected to ether6. I also have ether2 to ether5 on bridge1, and likewise ether7 to ether10 on bridge2. This means I have two different LAN IP blocks, one on bridge1 and one on bridge2. I have been able to configure the router such that LAN1 uses WAN1 as its internet gateway and LAN2 uses WAN2 as its internet gateway. This is working perfectly for me without problems.

My aim is to have LAN1 and LAN2 go through their separate internet gateways as I have explained, but still allow the two LAN networks on the same router to communicate with each other. I have realized that when I disable the mangle rule, the two LAN networks are able to communicate, but lose their internet connection.

Please, I need help to make the two LAN networks communicate with each other while they go through the different internet gateways. I really want a way to make the two LAN networks on the same router reach each other.

/ip address
add address=192.168.10.10/24 comment=LAB-Net-WAN interface=ether1 network=192.168.10.0
add address=192.168.20.10/24 comment=Clinic-Net-WAN interface=ether7 network=192.168.20.0
add address=192.168.1.1/24 comment=LAB-Net interface=Lab-br0 network=192.168.1.0
add address=192.168.100.1/24 comment=Clinic-Net interface=Clinic-br0 network=192.168.100.0

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=Lab-Net src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=Clinic-Net src-address=192.168.100.0/24

/ip route
add comment=Clinic distance=1 gateway=192.168.20.1 routing-mark=Clinic-Net
add comment=Lab distance=1 gateway=192.168.10.1 routing-mark=Lab-Net
add distance=1 gateway=192.168.10.1
add distance=1 gateway=192.168.20.1

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=accept chain=input packet-size=0-128 protocol=icmp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether7 src-address=192.168.100.0/24
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 3:50 pm

Your requirements are poorly stated.
What exactly is required between the two LANs? Your title is misleading, for example.
If a server on a LAN needs to be reached, then the LANs must NOT be able to reach each other; only ONE LAN must be able to reach the other LAN.

Also, you state somewhere that the second WAN is on ether6, but your config shows ether7.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why do you mangle? Simply use route rules.......

Should have:
add dst-address=0.0.0.0/0 gwy=isp1 table=main
add dst-address=0.0.0.0/0 gwy=isp2 table=main

Add:
add dst-address=0.0.0.0/0 gwy=isp1 table=useISP1
add dst-address=0.0.0.0/0 gwy=isp2 table=useISP2

add table name=useISP1 fib
add table name=useISP2 fib

(route rules)
add src-address=192.168.1.0/24 action=lookup-only-in-table table=useISP1
add src-address=192.168.100.0/24 action=lookup-only-in-table table=useISP2

+++++++++++++++++++++++++
No mangling required, and you keep fasttrack.
As for firewall rules:

Forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" src-address=192.168.1.0/24 out-interface=ether1
add action=accept chain=forward comment="allow internet traffic" src-address=192.168.100.0/24 out-interface=ether7
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat (remove it, not required)
add action=accept chain=forward src-address=192.168.1.0/24 dst-address=IPofServer (on other LAN) ----------> example of the single rule required.
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether7
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 4:40 pm

If a server on a LAN needs to be reached, then LANS must NOT be able to reach each other, only ONE lan but be able to reach another LAN.
It's not unusual to want not only for packets to reach the server, but also to get some response from it. ;) So on routing level, both LANs must be able to reach each other. And what can actually pass will be up to firewall rules.

And even with OP's original config, think about it: if the mangle rule sends all traffic to the internet, including traffic that has the other LAN as destination, then what's the simplest fix? Tell the rule to do what it does now, except for local traffic, e.g. with dst-address=!<other LAN> ("!" means "not").
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 4:42 pm

Disagree completely.
I NEVER, repeat never, have to allow a LANA-to-LANB-server rule AND a LANB-server-to-LANA rule.
It doesn't work that way on my MT; by allowing LANA to the B server, any associated replies are automatically allowed.

You are stating that the server should be able to initiate traffic to LANA, what did you put in your coffee today, 10 shots of tequila??
I think you like erotic asphyxiation, why else would you strangle yourself with mangling and assorted work arounds ;-P
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 4:46 pm

Ding ding, the bell rings and round1 ends. Sob staggers back to his corner after getting pummeled by the llama... His cornerman is yelling at him not to mix it up with the opponent and that he wants to throw the white towel in now!!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 4:52 pm

Routes and firewall = two different things. Take your optimized config with routing rules, how is 192.168.1.x going to reach 192.168.100.y? Anything from there will have only one default route pointing to ISP, there's no route to second subnet. And after you fix that, you'll have exactly the same problem with responses not being able to reach first subnet.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 5:11 pm

Minor details ...........
But both LANs are identified by DAC on the IP routes list, and since the request from one LAN to another LAN will have a higher value from the routes' perspective, why would that happen??
That's why LAN to LAN works in the general sense...............
However, let's say there is some truth to your line of thinking (since the src-address route rule, as you state, acts/overrides absolutely?)....................... then:

We simply add two route rules (order is important):

add dst-address=IPofServer action=lookup table=main
add src-address=IPofServer action=lookup table=main
add src-address=192.168.1.0/24 action=lookup-only-in-table table=useISP1
add src-address=192.168.100.0/24 action=lookup-only-in-table table=useISP2
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 5:12 pm

If that doesn't work, then mangle away, as I am out of ideas.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 5:12 pm

I'll avoid the emotional tone and concentrate on the weak aspects and on the reasoning.

If configured the way you've posted it, your firewall filter effectively does nothing. The default action of the chain, i.e. what happens if the packet matches none of the rules, is accept, so a rule chain without any action=drop rule lets all packets go through.

The rules suggested by @anav address this for the forwarded traffic. You'll have to think also about restricting access to management of the router itself, i.e. a similar set of rules in chain input.

If we forget about firewalling and think about the routing alone, there are actually three sources of traffic: the LAN of company A, the LAN of company B, and the router itself. The router itself not only needs to download software updates and obtain information about the current time, which is not significant in terms of traffic volume, but it may also serve as a DNS cache for the hosts in the LANs if configured that way. However, it is not possible to tell it to use WAN A for DNS queries coming from LAN A and WAN B for DNS queries coming from LAN B, so to separate the DNS traffic this way, the devices in the LANs must be configured to use external DNS servers rather than the MikroTik itself, or you have to ensure this by means of dst-nat rules redirecting DNS queries coming to the router's own address to external servers. The source address/input interface based routing will take care of sending them via the appropriate WAN. DNS queries are also not really significant in terms of traffic volume, but there may be some non-technical aspects of sending DNS queries via the "wrong" WAN.

Regarding routing itself - routes to connected subnets are added to routing table main, so to keep the configuration simple, we should use table main for routing between the LANs. You can modify your existing mangle rules by adding dst-address=!the.other.lan.sub/net to each of them, to exempt traffic from one LAN subnet to the other one from getting the routing-mark, which is the simple adjustment I've mentioned in the original topic. But we're talking about a 2011 here, so unless the bandwidth of your uplinks is in the range of very low tens of Mbps, you should use fasttracking, which excludes use of mangle rules. So instead of mangle rules, the following routing rules need to be used:
/ip route rule
add dst-address=192.168.1.0/24 action=lookup table=main
add dst-address=192.168.100.0/24 action=lookup table=main
add src-address=192.168.1.0/24 action=lookup-only-in-table table=Lab-Net
add src-address=192.168.100.0/24 action=lookup-only-in-table table=Clinic-Net

The available match conditions of routing rules are much simpler, and therefore much less CPU consuming, than those of firewall rules, that's why we have to use a different structure.

Also, there are some points that are not obvious: if you connect a Fast Ethernet (100 Mbit/s) device to a Gigabit Ethernet (1000 Mbit/s) port, it will slow down traffic from the router to the gigabit ports. On the RB2011, switch chip 1 is a gigabit one, whereas switch chip 2 is only a Fast Ethernet one. So it may not be optimal to connect everything from one company to one contiguous range of ports and everything from the other one to the other range; you should optimize according to the actual equipment and its needs/capabilities.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 9:07 pm

Much thanks for the clarity, Sindy; I hadn't even thought about the use or possible misdirection of DNS.......

In terms of how to approach this, are there not two clear paths?

1. Use the IP DHCP client settings, and if so, what do you put in for the regular IP DNS settings??
[attachments: usepeer.jpg, ipdns.JPG]

2. Use the DHCP DNS settings, like 1.1.1.1 for LAN1 and 9.9.9.9 for LAN2, but as above, what do you then put in for the regular IP DNS settings?
[attachment: dhcp.jpg]
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Jul 05, 2022 10:49 pm

These two questions are only loosely related. It is up to you what you define as the DNS servers under /ip dhcp-server network, whether the MikroTik itself or some other servers. But if you configure nothing, the MikroTik will forward the server addresses it has received as a DHCP client on the WANs.

As for what the MikroTik itself uses: the thing here is that some ISPs do not accept DNS queries that did not come from the customer side of the network. So if you let the MikroTik accept DNS server addresses from both WANs' DHCP servers, and it sends the query to a randomly chosen server via the "wrong" WAN, the query may remain unanswered, which will make RouterOS use the next server on the list for subsequent queries, until it finds one that responds, and then it will keep using that one as long as it keeps responding.
 
kiddy
just joined
Topic Author
Posts: 4
Joined: Fri Jun 24, 2022 2:40 pm
Location: Accra

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Thu Jul 28, 2022 7:26 pm

Thank you very much everyone for all your suggestions. My laptop crashed, and I could not check your responses on time. I am very grateful.

I have gone through your responses and I am yet to try all possible suggestions one after another to see the best one that suits the solution I am looking for.

@anav: You mentioned that my topic was misleading. Yes, it could be in some way, as at the time I was posting I was very confused and didn't know how to present my post. The whole thing is that, on the same router, there are 2 separate WANs and 2 LANs. And I am looking for a solution where:

LAN1 gets internet through WAN1 only, and likewise, LAN2 gets internet from WAN2 only. But at the same time, LAN1 should be able to communicate with LAN2 without any hindrance, so that the two LAN networks can perform functions such as simple file transfers, pinging each other, and accessing various servers on the two LAN networks at the same time. Aside from that, if WAN1's internet is down, LAN1 should not have internet access while LAN2 has access to the internet, and vice versa.

I want to try the option you have given, @anav, but certain parameters do not seem to be available in the commands you have given in your suggestion. For instance:

(route rules)
add src-address=192.168.1.0/24 action=lookup-only-in-table table=useISP1
add src-address=192.168.100.0/24 action=lookup-only-in-table table=useISP2

I cannot locate "action" and "table" in the route rules that you have given. Please, I will be very glad if you can specify what you mean by them in the rules you stated. I hope to get a response from you again soon for clarification. Thank you.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Thu Jul 28, 2022 8:23 pm

Hi there,
Yes, please post the complete config (/export).
It appears that in v7 the route rules have to be done manually, but that help can be given once I see the config.

Again, you need to be more precise with your LAN to LAN requirements.
Is it
every LANA user/device needs access to every LANB user/device
OR
every LANB user/device needs access to every LANA user/device?

(Note these are two distinct requirements.)
Is it
one LANA user needs access to ALL of LANB
or
one LANA user needs access to one LANB device,
ETC ETC.

Right now it's too vague.
The level of integration is not clear; it almost sounds like they should be in the same LAN but they don't want to share internet for some strange reason LOL.
Why? They should simply use both connections and load balance if there is no security between the LANs themselves.
Furthermore, besides having more capacity overall for both LANs, the internet could be set up so that if one fails the other takes over, and thus both have the opportunity to have a backup WAN.

If it's the same provider then of course there is no backup LOL.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Thu Jul 28, 2022 10:03 pm

What Kiddy is wanting to do is very similar to what I am doing at home. I have two internet services and a bunch of various LANs. Traffic on 192.168.1xx LANs routes to the internet via my cable based internet, and traffic on 192.168.2xx LANs routes to the internet via my fiber internet. For the most part, traffic on a 192.168.1xx LAN can not reach the 192.168.2xx LANs, except where I have poked holes in the firewall. Some of those firewall holes are very specific on either source or destination, and some are more generic. For example, everyone can reach my NTP server device.
All the routing to the internet is done with routing rules. I can give examples...
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Thu Jul 28, 2022 10:22 pm

That's nice, but it adds nothing to clarifying the OP's user requirements in sufficient detail.
Shouldn't you be finding water, fighting fires or giving out water to people in tents pooping on your lawn??
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Fri Jul 29, 2022 2:02 am

I agree that the OP needs to give a bit more detail in his LAN to LAN requirements, but the LAN-1 to WAN-1 and LAN-2 to WAN-2 is exactly what I am doing and it works well. Note any examples I give will be in version 6 terminology.

And anav, other people are trying to figure out if we have any water, I am on call to provide communications for people fighting fires, and only the neighborhood cats and dogs poop on my browning lawn.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Fri Jul 29, 2022 4:52 am

Yeah, tongue in cheek, but the lack of water is damn serious; hope the situation doesn't get worse.
 
kiddy
just joined
Topic Author
Posts: 4
Joined: Fri Jun 24, 2022 2:40 pm
Location: Accra

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Fri Jul 29, 2022 5:16 pm

Yeah, tongue in cheek, but the lack of water is damn serious; hope the situation doesn't get worse.
Alright, @anav, I will put my question in a different way to see if you will understand this time:

1. I have WAN1 and WAN2 connected to the same router
2. WAN1's IP is 192.168.10.10/24 with gateway, 192.168.10.1
3. WAN2's IP is 192.168.20.10/24 with gateway, 192.168.20.1
4. I also have LAN1 and LAN2 gateways set on the same router
5. LAN1 has the IP 192.168.1.1/24 as gateway to its users PCs (LAB Network)
6. LAN2 has the IP 192.168.100.1/24 as gateway to its Users PCs (Clinic Network)

Assume I have the following configuration on my router (basic configs):
/ip address
add address=192.168.10.10/24 comment=WAN1 interface=ether1 network=192.168.10.0
add address=192.168.20.10/24 comment=WAN2 interface=ether2 network=192.168.20.0
add address=192.168.1.1/24 comment=LAN1 interface=ether3 network=192.168.1.0
add address=192.168.100.1/24 comment=LAN2 interface=ether4 network=192.168.100.0

/ip route
add distance=1 gateway=192.168.10.1
add distance=1 gateway=192.168.20.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.100.0/24

Now,
1. I want every LAN1 user/device to reach a web server on LAN2. The server's IP address is 192.168.100.6/24.
AND
2. I want every LAN2 user/device to reach a web server on LAN1. The server's IP address is 192.168.1.10/24.

Also,
I want LAN1 users to be able to use the internet only through WAN1, and LAN2 users to have their internet access only through WAN2. No load balancing is required.

REASON:
* Though the LAB and Clinic are sharing the same office, they don't want to share the same internet service. They want to pay for their internet separately. They also want to have their independent LAN networks.
* There is 1 web server on each of the 2 LAN networks that needs to be accessed from both LANs.

In my previous configuration, I got the internet bit working perfectly, where LAN1 gets internet from WAN2 only, and LAN2 gets internet from WAN2 only. If the internet goes down on WAN1, LAN1 loses its internet connection while LAN2 has internet access (one part of the solution). But due to the mangle rules I set, LAN1 could not communicate with LAN2, and vice versa (this is where I need help).

Previous Configuration:
RouterOS Version 6.47.10

/ip address
add address=192.168.10.10/24 comment=LAB-Net-WAN interface=ether1 network=192.168.10.0
add address=192.168.20.10/24 comment=Clinic-Net-WAN interface=ether7 network=192.168.20.0
add address=192.168.1.1/24 comment=LAB-Net interface=Lab-br0 network=192.168.1.0
add address=192.168.100.1/24 comment=Clinic-Net interface=Clinic-br0 network=192.168.100.0

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=Lab-Net src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=Clinic-Net src-address=192.168.100.0/24

/ip route
add comment=Clinic distance=1 gateway=192.168.20.1 routing-mark=Clinic-Net
add comment=Lab distance=1 gateway=192.168.10.1 routing-mark=Lab-Net
add distance=1 gateway=192.168.10.1
add distance=1 gateway=192.168.20.1

/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=accept chain=input packet-size=0-128 protocol=icmp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether7 src-address=192.168.100.0/24

I will appreciate your wonderful suggestions. Thank you.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Fri Jul 29, 2022 5:51 pm

(1) Forward chain, besides standard rules........ an IP address of a server is /32, not /24, by the way.
/ip firewall filter
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

add action=accept chain=forward src-address=192.168.1.0/24 dst-address=192.168.100.6/32
add action=accept chain=forward src-address=192.168.100.0/24 dst-address=192.168.1.10/32

add action=drop chain=forward

(3) Remove the mangling part of the config; it is not required or desired.

(4) Assuming you are using version 6 firmware....... 6.48.6 long-term, for example.
Add some route rules to direct routing appropriately.
/ip route rule
add action=lookup-only-in-table src-address=192.168.1.0/24 table=Lab-Net
add action=lookup-only-in-table src-address=192.168.100.0/24 table=Clinic-Net


Where you have the routes as described
add distance=1 gateway=192.168.10.1
add distance=1 gateway=192.168.20.1
add comment=Lab distance=1 gateway=192.168.10.1 routing-mark=Lab-Net
add comment=Clinic distance=1 gateway=192.168.20.1 routing-mark=Clinic-Net

++++++++++++++++++++++++++++

In version 7 its a tad different.

add distance=1 gateway=192.168.10.1
add distance=1 gateway=192.168.20.1
add comment=Lab distance=1 gateway=192.168.10.1 table=Lab-Net
add comment=Clinic distance=1 gateway=192.168.20.1 table=Clinic-Net

Will need to use New Terminal and CLI commands to add tables and route rules.
/routing rule add src-address=192.168.1.0/24 action=lookup-only-in-table table=Lab-Net
/routing rule add src-address=192.168.100.0/24 action=lookup-only-in-table table=Clinic-Net


Add table.
/routing table add name=Lab-Net fib
/routing table add name=Clinic-Net fib
 
kiddy
just joined
Topic Author
Posts: 4
Joined: Fri Jun 24, 2022 2:40 pm
Location: Accra

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Fri Jul 29, 2022 10:37 pm

[anav's post of Tue Jul 05, 2022 5:11 pm quoted in full; see above]
Thank you very much once again for your idea, @anav. I have applied your configuration suggestions to my router, and the following is what everything looks like.
After applying your scripts, I decided to test whether it works this time, but it looks like it didn't. Please look through what I have done now in case I did not do something right. Thank you.

[admin@MikroTik] > ip address export
# jul/29/2022 19:20:39 by RouterOS 6.47.10
# software id = NKS0-DZRH
#
# model = RB2011UiAS-2HnD
# serial number = C44F0FF9C02D
/ip address
add address=192.168.10.10/24 comment=LAB-Net-WAN interface=ether1 network=192.168.10.0
add address=192.168.20.10/24 comment=Clinic-Net-WAN interface=ether7 network=192.168.20.0
add address=192.168.1.1/24 comment=LAB-Net interface=Lab-br0 network=192.168.1.0
add address=192.168.100.1/24 comment=Clinic-Net interface=Clinic-br0 network=192.168.100.0


[admin@MikroTik] > ip route export
# jul/29/2022 19:20:53 by RouterOS 6.47.10
/ip route
add comment=Lab distance=1 gateway=192.168.10.1 routing-mark=Lab-Net
add comment=Clinic distance=1 gateway=192.168.20.1 routing-mark=Clinic-Net
add comment=Lab-Main distance=1 gateway=192.168.10.1
add comment=Clinic-Main distance=1 gateway=192.168.20.1

/ip route rule
add action=lookup-only-in-table src-address=192.168.1.0/24 table=Lab-Net
add action=lookup-only-in-table src-address=192.168.100.0/24 table=Clinic-Net
add dst-address=192.168.1.10/32 table=main
add dst-address=192.168.100.6/32 table=main


[admin@MikroTik] > ip firewall export
# jul/29/2022 19:21:06 by RouterOS 6.47.10
/ip firewall filter
add action=accept chain=forward connection-state=established,related disabled=yes
add action=accept chain=input connection-state=established,related disabled=yes
add action=accept chain=input disabled=yes packet-size=0-128 protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward dst-address=192.168.100.6 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.10 src-address=192.168.100.0/24
add action=drop chain=forward

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=Lab-Net src-address=192.168.1.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=Clinic-Net src-address=192.168.100.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether7 src-address=192.168.100.0/24


[admin@MikroTik] > ip dns export
# jul/29/2022 19:21:21 by RouterOS 6.47.10
/ip dns
set allow-remote-requests=yes servers=80.87.78.11,80.87.78.4
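As an added example (not code from any post in this thread), the following Python script models how RouterOS v6 evaluates /ip route rule entries, to make visible why rule order decides whether LAN-to-LAN traffic works. It runs three rule sets against the thread's addresses: the source-only rules first proposed in the thread, sindy's ordering with destination rules for the two LAN subnets placed before the per-source rules, and the ordering in the export above, where the source rules come first. The rule semantics encoded here (first matching rule decides; lookup falls through to the next rule when its table holds no route; lookup-only-in-table never falls through) are this example's reading of the RouterOS documentation and should be checked against your own version. The tables and rules are the thread's; 203.0.113.1 is a documentation address standing in for the internet, and the hosts 192.168.1.50 and 192.168.100.50 are constructed.

```python
"""Toy model of RouterOS v6 '/ip route rule' evaluation (added example)."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed semantics (this example's reading of the RouterOS documentation,
# verify against your own version): rules are checked top-down and the first
# one whose src-address/dst-address both match decides. action=lookup searches
# the named table and, if that table holds no matching route, continues with
# the next rule; action=lookup-only-in-table searches only that table and the
# packet is unroutable if nothing matches. When no rule matches, table main is
# used. Every table is a longest-prefix-match route list.

# Connected (DAC) routes exist in table main only; the per-ISP tables hold
# nothing but a default route, exactly as in the thread's configuration.
TABLES = {
    "main": {
        "192.168.10.0/24": "ether1 (connected)",
        "192.168.20.0/24": "ether7 (connected)",
        "192.168.1.0/24": "Lab-br0 (connected)",
        "192.168.100.0/24": "Clinic-br0 (connected)",
        "0.0.0.0/0": "192.168.10.1",
    },
    "Lab-Net": {"0.0.0.0/0": "192.168.10.1"},
    "Clinic-Net": {"0.0.0.0/0": "192.168.20.1"},
}


def lookup(tables: dict, table: str, dst: str) -> Optional[str]:
    """Longest-prefix match in one table; None when the table has no route."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in tables[table].items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def route(rules: list, tables: dict, src: str, dst: str) -> Optional[str]:
    """Apply route rules top-down; return the chosen next hop or None."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if "src" in rule and s not in ip_network(rule["src"]):
            continue
        if "dst" in rule and d not in ip_network(rule["dst"]):
            continue
        hit = lookup(tables, rule["table"], dst)
        if hit is not None or rule["action"] == "lookup-only-in-table":
            return hit  # lookup-only-in-table never falls through
        # action=lookup found nothing in its table: try the next rule
    return lookup(tables, "main", dst)


# Source-only rules (the first proposal in the thread).
SRC_ONLY = [
    {"src": "192.168.1.0/24", "action": "lookup-only-in-table", "table": "Lab-Net"},
    {"src": "192.168.100.0/24", "action": "lookup-only-in-table", "table": "Clinic-Net"},
]
# Destination exceptions first, then per-source ISP tables (sindy's ordering).
DST_FIRST = [
    {"dst": "192.168.1.0/24", "action": "lookup", "table": "main"},
    {"dst": "192.168.100.0/24", "action": "lookup", "table": "main"},
] + SRC_ONLY
# The order in the posted export: source rules come first and shadow the
# destination rules, which are therefore never reached.
SRC_FIRST = SRC_ONLY + [
    {"dst": "192.168.1.10/32", "action": "lookup", "table": "main"},
    {"dst": "192.168.100.6/32", "action": "lookup", "table": "main"},
]


def wan1_down(tables: dict) -> dict:
    """Copy of the tables with WAN1's default route withdrawn (link down)."""
    out = {name: dict(routes) for name, routes in tables.items()}
    del out["Lab-Net"]["0.0.0.0/0"]
    out["main"]["0.0.0.0/0"] = "192.168.20.1"  # only WAN2's default survives
    return out


if __name__ == "__main__":
    # 203.0.113.1 is a documentation address standing in for "the internet".
    for name, rules in (("SRC_ONLY", SRC_ONLY), ("DST_FIRST", DST_FIRST), ("SRC_FIRST", SRC_FIRST)):
        print(name, "LAN1 -> internet:", route(rules, TABLES, "192.168.1.50", "203.0.113.1"))
        print(name, "LAN1 -> Clinic server:", route(rules, TABLES, "192.168.1.50", "192.168.100.6"))
        print(name, "server reply -> LAN1:", route(rules, TABLES, "192.168.100.6", "192.168.1.50"))
    print("WAN1 down, LAN1 -> internet:", route(DST_FIRST, wan1_down(TABLES), "192.168.1.50", "203.0.113.1"))
```

With the source rules first, 192.168.1.50 to 192.168.100.6 is handed to 192.168.10.1 and leaves via WAN1 instead of being delivered on Clinic-br0, and the destination rules below them are never consulted; with the destination rules first, both directions resolve to the connected bridge while internet-bound traffic still takes the per-LAN ISP. The wan1_down() case shows the other stated requirement holding under lookup-only-in-table: when Lab-Net loses its default route, LAN1 gets no route at all rather than falling back to WAN2.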
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Tue Aug 02, 2022 5:24 pm

[quote=anav post_id=948645 time=1659106293 user_id=115581]
(1) Forward chain, besides standard rules........ an Ip address of a server is /32 not /24 by the way.............................
/ip firewall filter
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

add action=accept chain=forward src-address=192.168.1.0/24 dst-address=192.168.100.6/32
add action=accept chain=forward src-address=192.168.100.0/24 dst-address=192.168.1.10/32

add action=drop chain=forward


(3) Remove mangling part of the config, not required or desired.

(4) Assuming version 6 firmware (6.48.6 long-term, for example).
Add some route rules to direct routing appropriately.
/ip route rule
add action=lookup-only-in-table src-address=192.168.1.0/24 table=Lab-Net
add action=lookup-only-in-table src-address=192.168.100.0/24 table=Clinic-Net


Where you have the routes as described
add distance=1 gateway=192.168.10.1
add distance=1 gateway=192.168.20.1
add comment=Lab distance=1 gateway=192.168.10.1 routing-mark=Lab-Net
add comment=Clinic distance=1 gateway=192.168.20.1 routing-mark=Clinic-Net

++++++++++++++++++++++++++++

In version 7 it's a tad different.

add distance=1 gateway=192.168.10.1
add distance=1 gateway=192.168.20.1
add comment=Lab distance=1 gateway=192.168.10.1 table=Lab-Net
add comment=Clinic distance=1 gateway=192.168.20.1 table=Clinic-Net

Will need to use New Terminal and CLI commands to add tables and route rules.
/routing rule add src-address=192.168.1.0/24 action=lookup-only-in-table table=Lab-Net
/routing rule add src-address=192.168.100.0/24 action=lookup-only-in-table table=Clinic-Net


Add table.
/routing table add name=Lab-Net fib
/routing table add name=Clinic-Net fib

[/quote]


Literacy problem perhaps. ;-)
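To see how the first-match forward chain quoted above behaves, here is an added Python model of it (written for this thread, not RouterOS code and not anav's): it runs a few constructed packets through the rule list and shows that only traffic to the two /32 server addresses crosses between the LANs while everything else between them hits the final drop. The LAN/WAN interface-list membership and all packet addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Assumed membership of the LAN and WAN interface lists (not shown in the thread).
LAN = {"Lab-br0", "Clinic-br0"}
WAN = {"ether1", "ether7"}

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    state: str = "new"               # connection-state as the firewall sees it
    nat_state: Optional[str] = None  # "dstnat" once a dst-nat rule rewrote the packet

@dataclass
class Rule:
    action: str
    comment: str
    states: Optional[Set[str]] = None
    in_list: Optional[Set[str]] = None
    out_list: Optional[Set[str]] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    nat_state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every matcher that is set must hold; an unset matcher matches anything.
        return ((self.states is None or p.state in self.states)
                and (self.in_list is None or p.in_if in self.in_list)
                and (self.out_list is None or p.out_if in self.out_list)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.nat_state is None or p.nat_state == self.nat_state))

# anav's forward chain in order (fasttrack omitted: it only marks the connection).
FORWARD = [
    Rule("accept", "established,related,untracked", states={"established", "related", "untracked"}),
    Rule("drop", "invalid", states={"invalid"}),
    Rule("accept", "internet", in_list=LAN, out_list=WAN),
    Rule("accept", "port forwarding", nat_state="dstnat"),
    Rule("accept", "lab -> clinic server", src="192.168.1.0/24", dst="192.168.100.6/32"),
    Rule("accept", "clinic -> lab server", src="192.168.100.0/24", dst="192.168.1.10/32"),
    Rule("drop", "final drop"),
]

def forward_verdict(p: Packet):
    """Return (action, comment) of the first matching rule, as RouterOS evaluates a chain."""
    for r in FORWARD:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "no rule matched (RouterOS default policy)"  # unreachable with the final drop
```

Removing the final drop rule from FORWARD shows why it matters: every LAN-to-LAN packet that no accept rule names then falls through to the default accept.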
ahmedramze
Member Candidate
Posts: 111
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Wed Aug 03, 2022 12:35 am

Hi
Did you solve it?

Sol-1: it's better to have a new LAN interface for the server, even a USB WiFi connected to LAN2; this way each network is separated and uses different routers with the same server.
Sol-2: use two different routers and connect both via, for example, ether2, and just add a route rule on router 2 showing the path for the server IP only.

I did your idea before, but it requires more firewall rules and routing, and there will be too many issues, such as Windows assigning IPv6 automatically between hosts and sharing Windows updates even when the hosts are not in the same subnet, virus conflicts, etc. Issues from bad users will show on both networks.

Always use a hardware L1 separator; it is better than software L2/L3.
Aokiji
just joined
Posts: 16
Joined: Sun Jan 26, 2020 6:06 pm

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Thu Oct 13, 2022 3:16 pm

I agree that the OP needs to give a bit more detail in his LAN to LAN requirements, but the LAN-1 to WAN-1 and LAN-2 to WAN-2 is exactly what I am doing and it works well. Note any examples I give will be in version 6 terminology.

And anav, other people are trying to figure out if we have any water, I am on call to provide communications for people fighting fires, and only the neighborhood cats and dogs poop on my browning lawn.
Hi, can you show your config on how you did that? I want to do exactly the same setup.
 
gyongyib
just joined
Posts: 1
Joined: Sat May 04, 2019 2:33 pm

Re: Dual WAN and Dual LAN on same mikrotik router, but LANs must reach each other to allow access to a server on 1 LAN.

Sat Nov 05, 2022 1:32 pm

Dear Sirs!

I also have such a problem: I have an hAP ac3 router with 2 WAN and 2 LAN.
LAN1 goes out to the Internet on WAN1, LAN2 on WAN2.
LAN1 is 192.168.1.1/24, LAN2 is 192.168.10.1/24
ether1 - WAN1
ether2 - WAN2
ether3 - LAN1
ether4 - LAN2

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=WAN1_TO_LAN1 \
passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=WAN2_TO_LAN2 \
passthrough=yes src-address=192.168.10.0/24

/ip route
add distance=1 gateway=ether1 routing-mark=WAN1_TO_LAN1
add distance=1 gateway=ether1 routing-mark=WAN1_TO_LAN1
add distance=1 gateway=lte1 routing-mark=WAN2_TO_LAN2
That's how I solved it!
What is the solution to reach the LAN2 machine with the IP address 192.168.10.252 from the LAN1 subnet?
Who can help me with this?
Thanks in advance!
