kelarlee
newbie
Topic Author
Posts: 29
Joined: Thu Dec 27, 2018 5:48 pm

Dual WAN with dstnat and manual separation of clients by different ISPs

Sun Sep 04, 2022 12:37 pm

Hi, I have a problem with my config and can't figure out how to solve it. I have the following task:
1. The server in the local network must be reachable from two different ISPs on port 21.
2. Clients from the local network should go to the internet through ISP1, but some part of the local network should go through ISP2, which I set manually with an address list.
3. Load balancing or failover is not required.

My setup:
ISP1 public IP 10.0.0.1
ISP2 public IP 10.0.1.1
Local server 192.168.1.2
List of local IPs that should go to the internet through ISP1 by default: 192.168.10.0/24.
List of local IPs that should go to the internet through ISP2, set manually from an address list: 192.168.20.0/24.

I achieved that the server is reachable from both ISPs on port 21 and everything works fine. But every attempt to add the manual separation of clients by ISP breaks the scheme where the server is reachable from both ISPs at the same time. Thank you for any help. Here is my config:
/ip firewall nat
 0    chain=srcnat action=src-nat to-addresses=10.0.0.1 out-interface=ether1 
      log=no log-prefix="" 

 1    chain=srcnat action=src-nat to-addresses=10.0.1.1 out-interface=ether2 
      log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=21 
      protocol=tcp dst-address=10.0.0.1 in-interface=ether1 dst-port=21 
      log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=21 
      protocol=tcp dst-address=10.0.1.1 in-interface=ether2 dst-port=21 
      log=no log-prefix="" 


/ip firewall mangle
 0    chain=input action=mark-connection new-connection-mark=isp1-conn 
      in-interface=ether1 log=no log-prefix="" 

 1    chain=input action=mark-connection new-connection-mark=isp2-conn 
      in-interface=ether2 log=no log-prefix="" 

 2    chain=output action=mark-routing new-routing-mark=isp1-conn log=no 
      log-prefix="" 

 3    chain=output action=mark-routing new-routing-mark=isp2-conn log=no 
      log-prefix="" 

 4    chain=forward action=mark-connection new-connection-mark=isp1-conn-f 
      in-interface=ether1 log=no log-prefix="" 

 5    chain=forward action=mark-connection new-connection-mark=isp2-conn-f 
      in-interface=ether2 log=no log-prefix="" 

 6    chain=prerouting action=mark-routing new-routing-mark=isp1-route 
      connection-mark=isp1-conn-f in-interface=bridge1 log=no log-prefix="" 

 7    chain=prerouting action=mark-routing new-routing-mark=isp2-route 
      connection-mark=isp2-conn-f in-interface=bridge1 log=no log-prefix=""


/ip route
 0 A S  dst-address=0.0.0.0/0 gateway=10.0.0.254 
        gateway-status=10.0.0.254 reachable via  ether1 distance=1 scope=30 
        target-scope=10 routing-mark=isp1-route 

 1 A S  dst-address=0.0.0.0/0 gateway=10.0.1.254 
        gateway-status=10.0.1.254 reachable via  ether2 distance=1 scope=30 
        target-scope=10 routing-mark=isp2-route 

 2 A S  dst-address=0.0.0.0/0 gateway=10.0.0.254 
        gateway-status=10.0.0.254 reachable via  ether1 distance=1 scope=30 
        target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=10.0.1.254 
        gateway-status=10.0.1.254 reachable via  ether2 distance=2 scope=30 
        target-scope=10 

 4 ADC  dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 

 5 ADC  dst-address=10.0.1.0/24 pref-src=10.0.1.1 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10 

 7 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10 

 8 ADC  dst-address=192.168.20.0/24 pref-src=192.168.20.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10 

Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual WAN with dstnat and manual separation of clients by different ISPs

Sun Sep 04, 2022 4:45 pm

It's usually a good idea to show what you tried to do that didn't work. Anyway, something like this should do the trick if you put it before current rule #6:
/ip firewall mangle
add chain=prerouting in-interface=bridge1 connection-state=new src-address=192.168.20.0/24 action=mark-connection new-connection-mark=isp2-conn-f passthrough=yes
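A fuller version of the same idea, written here as an added example and not the config of Sob or the original poster: it uses an address list, as the original post asked for, instead of a fixed src-address, places the new rule before existing rule #6 with place-before, and lists the checks to run afterwards. It follows the RouterOS v6 syntax (routing-mark) shown in the thread; the list name isp2-clients, the comments and the place-before position are assumptions.

```routeros
# Added example (not from the thread): send selected LAN clients out via ISP2
# without touching the dstnat-to-server scheme.
# Assumes the poster's existing objects: connection marks isp1-conn-f /
# isp2-conn-f, routing marks isp1-route / isp2-route, LAN on bridge1.

# 1. Manually maintained list of clients that must use ISP2
#    ("isp2-clients" is an assumed list name).
/ip firewall address-list
add list=isp2-clients address=192.168.20.0/24 comment="manually routed via ISP2"

# 2. Mark NEW outbound connections from those clients as isp2-conn-f.
#    The rule has to sit before the existing prerouting mark-routing rules
#    (#6/#7) so that rule #7 then applies routing-mark=isp2-route to every
#    packet of the connection; the route with routing-mark=isp2-route sends
#    it out ether2 and srcnat rule #1 rewrites the source to 10.0.1.1.
#    place-before=6 refers to the rule numbers in the poster's print output.
/ip firewall mangle
add chain=prerouting in-interface=bridge1 connection-state=new \
    src-address-list=isp2-clients action=mark-connection \
    new-connection-mark=isp2-conn-f passthrough=yes place-before=6 \
    comment="ISP2 clients: mark new outbound connections"

# Why server reachability survives: a connection that arrives from the WAN
# is marked in the forward chain (rules #4/#5) before the server's reply
# reaches prerouting, and this rule only matches connection-state=new
# packets coming in from bridge1, so it never re-marks an inbound
# ISP1 connection to 192.168.1.2.

# 3. Checks after applying:
#    /ip firewall mangle print stats
#        counters on the new rule increase when a 192.168.20.x host browses
#    /ip firewall connection print where connection-mark=isp2-conn-f
#        shows only connections originated by listed clients
#    From a 192.168.20.x host, an external "what is my IP" service should
#    report 10.0.1.1; from 192.168.10.x it should still report 10.0.0.1.
```

To move a single host between ISPs later, add or remove its address in the isp2-clients list; existing connections keep the mark they already have, so only new connections follow the change.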
