farisr
just joined
Topic Author
Posts: 7
Joined: Wed Feb 03, 2021 1:39 pm

Dual WAN - specific routing, not LB or failover

Fri Dec 16, 2022 12:06 am

I'm a little (a lot) lost and could do with a helping hand please?

I have a hAP ac3 which works perfectly for me out of the box with the QuickSet "Home AP Dual" configuration.

It is connected via ether1 (renamed ether1-WAN1) using PPPoE to my ISP's modem.

I now have a second PPPoE-based internet connection and I would like to use this alongside the first, but only for traffic going to a specific IP address.

Starting from the QuickSet "Home AP Dual" configuration, I've done the following:
Removed ether2 from the bridge (leaving ether3, 4 and 5 as LAN ports with DHCP),
Renamed ether2 to ether2-WAN2,
Added a second PPPoE Client on ether2-WAN2 with the appropriate credentials and *removed the tick from the default route tick box*.

On physically connecting ether2-WAN2 to the second ISP's modem, after a moment or two it shows as connected, is assigned the static public IP that ISP has allocated to me, and all therefore seems well on that front.

But at this point I get lost. Very lost.

Let's say that I want all traffic from the LAN going to 1.2.3.4 to go via this second ISP on ether2-WAN2, leaving the default route for all other traffic via the first ISP on ether1-WAN1.

In my ignorance, I thought maybe all I had to do was add a Route to 1.2.3.4 via ether2-WAN2.

But of course it isn't as simple as that! It didn't work.

Based on the various howtos I've read and watched on YouTube, which are all to do with load balancing between WANs rather than what I want to do, I get the feeling that I need to do something with srcnat rules...err....I think...to ensure packets go out and replies come back in on the correct WAN interface, maybe?

Unfortunately I'm additionally confused by the fact that the "Home AP Dual" configuration makes use of Interface List items, with a LAN and WAN being defined.
LAN contains the bridge (LAN with DHCP).
By default, WAN contains ether1-WAN1 and pppoe-out1.

I wasn't sure whether to add ether2-WAN2 and pppoe-out2 to the existing WAN list item, or to create a new WAN2 and add ether2-WAN2 and pppoe-out2 to it, so that they can be manipulated separately from ether1-WAN1 pppoe-out1. In the end I did so, but then I realise I'll probably need to add Firewall Filter rules similar to the ones that are there by default for WAN - although there only seems to be one, right at the end, which drops anything from WAN that's not dstnat-ed.

But that's as far as I've got.

I was hoping that someone could point me in the right direction, please? I think the WAN interface list item may be bogging me down when trying to compare the howtos I'm reading and viewing with what I actually have as a starting point, but I'm loath to start from a blank slate because (a) I'm new to this! and (b) the default Home Dual config really does seem to do everything I would need if I only needed one WAN interface.

Here's a version of my config (without my desired static route added) with what I think is the unrelated stuff (wlan, ntp, that sort of thing) removed and any usernames removed or redacted:
#
# Most stuff relating to wlan, ntp etc removed


/interface bridge
add admin-mac=[REDACTED] auto-mac=no name=bridge

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-LAN3
set [ find default-name=ether4 ] name=ether4-LAN4
set [ find default-name=ether5 ] name=ether5-LAN5

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN1 name=pppoe-out1 \
  use-peer-dns=yes user=USERNAME1
add disabled=no interface=ether2-WAN2 name=pppoe-out2 user=\
  USERNAME2

/interface list
add name=WAN
add name=LAN
add name=WAN2

/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.50

/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf


/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether3-LAN3
add bridge=bridge ingress-filtering=no interface=ether4-LAN4
add bridge=bridge ingress-filtering=no interface=ether5-LAN5

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface list member
add interface=bridge list=LAN
add interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2-WAN2 list=WAN2
add interface=pppoe-out2 list=WAN2


/ip address
add address=192.168.1.1/24 interface=bridge network=\
  192.168.1.0

/ip dhcp-client
add disabled=yes interface=ether1-WAN1
# I wonder if I need to disable DHCP for ether2-WAN2 as well?

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.1.1 name=router.lan

/ip firewall filter
add action=accept chain=input comment=\
  "defconf: accept established,related,untracked" connection-state=\
  established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
  "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
  in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
  ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
  ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
  connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
  "defconf: accept established,related, untracked" connection-state=\
  established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
  connection-state=invalid
add action=drop chain=forward comment=\
  "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
  ipsec-policy=out,none out-interface-list=WAN

anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN - specific routing, not LB or failover  [SOLVED]

Fri Dec 16, 2022 12:36 am

Well first of all one can ensure all traffic goes to the primary WANIP by setting distance on your second route to something greater.
Yes you do need your second route but generically speaking..............
Yes to interface lists, yours look fine! EXCEPT....... remove the twos....
both WAN 1 and WAN 2 should be on the same WAN interface list.

/interface list member
add interface=bridge list=LAN
add interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2-WAN2 list=WAN2
add interface=pppoe-out2 list=WAN2

NEXT. create a standard manual route for WAN2, but with distance of 2.

distance=2 dst-address=0.0.0.0/0 gateway=WAN2 gateway IP table=main

In this regard, the second wan is not used at all , as users will be directed by router to WAN1..

Next 3 steps
a. create table
add table=useWAN2 fib

b. create route
distance=2 dst-address=0.0.0.0/0 gateway=WAN2 gateway IP table=useWAN2

c. creating routing rule.
add dst-address=external address action=lookup-only-in-table table=useWAN2

Doing things this way ensures you can always, down the line, use WAN2 for other things... with a standard route on the main table.
And with the new table and routing rule and additional route, you are able to route local LAN traffic out WAN2 for specific external WANIPs.
Last edited by anav on Sat Dec 17, 2022 2:53 am, edited 1 time in total.
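The steps above written out as RouterOS v7 commands, as an added example that is not from anav's post or from MikroTik. It assumes RouterOS v7 syntax, that the second PPPoE client is named pppoe-out2 as in the exported config, and uses 1.2.3.4 as the placeholder destination from the question. Putting both uplinks in the one WAN list is what lets the existing defconf masquerade and WAN drop rules cover WAN2 without any extra firewall rules.

```routeros
# Assumptions (not from the thread): RouterOS v7, WAN2 PPPoE client is
# pppoe-out2, 1.2.3.4 is the placeholder destination from the question.

# 1. Both uplinks in the single WAN list: the defconf srcnat masquerade
#    (out-interface-list=WAN) and the defconf input/forward drop rules
#    (in-interface-list=!LAN / in-interface-list=WAN) then cover WAN2
#    exactly as they cover WAN1, so replies are NATed back correctly.
/interface list member
remove [find list=WAN2]
add interface=ether2-WAN2 list=WAN
add interface=pppoe-out2 list=WAN
/interface list
remove [find name=WAN2]

# 2. Backup default route in the main table. distance=2 loses to the
#    distance=1 default installed by pppoe-out1 (add-default-route=yes),
#    so ordinary LAN traffic keeps leaving via WAN1.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=2 routing-table=main \
    comment="WAN2 backup default (idle while WAN1 is up)"

# 3. A separate routing table whose only default route points at WAN2.
/routing table
add name=useWAN2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=useWAN2 \
    comment="WAN2 default for policy-routed destinations"

# 4. Routing rule: LAN traffic to 1.2.3.4 is looked up only in useWAN2.
#    lookup-only-in-table means that if pppoe-out2 is down this traffic
#    is dropped rather than silently falling back to WAN1 via main.
/routing rule
add src-address=192.168.1.0/24 dst-address=1.2.3.4/32 \
    action=lookup-only-in-table table=useWAN2 \
    comment="force 1.2.3.4 out WAN2"

# Verify: the useWAN2 table should show one active default via pppoe-out2,
# and a traceroute from a LAN host to 1.2.3.4 should exit via ISP 2.
/ip route print where routing-table=useWAN2
/routing rule print
```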
 
farisr
just joined
Topic Author
Posts: 7
Joined: Wed Feb 03, 2021 1:39 pm

Re: Dual WAN - specific routing, not LB or failover

Fri Dec 16, 2022 9:36 pm

Thank you Anav!

Can I just check this though please:

b. create route
dst=2 dst-address=0.0.0.0/0 gateway=WAN gateway IP table=useWAN2

Is that definitely WAN gateway IP and not WAN2 gateway IP?

If not then I think I need to re-read the routing table documentation to try to understand it better.

anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN - specific routing, not LB or failover

Sat Dec 17, 2022 2:52 am

Sorry yes that should be wan2 gateway IP, good pickup, sorry for the confusion. Fixed it on the post above.
 
farisr
just joined
Topic Author
Posts: 7
Joined: Wed Feb 03, 2021 1:39 pm

Re: Dual WAN - specific routing, not LB or failover

Sat Dec 17, 2022 11:00 am

Brilliant. Thank you.

Don't say sorry! You are a one-man education centre. In a few lines you showed me things that pages and pages of other stuff did not!

I will attempt to get this going later today. I'll report back one way or another.
 
farisr
just joined
Topic Author
Posts: 7
Joined: Wed Feb 03, 2021 1:39 pm

Re: Dual WAN - specific routing, not LB or failover

Sat Dec 17, 2022 12:58 pm

It worked perfectly.

Thank you again!