WojtusW5
Frequent Visitor
Topic Author
Posts: 94
Joined: Mon Oct 02, 2017 1:25 pm

Support for WAN side connections for multiple links

Thu Dec 15, 2022 7:40 pm

Hello, I have a problem with the configuration in RouterOS v7.6 of the correct handling of return traffic for connections initiated from the WAN side to addresses served by a table other than main.

I currently have 2 links: one has a default route in the main table, the other has a default route in a separate WAN2 routing table.
The problem is that in this configuration, for example, a remote connection to the router through the second link causes the router to respond according to the entry in the main table.

How (in RouterOS v7) to handle new connections directed to the WAN2 interface?

Thank you in advance
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Support for WAN side connections for multiple links

Thu Dec 15, 2022 8:58 pm

 
WojtusW5
Frequent Visitor
Topic Author

Re: Support for WAN side connections for multiple links

Tue Mar 14, 2023 1:43 pm

Sorry for the lack of response - I'm completing the topic now.

It's about handling incoming traffic TO the MikroTik from 2 ISPs.

I have added 2 default routes in 2 different tables:
/ip route/print detail where dst-address="0.0.0.0/0"
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp 
 0  As   dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=x.x.x.x immediate-gw=x.x.x.x%vlan3730_WAN distance=1 scope=30 target-scope=10 suppress-hw-offload=no 
 1  As   dst-address=0.0.0.0/0 routing-table=LTE pref-src="" gateway=y.y.y.y immediate-gw=y.y.y.y%vlan10_LTE distance=1 scope=30 target-scope=10 suppress-hw-offload=no
 
/routing/table/print
Flags: D - dynamic; X - disabled, I - invalid; U - used 
 0 D   name="main" fib
 1     name="LTE" fib

Mangle configuration is:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=vlan10_LTE log=yes log-prefix=LTE_conn new-connection-mark=LTE_conn passthrough=yes
add action=mark-routing chain=output connection-mark=LTE_conn log=yes log-prefix=LTE_route new-routing-mark=LTE passthrough=yes

And finally, by pinging from the Internet to the address on the vlan10_LTE interface, the response is directed to the gateway in vlan3730_WAN - that is, the links work in the main routing table:
firewall,info LTE_conn prerouting: in:vlan10_LTE out:(unknown 0), connection-state:new src-mac a0:50:43:e5:11:02, proto ICMP (type 8, code 0), x.x.x.x->y.y.y.y, len 60
firewall,info LTE_route output: in:(unknown 0) out:vlan3730_WAN, connection-mark:LTE_conn connection-state:established proto ICMP (type 0, code 0), x.x.x.x->y.y.y.y, len 60

I have no idea what I'm doing wrong here.
Thank you in advance for your help.
 
anav
Forum Guru

Re: Support for WAN side connections for multiple links

Tue Mar 14, 2023 5:04 pm

1. The relationship between WAN1 and WAN2 (assuming two different providers, correct?).
Is one primary, to be used by all users, and the other secondary, only if WAN1 fails?

2. How are external users directed to WAN2? For example, by DynDNS name if dynamic, or by WAN IP if fixed/static?
All servers on WAN2, or some on WAN1?

3. Describe the users behind the router: subnet A's needs, subnet B's needs, with respect to which WAN they go out.
Are there users with specific needs?
 
WojtusW5
Frequent Visitor
Topic Author

Re: Support for WAN side connections for multiple links

Wed Mar 15, 2023 2:23 pm

1. The relationship between WAN1 and WAN2 (assuming two different providers, correct?).
Is one primary, to be used by all users, and the other secondary, only if WAN1 fails?

2. How are external users directed to WAN2? For example, by DynDNS name if dynamic, or by WAN IP if fixed/static?
All servers on WAN2, or some on WAN1?

3. Describe the users behind the router: subnet A's needs, subnet B's needs, with respect to which WAN they go out.
Are there users with specific needs?

Hello, in this case it is not about a local network service.
It is about the ability to reach the MikroTik itself through one of the two active links.
So that the traffic back to the client initiating the connection always returns through the same link on which it was initiated.
 
anav
Forum Guru

Re: Support for WAN side connections for multiple links

Wed Mar 15, 2023 3:41 pm

Okay, got it.
Don't worry about how incoming users get to a particular WAN.
Just be concerned that we ensure same in, same out.

Basic concept

ip route
add route for WAN1 table=main
add route for WAN2 table=main
add route for WAN1 table=isp1-out
add route for WAN2 table=ISP2-OUT

Preroute mangle new connection marks coming in on WAN1 (no-mark, in-interface=WAN1) viaWAN1
Preroute mangle new connection marks coming in on WAN2 (no-mark, in-interface=WAN2) viaWAN2
Preroute mangle new routing mark (connection-mark=viaWAN1) isp1-out
Preroute mangle new routing mark (connection-mark=viaWAN2) ISP2-OUT

Adjustment to fasttrack rule
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-mark=no-mark connection-state=established,related hw-offload=yes


+++++++++++++++++++++++++++++++
However, what about users ON THE LAN, ORIGINATING traffic, what are they supposed to do...........
 
WojtusW5
Frequent Visitor
Topic Author

Re: Support for WAN side connections for multiple links

Wed Mar 15, 2023 4:23 pm

Hello, thank you for your reply - I finally managed to get on top of the topic; below I am posting the final mangle rules:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=vlan10_LTE new-connection-mark=LTE_conn passthrough=yes
add action=mark-routing chain=output connection-mark=LTE_conn new-routing-mark=LTE passthrough=yes
However, another problem has now arisen.
There are various networks connected to the MikroTik - ultimately, through link WAN1 or WAN2 we want to connect via WireGuard to access them. I should also add that I have tested accessing the MikroTik over either WAN link using SSH as an example, and the return already works correctly. On the other hand, with WireGuard, the return of the tunnel's UDP packets goes through the gateway in the main table (WAN1) regardless of the fact that it was initiated from WAN2. I assume there shouldn't be a problem with this, as WireGuard is an internal RouterOS process, so if packets from e.g. an SSH login return correctly, they should also return correctly from WireGuard.
 
anav
Forum Guru

Re: Support for WAN side connections for multiple links

Wed Mar 15, 2023 4:51 pm

The second rule (mark routing): change to passthrough=no!
And where are the rules to ensure same-same for the second WAN?

The same approach can be applied to WireGuard, think about it.
The initial handshake has to come in and out of the same WAN.

So by using the endpoint or server address, DynDNS name etc., we can control which WAN the client connects to.
How the router responds depends on how you set up your routes.

Since you fail to provide that information (what your intentions are for WAN1 and WAN2: primary/secondary, PCC load balance etc............ and what the requirements are for the users behind the router), due to lack of planning or lack of cooperation, I am moving on.

At first it was ensuring incoming goes out the same outgoing, then you are now talking WireGuard, and now mention "other networks connected to the router".
Another reason is that I don't chase requirements, and am moving on; not a game to me to hide stuff when working on a config approach.........
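As an added example (not code from the thread or from anav's post), here is the "same in, same out" layout described above, with the passthrough=no correction, written out as complete RouterOS v7 commands. The interface names ether1-WAN1, ether2-WAN2 and bridge1 and the gateway addresses 192.0.2.1 and 198.51.100.1 are constructed assumptions; the routing mark for the router's own replies (SSH, ping, WireGuard) is set in chain=output, because locally generated packets never pass prerouting.

```routeros
# Added example, not code from the thread. The "same in, same out" layout
# anav describes, as RouterOS v7 commands. Constructed assumptions:
# WAN interfaces ether1-WAN1 / ether2-WAN2, LAN bridge1,
# ISP gateways 192.0.2.1 and 198.51.100.1.

# Per-ISP routing tables in addition to main
/routing table
add name=isp1-out fib
add name=ISP2-OUT fib

# main: WAN1 primary, WAN2 failover (higher distance)
# per-ISP tables: one default route each, reached only via routing mark
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 routing-table=main
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=isp1-out
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=ISP2-OUT

/ip firewall mangle
# 1. Remember which WAN a new inbound connection arrived on.
#    connection-state=new keeps replies to LAN-originated traffic unmarked.
add chain=prerouting in-interface=ether1-WAN1 connection-state=new \
    connection-mark=no-mark action=mark-connection new-connection-mark=viaWAN1 \
    passthrough=yes
add chain=prerouting in-interface=ether2-WAN2 connection-state=new \
    connection-mark=no-mark action=mark-connection new-connection-mark=viaWAN2 \
    passthrough=yes
# 2a. Replies the router generates itself (SSH, ping, WireGuard UDP):
#     locally generated packets only pass chain=output, so the routing
#     mark must be set there; passthrough=no stops once marked.
add chain=output connection-mark=viaWAN1 action=mark-routing \
    new-routing-mark=isp1-out passthrough=no
add chain=output connection-mark=viaWAN2 action=mark-routing \
    new-routing-mark=ISP2-OUT passthrough=no
# 2b. Replies from a LAN host behind dst-nat: mark only the LAN->WAN
#     direction so the inbound leg keeps its normal main-table lookup.
add chain=prerouting in-interface=bridge1 connection-mark=viaWAN1 \
    action=mark-routing new-routing-mark=isp1-out passthrough=no
add chain=prerouting in-interface=bridge1 connection-mark=viaWAN2 \
    action=mark-routing new-routing-mark=ISP2-OUT passthrough=no

/ip firewall filter
# Fasttracked packets skip mangle, so keep marked connections out of it
# (place these before the rest of the forward chain).
add chain=forward connection-state=established,related connection-mark=no-mark \
    action=fasttrack-connection hw-offload=yes comment=Fasttrack
add chain=forward connection-state=established,related action=accept
```

To confirm the marks are applied, watch a connection initiated over WAN2 in /ip firewall connection (it should carry viaWAN2) and check that its reply leaves via the WAN2 gateway in /tool torch or a logged mangle rule.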
 
WojtusW5
Frequent Visitor
Topic Author

Re: Support for WAN side connections for multiple links

Wed Mar 15, 2023 5:15 pm

The second rule (mark routing): change to passthrough=no!
And where are the rules to ensure same-same for the second WAN?

The same approach can be applied to WireGuard, think about it.
The initial handshake has to come in and out of the same WAN.

So by using the endpoint or server address, DynDNS name etc., we can control which WAN the client connects to.
How the router responds depends on how you set up your routes.

Since you fail to provide that information (what your intentions are for WAN1 and WAN2: primary/secondary, PCC load balance etc............ and what the requirements are for the users behind the router), due to lack of planning or lack of cooperation, I am moving on.

At first it was ensuring incoming goes out the same outgoing, then you are now talking WireGuard, and now mention "other networks connected to the router".
Another reason is that I don't chase requirements, and am moving on; not a game to me to hide stuff when working on a config approach.........
I changed the second rule (mark-routing, output) to passthrough=no.
Do there have to be rules for WAN1, since it is running in the main table and as a rule there are no problems with external communication?

As for the WireGuard handshake, since the SSH connection over the same link works fine, then WireGuard should too.
At the same time, I actually noticed a strange thing - when trying to connect to a given peer, the time does not start counting (it is still 00:00:00), but you can see the tx/rx data.
[attachment: Zrzut ekranu 2023-03-15 161259.png]
In reference to your last sentence - if I have to send an export of more of the configuration I can do it. Sorry, but if I am doing something wrong just tell me about it :)
 
AngeloEllis
just joined
Posts: 1
Joined: Wed Apr 05, 2023 11:21 pm

Re: Support for WAN side connections for multiple links

Wed Apr 05, 2023 11:30 pm

Hello, I have a problem with the configuration in RouterOS v7.6 of the correct handling of return traffic for connections initiated from the WAN side to addresses served by a table other than main.

I currently have 2 links: one has a default route in the main table, the other has a default route in a separate WAN2 routing table.
The problem is that in this configuration, for example, a remote connection to the router through the second link causes the router to respond according to the entry in the main table.

How (in RouterOS v7) to handle new connections directed to the WAN2 interface?

Thank you in advance
In the Firewall section of the RouterOS interface, create a new rule to allow incoming traffic on the WAN2 interface. This rule should be placed above any existing rules that deny incoming traffic.
Set up NAT rules to translate incoming traffic from the WAN2 interface to the correct destination addresses and ports on your local network.
