garethiowc
just joined
Topic Author
Posts: 19
Joined: Wed Dec 03, 2014 12:33 am

Dual connection routing help required

Thu Mar 30, 2023 12:32 am

Hi All,

I have a RB1100 6.48.6 with two internet connections -

Connection 1 - Starlink - DHCP - Carrier grade nat - Default route cost 0
Connection 2 - Fixed Wireless Access - PPPOE - Public IPv4 - Default route cost 1

Due to CGN I would like to access my CCTV via the public address, but when I connect I see the traffic coming in using torch but the return traffic is trying to go via the CGN connection.

My CCTV NVR is on address 10.10.40.254 and I have configured a mangle rule:
/ip firewall mangle
add action=mark-routing chain=prerouting log=yes \
    new-routing-mark=FWA_ACCESS passthrough=yes \
    src-address=10.10.40.254
/ip route
add distance=2 gateway=FWA routing-mark=FWA_ACCESS

Remote access is now working, but only if torch is running on any interface; as soon as it stops, so does the remote access.

If I change the route cost around and remove the mangle, remote access works fine when the FWA connection is being used as the main.

I can't get any remote winbox access with a mangle rule when the FWA is the secondary connection. But it works when it's the primary.

Any advice would be great.

Thanks
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual connection routing help required

Thu Mar 30, 2023 12:50 am

CONFIG?

/export file=anynameyouwish ( minus router serial number and public wanip information )
 
garethiowc
just joined
Topic Author
Posts: 19
Joined: Wed Dec 03, 2014 12:33 am

Re: Dual connection routing help required

Thu Mar 30, 2023 1:01 am

Please see attached file

I might have made my life more difficult by updating to RouterOS 7.8
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual connection routing help required

Thu Mar 30, 2023 1:14 am

A diagram would help because you failed to describe a switch which seems central to your setup; hiding information is not helpful.

Since you didn't disclose the switch I will ignore it.

Put all VLANs on the bridge, not on ether1, and forget the switch.

Furthermore, what are these half-done dst-nat rules?
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
    src-address= to-addresses=10.10.40.254 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 protocol=tcp \
    src-address= to-addresses=10.10.40.254 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 protocol=tcp \
    src-address= to-addresses=10.10.10.254 to-ports=80


You can combine the two other good rules into one, since they use the same protocol, and to-ports is not required if it is the same as dst-port.
add action=dst-nat chain=dstnat dst-port=554,8000 in-interface=FWA protocol=tcp \
    to-addresses=10.10.40.254


+++++++++++++++++++++++++++++++++++++++++++++

To the crux of your issue..........
Remove all the mangling not required......
Simply create one table, one route and one routing rule.

/routing table add name=useLTE fib

/ip route
add dst-address=0.0.0.0/0 gateway=FWA-gateway-IP routing-table=useLTE

/routing rule add action=lookup-only-in-table src-address=10.10.40.0/24 table=useLTE


What this says, in effect, is that any traffic coming from the CCTV subnet, either originating traffic or return traffic, is going out FWA and to no other gateway.
So, if you need CCTV traffic to reach any other local subnets you will need this.

# order is critical
/routing rule
add action=lookup-only-in-table dst-address=localsubnetA table=main
add action=lookup-only-in-table dst-address=localsubnetB table=main
......
add action=lookup-only-in-table src-address=10.10.40.0/24 table=useLTE
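
Added example (not part of anav's post and not MikroTik code): a simplified Python model of first-match routing rules with lookup-only-in-table, showing why the local-subnet rules have to sit above the CCTV rule. The main-table entries, the 10.10.10.0/24 local subnet, the egress labels and 203.0.113.7 are constructed assumptions.

```python
import ipaddress

# Constructed tables: "useLTE" holds only the default route via FWA, as in the
# post; the main-table entries and the 10.10.10.0/24 subnet are assumptions.
TABLES = {
    "main": [("0.0.0.0/0", "Starlink"), ("10.10.10.0/24", "lan"),
             ("10.10.40.0/24", "cctv")],
    "useLTE": [("0.0.0.0/0", "FWA")],
}
CCTV_RULE = {"src": "10.10.40.0/24", "table": "useLTE"}
LOCAL_RULE = {"dst": "10.10.10.0/24", "table": "main"}


def matches(rule, src, dst):
    """A rule matches when every selector it carries contains the address."""
    return all(addr in ipaddress.ip_network(rule[key])
               for key, addr in (("src", src), ("dst", dst)) if key in rule)


def egress(rules, src, dst, tables=TABLES):
    """Return the egress label for a packet, or None if it is unreachable."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # First matching rule wins; with no match the main table is used.
    table = next((r["table"] for r in rules if matches(r, src, dst)), "main")
    # lookup-only-in-table: longest-prefix match in that table, no fallback.
    hits = [(ipaddress.ip_network(p), gw) for p, gw in tables[table]]
    hits = [(net, gw) for net, gw in hits if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


if __name__ == "__main__":
    nvr, pc, remote = "10.10.40.254", "10.10.10.5", "203.0.113.7"
    for name, rules in (("CCTV rule only", [CCTV_RULE]),
                        ("local rule first", [LOCAL_RULE, CCTV_RULE]),
                        ("local rule last", [CCTV_RULE, LOCAL_RULE])):
        print(name, "| NVR->remote:", egress(rules, nvr, remote),
              "| NVR->LAN PC:", egress(rules, nvr, pc))
```

With only the CCTV rule, or with the local rule placed last, NVR traffic addressed to the local subnet is sent out FWA instead of being delivered locally.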
 
garethiowc
just joined
Topic Author
Posts: 19
Joined: Wed Dec 03, 2014 12:33 am

Re: Dual connection routing help required

Thu Apr 13, 2023 12:36 pm

Sorry for the delay I have only just had a chance to revisit the issue.

Thank you very much anav that works perfectly.

Am I able to route remote winbox sessions in the same way, as it suffers with the same issue?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual connection routing help required

Thu Apr 13, 2023 5:46 pm

No one should be remotely accessing the router via winbox; one should remotely access the router via WireGuard and then use winbox.
