Community discussions

 
jmadedicato
just joined
Topic Author
Posts: 6
Joined: Fri Oct 02, 2015 3:27 pm

DUAL WAN setup?

Thu Jul 06, 2017 10:17 pm

I have two WAN connections, one 400 Mbps/400 Mbps and the second 200 Mbps/200 Mbps.

My router is working fine with one WAN connected (400 Mbps) at port 12.
I have now connected the second WAN to port 2 (and disabled the port until I know how to configure this) and would like both WANs to work at the same time, giving the users in the LAN a total of 600 Mbps.
Could someone explain to me, in an easy to understand way (I am a beginner), how I should configure this using WinBox?
And what should I be careful about so that the users do not have any problems?
 
jebz
Member Candidate
Posts: 233
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: DUAL WAN setup?

Fri Jul 07, 2017 2:08 am

https://wiki.mikrotik.com/wiki/Load_Balancing
PCC is generally the chosen method.
 
loveman
Member Candidate
Posts: 277
Joined: Tue Mar 10, 2015 9:32 pm

Re: DUAL WAN setup?

Fri Jul 07, 2017 10:38 am

Use one of these methods:
1. NTH
2. PCC
 
jmadedicato
just joined
Topic Author
Posts: 6
Joined: Fri Oct 02, 2015 3:27 pm

Re: DUAL WAN setup?

Fri Jul 07, 2017 2:14 pm

Thanks for your replies. I think I will manage with the tutorial for PCC. But do I have to do something to make sure that the complete bandwidth is used in a correct way? I mean: the two WAN connections have different speeds. I would not want to see that both are used at only 200 Mbps because the load balancing is divided evenly instead of 400 - 200.
 
jmadedicato
just joined
Topic Author
Posts: 6
Joined: Fri Oct 02, 2015 3:27 pm

Re: DUAL WAN setup?

Sun Jul 09, 2017 6:28 am

I have configured the router to use both WAN with PCC.
WAN1 is on port 12
WAN2 is on port 1
Ports 3 to 9 are bridged and are our LAN, 192.168.0.0/22.
When I enable both WAN addresses in the Address List and I enable the mangle rules in the Firewall, it seems to work as expected. Both WANs are used.
But as soon as I turn on the mangle rules I can also no longer connect to IP addresses in our own LAN unless I do not have to pass through the router.
So the router blocks me from going to parts of our own network.

I assume I must add something to make sure that when someone tries to connect to a LAN IP through the router, it is redirected to the LAN?

Could someone please help me and tell me what I should add?

This is my configuration:

/ip firewall mangle
add action=mark-connection chain=input disabled=yes in-interface=ether12 \
    new-connection-mark=traffic-wan1
add action=mark-connection chain=input disabled=yes in-interface=ether1 \
    new-connection-mark=traffic-wan2
add action=mark-routing chain=output connection-mark=traffic-wan1 disabled=\
    yes new-routing-mark=to-wan1
add action=mark-routing chain=output connection-mark=traffic-wan2 disabled=\
    yes new-routing-mark=to-wan2
add chain=prerouting disabled=yes dst-address=XX.XX.XXX.XX/29 in-interface=\
    LAN
add chain=prerouting disabled=yes dst-address=YY.YY.YYY.YY/30 in-interface=\
    LAN
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=LAN new-connection-mark=traffic-wan1 \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=LAN new-connection-mark=traffic-wan2 \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=traffic-wan1 \
    disabled=yes in-interface=LAN new-routing-mark=to-wan1
add action=mark-routing chain=prerouting connection-mark=traffic-wan2 \
    disabled=yes in-interface=LAN new-routing-mark=to-wan2
 
jebz
Member Candidate
Posts: 233
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: DUAL WAN setup?

Mon Jul 10, 2017 2:52 pm

I mean: the two WAN connections have different speeds. I would not want to see that both are used at only 200 Mbps because the load balancing is divided evenly instead of 400 - 200.
Add an extra line and make the selection 3/0, 3/1, 3/2, like this (assuming WAN2 has more bandwidth):

add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=LAN new-connection-mark=traffic-wan2 \
    per-connection-classifier=both-addresses-and-ports:3/2

Double the WAN interface selection for the interface with double the bandwidth.
 
jmadedicato
just joined
Topic Author
Posts: 6
Joined: Fri Oct 02, 2015 3:27 pm

Re: DUAL WAN setup?

Mon Jul 10, 2017 2:59 pm

Hi Jebz, thank you for your answer.

In my case WAN1 has double the bandwidth:
WAN 1 = 400 Mbps
WAN2 = 400 Mbps


So I add the line like this (the third one)? And I leave the existing lines above?

add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=LAN new-connection-mark=traffic-wan1 \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=LAN new-connection-mark=traffic-wan2 \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=LAN new-connection-mark=traffic-wan1 \
    per-connection-classifier=both-addresses-and-ports:2/2

I have tested this and I see bytes and packets going through the first two mangle lines, not through the added third line. Am I doing something wrong?
 
jebz
Member Candidate
Posts: 233
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: DUAL WAN setup?

Mon Jul 10, 2017 4:14 pm

I have tested this and I see bytes and packets going through the first two mangle lines, not through the added third line. Am I doing something wrong?
Yes, you need to change to 3/0, 3/1, 3/2; note that PCC is then split three ways.
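The exchange above (a 2/2 rule that never sees a packet, then the 3/0, 3/1, 3/2 fix that sends two thirds of new connections to the 400 Mbps link) can be reproduced with a small model of how PCC buckets connections. This is an added example, not code from the thread or from MikroTik: the real hash RouterOS applies to the classifier fields is not shown on the page, so a SHA-256 of those fields stands in for it (an assumption), and the sample flows are constructed. What the model keeps faithfully is the rule semantics the thread relies on: the classifier value is reduced modulo the denominator, and a rule matches only when the remainder equals the one in its denominator/remainder setting.

```python
"""Toy model of RouterOS per-connection-classifier (PCC) bucket selection.

Added example for this thread, not code from the page or from MikroTik.
The hash RouterOS really uses is not shown on the page, so SHA-256 of the
classifier fields stands in for it (an assumption). The rule semantics
are as described in the thread: value modulo denominator, match on the
remainder, first matching rule wins.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def pcc_remainder(flow: Flow, mode: str, denominator: int) -> int:
    """Bucket (0 .. denominator-1) of a flow under a PCC classifier mode.

    mode mirrors the RouterOS keyword: 'both-addresses' or
    'both-addresses-and-ports'. The hash itself is an assumption.
    """
    if mode == "both-addresses":
        key = f"{flow.src}|{flow.dst}"
    elif mode == "both-addresses-and-ports":
        key = f"{flow.src}:{flow.sport}|{flow.dst}:{flow.dport}"
    else:
        raise ValueError(f"unsupported classifier {mode!r}")
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % denominator


def pcc_rule_matches(flow: Flow, mode: str, denominator: int, remainder: int) -> bool:
    return pcc_remainder(flow, mode, denominator) == remainder


def classify(flows, rules, mode="both-addresses-and-ports"):
    """Walk ordered (denominator, remainder, mark) rules like a mangle chain.

    Returns (flows per connection-mark, hits per rule). The hit list is
    what the rule counters in WinBox show; first match wins, as with
    mark-connection rules guarded by connection-mark=no-mark.
    """
    by_mark = Counter()
    rule_hits = [0] * len(rules)
    for f in flows:
        mark = "no-mark"
        for i, (denominator, remainder, m) in enumerate(rules):
            if pcc_rule_matches(f, mode, denominator, remainder):
                mark = m
                rule_hits[i] += 1
                break
        by_mark[mark] += 1
    return by_mark, rule_hits


def sample_flows(n: int = 3000):
    """Constructed sample: hosts in the thread's LAN 192.168.0.0/22 opening
    connections to addresses in the TEST-NET-3 documentation range."""
    flows = []
    for i in range(n):
        src = f"192.168.{i % 4}.{(i * 7) % 250 + 1}"
        dst = f"203.0.113.{(i * 13) % 250 + 1}"
        flows.append(Flow(src, 10000 + (i * 31) % 50000, dst, (80, 443, 53)[i % 3]))
    return flows


def share(by_mark: Counter, mark: str) -> float:
    total = sum(by_mark.values())
    return by_mark[mark] / total if total else 0.0


# Rules as first posted in the thread (2/0, 2/1, plus an added 2/2): the
# third rule can never match because a value modulo 2 is only ever 0 or 1.
WRONG_RULES = [(2, 0, "traffic-wan1"), (2, 1, "traffic-wan2"), (2, 2, "traffic-wan1")]
# jebz's fix: three buckets, two of them sent to the 400 Mbps WAN1.
WEIGHTED_RULES = [(3, 0, "traffic-wan1"), (3, 1, "traffic-wan2"), (3, 2, "traffic-wan1")]


if __name__ == "__main__":
    flows = sample_flows()
    for name, rules in (("2/0,2/1,2/2", WRONG_RULES), ("3/0,3/1,3/2", WEIGHTED_RULES)):
        by_mark, hits = classify(flows, rules)
        print(name, dict(by_mark), "rule hits:", hits)
```

Running it shows the third rule of the 2/0, 2/1, 2/2 set with a hit count of zero while the first two split the flows roughly 50/50, and the 3/0, 3/1, 3/2 set sending about two thirds of connections to traffic-wan1. The classifier mode matters too: under both-addresses, every connection between the same pair of hosts lands in the same bucket regardless of ports, which is less balanced but keeps all of one host's sessions to one server on one public address.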
 
jmadedicato
just joined
Topic Author
Posts: 6
Joined: Fri Oct 02, 2015 3:27 pm

Re: DUAL WAN setup?

Mon Jul 10, 2017 4:16 pm

@Jebz Thx! That worked.
 
borajuanjo
just joined
Posts: 6
Joined: Fri May 10, 2019 9:43 am

Re: DUAL WAN setup?

Sat May 11, 2019 5:03 am

(quoting jmadedicato's post of Sun Jul 09, 2017, above)
Hi! First of all, I'd like to mention that I'm super new to MikroTik; I'm still learning as much as I can in my very limited free time.
I'm trying to do exactly the same as you did, but I can't help but notice the evident differences between what you did and the PCC tutorial (https://wiki.mikrotik.com/wiki/Manual:PCC).

For example, this line from the PCC Tutorial:
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn 
is somewhat different from what you did
add action=mark-connection chain=prerouting disabled=yes dst-address-type=\
    !local in-interface=LAN new-connection-mark=traffic-wan1 \
    per-connection-classifier=both-addresses-and-ports:2/0

Also, on the PCC tutorial, it says
connection-mark=no-mark
and in what you did it says
action=mark-connection

Finally, in your procedure it says this
disabled=yes
Does that mean that the rule would be added but it would be disabled?

Any help will be really appreciated.

Thanks!
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: DUAL WAN setup?

Sat May 11, 2019 12:03 pm

The syntax of the firewall rules may be quite confusing for a newbie.

Each firewall rule has the following types of parameters:
  • action - what to do with the packet if it matches the rule's match conditions
  • chain - in which chain within a "table" (raw, mangle, nat, filter) the rule is placed
  • match conditions - names of "physical" fields of the packet header (like dst-address or protocol), or of packet meta-fields, which do not exist in the packet itself but have been attached to it during handling by previous stages of the firewall (such as packet-mark or connection-bytes). Each such field name comes with a list of values, ranges, or prefixes which the value in the field has to match in order that the condition would match. A rule matches if all of its conditions match.
  • action parameters - usually new values of packet header fields or packet metadata fields to be assigned when the action is performed
The group to which a given parameter belongs is not explicitly stated (even in the documentation), so you have to read the field description in the documentation, use common sense, and experiment where neither of the former two is sufficient. So in particular, connection-mark is a match condition, whereas new-connection-mark is an action parameter; dst-address is a match condition whereas to-addresses is an action parameter - the new value of either destination address or source address depending on whether it is used in dstnat or srcnat chain of the nat table.

So as an example, a rule in /ip firewall mangle saying chain=prerouting action=mark-connection connection-mark=none new-connection-mark=my-mark assigns the connection mark my-mark to any packet it receives for inspection provided that its metadata contain no connection-mark yet (none is a reserved match value).

A connection-mark is a specific metafield because it is used to ensure the same handling for all packets belonging to the same "connection", i.e. a TCP session or a bi-directional UDP stream. As soon as a firewall rule assigns a connection-mark to a packet, that connection-mark is stored in the metadata of the whole connection, so each subsequent packet found to belong to that connection gets the same connection-mark automatically when passing through the connection tracker, which is a "hidden" but very important part of the firewall between the raw stage and the mangle stage.

When using PCC in particular, you can only deal with LAN->WAN connections, so you don't need to use connection-marks because the PCC rules inspect the same fields of each packet which the connection tracker does, so all packets of the same direction of the same connection match the same PCC rule. But when you use nth or random to choose the WAN, or when you need connections initiated by a device in the internet to be responded through the same WAN interface through which they came in, you need connection-tracking to ensure that all packets of a connection will be routed out via the same and proper WAN. See more here.
Last edited by sindy on Sat May 25, 2019 11:33 pm, edited 2 times in total.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
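sindy's point about connection marks (a per-packet chooser such as nth scatters one session across both WANs unless the first decision is stored on the connection, and a reply to a connection that arrived on WAN2 must leave via WAN2) is easier to see with a small model of the connection tracker. This is an added example, not code from the thread or from MikroTik. Its assumptions: a connection is identified by its 5-tuple in either direction, "nth" is a plain round-robin counter, the interface names follow the thread (ether12 is WAN1, ether1 is WAN2), and the sample packets are constructed.

```python
"""Toy model of connection tracking and connection-mark persistence.

Added example for this thread, not code from the page or from MikroTik.
Assumptions: a connection is its 5-tuple in either direction (as the
connection tracker sees it), 'nth' is modelled as a plain round-robin
counter, and interface/mark names follow the thread's configuration.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_interface: str  # "LAN", "ether12" (WAN1) or "ether1" (WAN2)


def conn_key(p: Packet):
    """Direction-independent connection identity, like a conntrack entry."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class Router:
    WAN_OF_INTERFACE = {"ether12": "to-wan1", "ether1": "to-wan2"}
    ROUND_ROBIN = ["to-wan1", "to-wan2"]

    def __init__(self, use_connection_mark: bool):
        self.use_connection_mark = use_connection_mark
        self.conntrack = {}  # conn_key -> stored connection-mark
        self._nth = count()

    def route(self, p: Packet) -> Optional[str]:
        """Return the routing mark chosen for this packet (None = main table)."""
        key = conn_key(p)
        # The connection tracker runs before mangle: an existing entry
        # hands its stored mark to every later packet of the connection,
        # in both directions, so no new decision is taken.
        stored = self.conntrack.get(key)
        if self.use_connection_mark and stored is not None:
            return stored

        if p.in_interface in self.WAN_OF_INTERFACE:
            # New connection arriving on a WAN: remember that WAN so the
            # reply goes back the same way (the chain=input mark-connection
            # rules in the thread's config do this).
            mark = self.WAN_OF_INTERFACE[p.in_interface]
        elif p.in_interface == "LAN":
            # New connection from the LAN: choose a WAN per packet with nth.
            mark = self.ROUND_ROBIN[next(self._nth) % 2]
        else:
            return None
        if self.use_connection_mark:
            self.conntrack[key] = mark
        return mark


def marks_for_flow(router: Router, packets):
    return [router.route(p) for p in packets]


# Constructed sample traffic (documentation address ranges).
def lan_flow(n: int = 6):
    """n packets of one TCP session from a LAN host to a web server."""
    return [Packet("tcp", "192.168.1.20", 40001, "203.0.113.10", 443, "LAN")] * n


def inbound_then_reply():
    """A connection arriving on WAN2 followed by the LAN server's reply."""
    req = Packet("tcp", "198.51.100.7", 51234, "192.168.2.5", 22, "ether1")
    rep = Packet("tcp", "192.168.2.5", 22, "198.51.100.7", 51234, "LAN")
    return [req, rep]


if __name__ == "__main__":
    for use_mark in (False, True):
        r = Router(use_connection_mark=use_mark)
        print("connection-mark", use_mark, "LAN session:", marks_for_flow(r, lan_flow()))
        r = Router(use_connection_mark=use_mark)
        print("connection-mark", use_mark, "inbound+reply:", marks_for_flow(r, inbound_then_reply()))
```

Without the stored mark, the six packets of one LAN session alternate between to-wan1 and to-wan2, and the reply to a connection that came in on ether1 is handed to whichever WAN the nth counter points at next; with it, every packet of the session follows the first decision and the reply leaves via to-wan2. This is also why the PCC rules in the thread are paired with mark-routing rules matching on the connection mark rather than re-running the classifier per packet.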
 
borajuanjo
just joined
Posts: 6
Joined: Fri May 10, 2019 9:43 am

Re: DUAL WAN setup?

Sat May 25, 2019 1:17 pm

(quoting sindy's post of Sat May 11, 2019, above)
Thank you very much for your answer! I really appreciate it.
You are right, the terminology is rather confusing.
I managed to get PCC running using a Youtube tutorial from which I didn't get much learning, so your explanation is really useful to me.
Thanks again.
