paulobrien75
just joined
Topic Author
Posts: 8
Joined: Thu Aug 01, 2019 5:55 pm

Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Fri May 22, 2020 2:33 am

Hi All

I have a router running V6.39.2.

I have 2 WAN connections configured - WAN1 is FTTC 70MB / 17MB - WAN2 is 1GB Fibre.

No matter which interface traffic enters the router, from either WAN1 or WAN2, it always leaves via WAN1. This hasn't been too much of an issue, although it causes some problems, but the most recent thing we are trying to do is set up an L2TP IPSEC VPN between two sites - and if we use the WAN2 connection, it fails because the return connection is coming from the WAN1 address rather than WAN2 - so we have had to set the VPN connection up on WAN1 - which is limiting the speed at which we can transfer between sites.

Could anyone suggest a reason for this happening - I can share the config if that would be useful?

Thanks in advance.

Paul
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Fri May 22, 2020 4:00 am

First update your router to latest stable version.........
Second yes, config is important.
Third you have to decide what you want to do

a. load balance (probably not as wan1 is minuscule)
b. use wan2 as primary and wan1 as backup (more likely)

The more information we know about the users on the network and their requirements & limitations the better.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Fri May 22, 2020 11:45 am

Could anyone suggest a reason for this happening - I can share the config if that would be useful?
Check this post first, start reading it from the last paragraph which explains the relationship to your scenario, and then read the previous posts in that topic to find out how to use the routing-mark.

As @anav has pointed out, no one remembers how things used to work 3 years ago in 6.39, so if the solution described there doesn't work, you'll have to bite the bullet and upgrade - leaving aside that with all the vulnerabilities published and patched since 6.39, running that version on a VPN gateway is a Bad Idea, to put it softly.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
paulobrien75
just joined
Topic Author
Posts: 8
Joined: Thu Aug 01, 2019 5:55 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Fri May 22, 2020 3:14 pm

Thanks guys

We have tried routing-mark before without apparent success. Would prefer WAN2 to be the priority with WAN1 as fallback - ultimately removing WAN1 when I can get traffic to come in from and go back out of WAN2 :)

Will update the firmware and then may be back!

Kind regards

Paul
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Fri May 22, 2020 5:35 pm

We have tried routing-mark before without apparent success. Would prefer WAN2 to be the priority with WAN1 as fallback.
The routing-mark is actually the name of a routing table, so you can use the distance parameter to prioritize routes in each routing table differently, and you can have the same route in several routing tables.

You have to assign the routing-mark based on some criteria so that it is useful. If it is enough that the L2TP server responds through the same interface through which it has received the incoming request, you may use a single /ip route rule:

/ip route add gateway=wan.2.gw.ip routing-mark=via-wan2
/ip route rule add src-address=wan.2.own.ip action=lookup-only-in-table table=via-wan2
 
paulobrien75
just joined
Topic Author
Posts: 8
Joined: Thu Aug 01, 2019 5:55 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Sun May 24, 2020 12:40 am

Thanks Sindy

I've updated the firmware to the latest - have tried to implement your suggestion, but still not working :)

Attached is the export of the config? Would you mind taking a look please?

Thanks

Paul
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Sun May 24, 2020 12:48 am

Yes, one for sindy.
I am completely bamboozled by what you call LAN, and by the lack of a LAN interface list and the plethora of interfaces that are seemingly tied to nothing, no port or vlan............

If I had to guess - your config is totally hosed.
You need to assign all those interfaces to vlans.
Create a bridge, and add the vlans to the bridge
Minor mods needed for address, dhcp server, dhcp server network, ip address etc......

FW rules.........
add action=accept chain=input comment=Winbox dst-port=8291 in-interface=DAISY protocol=tcp

(1) Typically I don't like stating my winbox port in fw rules........ I also change it from default.
(2) I narrow down access to anything on the router like that to the admin only......
/ip firewall address list
add address=IPofadmindesktop list=adminaccess
add address=IPofadminipad list=adminaccess

add action=accept chain=input in-interface=(whatever vlan I use, or in your case DAISY) src-address-list=adminaccess
That way NOT everybody in daisy has access to the router!!!

Firewall forward rules, have many entries that don't make sense to me.
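The access restriction anav describes above, written out as a complete RouterOS v6 input chain. This is an added example, not the thread's export and not anav's or sindy's own configuration: the interface name DAISY, the Winbox rule quoted from the export, pppoe-wan2, the list name adminaccess and the IKE/NAT-T ports 500 and 4500 come from the thread; the WAN interface list, the 192.0.2.x admin addresses and the L2TP/ESP rules are assumptions added so that the final drop rule does not break the VPN the thread is about.

```routeros
# Added example, not from the thread: restrict management of the router to an admin address list
# and drop everything else that targets the router itself on the public interfaces.
# 192.0.2.10 / 192.0.2.11 are placeholders for the real admin desktop and tablet.

# Interface list for the public side (the thread's export had no such list).
/interface list add name=WAN
/interface list member add interface=DAISY list=WAN
/interface list member add interface=pppoe-wan2 list=WAN

/ip firewall address-list
add address=192.0.2.10 list=adminaccess comment="admin desktop (placeholder)"
add address=192.0.2.11 list=adminaccess comment="admin tablet (placeholder)"

/ip firewall filter
# Weak rule as quoted from the export: every host reachable via DAISY may talk to Winbox.
#   add action=accept chain=input comment=Winbox dst-port=8291 in-interface=DAISY protocol=tcp

# Replies to sessions the router opened itself, then drop broken state early.
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=drop connection-state=invalid comment="invalid"

# L2TP/IPsec server: IKE and NAT-T, ESP, and L2TP only once it arrives inside an IPsec policy.
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN comment="ESP"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP inside IPsec only"

# Management: the admin list only, in anav's form (no service port stated in the rule).
add chain=input action=accept in-interface=DAISY src-address-list=adminaccess comment="router access, admins only"

# Everything else aimed at the router from the public side is dropped. Order matters: this goes last.
add chain=input action=drop in-interface-list=WAN comment="drop the rest from WAN"
```

Apply a change like this from a terminal in Safe Mode (Ctrl+X), so that a rule entered in the wrong order, which would lock the admin out, is rolled back automatically when the session drops.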
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Sun May 24, 2020 1:14 pm

In the OP you say you have a problem that everything goes out via WAN1 (DAISY) no matter what and that you want L2TP connections which came in via pppoe-wan2 to be responded to from there, but there is no /ip route rule row for this. Instead, there is such a rule, but for WAN1. Can you clarify?

Also, what made you add routing-mark=to_DAISY to the /ip route rule row? The routing rule is there to assign the routing table to the packets sent from that IP address on its own, regardless of what the mangle rules did or did not assign before. So by adding that match condition to it, you've effectively prevented it from affecting anything, because it only matches on packets which have already got the routing-mark before, in mangle.

It is true that it is not always clear which parameter of a firewall rule or a routing rule is a match condition and which is a new value to be assigned, so it is always good to check this in the documentation.
 
paulobrien75
just joined
Topic Author
Posts: 8
Joined: Thu Aug 01, 2019 5:55 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Sun May 24, 2020 5:03 pm

Apologies - originally we had 3 WAN Connections - WAN1 - 80/20 FTTC, WAN2 - 80/20 FTTC and DAISY - 1GB Fibre. We disabled WAN1 - so now we have WAN2 and DAISY. So any connection that comes in on DAISY goes back out on WAN2.

I think we added that rule previously when trying to get this to work.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1  [SOLVED]

Sun May 24, 2020 7:09 pm

now we have WAN2 and DAISY. So any connection that comes in on DAISY goes back out on WAN2.
So you actually don't need a rule to keep what came in via WAN2 on WAN2 but a rule to keep what came in via DAISY on DAISY. So go step by step now:
  • open two command line windows
  • run /tool sniffer quick interface=DAISY ip-protocol=icmp ip-address=8.8.8.8 in one of them
  • run ping 8.8.8.8 routing-table=to_DAISY in the other one
If you can see the ping requests and responses in the sniffer window while pinging in the other one, the route with routing-mark=to_DAISY itself works.

If it doesn't work, show me the output of /ip route print.

If it works, remove the routing-mark=to_DAISY from the row in /ip route rule, and make sure that the src-address on that row is a single address (/32), not the whole subnet attached to the interface. Then, run /tool sniffer quick interface=DAISY ip-protocol=udp port=500,4500 and try to connect using L2TP over IPsec from outside (i.e. not from LAN) to that address. You should see the connection attempts coming, and if it works, also the responses; if it doesn't work, the client should give up after a while.
 
paulobrien75
just joined
Topic Author
Posts: 8
Joined: Thu Aug 01, 2019 5:55 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Sun May 24, 2020 11:35 pm

Yeah! That appears to work - thanks so much for your help.

The first bit - the two command line windows - worked and I could see the traffic. Removing the Connection Mark in the IP Route Rule fixed it.

Thanks so much for your help.
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Sun May 24, 2020 11:45 pm

OK. Now you may extend the src-address in the /ip route rule row from a /32 to the whole /27, which should extend the functionality to all the public IPs associated to DAISY.

However, I still don't get why the mangle rules did not work, as they seemed fine to me.
 
paulobrien75
just joined
Topic Author
Posts: 8
Joined: Thu Aug 01, 2019 5:55 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Mon May 25, 2020 2:02 am

Would it make any difference if the IP Addresses are setup in the following way -

We have a /27 address range - our first IP is .1 and our last one is .30 I think

The .1 address is a CISCO router before the mikrotik - then .2 and upwards are added to the mikrotik. Would this cause a problem? So currently the .2 address is set to /32 - if I change it to /27 we will see an issue appear?

Paul
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1

Mon May 25, 2020 1:20 pm

It depends on whether there will be any traffic between the Cisco itself and the Mikrotik. The thing is that the routing-mark is respected for any traffic for which any matching route with such a routing-mark exists, hence incoming traffic from the Cisco itself (not coming via the Cisco, the source address matters) would be sent via the gateway indicated in the marked route for DAISY. So if this is a concern, you can add an /ip route rule row before (above) the existing one, saying src-address=195.224.143.0/27 dst-address=195.224.143.0/27 action=lookup table=main.

Keeping the number of rules as low as possible, i.e. only using the necessary ones, has a positive impact on performance. So if you don't need that the Mikrotik and the Cisco talk to each other via this public subnet, don't add the rule above.
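The policy-routing pieces sindy spells out across the thread (the routing-mark as a table name, the /ip route rule without a routing-mark match, the sniffer and ping checks, and the optional main-table rule for traffic inside the public /27), collected into one RouterOS v6 configuration. This is an added example, not the poster's export and not sindy's own config: DAISY, to_DAISY, 8.8.8.8, ports 500 and 4500 and the /27 prefix length are from the thread; the gateway addresses and the router's own DAISY address are placeholders in the my.public.ip.N style of sindy's signature, and the main-table default via WAN2 reflects the state the thread describes.

```routeros
# Added example, not from the thread: keep replies to traffic that arrived on DAISY leaving via DAISY.
# wan2.gw.ip, daisy.gw.ip and my.public.ip.N are placeholders, not valid addresses as written.

# 1. Routes. The main table keeps its default (currently WAN2). A second default route lives only in
#    table to_DAISY; the routing-mark is just that table's name.
/ip route
add dst-address=0.0.0.0/0 gateway=wan2.gw.ip comment="main table default (WAN2)"
add dst-address=0.0.0.0/0 gateway=daisy.gw.ip routing-mark=to_DAISY comment="default route in table to_DAISY"

# 2. Route rules, evaluated top-down. The first one is optional and only needed if the MikroTik and the
#    Cisco talk to each other inside the public /27. The second one assigns table to_DAISY to whatever
#    the router itself sends from its DAISY address. Deliberately no routing-mark= match on it: that
#    would match only packets already marked in mangle, which is why the poster's rule never fired.
/ip route rule
add src-address=my.public.ip.0/27 dst-address=my.public.ip.0/27 action=lookup table=main comment="optional: local /27 stays on main"
add src-address=my.public.ip.2/32 action=lookup-only-in-table table=to_DAISY comment="replies from DAISY address leave via DAISY"
# Once the /32 is confirmed working, widen src-address to my.public.ip.0/27 to cover every public IP on DAISY.

# 3. Checks, each in its own terminal window. Requests and replies showing up on DAISY means the
#    marked route works on its own.
/tool sniffer quick interface=DAISY ip-protocol=icmp ip-address=8.8.8.8
/ping 8.8.8.8 routing-table=to_DAISY
# Same check for the VPN: IKE/NAT-T packets and their responses should appear here while an L2TP/IPsec
# client connects from outside the LAN. If only requests appear, compare /ip route print for the table.
/tool sniffer quick interface=DAISY ip-protocol=udp port=500,4500
```

If the optional main-table rule is added later, use place-before=0 on the add so that it lands above the to_DAISY rule; a rule that sits below never sees the traffic the earlier rule already claimed.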
