MrHae
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Dual WAN Routing

Sun May 15, 2022 10:49 am

Hey Guys,

I've tried nearly everything without finding a proper solution.

My Setup:
HAP AC3
eth1 --> WAN over PPPOE
eth2 --> WAN over COAX Router
eth3-5 --> Bridge

Standard Route through eth2 (400MBit)
I want ONE client to go through eth1, because it is SIP telephony and has a separate DSL line for this.

I mark connections from the IP of the SIP server, I set routing marks for all these connections, and I created a separate routing table where 0.0.0.0/0 goes over eth1. I see the marks in the Connections tab, but the routing still goes through eth2.

# may/15/2022 09:47:30 by RouterOS 7.2.2
# software id = FU2Y-5FQR
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0FF2DE05
# Full export of the hAP ac3 from the opening post: eth1 = PPPoE (Telekom),
# eth2 = cable (PYUR), ether3-5 bridged LAN. Goal: send one host (the 3CX
# server, 192.168.10.14) out via PPPoE while everything else uses cable.
# Lines starting "# NOTE(review)" are reviewer annotations, not export output.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412,2437,2462 name=CH-24-Auto tx-power=9
/interface bridge
add admin-mac=DC:2C:6E:5C:AC:05 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_Telekom
set [ find default-name=ether2 ] name=eth2_PYUR
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(6dBm), SSID: AC, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-5CAC09 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5680/20-eeCe/ac/DP(21dBm), SSID: AC, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-5CAC0A wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN2-GAST vlan-id=2
/caps-man configuration
# NOTE(review): all three SSIDs accept .encryption=aes-ccm,tkip. TKIP is a
# deprecated WPA cipher; aes-ccm alone is advisable unless a legacy client
# genuinely needs TKIP.
add channel=CH-24-Auto country=germany datapath.bridge=bridge installation=\
indoor name=AC_24 security.authentication-types=wpa2-psk .encryption=\
aes-ccm,tkip ssid=AC
add country="etsi 5.5-5.7 outdoor" datapath.bridge=bridge name=AC_5 \
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=AC
# Guest SSID: traffic is tagged into VLAN 2 (.vlan-mode=use-tag) and
# client-to-client forwarding is off.
add channel=CH-24-Auto country=germany datapath.bridge=bridge \
.client-to-client-forwarding=no .local-forwarding=yes .vlan-id=2 \
.vlan-mode=use-tag installation=indoor name=AC_24_GAST \
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=\
AC-Gast
/interface pppoe-client
# PPPoE installs its own default route in the main table at distance 20; the
# cable DHCP client below uses distance 10, so the main table prefers cable.
add add-default-route=yes default-route-distance=20 disabled=no interface=\
eth1_Telekom name=pppoe-Telekom user=\
XXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is not used by any DHCP server in this export;
# the LAN was renumbered to 192.168.10.0/24.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Gast ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=Gast interface=VLAN2-GAST name=GAST
/routing table
# Table Pyur is only referenced by the disabled routing rule at the end; no
# route in this export is placed in it.
add disabled=no fib name=Pyur
add disabled=no fib name=Telekom
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn,b \
master-configuration=AC_24 name-format=prefix-identity name-prefix=24
add action=create-dynamic-enabled hw-supported-modes=an,ac \
master-configuration=AC_5 name-format=prefix-identity name-prefix=5
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
# NOTE(review): VLAN2-GAST belongs to neither list. With the filter rules
# below, input from guests is dropped by the "!LAN" rule, but nothing in the
# forward chain stops guest -> 192.168.10.0/24 traffic (only new connections
# from the WAN list are dropped) — presumably unintended for a guest network;
# confirm.
add comment=defconf interface=bridge list=LAN
add interface=pppoe-Telekom list=WAN
add interface=eth2_PYUR list=WAN
add interface=eth1_Telekom list=WAN
/interface ovpn-server server
# NOTE(review): md5 is listed as an accepted HMAC for OVPN; prefer sha1 only
# (or a stronger digest where the release offers one). The export does not
# show the server enabled, so this is a hardening note rather than an exposure.
set auth=sha1,md5
/interface wireless cap
#
set certificate=request discovery-interfaces=bridge enabled=yes interfaces=\
wlan1,wlan2 lock-to-caps-man=yes
/ip address
# 192.168.10.1/24 and 192.168.10.2/24 are both on the bridge — the second
# looks redundant; verify it is intentional.
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN2-GAST network=192.168.20.0
add address=192.168.10.2/24 interface=bridge network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# Cable WAN: default route at distance 10 (preferred over PPPoE's 20).
add default-route-distance=10 interface=eth2_PYUR use-peer-dns=no
# A DHCP client on the LAN bridge (which already has a static address) looks
# like a leftover; if it ever receives a lease it installs a third default
# route at distance 30 — verify it is wanted.
add default-route-distance=30 interface=bridge
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.20.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for clients; it
# is kept off the WAN only by the input-chain drop for in-interface-list=!LAN
# below, so that rule must stay.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
# defconf entry still points at 192.168.88.1 although the LAN is now
# 192.168.10.0/24.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# LANo3CX = the LAN minus 192.168.10.14 (the 3CX host); no rule in this export
# references it.
add address=192.168.10.0/24 list=LAN
add address=192.168.10.3-192.168.10.13 list=LANo3CX
add address=192.168.10.15-192.168.10.254 list=LANo3CX
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# NOTE(review): fasttracked packets skip the mangle chains, so once a 3CX
# connection is fasttracked the mark-routing rules below no longer see it.
# Either keep 3CX out of fasttrack (e.g. add connection-mark=!3CX here) or
# drop the mangle approach in favour of a routing rule, as the reply suggests.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# NOTE(review): passthrough=no on the two mark-connection rules ends mangle
# processing for the packet that receives the mark, so — as I read the
# passthrough semantics — the first packet of each 3CX connection never
# reaches the mark-routing rule and is routed via main. Together with
# fasttrack above, this matches the symptom "marks visible, routing unchanged".
add action=mark-connection chain=prerouting connection-mark=no-mark \
new-connection-mark=3CX passthrough=no src-address=192.168.10.14
add action=mark-connection chain=prerouting connection-mark=no-mark \
new-connection-mark=3CX passthrough=no src-address=192.168.10.15
add action=mark-routing chain=prerouting connection-mark=3CX \
new-routing-mark=Telekom passthrough=no
add action=mark-routing chain=output connection-mark=3CX new-routing-mark=\
Telekom passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): the Exchange and Mailstore rules match dst-address=<the LAN
# host itself> and translate to that same host. Packets arriving from the WAN
# carry the router's public address as destination, so as written these
# presumably never match inbound traffic (compare the 3CX rules, which key on
# in-interface=pppoe-Telekom). They also carry no in-interface restriction —
# confirm what they are meant to do before relying on them.
add action=dst-nat chain=dstnat comment="Exchange SMTP" dst-address=\
192.168.10.253 dst-port=25 protocol=tcp to-addresses=192.168.10.253 \
to-ports=25
add action=dst-nat chain=dstnat comment="Exchange OWA" dst-address=\
192.168.10.253 dst-port=443 protocol=tcp to-addresses=192.168.10.253 \
to-ports=443
add action=dst-nat chain=dstnat comment="Exchange Lets Encrypt Challenge" \
dst-address=192.168.10.253 dst-port=80 protocol=tcp to-addresses=\
192.168.10.253 to-ports=80
add action=dst-nat chain=dstnat comment=Mailstore dst-address=192.168.10.13 \
dst-port=8462 protocol=tcp to-addresses=192.168.10.13 to-ports=8462
# 3CX port forwards, limited to the PPPoE WAN; the two plain SIP/5060 rules
# are disabled.
add action=dst-nat chain=dstnat comment="3CX Webclient" dst-port=5001 \
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14 \
to-ports=5001
add action=dst-nat chain=dstnat comment="3CX SIP TCP" disabled=yes \
dst-address=192.168.10.14 dst-port=5060 protocol=tcp to-addresses=\
192.168.10.14 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX RTP" dst-port=9000-10999 \
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14 \
to-ports=9000-10999
add action=dst-nat chain=dstnat comment="3CX Tunnel TCP" dst-port=5090 \
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14 \
to-ports=5090
add action=dst-nat chain=dstnat comment="3CX Tunnel UDP" dst-port=5090 \
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14 \
to-ports=5090
add action=dst-nat chain=dstnat comment="3CX SIP UDP" disabled=yes \
dst-address=192.168.10.14 dst-port=5060 protocol=udp to-addresses=\
192.168.10.14 to-ports=5060
/ip firewall service-port
# SIP connection-tracking helper switched off.
set sip disabled=yes
/ip route
# The only route in table Telekom is a default via the PPPoE interface; there
# is no route back to 192.168.10.0/24 inside that table, which a
# lookup-only-in-table rule would need.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-Telekom routing-table=Telekom suppress-hw-offload=no
/routing rule
# Disabled test rule. NOTE(review): dst-address=::/0 is an IPv6 prefix on an
# IPv4 rule; the author later names this dst-address as one of the problems.
add action=lookup-only-in-table disabled=yes dst-address=::/0 src-address=\
192.168.10.13/32 table=Pyur
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=AC-GW
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Routing

Sun May 15, 2022 3:20 pm

(1) You have fasttrack and mangling enabled, and those are not compatible.
(2) Luckily, no mangling is required, so get rid of those mangle rules and you can keep fasttrack enabled!

(3) What is your SIP server? You seem to use 192.168.10.13, 192.168.10.14 and 192.168.10.15 at random.

(4) With the setup below all users will go to cable for internet. If cable goes down, all users will switch to PPPoE until cable comes back up.
Now we have to account for the SIP connection, and thus the table and routing rule are required. Just fill in the ????? with your actual server IP that needs to go out that way.
# Sketch from the reply: both default routes live in the main table, cable
# preferred (distance 5) with check-gateway so PPPoE takes over on failure;
# the chosen source host is forced into table usePPPOE by the routing rule.
# cable-ISP / pppoe-ISP and ????????? are placeholders for the real gateway
# interfaces and the server IP. Note that as written nothing puts a route
# into usePPPOE; a default route with routing-table=usePPPOE is presumably
# implied (the author's later post adds exactly that).
/ip route
add dst-address=0.0.0.0/0 gateway=cable-ISP  distance=5    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-ISP   distance=10
/routing table add name=usePPPOE  fib
/routing rule add src-address=?????????   action=lookup-only-in-table  table=usePPPOE
 
MrHae
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Dual WAN Routing

Sun May 15, 2022 3:41 pm

Hey,

My SIP server is .14; the other two are for testing.

I tried rules too, but without any success. So you are saying fasttrack is my problem?

I will try rules again, restarting the gateway or killing the connections.
 
MrHae
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Dual WAN Routing

Sun May 15, 2022 4:00 pm

So I did this and killed the connections, but without any solution.

# Attempt after the reply: a default route inside table Telekom and a rule
# forcing the test host 192.168.10.15 to look up only that table. The rule
# still carries dst-address=::/0 (an IPv6 prefix on an IPv4 rule), which the
# author later identifies as a problem, and table Telekom still has no route
# back to 192.168.10.0/24.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-Telekom pref-src="" routing-table=Telekom scope=30 \
suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no dst-address=::/0 src-address=\
192.168.10.15/32 table=Telekom

10.14 is my SIP server, 10.15 is my test server; it always goes through cable...
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Routing

Sun May 15, 2022 6:14 pm

One cannot help with snippets of a config that is itself wrong! Why are you giving the secondary PPPoE route a distance of 1, for example, and my examples don't have any table in a route itself.

Read this, it has all the information you need....... viewtopic.php?t=182373
PARAs I and J apply!
 
MrHae
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Dual WAN Routing

Sun May 15, 2022 6:21 pm

One cannot help with snippets of a config that in of itself is wrong! Why are you giving the secondary pppoe route a distance of 1 for example and my examples dont have any table in a route itself.

Read this, it has all the information you need....... viewtopic.php?t=182373
PARAs I and J apply!
Hey, sorry, I snipped it down because I had made the changes you wrote in your last post.

Here in complete.

If I do it with routes, I need a second routing table, don't I?

# may/15/2022 14:57:23 by RouterOS 7.2.2
# software id = FU2Y-5FQR
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0FF2DE05
# Second full export, after the mangle rules were removed: eth1 = PPPoE
# (Telekom), eth2 = cable (PYUR), ether3-5 bridged LAN. The 3CX server is
# 192.168.10.14; 192.168.10.15 is the author's test host.
# Lines starting "# NOTE(review)" are reviewer annotations, not export output.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412,2437,2462 name=CH-24-Auto tx-power=9
/interface bridge
add admin-mac=DC:2C:6E:5C:AC:05 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_Telekom
set [ find default-name=ether2 ] name=eth2_PYUR
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(6dBm), SSID: AC, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-5CAC09 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5680/20-eeCe/ac/DP(21dBm), SSID: AC, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=MikroTik-5CAC0A wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN2-GAST vlan-id=2
/caps-man configuration
# NOTE(review): all three SSIDs accept .encryption=aes-ccm,tkip. TKIP is a
# deprecated WPA cipher; aes-ccm alone is advisable unless a legacy client
# genuinely needs TKIP.
add channel=CH-24-Auto country=germany datapath.bridge=bridge installation=\
indoor name=AC_24 security.authentication-types=wpa2-psk .encryption=\
aes-ccm,tkip ssid=AC
add country="etsi 5.5-5.7 outdoor" datapath.bridge=bridge name=AC_5 \
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=AC
# Guest SSID: traffic is tagged into VLAN 2 (.vlan-mode=use-tag) and
# client-to-client forwarding is off.
add channel=CH-24-Auto country=germany datapath.bridge=bridge \
.client-to-client-forwarding=no .local-forwarding=yes .vlan-id=2 \
.vlan-mode=use-tag installation=indoor name=AC_24_GAST \
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=\
AC-Gast
/interface pppoe-client
# PPPoE installs its own default route in the main table at distance 20; the
# cable DHCP client below uses distance 10, so the main table prefers cable.
add add-default-route=yes default-route-distance=20 disabled=no interface=\
eth1_Telekom name=pppoe-Telekom user=\
XXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is not used by any DHCP server in this export;
# the LAN was renumbered to 192.168.10.0/24.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Gast ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=Gast interface=VLAN2-GAST name=GAST
/routing table
# Table Pyur is not referenced by any route or rule in this export.
add disabled=no fib name=Pyur
add disabled=no fib name=Telekom
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn,b \
master-configuration=AC_24 name-format=prefix-identity name-prefix=24
add action=create-dynamic-enabled hw-supported-modes=an,ac \
master-configuration=AC_5 name-format=prefix-identity name-prefix=5
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
# NOTE(review): VLAN2-GAST belongs to neither list. With the filter rules
# below, input from guests is dropped by the "!LAN" rule, but nothing in the
# forward chain stops guest -> 192.168.10.0/24 traffic (only new connections
# from the WAN list are dropped) — presumably unintended for a guest network;
# confirm.
add comment=defconf interface=bridge list=LAN
add interface=pppoe-Telekom list=WAN
add interface=eth2_PYUR list=WAN
add interface=eth1_Telekom list=WAN
/interface ovpn-server server
# NOTE(review): md5 is listed as an accepted HMAC for OVPN; prefer sha1 only
# (or a stronger digest where the release offers one). The export does not
# show the server enabled, so this is a hardening note rather than an exposure.
set auth=sha1,md5
/interface wireless cap
#
set certificate=request discovery-interfaces=bridge enabled=yes interfaces=\
wlan1,wlan2 lock-to-caps-man=yes
/ip address
# 192.168.10.1/24 and 192.168.10.2/24 are both on the bridge — the second
# looks redundant; verify it is intentional.
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN2-GAST network=192.168.20.0
add address=192.168.10.2/24 interface=bridge network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# Cable WAN: default route at distance 10 (preferred over PPPoE's 20).
add default-route-distance=10 interface=eth2_PYUR use-peer-dns=no
# A DHCP client on the LAN bridge (which already has a static address) looks
# like a leftover; if it ever receives a lease it installs a third default
# route at distance 30 — verify it is wanted.
add default-route-distance=30 interface=bridge
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.20.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for clients; it
# is kept off the WAN only by the input-chain drop for in-interface-list=!LAN
# below, so that rule must stay.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
# defconf entry still points at 192.168.88.1 although the LAN is now
# 192.168.10.0/24.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# LANo3CX = the LAN minus 192.168.10.14 (the 3CX host); no rule in this export
# references it.
add address=192.168.10.0/24 list=LAN
add address=192.168.10.3-192.168.10.13 list=LANo3CX
add address=192.168.10.15-192.168.10.254 list=LANo3CX
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Fasttrack can stay now that the mangle rules are gone: routing rules are
# evaluated regardless of fasttrack, mangle marks are not.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): the Exchange and Mailstore rules match dst-address=<the LAN
# host itself> and translate to that same host. Packets arriving from the WAN
# carry the router's public address as destination, so as written these
# presumably never match inbound traffic (compare the 3CX rules, which key on
# in-interface=pppoe-Telekom). They also carry no in-interface restriction —
# confirm what they are meant to do before relying on them.
add action=dst-nat chain=dstnat comment="Exchange SMTP" dst-address=\
192.168.10.253 dst-port=25 protocol=tcp to-addresses=192.168.10.253 \
to-ports=25
add action=dst-nat chain=dstnat comment="Exchange OWA" dst-address=\
192.168.10.253 dst-port=443 protocol=tcp to-addresses=192.168.10.253 \
to-ports=443
add action=dst-nat chain=dstnat comment="Exchange Lets Encrypt Challenge" \
dst-address=192.168.10.253 dst-port=80 protocol=tcp to-addresses=\
192.168.10.253 to-ports=80
add action=dst-nat chain=dstnat comment=Mailstore dst-address=192.168.10.13 \
dst-port=8462 protocol=tcp to-addresses=192.168.10.13 to-ports=8462
# 3CX port forwards, limited to the PPPoE WAN; the two plain SIP/5060 rules
# are disabled.
add action=dst-nat chain=dstnat comment="3CX Webclient" dst-port=5001 \
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14 \
to-ports=5001
add action=dst-nat chain=dstnat comment="3CX SIP TCP" disabled=yes \
dst-address=192.168.10.14 dst-port=5060 protocol=tcp to-addresses=\
192.168.10.14 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX RTP" dst-port=9000-10999 \
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14 \
to-ports=9000-10999
add action=dst-nat chain=dstnat comment="3CX Tunnel TCP" dst-port=5090 \
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14 \
to-ports=5090
add action=dst-nat chain=dstnat comment="3CX Tunnel UDP" dst-port=5090 \
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14 \
to-ports=5090
add action=dst-nat chain=dstnat comment="3CX SIP UDP" disabled=yes \
dst-address=192.168.10.14 dst-port=5060 protocol=udp to-addresses=\
192.168.10.14 to-ports=5060
/ip firewall service-port
# SIP connection-tracking helper switched off.
set sip disabled=yes
/ip route
# The only route in table Telekom is a default via the PPPoE interface. With
# the lookup-only-in-table rule below, the selected host has no route back to
# 192.168.10.0/24 in this table — the author's later post adds one.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-Telekom pref-src="" routing-table=Telekom scope=30 \
suppress-hw-offload=no target-scope=10
/routing rule
# Forces the test host 192.168.10.15 into table Telekom. NOTE(review):
# dst-address=::/0 is an IPv6 prefix on an IPv4 rule; the author later names
# this dst-address as one of the problems.
add action=lookup-only-in-table disabled=no dst-address=::/0 src-address=\
192.168.10.15/32 table=Telekom
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=AC-GW
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
MrHae
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Dual WAN Routing

Sun May 15, 2022 7:06 pm

Got It.

Thank you anav, I read your post before. After rechecking my config for the 100th time I've found my problems:

1st: My dst address
# The rule as it was while it failed. The author's first finding is the
# dst-address=::/0 (an IPv6 prefix) on this IPv4 rule; removing it is what
# exposed the second problem (no complete routing table Telekom) below.
/routing rule
add action=lookup-only-in-table disabled=no dst-address=::/0 src-address=\
192.168.10.15/32 table=Telekom


And 2nd: no complete routing table Telekom --> this showed up after deleting the dst-address in my rule.
I just had 0.0.0.0/0 --> pppoe
But i needed these 3 Rules:
# Working contents of table Telekom, per the author's final post. All three
# routes use the PPPoE *interface* (pppoe-Telekom) or the bridge as gateway
# rather than a peer IP address, so a change of the provider-side gateway
# address should not invalidate them (this answers the question below, as I
# read it — confirm after a PPPoE reconnect). check-gateway=ping from the
# earlier attempt is no longer set.
/ip route
# Default route inside the table; pref-src=0.0.0.0 reads as "no preferred
# source address" in this export.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-Telekom \
pref-src=0.0.0.0 routing-table=Telekom scope=30 suppress-hw-offload=no \
target-scope=10
# Host route for 62.156.244.25 — presumably the SIP provider's server that the
# earlier mangle rules were meant to steer; verify.
add disabled=no distance=1 dst-address=62.156.244.25/32 gateway=pppoe-Telekom \
routing-table=Telekom scope=10 suppress-hw-offload=no
# Route back to the LAN inside table Telekom: with lookup-only-in-table the
# selected host would otherwise have no route to 192.168.10.0/24 at all (the
# "no complete routing table" finding above).
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=bridge \
routing-table=Telekom scope=10 suppress-hw-offload=no


Now I just ask myself what problems will occur if the Telekom gateway IP changes dynamically.
 
phistrom
just joined
Posts: 12
Joined: Sat Mar 11, 2017 8:45 pm
Location: Texas

Re: Dual WAN Routing

Mon May 16, 2022 10:50 pm

I just updated to 7.2.3 and now routing rules do not work for me. They were working in 7.2.1. If you are having trouble getting your routing rules to work, you may want to backup your current settings and then try downgrading to 7.2.1.
