BeeKeeper

Dual Wan directing subnet to 2nd ISP WAN doesn't work -- failover working

Mon Sep 05, 2022 10:56 am

Hi, my RB4011 was running fine and without problems based on the router.rsc template out of this forum.

After getting a second WAN connection from my ISP, I started to change my configuration to use this 2nd connection
as a failover link and to direct one subnet to this 2nd WAN connection.

My approach follows the Paragraph J from viewtopic.php?t=182373

Result:

1.) Failover works (removing connection 1 -> all traffic runs on connection 2 and goes back to connection 1 after reconnect)
2.) No packet from subnet 192.168.76.0/24 ever finds its way to connection 2; all traffic stays on connection 1

No log entries

Could you please help me to find the problem or give me some hint to enhance debugging this situation ?

You will find my configuration below. I removed the script lines because the scripts are running fine. They are only setting dyndns names and dhcp to dns.
# sep/05/2022 09:13:11 by RouterOS 6.49.6
# software id = ###
#
# model = RB4011iGS+
# serial number = ###
# NOTE(review): software id, serial number, PPPoE users and host names are masked
# (### / ##...##) and no password or IPsec secret appears anywhere in this listing,
# so it was presumably exported with hide-sensitive and redacted by hand before posting.
/interface bridge
# BR1 is a VLAN-aware bridge (vlan-filtering=yes) with IGMP snooping and no STP.
add igmp-snooping=yes igmp-version=3 name=BR1 protocol-mode=none \
    vlan-filtering=yes
/interface vlan
# One VLAN interface per internal network on BR1, plus VLAN 7 on each physical WAN
# port (ether10, ether1) to carry the two PPPoE sessions defined below.
add interface=BR1 name=AQUA_VLAN vlan-id=30
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=111
# GREEN_VLAN answers ARP on behalf of other hosts (proxy-arp); presumably for the L2TP
# client, whose remote-address in /ppp secret lies inside this subnet.
add arp=proxy-arp interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=LIME_VLAN vlan-id=60
add interface=BR1 name=RED_VLAN vlan-id=10
add interface=ether10 name=vlan-07-fiber vlan-id=7
add interface=ether1 name=vlan-07-telekom vlan-id=7
/interface pppoe-client
# pppoe-Magenta is the primary WAN, pppoe-fiber the second one.
# NOTE(review): only pppoe-Magenta carries disabled=no; pppoe-fiber shows no such
# setting, so it may have been disabled when this export was taken - confirm.
add comment="Magenta 100" disabled=no interface=vlan-07-telekom max-mtu=1480 \
    name=pppoe-Magenta user=##user1##
add comment="fiber 500 telekom" interface=vlan-07-fiber max-mtu=1500 name=\
    pppoe-fiber user=##user2##
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN and VLAN are the two lists the firewall filter and NAT rules match on.
add comment="contains all WAN interfaces" name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# NOTE(review): the default IPsec profile (used by the L2TP/IPsec server enabled further
# down) still offers 3des next to AES. 3DES is a legacy 64-bit-block cipher; drop it
# from the list once every VPN client supports AES. Hash algorithm and DH group are not
# shown here, so they are presumably at their defaults - worth reviewing as well.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip pool
# One DHCP pool per internal VLAN.
# NOTE(review): GREEN_POOL ends at 192.168.76.200, which is also the remote-address the
# L2TP secret "testuser" assigns, so a DHCP client and the VPN client can collide.
add name=BLUE_POOL ranges=192.168.111.100-192.168.111.200
add name=GREEN_POOL ranges=192.168.76.100-192.168.76.200
add name=RED_POOL ranges=192.168.222.100-192.168.222.200
add name=LIME_POOL ranges=192.168.10.100-192.168.10.200
add name=BASE_POOL ranges=192.168.1.102-192.168.1.199
add name=AQUA_POOL ranges=192.168.33.100-192.168.33.200
/ip dhcp-server
# One DHCP server per VLAN interface; only AQUA_DHCP runs a lease script
# (dhcp-leases-to-dns, defined under /system script).
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=LIME_POOL disabled=no interface=LIME_VLAN name=LIME_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=AQUA_POOL disabled=no interface=AQUA_VLAN lease-script=\
    dhcp-leases-to-dns name=AQUA_DHCP
/caps-man manager interface
add disabled=no interface=ether3
/interface bridge port
# ether2 is an untagged access port in VLAN 99 (BASE); ether3 accepts tagged frames only.
# NOTE(review): sfp-sfpplus1, ether5 and ether4 set no frame-types, so they accept
# untagged frames too. If they are pure trunks, frame-types=admit-only-vlan-tagged
# (as on ether3) would stop untagged traffic from entering the bridge there.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 multicast-router=disabled pvid=99
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3 \
    multicast-router=disabled
add bridge=BR1 interface=sfp-sfpplus1 multicast-router=disabled
add bridge=BR1 interface=ether5 multicast-router=disabled
add bridge=BR1 interface=ether4 multicast-router=disabled
/interface bridge vlan
# Every internal VLAN is tagged on the bridge itself and on all four trunk ports;
# VLAN 99 is additionally untagged on ether2.
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp-sfpplus1 untagged=ether2 \
    vlan-ids=99
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3 vlan-ids=111
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether5,ether4,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether3,ether4,ether5 vlan-ids=30
/interface detect-internet
# Internet detection runs on every interface (list "all").
# NOTE(review): nothing else in this export depends on it - confirm it is intentional.
set detect-interface-list=all
/interface l2tp-server server
# The L2TP server is enabled with automatic IPsec setup.
# NOTE(review): per the RouterOS documentation, use-ipsec=yes still accepts L2TP
# sessions that arrive without IPsec; use-ipsec=required refuses them. Authentication
# methods are not shown, so they are presumably at their defaults - confirm.
set enabled=yes use-ipsec=yes
/interface list member
# Both PPPoE links are in WAN; all internal VLANs are in VLAN; only BASE_VLAN is in BASE.
add interface=pppoe-Magenta list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=LIME_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=AQUA_VLAN list=VLAN
add interface=pppoe-fiber list=WAN
/ip address
# Router address .254 in each VLAN; 192.168.30.9 on ether1 is used to reach the modem
# at 192.168.30.1 (see the "LAN->cable modem" firewall and NAT rules).
add address=192.168.1.254/24 interface=BASE_VLAN network=192.168.1.0
add address=192.168.111.254/24 interface=BLUE_VLAN network=192.168.111.0
add address=192.168.76.254/24 interface=GREEN_VLAN network=192.168.76.0
add address=192.168.222.254/24 interface=RED_VLAN network=192.168.222.0
add address=192.168.10.254/24 interface=LIME_VLAN network=192.168.10.0
add address=192.168.30.9/24 interface=ether1 network=192.168.30.0
add address=192.168.33.254/24 interface=AQUA_VLAN network=192.168.33.0
/ip dhcp-server lease
# Static leases. The same MAC (B8:27:EB:12:A1:71) holds a fixed address in four VLANs.
add address=192.168.1.243 client-id=1:8:55:31:a0:e8:1b mac-address=\
    08:55:31:A0:E8:1B server=BASE_DHCP
add address=192.168.76.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
    B8:27:EB:12:A1:71 server=GREEN_DHCP
add address=192.168.222.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
    B8:27:EB:12:A1:71 server=RED_DHCP
add address=192.168.10.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
    B8:27:EB:12:A1:71 server=LIME_DHCP
add address=192.168.1.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
    B8:27:EB:12:A1:71 server=BASE_DHCP
add address=192.168.111.101 client-id=1:0:8:9b:bd:b5:37 mac-address=\
    00:08:9B:BD:B5:37 server=BLUE_DHCP
/ip dhcp-server network
# Every VLAN is handed 192.168.1.254 (the router's BASE_VLAN address) as DNS server,
# so all clients depend on the router's resolver and on the input-chain rules for it.
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.10.0/24 dns-server=192.168.1.254 gateway=192.168.10.254
add address=192.168.33.0/24 dns-server=192.168.1.254 domain=##name## \
    gateway=192.168.33.254
add address=192.168.76.0/24 dns-server=192.168.1.254 gateway=192.168.76.254
add address=192.168.111.0/24 dns-server=192.168.1.254 gateway=192.168.111.254
add address=192.168.222.0/24 dns-server=192.168.1.254 gateway=192.168.222.254
/ip dns
# The router answers DNS queries from the network (allow-remote-requests=yes).
# NOTE(review): only the final drop rule of the input chain keeps this resolver from
# being reachable on the WAN interfaces; keep that in mind when editing the firewall.
set allow-remote-requests=yes servers=100:8:101:101:600:ff08:a011:0,9.9.9.9
/ip dns static
add address=192.168.33.102 comment=AQUA_DHCP-F4:D4:88:A5:B8:65 name=\
    ##name## ttl=15m
/ip firewall address-list
# IPTV multicast destinations; 224.0.0.0/4 already contains the two narrower ranges,
# so the list effectively matches all IPv4 multicast.
add address=232.0.0.0/16 list=iptv_destination
add address=239.35.0.0/16 list=iptv_destination
add address=224.0.0.0/4 list=iptv_destination
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# L2TP/IPsec: IKE (udp/500), L2TP (udp/1701), NAT-T (udp/4500) and ESP are accepted
# from every interface.
# NOTE(review): udp/1701 is open unconditionally. Combined with use-ipsec=yes on the
# L2TP server this presumably also admits L2TP that is not protected by IPsec; matching
# ipsec-policy=in,ipsec on the 1701 rule would limit it to decrypted IPsec traffic.
add action=accept chain=input comment="L2TP VPN erlauben" dst-port=500 \
    protocol=udp src-port=""
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# NOTE(review): every interface in list VLAN gets unrestricted access to the router
# (all ports, all management services). BASE_VLAN is itself a member of VLAN, so the
# "Base_Vlan Full Access" rule below adds nothing. If only BASE_VLAN is meant to manage
# the router, narrow this rule to what the other VLANs need (e.g. DNS).
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# Accepts anything addressed to the iptv_destination list (all multicast) on any interface.
add action=accept chain=input comment=IGMP-Magenta dst-address-list=\
    iptv_destination
# Final input rule: drop whatever was not accepted above. A log-prefix is set but
# log=yes is not, so these drops produce no log entries.
add action=drop chain=input comment=Drop log-prefix=drop-Inp
# --- forward chain: traffic routed through the router ---
# NOTE(review): this chain is effectively default-accept. The only drops are for new,
# non-dstnat connections entering on pppoe-Magenta / pppoe-fiber; the unconditional
# accept near the end lets everything else through, including VLAN-to-VLAN traffic,
# so "VLAN Internet Access only" is not enforced. There is also no rule dropping
# connection-state=invalid.
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=IGMP-Magenta dst-address-list=\
    iptv_destination
# Accepts every connection that was dst-nat'ed, regardless of the ingress interface.
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat log-prefix=log-Accept-dstnat
add action=drop chain=forward comment="Drop Not dstnat" connection-nat-state=\
    !dstnat connection-state=new in-interface=pppoe-Magenta log=yes \
    log-prefix=fwd-drop
# pppoe-fiber not ready
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new connection-type="" in-interface=pppoe-fiber log=yes log-prefix=\
    fwd-drop
# Unconditional accept: matches every packet that reaches it, so the rule after it is
# never evaluated. For real VLAN isolation this would have to become a drop, with the
# "LAN->cable modem" accept moved above it.
add action=accept chain=forward
add action=accept chain=forward comment="accept LAN->cable modem" \
    dst-address=192.168.30.1 in-interface=BR1 out-interface=ether1 \
    src-address=192.168.0.0/16
/ip firewall nat
# Source NAT for everything leaving through an interface in list WAN (both PPPoE links).
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# Inbound port forwards, all bound to pppoe-Magenta: UDP 30000-31000, 40000-41000 and
# 5070-5080 to 192.168.111.111, TCP 80 and 443 to 192.168.111.101 (both in BLUE_VLAN).
# NOTE(review): none of them limits the source (no src-address / src-address-list), so
# the ports are open to the whole Internet, and dst-address=!0.0.0.0 does not narrow
# anything in practice. Because the forward chain is default-accept, the two exposed
# hosts can also reach every other VLAN. The forwards do not apply on pppoe-fiber.
add action=dst-nat chain=dstnat comment="VoIP Auerswald" dst-port=30000-31000 \
    in-interface=pppoe-Magenta protocol=udp to-addresses=192.168.111.111 \
    to-ports=30000-31000
add action=dst-nat chain=dstnat dst-port=40000-41000 in-interface=\
    pppoe-Magenta protocol=udp to-addresses=192.168.111.111 to-ports=\
    40000-41000
add action=dst-nat chain=dstnat dst-port=5070-5080 in-interface=pppoe-Magenta \
    protocol=udp to-addresses=192.168.111.111 to-ports=5070-5080
add action=dst-nat chain=dstnat comment=WWW dst-address=!0.0.0.0 dst-port=80 \
    in-interface=pppoe-Magenta protocol=tcp to-addresses=192.168.111.101 \
    to-ports=80
add action=dst-nat chain=dstnat comment=WWW-SSL dst-address=!0.0.0.0 \
    dst-port=443 in-interface=pppoe-Magenta protocol=tcp to-addresses=\
    192.168.111.101 to-ports=443
# Source NAT so LAN hosts can reach the modem's management address via ether1.
add action=masquerade chain=srcnat comment="masquerade LAN->cable modem" \
    dst-address=192.168.30.1 out-interface=ether1 src-address=192.168.0.0/16
/ip firewall service-port
# The SIP connection-tracking helper is switched off.
set sip disabled=yes
# NOTE: "[b]" and "[/b]" around this section are forum bold tags that ended up inside
# the listing; they are not RouterOS syntax and must be removed before importing.
[b]/ip route
# Default route in routing table useFiber via the second WAN (no check-gateway).
add distance=10 gateway=pppoe-fiber routing-mark=useFiber
# Primary default route in the main table: distance 5, gateway monitored by ping.
add check-gateway=ping comment="Magenta TV and all VLAN except Green" \
    distance=5 gateway=pppoe-Magenta
# Backup default route in the main table (distance 10). Despite its comment it is not
# limited to the Green VLAN: this is the route that provides failover for all traffic.
add comment="Only Green VLAN 192.168.76.0/32" distance=10 gateway=pppoe-fiber
/ip route rule
# This rule matches only packets from 192.168.76.0/24 that ALREADY carry routing-mark
# useFiber. No /ip firewall mangle section exists in this export to set that mark, so
# the rule never matches and Green traffic keeps using the main table (pppoe-Magenta).
# NOTE(review): lookup-only-in-table has no fallback to the main table. Once the rule
# matches, Green traffic towards the other 192.168.x.x VLANs would presumably also be
# sent out pppoe-fiber (table useFiber holds only a default route) and Green loses
# connectivity when that link is down - confirm this is the intended behaviour.
add action=lookup-only-in-table comment="All Green to table useFiber" \
    dst-address=0.0.0.0/0 routing-mark=useFiber src-address=192.168.76.0/24 \
    table=useFiber[/b]
/ip service
# WebFig is moved to ports 8080 (http) and 4433 (https).
# NOTE(review): no service is disabled and no address= restriction is set in this
# export, so the remaining services (telnet, ftp, ssh, api, winbox) are presumably at
# their defaults. With the "Allow VLAN" input rule every VLAN can reach them; check
# with "/ip service print", disable what is unused and restrict the rest by address.
set www port=8080
set www-ssl port=4433
/ppp secret
# L2TP account; the password is not part of this listing.
# NOTE(review): the name suggests a test account - remove it if it is no longer used.
# Its remote-address 192.168.76.200 lies inside GREEN_POOL (DHCP), so it can collide
# with a DHCP client, and the VPN user lands directly in the Green subnet.
add local-address=192.168.76.1 name=testuser remote-address=192.168.76.200 \
    service=l2tp
/routing igmp-proxy interface
# IGMP proxy for IPTV: upstream on pppoe-Magenta, downstream on BLUE_VLAN.
add alternative-subnets=87.141.215.251/32 interface=pppoe-Magenta upstream=\
    yes
add interface=BLUE_VLAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=##name##
/system scheduler
# Runs script DDDns every 10 minutes.
# NOTE(review): the scheduler entry and all three scripts below are granted the same
# broad policy set (including write, policy, password, sniff, sensitive). A DynDNS
# updater or a lease-to-DNS script normally needs far less; trim to least privilege.
add interval=10m name=DynamicHost on-event=DDDns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/27/2021 start-time=15:00:00
/system script
# The script bodies were cut out by the poster: each source= string below is
# truncated, so these lines cannot be imported as shown. DynDNS scripts usually
# contain account credentials - presumably another reason they were removed.
add comment="Dyndns ddnss.de" dont-require-permissions=no name=DDDns owner=\
    admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
 
add comment="Dyndns strato.de" dont-require-permissions=no name=Berlioz \
    owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
add dont-require-permissions=no name=dhcp-leases-to-dns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
/tool graphing interface
add interface=ether5
add interface=pppoe-Magenta
add interface=ether4
add interface=ether3
add interface=sfp-sfpplus1
add interface=GREEN_VLAN
add interface=pppoe-fiber
/tool graphing resource
add
/tool sniffer
# Saved packet-sniffer settings: TCP port http of 192.168.111.97 on pppoe-Magenta and
# ether4, written to file "dumpqnap".
# NOTE(review): looks like a leftover from a debugging session. Unencrypted HTTP
# captures can contain credentials; delete the capture file once it is not needed.
set file-name=dumpqnap filter-interface=pppoe-Magenta,ether4 \
    filter-ip-address=192.168.111.97/32 filter-ip-protocol=tcp filter-port=\
    http
 
anav

Re: Dual Wan directing subnet to 2nd ISP WAN doesn't work -- failover working  [SOLVED]

Mon Sep 05, 2022 3:00 pm

Routing rule.......
FROM:
/ip route rule
# Original rule: besides the source subnet it also requires routing-mark=useFiber on
# the packet (and dst-address=0.0.0.0/0, which matches any destination).
add action=lookup-only-in-table comment="All Green to table useFiber" \
dst-address=0.0.0.0/0 routing-mark=useFiber src-address=192.168.76.0/24 \
table=useFiber

TO::
/ip route rule
# Simplified rule: every packet sourced from 192.168.76.0/24 is looked up in table
# useFiber only.
# NOTE(review): lookup-only-in-table never falls back to the main table, so this
# presumably also steers Green traffic for other local subnets to the fiber WAN and
# leaves Green without a route when that link is down - confirm this is wanted.
add action=lookup-only-in-table comment="All Green to table useFiber" \
src-address=192.168.76.0/24 table=useFiber



One of the conditions you put on the rule was that the traffic is marked (as would be done in mangle). That condition was never met, because the traffic has no such marking, so it would not go out via fiber. There is no need for all those conditions; keep it simple. The rule applies to the source subnet. Done.
 
BeeKeeper

Re: Dual Wan directing subnet to 2nd ISP WAN doesn't work -- failover working

Tue Sep 06, 2022 3:34 pm

I just found time to implement the new rule. Everything works as expected.

Thank you very much
