Lokamaya
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 5:16 pm

After struggling for several weeks to get dual-wan policy based routing running on RouterOS version 7.5, with the help of this forum and various trials, I finally found a solution.

My basic question (as I asked here viewtopic.php?t=189239):
What is /routing/table/ and /routing/rule/? How does it work on RouterOS 7.5?
Why does my old /ip/firewall/mangle/ (version 6.4) no longer work on version 7.5?

600px-Fib.png

My requirement:
  1. Wan1 (PPPoE) for classroom, teacher, staff, server.
  2. Wan2 (DHCP) for student, guest, etc.
  3. If Wan1 goes down then all go to Wan2, and vice versa (but some not).

Disclaimer:
  • I've been using MikroTik for 2 years, and RouterOS v7.5 for only 2 weeks
  • Just a noob without networking background
  • Not tested this solution on any board other than my hEX RB750Gr3, so I don't know if this will work on other versions.
  • Not tested this solution on any version other than version 7.5. It definitely won't work on version 6, but I also can't guarantee it will work on other v7 versions.

# RouterOS 7.5 on RB750Gr3

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-VLAN
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5

#WAN1 (pppoe-WAN1): assume it provides public IP address 200.10.10.1 as gateway
/interface pppoe-client
add name=pppoe-WAN1 profile=default-encryption interface=ether1-WAN1 use-peer-dns=no

#WAN2 (ether2-WAN2): assume it has DHCP 10.2.2.0/24, so 10.2.2.1 as gateway
/ip dhcp-client
add add-default-route=no interface=ether2-WAN2 use-peer-dns=no use-peer-ntp=no

/interface vlan
add interface=ether3-VLAN name=VLAN_10 vlan-id=10
add interface=ether3-VLAN name=VLAN_20 vlan-id=20
add interface=ether3-VLAN name=VLAN_30 vlan-id=30
add interface=ether3-VLAN name=VLAN_MGMT vlan-id=99

/ip address
add address=10.2.2.2/24 interface=ether2-WAN2 network=10.2.2.0
add address=10.199.99.1/25 interface=VLAN_MGMT network=10.199.99.0
add address=192.168.10.1/24 interface=VLAN_10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN_20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_30 network=192.168.30.0
add address=172.17.17.1/24 interface=ether4 network=172.17.17.0
add address=172.18.18.1/24 interface=ether5 network=172.18.18.0

/interface list
add name=WANs
add name=LANs

/interface list member
add list=WANs interface=pppoe-WAN1
add list=WANs interface=ether2-WAN2
add list=LANs interface=ether4
add list=LANs interface=ether5
add list=LANs interface=ether3-VLAN
add list=LANs interface=VLAN_MGMT
add list=LANs interface=VLAN_10
add list=LANs interface=VLAN_20
add list=LANs interface=VLAN_30

/routing table
add disabled=no fib name=rtab-WAN1
add disabled=no fib name=rtab-WAN2
add disabled=no fib name=rtab-GUEST

/routing rule
add interface=VLAN_MGMT action=lookup table=main
add interface=VLAN_10 action=lookup table=rtab-WAN1
add interface=VLAN_20 action=lookup table=rtab-WAN2
add interface=VLAN_30 action=lookup-only-in-table table=rtab-GUEST
add interface=ether4 action=lookup table=rtab-WAN1
add interface=ether5 action=lookup table=rtab-WAN2

/ip route
add distance=200 dst-address=0.0.0.0/0 gateway=200.10.10.1 \
    routing-table=main scope=30 target-scope=10
add distance=200 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=main scope=30 target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=200.10.10.1 \
    routing-table=rtab-WAN1 scope=30 target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=rtab-WAN2 scope=30 target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=rtab-GUEST scope=30 target-scope=10

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WANs




The biggest mystery I found is that the "interface(s)" in /Routing/Rule/ are actually the interfaces of our LANs (vlan, ether/port, bonding, bridge, etc). So, it's as simple as that to create Policy Based Routing on RouterOS v7.5.

mikrotik-routing-table.jpg

Suggestions and corrections are welcome.
Thank you
Last edited by Lokamaya on Tue Sep 27, 2022 9:11 pm, edited 6 times in total.
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 5:17 pm

Reserved
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 5:42 pm

There are some ideas here........... viewtopic.php?t=182373

See PARAs I thru K
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 5:45 pm

There are some ideas here........... viewtopic.php?t=182373
Thank you Anav. I've read that post and many others of your posts. You are my hero here and very helpful.
 
anav

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 6:16 pm

https://help.mikrotik.com/docs/display/ ... h+examples

The basic change at least for routing rules, other than change of location of how to find it, is the NEED to CREATE Routing Tables.
In version 7 we reference routing tables, and not routing marks in both routing rules and routes.

That's it........ now go for it!!
 
anav

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 6:45 pm

(1) Looking only at your routes, What is the purpose of the distance differences, need to understand your logic??

(2) It is not clear to me the difference between the management vlan and the vlan and etherport destined for WAN1 on the routing rules??

(3) One vlan and one etherport are directed to WAN1 and two vlans and an etherport are directed to WAN2. Two vlans and the two etherport are allowed to look for an alternate route on the main table.

(4) The other vlan going out WAN2, has no alternate routing allowed.

(5) You really don't have a primary and secondary at the moment, both have same distance and you don't have check-gateway=ping on the primary.

What is it that you want to know???

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Personally, if I was doing it, it would be a bit shorter, assuming wan1 primary and wan2 failover (except for those so directed).
...
/routing table
add disabled=no fib name=rtab-WAN1
add disabled=no fib name=rtab-WAN2
add disabled=no fib name=rtab-GUEST

/routing rule
add interface=VLAN_20 action=lookup table=rtab-WAN2
add interface=ether5 action=lookup table=rtab-WAN2
add interface=VLAN_30 action=lookup-only-in-table table=rtab-GUEST

/ip route
add distance=2 dst-address=0.0.0.0/0 gateway=200.10.10.1 \
    check-gateway=ping routing-table=main scope=30 target-scope=10
add distance=3 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=main scope=30 target-scope=10
add distance=5 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=rtab-WAN2 scope=30 target-scope=10
add distance=5 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=rtab-GUEST scope=30 target-scope=10

LOGIC:
a. There is no difference between management vlan99, vlan10 and etherport 4, they all should go out WAN1 on the main table, and if not available go out WAN2 and return to WAN1 when it becomes available.
b. Therefore there are no route rules required for those 3 subnets as they are not exceptions.
c. We keep the route rules to force vlan20, vlan30 and ether5 to go to WAN2, despite WAN1 being primary.
d. We allow vlan20 and ether5 get directed to WAN1 on the main table if WAN2 becomes unavailable.
e. We deny vlan30 any access to WAN1 if WAN2 becomes unavailable.
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 8:34 pm

(1) Looking only at your routes, What is the purpose of the distance differences, need to understand your logic??

The difference is for fallback or failover.

/ip route
add distance=200 dst-address=0.0.0.0/0 gateway=200.10.10.1 routing-table=main scope=30 target-scope=10
add distance=200 dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-table=main scope=30 target-scope=10


/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=200.10.10.1 routing-table=rtab-WAN1 scope=30 target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-table=rtab-WAN2 scope=30 target-scope=10
add distance=1 dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-table=rtab-GUEST scope=30 target-scope=10


If the WAN1 gateway goes down (200.10.10.1 - rtab-WAN1) it goes to the main (distance: 200). The clients go to WAN2 gateway (10.2.2.1) because WAN1 gateway is going down.

As for VLAN_MGMT, it is just for this tutorial that I set it to the main table.
And because the distances for the main table are the same (200), this VLAN_MGMT can go to both WAN1 or WAN2 and it is bad :? .

For browsing purposes, we wouldn't notice it. But for other things like streaming to Facebook Live or Youtube, sometimes we experience lag or delay.

I can change VLAN_MGMT to any rtab while I'm browsing, and all goes smoothly. I can ping to main gateway (VLAN_MGMT: 10.199.99.1) from other subnet/vlan without problem. I also traceroute to the web and all goes to different internet provider when the rtab changed.

The side note:
Because rtab-WAN2 and rtab-GUEST are using the same gateway, both go to the same internet provider. It is just for this tutorial that I add rtab-GUEST, to show that we can have different routing tables for different interfaces using the same gateway. The difference is I set "lookup only in table" for rtab-GUEST, so this VLAN would not go to the main table (distance 200) if its gateway goes down.
Last edited by Lokamaya on Tue Sep 27, 2022 10:14 pm, edited 2 times in total.
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 9:22 pm

(5) You really don't have a primary and secondary at the moment, both have same distance and you don't have check-gateway=ping on the primary.

Recursive route is another homework. I'm just digesting this one and the "recursive" thing is too difficult to handle for a beginner like me. While receiving more feedback, along the way I'll add more complex examples and a complete solution for this PBR.
 
anav

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Tue Sep 27, 2022 11:00 pm

As I have explained, your method is not efficient and bound to cause issues. What I have proposed thus far has nothing to do with recursive!!

Follow what I have done and it will make sense!

If WAN1 is the primary then set dist=2, and if WAN2 is the failover set dist=3. DONE.
This means if you had no routing rules, ALL TRAFFIC would go to WAN1, and if WAN1 goes down the router would check table main for another available route
and would then move all traffic over to WAN2. When WAN one comes back up, due to the check-gateway=ping, all traffic would shift back to WAN1.

Your conclusion should be with this simple primary failover process I have solved my puzzle for vlan99,vlan10, and ether4, as according to your stated requirements, they all need to access WAN1 and if not available failover to WAN2. So now we have to add any new tables and routing rules required to handle the rest.

Since we are only directing traffic to another WAN, we should only need one extra Table. We create a table that will be used in the extra route to WAN2 we need, and routing rules needed to point subnets to WAN2. In your case we need to point vlan20, vlan 30 and etherport 5 to WAN2.

Then we create the associated routing rules for who or what we want to go out WAN2, instead of the primary WAN1.
We need three routing rules for traffic that should be heading to WAN2......... One for each subnet or interface..
1- The first two are identical other than interface as vlan20 and ether5 are allowed to access WAN1 if WAN2 is not available, AND
2- The third is modified because vlan30 is NEVER allowed to access WAN1.

Hence the following AND DON'T WORRY about PUTTING ANY SPECIFIC SCOPE INFORMATION/SETTINGS!!!! Just use the defaults provided as we are NOT doing recursive.

I apologize I had extra crap in my previous post, namely an extra route and extra tables that are NOT required. Keep it clean.
.....
/routing table
add disabled=no fib name=rtab-WAN2

/routing rule
add interface=VLAN_20 action=lookup table=rtab-WAN2
add interface=ether5 action=lookup table=rtab-WAN2
add interface=VLAN_30 action=lookup-only-in-table table=rtab-WAN2

/ip route
add distance=2 dst-address=0.0.0.0/0 gateway=200.10.10.1 \
    check-gateway=ping routing-table=main scope=30 target-scope=10
add distance=3 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=main scope=30 target-scope=10
add distance=5 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=rtab-WAN2 scope=30 target-scope=10
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Wed Sep 28, 2022 10:34 am

/routing table
add disabled=no fib name=rtab-WAN2

/routing rule
add interface=VLAN_20 action=lookup table=rtab-WAN2
add interface=ether5 action=lookup table=rtab-WAN2
add interface=VLAN_30 action=lookup-only-in-table table=rtab-WAN2

/ip route
add distance=2 dst-address=0.0.0.0/0 gateway=200.10.10.1 \
    check-gateway=ping routing-table=main scope=30 target-scope=10
add distance=3 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=main scope=30 target-scope=10
add distance=5 dst-address=0.0.0.0/0 gateway=10.2.2.1 \
    routing-table=rtab-WAN2 scope=30 target-scope=10
I'll try it and report back.
Thanks
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Wed Sep 28, 2022 11:12 am

I have a chance to test it on 4 WANs, 1 PPPoE and 3 DHCP. But I have to make some wiring to the 3rd and 4th internet provider, maybe on the weekend.
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Wed Sep 28, 2022 12:32 pm

I can confirm that when VLAN_MGMT is changed from the main table to rtab-WAN1, I cannot ping the DHCP modem (WAN2: 10.2.2.1) from outside the router. The WAN2 modem is only accessible from inside the hEX router and its port.

I still can access internet through WAN2 internet provider, but I can not access the modem if I need to make some configuration.

LAN layout:

PPPoE (WAN1) ----+
                 |
                 +---- hEX (RouterOS) ---- CRS326 ---- EdgeSwitch ---- Unifi AP ---- My PC
                 |
DHCP (WAN2) -----+



Here the snapshot from CRS326

ping-to-modem-2.jpg

When the CRS326 (VLAN_MGMT) cannot ping Modem-WAN2, my PC (VLAN_MGMT, connected using WIFI through Unifi) also cannot connect to Modem-WAN2.

Thank you
 
Lokamaya

Re: Multi-WAN's Policy Based Routing on RouterOS v7.5 (A Simplest Way)

Wed Sep 28, 2022 12:44 pm

So, the best practice is to let the VLAN_MGMT remain in the main table.
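
The lookup behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of how the first post's /routing rule and /ip route entries pick a next hop, including the `lookup` fallback to main and the `lookup-only-in-table` hard stop for VLAN_30. Assumptions: the function names and the `down` set (gateways treated as unreachable) are hypothetical, and the connected route for 10.2.2.0/24 in main is added because it does not appear in the export.

```python
import ipaddress

# Constructed from the first post's export; the connected route is an added
# assumption (RouterOS keeps connected routes in table "main").
ROUTES = [  # (table, destination, next hop, distance)
    ("main", "10.2.2.0/24", "ether2-WAN2", 0),
    ("main", "0.0.0.0/0", "200.10.10.1", 200),
    ("main", "0.0.0.0/0", "10.2.2.1", 200),
    ("rtab-WAN1", "0.0.0.0/0", "200.10.10.1", 1),
    ("rtab-WAN2", "0.0.0.0/0", "10.2.2.1", 1),
    ("rtab-GUEST", "0.0.0.0/0", "10.2.2.1", 1),
]
RULES = [  # (ingress interface, action, table), evaluated top to bottom
    ("VLAN_MGMT", "lookup", "main"),
    ("VLAN_10", "lookup", "rtab-WAN1"),
    ("VLAN_20", "lookup", "rtab-WAN2"),
    ("VLAN_30", "lookup-only-in-table", "rtab-GUEST"),
    ("ether4", "lookup", "rtab-WAN1"),
    ("ether5", "lookup", "rtab-WAN2"),
]

def table_lookup(table, dst, down, routes=ROUTES):
    """Longest-prefix match among active routes; lowest distance breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for tbl, prefix, hop, dist in routes:
        net = ipaddress.ip_network(prefix)
        if tbl != table or hop in down or addr not in net:
            continue  # wrong table, gateway unreachable, or no match
        key = (-net.prefixlen, dist)
        if best is None or key < best[0]:
            best = (key, hop)
    return best[1] if best else None

def resolve(iface, dst, down=frozenset(), rules=RULES, routes=ROUTES):
    """Return the next hop for a packet, or None if it is unroutable."""
    for rule_iface, action, table in rules:
        if rule_iface != iface:
            continue
        hop = table_lookup(table, dst, down, routes)
        if hop or action == "lookup-only-in-table":
            return hop  # a hit, or a hard stop with no fallback to main
    return table_lookup("main", dst, down, routes)  # "lookup" falls through

if __name__ == "__main__":
    for iface in ("VLAN_10", "VLAN_20", "VLAN_30"):
        for down in (set(), {"200.10.10.1"}, {"10.2.2.1"}):
            print(iface, sorted(down), "->", resolve(iface, "8.8.8.8", down))
```

In this model, moving the VLAN_MGMT rule to rtab-WAN1 sends traffic for 10.2.2.1 to the rtab-WAN1 default gateway instead of the connected route in main.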
