Hyunckel
just joined
Topic Author
Posts: 18
Joined: Fri Aug 19, 2022 8:26 am

Force the router to use a specific WAN

Mon Jan 01, 2024 6:38 am

Hello,

Can the router be forced to use a specific WAN to reach the internet? I have ECMP load balancing configured with 2 ISPs (WAN2/WAN3) and a 3rd one (WAN1) which provides several static public IP addresses and I'm using that ISP for specific tasks as shown below in the mangle firewall rules.

I know how to force a specific src-address or destination to use a specific WAN via mark routing but I don't know how to apply that on the router itself.

Here's my related config:
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
add fib name=to_WAN3

/ip firewall mangle
add action=mark-connection chain=input comment="ECMP mrk-conn" connection-mark=\
    no-mark connection-state=new in-interface=WAN1-br new-connection-mark=\
    WAN1_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    connection-state=new in-interface=WAN2-br new-connection-mark=WAN2_conn \
    passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    connection-state=new in-interface=WAN3-br new-connection-mark=WAN3_conn \
    passthrough=yes
add action=mark-routing chain=output comment="ECMP output" connection-mark=\
    WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting comment="local server via WAN1" \
    connection-mark=no-mark connection-state=new dst-address-type=!local \
    new-connection-mark=ls_conn passthrough=yes src-address=10.30.1.2
add action=mark-routing chain=prerouting connection-mark=ls_conn \
    new-routing-mark=to_WAN1 passthrough=no src-address=10.30.1.2
add action=mark-connection chain=prerouting comment="Gaming via WAN1" \
    connection-mark=no-mark dst-address-type=\
    !local dst-address-list=Gaming in-interface-list=LAN \
    new-connection-mark=Gaming_conn passthrough=yes \
    src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Gaming_conn \
    in-interface-list=LAN new-routing-mark=to_WAN1 passthrough=no \
    src-address-list=LAN

/ip firewall nat
add action=src-nat chain=srcnat comment="home public ip" \
    out-interface=WAN1-br src-address-list=Home to-addresses=x.x.x.x
add action=src-nat chain=srcnat comment="all public ip" \
    out-interface=WAN1-br to-addresses=x.x.x.x
add action=masquerade chain=srcnat comment="WAN2 masquerade" out-interface=\
    WAN2-br
add action=masquerade chain=srcnat comment="WAN3 masquerade" out-interface=\
    WAN3-br

/ip route
add comment=WAN2 disabled=no distance=1 dst-address=8.8.8.8/32 gateway=\
    x.x.x.x pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WAN2 disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=30
add check-gateway=ping comment=WAN2 disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=to_WAN2 scope=30 \
    suppress-hw-offload=no target-scope=30
add comment=WAN3 disabled=no distance=1 dst-address=8.8.4.4/32 gateway=\
    x.x.x.x pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WAN3 disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=30
add check-gateway=ping comment=WAN3 disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=to_WAN3 scope=30 \
    suppress-hw-offload=no target-scope=30
add comment=WAN1 disabled=no distance=1 dst-address=9.9.9.9/32 gateway=\
    x.x.x.x pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping comment=WAN1 disabled=no distance=3 dst-address=\
    0.0.0.0/0 gateway=9.9.9.9 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=30
add check-gateway=ping comment=WAN1 disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=9.9.9.9 pref-src="" routing-table=to_WAN1 scope=30 \
    suppress-hw-offload=no target-scope=30
I tried unchecking the passthrough box in WAN1 output mangle rule as someone has suggested but the router still uses WAN1/WAN2.
 
loloski
Member
Posts: 423
Joined: Mon Mar 15, 2021 9:10 pm

Re: Force the router to use a specific WAN

Mon Jan 01, 2024 7:43 am

Set the distance/cost of your preferred next-hop to 1 and the other remaining link to 2. In this way all traffic generated by the router itself will go to the default gateway with distance/cost of 1, no mangles involved. I hope this suffices to meet your requirement, and use PBR to steer your traffic to your liking.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Force the router to use a specific WAN

Mon Jan 01, 2024 7:45 am

The requirement is not clear.
The router provides services such as a WireGuard server for handshake, and there are ways to ensure that traffic coming in on WANX for that purpose goes out WANX.

It's not clear to me that's what you mean??

It is rare to see input chain in mangling as that is traffic to the router directly.
Perhaps you are thinking of prerouting chain??
 
Hyunckel
just joined
Topic Author
Posts: 18
Joined: Fri Aug 19, 2022 8:26 am

Re: Force the router to use a specific WAN

Mon Jan 01, 2024 8:29 am

loloski wrote:
> Set the distance/cost of your preferred next-hop to 1 and the other remaining link to 2. In this way all traffic generated by the router itself will go to the default gateway with distance/cost of 1, no mangles involved. I hope this suffices to meet your requirement, and use PBR to steer your traffic to your liking.

Changing the distance of WAN1 to 1 will make it part of the ECMP load balance and that's not my goal.
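
Added example, not part of any post in this thread: a simplified Python model of the input/output mangle rules and default routes from the first post, showing which WANs a router-generated packet can leave through, and what changing only WAN1's main-table distance does. It assumes lowest-distance route selection with equal distances forming the ECMP set, ignores check-gateway state, recursive next-hop resolution and the prerouting rules, and all function names are illustrative.

```python
# Constructed, simplified model of the posted config (not RouterOS code).
MANGLE = [  # (chain, match conditions, action, new value), in posted order
    ("input", {"connection-mark": "no-mark", "in-interface": "WAN1-br"}, "mark-connection", "WAN1_conn"),
    ("input", {"connection-mark": "no-mark", "in-interface": "WAN2-br"}, "mark-connection", "WAN2_conn"),
    ("input", {"connection-mark": "no-mark", "in-interface": "WAN3-br"}, "mark-connection", "WAN3_conn"),
    ("output", {"connection-mark": "WAN1_conn"}, "mark-routing", "to_WAN1"),
    ("output", {"connection-mark": "WAN2_conn"}, "mark-routing", "to_WAN2"),
    ("output", {"connection-mark": "WAN3_conn"}, "mark-routing", "to_WAN3"),
]
ROUTES = {  # routing table -> [(WAN behind the gateway, distance)] for 0.0.0.0/0
    "main": [("WAN2", 1), ("WAN3", 1), ("WAN1", 3)],
    "to_WAN1": [("WAN1", 1)],
    "to_WAN2": [("WAN2", 1)],
    "to_WAN3": [("WAN3", 1)],
}


def run_chain(chain, state):
    """Apply every matching rule of one chain (the posted input/output rules are passthrough=yes)."""
    for rule_chain, match, action, value in MANGLE:
        if rule_chain == chain and all(state.get(k) == v for k, v in match.items()):
            key = "connection-mark" if action == "mark-connection" else "routing-mark"
            state[key] = value
    return state


def egress_wans(in_interface=None, routes=ROUTES):
    """WANs a packet generated by the router can leave through.

    in_interface=None means the router opened the connection itself, so no
    packet of that connection passed the input chain before the first output packet.
    """
    state = {"connection-mark": "no-mark", "routing-mark": None, "in-interface": in_interface}
    if in_interface is not None:
        run_chain("input", state)      # request addressed to the router
    state["in-interface"] = None       # a locally generated packet has no in-interface
    run_chain("output", state)
    table = state["routing-mark"] or "main"
    best = min(distance for _, distance in routes[table])
    return sorted(wan for wan, distance in routes[table] if distance == best)  # ties = ECMP


def with_main_wan1_distance(distance):
    """Copy of ROUTES with only the main-table WAN1 default route's distance changed."""
    main = [(wan, distance if wan == "WAN1" else d) for wan, d in ROUTES["main"]]
    return {**ROUTES, "main": main}
```

In this model a connection the router opens itself never receives a connection mark, so none of the output rules match and the lookup falls through to the main table.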
 
Hyunckel
just joined
Topic Author
Posts: 18
Joined: Fri Aug 19, 2022 8:26 am

Re: Force the router to use a specific WAN

Mon Jan 01, 2024 8:32 am

anav wrote:
> The requirement is not clear.
> The router provides services such as a WireGuard server for handshake, and there are ways to ensure that traffic coming in on WANX for that purpose goes out WANX.
>
> It's not clear to me that's what you mean??
>
> It is rare to see input chain in mangling as that is traffic to the router directly.
> Perhaps you are thinking of prerouting chain??

With my current configuration, the router gets a dynamic public IP address from ISP2 or ISP3. I need to assign a static public IP for the router which is provided by ISP1.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Force the router to use a specific WAN

Mon Jan 01, 2024 6:59 pm

Yes but that has nothing to do with mangling or whatever.
Connect ISP1's modem or modem router to ether1 for example.
Then if it's a PPPoE connection, assign the parameters in the PPP menu.
IF it's an ISP-assigned DHCP scenario, add the parameters in IP DHCP.
IF it's a static public IP assigned, you can do this two ways:
a. sometimes through IP DHCP
b. other times by adding the address information IP address, only.

It's YOUR DECISION on which ether port to connect to the ISP........... so again your request makes no sense.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Once your WANs are all connected.............. Then we have to ensure we have IP ROUTES set up such that the users on the LAN can reach the internet in the manner you want.
It could be primary WAN1 (all traffic) and WANs 2,3 are failover WANs.
It could be all three WANs provide their throughput in a PCC sharing capacity and the LAN has access to all three (not for increased speed but for more bandwidth to share at one time).
It could be some users use WAN1 all the time, others WAN2, and others WAN3, with failover to the others or not, if a WAN goes down.
It could be WAN1 is the primary but you want all users to use WAN3 for some specific function.
Etc etc etc.
It's up to you to decide the requirements in sufficient detail to put together a plan and a config.

(Note we haven't touched upon any port forwarding or VPNs etc. that may be in the mix.)