Dual Wan (Non Failover Initially)

mmercerctu · Mon Jun 13, 2016 1:13 am

Have an RB3011 that currently has two WANs connected to it. ATT and Xfinity. Trying to do a very very basic setup using the RB3011 as a dual router, as I would do with my junipers, but seem to be having some issues.

My config is:
[admin@MikroTik] /ip route> /export compact hide-sensitive

# jun/12/2016 15:06:28 by RouterOS 6.35.2 
# software id = NS6T-J47L 
# 
/interface bridge 
add name=bridge-phones 
add name=bridge-users 
/interface ethernet 
set [ find default-name=ether2 ] name=att-lan 
set [ find default-name=ether1 ] name=att-wan 
set [ find default-name=ether3 ] master-port=att-lan 
set [ find default-name=ether4 ] master-port=att-lan 
set [ find default-name=ether7 ] name=xfinity-lan 
set [ find default-name=ether6 ] name=xfinity-wan 
/interface vlan 
add interface=bridge-phones name=vlan-phones vlan-id=5 
add interface=bridge-users name=vlan-users vlan-id=9 
/interface ethernet 
set [ find default-name=ether8 ] master-port=xfinity-lan 
set [ find default-name=ether9 ] master-port=xfinity-lan 
/ip pool 
add name=pool-phones ranges=172.16.50.50-172.16.50.62 
add name=pool-users ranges=10.0.19.2-10.0.19.62 
/ip dhcp-server 
add address-pool=pool-phones disabled=no interface=bridge-phones name=dhcp-phones 
add address-pool=pool-users disabled=no interface=bridge-users name=dhcp-users 
/interface bridge port 
add bridge=bridge-users interface=ether5 
add bridge=bridge-phones interface=ether10 
/ip address 
add address=172.16.50.49/28 interface=bridge-phones network=172.16.50.48 
add address=10.0.19.1/26 interface=bridge-users network=10.0.19.0 
/ip dhcp-client 
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=att-wan 
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=xfinity-wan 
/ip dhcp-server network 
add address=10.0.19.0/26 dns-server=208.67.220.220,208.67.222.222 gateway=10.0.19.1 
add address=172.16.50.48/28 dns-server=208.67.220.220,208.67.222.222 domain=.com gateway=172.16.50.49 
/ip firewall address-list 
add address=172.16.50.48/28 list=list-xfinity 
add address=10.0.19.0/26 list=list-att 
/ip firewall mangle 
add chain=prerouting dst-address=0.0.0.0/0 src-address-list=list-att 
add chain=prerouting dst-address=0.0.0.0/0 src-address-list=list-xfinity 
add action=mark-connection chain=prerouting in-interface=att-wan new-connection-mark=connection-att 
add action=mark-connection chain=prerouting in-interface=xfinity-wan new-connection-mark=connection-xfinity 
add action=mark-routing chain=prerouting connection-mark=connection-att new-routing-mark=route-att-wan src-address-list=list-att 
add action=mark-routing chain=prerouting connection-mark=connection-xfinity new-routing-mark=route-xfinity-wan src-address-list=list-att 
add action=mark-routing chain=output connection-mark=connection-att new-routing-mark=route-att-wan 
add action=mark-routing chain=output connection-mark=connection-xfinity new-routing-mark=route-xfinity-wan 
/ip firewall nat 
add action=masquerade chain=srcnat out-interface=xfinity-wan src-address-list=list-xfinity 
add action=masquerade chain=srcnat out-interface=att-wan src-address-list=list-att 
/ip route 
add check-gateway=ping distance=1 gateway=att-wan routing-mark=route-att-wan 
add check-gateway=ping distance=1 gateway=xfinity-wan routing-mark=route-xfinity-wan 
add check-gateway=ping distance=1 gateway=att-wan 
add check-gateway=ping distance=2 gateway=xfinity-wan 
/system clock 
set time-zone-name=America/Los_Angeles 
/system routerboard settings 
set protected-routerboot=disabled

Now, I can get the dhcp-client working, I can get the dhcp-servers working, even get the routes in 'place', but it doesn't matter how I go about setting up the mangle and the routing distances, I *cannot* traverse the second path. It never seems to activate.

I have tried *numerous* permutations of the dhcp-client add-default-route, distance, and ip route add routing-mark, ip route gateway, etc.

Unfortunately, I seem to be stuck at this point, and nothing I have seen explains why (even with them both set to disabled on the dhcp-client and manually added via route add), I can *never* reach any source via the xfinity interface. I should be able to /ping interface=xfinity-wan address=8.8.8.8 and it would traverse that...

Anyone mind pointing me in the direction of what it is I am overlooking? Normally, on my Juniper, I would setup 2 separate routing instances, and then attach the vlans/interfaces to the routing instances on a per config basis (multiple vlans can exist within the routing instance, obviously), so it manages the default route, etc...

Thanks,

th0massin0 · Mon Jun 13, 2016 2:30 pm

That will be helpfull:
https://aacable.wordpress.com/2011/07/2 ... t-by-zaib/

remeber to exclude https and other encrypted traffic from PCC

mmercerctu · Tue Jun 14, 2016 11:53 am

Well, not completely solved, but after banging my head for literally days, I was able to discover (Thanks to tons of searches on the forums, google, etc), that if you set the add-default-route=yes distance=# parameter, it creates a VRF interface. Now amusingly, I would have expected this to create the routing mark as well, but you still have to add the routing mark manually yourself. Unfortunately, it doesn't set the default route in the main routing table if you do it this way, but I am sure I will find a way around that as well. Once I have fixed that, I may post a 'slimmed down' version of my config for others to glean from, and maybe even point out optimizations.

Dual Wan (Non Failover Initially)

Dual Wan (Non Failover Initially)

Re: Dual Wan (Non Failover Initially)

Re: Dual Wan (Non Failover Initially)