Hello,
I have 2 internet connections through 2 different ISP's that I'm connecting to a Mikrotik router. One connection provides the Mikrotik with it's own public IP address. With the other one, I'm assigning a private IP to the Mikrotik and forwarding the appropriate management port to that IP from a modem, which has a public IP.
Remote access works on each WAN connection individually if I connect just one at a time. The problem I'm having is that when both WAN connections are connected to the Mikrotik, I can only access it remotely on the interface with the public IP. Does anyone have any idea why this might be happening?
Re: Multiple WAN remote access
Most likely because you have a default route pointing out one ISP. When you connect through the second ISP return traffic is still coming through the first ISP, with the IP address from that ISP. At that point your client on the Internet is receiving packets with a source IP it didn't initiate traffic with, so it discards them.
http://wiki.mikrotik.com/wiki/Manual:PCC
While you're not using PCC, that portion of configuration applies to your situation. Use connection marks, routing marks, and routes for those routing marks to ensure that all packets for connections established via a specific ISP remain on that ISP.
http://wiki.mikrotik.com/wiki/Manual:PCC
Code: Select all
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
Re: Multiple WAN remote access
Fewi, should he also take care of traffic in the forward chain? I use to mark this chain the same way as the input chain to make sure dst-nat is also working. I also saw you in another similar topic using the prerouting chain to mark the traffic, in this case no need to mark the forward chain since all traffic comming into wan1 and wan2 interface will be mark with the prerouting chain. Can you elaborate on which method you prefer and why?
Martin
Martin
Re: Multiple WAN remote access
In this case he's only talking about router access so input and output are sufficient. Once traffic through the router is added to the picture it is time to re-evaluate.
I personally prefer the prerouting chain because it happens before any NAT. I partially earn my living being a CCSP dealing with Cisco firewalls. Before 8.3 their ASA ACLs refer to before NAT IPs. That's all. Once I get comfortable with using 8.3+ where real IPs are used after NAT I will probably start preferring other chains like I should.
I personally prefer the prerouting chain because it happens before any NAT. I partially earn my living being a CCSP dealing with Cisco firewalls. Before 8.3 their ASA ACLs refer to before NAT IPs. That's all. Once I get comfortable with using 8.3+ where real IPs are used after NAT I will probably start preferring other chains like I should.
Re: Multiple WAN remote access
In this case he's only talking about router access so input and output are sufficient. Once traffic through the router is added to the picture it is time to re-evaluate.
I personally prefer the prerouting chain because it happens before any NAT. I partially earn my living dealing with Cisco firewalls. My main professional use of RouterOS is Hotspots. Before 8.3 their ASA ACLs refer to before NAT IPs. That's all. Once I get comfortable with using 8.3+ where real IPs are used after NAT I will probably start preferring other chains like I should.
I personally prefer the prerouting chain because it happens before any NAT. I partially earn my living dealing with Cisco firewalls. My main professional use of RouterOS is Hotspots. Before 8.3 their ASA ACLs refer to before NAT IPs. That's all. Once I get comfortable with using 8.3+ where real IPs are used after NAT I will probably start preferring other chains like I should.
Re: Multiple WAN remote access
Thanks for the info, Fewi. I used the configs you posted and now remote access works through both interfaces. I also checked out the PCC Manual you posted, adjusted the quick start configs, and got traffic moving through the router. Actually, I had traffic moving through before, but it seems like it's being balanced more evenly now and I have a feeling that adding those configs just solved some future problems. Thanks again!
Re: Multiple WAN remote access
Could someone please post the full configuration of this setup?
Thanks.
Thanks.
Re: Multiple WAN remote access
The rest to working config is what you already have, some configuration (IP address, gateway) for each WAN.
And all you need to do is add two duplicate default routes, only they won't be exactly duplicate, because each will be in different routing table. Then add the four mangle rules and you're done.
The best way for new routes depends on what type of config you have (static, DHCP, PPPoE, ...). So rather than asking for example config (which probably wouldn't help you anyway), better share what you have and decribe what you don't understand.
And all you need to do is add two duplicate default routes, only they won't be exactly duplicate, because each will be in different routing table. Then add the four mangle rules and you're done.
The best way for new routes depends on what type of config you have (static, DHCP, PPPoE, ...). So rather than asking for example config (which probably wouldn't help you anyway), better share what you have and decribe what you don't understand.
Re: Multiple WAN remote access
I have PCC setup, one router, two ISP, and three LAN.
The questions are:
1. Is it possible to connect from internet to both static IP addresses, becouse i can't connect to PPPoE IP of the router?
2. How to setup LAN1 and LAN3 to go via ISP1 to the internet, and LAN2 to go thru ISP2?
3. How to configure failover for LAN1?
The diagram:
The questions are:
1. Is it possible to connect from internet to both static IP addresses, becouse i can't connect to PPPoE IP of the router?
2. How to setup LAN1 and LAN3 to go via ISP1 to the internet, and LAN2 to go thru ISP2?
3. How to configure failover for LAN1?
The diagram:
You do not have the required permissions to view the files attached to this post.
Re: Multiple WAN remote access
1) If you had PCC based on example config (https://wiki.mikrotik.com/wiki/Manual:PCC), then connecting to both public addresses would already work. Check that page. First you mark incoming connections in prerouting, based on WAN interface. Then you mark routing for responses in output, based on connection marks.
2) One way is something like:
3) There are different methods. You can just add ISP2 gateway to ISP1 routing table with higher distance and check-gateway option for both, or you can try something more complex like Advanced Routing Failover without Scripting.
2) One way is something like:
Code: Select all
/ip firewall mangle
add chain=prerouting src-address=172.16.1.0/24 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting src-address=10.10.1.0/24 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting src-address=192.168.1.0/24 connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=ISP2_connRe: Multiple WAN remote access
The "Advanced Routing Failover without Scripting" is even better. That is actually what I need.
I just need 3 LAN to have 2 ISP with failover, 2 of LAN to go thru 1st ISP and third LAN to go thru 2nd ISP, no load balancing is actually needed.
Can you please post the complete configuration, based on the setup from my diagram?
I just need 3 LAN to have 2 ISP with failover, 2 of LAN to go thru 1st ISP and third LAN to go thru 2nd ISP, no load balancing is actually needed.
Can you please post the complete configuration, based on the setup from my diagram?