Hi folks, I am asking for the most efficient (read easiest for me to config, for those without an MTUNA accreditation that means no scripts, and least number of lines or characters LOL) way to add a single device on my network that only uses the second Failover ISP.

The issue is that to change an Email password, one has to be on the domain of the ISP, and since its the backup ISP that simply isnt the case. Yes email traffic from the second ISP still exists (being our original and old provider)
I cannot always go to the router and change distance (and flip between ISPs) because I have users on the PCs 24/7, (no I am not running a strip cam site LOL) and therefore I need to be able to hook up a laptop to a managed switch and be connected to the second ISP.

What I am capable of doing is assigning a vlan for this singular purpose, but looking for the best way to ensure this vlan bypasses the primary routing to the primary ISP.
Bonus and maybe even kisses/smoochies...........don't get excited SOB, I mean the chocolate variety, if this can be done without a single MANGLE!!!

Something like this should do the trick:

When your default route to both ISP is like this:

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.91.1 distance=1 check-gateway=ping ; <- main internet via wan1
add dst-address=0.0.0.0/0 gateway=192.168.92.1 distance=2 check-gateway=ping ; <- second internet via wan2 for failover

Then you must duplicate that from WAN2-FailOver and add a routing-mark - means separate RouteTable.

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.92.1 distance=2 check-gateway=ping routing-mark=wan2 ; <- this create a Additional RouteTable

And send that one PC e.g. 192.168.0.2 in your network via WAN2-FailOver thanks for @Sob answer !!! like this:

/ip route rule
add action=lookup disabled=no src-address=192.168.0.2/32 dst-address=0.0.0.0/0 table=wan2 ; <- he outgoing via wan2 always.

Much thanks! Awesome we have the best technical support folks on the planet in these forums!!
One of these for each of you as promised!

Something like this should do the trick:

Code: Select all

/ip route rule
add action=lookup interface=<your new special vlan> table=<routing table containing default route to secondary ISP>

I have learned something new today! thank you!

I'd think this should also work?

Yes. But @anav didn't want mangle rules.

Aside from that, I don't like action=route much, it feels like kind of rough shortcut to me. There's nothing wrong with, but there's no flexibility, it's just one hardcoded gateway and that's it. If you'd want e.g. failover, you can't have it with this. I like separate routing table better, it seems more clear, is more flexible, and also reusable. For multiple mangle rules with action=route you'd have to repeat gateway over and over. With separate routing table you have gateway only in one place.

The action=route is invaluable if you'd want to route packet originally destined to some local address somewhere else. It's the only way how to do it in RouterOS, because routing to local addresses has always precedence over all other routing tables. But it's also something you'll hardly ever need.

Just so I understand,
Both you and SIb are suggesting I need to make another secondary wan route rule defining a TABLE (mine are recursive so will have to figure that out).
Then another route rule specific to the PC or in my case dont really care the whole VLAN works.

Its this second rule where you and sib diverge and for a cute bear just learning to walk, he's pretty damn smart LOL.
(i still walk on four legs so he's clearly more advanced on the evolutionary ladder)

add action=lookup src-address=192.168.0.2/32 dst-address=0.0.0.0/0 table=wan2 (his rule)
add action=lookup interface=<your new special vlan> table=<routing table containing default route to secondary ISP>

Seems to me he has extra stuff not required. Do they actually accomplish the same thing, just trying suss out the nuanced difference between the two.

My thoughts
His use of source address seems to pin point to the actual PC on the vlan, whereas you just use the VLAN, if I was to do this and wanted to specify the PC it would have been combining the two LOL.
add action=lookup interface=<your new special vlan>, src-address=192.168.0.2/32 table=<routing table containing default route to secondary ISP>

So that seems somewhat clear, its the latter half of this second rule I am having real trouble with.
Why go to the bother of stating a destination address, I cant think of the reason, since its a route rule for traffic heading out of the router and shouldnt affect vlan to vlan traffic for example???


@Solar77, one of the tenets of the MTUNA certification is 55A. which states: MT layperson assistance requires literacy LOL,,,,,,,,, no mangling please, by the way 55B. may also be germane as it states: MT layperson assistance requires paying attention to detail, and finally 55C. states: MT layperson assistance requires understanding the OPs requirements.

My understanding, possibly incorrect, was that if you'd create vlan for this, it would be e.g. one port on switch, where if you'd plug in some device, it would use ISP2 to access internet. So there would be another subnet in this vlan, and anything coming from there would use ISP2's routing table. Whether the rule uses interface=<vlan> or src-address=<subnet or address> doesn't matter, both would work.

Concur, too funny it always takes me 5 minutes to find RULES, vice route!!
So the next question is lookup table or lookup ONLY table.
In this case lookup ONLY table seems to be the most accurate as going to the main table to use BELL would be useless.

So far........
/ip route
add distance=10 gateway=24.xxx.xxx.xxx routing-mark=WAN2 (NEW)
add check-gateway=ping distance=3 gateway=1.0.0.1
add check-gateway=ping distance=4 gateway=9.9.9.9
add comment=SecondaryWAN distance=10 gateway=24.xxx.xxx.xxx
add comment=PrimaryRecursive distance=3 dst-address=1.0.0.1/32 gateway=\
15.yyy.yyy.yyy scope=10
add comment=ScondaryRecursive distance=4 dst-address=9.9.9.9/32 gateway=\
1515.yyy.yyy.yyy scope=10
add comment=Email_bypass distance=1 dst-address=24.222.0.20/32 gateway=\
24.xxx.xxx.xxx
/ip route rule
add action=lookup-only-in-table interface=EastlinkDirect table=WAN2 (NEW)

In this case it doesn't matter, because it's default route to 0.0.0.0/0, which covers every possible address, so lookup will always succeed in this table and router won't be looking elsewhere.

@Sob
thank you for detailed explanation! That's why I keep coming back to this forum !

Okay, question still lingers about my Route Rule............
/ip route rule
add action=lookup-only-in-table interface=EastlinkDirect table=WAN2 (NEW)

I wanted all traffic from vlan50 (EastlinkDirect) to go to ISP2. The above seems to do that!
There are two other arguments that one can use, source address and destination address.

So I could have used the lan subnet RIGHT, with no interface ??
/ip route rule
add action=lookup-only-in-table src-address=192.168.50.0/24 table=WAN2 (NEW)

Or both for that matter!! I dont see one being any different from the other
+++++++++++++++++++++++++++++++++++++++++++++++++

What is a pity is that they dont accept address lists here!!!.
For example what if I wanted to router requests for more than a single destination IP address (assume a mixed bag of known external WANIPs) to go out ISP 2, I could do it easily for one external destination but would have to make as many rules as destination addresses or use MANGLE.

In other words WHY in the route rule do they not INCLUDE source or destination address lists????????

You should know by now that there's often more than one way how to do something. :)

Address lists belong to IP firewall. In Linux, which is where RouterOS internals come from, it's related to netfilter/iptables. So I guess it's not so easy to connect it with routing, which is different part of system. But don't lose hope, if you can handle at least one mangle rule, you can mark routing based on source address list.

Or both for that matter!! I dont see one being any different from the other
...
In other words WHY in the route rule do they not INCLUDE source or destination address lists????????

they are matchers, if they match proper traffic by scr in-inteface or src-address then what ever what you setup. Until Route Rule match your traffic then action will work.

About Address List - this is a Firewall feature and in Mangle tab you can do the same what in Route Rule who are older, more static, near to PBR PolicyBaseRoute who is static.

Okay, understood all, address lists are specific to firewall rules and not routing (but it would nice .................. )
Yes, i get the message one cannot resist the Mangle Borg...........