iaskakho
just joined
Topic Author
Posts: 17
Joined: Sun Sep 05, 2021 9:27 pm
Location: New York, USA

Direct traffic From IPList out of Specific WAN

Tue Apr 12, 2022 7:53 pm

Hello,

I've been trying many different things and it doesn't seem to be working; traffic still goes to the best route and not out of the specific gateway.

I marked the connections and marked the traffic with src-address and still no good; I see it uses the MAC of wan2 instead of wan1.

Here is my setup: 10 ports, 1 and 2 are WANs, 3-10 are bridged, as are my 2 WLANs.

So all LAN traffic is in BRIDGE.

I need some IPs from the LAN traffic to go through WAN1, whereas WAN2 is the default.

Please help by posting a working configuration.
[@gateway1] /ip firewall mangle> 
25    ;;; ECMP
      chain=input action=mark-connection new-connection-mark=frontier_conn in-interface=ether1 
26    ;;; ECMP
      chain=input action=mark-connection new-connection-mark=xfinity_conn in-interface=ether2 
27    ;;; ECMP
      chain=output action=mark-routing new-routing-mark=to_frontier connection-mark=frontier_conn 
28    ;;; ECMP
      chain=output action=mark-routing new-routing-mark=to_xfinity connection-mark=xfinity_conn 
      
[@gateway1] /ip firewall mangle> /ip route print where !disabled
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; to_frontier
        0.0.0.0/0                          x.x.x.x               1
 1 A S  ;;; to_xfinity
        0.0.0.0/0                          x.x.x.x              1
 2 A S  ;;; ECMP_xfinity_frontier
        0.0.0.0/0                          x.x.x.x              1
                                           x.x.x.x      
                                           x.x.x.x 
[@gateway1] /ip firewall nat> print where !disabled          
Flags: X - disabled, I - invalid, D - dynamic 
 2    chain=srcnat action=masquerade out-interface=ether1 
 3    chain=srcnat action=masquerade out-interface=ether2 
 
 [@gateway1] /interface bridge port> export 
# apr/10/2022 23:53:53 by RouterOS 6.48.4
# software id = NUTA-4YVB
#
# model = RB4011iGS+5HacQ2HnD
# serial number = F03C0EEDBD0B
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether5

Let's say my bridge network is 192.168.0.0/24, 192.168.1.1 is the bridge IP.

I want the LAN IP 192.168.1.38 to go out of WAN1 ONLY, never to use WAN2. Can this be achieved? I want to see the MAC between it and WAN2 in the sniffer; how can this be achieved?

Thank you for your help!
Last edited by iaskakho on Mon Apr 18, 2022 2:57 am, edited 1 time in total.
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Direct traffic From IPList out of Specific WAN

Tue Apr 12, 2022 8:13 pm

You are doing something somewhat similar to what I am doing. I also have two ISPs and some traffic goes out on one of them and some traffic goes out on the second ISP. I am not trying to use failover. In my case, I am using different LANs as the separation. I am using routing rules to direct the traffic. If something like that will work for you, I can give more details and examples.
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Direct traffic From IPList out of Specific WAN

Tue Apr 12, 2022 9:48 pm

How many IPs are we talking???

No mangling required!!!
dst-address=0.0.0.0/0 gwy=ISP1  table=main  distance=5 check-gateway=ping
dst-address=0.0.0.0/0 gwy=ISP2 table=main distance=10
dst-address=0.0.0.0/0 gwy=ISP2 table=useSecondary distance=10

/routing table add name=useSecondary fib

/routing rule add src-address=IP1 action=lookup  table=useSecondary   { for first IP }
/routing rule add src-address=IP2 action=lookup  table=useSecondary   { for second IP }
...
...
/routing rule add src-address=IPXX action=lookup  table=useSecondary   { for last IP }
Action=Lookup means that the router will direct such IPs to the secondary ISP and if the secondary ISP is not available will move the traffic to WAN1
If you decided to choose Action=Lookup-only-in-table, the router would NOT move the IP to an available route if WAN2 went down.
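Added example, not part of any post in this thread and not RouterOS code: a small Python model of the fall-through difference between action=lookup and action=lookup-only-in-table described above. The Route and Rule classes, egress(), demo() and the `up` set (a down gateway is assumed to make its routes inactive, as check-gateway or link loss would) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Route:
    dst: str
    gateway: str
    distance: int
    table: str = "main"

@dataclass
class Rule:
    src: str
    table: str
    action: str = "lookup"        # or "lookup-only-in-table"

def best_route(routes, table, dst, up):
    """Longest prefix, then lowest distance, among routes whose gateway is up."""
    usable = [r for r in routes
              if r.table == table and r.gateway in up
              and ip_address(dst) in ip_network(r.dst)]
    return min(usable, key=lambda r: (-ip_network(r.dst).prefixlen, r.distance),
               default=None)

def egress(routes, rules, src, dst, up):
    """Gateway chosen for src -> dst, or None when the packet is unroutable."""
    for rule in rules:
        if ip_address(src) not in ip_network(rule.src):
            continue
        hit = best_route(routes, rule.table, dst, up)
        if hit:
            return hit.gateway
        if rule.action == "lookup-only-in-table":
            return None            # fail closed: no fallback to another WAN
        # action=lookup: nothing usable in that table, keep going to main
    hit = best_route(routes, "main", dst, up)
    return hit.gateway if hit else None

# Constructed sample following the routes in the post above; 192.168.1.38 is
# the LAN host from the opening post, 192.0.2.10 a documentation destination.
ROUTES = [Route("0.0.0.0/0", "ISP1", 5),
          Route("0.0.0.0/0", "ISP2", 10),
          Route("0.0.0.0/0", "ISP2", 10, table="useSecondary")]
HOST, DST = "192.168.1.38", "192.0.2.10"

def demo(action, up):
    rules = [Rule(HOST + "/32", "useSecondary", action)]
    return egress(ROUTES, rules, HOST, DST, up)

if __name__ == "__main__":
    for action in ("lookup", "lookup-only-in-table"):
        print(action, demo(action, {"ISP1", "ISP2"}), demo(action, {"ISP1"}))
```

With ISP2 down, the lookup rule sends the host out of ISP1, while lookup-only-in-table leaves it with no route at all, which is the behaviour to pick when a host must never leave through the other WAN.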
 
iaskakho
just joined
Topic Author
Posts: 17
Joined: Sun Sep 05, 2021 9:27 pm
Location: New York, USA

Re: Direct traffic From IPList out of Specific WAN

Wed Apr 13, 2022 7:34 am

K6ccc,

Yes please.

Anav, I don’t think I have these options; my version is 6.48 and there is no /routing table or rule option, if I am not mistaken. I will double check; otherwise this should suffice.
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Direct traffic From IPList out of Specific WAN

Wed Apr 13, 2022 1:56 pm

Yes you do!!..........

It's similar....... the only difference is that one doesn't create a table with a separate Table rule, one simply uses routing-mark in the route itself

dst-address=0.0.0.0/0 gwy=ISP1 distance=5 check-gateway=ping
dst-address=0.0.0.0/0 gwy=ISP2 distance=10
dst-address=0.0.0.0/0 gwy=ISP2 distance=10 routing-mark=useSecondary

Route Rules are found in IP Routes as another tab selection at the top and one enters them like so (same as before really).
add src-address=IP1 action=lookup table=useSecondary

and so on...

In other words, the only real difference is
a. don't create a table.
b. use Routing Mark in the Route
c. refer to the Routing Mark in the Route rule via the Table designator/parameter in the Route Rule.
 
mimel
just joined
Posts: 1
Joined: Fri Apr 08, 2022 9:47 pm

Re: Direct traffic From IPList out of Specific WAN

Wed Apr 13, 2022 6:54 pm

Did you fix it?
 
iaskakho
just joined
Topic Author
Posts: 17
Joined: Sun Sep 05, 2021 9:27 pm
Location: New York, USA

Re: Direct traffic From IPList out of Specific WAN

Wed Apr 13, 2022 8:09 pm

This is all I have in the routing menu:
[igor@gateway1] /routing> 

.. -- go up to root
bfd -- 
bgp -- 
export -- Print or save an export script that can be used to restore configuration
filter -- 
mme -- 
ospf -- 
prefix-lists -- 
rip -- 
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Direct traffic From IPList out of Specific WAN

Wed Apr 13, 2022 9:01 pm

Are you using MikroTik products LOL ??? on another planet??
I would understand if you said you are from NYC, as it's another world, but the rest of NY state is plain hicksville. ;-)
.................................................
OR if you insist on using draconian, victorian methods....... here is the command line details.............
/ip route> add
Creates new item with specified property values.
bgp-as-path --
bgp-atomic-aggregate --
bgp-communities --
bgp-local-pref --
bgp-med --
bgp-origin --
bgp-prepend --
check-gateway -- Whether all nexthops of this route are checking reachability of gateway by sending arp requests every 10 seconds
comment -- Short description of the item
copy-from -- Item number
disabled -- Defines whether item is ignored or used
distance -- Administrative distance of the route
dst-address -- Destination address
gateway --
pref-src --
route-tag --
routing-mark -- It's used for policy-routing
scope --
target-scope --
type --
vrf-interface --


AND

/ip route rule> add
Creates new item with specified property values.
action --
comment -- Short description of the item
copy-from -- Item number
disabled -- Defines whether item is ignored or used
dst-address --
interface -- Interface through which the gateway can be reached
place-before -- Item number
routing-mark --
src-address --
table --
 
iaskakho
just joined
Topic Author
Posts: 17
Joined: Sun Sep 05, 2021 9:27 pm
Location: New York, USA

Re: Direct traffic From IPList out of Specific WAN

Wed Apr 13, 2022 9:45 pm

Sorry, I never used /ip route rule before:
[igor.astakhov@gateway1] /ip route> export  
# apr/12/2022 01:44:36 by RouterOS 6.48.4
# software id = NUTA-4YVB
#
# model = RB4011iGS+5HacQ2HnD
# serial number = F03C0EEDBD0B
/ip route
add comment=to_xfinity distance=1 gateway=x.x.x.x routing-mark=to_xfinity
add comment=to_frontier1 distance=2 gateway=x.x.x.x routing-mark=to_frontier1
add check-gateway=ping comment=ECMP_xfinity_frontier distance=1 gateway=x.x.x.x,x.x.x.x,x.x.x.x
add comment=frontier distance=2 gateway=x.x.x.x

/ip route rule
add src-address=192.168.0.38/32 table=to_frontier1
I've updated above; I think it's working. This is very nice. I'll try a couple of other ones and get back to you, thank you very much!
Last edited by iaskakho on Mon Apr 18, 2022 2:56 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Direct traffic From IPList out of Specific WAN

Wed Apr 13, 2022 9:52 pm

Awesomeness but please please if those are your actual Public IPs, then delete them from the thread !!!
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Direct traffic From IPList out of Specific WAN

Sun Apr 17, 2022 8:02 pm

I'm sorry that I did not get back to this thread. Been dealing with the death of my Dad.
iaskakho, Do you still need my examples?
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Direct traffic From IPList out of Specific WAN

Sun Apr 17, 2022 8:54 pm

Sorry to hear that k6ccc, my condolences to you and your family.
 
iaskakho
just joined
Topic Author
Posts: 17
Joined: Sun Sep 05, 2021 9:27 pm
Location: New York, USA

Re: Direct traffic From IPList out of Specific WAN

Mon Apr 18, 2022 2:58 am

> I'm sorry that I did not get back to this thread. Been dealing with the death of my Dad.
> iaskakho, Do you still need my examples?

I am good, thank you very much; we worked it out with Anav. But I would like to see your example as well!

Anav, I removed the gateway IPs. Why, can someone use the gateway IPs to harm someone?
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Direct traffic From IPList out of Specific WAN

Mon Apr 18, 2022 5:22 am

> > I'm sorry that I did not get back to this thread. Been dealing with the death of my Dad.
> > iaskakho, Do you still need my examples?
>
> I am good, thank you very much; we worked it out with Anav. But I would like to see your example as well!
>
> Anav, I removed the gateway IPs. Why, can someone use the gateway IPs to harm someone?

I am not sure, but many experienced trained IT pros here always give that advice........... they are the ones that have to deal with hacked Routers.........
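
Added example, not part of any post in this thread: a Python filter for the advice above about public IPs, masking non-private IPv4 addresses in a RouterOS export before it is pasted into a forum. It also blanks the serial number and software id header lines and the login name in the prompt; sanitize(), the KEEP list and the sample export (documentation addresses, dummy identifiers) are constructed for illustration.

```python
import ipaddress
import re

# Ranges that can stay in a posted config: RFC 1918, loopback, link-local,
# and the 0.0.0.0 that appears in default routes.
KEEP = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")]

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
IDENT = re.compile(r"^(#\s*(?:serial number|software id)\s*=\s*)\S+", re.I | re.M)
PROMPT_USER = re.compile(r"^(\s*\[)[^@\]\s]+(@[^\]]+\])", re.M)

def _mask(match):
    """Replace one dotted quad with x.x.x.x unless it is in a KEEP range."""
    try:
        ip = ipaddress.ip_address(match.group(0))
    except ValueError:              # not a valid address (e.g. 999.1.1.1)
        return match.group(0)
    return match.group(0) if any(ip in n for n in KEEP) else "x.x.x.x"

def sanitize(export_text):
    """Return the export with public IPs, device identifiers and login name removed."""
    text = IPV4.sub(_mask, export_text)
    text = IDENT.sub(r"\1REDACTED", text)
    return PROMPT_USER.sub(r"\1\2", text)

# Constructed sample in the shape of the exports posted in this thread.
SAMPLE = """\
[admin@gateway1] /ip route> export
# software id = AAAA-0000
# serial number = 000000000000
/ip route
add comment=to_wan1 distance=1 gateway=203.0.113.1 routing-mark=to_wan1
add comment=main distance=2 gateway=198.51.100.1
/ip route rule
add src-address=192.168.0.38/32 table=to_wan1
"""

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```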
