
RouterOS 5.20 - IP Route List

Posted: Tue May 22, 2018 2:46 pm
by tvagge
Greetings from Athens, Greece.

I have this configuration:
2 WAN interfaces (WAN1 & WAN2) and 1 LAN.
I want to route these specific destination addresses (10.10.10.1 & 10.10.10.2) through WAN1 (gateway is 192.168.1.1) and simultaneously block all other traffic from using this WAN interface.
I also want to route all other destinations to WAN2 (gateway: 172.10.10.1), except the above 2 destination IPs (which are routed through WAN1, of course).
How can I accomplish this?

Re: RouterOS 5.20 - IP Route List

Posted: Mon May 28, 2018 9:24 am
by tvagge
Can anyone help me with that please?

Re: RouterOS 5.20 - IP Route List

Posted: Mon May 28, 2018 10:30 am
by p3rad0x
Hi,

Create a mangle rule and apply a routing mark to the 2 subnets you want to route to WAN 1

Then add a 0.0.0.0/0 route gateway=192.168.1.1 routing-mark=your mark;

then just add a second gateway to 172.10.10.1.

All the marked traffic will go over WAN1 and all the other WAN2

Re: RouterOS 5.20 - IP Route List

Posted: Mon May 28, 2018 2:02 pm
by Anumrak
Two /32 routes to 192.168.1.1 via interface WAN1, and 0.0.0.0/0 to the WAN2 gateway IP via interface WAN2, without any marking. Traffic won't go to 10.10.10.1 and 10.10.10.2 through WAN2, because we always have specific long-prefix routes in the RIB.

Re: RouterOS 5.20 - IP Route List

Posted: Mon May 28, 2018 5:50 pm
by anav
Anumrak, do you mean

/ip route
add dst-address=0.0.0.0/0 gateway=172.10.10.1 distance=1 comment="ISP2 default"
add dst-address=10.10.10.1/32 gateway=192.168.1.1 distance=1 comment="ISP1"
add dst-address=10.10.10.2/32 gateway=192.168.1.1 distance=1 comment="ISP1"

Re: RouterOS 5.20 - IP Route List

Posted: Mon May 28, 2018 6:30 pm
by CZFan
Or you can use:

/ip route
add dst-address=0.0.0.0/0 gateway=172.10.10.1 distance=1 comment="ISP2 default"
add dst-address=10.10.10.0/30 gateway=192.168.1.1 distance=1 comment="ISP1"

Re: RouterOS 5.20 - IP Route List

Posted: Mon May 28, 2018 6:34 pm
by anav
Nice (you subnet-mask god, you), cheeky but efficient! :-)

Re: RouterOS 5.20 - IP Route List

Posted: Tue May 29, 2018 2:59 am
by Samot
I'd also suggest updating your router to a version that is not years behind and has known security holes.

Re: RouterOS 5.20 - IP Route List

Posted: Tue May 29, 2018 11:42 am
by tvagge
Thank you guys for all your answers!

Well, that's what I have set up so far:
/ip route
add dst-address=0.0.0.0/0 gateway=172.10.10.1 distance=1 comment="ISP2 default"
add dst-address=10.10.10.0/30 gateway=192.168.1.1 distance=1 comment="ISP1"
It works OK, the traffic flows correctly, but:
When I disable the ISP1 interface, or just unplug this cable, and the clients keep requesting these IPs (10.0.0.1 & 10.0.0.2), all requests are rejected for a while (that's OK), but after many refreshes the traffic finally goes through the ISP2 interface (NOT OK!). I don't know what the reason for that is, but it happens...
That's why I need to allow all traffic through ISP2 WAN except (with a firewall rule, maybe?) these 2 IPs.

Re: RouterOS 5.20 - IP Route List

Posted: Tue Jun 05, 2018 2:55 pm
by tvagge
Hi guys,

I'm coming back with this post, as I said, can anyone help me about how to allow all traffic through ISP2 WAN except these 2 IPs: 10.10.10.1 & 10.10.10.2?

Re: RouterOS 5.20 - IP Route List

Posted: Tue Jun 05, 2018 5:23 pm
by anav
Instead of fancy-pants MikroTik guru solutions from the get-go, let's approach this from a requirements perspective.

a. WAN1 shall only be used for two external destination IP addresses
b. WAN2 shall be used for all other external destination IP addresses
c. WAN2 shall not be used for the two "special" destination IP addresses
d. by inference: No failover is required (1-->2). If WAN1 is down, the two destination IP addresses will not be available, period (not even through WAN2).
e. by inference: No failover is required (2-->1). If WAN2 is down, ONLY the two destination addresses will be available, and only through WAN1.

Now go design the fancy pants solution. ;-)

my stealing guess:
assuming ether1=WAN1=ISP1
assuming ether2=WAN2=ISP2

/ip firewall address-list
add list=special_sites address=10.10.10.1
add list=special_sites address=10.10.10.2

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="ISP1 (gateway 192.168.1.1)"
add chain=srcnat action=masquerade out-interface=ether2 comment="ISP2 (gateway 172.10.10.1)"

/ip route
add dst-address=0.0.0.0/0 gateway=172.10.10.1 distance=1 comment="ISP2 default"
add dst-address=10.10.10.0/30 gateway=192.168.1.1 distance=1 comment="ISP1"

/ip firewall filter
FORWARD CHAIN order
- drop invalid
- accept established, connected, untracked
- accept in-interface=LAN dst-address-list=special_sites out-interface=ether1
- accept in-interface=LAN dst-address-list=!special_sites out-interface=ether2
- log log=yes prefix="VIEW ALL BEING DROPPED TO CONFIRM"
- drop all else
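
The two halves of the thread, the route-only setup (Anumrak/CZFan) and anav's forward-chain filter, can be checked against each other with a small model of what the router actually does. The following Python is an added example written for this page; it is not RouterOS code and not from any poster. It models the longest-prefix-match lookup over active routes and a first-match forward chain. A RouterOS route whose gateway is unreachable (for example because the WAN interface is down) becomes inactive and is withdrawn from the forwarding table; the model approximates that by treating a route as active only while its interface is in `links_up`, which is an assumption of the model. The interface names ether1/ether2, the `LAN` in-interface name and the `decide` helper are also assumptions; the prefixes and gateways are the ones from the thread, and the established/invalid rules are left out since the model only looks at new connections.

```python
import ipaddress

# Constructed route table mirroring the thread (not a RouterOS export):
# (prefix, gateway, out-interface). ether1 = WAN1/ISP1, ether2 = WAN2/ISP2.
ROUTES = [
    ("0.0.0.0/0",     "172.10.10.1", "ether2"),  # ISP2 default route
    ("10.10.10.0/30", "192.168.1.1", "ether1"),  # ISP1, the /30 from CZFan's post
]

# The two "special" destinations from the special_sites address list.
SPECIAL_SITES = {ipaddress.ip_address("10.10.10.1"), ipaddress.ip_address("10.10.10.2")}

# Constructed forward-chain rules in anav's order, new connections only.
# Fields: (in-interface, match on address list?, negate list?, out-interface, action)
FILTER = [
    ("LAN", True,  False, "ether1", "accept"),  # special sites may leave via ether1
    ("LAN", True,  True,  "ether2", "accept"),  # everything else may leave via ether2
    (None,  False, False, None,     "drop"),    # drop all else
]


def lookup(dst, links_up, routes=ROUTES):
    """Longest-prefix match over the active routes only.

    A route is treated as active while its interface is in links_up; routes
    whose interface is down are withdrawn, exactly as an inactive route
    disappears from the forwarding table on the router.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface not in links_up or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def forward_chain(in_iface, dst, out_iface, rules=FILTER):
    """First matching rule decides; an unmatched packet is accepted (RouterOS default)."""
    dst = ipaddress.ip_address(dst)
    for r_in, use_list, negate, r_out, action in rules:
        if r_in is not None and r_in != in_iface:
            continue
        if r_out is not None and r_out != out_iface:
            continue
        # dst-address-list=special_sites matches members; !special_sites matches non-members.
        if use_list and (dst in SPECIAL_SITES) == negate:
            continue
        return action
    return "accept"


def decide(dst, links_up, use_filter=True):
    """Where does a new LAN connection to dst leave the router?

    Returns the egress interface, "dropped" (stopped by the filter) or
    "unreachable" (no active route).
    """
    hop = lookup(dst, links_up)
    if hop is None:
        return "unreachable"
    _gw, iface = hop
    if use_filter and forward_chain("LAN", dst, iface) == "drop":
        return "dropped"
    return iface


if __name__ == "__main__":
    both = {"ether1", "ether2"}
    print("both up, 10.10.10.1          ->", decide("10.10.10.1", both))
    print("both up, 8.8.8.8             ->", decide("8.8.8.8", both))
    # tvagge's observation: with routes only, the /30 is withdrawn when ISP1 is
    # down and the default route carries the special traffic out through ISP2.
    print("WAN1 down, routes only       ->", decide("10.10.10.1", {"ether2"}, use_filter=False))
    print("WAN1 down, with filter       ->", decide("10.10.10.1", {"ether2"}))
    print("WAN2 down, 8.8.8.8           ->", decide("8.8.8.8", {"ether1"}))
    # The /30 also covers 10.10.10.3; the filter keeps it off both WANs.
    print("both up, 10.10.10.3          ->", decide("10.10.10.3", both))
```

Run it and the five requirement lines above fall out directly: with both links up the two special hosts leave via ether1 and everything else via ether2; with WAN1 down and no filter the /30 is gone from the table and 10.10.10.1 is forwarded out ether2 (the leak tvagge reported), while with the filter in place the same packet hits "drop all else" because neither accept rule matches a special-site destination on ether2; with WAN2 down, ordinary destinations have no active route at all. The last case shows a side effect of CZFan's /30: it routes 10.10.10.3 towards ISP1 as well, and only the address list keeps that traffic from leaving.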

Re: RouterOS 5.20 - IP Route List

Posted: Fri Jun 08, 2018 8:33 am
by tvagge
/ip firewall filter
FORWARD CHAIN order
- drop invalid
- accept established, connected, untracked
- accept in-interface=LAN dst-address-list=special_sites out-interface=ether1
- accept in-interface=LAN dst-address-list=!special_sites out-interface=ether2
- log log=yes prefix="VIEW ALL BEING DROPPED TO CONFIRM"
- drop all else
Thank you for your answer!
Can you explain how I can implement these commands? (in the console or in Winbox)
Are they based on hierarchy?

Re: RouterOS 5.20 - IP Route List

Posted: Fri Jun 08, 2018 1:58 pm
by anav
I use Winbox for most everything and the CLI (new terminal) for itsy-bitsy commands, or if I am recovering from one of my much too frequent freeze-outs on the router because I forget to use SAFE mode.

In Winbox you can plug in all the filter rules and then put them in the order you want (drag and drop).
Basically most people keep it clean by ensuring the input chain, the forward chain and the output chain are in blocks (kept together).
The order within a chain is important. You can mix up chains, in that you could put rules together in some other fashion

like
input - accept established
forward- accept established

etc.......... but as long as you respect the order of rules within each chain over the entire set it works.

Re: RouterOS 5.20 - IP Route List

Posted: Fri Jun 08, 2018 2:02 pm
by anav
Order does matter
Obviously one doesn't put "drop all else" until they have the rules they want to allow before it, as the router goes rule by rule to find a match. If a packet matches, the rule's action is carried out and the packet doesn't see any of the other rules.

Whether drop invalid packets comes before or after accept established connected untracked, is a good question, I have not heard a convincing argument either way.
The conventional default is invalid comes after, but I think its best to get rid of malformed packets right away.
The LAN rules could be in either order

The log rule is there so you can see all the forward traffic that doesn't match any of the rules you have and will get dropped. I like to do this to see if there is traffic I did want captured and not dropped, so that you can adjust or add rules that you may have forgotten. You can disable it or remove it later.