Community discussions

MikroTik App
 
ghostyjinx
just joined
Topic Author
Posts: 5
Joined: Thu Feb 08, 2024 6:23 pm

Dual WAN parallel setup for only one subnet?

Fri Feb 09, 2024 1:29 pm

Hello,

I'm configuring a CCR 1009-8G-1S on RouterOS v6.49.6 and currently trying to figure out how I would establish a parallel connection while having both ISPs active. The only reason for doing this and not a failover is a client with an OpenVPN (port 1194) client-to-site connection via our internal pfSense (192.168.254.150) that needs to have our 2nd ISP as their main connection with us, and only revert to our 1st ISP in case our line is down.

The 1st ISP is currently assigned on the SFP1 interface on the router, and the 2nd is on Ether7.

What I have currently done is the following setup (IP addresses redacted for security):
/ip address
add address=Y.Y.Y.Y/30 interface=ether7 network=Y.Y.Y.Y comment=ISP2
add address=X.X.X.X/29 interface=sfp1 network=X.X.X.X comment=ISP1
add address=192.168.254.254/24 interface=bridge network=192.168.254.0 comment="Subnet I need routed for 2nd ISP"
add address=192.168.1.254/24 interface=bridge network=192.168.1.0 comment="Rest of the traffic"

/ip firewall nat
add action=masquerade chain=srcnat comment=ISP2 out-interface=ether7
add action=masquerade chain=srcnat comment=ISP1 out-interface=sfp1 src-address=!X.X.X.X/29

/ip route
add check-gateway=ping distance=1 gateway=X.X.X.X comment=ISP1
add distance=2 gateway=Y.Y.Y.Y comment=ISP2
Let me know if you need more info, but I'm trying to figure out a way, with this setup, to get everything going and have a failover in place without needing my input each time there's a failure.

So, essentially I'm trying to route 192.168.254.0/24 towards the 2nd ISP (ether7) while the rest of my traffic goes through the 1st ISP. In case of a failure of our 2nd ISP, I would like this traffic to be sent back out sfp1, where our 1st ISP is.

Is it possible to set this up?

Thank you in advance.
 
IlKa
newbie
Posts: 38
Joined: Sun Jan 03, 2021 11:42 pm

Re: Dual WAN parallel setup for only one subnet?

Sun Feb 11, 2024 5:34 am

It seems that you need to solve 2 problems:

1. Disable the route if the gateway is unreachable. You have already done it with `check-gateway`
2. Use a different route for a different source. This is called "policy routing" and could be done with several routing tables: https://help.mikrotik.com/docs/display/ ... cy+Routing
 
ghostyjinx
just joined
Topic Author
Posts: 5
Joined: Thu Feb 08, 2024 6:23 pm

Re: Dual WAN parallel setup for only one subnet?

Mon Feb 12, 2024 4:17 pm

> It seems that you need to solve 2 problems:
>
> 1. Disable the route if the gateway is unreachable. You have already done it with `check-gateway`
> 2. Use a different route for a different source. This is called "policy routing" and could be done with several routing tables: https://help.mikrotik.com/docs/display/ ... cy+Routing
Hello,

would it make sense then to add:
/routing rule add src-address=192.168.254.0/24 action=lookup table=2ndISP interface=ether7
and I suppose after this implementation I would have to bring the distance of the 2nd gateway to 1, just like the 1st?
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Dual WAN parallel setup for only one subnet?

Mon Feb 12, 2024 6:51 pm

It would seem that what you need conceptually is:

/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
add distance=4 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main


As stated, all traffic will go to WAN1, and if it goes down, failover will move traffic to WAN2; if WAN1 comes back, then traffic will go back to WAN1.
Now it would appear you have one subnet that needs to go out WAN2 instead of WAN1 when originating traffic, but ensure WAN1 can be used if WAN2 goes down.

One problem I see is you have two identical bridges with a different IP address.

So one can have two bridges, or one bridge and one ethernet port, or two or more VLANs and one bridge.

Q1. Does either LAN's traffic only use one ethernet port?
Q2. How does the client use WAN2? Originates an outgoing connection? Coming in on the VPN and going out WAN2 for internet?
 
ghostyjinx
just joined
Topic Author
Posts: 5
Joined: Thu Feb 08, 2024 6:23 pm

Re: Dual WAN parallel setup for only one subnet?

Mon Feb 12, 2024 11:50 pm

> It would seem that what you need conceptually is:
>
> /ip route
> add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
> add distance=4 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
>
> As stated, all traffic will go to WAN1, and if it goes down, failover will move traffic to WAN2; if WAN1 comes back, then traffic will go back to WAN1.
> Now it would appear you have one subnet that needs to go out WAN2 instead of WAN1 when originating traffic, but ensure WAN1 can be used if WAN2 goes down.
>
> One problem I see is you have two identical bridges with a different IP address.
>
> So one can have two bridges, or one bridge and one ethernet port, or two or more VLANs and one bridge.
>
> Q1. Does either LAN's traffic only use one ethernet port?
> Q2. How does the client use WAN2? Originates an outgoing connection? Coming in on the VPN and going out WAN2 for internet?
Hey,

Q1. There's traffic coming in on the same ethernet port on the MikroTik (let's say ether3) from multiple subnets, due to how the environment is set up. I can try to isolate one specific port for just the 254 subnet, but what would be your recommendation afterwards to solve the issue?
Q2. We're connecting to their OpenVPN server as a client and using the 2nd ISP's public IP. This isn't the case yet, however, due to the problem I'm having, so we're using our 1st ISP to establish the connection.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Dual WAN parallel setup for only one subnet?

Tue Feb 13, 2024 12:43 am

Each post adds more confusion, not clarity.
What do you mean by multiple subnets... do you mean VLANs?
You should really provide network diagrams/topology and the full config...
 
ghostyjinx
just joined
Topic Author
Posts: 5
Joined: Thu Feb 08, 2024 6:23 pm

Re: Dual WAN parallel setup for only one subnet?

Tue Feb 13, 2024 10:17 am

> Each post adds more confusion, not clarity.
> What do you mean by multiple subnets... do you mean VLANs?
> You should really provide network diagrams/topology and the full config...
Hello,

There are no VLANs configured on the network; I've only used subnetting to sort the network into different departments etc.
As an example:
192.168.1.0/24 for DHCP
192.168.2.0/24 for Finance
192.168.3.0/24 for tech support
192.168.254.0/24 for other traffic (the one I need to redirect to the other ISP).

What I managed to do yesterday was to use mangle in prerouting to achieve it somewhat, like so:
/ip firewall mangle
add chain=prerouting src-address=192.168.254.0/24 action=mark-routing new-routing-mark="2nd ISP"

What this did was that all the endpoints on the 192.168.254.0/24 subnet were now going through the 2nd ISP for their traffic; however, they had no communication whatsoever with the other subnets I have, and more importantly, no communication with our Windows Server to resolve DNS. It also seemed that communication from the other subnets to this rerouted one wasn't happening at all. I suppose an additional configuration must be made to have cross-communication.

What would you like from the network diagram? What exactly is confusing so I can draw that section?
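An added example, not code from this thread or from MikroTik, showing one RouterOS v6 configuration that does what the first post asks (the 254 subnet out ISP2, back to ISP1 when ISP2 is down, everything else on ISP1) and also addresses the cross-subnet breakage described in the mangle post above. It keeps the thread's interface names and the redacted gateway addresses X.X.X.X (ISP1) and Y.Y.Y.Y (ISP2); the routing mark `2ndISP`, the `LAN` address list and the 192.168.0.0/16 aggregate for the internal subnets are assumptions made for this example.

```routeros
# Added example (not from the thread): RouterOS v6 policy routing for one subnet.
# X.X.X.X / Y.Y.Y.Y are the ISP1 / ISP2 gateways as redacted in the thread.
# "2ndISP", the "LAN" list and 192.168.0.0/16 are values chosen for this example.

# 1. Collect every internal prefix once, so it can be excluded from marking.
/ip firewall address-list
add list=LAN address=192.168.0.0/16 comment="all internal subnets (example value)"

# 2. Mark only traffic from the 254 subnet that is NOT going to another internal
#    subnet. Marking every packet (as in the original rule) made replies to
#    192.168.1.x and to the DNS server look up the marked table, match its
#    0.0.0.0/0 route and leave via the WAN; that is why cross-subnet traffic
#    and DNS resolution stopped. Unmarked packets use the main table, where the
#    connected routes for the bridge live.
/ip firewall mangle
add chain=prerouting src-address=192.168.254.0/24 dst-address-list=!LAN \
    action=mark-routing new-routing-mark=2ndISP passthrough=no \
    comment="254 subnet -> 2ndISP table, internal destinations excluded"

# 3. Marked table: ISP2 first, ISP1 as the fallback. check-gateway=ping marks
#    the distance-1 route inactive while Y.Y.Y.Y stops answering, so marked
#    traffic drops through to the distance-2 route via ISP1, and returns to
#    ISP2 automatically once the pings succeed again.
/ip route
add dst-address=0.0.0.0/0 gateway=Y.Y.Y.Y distance=1 check-gateway=ping \
    routing-mark=2ndISP comment="2ndISP: primary via ISP2"
add dst-address=0.0.0.0/0 gateway=X.X.X.X distance=2 \
    routing-mark=2ndISP comment="2ndISP: fallback via ISP1"

# 4. Main table as already configured in the thread: ISP1 primary, ISP2 failover.
add dst-address=0.0.0.0/0 gateway=X.X.X.X distance=1 check-gateway=ping comment=ISP1
add dst-address=0.0.0.0/0 gateway=Y.Y.Y.Y distance=2 comment=ISP2

# 5. Source NAT per exit interface (as in the thread), so the 254 subnet carries
#    the public address of whichever WAN it actually leaves on.
/ip firewall nat
add chain=srcnat out-interface=ether7 action=masquerade comment=ISP2
add chain=srcnat out-interface=sfp1 src-address=!X.X.X.X/29 action=masquerade comment=ISP1

# 6. Leave a log entry when the ISP2 gateway flaps, so a failover is visible
#    afterwards without having to watch the route table.
/tool netwatch
add host=Y.Y.Y.Y interval=30s \
    down-script=":log warning \"ISP2 gateway unreachable, 254 subnet now via ISP1\"" \
    up-script=":log info \"ISP2 gateway back, 254 subnet via ISP2 again\""

# Verification: only the active route(s) in the marked table carry the A flag.
/ip route print detail where routing-mark=2ndISP
```

Two caveats a practitioner would want before relying on this. `check-gateway=ping` only tests the next hop, so if ISP2's own gateway keeps answering while its upstream is broken, no failover happens; MikroTik's usual answer on v6 is a recursive route through a remote host rather than the directly connected gateway. And because the masquerade address changes on failover, the pfSense OpenVPN session at 192.168.254.150 will drop and reconnect from ISP1's public address, so the remote site must accept both addresses if it filters on source IP.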
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Dual WAN parallel setup for only one subnet?

Tue Feb 13, 2024 3:18 pm

No need, this is advanced networking I am not qualified to speak on. Hopefully others with more networking experience will assist.
> There's traffic coming in on the same ethernet port on the MikroTik (let's say ether3) from multiple subnets
> There are no VLANs configured on the network; I've only used subnetting to sort the network into different departments
 
ghostyjinx
just joined
Topic Author
Posts: 5
Joined: Thu Feb 08, 2024 6:23 pm

Re: Dual WAN parallel setup for only one subnet?

Wed Feb 14, 2024 4:57 pm

Sorry for the bump,

could really use an extra set of eyes on this one if possible.