Community discussions

MikroTik App
 
iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

Two WAN - But I can only log in on one

Sat Sep 03, 2022 3:02 pm

I have an rb4011 with Routeros 7.4.1
I have two WAN interfaces.
I want to be able to access remotely through either one or the other, but I can only access the one in the main routing table.
I use mangle marking for connections through the secondary WAN interface (wan-01) but when I try to access with winbox (3.37) it shows me the message:
'error: router does not support secure connection, please enable Legacy Mode if you want to connect anyway'
I enable Legacy Mode but winbox does not connect.

I have read in the forum that traffic should be marked and so I do but what am I doing wrong?
Apparently a basic question but one that is giving me a big headache.
Any candid soul who can help me?

Thank you

CODE:
/ip firewall mangle

add action=mark-routing chain=prerouting comment=To_WAN-01 connection-mark=wan-01 new-routing-mark=wan01 passthrough=no
add action=mark-connection chain=input comment="To_WAN-01 input" connection-mark=no-mark in-interface=pppoe-WAN-01 new-connection-mark=wan-01 passthrough=yes
add action=mark-routing chain=output comment="To_WAN-01 out" connection-mark=wan-01 new-routing-mark=wan01 passthrough=no 
 
add action=mark-routing chain=prerouting comment=To_WAN-02 connection-mark=WAN-MM new-routing-mark=mm passthrough=no
add action=mark-connection chain=input comment="To_WAN-02 input" connection-mark=no-mark in-interface=vlan_MM new-connection-mark=WAN-MM passthrough=no
add action=mark-routing chain=output comment="To_WAN-02 out" connection-mark=WAN-MM new-routing-mark=mm passthrough=no

/routing table
add fib name=mm
add disabled=no fib name=wan01

/ip/address> print
Columns: ADDRESS, NETWORK, INTERFACE
 #   ADDRESS             NETWORK         INTERFACE             
1  D 22.x.y.z/22         22.x.y.0        vlan_MM                 
2  D 60.a.b.c/32         192.168.1.1     pppoe-WAN-01     

/ip/route> print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, d, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
 #     DST-ADDRESS        GATEWAY              DISTANCE   ROUTING TABLE
 
   D v 0.0.0.0/0                 pppoe-WAN-01                2    main
   DAd 0.0.0.0/0               22.x.y.z                             1    main
   DAc 192.168.1.1/32     pppoe-WAN-01                 0    main
   DAc 22.x.y.0/22            vlan_MM                          0    main
__  As 0.0.0.0/0               pppoe-WAN-01                2    wan01

/ip/settings> print
    ip-forward: yes
    send-redirects: yes
    accept-source-route: no
    accept-redirects: no
    secure-redirects: yes
   [b] rp-filter: loose[/b]
    tcp-syncookies: yes
    max-neighbor-entries: 8200
    arp-timeout: 30s
    icmp-rate-limit: 10
    icmp-rate-mask: 0x1818
    route-cache: yes
    allow-fast-path: no
    ipv4-fast-path-active: no
   ipv4-fasttrack-active: no

why if i add this route:
add distance=1 dst-address=0.0.0.0/0 gateway=22.x.y.z pref-src="" routing-table=mm scope=30 suppress-hw-offload=no target-scope=10
I can no longer access through the interface that I was able to access before?


Best regards
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Two WAN - But I can only log in on one  [SOLVED]

Sat Sep 03, 2022 6:00 pm

You don't want those rules in prerouting. Previously they were harmless, but recent change in routing marks priority "activated" them and now they are redirecting incoming packets back to internet.
 
iwlet
just joined
Topic Author
Posts: 9
Joined: Mon May 31, 2021 3:22 pm

Re: Two WAN - But I can only log in on one

Sat Sep 03, 2022 7:13 pm

You don't want those rules in prerouting. Previously they were harmless, but recent change in routing marks priority "activated" them and now they are redirecting incoming packets back to internet.
thanks, I have deleted only the prerouting mangle rule, and works!!

I had previously misunderstood your comment and did the following (removing all mangle rules), without success:
/routing rule
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 routing-mark=wan-01 table=wan01

SOLUTION: out prerouting rule!!
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Two WAN - But I can only log in on one

Sat Sep 03, 2022 8:27 pm

Routing rule would be possible solution too. Main advantage of that approach is no need for any mangle rules. But you'd need to work with source addresses, which is easier done when they are static and not dynamic like yours. But what you have now is fine too.

Who is online

Users browsing this forum: No registered users and 7 guests