Preliminary setup: You will need to set up the two WAN connections. Assume IFC1 to be the first WAN port (e.g. ether1) interface and IFC2 to be the second WAN port (e.g. ether5).
/interface list member add interface=IFC1 list=WAN
/interface list member add interface=IFC2 list=WAN
/ip dhcp-client add interface=IFC1 default-route-distance=1
/ip dhcp-client add interface=IFC2 default-route-distance=1
Some of this may already be configured. If using a different type of WAN connection such as PPPoE then adjust accordingly.
When the DHCP client connects, routes should be added; below is an example.
[admin@mikrotik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 yyy.yy.yyy.1 1
1 ADS 0.0.0.0/0 xxx.xxx.xxx.1 1
2 ADC xxx.xxx.xxx.0/22 xxx.xxx.xxx.xxx IFC2 0
...
If you don't see two 0.0.0.0/0 routes with the correct gateways, you can create them as static routes (/ip route add ...). This is basic Mikrotik stuff beyond the scope of this answer.
Differentiating between the two WAN connections will be done using policy routing. On each default WAN route, set a routing mark.
/ip route set 0 routing-mark=unid2rm
/ip route set 1 routing-mark=unid3rm
The values unid2rm and unid3rm are arbitrary text strings. This means the Mikrotik will send packets marked with a given routing mark through the given gateway IP.
Second, configure the firewall. Look at the FORWARD chain. The goal here is to exclude marked connections for the secondary (non-default) WAN from going through fasttrack.
# fasttrack established/related traffic except connections marked for the secondary WAN
# (place-before= is how RouterOS inserts a rule at a given position)
/ip firewall filter add place-before=8 chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!unid2cm
/ip firewall filter add place-before=9 chain=forward action=accept connection-state=established,related
Change the numbers 8 and 9 so that the rules are positioned at the start of your FORWARD chain.
Now in the PREROUTING chain, mark the incoming connections. If you're only steering outbound connections, you can skip this.
# tie connections arriving on each WAN to that WAN so the replies leave the same way
/ip firewall mangle add place-before=3 chain=prerouting action=mark-connection new-connection-mark=unid2cm passthrough=no connection-mark=no-mark in-interface=IFC1
/ip firewall mangle add place-before=4 chain=prerouting action=mark-connection new-connection-mark=unid3cm passthrough=no connection-mark=no-mark in-interface=IFC2
The next step involves the MANGLE table and is where the magic happens for you. Here you mark a connection based on the criteria you set.
# mark new (still unmarked) LAN connections to this destination for the secondary WAN
/ip firewall mangle add place-before=5 chain=prerouting action=mark-connection new-connection-mark=unid2cm passthrough=yes dst-address=221.35.12.5 connection-mark=no-mark in-interface-list=LAN
This is saying "when there is a connection to 221.35.12.5 which is not already marked, mark it with connection mark unid2cm". You can set it based on source IP, MAC, etc. and add as many of these as needed. Then the companion is:
# give every packet of a marked connection the matching routing mark
# (prerouting for forwarded LAN traffic, output for the router's own packets)
/ip firewall mangle add place-before=6 chain=prerouting action=mark-routing new-routing-mark=unid2rm passthrough=no connection-mark=unid2cm in-interface-list=LAN
/ip firewall mangle add place-before=7 chain=output action=mark-routing new-routing-mark=unid2rm passthrough=no connection-mark=unid2cm
/ip firewall mangle add place-before=8 chain=prerouting action=mark-routing new-routing-mark=unid3rm passthrough=no connection-mark=unid3cm in-interface-list=LAN
/ip firewall mangle add place-before=9 chain=output action=mark-routing new-routing-mark=unid3rm passthrough=no connection-mark=unid3cm
Note the difference between unid2rm and unid2cm. These rules take packets from a marked connection and give them a routing mark. The routing mark is then used in Mikrotik's route table as mentioned earlier.
Every setup is a bit different, so you might need to play around to make it work for you.
Added: Mikrotik usually sets up NAT automatically on the WAN interface list. The very first step at the top of the answer ensures that both interfaces are in the list.
[admin@mikrotik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix=""
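As an added example (not part of the answer above, and not MikroTik's own configuration), here is the whole scheme assembled into one RouterOS 6 script so the pieces can be seen together. It assumes IFC1 is ether1 (the secondary WAN, matching the answer's fasttrack exclusion of unid2cm), IFC2 is ether5 (the default WAN), the LAN side is a bridge named bridge, the two WAN gateways are the placeholder addresses 198.51.100.1 and 203.0.113.1, and 221.35.12.5 is the host to be steered, as in the answer. It goes a little beyond the answer in two ways: the default routes are added as static routes, one per routing mark plus a main-table pair with distances, instead of setting a routing mark on the DHCP-installed routes, and check-gateway=ping is set so a dead gateway is withdrawn. Because the routes are static, the DHCP clients are told not to install a default route; if your gateway addresses change, keep the answer's approach or update the routes from a DHCP client script. The routing-mark= syntax on routes is RouterOS 6; RouterOS 7 replaced it with routing-table= and requires the tables to be declared under /routing table first.

```routeros
# Added example: dual-WAN policy routing on RouterOS 6 (not the answer's commands).
# Assumed names/addresses: ether1 = IFC1 (secondary WAN, gateway 198.51.100.1),
# ether5 = IFC2 (default WAN, gateway 203.0.113.1), LAN bridge "bridge",
# steered destination 221.35.12.5. Adjust all of these to your router.

# 1. Interface lists. defconf usually creates WAN and LAN; the :if keeps this idempotent.
:if ([:len [/interface list find name=WAN]] = 0) do={ /interface list add name=WAN }
:if ([:len [/interface list find name=LAN]] = 0) do={ /interface list add name=LAN }
/interface list member add interface=ether1 list=WAN
/interface list member add interface=ether5 list=WAN
/interface list member add interface=bridge list=LAN

# 2. WAN addressing. add-default-route=no because the default routes are managed
#    explicitly in step 3 (assumes the gateway addresses are stable).
/ip dhcp-client add interface=ether1 disabled=no add-default-route=no
/ip dhcp-client add interface=ether5 disabled=no add-default-route=no

# 3. Routes. Main table: ether5 preferred (distance 1), ether1 as failover (distance 2).
#    Marked tables: one default route each, so routing-mark unid2rm always leaves via
#    ether1 and unid3rm via ether5. check-gateway=ping withdraws a route whose gateway
#    stops answering.
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=unid2rm check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=unid3rm check-gateway=ping

# 4. Filter. Fasttracked packets bypass mangle, so connections marked for the secondary
#    WAN must stay out of fasttrack or their packets fall back to the main table.
#    defconf's own fasttrack rule is removed and both rules go to the head of the
#    forward chain (assumes at least one forward rule already exists).
/ip firewall filter remove [find chain=forward action=fasttrack-connection]
:local firstFwd [:pick [/ip firewall filter find chain=forward] 0]
/ip firewall filter add place-before=$firstFwd chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!unid2cm
/ip firewall filter add place-before=$firstFwd chain=forward action=accept connection-state=established,related

# 5. Mangle, added in order (assumes an otherwise empty mangle table).
#    (a) Connections arriving on a WAN are tied to it so the replies leave the same way.
/ip firewall mangle add chain=prerouting in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=unid2cm passthrough=no
/ip firewall mangle add chain=prerouting in-interface=ether5 connection-mark=no-mark action=mark-connection new-connection-mark=unid3cm passthrough=no
#    (b) Steering policy: new LAN connections to 221.35.12.5 use the secondary WAN.
#        Only unmarked connections match, so the first packet decides; add more rules
#        of this shape (src-address, src-mac-address, ...) as needed.
/ip firewall mangle add chain=prerouting in-interface-list=LAN dst-address=221.35.12.5 connection-mark=no-mark action=mark-connection new-connection-mark=unid2cm passthrough=yes
#    (c) Every packet of a marked connection gets the matching routing mark:
#        prerouting for forwarded LAN traffic, output for the router's own packets.
/ip firewall mangle add chain=prerouting in-interface-list=LAN connection-mark=unid2cm action=mark-routing new-routing-mark=unid2rm passthrough=no
/ip firewall mangle add chain=output connection-mark=unid2cm action=mark-routing new-routing-mark=unid2rm passthrough=no
/ip firewall mangle add chain=prerouting in-interface-list=LAN connection-mark=unid3cm action=mark-routing new-routing-mark=unid3rm passthrough=no
/ip firewall mangle add chain=output connection-mark=unid3cm action=mark-routing new-routing-mark=unid3rm passthrough=no

# 6. NAT. defconf's masquerade on out-interface-list=WAN already covers both WANs;
#    add it only if it is missing.
:if ([:len [/ip firewall nat find chain=srcnat action=masquerade out-interface-list=WAN]] = 0) do={
    /ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN
}

# 7. Checks: each marked table holds exactly one default route, and a steered
#    connection shows connection-mark=unid2cm in the connection table.
/ip route print where routing-mark=unid2rm
/ip route print where routing-mark=unid3rm
/ip firewall connection print detail where dst-address~"221.35.12.5"
```

The order in step 5 matters: the mark-connection rules must sit above the mark-routing rules, and marking only connections that are still no-mark means the first packet of a connection fixes its WAN for its whole lifetime, which is what keeps a NATed flow from being split across two public addresses.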