
I have a CCR1009 (ROS 7.2.3) configured with the COMBO port as WAN_1 and ports eth1 to eth5 as LAN, VOIP, and 3 SERVER ports with different subnets.

The ISP is Fastweb (mixed fiber 100/100), which provides me with 5 public IP addresses, which I have assigned to each port to differentiate some services.

Since a Vodafone direct-fiber line at 1000/200 is arriving, I would like to connect it to eth7 as WAN_2, divert all traffic from the LAN to it, and leave VOIP and the 3 SERVER ports on WAN_1.

I researched for hours and realized that I need to create 2 mangle rules (one for FASTWEB and one for VODAFONE) that mark the packets, assign them to 2 routing tables, and then modify the routes by assigning the tables to the two connections.

Unfortunately despite all attempts I was unable to get the configuration to work.

Could anyone kindly help me?

Thanks in advance,

Gianluca

The current configuration, without mangle rules, is as follows:

# jun/22/2022 13:59:29 by RouterOS 7.2.3
#
# model = CCR1009-7G-1C-1S+
# 

# Two bridges: one for the LAN port and one shared by the three server ports
# (member ports are attached under /interface bridge port).
/interface bridge
add name=BRIDGE_LAN
add name=BRIDGE_SERVER

# Rename the physical ports by role. combo1 is the existing uplink (WAN_ISP1);
# ether7 is named WAN_ISP2 for the second uplink. Firewall and NAT rules refer
# to these names, so every rule that matches WAN_ISP1 needs a reviewed
# counterpart for WAN_ISP2 before that port is connected to the internet.
/interface ethernet
set [ find default-name=combo1 ] name=WAN_ISP1
set [ find default-name=ether1 ] name=LAN
set [ find default-name=ether2 ] name=VOIP
set [ find default-name=ether3 ] name=SERVER1
set [ find default-name=ether4 ] name=SERVER2
set [ find default-name=ether5 ] name=SERVER3
set [ find default-name=ether7 ] name=WAN_ISP2
set [ find default-name=sfp-sfpplus1 ] name=SFPPLUS

# Address pool handed out to DHCP clients on the LAN bridge.
/ip pool
add name=dhcp_lan_pool ranges=192.168.98.100-192.168.98.254

# DHCP server bound to BRIDGE_LAN, leasing from the pool above.
/ip dhcp-server
add address-pool=dhcp_lan_pool interface=BRIDGE_LAN name=dhcp_lan

# Two additional routing tables, created with the fib flag.
# NOTE(review): nothing else in this export refers to TO_VODA or TO_FAST - there
# is no mangle rule that marks routing, no /routing rule, and the only /ip route
# entry uses routing-table=main - so these tables are currently empty and all
# traffic follows the main table.
/routing table
add disabled=no fib name=TO_VODA
add disabled=no fib name=TO_FAST

# Attach the physical ports to their bridges. SERVER1-3 all join BRIDGE_SERVER,
# so hosts on those three ports share one layer-2 segment and one subnet
# (192.168.99.0/24 below); traffic between them is bridged rather than routed.
# NOTE(review): the description mentions "3 SERVER with different subnets" -
# confirm whether the servers are meant to be isolated from one another.
/interface bridge port
add bridge=BRIDGE_SERVER ingress-filtering=no interface=SERVER1
add bridge=BRIDGE_SERVER ingress-filtering=no interface=SERVER2
add bridge=BRIDGE_SERVER ingress-filtering=no interface=SERVER3
add bridge=BRIDGE_LAN ingress-filtering=no interface=LAN

# Internal gateways: one /24 per role (servers, LAN, VOIP).
/ip address
add address=192.168.99.1/24 interface=BRIDGE_SERVER network=192.168.99.0
add address=192.168.98.1/24 interface=BRIDGE_LAN network=192.168.98.0
add address=192.168.1.1/24 interface=VOIP network=192.168.1.0

# Five public addresses (redacted) from the same /29, all bound to WAN_ISP1;
# the comments map each one to the service it is used for in the NAT rules.
# NOTE(review): the last entry is commented "WAN_ISP2 LAN" but is bound to
# interface=WAN_ISP1, and its network= value is redacted differently from the
# other four - confirm it is correct. No address is configured on WAN_ISP2.
add address=xxx.xxx.xxx.142/29 comment="WAN_ISP1 EMPTY" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.141/29 comment="WAN_ISP1 VOIP" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.140/29 comment="WAN_ISP1 WEB" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.139/29 comment="WAN_ISP1 NAS" interface=WAN_ISP1 network=xxx.xxx.xxx.136
add address=xxx.xxx.xxx.138/29 comment="WAN_ISP2 LAN" interface=WAN_ISP1 network=xxx.xxx.xxx.xxx


# Options given to LAN DHCP clients: the router is both gateway and DNS server.
/ip dhcp-server network
add address=192.168.98.0/24 comment="GW LAN" dns-server=192.168.98.1 gateway=192.168.98.1

# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts, which the LAN clients above rely on.
# NOTE(review): the input chain in this export drops unsolicited traffic only
# when in-interface=WAN_ISP1. Once WAN_ISP2 has an address, the resolver would
# be reachable from that side too unless an equivalent input drop rule is added
# for WAN_ISP2.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1

# Packet filter. Rules are evaluated top to bottom per chain; a packet that
# matches no rule is accepted.
#
# input chain (traffic addressed to the router itself):
#   - replies to connections the router already tracks are accepted,
#   - ICMP is accepted from any interface,
#   - everything else arriving on WAN_ISP1 is dropped,
#   - the catch-all drop is disabled.
# NOTE(review): nothing here matches in-interface=WAN_ISP2, and with the
# catch-all disabled the router's own services would be unfiltered on the second
# uplink. Add a WAN_ISP2 drop rule (or an interface list covering both WANs)
# before that port goes live.
#
# forward chain (traffic routed through the router):
#   - only connection-state=invalid is dropped.
# NOTE(review): with no other forward rule, everything the dst-nat rules
# translate, and all routing between the LAN, VOIP and server subnets, is
# permitted. Consider accepting established/related plus the specific forwarded
# ports, and dropping the rest of what enters from the WAN interfaces.
/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABILISHED,RELATED" connection-state=established,related
add action=accept chain=input comment="ALLOW PING ROUTERBOARD" protocol=icmp
add action=drop chain=forward comment="DROP INVALID PACKET" connection-state=invalid
add action=drop chain=input comment="DROP ALL OTHER ON WAN" in-interface=WAN_ISP1
add action=drop chain=input comment="DROPPA DROP ALL OTHER" disabled=yes

# NAT. dstnat rules publish internal hosts on the public addresses; srcnat
# rules pin each internal subnet to one public source address.
#
# dstnat:
#   - xxx.141 UDP, all ports -> 192.168.1.10 (disabled)
#   - xxx.141 TCP+UDP 40000-40999 -> 192.168.1.10 (VOIP)
#   - xxx.140 TCP, all ports 0-65535 -> 192.168.99.16 (web server)
#   - xxx.141 TCP+UDP 45000-45999 -> 192.168.98.42 (a host on the LAN subnet)
# NOTE(review): the xxx.140 rule forwards every TCP port to 192.168.99.16, and
# the forward chain in this export does not restrict it, so every TCP service
# listening on that host is reachable from the internet. Limiting dst-port to
# the ports the website needs would reduce that exposure.
# NOTE(review): two comments mention hairpin NAT, but no separate hairpin srcnat
# rule appears in this export - confirm against the full configuration.
#
# srcnat:
# NOTE(review): none of the three rules sets out-interface, so they match
# regardless of where the packet leaves, including traffic routed between
# internal subnets. In particular the LAN rule rewrites the source to xxx.138,
# an address on WAN_ISP1; LAN traffic sent out through WAN_ISP2 would need its
# own rule with out-interface=WAN_ISP2 placed before it.
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT VOIP 1:1 WITH HAIRPIN NAT" disabled=yes dst-address=xxx.xxx.xxx.141 dst-port=0-65535 protocol=udp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat comment="VOIP TEST TCP" dst-address=xxx.xxx.xxx.141 dst-port=40000-40999 protocol=tcp to-addresses=192.168.1.10 to-ports=40000-40999
add action=dst-nat chain=dstnat comment="VOIP TEST UDP" dst-address=xxx.xxx.xxx.141 dst-port=40000-40999 protocol=udp to-addresses=192.168.1.10 to-ports=40000-40999
add action=dst-nat chain=dstnat comment="NAT WEBSITE 1:1 WITH HAIRPIN NAT" dst-address=xxx.xxx.xxx.140 dst-port=0-65535 protocol=tcp to-addresses=192.168.99.16
add action=dst-nat chain=dstnat comment="VOIP SIM (SU LAN) TCP" dst-address=xxx.xxx.xxx.141 dst-port=45000-45999 protocol=tcp to-addresses=192.168.98.42 to-ports=45000-45999
add action=dst-nat chain=dstnat comment="VOIP SIM (SU LAN) UDP" dst-address=xxx.xxx.xxx.141 dst-port=45000-45999 protocol=udp to-addresses=192.168.98.42 to-ports=45000-45999
add action=src-nat chain=srcnat comment="NAT WEBSITE 1:1 OUT" src-address=192.168.99.0/24 to-addresses=xxx.xxx.xxx.140
add action=src-nat chain=srcnat comment="NAT VOIP 1:1 OUT" src-address=192.168.1.0/24 to-addresses=xxx.xxx.xxx.141
add action=src-nat chain=srcnat comment="NAT LAN 1:1 OUT" src-address=192.168.98.0/24 to-addresses=xxx.xxx.xxx.138


# The only route in this export: a default route in the main table via the
# gateway xxx.137, which sits in the same /29 as the WAN_ISP1 addresses.
# NOTE(review): there is no default route through WAN_ISP2 in any table, so the
# TO_VODA and TO_FAST tables have nothing to forward with yet.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.137 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10 # route for Fastweb
