Hi all,
Pulling my hair out on this one. I was working on a recursive WAN fail-over set-up. The main WAN for normal traffic, and an LTE WAN for backup. The main WAN has a dedicated dynamic WireGuard interface that connects to a static remote WG peer. The LTE WAN needs another (backup) dynamic WG interface/peer that is always up/accessible over LTE, even when the recursive fail-over is still using the main WAN. That turned out to become a multi-day dilemma...
So I reset the whole device and started over. BTW I'm on 7.17.
Turns out that the mangle routing rule also does not work with an extremely basic config (not even using any recursive failover, WireGuard interfaces, firewall rules etc.)!
wifi1 and wifi2 are the 2 WANs in this basic test set-up (no LTE modem in this case). Ether1 is the LAN. Bridge is unused.
Either I'm completely stupid, or something weird is happening here. This is the basic config:
Note that when I use the 'routing rule' for policy based routing, it actually does work as expected. I left it in the config (as disabled) just for reference.
Code:
# 2025-01-29 19:45:50 by RouterOS 7.17
# software id = UXH4-3WB2
#
# model = L23UGSR-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac=D4:01:C3:A9:D0:43 auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=sfp1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,1G-baseX
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=station .ssid=WIFI1 disabled=\
    no name=wifi1_WAN1 security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.antenna-gain=0 .chains=0,1 .country=\
    Netherlands .mode=station .ssid=WIFI2 .tx-chains=0,1 disabled=no name=wifi2_WAN2 security.authentication-types=wpa2-eap \
    .eap-certificate-mode=dont-verify-certificate .eap-methods=peap .eap-username=USERNAME .encryption="" .ft=yes .ft-over-ds=yes
/interface list
add name=WAN
/routing table
add disabled=no fib name=WAN2
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=wifi1_WAN1 list=WAN
add interface=wifi2_WAN2 list=WAN
/ip dhcp-client
add add-default-route=no comment=" " interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=wifi1_WAN1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=wifi2_WAN2 use-peer-dns=no use-peer-ntp=no
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=8.8.8.8 log=yes new-routing-mark=WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.30.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.80.1 routing-table=WAN2 scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rule
add action=lookup-only-in-table disabled=yes dst-address=8.8.8.8/32 table=WAN2
/system note
set show-at-login=no
The traffic (e.g. ping to 8.8.8.8) keeps going over the main WAN interface (wifi1). If I disable wifi1, no connection is made to the second (wifi2) gateway.
Any clue why this mangle rule refuses to work?
Statistics: Posted by willemjan — Wed Jan 29, 2025 10:00 pm