System Administration & Network Administration
networking routing traffic mikrotik
Updated Tue, 13 Sep 2022 22:01:51 GMT

Mikrotik - Add second WAN IP and route specific traffic

After 20 pages of SO results about Mikrotik and some more Google results, I've come here, down on my knees, to request some enlightenment.

I have a network with static IP and some public IP (248 mask).

So far I've configured the network to use one of those public IPs and use it for 2 subnets (192.168.85.X and 192.168.5.X) which are isolated from each other and both can access the internet.

What I'm trying to achieve is to add a second WAN IP to the same interface, and route traffic to a specific server to use that IP.

What I mean is:

Any PC from 192.168.X.X should use WAN IP1 and use the internet with it. Any PC from 192.168.X.X trying to access INSERT RANDOM SITE/IP HERE should use WAN IP2 to browse and navigate to that website (while all the rest of the traffic goes through WAN IP1). The device that gives me the WAN link only has 1 "out" port, so there is no way to put 2 cables from the "modem" to the Mikrotik; right now there is 1 cable going from the modem to the Mikrotik device. I've seen some forum posts where the first part can be solved by just connecting 2 cables and then assigning a different IP to each interface.

As you may notice, I'm really raw in networking and routing, so any GUI/Winbox instruction is appreciated, but CLI commands would be just fine.


You should be able to do this by using src-nat with destination address lists and setting to-address to the desired IP. For the default IP, copy the rule and don't set a dest. address list. For DNS names you'll want to create a script to run using the scheduler which will update an address-list with the IP addresses the website uses. The firewall rules work using IP addresses rather than DNS names.

A somewhat similar example would be 1 router with multiple subnets and different IP addresses per subnet, but rather than using the src-address in the NAT rule, you're basing it off the dst-address.

The info below should help get you on your way to what you're looking to do.

/ip address
# both public addresses are assigned to the same WAN interface (IP aliasing)
add address= interface=ether1-gateway
add address= interface=ether1-gateway
/ip route
# default route towards the ISP gateway
add dst-address= gateway=
/ip firewall address-list
# destinations that should leave through the second WAN address
add address=x.x.x.x list=alt-ip-list
add address=y.y.y.y list=alt-ip-list
add address=z.z.z.z list=alt-ip-list
/ip firewall nat
# traffic to the listed destinations is translated to the second WAN address;
# NAT rules match in order, so this rule must sit above the catch-all rule
add action=src-nat chain=srcnat dst-address-list=alt-ip-list \
    out-interface=ether1-gateway to-addresses=
# everything else keeps using the first (default) WAN address
add action=src-nat chain=srcnat out-interface=ether1-gateway to-addresses=

You can use src-nat instead of masquerade when you need to specify the external IP address. You'll need to make sure that the IP address you specify is set on the outbound interface. This is called IP aliasing.

For the script to update the address list, you'll need to create one that can look up the IP addresses used by whatever website you want to have use the alternate IP.

For Facebook addresses, this would be the Linux command for IPv4 addresses:

whois -h -- '-i origin AS32934' | grep ^route:

For IPv6 you would use:

whois -h -- '-i origin AS32934' | grep ^route6:
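As an added example that is not part of the answer above, here is a POSIX shell script that turns the `route:`/`route6:` output of those two whois commands into RouterOS address-list commands for `alt-ip-list`, ready to be pushed to the router with `/import`. The whois text embedded below is a constructed sample using documentation prefixes, and the `comment=autogen` tag is an assumption used so a re-run only replaces entries it generated itself.

```shell
#!/bin/sh
# Convert whois route objects into RouterOS address-list commands.
# Example code added for illustration; not from the original post.

# Constructed sample of whois output (documentation prefixes, not real routes).
SAMPLE_WHOIS='route:      192.0.2.0/24
descr:      constructed example prefix
origin:     AS32934
route:      198.51.100.0/24
origin:     AS32934
route:      198.51.100.0/24
origin:     AS32934
route6:     2001:db8::/32
origin:     AS32934'

# routes_to_addresslist LIST
# Reads whois output on stdin, keeps the prefix of every route:/route6:
# line, drops duplicates, and prints RouterOS commands that first remove
# the entries generated by a previous run (tagged comment=autogen) and
# then add the current set. IPv4 prefixes go to /ip firewall address-list,
# IPv6 prefixes to /ipv6 firewall address-list, since RouterOS keeps
# the two families in separate lists.
routes_to_addresslist() {
    list="$1"
    prefixes=$(awk '/^route6?:/ { print $2 }' | sort -u)
    for fam in ip ipv6; do
        echo "/$fam firewall address-list remove [find list=\"$list\" comment=\"autogen\"]"
    done
    for p in $prefixes; do
        case "$p" in
            *:*) fam=ipv6 ;;   # a colon only appears in IPv6 prefixes
            *)   fam=ip ;;
        esac
        echo "/$fam firewall address-list add address=$p list=\"$list\" comment=\"autogen\""
    done
}

# Stand-alone run: in practice pipe the real whois command in here instead.
printf '%s\n' "$SAMPLE_WHOIS" | routes_to_addresslist alt-ip-list
```

Run it with the real whois command on the left of the pipe and redirect the output to a `.rsc` file for `/import` on the router.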