2 WAN port forwarding

Ugh. I have two issues I believe are partially related. I have a 2 WAN 1 LAN setup where I have static IPs on each WAN. I'd like to be able to port forward from each WAN static IP to the same internal LAN server. I can get one or the other working. I'm NOT trying to load balance or anything special other than dual WAN port forwarding. We want to be able to reach a terminal server, for instance, by way of either WAN carrier. I'm positive this is because I'm an idiot with Mikrotik. I've tried several suggestions in the forum for input chain marking but it didn't work either. I tried just entering 0.0.0.0/0 to Gate1 distance 1 and 0.0.0.0/0 to Gate2 distance 1 or 2; in either case, only one side will forward.

Related to this, I have a 3 WAN load balance setup at another location working perfectly for its designed use. All three WANs have multiple static IPs but I have the same issue as above here too. I can get forwarding to work on WAN1 but not WAN2 or WAN3 unless I disable the other forward NATs and create new ones for one of the other WANs.

Would anyone be willing to make me a small copy-and-paste script to plunk into this test box and play with to get me started? Unfortunately I came from a point-and-click PFSense world and am trying to learn RouterOS under pressure.

Example:
WAN1 = 80.80.80.80/24 Gate = 80.80.80.1
WAN2 = 70.70.70.70/24 Gate = 70.70.70.1
LAN = 10.75.75.253/24
SERVER = 10.75.75.59 TCP 3389

Thanks,
Tim

First, the NAT rules:

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address=80.80.80.80 protocol=tcp dst-port=3389 to-addresses=10.75.75.59
add chain=dstnat action=dst-nat in-interface=WAN2 dst-address=70.70.70.70 protocol=tcp dst-port=3389 to-addresses=10.75.75.59

Now, mark all connections coming into WAN1 as such, do the same for WAN2:

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection 
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection

Set routing marks for all packets in those connections that come in from the LAN and go back out to the internet:

/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=LAN connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

And lastly install some routes that match those routing marks to make sure the packets go back out the right pipe:

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=80.80.80.1
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=70.70.70.1

THANKS FOR THE QUICK REPLY! I plopped that in from scratch and now the server gets "destination host unreachable" trying to get out through the router, but oddly enough, 3389 works from WAN2 but not from WAN1?? Any ideas there? I dumped everything else config-wise, so other than what you sent above and the IP assignment, is there anything else I need? Masq. rules?

Thanks

Yes, you do need source NAT as well. If you dumped everything, you probably want to add something like:

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

Edit: since you probably also took out the routes when "clearing everything else", you will also need:

/ip route
add dst-address=0.0.0.0/0 gateway=80.80.80.1 distance=1
add dst-address=0.0.0.0/0 gateway=70.70.70.1 distance=2

That will prefer WAN1 over WAN2 for all traffic except the stuff we're specifically marking to go back out WAN2 because it came in through WAN2 in the first place.

Struck out again. Dumber question from your first post:
/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection

Is the WAN1 on the second line a typo? Your comment was to do the same for WAN2; could you elaborate a bit more on this section please?


Thanks
Tim

Yes, that's a typo.

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection

should be

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection

My bad. Also please see the post above yours for the edit - I was adding that in while you were posting your reply.

You rock! Are you for hire in any capacity?

trr.usa@gmail.com

It's working now?

And no - I suspect my wife would kill me if I actually hard committed more of my time than I already do to my job. Playing on forums is fine because I can drop it at any time…

It is working like a charm. However... dang, there's always a however... I have a similar issue. From the outside, I can ping the WAN1 interface but not WAN2 unless I reverse the distance. Any way around that? My monitoring system is spitting at me. 3389 works inbound over either link great though! Spot project work at your own pace?

Try adding this:

/ip firewall mangle
add chain=output connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

So far we were only applying routing marks to return traffic that flows through the router and came in through the LAN interface; that doesn't cover ICMP to the router itself. The above lines should fix that.
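Pulling the pieces from the replies above into one copy-and-paste script, as an added example that is not one of the thread's posts. It uses the addresses from Tim's example and assumes the interfaces are named WAN1, WAN2 and LAN. Two things the snippets above leave implicit are made explicit: connection-state=new, so a connection is marked only by its first packet, and protocol=tcp, which RouterOS requires next to dst-port. The address-list restriction on inbound RDP and the 203.0.113.0/24 management network are assumptions about the environment, not anything from the thread; drop that part if the terminal server really has to accept RDP from anywhere.

```routeros
# Added example, not from the thread. RouterOS v6 syntax (v7 renames
# routing-mark to routing-table and needs "/routing table add name=... fib").
# Assumed interface names: WAN1, WAN2, LAN. Addresses from Tim's example.

/ip address
add address=80.80.80.80/24 interface=WAN1
add address=70.70.70.70/24 interface=WAN2
add address=10.75.75.253/24 interface=LAN

# Main table: WAN1 preferred, WAN2 fallback. Then one route per routing mark,
# so replies leave through the link the connection arrived on.
/ip route
add dst-address=0.0.0.0/0 gateway=80.80.80.1 distance=1
add dst-address=0.0.0.0/0 gateway=70.70.70.1 distance=2
add dst-address=0.0.0.0/0 gateway=80.80.80.1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=70.70.70.1 routing-mark=to_WAN2

/ip firewall mangle
# Remember which WAN a connection arrived on. connection-state=new means the
# first packet marks the connection; every later packet already carries it.
add chain=prerouting in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=WAN1_connection passthrough=yes
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=WAN2_connection passthrough=yes
# Forwarded replies from the LAN (the terminal server answering RDP).
add chain=prerouting in-interface=LAN connection-mark=WAN1_connection \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting in-interface=LAN connection-mark=WAN2_connection \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no
# Replies the router generates itself (ping, Winbox, SSH to a WAN address).
add chain=output connection-mark=WAN1_connection \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_connection \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat
# Inbound RDP on either public address goes to the terminal server.
add chain=dstnat in-interface=WAN1 dst-address=80.80.80.80 protocol=tcp \
    dst-port=3389 action=dst-nat to-addresses=10.75.75.59
add chain=dstnat in-interface=WAN2 dst-address=70.70.70.70 protocol=tcp \
    dst-port=3389 action=dst-nat to-addresses=10.75.75.59
# Outbound traffic takes the address of whichever WAN it is routed through.
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

# Assumption: RDP should not be reachable from the whole Internet. Only the
# listed networks may reach the forwarded port; everything else is dropped
# after dst-nat but before the server sees it. Adjust the list to taste.
/ip firewall address-list
add list=rdp_allowed address=203.0.113.0/24 comment="assumed management network"
/ip firewall filter
add chain=forward in-interface=WAN1 protocol=tcp dst-address=10.75.75.59 \
    dst-port=3389 src-address-list=!rdp_allowed action=drop
add chain=forward in-interface=WAN2 protocol=tcp dst-address=10.75.75.59 \
    dst-port=3389 src-address-list=!rdp_allowed action=drop

# Checks once it is in: an RDP session opened via 70.70.70.70 must show up with
# the WAN2 mark, and the marked route must exist, otherwise replies leave WAN1.
/ip firewall connection print where connection-mark=WAN2_connection
/ip route print where routing-mark=to_WAN2
/tool torch interface=WAN2 port=3389
```

If the connection print shows the session but the RDP client still hangs, the mark is being set and the routing mark is not being applied; look at the packet counters on the two prerouting mark-routing rules. If the connection never appears with a mark, the dst-nat rule or the upstream filter is dropping it before mangle sees a second packet.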

And while I have the Guru online, I have another issue I can't figure out in RouterOS, and I guess it's called hairpin NAT. In PFSense it was called NAT reflection: inside hosts trying to access services hosted internally across the WAN. Are you any good with that? Even worse, the whole reason I bought another one of these RB750Gs was to just stick the servers behind that and route clients out the other one, all because I couldn't figure that out! But hey, $99 versus another week of me screaming at the wall.

Damn, what I wouldn't give to borrow your brain for a few days! That worked. Pings from both WANs now.

Thanks!!!

Read this thread: http://forum.mikrotik.com/t/wan-services-not-available-to-local-users-please-help/32923/1

It contains hairpin NAT discussions.
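Since the thread only links to the hairpin discussion, here is the standard RouterOS form of it for Tim's addresses, as an added example that is not from the linked thread or from any post here. It assumes the same interface names (WAN1, LAN) and that LAN clients reach the terminal server by the WAN1 public address. The one change from the dst-nat rule earlier in the thread is that the hairpinned rule must not carry in-interface=WAN1, or packets arriving from the LAN never match it.

```routeros
# Added example, not from the thread: hairpin NAT (NAT reflection) for
# LAN clients that connect to 80.80.80.80:3389 instead of 10.75.75.59:3389.
# Assumed interface names: WAN1, LAN.

/ip firewall nat
# Replaces the earlier in-interface=WAN1 dst-nat rule for port 3389. Without an
# in-interface match it applies to packets from WAN1 and from LAN alike.
add chain=dstnat dst-address=80.80.80.80 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=10.75.75.59
# Without this, the server answers the LAN client directly (same subnet) from
# 10.75.75.59, while the client's socket expects 80.80.80.80 and drops the reply.
# Masquerading LAN-to-server traffic forces the reply back through the router,
# which un-NATs it. srcnat runs after dst-nat, so dst-address here is the
# already-translated server address.
add chain=srcnat src-address=10.75.75.0/24 dst-address=10.75.75.59 protocol=tcp \
    dst-port=3389 out-interface=LAN action=masquerade

# Check: a hairpinned session shows the LAN client as source and the server as
# the (translated) destination, with reply-dst being the router's LAN address.
/ip firewall connection print where src-address~"^10.75.75." dst-address~"^80.80.80.80"
```

One side effect worth knowing before you audit the terminal server's logs: every hairpinned RDP session arrives at 10.75.75.59 with source address 10.75.75.253, the router's LAN address, so the client's real address is only visible in the router's connection table. Clients that resolve the server by its internal name and address avoid the hairpin entirely, which is the cleaner fix where split DNS is an option.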

Anything similar for the router itself outbound? If I try to ping from inside the router using WAN1, it's happy; selecting WAN2, it's not.

How exactly are you pinging?

Winbox - Tools - Ping - choosing different interfaces to test.

Try

/ip firewall mangle
add chain=output src-address=80.80.80.80 action=mark-routing new-routing-mark=to_WAN1
add chain=output src-address=70.70.70.70 action=mark-routing new-routing-mark=to_WAN2

same results

Fewi,

I have been wondering why you would mark connections in the prerouting chain instead of input and forward. I understand that you save mangle rules by doing so, but if you follow the PCC wiki, they mark the input chain only.

If you do dst-nat without adding any rules other than the one in this wiki, you would end up with dst-nat not working. To get around this I added some rules in the forward chain as follows:

/ip firewall mangle
add chain=forward in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=forward in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection

I guess both will work out, but is there any advantage to running one over the other?

Thank you

Hi, guys.
This solution looks really great; can anybody write it up with a description in the wiki?
Thanks Fewi.