porch
just joined
Topic Author
Posts: 7
Joined: Sat Mar 12, 2016 9:51 am

Dual WAN with DMZ

Wed Feb 22, 2017 5:58 am

After a lot of work and great help from this forum, I have my dual WAN working. The only issue is with the DMZ.
ether6-master 172.16.0.0/16 is my DMZ and ether2-master 192.168.1.0/24 is my local network. I cannot access anything on my DMZ from my local network.
Looking at the connections tab, it looks like it is marking the packets as "WAN2_conn". I have not had any luck making it exclude this network from the WAN routing.
Any help is appreciated.

/ip address
add address=172.16.1.2/16 interface=ether6-master network=172.16.0.0
add address=192.168.1.20/24 interface=ether2-master network=192.168.1.0
add address=172.31.1.10/24 interface=WAN1 network=172.31.1.0
add address=172.31.2.10/24 interface=WAN2 network=172.31.2.0

/ip firewall mangle
add chain=prerouting dst-address=172.16.0.0/16
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add chain=prerouting dst-address=172.31.1.0/24 in-interface=ether2-master
add chain=prerouting dst-address=172.31.2.0/24 in-interface=ether2-master
add chain=prerouting dst-address=172.31.1.0/24 in-interface=ether6-master
add chain=prerouting dst-address=172.31.2.0/24 in-interface=ether6-master
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether2-master new-connection-mark=WAN1_conn per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether2-master new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether6-master new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether6-master new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=ether2-master new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=ether2-master new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=ether6-master new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=ether6-master new-routing-mark=to_WAN2

/ip route
add distance=1 gateway=172.31.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=208.67.222.123 routing-mark=to_WAN1
add check-gateway=ping distance=2 gateway=208.67.220.123 routing-mark=to_WAN1
add distance=1 gateway=172.31.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=208.67.220.123 routing-mark=to_WAN2
add check-gateway=ping distance=2 gateway=208.67.222.123 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=172.31.1.1
add check-gateway=ping distance=2 gateway=172.31.2.1
add distance=1 dst-address=208.67.220.123/32 gateway=172.31.2.1 scope=10
add distance=1 dst-address=208.67.222.123/32 gateway=172.31.1.1 scope=10
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual WAN with DMZ

Fri Feb 24, 2017 3:59 pm

It's the reply packets. You skip any route marking for LAN->DMZ, but the first packet coming back is caught by the connection marking rules with in-interface=ether6-master (btw, you have new-connection-mark=WAN2_conn for both) and instead of going back to the LAN, it's sent somewhere out to the internet.

Check out routing rules. You can use them to tell the router to search for the destination only in a given routing table, so even when a packet has a different routing mark, it will go where you want it to:
/ip route rule
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table dst-address=172.16.0.0/16 table=main
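To make the reply-packet problem concrete, here is an added Python model of the relevant part of the thread's setup (not code from the forum or from RouterOS). It keeps only the mangle rules and routes that decide the fate of a DMZ->LAN reply, treats the action-less mangle rule as RouterOS's default accept, and replaces the PCC hash with a constructed parity check; the DMZ host 172.16.5.5 and LAN host 192.168.1.50 are constructed sample addresses.

```python
import ipaddress

# Constructed, simplified model of the post's RouterOS configuration.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("172.16.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Addresses configured on the router itself (dst-address-type=local).
ROUTER_LOCAL = {ipaddress.ip_address(a) for a in
                ("172.16.1.2", "192.168.1.20", "172.31.1.10", "172.31.2.10")}

# Routing tables as (prefix, next hop). The marked tables only carry the
# default routes from the post; main also has the connected networks.
TABLES = {
    "main": [(LAN, "ether2-master"), (DMZ, "ether6-master"), (ANY, "172.31.1.1")],
    "to_WAN1": [(ANY, "172.31.1.1")],
    "to_WAN2": [(ANY, "172.31.2.1")],
}

def mangle_prerouting(src, dst, in_iface):
    """Routing mark the post's prerouting chain gives a new connection."""
    dst = ipaddress.ip_address(dst)
    if dst in DMZ:            # 'chain=prerouting dst-address=172.16.0.0/16'
        return None           # default action accept: no further mangle rules
    if dst in ROUTER_LOCAL:   # excluded by dst-address-type=!local
        return None
    if in_iface == "ether6-master":
        return "to_WAN2"      # both PCC rules set WAN2_conn (the typo Sob notes)
    if in_iface == "ether2-master":
        # PCC 2/0 -> WAN1, 2/1 -> WAN2; constructed parity hash stands in for PCC
        return "to_WAN1" if int(src.split(".")[-1]) % 2 == 0 else "to_WAN2"
    return None

def route_lookup(dst, routing_mark, route_rules=()):
    """Choose the table: a matching lookup-only-in-table rule wins, else the mark."""
    dst = ipaddress.ip_address(dst)
    table = routing_mark or "main"
    for rule_prefix, rule_table in route_rules:
        if dst in rule_prefix:
            table = rule_table
            break
    candidates = [p for p, _ in TABLES[table] if dst in p]
    if not candidates:        # RouterOS falls back to main when a marked table has no route
        return route_lookup(str(dst), None)
    return dict(TABLES[table])[max(candidates, key=lambda p: p.prefixlen)]

def next_hop_for_dmz_reply(route_rules=()):
    """Reply from DMZ host 172.16.5.5 to LAN host 192.168.1.50, arriving on ether6-master."""
    mark = mangle_prerouting("172.16.5.5", "192.168.1.50", "ether6-master")
    return route_lookup("192.168.1.50", mark, route_rules)

# Sob's fix, as route rules: lookup-only-in-table ... table=main for LAN and DMZ.
FIX = ((LAN, "main"), (DMZ, "main"))
```

Without the route rules `next_hop_for_dmz_reply()` returns the WAN2 gateway, so the private-addressed reply leaves towards the internet; with `FIX` it returns ether2-master, the connected LAN interface.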
 
porch
just joined
Topic Author
Posts: 7
Joined: Sat Mar 12, 2016 9:51 am

Re: Dual WAN with DMZ

Mon Feb 27, 2017 8:23 am

The ip route rule did the trick. But I also understand the problem now. Thank you.
