eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 11:07 am

Hi all.
I worked with squid before, but as you already know, the rules in RouterOS are different.

I need to deny downloading files larger than 200MB, but I need this rule to work for everyone except 2 computers. How do I do it?

Thank you in advance

Board name: RB750G


And an easy one: I want to have 2 subnets, Nr.1 192.168.0.1/24 and Nr.2 192.168.10.1/24. I need to make a rule that will not allow subnet Nr.2 to see or access subnet Nr.1, but at the same time both should have internet access. Thanks
Last edited by eXtremer on Mon Jan 03, 2011 7:29 pm, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 4:07 pm

You can't until they have already downloaded the first 200MB, which would waste that bandwidth.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 4:22 pm

> You can't until they have already downloaded the first 200MB, which would waste that bandwidth.
But if it is the same squid, why doesn't it have this option?

In squid under Linux there was something like this:

reply_body_max_size 200000000 deny LAN !allowADMIN
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 4:30 pm

it is not squid in RouterOS. (older versions had squid, but that was 2.9.x)

for a lot of downloads you cannot predict the size, so they will download 200MB and then you disable them. In these cases I usually suggest throttling, so these big downloads get lower data rate. You can look up queues for this and how to do this.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 4:39 pm

> it is not squid in RouterOS. (older versions had squid, but that was 2.9.x)
>
> for a lot of downloads you cannot predict the size, so they will download 200MB and then you disable them. In these cases I usually suggest throttling, so these big downloads get lower data rate. You can look up queues for this and how to do this.
So practically you can do nothing about it, not good, not good :|

What about the other question: how do I deny access to a specific website (I did it already, it's working) for everyone except my IP and my boss's, for example?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 4:46 pm

http://wiki.mikrotik.com/wiki/Manual:IP ... ccess_List
Make two proxy access rules that accept traffic unconditionally from the two IP addresses, and put them higher in the list than the deny rule.
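fewi's answer in RouterOS commands, as an added example written for this page (it is not fewi's configuration and not taken from the MikroTik wiki). The admin addresses 192.168.0.10 and 192.168.0.11, the blocked host pattern, the proxy port 8080 and the interface names LAN1/WAN1 are assumed; RouterOS 6 syntax is used. The proxy access list is evaluated top to bottom and the first matching rule wins, which is why the two allow rules must sit above the deny rule.

```routeros
# Added example (not from the thread): block one site for everyone except two hosts.
# Assumed values: admin hosts 192.168.0.10 / 192.168.0.11, pattern *example.com*,
# proxy on port 8080, interfaces LAN1 (inside) and WAN1 (outside).
/ip proxy
set enabled=yes port=8080

/ip proxy access
# Exceptions first: first match wins, so the allow rules must be above the deny rule
add src-address=192.168.0.10 action=allow comment="admin workstation - bypass site block"
add src-address=192.168.0.11 action=allow comment="boss workstation - bypass site block"
# Everyone else is denied for the blocked host pattern (* and ? are wildcards)
add dst-host=*example.com* action=deny comment="blocked for everyone else"

/ip firewall nat
# Transparent proxy: send LAN web traffic (port 80 only, as in the thread) into the proxy.
# Any dst-nat rule for a published web server on port 80 must be placed ABOVE this rule,
# otherwise the published server's traffic is swallowed by the proxy as well.
add chain=dstnat in-interface=LAN1 protocol=tcp dst-port=80 action=redirect to-ports=8080 \
    comment="transparent proxy"

/ip firewall filter
# The proxy must not be reachable from the Internet, or the router becomes an open proxy
add chain=input in-interface=WAN1 protocol=tcp dst-port=8080 action=drop comment="no open proxy"

# Verify rule order; the order printed is the order in which rules are matched
/ip proxy access print
```

The `hits` counter shown by `/ip proxy access print` is the quickest way to confirm that the two admin hosts are being matched by their allow rules rather than falling through to the deny rule.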
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 5:30 pm

> http://wiki.mikrotik.com/wiki/Manual:IP ... ccess_List
> Make two proxy access rules that accept traffic unconditionally from the two IP addresses, and put them higher in the list than the deny rule.
Understood, thanks again ;)
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 7:13 pm

Another thing, how could I see what websites a user (IP) is surfing? There is no such information in the logs area!
Thank you in advance.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 7:25 pm

http://wiki.mikrotik.com/wiki/Manual:System/Log

Add a logging action for the 'web-proxy' topic.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings

Mon Jan 03, 2011 8:13 pm

> http://wiki.mikrotik.com/wiki/Manual:System/Log
>
> Add a logging action for the 'web-proxy' topic.
Thank you fewi, just one thing: I changed the action from memory to disk, because I want to keep the logs for a few days and check them from time to time. My question is, for how long will the system save the logs? I don't want to run out of disk space on my router. Can I delete them somehow, or how does it work?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 8:16 pm

The router will save as many lines as you specify in the disk logging action. I think its default is 100 lines, and once the 100 lines are used up it will drop the oldest one to add the new one. If you want to save these logs, it would be much better to use the remote action and set up a syslog server. There you can define retention policies.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 9:08 pm

> The router will save so many lines that you specify in the logging action disk. I think it's default is 100 lines, and once the 100 lines are used up it will drop the old one to add on the new one. It would be much better if you wanted to save these logs to use the remote action and set up a syslog server. There you can define retention policies.
Yes, this is the only wise thing to do in this situation. Tomorrow I'll find a free syslog server and see what will happen. Thanks.


Another unsolved problem I have is reaching my (web) mail server from my LAN using the public IP. fewi gave me the wiki link (Hairpin NAT), but it seems I don't have enough brain to configure the rule properly, so:

One important thing to add: I made a firewall rule that forwards port 80 to 81 on 192.168.0.200 (81 is the port for the web mail), so that when I go to my public IP in my browser it automatically shows the web mail interface without the port number, e.g. 87.233.82.82:81 -> just 87.233.82.82

So, the standard example:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
  action=dst-nat to-address=192.168.1.2
add chain=srcnat out-interface=WAN action=masquerade
1.1.1.1 - is this my public IP (87.233.82.82)?

My code should be like this?:

/ip firewall nat
add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=80 \
action=dst-nat to-address=192.168.0.200 - my local mail server
add chain=srcnat out-interface=WAN1 action=masquerade - WAN1 is my interface

then

Standard example:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.2 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade
My code should be like this?:

/ip firewall nat
add chain=srcnat src-address=192.168.0.1/24 \
dst-address=192.168.0.200 protocol=tcp dst-port=80 \
out-interface=LAN1 action=masquerade - LAN1 my Lan interface


I don't know why, but I still cannot reach my mail server using the public IP from my LAN! (But I can reach it from any other network, from home, and so on...)

Really need help with this one, thank you.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 9:55 pm

Here is the complete NAT ruleset you need:
/ip firewall nat
add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.200 to-port=81
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 protocol=tcp dst-port=81 out-interface=LAN action=masquerade
add chain=srcnat out-interface=WAN1 action=masquerade 
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 10:05 pm

> Here the complete NAT ruleset you need:
> /ip firewall nat
> add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.200 to-port=81
> add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 protocol=tcp dst-port=81 out-interface=LAN action=masquerade
> add chain=srcnat out-interface=WAN1 action=masquerade
Works like a charm, but not quite... when I use the IP 87.233.82.82 it works great, I see the web mail, but when I use the domain name mail.domain.com it's not working :(
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 10:09 pm

Then you have a DNS problem. If it works via IP, it works via IP. Check what IP address the domain name resolves to.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 10:24 pm

> Then you have a DNS problem. If it works via IP, it works via IP. Check what IP address the domain name resolves to.
The thing is that I'm at home at the moment and I can use both ways, IP or domain, and it's working, but at work it isn't working when trying with the domain name, so I don't think it is a DNS issue. But what could it be?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 10:37 pm

It IS a DNS issue. DNS just helps you resolve a name to an IP, the browser then actually uses the IP address to access the service. Access by IP is working, so the problem MUST be with DNS.

Go to the command line both at work and at home and run "nslookup whatever.domain.com" and compare the output. There'll be a difference.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 11:10 pm

> It IS a DNS issue. DNS just helps you resolve a name to an IP, the browser then actually uses the IP address to access the service. Access by IP is working, so the problem MUST be with DNS.
>
> Go to the command line both at work and at home and run "nslookup whatever.domain.com" and compare the output. There'll be a difference.
Stupid me, now I understand why it wasn't working: on the server I was testing, the DNS server was set to the domain server, but when I tried my personal computer, which uses the router's DNS, it worked. Thank you!
But there is another but: when I set the public IP in Outlook it doesn't work, neither by IP nor by domain:

[screenshot: Outlook error]

Here are my NAT rules:

[screenshot: NAT rules]

Rules 3 to 15 were made manually, all the other ones were made automatically, except the last 3 (33-35), which were made by you.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings | System logging

Mon Jan 03, 2011 11:24 pm

You never mentioned there were more ports being forwarded. You need to make the same hairpin NAT exceptions for ALL ports. Since you have a bunch of ports, it's easier to just do it for the entire host.

Remove the following line:
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 protocol=tcp dst-port=81 out-interface=LAN action=masquerade
and replace it with:
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 out-interface=LAN action=masquerade
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 8:51 am

> You never mentioned there were more ports being forwarded. You need to make the same hairpin NAT exceptions for ALL ports. Since you have a bunch of ports, it's easier to just do it for the entire host.
>
> Remove the following line:
> /ip firewall nat
> add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 protocol=tcp dst-port=81 out-interface=LAN action=masquerade
> and replace it with:
> /ip firewall nat
> add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 out-interface=LAN action=masquerade
Sorry for not mentioning the other port forwards. I disabled the rule you mentioned and added the new one, but I receive the same error in Outlook. I want to say that not all ports are forwarded to the same IP (192.168.0.2); there are about 3 rules (remote desktop) for other IPs.
Thank you.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 9:16 am

Another thing: I just enabled Web Proxy and I get "ERROR: Gateway Timeout" when trying to reach the web mail server with the public IP :|

ERROR: Gateway Timeout

While trying to retrieve the URL http://mail.domain.com/:

* Connection refused

Your cache administrator is Webmaster.
Generated Tue, 04 Jan 2011 09:15:15 GMT by 192.168.0.1 (Mikrotik HttpProxy)
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 9:18 am

> Another thing - I just enabled Web Proxy and I get the "ERROR: Gateway Timeout" when trying to reach web mail server with the public IP :|
>
> ERROR: Gateway Timeout
>
> While trying to retrieve the URL http://mail.domain.com/:
>
> * Connection refused
>
> Your cache administrator is Webmaster.
> Generated Tue, 04 Jan 2011 09:15:15 GMT by 192.168.0.1 (Mikrotik HttpProxy)
which ports are you redirecting to the proxy? only 80? do you have any rules in the proxy access list?
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 9:31 am

>> Another thing - I just enabled Web Proxy and I get the "ERROR: Gateway Timeout" when trying to reach web mail server with the public IP :|
>>
>> ERROR: Gateway Timeout
>>
>> While trying to retrieve the URL http://mail.domain.com/:
>>
>> * Connection refused
>>
>> Your cache administrator is Webmaster.
>> Generated Tue, 04 Jan 2011 09:15:15 GMT by 192.168.0.1 (Mikrotik HttpProxy)
> which ports are you redirecting to the proxy? only 80? do you have some rules in the proxy access list ?
Everything is done as stated here: http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy
Yes, only port 80, and there are no other rules in the proxy access list.
But one thing: there is a NAT rule that redirects port 80 to 81. I don't know if it has something to do with it; all the rules are in the print screen above.
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 9:34 am

why would you need a NAT rule like that? disable it and see if it changes something
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 9:47 am

> why would you need a NAT rule like that? disable it and see if it changes something
I said in the posts above why I needed it. I disabled it and nothing changed.
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 9:50 am

are all other sites working? for example other web mail services like gmail or yahoo?
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 10:17 am

> are all other sites working? for example other web mail servises like gmail or yahoo?
Solved: I just put the 80 to 81 forward rule above the transparent proxy rule and it works!
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 10:38 am

But I still have the Outlook issue...

[screenshot: Outlook error]

If I remove the ! from the Src. Address for rules nr. 7 and 8 (port forwards for POP3 and SMTP, ports 110 and 25), it works in the LAN using the public IP (87.233.82.82), but it doesn't work outside the LAN; if I add the ! then it works outside my LAN and doesn't work inside my LAN. I want Outlook to use the public IP both outside and inside my LAN.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 12:45 pm

Played a little bit with the rules, completely removed the Src. Address (192.168.0.0/24) from all port forward rules and now it's working in both situations. [SOLVED]
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 12:48 pm

your port forward rules had the address inverted - "!192.168.88.1" means "Not This Address!". Do not check the exclamation mark (!) in the rules.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 12:58 pm

> your port forward rules had the address inverted - "!192.168.88.1" means "Not This Address!". Do not check the exclamation mark (!) in the rules.
If I don't check the exclamation mark it doesn't work from the outside, only in the LAN. But it doesn't matter now, with the port forwards it is solved.
> The router will save so many lines that you specify in the logging action disk. I think it's default is 100 lines, and once the 100 lines are used up it will drop the old one to add on the new one. It would be much better if you wanted to save these logs to use the remote action and set up a syslog server. There you can define retention policies.

I installed the trial version of Kiwi today. I receive the logs on the syslog server, but it shows just one hostname, the router address (192.168.0.1), so I can't verify which user opened which website. Is there a workaround? If I choose the memory option I see all the IPs surfing; with remote I see only 192.168.0.1.

About the !debug option: I added this rule, but I don't know why I still get the debug info, not only the websites...

> Note: it's a good idea to add another topic in the same rule: !debug. This would be to ensure you don't get any debug stuff, only the visited sites.
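The logging setup that Feklar's answer and the `!debug` note above describe, as an added example written for this page (not the configuration of anyone in the thread and not taken from the wiki). The syslog server address 192.168.0.50, UDP port 514 and the file counts are assumed; RouterOS 6 syntax is used, which differs in places from the 4.x build the thread runs. On the Kiwi question: the remote action sends the router's own address as the syslog source, so the collector shows 192.168.0.1 as the host for every line; the client IP is part of the message text, so a per-user view has to filter on the message body rather than on the host column.

```routeros
# Added example (not from the thread): ship web-proxy log lines to a syslog server and
# bound what is kept on the router's own storage.
# Assumed values: syslog collector 192.168.0.50 on UDP 514, router LAN address 192.168.0.1.

/system logging action
# Remote action: the syslog header carries the router as the source host;
# the proxy client's IP is inside the message text of each line.
add name=syslog target=remote remote=192.168.0.50 remote-port=514 src-address=192.168.0.1
# Disk action: set an explicit retention bound instead of relying on the default line count.
# 5 files x 2000 lines; the oldest file is overwritten when the count is reached.
set disk disk-file-count=5 disk-lines-per-file=2000

/system logging
# Only the proxy accounting lines; "!debug" excludes the debug sub-topic,
# which otherwise floods the log with cache and connection details.
add topics=web-proxy,!debug action=syslog comment="sites visited, to the collector"
add topics=web-proxy,!debug action=disk comment="short local copy for quick checks"

# Checks: confirm the actions and look at what the router itself is logging
/system logging action print
/system logging print
/log print where topics~"web-proxy"
```

Two things worth verifying after applying this: that the collector host is reachable only from the router (UDP syslog is unauthenticated, so the collector should not accept lines from arbitrary LAN hosts), and that the `!debug` exclusion is in the same rule as the `web-proxy` topic; a separate rule with only `!debug` does not remove debug lines produced by the first rule.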
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 1:00 pm

yes, and the exclamation mark made the difference - either from outside (with !), or from inside (no !). you needed to have two rules then (for each network).

i'm just trying to explain what caused it, I know that you solved it.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 3:02 pm

> yes, and the exclamation mark made the difference - either from outside (with !), or from inside (no !). you needed to have two rules then (for each network).
>
> i'm just trying to explain what caused it, I know that you solved it.
Understood, thank you.

Actually it didn't work properly: Yahoo mail, Gmail and a few other websites didn't open at all, so I did it as you said, two rules for each network.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 4:46 pm

Nope, it isn't working. If I add the same rules without ! my mail server will not send email from the LAN, and the SSL websites (port 443) won't work. Damn, will I ever solve this... :|
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 5:13 pm

Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.
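The symptom two posts up (mail cannot be sent from the LAN and HTTPS sites stop working once the `!` is removed) follows from how the dstnat chain matches: a dst-nat rule with only `dst-port=443` and no `dst-address` catches every connection to port 443, including LAN clients' outbound HTTPS to other servers, and redirects it to the mail host. The negated source address was hiding that. fewi's port-80 rule avoids it by matching on the public address instead, and the rules below extend that approach to the other forwarded ports. This is an added example written for this page, not fewi's ruleset; it assumes a single public address (87.233.82.82, from the thread) on one WAN interface, the host and interface names from the thread, and does not address the ECMP and multi-WAN situation in the later posts.

```routeros
# Added example (not from the thread): port forwards keyed on the public address rather
# than on a negated source, so one rule per service serves Internet and LAN clients
# without hijacking LAN clients' outbound connections to other servers on the same port.
# Assumed: single public address 87.233.82.82 on WAN1, mail host 192.168.0.200 on LAN1.
/ip firewall nat
# dst-address restricts each forward to traffic actually addressed to the public IP.
# These must sit ABOVE any transparent-proxy redirect for port 80.
add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=25  action=dst-nat \
    to-addresses=192.168.0.200 to-ports=25  comment="SMTP to mail host"
add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=110 action=dst-nat \
    to-addresses=192.168.0.200 to-ports=110 comment="POP3 to mail host"
add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=443 action=dst-nat \
    to-addresses=192.168.0.200 to-ports=443 comment="HTTPS to mail host"
add chain=dstnat dst-address=87.233.82.82 protocol=tcp dst-port=80  action=dst-nat \
    to-addresses=192.168.0.200 to-ports=81  comment="webmail, published on 80, listens on 81"
# Hairpin: a LAN client that reaches the mail host through the public address must see
# the router as the source, otherwise the host answers the client directly and the
# client drops the reply because it expected it from 87.233.82.82.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.200 out-interface=LAN1 \
    action=masquerade comment="hairpin NAT for the mail host"
# Ordinary Internet masquerade last
add chain=srcnat out-interface=WAN1 action=masquerade comment="Internet access"

# Check that a LAN client's outbound HTTPS to an unrelated server is NOT being
# rewritten: the dst-nat rules' packet counters should only move for the public IP.
/ip firewall nat print stats
/ip firewall connection print where dst-address~":443"
```

The second check is the useful one for this kind of bug: after a LAN client opens an HTTPS site, `/ip firewall connection print` should show that connection with its real destination, not with a reply destination of 192.168.0.200.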
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Tue Jan 04, 2011 5:50 pm

> Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.
Arax/WAN1 (PPPoE) - first provider
WAN2 (static) - second provider
LAN1 - LAN


Both providers work at the same time, a kind of load balancing: one connection through WAN1, one through WAN2. It works quite well.
There are port forwards for a mail server (pop3, smtp, ...) and a terminal server (rdp).

The issues I have now:

1. The failover isn't working properly: if one provider fails, packets still go through both routes, when they should go only through the one that has internet. I had a situation a few days ago when one provider had only intranet access but no internet; the pages didn't open because packets were going through the route that didn't have internet.
2. I can connect to my server from home only through the first provider's (Arax/WAN1) IP but not through the second provider's (WAN2), although the port forward rules allow connections from any network/IP. I can connect to the router with Winbox only by the WAN1 IP but not the WAN2 IP, although I can ping WAN2.
3. I need to access the public IPs (of both providers) from external networks and from the LAN too.

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN1 actual-interface=LAN1 

 1   address=77.X.X.X/30 network=77.X.X.X broadcast=77.X.X.X interface=WAN2 actual-interface=WAN2 

 2 D address=87.X.X.X/32 network=217.X.X.X broadcast=0.0.0.0 interface=Arax actual-interface=Arax 
[admin@MikroTik] > 
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=Arax,WAN2 gateway-status=Arax reachable,WAN2 reachable distance=1 scope=30 target-scope=10 

 1 A S  dst-address=77.X.X.X/24 gateway=WAN2 gateway-status=WAN2 reachable distance=1 scope=30 target-scope=10 

 2 ADC  dst-address=77.X.X.X/30 pref-src=77.X.X.X gateway=WAN2 gateway-status=WAN2 reachable distance=0 scope=10 

 3 A S  dst-address=87.X.X.X/24 gateway=Arax gateway-status=Arax reachable distance=1 scope=30 target-scope=10 

 4 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=LAN1 gateway-status=LAN1 reachable distance=0 scope=10 

 5 ADC  dst-address=217.X.X.X/32 pref-src=87.X.X.X gateway=Arax gateway-status=Arax reachable distance=0 scope=10 
[admin@MikroTik] > 
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME        TYPE       MTU   L2MTU
 0  R  ;;; interface WAN
       WAN1        ether      1500  1524
 1  R  WAN2        ether      1500  1524
 2  R  ;;; interface LAN
       LAN1        ether      1500  1524
 3  R  LAN2        ether      1500  1524
 4  R  LAN3        ether      1500  1524
 5  R  Arax        pppoe-out  1480
[admin@MikroTik] > 
[admin@MikroTik] > /ip firewall export
# jan/04/2011 19:25:07 by RouterOS 4.11
# software id = HT2T-Y3XQ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN1 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN2 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=Arax protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="" disabled=no dst-port=8291 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN1
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN1
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN2
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN1
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN2 jump-target=customer
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN1 jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
add action=drop chain=input comment="" disabled=yes dst-port=8291 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=WAN2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=Arax
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=21 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=21
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=25 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=110 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=110
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=143 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=143
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=443 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=433
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=465 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=465
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=993 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=993
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=995 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.200 to-ports=995
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=2222 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.250 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3333 protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.0.187 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=87.233.82.82 dst-port=80 protocol=tcp to-addresses=192.168.0.200 to-ports=81
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp to-addresses=192.168.0.1 to-ports=8080
add action=masquerade chain=srcnat comment="" disabled=no dst-address=192.168.0.200 out-interface=LAN1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061
set pptp disabled=yes
[admin@MikroTik] >  
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Wed Jan 05, 2011 11:24 am

Somebody ?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy - advanced settings | System logging

Wed Jan 05, 2011 7:02 pm

Your configuration is messed up in many ways. Your loadbalancing scheme is badly breaking things since you're just using ECMP instead of a stable scheme such as PCC, and your NAT rules are all over the place (and ECMP doesn't work well with servers behind NAT). Things are made worse by the fact that you appear to be using the web proxy.
My advice would be to get with a consultant to fix things up for you, this is nearly impossible to fix all at once in a forum environment - and fixing it bit by bit would mean downtime for you when sections haven't been implemented yet.
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Thu Jan 06, 2011 11:53 am

> Your configuration is messed up in many ways. Your loadbalancing scheme is badly breaking things since you're just using ECMP instead of a stable scheme such as PCC, and your NAT rules are all over the place (and ECMP doesn't work well with servers behind NAT). Things are made worse by the fact that you appear to be using the web proxy.
> My advice would be to get with a consultant to fix things up for you, this is nearly impossible to fix all at once in a forum environment - and fixing it bit by bit would mean downtime for you when sections haven't been implemented yet.
I understand. The thing is, I don't know anybody who is good with Mikrotik. About the ECMP/PCC scheme, should I change to PCC? Is the Load Balancing - Application Example good enough in my case? Will it solve the port forwarding issues?
Still have to do it by myself, step by step...
 
eXtremer
Frequent Visitor
Topic Author
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Web Proxy - advanced settings | System logging

Thu Jan 06, 2011 6:35 pm

One issue solved:

/ip firewall filter
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN1 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=WAN2 protocol=tcp src-address=0.0.0.0/0
add action=drop chain=input comment="" disabled=no dst-port=8080 in-interface=Arax protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="" disabled=no dst-port=8291 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN1
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN2
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN1
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN2
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN1
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN2 jump-target=customer
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN1 jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
add action=drop chain=input comment="" disabled=yes dst-port=8291 protocol=tcp

The line that is underlined was the problem: because of this line I couldn't use the second provider from outside the LAN. I disabled it and now I can use both IPs to connect to my server.
