2 WAN, 2 router, 2 network problem

Hello!
I have the following network: an RB450G router with a PPPoE connection (static address), and a D-Link router with a DSL connection.


I set up the masquerade and firewall rules, and it works fine for the PPPoE connection (ether5), but I cannot reach the server(s) from the 192.168.2.0 network. I tried to configure both of the routers, but I don't know what could be wrong (there is a dst-nat on the ether2 in-interface, at the desired port). The packet arrives properly at the MT router, as I can see in the NAT statistics, but the socket connection is not established.
Secondly, I cannot reach (not even ping) servers through the MT ether2 interface. In the MT routing table there are two 0.0.0.0/0 routes: for the PPPoE connection (ether5) the distance is 0, for the ether2 interface the distance is 3 (to make a failover internet connection). In Winbox the second default gateway (ether2) is not active. How should I configure the router so that if the ether5 interface fails, the ether2 interface takes over the default gateway role?

Edit:
So my routing table looks like this:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

       DST-ADDRESS         PREF-SRC       GATEWAY-STATE  GATEWAY          DISTANCE  INTERFACE
1 ADS  0.0.0.0/0                          reachable      192.168.128.253  1         pppoe-out1
2 DS   0.0.0.0/0                          reachable      192.168.2.1      3         ether2
3 ADC  10.10.10.0/24       10.10.10.1                                     0         ether1
4 ADC  192.168.1.0/24      192.168.1.1                                    0         ether1
5 ADC  192.168.2.0/24      192.168.2.63                                   0         ether2
6 ADC  192.168.128.253/32  93.XXX.113.XX                                  0         pppoe-out1

And the NAT rule:
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.1.0/24
.....
3 ;;; permanent test from PPPOE
chain=dstnat action=dst-nat to-addresses=192.168.1.31 to-ports=3333 protocol=tcp in-interface=pppoe-out1 dst-port=3333
...
59 ;;; GPRS permanant test from DSL
chain=dstnat action=dst-nat to-addresses=192.168.1.31 to-ports=3333 protocol=tcp in-interface=ether2 dst-port=3333

Post the firewall rules.

I haven’t made any firewall filter rules.

I think maybe the masquerade is interfering. Remove the src-address rule and use this:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether5

or whatever name you assigned to ether5.

ADD: And you will probably need a route to the 192.168.1.0/24 net from 192.168.2.0/24 net. I don’t know the format for the dlink, but in RouterOS, it would be

/ip route
add dst-address=192.168.1.0/24 gateway=192.168.2.63

I have tried the new masquerade you wrote above, but the result was that I couldn't reach the internet, so I restored my settings.
And of course, I edited the D-Link router as you wrote, and there is a NAT rule for that server I want to reach from the other network (in port 3333 → 192.168.2.63:3333).

Please post “/ip address print” and “/ip route print” from the MT router.

ADD: I see “/ip route” above. Did you use “pppoe-out1” for the nat out-interface? You have nothing connected or assigned to ether5 (interface name).

The masquerade must be on the pppoe-out1 interface if your failover is going to work. Without it, the D-Link router will be unable to connect to the internet through its backup route, considering the same setup is in it. There should be no reason for a NAT between the two routers, only on each out-interface.

The reason you can’t connect between the networks is your current masquerade. When the request packets from the 192.168.2.x net get to the 192.168.1.x net, all is still ok. But when the response packet comes back to the D-Link net, the source address is now masqueraded as 192.168.2.63.

OK, here is my route table in MT:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

       DST-ADDRESS         PREF-SRC       GATEWAY-STATE  GATEWAY          DISTANCE  INTERFACE
1 ADS  0.0.0.0/0                          reachable      192.168.128.253  1         pppoe-out1
2 DS   0.0.0.0/0                          reachable      192.168.2.1      3         ether2
3 ADC  10.10.10.0/24       10.10.10.1                                     0         ether1
4 ADC  192.168.1.0/24      192.168.1.1                                    0         ether1
5 ADC  192.168.2.0/24      192.168.2.63                                   0         ether2
6 ADC  192.168.128.253/32  93.XXX.113.XX                                  0         pppoe-out1

And my IP addresses:
Flags: X - disabled, I - invalid, D - dynamic

     ADDRESS           NETWORK          BROADCAST      INTERFACE
0    192.168.1.1/24    192.168.1.0      192.168.1.255  ether1
1    10.10.10.1/24     10.10.10.0       10.10.10.255   ether1
2 D  192.168.2.63/24   192.168.2.0      192.168.2.255  ether2
3 D  93.XXX.113.XX/32  192.168.128.253  0.0.0.0        pppoe-out1

And as for the /ip firewall nat add chain=srcnat action=masquerade out-interface=pppoe-out1 rule, first I made it wrong: I wrote it with eth5, and of course, it didn't work. But with the pppoe-out1 interface the "primary" net goes OK, but I couldn't reach PCs in the 192.168.2.0 network, which I could with the rule chain=srcnat action=masquerade src-address=192.168.1.0/24 (RDP, and so on).

If it works with NAT that means that D-Link router doesn’t have a route back to 192.168.1.0/24 just like Tim posted early on. The NAT would translate the 192.168.1.0/24 range to 192.168.2.63, which the D-Link subnet can reach because it is directly connected.

That has nothing to do with NAT or port forwarding on the D-Link - what you need to do is find the routing section in that D-Link router and enter a static route to 192.168.1.0/24 through 192.168.2.63. All consumer routers I’ve ever come across did have a section for static routes, so it’s very likely it can do that - you just have to read the manual and find that section or click your way through the web interface until you come across it.
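The routing decision described above, modelled as an added example that is not part of the original posts: it shows which source address a 192.168.2.x host sees under each of the two masquerade rules from the thread, and where the D-Link side then sends the reply. The D-Link's DSL default gateway (203.0.113.1) and the helper names are assumptions made for illustration.

```python
import ipaddress

def route(net, gateway, iface):
    return {"net": ipaddress.ip_network(net), "gateway": gateway, "iface": iface}

# D-Link routing table. The LAN subnet is from the thread; the DSL default
# gateway 203.0.113.1 is a constructed placeholder (documentation range).
DLINK = [route("192.168.2.0/24", None, "lan"),
         route("0.0.0.0/0", "203.0.113.1", "dsl-wan")]
# Same table plus the static route suggested in the thread.
DLINK_FIXED = DLINK + [route("192.168.1.0/24", "192.168.2.63", "lan")]

# The two srcnat rules discussed, reduced to their match conditions.
MASQ_BY_SRC = {"src": ipaddress.ip_network("192.168.1.0/24"), "out": None}
MASQ_BY_WAN = {"src": None, "out": "pppoe-out1"}
ETHER2_ADDR = "192.168.2.63"  # MikroTik address on ether2, from the thread

def source_on_ether2(src, rule):
    """Source address a 192.168.2.x host sees for a packet leaving ether2."""
    src_ok = rule["src"] is None or ipaddress.ip_address(src) in rule["src"]
    out_ok = rule["out"] is None or rule["out"] == "ether2"
    return ETHER2_ADDR if (src_ok and out_ok) else src

def reply_next_hop(table, dst):
    """Longest-prefix match: where the D-Link side sends a reply to dst."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in table if addr in r["net"]),
               key=lambda r: r["net"].prefixlen)
    return (best["gateway"] or "on-link", best["iface"])

def trace(rule, table, client="192.168.1.31"):
    """Reply path for a connection opened from the 192.168.1.0/24 side."""
    return reply_next_hop(table, source_on_ether2(client, rule))

if __name__ == "__main__":
    print("masquerade by src-address :", trace(MASQ_BY_SRC, DLINK))
    print("masquerade on pppoe-out1  :", trace(MASQ_BY_WAN, DLINK))
    print("pppoe-out1 + static route :", trace(MASQ_BY_WAN, DLINK_FIXED))
```

With the source-address masquerade the reply stays on-link only because the real client address is hidden behind 192.168.2.63, so hosts on the D-Link side never log which 192.168.1.x machine connected; with the static route the reply returns through the MikroTik and the original source address is preserved.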

OK, thanks to everybody, now it works. I just updated my routers' firmware (and OS), and now they work well. I restored my old masquerade and settings, and it works well. Thanks again.