2 WAN link and dst-nat configuration

Hello everyone
First, I apologize if my post is repetitious; my search for a good answer was unsuccessful and I also do not have enough time. Thank you for any links or hints.
Suppose my scenario is as follows:
I have 2 WAN links:
ether1-WAN1 → 1.1.1.1 (public IP)
ether2-WAN2 → 2.2.2.2 (public IP)

I have 1 local network (192.168.70.0/24)
ether3-LAN → 192.168.70.1

I have 1 server connected to the ether3-LAN interface with Remote Desktop enabled:
Server IP: 192.168.70.20 Server Gateway: 192.168.70.1

what I want to do is:
Remote Desktop users should be able to connect to the server via both WAN links (1.1.1.1 and 2.2.2.2).

So what is wrong with the following configuration:


/ ip firewall nat
add chain=srcnat out-interface=ether1-WAN1 action=masquerade
add chain=srcnat out-interface=ether2-WAN2 action=masquerade
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.70.20 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 protocol=tcp to-addresses=192.168.70.20 to-ports=3389
/ ip firewall mangle
add chain=forward in-interface=ether1-WAN1 action=mark-connection new-connection-mark=ether1-WAN1_conn
add chain=forward in-interface=ether2-WAN2 action=mark-connection new-connection-mark=ether2-WAN2_conn
add chain=forward connection-mark=ether1-WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=forward connection-mark=ether2-WAN2_conn action=mark-routing new-routing-mark=to_WAN2
/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=1 routing-mark=to_WAN2

thanks in advance

Are the public IPs static or dynamic? Same provider or different providers?


RDP is not secure; I don't recommend it.
You are much better off installing WireGuard and having your users securely access the router; then you can have them access any LAN device, including an RDP server, from the LAN side.
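As an added example (not part of the reply above or of any poster's config), this is what the WireGuard alternative looks like on RouterOS 7 for the topology in the opening post: the router terminates the tunnel, RDP is accepted only from tunnel addresses, and no dst-nat rule for 3389 exists at all. The tunnel subnet 10.99.0.0/24, UDP port 13231, the peer entry, the key placeholder and the ISP gateway placeholders are assumptions; interface names, the server address and the WAN1_conn/to_WAN1 naming follow the thread.

```routeros
# Added example, not the thread's config. Assumed: 10.99.0.0/24 tunnel subnet, UDP 13231,
# one client peer, placeholder key and ISP gateways. Interface/server names are from the post.
/interface wireguard
add name=wg-rdp listen-port=13231 mtu=1420
# RouterOS generates the private key; read the router's public key with
# /interface wireguard print and put it in the client's config.
/interface wireguard peers
add interface=wg-rdp public-key="<client-public-key>" allowed-address=10.99.0.10/32 comment="RDP user 1"
/ip address
add address=10.99.0.1/24 interface=wg-rdp

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=ether3-LAN list=LAN

# The tunnel ends on the router itself, so a handshake that arrived on the second uplink
# must be answered on the second uplink: mark the connection in input, mark routing in output.
/routing table
add fib name=to_WAN1
add fib name=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=<WAN1-ISP-gateway> routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=<WAN2-ISP-gateway> routing-table=to_WAN2
/ip firewall mangle
add chain=input in-interface=ether1-WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=input in-interface=ether2-WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard handshakes on either uplink"
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop all else to the router"
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=wg-rdp src-address=10.99.0.0/24 dst-address=192.168.70.20 protocol=tcp dst-port=3389 comment="RDP only from tunnel clients"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop comment="drop all else, including any RDP from WAN"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

Two caveats for the dual-WAN case: a WireGuard client profile carries a single Endpoint, so two uplinks mean either two client profiles (1.1.1.1:13231 and 2.2.2.2:13231) or a DNS name you repoint when a link fails; and the forward-chain connection marks discussed later in the thread do not cover traffic addressed to the router itself, which is why the marks above sit in the input and output chains.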

Thanks for your reply and the warning about RDP (there are some conditions under which a VPN is not possible, so please ignore this issue).
Both IPs are static, from different providers.

My server has 2 network cards; can I add another IP to the server and solve the problem?
for example:
my server IPs: 192.168.70.20 and 192.168.80.20 (gateway: 192.168.70.1)
ether3-LAN2 → 192.168.80.1

(1) Keep a single NIC and LAN IP…

/ ip firewall nat
add chain=srcnat out-interface=ether1-WAN1 action=masquerade
add chain=srcnat out-interface=ether2-WAN2 action=masquerade
add action=dst-nat chain=dstnat dst-port=3389 dst-address=StaticWANIP1 protocol=tcp to-addresses=192.168.70.20
add action=dst-nat chain=dstnat dst-port=3389 dst-address=StaticWANIP2 protocol=tcp to-addresses=192.168.70.20

/ ip firewall mangle
add chain=forward in-interface=ether1-WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=ether1-WAN1_conn passthrough=yes
add chain=forward in-interface=ether2-WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=ether2-WAN2_conn passthrough=yes
add chain=prerouting action=mark-routing connection-mark=ether1-WAN1_conn new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=ether2-WAN2_conn new-routing-mark=to_WAN2 passthrough=no

/ ip route
Assuming either default routes are already in place or manual routes for both ISPs exist in the MAIN table:
{ add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main
{ add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-table=main
PLUS
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=1 routing-mark=to_WAN2

MODIFY FAST TRACK RULES IN forward chain by simply adding connection-mark=no-mark

++++++++++++++++++++++++++++++++++++++++++
Nothing changes from the above if you prefer to use two different NICs…

Thank you very much!
Now users can access the server from both public IPs, but there is one more problem:
RDP works randomly; after every 3-4 connections, users cannot connect and have to wait some seconds or minutes.
I put fasttrack at the top of the other mangle rules:
add action=fasttrack-connection chain=forward connection-mark=no-mark
Is it in the correct place?
My RouterOS version is 7.13.5.
How can I solve this problem?
thanks again

The fasttrack rule is NOT a mangle rule; it's a forward chain filter rule and should typically be the first forward chain rule.
Without seeing the whole config (less any public IP info) it will be hard to pinpoint the issue.

This is my full config:

  • ether2-AntenPishgamanWAN has a PPPoE client connection with a public IP (x.y.z.89)
  • there is a GRE tunnel to another company branch (x.y.z.126)
  • ether1-SimCardWAN is connected to a GSM modem; the IP of the GSM modem is 192.168.43.1 and it is DMZ'd to 192.168.43.2 (my router). The GSM public IP is x.y.z.178.
    With the following config, users can connect only via x.y.z.89; trying to connect via x.y.z.178 gets stuck on "configuring remote session ..."
  • As I notice, there is no packet counter on the ether1-SimCardWAN NAT rule.
    ............................................................................

2024-02-29 08:57:26 by RouterOS 7.13.5

/interface ethernet
set [ find default-name=ether1 ] name=ether1-SimCardWAN
set [ find default-name=ether2 ] name=ether2-AntenPishgamanWAN
set [ find default-name=ether3 ] name=ether3-AntenToBazar
set [ find default-name=ether4 ] name=ether4-toServer
set [ find default-name=ether5 ] name=ether5-HP-iLO
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface gre
add local-address=x.y.z.89 mtu=1420 name=gre-Teh remote-address=x.y.z.126
/interface pppoe-client
add disabled=no interface=ether2-AntenPishgamanWAN keepalive-timeout=100 name=pppoe-out-pishgaman user=9131562068
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
/ip address
add address=192.168.43.2/24 interface=ether1-SimCardWAN network=192.168.43.0
add address=192.168.70.1/24 interface=ether4-toServer network=192.168.70.0
add address=192.168.80.1/24 interface=ether5-HP-iLO network=192.168.80.0
add address=192.168.93.5/24 interface=ether3-AntenToBazar network=192.168.93.0
add address=10.10.10.1 interface=gre-Teh network=10.10.10.2
add address=192.168.110.2/24 interface=ether3-AntenToBazar network=192.168.110.0
/ip dns
set servers=8.8.8.8,5.200.200.200
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=no-mark hw-offload=yes
add action=drop chain=input comment="Block Ping Request" protocol=icmp
add action=drop chain=input comment="Block Invalid Input Conn" connection-state=invalid disabled=yes
add action=drop chain=input comment="Block port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1h chain=input dst-port=22,23,80,8291 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2d chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether1-SimCardWAN new-connection-mark=WAN1_Conn passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2-AntenPishgamanWAN new-connection-mark=WAN2_Conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_Conn new-routing-mark=to_WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out-pishgaman
add action=masquerade chain=srcnat out-interface=ether1-SimCardWAN to-addresses=192.168.43.2
add action=dst-nat chain=dstnat comment=test dst-address=192.168.43.2 dst-port=62404 protocol=tcp to-addresses=192.168.70.12 to-ports=62404
add action=dst-nat chain=dstnat comment="RDP- Mr Ramin Windows 2" dst-address=5.202.251.89 dst-port=62404 protocol=tcp to-addresses=192.168.70.12 to-ports=62404
add action=dst-nat chain=dstnat comment="RDP- Mr Alikhani" dst-address=5.202.251.89 dst-port=63301 protocol=tcp to-addresses=192.168.70.4 to-ports=63301
add action=dst-nat chain=dstnat comment="RDP- Mr Ghasemkhani" dst-port=63302 protocol=tcp to-addresses=192.168.70.5 to-ports=63302
add action=dst-nat chain=dstnat comment="RDP- Mr Ramin" dst-port=63303 protocol=tcp to-addresses=192.168.70.6 to-ports=63303
add action=dst-nat chain=dstnat comment="HP iLO Web" disabled=yes dst-port=65104 protocol=tcp to-addresses=192.168.80.10 to-ports=65104
/ip route
add disabled=no dst-address=192.168.16.0/24 gateway=192.168.110.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=192.168.110.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.89.0/24 gateway=10.10.10.2 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.91.0/24 gateway=10.10.10.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.43.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.43.1 pref-src="" routing-table=to_WAN1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman pref-src="" routing-table=to_WAN2 scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes port=23322
set ftp disabled=yes port=22221
set www disabled=yes port=24812
set ssh port=63700
set www-ssl port=32443
set api disabled=yes port=28728
set winbox port=63800
set api-ssl disabled=yes port=28729

................................................................
thank you

So far looks okay…

  1. On the two main table default routes, I would add check-gateway=ping.
    add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman routing-table=main comment=WAN2
    add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.43.1 routing-table=main comment=WAN1
    add distance=1 dst-address=0.0.0.0/0 gateway=192.168.43.1 routing-table=to_WAN1
    add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman routing-table=to_WAN2
  2. Mangles.
    / ip firewall mangle
    add chain=forward in-interface=ether1-WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=ether1-WAN1_conn passthrough=yes
    add chain=forward in-interface=pppoe-out-pishgaman connection-mark=no-mark action=mark-connection new-connection-mark=ether2-WAN2_conn passthrough=yes
    add chain=prerouting connection-mark=ether1-WAN1_conn action=mark-routing new-routing-mark=to_WAN1 in-interface-list=LAN passthrough=no
    add chain=prerouting connection-mark=ether2-WAN2_conn action=mark-routing new-routing-mark=to_WAN2 in-interface-list=LAN passthrough=no


    In your case, better to simply replace in-interface-list=LAN with:
    src-address-list=SERVERS

    where you add all your server IPs.
    /ip firewall address-list
    add address=192.168.70.4 list=SERVERS
    add address=192.168.70.5 list=SERVERS
    add address=192.168.70.6 list=SERVERS
    add address=192.168.70.12 list=SERVERS
    etc…
  3. Firewall rules are incomplete…

    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    add action=accept chain=input comment="allow LAN to Router traffic" in-interface-list=LAN
    ==== add any more allow rules here ==== perhaps for gre tunnel???
    add action=drop chain=input comment="drop all else"
    +++++++++++++++++++++++++++++++++++++++++++
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes connection-mark=no-mark
    add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
    add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
    ==== add any more allow rules here ==== perhaps for gre tunnel???
    add action=drop chain=forward comment="drop all else"
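Since the thread settles on exposing RDP through dst-nat rather than a VPN, here is an added example (not any poster's config) of the same dual-WAN forward built so that only known client ranges are ever translated, failed knocks are recorded, and the reply path stays on the uplink a connection arrived on. It uses the interface names, server addresses and to_WAN1/to_WAN2 tables from the posted config, and defines the LAN/WAN interface lists that the reply's rules reference but the posted config does not contain. The 203.0.113.0/24 client range is a placeholder (TEST-NET-3); only one of the RDP forwards is shown, the others follow the same pattern.

```routeros
# Added example, not the thread's config. Assumes the posted interface names, the existing
# to_WAN1/to_WAN2 routing tables and routes, and a placeholder client range 203.0.113.0/24.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1-SimCardWAN list=WAN
add interface=pppoe-out-pishgaman list=WAN
add interface=ether4-toServer list=LAN
add interface=ether5-HP-iLO list=LAN

/ip firewall address-list
add address=203.0.113.0/24 list=RDP_ALLOWED comment="placeholder: RDP users' source range"
add address=192.168.70.4 list=SERVERS
add address=192.168.70.5 list=SERVERS
add address=192.168.70.6 list=SERVERS
add address=192.168.70.12 list=SERVERS

/ip firewall mangle
# New forwarded connections are stamped with the uplink they arrived on.
# The PPPoE traffic is seen on the pppoe interface, not on the ethernet port beneath it.
add chain=forward in-interface=ether1-SimCardWAN connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_Conn passthrough=yes
add chain=forward in-interface=pppoe-out-pishgaman connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_Conn passthrough=yes
# Only the servers' replies get a routing mark; src-address-list keeps WAN-side packets out.
add chain=prerouting src-address-list=SERVERS connection-mark=WAN1_Conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting src-address-list=SERVERS connection-mark=WAN2_Conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
# Translate only for listed sources. Everyone else's SYN stays addressed to the router,
# falls into the input chain and is dropped there.
add chain=dstnat in-interface=ether1-SimCardWAN dst-address=192.168.43.2 protocol=tcp dst-port=63301 src-address-list=RDP_ALLOWED action=dst-nat to-addresses=192.168.70.4 comment="RDP Alikhani via GSM (modem DMZ to 192.168.43.2)"
add chain=dstnat in-interface=pppoe-out-pishgaman protocol=tcp dst-port=63301 src-address-list=RDP_ALLOWED action=dst-nat to-addresses=192.168.70.4 comment="RDP Alikhani via PPPoE"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN
# Unlisted hosts probing the RDP ports are recorded (non-terminating action), then dropped below.
add chain=input in-interface-list=WAN protocol=tcp dst-port=63301-63303 action=add-src-to-address-list address-list=RDP_PROBES address-list-timeout=1d log=yes log-prefix="rdp-probe"
add chain=input action=drop comment="drop all else to the router"
# connection-mark=no-mark is essential: fasttracked packets bypass mangle, so a marked
# connection that got fasttracked would lose its routing mark on the return path.
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark hw-offload=yes
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN comment="port forwards"
add chain=forward action=drop comment="drop all else"
```

To verify, connect from an allowed address via each public IP and watch the counters on the two dst-nat rules and on the mark-routing rules; a dst-nat counter that increments while the matching mark-routing counter stays at zero means the reply is leaving through the main default route instead of the uplink the request came in on. The RDP_PROBES list is for visibility only here; it can be fed into an input drop rule or used to alert, but it should not be used to auto-block, since anyone who can spoof a source address could then lock out a legitimate range.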