2 Wan

RouterOS General
1

I have 2 public IP addresses, A.A.A.A and B.B.B.B

Now I want to set up port forwarding, port 443 over IP A.A.A.A and port forwarding port 443 over IP B.B.B.B. Unfortunately this does not work, because both hosts communicate over IP A.A.A.A to the intert.
How do I set this up so that both hosts can communicate via their IP incoming as well as outgoing?

Greetings Roger

2

Its either Mark Connection + Mark Routing in Firewall->Mangle table or Routing->Rules.

I am not sure if Routing->Rules will work with dstnat. In this way you create 2 routing tables(for each of ISPs):
Routing-Tables-> New, dont forget FIB, u can take “isptable1” and “isptable2” names for example.

Add default route to each table with corresponding gate IP: you can do it in IP->Routes, it looks the same as original default route (the 0.0.0.0/0 one), but u also select “routing table field”

And make lookup rule in Routing->Rules, like if src address = AAAA then u lookup in routing table “isptable1”, second rule - if src address = BBBB lookup in “isptable2”.

This way both ISPs will now answer correctly for ingress traffic

Buuuut in case of dst-nat, I don’t remember on which stage it changes IP back for egress packets, which src network/ip up-rules will take into account.

If it still does not work, and I am sure it wont u have to add extra rules in Firewall-Mangle. There is a lot of stuff in internet “How-To-2IPS on mikrotik”.

In short:
In IP-Firewall->Mangle, in exact order:

  1. If-Connection-Mark=default, action=Accept;
  2. If-Connection-Mark=isp1,If-in-interface=main, action=Mark-Routing-Table=isptable1(passthrough=NO); – “main - interface for local network, if multiple, use interface-list”
  3. If-Connection-Mark=isp2,If-in-interface=main, action=Mark-Routing-Table=isptable2(passthrough=NO);
  4. If-Connection-Mark=!no-mark, action=Accept; --“! - means NOT, the button left form conection-mark field”
  5. if-in-interface=ether-isp1, action=Mark-Connection=isp1(passthrough=NO); – “ether-isp1 interface of ISP1”
  6. if-in-interface=ether-isp2, action=Mark-Connection=isp2(passthrough=NO); – “ether-isp2 interface of ISP2”
  7. action=Mark-Connection=default(passthrough=NO);

7 rules in total i guess, looks ugly but I cant write them in console commands, or attack any links, maybe later, sorry
These 7 rules marks new incoming connections from ISP1 and ISP2 interfaces, and using these mark to mark routing when packet moves back from local network (interface “main”)

Also don’t forget to disable or change fasttrack rule in Ip-Firewall-Filter, fasttrack disables some Firewall stuff.
And disable passthrough where passthrough=NO.

These is a lot of info how to 2 ISP on mikrotik (on forums and internet)
Maybe I will write it in normal Code, when get time