3 WAN and 1 LAN - Port Forwarding problem

Hello,

I have a problem with port forwarding.
It's OK for WAN1 but not OK for WAN2 and WAN3. The DMZ is OK for WAN1, 2 and 3.
My config:
WAN1: GW 192.168.4.250
WAN2: GW 192.168.6.240
WAN3: GW 192.168.7.240
LAN: 192.168.3.0/24

/ip firewall nat 
add chain=dstnat dst-address=192.168.4.252 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.3.241 to-ports=80
add chain=dstnat dst-address=192.168.6.252 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.3.242 to-ports=80
add chain=dstnat dst-address=192.168.7.252 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.3.243 to-ports=80

Thank you for your answer

GreG

The Mikrotik doesn't automatically remember which interface packets came in on, so replies from your internal server always go out on WAN1 (which is why your port forwarding for WAN1 works).

First you have to mark connections as to which WAN interface they came in on. Next you have to mark outbound packets that belong to that connection. Then you can route marked packets out of specific routes.

To mark connections, in Winbox go to:
IP > Firewall > Mangle

  • Add Entry, Chain: Forward, In-Interface: WAN2, Connection State: new, Action: Mark Connection, New Connection Mark: WAN2
  • Add Entry, Chain: Forward, In-Interface: WAN3, Connection State: new, Action: Mark Connection, New Connection Mark: WAN3

Now under IP > Firewall > Connections tab you will see inbound connections being flagged with connection marks.

Now you have to mark outbound packets.

IP > Firewall > Mangle

  • Add Entry, Chain: prerouting, connection-mark: WAN2, Action: Mark Routing, Routing Mark: WAN2
  • Add Entry, Chain: prerouting, connection-mark: WAN3, Action: Mark Routing, Routing Mark: WAN3

Now in IP > Routes you have to create a route for WAN2 and WAN3

  • Add Entry, Dst-Address: 0.0.0.0/0, Routing-Mark: WAN2, Gateway: 192.168.6.240
  • Add Entry, Dst-Address: 0.0.0.0/0, Routing-Mark: WAN3, Gateway: 192.168.7.240

Don’t forget to masquerade packets leaving WAN interfaces.
IP > Firewall > NAT

  • Add Entry, Chain: srcnat, Out-Interface: WAN2, Action: masquerade
  • Add Entry, Chain: srcnat, Out-Interface: WAN3, Action: masquerade

Now your inbound port forwarding should work. Also note with this setup, all connections that are initiated from the 192.168.3.0 network will always go out WAN1.
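The Winbox steps above written out as RouterOS (v6 syntax) CLI commands, as an added example that is not part of the original reply. It assumes the interfaces are named WAN2, WAN3 and LAN as in the thread and reuses the gateways from the first post; the routing-mark rules are restricted to in-interface=LAN so that only the server's reply packets are re-routed, while the incoming WAN packets stay on the main routing table.

```routeros
# Mark each new connection arriving on WAN2/WAN3. The forward chain is used
# because port-forwarded traffic to the LAN server passes through forward;
# it never traverses the input or output chains of the router itself.
/ip firewall mangle
add chain=forward in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=WAN2 passthrough=yes
add chain=forward in-interface=WAN3 connection-state=new \
    action=mark-connection new-connection-mark=WAN3 passthrough=yes

# Reply packets from the LAN server inherit the connection mark; give them
# a routing mark so they leave via the WAN the connection arrived on.
# in-interface=LAN is an assumption added here: without it, inbound WAN
# packets would also be marked and looked up in the WANx routing table.
add chain=prerouting in-interface=LAN connection-mark=WAN2 \
    action=mark-routing new-routing-mark=WAN2 passthrough=no
add chain=prerouting in-interface=LAN connection-mark=WAN3 \
    action=mark-routing new-routing-mark=WAN3 passthrough=no

# One default route per routing mark, pointing at that WAN's gateway
# (gateways taken from the first post).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.6.240 routing-mark=WAN2
add dst-address=0.0.0.0/0 gateway=192.168.7.240 routing-mark=WAN3

# Source NAT for anything leaving each WAN, as in the reply.
/ip firewall nat
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade

# Verification: after a test connection to the WAN2 address, the tracked
# connection should carry the mark (same check as IP > Firewall > Connections).
/ip firewall connection print where connection-mark=WAN2
```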

I have a round robin for my 4 WANs:

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn
add chain=input in-interface=WAN4 action=mark-connection new-connection-mark=WAN4_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=to_WAN3
add chain=output connection-mark=WAN4_conn action=mark-routing new-routing-mark=to_WAN4 

add chain=prerouting dst-address=192.168.4.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.6.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.7.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.8.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN3
add chain=prerouting connection-mark=WAN4_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN4

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.4.250 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.6.240 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.7.240 routing-mark=to_WAN3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.8.240 routing-mark=to_WAN4 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.4.250 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.6.240 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.7.240 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.8.240 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade
add chain=srcnat out-interface=WAN4 action=masquerade

It's not OK for my port forwarding?