Hello!!
I work for a company which provides help desk support to many customers.
We have various MikroTiks at different customers, some as routers and some as access points.
I know only the basic MikroTik settings.
I have seen more than one MikroTik (as router) at different customers with the same problem:
- The MikroTik has more than one internet connection.
- Suppose I have one internet connection on ether1 and a second internet connection on ether2, with ether1 having the lower distance.
- I can access (Winbox) the MikroTik from another site through the public IP on ether1, but not through the public IP on ether2.
- I set the lower distance on ether2, and everything starts to go out through ether2.
- I can access (Winbox) the MikroTik from another site through the public IP on ether2, but not through the public IP on ether1.
What could be the problem? What troubleshooting should I do to find the problem?
I think the problem is caused by the traffic from one ISP travelling back through the other ISP.
You can set up rules in Firewall > Filter to check this, with Action: Log, and see the out-interface of those packets.
I cannot test, but I would think the "accept established/related" rule on the input chain (in Firewall > Filter) should do this for you?
If that is not working, you will have to mark connections from ISP2 and then mark routing based on this connection mark, then add a routing entry so this routing mark goes out on ISP2.
This ensures that traffic that comes in from one ISP goes out through the same ISP.
Just a thought; input from others is welcome.
Trying to understand the logic here.
- This appears to be communication from WAN to router and router back to WAN (either WAN1 or WAN2) via Winbox.
- Since the traffic is not hitting the LAN, I would say this has nothing to do with masquerade-type NAT rules.
- So how do the ROUTE rules in place interfere with the traffic and mess it up?
a. As Solar pointed out, the traffic going to the working WAN gets returned with no problem, while the traffic going to the standby WAN does not get returned.
b. It appears that even for outside-initiated traffic that is only intended to talk to the router (no LAN), the router's return traffic will follow the ROUTE rule in place with distance = 1.
(Why this is, I do not know.)
As Solar states, the solution is to ensure that return traffic goes out the same interface it came in on.
Solar, just to confirm, are you suggesting the following, and in such a way that it doesn't matter which ISP is primary and which is standby?
IP Mangle
- mangle in-interface WAN1, protocol TCP, Winbox port xxxx, route mark "ManageViaWan1"
- mangle in-interface WAN2, protocol TCP, Winbox port xxxx, route mark "ManageViaWan2"
(source if required 0.0.0.0/0)
Then create the associated routes:
IP Route
destination 0.0.0.0/0
Gateway (GW address of WAN1)
Mark "ManageViaWan1"
IP Route
destination 0.0.0.0/0
Gateway (GW address of WAN2)
Mark "ManageViaWan2"
Would it be important to place these two rules before the other two more general route rules (more designed for LAN output traffic)?
Distance 1 etc.
Distance 2 etc.
Yes, that's what I had in mind.
For reference: https://wiki.mikrotik.com/wiki/Manual:PCC#Application_Example_-_Load_Balancing
You don't need the load balancing part, but the idea is the same.
Also, Winbox uses port 8291.
As for the routing, you cannot decide where to place those rules; the router will do this for you. The decision making starts from the more specific rules, so when I have two rules, both with destination IP range 0.0.0.0/0 and distance 1, the one with the routing mark will be under the general one and therefore will be checked first.
The routing table displays 0.0.0.0 at the top and 192.168.1.0/24 at the bottom, but the check starts from the bottom. Hope that makes sense.
Thanks a lot, Solar77 and Anav.
Sorry about the delay, I have a lot of work and usually leave the non-urgent tasks for later.
I knew that the more specific routes are considered first, but I didn't know that the traffic always goes out through the connection with the lower distance; I thought that when traffic comes in from one WAN, it returns through the same WAN.
I will do those rules and test.
Thanks again
Regards
Damián
Sorry, I didn't want to revive an old thread, but I am worried about the following:
Why do I have this behavior on some routers and not on others?
I compared all the settings on two routers with different behavior and didn't find anything. I just saw that the router with this behavior gets the IP on the main WAN dynamically, while the router where I can access through any interface has many static IPs on the main WAN.
Both routers I used to compare have the same hardware and the same RouterOS version.
Does anyone know why that is?
Thanks in advance.
Regards
What kind of IPs you get (static or dynamic) depends on what the ISP is providing and is not under our control.
The difference, from what I understand, is that:
a. for dynamic WAN IPs, use action=masquerade for chain=srcnat;
b. for static WAN IPs, use action=src-nat for chain=srcnat.
The to-addresses field that shows when action=src-nat is selected is where you put the static IP of your WAN.
In both cases I have a static IP:
on one router I am always obtaining the same IP through the DHCP client;
on the other router I have set the static IP through "/ip address" instead.
In both cases I use masquerade.
That is the only difference I found between the two routers. Does anyone know why there is this different behavior on identical routers?
Even if the IP stays the same, it sounds like a dynamic IP address scenario, as the provider can change it at any time.
In the latter case they have given you the IP to use and you manually insert it (static).
So in the first case use masquerade (you are doing it correctly now); in the second case use src-nat for the action (this needs to be fixed), and the to-addresses field that becomes available is where you would put the static WAN IP.
Thanks Anav,
Now, I need to change something in the router with the dynamic IP and masquerade, because that is the affected router.
The other router has no problem at all; I don't care if it is using masquerade or src-nat, because everything is working fine.
Well, you can try and use the src-nat rule for the first one and see if it works better.
There should be no issues, as you state the IP never changes. Give it a try.
Anav,
It seems we are speaking a different language.
Case 1: one router, static IP, masquerade. I should change it to src-nat, but I don't need to do that because this router is working fine; I can connect to it through any interface.
Case 2: one router, dynamic IP, masquerade. What do I need to change to make it work so that I can connect using the secondary WAN?
Haha, right you are; I thought you said in the previous post that it was the reverse, that 1 was not working and 2 was working fine.
Okay, for WAN2 let's say the gateway is 172.145.66.1
and the fixed IP they give you is 172.145.66.10.
Then your rule would look like:
/ip firewall nat
add chain=srcnat in-interface-list=LAN out-interface=ether2 action=srcnat to-addresses=172.145.66.10
In general what we are saying is that for any private packets coming from the LAN interface and going to the internet, give them the public IP of the router.
I have two dynamic WAN IPs, so I have two rules, both masquerade like the one above (I don't use src-nat), with out-interface=ISPX as appropriate.
So in this rule we are saying: for any LAN-initiated packets going out to the internet on ether2, give them the public IP address 172.145.66.10.
Thanks Anav,
I am busy right now with another issue; I will try this as soon as I can and I will let you know.
Is this one router with 2 WANs, one static IP and the other dynamic? If so, you need to use mangle to mark routing so that packets leave via the same WAN they came in on.
The reason it is not working is that the packet leaves the router on a different IP/interface than it came in on; your PC does not recognize this "connection" and drops the packet.
Thanks to all,
Sorry about the delay
I didn't realize it before, but as the issue was between an external device and the MikroTik (chain input for the MikroTik), NAT is not relevant.
I was able to check what you asked and that is correct: when I try to connect through the secondary connection, it is responding through the primary connection, and this is the issue.
I was able to mark packets and it worked fine.
The next question is: why is it working on other routers without any mangle rule?
I paste the mangle rules below:
/ip firewall mangle
# accept here stops further mangle processing for LAN traffic to these destinations
add action=accept chain=prerouting dst-address=190.19.63.0/24 src-address=192.168.0.0/24
add action=accept chain=prerouting dst-address=181.46.108.0/22 src-address=192.168.0.0/24
# remember which WAN each new connection arrived on
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1-wan new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2-wan new-connection-mark=ISP2_conn passthrough=yes
# route ISP2 connections via the To_ISP2 table: prerouting for forwarded packets, output for the router's own replies
add action=mark-routing chain=prerouting connection-mark=ISP2_conn new-routing-mark=To_ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=To_ISP2 passthrough=no
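Pulling the pieces of this thread together (Solar's suggestion of a log rule to see the out-interface, Anav's per-WAN routing-mark sketch, and the mangle rules Damián posted above), here is a complete worked configuration as an added example. It is not from any of the posts above or from MikroTik's documentation. It assumes RouterOS v6 syntax (the PCC wiki page linked earlier is v6; on v7 the tables must first be created with /routing table add name=... fib and the routes use routing-table= instead of routing-mark=), WAN interfaces named ether1-wan and ether2-wan, an interface list named LAN for the inside ports, gateways 203.0.113.1 and 198.51.100.1 (RFC 5737 documentation addresses, not real ones), and Winbox on its default port 8291.

```routeros
# Added example, not from the thread. Assumptions: RouterOS v6 syntax,
# WAN ports ether1-wan / ether2-wan, interface list LAN, gateways
# 203.0.113.1 / 198.51.100.1 (documentation addresses), Winbox on 8291.

# 1. Troubleshooting (Solar's suggestion): log which interface the router's
#    own Winbox replies leave on. The log line shows in:/out: interfaces.
#    Disable or remove this rule once the diagnosis is done.
/ip firewall filter
add chain=output protocol=tcp src-port=8291 action=log \
    log-prefix="winbox-reply" comment="temporary: which WAN do replies use?"

# 2. The existing default routes: ISP1 preferred (distance 1), ISP2 standby.
#    check-gateway lets the router fail over when a gateway stops answering.
#    If ether1-wan gets its address from a DHCP client with
#    add-default-route=yes, omit its route here and set the client's
#    default-route-distance instead, or you get two routes via one gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

# 3. Remember which WAN a connection arrived on. connection-mark=no-mark means
#    only the first packet of each connection is evaluated.
/ip firewall mangle
add chain=prerouting in-interface=ether1-wan connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ether2-wan connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# 4. Replies the router generates itself (Winbox, SSH, ping to the router) never
#    pass prerouting: they are routed in chain=output, so the routing mark has to
#    be applied there. Marking both ISPs means it does not matter which one
#    currently has distance 1 (Anav's question).
add chain=output connection-mark=ISP1_conn action=mark-routing \
    new-routing-mark=To_ISP1 passthrough=no
add chain=output connection-mark=ISP2_conn action=mark-routing \
    new-routing-mark=To_ISP2 passthrough=no

# 5. Forwarded traffic (for example a dst-nat to a LAN server) does pass
#    prerouting. Only mark packets coming back from the LAN side, so that
#    inbound packets are not themselves pushed into the per-ISP tables.
add chain=prerouting in-interface-list=LAN connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=To_ISP1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=To_ISP2 passthrough=no

# 6. One default route per routing mark; marked packets use these tables
#    instead of the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=To_ISP1 \
    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=To_ISP2 \
    check-gateway=ping
```

The important detail is step 4: a mark-routing rule in prerouting alone does nothing for Winbox, because the router's own replies are locally generated and only traverse chain=output. Once the configuration is in place, repeat the step 1 log test: a Winbox session opened against the ether2-wan address should now log replies with out:ether2-wan.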