Can't access Internal Servers from WAN

Hi,

I can’t access my Internal Servers from the Internet. I have set up my NAT and filter rules but evidently I did something wrong or I missed something… Can anybody help me, please?

Here are my NAT and Filter rules:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.66 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3050 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.5 to-ports=3050
add action=dst-nat chain=dstnat dst-port=14147 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.5 to-ports=14147
add action=dst-nat chain=dstnat dst-port=20-22 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.5 to-ports=20-22
add action=dst-nat chain=dstnat dst-port=9000-9999 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.5 to-ports=9000-9999
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.3 to-ports=5060
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-Iplan
add action=masquerade chain=srcnat out-interface=ether5-Fibertel

/ip firewall filter
add chain=input dst-port=8291 protocol=tcp
add chain=input protocol=icmp
add chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1-Iplan
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-Iplan


Can anyone please help me?

Hello,

Try disabling this rule and test again:

add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-Iplan

Thanks… I tried it. In fact, I disabled all three DROP rules to test it, but I can’t connect anyway!

rbullrich,
Are you using only 1 ISP?
If not, you must use mangle.

No, I have 2 ISPs. What’s mangle? How do I configure it?

/ip firewall mangle
chain=prerouting action=mark-connection new-connection-mark=ISP1_con passthrough=no in-interface=ether1-gateway
chain=prerouting action=mark-routing new-routing-mark=ISP1_route passthrough=no connection-mark=ISP1_con
chain=output action=mark-routing new-routing-mark=ISP1_route connection-mark=ISP1_con passthrough=no

chain=prerouting action=mark-connection new-connection-mark=ISP2_con passthrough=no in-interface=ether2-gateway
chain=prerouting action=mark-routing new-routing-mark=ISP2_route passthrough=no connection-mark=ISP2_con
chain=output action=mark-routing new-routing-mark=ISP2_route connection-mark=ISP2_con passthrough=no

/ip route
add gateway=ISP1 routing-mark=ISP1_route
add gateway=ISP2 routing-mark=ISP2_route
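To make the point of devi1's mangle rules concrete, here is an added example (not from the thread or from RouterOS) that models the policy-routing logic in Python: the connection gets a mark from the interface it entered on, the mark is turned into a routing mark, and the routing mark selects a table with a fallback to main. Interface and mark names follow devi1's post; the LAN interface name ether2-master comes from rbullrich's later config; the client address 203.0.113.7, the routing tables (main's default route pointing at ISP2, as happens when a second ISP's default route wins) and the rule that routing is only marked for packets that did not enter on a WAN interface are assumptions of this model.

```python
# Added example: a small model of RouterOS connection/routing marks, not the router's code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    dst: str        # destination as routing sees it (after dst-nat for inbound packets)
    conn_id: str    # stand-in for the conntrack entry this packet belongs to


@dataclass
class Router:
    wan_ifaces: Tuple[str, ...]
    conn_mark_by_iface: Dict[str, str]          # mangle prerouting mark-connection by in-interface
    route_mark_by_conn: Dict[str, str]          # mangle mark-routing by connection-mark
    tables: Dict[str, List[Tuple[str, str]]]    # routing-mark -> [(prefix, gateway)], plus "main"
    conntrack: Dict[str, Optional[str]] = field(default_factory=dict)

    def mangle(self, pkt: Packet) -> Optional[str]:
        # mark-connection fires on the first packet of a connection; every later packet,
        # in either direction, inherits the mark from the conntrack entry
        if pkt.conn_id not in self.conntrack:
            self.conntrack[pkt.conn_id] = self.conn_mark_by_iface.get(pkt.in_iface)
        conn_mark = self.conntrack[pkt.conn_id]
        # model assumption: routing is marked only for packets that did not enter on a WAN
        # interface, so the inbound packet itself is still delivered to the LAN
        if conn_mark is None or pkt.in_iface in self.wan_ifaces:
            return None
        return self.route_mark_by_conn.get(conn_mark)

    @staticmethod
    def longest_match(table: List[Tuple[str, str]], dst: str) -> Optional[str]:
        addr, best = ipaddress.ip_address(dst), None
        for prefix, gw in table:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None

    def route(self, pkt: Packet) -> Optional[str]:
        mark = self.mangle(pkt)
        if mark is not None:
            gw = self.longest_match(self.tables.get(mark, []), pkt.dst)
            if gw is not None:
                return gw
        # no routing mark, or nothing matched in the marked table: fall back to main
        return self.longest_match(self.tables["main"], pkt.dst)


def build_router(with_mangle: bool) -> Router:
    conn = {"ether1-gateway": "ISP1_con", "ether2-gateway": "ISP2_con"} if with_mangle else {}
    rmark = {"ISP1_con": "ISP1_route", "ISP2_con": "ISP2_route"} if with_mangle else {}
    tables = {
        # constructed: main's default route points at ISP2, e.g. a DHCP default route
        # from the second ISP that wins over the first ISP's static route
        "main": [("0.0.0.0/0", "ISP2"), ("10.0.0.0/16", "lan")],
        "ISP1_route": [("0.0.0.0/0", "ISP1")],
        "ISP2_route": [("0.0.0.0/0", "ISP2")],
    }
    return Router(("ether1-gateway", "ether2-gateway"), conn, rmark, tables)


def inbound_then_reply(with_mangle: bool) -> Tuple[Optional[str], Optional[str]]:
    """Where the inbound packet and the server's reply are sent for one dst-nat'd connection."""
    r = build_router(with_mangle)
    # 1. a client on the Internet reaches the server through ISP1; after dst-nat the
    #    destination is the internal server, so the packet goes to the LAN
    first_hop = r.route(Packet("ether1-gateway", "10.0.0.5", "conn-1"))
    # 2. the server's reply enters from the LAN and belongs to the same connection
    reply_hop = r.route(Packet("ether2-master", "203.0.113.7", "conn-1"))
    return first_hop, reply_hop


def lan_originated(with_mangle: bool) -> Optional[str]:
    """A connection opened from the LAN has no WAN connection mark and follows main."""
    r = build_router(with_mangle)
    return r.route(Packet("ether2-master", "198.51.100.9", "conn-2"))


if __name__ == "__main__":
    print("with mangle:   ", inbound_then_reply(True))    # ('lan', 'ISP1')
    print("without mangle:", inbound_then_reply(False))   # ('lan', 'ISP2')
```

With the marks in place the reply leaves through ISP1, the link the request came in on; without them it follows main's default route out of ISP2 and never reaches the client, which is the "lost all inbound connections" symptom once a second default route takes over.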

Many thanks! Does this also work when you do load balancing and failover?

Yes, it works.

hi devi1… Mind if I ask for more help?

I have done that, but the moment I activate my second ISP (it’s a cable connection, so I activate the DHCP client) I lose all inbound connections and my outbound becomes very slow and erratic.

When I activate the second ISP (NO inbound connections), my config is:

may/04/2016 11:54:57 by RouterOS 6.35.1

/ip address
add address=10.0.0.2/16 comment=defconf interface=ether2-master network=10.0.0.0
add address=190.2.50.113 interface=ether1-Iplan network=190.2.50.114

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether5-Fibertel

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=ether1-Iplan new-connection-mark=ISP1_con passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1_con new-routing-mark=ISP1_route passthrough=no
add action=mark-routing chain=output connection-mark=ISP1_con new-routing-mark=ISP1_route passthrough=no
add action=mark-connection chain=prerouting in-interface=ether5-Fibertel new-connection-mark=ISP2_con passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_con new-routing-mark=ISP2_route passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_con new-routing-mark=ISP2_route passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-Iplan
add action=masquerade chain=srcnat out-interface=ether5-Fibertel
add action=dst-nat chain=dstnat comment=FSI dst-port=3050 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.5 to-ports=3050
add action=dst-nat chain=dstnat comment=FTP dst-port=20-22 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.5 to-ports=20-22
add action=dst-nat chain=dstnat dst-port=9000-9999 in-interface=ether1-Iplan protocol=tcp to-addresses=10.0.0.5 to-ports=9000-9999

/ip route
add distance=1 gateway=ether1-Iplan routing-mark=ISP1_route
add distance=1 gateway=ether5-Fibertel routing-mark=ISP2_route
add distance=1 gateway=190.2.50.114

I also get the following:

/ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     10.0.0.2/16        10.0.0.0        ether2-master
 1   190.2.50.113/32    190.2.50.114    ether1-Iplan
 2 D 181.28.66.204/24   181.28.66.0     ether5-Fibertel


/ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  0.0.0.0/0                          ether1-Iplan              1
 1 X S  0.0.0.0/0                          ether5-Fibertel           1
 2 ADS  0.0.0.0/0                          181.28.66.1               0
 3   S  0.0.0.0/0                          190.2.50.114              1
 4 ADC  10.0.0.0/16        10.0.0.2        bridge                    0
 5 ADC  181.28.66.0/24     181.28.66.204   ether5-Fibertel           0
 6 ADC  190.2.50.114/32    190.2.50.113    ether1-Iplan              0

Thanks a lot!!

rbullrich,
I think that

/ip route
add distance=1 gateway=190.2.50.114 routing-mark=ISP1_route
add distance=1 gateway=ether5-Fibertel routing-mark=ISP2_route


because your gateway on ether1 is 190.2.50.114.

If this does not help you, please attach a network schema.

Sorry for my English =)
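A practical way to catch the mismatch devi1 points at (a routing mark used in mangle whose route has an interface name rather than a next-hop IP as gateway) is to check the export mechanically. The following is an added example, not code from the thread or from MikroTik: it parses the relevant `/ip firewall mangle` and `/ip route` lines of a RouterOS export and reports, for every routing mark, whether a route carries it and whether that route's gateway is an IP address. The two embedded exports are constructed from rbullrich's posted config and from devi1's suggested `/ip route` lines; the check flags interface-name gateways for review on every mark, so it also reports the ISP2 route that devi1 left unchanged.

```python
# Added example: consistency check for routing marks in a RouterOS export (not MikroTik code).
import ipaddress
import re
from typing import Dict, List

# constructed from the mangle and route sections posted earlier in the thread
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=ether1-Iplan new-connection-mark=ISP1_con passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1_con new-routing-mark=ISP1_route passthrough=no
add action=mark-connection chain=prerouting in-interface=ether5-Fibertel new-connection-mark=ISP2_con passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_con new-routing-mark=ISP2_route passthrough=no
/ip route
add distance=1 gateway=ether1-Iplan routing-mark=ISP1_route
add distance=1 gateway=ether5-Fibertel routing-mark=ISP2_route
add distance=1 gateway=190.2.50.114
"""

# constructed: the same mangle section with devi1's suggested /ip route lines
FIXED_EXPORT = SAMPLE_EXPORT.split("/ip route")[0] + """/ip route
add distance=1 gateway=190.2.50.114 routing-mark=ISP1_route
add distance=1 gateway=ether5-Fibertel routing-mark=ISP2_route
"""

# key=value pairs; values may be quoted strings containing spaces (e.g. comments)
_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group 'add ...' lines under their '/section' heading as dicts of properties."""
    section, rules = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            rules.setdefault(section, [])
        elif line.startswith("add ") and section:
            rules[section].append({k: v.strip('"') for k, v in _KV.findall(line[4:])})
    return rules


def routing_mark_issues(rules: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """One message per routing mark that has no route or whose gateway is not an IP."""
    marks = {r["new-routing-mark"] for r in rules.get("/ip firewall mangle", [])
             if r.get("action") == "mark-routing" and "new-routing-mark" in r}
    routes = rules.get("/ip route", [])
    issues = []
    for mark in sorted(marks):
        matching = [r for r in routes if r.get("routing-mark") == mark]
        if not matching:
            issues.append(f"{mark}: no route carries this routing-mark")
        for r in matching:
            gw = r.get("gateway", "")
            try:
                ipaddress.ip_address(gw)
            except ValueError:
                issues.append(f"{mark}: gateway '{gw}' is an interface name, not a next-hop IP")
    return issues


if __name__ == "__main__":
    for name, text in (("posted config", SAMPLE_EXPORT), ("devi1's suggestion", FIXED_EXPORT)):
        print(name)
        for issue in routing_mark_issues(parse_export(text)) or ["  no issues"]:
            print("  " + issue)
```

Run against the posted config it reports both marked routes; with devi1's change only the ISP2 route is still flagged, which is the next thing to look at if inbound traffic over the cable link is expected to work too.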