Can't port forward after Load Balance

Dear all, after successfully setting up my CRS109 to load balance 4 WANs, I have found myself in a bump. The thing is that I'm using 4 DDNS services together and I want to port forward a specific internal IP to a specific DDNS that is bound to a WAN, but with no success.

I'm using the following configuration.

Any ideas…

4WAN PPPOE LOAD BALANCE




/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.15.255 interface=Local
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out3
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out4
/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=pppoe-out1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out3 new-connection-mark=wan3_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out4 new-connection-mark=wan4_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan3_conn disabled=no new-routing-mark=to_wan3 passthrough=yes
add action=mark-routing chain=output connection-mark=wan4_conn disabled=no new-routing-mark=to_wan4 passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3
add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no in-interface=Local new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no in-interface=Local new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan3_conn disabled=no in-interface=Local new-routing-mark=to_wan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan4_conn disabled=no in-interface=Local new-routing-mark=to_wan4 passthrough=yes
add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2
add action=accept chain=prerouting disabled=no in-interface=pppoe-out3
add action=accept chain=prerouting disabled=no in-interface=pppoe-out4
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=to_wan3 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out4 routing-mark=to_wan4 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=pppoe-out4 scope=30 target-scope=10
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4

Add a mangle rule marking route so that traffic from that IP/port gets route-marked to the desired WAN.

Can you set an example if possible?


Thanks for taking the time to reply.

Let’s suppose you want to port forward 192.168.1.180 port tcp 80 (a web server) through WAN2, you want to make sure responses from the web server always go through WAN2:

[...]
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_conn passthrough=no protocol=tcp src-address=192.168.1.180 src-port=80

add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
[...]
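
An added example, not part of any post in this thread and not any poster's configuration: one common way to keep replies for a forwarded connection on the WAN it arrived on is to mark the connection as it enters through that WAN and let PCC classify only connections that carry no mark yet. It reuses the interface, mark and routing-mark names from the first post and the 192.168.1.180 port 80 server from the reply above; the rule order and the generalization to all four WANs are assumptions.

```routeros
# Added example (assumed rule order; names taken from the thread).

/ip firewall nat
# Publish the web server only on WAN2.
add chain=dstnat action=dst-nat in-interface=pppoe-out2 protocol=tcp dst-port=80 to-addresses=192.168.1.180 to-ports=80

/ip firewall mangle
# 1. Record the arrival WAN on every new inbound connection.
#    Mangle prerouting runs before dst-nat, so forwarded traffic is covered,
#    unlike the chain=input rules, which only see traffic to the router itself.
add chain=prerouting action=mark-connection in-interface=pppoe-out1 connection-mark=no-mark new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=pppoe-out2 connection-mark=no-mark new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=pppoe-out3 connection-mark=no-mark new-connection-mark=wan3_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=pppoe-out4 connection-mark=no-mark new-connection-mark=wan4_conn passthrough=yes

# 2. PCC rules from the first post, with one change: connection-mark=no-mark.
#    Replies from the server belong to an already marked connection, so PCC
#    no longer re-hashes them onto a different WAN.
add chain=prerouting action=mark-connection in-interface=Local dst-address-type=!local connection-mark=no-mark new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
add chain=prerouting action=mark-connection in-interface=Local dst-address-type=!local connection-mark=no-mark new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
add chain=prerouting action=mark-connection in-interface=Local dst-address-type=!local connection-mark=no-mark new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2
add chain=prerouting action=mark-connection in-interface=Local dst-address-type=!local connection-mark=no-mark new-connection-mark=wan4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3

# 3. The mark-routing rules for in-interface=Local and the routing-mark routes
#    from the first post stay as they are; they now act on the inbound mark too.

# Check: after connecting from outside through WAN2, the tracked connection
# should carry wan2_conn.
/ip firewall connection print detail where connection-mark=wan2_conn
```

Limiting the dst-nat rule to one in-interface keeps the service exposed on a single WAN address instead of all four.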

Thanks a lot, I will test it tomorrow morning and post back. Thanks again for everything

Seems to be missing something here

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LOCAL_NETWORK new-connection-mark=WAN_2_conn passthrough=no protocol=tcp src-address=192.168.10.64 src-port=32400

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LOCAL_NETWORK new-connection-mark=WAN_1_conn per-connection-classifier=both-addresses-and-ports:4/0

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LOCAL_NETWORK new-connection-mark=WAN_2_conn per-connection-classifier=both-addresses-and-ports:4/1

add action=dst-nat chain=dstnat dst-port=32400 in-interface=WAN_2 protocol=tcp to-addresses=192.168.10.64 to-ports=32400

What do you mean?

I can't make it work. Am I doing something wrong!!! Mind buster :)

Edit:

I have used this one and it's working, but I have a 4-second delay until it goes through. Now I'm missing the NAT command to make it public via WAN_4.

/ ip route
add check-gateway=ping distance=1 dst-address=192.168.10.64/32 gateway=WAN_2 routing-mark=to_WAN_4

/ ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/20 new-routing-mark=to_WAN_4 src-address=192.168.10.64

/ ip firewall nat
add action=src-nat chain=srcnat routing-mark=to_WAN_4 to-addresses=192.168.10.64

Why are you setting gateway=WAN2 when route mark is WAN4?

very simple.

/ip firewall filter
add action=accept chain=forward disabled=no dst-address="wan ip" dst-port=80 protocol=tcp

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1234 in-interface="interface name" protocol=tcp to-addresses="server ip" to-ports=80

That’s because the specified IP address uses WAN 4’s public IP address.

Thanks mate, I will try and report back.

I understand all the code in the load balancing script, but I can't figure out what these lines are used for and why they are needed.

add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2
add action=accept chain=prerouting disabled=no in-interface=pppoe-out3
add action=accept chain=prerouting disabled=no in-interface=pppoe-out4