Hi all,
I am struggling with this problem so I would appreciate some help.
My setup is shown in the picture below:
I have an HTTP server in private address space (DMZ) and two incoming internet connections. I want to make HTTP on the internal server accessible through both links. The default route is through ISP1; using policy routing I am able to return packets incoming through the ISP2 link. However, when I set up dst-nat for port 80, it only works for ISP1; I cannot reach HTTP on the internal server through ISP2.
This is what I did so far:
/ip firewall mangle
add chain=input in-interface=ether2 action=mark-connection new-connection-mark=ISP2_conn
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.0.2.1
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.10.5 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether2 protocol=tcp to-addresses=192.168.10.5 to-ports=80
I've tried to include the forward chain in the mangle rules, but with no success.
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether1 new-connection-mark=ISP1_conn passthrough=no
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether2 new-connection-mark=ISP2_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1_conn disabled=no new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_conn disabled=no new-routing-mark=to_ISP2 passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_ISP1
What did I do wrong or what did I miss?
Thank you.

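Added example, not part of the original post and not a quote of any reply: a RouterOS v6 mangle/route/NAT layout for the dual-WAN inbound case described above, with the one property the second attempt lacks, namely that the routing mark is applied only to packets returning from the DMZ and never to packets arriving from a WAN interface. It reuses the post's addresses (ether1 = ISP1 via 192.0.2.1, ether2 = ISP2 via 198.51.100.1, web server 192.168.10.5) and assumes the DMZ hangs off ether3; that interface name and the v6 `routing-mark` syntax are assumptions.

```routeros
/ip firewall mangle
# Tag each new inbound connection with the WAN it arrived on. prerouting
# sees the packet before dst-nat and before the routing decision, so this
# covers both traffic to the router (input) and dst-nat'd traffic (forward).
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# Routing mark ONLY for packets coming back from the DMZ (ether3 is an
# assumption). A mark-routing rule without in-interface would also hit the
# inbound dst-nat'd request: its route lookup would then happen in the
# to_ISP2 table, whose only entry is the default via 198.51.100.1, so the
# request is sent back out to the internet instead of to 192.168.10.5.
add chain=prerouting in-interface=ether3 connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting in-interface=ether3 connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no

# Replies generated by the router itself (management, ping) go back the
# way they came in.
add chain=output connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2

/ip route
# One table per WAN, selected by routing mark; the unmarked default via ISP1
# stays as in the post for everything the DMZ originates.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_ISP1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_ISP2
add dst-address=0.0.0.0/0 gateway=192.0.2.1

/ip firewall nat
# Same port forward on each WAN; bound to the ingress interface so that a
# packet arriving on one link is never translated because of the other.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.5 to-ports=80
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.5 to-ports=80

/ip firewall filter
# Minimal forward policy for the DMZ: only what dstnat translated above may
# enter from a WAN, everything else from the WANs is dropped.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.10.5 dst-port=80 action=accept
add chain=forward in-interface=ether1 action=drop
add chain=forward in-interface=ether2 action=drop
```

To check that the marks land where intended, connect to the ISP2 address from outside and watch `/ip firewall mangle print stats`: the ether2 mark-connection counter and the ether3 mark-routing counter for ISP2_conn should both increase, while `/ip firewall connection print` shows the connection with `connection-mark=ISP2_conn`. If the dst-nat'd request itself ever picks up a routing mark, the symptom is exactly the one in the post: ISP1 works, ISP2 times out.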