dst-nat possibly assymetrical

RouterOS General
1

Hi

I just configured a 2011 mikrotik with load balancing/PCC with 2 WAN connections (one PPPOE and 1 Cable modem DHCP), and everything is
working fine from a load balancing point of view (going out to the Internet) apart from a strange problem with dst-nat.

As you can see from the config below, i am doing a few port redirects to internal hosts using dst-nat.

I am running tcpdump on the internal host(s) and I can see my external connection coming in and hitting the host everytime.

Hoewever, from to time the time, the reply from the internal host (SYN/ACK) does not get back to the Internet located hosts that initiated the connection.

My suspicion is that there is some sort of asymetrical routing happening on the way back sometimes, which leads to the packet being dropped.

When I disconnect my WAN2 connection, the problem disappears…

Anyone could help please, would be appreciated.

Thanks

Config below


ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=172.20.210.1/24 network=172.20.210.0 interface=LAN actual-interface=LAN

1 D address=999.999.154.38/22 network=999.999.152.0 interface=WAN2 actual-interface=WAN2

2 D address=888.888.69.180/32 network=666.666.145.224 interface=WAN_1 actual-interface=WAN_1




/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=WAN_1 gateway-status=WAN_1 reachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_wan1

1 A S dst-address=0.0.0.0/0 gateway=999.999.152.1 gateway-status=999.999.152.1 reachable via WAN2 check-gateway=ping distance=1 scope=30 target-scope=10
routing-mark=to_wan2

2 A S ;;; Force BT connection
dst-address=0.0.0.0/0 gateway=WAN_1 gateway-status=WAN_1 reachable check-gateway=ping distance=5 scope=30 target-scope=10 routing-mark=force_BT

3 A S dst-address=0.0.0.0/0 gateway=WAN_1 gateway-status=WAN_1 reachable check-gateway=ping distance=1 scope=30 target-scope=10

4 S ;;; test distance
dst-address=0.0.0.0/0 gateway=999.999.152.1 gateway-status=999.999.152.1 reachable via WAN2 check-gateway=ping distance=2 scope=30 target-scope=10

5 ADC dst-address=999.999.152.0/22 pref-src=999.999.154.38 gateway=WAN2 gateway-status=WAN2 reachable distance=0 scope=10

6 ADC dst-address=172.20.210.0/24 pref-src=172.20.210.1 gateway=LAN gateway-status=LAN reachable distance=0 scope=10

7 ADC dst-address=666.666.145.224/32 pref-src=888.888.69.180 gateway=WAN_1 gateway-status=WAN_1 reachable distance=0 scope=10



/ip firewall export

[admin@MikroTik] > /ip firewall export

jan/02/1970 02:16:22 by RouterOS 5.24

software id = BIL3-3746

/ip firewall address-list
add address=172.20.210.0/24 disabled=no list=management-servers
add address=172.20.210.14 disabled=no list=BT_forced_hosts
add address=172.20.210.132 disabled=no list=BT_forced_hosts
add address=172.20.210.10 disabled=no list=BT_forced_hosts
add address=172.20.210.153 disabled=no list=BT_forced_hosts
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=
10s
/ip firewall filter
add action=accept chain=input disabled=no dst-port=21,22,23,53,80,443,2000,8291 in-interface=LAN protocol=tcp src-address-list=management-servers
add action=drop chain=input disabled=no dst-port=“” in-interface=WAN_1 protocol=tcp
add action=drop chain=input disabled=no dst-port=“” in-interface=WAN2 protocol=tcp
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=input connection-state=invalid disabled=no
/ip firewall mangle
add action=mark-connection chain=input disabled=yes in-interface=WAN_1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input disabled=yes in-interface=WAN2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=wan1_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment=“Mark Forced BT connection” disabled=no dst-address-type=!local new-connection-mark=forced_BT_connection
passthrough=yes src-address-list=BT_forced_hosts
add action=mark-routing chain=prerouting comment=“Route Forced BT connection” connection-mark=forced_BT_connection disabled=no in-interface=LAN
new-routing-mark=force_BT passthrough=no
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=wan2_conn passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no in-interface=LAN new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no in-interface=LAN new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting comment=test disabled=no in-interface=WAN_1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting comment=test2 disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN_1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=dst-nat chain=dstnat comment=Newznab disabled=no dst-port=60501 in-interface=WAN_1 protocol=tcp to-addresses=172.20.210.153
add action=dst-nat chain=dstnat comment=“Openvpn BT” disabled=no dst-port=80 in-interface=WAN_1 protocol=tcp to-addresses=172.20.210.151 to-ports=444
add action=dst-nat chain=dstnat comment=“Adito VPN BT” disabled=no dst-port=443 in-interface=WAN_1 protocol=tcp to-addresses=172.20.210.151 to-ports=443
add action=dst-nat chain=dstnat comment=“Adito VPN Virgin” disabled=no dst-port=443 in-interface=WAN2 protocol=tcp to-addresses=172.20.210.151 to-ports=443
add action=dst-nat chain=dstnat comment=“Openvpn Virgin” disabled=no dst-port=80 in-interface=WAN2 protocol=tcp to-addresses=172.20.210.151 to-ports=444
add action=dst-nat chain=dstnat comment=“SSH To VPN server” disabled=no dst-port=64531 in-interface=WAN_1 protocol=tcp to-addresses=172.20.210.151 to-ports=22
add action=dst-nat chain=dstnat comment=“SSH To Raspberry server” disabled=no dst-address-type=“” dst-port=64533 in-interface=WAN_1 protocol=tcp to-addresses=
172.20.210.125 to-ports=22
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no