Dstnat issue on 1 ISP but not the other.

MLubbe · January 6, 2017, 7:19am

Good day,

We used to have 4 ISP connections now currently have only 2 connections in, and 1 LAN out as follows:
LAN | [Gateway IP : 192.168.10.1/24] Connected LAN to ether5 on RB2011.
ISP 1 | SXT 5 AC (WISP, Static Public IP) - DMZ [192.168.4.1 > 192.168.4.2] Connected ISP 1 to ether4 on RB2011.
ISP 2 | TP-Link TD-W9970 (Axxess ADSL, Dynamic Public IP) - DMZ [192.168.3.1 > 192.168.3.2] Connected ISP 2 to ether3 on RB2011.

When I test port forwarding through ISP 1, both forwarded and input (58291) ports work perfectly. However, when I try through ISP 2 it hits both my firewall filter accept rule, as well as the DSTNAT rule, but it is as if the response differs. When I setup PPPoE to dial out from the the mikrotik, the port forwarding works correctly however it is required for another network to make use of the ISP 2 connection directly through the DSL router.

/ip firewall address-list
add address=192.168.1.0/24 list=Connected
add address=192.168.2.0/24 list=Connected
add address=192.168.3.0/24 list=Connected
add address=192.168.4.0/24 list=Connected
add address=192.168.10.0/24 list=Connected
add address=192.168.10.0/24 list=LAN
add address=192.168.10.2-192.168.10.49 list=Office
add address=192.168.10.50-192.168.10.200 list=Other
add address=192.168.10.254 list=PBX
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=accept chain=input comment="Accepts LAN Traffic in on LAN interface" \
    in-interface=ether5 src-address=192.168.10.0/24
add action=accept chain=input comment=\
    "Accepts Established & Related Connections" connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment=\
    "Accepts ICMP / Ping inbound on all interfaces" protocol=icmp
add action=accept chain=forward comment="Accept DSTNAT" connection-nat-state=\
    dstnat
add action=accept chain=input connection-nat-state=dstnat
add action=accept chain=output connection-nat-state=dstnat
add action=accept chain=input comment="Accept VOIP SIP Signaling [Register]" \
    dst-port=5060 protocol=udp
add action=accept chain=input comment="Accept VOIP RTP Media Ports [Audio]" \
    dst-port=10000-12000 protocol=udp
add action=accept chain=input comment="Accepts Winbox in on all interfaces" \
    dst-port=58291 protocol=tcp
add action=drop chain=input comment=\
    "Drops other traffic destined for WAN interface" in-interface=ether1
add action=drop chain=input in-interface=ether2
add action=drop chain=input in-interface=ether3
add action=drop chain=input in-interface=ether4
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=accept chain=prerouting comment="Accept LAN->LAN/WAN traffic" \
    dst-address-list=Connected src-address-list=Connected
add action=mark-packet chain=prerouting comment="Accept LAN->LAN/WAN traffic" \
    dst-address-list=!Connected new-packet-mark=internet_traffic passthrough=\
    yes src-address-list=LAN
add action=mark-connection chain=input comment=\
    "Marks new WAN->Router connections inbound" connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether3 new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether4 new-connection-mark=WAN4_conn passthrough=yes
add action=mark-routing chain=output comment=\
    "Marks Router->WAN responses outbound" connection-mark=WAN1_conn \
    new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=WAN3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4_conn \
    new-routing-mark=WAN4 passthrough=no
add action=mark-connection chain=forward comment=\
    "Marks new WAN->LAN connections inbound" connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=\
    ether2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=\
    ether3 new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=\
    ether4 new-connection-mark=WAN4_conn passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark LAN->WAN responses outbound" connection-mark=WAN1_conn \
    new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    new-routing-mark=WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    new-routing-mark=WAN3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
    new-routing-mark=WAN4 passthrough=no
add action=mark-connection chain=prerouting comment=\
    "Marks LAN->WAN Connections" connection-mark=no-mark dst-address-list=\
    !Connected dst-address-type=!local new-connection-mark=LAN->WAN \
    src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load-Balancing Rule" \
    connection-mark=LAN->WAN new-routing-mark=ISP4_Route src-address-list=LAN
add action=mark-connection chain=prerouting comment="Marks Sticky Connections" \
    connection-mark=LAN->WAN new-connection-mark=Sticky_ISP1 routing-mark=\
    ISP1_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_ISP2 routing-mark=ISP2_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_ISP3 routing-mark=ISP3_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
    new-connection-mark=Sticky_ISP4 routing-mark=ISP4_Route
add action=mark-routing chain=prerouting comment="Marks Sticky Routes" \
    connection-mark=Sticky_ISP1 new-routing-mark=ISP1_Route src-address-list=\
    LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_ISP2 \
    new-routing-mark=ISP2_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_ISP3 \
    new-routing-mark=ISP3_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_ISP4 \
    new-routing-mark=ISP4_Route src-address-list=LAN
/ip firewall nat
add action=accept chain=srcnat comment="Accept LAN to LAN Traffic" \
    dst-address-list=LAN src-address-list=LAN
add action=accept chain=dstnat comment="Keep Winbox on Mikrotik" dst-port=58291 \
    protocol=tcp
add action=redirect chain=dstnat comment=\
    "Redirect default Winbox Port for easier access from LAN" dst-address=\
    192.168.10.1 dst-address-type=local dst-port=8291 in-interface=ether5 \
    protocol=tcp to-ports=58291
add action=dst-nat chain=dstnat comment="Camera" dst-port=81 \
    in-interface=!ether5 protocol=tcp to-addresses=192.168.10.251 to-ports=81
add action=dst-nat chain=dstnat comment=PBX dst-port=83 in-interface=!ether5 \
    protocol=tcp to-addresses=192.168.10.254 to-ports=83
add action=dst-nat chain=dstnat comment="SRV RDP" dst-port=53389 \
    in-interface=!ether5 protocol=tcp to-addresses=192.168.10.13 to-ports=3389
add action=dst-nat chain=dstnat comment="DVR HTTP" dst-port=8080 in-interface=\
    !ether5 protocol=tcp to-addresses=192.168.10.250 to-ports=8080
add action=dst-nat chain=dstnat comment="DVR Stream" dst-port=37777 \
    in-interface=!ether5 protocol=tcp to-addresses=192.168.10.250 to-ports=\
    37777
add action=masquerade chain=srcnat comment="Src-Nat out Connections" \
    out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat comment="Masquerade out LAN" dst-address=\
    192.168.10.0/24 log=yes out-interface=ether5 src-address=!192.168.10.0/24 \
    to-addresses=192.168.1.2
add action=masquerade chain=srcnat disabled=yes
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=58291
set api-ssl disabled=yes

MLubbe · September 7, 2017, 8:21pm

After troubleshooting the problem for a couple of hours, I found the the reply’s were being routed out my default route, and therefore breaking the TCP connections.

Managed to resolve the issue by:

Marking new connections in on WAN1 with “WAN1_conn”
Marking new connections in on WAN2 with “WAN2_conn”
Marking routing marks for reply traffic based on the connection marks (In on LAN interface & output)
Create Routes for WAN1 & WAN2 Respectively.