Dual WAN & DNAT

Hi all.
I am willing to test a dual WAN setup as per the “Failover (dual WAN)” wiki.
I don’t know whether this configuration allows for DNAT to reach a server from any of the available WANs.
How does that part work?

P.S.
I am on latest v7.11.2

Let's be clear.
You have two WANs.
You want to use WAN1 as primary for all outgoing LAN traffic and WAN2 as secondary using recursive routing etc.

However, although WAN1 is primary, you have external users coming in to servers and you want them to use WAN2 instead?

Without such details, hard to assist.

Thanks for your attention and your patience. :wink:
I would like to use “failover wan” for outbound traffic, let’s say WAN1 master and WAN2 backup,
and I would like to be able to use both WANs for inbound traffic (TCP connections coming from the internet to an internal server).

I can imagine I need a NAT rule for each WAN both pointing at the same LAN host (where the server sits).

Correct, most people use DYNDNS name to point to a specific WAN connection for external users.
In your case you will need to mangle to ensure the traffic for those users goes out the same WAN it came in on.
Modify the fasttrack rule so that all other traffic can still use it.

{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark

as for mangling rules… basically need
/ip firewall mangle
{ handle traffic originating outside router to ensure return traffic goes out same WAN }
{ connection-state=new is required so that replies to LAN-originated connections arriving on a WAN are not marked }
add action=mark-connection chain=prerouting connection-state=new connection-mark=no-mark new-connection-mark=incoming-ISP1 passthrough=yes in-interface=ether1 comment=WAN1
add action=mark-connection chain=prerouting connection-state=new connection-mark=no-mark new-connection-mark=incoming-ISP2 passthrough=yes in-interface=ether2 comment=WAN2
{ replies from the DNAT'd LAN server enter the router on the LAN interface and are forwarded, so they pass prerouting, never output; LAN-interface is a placeholder for your LAN port or bridge }
add action=mark-routing chain=prerouting in-interface=LAN-interface connection-mark=incoming-ISP1 new-routing-mark=use-ISP1 passthrough=no
add action=mark-routing chain=prerouting in-interface=LAN-interface connection-mark=incoming-ISP2 new-routing-mark=use-ISP2 passthrough=no
{ only replies generated by the router itself (its own services) go through the output chain }
add action=mark-routing chain=output connection-mark=incoming-ISP1 new-routing-mark=use-ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=incoming-ISP2 new-routing-mark=use-ISP2 passthrough=no


In your IP routes you will need additional IP routes for each WAN using the routing-table=use-ISP1 and routing-table=use-ISP2 respectively.
/routing table
add fib name=use-ISP1
add fib name=use-ISP2
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip routing-table=use-ISP1
add dst-address=0.0.0.0/0 gateway=ISP2-gateway-ip routing-table=use-ISP2
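As an added example (not posted in this thread), the NAT and filter side of the setup in RouterOS v7 syntax: one dst-nat rule per WAN interface, both translating to the same LAN host, a masquerade rule per WAN, and the fasttrack rule restricted to unmarked connections so that marked inbound connections still reach the mangle rules. It assumes the use-ISP1/use-ISP2 tables and the prerouting mangle rules from the reply above are already in place, that ether1/ether2 are WAN1/WAN2, and that 192.168.88.10 and port 443 are placeholders for the internal server.

```routeros
# Added example, not from the thread. Assumes the use-ISP1/use-ISP2 routing tables and
# the prerouting mangle rules already exist. ether1 = WAN1, ether2 = WAN2;
# 192.168.88.10:443 is a placeholder for the internal server.

/ip firewall nat
# One dst-nat rule per WAN, both pointing at the same LAN host. Matching on the arrival
# interface rather than on the public address keeps the rules valid if a WAN address changes.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=443 comment="WAN1 -> server"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=443 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=443 comment="WAN2 -> server"
# Source NAT per WAN, so outbound LAN traffic is masqueraded with whichever WAN it leaves on.
add chain=srcnat out-interface=ether1 action=masquerade comment="masq WAN1"
add chain=srcnat out-interface=ether2 action=masquerade comment="masq WAN2"

/ip firewall filter
# Fasttrack only unmarked connections: fasttracked packets bypass mangle, so a connection
# marked incoming-ISP1/incoming-ISP2 must stay on the normal path to receive its routing mark.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
# Admit only new connections that were DNAT'd, from either WAN; drop every other new
# connection arriving from the WAN side.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 comment="allow DNAT via WAN1"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=ether2 comment="allow DNAT via WAN2"
add chain=forward action=drop connection-state=new in-interface=ether1 \
    comment="drop other new from WAN1"
add chain=forward action=drop connection-state=new in-interface=ether2 \
    comment="drop other new from WAN2"
```

To verify the return path, open a connection to the server through each WAN and check /ip firewall connection for the expected connection mark, then /ip firewall mangle counters for the matching mark-routing rule.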

In your case you will need to mangle to ensure the traffic for those users goes out the same WAN it came in on.

TRUE!
I will post my results as soon as I get a chance to do it.
Thanks again.

The wiki example seems to have some errors in it…
As far as the recursive goes, no need to do both WANs, just on the primary.
The reason is if the primary is not available, there is no other option but to go to secondary.

/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=PrimaryISP-gatewayIP scope=11 target-scope=11
add comment=SecondaryISP distance=5 dst-address=0.0.0.0/0 gateway=SecondaryISP-gatewayIP scope=10 target-scope=30

Is all you really need.
This basically checks an external DNS server IP to see if it's reachable, to prove that the Primary is a good route to use.
If it's not reachable the router will use the Secondary ISP until the Primary comes back online.
In your case you will also need the additional routes

add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=PrimaryISP-gatewayIP scope=11 target-scope=11
add comment=SecondaryISP distance=5 dst-address=0.0.0.0/0 gateway=SecondaryISP-gatewayIP scope=10 target-scope=30
++++++++++++++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip routing-table=use-ISP1
add dst-address=0.0.0.0/0 gateway=ISP2-gateway-ip routing-table=use-ISP2

It looks like the NAT part of the setup isn’t quite there.
While “direct” links work fine, I have no idea on how to make the “dual” NAT work.