I have a dual WAN setup with load balancing and an FTP server on my local PC. When I try to access it from outside the router it doesn't work, but as soon as I disable WAN1 everything works perfectly.
Check your mangle rules. It should, I believe, look like this. Your mangle was missing the forward chain.
Remember the order is important: prerouting - input - forward - output
FTP is not firewall-friendly by itself and adding two WANs does not help. What you need, if it’s server accessible using both WANs, and if it should work with all possible configurations, is close to impossible. With some compromises (e.g. server accessible only using one WAN, or just “good old” plaintext FTP without any encryption) it could be better.
True, the order of rules is important, but not like this. The router processes only one table at a time, so if you have rules in tables A, B and C, the order of rules (as you see in WinBox/WebFig/CLI) can be “B1 A1 C1 C2 A2 B2 B3 C3” or “A1 A2 B1 B2 B3 C1 C2 C3” and it will make no difference. The latter is better only for the user, because it’s more readable (IMHO). Also, a packet will never take the path prerouting-input-forward-output. It will be either prerouting-forward-postrouting or prerouting-input for incoming ones, or output-postrouting for outgoing (plus src/dstnat for first packets of each connection).
Can you try disabling your PCC rules, as these could be marking traffic incorrectly, i.e. incoming traffic will not go out the same connection it came in on because the traffic is being marked before it reaches other rules?
I wanted to do some tests, but I didn’t find time for it…
You need to start with marking incoming connections. You already do it for connections to router, but not for forwarded ones. Just move it from input to prerouting and it will cover both:
Then you need to make sure that your PCC rules won’t rewrite existing connection marks, so add connection-mark=no-mark to all of them. With these steps, the main control connection will work ok.
The next step is data connections. If you use unencrypted FTP (not the best idea), it might just work (I’m not sure, that’s what I wanted to test). Otherwise you need to identify data connections and send them the right way. I don’t think there’s a way to make it work with dual WANs without the server specifically supporting that. So you need to put other rules before your PCC ones to mark FTP data connections:
Active data connections from server to client should use source port 20:
Passive data connections don’t have any specific defining features. But they are generally more important, because they are better for clients. So you need manual config. Tell your server to only use a selected port range and the right public address (you need to set both somewhere in server config). Then forward the required ports, e.g.:
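
The steps from the post above, put together as an added example that is not part of the original thread or the poster's own configuration. It takes the "server accessible only using one WAN" compromise mentioned earlier and pins FTP to WAN1. The interface names, connection-mark names, server address and passive port range are all assumptions.

```routeros
# Added example. Assumed names: WAN interfaces ether1-WAN1 / ether2-WAN2,
# LAN bridge "bridge", FTP server 192.168.88.10, passive range 50000-50100.
# The existing mark-routing rules and per-WAN routes that act on
# WAN1_conn / WAN2_conn are assumed to be in place already.

/ip firewall mangle
# 1. Mark connections by the WAN they arrived on. Prerouting covers both
#    traffic to the router itself and forwarded traffic.
add chain=prerouting in-interface=ether1-WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=ether2-WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

# 2. Active-mode data connections (server to client, source port 20).
#    Placed before the PCC rules and pinned to WAN1.
add chain=prerouting in-interface=bridge src-address=192.168.88.10 \
    protocol=tcp src-port=20 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes

# 3. PCC rules only touch connections that carry no mark yet, so they
#    cannot overwrite the marks set in steps 1 and 2.
add chain=prerouting in-interface=bridge dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=bridge dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

/ip firewall nat
# 4. Forward the control port and the passive range on WAN1 only. The
#    FTP server must be configured to use this same port range and to
#    advertise the WAN1 public address in its passive replies.
add chain=dstnat in-interface=ether1-WAN1 protocol=tcp dst-port=21 \
    action=dst-nat to-addresses=192.168.88.10
add chain=dstnat in-interface=ether1-WAN1 protocol=tcp \
    dst-port=50000-50100 action=dst-nat to-addresses=192.168.88.10
```

Keep the passive range as small as the expected number of simultaneous transfers allows, since every port in it is forwarded to the server.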