xeriou
September 21, 2016, 8:41am
1
Hello,
I have two WANs
WAN-1 : 1.1.1.1/24 GW-1 : 1.1.1.254
WAN-2 : 2.2.2.1/24 GW-2 : 2.2.2.254
and a LAN for the server
LAN : 192.168.1.0/24 192.168.1.254 (GW is one of the RB interfaces)
I want that if a user gets http://1.1.1.1, it will access 192.168.1.1:18000,
and if they get http://2.2.2.1, it will access 192.168.1.1:18000, too.
So, here is my configuration.
I add a default route, one in main, another in RouteTable-WAN2:
/ip route
add distance=1 gateway=2.2.2.254 routing-mark=RouteTable-WAN2
add distance=1 gateway=1.1.1.254
/ip route rule
add action=lookup-only-in-table src-address=2.2.2.2/24 table=RouteTable-WAN2
Add two dst-nat rules to forward:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=192.168.1.1 to-ports=18000
add action=dst-nat chain=dstnat dst-address=2.2.2.1 dst-port=80 protocol=tcp to-addresses=192.168.1.1 to-ports=18000
I think the next step is to mark connections to filter which connections should get the routing mark RouteTable-WAN2, so that they can reply the right way …
but I get stuck ORZ…
Does anyone have an idea?? …
Sob
September 21, 2016, 1:58pm
2
In short, watch for new connections coming from WAN without connection marks and add them. And then mark routing based on these connection marks.
Something like this:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 \
new-connection-mark=WAN1conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 \
new-connection-mark=WAN2conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1conn \
new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2conn \
new-routing-mark=WAN2 passthrough=yes
/ip route
add distance=1 gateway=1.1.1.254 routing-mark=WAN1
add distance=1 gateway=2.2.2.254 routing-mark=WAN2
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
xeriou
September 22, 2016, 11:08am
3
Sob:
In short, watch for new connections coming from WAN without connection marks and add them. And then mark routing based on these connection marks.
Something like this:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 \
new-connection-mark=WAN1conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 \
new-connection-mark=WAN2conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1conn \
new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2conn \
new-routing-mark=WAN2 passthrough=yes
/ip route
add distance=1 gateway=1.1.1.254 routing-mark=WAN1
add distance=1 gateway=2.2.2.254 routing-mark=WAN2
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
THANKS FOR YOUR HELP!!!
I think this is the key point …
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
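Why the route rule matters, as an added example that is not part of any post in this thread: a simplified Python model of the lookup order (route rule, then the table named by the routing mark, otherwise main) applied to the addresses and mark names from Sob's reply. The client address 203.0.113.7 and all function names are constructed for illustration; the model ignores ports and the firewall filter.

```python
import ipaddress

# Constructed model of the thread's setup; mark names follow Sob's reply.
TABLES = {
    "main": [("192.168.1.0/24", "LAN"), ("1.1.1.0/24", "WAN1"),
             ("2.2.2.0/24", "WAN2"), ("0.0.0.0/0", "WAN1")],
    "WAN1": [("0.0.0.0/0", "WAN1")],
    "WAN2": [("0.0.0.0/0", "WAN2")],
}
LAN_RULE = ("192.168.0.0/16", "main")   # the /ip route rule from the thread
CONN_MARK = {"WAN1": "WAN1conn", "WAN2": "WAN2conn"}     # mark-connection rules
ROUTING_MARK = {"WAN1conn": "WAN1", "WAN2conn": "WAN2"}  # mark-routing rules
DSTNAT = {"1.1.1.1": "192.168.1.1", "2.2.2.1": "192.168.1.1"}  # port 80 -> 18000

def lookup(table, dst):
    """Longest-prefix match inside one routing table; returns out-interface."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), out) for net, out in TABLES[table]]
    return max((h for h in hits if addr in h[0]), key=lambda h: h[0].prefixlen)[1]

def route(dst, routing_mark, use_lan_rule):
    """Route rules are checked first, then the marked table, otherwise main."""
    net, table = LAN_RULE
    if use_lan_rule and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
        return lookup(table, dst)
    return lookup(routing_mark or "main", dst)

def simulate(client, wan_ip, in_iface, use_marks=True, use_lan_rule=True):
    """Return (out-interface of the forwarded request, out-interface of the reply)."""
    # New connection from a WAN: the connection mark is kept in connection tracking.
    conn_mark = CONN_MARK[in_iface] if use_marks else None
    # Every packet of that connection, in either direction, gets the routing mark.
    routing_mark = ROUTING_MARK.get(conn_mark)
    # Mangle prerouting runs before dst-nat; routing sees the translated address.
    request_out = route(DSTNAT[wan_ip], routing_mark, use_lan_rule)
    reply_out = route(client, routing_mark, use_lan_rule)
    return request_out, reply_out

if __name__ == "__main__":
    client = "203.0.113.7"  # constructed client address
    print(simulate(client, "2.2.2.1", "WAN2"))                      # full config
    print(simulate(client, "2.2.2.1", "WAN2", use_lan_rule=False))  # no route rule
    print(simulate(client, "2.2.2.1", "WAN2", use_marks=False))     # no mangle marks
```

Without the route rule the marked request is looked up only in the WAN2 table and is sent back out WAN2 instead of reaching the server; without the marks the reply follows the main default route and leaves through WAN1.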