I followed this turtorial to set up Dual Wan:
https://www.youtube.com/watch?v=3R6GloC-Ltk
It works well, like load balancer between 2 ISP
Now i need to forward ports from both ISP to local network, so i’ve created 2 dstnat rule for both ISP, but it works randomly (i can’t connect from 1st external ISP ip, sometimes from 2nd ISP) and if i’ll disable one ISP it starts to work well from another ISP
How i can properly setup port forwarding with 2 ISP?
I have DHCP for both WAN
Gateway 1 - 92.244.127.129
Gateway 2 - 109.86.14.254
LAN - 192.168.1.0/24
/ip address
add address=192.168.1.2/24 interface=ether3 network=192.168.1.0
/ip dhcp-client
add add-default-route=no disabled=no interface=WAN1
add add-default-route=no disabled=no interface=WAN2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.2
/ip firewall address-list
add address=192.168.1.3-192.168.1.254 list=LAN_USERS
add address=92.244.127.0/24 list=WAN_SUBNET
add address=109.86.14.0/24 list=WAN_SUBNET
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=LAN_USERS
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=WAN_SUBNET
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN1 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 \
src-address-list=LAN_USERS src-address-type=!local
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN2 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 \
src-address-list=LAN_USERS src-address-type=!local
/ip route
add check-gateway=ping distance=1 gateway=92.244.127.129 routing-mark=TO_WAN1
add distance=1 gateway=92.244.127.129 routing-mark=TO_WAN1
add check-gateway=ping distance=1 gateway=109.86.14.254 routing-mark=TO_WAN2
add distance=1 gateway=109.86.14.254 routing-mark=TO_WAN2
add check-gateway=ping distance=1 gateway=92.244.127.129
add distance=1 gateway=109.86.14.254
add check-gateway=ping distance=2 gateway=109.86.14.254
add distance=2 gateway=92.244.96.113
So i’ve created port forwarding rule for both WAN:
add action=dst-nat chain=dstnat comment="RDP SRV1" dst-port=4000 \
in-interface=WAN1 protocol=tcp to-addresses=192.168.1.201 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP SRV1" dst-port=4000 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.1.201 to-ports=3389
But it works from time to time…
What’s the correct way to make port forwarding?
Read this - start from the last paragraph of that post, which links it to your context.
Assuming you have two port forwards from the two ISPs to the same internal host then then problem you need to address is how to route the host’s reply out of the correct ISP. It might be easier if you can assign two IP addresses to the host. Then your two port forwards would point to two different inside addresses. And you can configure some sort of policy-based routing to make sure that traffic sourced on one IP goes to ISP1 and sourced from the other goes to ISP2.
Hope this is some use, but if you could give more information on exactly what you have configured that that would help people to advise you.
I’ve posted config on second post, configured by the video from 1st post, nothing to give more %)
you have to add the mangle rules to make sure the traffic that coming from ISP1 will be replied to ISP1 and vice versa.
otherwise, the traffic that coming from ISP1 will be replied randomly to ISP1 or ISP2
P
Indeed, for some reason my post which was written before you had your first reply, didn’t appear until later.
However I can see you have exactly the issue I was afraid of. You have two NATs mapping different outside IP addresses onto the same inside address 192.168.1.201. On the way in that’s fine as either will route to your host. On the way back there’s a problem, all you have is two different packets sourced on 192.168.1.201 to two different Internet destinations. How is the host, the network or your router expected to know which should be transmitted to ISP1 and which to ISP2?
So my suggestion still stands, give your internal host two different IP addresses so you have two different NAT entries, then create configuration on the router so traffic sourced on 192.168.1.201 always routes to ISP1 and 192.168.1.202 (or whatever) routes to ISP2.
how can I do that? I’m newbie =(
That’s the problem with tutorials telling you what to do but not annoying you with the why.
What your existing mangle rules do is that they assign a routing-mark (a routing table name), which leads in several subsequent steps to a choice of WAN interface for them, to all packets sent by a device in your LAN. These mangle rules make their choice solely based on source and destination addresses and ports of these packets; for all packets with everything in these four fields the same, the assigned routing-mark is always the same.
But when a client in the internet connects to a server in LAN, it comes each time from another port. So for some connections, the responses of the server go via WAN 1, whereas for other ones, they go via WAN 2, regardless via which WAN the requests came in.
What you have to do is to use other mangle rules to provide a distinct treatment to these server responses, instead of the generic one provided by the per-connection-classifier rules.
One way is the one suggested by @aesmith - you would have two IP addresses, or two listening ports, at the servers, and let those additional mangle rules match on src-address and/or src-port; the other way is the one I’ve suggested in my first post, where you let RouterOS “note down” the WAN through which the client request come in, and use that note when assigning a routing-mark to the response.
see the example explained at https://wiki.mikrotik.com/wiki/Manual:PCC
P
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=WAN1 \
new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting in-interface=WAN2 \
new-connection-mark=WAN2_connection
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN1 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 \
src-address-list=LAN_USERS src-address-type=!local
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN2 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 \
src-address-list=LAN_USERS src-address-type=!local
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
in-interface=ether3 new-routing-mark=TO_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
in-interface=ether3 new-routing-mark=TO_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address-list=WAN_SUBNET
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=LAN_USERS
add action=dst-nat chain=dstnat comment="RDP SRV1" dst-port=4000 \
in-interface=WAN1 protocol=tcp to-addresses=192.168.1.201 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP SRV1" dst-port=4000 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.1.201 to-ports=3389
/ip route
add check-gateway=ping distance=1 gateway=[WAN1_GATEWAY] routing-mark=TO_WAN1
add distance=1 gateway=92.244.127.129 routing-mark=TO_WAN1
add check-gateway=ping distance=1 gateway=[WAN2_GATEWAY] routing-mark=TO_WAN2
add distance=1 gateway=109.86.14.254 routing-mark=TO_WAN2
Tried this, but still same issue…
I have more than 20 devices to forward ports, adding second ip to all of them is not a solution, so need second option
If so, take the universal way I’ve suggested in my first post. But anyone opening access to their network from the whole internet should really understand how stuff works, so do study that example rather than asking here “what should I change in these rules”. On the long run, it will pay off.
remember that all commands under /ip firewall having sequence number and the sequence is matter.
just follow the example on that wiki and only make the necessary modification according to your network.
imho, you shoud put mark-routing from mark-connection BEFORE the pcc rule.
p
What is pcc rule?))
PCC is an abbreviation of “Per-Connection Classifier”.
Removed some mangle rules and added from another topic, port forwarding started to work correctly, but load balancer stopped to work…
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=WAN1 \
new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting in-interface=WAN2 \
new-connection-mark=WAN2_connection
add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
in-interface=ether3 new-routing-mark=TO_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
in-interface=ether3 new-routing-mark=TO_WAN2 passthrough=yes
Disabled:
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
TO_WAN1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0 src-address-list=LAN_USERS src-address-type=\
!local
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
TO_WAN2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1 src-address-list=LAN_USERS src-address-type=\
!local
Personally its clear you dont understand the rules you are applying and just hoping a config sticks.
Not the right approach.
In the meantime without mangles you could have a working system very easily
dst-address=0.0.0.0/0 gwy=WAN1-gwy distance=5 check-gateway=ping
dst-address=0.0.0.0/0 gwy=WAN2-gwy distance=10
dst-address=0.0.0.0/0 gwy=WAN2-gwy distance=10 table=ForServers
Create the table (assuming vers 7.1.1.)
/routing-table add name=ForServers fib
Create Route Rule
src-address: Subnet of Servers (for ex. 192.168.5.0/24)
Action: lookup-only-in-table
Table: ForServers
In this way ALL users will go out WAN1, and if WAN1 goes down they still have access via WAN2
No mangling required. All servers will be directed to send their traffic out WAN2.
I think you can understand the rules above as they are clear, unlike the jungle of PCC and load balancing which you should understand before applying, like drawing on a piece of paper what each rule is actually doing to packets and connections !!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now all your external Server users should be provided the PUBLIC IP of your WAN2 and if its dynamic then the associated dyndns URL (lots of free ones on the internet). Thus all traffic heading for the servers is coming in on WAN2 and all the traffic heading out from the servers is heading towards WAN2. A good clean situation for now.
Personally I would never expose a server on the internet without.
a. ensuring the access/login was encrypted ex. SFTP
b. ensuring that all Servers has a source address list of authorized users as there is no excuse not to have one, and there should be no UNK users.
Thus every dst nat rule should be in the format (assuming fixed public IP)
add chain=dstnat action=dst-nat dst-address=IPofWAN1 dst-port=xxxxx protocol=yyy
to-addresses=IPofServer src-address-list=AuthorizedUsersONE (to ports not required if same as dst-ports)
Note that that all the users on SERVER ONE should provide you with their Static/fixed Public IP OR if dynamic their associated dyndns URL, as the MT will resolve the address for you and as stated there are free ones people can get (no excuses).
Split the whole process into parts.
One part is to sort the connections into classes, another part is to handle packets of any connection in a given class the same way.
So one class consists of connections initiated from outside (the internet), and while handling the initial packet of these, you have to mark these connections with some connection-mark value; the other class are connections initiated from the inside (the LAN), which you may leave without any connection-mark, as its absence can also be matched against.
The handling of LAN->internet packets differs by class - for the marked connections, you translate the connection-mark to a routing-mark, whereas for the non-marked ones, you use the per-connection-classifier rules to assign the routing-mark value.
The thing is that you have to place the rules translating the connection-mark to a routing-mark before those assigning the routing-mark up to the per-connection-classifier ones, and set passthrough=no on them, or you must add a connection-mark=no-mark condition to the per-connection-classifier rules.
In your particular scenario, the rules assigning the connection-mark only need to match on initial packets (connection-state=new) coming in via WAN, whereas the rules translating connection-mark values into routing-mark ones only have to match on the LAN->internet packets, so their mutual order is not important.
Take the advice Sindy has offered in helping to understand what the mangle rules are trying to accomplish, in a visual way.
I highly suggest you go through this presentation, SLOWLY, and draw diagrams of packet flow on a piece of paper and how the packets and connections are being marked.
Its in great detail and accurate. It should be read and reviewed as many times as it take so that at the end you understand and
can tell a friend how you are controlling the traffic by explaining in words and drawing diagrams to illustrate.