Dual WAN not responding to external telnet/WinBox requests

I have two WAN ports assigned to two separate ISPs (eth6=ISP1, eth1=ISP2)

My firewall and Mangle rules are working for outbound traffic. I am running into an issue with outside-initiated connections (Winbox, Telnet, ssh, etc). Both WAN ports respond to PING, but neither responds to WinBox or Telnet. I can see in my firewall when the connection attempts are made, but the external party sees nothing besides “unable to connect” messages.

Any thoughts on how to resolve this? I was thinking PCC might be a solution, but I’m not 100% sure how to implement it.

You need to properly handle WAN->Router connections in Mangle.
Meaning, if a connection from a certain WAN is initiated, it needs to be replied to over the same WAN.

Look at this presentation, it should explain everything:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that’s when the Mangle stuff starts.

I already have the mangle setup. The below commands mark the connections that come into the respective ISP ports. Following, those connections get marked with the respective routing marks. Am I missing something?

 0    chain=prerouting action=mark-routing new-routing-mark=toISP1 passthrough=yes dst-address-type=!local in-interface=ether7 log=no log-prefix="" 

 1    chain=prerouting action=mark-routing new-routing-mark=toISP2 passthrough=yes dst-address-type=!local in-interface=ether2 log=no log-prefix="" 

 2    ;;; NTP Routing through ISP1
      chain=prerouting action=mark-routing new-routing-mark=toISP1 passthrough=yes dst-address=24.56.178.140 log=no log-prefix="" 

 3    ;;; New Inbound ISP2 Connections
      chain=prerouting action=mark-connection new-connection-mark=ISP2 Connections passthrough=yes connection-state=related,new 
      dst-address=ISP2_IP in-interface=ether1 log=no log-prefix="" 

 4    chain=prerouting action=mark-routing new-routing-mark=toISP2 passthrough=yes connection-mark=ISP2 Connections log=no log-prefix="" 

 5    ;;; New Inbound ISP1 Connections
      chain=prerouting action=mark-connection new-connection-mark=ISP1 Connections passthrough=yes connection-state=related,new 
      dst-address=ISP1_IP in-interface=ether6 log=no log-prefix="" 

 6    chain=prerouting action=mark-routing new-routing-mark=toISP1 passthrough=yes connection-mark=ISP1 Connections log=no log-prefix=""

Your Mangle is wrong.
You need to handle incoming connections in the input chain, and set the routing mark in output.

Do it like in the presentation, and it will work:
/ip firewall mangle
add chain=input connection-mark=no-mark in-interface=ISP_1 action=mark-connection new-connection-mark=WAN1->ROS
add chain=input connection-mark=no-mark in-interface=ISP_2 action=mark-connection new-connection-mark=WAN2->ROS
add chain=output connection-mark=WAN1->ROS action=mark-routing new-routing-mark=ISP1_Route
add chain=output connection-mark=WAN2->ROS action=mark-routing new-routing-mark=ISP2_Route

Still no luck. I’ve changed the mangle to the following (just like your example)

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-type=!local in-interface=ether7 new-routing-mark=toISP1 passthrough=yes
add action=mark-routing chain=prerouting dst-address-type=!local in-interface=ether2 new-routing-mark=toISP2 passthrough=yes
add action=mark-connection chain=input comment="WAN Control" connection-mark=no-mark in-interface=ether6 new-connection-mark=ISP1_connection \
    passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_connection new-routing-mark=toISP1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether1 new-connection-mark=ISP2_connection passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_connection new-routing-mark=toISP2 passthrough=yes

Do the passthrough settings matter?

Post your entire ‘/ip firewall mangle export’ please.

tomaskir is not quite right because it’s better to mark connections in prerouting rather than in input.
Look at pcc example:
https://wiki.mikrotik.com/wiki/Manual:PCC#Application_Example_-_Load_Balancing

Maybe you forgot to add respective routes for those routing marks (like in the pcc example). And your default routes to ISP1 and ISP2 should have bigger distances than the routes with routing marks.
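As an added illustration (not configuration posted by anyone in this thread, and not the MikroTik wiki example), here is what a complete per-WAN reply setup looks like when the mangle marks and the marked routes are written together. The interface names ether6 (ISP1) and ether1 (ISP2) and the routing marks toISP1/toISP2 are taken from the thread; ISP1_GW and ISP2_GW are placeholders for the two gateway addresses and must be replaced. Syntax is RouterOS v6.

```routeros
# Added example (not from the thread). ISP1_GW / ISP2_GW are placeholders.

/ip firewall mangle
# Input chain: tag the first packet of every connection the router itself
# accepts on a WAN port, so every later packet of it carries the mark.
add chain=input in-interface=ether6 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes \
    comment="Router-terminated connections arriving via ISP1"
add chain=input in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes \
    comment="Router-terminated connections arriving via ISP2"
# Output chain: the router's own replies inherit the connection mark; turn it
# into a routing mark so they leave through the WAN they arrived on.
add chain=output connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=toISP1 passthrough=no
add chain=output connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=toISP2 passthrough=no

/ip route
# One default route per routing mark. A packet carrying the mark is looked up
# in that table first and only falls back to the main table when no marked
# route matches, which is exactly the failure when these two lines are missing.
add dst-address=0.0.0.0/0 gateway=ISP1_GW routing-mark=toISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2_GW routing-mark=toISP2 check-gateway=ping
# Unmarked traffic: primary via ISP1, failover to ISP2 through the higher distance.
add dst-address=0.0.0.0/0 gateway=ISP1_GW distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2_GW distance=2 check-gateway=ping
```

The mangle half alone is not enough: without a route that matches the routing mark, the marked reply is routed by the main table and exits via the active default gateway, which for connections that arrived on the other ISP means the external client never sees the SYN-ACK.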

Actually, prerouting and input are different, and should be used for different purposes.

You can check the RouterOS packet flow diagram here to see the difference:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

Look specifically at the L3 packet processing logic.

Processing input packets in the prerouting chain is inefficient, and error-prone.
That's why the “input” chain exists in Mangle.

If you want to learn more, I suggest reviewing this presentation, which digs into it heavily:
https://youtu.be/67Dna_ffCvc

Marking in prerouting is convenient because it covers both port forwarding (dst-nat) and input stuff (ping, winbox). I think that is why it’s used in the wiki, so this is the right approach.

That is my entire mangle export.

While on site, I grabbed a copy of the entire export. Is there anything in particular that would be useful to see?

Sorry for the late reply, I finally had some time to look at your Mangle export today.

  1. move the rules which handle WAN->ROS connections to the top.
    Before those prerouting rules.

  2. do the input/output chain Mangle rules capture any traffic?
    That is, is the packet counter on all of them increasing?

  3. Are you using FastTrack, or the Raw firewall table?
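The three checks above can be done from the terminal without changing anything. The commands below are an added illustration (not posted by anyone in the thread); the chain names and the routing and connection marks are the ones used earlier in the thread, and `ISP1_connection` is the connection mark from the poster's own export.

```routeros
# Added example (not from the thread): read-only checks for the three points.

# 1. Rule order: print the whole mangle table with positions, so the
#    input/output rules can be compared against the prerouting ones.
/ip firewall mangle print

# 2. Do the input/output rules see any traffic? Zero the counters, make one
#    WinBox or Telnet attempt from outside against each WAN address, then
#    print the stats; the packet counter on the matching rule should increase.
/ip firewall mangle reset-counters-all
/ip firewall mangle print stats where chain=input
/ip firewall mangle print stats where chain=output

# 3. FastTrack and Raw: a fasttracked connection bypasses the mangle table
#    after its first packets, and a raw rule with action=notrack excludes the
#    connection from tracking entirely, so connection marks can never stick.
/ip firewall filter print stats where action=fasttrack-connection
/ip firewall raw print

# Also confirm that a route exists for each routing mark; without one the
# marked reply falls back to the main table and leaves via the wrong WAN.
/ip route print where routing-mark=toISP1
/ip route print where routing-mark=toISP2

# Live view of tracked connections that actually received the mark while an
# outside host is trying to connect.
/ip firewall connection print where connection-mark=ISP1_connection
```

If the input-chain counters stay at zero while the external attempt is visible in the filter log, the packets are being handled before mangle sees them (notrack in raw, or a fasttracked connection); if the counters rise but the output-chain counters do not, the reply is not inheriting the connection mark, and the rule that should match it is the next thing to inspect.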