Dual Wan Port Fowarding

Hey folks.
I’ve been searching about my problem here, but unfortunately any topic could help me.
So, what I need is:
Actually I’ve 2 wan link and I need to do port forwarding through both links.
Wan1: 1.1.1.1
Wan2: 2.2.2.2
Lan: 8.8.8.0/24
Server: 8.8.8.8
E.g. Acess my server 8.8.8.8 through Wan1 and Wan2 on ssh port 22.
Listed below my mangle and nat rules
NAT:
1 chain=dstnat action=dst-nat to-addresses=8.8.8.8 to-ports=22 protocol=tcp in-interface=eth_Wan2 dst-port=522 log=no log-prefix=“”

Mangle:
1 chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes connection-state=new in-interface=eth_Wan1 connection-mark=no-mark log=no log-prefix=“”
2 chain=prerouting action=mark-routing new-routing-mark=WAN1 passthrough=no in-interface=LAN connection-mark=wan1_conn log=no log-prefix=“”
3 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes connection-state=new in-interface=eth_Wan2 connection-mark=no-mark log=no log-prefix=“”
4 chain=prerouting action=mark-routing new-routing-mark=WAN2 passthrough=yes in-interface=eth7 connection-mark=wan2_conn log=no log-prefix=“”

Am I doing something wrong?

Yes. If you want it to work from both WANs, then you can’t have in-interface=eth_Wan2 in dstnat rule. If you don’t want to have duplicate rules, use dst-address-type=local dst-address=!.

Sob, thanks for reply, but still not working.

Let me explain a little more about it.
My primary internet link is Wan1, if I change dst-interface of this NAT, from Wan2 to Wan1, it works perfectly through wan1, and through wan2 doesn’t work.
And if I change my internet connection to go out through Wan2, this NAT works perfectly as well, and of course, it’ll not work through wan1.

What I want is make port forwarding through both links, independently which is the primary.

I’m not sure if we understand each other. If your dstnat rule has in-interface=eth_Wan1, then it will only work from WAN1, that’s what this condition is for. And if it has in-interface=eth_Wan2, it will only work from WAN2. If you remove it, then it will work from everywhere, which might be too much. So you should add at least dst-address-type=local condition (= any address owned by router). You might want to also exclude LAN address, but since it’s non-standard port, it’s not strictly required. So your dstnat rule should look like this:

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=8.8.8.8 to-ports=22 protocol=tcp dst-address-type=local dst-port=522

Edit: One more thing, your route marking rules have one in-interface=LAN and the other one in-interface=eth7. One of that is wrong, it should be internal interface where server is connected for both.

Yes I know, if I put dst-interface at NAT it will works only from that specific interface.
I’ve already made this changes, it works from wan1 but not from wan2.
Remembering, wan1 is my primary link, if I set wan2 as primary, than the nat works through wan2 but not through wan1
My Nat rule:
chain=dstnat action=dst-nat to-addresses=8.8.8.8 to-ports=22 protocol=tcp dst-address-type=local dst-port=522 log=no log-prefix=“”

About rule mangle nuber 4, it supposed to be LAN and not eth7, my bad when I was typing.

What about routes? In addition to ones in main routing table, you also have following routes, right?

/ip route
add dst-address=0.0.0.0/0 gateway=<gateway for WAN1> routing-mark=WAN1
add dst-address=0.0.0.0/0 gateway=<gateway for WAN2> routing-mark=WAN2

Yes, it is
dst-address=0.0.0.0/0 gateway=wan2_gw gateway-status=wan2_gw reachable via eth_wan2 check-gateway=ping distance=1 scope=30
target-scope=10 routing-mark=WAN2
dst-address=0.0.0.0/0 gateway=wan1_gw gateway-status=wan1_gw reachable via eth_wan1 check-gateway=ping distance=1 scope=30
target-scope=10 routing-mark=WAN1

This is a common mistake with implementing mangle rules, and oddly enough correct solutions are hard to find. In short, you are missing mangle rules in order to make this work properly, but sadly I don’t have time to write them now. If noone jumps in I’ll post them tonight.

Thanks Che, I’m looking forward to reading your reply!!

In order for you to inderstand this logic I need to state my optimizing argument: since you are doing simple failover WAN, to prevent excess CPU usage I will advise you to mangle only connections that go via secondary gateway, because even without any mangle rules all connections will go through WAN1 anyway. If you want more complicated solution (load balancing), we would need to add more rules and strain to the router. Depending on your line speeds, this could mean difference between 20% and 100% CPU usage.

/ip firewall mangle
add chain=prerouting in-interface=eth_Wan2
add action=mark-connection chain=forward connection-state=new in-interface=eth_Wan2 new-connection-mark=WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 new-routing-mark=WAN2 passthrough=no

These are all the rules you need to make your DST-NAT rules incoming via secondary inactive gateway work, so basically you were missing only forward mangle. Note that my first mangle rule has to be #1 on your mangle list, and default action is accept!

Hope you like this approach as much as I do.

Hey Che.
Man still not working, here are the rules.
I could see the packets incoming at NAT and Mangle0 rule, but the connection still failing with timeout.
What else could be?

Thanks for the effort

0 chain=prerouting action=accept in-interface=eth_Wan2 log=yes log-prefix=“”
1 chain=forward action=mark-connection new-connection-mark=wan2_conn passthrough=no connection-state=new in-interface=eth_Wan2 log=no log-prefix=“”
2 chain=prerouting action=mark-routing new-routing-mark=WAN2 passthrough=yes connection-mark=wan2_conn log=no log-prefix=“”

You literally need only 2 DST-NAT rules (for both WAN links, or only 1 rule if you know how to make address/interface lists), those 3 mangle rules and 1 policy routing rule for DST-NAT to work via both gateways. If you don’t see counter going up on any magle rules but 0, you haven’t have done proper NAT.

che,
Here is my NAT rule. Is there something wrong?

chain=dstnat action=dst-nat to-addresses=8.8.8.8 to-ports=22 protocol=tcp dst-port=522 log=no log-prefix=""

As I told you before, I could see the packets arriving at nat rule.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WAN1ADDRESS dst-port=522 protocol=tcp to-addresses=8.8.8.8 to-ports=22
add action=dst-nat chain=dstnat dst-address=WAN2ADDRESS dst-port=522 protocol=tcp to-addresses=8.8.8.8 to-ports=22

Make sure that you are allowing connections to ports you need in firewall, and also make sure your rules have your server’s IP instead of 8.8.8.8 (I hope this was fictional address you used to cover your local IP for whatever the reason).

I’ve already tested this configuration, specifying the IP address from each wan interface, and still not working.

There’s nothing obviously wrong (or we all missed it…) in what you posted so far. Maybe it’s something you didn’t post yet. You can always try exporting and posting your whole config, and if it’s not kilometer long, someone might spot something interesting in there.

I have the same problem, and cannot despite countless rules in mangle get it to function.

I see ICMP packets arrive on the second interface, but are returned on the first interface - despite mangle rules forcing all ICMP via the second interface.

Both my gateways are PPPoE with the same provider and therefore same gateway - I do not know if this is what causes the confusion?

One idea, can’t it be fasttrack? I don’t normally use it, so I’m not sure, but it makes packets skip some steps, maybe that includes routing? Check that, I’m too lazy to look it up right now myself.

Thank you, but I do not use fast track rules in the firewall, so I do not think that is the issue.

In your case, you didn’t post many details about your config, but if you have two gateways with same address, you should try routes with gateway=% (e.g. gateway=1.2.3.4%ether1).