dual wan / single lan / port forwarding / policy routing

My scenario is very simple

I have two internet connections:

1- Primary connection dedicated for Exchange server that is published to the internet (Ports published: TCP/443; TCP/25 only)
2- Secondary connection dedicated for local users; its main purpose is to allow the users to surf the internet and to act as a backup access to the exchange server if the primary connection goes down.

All PCs and Servers are on the same LAN (192.200.200.0/24)

My questions are:

1- how to configure a policy routing to always allow exchange server pass through primary connection (src-nat or masquerade) and to serve any external request to the exchange that is published (dst-nat)?

2- how to configure a policy routing to always allow traffic from users to pass through the secondary connection? And how can I make sure that if I request the exchange server (OWA service on port TCP/443) on the secondary connection, it will route to the published service (HTTPS OWA)?

BTW, I have read the following tutorial http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/ but unfortunately no luck, no support and no dice!

Using a mangle rule, chain=prerouting, action=mark-routing.

Set the other variables, such as src-address and dst-address, for catching incoming traffic that you want to route specifically, then set the action to a routing mark based on the connection you want it to go out.

Then create routes as you normally would, but also include the routing mark you specified in your mangle.

Thanks for the hints… but please I need more tips about the routing table… since I have two gateways!!!

Yes it is a tricky thing to have dstnat services on two gateways…

Setup your routing table like so:

/ip route
add check-gateway=ping comment="Internet - Primary" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=xxx.xxx.240.193 scope=30 target-scope=10
add comment="Internet - Failover" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=xxx.xxx.184.66 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    xxx.xxx.184.66 routing-mark=dsl scope=30 target-scope=10

You can see the primary internet has a check-gateway=ping and the failover has a distance of 2. The third entry will force the routing through the failover if the routing-mark=dsl.

Then set up the mangle rules:

/ip firewall mangle
add action=mark-connection chain=forward comment="From DSL interface" \
    connection-state=new disabled=no in-interface=inet_dsl \
    new-connection-mark=inet_dsl passthrough=no
add action=mark-routing chain=prerouting comment="For DSL interface from LAN" \
    disabled=no dst-address=xxx.xxx.60.102 dst-address-list=!exclude_nat \
    in-interface=lan new-routing-mark=dsl passthrough=no
add action=mark-routing chain=output comment="For DSL interface from router" \
    disabled=no dst-address-list=!exclude_nat new-routing-mark=dsl \
    passthrough=no src-address=xxx.xxx.60.102

This does the routing-mark so packets can return to the DSL interface. It also adds a connection-mark if the packet arrived from the DSL interface. exclude_nat is a list of local subnets that don’t go to the internet.

Now using that connection mark do a srcnat rule so that the packets from the LAN coming back to the router will go out the correct interface:

/ip firewall nat
add action=src-nat chain=srcnat comment="Incoming NAT for DSL interface" \
    connection-mark=inet_dsl disabled=no to-addresses=xxx.xxx.60.102

Simple as that, hah! I’m sure there are other ways to do it too. Then just add your dstnat rules and everything should work ok.
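The asker's scenario assembled with the connection-mark / routing-mark technique from the reply above, as an added example that is not from the thread or its author. The interface names, WAN addresses and gateways are assumed placeholders, and the Exchange host 192.200.200.10 inside the thread's 192.200.200.0/24 LAN is assumed too.

```routeros
# Added example, not from the thread. Assumed placeholders:
#   WAN1 (primary)   ether1-wan1  gateway 203.0.113.1
#   WAN2 (secondary) ether2-wan2  gateway 198.51.100.1
#   LAN              bridge-lan   192.200.200.0/24, Exchange = 192.200.200.10
/ip firewall address-list
add list=local_nets address=192.200.200.0/24 comment="never policy-route these"

/ip route
# Unmarked traffic: primary first, secondary only when the primary ping check fails.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment="main: WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping comment="main: WAN2 failover"
# Marked traffic is pinned to one WAN; check-gateway lets a dead WAN fall back to main.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_wan1 check-gateway=ping comment="forced WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_wan2 check-gateway=ping comment="forced WAN2"

/ip firewall mangle
# 1. Remember which WAN a new inbound (dst-nat'ed) connection arrived on.
#    The connection-mark lives in the connection tracking entry, so every later
#    packet of that connection, in both directions, carries it.
add chain=prerouting in-interface=ether1-wan1 connection-state=new \
    action=mark-connection new-connection-mark=conn_wan1 passthrough=yes
add chain=prerouting in-interface=ether2-wan2 connection-state=new \
    action=mark-connection new-connection-mark=conn_wan2 passthrough=yes
# 2. Replies from the LAN for those connections go back out the WAN they came in on.
add chain=prerouting in-interface=bridge-lan connection-mark=conn_wan1 \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=conn_wan2 \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no
# 3. LAN-originated traffic: Exchange always via WAN1, all other users via WAN2.
#    Order matters: these only see packets not already handled by rules 1-2.
add chain=prerouting in-interface=bridge-lan src-address=192.200.200.10 \
    dst-address-list=!local_nets action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=bridge-lan src-address=192.200.200.0/24 \
    dst-address-list=!local_nets action=mark-routing new-routing-mark=to_wan2 passthrough=no

/ip firewall nat
# Publish only TCP/443 and TCP/25 on the primary, and TCP/443 (OWA fallback) on the secondary.
add chain=dstnat in-interface=ether1-wan1 protocol=tcp dst-port=443,25 \
    action=dst-nat to-addresses=192.200.200.10
add chain=dstnat in-interface=ether2-wan2 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.200.200.10
# Source NAT follows the egress interface chosen by the routing-mark.
add chain=srcnat out-interface=ether1-wan1 action=masquerade
add chain=srcnat out-interface=ether2-wan2 action=masquerade
```

A forward-chain filter that accepts only connection-nat-state=dstnat (or the two published ports) and drops the rest of inbound WAN traffic belongs alongside this; with two WANs it is easy to check only one of them.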

Hello, I am still having trouble figuring this out.

What is address xxx.xxx.60.102? It is neither gateway… is it any random address just to mark the source, thus routing through the right gateway?

Does connection-mark stick even when the server replies with new packets?