I have two Mikrotik routers, each has a BGP session to a different ISP.
Router 1 has a BGP session and a routed subnet 207.xxx.xxx.132/29; one of these IPs, 207.162.xxx.135, is routed to Router 2.
Router 2 has a BGP session and a routed subnet 216.xxx.xxx.192/30.
Subnets are smaller than a /24 because they are ISP specific. We have a 205.xxx.xxx.0/24 which is why we have BGP.
- I can ping 207.162.xxx.135 from both routers and the public internet.
I have two routing tables: one is the main table, while the 2nd is for WAN2.
Mangle rules were added for the single PC to test connectivity. Without them it would just src-nat to a WAN1 IP.
There is no default masquerade rule; each subnet gets assigned a src-nat with a dedicated IP.
As it is at the moment, the PC cannot ping or access the internet using a WAN2 IP. If I drop the WAN2 rules it works fine for a WAN1 IP. I ran the packet sniffer and I see pings are being sent; they get NAT'd and then look like they are coming back through Router 1 to Router 2, and the private IP shows up, but they don't make it to the PC. I added logs to the drop and forward catch-all firewall rules and didn't see any of the ping packets make it to the logs. I see the connection-new pings show up and get NAT'd, but that is about it. At this point I'm not sure what I'm doing wrong here or how to troubleshoot it further.
Code for the NAT
/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN1 realm=0 src-address=172.19.10.0/24 to-addresses=216.xxx.xxx.192
add action=src-nat chain=srcnat dst-address-type="" log=yes log-prefix=srcnat_wan2 out-interface=sfp-sfpplus1 src-address=172.17.20.103 to-addresses=207.xxx.xxx.235
add action=src-nat chain=srcnat dst-port=25,587 out-interface-list=WAN protocol=tcp src-address=172.19.110.101 to-addresses=205.xxx.xxx.254
add action=src-nat chain=srcnat out-interface=WAN1 src-address=172.17.20.0/24 src-address-list=!NAT_Exclude to-addresses=216.xxx.xxx.192
Mangle Rules
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=!172.16.0.0/12 dst-address-type=!local new-connection-mark=mark_router2 passthrough=yes src-address-list=ROUTING_WAN2
add action=mark-routing chain=prerouting connection-mark=mark_cdlou3edge06 dst-address-type=!local new-routing-mark=cd_edge passthrough=no src-address-list=ROUTING_WAN2
add action=mark-connection chain=prerouting connection-state=new disabled=yes in-interface=sfp-sfpplus1 new-connection-mark=mark_router2 passthrough=yes
add action=mark-routing chain=output connection-mark=mark_router2 disabled=yes new-routing-mark=wan2 passthrough=no
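An added consistency check (example code, not part of the original post or of RouterOS): it parses the mangle export above, ignores disabled rules, and reports any mark-routing rule whose connection-mark is set by no enabled mark-connection rule or whose new-routing-mark is not a known routing table. The table names passed in (main, wan2) are an assumption.

```python
import shlex

# Constructed sample: the mangle rules quoted in the post above (not a live export).
MANGLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=!172.16.0.0/12 dst-address-type=!local new-connection-mark=mark_router2 passthrough=yes src-address-list=ROUTING_WAN2
add action=mark-routing chain=prerouting connection-mark=mark_cdlou3edge06 dst-address-type=!local new-routing-mark=cd_edge passthrough=no src-address-list=ROUTING_WAN2
add action=mark-connection chain=prerouting connection-state=new disabled=yes in-interface=sfp-sfpplus1 new-connection-mark=mark_router2 passthrough=yes
add action=mark-routing chain=output connection-mark=mark_router2 disabled=yes new-routing-mark=wan2 passthrough=no
"""


def parse_rules(export_text):
    """Turn each 'add key=value ...' line of a RouterOS export into a dict."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the '/ip firewall mangle' path line and blanks
        rule = {}
        for token in shlex.split(line[4:]):  # shlex copes with values like dst-address-type=""
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def lint_mangle(export_text, routing_tables):
    """Return human-readable findings; an empty list means the marks line up."""
    rules = parse_rules(export_text)
    enabled = [r for r in rules if r.get("disabled") != "yes"]
    # Connection marks that some enabled rule actually writes into the connection.
    produced = {r["new-connection-mark"] for r in enabled if r.get("action") == "mark-connection"}
    findings = []
    for i, r in enumerate(rules, 1):  # number rules as they appear in the export
        if r.get("disabled") == "yes" or r.get("action") != "mark-routing":
            continue
        cm = r.get("connection-mark", "")
        if cm and cm.lstrip("!") not in produced:
            findings.append(f"rule {i}: matches connection-mark={cm} but no enabled mark-connection rule sets it")
        rm = r.get("new-routing-mark", "")
        if rm not in routing_tables:
            findings.append(f"rule {i}: new-routing-mark={rm} is not a known routing table {sorted(routing_tables)}")
    return findings


if __name__ == "__main__":
    for finding in lint_mangle(MANGLE_EXPORT, {"main", "wan2"}):
        print(finding)
```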