Dual WAN, SSH slow with port forward

Hi Everyone,

I’m kind of new to MikroTik and I wanted to set up a dual WAN configuration with port forwards. WAN1 should be used as the default connection, WAN2 as failover and for some incoming connections.
My configuration seems to work, but port forwarding on WAN2 is terribly slow. I think I’m missing something essential, but I wasn’t able to figure out what. If I disable WAN1, the forwarded SSH works as it should, but if WAN1 is enabled it takes seconds to get a response from the server inside the LAN.
I checked the forum but I wasn’t able to find a solution that works in my case. Can you help me please?

Here is my config:

/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether4 ] master-port=ether3
set [ find default-name=ether5 ] master-port=ether3
/ip neighbor discovery
set WAN1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.0.2-192.168.0.99
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.1.2/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 interface=WAN2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=bridge new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=29022 \
    protocol=tcp to-addresses=192.168.0.101 to-ports=22
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add distance=1 gateway=192.168.1.1
add distance=2 gateway=192.168.2.1

I suggest you need to mangle any traffic coming from servers on the LAN that needs to go out WAN2 (assuming it came in on WAN2).
The router doesn’t route according to which WAN the connection came in on… you have to program it.

Correct me if I’m wrong, but as I understand it these rules should be responsible for routing the traffic back where it came from:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=bridge new-routing-mark=to_WAN2 passthrough=no

OK, so I think I found the answer. In the firewall filter rules there was a default fasttrack rule. If I add connection-mark=no-mark to it, then the SSH on WAN2 works again, but the speed drops to half on WAN1. So I added connection-mark=WAN1_conn instead and it seems to work.
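For reference, here is the mechanism behind that fix, as an added example and not part of the original posts. Once a connection has been fasttracked, its packets bypass the mangle chains, so the per-packet mark-routing rule that sends LAN replies back out WAN2 never fires and the replies fall through to the main table and the WAN1 default route (only the occasional packet that RouterOS still pushes through the slow path gets routed correctly, which is why the session crawls rather than failing outright). The configuration below keeps the interface names, marks and gateways from the posted config and changes two things: it excludes WAN2 connections from FastTrack with a negated connection-mark match, and it adds WAN2 to the WAN interface list, which the posted config only has WAN1 in, so the defconf "drop all from WAN not DSTNATed" rule applies to both uplinks.

```routeros
# Added example (not from the original posts): policy routing that survives FastTrack.
# Interface names, marks and gateway addresses follow the configuration posted above.

/interface list member
# The posted config only has WAN1 in the WAN list, so the defconf forward rule
# "drop all from WAN not DSTNATed" never sees connections arriving on WAN2.
add interface=WAN2 list=WAN

/ip firewall mangle
# Tag each connection with the WAN it arrived on (first packet only).
add chain=prerouting connection-mark=no-mark in-interface=WAN1 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=no
add chain=prerouting connection-mark=no-mark in-interface=WAN2 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=no
# Every LAN-side packet of a tagged connection gets a routing mark so the reply
# leaves through the same WAN. This runs per packet, which is exactly what the
# fast path skips.
add chain=prerouting connection-mark=WAN1_conn in-interface=bridge \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting connection-mark=WAN2_conn in-interface=bridge \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip firewall filter
# Keep the defconf fasttrack rule but leave out connections whose replies depend
# on the to_WAN2 mark. LAN-originated (unmarked) traffic and connections that
# arrived on WAN1, which the default route already returns via WAN1, still take
# the fast path.
set [ find comment="defconf: fasttrack" ] connection-mark=!WAN2_conn

# Equivalent explicit rule if you prefer to re-create it; it must sit directly
# above the "accept established,related,untracked" forward rule:
# add action=fasttrack-connection chain=forward \
#     connection-state=established,related connection-mark=!WAN2_conn \
#     comment="fasttrack all but WAN2-forwarded connections"

/ip route
# Marked tables first, then the plain default with WAN2 as failover.
add distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add distance=1 gateway=192.168.1.1
add distance=2 gateway=192.168.2.1
```

To check it, open an SSH session through WAN2 and run `/ip firewall filter print stats`: the fasttrack rule counter should stop increasing for that session while `/ip firewall connection print where connection-mark=WAN2_conn` still shows it. Matching `connection-mark=WAN1_conn` on the fasttrack rule, as in the post above, also keeps WAN2 connections off the fast path, but because the mangle rules only mark connections arriving on WAN1 or WAN2, LAN-originated connections carry no mark and are then not fasttracked either; the negated match keeps them on the fast path. If you later want WAN1-forwarded replies to honour their mark even when the default route has failed over to WAN2, use `connection-mark=no-mark` instead and accept that dst-nat'd connections on both uplinks go through the slow path.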