Dual WAN with policy routing/routing marking and port forwarding

I am failing to get a router working with two WANs connected at the same time. Since one connection's bandwidth is much higher than the other, the target is to have failover switching. But I wanted to have both connections available at the same time, i.e. services available from either public1.domain.net or public2.domain.net. I will have several service ports forwarded from the router (ftp, ssh, rdp) to LAN machines.

/ip route rule print
 0   routing-mark=wan1 action=lookup table=wan1 
 1   dst-address=192.168.10.0/24 action=lookup table=main 
 2   routing-mark=wan2 action=lookup table=wan2 
/ip route print detail
 0 A S  dst-address=0.0.0.0/0 gateway=10.10.30.1 
        gateway-status=10.10.30.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 routing-mark=wan1 
 1 A S  dst-address=10.10.30.0/24 pref-src=10.10.30.251 gateway=ether1 
        gateway-status=ether1 reachable distance=1 scope=10 target-scope=10 
        routing-mark=wan1 
 2   S  dst-address=0.0.0.0/0 gateway=10.10.20.1 
        gateway-status=10.10.20.1 unreachable distance=1 scope=30 
        target-scope=10 routing-mark=wan2 
 3   S  dst-address=10.10.20.0/24 pref-src=10.10.20.254 gateway=ether3 
        gateway-status=ether3 unreachable distance=1 scope=10 target-scope=10 
        routing-mark=wan2 
 4 A S  dst-address=0.0.0.0/0 gateway=10.10.30.1 
        gateway-status=10.10.30.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 
 5  DC  dst-address=10.10.20.0/24 pref-src=10.10.20.254 gateway=ether3 
        gateway-status=ether3 unreachable distance=255 scope=10 
 6 ADC  dst-address=10.10.30.0/24 pref-src=10.10.30.251 gateway=ether1 
        gateway-status=ether1 reachable distance=0 scope=10 
 7 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.130 gateway=ether2 
        gateway-status=ether2 reachable distance=0 scope=10

/ip firewall nat print
 1   chain=srcnat action=masquerade to-addresses=10.10.30.251 
      src-address=192.168.0.0/16 routing-mark=wan1 out-interface=ether1 log=no 
      log-prefix="" 
 2   chain=srcnat action=src-nat to-addresses=10.10.20.254 
      src-address=192.168.0.0/16 routing-mark=wan2 out-interface=ether3 log=no 
      log-prefix="" 
 3    chain=dstnat action=dst-nat to-addresses=192.168.10.253 to-ports=22 
      protocol=tcp in-interface=!ether2 dst-port=22 log=no log-prefix=""

/ip firewall mangle print
 0  D ;;; special dummy rule to show fasttrack counters chain=prerouting 
 1  D ;;; special dummy rule to show fasttrack counters chain=forward 
 2  D ;;; special dummy rule to show fasttrack counters chain=postrouting 
 3    chain=input action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=new 
      in-interface=ether3 connection-mark=no-mark log=no log-prefix="new wan2" 
 4    chain=input action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=new 
      in-interface=ether1 connection-mark=no-mark log=no log-prefix="wan1" 
 5    ;;; determining default connectivity...
      chain=prerouting action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=new 
      dst-address=!192.168.0.0/16 in-interface=ether2 connection-mark=no-mark log=no log-prefix="" 
 6    chain=output action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=new 
      out-interface=ether1 connection-mark=no-mark log=yes log-prefix="wan1" 
 7    chain=postrouting action=mark-connection new-connection-mark=wan2 passthrough=yes 
      connection-state=related,new out-interface=ether3 connection-mark=no-mark log=yes log-prefix="post! " 
 8    ;;; wan1
      chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no connection-mark=wan1 log=no 
      log-prefix="" 
 9    ;;; wan2
      chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=no connection-mark=wan2 log=no 
      log-prefix="" 
10 XI  chain=forward action=accept connection-state=related,new connection-mark=no-mark log=no log-prefix="" 
11    chain=forward action=log connection-state=new connection-mark=no-mark log=no log-prefix="new no" 
12    chain=forward action=log connection-state=new connection-mark=wan1 log=no log-prefix="new w1"

Unfortunately it doesn't work, but I can't find out why! During my testing I can see returning packets from the upstream router not being considered part of the same connection. Why?? Snippet from my log illustrating the case:

14:03:12 firewall,info new w1 forward: in:ether2 out:ether1, src-mac 00:1d:60:55:58:83, proto UDP, 192.168.10.253:60135->10.10.10.4:53, len 65
14:03:12 firewall,info new no forward: in:ether1 out:ether2, src-mac 4c:5e:0c:1f:45:3d, proto UDP, 10.10.10.4:53->192.168.10.253:60135, len 117
14:03:17 firewall,info new w1 forward: in:ether2 out:ether1, src-mac 00:1d:60:55:58:83, proto UDP, 192.168.10.253:35805->10.10.10.3:53, len 65
14:03:17 firewall,info new w1 forward: in:ether2 out:ether1, src-mac 00:1d:60:55:58:83, proto UDP, 192.168.10.253:35805->10.10.10.3:53, len 65
14:03:17 firewall,info new no forward: in:ether1 out:ether2, src-mac 4c:5e:0c:1f:45:3d, proto UDP, 10.10.10.3:53->192.168.10.253:35805, len 117
14:03:22 firewall,info new w1 forward: in:ether2 out:ether1, src-mac 00:1d:60:55:58:83, proto UDP, 192.168.10.253:60135->10.10.10.4:53, len 65

I would appreciate someone checking it, because I have been labouring over this supposedly simple matter for about three days without advancing any further… :-/

A few things I would try: first, simplify the routing rules to just one rule:

/ip route rule
add action=lookup-only-in-table dst-address=192.168.10.0/24 table=main

And then you need to mark incoming connections from the two WANs. You already do that, but only for the router itself (chain=input, rules #3 and #4). You also need it for forwarded ports. Change those two rules to chain=prerouting and they will cover both connections to the router and forwarded ports.

Thank you very much, Sob! Works like a charm!
I am not sure why, but initially it appeared to only work if I had rules to look up in the wan1 or wan2 tables. I guess I had some other settings wrong then.

Any idea if there is a reliable way to specify port forwarding without having to duplicate each port forward because both destination addresses have to be mentioned?

I would use something like this:

/ip firewall nat
add action=jump chain=dstnat dst-address=<WAN1 address> jump-target=port-forward
add action=jump chain=dstnat dst-address=<WAN2 address> jump-target=port-forward
add action=dst-nat chain=port-forward dst-port=80,443 protocol=tcp to-addresses=192.168.10.x
add action=dst-nat chain=port-forward dst-port=25,110 protocol=tcp to-addresses=192.168.10.y
add action=dst-nat chain=port-forward dst-port=3389 protocol=tcp to-addresses=192.168.10.z
...

Addresses are entered only once and can be easily changed. Or you can replace the rules with “dst-address=” with just one using “dst-address-type=local dst-address=!<router’s LAN address>”.
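Putting the two suggestions above together (the prerouting connection marks plus the single route rule from the first reply, and the jump-chain port forwards from this one), here is an added example configuration that is not from the thread. It uses the interfaces and addresses shown in the original print output (ether1 with 10.10.30.251 and ether3 with 10.10.20.254 as the WANs, ether2 with 192.168.10.0/24 as the LAN, 192.168.10.253 as the SSH host) and goes slightly beyond the replies by adding main-table failover with check-gateway and the forward-chain filter rules that a dst-nat still needs when the firewall otherwise drops WAN-originated connections. The RDP target 192.168.10.250, the distance values and the check-gateway settings are assumptions.

```routeros
# Added example, not from the thread: RouterOS v6 dual-WAN with per-WAN
# connection marks, assembled from Sob's advice. Addresses are those in the
# OP's print output; 192.168.10.250 (RDP) and the distances are assumptions.

/ip route
# one table per WAN, so a marked connection always replies via its own WAN
add dst-address=0.0.0.0/0 gateway=10.10.30.1 routing-mark=wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.20.1 routing-mark=wan2 check-gateway=ping
# main table: LAN-originated traffic prefers wan1 and fails over to wan2
add dst-address=0.0.0.0/0 gateway=10.10.30.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.20.1 distance=2 check-gateway=ping

/ip route rule
# the LAN is always reached through main, whatever routing mark a packet carries
add action=lookup-only-in-table dst-address=192.168.10.0/24 table=main

/ip firewall mangle
# tag each new connection with the WAN it arrived on; prerouting covers both
# traffic to the router itself and traffic that dst-nat forwards to LAN hosts
add chain=prerouting in-interface=ether1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1 passthrough=yes
add chain=prerouting in-interface=ether3 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2 passthrough=yes
# replies from LAN hosts for marked connections go back out the same WAN;
# unmarked (LAN-originated) connections fall through to the main table
add chain=prerouting in-interface=ether2 connection-mark=wan1 \
    action=mark-routing new-routing-mark=wan1 passthrough=no
add chain=prerouting in-interface=ether2 connection-mark=wan2 \
    action=mark-routing new-routing-mark=wan2 passthrough=no
# the router's own replies (ssh/winbox to a WAN address) need the same treatment
add chain=output connection-mark=wan1 action=mark-routing new-routing-mark=wan1 passthrough=no
add chain=output connection-mark=wan2 action=mark-routing new-routing-mark=wan2 passthrough=no

/ip firewall nat
# source NAT follows the outgoing interface, so no routing-mark match is needed
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
# one jump per WAN address; the forwards themselves are defined once
add chain=dstnat dst-address=10.10.30.251 action=jump jump-target=port-forward
add chain=dstnat dst-address=10.10.20.254 action=jump jump-target=port-forward
add chain=port-forward protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.10.253
add chain=port-forward protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.10.250

/ip firewall filter
# dst-nat only rewrites the address; the forward chain still has to accept the
# connection, and everything else arriving from a WAN should be dropped
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new connection-nat-state=dstnat action=accept
add chain=forward connection-state=new in-interface=ether1 action=drop
add chain=forward connection-state=new in-interface=ether3 action=drop
```

Only incoming connections get a connection mark, so LAN-originated traffic stays unmarked and follows the main table's distance-based failover, while anything that entered via wan2 keeps answering via wan2 even while wan1 is up. To confirm the marks are being applied, open an SSH session to the wan2 address and check `/ip firewall connection print where connection-mark=wan2`; exposing ftp, ssh and rdp this way also means the forward-chain filter, not the dst-nat rule, is what decides which hosts on the internet can reach those services, so keep the accept rule as narrow as the use case allows.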

Thank you very much! What an elegant solution! I would not have realized I could merge them using a jump action!
Indeed you're kind of a guru here :)