Ensure incoming connection goes out same interface

Hi!

I have 2 WAN connections. One ISP seems to block incoming port 80, which I use for tunneling SSH session to port 22 on openwrt metarouter. I can connect to port 80 through 2nd WAN connection. Default route for outgoing traffic is 1st WAN connection (route 0.0.0.0/0 to WAN1).

However, when I ssh in on 2nd WAN interface I can see the connection going to the metarouter, but that default route sends the response out on 1st WAN interface. If I add route to the remote IP to ensure use of WAN2 then it works just fine.

Can’t rely on that static route though as I might connect from somewhere else externally and might get it right to come through on WAN1. I would like to ensure that a connection coming in on either WAN gets the response going out on the same WAN interface.

Could someone help with the mangle rules for this? I have tried these found in the wiki:

/ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2

/ip route
add dst-address=0.0.0.0/0 gateway=WAN1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=WAN2 routing-mark=to_wlan2

Have given the routes a distance smaller than the default route.

Yet it still winds up sending the response out the default route (WAN1) unless I add in a static route.

Sorry if I’m being daft. I have done this before on a WRT54GL with custom firmware but for the life of me I just can’t remember.

If the connection is going to a metarouter it won’t be in input and output as it - strictly speaking - isn’t terminated on the router, that is RouterOS itself. It will be in the forward chain. Instead of the rules you have, use something like

/ip firewall mangle
add chain=forward in-interface=WAN1 connection-state=new protocol=tcp dst-port=80 dst-address=1.1.1.1 action=mark-connection new-connection-mark=to-WAN1
add chain=forward in-interface=WAN2 connection-state=new protocol=tcp dst-port=80 dst-address=1.1.1.1 action=mark-connection new-connection-mark=to-WAN2
add chain=forward connection-mark=to-WAN1 src-address=1.1.1.1 action=mark-routing new-routing-mark=to-WAN1
add chain=forward connection-mark=to-WAN2 src-address=1.1.1.1 action=mark-routing new-routing-mark=to-WAN2

First you mark all new connections coming in, then you set a routing mark for return traffic to enforce it going out the right circuit.

The routing marks stay the same, and of course replace 1.1.1.1 with the metarouter IP address.

Thank you! I’ll give that a try. Yes, the use of input/output chains is wrong in my scenario. I’ll change the rules to the forward chain.

I need to find out from my ISP what incoming ports they allow, otherwise I’ll have to keep buying 2 DSL accounts. Gotta love this country’s DSL offerings.

That might not work. Routing mark not allowed in forward chain it seems. I’ll try setting it in pre-routing, but that seems arse-about-face.

You’re absolutely right, and pre-routing will work just fine and is the right thing to do.

I’ve done it in pre-routing and it works fine. Thanks for the help.

I’ve done passthru=false on 2nd half of the rules and placed them all at the top of the mangle rules. Just need to make sure nothing lower down gets affected by these. Then again, since the connection mark is done on the inbound connection and carried through it should not affect my other rules which are all outbound connection orientated anyway.
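For reference, here is the complete rule set the thread converges on but never shows in one place: connection marking in prerouting, routing marks applied to the return traffic with passthrough=no, and a per-mark default route for each WAN. This is an added example written for this page, not configuration posted by anyone in the thread. It assumes RouterOS v6 (routing-mark on routes, metarouter), interface names WAN1 and WAN2, placeholder ISP gateways 192.0.2.1 and 198.51.100.1, and 10.0.0.10 as a placeholder for the metarouter's address; the dst-nat rules that forward port 80 to port 22 on the metarouter are included because the first post describes that setup.

```routeros
# Added example, not from the thread. Placeholders: WAN1/WAN2 interface names,
# 192.0.2.1 / 198.51.100.1 ISP gateways, 10.0.0.10 the metarouter address.

/ip firewall nat
# Port 80 on either WAN is forwarded to SSH on the metarouter (setup from the first post)
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.0.10 to-ports=22 comment="ssh-over-80 via WAN1"
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.0.10 to-ports=22 comment="ssh-over-80 via WAN2"

/ip firewall mangle
# 1. Tag every NEW connection with the WAN it arrived on. The mark lives on the
#    connection-tracking entry, so every later packet of that connection,
#    including the replies from the metarouter, carries it. passthrough=yes so
#    the packet continues to the rules below. Keep these at the top of mangle.
add chain=prerouting in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=from-WAN1 passthrough=yes \
    comment="tag inbound connections on WAN1"
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=from-WAN2 passthrough=yes \
    comment="tag inbound connections on WAN2"

# 2. Reply packets leaving the metarouter (src 10.0.0.10) inherit the
#    connection mark; give them a routing mark so they use the matching WAN's
#    routing table. src-address restricts this to the return direction, so the
#    inbound packet itself is never policy-routed away from the LAN.
#    passthrough=no: once the routing mark is set, stop processing mangle.
add chain=prerouting src-address=10.0.0.10 connection-mark=from-WAN1 \
    action=mark-routing new-routing-mark=to-WAN1 passthrough=no \
    comment="replies to WAN1 clients leave via WAN1"
add chain=prerouting src-address=10.0.0.10 connection-mark=from-WAN2 \
    action=mark-routing new-routing-mark=to-WAN2 passthrough=no \
    comment="replies to WAN2 clients leave via WAN2"

/ip route
# Per-mark routing tables: only packets carrying the routing mark use these.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to-WAN1 \
    check-gateway=ping comment="return path for WAN1 connections"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-WAN2 \
    check-gateway=ping comment="return path for WAN2 connections"
# Ordinary default routes for unmarked (outbound-originated) traffic:
# WAN1 preferred, WAN2 as fallback by distance.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
```

To confirm the marks are being applied, open an SSH session through WAN2 and run `/ip firewall connection print where connection-mark=from-WAN2`; the entry for the session should appear with that mark, and the packet counters on the matching mark-routing rule (`/ip firewall mangle print stats`) should increase as replies flow. Because the mark-connection rules only match in-interface=WAN1/WAN2 with connection-state=new, connections originated from the LAN are never tagged and keep using the unmarked default routes, which is the point made in the last post above.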