EOIP and Portforward

I have a small web service behind a MikroTik RB1100. When I do a "normal" port forward (dst-addr="WAN IP provided by ISP" dst-addr="Server Local IP") it works fine, but I want to add additional IPs to it.

So I created an EoIP tunnel from my router to another site and assigned several public IPs of mine to the tunnel interface. Those IPs respond to pings from outside (ping.eu), but my web service is unavailable on those IPs.

I did the exact same firewall rule but only replaced the destination address with the address of my EOIP tunnel.

Any ideas?

Without seeing the actual configuration, I'd expect the routing to be the issue. You need the response from the server in the LAN subnet to be routed out the same WAN through which the corresponding request came in, and this does not happen automatically; you need to use policy routing to ensure that. Look here, and start reading from the last paragraph of that post, which explains the relevance to your case.

/interface eoip
add local-address=1.1.1.1 name=eoip remote-address=2.2.2.2 tunnel-id=1

/ip address
add address=1.1.1.1/30 comment="Default OUT/IN" disabled=yes interface=wan1 network=1.1.1.0
add address=2.2.2.3/29 interface=eoip network=2.2.2.0
add address=2.2.2.4/29 interface=eoip network=2.2.2.0
add address=2.2.2.5/29 interface=eoip network=2.2.2.0
add address=2.2.2.6/29 interface=eoip network=2.2.2.0
add address=2.2.2.7/29 interface=eoip network=2.2.2.0
add address=10.255.255.2/24 interface=lan network=10.255.255.0

/ip firewall mangle
add action=mark-connection chain=input comment="WAN1 Input" connection-mark=no-mark disabled=yes in-interface=wan1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=forward comment="WAN1 Input" connection-mark=no-mark disabled=yes in-interface=wan1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting comment="WAN1 Input" connection-mark=no-mark in-interface=wan1 new-connection-mark=WAN1 passthrough=yes
add action=mark-routing chain=output comment="WAN1 Output" connection-mark=WAN1 new-routing-mark=WAN1_OUT passthrough=yes
add action=mark-routing chain=prerouting comment="LAN to WAN1 marking" connection-mark=WAN1 in-interface=br-lan new-routing-mark=WAN1_OUT passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.255.255.0/24 src-address=10.255.255.0/24
add action=dst-nat chain=dstnat comment="API" disabled=yes dst-address=1.1.1.1 dst-port=80 protocol=tcp to-addresses=10.255.255.42 to-ports=80
add action=dst-nat chain=dstnat comment="API" disabled=yes dst-address=2.2.2.3 dst-port=80 protocol=tcp to-addresses=10.255.255.42 to-ports=80


The last NAT rule is the one not working.

It is always better to post the full configuration (between [code] and [/code] tags), following the anonymisation hints in my automatic signature below, as a lot of things need to be guessed otherwise. I assume that the gateway of the default route in routing table main (i.e. the one with no routing-mark assigned) is the IP of the gateway in the public subnet accessible via the EoIP (so probably 2.2.2.1 in your obfuscation transformation); if true, your mangle rules look fine (meaning that without them everything would go out via the EoIP). So there must be something else somewhere in the configuration that causes the issue.

# jul/30/2019 13:40:00 by RouterOS 6.44
#
# model = 1100AHx2

/interface bridge
add fast-forward=no name=br-lan
add fast-forward=no name=lo0

/interface ethernet
set [ find default-name=ether6 ] name=lan1 speed=100Mbps
set [ find default-name=ether7 ] name=lan2 speed=100Mbps
set [ find default-name=ether8 ] name=lan3 speed=100Mbps
set [ find default-name=ether9 ] name=lan4 speed=100Mbps
set [ find default-name=ether1 ] name=wan1 speed=100Mbps

/interface eoip
add local-address=1.1.1.2 name=eoip remote-address=2.2.2.2 tunnel-id=30219

/ip pool
add name=LAN1 ranges=172.16.5.10-172.16.5.200

/ip dhcp-server
add address-pool=LAN1 disabled=no interface=br-lan lease-time=8h name=LAN1

/ipv6 dhcp-server
add address-pool=dhcpv6-1 disabled=yes interface=ether13 name=server1

/queue simple
add disabled=yes dst=172.16.0.0/16 name=LocalNets target=172.16.0.0/16
add disabled=yes limit-at=50M/50M max-limit=50M/50M name=Ops target=172.16.5.0/24
add disabled=yes limit-at=50M/50M max-limit=55M/55M name=Net5_WAN packet-marks=Net5_WAN target=172.16.5.0/24
add limit-at=100M/100M max-limit=100M/100M name=Test1 target=172.16.11.0/24
add disabled=yes limit-at=1M/1M max-limit=1M/1M name=Test target=172.16.13.196/32

/queue type
add kind=pcq name=1M_Down pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=5M_UP pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=5M pcq-src-address6-mask=64
add kind=pcq name=5M_Down pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=5M pcq-src-address6-mask=64
add kind=pcq name=1M_Up pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64

/queue simple
add disabled=yes dst=172.16.5.102/32 limit-at=100k/100k max-limit=100k/100k name=172.16.5.102 queue=5M_UP/1M_Down target=""

/system logging action
set 0 memory-lines=10000
set 3 bsd-syslog=yes remote=172.16.5.164 src-address=172.16.5.1 syslog-facility=syslog

/interface bridge port
add bridge=br-lan hw=no interface=lan1
add bridge=br-lan hw=no interface=lan2
add bridge=br-lan hw=no interface=lan3
add bridge=br-lan hw=no interface=lan4

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip neighbor discovery-settings
set discover-interface-list=all

/ipv6 settings
set accept-redirects=no accept-router-advertisements=no forward=no

/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all

/ip address
add address=1.1.1.2/30 comment="Default OUT/IN" disabled=yes interface=wan1 network=1.1.1.0
add address=172.16.5.1/24 interface=br-lan network=172.16.5.0
add address=2.2.2.2/29 interface=eoip network=2.2.2.0
add address=2.2.2.3/29 interface=eoip network=2.2.2.0
add address=2.2.2.4/29 interface=eoip network=2.2.2.0
add address=2.2.2.5/29 interface=eoip network=2.2.2.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=172.16.5.0/24 dns-server=172.16.5.1 gateway=172.16.5.1 netmask=24

/ip dns
set allow-remote-requests=yes cache-max-ttl=8h cache-size=1000KiB max-concurrent-queries=200000 max-concurrent-tcp-sessions=200000 max-udp-packet-size=8192 query-server-timeout=1s query-total-timeout=5s servers=8.8.8.8,4.2.2.2

/ip firewall address-list
add address=74.82.4.55 disabled=yes list=ULTRASURF
add address=64.62.232.84 disabled=yes list=ULTRASURF
add address=66.160.178.72 disabled=yes list=ULTRASURF
add address=65.49.126.64 disabled=yes list=ULTRASURF
add address=66.160.199.70 disabled=yes list=ULTRASURF
add address=72.52.112.25 disabled=yes list=ULTRASURF
add address=64.62.175.59 disabled=yes list=ULTRASURF
add address=64.62.232.65 disabled=yes list=ULTRASURF
add address=64.71.174.72 disabled=yes list=ULTRASURF
add address=66.160.199.25 disabled=yes list=ULTRASURF
add address=72.52.112.72 disabled=yes list=ULTRASURF
add address=72.52.112.80 disabled=yes list=ULTRASURF
add address=64.62.232.59 disabled=yes list=ULTRASURF
add address=64.62.197.53 disabled=yes list=ULTRASURF
add address=74.82.17.90 disabled=yes list=ULTRASURF
add address=64.62.175.35 disabled=yes list=ULTRASURF
add address=72.52.87.71 disabled=yes list=ULTRASURF
add address=171.159.228.150 disabled=yes list=BOA
add address=171.161.148.150 disabled=yes list=BOA
add address=172.16.5.0/24 list=LOCAL_LAN

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related in-interface=wan1
add action=drop chain=input in-interface=wan1
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid

/ip firewall mangle
add action=mark-connection chain=prerouting comment="WAN1 Input" connection-mark=no-mark disabled=yes in-interface=wan1 new-connection-mark=WAN1 passthrough=yes
add action=mark-routing chain=output comment="WAN1 Output" connection-mark=WAN1 disabled=yes new-routing-mark=WAN1_OUT passthrough=yes
add action=mark-routing chain=prerouting comment="LAN to WAN1 marking" connection-mark=WAN1 disabled=yes in-interface=br-lan new-routing-mark=WAN1_OUT passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.16.0.0/16 src-address=172.16.0.0/16
add action=masquerade chain=srcnat out-interface=wan1
add action=dst-nat chain=dstnat comment="API" disabled=yes dst-address=1.1.1.2 dst-port=80 protocol=tcp to-addresses=172.16.5.224 to-ports=80
add action=dst-nat chain=dstnat comment="API" disabled=yes dst-address=2.2.2.3 dst-port=80 protocol=tcp to-addresses=172.16.5.224 to-ports=80

/ip route
add distance=1 gateway=1.1.1.1 routing-mark=WAN1_OUT
add check-gateway=ping distance=1 gateway=1.1.1.1

/queue simple
add disabled=yes limit-at=4M/4M max-limit=5M/5M name=Efra queue=5M_UP/5M_Down target=*18 total-queue=default

I am not sure the configuration mess you have started is necessary...
In other words, I am still stuck at understanding your first post!

You have a web service behind a MT router and it works for port forwarding. Assuming it's on a LAN subnet of 192.168.10.0/24, let's say its LAN IP is 192.168.10.55.
What do you mean you want to add additional IPs to it???
A very confusing and vague statement. Please elaborate the requirement in detail.

If wan1 is your uplink, then you don't need to mark stuff there, because everything will go there by default anyway. What you do need to mark is what's coming in via the tunnel (connection marks) and then route responses back (routing marks). So what you have should be correct, only it's on the wrong interface. Although I'd say that right now it can't do anything at all, when 1.1.1.2 (local end of the tunnel and this site's public address) is disabled.
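The policy-routing arrangement described in the two replies above (mark connections that arrive through the tunnel, then give the replies a routing mark that selects a route back through the tunnel) written out as RouterOS 6.x commands. This is an added example, not configuration posted in the thread; it reuses the interface and address names from the export and assumes, as the earlier reply guessed, that the upstream gateway inside the tunnel's public /29 is 2.2.2.1, that 2.2.2.3 is the address being forwarded, and that the web server is 172.16.5.224.

```routeros
# Added example (not from the thread). Assumptions: gateway behind the EoIP
# tunnel is 2.2.2.1; forwarded public address is 2.2.2.3; server is 172.16.5.224.

/ip firewall mangle
# 1. A new connection whose first packet arrives through the tunnel gets a
#    connection mark. Prerouting runs before dst-nat, so the original
#    destination (2.2.2.3) is still visible here if you ever want to match it.
add chain=prerouting in-interface=eoip connection-state=new \
    action=mark-connection new-connection-mark=from_eoip passthrough=yes \
    comment="conn arrived via EoIP"
# 2. Packets from the LAN that belong to such a connection (the server's
#    replies) get a routing mark, so they are looked up in table via_eoip
#    instead of main (whose default route points at wan1).
add chain=prerouting in-interface=br-lan connection-mark=from_eoip \
    action=mark-routing new-routing-mark=via_eoip passthrough=no \
    comment="LAN replies back via EoIP"
# 3. The router's own replies (e.g. to pings aimed at 2.2.2.3..2.2.2.5) never
#    pass prerouting; they are marked in the output chain instead.
add chain=output connection-mark=from_eoip \
    action=mark-routing new-routing-mark=via_eoip passthrough=no \
    comment="router replies back via EoIP"

/ip route
# Default route for the marked table only. The unmarked default route
# (gateway 1.1.1.1 on wan1) stays as it is in the export.
add gateway=2.2.2.1 routing-mark=via_eoip distance=1 comment="table via_eoip"

/ip firewall nat
# The port forward on the tunnel address, enabled this time. No src-nat is
# needed for it: conntrack reverses the dst-nat on the reply packets.
add chain=dstnat dst-address=2.2.2.3 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.16.5.224 to-ports=80 comment="API via EoIP"

# Checks after a test request from outside to http://2.2.2.3/ :
# the packet counters on all three mangle rules should increase,
/ip firewall mangle print stats
# the connection should carry the mark,
/ip firewall connection print where connection-mark=from_eoip
# and the marked table should hold exactly the route above.
/ip route print where routing-mark=via_eoip
```

Two caveats that follow from the export itself: the tunnel's local-address 1.1.1.2 lives on wan1, whose address is disabled, so nothing above can take effect until that address is enabled; and the existing input-chain rules only drop traffic from wan1, so connections arriving on the tunnel interface to the router itself are not filtered by them. A matching `chain=input in-interface=eoip` drop (after the established/related accept) would close that gap.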

@anav: Big boys’ stuff, multiple public addresses on one router, don’t try it at home! :smiley:

You are right I have my little boy pants on!