Good morning my friends,
I’m new to MikroTik’s world, but I really want to solve this problem. This is the situation:
I have a MikroTik CCR1009-7G-1C-1S+ cloud router and two VDSL routers from different providers.
I cannot use PPP with my provider routers because in Italy they don’t release any user or password, so I have double NAT for each provider.
eth1 is connected to provider 1 VDSL router 192.168.30.1; eth1 MikroTik address 192.168.30.2
eth2 is connected to provider 2 VDSL router 192.168.130.1; eth2 MikroTik address 192.168.130.2
eth7 is my local LAN 192.168.25.0/25
I have 2 routes, one for provider 1
0.0.0.0/0 gateway 192.168.30.1 distance 1
and the second one for provider 2
0.0.0.0/0 gateway 192.168.130.1 distance 2
For the eth1 interface everything works perfectly (firewall, filter rules, internet, forwarding, etc.); problems come when I want to forward ports to eth2.
I forwarded port 80 to 192.168.25.6 through eth2 in the NAT rules, and then
what I did is an IP->Firewall->Mangle mark-routing for this specific src address and added a route to this mark, so all traffic for this IP is forced through eth2,
and this is working very well.
Problems come with firewall filter rules: they simply won’t work. I can’t drop or specify traffic filters because they don’t affect eth2, only eth1.
I have searched a lot and found some posts about this problem; they talk about the fact that firewall filter rules only affect the main routing table, so marked tables are excluded, and this can be fixed with the IP->Routes->Rules “lookup only in table” function.
But I cannot make this work... any suggestion?
Many thanks
With this, as I said, firewall rules on input interface ether2 “fibra backup” simply won’t work; you can see that there is a drop rule on top for input interface “fibra backup”, but I can easily access the web server 192.168.25.6:80.
Why this? With ether1 “fibra telecom” the drop input chain is working for everything that comes from outside my network. Anyway, I tried your suggestion and it is working, but this also drops the traffic from the server to the world.
dstnat happens before filter. That’s why it is working.
A dstnatted connection is kept in the forward chain, not in input.
And then k6cc’s answer is correct.
-Chris
OK, thanks for your clarification, it was very useful, but with a drop forward rule I cannot access the internet anymore from the local server 192.168.25.6 that has its traffic forced through ether2.
That means that your drop rule is too loose.
add src-address=0.0.0.0/0 (every unknown address, i.e. from the outside world)
add connection-state=new,invalid (this will only drop attempts for new or invalid connections - established and related are not affected)
Add another accept rule for “established, related” on top of that rule.
OK, it is working, but I really can’t understand why I have to specify so many parameters. With ether1 it is simple: just add the drop rule for everything and then, on top, the accept rule for the external IP that I want to authorize.
As said before, you’re dealing with the forward chain and there are more parameters to keep track of.
Input is simple - do I want a connection to my router? Yes or no.
Forward: Do I want a connection to (a huge list of clients follows). Do I want reply traffic? To where? From where? Is my client allowed to establish new connection or should it only reply to requests?
Are other clients allowed to do so?
Don’t forget to copy your ether1 input rule for ether2 as well, in case you just changed the chain from input to forward. If you don’t, your router is now wide open to the world on ether2.
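To put the whole thread in one place, here is an added RouterOS (v6 CLI syntax) configuration sketch that ties together the setup from the first post (dst-nat on eth2, mangle mark-routing for 192.168.25.6, marked default route) with the forward-chain rules suggested above and the input-chain warning. This is an added example, not configuration posted by anyone in the thread. Interface names ether1/ether2/ether7, the routing-mark name via-ether2, the masquerade rules and the rule order are assumptions; the addresses are the ones given in the original post.

```routeros
# Added example (not from the thread). ether1/ether2/ether7, the mark name
# "via-ether2", the masquerade rules and the rule order are assumptions.

# 1. Port forward: TCP/80 arriving on ether2 goes to the internal web server.
#    dst-nat runs before filter, so the filter chains already see 192.168.25.6.
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.25.6 to-ports=80
# Double NAT behind both provider routers (assumed, not stated in the thread).
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# 2. Policy routing: everything the server sends (new connections and the
#    replies to the dst-natted ones) is looked up in the via-ether2 table.
#    LAN destinations are excluded so server-to-LAN traffic stays local.
/ip firewall mangle
add chain=prerouting in-interface=ether7 src-address=192.168.25.6 \
    dst-address=!192.168.25.0/25 action=mark-routing \
    new-routing-mark=via-ether2 passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.130.1 routing-mark=via-ether2

# 3. Forward chain: this is where the port-forwarded connection is filtered.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Only the intended port forward may open a new connection from ether2 ...
add chain=forward in-interface=ether2 connection-state=new protocol=tcp \
    dst-address=192.168.25.6 dst-port=80 action=accept
# ... every other new connection coming in from the ether2 uplink is dropped.
# Traffic the server itself originates enters on ether7, so it is unaffected.
add chain=forward in-interface=ether2 connection-state=new action=drop

# 4. Input chain: protect the router on BOTH uplinks, not just ether1.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop
add chain=input in-interface=ether2 action=drop
```

Because the drop in step 3 matches only connection-state=new with in-interface=ether2, the server's own outbound connections (which enter the router on ether7 and leave via the marked route) are not touched, and their reply packets are accepted by the established,related rule; that is the behaviour the later posts arrive at. On RouterOS v7 the route would use routing-table= and the table must be created under /routing table first.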