Forwarding connection with 2 ISP

Hello everyone,
I have a network like in the drawing. The main router is a Mikrotik at work connected to my old ISP1 with a private IP address. From there I have a connection to several places including my home with a Mikrotik. Recently I got a new ISP2 at my home. I configured everything so that only my home is using ISP2 and the rest uses ISP1, but I have the possibility to connect to every device from my home, and with my home router from work. I used a static routing table to do that. Every forwarding from outside through the router at work is working perfectly, until it comes to the network before my home router.
The problem is when I want to use my ISP1 IP address to connect from outside to my home router, e.g. with winbox. When I send a packet for WOL, it's getting through and wakes up a computer. I'm aware that the problem is that the incoming connection is going to my home router, but the router sends it back to the wrong gate.
I tried something like this, but it's not working.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-port=8728 in-interface=ether3 new-connection-mark=\
    API_c passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting connection-mark=API_c new-routing-mark=API_r passthrough=yes

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.65 routing-mark=API_r

192.168.1.65 is my gate for eth3 at home.


Can you please help me with that?
[attachment: network.png]

You’re almost there. Aside from everything in your config that might conflict with it, and which we know nothing about because you didn’t post it:

  • second mangle rule (which is for other connected devices) needs in-interface=eth2, because you want it only for response packets
  • if you want to access router itself, you need similar rule also in output chain

Did what you suggested and now it looks like this and everything is working fine, thank you very much! :sunglasses:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-port=8728 in-interface=ether3 new-connection-mark=API_c passthrough=yes \
    protocol=tcp
add action=mark-routing chain=output new-routing-mark=API_r passthrough=yes protocol=tcp src-port=8728

Is that ok or should I change something in it?

If you do it this way, then you don’t use connection marks for anything, because the only condition for route marking is src-port=8728. So it will work for access from eth3, but it will break it for eth2 (could be influenced by other parts of config). So I’d replace src-port=8728 in second rule with connection-mark=API_c.
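The complete rule set the replies converge on, written out as an added example (it is not a config posted in the thread). It assumes RouterOS v6 routing-mark syntax, ether2 as the home LAN interface, ether3 as the link toward the work router, and 192.168.1.65 as the gateway on ether3, as stated earlier in the thread.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 syntax,
# ether3 = link toward the work router / ISP1 side (gateway 192.168.1.65),
# ether2 = home LAN. Adjust interface names to your own setup.

/ip firewall mangle
# 1. Mark new API (8728/tcp) connections that arrive from the work side on ether3.
#    The in-interface match keeps connections arriving from ISP2 unmarked.
add chain=prerouting action=mark-connection connection-state=new \
    in-interface=ether3 protocol=tcp dst-port=8728 \
    new-connection-mark=API_c passthrough=yes

# 2. Replies from LAN hosts (forwarded connections): only packets entering on
#    ether2 that belong to a marked connection get the routing mark, so all
#    other LAN traffic keeps using the ISP2 default route.
add chain=prerouting action=mark-routing in-interface=ether2 \
    connection-mark=API_c new-routing-mark=API_r passthrough=yes

# 3. Replies generated by the router itself (WinBox/API to the router): the
#    output chain matches on the connection mark, not on src-port, so it does
#    not catch unrelated traffic that happens to use port 8728.
add chain=output action=mark-routing connection-mark=API_c \
    new-routing-mark=API_r passthrough=yes

/ip route
# Packets carrying API_r leave via the ether3 gateway instead of via ISP2.
add dst-address=0.0.0.0/0 gateway=192.168.1.65 routing-mark=API_r distance=1

# These rules only choose the return path; which sources may reach port 8728
# is still decided by /ip firewall filter.
```

Check the result with /ip firewall connection print and /ip route print, where connections from the work side should carry API_c and the marked route should show as active.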

I have to ask… are you all trying to shove bandaids on a wound?
In other words is there a more logical approach to meeting the requirements…

What exactly seems wrong to you? If it’s connected this way, then for the router it’s basically like dual WAN config, nothing wrong with that.

My bad, I didn't realize that the office and home routers were at the same location and thus connected via ethernet.
Not sure I get the diagram I guess, nor how everything is mysteriously connected. In fact, since none of it makes sense,
I will leave now and not stress about it … no explanation required.

My bad - don’t know why I put the src-port instead of the connection-mark :confused:
Changed it to how it's supposed to be. Thanks again for your help! :smiley: