Hello,
I’m sure I’m missing something obvious but I’m a bit stuck on this.
I have two ADSL connections and I’m using both through a MikroTik RB750. The outgoing connections work as expected and the GW used is the one I want in each situation.
The problem is that I want to open several services through both of the ADSLs, so if one of them fails my users from the WAN can access the services through the other ADSL.
The configuration I have basically is:
# interface configuration:
/interface ethernet set ether1 name ether1-gateway
/interface ethernet set ether2 name ether2-gateway
/interface ethernet set ether3 name ether3-local-master
/interface ethernet set ether4 name ether4-local-slave
/interface ethernet set ether5 name ether5-local-slave
# the switch will (I hope) be formed by interfaces 3, 4 and 5
/interface ethernet set ether4-local-slave master-port=ether3-local-master
/interface ethernet set ether5-local-slave master-port=ether3-local-master
# LAN IP for the MikroTik
/ip address add address=192.168.1.1/24 interface=ether3-local-master comment="lan default gateway"
# IP for the Telefónica WAN (ether1-gateway), route and NAT (in production it will be 10.0.0.x)
/ip address add address=10.0.0.254/24 interface=ether1-gateway
/ip route add gateway=10.0.0.0
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway
# IP for the Vodafone WAN (ether2-gateway), route and NAT (in production it will be 10.0.1.x)
/ip address add address=10.0.1.254/24 interface=ether2-gateway
/ip route add gateway=10.0.1.0
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2-gateway
# marks for the routes (for testing; the IPs change in production)
# remote desktops < 98
/ip firewall mangle add chain=prerouting src-address=192.168.1.1-192.168.1.98 action=mark-routing new-routing-mark=GrupoA
# linux servers > 99 < 210
/ip firewall mangle add chain=prerouting src-address=192.168.1.99-192.168.1.209 action=mark-routing new-routing-mark=GrupoB
# dynamic IPs > 210 < 250
/ip firewall mangle add chain=prerouting src-address=192.168.1.210-192.168.1.250 action=mark-routing new-routing-mark=GrupoC
# the rest > 250
/ip firewall mangle add chain=prerouting src-address=192.168.1.251-192.168.1.254 action=mark-routing new-routing-mark=GrupoD
# routes based on the marks (for testing; the IPs change in production)
# Groups A, C and D -> Vodafone GW
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=GrupoA
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=GrupoC
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=GrupoD
# Group B -> Telefónica GW
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=GrupoB
As I’ve said, all outgoing connections work like a charm regardless of the group of the source IP.
The problem arises when I try to port-forward through both WANs. I want all the services to be available from both WANs. These are the rules I’ve applied:
# WWW (both WAN routers map 80 to 80 in 10.0.0.254 and 80 to 81 in 10.0.1.254, just to avoid using the same port in the mikrotik)
/ip firewall nat add chain=dstnat dst-address=10.0.1.254 protocol=tcp dst-port=81 action=dst-nat to-addresses=192.168.1.107 to-ports=80 comment="WWW desde vodafone"
/ip firewall nat add chain=srcnat dst-address=10.0.1.254 protocol=tcp dst-port=81 action=src-nat to-addresses=192.168.1.107 to-ports=80 comment="WWW desde vodafone"
/ip firewall nat add chain=dstnat dst-address=10.0.0.254 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.107 to-ports=80 comment="WWW desde telefonica"
/ip firewall nat add chain=srcnat dst-address=10.0.0.254 protocol=tcp dst-port=80 action=src-nat to-addresses=192.168.1.107 to-ports=80 comment="WWW desde telefonica"
# RDP (both WAN routers map 3389 to 3389 in 10.0.0.254 and 3389 to 3390 in 10.0.1.254, just to avoid using the same port in the mikrotik)
/ip firewall nat add chain=dstnat dst-address=10.0.1.254 protocol=tcp dst-port=3390 action=dst-nat to-addresses=192.168.1.55 to-ports=3389 comment="rdesktop desde vodafone"
/ip firewall nat add chain=srcnat dst-address=10.0.1.254 protocol=tcp dst-port=3390 action=src-nat to-addresses=192.168.1.55 to-ports=3389 comment="rdesktop desde vodafone"
/ip firewall nat add chain=dstnat dst-address=10.0.0.254 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.55 to-ports=3389 comment="rdesktop desde telefonica"
/ip firewall nat add chain=srcnat dst-address=10.0.0.254 protocol=tcp dst-port=3389 action=src-nat to-addresses=192.168.1.55 to-ports=3389 comment="rdesktop desde telefonica"
Those are just a couple of the ports I’ve forwarded.
When I access port 80 from ISP1 (WAN port 10.0.0.254) everything works as expected. But accessing WWW from ISP2 (WAN port 10.0.1.254) I get a timeout (it seems as if the port is filtered).
However, if I access RDP from ISP1, that is where the timeout happens. The ISP2 access through RDP works fine.
I’m not sure what is happening here. I’ve tried to mess with the firewall rules to see if I can solve the problem, but with no success.
Any help would be appreciated. TIA
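The symptom in the post lines up with the source-address routing marks: 192.168.1.107 falls in the GrupoB range (routed via Telefónica, 10.0.0.1) and 192.168.1.55 in the GrupoA range (routed via Vodafone, 10.0.1.1), so the LAN host's replies always leave through the WAN chosen by its source address, not through the WAN the request arrived on. The connection is dst-nat'd correctly on the way in, but the return packets take the other ADSL and the remote client never sees them, which reads as a filtered port. The usual RouterOS pattern is to remember the ingress WAN with a connection mark and route replies by that mark. The following is an added example written for this thread, not the poster's configuration or a MikroTik-supplied snippet; it reuses the interface names, routing marks and gateways from the post, while the connection-mark names (from-telefonica, from-vodafone) are assumed.

```routeros
# Added example (not the poster's config): return-path routing by connection mark.
# Interface names and routing marks come from the post; connection-mark names are assumed.
/ip firewall mangle
# 1. On a new connection arriving from a WAN, record which WAN it came in on.
#    mangle prerouting runs before dst-nat, so in-interface matching is reliable here.
add chain=prerouting in-interface=ether1-gateway connection-state=new action=mark-connection new-connection-mark=from-telefonica passthrough=yes
add chain=prerouting in-interface=ether2-gateway connection-state=new action=mark-connection new-connection-mark=from-vodafone passthrough=yes
# 2. When the LAN host answers, pick the routing mark from the connection mark instead of
#    from its source address. passthrough=no ends mangle processing for the packet, so the
#    src-address mark-routing rules (GrupoA..GrupoD) cannot re-mark it.
add chain=prerouting in-interface=ether3-local-master connection-mark=from-telefonica action=mark-routing new-routing-mark=GrupoB passthrough=no
add chain=prerouting in-interface=ether3-local-master connection-mark=from-vodafone action=mark-routing new-routing-mark=GrupoA passthrough=no
# 3. The existing src-address rules stay below these and keep deciding the path only for
#    connections the LAN hosts originate themselves.
```

These four rules must sit above the src-address mark-routing rules, since RouterOS evaluates mangle rules in order; adding them with `place-before=0` or moving them to the top in the rule list achieves that. To confirm the marks are being applied, `/ip firewall connection print` shows the connection mark on each tracked flow, and an inbound connection from the Vodafone side to 192.168.1.107 should carry from-vodafone with its replies leaving via ether2-gateway.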