How to enable NAT for second WAN?

Hi, all,

My scenario should be simple, but it is making me confused.

I have a LAN and two WANs.

LAN
WAN1
WAN2

and I have a server located in the LAN.

I am hoping both WAN1 and WAN2 can accept connections from the internet and forward them to that server in the LAN.

So, I did the following configuration:

  1. All traffic from the LAN goes to WAN1 and connects to the internet, by adding a default route 0.0.0.0/0 to the gateway of WAN1.
  2. Add NAT masquerade for traffic to the internet.
  3. Add dst-nat for WAN1 and WAN2, redirecting to the server and port in the LAN.

Then I met the following problems:

  1. The server can get connections from the internet through WAN1, and it works fine.
  2. The server cannot get connections from the internet through WAN2.
  3. Pinging WAN2 from the internet gives no ICMP response.

Then I added the following rules:

  1. Add a mangle rule to mark routing “WAN2” for in-interface WAN2.
  2. Add a route, for routing mark “WAN2”, that goes to the gateway of WAN2.

After the above configuration, pinging WAN2 from the internet works.
But still, the server cannot get connections from the internet through WAN2.

Would anyone help me make it work?

Post your configuration.

Every time I’m sure I answered the same question not long ago, with nice explanation and everything, and just want to link to it, I can’t find the thread…

Anyway, the idea is simple: you need to mark incoming connections and then mark routing for the outgoing packets of those connections. A minimal version would be like this:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 \
    new-connection-mark=from_wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from_wan2 in-interface=<LAN> \
    new-routing-mark=WAN2 passthrough=yes
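To show how the two mangle rules above fit together with the route and the NAT rules the original poster already had, here is a complete worked configuration. It is an added example, not the reply author's or MikroTik's own configuration. It assumes RouterOS v6 `routing-mark` syntax (the syntax the reply uses), interfaces named `LAN`, `WAN1` and `WAN2`, a LAN server at 192.168.88.10 that only needs TCP/443 forwarded, and `<WAN1-GW>` / `<WAN2-GW>` as placeholders for the real ISP gateway addresses; all of those values are assumptions, not from the thread.

```routeros
# Added worked example, not the reply author's configuration.
# Assumptions (labelled, not from the thread): RouterOS v6 routing-mark syntax,
# interfaces named LAN / WAN1 / WAN2, the LAN server is 192.168.88.10 and only
# exposes TCP/443, and <WAN1-GW> / <WAN2-GW> stand for the real ISP gateways.

# 1. Mark the connection once, on the first packet that arrives via WAN2.
#    connection-state=new and connection-mark=no-mark keep the rule from
#    re-evaluating every packet of an already established flow.
/ip firewall mangle
add chain=prerouting in-interface=WAN2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=from_wan2 passthrough=yes

# 2. Replies from the LAN server belong to a marked connection; give them a
#    routing mark so they leave through WAN2 instead of the default route.
add chain=prerouting in-interface=LAN connection-mark=from_wan2 \
    action=mark-routing new-routing-mark=WAN2 passthrough=no

# 3. The router's own replies (e.g. to a ping of the WAN2 address) are generated
#    locally and never pass prerouting, so they are marked in the output chain.
add chain=output connection-mark=from_wan2 \
    action=mark-routing new-routing-mark=WAN2 passthrough=no

# 4. A route that only the marked packets use, next to the normal default.
/ip route
add dst-address=0.0.0.0/0 gateway=<WAN1-GW> comment="default, all LAN traffic"
add dst-address=0.0.0.0/0 gateway=<WAN2-GW> routing-mark=WAN2 \
    comment="only packets carrying routing mark WAN2"

# 5. Source NAT for each uplink, and a narrowly scoped port forward per WAN.
#    Limiting dst-nat to one protocol/port keeps the rest of the host unexposed.
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443

# 6. Let only the forwarded traffic through the forward chain, so the dst-nat
#    rules do not silently widen what can reach the LAN from either WAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.88.10 dst-port=443 action=accept
add chain=forward in-interface=!LAN connection-state=new action=drop
```

The connection mark is set from `in-interface` alone, so it does not depend on the dst-nat rule and is present on every packet of the flow in both directions; the routing mark is then only applied to the reply direction (packets entering from `LAN`, or generated by the router itself), which is what keeps those replies from following the WAN1 default route. To check that the marks are actually being applied, `/ip firewall connection print where connection-mark=from_wan2` shows the marked flows and `/ip route print where routing-mark=WAN2` confirms the marked route is active. On RouterOS v7 the same design uses `routing-table=WAN2` on the route and `new-routing-mark=WAN2` in mangle, after creating the table with `/routing table add name=WAN2 fib`.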