Inbound NAT, multiple ISP's traffic flow

jamiewatson69 · November 2, 2010, 6:04pm

Hi all,

I am trying to get two IP addresses that are presented on the MT from two different ISP’s to be natted to the same internal host, this is basically to provide redundancy! I have go it working in that the nat’ed addresses do work and I can contact the servers using these addresses, though I don’t think the traffic is flowing back via the address / connection it was natted from and is using its standard route. Anybody any experience with this or any examples of the setup?

Thanks
Jamie
http://www.fusionmanageit.co.uk
Fusion IT Management Limited

Feklar · November 4, 2010, 7:03pm

add action=mark-connection chain=forward comment="" \
    connection-state=new disabled=no in-interface=WAN1 new-connection-mark=\
    outside1_connection passthrough=no
add action=mark-connection chain=forward comment="" connection-state=new \
    disabled=no in-interface=WAN2 new-connection-mark=outside2_connection \
    passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=\
    outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=\
    no
add action=mark-routing chain=prerouting comment="" connection-mark=\
    outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=\
    no

You’ll need routes with the appropriate routing mark in your routing table.

infidel · November 5, 2010, 3:15pm

I have been trying to make this work for ages and have tried the above solution too. It does not seem to work. I can only remote desktop from the default route. If I change the default route to the other wan interface, i can connect but not from the first. The only difference is that i do not masquarade each interface individually but more like this
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=NAT disabled=no out-interface=
“!Lan Interface”

changeip · November 5, 2010, 3:25pm

you need to mark connections, mark packets, and then mark routing. in your example below you are not marking packets, only connections, which is pretty much just the SYN packets.

infidel · November 5, 2010, 3:28pm

Where you refering to my post? I just noted that i do not have a rule for each wan interface, i bundled them all together and i was nor sure if it made any differece.

infidel · November 5, 2010, 4:12pm

add action=mark-connection chain=forward comment=
“New packets from Wan Interfaces” connection-state=new disabled=no
in-interface=ether2 new-connection-mark=“New Incoming Eth2” passthrough=
no
add action=mark-packet chain=prerouting comment=“” connection-mark=
“New Incoming Eth2” disabled=no new-packet-mark=“New Incoming Eth2”
passthrough=no
add action=mark-routing chain=prerouting comment=
“New packets to Wan Interfaces” disabled=no new-routing-mark=
“New Outgoing Eth2” packet-mark=“New Incoming Eth2” passthrough=no
You mean something like this? This does not work too. Tried with connection-state=new and without it. Without it i noticed that the counters are exactly the same for packet mark and packet routing. I still cannot connect though.
Tried every possible variation with prerouting and forward.

changeip · November 5, 2010, 5:21pm

change the first rule to prerouting. change all rules to passthru=yes

Sam

infidel · November 5, 2010, 5:46pm

Tried that. Seems to work, but:

I cannot access the gateway itself. If I exclude the gateway’s ip from the first rule, then I can access it. Any thoughts on this?
If the default route is down, it stops working.

changeip · November 5, 2010, 6:00pm

did you basically duplicate your main routing table in the ‘New Outgoing Eth2’ routing table? you need to add the connected routes into that table as well as the alternate default gateway. I think you might also need a single mangle output chain rule to catch the traffic from the router itself (pings to router).

changeip · November 5, 2010, 6:04pm

i guess its time for me to make a screen video and post it : )

infidel · November 5, 2010, 6:06pm

add action=mark-connection chain=input comment=“New connections from Wan Interfaces” disabled=no in-interface=ether2 new-connection-mark=“New Incoming Eth2”
passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=ether4 new-connection-mark=“New Incoming Eth4” passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=ether5 new-connection-mark=“New Incoming Eth5” passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=ether6 new-connection-mark=“New Incoming Eth6” passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=ether7 new-connection-mark=“New Incoming Eth7” passthrough=yes
add action=mark-routing chain=output comment=“New Connections to Wan Interfaces” connection-mark=“New Incoming Eth2” disabled=no new-routing-mark=
“New Outgoing Eth2” passthrough=no
add action=mark-routing chain=output comment=“” connection-mark=“New Incoming Eth4” disabled=no new-routing-mark=“New Outgoing Eth4” passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=“New Incoming Eth5” disabled=no new-routing-mark=“New Outgoing Eth5” passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=“New Incoming Eth6” disabled=no new-routing-mark=“New Outgoing Eth6” passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=“New Incoming Eth7” disabled=no new-routing-mark=“New Outgoing Eth7” passthrough=no

With this set of rules I can connect to microtik itself from all wan interfaces
This is the route table
/ip route
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-mark=“New Outgoing Eth2” scope=30 target-scope=
10
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.254 routing-mark=“New Outgoing Eth4” scope=30 target-scope=
10
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 routing-mark=“New Outgoing Eth5” scope=30 target-scope=
10
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.254 routing-mark=“New Outgoing Eth6” scope=30 target-scope=
10
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.254 routing-mark=“New Outgoing Eth7” scope=30 target-scope=
10
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark=“Server Traffic” scope=30 target-scope=10
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 routing-mark=HTTP scope=30 target-scope=10
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark=“Online Games” scope=30 target-scope=10
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark=ICMP scope=30 target-scope=10
add check-gateway=ping comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 scope=30 target-scope=10
add check-gateway=ping comment=“” disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.5.254 scope=30 target-scope=10

When 194.30.234.129 gateway is down 192.168.5.254 gateway takes over. 192.168.1.254,192.168.3.254 etc gateways are adsl modems
194.30.234.129 is a bridged cisco leased line with static ips (no natting)

ubunet · March 26, 2013, 5:00pm

Hello, although this is very old post I have an identical scenario with the same rules and the NAT does not work.
I have two ISP connected to mikrotik and NAT to several different servers on the LAN. As described “infidel” just above: “If I change the default route to the other wan interface, i can connect but not from the first” …

The rules:

/ip firewall mangle
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=pppoe-wan2 new-connection-mark=pppoe_forward passthrough=yes
add action=mark-routing chain=prerouting connection-mark=in_pppoe_forward disabled=no in-interface=bridge-local new-routing-mark=pppoe_forward \
    passthrough=no
add action=mark-connection chain=input disabled=no in-interface=pppoe-wan2 new-connection-mark=pppoe-wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-wan2 disabled=no new-routing-mark=in_pppoe-wan2 passthrough=no

Routing Table:

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=62.xxx.xxx.x routing-mark=in_pppoe-wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=62.xxx.xxx.x routing-mark=to_pppoe_forward scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=62.xxx.xxx.x scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=217.xxx.xxx.1 scope=30 target-scope=10

NAT:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=22 protocol=tcp src-address-list=arminet to-addresses=\
    192.168.4.10 to-ports=22

Mikrotik v5.24 on RB-751G-2HnD. I hope some help!

Thanks in advance.

ubunet · March 29, 2013, 8:03pm

The problem is resolved. Under those rules had mangle for QoS and other one was particularly crushing the mark-connection and mark-route is not applied.
Best regards.