Issue: Dual WAN Routing for HTTPS Access with Connection Mark and NAT Challenges

Hello everyone!

I'm facing some challenges with a MikroTik configuration that involves dual WAN connections and HTTPS access. My goal is to allow access to HTTPS (port 443) through two different links (pppoe-FBNET and pppoe-GOLDEN) and ensure that return traffic exits through the same interface it entered on.

Current Problem:

I’m setting up connection and routing marks to ensure connections enter and exit through the same link.
In some cases, outgoing traffic fails to find the correct interface and shows out: (unknown 0).
I noticed that adding connection-mark=no-mark in the mangle rules can help maintain routing consistency, but I still encounter issues in certain scenarios.
Current Configuration:

NAT Rules:
/ip firewall nat

# Masquerade for outgoing traffic on each WAN interface
add chain=srcnat out-interface=pppoe-FBNET action=masquerade comment="Masquerade for outbound FBNET"
add chain=srcnat out-interface=pppoe-GOLDEN action=masquerade comment="Masquerade for outbound GOLDEN"

# Destination NAT to redirect port 443 traffic to the internal server
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.50.30 comment="NAT RDP for FBNET"
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.50.30 comment="NAT RDP for GOLDEN"


Mangle Rules with Connection Mark:
/ip firewall mangle

# Mark connections entering via FBNET (only connections that are not yet marked)
add chain=forward in-interface=pppoe-FBNET connection-mark=no-mark action=mark-connection new-connection-mark=FBNET_conn passthrough=yes comment="New connection mark for FBNET"

# Mark connections entering via GOLDEN (only connections that are not yet marked)
add chain=forward in-interface=pppoe-GOLDEN connection-mark=no-mark action=mark-connection new-connection-mark=GOLDEN_conn passthrough=yes comment="New connection mark for GOLDEN"

# Routing mark for outbound traffic via FBNET, based on the connection mark
add chain=prerouting connection-mark=FBNET_conn action=mark-routing new-routing-mark=to_FBNET passthrough=no comment="Routing mark for FBNET"

# Routing mark for outbound traffic via GOLDEN, based on the connection mark
add chain=prerouting connection-mark=GOLDEN_conn action=mark-routing new-routing-mark=to_GOLDEN passthrough=no comment="Routing mark for GOLDEN"

Routing Rules with Marking:
/ip route

# Primary and backup routes in the main routing table
add dst-address=0.0.0.0/0 gateway=pppoe-FBNET distance=1 check-gateway=ping comment="Primary route for FBNET"
add dst-address=0.0.0.0/0 gateway=pppoe-GOLDEN distance=2 check-gateway=ping comment="Backup route for GOLDEN"

# Marked route so that return traffic exits via FBNET
add dst-address=0.0.0.0/0 gateway=pppoe-FBNET distance=1 routing-mark=to_FBNET comment="Return route for FBNET traffic"

# Marked route so that return traffic exits via GOLDEN
add dst-address=0.0.0.0/0 gateway=pppoe-GOLDEN distance=1 routing-mark=to_GOLDEN comment="Return route for GOLDEN traffic"

Notes:
When I remove the marks, traffic flows through the primary link, and NAT works fine, but with the marks in place, routing does not work as expected.
I'm open to any suggestions on how to reliably enforce routing for inbound and outbound traffic on the same link with marking, without facing the out: (unknown 0) issue.
Thanks a lot for any help or ideas!

Hi,

It isn't shown in your listings, but if the default fasttrack rule is in place, it will break marked packets.

You could put an accept rule just prior to the fasttrack rule with connection-mark=!no-mark
(or add connection-mark=no-mark to the fasttrack rule).

Your two dst-nat rules are identical; you could just use one.

Your route marking likely needs to apply only to outbound traffic, e.g. in-interface=!pppoe-FBNET comment="Routing mark for FBNET"

What is not clear to me is whether you are connecting to the HTTPS service provided by the router itself,
OR
do you mean connecting to an HTTPS server you have on the LAN?
(If so, are connections coming in on two different WANs going to the same LAN HTTPS server?)
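As an added example (not the original poster's configuration and not the reply's exact wording), here is one consistent rule set that applies the three suggestions above: connection marks set only on new, unmarked connections per WAN, routing marks applied only to packets that did not arrive from a WAN, a fasttrack rule restricted to unmarked connections, and a single dst-nat rule. It assumes an interface list named WAN that contains both PPPoE links (the poster's filter rules already reference such a list) and uses the RouterOS v6 style routing-mark= on /ip route as the thread does; on RouterOS v7 the tables must be declared first with `/routing table add name=to_FBNET fib` (and likewise for to_GOLDEN) and /ip route uses routing-table= instead of routing-mark=.

```routeros
# Added example, not the thread's own config. Assumes interface list "WAN"
# holds pppoe-FBNET and pppoe-GOLDEN, and the HTTPS server is 192.168.50.30.

/ip firewall mangle
# 1. Tag NEW, still-unmarked connections with the WAN they arrived on.
#    prerouting runs before dst-nat, so inbound connections to the LAN server
#    are caught here as well as anything the router answers itself.
add chain=prerouting in-interface=pppoe-FBNET connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=FBNET_conn passthrough=yes comment="conn in via FBNET"
add chain=prerouting in-interface=pppoe-GOLDEN connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=GOLDEN_conn passthrough=yes comment="conn in via GOLDEN"

# 2. Apply the routing mark ONLY to packets that did not come in on a WAN,
#    i.e. the LAN server's replies. Marking the inbound WAN packets as well is
#    what sends them to a table with no usable route ("out: (unknown 0)").
add chain=prerouting in-interface-list=!WAN connection-mark=FBNET_conn \
    action=mark-routing new-routing-mark=to_FBNET passthrough=no \
    comment="replies of FBNET conns leave via FBNET"
add chain=prerouting in-interface-list=!WAN connection-mark=GOLDEN_conn \
    action=mark-routing new-routing-mark=to_GOLDEN passthrough=no \
    comment="replies of GOLDEN conns leave via GOLDEN"

/ip firewall filter
# 3. FastTrack only connections that carry no mark. Fasttracked packets skip
#    the mangle table, so a marked connection that is fasttracked never gets
#    its routing mark and falls back to the main table.
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack unmarked connections only"
add chain=forward action=accept connection-state=established,related \
    comment="marked connections keep going through mangle"
# Allow the published service; connections are accepted regardless of WAN.
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat \
    protocol=tcp dst-port=443 comment="allow dst-nat'ed HTTPS to the LAN server"

/ip firewall nat
add chain=srcnat out-interface=pppoe-FBNET action=masquerade
add chain=srcnat out-interface=pppoe-GOLDEN action=masquerade
# One dst-nat rule is enough: it matches on either WAN.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.50.30 comment="HTTPS to LAN server"

/ip route
# Main table: FBNET primary, GOLDEN backup (used for LAN-originated traffic).
add dst-address=0.0.0.0/0 gateway=pppoe-FBNET distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-GOLDEN distance=2 check-gateway=ping
# Marked tables: the only route each one needs is its own WAN.
add dst-address=0.0.0.0/0 gateway=pppoe-FBNET routing-mark=to_FBNET
add dst-address=0.0.0.0/0 gateway=pppoe-GOLDEN routing-mark=to_GOLDEN
```

Two things worth checking after applying something like this: `/ip firewall connection print where connection-mark!=""` should show the inbound 443 sessions tagged with the mark of the WAN they came in on, and `/tool torch` on each pppoe interface should show the reply packets for a session leaving on the same interface it entered. If the router's own HTTPS service (rather than a LAN server) is the target, the replies are locally generated and the routing-mark rules would need to live in chain=output instead of prerouting.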

Hello everyone,

I was advised to add connection-mark=no-mark to my FastTrack rule to ensure it only applies to connections without specific marks. However, I’m not sure how exactly to modify the FastTrack rule to include this condition. I’ve attached my current filter and NAT tables for reference.

Could anyone guide me on how to properly set up this rule?

Thank you!


/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" connection-state=established,related in-interface-list=WAN
add action=drop chain=input comment="DROP INVALID" connection-state=invalid in-interface-list=WAN
add action=accept chain=input comment="ALLOW ICMP" in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="ALLOW SSTP VPN" disabled=yes dst-port=4443 protocol=tcp
add action=accept chain=input comment="ALLOW OPENVPN" dst-port=1194 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="ALLOW INPUT OLICENTER" in-interface-list=WAN src-address-list=OLICENTER
add action=accept chain=output comment="ALLOW OUTPUT" out-interface-list=WAN
add action=drop chain=input comment="DROP THE REST" in-interface-list=WAN
add action=log chain=input comment=LOGS in-interface-list=WAN



/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=pppoe-FBNET
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=pppoe-GOLDEN
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.50.30 comment="NAT RDP for FBNET"
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.50.30 comment="NAT RDP for GOLDEN"

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Last chance, bud. I asked specific questions... still not answered.
Also, if you want answers, we need the complete config, not bits, please, as it is all connected!

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

I think he is not here anymore.