I have a bit odd setup: imagine LAN with two routers (Mikrotiks, ROS is the latest current), each connected to its own ISP (so WAN IPs of course different). LAN is the same network, only IPs on routers are different:
So Host 1 uses internet via Router 1, and host 2 uses internet via router 2.
Now I try to do dst-nat to allow say packet to 22222/tcp порт он router 1 to reach 22 port on host 1. I do that on Router 1 and it works. But as I try to set the same on router 2, I got no return packets.
The packet flow is simple, host 1 send its reply packets to router 1 (not to router 2 where it expected to be).
So the question is, how can I mark packets that’s enter via router 2 so router 1 will know it should be forwarded to router 2? Connection marks are just inside single router, and no flags I can else use, so please help!
One idea, do you need two routers, can’t it be done using just one? One router can handle multiple WANs and you wouldn’t have a problem with return path then.
Other way is to solve it on host, watch what connections come from each gateway and send replies back there. But it depends on host OS, e.g. Linux can do it, Windows most likely not.
Or you can forward reply packets from router 1 to router 2, but since there are no shared connection marks between routers, it’s not exactly easy, but perhaps doable. For router 1, replies for connections coming via router 2 should be seen as invalid, because router 1 never saw any incoming packet for them. So this might do the trick (on router 1):
Maybe if Host 1 can have two IPs? Windows and linux both support this I think. Then you can mark packets that come into Router 1 from IP2 of Host 1, you can forward that packet to Router 2.
No, sorry, in fact I try to do smooth move between different server rooms in different buildings so I’ll move servers one by one have two different routers (and even ISP) in places. Messy, but that’s for plan. As a backup plan I’ll move it all at once (as fast as we can).
Just tried, looks like it won’t work even that I can see packets are forwarded to another router. The problem maybe is that these packats are become invalid in transition (not sure at all)? Anyway, thank you for the idea, I never though about!
I gave it a try and it looked good at first, I could access internal server through router 2. But then I looked at packets and found out that router 1 forwards first reply packet and sends icmp redirect to server, telling it to use router 2 as gateway for client address. Server accepts it and does exactly that for further reply packets. But when I blocked the redirect, it turned out that router 1 sees only first reply packet as invalid. Following ones are seen as new and it ruins the whole plan.
Simple solution:
on router 1 you create two nat rules one is dst-nat and second is src-nat, you NAT src-address to your router LAN IP, so it hides the public IP of the packet.
Example:
on router one you create two rules:
DST-NAT:
/ip fire nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=22 to-addresses=192.168.88.210 (host 2 that have default gateway through router 2)
then you create SRC-NAT, so that host will see incoming packet as it came from router 1 192.168.88.1, and will reply back to router 1, and the router 1 will have NAT table session, and process the package correctly.