OK so here it is
Wan1 = internet 1 no fixed ip double natted by isp provider
Wan2 = internet 2 fixed ip provided by isp provider
Wan3 = internet 3 no fixed ip double natted by isp provider
Router
1 Wan1 → on failure Wan2 → on failure Wan3
How do i make Mr Mik Route the cloud services to Wan2 so that i can access the Router from outside?
On the Mangles Facility create a Rule on the output chain, with destination address cloud.mikrotik.com or cloud2.mikrotik.com (depends on the device ROS version) and then create a new Routing Mark to the WAN you want to use (that Routing Mark should of course exist in your Routing Table)…
You could as well create an address list with the above servers… (Recommended)
Another choice would be the Routing Rules instead of the Mangles Facility…
So: chain output, dst address to address list, say (cloud), and cloud has entry cloud.mikrotik.com, which it shows resolved to ipaddress. Mark routing, new routing mark (ispB).
Now in routing table
dst address 0.0.0.0/0
gateway is wan2 which is static ipaddress.
distance 1
routing mark (ispB)
Does not work with any cloud or cloud 2. The only way it will work is if I give wan2 distance 1 in routing table, which is generally 2.
i had tried accessing previously through ipaddress and routed the winbox port to the wan2 in routing table then also it did not work
Routing mark (ispB)
well does not work the cloud feature picks up ipaddress of the wan1
My config is exactly same as your example and the ip does update. but in the bottom it says router is behind a nat.
this is to update the ipaddress on the cloud . so cloud will hit back on my ipaddress.
Back to the same problem i have static ipaddress from provider. This static ip is on wan2. with distance 2 in route.
if i make it distance one and all other internet are greater (2,3) then i can access it through direct static ip i do not need cloud and same thing is happening with the cloud.
SO finally how do i keep the static ip to distance 2 yet still access the router remotely.
Lastly what i have tried now is adding under NAT
chain dstnat
Protocol tcp6
dst port 8291 (for winbox )
in interface WAN2
action dstnat
to address (ip address to the mikrotik router Lan)
to port 8291
so what now i am getting is if i use the log feature
dstnat: in:WAN_2 out:(unknown 0), src-mac cc:d8:1f:1a:49:ce, proto TCP (SYN), muremoteipaddress from where i am accessing:1035->wan2staticipaddressof mikro router to be accessed:8291, len 52
That is a route with a Routing Mark, in my case there was no reason to set it to 1 or 100…
When you update the IP address successfully you will be able to access your Router through your static IP… Of course you should allow TCP 8291 on your Firewall (not good for Security reasons)
Also, you need no NAT rules to access the Mikrotik itself that already has a Public IP address assigned to one of its interfaces…
If it still doesn’t work, you might have a conflicting rule on your Mangles…
You need no NAT, i already said that before…
If the Cloud is updated with a public IP, it is accessible…
Check in your firewall the Drop rules in the Input chain..
Or just create an accept rule on chain input for 8291 and place it on top (we always prefer VPN Tunnels to access our Devices)…
if you see at fixed ipaddress Mik
input: in:WAN_2 out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 103.72.xxx.xxx:1059->182.76.xxx.xxx:8291, len 52
/interface ethernet
set [ find default-name=ether1 ] name=WAN_1 comment=wan1_interface
# WAN_2 is the fixed ip
set [ find default-name=ether2 ] name=WAN_2 comment=wan2_interface
set [ find default-name=ether3 ] name=WAN_3 comment=wan3_interface
set [ find default-name=ether4 ] name=LAN_4 comment=lan4_interface disabled=yes
set [ find default-name=ether5 ] name=LAN_5 comment=lan5_interface
/interface pppoe-client
add disabled=no interface=WAN_1 name=pppoe-out-wan1 password=test \
    user=8test
/ip pool
add name=Lan5_Dhcp_pool ranges=192.168.88.100-192.168.88.150
/ip dhcp-server
add address-pool=Lan5_Dhcp_pool authoritative=after-2sec-delay \
disabled=no interface=LAN_5 lease-time=23h59m59s name=Lan5_Dhcp
/ip address
add address=192.168.88.254/24 interface=LAN_5 network=192.168.88.0 \
comment=Local_Lan
add address=192.168.1.200/24 interface=WAN_1 network=192.168.1.0 disabled=yes
add address=192.168.2.200/24 interface=WAN_2 network=192.168.2.0 disabled=yes
add address=192.168.3.200/24 interface=WAN_3 network=192.168.3.0 disabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.254 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN_1
add action=masquerade chain=srcnat out-interface=WAN_2
add action=masquerade chain=srcnat out-interface=WAN_3
add action=masquerade chain=srcnat out-interface=pppoe-out-wan1
/ip route
add check-gateway=ping comment=WAN_1_ROUTE distance=1 gateway=192.168.1.1 \
disabled=yes
add check-gateway=ping comment=WAN_2_ROUTE distance=2 gateway=192.168.2.254
add check-gateway=ping comment=WAN_3_ROUTE distance=3 gateway=192.168.3.254
add check-gateway=ping comment=pppoe-out-wan1_ROUTE distance=1 \
gateway=pppoe-out-wan1
add check-gateway=ping comment=WAN_2_ROUTE distance=2 gateway=192.168.2.254
add check-gateway=ping comment=WAN_3_ROUTE distance=3 gateway=192.168.3.254
add check-gateway=ping comment=pppoe-out-wan1_ROUTE distance=1 \
gateway=pppoe-out-wan1
add comment=WAN_1_Redundancy_check distance=1 gateway=pppoe-out-wan1 \
dst-address=8.8.8.8
add comment=WAN_2_Redundancy_check distance=1 gateway=192.168.2.254 \
dst-address=8.8.4.4
add comment=WAN_3_Redundancy_check distance=1 gateway=192.168.3.254 \
dst-address=8.8.4.4
# these were disabled to check fixed ip
/ip firewall filter
add chain=input comment="Accept established and related packets" \
connection-state=established,related
add chain=input comment="Accept all connections from local network" \
in-interface=LAN_5
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" \
in-interface=WAN_1 src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" \
in-interface=WAN_2 src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" \
in-interface=WAN_3 src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" \
    in-interface=pppoe-out-wan1 src-address-list=NotPublic
# these were disabled to check fixed ip
/ip firewall filter
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN_1
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN_2
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN_3
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out-wan1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN_1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN_2 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN_3 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=pppoe-out-wan1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN_5
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN_5 src-address=!192.168.88.254/24
# these were disabled to check fixed ip
/ip firewall filter
add chain=input in-interface=LAN_5 protocol=icmp action=accept comment="allow ICMP2";
add chain=input in-interface=LAN_5 protocol=tcp port=8291 action=accept comment="allow Winbox2";
add chain=input in-interface=LAN_5 protocol=tcp port=22 action=drop comment="allow SSH";
add chain=input in-interface=LAN_5 action=drop comment="block everything else";
Here is the last code i tried the ips are changed but you can see wan2 is the fixed ip
Above + the address list of cloud and mangle for cloud in firewall
If you create a Route with a Routing Mark, the Route will not be used unless you Route traffic specifically to that Route, by using Mangles for example…
I would suggest you to add the Route and give it some time… it might take some time to update the IP of the Cloud.. normally it should be 60 seconds…
You could also try to force-update the cloud from terminal…
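An added example, not part of the original thread and not the poster's config: one way to keep the WAN_2 default route at distance 2 while sending both the cloud update and the router's replies to connections arriving on WAN_2 back out through WAN_2. It goes a step beyond the replies above by also marking inbound WAN_2 connections; RouterOS v6 syntax is assumed, and `wan2_conn`, `mgmt_allowed` and `203.0.113.10` are constructed placeholders.

```routeros
# Added example (RouterOS v6 syntax assumed; not the poster's config).
# WAN_2, gateway 192.168.2.254 and routing mark ispB are taken from the thread;
# the list names, wan2_conn and 203.0.113.10 are constructed placeholders.

# 1. Cloud servers in an address list (the router resolves the DNS names)
/ip firewall address-list
add list=cloud address=cloud.mikrotik.com
add list=cloud address=cloud2.mikrotik.com
# Constructed admin source address; replace with your own trusted IP
add list=mgmt_allowed address=203.0.113.10

# 2. Default route used only by traffic carrying routing mark ispB.
#    The unmarked WAN_2 route keeps distance=2 for normal failover.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.254 routing-mark=ispB distance=1

/ip firewall mangle
# 3. Router-originated cloud updates leave through WAN_2
add chain=output dst-address-list=cloud action=mark-routing \
    new-routing-mark=ispB passthrough=no comment="cloud via WAN_2"
# 4. Remember connections that arrived on WAN_2 ...
add chain=input in-interface=WAN_2 connection-state=new action=mark-connection \
    new-connection-mark=wan2_conn passthrough=yes comment="mark WAN_2 inbound"
# ... and send the router's replies for them back out of WAN_2
add chain=output connection-mark=wan2_conn action=mark-routing \
    new-routing-mark=ispB passthrough=no comment="reply via WAN_2"

# 5. Winbox from the trusted list only; move this rule above the input drop rules
/ip firewall filter
add chain=input in-interface=WAN_2 protocol=tcp dst-port=8291 \
    src-address-list=mgmt_allowed action=accept comment="Winbox from mgmt_allowed"

# 6. Push the new address to the cloud service and confirm it
/ip cloud
set ddns-enabled=yes
force-update
print
```

Without step 4 the SYN is logged on the input chain of WAN_2, but the reply follows the distance 1 default route out of WAN1, so the session never completes.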