Mikrotik D-NAT from two public PPPOE IPs

adispy · January 23, 2024, 12:28pm

Hi everyone,
I have two public IPs using PPPOe and I’m having a difficult time forwarding traffic from the second IP to my internal services. When I configured the connection I set a higher route distance for the second PPPOE connection since I don’t want it to load balance or anything. This is just for email to come in and for the web server.
Port forwarding is working great if I do it for the first IP (public IP).

From what I have read on the internet, I kind of have the feeling I need to use Mangle rules, just don’t know how. I have configure D-NAT rules setting the destination as the second public IP, but it is not working. I can’t even PING the second public IP even tough it is allowed in the firewall.
Most of the firewall rules are the default ones since this Mikrotik router just replaced yesterday a different router from another vendor.

Bellow is my firewall config, maybe someone can clear things out for me. Thanks in advance.

# 2024-01-23 12:23:16 by RouterOS 7.13.2
# software id = 7WQ9-KEY5
#
# model = RB5009UG+S+
# serial number = HEP0926CA13
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat comment="Hairpin NAT Sophos Proxy" \
    dst-address-list=!192.168.10.254 dst-address-type=local dst-port=80,443 \
    protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.10
add action=dst-nat chain=dstnat comment="Sophos UTM9 Proxy" connection-mark=\
    "" dst-address=PUBLIC_IP_01 dst-port=443,80,8080,8443 in-interface=\
    RDS_PPOE_01 protocol=tcp to-addresses=192.168.10.10
add action=dst-nat chain=dstnat comment="qBittorrent on ROCLJVKRHV02" \
    connection-mark="" dst-address=PUBLIC_IP_01 dst-port=50100 in-interface=\
    RDS_PPOE_01 protocol=tcp to-addresses=192.168.10.4 to-ports=50100
add action=dst-nat chain=dstnat comment=OPNSense connection-mark="" \
    dst-address=PUBLIC_IP_01 dst-port=8400,8600,8511 in-interface=RDS_PPOE_01 \
    protocol=tcp to-addresses=192.168.10.61
add action=dst-nat chain=dstnat comment="SMTP on ROCLJVKRSMTP" \
    connection-mark="" dst-address=PUBLIC_IP_02 dst-port=25,465,587 \
    in-interface=RDS_PPOE_02 protocol=tcp to-addresses=192.168.10.55
add action=dst-nat chain=dstnat comment="VPS Blog" connection-mark="" \
    dst-address=PUBLIC_IP_02 dst-port=80,443 in-interface=RDS_PPOE_02 log=yes \
    protocol=tcp to-addresses=192.168.10.7
add action=src-nat chain=srcnat connection-mark="" dst-port=80,443 \
    out-interface=RDS_PPOE_02 protocol=tcp src-address=192.168.10.7 \
    to-addresses=PUBLIC_IP_02
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none

adispy · January 23, 2024, 9:45pm

So I have created the bellow mangle rules thanks to this post https://www.reddit.com/r/mikrotik/comments/o2sfo1/how_do_i_port_forwarding_on_multiple_wan/ and it kind of works, but I am having an issue with my SMTP server.
The SMTP gateway is rejecting emails since they come from the internal IP address of Mikrotik. Is there any way I can fix this so it passes the public IP of the sender?

/ip firewall mangle
add action=mark-connection chain=input comment="Policy based routing for VPS Blog on RDS_PPPOE_02" connection-state=new \
    dst-address=192.167.10.7 in-interface=RDS_PPOE_02 new-connection-mark=PPPOE_02_WAN-Connection passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-address=192.168.10.7 dst-port=80,443 in-interface=RDS_PPOE_02 new-connection-mark=\
    PPPOE_02_WAN-Connection out-interface=bridge_LAN passthrough=yes protocol=tcp
add action=mark-connection chain=postrouting dst-port=80,443 new-connection-mark=PPPOE_02_WAN-Connection out-interface=RDS_PPOE_02 \
    passthrough=yes protocol=tcp src-address=192.168.10.7
add action=mark-routing chain=output connection-mark=PPPOE_02_WAN-Connection new-routing-mark=PPPOE_02 passthrough=yes \
    src-address=192.168.10.7
add action=mark-routing chain=prerouting in-interface=bridge_LAN new-routing-mark=PPPOE_02 passthrough=yes src-address=\
    192.168.10.7
add action=mark-connection chain=input comment="Policy based routing for ICMP on RDS_PPPOE_02" connection-state=new in-interface=\
    RDS_PPOE_02 new-connection-mark=PPPOE_02_WAN-Connection passthrough=yes protocol=icmp
add action=mark-connection chain=forward disabled=yes in-interface=RDS_PPOE_02 new-connection-mark=PPPOE_02_WAN-Connection \
    passthrough=yes protocol=icmp
add action=mark-connection chain=postrouting disabled=yes new-connection-mark=PPPOE_02_WAN-Connection out-interface=RDS_PPOE_02 \
    passthrough=yes protocol=icmp
add action=mark-routing chain=output connection-mark=PPPOE_02_WAN-Connection new-routing-mark=PPPOE_02 passthrough=yes protocol=\
    icmp
add action=mark-connection chain=input comment="Policy based routing for SMTP Server on RDS_PPPOE_02" connection-state=new \
    dst-address=192.167.10.55 in-interface=RDS_PPOE_02 new-connection-mark=PPPOE_02_WAN-Connection passthrough=yes
add action=mark-connection chain=forward dst-address=192.168.10.55 in-interface=RDS_PPOE_02 new-connection-mark=\
    PPPOE_02_WAN-Connection out-interface=bridge_LAN passthrough=yes
add action=mark-connection chain=postrouting new-connection-mark=PPPOE_02_WAN-Connection out-interface=RDS_PPOE_02 passthrough=yes \
    src-address=192.168.10.55
add action=mark-routing chain=output connection-mark=PPPOE_02_WAN-Connection new-routing-mark=PPPOE_02 passthrough=yes \
    src-address=192.168.10.55
add action=mark-routing chain=prerouting in-interface=bridge_LAN new-routing-mark=PPPOE_02 passthrough=yes src-address=\
    192.168.10.55

accarda · January 24, 2024, 5:08am

I see in your mangle rules you have indicated 2 wrong addresses at the beginning of each block: 192.167.10.7 (instead of 192.168.10.7) and 192.167.10.55 (instead of 192.168.10.55).
You can start debugging your problem by fixing those first.

adispy · January 24, 2024, 6:53am

Hi, thank for the reply.
Yes, it was late last night but the problem is the masquerading rule. If I masquerade the just the first public IP it works, I can see the public IPs of the email sender, but then I don’t have any internet on the machines.

Any idea?

accarda · January 24, 2024, 7:27am

In general when dealing with 2 WANs and the need to direct certain traffic to certain WAN, you have to create also a second routing table where you install the default route for the second WAN in there.
Then with mangle rules you can address with routing marks to reach the second routing table for traffic to exit and enter from the same side.
With wrong setup you end up with traffic exiting one way and reply being answered the other one, so connection gets broken.

accarda · January 24, 2024, 7:39am

If you have 2 WANs and you can’t define routes on the WAN devices, you will have to set SRC NAT for both your WANs and masquerading if they have dynamic IPs.
If you have disabled one SRC NAT, then you won’t have internet if your LAN is trying to get to internet through that WAN which does not have SRC NAT defined.

adispy · January 24, 2024, 8:12am

Hi,
This is the first thing that I have done after reading the forums. Until then not even the mangle rules were not working.

#      DST-ADDRESS      GATEWAY        DISTANCE
  DAv  0.0.0.0/0        RDS_PPOE_01           1
  DAc+ 10.0.0.1/32      RDS_PPOE_02           0
  DAc+ 10.0.0.1/32      RDS_PPOE_01           0
;;; OpenSense_VPN
0  As  10.10.9.0/24     192.168.10.61         1
;;; SophosUTM VPN
1  As  10.10.10.0/24    192.168.10.10         1
;;; OpenSense_VPN
2  As  10.10.11.0/24    192.168.10.61         1
  DAc  192.168.10.0/24  bridge_LAN            0
3  As  0.0.0.0/0        RDS_PPOE_02           1

Here are my NAT rules. As you can see I have configure the masquerading rule only for the first public IP (PUBLIC_IP_01). This is the only way I found it working, but it disables internet on the machines that are using the second public IP.

Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Sophos UTM9 Proxy
      chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp dst-address=<PUBLIC_IP_01> connection-mark="" 
      in-interface=RDS_PPOE_01 dst-port=443,80,8080,8443 log=no log-prefix="" 

 1    ;;; 
      chain=dstnat action=dst-nat to-addresses=192.168.10.4 to-ports=50100 protocol=tcp dst-address=<PUBLIC_IP_01> 
      connection-mark="" in-interface=RDS_PPOE_01 dst-port=50100 log=no log-prefix="" 

 2    ;;; OPNSense
      chain=dstnat action=dst-nat to-addresses=192.168.10.61 protocol=tcp dst-address=<PUBLIC_IP_01> connection-mark="" 
      in-interface=RDS_PPOE_01 dst-port=8400,8600,8511 log=no log-prefix="" 

 3    ;;; SMTP on ROCLJVKRSMTP
      chain=dstnat action=dst-nat to-addresses=192.168.10.55 protocol=tcp dst-address=<PUBLIC_IP_02> connection-mark="" 
      in-interface=RDS_PPOE_02 dst-port=25,465,587 log=no log-prefix="" 

 4    ;;; VPS Blog
      chain=dstnat action=dst-nat to-addresses=192.168.10.7 protocol=tcp dst-address=<PUBLIC_IP_02> connection-mark="" 
      in-interface=RDS_PPOE_02 dst-port=80,443 log=no log-prefix="" 

 5    ;;; Hairpin NAT Sophos Proxy
      chain=dstnat action=dst-nat to-addresses=192.168.10.10 protocol=tcp src-address=192.168.10.0/24 dst-address=<PUBLIC_IP_01> 
      dst-address-type=local dst-address-list=!192.168.10.254 dst-port=80,443 log=no log-prefix="" 

 6    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=RDS_PPOE_01 log=no log-prefix="" ipsec-policy=out,none

adispy · January 24, 2024, 8:28am

One other thing that I have noticed is that if I masquerade just one public IP (primary one) the hairpin NAT rules is not working anymore.

accarda · January 24, 2024, 8:41am

As I said, if you disable SRC NAT on the second WAN, all LAN devices trying to use that route won’t get to internet, since your WAN2 router does not know anything about your LAN devices.
NAT with masquerading for WAN2 fixes that.
Also when using MANGLE and at the same time you have fasttrack enabled on your firewall forward chain, that is going to not make mangle rules to be working fine, as fasttrack bypasses those actions.
So you also have to exempt those mangled connection from being fasttracked.
As you have defined some connection mark in mangle, you can use that to make such exemption in filter rule for fasttrack

add action=fasttrack-connection chain=forward connection-mark=no-mark connection-state=established,related

adispy · January 24, 2024, 8:58am

Just created another NAT rules for WAN2 but then the public IPs of the incoming email and web traffic (for the web server) are NAT-ed. Traffic appears to be coming from from the internal interface of the Mikrotik router and I don’t want that.

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade src-address=192.168.10.55 out-interface=RDS_PPOE_02 log=no log-prefix="" ipsec-policy=out,none

Fastrack its disabled since the beginning. I read that it will impact mangle rules. Should I delete it in order to remove its “power”?

 9 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""

Bear in mind that this is like my third day working with Mikrotik routers, so my knowledge is kind of low. Thank for your patience.

accarda · January 24, 2024, 9:18am

If you don’t want to use SRC-NAT for second WAN, then your only way to have traffic through WAN2 to reach internet is that you can define routing rules in the WAN2 device.
As I said before, if you can manage that router and set the return routes from that device back to your MikroTik router (where your LAN resides), then you can define the routes on how from WAN2 you can reach your LAN devices. In such case you can avoid SRC-NAT for WAN2.
About fasttrack rule, if you have disabled it then it’s not affecting your traffic, so you can leave it there if you like; just make sure it stays disabled as long as you use mangle, otherwise you can apply that change that I posted above where you are telling fasttrack to work only on connection which does not have any marker (given that your mangle rules assign markers to proper traffic).

adispy · January 24, 2024, 5:17pm

I just replaced a Ubiquiti router with this Mikrotik that did all of the work without me setting routes on client machines. I can’t believe it cannot be done with Mikrotik the same way.

What I don’t understand is why does a masquerading rule hides the clients public addresses since the traffic is coming in and hits the web and SMTP gateway server. It doesn’t go out (at least to my thinking), except when I update the machines.

adispy · January 25, 2024, 10:05am

Since people a bit shy on this forum, eventually I managed figure this out thanks to this post http://forum.mikrotik.com/t/portforward-with-preserved-source-ip/79995/1 I was in a bit of hurry since spam started to get into my email server.

Here is my config just in case someone is having the same issue:

Remove the second public IP from the default route. Un-check Add Default Route from the interface
Manually create a new routing table Routing > Tables. Name it whatever you want.
Manually create a new route for the second public IP/PPPOE connection. If you also have a PPPOE connection like I do, in the Gateway box you need to put the name of the interface. It won’t not work if you type your public IP (at least for the PPPOE connection). Make sure that you select the new routing table that you just created.
Create Mangle rule

chain=prerouting action=mark-routing new-routing-mark=PPPOE_02 passthrough=yes src-address=192.168.10.55 in-interface=bridge_LAN log=no log-prefix=""

Create NAT rules.

chain=dstnat action=dst-nat to-addresses=192.168.10.55 protocol=tcp dst-address=<YOUR PUBLIC IP> in-interface=RDS_PPOE_02 dst-port=25,465,587 log=no log-prefix="" 
chain=srcnat action=src-nat to-addresses=<YOUR PUBLIC IP> src-address=192.168.10.55 routing-mark=PPPOE_02 out-interface=RDS_PPOE_02 log=no log-prefix=""

Set you masquerading rule to send traffic only on the first public IP/PPPOE connection. This will cause another problem with the hairpin NAT rule if you have one, in that it is not going to work anymore.

It should work now, your internal server should get the public IPs of clients that connect to it. This is what I have used, so maybe it will work for you also.