Mikrotik Dual WAN Services access (ROS 6.47.9)

Good day,

I have the following Mikrotik script (it is truncated, pw and user replaced)

#/system reset-configuration no-defaults=yes skip-backup=yes

:global wan1ip "172.30.10.13"
:global wan1gw "172.30.10.1"
:global wan1Subnet "24"
:global wan2ip "10.22.229.13"
:global wan2gw "10.22.229.1"
:global wan2Subnet "24"
:global lan2Ip "192.168.2.254"
:global lan2Subnet "192.168.2.0"
:global lan1Ip "192.168.123.254"
:global lan1Subnet "192.168.123.0"
:global lanSubnetMask "24"

:global adminName "1"
:global adminPwd "2"

:log info ("Initial configuration started")

/interface list
add name=LAN comment="LAN list"

# Bridge setup
/interface bridge add name=localbridge disabled=no auto-mac=yes protocol-mode=rstp comment="LAN bridge"
/interface bridge port add interface=ether3 bridge=localbridge comment="Connect ether3 to bridge"
/interface bridge port add interface=ether4 bridge=localbridge comment="Connect ether4 to bridge"
/interface bridge port add interface=ether5 bridge=localbridge comment="Connect ether5 to bridge"

/interface set "ether1" name="WAN1"
/interface set "ether2" name="WAN2"

/ip address add address=($wan1ip . "/" . $wan1Subnet) interface=WAN1 comment="WAN1 IP"
/ip address add address=($wan2ip . "/" . $wan2Subnet) interface=WAN2 comment="WAN2 IP"


/ip address add address=($lan2Ip . "/" . $lanSubnetMask) network=$lan2Subnet interface=localbridge comment="bridge 2 IP"
/ip address add address=($lan1Ip . "/" . $lanSubnetMask) network=$lan1Subnet interface=localbridge comment="bridge 1 IP"

/interface list member
add interface=localbridge list=LAN comment="LAN list members"

# User administration

/user add name=$adminName password=$adminPwd group=full
/user remove admin

# Initial firewall setup

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="Accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept protocol=icmp comment="Accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="Accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface=!localbridge comment="Drop all not coming from LAN (OPTIONAL)"
add chain=forward action=accept ipsec-policy=in,ipsec comment="Accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="Accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="Fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="Accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN1 comment="Drop all from WAN1 not DSTNATed"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN2 comment="Drop all from WAN2 not DSTNATed"

# Mark all connections coming into WAN1 as such, do the same for WAN2:

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection comment="Mark WAN1 packets"
add chain=prerouting in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection comment="Mark WAN2 packets"

# Mark ICMP going to the router itself:

/ip firewall mangle
add chain=output connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

# Set routing marks for all packets in those connections that come in from the localbridge and go back out to the internet:

/ip firewall mangle
add chain=prerouting in-interface=localbridge connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=localbridge connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

# Make dst-nat workable

/ip firewall mangle
add chain=forward in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=forward in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection

#the NAT rules *** Something is wrong here; I should use marked routes ***
/ip firewall nat
add chain=srcnat out-interface=localbridge action=masquerade comment="NAT Masquerade WAN1"
add chain=srcnat out-interface=localbridge action=masquerade comment="NAT Masquerade WAN2"

/ip firewall nat

#WAN1

# VNC
add chain=dstnat action=dst-nat in-interface=WAN1 dst-port=5902 to-address=192.168.2.2 to-ports=5900 protocol=tcp comment="PM WAN1:5902 -> 192.168.2.2:5900 (VNC 192.168.2.2)"
add chain=dstnat action=dst-nat in-interface=WAN1 dst-port=5903 to-address=192.168.2.3 to-ports=5900 protocol=tcp comment="PM WAN1:5903 -> 192.168.2.3:5900 (VNC 192.168.2.3)"
add chain=dstnat action=dst-nat in-interface=WAN1 dst-port=9030 to-address=192.168.123.12 to-ports=9030 protocol=tcp comment="PM WAN1:9030 -> 192.168.123.12:9030 (Host 9030)"


#WAN2

add chain=dstnat action=dst-nat in-interface=WAN2 dst-port=5902 to-address=192.168.2.2 to-ports=5900 protocol=tcp comment="PM WAN2:5902 -> 192.168.2.2:5900 (VNC 192.168.2.2)"
add chain=dstnat action=dst-nat in-interface=WAN2 dst-port=5903 to-address=192.168.2.3 to-ports=5900 protocol=tcp comment="PM WAN2:5903 -> 192.168.2.3:5900 (VNC 192.168.2.3)"
add chain=dstnat action=dst-nat in-interface=WAN2 dst-port=9030 to-address=192.168.123.12 to-ports=9030 protocol=tcp comment="PM WAN2:9030 -> 192.168.123.12:9030 (Host 9030)"


# Install routes that fire for those routing marks to make sure the packets go back out the right pipe:

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=$wan1gw
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=$wan2gw

# Prefer WAN1 over WAN2 for all traffic except the stuff we're specifically marking to go back out WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=$wan1gw distance=1
add dst-address=0.0.0.0/0 gateway=$wan2gw distance=2

# Disable unnecessary services

/ip service disable telnet,ftp,api
/ip upnp set enabled=no

# Allow to communicate with other Mikrotik routers and MAC discovering from the LAN only

/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Move SSH to port 3000 and restrict SSH, Winbox and WWW to the LAN subnets

/ip service set ssh port=3000 address=($lan2Subnet . "/" . $lanSubnetMask . "," . $lan1Subnet . "/" . $lanSubnetMask)
/ip service set winbox address=($lan2Subnet . "/" . $lanSubnetMask . "," . $lan1Subnet . "/" . $lanSubnetMask)
/ip service set www address=($lan2Subnet . "/" . $lanSubnetMask . "," . $lan1Subnet . "/" . $lanSubnetMask)

:log info ("Initial configuration completed")

I added a simplified topology as an attachment.

We have Mikrotik 1, with two WAN interfaces.

  • WAN1 172.30.10.13/24 GW 172.30.10.1
  • WAN2 10.22.229.13/24 GW 10.22.229.1

The LAN has two networks on ether3 - ether5, with the same rules and network access from either (only one of them is in use at a time)

  • LAN 192.168.123.0/24, Mikrotik IP 192.168.123.254
  • LAN 192.168.2.0/24, Mikrotik IP 192.168.2.254

There are some services in the LAN (see script) that are available from WAN1/2 (for example, port 5902 has port mapping)

What we currently have:

There is only one Mikrotik;

PC1 is a physical PC with IP 172.30.10.1/24, GW 172.30.10.13, or another router

  • I can use the declared services in the inner network (for example, from PC1 telnet 172.30.10.13 5902 is mapped to 192.168.2.2 5900)

  • I can use all services on PC1 from the inner network (e.g. from 192.168.2.2, telnet 172.30.10.1 25 works if 192.168.30.1 has SMTP)

What doesn’t work:

  • I cannot reach telnet 172.30.10.13 5902 from PC 172.30.10.2 (it is not GW for Mikrotik)
  • I can’t reach telnet 172.30.10.2 25 from PC 192.168.123.2 (172.30.10.2 is not GW for Mikrotik)

What is needed:

  • To have several Mikrotiks, for example:

      • Mikrotik1 WAN1 172.30.10.13/24 WAN2 10.22.229.13/24
      • Mikrotik2 WAN1 172.30.10.14/24 WAN2 10.22.229.14/24

  • All 172.30.10.0/24 computers can telnet 172.30.10.13 5902 or 172.30.10.14 5902 (Access to Inner Network Services)

  • Computers in 172.30.10.0/24 do not have a default GW pointing to Mikrotik 1 or Mikrotik 2 in their network properties (This is impossible without multiple gateways; do I need Proxy ARP?)

  • Computers from Network 1 / Network 2 can use all services from WAN1 (172.30.10.0/24)

  • Computers from Network 1 / Network 2 can use all services from WAN2 (10.22.229.0/24)

  • Requests from Network → 172.30.10.0/24 go to WAN1

  • Requests from Network → 10.22.229.0/24 go to WAN2

  • The remaining NETWORK → OUTSIDE requests go to WAN1 Mikrotik GW

Any advice is appreciated.
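As an added example (not the poster's script and not an answer from this thread), here is the NAT and mangle part rewritten along the lines the "Something is wrong here" comment hints at: masquerade keyed on the WAN out-interface instead of the LAN bridge, and mark-routing rules that exclude the directly connected WAN subnets so replies to hosts on 172.30.10.0/24 or 10.22.229.0/24 follow the connected route rather than the marked default route. Interface names, marks, variables and subnets are the ones from the script above; that the symptom in the post (only the gateway host reaches the mapped ports) is caused by the marked default route overriding the connected route is an assumption, not something the thread states.

```routeros
# Added example, not part of the original post. Assumes the interface names
# (WAN1, WAN2, localbridge), marks and globals defined in the script above.
:global wan1gw "172.30.10.1"
:global wan2gw "10.22.229.1"

# Source NAT must match the interface the packet LEAVES on (the WAN side).
# Matching out-interface=localbridge would instead rewrite LAN-bound traffic.
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade comment="Masquerade WAN1"
add chain=srcnat out-interface=WAN2 action=masquerade comment="Masquerade WAN2"

# Remember which WAN a connection arrived on (only for still-unmarked connections).
/ip firewall mangle
add chain=prerouting in-interface=WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_connection passthrough=yes comment="Mark WAN1 connections"
add chain=prerouting in-interface=WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_connection passthrough=yes comment="Mark WAN2 connections"

# Replies leaving the LAN get a routing mark, EXCEPT when the destination is in
# the directly connected WAN subnet. Assumed cause of the symptom: without the
# exclusion, the to_WAN1 table's 0.0.0.0/0 route sends a reply for 172.30.10.2
# to the gateway 172.30.10.1 instead of straight out WAN1, so only the gateway
# host itself ends up able to use the mapped ports.
add chain=prerouting in-interface=localbridge connection-mark=WAN1_connection dst-address=!172.30.10.0/24 action=mark-routing new-routing-mark=to_WAN1 passthrough=no comment="Reply via WAN1"
add chain=prerouting in-interface=localbridge connection-mark=WAN2_connection dst-address=!10.22.229.0/24 action=mark-routing new-routing-mark=to_WAN2 passthrough=no comment="Reply via WAN2"

# Marked tables hold only a default route; the connected routes in the main table
# already carry LAN -> 172.30.10.0/24 via WAN1 and LAN -> 10.22.229.0/24 via WAN2.
# Unmarked traffic prefers WAN1 (distance=1) and falls back to WAN2 if its gateway stops answering.
/ip route
add dst-address=0.0.0.0/0 gateway=$wan1gw routing-mark=to_WAN1 check-gateway=ping comment="Marked default via WAN1"
add dst-address=0.0.0.0/0 gateway=$wan2gw routing-mark=to_WAN2 check-gateway=ping comment="Marked default via WAN2"
add dst-address=0.0.0.0/0 gateway=$wan1gw distance=1 check-gateway=ping comment="Prefer WAN1"
add dst-address=0.0.0.0/0 gateway=$wan2gw distance=2 check-gateway=ping comment="Fallback WAN2"
```

After applying it, `/ip firewall connection print detail` shows the connection mark, and `/ip route print where routing-mark=to_WAN1` confirms the marked table is used only for the reply traffic that should go back out the WAN it came in on.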

Any reason you have to stick to RoS 6? It can be done in both vers6 and vers7.

It is possible but not preferable. All our Mikrotik routers have ROS6.

I believe the problem is fixed.