Hi.
I have a topology consisting of 2 MikroTik routers, each having its own internet uplink, with their internal subnets routed between each other internally, and 2 web servers: one server on Router1’s subnet and the second server on Router2’s subnet.

On Router1, I have port forwarding configured, but to the downstream WebServer2 on Router2’s subnet, and the opposite on Router2: port forwarding to WebServer1 on Router1’s subnet.
The problem with this topology is that, because each router has its own internet uplink, the incoming traffic reaches the respective web server, but the return path would obviously send the traffic back out its gateway’s internet connection instead of back through the router where the initial request came in.
Router1 configuration:
/interface bridge
add admin-mac=50:01:00:01:00:01 auto-mac=no name=internal
/routing table
add disabled=no fib name=uplink1
/interface bridge port
add bridge=internal interface=ether2
add bridge=internal interface=ether4
/ip address
add address=192.168.100.1/24 interface=internal network=192.168.100.0
add address=192.168.101.1/24 interface=ether3 network=192.168.101.0
/ip dhcp-client
add interface=ether1
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark connection-state=new in-interface=ether1 new-connection-mark=uplink1 passthrough=yes
add action=mark-routing chain=output connection-mark=uplink1 new-routing-mark=uplink1 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80,443 protocol=tcp to-addresses=192.168.102.2
/ip route
add disabled=no distance=1 dst-address=192.168.102.0/24 gateway=192.168.100.2%internal routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Router2 configuration:
/interface bridge
add admin-mac=50:01:00:02:00:01 auto-mac=no name=internal
/routing table
add disabled=no fib name=uplink1
/interface bridge port
add bridge=internal interface=ether2
add bridge=internal interface=ether4
/ip address
add address=192.168.100.2/24 interface=internal network=192.168.100.0
add address=192.168.102.1/24 interface=ether3 network=192.168.102.0
/ip dhcp-client
add interface=ether1
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark connection-state=new in-interface=ether1 new-connection-mark=uplink1 passthrough=yes
add action=mark-routing chain=output connection-mark=uplink1 new-routing-mark=uplink1 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80,443 protocol=tcp to-addresses=192.168.101.2
/ip route
add disabled=no dst-address=192.168.101.0/24 gateway=192.168.100.1%internal routing-table=main suppress-hw-offload=no
I am able to get this scenario to work correctly if the two routers are connected to each other via a dedicated link, with policy-based routing treating it as if it were another uplink, e.g. this configuration on Router1 and obviously the opposite on Router2:
/interface vlan
add interface=internal name=vlan100 vlan-id=100
/ip address
add address=192.168.99.1/30 interface=vlan100 network=192.168.99.0
/routing table
add disabled=no fib name=router2
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=vlan100 new-connection-mark=router2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=router2 new-routing-mark=router2 passthrough=no
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.99.2%vlan100 routing-table=router2 suppress-hw-offload=no
This does not work if there are other hosts on the same network between the two routers as traffic for those devices would then follow those mangle rules and route their traffic incorrectly.
Another thing to mention is that the routing should not be dedicated to just those two web servers; it should be more universal, in case port forwarding is done from Router1 to a different host on Router2’s subnet and vice versa. The same would need to apply if there were a server on the 192.168.100.0/24 range with its gateway being either one of the routers, e.g. an incoming request via Router1 to SomeServer on 192.168.100.x with Router2 being its gateway, and vice versa.
I am aware that adding a src-nat rule to the routers would make this work; however, the source IP would then be the IP address of the router where the request was initiated from, and this must not be the case: the source IP needs to be retained.
What would be the correct way to configure the routing in order for the return traffic to go back through the correct router? Any guidance would be greatly appreciated.
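A variant of the policy-routing approach described in the post above, written here as an added example; it is not the poster's configuration and has not been tested on this topology. The idea is to keep the marks off the other hosts on the shared 192.168.100.0/24 segment by marking only connections that arrive on the internal bridge from a non-private source address (which, on this topology, can only be port-forward traffic forwarded by the other router), and by applying the routing mark only to packets of those connections that come back in from the local side rather than from the bridge. The address-list name rfc1918 and the marks via-router2 and router2 are assumptions. The Router1 side is shown; Router2 would mirror it with 192.168.100.1%internal as the gateway and its own mark names. It does not cover the case where the target host sits on 192.168.100.0/24 with the other router as its gateway: that router never sees the inbound packets, so it has no connection to mark.

```routeros
# Router1 -- added example, not the poster's configuration.
# Goal: replies to connections that entered via Router2 leave via Router2,
# with the original source IP preserved (no src-nat on the inter-router path).

# Private ranges (assumed list name). LAN hosts on the shared segment that
# use this router as their gateway are never matched, since their source
# address is private.
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16

/routing table
add name=router2 fib

/ip firewall mangle
# A new connection arriving on the shared bridge from a public source can only
# be traffic forwarded by Router2 (its dst-nat towards a host behind Router1).
add chain=prerouting action=mark-connection new-connection-mark=via-router2 passthrough=yes in-interface=internal src-address-list=!rfc1918 connection-state=new connection-mark=no-mark
# Only the reply direction (packets entering from ether3 or any other local
# interface, never from the bridge itself) is steered back to Router2.
add chain=prerouting action=mark-routing new-routing-mark=router2 passthrough=no in-interface=!internal connection-mark=via-router2

/ip route
# Default route for marked traffic: hand it to Router2 across the bridge.
add dst-address=0.0.0.0/0 gateway=192.168.100.2%internal routing-table=router2
```

Because the marked replies leave through the internal bridge, the existing masquerade rule (out-interface=ether1) never touches them, so the server's source address is retained. Two things to check after applying it: `/ip firewall connection print where connection-mark=via-router2` should list the forwarded connections while a request is in flight, and `/ip settings print` should show rp-filter as no or loose, since a strict reverse-path check would drop packets that arrive on the bridge from a public source the main table would route out ether1.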