Multi WAN NAT Problems

Hello. I have a network where I just installed a 1100AHx2 to replace 3 routers. 2 of the routers I replaced each have email servers and other servers that host web services and other publicly available services (DVR, RDP, etc.). The router has 3 WAN ports, each with its own subnet, and 1 LAN bridge port with 3 LAN IPs in the same subnet. The servers can’t send email to each other now, as somehow the router doesn’t allow communication to ports 25, 110, 443, etc. I’m thinking I either have a NAT rule wrong, or I have to add another rule to allow that traffic. Can you please help me figure this out? Thanks. I have attached the config as well.


# LAN bridge; ether4 through ether10 are attached to it in "/interface bridge port" below.
/interface bridge
add l2mtu=1598 name=bridge1
# Timeouts on the default hotspot user profile (the export as posted shows no hotspot server).
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
# Names for the two serial ports.
/port
set 0 name=serial0
set 1 name=serial1
# One simple queue capping 192.168.10.0/23 (the LAN subnet used on bridge1) at 5M/5M.
/queue simple
add max-limit=5M/5M name=BW_Limit_1 target=192.168.10.0/23
# Seven physical ports bridged together as the LAN side; ether1-ether3 stay outside the bridge as WAN ports.
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
# Three WAN addresses, each in its own /30 on ether1, ether2 and ether3.
/ip address
add address=199.0.0.1/30 comment=“WAN 1” interface=ether1 network=
199.0.0.0
add address=199.0.0.5/30 comment=“WAN 2” interface=ether2 network=
199.0.0.4
add address=199.0.0.9/30 comment=“WAN 3” interface=ether3 network=
199.0.0.8
# Three LAN addresses on bridge1, all inside the same 192.168.10.0/23 subnet.
add address=192.168.11.36/23 comment=“LAN 1” interface=bridge1 network=
192.168.10.0
add address=192.168.11.165/23 comment=“LAN 2” interface=bridge1 network=
192.168.10.0
add address=192.168.11.202/23 comment=“LAN 3” interface=bridge1 network=
192.168.10.0
# NOTE(review): 192.168.88.1 is not an address configured anywhere in this export;
# presumably a leftover from the factory default configuration - confirm and remove or correct.
/ip dns static
add address=192.168.88.1 name=router
# Policy routing by source host: each listed LAN address gets a routing mark (WAN1 or WAN3)
# in prerouting, so its outbound traffic uses the routing table of that name.
# The rules match on src-address only, so every packet from these hosts is marked, whatever
# its destination; the "/ip route rule" entries that send local destinations to table main
# are what keep marked LAN-bound traffic from following the WAN default routes.
# passthrough=no stops further mangle processing once a rule matches.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.4
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.6
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.13
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.16
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.31
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.33
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.55
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.71
add action=mark-routing chain=prerouting new-routing-mark=WAN1 passthrough=no
src-address=192.168.11.184
# Hosts whose outbound traffic is marked for WAN3.
add action=mark-routing chain=prerouting new-routing-mark=WAN3 passthrough=no
src-address=192.168.11.254
add action=mark-routing chain=prerouting new-routing-mark=WAN3 passthrough=no
src-address=192.168.11.171
# Source NAT: one masquerade rule per WAN interface.
# NOTE(review): masquerade uses the address of the outgoing interface; the to-addresses
# value on these rules is presumably ignored - confirm.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=
199.0.0.1
add action=masquerade chain=srcnat out-interface=ether2 to-addresses=
199.0.0.5
add action=masquerade chain=srcnat out-interface=ether3 to-addresses=
199.0.0.9
# Port forwards. Every dst-nat rule below matches on in-interface (ether3 or ether1), so it
# applies only to packets that arrive on that WAN port. A connection from a LAN server to
# one of the public addresses enters on bridge1 and matches none of these rules, which is
# consistent with the reported symptom (servers unable to reach each other on 25, 110, 443).
# NOTE(review): no rule carries a src-address or src-address-list match, so each forwarded
# port accepts connections from any Internet source. The export as posted also contains no
# "/ip firewall filter" section, so nothing else is shown limiting this - confirm.
#
# Forwards arriving on WAN 3 (ether3): mail ports to 192.168.11.254, web and RDP to 192.168.11.171.
# 110 and 143 are the cleartext POP3/IMAP ports; 3389 is RDP exposed directly to the Internet.
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether3 protocol=tcp
to-addresses=192.168.11.254 to-ports=25
add action=dst-nat chain=dstnat dst-port=110 in-interface=ether3 protocol=tcp
to-addresses=192.168.11.254 to-ports=110
add action=dst-nat chain=dstnat dst-port=143 in-interface=ether3 protocol=tcp
to-addresses=192.168.11.254 to-ports=143
add action=dst-nat chain=dstnat dst-port=32000 in-interface=ether3 protocol=
tcp to-addresses=192.168.11.254 to-ports=32000
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether3 protocol=tcp
to-addresses=192.168.11.171 to-ports=80
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether3 protocol=
tcp to-addresses=192.168.11.171 to-ports=3389
# Forwards arriving on WAN 1 (ether1): mail ports to 192.168.11.4.
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.4 to-ports=25
add action=dst-nat chain=dstnat dst-port=110 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.4 to-ports=110
add action=dst-nat chain=dstnat dst-port=143 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.4 to-ports=143
add action=dst-nat chain=dstnat dst-port=366 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.4 to-ports=366
add action=dst-nat chain=dstnat dst-port=465 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.4 to-ports=465
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.4 to-ports=993
add action=dst-nat chain=dstnat dst-port=995 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.4 to-ports=995
add action=dst-nat chain=dstnat dst-port=52222 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.4 to-ports=52222
add action=dst-nat chain=dstnat dst-port=32000 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.4 to-ports=32000
# Web and RDP to 192.168.11.6. NOTE(review): 3389 (RDP) is reachable from any source;
# a source restriction or VPN-only access is the usual safer arrangement.
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.6 to-ports=80
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.6 to-ports=3389
# HTTPS plus a group of high ports to 192.168.11.13 (presumably the DVR mentioned in the post - confirm).
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp
to-addresses=192.168.11.13 to-ports=443
add action=dst-nat chain=dstnat dst-port=4550 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.13 to-ports=4550
add action=dst-nat chain=dstnat dst-port=5511 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.13 to-ports=5511
add action=dst-nat chain=dstnat dst-port=5550 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.13 to-ports=5550
add action=dst-nat chain=dstnat dst-port=6550 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.13 to-ports=6550
add action=dst-nat chain=dstnat dst-port=8008 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.13 to-ports=8008
add action=dst-nat chain=dstnat dst-port=8554 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.13 to-ports=8554
add action=dst-nat chain=dstnat dst-port=8866 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.13 to-ports=8866
# The only rule that translates the port: public 8080 is delivered to port 80 on 192.168.11.16.
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.16 to-ports=80
# NOTE(review): 1723 is the PPTP control port and 5900 is commonly VNC; both are
# remote-access services forwarded here without any source restriction - confirm they are
# still needed and limit who can reach them.
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.33 to-ports=1723
add action=dst-nat chain=dstnat dst-port=5900 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.55 to-ports=5900
add action=dst-nat chain=dstnat dst-port=8081 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.55 to-ports=8081
add action=dst-nat chain=dstnat dst-port=8443 in-interface=ether1 protocol=
tcp to-addresses=192.168.11.184 to-ports=8443
# One default route per routing mark, each pointing at the gateway inside that WAN's /30,
# plus an unmarked default route through 199.0.0.6 (the WAN 2 gateway) for everything else.
/ip route
add distance=1 gateway=199.0.0.2 routing-mark=WAN1
add distance=1 gateway=199.0.0.10 routing-mark=WAN3
add distance=1 gateway=199.0.0.6 routing-mark=WAN2
add distance=1 gateway=199.0.0.6
# Static routes to remote 10.x and 172.16.10.0/24 networks through gateways on the LAN
# (192.168.11.228, 192.168.11.3, 192.168.11.2).
add distance=1 dst-address=10.1.0.0/24 gateway=192.168.11.228
add comment=“VPN to Pan American” distance=1 dst-address=10.1.1.0/24 gateway=
192.168.11.3
add distance=1 dst-address=10.2.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=10.3.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=10.4.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=10.8.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=10.9.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=10.12.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=10.13.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=10.14.0.0/24 gateway=192.168.11.228
add distance=1 dst-address=172.16.10.0/24 gateway=192.168.11.2
# Routing rules. The first group sends traffic for the LAN, the remote networks and the
# three WAN /30s to table main, so packets carrying a WAN routing mark still reach those
# destinations instead of following the marked default route.
/ip route rule
add dst-address=192.168.10.0/23 table=main
add dst-address=10.1.1.0/24 table=main
add dst-address=10.1.0.0/24 table=main
add dst-address=10.2.0.0/24 table=main
add dst-address=10.3.0.0/24 table=main
add dst-address=10.4.0.0/24 table=main
add dst-address=10.8.0.0/24 table=main
add dst-address=10.9.0.0/24 table=main
add dst-address=10.12.0.0/24 table=main
add dst-address=10.13.0.0/24 table=main
add dst-address=10.14.0.0/24 table=main
add dst-address=172.16.10.0/24 table=main
add dst-address=199.0.0.0/30 table=main
add dst-address=199.0.0.4/30 table=main
add dst-address=199.0.0.8/30 table=main
# NOTE(review): these three repeat the dst-address of the three rules just above; if rules
# are evaluated top-down with first match winning, they are presumably never reached - confirm.
add dst-address=199.0.0.0/30 table=WAN1
add dst-address=199.0.0.4/30 table=WAN2
add dst-address=199.0.0.8/30 table=WAN3
# Finally, map each routing mark set in mangle to the routing table of the same name.
add routing-mark=WAN1 table=WAN1
add routing-mark=WAN2 table=WAN2
add routing-mark=WAN3 table=WAN3
# Management services on the router itself.
# telnet, ftp, api, winbox and api-ssl are limited to the LAN subnet by address=.
# NOTE(review): www and ssh only have their ports moved (58080, 62222) and carry no
# address= restriction. The export as posted shows no "/ip firewall filter" rules, so both
# presumably answer on all three WAN addresses - confirm, then restrict them with address=
# or an input-chain filter. A non-standard port is not an access control.
# NOTE(review): telnet and ftp send credentials in cleartext even on the LAN; disable them
# (disabled=yes) if nothing depends on them.
/ip service
set telnet address=192.168.10.0/23
set ftp address=192.168.10.0/23
set www port=58080
set ssh port=62222
set api address=192.168.10.0/23
set winbox address=192.168.10.0/23
set api-ssl address=192.168.10.0/23
# Time zone and router identity.
/system clock
set time-zone-name=America/Denver
/system identity
set name=Tecma_MT
# Traffic graphs for the three WAN ports and the LAN bridge, for the BW_Limit_1 queue, and
# for system resources.
# NOTE(review): none of these entries sets allow-address, so the graphs are presumably
# viewable by anyone who can reach the router's www service - confirm.
/tool graphing interface
add interface=ether1
add interface=ether2
add interface=ether3
add interface=bridge1
/tool graphing queue
add simple-queue=BW_Limit_1
/tool graphing resource
add
export08072013.txt (8.67 KB)

You may want to rewrite your dst-nat rules.

# Suggested form of a port forward: match on the public destination address instead of
# in-interface, so the rule also applies to connections that arrive from the LAN side.
# NOTE(review): dst-address=199.0.0.1/30 matches the whole /30 (199.0.0.0-199.0.0.3), which
# also contains the gateway 199.0.0.2 used in the export; a single address (199.0.0.1) is
# presumably what is meant - confirm.
# NOTE(review): the export spells this parameter to-addresses; to-address here is presumably
# shorthand - confirm it is accepted.
# NOTE(review): with no in-interface or src-address match the forward accepts any source;
# add a source restriction for services that should not be open to the whole Internet.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=199.0.0.1/30 protocol=tcp dst-port=25 to-address=192.168.11.254

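I think NAT works better when you specify the original destination address rather than the interface: a rule matched on in-interface=ether1 never sees a connection from one of your LAN servers to the public address, because that traffic arrives on bridge1.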
Also, you can leave out the to-port unless you are changing it from the port on which it is received.


OK, let me try that. Thanks.