Multiwan configuration: unable to forward port. Connection stuck at syn_sent with 0 repl

quyetnd · July 16, 2018, 6:55pm

I’m sorry since it must be posted a ton before but I’ve been looking through the forum to find out how to forward port but was still unable to do so.
Package somehow unable to find the way out

Here is my interface config.
Ether7 is the lan port, other ports are all pppoe wan, vrrps are used for users to specify which WAN out.

# jul/17/2018 01:51:27 by RouterOS 6.42.2
# software id = ML4Y-UY7M
#
# model = CCR1009-7G-1C-1S+
# serial number = 849707127F56
/interface pppoe-client
add allow=pap,chap disabled=no interface=ether1 name=pppoe-out1 password=\
    ##### user=#######
add allow=pap,chap disabled=no interface=ether2 name=pppoe-out2 password=\
    ##### user=#######
add disabled=no interface=ether3 name=pppoe-out3 password=####### user=\
    ########
/interface vrrp
add interface=ether7 name=vrrp1 version=2 vrid=4
add interface=ether7 name=vrrp2 version=2 vrid=5
add interface=ether7 name=vrrp3 version=2 vrid=6
/interface vlan
add interface=ether7 name=of10 vlan-id=10

Here is my firewall config:

# jul/17/2018 01:38:30 by RouterOS 6.42.2
# software id = ML4Y-UY7M
#
# model = CCR1009-7G-1C-1S+
# serial number = 849707127F56
/ip firewall address-list
add address=192.168.0.0/20 list=LAN
add address=172.16.0.0/24 list=LAN
/ip firewall mangle
add action=accept chain=prerouting comment="No mangle for LAN to LAN " \
    dst-address-list=LAN src-address-list=LAN
add action=mark-connection chain=prerouting comment=\
    "Mark connection from outside" connection-mark=no-mark in-interface=\
    pppoe-out1 log=yes log-prefix="outside connection" new-connection-mark=\
    conn_wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out2 log=yes log-prefix="outside connection" \
    new-connection-mark=conn_wan2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out3 log=yes log-prefix="outside connection" \
    new-connection-mark=conn_wan3 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Directly mark route for connection from vrrp" connection-mark=no-mark \
    dst-address-type=!local in-interface=vrrp1 new-connection-mark=conn_wan1 \
    passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=vrrp2 new-connection-mark=conn_wan2 \
    passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=vrrp3 new-connection-mark=conn_wan3 \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCC connection from inside" connection-mark=no-mark dst-address-type=\
    !local in-interface=ether7 new-connection-mark=conn_wan1 passthrough=yes \
    per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether7 new-connection-mark=conn_wan2 \
    passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether7 new-connection-mark=conn_wan3 \
    passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting comment=\
    "PCC connection from VLAN" connection-mark=no-mark dst-address-type=\
    !local in-interface=all-vlan new-connection-mark=conn_wan1 passthrough=\
    yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=all-vlan new-connection-mark=\
    conn_wan2 passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=all-vlan new-connection-mark=\
    conn_wan3 passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting comment=\
    "From marked connection > mark routing" connection-mark=conn_wan1 \
    in-interface=ether7 new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_wan2 \
    in-interface=ether7 new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_wan3 \
    in-interface=ether7 new-routing-mark=to_wan3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_wan1 \
    in-interface=all-vlan new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_wan2 \
    in-interface=all-vlan new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_wan3 \
    in-interface=all-vlan new-routing-mark=to_wan3 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_wan1 \
    new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=conn_wan2 \
    new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=output connection-mark=conn_wan3 \
    new-routing-mark=to_wan3 passthrough=no
add action=mark-packet chain=forward comment=0k connection-bytes=1-512000 \
    new-packet-mark=0bytes passthrough=yes
add action=mark-packet chain=forward comment=1M connection-bytes=\
    512000-1000000 new-packet-mark=1Mbyte passthrough=yes
add action=mark-packet chain=forward comment=3M connection-bytes=\
    1000000-3000000 new-packet-mark=3Mbyte passthrough=yes
add action=mark-packet chain=forward comment=Infinite connection-bytes=\
    3000000-0 dst-address=!192.168.3.0/24 in-interface=pppoe-out1 \
    new-packet-mark=Infinite-1 passthrough=yes protocol=tcp src-address=\
    !192.168.3.0/24
add action=mark-packet chain=forward comment=Infinite connection-bytes=\
    3000000-0 dst-address=!192.168.3.0/24 in-interface=pppoe-out2 \
    new-packet-mark=Infinite-2 passthrough=yes protocol=tcp src-address=\
    !192.168.3.0/24
add action=mark-packet chain=forward comment=Infinite connection-bytes=\
    3000000-0 dst-address=!192.168.3.0/24 in-interface=pppoe-out3 \
    new-packet-mark=Infinite-3 passthrough=yes protocol=tcp src-address=\
    !192.168.3.0/24
add action=mark-packet chain=forward comment=ack new-packet-mark=misc-fast \
    packet-size=40 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward dst-port=53 new-packet-mark=misc-fast \
    passthrough=no protocol=udp
add action=mark-packet chain=forward comment=League dst-port=5000-5500 \
    new-packet-mark=gaming passthrough=no protocol=udp
add action=mark-packet chain=forward comment=SC2 dst-port=1119 \
    new-packet-mark=gaming passthrough=no protocol=udp
add action=mark-packet chain=forward comment=HotS dst-port=1120,3724 \
    new-packet-mark=gaming passthrough=no protocol=udp
add action=mark-packet chain=forward comment="BW + HotS" dst-port=6112-6113 \
    new-packet-mark=gaming passthrough=no protocol=udp
add action=mark-packet chain=forward comment="Valve Games" dst-port=\
    27000-27060 new-packet-mark=gaming passthrough=no protocol=udp
add action=mark-packet chain=forward comment=PUBG dst-port=7000-8000 \
    new-packet-mark=gaming passthrough=no protocol=udp
add action=mark-packet chain=forward comment=Streaming dst-port=1935 \
    new-packet-mark=streaming passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="Web Browsing" dst-port=80,443 \
    new-packet-mark=http passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat log-prefix=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pppoe-out3
add action=dst-nat chain=dstnat dst-port=3389 in-interface=!ether7 protocol=\
    tcp to-addresses=192.168.1.1 to-ports=3389
add action=dst-nat chain=dstnat dst-port=14147 in-interface=!ether7 protocol=\
    tcp to-addresses=192.168.1.1 to-ports=14147
add action=dst-nat chain=dstnat dst-port=21 in-interface=!ether7 protocol=tcp \
    to-addresses=192.168.1.1 to-ports=21
add action=dst-nat chain=dstnat dst-port=2223 in-interface=!ether7 log=yes \
    log-prefix=dst-nat protocol=tcp to-addresses=192.168.1.10 to-ports=22

and here is route configuration:

# jul/17/2018 01:38:35 by RouterOS 6.42.2
# software id = ML4Y-UY7M
#
# model = CCR1009-7G-1C-1S+
# serial number = 849707127F56
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=pppoe-out3 routing-mark=to_wan3
add check-gateway=ping distance=2 gateway=pppoe-out1
add check-gateway=ping distance=3 gateway=pppoe-out2
add check-gateway=ping distance=4 gateway=pppoe-out3

Sob · July 18, 2018, 1:22am

There’s nothing sticking out as clearly wrong. So it’s time to catch some packets. Try with your port 14147, it’s unique enough and not likely to be used by anything else. Use either Tools->Torch or logging rules in prerouting/postrouting. First you must see incoming packet to :14147, then you must see it leaving via ether7 to 192.168.1.1:14147, then a reply from 192.168.1.1:14147 must come back and continue back to client. As long as 192.168.1.1 uses default gw on ether7 and not one of vrrps, and you’re testing from outside (not from same LAN), it should work.