Multiwan remote access : Mangle rules but no remote access

apophyth · January 28, 2015, 10:26pm

Dear MK enthusiasts,

I need your help to understand a scenario :

I use two internet connection, connected on a CCR :

MAIN : 8 Mbps symmetrical, NAT behind cisco router, 192.168.0.0/24
BACKUP : 2Mbps symetrical, public ip 92.xx.xx.xx/32

Default route via MAIN LINK is set, failover is done with distance=2 with backup link.
A route is made to reach VPN server with backup link. VPN is ok.
I set few mangles to put some protocols ( ssh, .. ), via backup link. All is ok.

Now, I need to reach the router from outside for SNMP via BACKUP link.

Hmm.

I read this post : http://forum.mikrotik.com/t/multiple-wan-remote-access/39676/1

I put mangle rules to mark connection and routing.

But, it’s still impossible to reach the router from outsite. It’s also impossible to ping google dns with backup link. If I made a static route, it’s working without any issue.

Here is mangles & routes :

/ip firewall mangle
add chain=prerouting comment="MARQUAGE WAN PCC"  dst-address=\
    192.168.1.0/24 in-interface=VL_LAN_11
add chain=prerouting  dst-address=92.*.*.*/29 in-interface=\
    VL_LAN_11
add action=mark-connection chain=input connection-mark=no-mark  \
    in-interface=ether1_WAN1_SDSL_EFM new-connection-mark=SDSL1_connection
add action=mark-connection chain=input connection-mark=no-mark  \
    in-interface=ether2_WAN2_SDSL_ATM new-connection-mark=SDSL2_connection
add action=mark-connection chain=prerouting  dst-address-list=\
    !local in-interface=VL_LAN_11 new-connection-mark=SDSL1_connection \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting  dst-address-list=\
    !local in-interface=VL_LAN_11 new-connection-mark=SDSL2_connection \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=output connection-mark=SDSL1_connection \
     new-routing-mark=par_SDSL1
add action=mark-routing chain=output connection-mark=SDSL2_connection \
     new-routing-mark=par_SDSL2
add action=mark-routing chain=prerouting connection-mark=SDSL1_connection \
     in-interface=VL_LAN_11 new-routing-mark=par_SDSL1
add action=mark-routing chain=prerouting connection-mark=SDSL2_connection \
     in-interface=VL_LAN_11 new-routing-mark=par_SDSL2
add action=mark-routing chain=output connection-mark=SDSL1_connection \
     new-routing-mark=par_SDSL1
add action=mark-routing chain=output connection-mark=SDSL2_connection \
     new-routing-mark=par_SDSL2
    
/ip route
add check-gateway=ping  distance=1 gateway=192.168.1.254 \
    routing-mark=par_SDSL1
add check-gateway=ping  distance=1 gateway=92.*.*.* \
    routing-mark=par_SDSL2
add check-gateway=ping distance=1 gateway=192.168.1.254
add check-gateway=ping distance=2 gateway=92.*.*.*

Can you help me to see what I have forgotten ?

Thanks a lot

Armel