NAT issue

Hello.

I have 3 WAN interfaces. I am trying to connect with Remote Desktop from the internet to my home server (IP: 192.168.12.122) using NAT, but I only have success via 2 interfaces (with PPPoE authentication); with the other one I sometimes succeed and sometimes don't. The config is the same.
I disabled all rules in /ip firewall filter, but no success.
I am using PCC shaping and also some other traffic mangle rules for priority purposes.
I can't find where the problem is.


/ip firewall nat> pr
   chain=dstnat action=dst-nat to-addresses=192.168.12.122 protocol=tcp 
   dst-address=x.x.x.43 in-interface=WAN1 
   chain=dstnat action=dst-nat to-addresses=192.168.12.122 to-ports=3389 
   protocol=tcp dst-address=x.x.x.247 in-interface=WAN0 dst-port=3389

Could someone help me with any idea, please?

The problem that you are having in that case is that the Mikrotik is trying to reply back to you on the default route with the highest priority. What you need to do is set up a group of mangle rules that will watch for incoming connections on the 3 different interfaces and mark the connection and routing to send it out of the same interface.

It should look something like this I think:

add action=mark-connection chain=input comment=\
    "Reply to traffic going to ISP1 side with ISP1 connection" disabled=no \
    dst-address=1.1.1.0/24 new-connection-mark=outside1_connection \
    passthrough=yes src-address=!192.168.50.0/23
add action=mark-connection chain=input comment=\
    "Reply to traffic going to ISP2 side with ISP2 connection" \
    disabled=no dst-address=2.2.2.0/24 new-connection-mark=\
    outside2_connection passthrough=yes src-address=!192.168.50.0/23

Hello.

Thanks for the reply.

I added these rules:

17 X ;;; Reply to traffic going to WAN1 side with WAN1 connection
     chain=input action=mark-connection new-connection-mark=outside_WAN1_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.247 

18 X ;;; Reply to traffic going to WAN1 side with WAN1 connection
     chain=prerouting action=mark-routing new-routing-mark=outside_WAN1_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.247 
     connection-mark=outside_WAN1_connection 

19 X ;;; Reply to traffic going to WAN2 side with WAN2 connection
     chain=input action=mark-connection new-connection-mark=outside_WAN2_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.3.43 

20 X ;;; Reply to traffic going to WAN2 side with WAN2 connection
     chain=prerouting action=mark-routing new-routing-mark=outside_WAN2_connection passthrough=yes connection-mark=outside_WAN2_connection 

21 X ;;; Reply to traffic going to WAN3 side with WAN3 connection
     chain=input action=mark-connection new-connection-mark=outside_WAN3_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.3.207 

22 X ;;; Reply to traffic going to WAN3 side with WAN3 connection
     chain=prerouting action=mark-routing new-routing-mark=outside_WAN3_connection passthrough=yes connection-mark=outside_WAN3_connection 

/ip route
add gateway=WAN1 routing-mark=outside_WAN1_connection dst-address=0.0.0.0/0

I guess that I made a mistake, because it does not work.

Let me post the upper mangle rules and the routing table also.

[Admin@Center] > ip firewall mangle pr
Flags: X - disabled, I - invalid, D - dynamic 
 3   chain=input action=mark-connection new-connection-mark=pub1_conn passthrough=yes in-interface=WAN1 

 4   chain=input action=mark-connection new-connection-mark=pub2_conn passthrough=yes in-interface=WAN2

 5   chain=input action=mark-connection new-connection-mark=pub3_conn passthrough=yes in-interface=WAN3 

 6   chain=output action=mark-routing new-routing-mark=to_pub1 passthrough=yes connection-mark=pub1_conn 

 7   chain=output action=mark-routing new-routing-mark=to_pub2 passthrough=yes connection-mark=pub2_conn 

 8   chain=output action=mark-routing new-routing-mark=to_pub3 passthrough=yes connection-mark=pub3_conn 

 9   chain=prerouting action=accept dst-address=xx.xx.75.0/24 in-interface=Local 

10   chain=prerouting action=accept dst-address=xx.xx.xx.3.0/24 in-interface=Local 

11   chain=prerouting action=mark-connection new-connection-mark=pub1_conn passthrough=yes dst-address-type=!local in-interface=Local 
     per-connection-classifier=both-addresses:3/0 

12   chain=prerouting action=mark-connection new-connection-mark=pub2_conn passthrough=yes dst-address-type=!local in-interface=Local 
     per-connection-classifier=both-addresses:3/1 

13   chain=prerouting action=mark-connection new-connection-mark=pub3_conn passthrough=yes dst-address-type=!local in-interface=Local 
     per-connection-classifier=both-addresses:3/2 

14   chain=prerouting action=mark-routing new-routing-mark=to_pub1 passthrough=yes in-interface=Local connection-mark=pub1_conn 

15   chain=prerouting action=mark-routing new-routing-mark=to_pub2 passthrough=yes in-interface=Local connection-mark=pub3_conn 

16   chain=prerouting action=mark-routing new-routing-mark=to_pub3 passthrough=yes in-interface=Local connection-mark=pub2_conn 

17 X ;;; Reply to traffic going to WAN1 side with WAN1 connection
     chain=input action=mark-connection new-connection-mark=outside_WAN1_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.247 

18 X ;;; Reply to traffic going to WAN1 side with WAN1 connection
     chain=prerouting action=mark-routing new-routing-mark=outside_WAN1_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.247 
     connection-mark=outside_WAN1_connection 

19 X ;;; Reply to traffic going to WAN2 side with WAN2 connection
     chain=input action=mark-connection new-connection-mark=outside_WAN2_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.3.43 

20 X ;;; Reply to traffic going to WAN2 side with WAN2 connection
     chain=prerouting action=mark-routing new-routing-mark=outside_WAN2_connection passthrough=yes connection-mark=outside_WAN2_connection 

21 X ;;; Reply to traffic going to WAN3 side with WAN3 connection
     chain=input action=mark-connection new-connection-mark=outside_WAN3_connection passthrough=yes src-address=!192.168.12.0/24 dst-address=xx.xx.xx.3.207 

22 X ;;; Reply to traffic going to WAN3 side with WAN3 connection
     chain=prerouting action=mark-routing new-routing-mark=outside_WAN3_connection passthrough=yes connection-mark=outside_WAN3_connection 

[Admin@Center] > ip route pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  0.0.0.0/32                         Local              1       
 1 A S  0.0.0.0/0                          xx.xx.xx.225       1       
 2 A S  0.0.0.0/0                          xx.xx.xx.3.1%WAN3  1       
 3 A S  0.0.0.0/0                          xx.xx.xx.3.1%WAN3  1       
 4 A S  0.0.0.0/0                          xx.xx.xx.225       1       
 5 X S  0.0.0.0/0                          Local              1       
 6 A S  0.0.0.0/0                          xx.xx.xx.3.1         1       
 7 A S  0.0.0.0/0                          xx.xx.xx.225       1       
 8   S  0.0.0.0/0                          xx.xx.xx.3.1         2       
 9 A S  0.0.0.0/0                          WAN1              1       
10 A S  0.0.0.0/0                          WAN3        1       
11 A S  0.0.0.0/0                          Local              1       
12 X S  0.0.0.0/0                          xx.xx.xx.225       1       
13 X S  0.0.0.0/0                          WAN2       1       
                                           WAN3       
14 X S  0.0.0.0/0                          WAN1              1       
15 A S  0.0.0.0/0                          WAN3        1       
                                           WAN2      
                                           WAN1             
16  DS  0.0.0.0/0                          xx.xx.xx.3.1         1       
17  DS  0.0.0.0/0                          xx.xx.xx.3.1         1       
18 X S  0.0.0.0/0                          xx.xx.xx.225       1       
19 X S  0.0.0.0/0                          xx.xx.xx.3.1         2       
20 X S  ;;; MainRoute%
        0.0.0.0/0                          WAN2       1       
                                           WAN3       
                                           WAN1             
21 ADC  xx.xx.xx.3.1/32      xx.xx.xx.3.207    WAN3        0       
                                           WAN2      
22 ADC  xx.xx.xx.224/27    xx.xx.xx.247    WAN1              0       
23 A S  192.168.11.0/24                    Local              1       
24 ADC  192.168.12.0/24    192.168.12.1    Local              0

Thank you and best regards

I think I see the issue. You are going to have to change the order of the mangle rules. What is happening is that the other mangle rules are already processing and marking the connections/routing before it hits your new rules. So place those mangle rules higher up on the list, I think having them start at rule number 8 should be fine. Basically all of the firewall rules start at the first number, and work their way down from there, so if another rule catches and processes it first, it won’t ever reach the rule you want.

Also modify rule number 18 to match 20 or 22, figure that’s a typo though. :)

Hi.

I moved those rules up to the top of all the rules.
But no success.

Please, how can I resolve this problem?


Best Regards

Change the chain from prerouting to output. I didn’t notice that there the last time.

I did it, but no success again. At least this time I can connect to the router via this gateway (I tested with the WAN1 interface first).

I see that the routing-mark rule shows 0 B (please see the attached screenshot); does that mean it was never matched?

Thank you again.
reply from same gateway.JPG

Do a step-by-step check:

  1. whether the mangle rule marks connections coming in from a certain WAN (connections to your router)
  2. whether other mangle rules do not catch the same packets/connections (rules that should not catch those)
  3. whether the correct routing-mark is set for that connection
  4. whether the correct route is set up for that routing mark

You can use /tool sniffer to check whether you are receiving the packets and sending them out the correct way.

Please see the corresponding pages in the manual.

EDIT:

As a starter, you can set up a simple plain configuration with one gateway, and then add rules and see how your system responds to that.

Hi,

First you have to mark connections destined for the router itself, then you should mark the routing; also you should make sure that other mangle rules do not interfere with these rules. Below you have an example that works fine for me.

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=wan1-conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=wan2-conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan1-conn disabled=no new-routing-mark=pbr-wan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan2-conn disabled=no new-routing-mark=pbr-wan2 passthrough=yes

Regards.

Faton
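Pulling together the step-by-step check above and Faton's input/output rules, here is a complete added example for a three-WAN RouterOS router. It is my configuration, not the original poster's and not Faton's, and it assumes RouterOS v6 syntax (routing-mark on /ip route; v7 uses routing-table instead), the thread's interface names WAN1, WAN2, WAN3 and Local, the LAN 192.168.12.0/24 and the server 192.168.12.122; the public addresses in the dst-nat rules are placeholders to replace. It goes beyond the rules posted earlier in one respect: forwarded (dst-nat) connections are marked in prerouting on arrival from each WAN, and the PCC rules only match connections that carry no mark yet, so a reply from the LAN host always leaves by the WAN it arrived on instead of whichever WAN the PCC hash picks. The commands at the end are the counter and sniffer checks from the step-by-step list.

```routeros
# Added example, not the thread's own configuration. RouterOS v6 syntax assumed.
# Placeholders: WAN1_PUBLIC_IP / WAN2_PUBLIC_IP / WAN3_PUBLIC_IP.

/ip firewall nat
# Forward only TCP/3389 (the thread's first rule forwards every TCP port).
# Optional hardening: add src-address-list=rdp-allowed to limit who may connect.
add chain=dstnat in-interface=WAN1 dst-address=WAN1_PUBLIC_IP protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.12.122 to-ports=3389
add chain=dstnat in-interface=WAN2 dst-address=WAN2_PUBLIC_IP protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.12.122 to-ports=3389
add chain=dstnat in-interface=WAN3 dst-address=WAN3_PUBLIC_IP protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.12.122 to-ports=3389
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade

/ip firewall mangle
# 1. Connections to the router itself: remember the WAN on input, route the
#    reply on output (this is what Faton's example does).
add chain=input in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=input in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=input in-interface=WAN3 connection-state=new \
    action=mark-connection new-connection-mark=wan3_conn passthrough=yes
add chain=output connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=output connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no
add chain=output connection-mark=wan3_conn \
    action=mark-routing new-routing-mark=to_wan3 passthrough=no

# 2. Forwarded (dst-nat) connections, e.g. RDP to 192.168.12.122: remember the
#    inbound WAN on the first packet. These must sit ABOVE the PCC rules; a
#    first-match chain never reaches a rule placed below one that already fired.
add chain=prerouting in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting in-interface=WAN3 connection-state=new \
    action=mark-connection new-connection-mark=wan3_conn passthrough=yes

# 3. PCC load balancing for LAN-originated traffic only: connection-mark=no-mark
#    keeps it from re-marking a connection that arrived from a WAN in step 2.
add chain=prerouting in-interface=Local dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:3/0 \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=Local dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:3/1 \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting in-interface=Local dst-address-type=!local connection-mark=no-mark \
    per-connection-classifier=both-addresses:3/2 \
    action=mark-connection new-connection-mark=wan3_conn passthrough=yes

# 4. One routing-mark rule per WAN serves both the PCC connections and the
#    replies of dst-nat connections, because both carry the same connection mark.
add chain=prerouting in-interface=Local connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=Local connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no
add chain=prerouting in-interface=Local connection-mark=wan3_conn \
    action=mark-routing new-routing-mark=to_wan3 passthrough=no

/ip route
# Interface names work as gateways for PPPoE WANs; for an Ethernet WAN give the
# next-hop IP instead (the thread's WAN3 uses an address ending in .3.1).
add dst-address=0.0.0.0/0 gateway=WAN1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=WAN2 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=WAN3 routing-mark=to_wan3 check-gateway=ping
# Default for traffic nothing marked (the main table still needs a route).
add dst-address=0.0.0.0/0 gateway=WAN1 distance=1
add dst-address=0.0.0.0/0 gateway=WAN2 distance=2
add dst-address=0.0.0.0/0 gateway=WAN3 distance=3

# 5. Checks, in the order of the step-by-step list above.
# Step 1/2: per-rule packet and byte counters; a rule that stays at 0 B never matched.
/ip firewall mangle print stats
# Step 3: live RDP connections with the connection-mark they carry.
/ip firewall connection print where dst-address~"192.168.12.122"
# Step 4: the route that each routing mark resolves to.
/ip route print where routing-mark=to_wan1
# Packet level: the SYN must arrive and the SYN-ACK must leave on the same WAN.
/tool sniffer quick interface=WAN1 port=3389
```

Test with a single WAN first, as suggested above, then add the second and third WAN block by block and re-run the counters after each change; if a mangle rule for WAN2 shows traffic while you are connecting through WAN1, a rule above it is catching the connection first.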

Hello.
I resolved it. I removed the LAN IP addresses from the PCC selection on upload and redirected them to a specific gateway.
I will see how I might do it for all IPs on each incoming gateway.

Thank you for your help.