nat on dual wan. dst-nat not working. How to fix?

dh28 · June 26, 2017, 5:27pm

Hi all. I have been struggling with my mikrotik a couple of weeks without success. I have omnitik that have dual wan ports:

192.168.21.5
2 192.168.22.3

Dual wan working correctly, but i have problems with port forwarding. When there is single nat masquerade rule port forward also works good. But there is no internet in wan2 users. When i add second masquerade rule, internet appears. How to fix the problem?

firewall nat rules

1 ;;; WEB-CAP
chain=dstnat action=netmap to-addresses=10.1.0.15 to-ports=81 protocol=tcp dst-address=!10.1.0.15 dst-address-type=“” src-address-list=OFF_Users
dst-address-list=!WhiteHosts in-interface=lan dst-port=80 log=yes log-prefix=“”

2 ;;; USERS NAT wan2
chain=srcnat action=masquerade out-interface=wan2 log=no log-prefix=“”

3 ;;; USERS NAT wan1
chain=srcnat action=masquerade out-interface=wan1 log=no log-prefix=“”

routes

0 A S ;;; wan2_balance
dst-address=0.0.0.0/0 gateway=192.168.21.5 gateway-status=192.168.21.5 reachable via wan2 distance=1 scope=30 target-scope=10
routing-mark=wan2_MARK

1 A S ;;; wan1_balance
dst-address=0.0.0.0/0 gateway=192.168.22.3 gateway-status=192.168.22.3 reachable via wan1 distance=1 scope=30 target-scope=10
routing-mark=wan1_MARK

2 A S dst-address=0.0.0.0/0 gateway=192.168.22.3 gateway-status=192.168.22.3 reachable via wan1 distance=4 scope=30 target-scope=10

pe1chl · June 26, 2017, 7:56pm

You don’t show how you apply the wan1_MARK and wan2_MARK but it probably needs additional rule(s) there.

ZeroByte · June 26, 2017, 8:08pm

The most common mistake I’ve seen is that people don’t do any kind of per-ISP route marking based on which WAN interface a new connection comes in through.
This is why port forwards fail to work: if a connection comes in via a dstnat on WAN2 for a client that is normally mapped to WAN1, then the replies get mapped to WAN1 (with the wrong IP address).

The correct solution is to add two more classifiers that match in-interface=wan1 and in-interface=wan2. Once you connection-mark new connections on these criteria, the replies will go out the appropriate WAN, even if the LAN host should normally be mapped to the opposite ISP.

pe1chl · June 26, 2017, 8:25pm

that is what I mean… the incoming connections probably do not get the mark that outgoing connections are getting.
I would use “ip route rule” instead of this type of balancing, and select the ip route depending on the source address (wan address).

Sob · June 26, 2017, 8:56pm

I don’t think that routing rules will work together with NAT. When you have reply packet coming from internal server, it will always have server’s internal address as source, no matter to which WAN it will eventually go to. Or perhaps you’re thinking about some different way I missed?

pe1chl · June 27, 2017, 8:48am

That could be a problem… I never encountered that because I rarely use NAT for servers, I mostly have the case of multiple external connections and need to send the traffic back out the right connection based on source (internal) address.
You can use a mark and then use that for the routing rules. But it may be pointless.