Need help with 2nd gateway

Hello,

I have a real head-scratcher at the moment. I have a setup using two gateways and two local area networks, with each WAN going to its own LAN. For example WAN1 to LAN1 and WAN2 to LAN2. I’ve created two gateways using the usual mark connection and mark routing setup as seen below.

https://wiki.mikrotik.com/wiki/Manual:PCC

The thing is, I am able to connect to or forward port 80 on my first WAN, but if I try to forward port 80 from my second WAN I can only reach the page from the same subnet. I think the firewall is treating this second WAN as a local network?

This works!
add dst-address=0.0.0.0/0 gateway=x.x.x.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=x.x.x.2 routing-mark=to_ISP2 check-gateway=ping

But for some reason it won’t set this second route to active…
add dst-address=0.0.0.0/0 gateway=x.x.x.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=x.x.x.2 distance=1 check-gateway=ping

I have internet on both connections and am able to forward ports through the first gateway, but this second gateway can only be reached from the same subnet. For example: my second external address is 1.1.1.1 and I can reach the router page from 1.1.1.5 but not from 50.50.50.50 (my phone).

What did I do wrong? (sorry for my bad English)

You haven’t posted the complete output of /export hide-sensitive so I had to activate my crystal ball, and it tells me that you either don’t use connection marking at all and only use routing marks directly, or you forgot to connection-mark connections initiated from the WAN side. So the packet to wan2.public.ip:80 establishes a connection, but this connection is not marked as a wan2 one, so the response from the server on the LAN is routed via WAN1 and thus the client or some firewall along the way doesn’t accept it as it comes from an address different from the one to which the request was sent.

If the crystal ball’s answer is not correct, you’ll have to post the configuration export. If you don’t want to reveal the public IP address, use the find & replace functionality of a text editor to systematically replace all occurrences of each address with a distinctive pattern like my.public.ip.1.

For me, it has to be clear what your requirements are.

LAN1 only to go through WAN1
LAN2 only to go through WAN2

Did you need failover in one or both directions?
In other words, if ISP1 is not working do you need all traffic to move to ISP2?
AND/OR
If ISP2 is not working do you need all traffic to move to ISP1?

Once we know your Routing requirements we can deal with that portion but the key is in the source and destination NAT it seems.

Sounds to me like you need two SRCNAT rules (not masquerade)
rule1 for LAN1 traffic - srcnat chain (use in-interface LAN1) to address after selecting action srcnat, in this case is WAN1 IP
rule2 for LAN2 traffic - srcnat chain (use in-interface LAN2) to address after selecting action srcnat, in this case is WAN2 IP

Then destination NAT for port forwarding
rule1 - dstnat chain (use in-interface WAN1) protocol TCP, port 80, to address after selecting action dstnat is the lanip of the LAN1 server
rule2 - dstnat chain (use in-interface WAN2) protocol TCP, port 80, to address after selecting action dstnat is the lanip of the LAN2 server.

I would note that a way to make the destination forwarding rules more secure would be to add a SOURCE ADDRESS LIST (of allowed external users - their public WAN IPs) to limit who can access your servers in the first place.
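Putting the two replies together, here is an added, constructed RouterOS configuration (not the poster's export and not the MikroTik wiki's code) that marks WAN-initiated connections so the server's replies leave through the WAN they arrived on, and adds the per-WAN src-nat and dst-nat rules with a source address list. Interface names, addresses, gateway and mark names are assumptions.

```routeros
# Constructed example: interface names, addresses and marks are assumptions,
# not the poster's configuration. Replace them with your own values.
#   ether1 = WAN1 (my.public.ip.1, next hop my.gw.ip.1)
#   ether2 = WAN2 (my.public.ip.2, next hop my.gw.ip.2)
#   ether3 = LAN1 192.168.1.0/24,  ether4 = LAN2 192.168.2.0/24
#   web server behind WAN2 = 192.168.2.10

/ip firewall mangle
# 1. Tag every new connection with the WAN it arrived on. Without this the
#    server's reply is routed by the main table, i.e. out of WAN1.
add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn
# 2. Replies coming back from the LAN side of a tagged connection get the
#    routing mark of the matching gateway (LAN interfaces only).
add chain=prerouting in-interface=ether3 connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=ether4 connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2
# 3. Same for traffic the router answers itself (e.g. its own web page on WAN2).
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ip route
# Per-mark default routes, as in the original post.
add dst-address=0.0.0.0/0 gateway=my.gw.ip.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=my.gw.ip.2 routing-mark=to_ISP2 check-gateway=ping

/ip firewall address-list
# Public addresses allowed to reach the forwarded port (placeholder range).
add list=allowed_clients address=203.0.113.0/24

/ip firewall nat
# srcnat runs after routing, so match on src-address/out-interface here.
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 \
    action=src-nat to-addresses=my.public.ip.1
add chain=srcnat src-address=192.168.2.0/24 out-interface=ether2 \
    action=src-nat to-addresses=my.public.ip.2
# Port forward on WAN2, restricted to the allow-list.
add chain=dstnat in-interface=ether2 dst-address=my.public.ip.2 protocol=tcp \
    dst-port=80 src-address-list=allowed_clients action=dst-nat \
    to-addresses=192.168.2.10 to-ports=80

# Check: connections to the forwarded port from outside must carry ISP2_conn.
/ip firewall connection print where connection-mark=ISP2_conn
```

If the check shows the connection with no mark or with a LAN-side mark, the mangle rules are ordered after an earlier rule that already marked it, or the existing PCC rules need the connection-mark=no-mark guard.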