OS 7.X Use 2 WAN and Port Forwarding

After various tests on how to configure port forwarding with 2 WANs, I still can't make it work.
WAN1 has a static public IP, and that is what I use for port forwarding.
WAN2 is the one I use as the main line for browsing (it uses a dynamic IP).
When a user connects to the public IP on port 8181 to access my weather webcam, nothing is displayed; the moment I disable the WAN2 route, it works wonderfully.
Where could I be making a mistake?

Valerio

A. network diagram
B. /export config (hide any public IPs)
C. detailed description of user requirements: which users, from where, need port forwarding.

Light reading:
https://forum.mikrotik.com/viewtopic.php?t=179343


This forum is for useful articles, beginner and general issues are where you should post next time!

Thanks, this is my configuration:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN-SKY
set [ find default-name=ether4 ] name=ether4-WIFI
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether4-WIFI
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set route-cache=no tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=ether2-WAN-SKY list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=10.7.2.1/16 comment=INTERNET interface=ether1-WAN network=10.7.0.0
add address=192.168.10.100/24 interface=ether2-WAN-SKY network=192.168.10.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" disabled=yes list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=yes list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new dst-port=53 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=smb-flood address-list-timeout=none-dynamic chain=forward comment="SMB Flood Gathering" connection-limit=100,32 dst-port=445 in-interface=bridge protocol=tcp
add action=add-src-to-address-list address-list=snpp-flood address-list-timeout=none-dynamic chain=forward comment="SNPP/Backdoor Flood\r\nGathering" connection-limit=20,32 dst-port=444 in-interface=bridge protocol=tcp
add action=add-src-to-address-list address-list=msf-indication address-list-timeout=none-dynamic chain=forward comment="Metasploit Indication" connection-limit=20,32 dst-port=4444 in-interface=bridge protocol=tcp
add action=add-src-to-address-list address-list=ssh-flood address-list-timeout=none-dynamic chain=forward comment="SSH Flood Gathering" connection-limit=20,32 dst-port=22 in-interface=bridge protocol=tcp
add action=add-src-to-address-list address-list=telnet-flood address-list-timeout=none-dynamic chain=forward comment="Telnet Flood\r\nGathering" connection-limit=20,32 dst-port=23 in-interface=bridge protocol=tcp
add action=log chain=forward comment="Abnormal Traffic" connection-bytes=80000000 disabled=yes limit=1,5:packet log-prefix=Abnormal-Traffic
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="Port scanners to list " in-interface=!bridge log-prefix="port scanner" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=DoS_Attacked address-list-timeout=5m chain=input comment=DoS_Attacked connection-limit=32,32 protocol=tcp
add action=tarpit chain=input comment=DoS_Attacked connection-limit=10,32 protocol=tcp src-address-list=DoS_Attacked
add action=drop chain=forward comment="Bloccare IP addresses BOGON" src-address=0.0.0.0/8
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=drop chain=forward comment="dropping port scanners" src-address-list="port scanners"
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=drop chain=input comment="drop echo request" icmp-options=8:0 in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=accept chain=input comment="Allow Established connections" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="ACCETTA TRAFFICO DA WIREGUARD" in-interface=TUNNEL-NEGOZIO src-address=192.168.0.0/24
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment="Add IP of user to access list if they have tried port that is not open." disabled=yes in-interface-list=WAN log-prefix=FI_AS_port-test src-address=!10.7.0.1
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="BLOCCO BLACKLIST" connection-state=new in-interface-list=!LAN src-address-list=blacklist
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
/ip firewall mangle
add action=change-ttl chain=prerouting comment="NO TRaceroute" new-ttl=increment:1 passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="WEBCAM CASA" dst-port=8181 in-interface=ether1-WAN protocol=tcp src-address=!192.168.0.0/24 to-addresses=192.168.1.51 to-ports=8080
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting comment=DDOS dst-address-list=ddos-target src-address-list=ddos-attackers
add action=drop chain=prerouting comment="DNS Amplification" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=prerouting comment="Well-Known Virus/Flooding Port- esscludo ip nas" dst-address-list=!SMB dst-port=445,2000,4444,444 in-interface-list=LAN protocol=tcp
add action=drop chain=prerouting comment="Memcached Flood" in-interface-list=LAN protocol=udp src-port=11211
add action=drop chain=prerouting comment="drop port scanner" src-address-list="port scanners"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN log=yes src-address-list=not_global_ipv4
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting in-interface-list=WAN protocol=!tcp src-address=!x.x.x.x src-address-list=FW_Block_unkown_port
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.7.0.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=192.168.5.0/24 gateway=192.168.1.100 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=192.168.0.0/24 gateway=10.0.8.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24,10.0.8.0/30,192.168.0.11/32 port=1170
set api-ssl disabled=yes
/system ntp client
set mode=broadcast
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1-WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Quick tip before @anav tears your config to shreds: you have the default gateway on WAN2, so even when there's an incoming connection on WAN1, the responses will go out via WAN2. You need to mark (using mangle rules) new incoming connections on WAN1 and then mark routing for the responses so they use the default gateway on WAN1, for which you'll need another routing table with such a default route.

You're right sob, that is the problem; I have tried, but I can't solve it.
If you could give me some help, I would be grateful.

From top of my head, it should be something like:

/routing table
add name=WAN1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.7.0.1 routing-table=WAN1
/ip firewall mangle
add chain=prerouting in-interface=ether1-WAN connection-state=new action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface-list=LAN connection-mark=WAN1_conn action=mark-routing new-routing-mark=WAN1

Perfect sob, it works.
thank you very much for the help.
Valerio

Is there a way to do this and avoid mangling…? That is always my first question.
Assuming port forwarding comes in on WAN1 as described.

If WAN2 is the primary already why not… do something similar but without mangling.
/routing table
add name=WAN1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.7.0.1 routing-table=WAN1
/ip route rule
add dst-address=static_Public_IP action=lookup-in-table-only table=WAN1

(or that will not work because I actually need the remote users public IP as dst-address??)

And thus, alternatively, what about:
/ip route rule
add src-address=internal_Server_LANIP action=lookup-in-table-only table=WAN1

First won’t work, at least not for general port forwarding accessible from anywhere.

If by static_Public_IP you mean local address on WAN1, then it won’t work at all for port forwarding, because source address in prerouting phase is the internal one. It will work for access to router itself (to static_Public_IP).

If by static_Public_IP you mean client’s address, then it will work for port forwarding accessible from that client only. And also if you want any communication with that client (incoming and outgoing) use only WAN1.

Second one will work, if internal server should use WAN1 exclusively, including outgoing connections.

As per the stated requirements of the OP…

WAN1 has a static public IP, and that is what I use for port forwarding.
WAN2 is the one I use as the main line for browsing (it uses a dynamic IP).

Neither statement was exclusive (no "only" statement), but I think it was implied.
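As an added, constructed example (not code from any poster in this thread, and not RouterOS itself), the Python model below walks one port-forwarded connection through the routing decision sob describes: the reply to a connection that arrived on WAN1 is routed like any other LAN-originated packet, so with the WAN2 default route at distance 1 it leaves on WAN2 unless a mark or rule says otherwise. The same model covers anav's route-rule alternatives and sob's assessment of them: a rule on the internal server's address works, a rule on the router's own WAN1 address does not (the reply's destination is the remote client, not the public IP), and a rule on the client's prefix works for that client only. Addresses are taken from the exported config (10.7.0.1 and 192.168.10.1 as gateways, 10.7.2.1 as the WAN1 address, 192.168.1.51 as the webcam); the remote client 203.0.113.10 is constructed, and treating a mangle routing mark as taking precedence over route rules is a simplifying assumption of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables. "main" mirrors the OP's /ip route: the WAN2 default
# (via 192.168.10.1) wins with distance 1, the WAN1 default (via 10.7.0.1) sits at
# distance 2. "WAN1" is the extra table sob creates with /routing table add name=WAN1 fib.
ROUTES = {
    "main": [
        ("0.0.0.0/0", "192.168.10.1", "ether2-WAN-SKY", 1),
        ("0.0.0.0/0", "10.7.0.1", "ether1-WAN", 2),
        ("192.168.1.0/24", None, "bridge", 0),
    ],
    "WAN1": [
        ("0.0.0.0/0", "10.7.0.1", "ether1-WAN", 1),
    ],
}

CLIENT = "203.0.113.10"   # constructed remote viewer (documentation range)
PUBLIC = "10.7.2.1"       # WAN1 address from the OP's /ip address
WEBCAM = "192.168.1.51"   # dst-nat target from the OP's "WEBCAM CASA" rule


def lookup(table, dst):
    """Pick the egress interface the way a FIB does: longest prefix, then lowest distance."""
    dst = ip_address(dst)
    candidates = [r for r in ROUTES[table] if dst in ip_network(r[0])]
    if not candidates:
        return None
    _prefix, _gw, iface, _dist = max(
        candidates, key=lambda r: (ip_network(r[0]).prefixlen, -r[3]))
    return iface


def reply_egress(mangle=False, route_rules=()):
    """Follow one forwarded connection (CLIENT -> PUBLIC:8181, dst-natted to
    WEBCAM:8080) and return the interface the webcam's reply leaves on.

    mangle=True models sob's two rules: mark-connection WAN1_conn on new
    connections entering ether1-WAN, then mark-routing WAN1 on LAN packets that
    belong to such a connection.  route_rules models anav's lookup-in-table-only
    rules: each is a dict with optional "src"/"dst" prefixes and a "table".
    Assumption of this model: a routing mark set by mangle takes precedence;
    otherwise the first matching route rule selects the table.
    """
    conntrack = {}
    conn = (CLIENT, PUBLIC, 8181)

    # Step 1: the inbound SYN arrives on ether1-WAN. Prerouting mangle runs here,
    # before dst-nat rewrites the destination to the webcam.
    conntrack[conn] = "WAN1_conn" if mangle else None

    # Step 2: the webcam answers. The reply enters on the bridge (LAN list) with
    # src=WEBCAM (the internal address) and dst=CLIENT. That is what the routing
    # decision sees; the router's public IP never appears in it.
    routing_mark = "WAN1" if mangle and conntrack[conn] == "WAN1_conn" else None
    table = routing_mark or "main"
    if routing_mark is None:
        for rule in route_rules:
            src_ok = "src" not in rule or ip_address(WEBCAM) in ip_network(rule["src"])
            dst_ok = "dst" not in rule or ip_address(CLIENT) in ip_network(rule["dst"])
            if src_ok and dst_ok:
                table = rule["table"]
                break
    return lookup(table, CLIENT)


if __name__ == "__main__":
    print("no marks, no rules       :", reply_egress())
    print("sob's mangle marks       :", reply_egress(mangle=True))
    print("rule src=webcam          :", reply_egress(route_rules=[{"src": WEBCAM + "/32", "table": "WAN1"}]))
    print("rule dst=WAN1 public IP  :", reply_egress(route_rules=[{"dst": PUBLIC + "/32", "table": "WAN1"}]))
    print("rule dst=client's prefix :", reply_egress(route_rules=[{"dst": "203.0.113.0/24", "table": "WAN1"}]))
```

The first line of output is the OP's symptom: the reply leaves on ether2-WAN-SKY while the connection came in on ether1-WAN, so the remote viewer never sees it. Note that the src-address rule steers every connection from the webcam host, outgoing ones included, through WAN1, which is the exclusivity sob points out.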