This gets me to my destination, but if I use a different IP with the same port it still takes me here. What am I missing?
Furthermore, I want to enable a second gateway with route routing mark mangle address list and this works fine splitting traffic but then the port forwarding doesn’t work.
OK, I suppose either I’m asking questions that nobody who has read this post so far knows the answer to, or it’s something I have to learn/figure out myself. All good and well if it’s the latter, as I don’t just want the answer handed to me - I prefer to understand it.
So I’ll ask a different question; perhaps it will yield some results. In order for me to learn how to configure this, which I need to, what study material is recommended? In the sense of books or video tutorials etc. If I have to pay I will, but I need to get this sorted.
If you don’t want the rule to apply to any interface or IP address the router is listening on, you’ll either have to specify a destination IP address or an inbound interface. For instance, to apply the port NAT to any traffic coming in through ether2, use this:
This is the preferred way for a WAN connection that’s connected using dynamic addresses (e.g. PPPoE via xDSL). If you’d rather restrict the NAT rule to a specific IP address, simply use dst-address=$TARGETIP instead of in-interface:
Where XX.XX.XX.XX is to be replaced with a static IP assigned to your router. Please note that for both examples to work properly you’d require an additional firewall rule in the forward chain to permit traffic to the IP address specified within the to-addresses field.
Thank you for your time, I really do appreciate it.
I thought that might be the case with in-interface, but your 2nd example shows me another way. Could I add two or more IPs in one rule though (dst-address=$TARGETIP instead of in-interface)?
Port forwarding doesn’t work when A is enabled. I haven’t tried changing the setup as you described yet, but I don’t know if that will resolve this problem:
Yes, either by creating a separate rule for each additional IP address or by using an address list instead.
If you’re trying to port forward traffic designated to an IP address on the router, the return traffic from 1.1.1.1/24 or 2.2.2.2/24 respectively will now use the routing table which only contains the default gateway. Let’s assume you want to forward traffic from 192.168.1.100:12345/tcp (your router’s WAN IP address) to 2.2.2.50:443/tcp; the return traffic would be sent to the default gateway as specified in the respective routing table for the connection.
Actually, you’ll have to mark traffic in both directions. Meaning, for each subnet you’ll require four mangle rules: two for marking the connections (up/down) as well as two marking the packets based on those connection marks (up/down respectively). Right now you’re only marking connections originating from network 2.2.2.20/24, which from the router’s perspective is upload/outbound. Without handling the download/inbound traffic as well, all download traffic generated by hosts within the respective network will be unlimited.
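As an added illustration of the two dst-nat variants described earlier in this thread (in-interface versus dst-address) and of the address-list alternative mentioned above, here is a worked RouterOS configuration; it is not the reply author’s own config. Interface name, the XX/YY addresses, the internal host 192.168.192.240 and the tcp/12345 to tcp/443 mapping are assumptions.

```routeros
# Added example, not the reply author's own config. Assumed values:
# ether2 = WAN interface, XX.XX.XX.XX and YY.YY.YY.YY = static WAN addresses,
# 192.168.192.240 = internal host, tcp/12345 on the WAN -> tcp/443 on the host.

# Variant 1: match by inbound interface (suits PPPoE/DHCP WANs with changing addresses)
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.192.240 to-ports=443 \
    comment="fwd tcp/12345 arriving on ether2"

# Variant 2: match by a specific static WAN address instead of the interface
/ip firewall nat add chain=dstnat dst-address=XX.XX.XX.XX protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.192.240 to-ports=443 \
    comment="fwd tcp/12345 sent to XX.XX.XX.XX"

# Variant 3: several WAN addresses in one rule via an address list
/ip firewall address-list add list=wan-ips address=XX.XX.XX.XX
/ip firewall address-list add list=wan-ips address=YY.YY.YY.YY
/ip firewall nat add chain=dstnat dst-address-list=wan-ips protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.192.240 to-ports=443 \
    comment="fwd tcp/12345 sent to any address in wan-ips"

# Forward-chain permit for the translated packets. Matching on the dst-nat
# connection state keeps the accept narrow (only port-forwarded flows);
# the rule must sit above any drop rule in the forward chain.
/ip firewall filter add chain=forward connection-nat-state=dstnat \
    dst-address=192.168.192.240 protocol=tcp dst-port=443 action=accept \
    comment="allow port-forwarded tcp/443 to 192.168.192.240"

# Verify: after a test connection the rules should show non-zero packet counters
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward
```

Only one of the three dstnat variants is needed; they are shown side by side for comparison.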
I’m attaching a GNS3 lab of a simple multi-wan setup that’s almost identical to what you’re trying to do.
Here are the configs for further reference:
R1
The WAN subnets are private class networks, hence source NAT (masq) is applied to any traffic that’s leaving towards the emulated upstream through interface ether1.
Same here, traffic leaving through wan1 and wan2 is masqueraded as well. Additionally, we only apply policy-based routing to traffic designated to public address space (!Rfc1918). All remaining traffic is handled by the main routing table of R2.
Please bear with me here and forgive my ignorance, but something hasn’t ‘clicked’ for me yet.
I have another MikroTik further down the network with IP 192.168.192.240; I can ping it and have a range of ports being forwarded to it and working well. I have other ports here and there being forwarded to some other IPs in the 10.10.10.0 range, also working fine.
When I enable the routing mark on the route and the mangle rule for it, I cannot see the rest of the network: no pings and of course no port forwarding functioning then.
Depending on the situation you might want to create additional routing marks which ensure that traffic that comes in through a certain interface will leave through the same interface. Check out this post on how to do that. Eventually you’ll have to add this for each WAN link to ensure that return traffic is routed properly for port forwardings to work.
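Added example of the pattern described in this reply and in the earlier “four mangle rules” answer: connection marks record which WAN a connection arrived on, and replies get a routing mark so they leave through the same WAN; this is not the thread’s attached lab config. Interface names, gateway addresses, mark names and the rfc1918 list are assumptions, and the syntax is RouterOS v6 (on v7, create the tables first with /routing table add name=to_wan1 fib and likewise for to_wan2).

```routeros
# Added example, not the thread's lab config (RouterOS v6 syntax).
# Assumed: ether1 = wan1 (Fibre, gateway 198.51.100.1), ether2 = wan2 (DSL,
# gateway 192.168.1.1), bridge1 = LAN side; mark and list names are made up.

# Private space is excluded from policy routing so LAN-to-LAN traffic
# (e.g. 192.168.192.0/24 <-> 10.10.10.0/24) keeps using the main table.
/ip firewall address-list add list=rfc1918 address=10.0.0.0/8
/ip firewall address-list add list=rfc1918 address=172.16.0.0/12
/ip firewall address-list add list=rfc1918 address=192.168.0.0/16

# 1. Inbound: remember which WAN a new connection arrived on.
/ip firewall mangle add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from_wan1 passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=from_wan2 passthrough=yes

# 2. Outbound replies from LAN hosts (port-forwarded connections): route them
#    via the WAN recorded in the connection mark, for public destinations only.
/ip firewall mangle add chain=prerouting in-interface=bridge1 connection-mark=from_wan1 \
    dst-address-list=!rfc1918 action=mark-routing new-routing-mark=to_wan1 passthrough=no
/ip firewall mangle add chain=prerouting in-interface=bridge1 connection-mark=from_wan2 \
    dst-address-list=!rfc1918 action=mark-routing new-routing-mark=to_wan2 passthrough=no

# 3. Replies generated by the router itself (services listening on a WAN address).
/ip firewall mangle add chain=output connection-mark=from_wan1 \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
/ip firewall mangle add chain=output connection-mark=from_wan2 \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no

# 4. One default route per routing mark; the main table keeps its own default.
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_wan1
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_wan2

# Verify: a connection forwarded in via ether2 should carry the from_wan2 mark
/ip firewall connection print where connection-mark=from_wan2
```

Because the mark-routing rules only fire for destinations outside the rfc1918 list, internal hosts such as 192.168.192.240 remain reachable through the main table while the routing mark is enabled.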
Perhaps my problem lies with my IP addressing. I know it isn’t good and want to revamp it, but perhaps it should occur sooner rather than later. Recommendations are very welcome in this regard.
Here is my current mess:
ether1-Fibre (public IP)
ether2-DSL 192.168.1.2/24
bridge1-ether6/7/8 192.168.192.250/24; 10.50.10.1/24
ether13-Radius 10.10.10.1/24
Radius 10.10.10.5/24
Backhaul Antennas 192.168.192.0/24 - transparent bridges, switched, no routers
Clients 10.10.10.0/24 - each IP specified in Radius so I know where to port forward; there is probably a better way but I don’t know how.
RouterBoard at a tower 192.168.192.240/24
I did not exclude anything in routing marks as I don’t know what to exclude.
This is going way beyond the topic initially addressed in this post. You should request general feedback on your setup by opening a new post. Make sure to provide all the proper details of your setup, including a network diagram. However, if you’re seeking professional advice, feel free to send me your contact information via PM.