Port forwarding with 2 WANs and 1 LAN

Hello guys,
I have been trying for over 2 years to get load balancing to work together with port forwarding. My load balancing works fine, but I have a problem with my NAT port forwarding. Can someone help me?

thanks in advance




model = RB3011UiAS

# Interface naming, addressing and DNS for a router with two WAN uplinks and one LAN.
# NOTE(review): some commands below continue on the next line (e.g. a line ending
# in "name=" with the value underneath); the export's line-continuation marker
# appears to have been lost in the paste, so this listing cannot be imported as-is.
/interface ethernet
# ether3 becomes LAN, ether1 becomes WAN1, ether2 becomes WAN2.
set [ find default-name=ether3 ] comment=“ETH 3 LAN” name=LAN
set [ find default-name=ether1 ] comment=“ETH 1 WAN 1 MIKE G ROUTER” name=
WAN1
set [ find default-name=ether2 ] comment="ETH 2 WAN 2 LELLIS ROUTER " name=
WAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
# "!dynamic" selects every interface that is not in the "dynamic" list.
# NOTE(review): that presumably includes WAN1 and WAN2, so the router announces
# itself to the upstream networks; a LAN-only interface list would avoid that - confirm.
set discover-interface-list=!dynamic
/interface detect-internet
# Internet detection is enabled on every interface, the LAN included.
set detect-interface-list=all
/ip address
# LAN gateway is 192.168.2.1; the router takes .200 on each WAN subnet.
# NOTE(review): both WAN addresses are private, so the router presumably sits
# behind the two upstream routers named in the interface comments; an inbound
# port forward would then also have to be forwarded by the upstream router to
# the .200 address - verify.
add address=192.168.2.1/24 interface=LAN network=192.168.2.0
add address=192.168.1.200/24 interface=WAN1 network=192.168.1.0
add address=192.168.3.200/24 interface=WAN2 network=192.168.3.0
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# NOTE(review): this export contains no /ip firewall filter section, so nothing
# shown here limits DNS (or the router's management services) to the LAN. An
# input-chain filter that accepts established/related and LAN traffic and drops
# everything else arriving on WAN1/WAN2 would close that gap.
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512
servers=8.8.8.8,8.8.4.4
# Mangle rules: connection marking and routing marks for balancing LAN traffic
# over WAN1 and WAN2 with per-connection-classifier (PCC). Rule order matters.
/ip firewall mangle
# LAN traffic addressed to either WAN subnet is accepted first, so it skips all
# marking below.
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=
LAN
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=
LAN
# Mark connections by the WAN they arrive on.
# NOTE(review): chain=input only sees packets addressed to the router itself.
# Connections that are dst-nat'ed to a LAN host go through forward instead, so
# they are not marked here and their replies are left to the PCC rules below,
# which may send them out of the other WAN. Marking new WAN-side connections in
# chain=prerouting would cover router-bound and forwarded traffic alike.
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=
WAN1_mark passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=
WAN2_mark passthrough=yes
# Router-originated packets of a marked connection get the matching routing mark.
add action=mark-routing chain=output connection-mark=WAN1_mark
new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_mark
new-routing-mark=to_ISP2 passthrough=yes
# PCC split of LAN connections: bucket 2/0 gets WAN1_mark, bucket 2/1 gets WAN2_mark.
# NOTE(review): the 2/0 rule matches dst-address-type=local (packets addressed to
# the router itself) while the 2/1 rule matches !local, so as written forwarded
# LAN traffic can only ever receive WAN2_mark. Neither rule has
# connection-mark=no-mark, so connections that already carry a mark are
# classified again.
add action=mark-connection chain=prerouting dst-address-type=local
in-interface=LAN new-connection-mark=WAN1_mark passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=LAN new-connection-mark=WAN2_mark passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/1
# Translate the connection mark into a routing mark for packets coming from the LAN.
add action=mark-routing chain=prerouting connection-mark=WAN1_mark
in-interface=LAN new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_mark
in-interface=LAN new-routing-mark=to_ISP2 passthrough=yes
# NAT: source NAT on both uplinks, then the inbound port forwards.
/ip firewall nat
# Outbound traffic is masqueraded on whichever WAN it leaves through.
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
# Port forwards. All but one match the WAN2 address 192.168.3.200, and every
# rule forwards to the same LAN host 192.168.2.100; there is no forward for the
# WAN1 address 192.168.1.200.
# NOTE(review): no rule restricts the source (no src-address, src-address-list
# or in-interface), and the export shows no forward-chain filter, so each listed
# port is open to anything that can reach 192.168.3.200. FTP on port 21 carries
# credentials in cleartext, and the CCTV and controller web ports are management
# surfaces; limiting the allowed sources or publishing these services through a
# VPN reduces that exposure.
# NOTE(review): the rule comments name several different devices although all
# rules share one to-addresses value - confirm that is intended.
add action=dst-nat chain=dstnat comment=“HAP LELLIS ROOM TEST” dst-address=
192.168.3.200 dst-port=8050 protocol=tcp to-addresses=192.168.2.100
to-ports=8050
add action=dst-nat chain=dstnat comment=“SIGMA HTTP” dst-address=
192.168.3.200 dst-port=5053 protocol=tcp to-addresses=192.168.2.100
to-ports=5053
add action=dst-nat chain=dstnat comment=“SIGMA DL” dst-address=192.168.3.200
dst-port=5051 protocol=tcp to-addresses=192.168.2.100 to-ports=5051
# NOTE(review): this rule matches dst-address=192.168.2.100, the LAN host it
# also forwards to, not the WAN2 address used by the other rules; traffic for
# 192.168.3.200:8443 does not match it. Presumably 192.168.3.200 was meant - confirm.
add action=dst-nat chain=dstnat comment=“RASPBERRY UNIFI SERVER” dst-address=
192.168.2.100 dst-port=8443 protocol=tcp to-addresses=192.168.2.100
to-ports=8443
add action=dst-nat chain=dstnat comment=“GALATAS ROOMS CCTV” dst-address=
192.168.3.200 dst-port=8000 protocol=tcp to-addresses=192.168.2.100
to-ports=8000
add action=dst-nat chain=dstnat comment=UBIFI dst-address=192.168.3.200
dst-port=8080 protocol=tcp to-addresses=192.168.2.100 to-ports=8080
# NOTE(review): protocol=tcp here; STUN is commonly carried over UDP on 3478 -
# confirm which protocol the application needs.
add action=dst-nat chain=dstnat comment=STUN dst-address=192.168.3.200
dst-port=3478 protocol=tcp to-addresses=192.168.2.100 to-ports=3478
add action=dst-nat chain=dstnat comment=“FTP NAS” dst-address=192.168.3.200
dst-port=21 protocol=tcp to-addresses=192.168.2.100 to-ports=21
add action=dst-nat chain=dstnat comment="MICHALA CCTV " dst-address=
192.168.3.200 dst-port=8001 protocol=tcp to-addresses=192.168.2.100
to-ports=8001
# Routing: default routes per routing mark and in the main table, resolved
# through host routes to two probe addresses, followed by the clock setting.
/ip route
# Default routes for traffic carrying routing mark to_ISP1 / to_ISP2.
# NOTE(review): each marked table has two default routes with the same distance
# (one with the probe host as gateway, one via 10.0.0.1 / 10.0.0.2); which of
# them ends up active is not obvious from the export - confirm against the
# recursive-routing guide.
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add distance=1 gateway=10.0.0.1 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=to_ISP2
add distance=2 gateway=10.0.0.2 routing-mark=to_ISP2
# Main-table default routes: via 10.0.0.1 at distance 1, via 10.0.0.2 at distance 2.
add distance=1 gateway=10.0.0.1
add distance=2 gateway=10.0.0.2
# Host routes that pin each probe address to one uplink: 8.8.4.4 via 192.168.3.1
# and 8.8.8.8 via 192.168.1.1. /ip dns uses the same two addresses as resolvers,
# so each resolver is only reachable through the uplink it is pinned to.
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.3.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 scope=10
# 10.0.0.1 and 10.0.0.2 are reached through the probe addresses, with
# check-gateway=ping on the probe.
add check-gateway=ping distance=1 dst-address=10.0.0.1/32 gateway=8.8.8.8
scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.2/32 gateway=8.8.4.4
scope=10
/system clock
set time-zone-name=Europe/Athens

I don't see any firewall filter rules???

There are mistakes in your mangle rules…
The destination address type must be as follows:

dst-address-type=!local

Also, you should let only packets without a connection mark enter the hashing process, so you should use:

connection-mark=no-mark

Otherwise, when a packet enters through e.g. WAN1, it will still go through the hashing procedure, since you have not specified that only unmarked packets take part in the hashing…

Thanks for your reply. I am not a MikroTik professional; do you mean the rule below?

# NOTE(review): this is a dst-nat rule from /ip firewall nat, not one of the
# mangle rules. dst-address=192.168.2.100 is a LAN host, not one of the router's
# own addresses (192.168.2.1, 192.168.1.200, 192.168.3.200 in the export above),
# so combined with dst-address-type=local it presumably never matches - confirm.
add action=dst-nat chain=dstnat comment=“RASPBERRY UNIFI SERVER” dst-address=
192.168.2.100 dst-address-type=local dst-port=8443 protocol=tcp
to-addresses=192.168.2.100 to-ports=8443


I want all the forwarded ports to go out through WAN2.

Thanks 🙂

No, I am talking about your mangle rules…
Also check the implementation of your recursive routing here http://forum.mikrotik.com/t/advanced-routing-failover-without-scripting/136599/1

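In addition to what @Zacharias wrote, those two connection-marking rules that you have in chain=input should be in chain=prerouting, because port-forwarded connections pass through prerouting and forward and never reach the input chain.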

Please read this…
https://mum.mikrotik.com/presentations/US12/steve.pdf