Port forwarding dst-nat on 2nd WAN

Hi guys,

I need help here.
I have two ISPs, WAN1 RDS (which is my default ISP on ether1), WAN2 (Orange, which was installed later on, ether2)
I want to expose port 5201 (iperf3) also on WAN2 (Orange) the problem is that when trying the public IP with telnet on port 5201 it is not reachable and I don’t know why.
Moreover the same port is already exposed on WAN1 (RDS) and it is working without any issues.
Somehow, I think that I am missing something.

Please see my screenshots attachments.

Thank you!
Screenshot 2021-04-23 at 09.53.37.png
Screenshot 2021-04-23 at 09.56.03.png
Screenshot 2021-04-23 at 09.55.48.png

/export hide-sensitive file=anynameyouwish

If you have two gateways, only one at a time is used.

Nothing is known about your routing,

so simply put, your replies still go through RDS, not Orange.

That's strange because I used the same setup on pfSense and I was able to expose a port on two WANs at the same time, using dst-nat rules for each WAN :frowning:

What is strange is that you think two different products from two different vendors will behave the same.
What's annoying is you asked for help and still have not provided your config so that we can see what the issue or issues may be.

I am going to provide the config, but not now, I am on the road.

I don't know why you are getting annoyed so fast, it was just an example, of course I know that there are two different products :slight_smile:
I am new to MikroTik, just bought two GWs, I am still a noob, I am learning, please be patient with me.
As I said, I'll arrive home and I'll provide the conf.

Hi Anav, I have attached the conf file.
conf_output.rsc (7.75 KB)

My apologies, will look at the config…

Below is a line by line look at the config without context.

(1) Set this rule to NONE as its use is unclear and it is known to potentially cause issues.
/interface detect-internet
set detect-interface-list=all

(2) A bit confused on the purpose of ETHER2 Orange (is it a second WAN?). It has no definition otherwise as a DHCP client or a subnet with DHCP server or subnet etc… ???

(3) Remove the reference to RDS here, it is not required because you have already used out-interface-list=WAN which includes RDS!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=RDS out-interface-list=WAN

(4) Remove this until the reason for having another source NAT rule is clear and the config matches up with other parts. There is nothing defined in the config for 192.168.1.0??
Also a VALID source NAT 'action' is either src-nat or masquerade!!
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.2.0/24

(5) One destination NAT rule is different from the others… LOL Without some matching config setup it's not going to accomplish too much.
add action=dst-nat chain=dstnat comment="IPERF3 Orange" dst-port=5201 \
    in-interface=Orange protocol=tcp to-addresses=192.168.2.10 to-ports=5201

(6) Okay, I see you have added a route for a second WAN, but again where is the IP DHCP client info??
I'm starting to think that WAN is a fixed static WAN IP???
I am also not sure if the construction of the route is correct.
Typically one would have a clean route without the pref source info and then a second route for the preferred source.
Also not sure why the ping check is there and the distance… Is this a primary or secondary WAN, or a failover WAN etc…

Summary: okay, so you have a second WAN, why don't I see the following in the config?

IP DHCP client for WAN2 ??
IP route for WAN1 ??

++++++++++
FW rules

(7) No clue what the purpose of this rule is…
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp

(8) Not up on IPv6 so will not be able to comment on those rules, other than saying I am not sure it's a good thing to open up port 139 (but maybe that's my IPv4 showing ??)

(9) You seem to have the same sets of rules for VPN on both the input chain and forward chain, my limited experience tells me that is not correct and suspect that they should not be on the forward chain??

(10) This I would set to NONE for security reasons.
/tool mac-server
set allowed-interface-list=LAN

(11) You seem to be missing the generic rule required to permit dst-nat to come through the WAN interface (port forwarding).
This new rule needs to be placed before the LAST Rule you have in the forward chain which blocks all not coming from the LAN.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN

Will do.

Note: RDS, which is on ether1, uses a PPPoE connection.

But you do state that this DNAT setup works fine with only 1 ISP.
Therefore, the "generic rule to permit dst-nat" must already be in place (or DNAT will not function).
So how can that be if your config does not contain it?


EDIT: It seems you do not have ANY IPv4 firewall rules? (except for the generic src-nat/masq rule to go out to the Internet). That's quite dangerous as there is no default "deny" policy!!

What? Can someone explain why one needs IPv4 rules if they are using IPv6.
This is all too confusing and stupid, if one has to set two sets of rules LOL.

The IPv6 rules appear to be the default, and as there is no other IPv6 configuration it is likely that the IPv6 package is enabled but not used.

Not having any IPv4 firewall rules is really bad, especially as the DNS server allows remote requests so can be used in UDP amplification attacks.

Going back to the original issue: as there is no connection and routing marking, the incoming traffic from either WAN will return via the default route through WAN1, so it will likely fail for WAN2. The WAN2 connection traffic should be marked and have an additional routing table to return the marked traffic via that WAN.
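An added example of the connection/routing marking described above, written for the thread's setup; it is not from the original post or the OP's exported config. It assumes RouterOS v6 syntax (routing-mark on the route), that the Orange WAN interface is named Orange, that LAN interfaces are in the interface list LAN (as the OP's mac-server setting suggests), and that ORANGE_GW is a placeholder for the Orange gateway address.

```routeros
# Added example, not part of the original thread. Assumptions: RouterOS v6,
# WAN2 interface is named "Orange", LAN ports are in interface list "LAN",
# and ORANGE_GW is a placeholder for the Orange upstream gateway address.
/ip firewall mangle
# Tag every new connection that enters through Orange (the dst-nat'd 5201
# session to 192.168.2.10 as well as pings/connections to the router itself).
# prerouting runs before both the input and forward chains, so one rule covers both.
add chain=prerouting in-interface=Orange connection-state=new \
    action=mark-connection new-connection-mark=orange-conn passthrough=yes \
    comment="mark connections that arrived via Orange"
# Replies generated by the router itself (e.g. ICMP echo reply to the Orange
# public IP) get a routing mark so they leave via Orange instead of RDS.
add chain=output connection-mark=orange-conn action=mark-routing \
    new-routing-mark=via-orange passthrough=no \
    comment="router's own replies for Orange connections"
# Replies from the LAN host (192.168.2.10 answering the forwarded 5201 session)
# get the same routing mark when they come back in from the LAN.
add chain=prerouting in-interface-list=LAN connection-mark=orange-conn \
    action=mark-routing new-routing-mark=via-orange passthrough=no \
    comment="LAN replies for Orange connections"
/ip route
# Separate routing table, consulted only for traffic carrying the via-orange mark;
# the unmarked default route through RDS is untouched.
add dst-address=0.0.0.0/0 gateway=ORANGE_GW routing-mark=via-orange distance=1 \
    comment="return path for connections that arrived via Orange"
```

The forward-chain accept rule for connection-nat-state=dstnat mentioned earlier in the thread is still required; the mangle rules only fix the return path. Check with /ip firewall connection print where connection-mark=orange-conn that forwarded sessions are actually being tagged.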

There is nothing default about the IPv6 setup, the OP would have had to put them in and set them up, and thus one should assume it's an IPv6 connection, in which case I should depart as I have no experience with IPv6.

Somehow I secured the box by also adding the IPv4 rules from here:

https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

I've also added the IPv6 rules.

I also have IPv6 enabled, because if I don't, nothing works on IPv4; I don't know if this is ISP related, or if it is a problem between the keyboard and the chair :))

Anyway I am still learning, I am not a networking guru.
On the interfaces status I see that on the Orange WAN there's no traffic, which is kind of normal if nothing is set, but the DST-NAT rule on port 5201 for Orange still doesn't work. I feel that I am stuck here. Somehow I feel that WAN2 is not responsive: if I ping the public IP of Orange (WAN2, ether2) from another location it doesn't answer, which doesn't apply to WAN1 (RDS), which responds to ping.

I've uploaded the new conf output.
conf_output2.rsc (12.5 KB)

And if you unplug ISP1 and only use Orange, do things then work?

I'll try when I'm at the location.
Thanks for the advice.