Port forwarding in MikroTik using multiple providers

Hello.
I configured MikroTik following the article geektimes.ru/post/186284, and there is a problem with port forwarding on the non-priority provider: it does not return a response (or maybe there is another problem) until the priority provider goes down.

What I observe:
if I connect with RAdmin, it prompts for login and password, I enter them, then the RAdmin logo appears. The logo disappears and the desktop never comes up; the connection is reset.

The situation is similar with OpenVPN: there is a problem with TLS.

ether1 is the fast connection, but the VPN sits on it; ether2 is the slower connection, so its route has a higher distance (for ordinary connections).

Code:

/ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; (ISP1)
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 1    ;;; (ISP 2)
      chain=srcnat action=masquerade out-interface=ether2 log=no log-prefix="" 

 2 I  ;;; USB Modem
      ;;; Huawei not ready
      chain=srcnat action=masquerade out-interface=Huawei log=no log-prefix="" 

 3    ;;; OpenVPN 
      chain=dstnat action=netmap to-addresses=192.168.1.25 to-ports=1194 protocol=udp dst-address-list=Gateway dst-port=1194 log=no log-prefix="" 

 4   ;;; RAdmin
      chain=dstnat action=netmap to-addresses=192.168.1.1 to-ports=4899 protocol=tcp in-interface=ether2 dst-port=4899 log=no 
      log-prefix=""



/ip firewall mangle print where disabled=no
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=mark-connection new-connection-mark=ISP 1 -> Input passthrough=no dst-address=xx.xx.xx.246 in-interface=ether1 
      log=no log-prefix="" 

 1    chain=output action=mark-routing new-routing-mark=ISP 1 passthrough=no connection-mark=ISP 1 -> Input log=no log-prefix="" 

 2    chain=input action=mark-connection new-connection-mark=ISP 2 -> Input passthrough=no dst-address=xx.xx.xx.21 in-interface=ether2 
      log=no log-prefix="" 

 3    chain=output action=mark-routing new-routing-mark=ISP 2 passthrough=no connection-mark=ISP 2 -> Input log=no log-prefix="" 

 4    ;;; T
      chain=prerouting action=mark-routing new-routing-mark=T passthrough=no src-address-list=LocalNet dst-address-list=T-Adresses log=no log-prefix="" 

 5    chain=prerouting action=mark-routing new-routing-mark=Office 1 passthrough=no src-address=192.168.1.0/24 dst-address-list=!LocalNet log=no log-prefix=""



/ip route print where disabled=no 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          xx.xx.xx.1%ether1        10
 1 A S  0.0.0.0/0                          xx.xx.xx.254%...       11
 2 A S  0.0.0.0/0                          xx.xx.xx.1%ether1        10
 3   S  0.0.0.0/0                          xx.xx.xx.254%...       11
 4 A S  0.0.0.0/0                          xx.xx.xx.254%...       11
 5 A S  ;;; ethernet mikrotik
        0.0.0.0/0                          xx.xx.xx.1%ether1         1
 6   S  ;;; ethernet mikrotik
        0.0.0.0/0                          xx.xx.xx.254%...        2
 7 A S  8.8.4.4/32                         xx.xx.xx.254%...        1
 8 A S  8.8.8.8/32                         xx.xx.xx.1%ether1         2
 9 A S  ;;; OVPN
        10.20.30.0/24                      192.168.1.25              1
10 ADC  xx.xx.xx.0/24    xx.xx.xx.21   ether2                    0
11 ADC  xx.xx.xx.0/24      xx.xx.xx.246    ether1                    0
12 ADC  192.168.1.0/24     192.168.1.111   bridge2                   0
13 ADC  192.168.1.0/24     192.168.1.88    bridge2                   0
14 A S  172.27.0.0/16                      192.168.1.25              1
15  DC  192.168.11.0/24    192.168.11.1    Guest                   255

Your marking is wrong. If you mark connections in the input chain, you only catch those to the router itself. Connections to forwarded ports don't get any mark, because they don't go through the input chain. You need something like this:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=xx.xx.xx.246 in-interface=ether1 \
    new-connection-mark=ISP1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=xx.xx.xx.21 in-interface=ether2 \
    new-connection-mark=ISP2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2 new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=ISP2 passthrough=no

And to make sure there are no problems reaching your internal network, it’s best to use this:

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

So can I do it this way, or is it better the way you wrote?

 0    chain=input action=mark-connection new-connection-mark=ISP 1 -> Input passthrough=no dst-address=xx.xx.xx.246 in-interface=ether1 
      log=no log-prefix="" 

 1    chain=output action=mark-routing new-routing-mark=ISP 1 passthrough=no connection-mark=ISP 1 -> Input log=no log-prefix="" 

 2    chain=input action=mark-connection new-connection-mark=ISP 2 -> Input passthrough=no dst-address=xx.xx.xx.21 in-interface=ether2 
      log=no log-prefix="" 

 3    chain=output action=mark-routing new-routing-mark=ISP 2 passthrough=no connection-mark=ISP 2 -> Input log=no log-prefix="" 


 4    chain=forward action=mark-connection new-connection-mark=in_isp1_for passthrough=no in-interface=ether1 log=no log-prefix="" 

 5    chain=forward action=mark-connection new-connection-mark=in_isp2_for passthrough=yes in-interface=ether2 log=no log-prefix="" 

 6    chain=prerouting action=mark-routing new-routing-mark=ISP 1 passthrough=no src-address=192.168.1/24 connection-mark=in_isp1_for log=no log-prefix="" 

 7    chain=prerouting action=mark-routing new-routing-mark=ISP 2 passthrough=no src-address=192.168.1/24 connection-mark=in_isp2_for log=no log-prefix=""

You don't need to mark connections separately in the input and forward chains. Mark them in prerouting and it will work for both traffic to the router and forwarded traffic. It will also save you connection-marking rules: you'll have only two instead of four.
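The two replies above give the mangle rules and the route rule, but the routing marks only work if a routing table with that mark actually holds a default route for the matching WAN, which the thread never shows. The following is an added, complete example (not posted by anyone in the thread) that puts the prerouting-based marking together with the routes it depends on, the route rule for the internal network, and a port forward that accepts the service on either WAN address. The gateways xx.xx.xx.1 (ether1) and xx.xx.xx.254 (ether2), the WAN addresses, the bridge name bridge2 and the Gateway address list are taken from the original poster's output; the list membership, check-gateway=ping and the use of dst-nat instead of netmap are assumptions.

```routeros
# Added example, RouterOS v6 syntax: multi-WAN port forwarding with
# connection marks set in prerouting (covers both input and forwarded
# traffic), routing marks for replies, and the per-mark routes.
# Assumed: ISP1 = ether1 / xx.xx.xx.246 / gw xx.xx.xx.1,
#          ISP2 = ether2 / xx.xx.xx.21  / gw xx.xx.xx.254

/ip firewall mangle
# 1. Tag every new inbound connection with the WAN it arrived on.
#    connection-mark=no-mark makes the rule evaluate only the first packet
#    of each connection; prerouting sees the packet before dst-nat, so the
#    dst-address is still the router's public IP on that WAN.
add chain=prerouting in-interface=ether1 dst-address=xx.xx.xx.246 \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP1 passthrough=no comment="inbound via ISP1"
add chain=prerouting in-interface=ether2 dst-address=xx.xx.xx.21 \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP2 passthrough=no comment="inbound via ISP2"
# 2. Replies: packets from the LAN host (forwarded) get their routing mark
#    in prerouting, replies generated by the router itself in output.
add chain=prerouting connection-mark=ISP1 action=mark-routing \
    new-routing-mark=ISP1 passthrough=no
add chain=prerouting connection-mark=ISP2 action=mark-routing \
    new-routing-mark=ISP2 passthrough=no
add chain=output connection-mark=ISP1 action=mark-routing \
    new-routing-mark=ISP1 passthrough=no
add chain=output connection-mark=ISP2 action=mark-routing \
    new-routing-mark=ISP2 passthrough=no

# 3. A default route in each marked table. Without these, a packet with
#    routing-mark=ISP2 falls back to the main table and still leaves via
#    the lowest-distance gateway (ether1), so the reply goes out the wrong
#    provider and the client resets the connection.
/ip route
add dst-address=0.0.0.0/0 gateway=xx.xx.xx.1 routing-mark=ISP1 \
    check-gateway=ping comment="ISP1 table"
add dst-address=0.0.0.0/0 gateway=xx.xx.xx.254 routing-mark=ISP2 \
    check-gateway=ping comment="ISP2 table"

# 4. The marked tables contain only a default route, and the first inbound
#    packet is routed to 192.168.1.x after dst-nat while carrying a routing
#    mark. This rule forces internal destinations back to the main table.
/ip route rule
add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main

# 5. Port forward matching on an address list so it works on either WAN.
#    (Assumed list membership; the thread's rule used netmap, dst-nat is
#    the plain equivalent for a single host.)
/ip firewall address-list
add list=Gateway address=xx.xx.xx.246 comment="ISP1 public IP"
add list=Gateway address=xx.xx.xx.21 comment="ISP2 public IP"
/ip firewall nat
add chain=dstnat protocol=tcp dst-address-list=Gateway dst-port=4899 \
    action=dst-nat to-addresses=192.168.1.1 to-ports=4899 comment="RAdmin"

# Checks: a live connection through the slow WAN must carry ISP2, the
# ISP2 table must have an active (A) default route, and the mangle
# counters should increase while the client is connected.
/ip firewall connection print where connection-mark=ISP2
/ip route print where routing-mark=ISP2
/ip firewall mangle print stats
```

If `/ip route print where routing-mark=ISP2` shows no active route, the connection marks are correct but the replies are still leaving through ether1, which reproduces exactly the symptom in the first post (login prompt answered, then the session dies). Keep the masquerade rules per out-interface as in the original NAT table; they are unaffected by this change.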