Port Forwarding not working for WAN VRRP setup

Hello, I'm trying to implement WAN high availability (WAN over VRRP) using 2 Mikrotik routers (CCR2004-16G-2S-PC).

Each router has one interface for LAN and one for WAN. We use NAT between LAN and WAN.
The VRRP WAN public addresses (IPs) are a.a.a.1 for router 1, a.a.a.2 for router 2 and a.a.a.3 for the VRRP floating IP.
The Port Forwarding works fine for a.a.a.1 and a.a.a.2. But it doesn't work for a.a.a.3 (the floating IP).
BTW, I also have VRRP for LAN setup on the same routers, and it works ok (LAN subnet is b.b.b.0/24)

My NAT Firewall rules for Port Forwarding:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=WAN protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.1 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3390 in-interface-list=WAN protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.2 to-ports=3389

Please, can you help me figure it out?
We need to set up Port Forwarding on the VRRP floating IP and we're stuck on this issue.

Your rules don't use destination addresses; the only condition related to that is in-interface-list=WAN. A possible explanation is that your WAN list contains the parent interface, but not the VRRP one. But since that one is seen as the incoming interface for packets to x.x.x.3, it doesn't work. But you probably want to use dst-address=a.a.a.3 instead anyway.

Thank you. Your post really helped me fix the issue. Everything works great now.

My firewall rules now:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 dst-address=a.a.a.3 protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.1 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3390 dst-address=a.a.a.3 protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.2 to-ports=3389
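
An added example, not part of the thread: a small Python audit that reads a RouterOS export and flags dst-nat rules that rely on in-interface-list alone when that list holds a VRRP parent interface but not the VRRP interface itself. The interface names (ether1, ether2, vrrp-wan, vrrp-lan) and the sample export are constructed for illustration.

```python
import re
import shlex

# Constructed sample export; interface names and vrid values are assumptions.
SAMPLE_EXPORT = """\
/interface vrrp
add interface=ether1 name=vrrp-wan vrid=10
add interface=ether2 name=vrrp-lan vrid=20
/interface list member
add interface=ether1 list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=WAN protocol=tcp \\
    src-address-list=allowed_ip_list to-addresses=b.b.b.1 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3390 dst-address=a.a.a.3 protocol=tcp \\
    src-address-list=allowed_ip_list to-addresses=b.b.b.2 to-ports=3389
"""

def parse_export(text):
    """Group 'add' lines by the menu path (e.g. /ip firewall nat) above them."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines wrapped with a trailing backslash
    sections, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            toks = shlex.split(line[4:])
            sections.setdefault(path, []).append(
                dict(t.split("=", 1) for t in toks if "=" in t))
    return sections

def audit_dstnat(text):
    """Return (dst-port, reason) for dst-nat rules that can miss the VRRP address."""
    s = parse_export(text)
    members = {}
    for m in s.get("/interface list member", []):
        members.setdefault(m.get("list"), set()).add(m.get("interface"))
    findings = []
    for rule in s.get("/ip firewall nat", []):
        if rule.get("action") != "dst-nat" or "dst-address" in rule:
            continue  # a rule pinned to dst-address does not depend on the list
        ifs = members.get(rule.get("in-interface-list"), set())
        # VRRP interfaces whose parent is in the list but which are not listed themselves
        missing = sorted(v["name"] for v in s.get("/interface vrrp", [])
                         if v.get("interface") in ifs and v.get("name") not in ifs)
        if missing:
            findings.append((rule.get("dst-port"),
                             f"list {rule['in-interface-list']} lacks {missing}"))
    return findings
```
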