Port Forwarding on Load Balanced Setup

Hi All,

I’m a MikroTik newbie - I bought it in order to learn a bit about how to use a “proper firewall” :)

I’ve managed to set up a Load Balanced setup that seems to be working well using the PCC example as a guide.

However I have one issue that is confusing me.

I have set up some destination NAT port forwards to enable me to access internal servers that are behind my NAT. These are working when I try to access them via : but not :. If I disable WAN2 then it does work for WAN1 but stops working again as soon as I enable WAN2.

Any ideas as to how to debug / address this issue?

Many Thanks!
T

Study this configuration example and use policy-routing to deal with traffic coming to router and from the router,
http://wiki.mikrotik.com/wiki/PCC

Hi,

Many thanks for the reply.

I believe I have already followed that example. In general it is working well - but dst-nat seems to not work to one of the WAN links at any one time.

I’m using rules such as this:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=22 protocol=tcp to-addresses=192.168.0.20 to-ports=22

to forward an internal SSH server from the WAN links. It only works via one of the WAN links though; it will work via the other WAN link if I disable the first one. Should I need to do anything different to get it to work for both links at the same time?

Is it worth posting more of my config here?

Many Thanks
T

Please do.

The main point to look for in that PCC wiki article is how they mark incoming connections the moment they come in, to ensure you send the return traffic back out the same circuit.

Hi. Your help is appreciated. I’m sure I’m doing something stupid - but I just can’t see what… :)

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=\
    10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=WAN1
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=WAN1
add action=drop chain=input comment="default configuration" disabled=no in-interface=WAN1
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=WAN2
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=WAN2
add action=drop chain=input comment="default configuration" disabled=no in-interface=WAN2
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=wlan1_conn passthrough=no
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=wlan2_conn passthrough=no
add action=accept chain=prerouting comment="" disabled=no dst-address=78.86.112.0/20 in-interface=ether3-local-Master
add action=accept chain=prerouting comment="" disabled=no dst-address=78.105.0.0/20 in-interface=ether3-local-Master
add action=mark-routing chain=output comment="" connection-mark=wlan1_conn disabled=no new-routing-mark=to_wlan1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=wlan2_conn disabled=no new-routing-mark=to_wlan2 passthrough=no
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether3-local-Master new-connection-mark=wlan1_conn passthrough=yes \
    per-connection-classifier=dst-address:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether3-local-Master new-connection-mark=wlan2_conn passthrough=yes \
    per-connection-classifier=dst-address:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wlan1_conn disabled=no in-interface=ether3-local-Master new-routing-mark=to_wlan1 passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=wlan2_conn disabled=no in-interface=ether3-local-Master new-routing-mark=to_wlan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=WAN2
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=22 protocol=tcp to-addresses=192.168.0.20 to-ports=22
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=78.86.112.1 routing-mark=to_wlan1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=78.105.0.1 routing-mark=to_wlan2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=78.86.112.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=78.105.0.1 scope=30 target-scope=10

Hi All,

I’ve tried various things and still am unable to make this work.

Again - in summary, the issue is that from any remote site I am able to connect to internal servers via dst-nat through only one of my two WAN interfaces at any one time, so I suspect that traffic is being sent to the wrong gateway when connecting to the non-working WAN interface.

Can anyone see an issue with the above config that could cause this? Is there any further debug I can take to help track down the issue?

Many Thanks!
T

Mark connections both on the input chain and on the forward chain for the physical interface, and then mark for routing based off the connection mark. Be sure to have the appropriate routes with the routing mark in your routing table.

add action=mark-connection chain=input comment=\
    "Reply to pings going from ISP1 side with ISP1 connection" disabled=no \
    in-interface=ether1 new-connection-mark=input1_connection passthrough=yes
add action=mark-connection chain=input comment=\
    "Reply to pings going from ISP2 side with ISP2 connection" disabled=\
    no in-interface=ether2 new-connection-mark=input2_connection passthrough=\
    yes
add action=mark-routing chain=output comment="" connection-mark=\
    input1_connection disabled=no new-routing-mark=to_outside1 passthrough=\
    yes
add action=mark-routing chain=output comment="" connection-mark=\
    input2_connection disabled=no new-routing-mark=to_outside2 passthrough=\
    yes
add action=mark-connection chain=forward comment=\
    "Forward ISP1" connection-state=new disabled=no \
    in-interface=ether1 new-connection-mark=outside1_connection passthrough=\
    yes
add action=mark-connection chain=forward comment=\
    "Forward  ISP2" connection-state=new disabled=no \
    in-interface=ether2 new-connection-mark=outside2_connection passthrough=\
    yes
add action=mark-routing chain=prerouting comment=\
    "Send connections marked for ISP1 out ISP1" connection-mark=\
    outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=\
    no src-address-list=Local_NAT_Network
add action=mark-routing chain=prerouting comment=\
    "Send connections marked for ISP2 out ISP2" connection-mark=\
    outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=\
    no src-address-list=Local_NAT_Network
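Applying the reply above to the configuration posted earlier in the thread, as an added example (not code from either poster): in that config the only rules that mark connections arriving on WAN1 or WAN2 sit in the input chain, which sees only traffic addressed to the router itself. A dst-nat'ed SSH connection to 192.168.0.20 is forwarded, not input, so it never receives wlan1_conn or wlan2_conn. When the server's replies then enter from ether3-local-Master, the PCC rules (which carry no connection-mark=no-mark condition) mark the connection by the remote client's address, so the reply leaves by whichever WAN the classifier picks for that client rather than the WAN the client actually used; this is also why disabling one WAN makes everything fall back to the other. The rules below keep the posted interface, mark and routing-mark names and the posted PCC classifier, add forward-chain marking of new WAN-side connections as the reply suggests, and guard the PCC rules so they only touch unmarked connections. The posted /ip route entries (one default route per routing mark plus the unmarked defaults) are unchanged and still required. The two print commands at the end are the checks to run after an SSH attempt via the WAN2 address.

```routeros
# Added example (not the poster's config): /ip firewall mangle rewritten so that
# connections arriving on either WAN, whether to the router or forwarded by
# dst-nat, always answer out the WAN they came in on.  Names are the posted ones.
/ip firewall mangle
# Connections to the router itself arriving on a WAN (input chain).
add chain=input in-interface=WAN1 action=mark-connection \
    new-connection-mark=wlan1_conn passthrough=no
add chain=input in-interface=WAN2 action=mark-connection \
    new-connection-mark=wlan2_conn passthrough=no
# Connections forwarded through the router that arrived on a WAN: this is the
# case dst-nat creates, and it is the rule the posted config lacks.
add chain=forward in-interface=WAN1 connection-state=new \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=no
add chain=forward in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=no
# Router-generated replies follow the mark set in the input chain.
add chain=output connection-mark=wlan1_conn action=mark-routing \
    new-routing-mark=to_wlan1 passthrough=no
add chain=output connection-mark=wlan2_conn action=mark-routing \
    new-routing-mark=to_wlan2 passthrough=no
# LAN traffic aimed directly at either ISP subnet needs no policy routing
# (kept from the posted config; order matters, these sit before the PCC rules).
add chain=prerouting in-interface=ether3-local-Master \
    dst-address=78.86.112.0/20 action=accept
add chain=prerouting in-interface=ether3-local-Master \
    dst-address=78.105.0.0/20 action=accept
# PCC split for connections the LAN originates.  connection-mark=no-mark is the
# guard: without it, the server's replies to an SSH session (already marked in
# the forward chain) are re-marked here by the client's address.
add chain=prerouting in-interface=ether3-local-Master connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=dst-address:2/0 \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting in-interface=ether3-local-Master connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=dst-address:2/1 \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
# Everything leaving the LAN side, replies included, is routed by its mark.
add chain=prerouting in-interface=ether3-local-Master \
    connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1 \
    passthrough=no
add chain=prerouting in-interface=ether3-local-Master \
    connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2 \
    passthrough=no

# Checks, run after ssh'ing to the WAN2 address from outside: the tracked
# connection should show connection-mark=wlan2_conn, and a route carrying
# routing-mark=to_wlan2 must exist for that mark to have any effect.
/ip firewall connection print detail where dst-address~"192.168.0.20"
/ip route print where routing-mark=to_wlan2
```

If the connection entry shows no mark, the forward-chain rule is not matching (check the in-interface name against /interface print); if it shows the right mark but the reply still leaves via WAN1, the to_wlan2 route is missing or its check-gateway=ping has marked it unreachable. Separately, note that the posted filter has no forward-chain rules at all, so the dst-nat entry exposes TCP/22 on 192.168.0.20 through both WAN addresses to any source; a forward-chain rule restricting which sources may reach that port would be the usual next step once the routing works.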