Dear MikroTik Gurus,

I am new to MikroTik and I have problems with port forwarding in a 2 WAN 1 LAN setup with a RB760iGS running RouterOS 6.46.6.
Port forwarding works for the WAN1 but not for WAN2.
I am trying to forward some ports to a single server in the LAN (connected to a switch, not directly to the Router)
WAN 1 "PPPoE-RDS": PPPoE connection with Dynamic IP
WAN 2 "VDF-Uplink": CATV NTU set up in bridge mode, also with Dynamic IP.
I have a simple fail-over setup with WAN1 route set with distance 1 and WAN2 route set with distance 2. I am not running BGP or any other routing protocols.
I did my best to adapt the info from here: 2 WAN port forwarding and some other posts to my setup but it still doesn't work.

Route Table:

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 PPPoE-RDS 1
1 A S 0.0.0.0/0 VDF-Uplink 2
2 ADS 0.0.0.0/0 PPPoE-RDS 1
3 DS 0.0.0.0/0 78.97.136.1 2
4 ADC 10.0.0.1/32 188.25.78.147 PPPoE-RDS 0
5 ADC 78.97.136.0/21 78.97.140.162 VDF-Uplink 0
6 ADC 192.168.1.0/24 192.168.1.10 bridge 0

Firewall NAT:
chain=srcnat action=masquerade out-interface=RDS-Uplink log=no log-prefix="" ipsec-policy=out,none
1 chain=srcnat action=masquerade out-interface=PPPoE-RDS log=no log-prefix=""
2 chain=srcnat action=masquerade out-interface=VDF-Uplink log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.1.20 to-ports=2112 protocol=tcp in-interface-list=WAN dst-port=2112 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.1.20 to-ports=2112 protocol=udp in-interface-list=WAN dst-port=2112 log=no log-prefix=""

Firewall Mangle:
3 chain=prerouting action=mark-connection new-connection-mark=PPPoE-RDS passthrough=yes in-interface=PPPoE-RDS log=no log-prefix=""
4 chain=prerouting action=mark-connection new-connection-mark=VDF-Uplink passthrough=yes in-interface=VDF-Uplink log=no log-prefix=""
5 chain=prerouting action=mark-routing new-routing-mark=To-PPPoE-RDS passthrough=yes connection-mark=PPPoE-RDS in-interface-list=LAN log=no log-prefix=""
6 chain=prerouting action=mark-routing new-routing-mark=To-VDF-Uplink passthrough=yes connection-mark=VDF-Uplink in-interface-list=LAN log=no log-prefix=""
7 chain=output action=mark-routing new-routing-mark=To-PPPoE-RDS passthrough=yes connection-mark=PPPoE-RDS log=no log-prefix=""
8 chain=output action=mark-routing new-routing-mark=To-VDF-Uplink passthrough=yes connection-mark=VDF-Uplink log=no log-prefix=""
9 chain=input action=mark-connection new-connection-mark=PPPoE-RDS passthrough=yes in-interface=PPPoE-RDS log=no log-prefix=""
10 chain=input action=mark-connection new-connection-mark=VDF-Uplink passthrough=yes in-interface=VDF-Uplink log=no log-prefix=""

Firewall filters are still in default.
*Another very odd behavior: after applying the above setup, when falling back to WAN2, a host from inside the LAN can only ping 8.8.88 once and then all rest fails:
"Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=29ms TTL=55
Request timed out.
Request timed out.
Request timed out."

What am I missing / doing wrong here ?

Not sure off the bat.
Curious as to why you have three masquerade rules but only two WANs?
Also perhaps the mangling is getting in the way?

How do folks access your servers ? dyndns name? Does it switch to the other ISP automatically?

Hi anav,

Correct, one (first) masquerade rule was added extra by mistake. It is now removed.
I have dynamic DNS provided for WAN1 by the ISP.
I will probably move to a different DynDNS provider to update the IPs for both WANs. This is a work in progress and I haven’t gotten to that yet.
Regarding the mangle rules… I did my best to adapt the info from here: http://forum.mikrotik.com/t/2-wan-port-forwarding/39425/1 and some other posts to my setup, since I don’t have any fixed IP on any WAN.
I also presume that I did something awfully wrong but can’t quite figure out what.

Later Edit: The ping problem mentioned in the first post on the WAN2 first started after I added the mangle rules… So even more reason to suspect that the problem is there.

Yeah, I am no mangle expert, hopefully someone else will chime in.