Good morning all,
I have one RB750Gr2 that is now set up with two WAN connections, each corresponding to its own LAN, no load balancing.
LAN 192.168.100.x sits on ether2 and all outbound traffic goes out on A.A.A.249 via ether1.
LAN 192.168.1.x sits on ether4 and all outbound traffic goes out on A.A.A.250 via ether3.
Both A.A.A.249 and A.A.A.250 use the same gateway, thus the “%” magic in the routing section.
To add to the fun, there is another RB750Gr2 at another satellite office that establishes an IPSec tunnel to this RB750Gr2.
The issue is that after the second WAN connection was added earlier this week:
- port forwarding is now broken, so inbound connections to 192.168.100.210 and 192.168.1.12 are dropping.
- the IPSec tunnel to the satellite office RB750Gr2 is no longer established.
- this RB750Gr2 unit is no longer remotely accessible from our office.
I know the issue just comes down to adjusting the filter/nat rules accordingly, but I am at a complete loss here, and at a disadvantage since I can only troubleshoot via one of their internal remotely-accessible workstations (TeamViewer) after hours. Thoughts?
/ip address
# two addresses from the same /29 on the two WAN ports (ether1, ether3), one LAN per inside port (ether2, ether4)
add address=A.A.A.249/29 interface=ether1 network=A.A.A.248
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=A.A.A.250/29 interface=ether3 network=A.A.A.248
add address=192.168.1.1/24 interface=ether4 network=192.168.1.0
/ip firewall filter
# rules without action= accept (RouterOS default); the input chain has no closing drop,
# the forward chain drops anything towards ether2/ether4 that the rules above it did not accept
add chain=input in-interface=ether1 protocol=ipsec-ah
add chain=input in-interface=ether1 protocol=ipsec-esp
add chain=forward dst-address=192.168.100.210 dst-port=80 protocol=tcp
add chain=forward dst-address=192.168.1.12 dst-port=4105 protocol=tcp
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=forward dst-address=192.168.100.0/24 src-address=192.168.101.0/24
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward out-interface=ether2
add action=drop chain=forward out-interface=ether4
/ip firewall mangle
# IN-ISP1/IN-ISP2 remember which WAN a forwarded connection arrived on;
# ISP1/ISP2 routing marks send each LAN out its own WAN;
# the last two rules mark router-originated replies to connections that came in on ether1
add action=mark-connection chain=forward connection-state=new in-interface=ether1 new-connection-mark=IN-ISP1
add action=mark-connection chain=forward connection-state=new in-interface=ether3 new-connection-mark=IN-ISP2
add action=mark-routing chain=prerouting new-routing-mark=ISP1 passthrough=no src-address=192.168.100.0/24
add action=mark-routing chain=prerouting new-routing-mark=ISP2 passthrough=no src-address=192.168.1.0/24
add action=mark-connection chain=input in-interface=ether1 new-connection-mark=IN-WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=IN-WAN1 new-routing-mark=TO-WAN1 passthrough=no
/ip firewall nat
# first rule has no action, i.e. accept: LAN to satellite-LAN traffic is left unmasqueraded for the tunnel
add chain=srcnat dst-address=192.168.101.0/24 src-address=192.168.100.0/24
add action=dst-nat chain=dstnat dst-address=A.A.A.249 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.100.210 to-ports=80
add action=dst-nat chain=dstnat comment=Watchguard1 dst-port=4105 protocol=tcp src-address=192.168.1.12 to-addresses=A.A.A.250 to-ports=4105
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip route
# one default route per routing mark; gateway=A.A.A.254%ether1 pins the shared gateway address to an interface
add check-gateway=ping distance=1 gateway=A.A.A.254%ether1 pref-src=A.A.A.249 routing-mark=ISP1
add check-gateway=ping distance=2 gateway=A.A.A.254%ether3 pref-src=A.A.A.250 routing-mark=ISP2
add check-gateway=ping distance=1 gateway=A.A.A.254%ether1 pref-src=A.A.A.249 routing-mark=IN-WAN1
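Added here as an example, not part of the original post and not a MikroTik tool: a small Python script that parses the RouterOS export pasted above (the mangle, NAT and route sections, embedded as constructed sample input with the poster's A.A.A.x placeholders kept) and checks three things a multi-WAN setup with port forwards and an IPsec peer depends on: that every routing mark written by mangle has a route table of that name and vice versa, that the main table keeps an unmarked default route for packets no mangle rule marks (router-originated IKE, for one), and that each dst-nat rule matches a public dst-address and translates to an internal host. The check names, the `is_internal` helper and the wording of the findings are my own; the script only reads the export text and never talks to the router.

```python
import ipaddress
import re

# Constructed sample input: the mangle, NAT and route sections exactly as pasted in the
# post above (public addresses anonymised by the poster as A.A.A.x).
ROUTEROS_EXPORT = """
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new in-interface=ether1 new-connection-mark=IN-ISP1
add action=mark-connection chain=forward connection-state=new in-interface=ether3 new-connection-mark=IN-ISP2
add action=mark-routing chain=prerouting new-routing-mark=ISP1 passthrough=no src-address=192.168.100.0/24
add action=mark-routing chain=prerouting new-routing-mark=ISP2 passthrough=no src-address=192.168.1.0/24
add action=mark-connection chain=input in-interface=ether1 new-connection-mark=IN-WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=IN-WAN1 new-routing-mark=TO-WAN1 passthrough=no
/ip firewall nat
add chain=srcnat dst-address=192.168.101.0/24 src-address=192.168.100.0/24
add action=dst-nat chain=dstnat dst-address=A.A.A.249 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.100.210 to-ports=80
add action=dst-nat chain=dstnat comment=Watchguard1 dst-port=4105 protocol=tcp src-address=192.168.1.12 to-addresses=A.A.A.250 to-ports=4105
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add check-gateway=ping distance=1 gateway=A.A.A.254%ether1 pref-src=A.A.A.249 routing-mark=ISP1
add check-gateway=ping distance=2 gateway=A.A.A.254%ether3 pref-src=A.A.A.250 routing-mark=ISP2
add check-gateway=ping distance=1 gateway=A.A.A.254%ether1 pref-src=A.A.A.249 routing-mark=IN-WAN1
"""

# key=value pairs; a value may be a quoted string (e.g. a comment with spaces)
ATTR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Turn an export listing into (menu path, {attribute: value}) records."""
    records, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line                      # e.g. "/ip firewall nat"
        elif line.startswith("add "):
            attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line[4:])}
            records.append((menu, attrs))
    return records


def is_internal(addr):
    """RFC1918 check; unparseable tokens such as the A.A.A.x placeholders count as public."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def check_routing_marks(records):
    """Every new-routing-mark needs a route table of that name, and every table a rule that fills it."""
    set_marks = {a["new-routing-mark"] for m, a in records
                 if m == "/ip firewall mangle" and a.get("action") == "mark-routing"}
    route_marks = {a["routing-mark"] for m, a in records
                   if m == "/ip route" and "routing-mark" in a}
    return ([f"mangle sets routing-mark {x} but no /ip route carries routing-mark={x}"
             for x in sorted(set_marks - route_marks)]
            + [f"/ip route table {x} exists but no mangle rule sets that mark"
               for x in sorted(route_marks - set_marks)])


def check_main_default_route(records):
    """Packets with no routing mark (router-originated IKE, for one) are looked up in the main table."""
    for m, a in records:
        # export omits dst-address=0.0.0.0/0 on default routes, so treat a missing one as default
        if m == "/ip route" and "routing-mark" not in a and a.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0":
            return []
    return ["no unmarked default route: traffic that carries no routing mark has no way out"]


def check_dstnat(records):
    """A port forward matches the public dst-address and translates to an internal host."""
    findings = []
    for m, a in records:
        if m != "/ip firewall nat" or a.get("action") != "dst-nat":
            continue
        problems = []
        if "dst-address" not in a:
            problems.append("matches no dst-address")
        if not is_internal(a.get("to-addresses", "")):
            problems.append(f"to-addresses={a.get('to-addresses')} is not an internal host")
        if problems:
            label = a.get("comment") or a.get("to-addresses")
            findings.append(f"dst-nat rule {label}: " + ", ".join(problems) + " (looks like an inverted rule)")
    return findings


def audit(text):
    records = parse_export(text)
    return check_routing_marks(records) + check_main_default_route(records) + check_dstnat(records)


if __name__ == "__main__":
    for finding in audit(ROUTEROS_EXPORT):
        print("-", finding)
```

Run it on a fresh `/export` after every change instead of trusting a late-night TeamViewer session to spot a mark name typed two different ways; the three checks are pure string matching on the export, so they are safe to run anywhere.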