Port Forwarding

I’ve installed RB5009 and terminated my 3 WAN connections in it. I am using 1 ethernet port for my LAN-Users and another for my servers’ LAN. When I create a NAT rule to forward a port to specific IP from my server LAN, sometimes a rule works on WAN1, sometimes on WAN2 or sometimes on WAN3.
Here is my router configuration. Real IP addresses of my WAN are replaced with 123.123.123.202 for WAN1, 181.191.111.43 for WAN2 and 123.123.200.250 for WAN3.
My WAN1 and WAN3 routes are configured as bridge whereas WAN2 router is configured as router mode,

2024-10-30 16:50:34 by RouterOS 7.16.1

software id = ICP1-4SCV

model = RB5009UG+S+

serial number =

/interface ethernet
# Port roles used by the rest of the config: ether1 = user LAN, ether2 = server LAN,
# ether5/6/7 = the three ISP links (Wateen / PTCL / "VPN" = WAN3), ether8 = dedicated AMG link.
# The renamed interface names (ether1-HO_LAN, ether2-Servers, ...) are what every later rule refers to.
set [ find default-name=ether1 ] comment=LAN name=ether1-HO_LAN
set [ find default-name=ether2 ] comment=Servers-LAN name=ether2-Servers
set [ find default-name=ether5 ] comment=Wateen name=ether5-WAN_1
set [ find default-name=ether6 ] comment=PTCL name=ether6-WAN_2
set [ find default-name=ether7 ] comment=VPN_Link name=ether7-WAN_3
set [ find default-name=ether8 ] comment=“Link to AMG” name=ether8-VPN_AMG
/interface list
# Only a WAN list exists. There is no LAN list, so no rule can match in-interface-list=LAN;
# the masquerade rule below is the only consumer of the WAN list.
add comment=“WAN Interfaces” name=WAN
/interface list member
add interface=ether5-WAN_1 list=WAN
add interface=ether6-WAN_2 list=WAN
add interface=ether7-WAN_3 list=WAN

/ip dhcp-server
# NOTE(review): ISP-1 and ISP-2 are DHCP servers bound to ether5-WAN_1 and ether6-WAN_2, i.e. the
# ISP-facing ports that are members of the WAN interface list. A router should not normally hand
# out leases towards its upstream links; confirm this is intentional and remove them if it is not.
add interface=ether5-WAN_1 lease-time=1d name=ISP-1
add interface=ether6-WAN_2 lease-time=1d name=ISP-2
add interface=ether1-HO_LAN lease-time=1d10m name=HO-LAN
add interface=ether2-Servers lease-time=1d name=Servers
add interface=ether8-VPN_AMG lease-time=1d name=AMG
# No /ip dhcp-server network section and no pools for HO-LAN / Servers / AMG appear in this paste;
# presumably hosts are given static leases by MAC — verify on the live router.

/ip pool
# Address range handed to OpenVPN clients through the OpenVPN ppp profile below.
add name=VPN_Pool ranges=10.10.10.51-10.10.10.150

/ppp profile
add local-address=10.10.10.1 name=OpenVPN remote-address=VPN_Pool

/routing table
# One FIB per WAN; the mangle mark-routing rules select these by routing mark.
add fib name=To_WAN1
add fib name=To_WAN2
add fib name=To_WAN3

/interface ovpn-server server
# OpenVPN server for remote users. require-client-certificate=yes means a username/password alone
# cannot authenticate a client, which is the right setting for a server that reaches the server LAN.
# NOTE(review): auth=sha1 and cipher=aes256-cbc are the legacy choices; RouterOS 7 also offers
# sha256 and aes256-gcm — switch to those once all client builds support them.
set auth=sha1 certificate=Server cipher=aes256-cbc default-profile=OpenVPN
enabled=yes require-client-certificate=yes
/ip address
# WAN1 (Wateen, bridge-mode modem): the public /30 sits directly on the router; gateway is .201.
add address=123.123.123.202/30 comment=Wateen interface=ether5-WAN_1 network=
123.123.123.200
# WAN2 (PTCL, router-mode modem): private transfer net, the ISP router is 192.168.200.1 and
# does the public NAT (DMZ towards this address, per the thread).
add address=192.168.200.10/24 comment=PTCL interface=ether6-WAN_2 network=
192.168.200.0
add address=192.168.6.1/24 comment=HO_LAN interface=ether1-HO_LAN network=
192.168.6.0
add address=192.168.15.1/24 comment=AMG-Network interface=ether8-VPN_AMG
network=192.168.15.0
# NOTE(review): 192.0.0.0/24 is not RFC 1918 private space (it is an IANA-reserved block).
# Using it for the server LAN means any real host in that range is unreachable from here and
# every mangle/NAT rule has to special-case it; renumbering to private space is advised later
# in this thread.
add address=192.0.0.99/24 comment=Servers interface=ether2-Servers network=
192.0.0.0
add address=10.10.1.1/24 comment=WireGuard interface=wireguard1 network=
10.10.1.0
# NOTE(review): network=125.125.200.248 does not match the /30 that 123.123.200.250 belongs to
# (123.123.200.248). Most likely a slip in the redaction, but check the live entry.
add address=123.123.200.250/30 comment=VPN interface=ether7-WAN_3 network=
125.125.200.248

/ip dns
# The router forwards DNS to the two resolvers on the server LAN.
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for anyone who can reach it,
# and the /ip firewall filter section below contains no input-chain rules at all, so the resolver
# is reachable from all three WAN links (open-resolver / amplification risk). Add an input rule
# that drops dst-port=53 tcp+udp from in-interface-list=WAN, or a general input policy.
set allow-remote-requests=yes servers=192.0.0.9,192.0.0.10

/ip firewall filter
# NOTE(review): there is no input- or forward-chain policy here: nothing stops unsolicited traffic
# to the router itself or between the LANs. Until a baseline exists (accept established/related,
# drop the rest arriving from in-interface-list=WAN), every service on the router is exposed on
# all three WAN links and every dst-nat'd port reaches the servers unfiltered.
# The layer-7 rules only populate address lists; nothing in this paste consumes Torrent_Conn or
# Streaming_Conn, and the allow-bit list is not defined here (it may be elsewhere). Layer-7
# matching on all forward traffic is CPU-heavy — consider narrowing it.
add action=add-src-to-address-list address-list=Torrent_Conn
address-list-timeout=2m chain=forward layer7-protocol=BitTorrent
src-address-list=!allow-bit
add action=add-src-to-address-list address-list=Streaming_Conn
address-list-timeout=2m chain=forward layer7-protocol=streaming
src-address-list=!allow-bit
# The output rules pin the netwatch ICMP probes: each monitored host may be pinged out of one
# interface only, the other two drop it.
# NOTE(review): the interface/host pairing looks swapped for WAN1 and WAN3. 123.123.200.249 is the
# ether7-WAN_3 gateway (see /ip address and /ip route) but is accepted out ether5-WAN_1 and dropped
# out ether7-WAN_3; 123.123.123.201 is the ether5-WAN_1 gateway but is accepted out ether7-WAN_3
# and dropped out ether5-WAN_1. Both gateways are on directly connected /30s, so the probe leaves
# on its own interface and hits the drop — the Wateen netwatch would then stay "down" and its
# down-script keeps the Wateen/WAN1 routes disabled. Verify against the live netwatch status.
add action=accept chain=output comment=“For Netwatch” dst-address=
123.123.200.249 out-interface=ether5-WAN_1 protocol=icmp
add action=drop chain=output dst-address=123.123.200.249 out-interface=
ether6-WAN_2 protocol=icmp
add action=drop chain=output dst-address=123.123.200.249 out-interface=
ether7-WAN_3 protocol=icmp
# WAN2 pairing is consistent: the PTCL public address is only reachable via ether6-WAN_2.
add action=accept chain=output dst-address=181.191.111.43 out-interface=
ether6-WAN_2 protocol=icmp
add action=drop chain=output dst-address=181.191.111.43 out-interface=
ether5-WAN_1 protocol=icmp
add action=drop chain=output dst-address=181.191.111.43 out-interface=
ether7-WAN_3 protocol=icmp
add action=accept chain=output dst-address=123.123.123.201 out-interface=
ether7-WAN_3 protocol=icmp
add action=drop chain=output dst-address=123.123.123.201 out-interface=
ether6-WAN_2 protocol=icmp
add action=drop chain=output dst-address=123.123.123.201 out-interface=
ether5-WAN_1 protocol=icmp
/ip firewall mangle
# Bypass rules: traffic to the server LAN, to the corporate office LAN (192.168.10.0/24, reached
# through the AMG link) and to the AMG transfer net is accepted here so it is never connection-
# marked or PCC-balanced. Mangle prerouting runs before dst-nat, so inbound port-forwarded packets
# still carry the public destination at this point and do not match the 192.0.0.0/24 rule.
add action=accept chain=prerouting dst-address=192.0.0.0/24
add action=accept chain=prerouting dst-address=192.168.10.0/24
add action=accept chain=prerouting dst-address=192.168.15.0/24

# Connections to the router itself are tagged with the WAN they arrived on ...
add action=mark-connection chain=input comment=“Input Rules for WAN Links”
in-interface=ether5-WAN_1 new-connection-mark=WAN1_Conn passthrough=yes
add action=mark-connection chain=input in-interface=ether6-WAN_2
new-connection-mark=WAN2_Conn passthrough=yes
add action=mark-connection chain=input in-interface=ether7-WAN_3
new-connection-mark=WAN3_Conn passthrough=yes
# ... and new forwarded connections arriving from a WAN get the same tag (WAN3 rule is disabled).
add action=mark-connection chain=prerouting comment=“Mark Connection Rules”
connection-mark=no-mark connection-state=new in-interface=ether5-WAN_1
new-connection-mark=WAN1_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new in-interface=ether6-WAN_2 new-connection-mark=
WAN2_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new disabled=yes in-interface=ether7-WAN_3
new-connection-mark=WAN3_Conn passthrough=yes
# PCC load balancing of user-LAN internet traffic. WAN1/WAN2 split with 2/0 and 2/1; the disabled
# WAN3 rule uses denominator 3, so if it is ever re-enabled all three must become 3/0, 3/1, 3/2.
add action=mark-connection chain=prerouting comment=“PCC Rules”
connection-mark=no-mark connection-state=new dst-address-type=!local
in-interface=ether1-HO_LAN new-connection-mark=WAN1_Conn passthrough=yes
per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new dst-address-type=!local in-interface=ether1-HO_LAN
new-connection-mark=WAN2_Conn passthrough=yes per-connection-classifier=
src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark
connection-state=new disabled=yes dst-address-type=!local in-interface=
ether1-HO_LAN new-connection-mark=WAN3_Conn passthrough=yes
per-connection-classifier=src-address-and-port:3/2
# The router's own replies follow the table of the WAN the connection came in on.
add action=mark-routing chain=output comment=“Output Rules for WAN Links”
connection-mark=WAN1_Conn new-routing-mark=To_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_Conn
new-routing-mark=To_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_Conn
new-routing-mark=To_WAN3 passthrough=no
# NOTE(review): these mark-routing rules match in-interface=ether1-HO_LAN only. Replies from the
# server LAN (ether2-Servers) to a port-forwarded connection therefore get no routing mark and
# follow the main table, which (see /ip route) holds two enabled distance=1 default routes and is
# treated as ECMP — so server replies are spread over WAN1 and WAN3 instead of going back out the
# WAN the connection arrived on. That fits the "sometimes WAN1, sometimes WAN3" symptom; dropping
# the in-interface match (or adding equivalent rules for ether2-Servers) is the fix to try first.
add action=mark-routing chain=prerouting comment=“Mark Routes Rules”
connection-mark=WAN1_Conn in-interface=ether1-HO_LAN new-routing-mark=
To_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_Conn
in-interface=ether1-HO_LAN new-routing-mark=To_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_Conn disabled=
yes in-interface=ether1-HO_LAN new-routing-mark=To_WAN3 passthrough=yes

/ip firewall nat
# Source-NAT everything leaving any WAN behind that WAN's own address.
add action=masquerade chain=srcnat comment=“Masquerading for WAN_Connections”
out-interface-list=WAN
# Port forwards are keyed on in-interface only (no dst-address). That works while the WAN1/WAN3
# public addresses sit directly on the router, but the return path is decided by the mangle
# rules above, which only routing-mark traffic from ether1-HO_LAN — see the note there.
# NOTE(review): with no forward-chain filter rules, every forwarded port reaches its server
# unfiltered. 3221->21 and 421->21 expose FTP, which carries credentials in clear text unless the
# server enforces TLS; prefer SFTP/FTPS or restrict src-address on those two rules.
add action=dst-nat chain=dstnat comment=“PlayStore IIS” dst-port=80
in-interface=ether5-WAN_1 log=yes log-prefix=192.0.0.3 protocol=tcp
to-addresses=192.0.0.3 to-ports=80
add action=dst-nat chain=dstnat comment=“WebServer (SSL)” dst-port=443
in-interface=ether5-WAN_1 protocol=tcp to-addresses=192.0.0.8 to-ports=
443
# WAN2 forward: the PTCL modem DMZs everything to 192.168.200.10, this rule picks out 1193.
add action=dst-nat chain=dstnat comment=“VPN Proxmox” dst-port=1193
in-interface=ether6-WAN_2 log=yes protocol=tcp to-addresses=192.0.0.11
to-ports=1194
add action=dst-nat chain=dstnat comment=WebServer connection-mark=“”
dst-port=80 in-interface=ether7-WAN_3 protocol=tcp to-addresses=
192.0.0.17 to-ports=80
add action=dst-nat chain=dstnat comment=“WebServer (SSL)” dst-port=443
in-interface=ether7-WAN_3 protocol=tcp to-addresses=192.0.0.17 to-ports=
443
add action=dst-nat chain=dstnat comment=PRAL_FTP dst-port=3221 in-interface=
ether5-WAN_1 protocol=tcp to-addresses=192.0.0.17 to-ports=21
add action=dst-nat chain=dstnat comment=DashBoard dst-port=9898 in-interface=
ether5-WAN_1 protocol=tcp to-addresses=192.0.0.22 to-ports=80
add action=dst-nat chain=dstnat comment=WMS_Backup dst-port=421 in-interface=
ether5-WAN_1 protocol=tcp to-addresses=192.0.0.22 to-ports=21
add action=dst-nat chain=dstnat comment=VPN dst-port=1195 in-interface=
ether5-WAN_1 protocol=tcp to-addresses=192.0.0.23 to-ports=1195
add action=dst-nat chain=dstnat comment=AR-GoogleSheets dst-port=9899
in-interface=ether5-WAN_1 protocol=tcp to-addresses=192.0.0.222 to-ports=
80
# 9998 is the port the mobile app uses (per the thread); logged with prefix 222.
add action=dst-nat chain=dstnat comment=OwnCloud dst-port=9998 in-interface=
ether5-WAN_1 log=yes log-prefix=222 protocol=tcp to-addresses=192.0.0.222
to-ports=9998
add action=dst-nat chain=dstnat comment=Spider dst-port=9696 in-interface=
ether5-WAN_1 protocol=tcp to-addresses=192.0.0.222 to-ports=80

/ip route
# Corporate office LAN is reached via the ISP router at the far end of the AMG link.
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=192.168.15.2
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): the main table has two enabled default routes with distance=1 (Wateen and VPN
# below). RouterOS 7 treats equal-distance active routes as ECMP, so anything without a routing
# mark — including server replies to port-forwarded connections — is spread across WAN1 and WAN3.
# Give the main-table defaults distinct distances (and check-gateway=ping) so main has exactly
# one preferred exit; the per-WAN tables handle the marked traffic.
add comment=Wateen disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
123.123.123.201 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add comment=WAN1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
123.123.123.201 routing-table=To_WAN1 scope=30 suppress-hw-offload=no
target-scope=10
# Both PTCL routes are disabled=yes in this export. The PTCL netwatch down-script does exactly
# that, so this may be netwatch state rather than intent — check netwatch before relying on WAN2.
add comment=PTCL disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=
192.168.200.1 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add comment=WAN2 disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=
192.168.200.1 routing-table=To_WAN2 scope=30 suppress-hw-offload=no
target-scope=10
add comment=VPN disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
123.123.200.249 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add comment=WAN3 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
123.123.200.249 routing-table=To_WAN3 scope=30 suppress-hw-offload=no
target-scope=10
/tool netwatch
# Link monitors: simple ICMP probe every 30s with a 1s timeout. Pinging only the directly
# connected gateway detects a dead link, not an upstream outage — a check against a host beyond
# the ISP would be a stronger signal.
# Wateen (WAN1): on failure disable the main-table and To_WAN1 default routes (selected by their
# comment) and e-mail the NOC; on recovery re-enable them. The probe is subject to the output-
# chain ICMP rules in /ip firewall filter, which look swapped for WAN1/WAN3 — if the probe is
# dropped, this monitor holds WAN1 down.
add comment=Wateen disabled=no down-script=“/ip route disable [find comment="
Wateen"]\r
\n/ip route disable [find comment="WAN1"]\r
\n/tool e-mail send to="noc@tlpk.com" subject="Your Wateen-Internet Lin
k is Down" body="Your Wateen-Internet Link is Down. Please check. "”
host=123.123.123.201 http-codes=“” interval=30s start-delay=0ms
startup-delay=0s test-script=“” timeout=1s type=simple up-script=“/ip rout
e enable [find comment="Wateen"]\r
\n/ip route enable [find comment="WAN1"]\r
\n/tool e-mail send to="noc@tlpk.com" subject="Your Wateen-Internet Lin
k is Up" body="Your Wateen-Internet Link is Up. "”
# PTCL (WAN2): probes the PTCL public address; disables/enables the PTCL and WAN2 routes.
# (The "[find\n_comment" split is a paste artifact; the live script should read "[find comment=".)
add comment=PTCL disabled=no down-script=“/ip route disable [find comment="PT
CL"]\r
\n/ip route disable [find comment="WAN2"]\r
\n/tool e-mail send to="noc@tlpk.com" subject="Your PTCL-Internet Link
is Down" body="Your PTCL-Internet Link is Down. Please check. "” host=
181.191.111.43 http-codes=“” interval=30s start-delay=0ms startup-delay=
0s test-script=“” timeout=1s type=simple up-script=“/ip route enable [find
_comment="PTCL"]\r
\n/ip route enable [find comment="WAN2"]\r
\n/tool e-mail send to="noc@tlpk.com" subject="Your PTCL-Internet Link
is Up" body="Your PTCL-Internet Link is Up. "”
# VPN (WAN3) and AMG monitors only send e-mail; they do not touch any routes.
add comment=“VPN Link” disabled=no down-script=“/tool e-mail send to="noc@tlp
k.com" subject="Your VPN Link is Down" body="Your VPN Link is Down. Pl
ease check. "” host=123.123.200.249 http-codes=“” interval=30s
start-delay=0ms startup-delay=0s test-script=“” timeout=1s type=simple
up-script=“/tool e-mail send to="noc@tlpk.com" subject="Your VPN Link i
s UP" body="Your VPN Link is Up now."”
add comment=“AMG Link” disabled=no down-script=“/tool e-mail send to="noc@tlp
k.com" subject="Your AMG Link is Down" body="Your AMG Link is Down. Pl
ease check. "” host=192.168.10.1 http-codes=“” interval=30s start-delay=
0ms startup-delay=0s test-script=“” timeout=1s type=simple up-script=“/too
l e-mail send to="noc@tlpk.com" subject="Your AMG Link is UP" body="Y
our AMG Link is Up now."”

  1. Regarding external users and port forwarding — the question I have is: what is the plan?

Are some users supposed to reach server A on WAN1, other users reach server A by WAN2, and even different users supposed to reach server A by WAN3.
AND/OR
Are some users supposed to reach server A on WAN1, other users reach server B by WAN2, and even different users supposed to reach server C by WAN3.

  1. Do any User on the USER subnet access the servers on the SERVER subnet?
    If so, do they access by LAN IP, by a DynDNS URL, or by a static WAN IP address?

  2. Are all three WANS public or private IPs, and also are they static or dynamic.

  3. Why do you need bridges for two of the WANs??

  4. What is the purpose of the OVPN server???

Hi
Q.1 = Are some users supposed to reach server A on WAN1, other users reach server A by WAN2, and even different users supposed to reach server A by WAN3.
Answer = No
AND/OR
Q. 2 = Are some users supposed to reach server A on WAN1, other users reach server B by WAN2, and even different users supposed to reach server C by WAN3.
Answer = Yes
Q. 3 = Do any User on the USER subnet access the servers on the SERVER subnet?
Answer = Yes. My LAN users are accessing servers without any problem with their LAN IPs.
Q. 4 = Are all three WANS public or private IPs, and also are they static or dynamic.
Answer= All three WANs IPs are public and static.
Q. 5 = Why do you need bridges for two of the WANs??
Answer = I do not need bridges for WANs. I’ve only made a list of WAN connections not bridges.
Q. 6 = What is the purpose of the OVPN server
Answer = All remote users are accessing servers through OpenVPN with their LAN IPs.
Q.7 = what is the plan?
Previously all my WAN connections were configured on different routers (modems) provided by the service providers. I configured port forwarding for my different services on their modems / routers. It was working fine. Then I placed another server and when I forwarded its port in my modem, it was not working. I asked for help from my service provider and they told me that I cannot do multiple port forwardings on this modem. So they asked me to convert our connectivity to bridge mode in MikroTik so the static IPs will be assigned directly to the MikroTik router and there you can forward multiple ports as required. So I converted WAN1 and WAN3 from router mode to bridge mode. Everything (Internet, load balancing, etc.) is working fine except port forwarding.

I am getting a clearer picture, much thanks. Few more questions!!

  1. If all three WAN IPs are static and private then can I assume
    a. the three ISP modem/routers in front of the MT have public IPs
    b. that you can port forward from each ISP modem/router to the MT

Note: if a is not true, then you cannot do port forwarding from that ISP
Note: if a is true but b is not true then you cannot do port forwarding from that ISP.

  1. Understand now that you have, let's say, at least 3 servers, all different, and WAN1 should point to server1, WAN2 should point to server2, WAN3 should point to server3

  2. Understand that internal users access local servers by their IP address and thus you have forward chain rule allowing user subnet to access server subnet.

  3. Understand you have PCC for all other traffic, so we have to make sure that Server Return traffic does not get PCCd ( which is why your accept rules at start of mangles are done - will see if there is a better way to accomplish same but looks okay )

  4. Mangle rules do have some issues.

  5. Okay good no bridges for WANS, my error.
    I read this, WHICH IS STILL CONFUSING ME - due to the fact you said WANs were all private static IPs.
    My WAN1 and WAN3 routes are configured as bridge whereas WAN2 router is configured as router mode,

There is no such thing as configuring the WANS on the mikrotik as bridge or router mode in the sense of terminating ISP connections.
These are words that are more appropriate to describe the ISP equipment.
So lets get clarity here.
ISP1 - company? - modem or modem/router → Bridge mode (provides public WAN IP1) or router mode ( provides private WANIP .X on its router LAN to the MT)
ISP2 - company? - modem or modem/router → Bridge mode (provides public WAN IP2) or router mode ( provides private WANIP .Y on its router LAN to the MT)
ISP3 - company? - modem or modem/router → Bridge mode (provides public WAN IP3) or router mode ( provides private WANIP .Z on its router LAN to the MT)

(please describe in detail what actually exists(devices) and what occurs.)

  1. About OVPN, do you mean that your users DO NOT access the WANS directly for port forwarding?
    In other words, ALL external users enter the router via OVPN first, and then from there access the servers from an internal position??

First of all, Sorry, my mistake as I said WANs were all private static IPs.
WAN1 and WAN3 = Public and static IPs are configured on the MT. Nothing is configured on the ISPs' routers as they are acting as media converters.
WAN2 = ISP modem has Public and static IP and a Private IP subnet 192.168.200.0/24 is connected with MT.

Port forwarding for WAN1, WAN2 and WAN3 is configured on the MT, whereas a DMZ is configured on the ISP modem for WAN2 to redirect all traffic to the MT. Then the MT does the port forwarding.

ISP1 - WATEEN - modem/router → Bridge mode (provides public WAN IP1)
ISP2 - PTCL - modem/router → Router mode ( ISP provides public static WAN IP2 to the router. NAT is configured on this router and it has LAN IP 192.168.200.1 connected to the MT)
ISP3 - WATEEN - modem/router → Bridge mode (provides public WAN IP3)

About OVPN, All external users enter the router via OVPN and then access the servers by their LAN IP Addresses.
And for some applications, remote users access the WANS directly for port forwarding.

mangle rules are there for load balancing of LAN Users’ internet traffic. As WAN1 and WAN2 are also providing internet services to LAN users.

I hope it is now clear.

99% Clear.

When you say external users access SOME APPLICATIONS, via the WAN, do you mean SERVERS?
Are they port based applications ??

  1. Missing Interface list=LAN
  2. Missing pool for ether1 LAN and ether2 Servers
  3. Your Firewall Rules are non-existent and basically don’t protect anything. * until you have useful firewall rules it will be hard to progress *
  4. One of the first accept rules in mangles makes no sense, 192.168.10.0 (does not exist!!) I think you meant 192.168.6.0/24
  5. Not sure about this accept rule because it addresses any local or vpn traffic to the server…
    add action=accept chain=prerouting dst-address=192.0.0.0/24
    But it also captures any traffic coming in externally from the WANS via port forwarding and thus bypasses other rules…
    Perhaps if we put src-address-type=local ??
  6. Mangles adjusted as required
  7. DSTNAT rules adjusted as required.
  8. I don't understand the relationship between the ether8 VPN and its subnet 192.168.15.0/24 and the VPN pool - 10.10.10.51-10.10.10.150
    Specifically this routing rule is challenging:
    add dst-address=192.168.10.0/24 gateway=192.168.15.2 routing-table=main

First of all I think you meant, as discussed, 192.168.6.0/24 ( the LAN ), so you are saying that the router should route all traffic to the LAN IPs through the VPN gateway.
What traffic is heading to the LAN Users??? and why would it go to the VPN gateway?
There may be traffic from the VPN users going to the Servers???
However since the VPN is local routing may not be required but firewall rules will be to allow such traffic,

  1. What is the intent of the netwatch scripts??
  2. Just noticed where are /ip dhcp-server network
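/interface list
add comment="WAN Interfaces" name=WAN
add name=LAN
/interface list member
add interface=ether5-WAN_1 list=WAN
add interface=ether6-WAN_2 list=WAN
add interface=ether7-WAN_3 list=WAN
# ether2 is named ether2-Servers in /interface ethernet; the member entry must use that name.
add interface=ether2-Servers list=LAN
add interface=ether1-HO_LAN list=LAN
/ip pool
add name=VPN_Pool ranges=10.10.10.51-10.10.10.150
add name=SVR_Pool ranges=192.0.0.100-192.0.0.150
add name=LAN_Pool ranges=192.168.6.2-192.168.6.254
/ip firewall mangle
# Accept rules for LAN-to-LAN type traffic: whatever matches here leaves mangle unmarked.
# NOTE(review): src-address-type=local matches packets sourced from the router's OWN addresses,
# not from LAN hosts, so the first rule as written will not catch user-LAN -> server traffic.
# A src-address-list of the internal subnets (as used later in this thread) expresses that intent.
add action=accept chain=prerouting dst-address=192.0.0.0/24 src-address-type=local
add action=accept chain=prerouting dst-address=192.168.6.0/24
add action=accept chain=prerouting dst-address=192.168.15.0/24
# Traffic to the router itself: remember which WAN it came in on (input) so the router's own
# replies (output) leave through that WAN's table. Mark names must be identical in both halves;
# the posted version mixed incoming-WAN1 / incoming_WAN1 and server-WANx / server_WANx, so those
# mark-routing rules could never match.
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether5-WAN_1 \
    new-connection-mark=incoming_WAN1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether6-WAN_2 \
    new-connection-mark=incoming_WAN2 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether7-WAN_3 \
    new-connection-mark=incoming_WAN3 passthrough=yes
add action=mark-routing chain=output connection-mark=incoming_WAN1 \
    new-routing-mark=To_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=incoming_WAN2 \
    new-routing-mark=To_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=incoming_WAN3 \
    new-routing-mark=To_WAN3 passthrough=no
# External users to server traffic: the inbound packet is delivered to the server by main (the
# server LAN is directly connected); the connection mark set in forward lets the server's replies
# select the originating WAN's table in prerouting.
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether5-WAN_1 \
    dst-address=192.0.0.0/24 new-connection-mark=server_WAN1 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether6-WAN_2 \
    dst-address=192.0.0.0/24 new-connection-mark=server_WAN2 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether7-WAN_3 \
    dst-address=192.0.0.0/24 new-connection-mark=server_WAN3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=server_WAN1 \
    new-routing-mark=To_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=server_WAN2 \
    new-routing-mark=To_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=server_WAN3 \
    new-routing-mark=To_WAN3 passthrough=no
# PCC load balancing of user-LAN internet traffic across the three WANs.
# mark-connection is done in prerouting, not forward: the marks must exist on the very first
# packet, otherwise the SYN is routed (and NATed) via main while the rest of the connection
# follows the marked table, i.e. leaves a different WAN than the one the NAT mapping was built on.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether1-HO_LAN new-connection-mark=LAN1_Conn \
    passthrough=yes per-connection-classifier=src-address-and-port:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether1-HO_LAN new-connection-mark=LAN2_Conn \
    passthrough=yes per-connection-classifier=src-address-and-port:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether1-HO_LAN new-connection-mark=LAN3_Conn \
    passthrough=yes per-connection-classifier=src-address-and-port:3/2
add action=mark-routing chain=prerouting connection-mark=LAN1_Conn \
    new-routing-mark=To_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=LAN2_Conn \
    new-routing-mark=To_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=LAN3_Conn \
    new-routing-mark=To_WAN3 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerading for WAN_Connections" \
    out-interface-list=WAN
# Port forwards match on the public address the client connected to (PUBLICIP-ISPn and
# PRIVATEIP_WAN2 are placeholders for the real addresses) instead of on in-interface.
# With no forward-chain filter rules, every forwarded port reaches its server unfiltered;
# restrict src-address where the client set is known, especially on the two port-21 forwards.
add action=dst-nat chain=dstnat comment="PlayStore IIS" dst-port=80 \
    dst-address=PUBLICIP-ISP1 log=yes log-prefix=192.0.0.3 protocol=tcp \
    to-addresses=192.0.0.3
add action=dst-nat chain=dstnat comment="WebServer (SSL)" dst-port=443 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.0.0.8
add action=dst-nat chain=dstnat comment="VPN Proxmox" dst-port=1193 \
    dst-address=PRIVATEIP_WAN2 log=yes protocol=tcp to-addresses=192.0.0.11 \
    to-ports=1194
add action=dst-nat chain=dstnat comment=WebServer connection-mark="" \
    dst-port=80 dst-address=PUBLICIP-ISP3 protocol=tcp to-addresses=192.0.0.17
# The posted rule read "in-interface=dst-address=PUBLICIP-ISP3", which does not parse.
add action=dst-nat chain=dstnat comment="WebServer (SSL)" dst-port=443 \
    dst-address=PUBLICIP-ISP3 protocol=tcp to-addresses=192.0.0.17
add action=dst-nat chain=dstnat comment=PRAL_FTP dst-port=3221 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.0.0.17 to-ports=21
add action=dst-nat chain=dstnat comment=DashBoard dst-port=9898 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.0.0.22 to-ports=80
add action=dst-nat chain=dstnat comment=WMS_Backup dst-port=421 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.0.0.22 to-ports=21
add action=dst-nat chain=dstnat comment=VPN dst-port=1195 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.0.0.23
add action=dst-nat chain=dstnat comment=AR-GoogleSheets dst-port=9899 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.0.0.222 to-ports=80
add action=dst-nat chain=dstnat comment=OwnCloud dst-port=9998 \
    dst-address=PUBLICIP-ISP1 log=yes log-prefix=222 protocol=tcp to-addresses=192.0.0.222
add action=dst-nat chain=dstnat comment=Spider dst-port=9696 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.0.0.222 to-ports=80
/ip route
# main table: distinct distances give exactly one preferred exit for unmarked traffic (no ECMP),
# and check-gateway=ping withdraws a route whose gateway stops answering.
add comment=Wateen check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=123.123.123.201 routing-table=main
add comment=PTCL check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-table=main
add comment=VPN check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=123.123.200.249 routing-table=main
# Per-WAN tables selected by the routing marks above.
add comment=WAN1 dst-address=0.0.0.0/0 gateway=123.123.123.201 routing-table=To_WAN1
add comment=WAN2 dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-table=To_WAN2
add comment=WAN3 dst-address=0.0.0.0/0 gateway=123.123.200.249 routing-table=To_WAN3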

Yes. Some applications are web (port) based, for which I am using different ports. Our users also use a mobile app, which connects to the server on port 9998.

Sorry for late reply.
Thank you so much for your support. Here are the answers to your questions.

  1. Missing Interface list=LAN
    Only port # 1 is used for LAN which is terminated in core switch for LAN.

  2. Missing pool for ether1 LAN and ether2 Servers
    I am assigning static IPs using MAC addresses. Therefore there is no pool for LAN and Servers.

  3. Your Firewall Rules are non-existent and basically don’t protect anything. * until you have useful firewall rules it will be hard to progress *
    Yes. As I am new to this. I am configuring this router step by step.

  4. One of the first accept rules in mangles makes no sense, 192.168.10.0 (does not exist!!) I think you meant 192.168.6.0/24
    We also have a dedicated (VPN) link to our corporate office. 192.168.10.0 is a LAN for that office. They are also accessing our servers on that link 192.168.15.0. To access that network, there is a mangle rule.

  5. Not sure about this accept rule because it addresses any local or vpn traffic to the server…
    add action=accept chain=prerouting dst-address=192.0.0.0/24
    But it also captures any traffic coming in externally from the WANS via port forwarding and thus bypasses other rules…
    Perhaps if we put src-address-type=local ??
    OK

  6. Mangles adjusted as required
    OK. I’ll check these.

  7. DSTNAT rules adjusted as required.
    OK I’ll check these.

  8. I don't understand the relationship between the ether8 VPN and its subnet 192.168.15.0/24 and the VPN pool - 10.10.10.51-10.10.10.150
    Specifically this routing rule is challenging:
    add dst-address=192.168.10.0/24 gateway=192.168.15.2 routing-table=main
    We have a DEDICATED link to our corporate office by our ISP. They installed their router, which has IP address 192.168.15.2. To access their network 192.168.10.0/24, this route is added. Whereas 10.10.10.51 is for OVPN clients.

First of all I think you meant, as discussed, 192.168.6.0/24 ( the LAN ), so you are saying that the router should route all traffic to the LAN IPs through the VPN gateway.
What traffic is heading to the LAN Users??? and why would it go to the VPN gateway?
No traffic is going to LAN 192.168.6.0/24 VPN gateway is only for 192.0.0.0/24 (Server LAN).
There may be traffic from the VPN users going to the Servers???
Yes
However since the VPN is local routing may not be required but firewall rules will be to allow such traffic,
Without a route, it was not working.

  1. What is the intent of the netwatch scripts??
    Just to monitor the links’ status.



Based on your feedback and TWO comments

  1. DO not use a public IP address to define the servers local subnet.
    use 192.168 / 172.16. / 10.0.0 but NOT 192.0.0.

  2. Also regarding the first mangle rule the correct way, apologies for confusion is to state it like this:
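    /ip firewall mangle
    # Accept rules for LAN-to-LAN type traffic ("{ ... }" is a script block in RouterOS, not a
    # comment, so the section labels use "#"). Traffic from any internal source to the servers, and
    # any traffic to an internal subnet, leaves mangle unmarked; only WAN-originated traffic and
    # internet-bound LAN traffic falls through to the marking/PCC rules.
    add action=accept chain=prerouting dst-address=192.168.99.0/24 src-address-list=LOCAL/VPN
    add action=accept chain=prerouting dst-address-list=LOCAL/VPN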

Where
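/ip firewall address-list
# Every internal origin that may reach the servers; the mangle accept rules match on this list.
# 192.168.99.0/24 replaces the server LAN's 192.0.0.0/24, which is not private address space.
# NOTE(review): the WireGuard subnet 10.10.1.0/24 from /ip address is not listed — add it if
# WireGuard peers also reach the servers.
add address=192.168.99.0/24 list=LOCAL/VPN
add address=192.168.6.0/24 list=LOCAL/VPN
add address=10.10.10.0/24 list=LOCAL/VPN
add address=192.168.10.0/24 list=LOCAL/VPN
add address=192.168.15.0/24 list=LOCAL/VPN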

Note: I included both the .10 and .15 subnets as I do not know which source addresses actually hit the servers.

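 /interface list
add comment="WAN Interfaces" name=WAN
add name=LAN
/interface list member
add interface=ether5-WAN_1 list=WAN
add interface=ether6-WAN_2 list=WAN
add interface=ether7-WAN_3 list=WAN
# ether2 is named ether2-Servers in /interface ethernet; the member entry must use that name.
add interface=ether2-Servers list=LAN
add interface=ether1-HO_LAN list=LAN
add interface=ether8-VPN_AMG list=LAN
/ip pool
add name=VPN_Pool ranges=10.10.10.51-10.10.10.150
add name=SVR_Pool ranges=192.168.99.100-192.168.99.150
add name=LAN_Pool ranges=192.168.6.2-192.168.6.254
/ip firewall address-list
# Every internal origin that may reach the servers; the mangle accept rules match on this list.
# 192.168.99.0/24 replaces the server LAN's 192.0.0.0/24, which is not private address space.
# NOTE(review): the WireGuard subnet 10.10.1.0/24 from /ip address is not listed — add it if
# WireGuard peers also reach the servers.
add address=192.168.99.0/24 list=LOCAL-VPN
add address=192.168.6.0/24 list=LOCAL-VPN
add address=10.10.10.0/24 list=LOCAL-VPN
add address=192.168.10.0/24 list=LOCAL-VPN
add address=192.168.15.0/24 list=LOCAL-VPN
/ip firewall mangle
# Accept rules for LAN-to-LAN type traffic ("{ ... }" is a script block in RouterOS, not a comment,
# so section labels use "#"). Internal-source traffic to the servers and any traffic to an internal
# subnet leaves mangle unmarked; only WAN-originated and internet-bound LAN traffic falls through.
add action=accept chain=prerouting dst-address=192.168.99.0/24 src-address-list=LOCAL-VPN
add action=accept chain=prerouting dst-address-list=LOCAL-VPN
# Traffic to the router itself: remember which WAN it came in on (input) so the router's own
# replies (output) leave through that WAN's table. Mark names must be identical in both halves;
# the posted version mixed incoming-WAN1 / incoming_WAN1 and server-WANx / server_WANx, so those
# mark-routing rules could never match.
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether5-WAN_1 \
    new-connection-mark=incoming_WAN1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether6-WAN_2 \
    new-connection-mark=incoming_WAN2 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether7-WAN_3 \
    new-connection-mark=incoming_WAN3 passthrough=yes
add action=mark-routing chain=output connection-mark=incoming_WAN1 \
    new-routing-mark=To_WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=incoming_WAN2 \
    new-routing-mark=To_WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=incoming_WAN3 \
    new-routing-mark=To_WAN3 passthrough=no
# External users to server traffic: the inbound packet is delivered to the server by main (the
# server LAN is directly connected); the connection mark set in forward lets the server's replies
# select the originating WAN's table in prerouting.
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether5-WAN_1 \
    dst-address=192.168.99.0/24 new-connection-mark=server_WAN1 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether6-WAN_2 \
    dst-address=192.168.99.0/24 new-connection-mark=server_WAN2 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether7-WAN_3 \
    dst-address=192.168.99.0/24 new-connection-mark=server_WAN3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=server_WAN1 \
    new-routing-mark=To_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=server_WAN2 \
    new-routing-mark=To_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=server_WAN3 \
    new-routing-mark=To_WAN3 passthrough=no
# PCC load balancing of user-LAN internet traffic across the three WANs.
# mark-connection is done in prerouting, not forward: the marks must exist on the very first
# packet, otherwise the SYN is routed (and NATed) via main while the rest of the connection
# follows the marked table, i.e. leaves a different WAN than the one the NAT mapping was built on.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether1-HO_LAN new-connection-mark=LAN1_Conn \
    passthrough=yes per-connection-classifier=src-address-and-port:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether1-HO_LAN new-connection-mark=LAN2_Conn \
    passthrough=yes per-connection-classifier=src-address-and-port:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=ether1-HO_LAN new-connection-mark=LAN3_Conn \
    passthrough=yes per-connection-classifier=src-address-and-port:3/2
add action=mark-routing chain=prerouting connection-mark=LAN1_Conn \
    new-routing-mark=To_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=LAN2_Conn \
    new-routing-mark=To_WAN2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=LAN3_Conn \
    new-routing-mark=To_WAN3 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerading for WAN_Connections" \
    out-interface-list=WAN
# Port forwards match on the public address the client connected to (PUBLICIP-ISPn and
# PRIVATEIP_WAN2 are placeholders for the real addresses) instead of on in-interface.
# With no forward-chain filter rules, every forwarded port reaches its server unfiltered;
# restrict src-address where the client set is known, especially on the two port-21 forwards.
add action=dst-nat chain=dstnat comment="PlayStore IIS" dst-port=80 \
    dst-address=PUBLICIP-ISP1 log=yes log-prefix=192.168.99.3 protocol=tcp \
    to-addresses=192.168.99.3
add action=dst-nat chain=dstnat comment="WebServer (SSL)" dst-port=443 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.168.99.8
add action=dst-nat chain=dstnat comment="VPN Proxmox" dst-port=1193 \
    dst-address=PRIVATEIP_WAN2 log=yes protocol=tcp to-addresses=192.168.99.11 \
    to-ports=1194
add action=dst-nat chain=dstnat comment=WebServer connection-mark="" \
    dst-port=80 dst-address=PUBLICIP-ISP3 protocol=tcp to-addresses=192.168.99.17
# The posted rule read "in-interface=dst-address=PUBLICIP-ISP3", which does not parse.
add action=dst-nat chain=dstnat comment="WebServer (SSL)" dst-port=443 \
    dst-address=PUBLICIP-ISP3 protocol=tcp to-addresses=192.168.99.17
add action=dst-nat chain=dstnat comment=PRAL_FTP dst-port=3221 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.168.99.17 to-ports=21
add action=dst-nat chain=dstnat comment=DashBoard dst-port=9898 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.168.99.22 to-ports=80
add action=dst-nat chain=dstnat comment=WMS_Backup dst-port=421 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.168.99.22 to-ports=21
add action=dst-nat chain=dstnat comment=VPN dst-port=1195 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.168.99.23
add action=dst-nat chain=dstnat comment=AR-GoogleSheets dst-port=9899 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.168.99.222 to-ports=80
add action=dst-nat chain=dstnat comment=OwnCloud dst-port=9998 \
    dst-address=PUBLICIP-ISP1 log=yes log-prefix=222 protocol=tcp to-addresses=192.168.99.222
add action=dst-nat chain=dstnat comment=Spider dst-port=9696 \
    dst-address=PUBLICIP-ISP1 protocol=tcp to-addresses=192.168.99.222 to-ports=80
/ip route
# main table: distinct distances give exactly one preferred exit for unmarked traffic (no ECMP),
# and check-gateway=ping withdraws a route whose gateway stops answering.
add comment=Wateen check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=123.123.123.201 routing-table=main
add comment=PTCL check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-table=main
add comment=VPN check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=123.123.200.249 routing-table=main
# Per-WAN tables selected by the routing marks above.
add comment=WAN1 dst-address=0.0.0.0/0 gateway=123.123.123.201 routing-table=To_WAN1
add comment=WAN2 dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-table=To_WAN2
add comment=WAN3 dst-address=0.0.0.0/0 gateway=123.123.200.249 routing-table=To_WAN3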

Hi
Thanks for your help but nothing worked for me. So I installed a separate MikroTik for the WAN connection that is used for the most port forwards.

Then I noticed a thing on my previous router: Internet Detect is not working. As I have not terminated my internet connection on ether-1, it is not detecting the Internet. But on all my other routers I terminated the WAN on ether-1, and on those routers Internet Detect is working. Maybe this is the reason that port forwarding worked on my previous router, but on random WAN interfaces rather than on any fixed WAN interface.

Most of us set Internet Detect to NONE, as it can have bad effects.