Hello! I was reading other posts on the forum on the topic of port forwarding but I couldn’t find a solution to my problem.
I have 2 WANs (one PPPoE and one DHCP). The PCC configuration is working fine, but I need port forwarding to be on WAN-6 (DHCP). The main connection is through WAN-1 (PPPoE).
This is my configuration:
ether1: WAN PPPoE
ether6: WAN DHCP
ether2 / 3: LAN Bridge
I also cannot connect to OpenVPN with Mikrotik itself being the server.
Try reading this post, starting from the last paragraph that links it to your context. If it does not help resolve your case, say so here, we shall proceed with your particular configuration.
Certainly don't want to drop ICMP; it's used for good reasons.
Conceptually speaking, discussing port forwarding in general, in terms of PCC plus port forwarding.
Consider that PCC forces LAN traffic to specific WAN IPs and you have no real control over which sessions.
Therefore, one has to ensure that server traffic is taken care of FIRST.
There are several ways to accomplish this.
In any case it would be logical to create a firewall address list for all the servers in question:
/ip firewall address-list
add address=server1 list=SERVERS
add address=server2 list=SERVERS
etc.
FACT: —> ENSURE Server Traffic is handled prior to PCC traffic in mangle rules.
We have to consider 3 types of server users.
a. those local using LANIP directly
b. those local using DYNDNS name of server
c. those coming in external to the router.
This rule, first in the mangle chain, takes any outgoing traffic from the servers and allows it to happen.
Thus this is a good logic start, as apparently we would no longer worry about the traffic being PCCd:
add chain=forward action=accept src-address-list=SERVERS
However, do you see any issues with this rule used in isolation, running through the 3 scenarios above?
What if the external user request came in on WAN2, but WAN1 is the primary route on the router?
So for external traffic we still have to consider Routing. Thus we cannot avoid mangling for servers, seems to be the outcome:
The proposed solution is a joint effort of the two:
/ip firewall mangle
# for direct LAN user to server traffic - avoiding mangling by PCC
add chain=forward action=accept in-interface-list=LAN dst-address-list=SERVERS
add chain=forward action=accept src-address-list=SERVERS out-interface-list=LAN
# ENSURING EXTERNAL TRAFFIC COMING IN ON WANX HEADING FOR SERVERS goes out WANX
add chain=forward action=mark-connection connection-mark=no-mark in-interface=ether1 new-connection-mark=incoming-WAN1 passthrough=yes comment="wan1"
add chain=forward action=mark-connection connection-mark=no-mark in-interface=ether2 new-connection-mark=incoming-WAN2 passthrough=yes comment="wan2"
add chain=prerouting action=mark-routing connection-mark=incoming-WAN1 src-address-list=SERVERS new-routing-mark=To_Movistar passthrough=no
add chain=prerouting action=mark-routing connection-mark=incoming-WAN2 src-address-list=SERVERS new-routing-mark=To_Telecentro passthrough=no
Notes:
NOW YOU CAN ADD PCC MANGLES AFTER THE ABOVE.
I see you already have mangle input/output rules, so I assume you have services on the router (VPNs etc.) that need to respond on the correct WAN?
They probably should remain first in the order of mangle rules. What's important is that the above is before the PCC rules.
I configured both WAN1 and WAN2 for the port forwarding mangling because it is not clear if ALL servers go through WAN2 and none through WAN1, or a mix.
If only WAN2 is used then by all means ignore the WAN1 part. I highlighted WAN2.
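The ordering argued above, worked through against the original poster's layout, as an added example that is not any poster's configuration. Everything below the interface names is assumed: `pppoe-out1` as the PPPoE client name on ether1 (WAN1, main default route), ether6 as the DHCP WAN (WAN6, where the port forward lives), an interface list `LAN` holding the bridge, a single server 192.168.88.10 on 192.168.88.0/24 publishing TCP/443, routing tables `To_WAN1` / `To_WAN6`, and a WAN6 next hop 203.0.113.1 standing in for whatever the DHCP client hands out. The syntax is RouterOS v7 (`/routing table`, `routing-table=`); v6 uses `routing-mark=` on `/ip route` and has no `/routing table`. Unlike the post, the "skip PCC" accepts are placed in `prerouting`, because that is the chain the PCC rules live in and an `accept` only stops further rules in its own chain. The hairpin rules at the end cover case (b), the LAN user who reaches the server by its DynDNS name.

```routeros
# Added example (assumptions listed in the lead-in): PCC + port forward on the DHCP WAN.
/ip firewall address-list
add address=192.168.88.10 list=SERVERS comment="web server (assumed)"

/routing table
add name=To_WAN1 fib
add name=To_WAN6 fib

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=To_WAN1 comment="WAN1 table"
# The DHCP client only installs the main-table default route; this next hop is an assumed
# placeholder and must be updated (e.g. from a dhcp-client script) if the lease gateway changes.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=To_WAN6 comment="WAN6 table"

/ip firewall mangle
# 1. Local LAN <-> server traffic is accepted in prerouting, ahead of the PCC rules in the
#    same chain, so it never receives a connection or routing mark.
add chain=prerouting action=accept in-interface-list=LAN dst-address-list=SERVERS comment="LAN->server, skip PCC"
add chain=prerouting action=accept in-interface-list=LAN src-address-list=SERVERS dst-address=192.168.88.0/24 comment="server->LAN, skip PCC"

# 2. Connections arriving from outside: remember which WAN they came in on. They are seen here
#    after dst-nat, so in-interface is the real arrival interface.
add chain=forward action=mark-connection connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=incoming-WAN1 passthrough=yes comment="inbound via WAN1"
add chain=forward action=mark-connection connection-mark=no-mark in-interface=ether6 new-connection-mark=incoming-WAN6 passthrough=yes comment="inbound via WAN6"

# 3. Server replies for those connections get the matching routing mark before the routing
#    decision, so a session that entered on WAN6 also leaves on WAN6.
add chain=prerouting action=mark-routing connection-mark=incoming-WAN1 src-address-list=SERVERS new-routing-mark=To_WAN1 passthrough=no comment="reply via WAN1"
add chain=prerouting action=mark-routing connection-mark=incoming-WAN6 src-address-list=SERVERS new-routing-mark=To_WAN6 passthrough=no comment="reply via WAN6"

# 4. Only now the PCC rules. connection-mark=no-mark guarantees a connection tagged in step 2
#    is never re-marked and dragged onto the other WAN.
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface-list=LAN dst-address-type=!local per-connection-classifier=both-addresses:2/0 new-connection-mark=WAN1_conn passthrough=yes comment="PCC 1/2"
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface-list=LAN dst-address-type=!local per-connection-classifier=both-addresses:2/1 new-connection-mark=WAN6_conn passthrough=yes comment="PCC 2/2"
add chain=prerouting action=mark-routing connection-mark=WAN1_conn in-interface-list=LAN new-routing-mark=To_WAN1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=WAN6_conn in-interface-list=LAN new-routing-mark=To_WAN6 passthrough=no

/ip firewall nat
# External users: match on the arrival interface rather than on the DHCP-assigned address,
# so the forward keeps working when WAN6 gets a new lease.
add chain=dstnat in-interface=ether6 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="443 -> server via WAN6"
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="WAN1 masquerade"
add chain=srcnat out-interface=ether6 action=masquerade comment="WAN6 masquerade"
# Hairpin NAT for LAN users who hit the server through its DynDNS name (a router address):
# translate the destination, then masquerade the source so the server answers via the router.
add chain=dstnat in-interface-list=LAN dst-address-type=local protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="hairpin 443"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=443 action=masquerade comment="hairpin masquerade"
```

To check the ordering after pasting, `/ip firewall mangle print` should list the accepts, the two `incoming-WAN*` marks and the two server `mark-routing` rules before any `per-connection-classifier` rule; `/ip firewall connection print where connection-mark=incoming-WAN6` then shows an external test connection landing with the right tag, and `/ip route print where routing-table=To_WAN6` confirms the table actually has a default route at the moment the reply needs it.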