Port Mapping for the 2 WANs; Default LAN GW

Hi there.
I have some questions about my Mikrotik setup with 2 WAN ports, 1 LAN port (a bridge is preferable, so that any available ethernet port can be used) and port mapping.

Initial:

WAN1 IP: 70.70.70.70/24 GW 70.70.70.1
WAN2 IP: 80.80.80.80/24 GW 80.80.80.1
LAN IP: 192.168.2.254/24 NO GW

I do not need any load balancing. Also, I do not need to allow any system from the LAN to go to the WAN, except for connections allowed by port mapping.

I checked the forum posts and I prepared the initial configuration:

#/system reset-configuration no-defaults=yes skip-backup=yes

:global wan1ip "70.70.70.70"
:global wan1gw "70.70.70.1"
:global wan2ip "80.80.80.80"
:global wan2gw "80.80.80.1"

:global lanIpTest "192.168.2.254"
:global lanNetworkTest "192.168.2.0"
:global lanSubnet "24"

:log info ("Initial configuration started")

/interface set "ether1" name="WAN1"
/interface set "ether2" name="WAN2"
/interface set "ether3" name="LAN"

/ip address add address=($wan1ip . "/" . $lanSubnet) interface=WAN1 comment="WAN1 IP"
/ip address add address=($wan2ip . "/" . $lanSubnet) interface=WAN2 comment="WAN2 IP"
/ip address add address=($lanIpTest . "/" . $lanSubnet) network=$lanNetworkTest interface=LAN comment="LAN IP (Test)"

# Initial firewall setup

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="Accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept protocol=icmp comment="Accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="Accept to local loopback (for CAPsMAN)"
add chain=input action=accept protocol=tcp dst-port=8291 comment="Allow remote connection using WinBox from WAN1 and WAN2"
add chain=input action=drop in-interface=!LAN comment="Drop all not coming from LAN (OPTIONAL)"
add chain=forward action=accept ipsec-policy=in,ipsec comment="Accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="Accept out ipsec policy"
# Fasttracked packets bypass mangle, so the routing marks set below are not applied to packets of a connection once it is fasttracked
add chain=forward action=fasttrack-connection connection-state=established,related comment="Fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="Accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN1 comment="Drop all from WAN1 not DSTNATed"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN2 comment="Drop all from WAN2 not DSTNATed"

# Mark all connections coming into WAN1 as such, do the same for WAN2:

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection comment="Mark WAN1 packets"
add chain=prerouting in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection comment="Mark WAN2 packets"

# Set routing marks for all packets in those connections that come in from the LAN and go back out to the internet:

/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=LAN connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

# Make dst-nat workable

/ip firewall mangle
add chain=forward in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=forward in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection 

# Mark ICMP going to the router itself:

/ip firewall mangle
add chain=output connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2


#the NAT rules

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade comment="NAT Masquerade WAN1"
add chain=srcnat out-interface=WAN2 action=masquerade comment="NAT Masquerade WAN2"

/ip firewall nat
add chain=dstnat action=dst-nat dst-port=5902 in-interface=WAN1 to-addresses=192.168.2.2 to-ports=5900 protocol=tcp comment="PM WAN1:5902 -> 192.168.2.2:5900 (VNC 192.168.2.2)"
add chain=dstnat action=dst-nat dst-port=5902 in-interface=WAN2 to-addresses=192.168.2.2 to-ports=5900 protocol=tcp comment="PM WAN2:5902 -> 192.168.2.2:5900 (VNC 192.168.2.2)"

# Install routes that fire for those routing marks to make sure the packets go back out the right pipe:

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=$wan1gw
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=$wan2gw

# Prefer WAN1 over WAN2 for all traffic except the stuff we're specifically marking to go back out WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=$wan1gw distance=1
add dst-address=0.0.0.0/0 gateway=$wan2gw distance=2

# Disable unnecessary services

/ip service disable www,api,ftp,telnet
/ip upnp set enabled=no

# Allow to communicate with other Mikrotik routers and MAC discovering from the LAN only

/ip neighbor discovery-settings set discover-interface-list=all
/tool mac-server set allowed-interface-list=all
/tool mac-server mac-winbox set allowed-interface-list=all

# Set default SSH port 3000

/ip service set ssh port=3000

:log info ("Initial configuration completed")

I'm trying to test it with just one PC with IP 192.168.2.2 and no GW defined.
The rest of the systems in 192.168.2.0/24 have 192.168.2.2 as the default gateway.

Could you please help me with several questions:

  1. Port mapping to 192.168.2.2:5900 does not work unless I define 192.168.2.254 (the router IP) on the 192.168.2.2 system as the default gateway. Is it possible to avoid that? I probably missed one of the needed routes.
  2. I need to prepare two scripts with two different LAN IP subnets and rules. What is the correct way to prepare one merged script that can handle both LAN subnets at the same time?
    For example, I need to handle 192.168.2.0/24 (port mapping WAN:5900 → 192.168.2.1:5900 and WAN:5920 → 192.168.3.1:5900).
  3. I need to allow access to an SMB share from the WAN to 192.168.2.1. Will mapped ports TCP/UDP 139 and TCP 445 be enough to use SMBv3? I need to access 192.168.2.1\Shared_folder as WAN1_IP\Shared_folder and WAN2_IP\Shared_folder.
  4. I need to prevent any other network connections from the LAN to WAN1/WAN2. (I think it is done.)

I have another script I made before that seems to work OK, except that I can't use SMB share access; I can use VNC and two LAN subnets, and I have no default GW set on 192.168.2.2.
I believe it has a problem with packet routing from the LAN to WAN1/WAN2.

#/system reset-configuration no-defaults=yes skip-backup=yes

:global wan1ip "80.80.80.1"
:global wan2ip "70.70.70.1"
:global lanIp1 "192.168.2.254"
:global lanNetwork1 "192.168.2.0"
:global lanIp2 "192.168.3.254"
:global lanNetwork2 "192.168.3.0"
:global lanSubnet "24"

:log info ("Initial configuration started")

# Bridge setup

/interface bridge add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment="LAN bridge"
/interface bridge port add interface=ether3 bridge=bridge comment="Connect ether3 to bridge"
/interface bridge port add interface=ether4 bridge=bridge comment="Connect ether4 to bridge"
/interface bridge port add interface=ether5 bridge=bridge comment="Connect ether5 to bridge"

/ip address add address=($lanIp1 . "/" . $lanSubnet) network=$lanNetwork1 interface=bridge comment="bridge IP LAN1"
/ip address add address=($lanIp2 . "/" . $lanSubnet) network=$lanNetwork2 interface=bridge comment="bridge IP LAN2"

/interface list add name=WAN1 comment="WAN1"
/interface list add name=WAN2 comment="WAN2"
/interface list add name=LAN comment="LAN"

/interface list member add list=LAN interface=bridge comment="LAN -> bridge"
/interface list member add list=WAN1 interface=ether1 comment="WAN1 -> ether1"
/interface list member add list=WAN2 interface=ether2 comment="WAN2 -> ether2"

/ip address add address=($wan1ip . "/" . $lanSubnet) interface=ether1 comment="WAN1 GW"
/ip address add address=($wan2ip . "/" . $lanSubnet) interface=ether2 comment="WAN2 GW"

# User administration

# Initial firewall setup

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="Accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept protocol=icmp comment="Accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="Accept to local loopback (for CAPsMAN)"
add chain=input action=accept protocol=tcp dst-port=8291 comment="Allow remote connection using WinBox from WAN1 and WAN2"
add chain=input action=drop in-interface-list=!LAN comment="Drop all not coming from LAN (OPTIONAL)"
add chain=forward action=accept ipsec-policy=in,ipsec comment="Accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="Accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="Fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="Accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN1 comment="Drop all from WAN1 not DSTNATed"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN2 comment="Drop all from WAN2 not DSTNATed"

# Mark all connections coming into WAN1 as such, do the same for WAN2:

/ip firewall mangle
add chain=prerouting in-interface-list=WAN1 action=mark-connection new-connection-mark=WAN1_connection comment="Mark WAN1 packets"
add chain=prerouting in-interface-list=WAN2 action=mark-connection new-connection-mark=WAN2_connection comment="Mark WAN2 packets"

# Mark ICMP going to the router itself:

/ip firewall mangle
add chain=output connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

# Set routing marks for all packets in those connections that come in from the LAN and go back out to the internet:

/ip firewall mangle
add chain=prerouting in-interface-list=LAN connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface-list=LAN connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

# Make dst-nat workable

/ip firewall mangle
add chain=forward in-interface-list=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=forward in-interface-list=WAN2 action=mark-connection new-connection-mark=WAN2_connection 

#the NAT rules

/ip firewall nat
# Both rules match out-interface=bridge, i.e. traffic leaving towards the LAN, not towards WAN1/WAN2
add chain=srcnat out-interface=bridge action=masquerade comment="NAT Masquerade WAN1"
add chain=srcnat out-interface=bridge action=masquerade comment="NAT Masquerade WAN2"

/ip firewall nat

# No in-interface is set, so these rules match packets arriving on any interface, the LAN bridge included
add chain=dstnat action=dst-nat dst-port=20 to-addresses=192.168.2.1 to-ports=20 protocol=tcp comment="PM WAN:20 -> 192.168.2.1:20 (FTP)"
add chain=dstnat action=dst-nat dst-port=21 to-addresses=192.168.2.1 to-ports=21 protocol=tcp comment="PM WAN:21 -> 192.168.2.1:21 (FTP)"
add chain=dstnat action=dst-nat dst-port=23 to-addresses=192.168.2.1 to-ports=23 protocol=tcp comment="PM WAN:23 -> 192.168.2.1:23 (Telnet)"

add chain=dstnat action=dst-nat dst-port=5900 to-addresses=192.168.2.2 to-ports=5900 protocol=tcp comment="PM WAN:5900 -> 192.168.2.2:5900 (VNC 192.168.2.2)"
add chain=dstnat action=dst-nat dst-port=5920 to-addresses=192.168.3.1 to-ports=5900 protocol=tcp comment="PM WAN:5920 -> 192.168.3.1:5900 (VNC 192.168.3.1)"

# Install routes that fire for those routing marks to make sure the packets go back out the right pipe:

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=$wan1ip
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=$wan2ip

# Prefer WAN1 over WAN2 for all traffic except the stuff we're specifically marking to go back out WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=$wan1ip distance=1
add dst-address=0.0.0.0/0 gateway=$wan2ip distance=2

# Disable unnecessary services

/ip service disable www,api,ftp,telnet
/ip upnp set enabled=no

# Allow to communicate with other Mikrotik routers and MAC discovering from the LAN only

/ip neighbor discovery-settings set discover-interface-list=all
/tool mac-server set allowed-interface-list=all
/tool mac-server mac-winbox set allowed-interface-list=all

# Set default SSH port 3000

/ip service set ssh port=3000

:log info ("Initial configuration completed")

The main differences are:

  • I have no in-interface defined in dst-nat (and one rule instead of 2 WAN1/WAN2)
  • I’m using interface lists
  • 80.80.80.1 and 70.70.70.1 are both Mikrotik IPs, and I used these values in the routes.

Please advise, how I need to change Script #1 to achieve my goals.
Thank you!

Short update: I was able to use VNC through port mapping.

I changed the NAT masquerade rules. I removed "out-interface=WAN1 (2)" and added connection-mark WAN1_connection (WAN2_connection) instead.
It seems like VNC works now and packets are going fine.

DANGER DANGER. No way am I commenting on any assistance until you fix this error.

add chain=input action=accept protocol=tcp dst-port=8291 comment="Allow remote connection using WinBox from WAN1 and WAN2"

This is a big security infraction, allowing the whole internet access to your router regardless of which port, and in this case to the port where one configures the router.

The proper way to remotely manage the router is to VPN into the router and then manage it.

Another security error here.

/ip neighbor discovery-settings set discover-interface-list=all
/tool mac-server set allowed-interface-list=all
/tool mac-server mac-winbox set allowed-interface-list=all

It should be set to LAN!! (External direct access is not allowed.)

Would add, your interface settings for WAN are weird!!

Typically it looks like this…
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

Normally one adds to this list if they need specific groupings of subnets identified. For the interface list members, one adds segments to the existing list titles above via the member list. Let's say we had two WANs.

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
(ether1 and ether2 are the default names of the ether ports.) Most people change the name of the WAN ether ports, so it is important to identify it accordingly.

Some ISP connections are weird in that they are done via VLAN or PPPoE, where one has identified a working ISP interface that is different from ether port 1, for example (where the port is the physical interface but not the 'working interface'). It is correct in my understanding that only the working interface is required to be identified, although there is no harm in putting the physical interface in as well.

Thus adding members to the group WAN:
/interface list member
add interface=ether1 list=WAN comment="no harm in adding"
add interface=ether2 list=WAN comment="no harm in adding"
add interface=pppoe-1 list=WAN comment="required"
add interface=pppoe-2 list=WAN comment="required"

Therefore any rule requiring one to identify the broad category of WAN would use in-interface-list=WAN; if one needs to identify a single WAN in a rule, they simply use in-interface=pppoe-1, for example. Let's contrast the above to what you have done…
The first thing is you have named the ethernet ports with words that are already going to cause confusion; much better to have used ISP1 and ISP2, since the router already uses the word WAN for its own purposes.

/interface set "ether1" name="WAN1"
/interface set "ether2" name="WAN2"

I would change to
/interface set "ether1" name="ISP_1"
/interface set "ether2" name="ISP_2"
+++++++++++++++++++++++++++++++++++++++++++++++++++++

In any case, let's look at your settings for interfaces. Here one can clearly see that you have decided to create MORE GROUPS that you will want to add members to.
But why? You have not created groups, you have created single-entry groups. These single-entry groups are already identified by their interfaces WAN1 and WAN2 as singular entities that can be used in all rules. You add the single physical port to the interface grouping, which accomplishes nothing, as you are going around in circles.

/interface list add name=WAN1 comment="WAN1"
/interface list add name=WAN2 comment="WAN2"
/interface list add name=LAN comment="LAN"
/interface list member add list=LAN interface=bridge comment="LAN -> bridge"
/interface list member add list=WAN1 interface=ether1 comment="WAN1 -> ether1"
/interface list member add list=WAN2 interface=ether2 comment="WAN2 -> ether2"

In my humble opinion it would look like this.

/interface list add name=WAN
/interface list add name=LAN comment="LAN"
/interface list member add list=LAN interface=bridge comment="LAN -> bridge"
/interface list member add list=WAN interface=ether1
/interface list member add list=WAN interface=ether2
(For interface=, use the name of the physical ether1/ether2 interface, or the working name of the interface, e.g. pppoe_1 and pppoe_2; in my case a VLAN interface.)
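The three points above (the unrestricted WinBox accept rule, discovery/MAC server on all interfaces, and dst-nat rules with no interface scope) can be checked mechanically against an export. The Python below is an added example, not code from either poster or from MikroTik: it parses RouterOS command lines in the key=value form used in the scripts in this thread and reports each exposure. The posted excerpt is constructed from the two scripts above; the hardened excerpt assumes an address list named mgmt_allowed and interface lists named WAN and LAN, none of which exist in the posted configs.

```python
"""Lint a RouterOS export for the exposure problems raised in this thread.

Added example, not code from the posters or from MikroTik. Sample inputs are
constructed from the posted scripts; the hardened sample assumes an address
list 'mgmt_allowed' and interface lists 'WAN' and 'LAN' (assumed names).
"""
import shlex

VERBS = {"add", "set", "disable", "enable", "remove"}
MGMT_PORTS = {"21", "22", "23", "80", "443", "8291", "8728", "8729"}
SOURCE_LIMITERS = {"src-address", "src-address-list", "in-interface", "in-interface-list"}
DSTNAT_SCOPE = {"in-interface", "in-interface-list", "dst-address"}

# Constructed sample assembled from the two posted scripts (WinBox open to the
# world, an unscoped dst-nat, masquerade towards the bridge, discovery on all).
POSTED_CONFIG = """\
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=accept protocol=tcp dst-port=8291 comment="Allow remote connection using WinBox from WAN1 and WAN2"
add chain=input action=drop in-interface=!LAN comment="Drop all not coming from LAN (OPTIONAL)"
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade comment="NAT Masquerade WAN1"
add chain=srcnat out-interface=bridge action=masquerade comment="NAT Masquerade WAN1"
add chain=dstnat action=dst-nat dst-port=5902 in-interface=WAN1 to-address=192.168.2.2 to-ports=5900 protocol=tcp
add chain=dstnat action=dst-nat dst-port=5900 to-address=192.168.2.2 to-ports=5900 protocol=tcp
/ip neighbor discovery-settings set discover-interface-list=all
/tool mac-server set allowed-interface-list=all
/tool mac-server mac-winbox set allowed-interface-list=all
/ip service set ssh port=3000
"""

# Constructed hardened counterpart: same services, scoped to trusted sources.
HARDENED_CONFIG = """\
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=mgmt_allowed comment="WinBox from allow-listed sources only"
add chain=input action=drop in-interface-list=!LAN
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=5902 to-addresses=192.168.2.2 to-ports=5900
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
"""


def parse_export(text):
    """Yield (menu, verb, params) for each command in a RouterOS export.

    A line starting with '/' selects a menu path (every token up to the first
    verb) and may carry an inline command; other lines are commands in the
    current menu. params maps key -> value; shlex keeps quoted comments whole.
    """
    menu = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0].startswith("/"):
            i = 0
            while i < len(tokens) and tokens[i] not in VERBS:
                i += 1
            menu, tokens = " ".join(tokens[:i]), tokens[i:]
            if not tokens:
                continue
        verb, params = tokens[0], {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            params[key] = value if sep else ""
        yield menu, verb, params


def audit(text):
    """Return a list of (severity, message) findings for one export."""
    findings = []
    for menu, verb, p in parse_export(text):
        if menu == "/ip firewall filter" and verb == "add":
            ports = set(p.get("dst-port", "").split(","))
            if (p.get("chain") == "input" and p.get("action") == "accept"
                    and ports & MGMT_PORTS and not set(p) & SOURCE_LIMITERS):
                findings.append(("high", f"input accept on dst-port {p['dst-port']} "
                                         "with no source restriction (open from every WAN)"))
        elif menu == "/ip firewall nat" and verb == "add":
            target = p.get("to-addresses") or p.get("to-address")  # CLI accepts the prefix form
            if p.get("action") == "dst-nat" and not set(p) & DSTNAT_SCOPE:
                findings.append(("medium", f"dst-nat to {target}:{p.get('to-ports')} is not "
                                           "scoped by interface or dst-address; LAN traffic "
                                           f"to port {p.get('dst-port')} anywhere is redirected too"))
            if p.get("action") == "masquerade" and p.get("out-interface") == "bridge":
                findings.append(("medium", "masquerade towards the LAN bridge rewrites every "
                                           "forwarded source to the router's LAN address, so "
                                           "servers never see the real client IP"))
        elif menu.startswith("/tool mac-server") or menu == "/ip neighbor discovery-settings":
            for key in ("allowed-interface-list", "discover-interface-list"):
                if p.get(key) == "all":
                    findings.append(("high", f"{menu}: {key}=all is reachable from WAN; use LAN"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

Run as-is it reports six findings for the posted excerpt and none for the hardened one. The hardened WinBox rule keeps management from the WAN, which the original poster says is required, but only from sources in mgmt_allowed; a VPN into the router, as suggested above, removes the exposed port entirely. The masquerade check is there because the second posted script masquerades on out-interface=bridge, which is why VNC appears to work from a host with no default gateway: the server replies to the router's own LAN address instead of the real client.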

Anav, thank you for the answer!

Unfortunately, 8291 management from WAN is required and I can’t bypass that unless it would be removed from the requirements.
I can’t affect that now.

I've used interface lists before; I will go back to them.

The reason why I’m using WAN1 and WAN2 is that I need to mark traffic going from WAN1 and WAN2 respectively to route it back into the right out interface.