Problem in accessing router from outside

Hi everybody

Let me explain my scenario.

I have two WAN connections. One of them is 50 Mbps and the other 30 Mbps.
WAN1: 10.10.1.1 (30 Mbps)
WAN2: 10.10.2.1 (50 Mbps)
My LAN has two groups. Group 1 wants to use WAN1 and Group 2 wants to use WAN2.

Group1: 192.168.1.2 ~ 192.168.1.199
Group2: 192.168.1.200 ~ 192.168.1.254

First of all I defined addresses:

/ip address
add address=192.168.1.1/24 disabled=no interface=ether1-LAN network=192.168.1.0
add address=10.10.1.2/24 disabled=no interface=ether2-30M network=10.10.1.0
add address=10.10.2.2/24 disabled=no interface=ether3-50M network=10.10.2.0

With an address list I defined group 2:
/ip firewall address-list
add address=192.168.1.200-192.168.1.254 disabled=no list="Group 2"

Then in Mangle I marked them:
IP/Firewall/Mangle
0 chain=prerouting action=mark-routing new-routing-mark=Group 2 passthrough=no src-address-list=Group 2

1 ;;; Internet
chain=prerouting action=mark-routing new-routing-mark=Group 1 passthrough=no src-address=192.168.1.0/24 src-address-list=!Group 2

The NAT configuration is:

ip/firewall/nat
1 chain=srcnat action=masquerade src-address=192.168.1.0/24 src-address-list=Group 2 out-interface=ether3-50M
2 chain=srcnat action=src-nat to-addresses=10.10.1.2 src-address=192.168.1.0/24 out-interface=ether1-30M

My routing table config is:

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.2.1 pref-src=10.10.2.2 routing-mark="Group 2" scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.10.1.1 pref-src=10.10.1.2 routing-mark="Group 2" scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.1.1 pref-src=10.10.1.2 routing-mark="Group 1" scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.10.2.1 pref-src=10.10.2.2 routing-mark="Group 1" scope=30 target-scope=10

For accessing WinBox from outside I defined a filter rule:
/ip firewall filter
add action=accept chain=input comment=winbox-remote disabled=no dst-port=8291 protocol=tcp

But my problem is:

  1. I cannot access my WinBox from outside.
  2. I cannot ping my WAN connections.
  3. I cannot ping outside from the router, and I receive a “no route to host” message.

Thanks for your cooperation.

  1. You mark routing only for outgoing connections from LAN. But the router also needs some help with incoming connections, specifically with reply packets. The whole working config with explanation can be seen in the PCC manual. The part you’re interested in is (change it to your interface names and routing marks):
/ip firewall mangle
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP2_conn
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2
  2. You need to allow icmp.
  3. I’m not sure if I understand what exactly you do.

Both 1) and 2) assume that your WAN connections have some modems with public addresses and you forward traffic from there to 10.10.x.2, otherwise you can’t have any connections from outside.

Hello my friend.
Do I use this part only, or do I have to use other parts?
With this code I just mark connections. Do I change anything in my routing table?

My main goal is to use the MikroTik as a VPN server. But as long as I cannot access the MikroTik from outside, I cannot use the VPN.

The best way is to understand what it does.

This is the usual problem with multiple WANs. You have two new routing tables and they work well for outgoing traffic, because you mark it to use these tables. But when a new connection from outside comes to the router, the router sends the reply according to the “main” routing table. It doesn’t automatically track where the connection originally came from; it just uses the active default route, which might or might not be the right one.

These new mangle rules fix it. First they mark connections coming from each WAN (in chain=prerouting) and then they mark routing for outgoing packets of marked connections (in chain=output). It makes the router look into the right routing table, and reply packets will take the right way back.

If you’re only interested in access to router itself, these are enough. Just change them to your naming, i.e. “in-interface=ether2-30M” instead of “in-interface=ISP1”, “new-routing-mark=Group 1” instead of “new-routing-mark=to_ISP1”, etc.

If you’d want to have some forwarded ports to internal machines accessible from both WANs, you’d also need:

/ip firewall mangle
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing \
    new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing \
    new-routing-mark=to_ISP2

Plus you’d need to exclude already marked connections from your two original mangle rules by adding connection-mark=no-mark to them.
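The reply's three pieces of advice (connection marking for inbound WAN traffic, output-chain routing marks, the extra prerouting rules for forwarded ports, plus the no-mark exclusion on the original rules) put together with the poster's own interface names and routing marks, as an added example that is not from the thread; the connection-mark names WAN1_conn/WAN2_conn are assumed, and the main-table routes at the end are this editor's addition for problem 3, not something the reply stated.

```routeros
# Added example, not from the thread: the reply's fix rewritten with the
# poster's interface names and routing marks. Connection-mark names
# WAN1_conn/WAN2_conn are assumed; marks with spaces must be quoted in the CLI.
/ip firewall mangle
# 1. Remember which WAN a new inbound connection arrived on. These rules
#    must sit above the LAN routing-mark rules in the prerouting chain.
add chain=prerouting in-interface=ether2-30M connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=ether3-50M connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
# 2. Replies the router itself generates (WinBox, VPN, ping) use the table
#    of the ingress WAN instead of "main".
add chain=output connection-mark=WAN1_conn action=mark-routing \
    new-routing-mark="Group 1"
add chain=output connection-mark=WAN2_conn action=mark-routing \
    new-routing-mark="Group 2"
# 3. Only for dst-nat port forwards: LAN hosts' replies follow the ingress WAN.
add chain=prerouting connection-mark=WAN1_conn in-interface=ether1-LAN \
    action=mark-routing new-routing-mark="Group 1"
add chain=prerouting connection-mark=WAN2_conn in-interface=ether1-LAN \
    action=mark-routing new-routing-mark="Group 2"
# 4. The poster's LAN rules, now skipping connections marked above. The
#    "!Group 2" match is dropped: passthrough=no on the first rule already
#    stops Group 2 packets from reaching the second.
add chain=prerouting connection-mark=no-mark src-address-list="Group 2" \
    action=mark-routing new-routing-mark="Group 2" passthrough=no
add chain=prerouting connection-mark=no-mark src-address=192.168.1.0/24 \
    action=mark-routing new-routing-mark="Group 1" passthrough=no

# Item 2 of the reply: let the router answer ping (place above any input drop).
/ip firewall filter
add chain=input protocol=icmp action=accept comment=icmp-in

# Not stated in the thread but behind problem 3: all four of the poster's
# routes carry a routing-mark, so the "main" table, which router-originated
# traffic without a mark uses, has no default route ("no route to host").
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.1.1 distance=2 check-gateway=ping
```

Check the result with /ip firewall connection print, where inbound WinBox or VPN connections should show the WAN1_conn/WAN2_conn mark, and with /ip route print, where the two unmarked routes should now appear in the main table.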