Problems with dual wan and incoming connections

Hi all!

I have two internet links here, named wan1 and wan2 in MikroTik (RB450G, RouterOS 5.5), and both are working.

I also have a Linux server inside my network, listening on port 22, and I would like to be able to accept incoming connections from both wan1 and wan2. There are no firewall rules on this server.

First, I added a NAT rule to redirect external traffic to the SSH host:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=22 in-interface=wan1 action=dst-nat to-addresses=192.168.0.1 to-ports=22
/ip firewall nat add chain=dstnat protocol=tcp dst-port=22 in-interface=wan2 action=dst-nat to-addresses=192.168.0.1 to-ports=22

Then I added a masquerade rule so my internal hosts can access the internet:
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 action=masquerade disabled=no

Then I marked the traffic coming from both wan1 and wan2 so it returns from the same interface:
/ip firewall mangle add action=mark-connection chain=input in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes disabled=no
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_traffic passthrough=no disabled=no
/ip firewall mangle add action=mark-connection chain=input in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes disabled=no
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_traffic passthrough=no disabled=no

Then I marked the forwarded connections so they return from the same interface:
/ip firewall mangle add action=mark-connection chain=forward in-interface=wan1 connection-state=new new-connection-mark=wan1_pfw passthrough=no disabled=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan1_pfw new-routing-mark=wan1_traffic passthrough=no disabled=no
/ip firewall mangle add action=mark-connection chain=forward in-interface=wan2 connection-state=new new-connection-mark=wan2_pfw passthrough=no disabled=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan2_pfw new-routing-mark=wan2_traffic passthrough=no disabled=no

Then I added the routes for the marked packets (the default routes use wan1 (distance 2) and wan2 (distance 3)):
/ip route add dst-address=0.0.0.0/0 gateway=wan1 distance=1 check-gateway=ping routing-mark=wan1_traffic disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=wan2 distance=1 check-gateway=ping routing-mark=wan2_traffic disabled=no

I think these steps cover everything needed to make this work, but look at what is happening:

If I try to connect to port 22 using a telnet client from an external network, using the wan1 IP, it connects and I receive the message "OpenSSH Server version ...." from the server:

telnet <wan1_ip> 22

Connected to <wan1_ip>.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.6

If I try to connect to port 22 using an SSH client from an external network, using the wan1 IP, it works as expected.

If I try to connect to port 22 using a telnet client from an external network, using the wan2 IP, it connects but I don't receive any message from the server:

telnet <wan2_ip> 22

Trying <wan2_ip>...
Connected to <wan2_ip>.
Escape character is '^]'.

If I try to connect to port 22 using an SSH client from an external network, using the wan2 IP, it doesn't connect. It doesn't report an error, it just stays waiting forever...

Do you have any clues about what could be happening, or what I should do to investigate it?

Regards,

Fabiano
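The post checks each WAN path by hand with telnet and watches whether the SSH banner arrives. The following Python script, added here and not part of the thread, does the same check in a repeatable way: it connects to each address, reads the server's first line with a timeout so the "waits forever" case on the wan2 path comes back as a result instead of a hang, and classifies each path as banner received, connected but silent, or connection failed. The two local listeners it starts are constructed stand-ins for the forwarded SSH server so the script runs offline; against the real setup you would run it from outside the network with the wan1 and wan2 addresses.

```python
import socket
import threading

# Constructed stand-in for the forwarded server's greeting (the post shows
# OpenSSH 5.6); used only by the local demo listeners below.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.6\r\n"


def start_banner_server(send_banner=True, host="127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port and return the port.

    With send_banner=False the listener accepts the connection but never
    writes, which is the wan2 symptom in the post: TCP connects, no data."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if send_banner:
                conn.sendall(FAKE_BANNER)
            # Hold the connection open until the client gives up or closes,
            # so the silent case looks like "no data", not an immediate EOF.
            conn.settimeout(5)
            try:
                conn.recv(1)
            except (socket.timeout, OSError):
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_ssh_banner(host, port=22, timeout=2.0):
    """Connect to host:port and return the first line the server sends.

    Returns None when the TCP handshake completed but nothing arrived before
    the timeout (the "connected, then silence" failure mode). Connection
    errors (refused, unreachable) propagate as OSError."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(256)
        except socket.timeout:
            return None
    if not data:
        return None
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")


def check_wan_paths(targets, timeout=2.0):
    """targets maps a label to (host, port). Returns a verdict string per label."""
    verdicts = {}
    for label, (host, port) in targets.items():
        try:
            banner = grab_ssh_banner(host, port, timeout)
        except OSError as exc:
            verdicts[label] = f"connection failed: {exc.__class__.__name__}"
            continue
        verdicts[label] = f"banner: {banner}" if banner else "connected, no banner"
    return verdicts


if __name__ == "__main__":
    # Offline demo: one listener that greets, one that stays silent. Against a
    # real router, run from outside with the public addresses, e.g.
    # {"wan1": ("<wan1_ip>", 22), "wan2": ("<wan2_ip>", 22)}.
    demo = {
        "wan1": ("127.0.0.1", start_banner_server(send_banner=True)),
        "wan2": ("127.0.0.1", start_banner_server(send_banner=False)),
    }
    for label, verdict in check_wan_paths(demo, timeout=1.0).items():
        print(f"{label}: {verdict}")
```

Run it from both an outside host and, for comparison, from inside the LAN against 192.168.0.1 directly: a banner on the inside and silence via one WAN address points at the return path through the router rather than at the server.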

> Then I marked the forwarded connections so they return from the same interface:
> /ip firewall mangle add action=mark-connection chain=forward in-interface=wan1 connection-state=new new-connection-mark=wan1_pfw passthrough=no disabled=no
> /ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan1_pfw new-routing-mark=wan1_traffic passthrough=no disabled=no
> /ip firewall mangle add action=mark-connection chain=forward in-interface=wan2 connection-state=new new-connection-mark=wan2_pfw passthrough=no disabled=no
> /ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan2_pfw new-routing-mark=wan2_traffic passthrough=no disabled=no

You are only marking the “connection-state=new”. Maybe that has something to do with it?

I removed the "connection-state=new" part, and it's still not working...
All the examples I have seen so far use this parameter, so I suppose it is not the cause.

Regards,

Fabiano

Narrow down these rules with either a subnet or an in-interface.
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wan1_pfw new-routing-mark=wan1_traffic passthrough=no disabled=no

That should hopefully take care of it. And you can keep connection-state=new on the mark-connection rules.

Hi, it didn't work either.
If I add the options "in-interface=wan1" and "in-interface=wan2" to the prerouting rules, things seem to get worse: no connection at all, not even the initial telnet connection.
Here is a summary of my configuration.

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 wan1 1
1 A S 0.0.0.0/0 wan2 1
2 ADS 0.0.0.0/0 189.55.8.1 2
3 S 0.0.0.0/0 wan2 3
4 ADC 189.55.8.0/21 189.55.13.179 wan1 0
5 ADC 192.168.0.0/24 192.168.0.254 lan 0
6 ADC 192.168.1.0/24 192.168.1.3 wan2-temp 0
7 ADC 192.168.5.0/24 192.168.5.254 hotspot 0
8 ADC 201.92.100.199/32 187.35.111.60 wan2 0

/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; in wan1,out wan1
chain=input action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=wan1
1 ;;; in wan1,out wan1
chain=output action=mark-routing new-routing-mark=wan1_traffic passthrough=no connection-mark=wan1_conn
2 ;;; in wan2,out wan2
chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=wan2
3 ;;; in wan2,out wan2
chain=output action=mark-routing new-routing-mark=wan2_traffic passthrough=no connection-mark=wan2_conn
4 ;;; pfw wan1, out wan1
chain=forward action=mark-connection new-connection-mark=wan1_pfw passthrough=no connection-state=new in-interface=wan1
5 ;;; pfw wan1, out wan1
chain=prerouting action=mark-routing new-routing-mark=wan1_traffic passthrough=no in-interface=wan1 connection-mark=wan1_pfw
6 ;;; pfw wan2, out wan2
chain=forward action=mark-connection new-connection-mark=wan2_pfw passthrough=no connection-state=new in-interface=wan2
7 ;;; pfw wan2, out wan2
chain=prerouting action=mark-routing new-routing-mark=wan2_traffic passthrough=no in-interface=wan2 connection-mark=wan2_pfw

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=22 protocol=tcp in-interface=wan1 dst-port=22
2 chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=22 protocol=tcp in-interface=wan2 dst-port=22
3 chain=srcnat action=masquerade src-address=192.168.0.0/24
4 chain=srcnat action=masquerade src-address=192.168.5.0/24

/ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.0.254/24 192.168.0.0 lan
1 192.168.5.254/24 192.168.5.0 hotspot
2 D 192.168.1.3/24 192.168.1.0 wan2-temp
3 D 187.35.111.60/32 201.92.100.199 wan2
4 D 189.55.13.179/21 189.55.8.0 wan1

I should have been more specific, the in-interface for the mark-routing rules should be the LAN interface. You are trying to get the return packets to use the correct route, so it needs to be the interface the return packets are coming in on.

:blush:
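To make the point above concrete, here is an added Python model that is not from the thread and is a deliberate simplification of RouterOS: it models only the mangle matchers used here (in-interface, connection-mark, connection-state), first-match order with passthrough, and conntrack remembering a connection mark; NAT and the route lookup itself are left out. It pushes the inbound SYN from a WAN and the server's reply from the LAN through the two port-forward rule pairs and reports which routing mark the reply carries. With in-interface set to the WAN on the prerouting mark-routing rule, the reply, which enters the router on lan, matches nothing and leaves unmarked; with in-interface=lan it gets wan1_traffic or wan2_traffic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    """One mangle rule, reduced to the matchers used in the thread."""
    chain: str
    action: str                      # "mark-connection" or "mark-routing"
    new_mark: str
    in_interface: Optional[str] = None
    connection_mark: Optional[str] = None
    connection_state: Optional[str] = None
    passthrough: bool = False


@dataclass
class Packet:
    in_interface: str
    conn_id: str         # simulated conntrack entry this packet belongs to
    state: str           # "new" for the first packet of a flow, else "established"
    routing_mark: Optional[str] = None


def run_chain(rules: List[Rule], chain: str, pkt: Packet, conn_marks: Dict[str, str]) -> None:
    """Evaluate one chain top to bottom. mark-connection stores the mark in
    the simulated conntrack table; mark-routing tags the packet. A matching
    rule with passthrough=no ends evaluation of the chain."""
    for rule in rules:
        if rule.chain != chain:
            continue
        if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
            continue
        if rule.connection_mark is not None and conn_marks.get(pkt.conn_id) != rule.connection_mark:
            continue
        if rule.connection_state is not None and rule.connection_state != pkt.state:
            continue
        if rule.action == "mark-connection":
            conn_marks[pkt.conn_id] = rule.new_mark
        elif rule.action == "mark-routing":
            pkt.routing_mark = rule.new_mark
        if not rule.passthrough:
            break


def reply_routing_mark(rules: List[Rule], wan: str) -> Optional[str]:
    """Inbound SYN on `wan` passes prerouting then forward (where the
    connection gets its mark); the LAN server's reply then enters prerouting
    on interface lan. Returns the routing mark the reply ends up with, or
    None if it would fall through to the unmarked default route."""
    conn_marks: Dict[str, str] = {}
    syn = Packet(in_interface=wan, conn_id="conn-1", state="new")
    run_chain(rules, "prerouting", syn, conn_marks)
    run_chain(rules, "forward", syn, conn_marks)
    reply = Packet(in_interface="lan", conn_id="conn-1", state="established")
    run_chain(rules, "prerouting", reply, conn_marks)
    return reply.routing_mark


def port_forward_rules(mark_routing_iface: Callable[[str], str]) -> List[Rule]:
    """Build the two "pfw wanN, out wanN" rule pairs from the thread. The
    callable chooses the in-interface of the prerouting mark-routing rule."""
    rules: List[Rule] = []
    for wan in ("wan1", "wan2"):
        rules.append(Rule("forward", "mark-connection", f"{wan}_pfw",
                          in_interface=wan, connection_state="new"))
        rules.append(Rule("prerouting", "mark-routing", f"{wan}_traffic",
                          in_interface=mark_routing_iface(wan),
                          connection_mark=f"{wan}_pfw"))
    return rules


# The attempt that narrowed the prerouting rules to in-interface=wanN ...
NARROWED_TO_WAN = port_forward_rules(lambda wan: wan)
# ... and the correction: the reply comes in on the LAN interface.
NARROWED_TO_LAN = port_forward_rules(lambda wan: "lan")


if __name__ == "__main__":
    for name, ruleset in (("in-interface=wanN", NARROWED_TO_WAN),
                          ("in-interface=lan", NARROWED_TO_LAN)):
        for wan in ("wan1", "wan2"):
            print(f"{name:18} inbound on {wan}: reply marked {reply_routing_mark(ruleset, wan)}")
```

The model is only as good as its matchers: it shows why the in-interface on the mark-routing rule has to name the interface the reply arrives on, not why the unnarrowed rule set in the original post misbehaved, which the thread does not resolve.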

Thank you, Feklar! It’s working now.

I will post the complete rule set here, so others with the same problem can follow.

Supposing you have an SSH (port 22) server inside your network and want both WAN interfaces to reach this host:

# redirect incoming traffic in wan1 and wan2 to the local server
/ip firewall nat add chain=dstnat protocol=tcp dst-port=22 in-interface=wan1 action=dst-nat to-addresses=192.168.0.1 to-ports=22
/ip firewall nat add chain=dstnat protocol=tcp dst-port=22 in-interface=wan2 action=dst-nat to-addresses=192.168.0.1 to-ports=22

# what comes from wan1, gets out from wan1
/ip firewall mangle add action=mark-connection chain=input in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes disabled=no comment="in wan1,out wan1"
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_traffic passthrough=no disabled=no comment="in wan1,out wan1"

# what comes from wan2, gets out from wan2
/ip firewall mangle add action=mark-connection chain=input in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes disabled=no comment="in wan2,out wan2"
/ip firewall mangle add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_traffic passthrough=no disabled=no comment="in wan2,out wan2"

# port forwards from wan1, gets out from wan1
/ip firewall mangle add action=mark-connection chain=forward in-interface=wan1 connection-state=new new-connection-mark=wan1_pfw passthrough=no disabled=no comment="pfw wan1, out wan1"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=lan connection-mark=wan1_pfw new-routing-mark=wan1_traffic passthrough=no disabled=no comment="pfw wan1, out wan1"

# port forwards from wan2, gets out from wan2
/ip firewall mangle add action=mark-connection chain=forward in-interface=wan2 connection-state=new new-connection-mark=wan2_pfw passthrough=no disabled=no comment="pfw wan2, out wan2"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=lan connection-mark=wan2_pfw new-routing-mark=wan2_traffic passthrough=no disabled=no comment="pfw wan2, out wan2"

# routing rules for wan1_traffic and wan2_traffic
/ip route add dst-address=0.0.0.0/0 gateway=wan1 distance=1 routing-mark=wan1_traffic disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=wan2 distance=1 routing-mark=wan2_traffic disabled=no