RouterOS - NAT problem (dst-nat)

Hi guys,
The old router died, so I ended up with the marvel that is called “RouterOS”. I have been trying for the last few days to understand the principles and make things work as they did before the “meltdown”. So I have a critical situation here and I’m gonna try to be as analytical as I can be:

Mikrotik configuration so far is handling 2 WANs and 1 LAN interface:
WAN1 has 10.4.14.1 as gateway
WAN2 has 10.33.52.1 as gateway

IP addresses setup:
/ip address
add address=10.4.14.2/24 disabled=no interface=WAN1 network=10.4.14.0
add address=10.33.52.4/24 disabled=no interface=WAN2 network=10.33.52.0
add address=10.24.14.1/24 disabled=no interface=LAN network=10.24.14.0

The router has two basic tasks:

  1. Route all traffic through WAN1, except one specific destination IP that is being routed through WAN2:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

This is working like a charm

  2. The other task is to create a NAT. I need a server located inside the LAN with IP 10.24.14.21 to be NATed with the public IP 10.33.52.242 at port 8080, but this must be done through the WAN2 network.
     The NAT configuration is the following:

/ip firewall nat
add action=dst-nat chain=dstnat comment="WAN2 to LAN" disabled=no dst-address=10.33.52.242 dst-port=8080 in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 to-ports=8080
add action=src-nat chain=srcnat comment="Route Server traffic via WAN2" disabled=no src-address=10.24.14.21 to-addresses=10.33.52.242
add action=masquerade chain=srcnat disabled=no src-address=10.24.14.0/24

This is NOT working. When I try to connect to the above public IP (10.33.52.242:8080) from another location (e.g. home) it tries to connect, but I always get a timeout error.
I would appreciate any help from you, I can’t figure out what I’m doing wrong here.
Thanks in advance!

First guess is that you did not open a hole in the firewall for your NAT. Unlike many consumer routers, RouterOS does not do that automatically.

The best thing to do is post your config and that way we can confirm what has been done and what is needed.

/export hide-sensitive file=yourconfig

That being said…
I have a similar setup for my two wans
WAN1 primary WAN2 secondary, however I need WAN2 for my email traffic.

As for port forwarding you need two things.
a. A generic forward-chain firewall rule allowing incoming destination-NAT traffic.
b. A specific NAT rule for the server in question.

a. add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat in-interface=etherX
   (etherX is your WAN2 interface)

b. add action=dst-nat chain=dstnat comment="Server For ??" dst-port=8080 protocol=tcp in-interface=etherX to-addresses=10.24.14.21
   (protocol=tcp here; add a second rule with protocol=udp if the service needs it)

(I’m also assuming you have two source nat rules for your two WANs as well)

Thank you guys for your snappy replies.

I would like to ask you in my posted configuration, did you notice any “flaws”?
I’ll try to post the exported conf. as soon as I get back to the office

RouterOS uses routes from “/ip route” to decide where to send packets. It doesn’t automatically send replies back the same way the request came from. So you have an incoming connection on WAN2, but the default route uses WAN1, so response packets are sent there and of course it doesn’t work. The solution is to mark connections based on the incoming interface and then mark routing for the responses, to make them use the correct WAN.

You can see the config at https://wiki.mikrotik.com/wiki/Manual:PCC (ignore two rules with per-connection-classifier, those are for load balancing, which the article is primarily about).

If I may add / correct something here (see red text above) before there is a “bug / problem” in Mikrotik again: that is how IP routing works and how any router will handle IP packets. It is not Mikrotik specific; you will get the same results with Cisco, Juniper, etc.

Don’t let IT big heads scare you. No clear need to mangle yet! :stuck_out_tongue_winking_eye:

As far as these lines go
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

I would change them to something like this
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add disabled=no distance=10 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

In this way you can add rules before, after and in between (via distance).
For example my WAN1 has distance 5, my WAN2 has distance 10 but my WAN2 email routing has distance 1.

Don’t let @anav fool you. :wink:

If the forwarded port on WAN2 should be accessible from anywhere, but you want to use WAN1 by default, you need the marking; only one routing table won’t be enough.


@CZFan: I didn’t mean it as RouterOS-specific, just that someone can expect that this happens automatically.

Ok, one correction, you don’t necessarily have to mark incoming connections if the server (10.24.14.21) is going to always use WAN2, even for its own outgoing connections. In that case you can use something simpler:

/ip route
add dst-address=0.0.0.0/0 gateway=10.33.52.1 routing-mark=wan2
/ip firewall mangle
add chain=prerouting src-address=10.24.14.21 action=mark-routing new-routing-mark=wan2

Do you mean to replace my ip route settings with yours? Or like this?
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 target-scope=10
add dst-address=0.0.0.0/0 gateway=10.33.52.1 routing-mark=wan2
add disabled=no distance=1 dst-address=10.5.147.11/32 gateway=10.33.52.1 scope=30 target-scope=10

and after that just add the mangle rule?
/ip firewall mangle
add chain=prerouting src-address=10.24.14.21 action=mark-routing new-routing-mark=wan2

Add my route to yours like you wrote. The routing-mark=wan2 parameter tells the router that it’s a different routing table. And the mangle rule instructs the router to use it for the selected packets.

Guys, thank you for your feedback, I’m trying to implement all the settings and I’ll get back to you

Sob I will admit to meeting in the middle on this one, perhaps a little teensy weensy bit of mangling will do LOL.
I do have to ask though, for my email traffic, why do I not need to mangle that traffic at all? I have at least two different IP addresses magically ( without mangling ;-p ) able to be routed to WAN2 for my email. Eagerly anticipating the answer whilst I eat the head of my chocolate bunny. (typical North American pagan Easter ritual LOL)

If I remember correctly, you’re dealing with outgoing email traffic, but this is about incoming traffic.

That is correct, but what about incoming emails???

In any case, if traffic coming in on WAN2 hits the server and then heads out, even though there is conntrack, the router will stupidly send the return traffic out the primary WAN1 with the standard routing for primary and secondary WAN (via distance). That is the part that is annoying, the router knows where it came from…
So what you are saying is that the easiest thing to do is simply route all traffic from the one IP to WAN2 (mark such traffic and refer to it in IP routing).
(I like this for another reason, even if the incoming traffic to the server comes in on WAN1, it will still go out WAN2).

What is the purpose of preferred source then???

Or how bout this combo…
/ip route
add distance=1 gateway=10.33.52.1 routing-mark=TEST
/ip route rule
add dst-address=0.0.0.0/0 interface=WAN2 src-address=10.24.14.21/32 table=TEST

The router knows where the connection came from, but it can’t know that you also want to send replies there. If you have two independent WAN interfaces (often from different ISPs), the obvious reaction is “and where else should it send them?!”, but it’s not the only possible scenario. You might as well have two (or more) interfaces and use asymmetric routing, where incoming traffic uses one and outgoing another. And it’s perfectly valid too. But it must be supported by the other ends too, so this most likely won’t work:

And yes, a routing rule can be used too, if it’s a static config where the server uses only WAN2. But if you’d want the server accessible from both WANs, it wouldn’t work.

@Anav, IIRC, you are using an email client with the mail server hosted outside your network.
Then the client will send mails out, either directly to your hosted mail server or to the alternative Skype server.
The mail coming in is being “pulled” by the mail client, so the connection is initiated from inside, so you will only need a route rule for mail, no mangle required there.

OK, good news, everything is up and working.
As reviewing the whole thing, the scenario was:

Mikrotik router is handling 2 WANs and 1 LAN interface:
WAN1 has 10.4.14.1 as gateway
WAN2 has 10.33.52.1 as gateway

The router has two basic tasks:

  1. Route all traffic through WAN1, except one specific destination IP that is being routed through WAN2.
  2. The other task is to create a NAT. A server located inside the LAN with IP 10.24.14.21 needs to be NATed with the public IP 10.33.52.242 at port 8080, but this must be done through the WAN2 network.

I’m posting the final configuration. I’m pretty sure that some lines can be removed, so if you can help me with that I would be grateful:

    Line 1: /interface ethernet
    Line 2: set 0 arp=enabled auto-negotiation=yes cable-settings=default \
    Line 3:     disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
    Line 4:     mtu=1500 name=LAN speed=100Mbps
    Line 5: set 1 arp=enabled auto-negotiation=yes cable-settings=default \
    Line 6:     disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
    Line 7:     mtu=1500 name=WAN1 speed=100Mbps
    Line 8: set 2 arp=enabled auto-negotiation=yes cable-settings=default \
    Line 9:     disable-running-check=yes disabled=no full-duplex=yes l2mtu=16383 \
    Line 10:     mtu=1500 name=WAN2 speed=100Mbps

    Line 12: /ip address
    Line 13: add address=10.24.14.1/24 disabled=no interface=LAN network=10.24.14.0
    Line 14: add address=10.4.14.2/24 disabled=no interface=WAN1 network=10.4.14.0
    Line 15: add address=10.33.52.242/24 disabled=no interface=WAN2 network=10.33.52.0

    Line 17: /ip firewall filter
    Line 18: add action=accept chain=input disabled=no dst-address=10.33.52.242 dst-port=\
    Line 19:     8080 in-interface=WAN2 protocol=tcp
    Line 20: add action=accept chain=output disabled=no out-interface=WAN2 protocol=tcp \
    Line 21:     src-address=10.24.14.21 src-port=8080
    Line 22: add action=accept chain=input disabled=yes dst-address=10.33.52.9 dst-port=80 \
    Line 23:     in-interface=WAN2 protocol=tcp
    Line 24: add action=drop chain=input disabled=no in-interface=WAN2

    Line 26: /ip firewall mangle
    Line 29: add action=mark-connection chain=prerouting disabled=no in-interface=WAN1 \
    Line 30:     new-connection-mark=WAN1_connection passthrough=yes
    Line 31: add action=mark-connection chain=prerouting disabled=no in-interface=WAN2 \
    Line 32:     new-connection-mark=WAN2_connection passthrough=yes
    Line 33: add action=mark-routing chain=prerouting connection-mark=WAN1_connection \
    Line 34:     disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
    Line 35: add action=mark-routing chain=prerouting connection-mark=WAN2_connection \
    Line 36:     disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes
    Line 37: add action=mark-routing chain=output connection-mark=WAN2_connection \
    Line 38:     disabled=no new-routing-mark=to_WAN2 passthrough=yes

    Line 40: /ip firewall nat
    Line 41: add action=masquerade chain=srcnat disabled=no src-address=10.24.14.0/24
    Line 42: add action=masquerade chain=srcnat disabled=no out-interface=WAN2
    Line 43: add action=masquerade chain=srcnat disabled=no out-interface=WAN1
    Line 50: add action=dst-nat chain=dstnat disabled=no dst-address=10.33.52.242 \
    Line 51:     dst-port=8080 in-interface=WAN1 protocol=tcp to-addresses=10.24.14.21 \
    Line 52:     to-ports=8080
    Line 53: add action=dst-nat chain=dstnat disabled=no dst-address=10.33.52.242 \
    Line 54:     dst-port=8080 in-interface=WAN2 protocol=tcp to-addresses=10.24.14.21 \
    Line 55:     to-ports=8080

    Line 57: /ip route
    Line 60: add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.33.52.1 \
    Line 61:     routing-mark=to_WAN2 scope=30 target-scope=10
    Line 62: add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.14.1 scope=30 \
    Line 63:     target-scope=10
    Line 64: add comment=IRIS disabled=no distance=1 dst-address=10.5.14.0/24 gateway=\
    Line 65:     10.33.52.1 scope=30 target-scope=10

Here are some questions that need clarification:

Q.1
Line 15:
Do I need to set the specific IP (meaning the .242), because the public address that needs to be NATed is 10.33.52.242, or is that irrelevant? E.g. can I set 10.33.52.4/24 with no impact?

Q.2
Lines 17-24:
Are the firewall rules mandatory, or are they there for security reasons?

Q.3
In the /ip firewall mangle section, I mangled almost everything! I guess that lines:
Line 29: add action=mark-connection chain=prerouting disabled=no in-interface=WAN1
Line 30: new-connection-mark=WAN1_connection passthrough=yes
Line 33: add action=mark-routing chain=prerouting connection-mark=WAN1_connection
Line 34: disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
are not needed?

Q.4
In the /ip firewall nat section, are all the rules needed here?

Q.5
Lines 60-61:
Do I have to set the distance in a higher value than the distance in line 62?

Thank you all for your support!

I don’t see red very well LOL.
Best if you use standard format
/export hide-sensitive file=yourconfig

I see issues in both firewall filter and nat rules.

  1. It should be the address you have for WAN2 (what you got from ISP). Or do you have more?

  2. Most of your firewall filter is nonsense. If you forward port 8080 inside, it won’t ever go in input chain (17-18). Then 20-21 also doesn’t look like anything that could ever happen, 22-23 is for address that router doesn’t have, so it should be useless too. The only sort of useful is 24 which blocks access to router from WAN2, i.e. protecting its services like WinBox, but as it is now also effectively blocks all router’s own communication on WAN2.

  3. You can live without them.

  4. You don’t need 41, because anything from that network will go out via WAN1, so 43 will do same job. And 50-52 is probably useless, because when 10.33.52.242 is on WAN2, nothing to this address will come from WAN1. Assuming you have two independent WANs.

  5. No, it’s the only rule in routing table to_WAN2, it doesn’t mix with others in default routing table, so distance here is useless.
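Putting the thread's advice together as one configuration, as an added example that is neither the poster's own export nor MikroTik's documentation: it keeps the connection-mark / routing-mark approach explained earlier in the thread (replies to connections that arrived on WAN2 leave via WAN2) and applies the points from the last reply to the final export (drop the /24 masquerade and the WAN1 copy of the dst-nat, drop the input/output accept rules that never match, leave out the to_WAN1 marking and the distance on the marked route). Interface names and addresses are the ones used in the thread. Two lines are my own additions and are marked as such in the comments: the forward-chain rule from the first answer, and an established/related accept before the "drop input on WAN2" rule, to address the remark that the drop rule otherwise also cuts off the router's own traffic on WAN2. The rules are written in RouterOS v6 syntax like the rest of the thread.

```routeros
# Added example (not the thread's or MikroTik's own config): the poster's
# final configuration trimmed along the lines of the last reply.

/ip address
add address=10.24.14.1/24 interface=LAN network=10.24.14.0
add address=10.4.14.2/24 interface=WAN1 network=10.4.14.0
# The WAN2 address is the public IP the port forward is published on.
add address=10.33.52.242/24 interface=WAN2 network=10.33.52.0

/ip firewall mangle
# Remember which WAN a connection entered on (old lines 31-32); marking only
# the first packet is enough, the mark stays with the tracked connection.
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=WAN2_connection passthrough=yes
# Replies from the LAN server for those connections use routing table to_WAN2
# (old lines 35-36), so they go back out the interface the request came in on.
add chain=prerouting in-interface=LAN connection-mark=WAN2_connection \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no
# Same for the router's own replies on WAN2 connections (old lines 37-38).
add chain=output connection-mark=WAN2_connection \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat
# One masquerade per WAN (old lines 42-43); the src-address=10.24.14.0/24
# masquerade of old line 41 is covered by these two and is left out.
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
# Port forward on WAN2 only (old lines 53-55); 10.33.52.242 lives on WAN2,
# so the WAN1 copy (old lines 50-52) never matches and is left out.
add chain=dstnat in-interface=WAN2 dst-address=10.33.52.242 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=10.24.14.21 to-ports=8080

/ip firewall filter
# Forwarded traffic goes through the forward chain, not input; this is the
# generic dstnat accept from the first answer (my addition here).
add chain=forward connection-nat-state=dstnat in-interface=WAN2 action=accept \
    comment="Allow port forwarding - DSTNAT"
# Keep the router's own services closed on WAN2 (old line 24), but first let
# replies to the router's own connections back in (my addition; without it the
# drop also breaks the router's traffic towards the IRIS route on WAN2).
add chain=input connection-state=established,related action=accept
add chain=input in-interface=WAN2 action=drop

/ip route
# Default route via WAN1 (old lines 62-63).
add dst-address=0.0.0.0/0 gateway=10.4.14.1
# Default route in table to_WAN2 (old lines 60-61); it is the only route in that
# table, so no distance is needed.
add dst-address=0.0.0.0/0 gateway=10.33.52.1 routing-mark=to_WAN2
# The one destination that always goes via WAN2 (old lines 64-65).
add dst-address=10.5.14.0/24 gateway=10.33.52.1 comment=IRIS

# Checks after a client connects to 10.33.52.242:8080 from the outside:
# the mangle, nat and forward-rule counters should increase, and the tracked
# connection should carry the WAN2_connection mark.
/ip firewall mangle print stats
/ip firewall nat print stats
/ip firewall filter print stats
/ip firewall connection print where dst-address~"10.33.52.242:8080"
/ip route print where routing-mark=to_WAN2
```

If the server should later be reachable through WAN1 as well, add the matching WAN1 dst-nat, a WAN1 mark-connection rule and a to_WAN1 table the same way; with only one marked table, as here, connections arriving on WAN1 simply follow the default route, which is already WAN1.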