Hello Guys/Girls.
I have come here for help after two days searching the net, reading blogs, the Mikrotik manual and several posts here on the forum.
My Setup :
RB2011UAS, Router OS Version 6.3
Networks :
Interface ETH0
ISP A - 10.0.0.114/30 - The network that connects between the optical converter and our router.
ISP A Subnet - 10.0.1.8/29 - Another public subnet provided by this ISP for our public services
Interface ETH1
ISP B - 10.0.2.114/30 - The network that connects between the optical converter and our router.
ISP B Subnet - 10.0.3.224/29 - Another public subnet provided by this ISP for our public services
Interface ETH3
Internal Network - 192.168.0.0/24
Notes :
Unlike many other solutions, I don’t want to LB the connections, and the ISPs will not exchange/accept traffic from each other.
My main objective is to allow the server on 192.168.0.100 to be accessible by the subnets above.
What I Have Done :
I was able to make the dst-nat accessible by both subnets.
chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp src-address=0.0.0.0/0 dst-address=10.0.1.10 src-address-type="" dst-port=8080
chain=dstnat action=dst-nat to-addresses=192.168.0.100 to-ports=80 protocol=tcp src-address=0.0.0.0/0 dst-address=10.0.3.226 src-address-type="" dst-port=8080
This solves the NAT need, now going to ensure that we leave by the same ISP we have entered.
chain=input action=mark-connection new-connection-mark=ISPA-IN passthrough=yes in-interface=eth0
chain=input action=mark-connection new-connection-mark=ISPB-IN passthrough=yes in-interface=eth1
chain=output action=mark-routing new-routing-mark=ISPA-IN passthrough=no connection-mark=ISPA-OUT
chain=output action=mark-routing new-routing-mark=ISPB-IN passthrough=no connection-mark=ISPB-OUT
And now for the routes
0.0.0.0/0 GW 10.0.1.113 Metric 1 Route Mark ISPA-OUT
0.0.0.0/0 GW 10.0.2.113 Metric 1 Route Mark ISPB-OUT
0.0.0.0/0 GW 10.0.2.113 Metric 1 Our Default Gateway For Internal Clients, We Use The ISP2 For This
Test :
Accessing from an external device, a 3G phone (on a completely unrelated network), allows me to visit 10.0.2.226 but not 10.0.1.10.
Problems
I think I’m missing something AFTER we perform the NAT. On the connection tracking I’m stuck in the sync phase.
Thank you for your time.
Antonio
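
A consistency check over the mangle rules, routes and interface addresses exactly as posted above, added here as an example and not part of the original post. It cross-references which marks are set, which are matched, which chains forwarded traffic can reach, and whether each gateway sits on a connected network; the function names `parse_rules` and `lint` are hypothetical.

```python
import ipaddress

# Constructed input: rules, routes and interface networks copied from the post.
MANGLE = """\
chain=input action=mark-connection new-connection-mark=ISPA-IN passthrough=yes in-interface=eth0
chain=input action=mark-connection new-connection-mark=ISPB-IN passthrough=yes in-interface=eth1
chain=output action=mark-routing new-routing-mark=ISPA-IN passthrough=no connection-mark=ISPA-OUT
chain=output action=mark-routing new-routing-mark=ISPB-IN passthrough=no connection-mark=ISPB-OUT
"""
ROUTES = [("10.0.1.113", "ISPA-OUT"), ("10.0.2.113", "ISPB-OUT"), ("10.0.2.113", None)]
CONNECTED = ["10.0.0.114/30", "10.0.1.8/29", "10.0.2.114/30", "10.0.3.224/29", "192.168.0.0/24"]

def parse_rules(text):
    """Turn each 'key=value key=value' line into a dict."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]

def lint(mangle_text, routes, connected):
    rules = parse_rules(mangle_text)
    nets = [ipaddress.ip_interface(c).network for c in connected]
    set_conn = {r["new-connection-mark"] for r in rules if r["action"] == "mark-connection"}
    set_route = {r["new-routing-mark"] for r in rules if r["action"] == "mark-routing"}
    route_marks = {mark for _, mark in routes if mark}
    findings = []
    for i, r in enumerate(rules, 1):
        # dst-nat'ed traffic is forwarded: input/output only see packets
        # addressed to, or generated by, the router itself.
        if r["chain"] in ("input", "output"):
            findings.append(f"rule {i}: chain={r['chain']} does not see forwarded traffic")
        cm = r.get("connection-mark")
        if cm and cm not in set_conn:
            findings.append(f"rule {i}: connection-mark {cm} is matched but never set")
    for m in sorted(set_route - route_marks):
        findings.append(f"routing mark {m} has no route")
    for m in sorted(route_marks - set_route):
        findings.append(f"route mark {m} is never assigned")
    for gw, _ in routes:
        if not any(ipaddress.ip_address(gw) in n for n in nets):
            findings.append(f"gateway {gw} is not on a connected network")
    return findings

if __name__ == "__main__":
    for finding in lint(MANGLE, ROUTES, CONNECTED):
        print("-", finding)
```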