Hi
I'm new to MikroTik routers but enjoying getting to know the OS and setting it up for my businesses.
I first set up a basic configuration with one WAN attached to ether1 and my local network plugged into ether4.
I have various port forwards set up that point to my server for email and Remote Web Workplace. I set these up in NAT but also needed to accept them in the firewall filter rules or the ports don't open. This went slightly against what I had read in the documentation, but it all works fine.
I then moved on to stage 2 to add a second WAN attached to ether2. I read quite a bit of documentation and set it up using the following rules:
/ip firewall mangle
add chain=prerouting dst-address=192.168.0.0/24 in-interface=ether4 action=accept
add chain=input in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=no
add chain=input in-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2 passthrough=no
add chain=output out-interface=ether1 connection-mark=WAN1 action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=output out-interface=ether2 connection-mark=WAN2 action=mark-routing new-routing-mark=WAN2 passthrough=no
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether4 per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether4 per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2
add chain=prerouting connection-mark=WAN1 in-interface=ether4 action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=prerouting connection-mark=WAN2 in-interface=ether4 action=mark-routing new-routing-mark=WAN2 passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=151.249.77.109 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.4 routing-mark=WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=151.249.77.109 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.4 distance=2 check-gateway=ping
/ip firewall nat
add chain=src-nat out-interface=ether1 action=masquerade
add chain=src-nat out-interface=ether2 action=masquerade
This works great with load balancing and failover.
I duplicated all my NAT and firewall rules that worked with WAN1 over to WAN2.
When this is all activated, I have an issue with the port forwarding. When I test the two incoming IP addresses for open ports (specifically port 25, as emails are most important) it seems the system is only "opening" ports on one WAN at a time. I check WAN1 and it will say port 25 is open, WAN2 says closed. I keep checking and suddenly WAN2 will be open and then WAN1 closed… Have I missed some important step regarding the two incoming connections?
In an ideal world both incoming WANs should accept the emails, so if WAN1 goes down I'm still getting them coming in…
Any help is greatly appreciated.
Thanks
Matt
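As an added example (not Matt's config and not MikroTik's own documentation), the mangle section rewritten so that dst-nat port forwards answer on both WANs: the `input` chain only sees packets addressed to the router itself, so forwarded connections arriving on ether1/ether2 never receive a connection mark there, and their replies from the server are then classified by the PCC rules instead, which can send them out through the other WAN. Marking those connections in `prerouting` lets the existing ether4 mark-routing rules return the replies through the WAN they arrived on. Interface names, the LAN subnet and the mark names are taken from the post; the routes, NAT and filter rules from the post stay as they are.

```routeros
/ip firewall mangle
# LAN-to-LAN traffic is kept out of the WAN marking logic (unchanged from the post).
add chain=prerouting dst-address=192.168.0.0/24 in-interface=ether4 action=accept
# Inbound connections from each WAN, including dst-nat port forwards (which never
# traverse the input chain), are marked here. These two rules replace the input-chain
# marks from the post and must sit above the PCC rules below.
add chain=prerouting in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2 passthrough=yes
# Replies generated by the router's own services still need a routing mark in output.
add chain=output connection-mark=WAN1 action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=output connection-mark=WAN2 action=mark-routing new-routing-mark=WAN2 passthrough=no
# PCC only classifies LAN-originated connections that carry no mark yet, so the
# forwarded connections marked above are not re-balanced.
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether4 per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1 passthrough=yes
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether4 per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2 passthrough=yes
# Server replies enter on ether4 already carrying the WAN mark set above and are
# routed back through the matching WAN, so the SYN-ACK leaves on the interface
# that owns the address the client connected to.
add chain=prerouting connection-mark=WAN1 in-interface=ether4 action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=prerouting connection-mark=WAN2 in-interface=ether4 action=mark-routing new-routing-mark=WAN2 passthrough=no
```

To confirm the marks are being applied, run `/ip firewall connection print where connection-mark=WAN2` while a port 25 check against the WAN2 address is in progress; the forwarded connection should appear with that mark.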