[SOLVED] Policy-based routing and port forwarding / mapping

Hey guys,

I have two WAN uplinks. The default route goes over WAN1 (Telekom VDSL), and for WAN2 (clara.net SDSL) I set up policy-based routing, so that connections to WAN2 leave on WAN2.

The problem: port forwarding for the “Telekom WAN” works fine, but port forwarding for the “clara.net WAN”, which is routed based on policies (see mangle rules), does not work. In the connection table on the router I can see a “half-open” TCP connection to 212.6.176.99:80 with the correct connection mark (cm_claranet), so my guess is that the route “back” is somehow broken, because the ACK is not received by the caller. The same thing can be observed in the server's connection table (192.168.1.99).

Hardware: RB1100AHx2 running RouterOS 5.26

Does anyone see my fault?

Is there a way to see the routing mark a packet or connection got?

Any help is really appreciated!


Please find my config below:

WAN Interfaces:

/interface ethernet
set 11 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="WAN Telekom VDSL" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:43:CC:78 master-port=none mtu=1500 name=ether10 \
    speed=1Gbps
set 12 arp=enabled auto-negotiation=yes comment="WAN clara.net SDSL" \
    disabled=no full-duplex=yes l2mtu=1600 mac-address=D4:CA:6D:43:CC:79 mtu=\
    1500 name=ether11 speed=100Mbps

IP config:

/ip address
add address=192.168.1.1/24 comment=servers disabled=no interface=ether1 \
    network=192.168.1.0
add address=192.168.2.1/24 comment=clients disabled=no interface=ether2 \
    network=192.168.2.0
add address=192.168.3.1/24 comment=printers disabled=no interface=ether3 \
    network=192.168.3.0
add address=192.168.8.1/24 comment=voip disabled=no interface=ether4 network=\
    192.168.8.0
add address=172.16.0.2/24 comment="WAN Telekom" disabled=no interface=ether10 \
    network=172.16.0.0
add address=192.168.0.1/24 comment="administrative switch" disabled=no \
    interface=ether9 network=192.168.0.0
add address=212.6.176.98/27 comment="WAN clara.net" disabled=no interface=ether11 network=\
    212.6.176.96
add address=212.6.176.99/27 comment="WAN clara.net" disabled=no interface=ether11 network=\
    212.6.176.96

firewall mangle config:

/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no dst-address=\
    212.6.176.96/27 new-connection-mark=cm_claranet passthrough=yes
add action=mark-connection chain=input disabled=no dst-address=\
    212.6.176.96/27 new-connection-mark=cm_claranet passthrough=yes
add action=mark-connection chain=forward disabled=no dst-address=\
    212.6.176.96/27 new-connection-mark=cm_claranet passthrough=yes
add action=mark-routing chain=prerouting connection-mark=cm_claranet \
    disabled=no new-routing-mark=rm_claranet passthrough=yes
add action=mark-routing chain=output connection-mark=cm_claranet disabled=no \
    new-routing-mark=rm_claranet passthrough=yes

firewall NAT config:

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade SDSL clara.net" \
    connection-mark=cm_claranet disabled=no
add action=masquerade chain=srcnat comment="masquerade VDSL Telekom" \
    disabled=no out-interface=ether10
add action=dst-nat chain=dstnat comment=192.168.1.99:80 disabled=no \
    dst-address=172.16.0.2 dst-port=8080 protocol=tcp to-addresses=\
    192.168.1.99 to-ports=80
add action=dst-nat chain=dstnat comment=192.168.1.99:80 disabled=no \
    dst-address=212.6.176.99 dst-port=80 protocol=tcp to-addresses=\
    192.168.1.99 to-ports=80

Routes:

/ip route
add check-gateway=ping comment="policy based clara.net" disabled=no distance=200 dst-address=0.0.0.0/0 \
    gateway=212.6.176.97 routing-mark=rm_claranet scope=30 target-scope=10
add check-gateway=ping comment="default WAN" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=172.16.0.1 scope=30 target-scope=10

Ape
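Added example, not the poster's configuration and not a quote of the solution from the thread: a two-WAN layout for RouterOS v5 in which dst-nat on the secondary uplink keeps working. It reuses the interface names, addresses and mark names from the post above; rule order, the use of connection-state=new, the matchers on the mark-routing rules and the log rule are assumptions of this example. The point it illustrates is the usual cause of the symptom described above: a routing mark is per packet, and the rm_claranet table holds only a default route via 212.6.176.97. RouterOS falls back to the main table only when nothing in the marked table matches, and a default route always matches, so any packet that receives rm_claranet goes out ether11, including a packet that just arrived on ether11 and was dst-nat'ed to 192.168.1.99. The mangle rules below therefore mark the connection on the WAN side but apply the routing mark only to packets that enter from the LAN side (replies and outbound traffic) or originate on the router itself. The last mangle rule answers the second question: because the routing mark is per packet, it is not visible in /ip firewall connection; a log rule matching on routing-mark shows which packets actually received it.

```routeros
# Added example (not the poster's config). Names and addresses are taken
# from the post; everything else is an assumption of this example.

/ip firewall mangle
# 1. Tag every connection that arrives on the clara.net uplink. Only the
#    connection is marked here; no routing mark is applied to packets
#    coming in from the WAN.
add chain=prerouting in-interface=ether11 connection-state=new \
    action=mark-connection new-connection-mark=cm_claranet passthrough=yes \
    comment="new connections arriving via clara.net"
# 2. Routing mark ONLY for packets that belong to such a connection, did
#    not arrive on ether11 (i.e. they come from the LAN side), and are not
#    destined to the router or to another LAN subnet. Those are the
#    replies that must leave through 212.6.176.97.
add chain=prerouting in-interface=!ether11 connection-mark=cm_claranet \
    dst-address-type=!local dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=rm_claranet passthrough=no \
    comment="replies to clara.net connections leave via clara.net"
# 3. Same for traffic the router itself sends on those connections
#    (e.g. answering on 212.6.176.98).
add chain=output connection-mark=cm_claranet dst-address-type=!local \
    action=mark-routing new-routing-mark=rm_claranet passthrough=no \
    comment="router-originated replies via clara.net"
# 4. Debugging aid: log packets that carry rm_claranet when they leave the
#    router. Disabled by default; enable briefly, it is noisy.
add chain=postrouting routing-mark=rm_claranet action=log \
    log-prefix="rm_claranet:" disabled=yes \
    comment="show which packets got the routing mark"

/ip firewall nat
# Source NAT keyed on the outgoing interface; the routing decision has
# already placed the packet on the right uplink.
add chain=srcnat out-interface=ether11 action=masquerade \
    comment="masquerade SDSL clara.net"
add chain=srcnat out-interface=ether10 action=masquerade \
    comment="masquerade VDSL Telekom"
# Port forwards, unchanged in substance from the post.
add chain=dstnat dst-address=212.6.176.99 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.99 to-ports=80 \
    comment="clara.net :80 -> 192.168.1.99:80"
add chain=dstnat dst-address=172.16.0.2 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.1.99 to-ports=80 \
    comment="Telekom :8080 -> 192.168.1.99:80"

/ip route
# Marked table: only packets that carry rm_claranet look here. Because
# rule 2 above never marks LAN-bound packets, the default route alone is
# enough and no LAN routes need to be duplicated into this table.
add dst-address=0.0.0.0/0 gateway=212.6.176.97 routing-mark=rm_claranet \
    check-gateway=ping distance=1 comment="table rm_claranet"
# Main table: everything else.
add dst-address=0.0.0.0/0 gateway=172.16.0.1 check-gateway=ping distance=1 \
    comment="default WAN"
```

To check the behaviour after applying it, open the forwarded port from outside via 212.6.176.99, enable the log rule, and look in /log: the SYN-ACK from 192.168.1.99 should appear with the rm_claranet: prefix, while the inbound SYN should not, because it never receives a routing mark. Connections from the LAN to 212.6.176.99 itself (hairpin NAT) are deliberately not covered by this example.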