Hi all!
I'm having some trouble setting up incoming traffic in my network.
I have 3 WAN connections:
- WAN1 (dhcp client)
/ip dhcp-client add interface=wan1 add-default-route=yes default-route-distance=11 use-peer-dns=no disabled=no
- WAN2 (pppoe)
/interface pppoe-client add name=wan2 interface=wan2-temp user=*** password=*** add-default-route=no use-peer-dns=no disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=wan2 distance=12
- WAN3 (dhcp client)
/ip dhcp-client add interface=wan3 add-default-route=yes default-route-distance=13 use-peer-dns=no disabled=no
All 3 are configured and working, the priority is WAN1, WAN2 and WAN3 respectively, NAT is enabled for local internet access and I can access the internet as it should be. If one interface is unplugged, the next in the priority list will be used, and so on…
I have a local server in my network, and I would like to forward incoming traffic from all WAN interfaces to this server (on some ports, for example 22).
The first thing I did was to redirect incoming traffic on the desired ports to the local server (this is working as expected):
/ip firewall nat add chain=dstnat protocol=tcp in-interface=wan1 dst-port=22 action=dst-nat to-addresses=192.168.0.1 to-ports=22
/ip firewall nat add chain=dstnat protocol=tcp in-interface=wan2 dst-port=22 action=dst-nat to-addresses=192.168.0.1 to-ports=22
/ip firewall nat add chain=dstnat protocol=tcp in-interface=wan3 dst-port=22 action=dst-nat to-addresses=192.168.0.1 to-ports=22
Next, I had to make sure incoming traffic from one interface would always return through the same interface.
I did this by creating a routing mark on forwarded traffic, to be able to create specific routes later.
/ip firewall mangle add action=mark-connection chain=forward in-interface=wan1 connection-state=new new-connection-mark=wan1_pfw passthrough=no comment="pfw wan1, out wan1"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=lan connection-mark=wan1_pfw new-routing-mark=wan1_traffic passthrough=no comment="pfw wan1, out wan1"
/ip firewall mangle add action=mark-connection chain=forward in-interface=wan2 connection-state=new new-connection-mark=wan2_pfw passthrough=no comment="pfw wan2, out wan2"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=lan connection-mark=wan2_pfw new-routing-mark=wan2_traffic passthrough=no comment="pfw wan2, out wan2"
/ip firewall mangle add action=mark-connection chain=forward in-interface=wan3 connection-state=new new-connection-mark=wan3_pfw passthrough=no comment="pfw wan3, out wan3"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=lan connection-mark=wan3_pfw new-routing-mark=wan3_traffic passthrough=no comment="pfw wan3, out wan3"
Finally, I created 3 routes, one for each routing mark, to make sure traffic goes out through the same interface it arrived on.
/ip route add dst-address=0.0.0.0/0 gateway=wan1 distance=1 routing-mark=wan1_traffic
/ip route add dst-address=0.0.0.0/0 gateway=wan2 distance=1 routing-mark=wan2_traffic
/ip route add dst-address=0.0.0.0/0 gateway=wan3 distance=1 routing-mark=wan3_traffic
BUT, here I faced a big problem. For the WAN interfaces which use DHCP to get their IP, the route above doesn't work, because I can't use the interface as the gateway. For the PPPoE interface, it works.
The only way to route the traffic correctly was changing the interface name to the gateway of the WAN interface, as in the following example (189.55.0.1 is the gateway of the WAN1 interface):
/ip route add dst-address=0.0.0.0/0 gateway=189.55.0.1 distance=1 routing-mark=wan1_traffic
Doing it this way everything works as expected, but the problem is that my provider assigns a dynamic IP to the connection, which changes regularly, so the WAN1 gateway changes too, and I am unable to make it work automatically. I have to change this IP manually every time the WAN IP changes.
Does anyone have a workaround for this problem, which works automatically when the WAN IP changes?
There is another topic talking about this issue (http://forum.mikrotik.com/t/weird-dhcp-client-address/55094/1), but I could not implement the proposed workaround.
Regards,
Fabiano
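One way to keep the marked routes in step with a changing DHCP gateway, added here as an example (it is not from the post above or from the linked thread): a dhcp-client `script=` that creates or rewrites the marked default route on every lease event. It assumes RouterOS v6 syntax (`routing-mark=` on routes) and the `$bound`, `$interface` and `$"gateway-address"` variables the dhcp-client passes to its script; the route comment `pfw-<interface>` is a convention chosen here so the script can find its own route.

```routeros
# Added example, not the poster's configuration. RouterOS v6 syntax assumed.
# The same script serves wan1 and wan3: the routing mark (wan1_traffic,
# wan3_traffic) and the route comment are both derived from $interface.
/ip dhcp-client set [find interface=wan1] script={
    :local gw $"gateway-address"
    :local mark ($interface . "_traffic")
    :local tag ("pfw-" . $interface)
    :if ($bound = 1) do={
        :log info ("dhcp on " . $interface . " bound, gateway now " . $gw)
        :if ([:len [/ip route find comment=$tag]] = 0) do={
            # first lease on this interface: create the marked route
            /ip route add dst-address=0.0.0.0/0 gateway=$gw distance=1 \
                routing-mark=$mark comment=$tag
        } else={
            # lease renewed or re-bound: point the existing route at the new gateway
            /ip route set [find comment=$tag] gateway=$gw disabled=no
        }
    } else={
        # lease lost: disable the route so marked traffic is not black-holed
        :log warning ("dhcp on " . $interface . " lost, disabling " . $tag)
        /ip route set [find comment=$tag] disabled=yes
    }
}
# Reuse the identical script on the other DHCP WAN.
/ip dhcp-client set [find interface=wan3] script=[get [find interface=wan1] script]
# Force an immediate lease event so the routes appear without waiting for renewal.
/ip dhcp-client release [find interface=wan1]
/ip dhcp-client release [find interface=wan3]
```

Check the result with `/ip route print where routing-mark~"_traffic"` after the clients re-bind; the `/log print` entries written by the script show each gateway change as it happens.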