Two Wan Dst-Nat setup

passarelli · March 15, 2017, 8:46pm

Hello everybody,
I’ve been searching about my problem here, but unfortunately any topic could help me, I’ve tried everything that I found.
So, my current scenario is: Link!!

Wan1 = 1.1.1.1
Wan2 = 2.2.2.2
Server= 192.168.0.2

What I need is:

The server (192.168.0.2) has nat rule to forward 3389 port, this rule must be available through both links
My mikrotik need to be available through both links as well (web and winbox access)

At this time, I just trying to make the Wan2 work in parallel.
Here are my rules:

Mangle
0 chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=eth4_Wan_Net log=yes
1 chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=no connection-mark=wan2_conn out-interface=eth4_Wan_Net log=yes
2 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=no connection-state=new connection-mark=no-mark in-interface=eth4_Wan_Net log=no
3 chain=prerouting action=mark-routing new-routing-mark=to_wan2 passthrough=no connection-mark=wan2_conn in-interface=eth7 log=no

Route
0 A S ;;; WAN1_route-mark
dst-address=0.0.0.0/0 gateway=WAN1_GW gateway-status=WAN1_GW reachable via WAN1 check-gateway=ping distance=10 scope=30 target-scope=10 routing-mark=to_wan1
1 A S ;;; WAN2_route-mark
dst-address=0.0.0.0/0 gateway=WAN2_GW gateway-status=WAN2_GW reachable via WAN2 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_wan2
2 A S ;;; WAN1_main route
dst-address=0.0.0.0/0 gateway=WAN1_GW gateway-status=WAN1_GW reachable via WAN1 check-gateway=ping distance=1 scope=30 target-scope=10
3 S ;;; WAN2_secondary
dst-address=0.0.0.0/0 gateway=WAN2_GW gateway-status=WAN2_GW reachable via WAN2 check-gateway=ping distance=2 scope=30 target-scope=10

NAT
25 ;;;
chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=3389 protocol=tcp in-interface=wan2 dst-port=3389 log=no log-prefix=“”

Somebody could help me!??

Sob · March 16, 2017, 12:29am

And what exactly doesn’t work?

On first look, access to router should work from WAN1 and if you remove out-interface=eth4_Wan_Net from mangle rule #2, it should then work for WAN2 too. Dstnat for RDP port is limited to WAN2, so either duplicate the rule for WAN1, or replace in-interface=wan2 with dst-address-type=local.

passarelli · March 16, 2017, 11:41am

Sob, sorry it was my mess during typing.
Where there is eth4_Wan_Net, is suppose to be Wan2. I’ve just changed to make it simple for you understand.
So forget about this. (Wan2 = eth4_Wan_Net)
About NAT, yes when I duplicate it works on Wan1, but Wan2 still not working.

What’s happening, the connection just doesn’t happen.
I can see the in packets counters increasing when I try to connect, but fail with timeout connection error.

Is there anything else I can do?

BartoszP · March 16, 2017, 1:50pm

Read this: http://forum.mikrotik.com/t/port-forwarding-problem/93224/16
and setup proper rules for both WANs.

passarelli · March 16, 2017, 2:00pm

Thanks, I will.

passarelli · March 16, 2017, 2:54pm

Analyzing with Torch, I found something that is strange.
The traffic arrives in WAN2_interface, but it doesn’t arrive in DMZ_interface (which is where the server is plugged).
Even if I disable mangles rules, the traffic still not arriving in DMZ_interface.
It seems like if the router doesn’t know where this network is.

Sob · March 16, 2017, 3:14pm

Or it can be blocked by firewall filter.

passarelli · March 16, 2017, 4:49pm

No, there is no rule blocking!
And to make sure, I have created a filter rule, that log traffic foward on port 3389 to my server IP, but no packets were registered.
But, when I make a connection to the server from local network, the packets were registered in filter rule.

Sob · March 16, 2017, 5:21pm

If you suspect that router might be getting lost in different routing tables, you can use rules like this, to make sure that it uses the right one for selected destination:

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

passarelli · March 16, 2017, 7:10pm

Sob:

If you suspect that router might be getting lost in different routing tables, you can use rules like this, to make sure that it uses the right one for selected destination:
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

No success

Listed below are the log about prerouting rule.:
15:59:11 firewall,info prerouting: in:eth4_Wan_Net out:(none), src-mac 94:87:7c:3a:8c:a1, proto TCP (SYN), REMOTE_IP:51401->WAN2_IP:3389, len 52
15:59:14 firewall,info prerouting: in:eth4_Wan_Net out:(none), src-mac 94:87:7c:3a:8c:a1, proto TCP (SYN), REMOTE_IP:51401->WAN2_IP:3389, len 52

Sob · March 16, 2017, 9:59pm

This reminds me of something… did you by any chance do anything in “/ip settings”, specifically with “rp-filter” option?

passarelli · March 17, 2017, 1:35pm

I don’t, at least.
But here are my confs:
ip-forward: yes
send-redirects: yes
accept-source-route: no
accept-redirects: no
secure-redirects: yes
rp-filter: strict
tcp-syncookies: no
max-neighbor-entries: 8192
arp-timeout: 30s
icmp-rate-limit: 10
icmp-rate-mask: 0x1818
route-cache: yes
allow-fast-path: yes
ipv4-fast-path-active: no
ipv4-fast-path-packets: 0
ipv4-fast-path-bytes: 0
ipv4-fasttrack-active: no
ipv4-fasttrack-packets: 0
ipv4-fasttrack-bytes: 0

Sob · March 17, 2017, 2:38pm

That’s it, try “loose”.

passarelli · March 20, 2017, 10:54am

Maaan you are the best!!!
I’ve just switched to loose and it works!!!

Thanks a lot Sob

madmouser1 · May 31, 2017, 6:39pm

Any suggestions on what LOG Settings will catch the RP Filter that was on strict ?

Tnx