I have an issue with a network that has two WAN interfaces and one LAN. They are set up as primary and secondary, and fail over when triggered by a netwatch script.
My issue is that when I try to Remote Desktop in through the secondary WAN interface, the port-forward NAT rule's counter goes up as if the connection is reaching it, but (I believe) the reply traffic isn't being routed back out the same way.
Not sure what information I can offer to help you help me, so just let me know =)
Thanks in advance!
# Interface addressing: one LAN and two WAN uplinks (cable and fiber).
# NOTE(review): the cable address is masked as x.x, but network= and
# broadcast= on the same entry are not; mask those too before sharing an export.
/ ip address
# LAN-side address of the router on 192.168.0.0/24.
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface="ether2 - LAN" comment="" disabled=no
# Cable WAN address, a /29.
add address=24.172.x.x/29 network=24.172.148.112 broadcast=24.172.148.119 \
interface="ether3 - WAN4cable" comment="" disabled=no
# Fiber WAN: this private 10.x.x.x address has a public IP pointed at it for
# firewall reasons, so inbound traffic on this link presumably arrives already
# translated by an upstream device -- confirm.
add address=10.48.8.70/21 network=10.48.8.0 broadcast=10.48.15.255 \
interface="ether4 - WAN4fiber" comment="" disabled=no
# Routes: the main table plus two marked tables, "primary" and "secondary".
/ ip route
# Host route that pins 24.29.x.x to the cable-side gateway.
add dst-address=24.29.x.x/32 gateway=24.172.y.y scope=255 \
target-scope=10 comment="Force 24.29.x.x along the main path" \
disabled=no
# Main-table default route via the cable-side gateway. Traffic that no route
# rule or routing mark steers into another table follows this route.
add dst-address=0.0.0.0/0 gateway=24.172.y.y scope=255 target-scope=10 \
comment="DEFAULT" disabled=no
# Table "secondary": default route via the fiber-side gateway 10.48.8.64.
add dst-address=0.0.0.0/0 gateway=10.48.8.64 scope=255 target-scope=10 \
routing-mark=secondary comment="t1" disabled=no
# Table "primary": default route via the cable-side gateway.
add dst-address=0.0.0.0/0 gateway=24.172.y.y scope=255 target-scope=10 \
routing-mark=primary comment="cable" disabled=no
# Policy routing: choose a routing table from the packet's source address.
# NOTE(review): both rules match only packets whose source is already one of
# the router's own WAN addresses. Replies from a port-forwarded LAN host are
# routed while their source is still 192.168.0.2 (the dst-nat translation is
# undone after the routing decision), so they likely miss these rules and
# leave via the main-table default on the cable link. That would fit a dst-nat
# counter that rises on the fiber link while the session never completes.
# The usual remedy is to mark connections arriving on each WAN in
# /ip firewall mangle (action=mark-connection) and give their replies the
# matching routing mark (action=mark-routing) -- confirm on the device.
/ ip route rule
# Packets sourced from the cable WAN address use table "primary".
add src-address=24.172.x.x/32 action=lookup table=primary comment="" \
disabled=no
# Packets sourced from the fiber WAN address use table "secondary".
add src-address=10.48.8.70/32 action=lookup table=secondary comment="" \
disabled=no
# NAT: masquerade LAN traffic out of either uplink and forward inbound RDP
# (TCP 3389) from both uplinks to the LAN host 192.168.0.2.
/ ip firewall nat
# Source-NAT for 192.168.0.0/24 leaving via the cable uplink.
add chain=srcnat action=masquerade out-interface="ether3 - WAN4cable" \
src-address=192.168.0.0/24 comment="" disabled=no
# Source-NAT for 192.168.0.0/24 leaving via the fiber uplink.
add chain=srcnat action=masquerade out-interface="ether4 - WAN4fiber" \
src-address=192.168.0.0/24 comment="" disabled=no
# Forward TCP 3389 arriving on the cable uplink to 192.168.0.2:3389.
# NOTE(review): the rule has no src-address or src-address-list match, so it
# accepts any source. Unless a filter rule not shown here restricts it, RDP on
# the server is reachable from the whole Internet; prefer limiting the rule to
# known source addresses or reaching the server over a VPN.
add chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=3389 \
in-interface="ether3 - WAN4cable" dst-port=3389 protocol=tcp \
comment="REMOTE DESKTOP TO SERVER" disabled=no
# Same forward for the fiber uplink, also without a source restriction.
add chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=3389 \
in-interface="ether4 - WAN4fiber" dst-port=3389 protocol=tcp \
comment="REMOTE DESKTOP TO SERVER" disabled=no