Web server on WAN2

Hi,
I’m asking for help with a configuration that worked on v6 RouterOS but doesn’t work on v7.

I have 2 PPPoE WANs and one LAN. All internet traffic from goes on WAN1 with distance 1 and on WAN2 as failover with distance 5, and this works well.
I need to make a web server reachable from both WANs and I made these rules:

WAN1 and WAN2 are masquerade and internet is working on both interfaces.

NAT of ports 80/443 from WAN1 to 192.168.10.10 ports 80/443.
NAT of ports 80/443 from WAN2 to 192.168.10.10 ports 80/443.

If I point to WAN1 public IP, I see the web server on 192.168.10.10

Then I made two firewall mangle rules:

on prerouting chain traffic incoming on wan2 mark-connection=from_wan2
on prerouting (or output) chain traffic marked with connection-mark=from_wan2: new-routing mark: to_WAN2

Last, a routing rule for 0.0.0.0/0 with routing mark = to_WAN2, distance 1 - gateway PPPoE2 (WAN2).
I also made a row in /route rules for the to_WAN2 route.

This did work on v6 RouterOS but not on v7… why?

I want the web server to be reachable from both the WAN1 and WAN2 public IPs.

Thank you

I've never done this, but I would think RouterOS basic NAT would handle this without the mangling. It certainly will work up to the point where the router dst-nats the connection to the internal web server. When that server replies to the router, NAT should look at the reply and say, "Ah, this connection request came in on WAN2, so I should send it out that way, not via the default route."

But this is perhaps naive.

A possibly better guess: show your rules. Saying "NAT of ports" is vague by half, because you aren't specifying srcnat vs dstnat. Don't make us guess. Show us.

It probably doesn’t work because in v7 routing marks started applying to same-named routing tables and not routes (the routing-mark parameter was removed for them).

To adjust to this change, you will only add a routing table named "to_WAN2" or whatever the routing mark is, and add a default route pointing to WAN2 PPPoE interface in it:

/routing table
add fib name=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway="WAN2_PPPoE_int"

I think that nat rules are correct, because on WAN1 they work perfectly:

6 ;;; Web Server HTTP (WAN1)
chain=dstnat action=dst-nat to-addresses=192.168.12.80 to-ports=80
protocol=tcp dst-address=[WAN1 Public IP] in-interface=eth3_WAN1
dst-port=80 log=no log-prefix="WS-HTTP"

7 ;;; Web Server HTTPS (WAN1)
chain=dstnat action=dst-nat to-addresses=192.168.12.80 to-ports=443
protocol=tcp dst-address=[WAN1 Public IP] in-interface=eth3_WAN1
dst-port=443 log=no log-prefix="WS-HTTPS"

8 ;;; Web Server HTTP (WAN2)
chain=dstnat action=dst-nat to-addresses=192.168.12.80 to-ports=80
protocol=tcp dst-address=[WAN2 Public IP]
in-interface=pppoe-out(WAN2) dst-port=80 log=no
log-prefix="WS-HTTP"

9 ;;; Web Server HTTPS (WAN2)
chain=dstnat action=dst-nat to-addresses=192.168.12.80 to-ports=443
protocol=tcp dst-address=[WAN2 Public IP]
in-interface=pppoe-out(WAN2) dst-port=443 log=no
log-prefix="WS-HTTPS"

Rules 6 & 7 are working.
Rules 8 & 9 work only if I disable WAN1 (so all the traffic is routed on WAN2).

I think that doing this, all outgoing traffic will go on wan2. No routing table or mark is specified…

For RoS 7, apply the sections from 4:56 to 9:52 and from 12:57 to 13:49 of this MikroTik video.

Which means only the three "chapters":

4:56 - Routing tables and routes
6:47 - Match outgoing traffic to incoming
12:57 - LAN to Internet routing marks

Ignore the PCC section of that video!

The second command will make the route in the "main" routing table; it should be, I believe, like this:

/routing table
add fib name=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway="WAN2_PPPoE_int" routing-table=to_WAN2

@Andale
It would be easier if you posted your complete current configuration, following this:

bits and pieces here and there are confusing and there could be something else that is seemingly unrelated that could make the config not work properly.

Thank you very much, this rule was missing, and now it works!!!

A.
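For reference, the pieces discussed in this thread put together for RouterOS v7, as an added example that was not posted by any participant. The mark names are the ones used above; `WAN2_PPPoE_int` is the placeholder from the replies and `LAN_int` is an assumed name for the LAN-side interface.

```routeros
# Added example, not a participant's configuration.
# Assumptions: WAN2_PPPoE_int = WAN2 PPPoE interface, LAN_int = LAN interface.

# 1. In v7 a routing mark refers to a routing table of the same name,
#    so the table has to exist before mangle rules can reference it.
/routing table
add fib name=to_WAN2

# 2. Default route placed in that table. Without routing-table= the route
#    is created in "main" and competes with the normal default routes.
/ip route
add dst-address=0.0.0.0/0 gateway=WAN2_PPPoE_int routing-table=to_WAN2

/ip firewall mangle
# 3. Tag every new connection that arrives on WAN2.
add chain=prerouting in-interface=WAN2_PPPoE_int connection-state=new \
    action=mark-connection new-connection-mark=from_wan2 passthrough=yes \
    comment="remember connections that entered via WAN2"

# 4. Replies from the web server enter the router on the LAN side.
#    Matching on in-interface=LAN_int keeps the routing mark off the
#    inbound WAN2 packets, which still have to be routed to the server
#    through "main" after dst-nat.
add chain=prerouting in-interface=LAN_int connection-mark=from_wan2 \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no \
    comment="send server replies back out WAN2"

# 5. Same for replies generated by the router itself (output chain).
add chain=output connection-mark=from_wan2 \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no \
    comment="router's own replies on WAN2 connections"

# Checks after a test request to the WAN2 public IP:
#   /ip route print where routing-table=to_WAN2
#   /ip firewall connection print where connection-mark=from_wan2
```

The existing dst-nat rules 8 and 9 stay as they are; the counters on the two mark-routing rules show whether reply packets are being matched.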