DRSDavidSoft
just joined
Topic Author
Posts: 2
Joined: Sun Jan 13, 2019 4:02 pm
Location: California, CA

How to forward ports to multiple WAN interfaces?

Sun Jan 13, 2019 5:26 pm

I have a MikroTik router that has multiple WAN interfaces from different ISPs connected to it, and I need to NAT all incoming traffic from any of the public IP addresses to a node on my local network.

How should I configure a clean-state router to achieve this?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to forward ports to multiple WAN interfaces?

Mon Jan 14, 2019 5:41 pm

Hi there, not sure what you mean, but for example I have two dynamic WANIPs, one cable and one Bell fiber.
I have a masquerade rule for both. Be aware these rules do no routing; they simply tell the router that if traffic goes out
ISP one, it should be given the associated WANIP, and similarly if the traffic goes out on ISP2 it should be given the associated WANIP.
In other words, translate the private IP to a public IP outbound from the router.
This is for a fail-over setup. The Bell fiber runs all the time.
In general, masquerade rules are for dynamic WANIPs;
source NAT rules are for static WANIPs.

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
out-interface=vlanbell

If you want to port-forward traffic from external public IPs to a server behind the router, you need to include a general FORWARD chain firewall rule that allows dst-nat connections.
Then on the ip firewall nat side you create the necessary dstnat rules...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

However, I don't understand your request. Perhaps with the above discussion you can phrase your question with better fidelity.
(In general, unsolicited traffic arriving at your router should be rejected!)
(Did you want to forward specific traffic to specific servers?)

For example.....
/ip firewall filter
add action=accept chain=forward comment=\
"Allow Port Forwarding" connection-nat-state=dstnat

/ip firewall nat
add action=dst-nat chain=dstnat comment=Utility_TCP disabled=yes dst-port=yyyyy \
in-interface-list=WAN log=yes protocol=tcp src-address-list=Allowed_Utility \
to-addresses=192.168.xx.zz
add action=dst-nat chain=dstnat comment=Utility_UDP disabled=yes dst-port=yyyyy \
in-interface-list=WAN log=yes protocol=udp src-address-list=Allowed_Utility \
to-addresses=192.168.xx.zz

Note that the in-interface is specified as "in-interface-list", which includes all my WANs, such that no matter which WAN the user comes in on, the traffic will reach the server.
I use a source address list to further limit access to the servers (if known).
Unless port translation is required (the port the user comes in on is to be modified before hitting the server), one does not need the to-ports= part of the rule.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: How to forward ports to multiple WAN interfaces?

Thu Jan 17, 2019 3:19 pm

In addition to port forwarding (dst-NAT to your LAN IP, port), you will have to make sure the return traffic goes back to the WAN interface it came from. To do this, you mark the incoming connection, then use this mark to route traffic out to the same interface.
Check load-balancing examples where this was part of the config. Sorry, I have something scheduled in the next 10 mins and will have to get ready, otherwise I would find those examples for you.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to forward ports to multiple WAN interfaces?

Thu Jan 17, 2019 9:59 pm

Solar, that is premature, as we do not know what kind of WAN scenario the OP is envisioning.
If I told you it was 1 main WAN with 5 for failover (unlikely) OR
1 main WAN and 5 for direct public IPs to servers (could be) OR etc.....

You are probably right, but it bugs me no end when people much smarter than myself on MikroTik stuff start assuming requirements. :-)

The one question I do have is that for every outbound connection initiated behind the router, isn't connection tracking noting where it came from (LAN IP) and where it went (outbound WANIP), and thus return traffic from the same WANIP will then get routed to the right internal (LAN IP)?

No mangling required there........

The next question alludes to, let's say, INPUT FROM ANY of the 5 WANs coming in, and they all point to SERVER (I'm assuming that is what is meant by a node). In this case we are talking inbound unsolicited traffic, and as such it has a destination port (and maybe a source address list associated). IF the dst-nat router rule is such that
any inbound traffic in-interface-list=WAN is routed to a specific server on a specific LAN, that traffic IS CONNECTION TRACKED by the router, and thus the router knows which WAN it came in on and where it went. Why is it not safe to assume that server return traffic would then be sent to the correct WANIP by connection tracking?

In other words, I still see no need for mangling.

I feel I am missing something, but what?
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: How to forward ports to multiple WAN interfaces?

Fri Jan 18, 2019 11:37 am

anav, I get what you are saying about making assumptions. Yes, that was an assumption on my part.
It was made based on my "best guess"; if not correct, then we can change the solution.
The second reason is that the mangle rules are needed whether it's a fail-over or load-balancing setup, in my humble opinion.

Now the fun bit: Connection Tracking. I'd love to discuss this and get to the bottom of it, as I am not 100% clear myself. Reading the MikroTik Wiki regarding PCC https://wiki.mikrotik.com/wiki/Manual:PCC
(the load-balancing example) and also an old post here viewtopic.php?t=135991#p670032
both have mangle rules to ensure the traffic returns to the gateway it came from. I think Connection Tracking is to remember packets that belong to the same connection when doing NAT, so it is more to do with source IP and destination IP, knowing which IP address the return traffic should be sent back to. In the case of src-nat, the router sends a packet to 8.8.8.8, but the return traffic only has the dst-ip of the router's public IP; it needs Connection Tracking to send this traffic to one of the private IPs, say 192.168.88.100, from which the packet was anticipated. So the answer to your first question is yes, I think you are correct.

This is all very well, but I don't think Connection Tracking plays a role in routing, in other words, which gateway the traffic is sent to. So even if Connection Tracking gives the packet the correct source and destination IPs, it may end up going out of the local network via a different gateway.

So in the case of a fail-over configuration, all traffic will be leaving the router from the primary gateway (unless it fails), which means incoming traffic from WAN2, WAN3 will be returned to its source IP via WAN1. This would be a problem.

OK, this is the best I can do. I welcome more detailed explanations or corrections. @Sob ?

PS: I'd love to see more video tutorials on the Packet Flow Diagram; yes, I am watching this one
https://www.youtube.com/watch?v=MF0lGclPa5E
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to forward ports to multiple WAN interfaces?

Fri Jan 18, 2019 3:40 pm

Thanks, what you said makes sense, in that connection tracking works in the first case (no routing really involved on the return traffic), but on the incoming unsolicited traffic, after it reaches the server and return traffic is initiated by the server (I am wrong, and connection tracking doesn't actually route the traffic, and thus one needs to look at route rules to figure out where the return traffic will go, and thus the reason to mark such traffic on the inbound path so that the route rules can be correctly applied to this traffic when returned from the server heading on the outbound path).

I wonder in such cases if we give connection tracking a headache. If it was a person it would be thinking, WTF, why is that return traffic going out the wrong WAN? I know in my map here it should be going out the other WAN. STUPID ADMIN forgot to mangle the incoming traffic in the first place and he/she thinks I can route traffic outbound, the moron!

Am I close?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to forward ports to multiple WAN interfaces?

Fri Jan 18, 2019 4:13 pm

@anav, you're close. But the RB administrator has to keep in mind that there are a few processes running inside the RB, and those are pretty separate (they don't interfere with each other). Connection tracking is a function of the firewall (it helps to determine if a packet should pass the FW or not). The FW itself does not do routing; it's the routing engine that does it. Even if NAT is part of the FW, changed IP addresses (either SRC or DST) don't alone define routing ...
And the routing engine per se doesn't have a state machine built in. So if there are some particular circumstances that affect the routing engine when doing its job, we have to show it ... using {route,packet,connection} marking or similar hints.

Well, there are operations that seemingly tie things together, such as /ip firewall nat add action=masquerade chain=srcnat out-interface=<WAN address> ... which seemingly takes care of both address translation (action=masquerade) and routing (out-interface). But it doesn't: the example command actually looks at the result of the routing engine (send this packet via the WAN interface) and applies the appropriate src-address replacement (and src-port as well).
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: How to forward ports to multiple WAN interfaces?

Fri Jan 18, 2019 4:41 pm

@mkx, yes, it does make more sense now (even though I have not finished that tutorial video regarding Packet Flow). As you say, out-interface is a condition of such a masquerade rule, not the outcome of it. Traffic is going out on that particular interface because the routing engine tells it to.

Now, out of curiosity, without this condition the router should masquerade all traffic on the srcnat chain to whatever IP is assigned to the interface it leaves from. So I tested on my home router; things are still working. I think it's because
the traffic leaving the WAN interface is masqueraded, so the Internet is working fine;
traffic going to another PC on my LAN still works, because the traffic is within the same local bridge, so it never got to the routing process.

Then my question: under what situation would the missing out-interface=<> condition cause a problem? Traffic from one bridge to another? But then it's masqueraded, and Connection Tracking will remember the source IP anyway...
Maybe I am thinking too much, but it will bother me tonight when I try to sleep....
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to forward ports to multiple WAN interfaces?

Fri Jan 18, 2019 5:27 pm

Solar77, a good bottle of wine will help with the insomnia.
MKX, awesome breakdown as usual!

One question though......
Let's say I had three WAN IPs.
Let's say I had one server that needed to be accessible on all three WANIPs.
Let's say I am allergic to mangle rules.
Let's say I had three NIC cards on the server.
Let's say I gave each NIC card a different IP address.

Could I do something like...
/ip route
add route to go to IP1 for source address server one
add route to go to IP2 for source address server two
add route to go to IP3 for source address server three

I suppose that is overly complicated, because I would have to ensure users come in on the correct WAN interface, but HOW they are instructed to do so now is my question.
In other words, the solution would be best completed on knowing how the users are informed to access the server. Does the OP give them five DynDNS names or 5 WANIPs to try?

Now I am questioning everything (such as why am I here).
Does it really matter which WANIP the return traffic goes out of, as long as it is returned to the originator? Strange thought, but it popped into my head.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: How to forward ports to multiple WAN interfaces?

Fri Jan 18, 2019 7:07 pm

OK, let's see.

@anav

If you have 3 NICs on the server, then you can route each IP to a chosen gateway, but I cannot think of a way of doing it without mangle (which you are allergic to :-D),
because if you try to add a static route, your dst-address is 0.0.0.0/0 and the gateway is GatewayX; there is no way to add a source IP, and then you need a routing mark. Where do you get a routing mark from? Yes, mangle.... :lol:

The OP might say to his / her users, use xxxx to access my service, but if it is down or slow, use yyyy, or use zzzz.

Finally,
Does it really matter which WANIP the return traffic goes out of, as long as it is returned to the originator? Strange thought, but it popped into my head.
I think it does, because when the user PC sends traffic to xxxx and gets a reply from src-ip yyyy, it will have a WTF moment and this packet will be rejected, I think.

If you don't see a reply from me, I am out shopping for more wine. :lol:

@mkx, any thoughts on the "what if" scenario where out-interface=WAN is removed from the masquerade rule?
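The complete configuration the thread is circling (dst-nat from any WAN to one server, plus the mangle connection marks and routing marks that send the server's replies back out the ISP the request arrived on), written out as an added example. This is not anyone's config from the thread; it assumes RouterOS v6 syntax, two WAN interfaces named WAN1 and WAN2 (ISP gateways 203.0.113.1 and 198.51.100.1, documentation addresses), a LAN bridge named bridge, a server at 192.168.88.10, and an address list Allowed_Utility holding the permitted client sources. Connection tracking still does the address bookkeeping; the routing mark is what tells the routing engine which gateway to use.

```routeros
# Added example, not from the thread. RouterOS v6 syntax; interface names, addresses
# and list names are assumptions for the illustration.

/interface list
add name=WAN
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN

# 1. Remember which ISP a new inbound connection arrived on. The mark lives in the
#    connection-tracking entry, so every later packet of that flow carries it.
/ip firewall mangle
add chain=prerouting in-interface=WAN1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=WAN2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

# 2. The server's replies enter from the LAN. Translate the connection mark into a
#    routing mark so the routing engine picks the matching ISP instead of the default route.
add chain=prerouting in-interface=bridge connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting in-interface=bridge connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no

# 3. Same idea for services on the router itself (input/output chains).
add chain=input in-interface=WAN1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=input in-interface=WAN2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

# 4. One default route per routing mark, plus the ordinary fail-over default routes
#    (WAN1 preferred by distance, WAN2 as backup).
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2

# 5. Outbound NAT scoped per WAN, and the port forward accepted from any WAN but
#    limited to known client sources.
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade comment="srcnat via WAN1"
add chain=srcnat out-interface=WAN2 action=masquerade comment="srcnat via WAN2"
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    src-address-list=Allowed_Utility action=dst-nat to-addresses=192.168.88.10 \
    comment="forward HTTPS from any WAN to the server"

# 6. Forward-chain filter: replies by state, dst-nat'ed new flows from WAN, nothing else unsolicited.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=dstnat action=accept
add chain=forward in-interface-list=WAN connection-state=new action=drop
```

A quick way to confirm the marks are doing their job is `/ip firewall connection print detail` while a client on WAN2 is connected: the entry for the server should show connection-mark=WAN2_conn, and `/tool torch interface=WAN2` should show the reply packets leaving on WAN2 rather than WAN1. Without the step 2 rules the entry still exists and the addresses are still translated correctly, but the replies follow the distance=1 route out WAN1 with a WAN2 source address, which is exactly the mismatch the thread describes.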
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to forward ports to multiple WAN interfaces?

Sat Jan 19, 2019 12:37 pm

If one (temporarily :wink:) keeps in mind that action=masquerade is a special variant of action=src-nat ... then it becomes clear that without stating out-interface the router will masquerade (src-nat) all passing traffic. Which is harmless only in a single scenario that I can think of: single WAN, single LAN, no port forwarding. Even if the user adds a single port forward (read: dst-nat rule), it will mess things up (the internal server will see the incoming connection as if it originated from the router ... which messes up potential access filtering on the service level). If there is more than one LAN in the mix, all traffic between two LANs will get src-nated. Which might be desirable, but in this case it's better to create additional masquerade rules just to make the configuration more apparent (I'm not a believer in obfuscated config for getting minor performance gains).

Now, if one uses action=src-nat, usually one also defines the new src-address (usually the router's address on the corresponding out-interface, but it can be any other address valid on that interface ... which is handy in the scenario where the user has a subnet of public addresses available on the WAN interface). If the replacement address is wrong, the peer router (i.e. the ISP access router) might rightfully drop such a packet on ingress (it might seem like a source-routed packet). If out-interface is not set for action=src-nat, it is very probable that the replaced src-address will not match the allowed values for a particular out-interface.
action=masquerade makes such a case highly improbable (it automagically uses the correct router address).
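The two src-nat mistakes described above, side by side with their scoped forms, as an added example (not mkx's or anyone else's config from the thread). It assumes RouterOS v6 syntax, WAN interfaces WAN1 (dynamic address) and WAN2 (static public block containing 198.51.100.10, a documentation address), a LAN of 192.168.88.0/24 on bridge, and a forwarded server at 192.168.88.10.

```routeros
# Added example, not from the thread. Names and addresses are assumptions.

# --- Weak form 1: masquerade with no out-interface ---------------------------
# Matches every packet that reaches srcnat, including dst-nat'ed client traffic
# being forwarded to the server, so the server sees every client as the router.
/ip firewall nat
add chain=srcnat action=masquerade comment="BROAD masquerade - rewrites forwarded flows too"

# --- Weak form 2: src-nat with a fixed address but no out-interface ------------
# The WAN2 address is stamped on packets that leave via WAN1 as well; the WAN1
# ISP will likely discard them on ingress as a spoofed/source-routed looking packet.
add chain=srcnat action=src-nat to-addresses=198.51.100.10 \
    comment="BROAD src-nat - wrong source on WAN1"

# --- Corrected: scope every translation to the interface it is valid on -------
/ip firewall nat
remove [find comment~"^BROAD"]
add chain=srcnat out-interface=WAN1 action=masquerade \
    comment="dynamic address: masquerade picks WAN1's current address"
add chain=srcnat out-interface=WAN2 src-address=192.168.88.0/24 action=src-nat \
    to-addresses=198.51.100.10 comment="static public address valid only on WAN2"

# If LAN clients must reach the server through its public name, add a hairpin
# rule scoped to that exact LAN-to-server case instead of dropping out-interface.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    out-interface=bridge action=masquerade comment="hairpin NAT for LAN clients only"

# Check: after the fix, a forwarded connection keeps the real client as its source.
/ip firewall connection print where dst-address~"192.168.88.10"
```

With the broad rule in place the connection entry for the server shows reply-dst-address as the router's LAN address, so any per-client allow list on the server (and its logs) become useless; after scoping, the same entry shows the original WAN-side client address and only the LAN-to-WAN flows are rewritten.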
