Wan 1 : 192.168.10.2
Wan 2 : 192.168.20.2
The load balance works, but a NAT rule I have set for a webserver seems not to be working well. If 2 WANs are connected, the NAT sometimes works, sometimes not. If it works, the connection is slow. If I disable the Wan 2 (the NAT rule is only on WAN 1).
The NAT rule connects a webserver, IP 192.168.1.200, that on the LAN responds on 443 (https, tcp) but is mapped on the ISP router Wan 1 on port 35000.
Mangle rule:
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough
 1 D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 2 D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough
 3   ;;; Accept da WAN1
      chain=prerouting action=accept dst-address=192.168.178.0/24 log=no
      log-prefix=""
 4   ;;; Accept da WAN2
      chain=prerouting action=accept dst-address=10.0.2.0/24
 5   ;;; PCC stream WAN1
      chain=prerouting action=mark-connection new-connection-mark=WAN1
      passthrough=yes dst-address-type=!local connection-mark=no-mark
      in-interface=bridge per-connection-classifier=both-addresses:2/0
 6   ;;; PCC stream WAN2
      chain=prerouting action=mark-connection new-connection-mark=WAN2
      passthrough=yes dst-address-type=!local connection-mark=no-mark
      in-interface=bridge per-connection-classifier=both-addresses:2/1
 7    chain=prerouting action=mark-routing new-routing-mark=WAN1-mark
      passthrough=yes connection-mark=WAN1 in-interface=bridge
 8    chain=prerouting action=mark-routing new-routing-mark=WAN2-mark
      passthrough=yes connection-mark=WAN2 in-interface=bridge
 9    chain=output action=mark-routing new-routing-mark=WAN1-mark passthrough=ye>
      connection-mark=WAN1
10    chain=output action=mark-routing new-routing-mark=WAN2-mark passthrough=ye>
      connection-mark=WAN2
11    chain=prerouting action=mark-connection new-connection-mark=WAN1
      passthrough=yes connection-mark=no-mark in-interface=WAN1
12    chain=prerouting action=mark-connection new-connection-mark=WAN2
      passthrough=yes connection-mark=no-mark in-interface=WAN2
13    chain=forward action=mark-connection new-connection-mark=WAN1
      in-interface=WAN1
14    chain=forward action=mark-connection new-connection-mark=WAN2
      in-interface=WAN2
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN
      ipsec-policy=out,none
 2    chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=443
      protocol=tcp in-interface=WAN1 dst-port=35000
 3    chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=443
      protocol=udp in-interface=WAN1 dst-port=35000 log=no log-prefix=""
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1   ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 2   ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid
 3   ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 4   ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
 5   ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec
 6   ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec
 7   ;;; defconf: fasttrack
P.S. I don't know why the code blocks after the first aren't working... @normis