matbevis
just joined
Topic Author
Posts: 4
Joined: Wed Oct 28, 2015 11:34 am

smtp port forwarding

Wed Oct 28, 2015 11:56 am

Hi

I'm new to MikroTik routers but enjoying getting to know the OS and setting up for my businesses.

I first set up with a basic configuration with one WAN attached to ether1, with my local network plugged into ether4.

I have various port forwards set up that point to my server for email and remote web workplace. I set these up in NAT but also needed to accept them in firewall filter rules or it doesn't open the ports. This went slightly against what I had read in documentation but it all works fine.

I then moved on to stage 2 to add in a second WAN attached to ether2. I read quite a bit of documentation and set up using the following rules:

/ip firewall mangle
add chain=prerouting dst-address=192.168.0.0/24 in-interface=ether4 action=accept

add chain=input in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1 passthrough=no
add chain=input in-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2 passthrough=no

add chain=output out-interface=ether1 connection-mark=WAN1 action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=output out-interface=ether2 connection-mark=WAN2 action=mark-routing new-routing-mark=WAN2 passthrough=no

add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether4 per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether4 per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2

add chain=prerouting connection-mark=WAN1 in-interface=ether4 action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=prerouting connection-mark=WAN2 in-interface=ether4 action=mark-routing new-routing-mark=WAN2 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=151.249.77.109 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.4 routing-mark=WAN2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=151.249.77.109 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.4 distance=2 check-gateway=ping

/ip firewall nat
# RouterOS names this chain "srcnat"; "src-nat" is an action, not a chain
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade


This works great with load balancing and failover.

I duplicated all my NAT and firewall rules that worked with WAN1 over to WAN2.

When this is all activated, I have an issue with the port forwarding. When I test the two incoming IP addresses for open ports (specifically port 25, as emails are most important) it seems the system is only "opening" ports on 1 WAN at a time. I check WAN1 and it will say port 25 is open, WAN2 says closed. I keep checking and suddenly WAN2 will be open and then WAN1 closed... have I missed some important step regarding the 2 incoming connections?

In an ideal world both incoming WANs should accept the emails, so if WAN1 goes down I'm still getting them coming in...

Any help is greatly appreciated.

Thanks

Matt
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: smtp port forwarding

Fri Oct 30, 2015 5:21 am

You also need to mark the connection coming in from your wan ports to your mail server and ensure the reply goes back the same wan it arrived on.

See the following excellent presentation from Steve Discher http://mum.mikrotik.com/presentations/US12/steve.pdf

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
in-interface=ether2 new-connection-mark=WAN2 passthrough=yes

These rules should be above your PCC rules (just below the Output chain rules should work).
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
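
The effect of the two extra rules can be modelled offline. This is an added example, not part of either poster's configuration or MikroTik's code: a small Python model of the thread's prerouting mangle rules that reports which WAN carries the mail server's reply, with and without the inbound marking. The server address, the test clients and the `pcc_bucket` hash are assumptions (RouterOS's real PCC hash is different).

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # LAN subnet from the thread
SERVER = "192.168.0.10"                         # constructed mail-server address
WAN_OF = {"ether1": "WAN1", "ether2": "WAN2"}
CLIENTS = ["203.0.113.7", "203.0.113.8"]        # constructed test sources

def pcc_bucket(src, dst, denominator=2):
    # Stand-in for per-connection-classifier=both-addresses; NOT RouterOS's real hash.
    return (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % denominator

def prerouting(pkt, conn, inbound_marking):
    """Walk the thread's prerouting mangle rules; return the routing mark, if any."""
    if inbound_marking and pkt["in"] in WAN_OF and conn["mark"] is None:
        conn["mark"] = WAN_OF[pkt["in"]]        # the added in-interface=etherN rules
    if pkt["in"] != "ether4":
        return None                             # remaining rules only match ether4
    if ipaddress.ip_address(pkt["dst"]) in LAN:
        return None                             # first rule: action=accept
    if conn["mark"] is None:                    # PCC rules require connection-mark=no-mark
        bucket = pcc_bucket(pkt["src"], pkt["dst"])
        conn["mark"] = "WAN1" if bucket == 0 else "WAN2"
    return conn["mark"]                         # mark-routing copies the connection mark

def reply_wan(client, arrival_if, inbound_marking):
    """WAN that carries the server's reply to a port-forwarded SMTP connection."""
    conn = {"mark": None}
    # The forwarded SYN is dst-nat'ed to the server, so chain=input never sees it.
    prerouting({"in": arrival_if, "src": client}, conn, inbound_marking)
    reply = {"in": "ether4", "src": SERVER, "dst": client}
    return prerouting(reply, conn, inbound_marking)

def mismatches(clients, inbound_marking):
    """(client, arrival WAN, reply WAN) for each connection answered on the wrong WAN."""
    out = []
    for client in clients:
        for iface, wan in WAN_OF.items():
            used = reply_wan(client, iface, inbound_marking)
            if used != wan:
                out.append((client, wan, used))
    return out

if __name__ == "__main__":
    print("original rules:  ", mismatches(CLIENTS, False))
    print("with WAN marking:", mismatches(CLIENTS, True))
```

In the model, the original rule set lets the PCC bucket choose the reply path regardless of the arrival interface, while the added rules pin each connection to the WAN it arrived on.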
 
matbevis
just joined
Topic Author
Posts: 4
Joined: Wed Oct 28, 2015 11:34 am

Re: smtp port forwarding

Fri Oct 30, 2015 9:06 pm

Thanks, I'll add those and see how it goes :D

Thanks again
 
matbevis
just joined
Topic Author
Posts: 4
Joined: Wed Oct 28, 2015 11:34 am

Re: smtp port forwarding

Fri Oct 30, 2015 10:22 pm

thanks - this seems to have done the trick

thanks a lot for the help, it's really appreciated :)
 
matbevis
just joined
Topic Author
Posts: 4
Joined: Wed Oct 28, 2015 11:34 am

Re: smtp port forwarding

Sun Nov 01, 2015 12:28 am

Thanks for this, it worked great; help is really appreciated.

(This is the third time in 2 days I've posted thanks, won't seem to send)
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: smtp port forwarding

Mon Nov 02, 2015 9:14 am

You are welcome :-)