fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Port forwarding on pppoe client did not work

Wed Mar 22, 2017 3:58 pm

Dear Forum experts:

I was using a modem (ADSL router) including the pppoe dialup connection. The mikrotik is connected to the ADSL router with a subnet in between. Port forwarding rules on both the ADSL router and the mikrotik to an internal HTTPS server with a self-issued certificate were working perfectly.

I wanted to dialup the pppoe of the ADSL on the mikrotik. I converted the ADSL router into a bridge and created the pppoe connection on the mikrotik. I converted the dst-nat to accept from pppoe instead of ether2. I also removed other rules that were created for the previous scenario. The internet works perfectly, however dst-nat did not work. I also tried port 21 for testing purposes, but it didn't work either.

Please, advise.

BR
 
pietroscherer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

Re: Port forwarding on pppoe client did not work

Wed Mar 22, 2017 4:02 pm

Paste your router config here, please.
/export hide-sensitive
 
fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Re: Port forwarding on pppoe client did not work

Wed Mar 22, 2017 5:31 pm

Paste your router config here, please.
/export hide-sensitive
/interface lte
set [ find ] mac-address=00:A0:C6:00:00:00 name=lte1

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 service-name=TT use-peer-dns=yes user=3423200155

/ip dhcp-server
add disabled=no interface=ether3 lease-time=1d name=G

/ip pool
add name=G_Pool ranges=192.168.1.33-192.168.1.194
add name=E_Pool ranges=192.168.2.100-192.168.2.200
add name=Guest_Pool ranges=192.168.3.30-192.168.3.200

/ip dhcp-server
add address-pool=E_Pool disabled=no interface=ether4 lease-time=1d name=E
add address-pool=Guest_Pool disabled=no interface=ether5 lease-time=1d name=Guest

/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.3.1/24 interface=ether5 network=192.168.3.0
add address=192.168.20.1/24 disabled=yes interface=ether6 network=192.168.20.0
add address=192.168.21.2/24 interface=ether6 network=192.168.21.0

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=lte1
add default-route-distance=0 dhcp-options=hostname,clientid interface=ether2

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=ether5 new-routing-mark=GuestNET
add action=mark-routing chain=prerouting in-interface=ether4 new-routing-mark=E_NET
add action=mark-routing chain=prerouting in-interface=ether3 new-routing-mark=G_NET
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=443 fragment=no in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.230 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=21 fragment=no in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.79 to-ports=21
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.2.230 to-ports=443
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=7 gateway=192.168.5.1 routing-mark=GuestNET
add distance=8 gateway=pppoe-out1 routing-mark=GuestNET
add distance=4 gateway=192.168.5.1 routing-mark=E_NET
add distance=5 gateway=pppoe-out1 routing-mark=E_NET
add distance=6 gateway=192.168.0.1 routing-mark=E_NET
add distance=1 gateway=pppoe-out1 routing-mark=G_NET
add distance=2 gateway=192.168.5.1 routing-mark=G_NET
add distance=3 gateway=192.168.0.1 routing-mark=G_NET
add distance=1 dst-address=192.168.10.0/23 gateway=192.168.21.1 pref-src=0.0.0.0
add distance=1 dst-address=192.168.21.0/24 gateway=192.168.21.1
/ip route rule
add action=lookup-only-in-table dst-address=192.168.21.0/24 src-address=192.168.1.0/24 table=main
add action=lookup-only-in-table dst-address=192.168.10.0/23 src-address=192.168.1.0/24 table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl port=4443
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Istanbul
/system routerboard settings
set protected-routerboot=disabled
 
pietroscherer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

Re: Port forwarding on pppoe client did not work

Wed Mar 22, 2017 8:38 pm

Try hiding the option "fragment=no" in the Extra tab of the dst-address rule.
You can try disabling the mangle rule of ether3 too, for testing:
add action=mark-routing chain=prerouting in-interface=ether3 new-routing-mark=G_NET
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Port forwarding on pppoe client did not work

Wed Mar 22, 2017 8:53 pm

Are you connected to two active ISP connections at the same time?
I see that ether1 is dhcp client, and pppoe-out1 is on ether2.

My guess (and I could be wrong) is that the dstnat works on your public IP address on ether1, but fails on the pppoe connection.

If this is your scenario, then the problem is that the dstnat is working on the inbound leg, but the replies from the internal server are being routed out via ether1 and not pppoe1.

What you need to do is enable some connection tracking and route-marking so that the replies are forced out whatever ISP they arrived on.
 
fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Re: Port forwarding on pppoe client did not work

Thu Mar 23, 2017 2:44 pm

Are you connected to two active ISP connections at the same time?
I see that ether1 is dhcp client, and pppoe-out1 is on ether2.

My guess (and I could be wrong) is that the dstnat works on your public IP address on ether1, but fails on the pppoe connection.

If this is your scenario, then the problem is that the dstnat is working on the inbound leg, but the replies from the internal server are being routed out via ether1 and not pppoe1.

What you need to do is enable some connection tracking and route-marking so that the replies are forced out whatever ISP they arrived on.
----------
Yes, I am connected but we have three different internal networks. Two of the three are using one ISP connection and the third one is using the other ISP connection. Then, fail-over on the three networks is applied on both ISP connections. If both ISP connections fail, then only E and G network go to the third ISP connection (LTE).
Also, there is one HTTPS server in each of the E and G networks, and there are two related dst-nat rules, one corresponding to each HTTPS server.

Previously, both ether1 and ether2 were dhcp clients. I wanted to convert them into pppoe one by one. However, converting the one on ether2 resulted in this problem. This means that both servers became inaccessible although the rules are there. However, Internet access works fine.

You might be right regarding your suggestion. If this is true, then this means that the existing mark-routing rule does not work properly after the conversion to pppoe.

Thanks for your feedback.
 
fjabakhanji
just joined
Topic Author
Posts: 16
Joined: Fri Jan 31, 2014 9:43 pm

Re: Port forwarding on pppoe client did not work

Thu Mar 23, 2017 2:49 pm

Try hiding the option "fragment=no" in the Extra tab of the dst-address rule.
You can try disabling the mangle rule of ether3 too, for testing:
add action=mark-routing chain=prerouting in-interface=ether3 new-routing-mark=G_NET
I tried hiding fragment=no but it doesn't help.
I will now try to do it without any extra features on another mikrotik device using one ISP connection and one internal network (with pppoe and no mangle rules). I will feed you back.
Thanks
 
pietroscherer
Trainer
Posts: 170
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

Re: Port forwarding on pppoe client did not work

Thu Mar 23, 2017 3:40 pm

Ok, I hope that helps you. Please consider ZeroByte's post too. He talked about having another outgoing interface.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Port forwarding on pppoe client did not work

Fri Mar 24, 2017 12:23 am

However complicated your routing policy might be, the first 3 rules need to be:
new connection in ISP1? Connection Mark ISP1 (regardless of which LAN it's forwarding to)
new connection in ISP2? Connection Mark ISP2
new connection in ISP3? Connection Mark ISP3

This is because the inbound connection is tied to whichever public IP address the remote host is using to reach you, and ONLY that ISP's network can reply with the proper IP address.
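As an added example (not posted by anyone in this thread), here is what ZeroByte's three-rule approach looks like in RouterOS syntax for the two WANs diagnosed above, pppoe-out1 and ether1 (the LTE link would follow the same pattern). The interface names come from the posted export; the mark names from_*/to_* and the ETHER1_GATEWAY_IP placeholder are assumptions, not values from the thread.

```routeros
# Added example, not from the thread. Interface names pppoe-out1 and ether1
# are from the posted export; mark names and ETHER1_GATEWAY_IP are placeholders.

/ip firewall mangle
# 1) Mark every NEW connection by the WAN it arrived on. These must sit above
#    the existing in-interface=etherX mark-routing rules, hence place-before.
add chain=prerouting in-interface=pppoe-out1 connection-state=new \
    action=mark-connection new-connection-mark=from_pppoe passthrough=yes \
    place-before=0 comment="inbound via pppoe-out1"
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from_ether1 passthrough=yes \
    place-before=1 comment="inbound via ether1"
# 2) Replies from the dst-nat'ed LAN servers: send them back out the WAN the
#    connection came in on. passthrough=no stops the per-LAN mark-routing
#    rules (in-interface=ether3/4/5) from overriding this mark afterwards.
add chain=prerouting connection-mark=from_pppoe in-interface=!pppoe-out1 \
    action=mark-routing new-routing-mark=to_pppoe passthrough=no place-before=2
add chain=prerouting connection-mark=from_ether1 in-interface=!ether1 \
    action=mark-routing new-routing-mark=to_ether1 passthrough=no place-before=3
# 3) Same for connections the router itself answers (e.g. www-ssl on 4443).
add chain=output connection-mark=from_pppoe action=mark-routing \
    new-routing-mark=to_pppoe passthrough=no
add chain=output connection-mark=from_ether1 action=mark-routing \
    new-routing-mark=to_ether1 passthrough=no

/ip route
# One default route per reply table. ETHER1_GATEWAY_IP stands for the gateway
# the DHCP client on ether1 learned (see /ip dhcp-client print detail).
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_pppoe distance=1
add dst-address=0.0.0.0/0 gateway=ETHER1_GATEWAY_IP routing-mark=to_ether1 distance=1

# Check: the mark-connection counters should rise when a remote client opens
# TCP/443 to the pppoe public address; if they stay at zero the packet never
# reached mangle on that interface and the dst-nat rule is not the problem.
/ip firewall mangle print stats where comment~"inbound"
```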
