I have a MikroTik router with RouterOS and firmware v6.44, which has 2 internet connections (2 different ISPs) and 2 different internal networks: 192.168.1.0/24 and 192.168.10.0/24.
A while ago I configured the router to set marks so that 192.168.10.0/24 devices use ISP1 for Internet access, and 192.168.1.0/24 devices use ISP2.
This configuration was made like https://wiki.mikrotik.com/wiki/Manual:PCC, but changing some settings; this works fine.
Yesterday someone configured and connected a new NVR with many cameras attached to it, and I set a dst-nat to access it from the Internet (port 8001).
Different mobile phones should connect from outside using an app; these devices can view the cameras using the ISP2 public IP, but they cannot access it using the ISP1 public IP.
If I disable the only route with the ISP1 routing mark, it works.
If I don't mark the connections when they are using port 8001, it works, but I prefer to understand why it is happening, and I need to make it work using marks.
When I see the connection in
```
/ip firewall connection
```
ISP2 has the lower distance in the default route table for 0.0.0.0/0, but if I change it so that ISP1 has the lower distance, the behavior is the same: I can still access it only using the ISP2 public IP.
Here I attach the settings:
```
/ip firewall nat
add action=dst-nat chain=dstnat comment="NVR 2" dst-port=8001 in-interface=ether2-WAN2 protocol=tcp to-addresses=192.168.1.X to-ports=8001
add action=dst-nat chain=dstnat comment="NVR 2" dst-port=8001 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.1.X to-ports=8001
/ip firewall mangle
add action=accept chain=prerouting in-interface-list=VPNs
add action=accept chain=prerouting dst-address=WAN2_Network in-interface-list=LAN
add action=accept chain=prerouting dst-address=WAN1_Network in-interface-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1-WAN1 in-interface-list=!VPNs new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2-WAN2 in-interface-list=!VPNs new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list="!Internal" in-interface-list=!VPNs new-connection-mark=ISP1_conn passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface-list=!VPNs new-routing-mark=to_ISP1 passthrough=yes src-address-list=Local
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface-list=!VPNs new-routing-mark=to_ISP2 passthrough=yes src-address-list=Local
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1 out-interface-list=!VPNs passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2 out-interface-list=!VPNs passthrough=yes
/ip route
add check-gateway=ping distance=1 gateway=ISP1_Default_Gateway routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=ISP2_Default_Gateway routing-mark=to_ISP2
add check-gateway=ping distance=10 gateway=ISP2_Default_Gateway
add check-gateway=ping distance=15 gateway=ISP1_Default_Gateway
```
Thanks in advance.
Regards
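Checks I would run on the router to narrow this down, added here as an example and not part of the original post; they assume the list and mark names from the export above (Local, Internal, ISP1_conn, to_ISP1), and 192.168.1.X stands for the real NVR address.

```routeros
# Added diagnostic checks (not from the original post). Assumes the list
# and mark names of the posted config and the NVR placeholder 192.168.1.X.

# 1. Is the NVR address covered by the "Local" list? In the posted mangle
#    rules, routing marks are only set for src-address-list=Local, so a
#    reply from an NVR that is not in that list gets no routing mark and
#    follows the main table (ISP2 by distance), whichever WAN the request
#    arrived on.
/ip firewall address-list print where list=Local
/ip firewall address-list print where list=Internal

# 2. Watch the port-8001 connection while a phone tests via the ISP1 IP:
#    the entry should show connection-mark=ISP1_conn.
/ip firewall connection print detail where dst-address~":8001"

# 3. Zero the mangle counters, repeat the test, and see which rules the
#    request and the reply actually hit.
/ip firewall mangle reset-counters-all
/ip firewall mangle print stats

# 4. Confirm the to_ISP1 table has an active route; with check-gateway=ping
#    the route is disabled when the ping fails, and the lookup falls back
#    to the main table.
/ip route print where routing-mark=to_ISP1
```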