I have this setup:
- WAN1 (EOLO) (PPPoE on eth1) is my main ISP connection; I use it for UDP (low-latency stuff), VoIP, and port-forwarded hosts on my network. It has a public static IP.
- WAN2 (Windtre) (LTE router on eth2) is my secondary bonding/failover connection. I use it to boost the internet access or when the first one fails to deliver. It does not have a public IP; I'm behind my ISP's NAT.
Sometimes, when I try to access the stuff I port forward, the connection fails. Looking in the connections tab, I can see it failing because the connection is received on WAN1 but replied to from WAN2.
I don't know what I am doing wrong here and am asking for help, since I'm pretty inexperienced with ROS in general.
Below is my full (hopefully anonymized enough) export of /ip firewall.
Code:
# sep/27/2021 07:14:46 by RouterOS 6.48.4
# software id = [REDACTED]
#
# model = RB760iGS
# serial number = [REDACTED]
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=192.168.10.0/30 list=deny
add address=192.168.1.0/24 list=deny
/ip firewall mangle
add action=mark-routing chain=prerouting comment="FORCE UDP on EOLO" in-interface="LAN " \
new-routing-mark=to_WAN1 passthrough=yes protocol=udp src-address-list=LAN
add action=mark-routing chain=prerouting comment="FORCE voip on EOLO" dst-address-list=!deny \
in-interface=EOLOED new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.10.0/30
add action=mark-routing chain=prerouting comment="FORCE ESXi on EOLO" dst-address=x.x.x.x \
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="FORCE vCenter on EOLO" dst-address=x.x.x.x \
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-connection chain=input comment="BONDING - capture wan1" in-interface=EOLO \
new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="BONDING - capture wan2" in-interface=ether2 \
new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output comment="BONDING - mark wan1 > routing wan1" \
connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="BONDING - mark wan2 > routing wan2" \
connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface="LAN " \
src-address-list=LAN
add action=mark-connection chain=prerouting comment="BONDING - LAN 2/0 > mark wan1" \
dst-address-list=!deny in-interface="LAN " new-connection-mark=WAN1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=LAN
add action=mark-connection chain=prerouting comment="BONDING - LAN 2/1 > mark wan2" \
dst-address-list=!deny in-interface="LAN " new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=LAN
add action=mark-routing chain=prerouting comment="BONDING - LAN !udp wan1 > routing wan1" \
connection-mark=WAN1_conn in-interface="LAN " new-routing-mark=to_WAN1 passthrough=yes \
protocol=!udp src-address-list=LAN
add action=mark-routing chain=prerouting comment="BONDING - LAN !udp wan2 > routing wan2" \
connection-mark=WAN2_conn in-interface="LAN " new-routing-mark=to_WAN2 passthrough=yes \
protocol=!udp src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN wan1" out-interface=EOLO src-address-list=LAN
add action=masquerade chain=srcnat comment=voip out-interface=EOLO src-address=192.168.10.0/30
add action=masquerade chain=srcnat comment="LAN wan2" out-interface=ether2 src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment="LAN wan2" dst-address=192.168.10.0/30 \
out-interface=EOLOED src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=80 in-interface=EOLO \
protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=25565 in-interface=EOLO \
protocol=tcp to-addresses=192.168.1.7 to-ports=25565
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=22 in-interface=EOLO \
protocol=tcp to-addresses=192.168.1.7 to-ports=22
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=443 in-interface=EOLO \
protocol=tcp to-addresses=192.168.1.10 to-ports=443
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=EOLO protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=EOLO protocol=udp
Is someone willing to help me sort out this issue?
Thanks a bunch to anyone willing to reply.
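The symptom above (a connection that arrives on WAN1 but is answered via WAN2) is what happens when inbound connections are marked only in the input chain: forwarded traffic to dst-natted hosts never traverses input, so those connections carry no mark and their replies fall through to the PCC rules, which may hash them onto WAN2. As an added example that is not part of the original post, this is the usual RouterOS pattern for marking inbound WAN connections in prerouting and keeping their replies on the same WAN; it reuses the interface, mark and comment names from the export and assumes the to_WAN1/to_WAN2 routing tables already exist.

```routeros
# Added example, not from the original post. Assumes routing tables
# to_WAN1 and to_WAN2 already exist (the export already uses those marks).
/ip firewall mangle
# 1. Mark NEW connections arriving on each WAN in prerouting, not input:
#    dst-natted/forwarded traffic never hits the input chain, so the
#    existing input-chain marks only cover connections to the router itself.
#    place-before puts these rules above the PCC rules so they run first.
add chain=prerouting in-interface=EOLO connection-state=new \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="WAN1 inbound > WAN1_conn" place-before=0
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="WAN2 inbound > WAN2_conn" place-before=1
# 2. Replies from LAN hosts inherit the connection mark; route them out the
#    WAN the connection came in on. passthrough=no stops the packet from
#    reaching later rules that could re-mark it. (The export's "BONDING -
#    LAN !udp" rules do this for non-UDP only; these cover every protocol.)
add chain=prerouting in-interface="LAN " connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no \
    comment="WAN1_conn replies > to_WAN1" place-before=2
add chain=prerouting in-interface="LAN " connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no \
    comment="WAN2_conn replies > to_WAN2" place-before=3
# 3. The PCC balancer must only classify connections that carry no mark yet
#    and only on the first packet, otherwise it overwrites the marks set in
#    step 1 on reply packets. Tighten the existing PCC rules in place:
set [find comment="BONDING - LAN 2/0 > mark wan1"] \
    connection-mark=no-mark connection-state=new
set [find comment="BONDING - LAN 2/1 > mark wan2"] \
    connection-mark=no-mark connection-state=new
```

After applying this, a test connection to a forwarded port should show the same interface in both directions in /ip firewall connection, and the original input-chain "BONDING - capture" rules become redundant.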