CappyT
just joined
Topic Author
Posts: 2
Joined: Mon Sep 27, 2021 8:20 am

Port forwarding dual wan, replies get sent over wrong wan

Mon Sep 27, 2021 8:29 am

Hi everyone, as the title says, I'm experiencing a problem with my dual wan setup.
I have this setup:
- WAN1 (EOLO) (PPPoE on eth1) is my main ISP connection, I use it for UDP (low latency stuff), VoIP, and port-forwarded hosts on my network. It has a public static IP.
- WAN2 (Windtre) (LTE router on eth2) is my secondary bonding/failover connection. I use it to boost the internet access or when the first one fails to deliver. It does not have a public IP, I'm behind my ISP nat.

Sometimes, when I try to access my stuff I port forward, the connection fails. Looking in the connection tab I can see it failing due to the connection being received from the WAN1 but being replied from WAN2.
I don't know what I am doing wrong here and asking for help since I'm pretty inexperienced with ROS in general.

Below, my full (hopefully anonymized enough) export of /ip firewall.
# sep/27/2021 07:14:46 by RouterOS 6.48.4
# software id = [REDACTED]
#
# model = RB760iGS
# serial number = [REDACTED]
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
add address=192.168.10.0/30 list=deny
add address=192.168.1.0/24 list=deny
/ip firewall mangle
add action=mark-routing chain=prerouting comment="FORCE UDP on EOLO" in-interface="LAN " \
    new-routing-mark=to_WAN1 passthrough=yes protocol=udp src-address-list=LAN
add action=mark-routing chain=prerouting comment="FORCE voip on EOLO" dst-address-list=!deny \
    in-interface=EOLOED new-routing-mark=to_WAN1 passthrough=yes src-address=192.168.10.0/30
add action=mark-routing chain=prerouting comment="FORCE ESXi on EOLO" dst-address=x.x.x.x \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="FORCE vCenter on EOLO" dst-address=x.x.x.x \
    new-routing-mark=to_WAN1 passthrough=yes
add action=mark-connection chain=input comment="BONDING - capture wan1" in-interface=EOLO \
    new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="BONDING - capture wan2" in-interface=ether2 \
    new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output comment="BONDING - mark wan1 > routing wan1" \
    connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="BONDING - mark wan2 > routing wan2" \
    connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface="LAN " \
    src-address-list=LAN
add action=mark-connection chain=prerouting comment="BONDING - LAN 2/0 > mark wan1" \
    dst-address-list=!deny in-interface="LAN " new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=LAN
add action=mark-connection chain=prerouting comment="BONDING - LAN 2/1 > mark wan2" \
    dst-address-list=!deny in-interface="LAN " new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=LAN
add action=mark-routing chain=prerouting comment="BONDING - LAN !udp wan1 > routing wan1" \
    connection-mark=WAN1_conn in-interface="LAN " new-routing-mark=to_WAN1 passthrough=yes \
    protocol=!udp src-address-list=LAN
add action=mark-routing chain=prerouting comment="BONDING - LAN !udp wan2 > routing wan2" \
    connection-mark=WAN2_conn in-interface="LAN " new-routing-mark=to_WAN2 passthrough=yes \
    protocol=!udp src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN wan1" out-interface=EOLO src-address-list=LAN
add action=masquerade chain=srcnat comment=voip out-interface=EOLO src-address=192.168.10.0/30
add action=masquerade chain=srcnat comment="LAN wan2" out-interface=ether2 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="LAN wan2" dst-address=192.168.10.0/30 \
    out-interface=EOLOED src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=80 in-interface=EOLO \
    protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=25565 in-interface=EOLO \
    protocol=tcp to-addresses=192.168.1.7 to-ports=25565
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=22 in-interface=EOLO \
    protocol=tcp to-addresses=192.168.1.7 to-ports=22
add action=dst-nat chain=dstnat dst-address=my.public.ip.wan1 dst-port=443 in-interface=EOLO \
    protocol=tcp to-addresses=192.168.1.10 to-ports=443
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=EOLO protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=EOLO protocol=udp

Is someone willing to help me sort out this issue?
Thanks a bunch to anyone willing to reply.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Port forwarding dual wan, replies get sent over wrong wan

Mon Sep 27, 2021 5:03 pm

I can see it failing due to the connection being received from the WAN1 but being replied from WAN2.
This indicates that you do not mark your connections...

Take a look here https://wiki.mikrotik.com/wiki/Manual:P ... _Balancing
In /ip firewall mangle, lines 3 and 4 show the connection marking of the incoming traffic...
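One way to apply that in RouterOS 6 syntax, as an added example that is not the poster's export and not code from MikroTik's manual: the capture rules in the export sit in chain=input, which only handles packets addressed to the router itself, so a request that is dst-nat'd to a LAN host never passes through them and its reply falls through to the LAN PCC rules. The example keeps the interface and mark names from the export; the LTE router's address 192.168.2.1, the rule comments and the use of connection-state=new are assumptions.

```routeros
# Added example, not the poster's export or MikroTik's manual code.
# EOLO (PPPoE WAN1), ether2 (LTE WAN2), "LAN " and the marks
# WAN1_conn/WAN2_conn/to_WAN1/to_WAN2 follow the export above;
# 192.168.2.1 as the LTE router's address is an assumed placeholder.

/ip firewall mangle
# (1) Tag each NEW connection with the WAN it arrived on, in PREROUTING.
#     chain=input only handles packets addressed to the router itself,
#     so a request dst-nat'd to 192.168.1.10 is never seen there.
add chain=prerouting in-interface=EOLO connection-state=new \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="inbound connection via WAN1"
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="inbound connection via WAN2"

# (2) Replies leaving a LAN host: pick the routing table from the
#     connection mark. passthrough=no stops later rules from touching
#     these packets. Place these BEFORE the "BONDING - LAN" rules.
add chain=prerouting in-interface="LAN " connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no \
    comment="reply of WAN1 connection > WAN1"
add chain=prerouting in-interface="LAN " connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no \
    comment="reply of WAN2 connection > WAN2"

# (3) Replies generated by the router itself (its own services) go via OUTPUT.
add chain=output connection-mark=WAN1_conn action=mark-routing \
    new-routing-mark=to_WAN1 passthrough=yes
add chain=output connection-mark=WAN2_conn action=mark-routing \
    new-routing-mark=to_WAN2 passthrough=yes

# (4) The LAN load-balancing rules must only claim UNMARKED connections,
#     otherwise they overwrite the mark set in step (1) on the reply.
add chain=prerouting in-interface="LAN " src-address-list=LAN dst-address-list=!deny \
    connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface="LAN " src-address-list=LAN dst-address-list=!deny \
    connection-mark=no-mark per-connection-classifier=both-addresses-and-ports:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

# Routes selected by the routing marks, plus the main-table failover pair.
/ip route
add dst-address=0.0.0.0/0 gateway=EOLO routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=EOLO distance=5 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=10
```

To confirm the marking works, open a forwarded port from outside and run `/ip firewall connection print detail where connection-mark=WAN1_conn`; the dst-nat'd connection should appear with that mark before the first reply packet leaves. Two caveats: a mark-connection rule does not drop anything, and the export above contains no /ip firewall filter section, so inbound traffic on both WAN interfaces is still accepted by the router unless filter rules exist elsewhere; and the in-interface match on ether2 marks any connection the LTE router hands down, including ones it originates itself.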
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding dual wan, replies get sent over wrong wan

Mon Sep 27, 2021 5:28 pm

ISP 1 route check ping distance=5
ISP 2 route distance=10

With two basic routes in place in the main table ISP1 will always be your primary
and thus no confusion on port forwarding activities.
Don't see the need to mangle in this scenario.

However you stated, to boost internet access, so not sure what is meant by that.
What I would do is use a different subnet (192.168.55.0/24) for boosting and use a route rule

ISP 1 route check ping distance=5
ISP 2 route distance=10
ISP 2 route distance=10 route-mark=boost

Route rule
Source address=192.168.55.0/24
Action: Lookup only table
Table: boost

Therefore whenever someone uses the boost subnet they will always go out the LTE connection.
How I would do this is have a different port for the subnet or a different port on a switch etc................ and simply switch the ethernet cable into the PC when wanting to use the LTE network.
I would do this before doing any mangling..........mainly because for me I can comprehend changing a cable and its not an inconvenience of any significance, probably good for me to stand up and get blood flowing in the limbs. Realistically I would have a switch on my desktop and simply move my PC cable from port 3 to port 5 etc...........
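The route layout described above written out in RouterOS 6 syntax, as an added example that is not part of the post: two default routes in the main table separated by distance, a third one in a separate table that only knows ISP2, and a route rule that sends the boost subnet to that table. Assumptions, not from the thread: WAN1 is the PPPoE interface EOLO, the LTE router answers at 192.168.2.1, the boost subnet 192.168.55.0/24 hangs off ether5, and all other LANs lie inside 192.168.0.0/16; the extra rule that keeps boost hosts able to reach the other LANs is an addition of this example.

```routeros
# Added example, not from the thread. Assumed names and addresses:
# EOLO = PPPoE WAN1, 192.168.2.1 = LTE router on ether2, ether5 = boost port.

/ip address
add address=192.168.55.1/24 interface=ether5 comment="boost subnet"

/ip route
# Main table: ISP1 wins on distance. check-gateway=ping marks the route
# inactive when the gateway stops answering, so the distance=10 route
# takes over and port-forwarded replies keep using ISP1 while it is up.
add dst-address=0.0.0.0/0 gateway=EOLO distance=5 check-gateway=ping \
    comment="ISP1 primary"
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=10 \
    comment="ISP2 failover"
# Separate table that only knows ISP2.
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=10 routing-mark=boost \
    comment="ISP2 only"

/ip route rule
# Connected routes live in the main table, so a lookup-only rule would cut
# the boost hosts off from the other LANs; resolve local destinations first.
add src-address=192.168.55.0/24 dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.55.0/24 action=lookup-only-in-table table=boost

/ip firewall nat
# The export only masquerades 192.168.1.0/24 towards ether2.
add chain=srcnat src-address=192.168.55.0/24 out-interface=ether2 action=masquerade \
    comment="boost subnet behind the LTE router"
```

Check the result with `/ip route print where routing-mark=boost` and, from a host in the boost subnet, `/tool traceroute` to any public address from the router with `src-address=192.168.55.1`; the first hop must be the LTE router. Because the rule is lookup-only, the boost subnet has no internet at all while ISP2 is down, which is the intended trade-off of anav's layout.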
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Port forwarding dual wan, replies get sent over wrong wan

Mon Sep 27, 2021 5:51 pm

Mangle for mark input & output traffic.

Full option when you have many IP range at every ISP you connected, viewtopic.php?f=13&t=166412&p=818011#p818011
 
CappyT
just joined
Topic Author
Posts: 2
Joined: Mon Sep 27, 2021 8:20 am

Re: Port forwarding dual wan, replies get sent over wrong wan

Mon Sep 27, 2021 6:17 pm

anav wrote: (quoted in full above, Mon Sep 27, 2021 5:28 pm)
With "boost" I mean load balance the connections on my router between the two interfaces, effectively adding more bandwidth to my internet access.
Still, I want to retain the failover, so that when one of the two connections fails, it just uses one of them.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding dual wan, replies get sent over wrong wan

Mon Sep 27, 2021 9:00 pm

@CappyT, maybe have a look at this post and start reading it from the last paragraph, which links it to your context.
