I have rb4011 running 7.5 stable with dual wan setup (https://www.reddit.com/r/mikrotik/comments/rfg8ga/guide_routeros_71_load_balancing_using_pcc/) however port forward doesn't work, it used to work with stable 7.4/7.3/7.2
I use address list called "DUAL" to tell mangle rules my lan network for the dual wan setup.
I use address list called "PORT" to port forward through only one isp as trying to do it by adding second isp to the "PORT" never worked.
The problem is, i get packets on the counter for these dst-nat rules and even the linux gets those packets but it looks like it doesn't go back to isp.
Here's my firewall export:
Code: Select all
# sep/03/2022 21:49:07 by RouterOS 7.5
# software id = xxxxxxxxxx
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxxxxx
/ip firewall address-list
add address=192.168.0.0/16 list=LAN
add address=10.10.10.10 list=WAN
add address=192.168.0.0/16 list=DUAL
add address=10.56.60.19 list=WAN
add address=10.10.10.10 list=PORT
/ip firewall filter
add action=accept chain=output src-address-list=LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input dst-port=53,8291,22 in-interface-list=WAN protocol=\
tcp
add action=drop chain=input dst-port=53,8291,22 in-interface-list=WAN protocol=\
udp
add action=accept chain=input comment="Allow limited pings" disabled=yes limit=\
1,5:packet protocol=icmp
add action=drop chain=input comment="Disable Pings" in-interface-list=!LAN \
limit=1,2:packet protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connections for hairpin NAT" dst-address-list=WAN \
new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=con-one passthrough=yes per-connection-classifier=\
src-address-and-port:2/0 src-address-list=DUAL
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=con-two passthrough=yes per-connection-classifier=\
src-address-and-port:2/1 src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-one \
new-routing-mark=Antik passthrough=no src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-two \
new-routing-mark=Telekom passthrough=no src-address-list=DUAL
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT"
add action=masquerade chain=srcnat comment=Antik ipsec-policy=out,none \
out-interface=ether2 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment=Telekom ipsec-policy=out,none \
out-interface=Telekom
add action=dst-nat chain=dstnat dst-address-list=PORT dst-port=443,80 protocol=\
tcp to-addresses=192.168.0.15 to-ports=80-443
add action=dst-nat chain=dstnat dst-address-list=PORT dst-port=444 protocol=tcp \
to-addresses=192.168.0.20 to-ports=444-1194
add action=dst-nat chain=dstnat dst-address-list=PORT dst-port=1194 protocol=\
udp to-addresses=192.168.0.20 to-ports=444-1194
add action=dst-nat chain=dstnat comment="mc tcp linuxVM" dst-address-list=PORT \
dst-port=25565 protocol=tcp to-addresses=192.168.0.195 to-ports=25565
add action=dst-nat chain=dstnat comment="mc udp linuxVM" dst-address-list=PORT \
dst-port=25565 protocol=udp to-addresses=192.168.0.195 to-ports=25565
Here are my routes:
Code: Select all
# sep/03/2022 22:00:38 by RouterOS 7.5
# software id = xxxxxxxxxx
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxxxxx
/ip route
add check-gateway=ping comment=Antik disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.56.60.1 pref-src=0.0.0.0 \
routing-table=Antik scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=bfd comment=Telekom disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Telekom pref-src=0.0.0.0 \
routing-table=Telekom scope=30 suppress-hw-offload=no target-scope=10
and routing table:
Code: Select all
# sep/03/2022 22:02:07 by RouterOS 7.5
# software id = xxxxxxxxxx
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxxxxx
/routing table
add disabled=no fib name=Antik
add disabled=no fib name=Telekom