Hi

I am pretty new to Mikrotik, so be warned

I have set up a working solution, where i have :

3 eth
1 wlan

The wlan is not important at the moment.


Eth1 is WAN1
Eth2 is LAN
Eth3 is Wan2

I have set this up like this:

Route all traffic trough Wan1

Routed some networks trough Wan2 (Work related, only reachable trough WAN2)

WAN1 & 2 is masqueraded, with their respective interfaces as out-interface


Everything works as expected, i browse the web as normal, and can even connect to work servers without having to physically connect to another router.

I can not for the life of me port forward some ports, from Wan1 into the LAN. Testing 22/tcp for SSH at the moment.
I have tried the manuals NAT example, and a lot of varietys of this.

I can not ping LAN machines from WAN1 or WAN2 (Should i?)

I can ping WAN1 and WAN2 from LAN machines.

Please help, much appreciated.

M-sport

Can you post and

I have nothing on filters

Nat:

chain=srcnat action=masquerade out-interface=ETH-NNMGMNT (Wan2)

chain=srcnat action=masquerade out-interface=ETH-BBNett (Wan1)

What are you trying for the port 22 redirect?
xx.xx.xx.xx is your WAN1 public ip
yy.yy.yy.yy is your localnet ip
These should be before your other nat rules. Order is important.

You should be able to ping WAN interfaces from the LAN.
You should not be able to ping LAN interfaces from the WANs with your setup.

ADD: If you use ssh to enter this change, ssh in from WAN2. WAN1 will lose ssh connection with the router when you enter the dstnat rule.

Thanks for the reply!

I use Winbox' terminal.

place-before = 0 did not work, so i removed the masq rules,added your suggestion, and replaced the masq rules.

Unfortunately, no success

This is how it looks now:

0 chain=dstnat action=dst-nat to-addresses=95.**.**.** to-ports=22
protocol=tcp dst-address=10.0.0.53 dst-port=22

1 chain=srcnat action=src-nat to-addresses=10.0.0.53 to-ports=22
protocol=tcp src-address=95.**.**.** src-port=22

2 chain=srcnat action=masquerade out-interface=ETH-BBNett

3 chain=srcnat action=masquerade out-interface=ETH-NNMGMNT

M-sport

Good try, but the ip addresses are backwards. The 10.x.x.x addresses are localnet. The 95.x.x.x address is WAN1, correct?
Reverse the dst-address and to-addresses in the dstnat rule.
Reverse the src-address and to-addresses in the srcnat rule.

Ok,sorry about that.

95.* is Wan 1 yes.

This is how it looks, still not working. Seeing bytes increasing on the DST rule when i try to connect, but not on the SRC rule.


0 chain=dstnat action=dst-nat to-addresses=10.0.0.53 to-ports=22
protocol=tcp dst-address=95.**.**.** dst-port=22

1 chain=srcnat action=src-nat to-addresses=95.**.**.** to-ports=22
protocol=tcp src-address=10.0.0.53 src-port=22

2 chain=srcnat action=masquerade out-interface=ETH-BBNett

3 chain=srcnat action=masquerade out-interface=ETH-NNMGMNT

edit:
Here is my routes:

0 ADS 0.0.0.0/0 reachable 95.**.**.1 0 ETH-BBNett
1 ADC 10.0.0.0/24 10.0.0.1 0 LAN
2 ADC 95.**.**.0/23 95.**.**.** 0 ETH-BBNett
3 A S **.61.0.0/16 reachable 192.168.1.1 1 ETH-NNMGMNT
4 ADC 192.168.1.0/24 192.168.1.192 0 ETH-NNMGMNT
5 A S **.196.0.0/18 reachable 192.168.1.1 1 ETH-NNMGMNT


Running Wan1 as DHCP from ISP with add route enabled, and Wan2 as DHCP from a Dlink Router with add route disabled.

Will use static public ip's , but for now i use it like this for easy failover if i mess it up.

Do you have port 22 open on the destination localnet machine? It is blocked by the firewall by default in most operating systems.

Do you have port 22 open on the destination localnet machine? It is blocked by the firewall by default in most operating systems.

Yes, it is a Linux box, and it has been working fine when i was using simple broadband routers.

Else, see my edit on my last post.

I see no default route for WAN2. Should have the same 0.0.0.0/0 route to the WAN2 gateway ip.

ADD: AND...the distance on the WAN1 default route seems wrong. Normally, it will show a distance of 1. Yours shows 0. That usually indicates it is an address on this router. It should be the gateway address on your ISP's router.

The opposite is true for static rules 3 and 5. They should show a distance of 0, unless there is some ip set you are routing somewhere.

I see no default route for WAN2. Should have the same 0.0.0.0/0 route to the WAN2 gateway ip.

ADD: AND...the distance on the WAN1 default route seems wrong. Normally, it will show a distance of 1. Yours shows 0. That usually indicates it is an address on this router. It should be the gateway address on your ISP's router.

The opposite is true for static rules 3 and 5. They should show a distance of 0, unless there is some ip set you are routing somewhere.

Rule 3,4 and 5 is applying to WAN2, i do not use wan2 for internet at all, just to reach some networks (management) only reachable trough wan2 (not internet)

Rule 0 is 0.0.0.0/0 to ISP's Router. 95.*.*.1 i think this one is set by the dhcp client.

WAN2 has no dynamic rules, other than number 4, because i told the DHCP client to not add it.

The routing is working fine for what i want, but not for the port forwarding.

I still do not think that default route is correct. Or your ip assignment on WAN1 is not correct. It should show a distance of 1. Distance=0 means "the ip address is assigned to an interface on this router".

ADD: Distance=1 with the status=reachable means "the ip address is not assigned to an interface, but there is a network subnet assigned that includes that ip address".

The route is dynamic, and i told the dhcp client that the distance to use was 1, so now it is 1.

Still no NAT into the network.

I presumed you were testing in a static ip setup. If your WAN interfaces are dhcp clients, maybe changeip or someone that is familiar with dhcp client setup would be more help. I have static ip assignments from my provider, and they are not cheap. But I do make more than just my money back on what I do with them.

I can use a static ip on WAN2, since "i am" the ISP on that network. I dont think i can do a static at the other ISP, since i am only a customer there.

I am maintaining Wimax and Mikrotik WISP systems, but the Mikrotik i have not gotten much training in, our Mikrotik BST's are very simple set up. Only a bridged base-station with management in a VLAN,we shape and control the customers at other places in the network.

My goal with this setup is having one router, all internet trough external ISP, and work-related only trough WAN2. The WAN2 network is not available from internet, i am reaching this network via a vlan, directly via a Mikrotik CPE.

Thanks for your effort!

I solved this, here is the working code:

It does not show here i think, but i put port "22" under "any port" in the "General" tab in winbox. Port in dst or src would never work... The Hairpin and local-local rules are so that internal machines can reach my web server trough it's domain name "over the internet".

M-sport