OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Multi WAN and port forwarding

Fri Dec 08, 2023 9:26 pm

Hello together.

I have a big problem and don't know why.
Here is what I like to do:

WAN1 -> DSL 4 Mbit fix IP Range
WAN2 -> LTE fix IP
WAN3 -> LTE fix IP
WAN4 -> LTE fix IP
WAN5 -> LTE fix IP

All modems are bridged; the static IP is available on the WAN ports.

I set up the Mangle in the prerouting chain and mark every incoming connection.
I set up mark routing.
I set up dst-nat for port forwarding.
Scenario: 5 webservers; here a Docker container is available on each IP address.

And now the difficult to understand for me:

I setup the first WAN everything works, great.
I setup the second WAN, everything works.
I setup WAN 3 and the Webserver from WAN 2 is not responding, or better, I can see the connection come in, is correctly tagged but the return path is wrong?
I see a syn State on the connection but it will not establish?
If I disconnect WAN3, WAN 2 is working again?

Is it possible to debug the packet flow?
How can I see or trace what's going wrong?
I think there is something wrong with the way back, but I can't see what's wrong.
I tried to bring it up with RouterOS 6.49 and with 7.2, but it is still the same.

The same config with the same hardware is running on a Zywall 11000 as a WAN trunk.

Any help / hint would be great.

config:
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] name=WAN4
set [ find default-name=ether5 ] name=WAN5
set [ find default-name=ether10 ] name="ether10 INT"
set [ find default-name=ether11 ] name=ether11-LAN
/interface list
add name=WAN-list
add name=LAN-list
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether11-LAN lease-time=10m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=toWan1
add fib name=toWan2
add fib name=toWan3
add fib name=toWan4
add fib name=toWan5
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=WAN1 list=WAN-list
add interface=WAN2 list=WAN-list
add interface=WAN3 list=WAN-list
add interface=WAN4 list=WAN-list
add interface=WAN5 list=WAN-list
add interface=ether11-LAN list=LAN-list
add interface="ether10 INT" list=LAN-list
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=81.223.59.xxx/29 interface=WAN1 network=81.223.59.xxx
add address=10.0.0.1/24 interface=ether11-LAN network=10.0.0.0
add address=212.95.26.xxx/30 disabled=yes interface=WAN2 network=212.95.26.xxx
add address=212.95.26.xxx/29 disabled=yes interface=WAN3 network=212.95.26.xxx
add address=212.95.27.xxx/24 disabled=yes interface=WAN4 network=212.95.27.xxx
add address=176.66.79.xxx/16 disabled=yes interface=WAN5 network=176.66.0.xxx
add address=10.0.0.95/24 interface="ether10 INT" network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=WAN5 use-peer-ntp=no
add add-default-route=no interface=WAN2 use-peer-ntp=no
add add-default-route=no interface=WAN3 use-peer-ntp=no
add add-default-route=no interface=WAN4 use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.0.144 client-id=1:0:50:56:93:f0:9a mac-address=\
    00:50:56:93:F0:9A server=dhcp1
add address=10.0.0.122 client-id=1:0:23:a4:2:36:86 mac-address=\
    00:23:A4:02:36:86 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.25,10.0.0.1 domain=dom-01.net \
    gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.25
/ip dns static
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip firewall address-list
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="access only from inside" dst-port=\
    8291,22,80 in-interface-list=LAN-list protocol=tcp
add action=accept chain=input comment=\
    "Allow Established/Related/Untracked connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="DNS nicht von extern" dst-port=53 \
    protocol=tcp src-address-list=RFC1918
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    RFC1918
add action=drop chain=input comment="Drop everything else" log-prefix=\
    _DROP_IN_
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=\
    WAN-list
add action=accept chain=forward comment="forward established" \
    connection-state=established,related
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN-list out-interface-list=WAN-list
add action=drop chain=forward comment="Forward Drop invalid " \
    connection-state=invalid
add action=drop chain=forward comment="forward drop anything"
/ip firewall mangle
add action=accept chain=prerouting comment=0001 dst-address-list=RFC1918 \
    src-address-list=RFC1918
add action=accept chain=prerouting comment=0002 dst-address=81.223.59.xxx/29 \
    in-interface-list=LAN-list
add action=accept chain=prerouting dst-address=212.95.26.xxx/30 \
    in-interface-list=LAN-list
add action=accept chain=prerouting dst-address=212.95.26.xxx/29 \
    in-interface-list=LAN-list
add action=accept chain=prerouting dst-address=212.95.27.xxx/24 \
    in-interface-list=LAN-list
add action=accept chain=prerouting dst-address=176.66.0.0/xxx \
    in-interface-list=LAN-list
add action=mark-connection chain=prerouting comment="Incomming WAN marking" \
    connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn \
    passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN4 log-prefix=_WAN4_inMark new-connection-mark=WAN4_conn \
    passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN5 new-connection-mark=WAN5_conn passthrough=no
add action=mark-connection chain=prerouting comment="Loadbalancing WAN 2- 5" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN-list new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-type=!local in-interface-list=LAN-list log-prefix=\
    mark_conn3 new-connection-mark=WAN3_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-type=!local in-interface-list=LAN-list log-prefix=\
    mark_conn4 new-connection-mark=WAN4_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-type=!local in-interface-list=LAN-list \
    new-connection-mark=WAN5_conn passthrough=yes per-connection-classifier=\
    both-addresses:4/3
add action=mark-routing chain=prerouting comment="outgoing routing" \
    connection-mark=WAN1_conn in-interface-list=LAN-list new-routing-mark=\
    toWan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface-list=LAN-list new-routing-mark=toWan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface-list=LAN-list new-routing-mark=toWan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
    in-interface-list=LAN-list new-routing-mark=toWan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5_conn \
    in-interface-list=LAN-list new-routing-mark=toWan5 passthrough=no
add action=mark-routing chain=output comment="outgoing WAN routing" \
    connection-mark=WAN1_conn new-routing-mark=toWan1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=toWan2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3_conn log=yes \
    log-prefix=out_W3 new-routing-mark=toWan3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4_conn log=yes \
    log-prefix=out_W4 new-routing-mark=toWan4 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5_conn \
    new-routing-mark=toWan5 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="testwebsite W5" dst-address=\
    176.66.79.xxx dst-port=80 protocol=tcp to-addresses=10.0.0.33
add action=dst-nat chain=dstnat comment="test destnat wan4" dst-address=\
    212.95.27.xxx dst-port=80 protocol=tcp to-addresses=10.0.0.33
add action=dst-nat chain=dstnat comment="test website W3" dst-address=\
    212.95.26.xxx dst-port=80 protocol=tcp to-addresses=10.0.0.33
add action=dst-nat chain=dstnat comment="test website W2" dst-address=\
    212.95.26.xxx dst-port=80 protocol=tcp to-addresses=10.0.0.33
add action=dst-nat chain=dstnat comment="testwebsite W1" dst-address=\
    81.223.59.xxx dst-port=80 protocol=tcp to-addresses=10.0.0.33 to-ports=\
    4400
add action=masquerade chain=srcnat comment="WAN Masquerade" \
    out-interface-list=WAN-list
/ip route
add comment="Standard WAN1" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=81.223.59.xxx%WAN1
add comment="Standard WAN2" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=212.95.26.xxx%WAN2
add comment="Standard WAN3" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=212.95.26.xxx%WAN3
add comment="Standard WAN4" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=212.95.27.xxx%WAN4 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Standard WAN5" disabled=no distance=2 dst-address=0.0.0.0/0 \
    gateway=176.66.0.1%WAN5
add comment="EXPL WAN1" disabled=no dst-address=0.0.0.0/0 gateway=\
    81.223.59.xxx%WAN1 routing-table=toWan1
add comment="EXPL WAN2" disabled=no dst-address=0.0.0.0/0 gateway=\
    212.95.26.xxx%WAN2 routing-table=toWan2
add comment="EXPL WAN3" disabled=no dst-address=0.0.0.0/0 gateway=\
    212.95.26.xxx%WAN3 routing-table=toWan3
add comment="EXPL WAN4" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.27.xxx%WAN4 pref-src="" routing-table=toWan4 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="EXPL WAN5" disabled=no dst-address=0.0.0.0/0 gateway=\
    176.66.0.1%WAN5 routing-table=toWan5
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule
add action=lookup disabled=no src-address=::/0 table=main
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.0.25
/tool sniffer
set streaming-enabled=yes streaming-server=10.0.0.122
Regards
Oliver
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Fri Dec 08, 2023 10:59 pm

WHY DID YOU FAIL TO MENTION YOU ARE ALSO DOING PCC for your LAN??
Do you not think that is important to know? So it's not just port forwarding here.

What is your failover plan for PCC????
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 1:14 am

It makes no difference for my problem and it's disabled in this config. ;-)

I don't understand why my routing fails on the way back.
Could you give me a hint?

Or how can I debug the connection flow?
Is there a way to trace the packets from outside -> through the router -> and back?

regards

Oliver
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 1:17 am

Oh - and no failover at the moment.
Outgoing, everything is working fine.
But if one connection goes down I could use the main table or recursive routing.

But first I thought I reduce the config to the necessary ;-)

regards
Oliver
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 1:18 am

I could remove PCC and use policy, but there is still the problem with the port forwarding.
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 1:30 am

I don't care about the config first, I care about the requirements.
What is your intent with the WANS..................
Do you want users to be able to share all the available WANS?
Do you want some subnets to use only WANS.

If you don't know what your plan is, I am not going to waste time helping a moving target.
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 2:44 am

Ok,
the DSL on WAN1 is weak.
So I must use WAN 2 - 5.
But these are LTE.
I also need static IPs so I ordered static IP for each WAN.

The idea behind is to use all the bandwidth outgoing.
Also WAN 2- 5 with load balancing.
This is working.

I also have a couple of servers.
These should be available from the outside (WAN)
This means I need Port forwarding.

WAN 1 IPs -> internal Server 1, 2 3 (3 static IPs on WAN 1)
WAN 2 IP -> internal Server 4
WAN 3 IP -> internal Server 5
WAN 4 IP -> internal Server 6
WAN 5 IP -> internal Server 7
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 3:57 am

Okay so basically WAN1 not included in PCC.
WANS 2-5 PCC.
Does each WAN (in 2 thru 5 ) have basically the same throughput?

Are the WANS 2-5 from the same provider?
The reason I ask is that if there is an issue with a provider it is likely that all internet from that provider will not be available.
One has to be real about failover!!

I see WAN1 will be used for servers as well as each of the other WANS.
Do you foresee VPN such as wireguard, to be able to manage the router or access the LAN remotely?

+++++++++++++++++++++++++++++
For failover of PCC you have options.
1. The failover will go to the WAN with the lowest distance only (so let's say WAN5 had the lowest distance, then if WAN2, 3, or 4 failed its traffic would go to WAN5, and that would continue).
So the load is given to the next available WAN depending upon distance. This would be the case for all the WANs. So basically a SET failover based on the distance for each WAN route.

2. Organized failover, this is almost the same but we dictate for each WAN failure what will be the order of failover for each case of each WAN failing.
if wan2 fails go to wan4, and if 4 fails go to 3 and if 3 fails go to 5
if wan3 fails go to wan5, and if wan5 fails go to wan2 and if wan2 fails go to wan4

3. Finally we have spread failure. In this case if one WAN fails we spread the failure over the other 3 WANS in an equal way.


if wan4 fails go to wan2 and if wan2 fails go to wan5 and if wan5 fails go to wan3
if wan5 fails go to wan3 and if wan3 fails go to wan4 and if wan4 fails go to wan2
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 3:46 pm

That's right, WAN 1 is so weak, it's not part of the outgoing load balancing.

Each WAN in WAN 2 - 5 has nearly the same bandwidth.
WAN 2, 3, 4 are the same provider; WAN 5 is different.

I think about vpn for myself, and I think I will use WAN1 as in the past.

Failover, I think I will use option 2, organised failover.

But I struggle at the moment with the incoming connections. Why is a WAN connection working until I connect another?
I think I mark each connection when it comes in, and I can see the SYN state.
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 8:42 pm

/routing table
add fib name=useWan1
add fib name=useWan2
add fib name=useWan3
add fib name=useWan4
add fib name=useWan5

/ip firewall mangle
{ to ensure local traffic to the router is processed before any other mangle rules }
add action=accept chain=prerouting in-interface-list=LAN-list dst-address-type=local

{ to ensure local PCC affiliated LAN subnet local traffic to any other local subnets is processed before PCC - disabled as there are no other subnets }
add action=accept chain=prerouting in-interface-list=LAN-list out-interface-list=non-PCC-subnets disabled=yes

{ to the jump chain for connection-markings for any remaining traffic without any connection marks }
add action=jump chain=prerouting jump-target=mangleConnect connection-mark=no-mark

MARKING ROUTES
{ mark route rules to ensure external originated traffic going to servers through the WANs, coming in on each WAN goes out the same WAN }
add action=mark-routing chain=prerouting connection-mark=in-WAN1 new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN2 new-routing-mark=useWan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN3 new-routing-mark=useWan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN4 new-routing-mark=useWan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN5 new-routing-mark=useWan5 passthrough=no


{ mark routing rules to ensure external users connecting to router VPN services via WAN1 get replies from WAN1 }
add action=mark-routing chain=output connection-mark=in-WAN1 new-routing-mark=useWan1 passthrough=no

{ mark routing rules for PCC traffic }
add action=mark-routing chain=prerouting connection-mark=WAN2-conn new-routing-mark=useWan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-conn new-routing-mark=useWan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-conn new-routing-mark=useWan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-conn new-routing-mark=useWan5 passthrough=no

MARKING CONNECTIONS
{ jump chain rules for WAN connection-marks }
add action=mark-connection chain=mangleConnect in-interface=WAN1 new-connection-mark=in-WAN1
add action=mark-connection chain=mangleConnect in-interface=WAN2 new-connection-mark=in-WAN2
add action=mark-connection chain=mangleConnect in-interface=WAN3 new-connection-mark=in-WAN3
add action=mark-connection chain=mangleConnect in-interface=WAN4 new-connection-mark=in-WAN4
add action=mark-connection chain=mangleConnect in-interface=WAN5 new-connection-mark=in-WAN5


{ jump chain rules for PCC connection-marks - in-interface-list=bridge-LAN OR in the case of no other local subnets involved in PCC }
{ we can use in-interface=!WAN, to ensure we don't capture packets originating on WAN side and returning back out }
add action=mark-connection chain=mangleConnect new-connection-mark=WAN2-conn per-connection-classifier=src-address:4/0 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN3-conn per-connection-classifier=src-address:4/1 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN4-conn per-connection-classifier=src-address:4/2 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN5-conn per-connection-classifier=src-address:4/3 in-interface-list=!WAN-list


ROUTES
/ip route
{ standard routes, via distance, WAN1 is only used for external access, Failover is completely selected by distance in all cases }
add comment="Standard WAN1" check-gateway=ping distance=10 dst-address=0.0.0.0/0 gateway=81.223.59.xxx%WAN1
add comment="Standard WAN2" check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2
add comment="Standard WAN3" check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3
add comment="Standard WAN4" check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4
add comment="Standard WAN5" check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5


{ routes for WAN route-marks and PCC route marks can be identical in this simple case }
add comment="marked WAN1" dst-address=0.0.0.0/0 gateway=81.223.59.xxx%WAN1 routing-table=useWan1
add comment="marked WAN2" dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=useWan2
add comment="marked WAN3" dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=useWan3
add comment="marked WAN4" dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=useWan4
add comment="marked WAN5" dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=useWan5


NOTE1: In this setup (for both PCC LAN traffic and if there were other subnets for regular traffic):
- ALL LAN originating traffic not specifically PCCed, will go out WAN5 and will follow the same failover as per the below
PCC Failover:
- if any WAN fails (2-4) its traffic will go to WAN5 ( distance=2)
- if WAN5 fails, all its traffic will go to WAN2 (distance=3)
- if WAN5 and WAN2 fail, all their traffic will go to WAN3 (distance=4)
- if WAN5, 2, 3 fail, all their traffic will go to WAN4 (distance=5)

NOTE2: If you wanted a specific order different from the above, something more complex such as:
5-->2-->4-->3
2-->3-->4-->5
3-->4-->5-->2
4-->5-->2-->3
OR WHATEVER SCHEMA WAS DESIRED............ but
It would create more work but one would need some rationale to differ from the offered simpler solution.

NOTE3: The only real alternative is to share the load equally with the other available WANs but that is very complex entailing a different set of tables and rules. This would entail 12 additional tables 12 PCC rules and 24 routes.
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Sat Dec 09, 2023 9:27 pm

Mangles for 4 WAN PCC - 12 additional tables, 12 pcc mangles, 24 routes.

The concept being that each table is getting 1/12 of the traffic and each WAN has 3 tables associated with it. So each WAN is getting 1/4 of the traffic, which makes sense as we have four WANs in PCC. Thus when, let's say, WAN2 fails.......... 1/4 of the traffic is spread amongst the other 3 WANS.

1/12 to wan3, 1/12 to WAN4, 1/12 to WAN5 = 1/12+1/12+1/12= 3/12 = 1/4
...


/routing table
add fib name=useWan1
add fib name=useWan2
add fib name=useWan3
add fib name=useWan4
add fib name=useWan5
add fib name=2then3
add fib name=2then4
add fib name=2then5
add fib name=3then2
add fib name=3then4
add fib name=3then5
add fib name=4then2
add fib name=4then3
add fib name=4then5
add fib name=5then2
add fib name=5then3
add fib name=5then4


/ip firewall mangle
{ to ensure local traffic to the router is processed before any other mangle rules }
add action=accept chain=prerouting in-interface-list=LAN-list dst-address-type=local

{ to ensure local PCC LAN traffic to any other local subnets is processed before PCC - disabled as there are no other subnets }
add action=accept chain=prerouting in-interface-list=LAN-list out-interface-list=non-PCC-subnets disabled=yes

{ to the  jump chain for connection-markings }
add action=jump  chain=prerouting jump-target=mangleConnect  connection-mark=no-mark

{ mark route rules to ensure external originated traffic going to servers on the WAN, coming in on each WAN goes out the same WAN }
add action=mark-routing chain=prerouting connection-mark=in-WAN1  new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN2  new-routing-mark=useWan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN3  new-routing-mark=useWan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN4  new-routing-mark=useWan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN5  new-routing-mark=useWan5 passthrough=no

{ mark routing rules to ensure external users connecting to router VPN services via WAN1 get replies from WAN1 }
add action=mark-routing chain=output connection-mark=in-WAN1 new-routing-mark=useWan1 passthrough=no

{ mark routing rules for PCC traffic }
add action=mark-routing chain=prerouting connection-mark=WAN2-3 new-routing-mark=2then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-4 new-routing-mark=2then4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-5 new-routing-mark=2then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-2 new-routing-mark=3then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-4 new-routing-mark=3then4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-5 new-routing-mark=3then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-2 new-routing-mark=4then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-3 new-routing-mark=4then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-5 new-routing-mark=4then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-2 new-routing-mark=5then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-3 new-routing-mark=5then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-4 new-routing-mark=5then4 passthrough=no

{ jump chain rules for WAN connection-marks }
add action=mark-connection chain=mangleConnect in-interface=WAN1 new-connection-mark=in-WAN1
add action=mark-connection chain=mangleConnect in-interface=WAN2 new-connection-mark=in-WAN2
add action=mark-connection chain=mangleConnect in-interface=WAN3 new-connection-mark=in-WAN3
add action=mark-connection chain=mangleConnect in-interface=WAN4 new-connection-mark=in-WAN4
add action=mark-connection chain=mangleConnect in-interface=WAN5 new-connection-mark=in-WAN5

{ jump chain rules for PCC connection-marks - in-interface-list=bridge-LAN OR in the case of no other local subnets involved in PCC }
{ we can use in-interface=!WAN, to ensure we don't capture packets originating on WAN side and returning back out }
...
add action=mark-connection chain=mangleConnect new-connection-mark=WAN2-3 per-connection-classifier=src-address:12/0 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN2-4 per-connection-classifier=src-address:12/1 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN2-5 per-connection-classifier=src-address:12/2 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN3-2 per-connection-classifier=src-address:12/3 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN3-4 per-connection-classifier=src-address:12/4 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN3-5 per-connection-classifier=src-address:12/5 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN4-2 per-connection-classifier=src-address:12/6 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN4-3 per-connection-classifier=src-address:12/7 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN4-5 per-connection-classifier=src-address:12/8 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN5-2 per-connection-classifier=src-address:12/9 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN5-3 per-connection-classifier=src-address:12/10 in-interface-list=!WAN-list
add action=mark-connection chain=mangleConnect new-connection-mark=WAN5-4 per-connection-classifier=src-address:12/11 in-interface-list=!WAN-list
...

/ip route
{ standard routes, via distance, WAN1 is only used for external access, distance is provided for any other traffic requiring failover, other than PCC }
add comment="Standard WAN1"  check-gateway=ping distance=10 dst-address=0.0.0.0/0 gateway=81.223.59.xxx%WAN1
add comment="Standard WAN2"  check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2
add comment="Standard WAN3"  check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3
add comment="Standard WAN4"  check-gateway=ping distance=5 dst-address=0.0.0.0/0  gateway=212.95.27.xxx%WAN4 
add comment="Standard WAN5"  check-gateway=ping distance=2 dst-address=0.0.0.0/0  gateway=176.66.0.1%WAN5

{ routes for WAN route-marks }

add comment="marked WAN2" dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=useWan2
add comment="marked WAN3" dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=useWan3
add comment="marked WAN4" dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=useWan4
add comment="marked WAN5" dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=useWan5

{ routes for PCC route-marks }

add comment="wan2 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=2then3
add comment="wan3 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=2then3
add comment="wan2 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=2then4
add comment="wan4 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=2then4
add comment="wan2 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=2then5
add comment="wan5 gwy" distance=2 dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=2then5
add comment="wan3 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=3then2
add comment="wan2 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=3then2
add comment="wan3 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=3then4
add comment="wan4 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=3then4
add comment="wan3 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=3then5
add comment="wan5 gwy" distance=2 dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=3then5
add comment="wan4 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=4then2
add comment="wan2 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=4then2
add comment="wan4 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=4then3
add comment="wan3 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=4then3
add comment="wan4 gwy" distance=1 dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=4then5
add comment="wan5 gwy" distance=2 dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=4then5
add comment="wan5 gwy" distance=1 dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=5then2
add comment="wan2 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN2 routing-table=5then2
add comment="wan5 gwy" distance=1 dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=5then3
add comment="wan3 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.26.xxx%WAN3 routing-table=5then3
add comment="wan5 gwy" distance=1 dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 routing-table=5then4
add comment="wan4 gwy" distance=2 dst-address=0.0.0.0/0 gateway=212.95.27.xxx%WAN4 routing-table=5then4
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Sun Dec 10, 2023 7:44 pm

Thank you so much!

I try to get it to work.
I need a NAT right?

I tried:
;;; WAN Masquerade
chain=srcnat action=masquerade out-interface-list=WAN-list

But from LAN I could not connect to the web, ping is also not working.

Do you have an idea why it isn't working?
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Sun Dec 10, 2023 8:05 pm

Would have to see the latest config to investigate..........
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 12:31 am

I try hard to get it to work, but I don't get internet from LAN, so I can't get my port forwarding to work.

I don't get what I did wrong.

So, please can you help me again?
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] name=WAN4
set [ find default-name=ether5 ] name=WAN5
set [ find default-name=ether10 ] name=ether10-INT
set [ find default-name=ether11 ] name=ether11-LAN
/interface list
add name=WAN-list
add name=LAN-list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.XXX00-10.0.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether11-LAN lease-time=10m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=useWan1
add fib name=useWan2
add fib name=useWan3
add fib name=useWan4
add fib name=useWan5
add fib name=2then3
add fib name=2then4
add fib name=2then5
add fib name=3then2
add fib name=3then4
add fib name=3then5
add fib name=4then2
add fib name=4then3
add fib name=4then5
add fib name=5then2
add fib name=5then3
add fib name=5then4
/interface list member
add interface=WAN1 list=WAN-list
add interface=WAN2 list=WAN-list
add interface=WAN3 list=WAN-list
add interface=WAN4 list=WAN-list
add interface=WAN5 list=WAN-list
add interface=ether11-LAN list=LAN-list
add interface=ether10-INT list=LAN-list
/ip address
add address=81.223.59.XXX94/29 interface=WAN1 network=81.223.59.XXX92
add address=10.0.0.XXX/24 interface=ether11-LAN network=10.0.0.0
add address=212.95.26.XXX/30 disabled=yes interface=WAN2 network=212.95.26.XXX
add address=212.95.26.XXX/29 disabled=yes interface=WAN3 network=212.95.26.80
add address=212.95.27.XXX/24 disabled=yes interface=WAN4 network=212.95.27.0
add address=176.66.79.XXX/16 disabled=yes interface=WAN5 network=176.66.0.0
add address=10.0.0.95/24 interface=ether10-INT network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=WAN5 use-peer-ntp=no
add add-default-route=no interface=WAN2 use-peer-ntp=no
add add-default-route=no interface=WAN3 use-peer-ntp=no
add add-default-route=no interface=WAN4 use-peer-ntp=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.25,10.0.0.XXX domain=dom-01.net \
    gateway=10.0.0.XXX
/ip dns
set allow-remote-requests=yes servers=10.0.0.25
/ip firewall address-list
add address=10.0.0.0/8 list=RFC1918
add address=172.XXX6.0.0/12 list=RFC1918
add address=192.XXX68.0.0/16 list=RFC1918
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="access only from inside" dst-port=\
    8291,22,80 in-interface-list=LAN-list protocol=tcp
add action=accept chain=input comment=\
    "Allow Established/Related/Untracked connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="DNS nicht von extern" dst-port=53 \
    protocol=tcp src-address-list=RFC1918
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    RFC1918
add action=drop chain=input comment="Drop everything else" log-prefix=\
    _DROP_IN_
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=\
    WAN-list
add action=accept chain=forward comment="forward established" \
    connection-state=established,related
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN-list out-interface-list=WAN-list
add action=drop chain=forward comment="Forward Drop invalid " \
    connection-state=invalid
add action=drop chain=forward comment="forward drop anything" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN-list
/ip firewall mangle
add action=accept chain=prerouting dst-address-type=local in-interface-list=\
    LAN-list
add action=jump chain=prerouting connection-mark=no-mark jump-target=\
    mangleConnect
add action=mark-routing chain=prerouting connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN2 \
    new-routing-mark=useWan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN3 \
    new-routing-mark=useWan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN4 \
    new-routing-mark=useWan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN5 \
    new-routing-mark=useWan5 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-3 \
    new-routing-mark=2then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-4 \
    new-routing-mark=2then4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-5 \
    new-routing-mark=2then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-2 \
    new-routing-mark=3then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-4 \
    new-routing-mark=3then4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-5 \
    new-routing-mark=3then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-2 \
    new-routing-mark=4then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-3 \
    new-routing-mark=4then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-5 \
    new-routing-mark=4then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-2 \
    new-routing-mark=5then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-3 \
    new-routing-mark=5then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-4 \
    new-routing-mark=5then4 passthrough=no
add action=mark-connection chain=mangleConnect in-interface=WAN1 \
    new-connection-mark=in-WAN1
add action=mark-connection chain=mangleConnect in-interface=WAN2 \
    new-connection-mark=in-WAN2
add action=mark-connection chain=mangleConnect in-interface=WAN3 \
    new-connection-mark=in-WAN3
add action=mark-connection chain=mangleConnect in-interface=WAN4 \
    new-connection-mark=in-WAN4
add action=mark-connection chain=mangleConnect in-interface=WAN5 \
    new-connection-mark=in-WAN5
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN2-3 per-connection-classifier=src-address:12/0
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN2-4 per-connection-classifier=src-address:12/1
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN2-5 per-connection-classifier=src-address:12/2
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN3-2 per-connection-classifier=src-address:12/3
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN3-4 per-connection-classifier=src-address:12/4
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN3-5 per-connection-classifier=src-address:12/5
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN4-2 per-connection-classifier=src-address:12/6
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN4-3 per-connection-classifier=src-address:12/7
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN4-5 per-connection-classifier=src-address:12/8
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN5-2 per-connection-classifier=src-address:12/9
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN5-3 per-connection-classifier=src-address:12/10
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN5-4 per-connection-classifier=src-address:12/11
add action=mark-routing chain=output connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN2 \
    new-routing-mark=useWan2 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN3 \
    new-routing-mark=useWan3 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN4 \
    new-routing-mark=useWan4 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN5 \
    new-routing-mark=useWan5 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-3 new-routing-mark=\
    2then3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-4 new-routing-mark=\
    2then4 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-5 new-routing-mark=\
    2then5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-2 new-routing-mark=\
    3then2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-4 new-routing-mark=\
    3then4 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-5 new-routing-mark=\
    3then5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4-2 new-routing-mark=\
    4then2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4-3 new-routing-mark=\
    4then3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4-5 new-routing-mark=\
    4then5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5-2 new-routing-mark=\
    5then2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5-3 new-routing-mark=\
    5then3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5-4 new-routing-mark=\
    5then4 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="Testwebsite W5" dst-address=\
    176.66.79.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.64
add action=dst-nat chain=dstnat comment="Testwebsite W4" dst-address=\
    212.95.27.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.63
add action=dst-nat chain=dstnat comment="Testwebsite W3" dst-address=\
    212.95.26.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.62
add action=dst-nat chain=dstnat comment="Testwebsite W2" dst-address=\
    212.95.26.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.61
add action=dst-nat chain=dstnat comment="Testwebsite W1" dst-address=\
    81.223.59.XXX94 dst-port=80 protocol=tcp to-addresses=10.0.0.60 to-ports=0
add action=masquerade chain=srcnat comment=Hairpin dst-address=10.0.0.0/24 \
    src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=Hairpin dst-address-list=RFC1918 \
    src-address-list=RFC1918
add action=src-nat chain=srcnat comment="test src nat" src-address=10.0.0.64 \
    to-addresses=176.66.79.XXX
add action=src-nat chain=srcnat comment="test src nat" src-address=10.0.0.63 \
    to-addresses=212.95.27.XXX
add action=src-nat chain=srcnat comment="test src nat" src-address=10.0.0.62 \
    to-addresses=212.95.26.XXX
add action=masquerade chain=srcnat comment="WAN Masquerade" \
    out-interface-list=WAN-list
/ip route
add check-gateway=ping comment="Standard WAN1" distance=10 dst-address=\
    0.0.0.0/0 gateway=81.223.59.XXX93%WAN1
add check-gateway=ping comment="Standard WAN2" distance=3 dst-address=\
    0.0.0.0/0 gateway=212.95.26.XXX%WAN2
add check-gateway=ping comment="Standard WAN3" distance=4 dst-address=\
    0.0.0.0/0 gateway=212.95.26.XXX%WAN3
add check-gateway=ping comment="Standard WAN4" distance=5 dst-address=\
    0.0.0.0/0 gateway=212.95.27.XXX%WAN4
add check-gateway=ping comment="Standard WAN5" distance=2 dst-address=\
    0.0.0.0/0 gateway=176.66.0.XXX%WAN5
add comment="marked WAN2" dst-address=0.0.0.0/0 gateway=212.95.26.XXX%WAN2 \
    routing-table=useWan2
add comment="marked WAN3" dst-address=0.0.0.0/0 gateway=212.95.26.XXX%WAN3 \
    routing-table=useWan3
add comment="marked WAN4" dst-address=0.0.0.0/0 gateway=212.95.27.XXX%WAN4 \
    routing-table=useWan4
add comment="marked WAN5" dst-address=0.0.0.0/0 gateway=176.66.0.XXX%WAN5 \
    routing-table=useWan5
add comment="wan2 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 routing-table=2then3
add comment="wan3 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 routing-table=2then3
add comment="wan2 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 routing-table=2then4
add comment="wan4 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.27.XXX%WAN4 routing-table=2then4
add comment="wan2 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 routing-table=2then5
add comment="wan5 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    176.66.0.XXX%WAN5 routing-table=2then5
add comment="wan3 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 routing-table=3then2
add comment="wan2 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 routing-table=3then2
add comment="wan3 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 routing-table=3then4
add comment="wan4 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.27.XXX%WAN4 routing-table=3then4
add comment="wan3 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 routing-table=3then5
add comment="wan5 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    176.66.0.XXX%WAN5 routing-table=3then5
add comment="wan4 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.27.XXX%WAN4 routing-table=4then2
add comment="wan2 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 routing-table=4then2
add comment="wan4 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.27.XXX%WAN4 routing-table=4then3
add comment="wan3 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 routing-table=4then3
add comment="wan4 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.27.XXX%WAN4 routing-table=4then5
add comment="wan5 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    176.66.0.XXX%WAN5 routing-table=4then5
add comment="wan5 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    176.66.0.XXX%WAN5 routing-table=5then2
add comment="wan2 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 routing-table=5then2
add comment="wan5 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    176.66.0.XXX%WAN5 routing-table=5then3
add comment="wan3 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 routing-table=5then3
add comment="wan5 gwy" distance=1 dst-address=0.0.0.0/0 gateway=\
    176.66.0.XXX%WAN5 routing-table=5then4
add comment="wan4 gwy" distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.27.XXX%WAN4 routing-table=5then4
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 12:38 am

I am a bit confused: how is it that you have fixed IP addresses but have both an IP address entry for the WAN IP and also an IP DHCP client entered for WANs 2-5??
The config will work if your gateway IP addresses are fixed and DO NOT CHANGE.
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 1:23 am

I have static IP addresses, and normally my provider expects that I receive them via DHCP.
Except for WAN 1.
To check if I have the right gateways and subnet mask, I activated DHCP.
I always receive the same values, so it makes no difference between DHCP or static.
I attached a screenshot to this post, so you can see.

But it's not working.

I could not reach the web from LAN, I could not ping, no port forwarding is working, but I don't see why.
At the moment I have WAN 1 and 2 on the old router and am trying to get it to work with 3 - 5.

I don't know why it is not working.

 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 2:12 am

Observations.

1. Mangle rules
All good up to and including the PCC connection marks.
a. allow prerouting traffic from LAN to router CHECK
b. allow prerouting traffic between LAN local subnets not required CHECK
c. Jump chain rule for no-marks traffic
d. mark routes to ensure external traffic hits servers and goes out same WAN (prerouting all four WANs 2-5) CHECK
e. mark route to ensure external traffic TO router goes back out same WAN (output chain on WAN1) CHECK
f. Jump chain new connection marks for WANs 1-5 CHECK
g. Jump chain new connection marks for PCC traffic 12 Rules CHECK

h. PROBLEMS: There should be no more MANGLE RULES after the PCC connection marking, the ones in g. DUPLICATES!!
You have kept old rules that should be removed!!
Shown here, by showing the last PCC mangle rule WAN5-4 pcc 12/11 and then the extra rules.
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
new-connection-mark=WAN5-4 per-connection-classifier=src-address:12/11

add action=mark-routing chain=output connection-mark=in-WAN1 \
new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN2 \
new-routing-mark=useWan2 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN3 \
new-routing-mark=useWan3 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN4 \
new-routing-mark=useWan4 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN5 \
new-routing-mark=useWan5 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN1 \
new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-3 new-routing-mark=\
2then3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-4 new-routing-mark=\
2then4 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-5 new-routing-mark=\
2then5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-2 new-routing-mark=\
3then2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-4 new-routing-mark=\
3then4 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-5 new-routing-mark=\
3then5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4-2 new-routing-mark=\
4then2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4-3 new-routing-mark=\
4then3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN4-5 new-routing-mark=\
4then5 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5-2 new-routing-mark=\
5then2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5-3 new-routing-mark=\
5then3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN5-4 new-routing-mark=\
5then4 passthrough=no



You should note in my example that these do not exist either!!!! Some clean up to do.

Now for ROUTE review.
Did not see any issues with routes.
Last edited by anav on Thu Dec 14, 2023 2:22 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 2:20 am

1. You have a strange input rule setup for DNS, I would still add in-interface-list=LAN-list and scrap your RFC address list approach.
It's only DNS requests from the LAN that need to be allowed.

Other than that I cannot find where the issue may be.......
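
The two review points anav raises in the posts above (no mangle rules after the PCC connection marks, and DNS input accepts bound to the LAN interface list) can be checked mechanically on an export. The Python checker below is an added example, not code from any poster in this thread; its function names and the cut-down sample export are constructed for illustration.

```python
import shlex

# Constructed sample: a cut-down export shaped like the config posted in this
# thread (two PCC classes instead of twelve, one DNS rule of each kind).
SAMPLE_EXPORT = r"""
/routing table
add fib name=useWan1
add fib name=2then3
add fib name=3then2
/ip firewall filter
add action=accept chain=input comment="DNS nicht von extern" dst-port=53 \
    protocol=udp src-address-list=RFC1918
add action=accept chain=input dst-port=53 in-interface-list=LAN-list \
    protocol=tcp
/ip firewall mangle
add action=jump chain=prerouting connection-mark=no-mark jump-target=\
    mangleConnect
add action=mark-routing chain=prerouting connection-mark=WAN2-3 \
    new-routing-mark=2then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-2 \
    new-routing-mark=3then2 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-connection chain=mangleConnect in-interface=WAN1 \
    new-connection-mark=in-WAN1
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN2-3 per-connection-classifier=src-address:2/0
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN3-2 per-connection-classifier=src-address:2/1
add action=mark-routing chain=output connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-3 new-routing-mark=\
    2then3 passthrough=no
add action=mark-routing chain=output connection-mark=WAN3-2 new-routing-mark=\
    3then2 passthrough=no
"""

def parse_export(text):
    """Return {section: [rule_dict, ...]} for every 'add' line of an export."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]      # export wraps mid-token: glue the next line on
            continue
        pending = ""
        if line:
            logical.append(line)
    sections, current = {}, None
    for line in logical:
        if line.startswith("/"):     # e.g. "/ip firewall mangle"
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            rule = {}
            for token in shlex.split(line)[1:]:
                key, sep, value = token.partition("=")
                rule[key] = value if sep else True   # bare flags such as 'fib'
            sections[current].append(rule)
    return sections

def duplicate_rules(rules):
    """Pairs (first_index, repeat_index) of rules with identical properties."""
    seen, pairs = {}, []
    for i, rule in enumerate(rules):
        key = tuple(sorted(rule.items()))
        if key in seen:
            pairs.append((seen[key], i))
        else:
            seen[key] = i
    return pairs

def rules_after_pcc(rules):
    """Indexes of rules placed after the last per-connection-classifier rule."""
    pcc = [i for i, r in enumerate(rules) if "per-connection-classifier" in r]
    return list(range(pcc[-1] + 1, len(rules))) if pcc else []

def unbound_dns_accepts(rules):
    """Indexes of input accept rules for port 53 with no in-interface match."""
    hits = []
    for i, r in enumerate(rules):
        ports = str(r.get("dst-port", "")).split(",")
        if (r.get("chain") == "input" and r.get("action") == "accept"
                and "53" in ports
                and "in-interface" not in r and "in-interface-list" not in r):
            hits.append(i)
    return hits

if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    mangle = cfg["/ip firewall mangle"]
    print("duplicate mangle rules:", duplicate_rules(mangle))
    print("mangle rules after last PCC rule:", rules_after_pcc(mangle))
    print("DNS accepts without in-interface:",
          unbound_dns_accepts(cfg["/ip firewall filter"]))
```

Indexes are zero-based positions within each section, in export order.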
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 5:21 pm

I fixed the DNS filter, I removed the additional outgoing mangle, but it is still not working.

If I disable the mangle for PCC, internet from LAN is possible but not stable ?!?
Ping from tools is working, but not from terminal on / in winbox.
Port forwarding is not working.


Perhaps it's a problem in combination with the multiple WAN or because it's LTE?

I have the same WAN Modems working on a Zywall and it works.
WAN as Trunk, port forwarding to servers, snat to the modem router, all works.

I don't get it why I cannot get it to work on MikroTik.

I must make a stupid mistake and I cannot see it.

Here is the cleaned-up config:

@anav thank you so much to help me

/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] name=WAN4
set [ find default-name=ether5 ] name=WAN5
set [ find default-name=ether10 ] name=ether10-INT
set [ find default-name=ether11 ] name=ether11-LAN
/interface list
add name=WAN-list
add name=LAN-list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether11-LAN lease-time=10m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=useWan1
add fib name=useWan2
add fib name=useWan3
add fib name=useWan4
add fib name=useWan5
add fib name=2then3
add fib name=2then4
add fib name=2then5
add fib name=3then2
add fib name=3then4
add fib name=3then5
add fib name=4then2
add fib name=4then3
add fib name=4then5
add fib name=5then2
add fib name=5then3
add fib name=5then4
/interface list member
add interface=WAN1 list=WAN-list
add interface=WAN2 list=WAN-list
add interface=WAN3 list=WAN-list
add interface=WAN4 list=WAN-list
add interface=WAN5 list=WAN-list
add interface=ether11-LAN list=LAN-list
add interface=ether10-INT list=LAN-list
/ip address
add address=81.223.59.XXX/29 disabled=yes interface=WAN1 network=\
    81.223.59.192
add address=10.0.0.1/24 interface=ether11-LAN network=10.0.0.0
add address=212.95.26.XXX/30 disabled=yes interface=WAN2 network=212.95.26.XXX
add address=212.95.26.XXX/29 disabled=yes interface=WAN3 network=212.95.26.XXX
add address=212.95.27.XXX/24 disabled=yes interface=WAN4 network=212.95.27.0
add address=176.66.79.XXX/16 disabled=yes interface=WAN5 network=176.66.0.0
add address=10.0.0.95/24 interface=ether10-INT network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=WAN5 use-peer-ntp=no
add add-default-route=no interface=WAN2 use-peer-ntp=no
add add-default-route=no interface=WAN3 use-peer-ntp=no
add add-default-route=no interface=WAN4 use-peer-ntp=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.25,10.0.0.1 domain=dom-01.net \
    gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.25
/ip firewall address-list
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="access only from inside" dst-port=\
    8291,22,80 in-interface-list=LAN-list protocol=tcp
add action=accept chain=input comment=\
    "Allow Established/Related/Untracked connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="DNS nicht von extern" dst-port=53 \
    protocol=tcp src-address=10.0.0.0/24
add action=accept chain=input dst-port=53 protocol=udp src-address=\
    10.0.0.0/24
add action=drop chain=input comment="Drop everything else" log-prefix=\
    _DROP_IN_
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=\
    WAN-list
add action=accept chain=forward comment="forward established" \
    connection-state=established,related
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN-list out-interface-list=WAN-list
add action=drop chain=forward comment="Forward Drop invalid " \
    connection-state=invalid
add action=drop chain=forward comment="forward drop anything" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN-list
/ip firewall mangle
add action=accept chain=prerouting dst-address-type=local in-interface-list=\
    LAN-list
add action=jump chain=prerouting connection-mark=no-mark jump-target=\
    mangleConnect
add action=mark-routing chain=prerouting connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN2 \
    new-routing-mark=useWan2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN3 \
    new-routing-mark=useWan3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN4 \
    new-routing-mark=useWan4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=in-WAN5 \
    new-routing-mark=useWan5 passthrough=no
add action=mark-routing chain=output connection-mark=in-WAN1 \
    new-routing-mark=useWan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-3 \
    new-routing-mark=2then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-4 \
    new-routing-mark=2then4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-5 \
    new-routing-mark=2then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-2 \
    new-routing-mark=3then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-4 \
    new-routing-mark=3then4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN3-5 \
    new-routing-mark=3then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-2 \
    new-routing-mark=4then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-3 \
    new-routing-mark=4then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN4-5 \
    new-routing-mark=4then5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-2 \
    new-routing-mark=5then2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-3 \
    new-routing-mark=5then3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN5-4 \
    new-routing-mark=5then4 passthrough=no
add action=mark-connection chain=mangleConnect in-interface=WAN1 \
    new-connection-mark=in-WAN1 passthrough=yes
add action=mark-connection chain=mangleConnect in-interface=WAN2 \
    new-connection-mark=in-WAN2 passthrough=yes
add action=mark-connection chain=mangleConnect in-interface=WAN3 \
    new-connection-mark=in-WAN3 passthrough=yes
add action=mark-connection chain=mangleConnect in-interface=WAN4 \
    new-connection-mark=in-WAN4 passthrough=yes
add action=mark-connection chain=mangleConnect in-interface=WAN5 \
    new-connection-mark=in-WAN5 passthrough=yes
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN2-3 passthrough=yes per-connection-classifier=\
    src-address:12/0
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN2-4 passthrough=yes per-connection-classifier=\
    src-address:12/1
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN2-5 passthrough=yes per-connection-classifier=\
    src-address:12/2
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN3-2 passthrough=yes per-connection-classifier=\
    src-address:12/3
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN3-4 passthrough=yes per-connection-classifier=\
    src-address:12/4
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN3-5 passthrough=yes per-connection-classifier=\
    src-address:12/5
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN4-2 passthrough=yes per-connection-classifier=\
    src-address:12/6
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN4-3 passthrough=yes per-connection-classifier=\
    src-address:12/7
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN4-5 passthrough=yes per-connection-classifier=\
    src-address:12/8
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN5-2 passthrough=yes per-connection-classifier=\
    src-address:12/9
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN5-3 passthrough=yes per-connection-classifier=\
    src-address:12/10
add action=mark-connection chain=mangleConnect in-interface-list=!WAN-list \
    new-connection-mark=WAN5-4 passthrough=yes per-connection-classifier=\
    src-address:12/11
/ip firewall nat
add action=dst-nat chain=dstnat comment="Testwebsite W5" dst-address=\
    176.66.79.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.64
add action=dst-nat chain=dstnat comment="Testwebsite W4" dst-address=\
    212.95.27.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.63
add action=dst-nat chain=dstnat comment="Testwebsite W3" dst-address=\
    212.95.26.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.62
add action=dst-nat chain=dstnat comment="Testwebsite W2" dst-address=\
    212.95.26.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.61
add action=dst-nat chain=dstnat comment="Testwebsite W1" dst-address=\
    81.223.59.XXX dst-port=80 protocol=tcp to-addresses=10.0.0.60 to-ports=0
add action=masquerade chain=srcnat comment=Hairpin dst-address=10.0.0.0/24 \
    src-address=10.0.0.0/24
add action=src-nat chain=srcnat comment="test src nat" src-address=10.0.0.64 \
    to-addresses=176.66.79.XXX
add action=src-nat chain=srcnat comment="test src nat" src-address=10.0.0.63 \
    to-addresses=212.95.27.XXX
add action=src-nat chain=srcnat comment="test src nat" src-address=10.0.0.62 \
    to-addresses=212.95.26.XXX
add action=masquerade chain=srcnat comment="WAN Masquerade" \
    out-interface-list=WAN-list
/ip route
add check-gateway=ping comment="Standard WAN1" disabled=no distance=10 \
    dst-address=0.0.0.0/0 gateway=81.223.59.193%WAN1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Standard WAN2" disabled=no distance=3 \
    dst-address=0.0.0.0/0 gateway=212.95.26.XXX%WAN2 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Standard WAN3" disabled=no distance=4 \
    dst-address=0.0.0.0/0 gateway=212.95.26.XXX%WAN3 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Standard WAN4" disabled=no distance=5 \
    dst-address=0.0.0.0/0 gateway=212.95.27.1%WAN4 pref-src="" routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Standard WAN5" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=176.66.0.1%WAN5 pref-src="" routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add comment="marked WAN2" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=212.95.26.XXX%WAN2 pref-src="" routing-table=useWan2 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="marked WAN3" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=212.95.26.XXX%WAN3 pref-src="" routing-table=useWan3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="marked WAN4" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=212.95.27.1%WAN4 pref-src="" routing-table=useWan4 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="marked WAN5" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=176.66.0.1%WAN5 pref-src="" routing-table=useWan5 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan2 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 pref-src="" routing-table=2then3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan3 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 pref-src="" routing-table=2then3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan2 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 pref-src="" routing-table=2then4 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan4 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.27.1%WAN4 pref-src="" routing-table=2then4 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan2 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 pref-src="" routing-table=2then5 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan5 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    176.66.0.1%WAN5 pref-src="" routing-table=2then5 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan3 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 pref-src="" routing-table=3then2 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan2 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 pref-src="" routing-table=3then2 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan3 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 pref-src="" routing-table=3then4 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan4 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.27.1%WAN4 pref-src="" routing-table=3then4 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan3 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 pref-src="" routing-table=3then5 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan5 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    176.66.0.1%WAN5 pref-src="" routing-table=3then5 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan4 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.27.1%WAN4 pref-src="" routing-table=4then2 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan2 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 pref-src="" routing-table=4then2 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan4 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.27.1%WAN4 pref-src="" routing-table=4then3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan3 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 pref-src="" routing-table=4then3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan4 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    212.95.27.1%WAN4 pref-src="" routing-table=4then5 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan5 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    176.66.0.1%WAN5 pref-src="" routing-table=4then5 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan5 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    176.66.0.1%WAN5 pref-src="" routing-table=5then2 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan2 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN2 pref-src="" routing-table=5then2 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan5 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    176.66.0.1%WAN5 pref-src="" routing-table=5then3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan3 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.26.XXX%WAN3 pref-src="" routing-table=5then3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan5 gwy" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    176.66.0.1%WAN5 pref-src="" routing-table=5then4 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="wan4 gwy" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    212.95.27.1%WAN4 pref-src="" routing-table=5then4 scope=30 \
    suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
 
Ca6ko
Long time Member
Posts: 549
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 6:15 pm

/ip address
add address=10.0.0.1/24 interface=ether11-LAN network=10.0.0.0
add address=10.0.0.95/24 interface=ether10-INT network=10.0.0.0
You need to either bridge the LAN ports ether11-LAN, ether10-INT and set one address per bridge, or split them into different networks 10.0.0.1/25, 10.0.0.128/25. Assigning addresses to different ports does not join them into a single network. The router only looks for hosts on one port, which is the first one in the list.
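The condition described in the reply above (two routed interfaces carrying addresses from the same subnet) can be checked mechanically on an export. The Python sketch below is an added example, not part of the original thread and not MikroTik tooling; the function names and the WAN line in the sample are constructed assumptions, and only the two 10.0.0.x lines come from the post.

```python
import ipaddress
import shlex
from itertools import combinations

# Constructed sample in RouterOS export syntax. The two 10.0.0.x "add" lines
# are the ones quoted in the reply; the WAN1 line is illustrative only.
SAMPLE_EXPORT = r"""
/ip address
add address=10.0.0.1/24 interface=ether11-LAN network=10.0.0.0
add address=10.0.0.95/24 interface=ether10-INT network=10.0.0.0
add address=192.0.2.10/29 comment="constructed WAN address" \
    interface=WAN1 network=192.0.2.8
/system note
set show-at-login=no
"""

def parse_ip_addresses(export_text):
    """Return [(interface, IPv4Interface)] from the /ip address section."""
    # Export lines continue with a trailing backslash; join them first.
    joined = export_text.replace("\\\n", " ")
    section, found = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip address" and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            fields = dict(t.split("=", 1) for t in tokens if "=" in t)
            if fields.get("disabled") == "yes":
                continue  # disabled entries create no connected route
            found.append((fields["interface"],
                          ipaddress.ip_interface(fields["address"])))
    return found

def overlapping_subnets(entries):
    """Pairs of different interfaces whose connected networks overlap."""
    hits = []
    for (if_a, a), (if_b, b) in combinations(entries, 2):
        if if_a != if_b and a.network.overlaps(b.network):
            hits.append((if_a, str(a.network), if_b, str(b.network)))
    return hits

if __name__ == "__main__":
    for hit in overlapping_subnets(parse_ip_addresses(SAMPLE_EXPORT)):
        print("overlap: %s %s <-> %s %s" % hit)
```

With the /25 split suggested in the reply, the same check reports no overlap.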
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Thu Dec 14, 2023 9:55 pm

OK, thanks for your help.
In production there is only ether-11-LAN in use.
But at the moment I connect myself directly to ether-10-INT.
 
mn497
just joined
Posts: 1
Joined: Mon Dec 18, 2023 8:35 am

Re: Multi WAN and port forwarding

Mon Dec 18, 2023 8:43 am

I have a hEX router. I created 3 DSTnat for 3 servers. I want it to be a priority between NAT: if one of the servers does not answer the request, it will be automatically transferred to the next net. I checked the priority NAT method and it didn't work.
Does anyone suggest a better method?
 
anav
Forum Guru
Posts: 23404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multi WAN and port forwarding

Mon Dec 18, 2023 2:15 pm

The automation has to be on the user side; the router cannot do that in regular programming.
 
OliZi
just joined
Topic Author
Posts: 19
Joined: Sun Feb 06, 2022 3:53 am
Location: Austria

Re: Multi WAN and port forwarding

Thu Dec 21, 2023 10:10 am

For this kind of incoming load balancing I would set up a proxy like IIS with ARR and configure a server farm.
Here you could specify the load balancing, health test and so on.

Regards
Oliver