Community discussions

MikroTik App
 
dgtall
just joined
Topic Author
Posts: 4
Joined: Thu Jan 23, 2025 12:39 pm

Cannot Port Forward using PCC and VLan

Thu Jan 23, 2025 1:14 pm

Hi all ;

I always would rather find the answer before posting anything so i won't waste anyone time. So i tried to find the answer and tried a lot of config changes before posting. But unfortunatly i unable to do so. I am using 4 gbit internet at my house 3 vlans and a pcc load balancer. I have 2 manageble switches (1Poe ,1 normal) and only the WAN ports(PPPooe configed statik ip adresses) and SFP+ used on the device. I did config the other LAN ports just in case i have to access specific VLan. I don't have any problems with internet acess , vlan and load balance except i cannot port forward (dstnat or hairpin nat) using this config. Considering PCC or VLan however working can be still misconfigured and might cause problems i am posting the whole config.

I think i might have a routing or srcnat error on my hand (prerouting out error below) but never able to figure it out.
prerouting: in:Fiber_3 [b]out:(unknown 0)[/b], connection-state:established,snat src-mac d4:c1:c8:97:4f:90, proto TCP (ACK), 149.50.216.206:48721->[Public IP]:52549, NAT 149.50.216.206:48721->([Public IP]:52549->10.1.53.221:52549), len 52
Port forwarding also is working from time to time. But i have no idea what causes that.

This is my first mikrotik device so please let me have it easy if you see any config errors or problems.

I do have to create VPN tunnels (IKE2 , PPTP and L2TP)in near future. Any advice in config for that is most welcomed as well.

I am highly frasturated atm so thanks in advance for anyone whom even bothered to read the config.

/interface bridge
add name=Local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=LAN2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=sfp-sfpplus1 ] name=SFP
set [ find default-name=ether5 ] name=WAN1
set [ find default-name=ether6 ] name=WAN2
set [ find default-name=ether7 ] name=WAN3
set [ find default-name=ether8 ] name=WAN4
/interface vlan
add interface=Local name=SmartHome_vLan vlan-id=100
add interface=Local name=Management_vLan vlan-id=1
add interface=Local name=Private_vLan vlan-id=53
add interface=WAN1 name=ISP1 vlan-id=35
add interface=WAN2 name=ISP2 vlan-id=35
add interface=WAN3 name=ISP3 vlan-id=35
add interface=WAN4 name=ISP4 vlan-id=35
/interface pppoe-client
add add-default-route=yes comment="" disabled=no interface=\
    ISP1 name=Fiber_1 user=[username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP2 name=Fiber_2 user=[username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP3 name=Fiber_3 user=[username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP4 name=Fiber_4 user=[username]
/interface list
add name=WAN
add name=LAN
add name=Modems
add name=vLans
/ip pool
add name=Private_DHCP_Pool ranges=10.1.53.100-10.1.53.199
add name=Management_DHCP_Pool ranges=10.1.43.100-10.1.43.199
add name=SmartHome_DHCP_Pool ranges=10.1.100.100-10.1.100.199
/ip dhcp-server
add address-pool=Private_DHCP_Pool interface=Private_vLan name=Private_DHCP
add address-pool=Management_DHCP_Pool interface=Management_vLan name=\
    Management_DHCP
add address-pool=SmartHome_DHCP_Pool interface=SmartHome_vLan name=\
    SmartHome_DHCP
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=to_WAN4
/interface bridge port
add bridge=Local interface=LAN1 pvid=53
add bridge=Local interface=LAN2 pvid=53
add bridge=Local interface=LAN3
add bridge=Local interface=LAN4 pvid=100
add bridge=Local interface=SFP
/interface bridge vlan
add bridge=Local tagged=SFP,Local untagged=LAN4 vlan-ids=100
add bridge=Local tagged=Local,SFP untagged=LAN1,LAN2 vlan-ids=53
/interface list member
add interface=LAN2 list=LAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=SFP list=LAN
add interface=Fiber_1 list=Modems
add interface=Fiber_2 list=Modems
add interface=Fiber_3 list=Modems
add interface=Fiber_4 list=Modems
add interface=SmartHome_vLan list=vLans
add interface=Management_vLan list=vLans
add interface=Private_vLan list=vLans
add interface=LAN1 list=WAN
add interface=WAN1 list=LAN
add interface=WAN2 list=LAN
add interface=WAN3 list=LAN
add interface=WAN4 list=LAN
/ip address
add address=10.1.53.1/24 interface=Private_vLan network=10.1.53.0
add address=10.1.43.1/24 interface=Management_vLan network=10.1.43.0
add address=10.1.100.1/24 interface=SmartHome_vLan network=10.1.100.0
/ip arp
add address=10.1.53.53 interface=Private_vLan mac-address=CC:28:AA:CC:75:14
/ip dhcp-client
add interface=Local
/ip dhcp-server network
add address=10.1.43.0/24 gateway=10.1.43.1
add address=10.1.53.0/24 gateway=10.1.53.1
add address=10.1.100.0/24 gateway=10.1.100.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=[ISP1_Static_Adress] list=Internet
add address=[ISP2_Static_Adress] list=Internet
add address=[ISP3_Static_Adress] list=Internet
add address=[ISP4_Static_Adress] list=Internet
/ip firewall filter
add action=accept chain=forward dst-port=32400 in-interface-list=Modems \
    protocol=tcp
add action=accept chain=forward comment="Port Forward DstNat'd" \
    connection-nat-state=dstnat
add action=accept chain=input comment=\
    "Accept established,related connections" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Accept established,related connections" connection-state=\
    established,related
add action=accept chain=output comment=\
    "Accept established,related connections" connection-state=\
    established,related
add action=accept chain=input comment=UDP protocol=udp
add action=accept chain=forward comment="Allow LAN DNS queries-UDP" dst-port=\
    53 protocol=udp src-address-list="LAN Users"
add action=accept chain=forward comment="Allow LAN DNS queries-TCP" dst-port=\
    53 protocol=tcp src-address-list="LAN Users"
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1m chain=block-ddos log=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1m chain=block-ddos log=yes
add action=drop chain=input comment="ping port scanners" src-address-list=\
    "port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=\
    tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 \
    protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
    tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 \
    protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 \
    protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
    virus
add action=drop chain=input comment="invalid connections" connection-state=\
    invalid
add action=drop chain=forward comment="invalid connections" connection-state=\
    invalid
add action=drop chain=output comment="invalid connections" connection-state=\
    invalid
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Internet
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_1 new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_2 new-connection-mark=WAN2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_3 new-connection-mark=WAN3_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_4 new-connection-mark=WAN4_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3
add action=mark-routing chain=output connection-mark=WAN4_conn \
    new-routing-mark=to_WAN4
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN1_conn \
    per-connection-classifier=src-address-and-port:4/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN2_conn \
    per-connection-classifier=src-address-and-port:4/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN3_conn \
    per-connection-classifier=src-address-and-port:4/2
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN4_conn \
    per-connection-classifier=src-address-and-port:4/3
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=Local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=Local new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface=Local new-routing-mark=to_WAN3
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
    in-interface=Local new-routing-mark=to_WAN4
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN1_conn \
    per-connection-classifier=src-address-and-port:4/0
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN2_conn \
    per-connection-classifier=src-address-and-port:4/1
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN3_conn \
    per-connection-classifier=src-address-and-port:4/2
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN4_conn \
    per-connection-classifier=src-address-and-port:4/3
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
    out-interface-list=Modems protocol=tcp src-port=32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
    out-interface=Fiber_1 out-interface-list=Modems protocol=tcp src-port=\
    32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
    out-interface=Fiber_2 out-interface-list=Modems protocol=tcp src-port=\
    32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
    out-interface=Fiber_3 out-interface-list=Modems protocol=tcp src-port=\
    32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
    out-interface=Fiber_4 out-interface-list=Modems protocol=tcp src-port=\
    32400
add action=masquerade chain=srcnat out-interface=Fiber_1
add action=masquerade chain=srcnat out-interface=Fiber_2
add action=masquerade chain=srcnat out-interface=Fiber_3
add action=masquerade chain=srcnat out-interface=Fiber_4
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=Modems \
    protocol=tcp to-addresses=10.1.53.221 to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
    Fiber_2 protocol=tcp to-addresses=10.1.53.221 to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
    Fiber_3 protocol=tcp to-addresses=10.1.53.221 to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
    Fiber_4 protocol=tcp to-addresses=10.1.53.221 to-ports=32400
/ip firewall raw
add action=drop chain=prerouting comment=Worm-Infected-p445 src-address-list=\
    Worm-Infected-p445
add action=drop chain=prerouting comment="Drop all DNS request from Internet" \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=\
    udp
add action=drop chain=prerouting comment=\
    "TCP invalid combination of flags attack (7 rules)" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" \
    protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" \
    protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment=\
    "Protecting device crash when size > 1024" packet-size=1025-1600 \
    protocol=icmp
add action=drop chain=prerouting comment="ICMP large packet attack" \
    packet-size=1601-65535 protocol=icmp
add action=drop chain=prerouting comment="ICMP fragmentation attack" \
    fragment=yes protocol=icmp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes \
    protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment=\
    "Fragment attack Interface Protection" dst-address-list="LAN Users" \
    fragment=yes
add action=drop chain=prerouting comment="IP option loose-source-routing" \
    ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" \
    ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" \
    ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" \
    ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=\
    timestamp
add action=drop chain=prerouting comment=\
    "IP options left, except IP Stream used by the IGMP protocol" \
    ipv4-options=any protocol=!igmp
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" \
    protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" \
    protocol=!tcp
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_1 routing-table=to_WAN1 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_2 routing-table=to_WAN2 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_3 routing-table=to_WAN3 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_4 routing-table=to_WAN4 scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Fiber_1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=Fiber_2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=Fiber_3 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=Fiber_4 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22373
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Cannot Port Forward using PCC and VLan

Thu Jan 23, 2025 2:23 pm

First question I have is, how do you propose to setup PCC when you have already setup the pppoe to make routes automatically?
If they all have the same distance, you already have ECMP load balancing in effect ???

Not sure what game you are playing, but your config seems focussed on viruses not needed traffic??

In summary, it looks like you have taken the worst MT videos from youtube and tried to apply it to your config.

Id be willing to assist, but it will be a clean and lean approach.
 
dgtall
just joined
Topic Author
Posts: 4
Joined: Thu Jan 23, 2025 12:39 pm

Re: Cannot Port Forward using PCC and VLan

Thu Jan 23, 2025 3:01 pm

Hi ;

I really don't have any proper answer for your first question. I was only following the instructions on the mikrotik youtube channel and it became like this. I just didn't add any ip address or subnets to setup. I was very confused about that and tried with ISP PPPoE and VLan with statik IP adresses whom all mikrotik configured by itself. I just tried to do same distances for marking and different distances for main routing table. I know it workes from speedtest that i did but i might screwed that up a bit.
Routes.JPG
Speedtest.JPG
For the second question i just loooked up a firewall template from forums and applied that until i can learn better and make a firewall setup more suited for my needs.
Forum link : viewtopic.php?t=132844

For the last part i could try to clean up a bit and post that config up if you want. I can delete the firewall and Raw rules then maybe also srcnat for each pppoe client to make mikrotik show the data i used in each WAN.

Cleaned Up Config (as well as i can):
# 2025-01-23 16:10:12 by RouterOS 7.17
#
# model = RB5009UG+S+
/interface bridge
add name=Local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=LAN2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=sfp-sfpplus1 ] name=SFP
set [ find default-name=ether5 ] name=WAN1
set [ find default-name=ether6 ] name=WAN2
set [ find default-name=ether7 ] name=WAN3
set [ find default-name=ether8 ] name=WAN4
/interface vlan
add interface=Local name=Management_vLan vlan-id=1
add interface=Local name=Private_vLan vlan-id=53
add interface=Local name=SmartHome_vLan vlan-id=100
add interface=WAN1 name=ISP_1 vlan-id=35
add interface=WAN2 name=ISP_2 vlan-id=35
add interface=WAN3 name=ISP_3 vlan-id=35
add interface=WAN4 name=ISP_4 vlan-id=35
/interface pppoe-client
add add-default-route=yes comment="" disabled=no interface=\
    ISP_1 name=Fiber_1 user=[ISP_Username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP_2 name=Fiber_2 user=[ISP_Username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP_3 name=Fiber_3 user=[ISP_Username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP_4 name=Fiber_4 user=[ISP_Username]
/interface list
add name=WAN
add name=LAN
add name=Modems
add name=vLans
/ip pool
add name=Private_DHCP_Pool ranges=10.1.53.100-10.1.53.199
add name=Management_DHCP_Pool ranges=10.1.43.100-10.1.43.199
add name=SmartHome_DHCP_Pool ranges=10.1.100.100-10.1.100.199
/ip dhcp-server
add address-pool=Private_DHCP_Pool interface=Private_vLan name=Private_DHCP
add address-pool=Management_DHCP_Pool interface=Management_vLan name=\
    Management_DHCP
add address-pool=SmartHome_DHCP_Pool interface=SmartHome_vLan name=\
    SmartHome_DHCP
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=to_WAN4
/interface bridge port
add bridge=Local interface=LAN1 pvid=53
add bridge=Local interface=LAN2 pvid=53
add bridge=Local interface=LAN3
add bridge=Local interface=LAN4 pvid=100
add bridge=Local interface=SFP
/interface bridge vlan
add bridge=Local tagged=SFP,Local untagged=LAN4 vlan-ids=100
add bridge=Local tagged=Local,SFP untagged=LAN1,LAN2 vlan-ids=53
/interface list member
add interface=LAN2 list=LAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=SFP list=LAN
add interface=Fiber_1 list=Modems
add interface=Fiber_2 list=Modems
add interface=Fiber_3 list=Modems
add interface=Fiber_4 list=Modems
add interface=SmartHome_vLan list=vLans
add interface=Management_vLan list=vLans
add interface=Private_vLan list=vLans
add interface=LAN1 list=WAN
add interface=WAN1 list=LAN
add interface=WAN2 list=LAN
add interface=WAN3 list=LAN
add interface=WAN4 list=LAN
/interface ovpn-server server
add mac-address=FE:8E:4B:31:D1:A7 name=ovpn-server1
/ip address
add address=10.1.53.1/24 interface=Private_vLan network=10.1.53.0
add address=10.1.43.1/24 interface=Management_vLan network=10.1.43.0
add address=10.1.100.1/24 interface=SmartHome_vLan network=10.1.100.0
/ip dhcp-server network
add address=10.1.43.0/24 gateway=10.1.43.1
add address=10.1.53.0/24 gateway=10.1.53.1
add address=10.1.100.0/24 gateway=10.1.100.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=[PublicIP] list=Internet
add address=[PublicIP] list=Internet
add address=[PublicIP] list=Internet
add address=[PublicIP] list=Internet
/ip firewall filter
add action=accept chain=forward comment="Port Forward DstNat'd" \
    connection-nat-state=dstnat
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Internet
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_1 new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_2 new-connection-mark=WAN2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_3 new-connection-mark=WAN3_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=Fiber_4 new-connection-mark=WAN4_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3
add action=mark-routing chain=output connection-mark=WAN4_conn \
    new-routing-mark=to_WAN4
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN1_conn \
    per-connection-classifier=src-address-and-port:4/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN2_conn \
    per-connection-classifier=src-address-and-port:4/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN3_conn \
    per-connection-classifier=src-address-and-port:4/2
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN4_conn \
    per-connection-classifier=src-address-and-port:4/3
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=Local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=Local new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
    in-interface=Local new-routing-mark=to_WAN3
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
    in-interface=Local new-routing-mark=to_WAN4
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN1_conn \
    per-connection-classifier=src-address-and-port:4/0
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN2_conn \
    per-connection-classifier=src-address-and-port:4/1
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN3_conn \
    per-connection-classifier=src-address-and-port:4/2
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=WAN4_conn \
    per-connection-classifier=src-address-and-port:4/3
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=Modems \
    protocol=tcp to-addresses=10.1.53.221 to-ports=32400
add action=masquerade chain=srcnat out-interface-list=Modems
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_1 routing-table=to_WAN1 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_2 routing-table=to_WAN2 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_3 routing-table=to_WAN3 scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Fiber_4 routing-table=to_WAN4 scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Fiber_1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=Fiber_2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=Fiber_3 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=Fiber_4 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
You do not have the required permissions to view the files attached to this post.
Last edited by dgtall on Thu Jan 23, 2025 3:17 pm, edited 1 time in total.
 
dgtall
just joined
Topic Author
Posts: 4
Joined: Thu Jan 23, 2025 12:39 pm

Re: Cannot Port Forward using PCC and VLan

Thu Jan 23, 2025 3:15 pm

Added previous post. Can not delete this post for some reason.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22373
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Cannot Port Forward using PCC and VLan  [SOLVED]

Fri Jan 24, 2025 10:47 pm

Do not use VLAN1 if at all possible.
Make changes for ether2 and do all config from there.
RB4011 has two switch chips so put all your important data vlans on the same switch chip....... ports 6-10.

With version 7 firmware you are way better given four ISPs with the same throughput to use ECMP.
Keep the default route you have for each WAN in pppoe. Do not put any distance on these settings either.
We no longer need to mangle for PCC!!!
Additionally for failover if WAN1 is not available, the router will use the remaining equally and so on.
........
# model = RB5009UG+S+
/interface bridge
add name=Local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=OffBridge2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=sfp-sfpplus1 ] name=SFP
set [ find default-name=ether5 ] name=WAN1
set [ find default-name=ether6 ] name=WAN2
set [ find default-name=ether7 ] name=WAN3
set [ find default-name=ether8 ] name=WAN4
/interface vlan
add interface=Local name=Management_vLan vlan-id=10
add interface=Local name=Private_vLan vlan-id=53
add interface=Local name=SmartHome_vLan vlan-id=100
add interface=WAN1 name=ISP_1 vlan-id=35
add interface=WAN2 name=ISP_2 vlan-id=35
add interface=WAN3 name=ISP_3 vlan-id=35
add interface=WAN4 name=ISP_4 vlan-id=35
/interface pppoe-client
add add-default-route=yes comment="" disabled=no interface=\
    ISP_1 name=Fiber_1 user=[ISP_Username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP_2 name=Fiber_2 user=[ISP_Username]
add add-default-route=yes  comment="" disabled=no interface=\
    ISP_3 name=Fiber_3 user=[ISP_Username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP_4 name=Fiber_4 user=[ISP_Username]
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/ip pool
add name=Private_DHCP_Pool ranges=10.1.53.100-10.1.53.199
add name=Management_DHCP_Pool ranges=10.1.43.100-10.1.43.120
add name=SmartHome_DHCP_Pool ranges=10.1.100.100-10.1.100.199
/ip dhcp-server
add address-pool=Private_DHCP_Pool interface=Private_vLan name=Private_DHCP
add address-pool=Management_DHCP_Pool interface=Management_vLan name=\
    Management_DHCP
add address-pool=SmartHome_DHCP_Pool interface=SmartHome_vLan name=\
    SmartHome_DHCP
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=to_WAN4
/interface bridge port
add bridge=Local ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=LAN1 pvid=53 comment="private"
add bridge=Local ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=LAN3 comment="trunk to smart device1"
add bridge=Local ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=LAN4 pvid=100 comment="iot"
add bridge=Local ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=SFP comment="trunk to smart device2"
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=Local tagged=Local,SFP,LAN3  vlan-id=10
add bridge=Local tagged=Local,SFP,LAN3  untagged=LAN1 vlan-ids=53
add bridge=Local tagged=Local,SFP,LAN3  untagged=LAN4 vlan-ids=100
/interface list member
add interface=Fiber_1 list=WAN
add interface=Fiber_2 list=WAN
add interface=Fiber_3 list=WAN
add interface=Fiber_4 list=WAN
add interface=SmartHome_vLan list=LAN
add interface=Management_vLan list=LAN
add interface=Private_vLan list=LAN
add interface=Management_vLan list=TRUSTED
add interface=OffBridge2 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:8E:4B:31:D1:A7 name=ovpn-server1
/ip address
add address=10.1.53.1/24 interface=Private_vLan network=10.1.53.0
add address=10.1.43.1/24 interface=Management_vLan network=10.1.43.0
add address=10.1.100.1/24 interface=SmartHome_vLan network=10.1.100.0
add address=10.1.77.1/30  interface=OffBridge2  network=10.1.77.0
/ip dhcp-server network
add address=10.1.43.0/24 gateway=10.1.43.1 dns-server=10.1.43.1
add address=10.1.53.0/24 gateway=10.1.53.1 dns-server=10.1.53.1
add address=10.1.100.0/24 gateway=10.1.100.1 dns-server=10.1.100.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=IPserver1 list=MyServers
add address=IPserver2 list=MyServers
etc...
add address=10.1.43.XXX list=Authorized  comment="admin device1 on management subnet"
add address=10.1.43.YYY list=Authorized  comment="admin device2 on management subnet"
add address=10.1.77.2  list=Authorized comment="off bridge admin access"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
action=drop chain=input comment="Drop all else"   { insert this rule last }
+++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to lans" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
{ mangle for external port forwarding }
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_1 new-connection-mark=incomingWAN1-servers  passthrough=yes
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_2 new-connection-mark=incomingWAN2-servers  passthrough=yes
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_3 new-connection-mark=incomingWAN3-servers  passthrough=yes
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_4 new-connection-mark=incomingWAN4-servers  passthrough=yes
+++++
add chain=prerouting action=mark-routing connection-mark=incomingWAN1-servers \
new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=incomingWAN2-servers \
new-routing-mark=to_WAN2 passthrough=no
add chain=prerouting action=mark-routing connection-mark=incomingWAN3-servers \
new-routing-mark=to_WAN3 passthrough=no
add chain=prerouting action=mark-routing connection-mark=incomingWAN4-servers \
new-routing-mark=to_WAN4 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.1.53.0/24 dst-address=10.1.53.0/24  comment="hairpin nat"
add action=masquerade chain=srcnat  out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=local dst-address-list=!rfc1918 \
dst-port=32400 protocol=tcp to-addresses=10.1.53.221
/ip route
{ main table - none  required }
{ special tables }
add  dst-address=0.0.0.0/0 gateway=Fiber_1 routing-table=to-WAN1
add  dst-address=0.0.0.0/0 gateway=Fiber_2 routing-table=to-WAN2
add  dst-address=0.0.0.0/0 gateway=Fiber_3 routing-table=to-WAN3
add  dst-address=0.0.0.0/0 gateway=Fiber_4 routing-table=to-WAN4
 
dgtall
just joined
Topic Author
Posts: 4
Joined: Thu Jan 23, 2025 12:39 pm

Re: Cannot Port Forward using PCC and VLan

Sat Jan 25, 2025 12:02 pm

Do not use VLAN1 if at all possible.
Make changes for ether2 and do all config from there.
RB4011 has two switch chips so put all your important data vlans on the same switch chip....... ports 6-10.

With version 7 firmware you are way better given four ISPs with the same throughput to use ECMP.
Keep the default route you have for each WAN in pppoe. Do not put any distance on these settings either.
We no longer need to mangle for PCC!!!
Additionally for failover if WAN1 is not available, the router will use the remaining equally and so on.
........
# model = RB5009UG+S+
/interface bridge
add name=Local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=OffBridge2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=sfp-sfpplus1 ] name=SFP
set [ find default-name=ether5 ] name=WAN1
set [ find default-name=ether6 ] name=WAN2
set [ find default-name=ether7 ] name=WAN3
set [ find default-name=ether8 ] name=WAN4
/interface vlan
add interface=Local name=Management_vLan vlan-id=10
add interface=Local name=Private_vLan vlan-id=53
add interface=Local name=SmartHome_vLan vlan-id=100
add interface=WAN1 name=ISP_1 vlan-id=35
add interface=WAN2 name=ISP_2 vlan-id=35
add interface=WAN3 name=ISP_3 vlan-id=35
add interface=WAN4 name=ISP_4 vlan-id=35
/interface pppoe-client
add add-default-route=yes comment="" disabled=no interface=\
    ISP_1 name=Fiber_1 user=[ISP_Username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP_2 name=Fiber_2 user=[ISP_Username]
add add-default-route=yes  comment="" disabled=no interface=\
    ISP_3 name=Fiber_3 user=[ISP_Username]
add add-default-route=yes comment="" disabled=no interface=\
    ISP_4 name=Fiber_4 user=[ISP_Username]
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/ip pool
add name=Private_DHCP_Pool ranges=10.1.53.100-10.1.53.199
add name=Management_DHCP_Pool ranges=10.1.43.100-10.1.43.120
add name=SmartHome_DHCP_Pool ranges=10.1.100.100-10.1.100.199
/ip dhcp-server
add address-pool=Private_DHCP_Pool interface=Private_vLan name=Private_DHCP
add address-pool=Management_DHCP_Pool interface=Management_vLan name=\
    Management_DHCP
add address-pool=SmartHome_DHCP_Pool interface=SmartHome_vLan name=\
    SmartHome_DHCP
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=to_WAN4
/interface bridge port
add bridge=Local ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=LAN1 pvid=53 comment="private"
add bridge=Local ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=LAN3 comment="trunk to smart device1"
add bridge=Local ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=LAN4 pvid=100 comment="iot"
add bridge=Local ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=SFP comment="trunk to smart device2"
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=Local tagged=Local,SFP,LAN3  vlan-id=10
add bridge=Local tagged=Local,SFP,LAN3  untagged=LAN1 vlan-ids=53
add bridge=Local tagged=Local,SFP,LAN3  untagged=LAN4 vlan-ids=100
/interface list member
add interface=Fiber_1 list=WAN
add interface=Fiber_2 list=WAN
add interface=Fiber_3 list=WAN
add interface=Fiber_4 list=WAN
add interface=SmartHome_vLan list=LAN
add interface=Management_vLan list=LAN
add interface=Private_vLan list=LAN
add interface=Management_vLan list=TRUSTED
add interface=OffBridge2 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:8E:4B:31:D1:A7 name=ovpn-server1
/ip address
add address=10.1.53.1/24 interface=Private_vLan network=10.1.53.0
add address=10.1.43.1/24 interface=Management_vLan network=10.1.43.0
add address=10.1.100.1/24 interface=SmartHome_vLan network=10.1.100.0
add address=10.1.77.1/30  interface=OffBridge2  network=10.1.77.0
/ip dhcp-server network
add address=10.1.43.0/24 gateway=10.1.43.1 dns-server=10.1.43.1
add address=10.1.53.0/24 gateway=10.1.53.1 dns-server=10.1.53.1
add address=10.1.100.0/24 gateway=10.1.100.1 dns-server=10.1.100.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
    servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=IPserver1 list=MyServers
add address=IPserver2 list=MyServers
etc...
add address=10.1.43.XXX list=Authorized  comment="admin device1 on management subnet"
add address=10.1.43.YYY list=Authorized  comment="admin device2 on management subnet"
add address=10.1.77.2  list=Authorized comment="off bridge admin access"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
action=drop chain=input comment="Drop all else"   { insert this rule last }
+++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to lans" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
{ mangle for external port forwarding }
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_1 new-connection-mark=incomingWAN1-servers  passthrough=yes
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_2 new-connection-mark=incomingWAN2-servers  passthrough=yes
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_3 new-connection-mark=incomingWAN3-servers  passthrough=yes
add chain=forward action=mark-connections connection-mark=no-mark dst-address-list=MyServers
 in-interface=Fiber_4 new-connection-mark=incomingWAN4-servers  passthrough=yes
+++++
add chain=prerouting action=mark-routing connection-mark=incomingWAN1-servers \
new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=incomingWAN2-servers \
new-routing-mark=to_WAN2 passthrough=no
add chain=prerouting action=mark-routing connection-mark=incomingWAN3-servers \
new-routing-mark=to_WAN3 passthrough=no
add chain=prerouting action=mark-routing connection-mark=incomingWAN4-servers \
new-routing-mark=to_WAN4 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.1.53.0/24 dst-address=10.1.53.0/24  comment="hairpin nat"
add action=masquerade chain=srcnat  out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=local dst-address-list=!rfc1918 \
dst-port=32400 protocol=tcp to-addresses=10.1.53.221
/ip route
{ main table - none  required }
{ special tables }
add  dst-address=0.0.0.0/0 gateway=Fiber_1 routing-table=to-WAN1
add  dst-address=0.0.0.0/0 gateway=Fiber_2 routing-table=to-WAN2
add  dst-address=0.0.0.0/0 gateway=Fiber_3 routing-table=to-WAN3
add  dst-address=0.0.0.0/0 gateway=Fiber_4 routing-table=to-WAN4


Works like a charm. Thanks a lot.

It had few small syntax errors (like mark-connections instead of mark-connection) which led me to believe you wrote all that from memory ?!? If thats the case you're damn amazing!!! :D

I had to change management vlan id to 1 yet again because i have aruba instant on switches and it doesnt allow me the change the management vlan id in any way.

I will clean and post the last working here when i am able to clear config from my personal data. Hope it will help a lot more people like myself.