bootika
just joined
Topic Author
Posts: 2
Joined: Fri Feb 03, 2023 11:45 am

Port Forwarding not working for WAN VRRP setup

Fri Feb 03, 2023 12:04 pm

Hello, I'm trying to implement WAN high availability (WAN over VRRP) using 2 MikroTik routers (CCR2004-16G-2S-PC).

Each router has one interface for LAN and one for WAN. We use NAT between LAN and WAN.
The VRRP WAN public addresses (IPs) are a.a.a.1 for router 1, a.a.a.2 for router 2 and a.a.a.3 for the VRRP floating IP.
The Port Forwarding works fine for a.a.a.1 and a.a.a.2. But it doesn't work for a.a.a.3 (the floating IP).
BTW, I also have VRRP for LAN set up on the same routers, and it works ok (LAN subnet is b.b.b.0/24).

My NAT Firewall rules for Port Forwarding:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=WAN protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.1 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3390 in-interface-list=WAN protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.2 to-ports=3389
Please, can you help me figure it out?
We need to set up Port Forwarding on the VRRP floating IP and we're stuck on this issue :)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding not working for WAN VRRP setup  [SOLVED]

Thu Feb 09, 2023 3:43 am

Your rules don't use destination addresses; the only condition related to that is in-interface-list=WAN. A possible explanation is that your WAN list contains the parent interface, but not the VRRP one. But since that one is seen as the incoming interface for packets to x.x.x.3, it doesn't work. But you probably want to use dst-address=a.a.a.3 instead anyway.
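
One way to confirm the explanation above on the router, as an added example that is not part of either poster's messages. The interface name vrrp-wan, the log prefix and the rule comment are assumptions; a.a.a.3 is the thread's own placeholder for the floating IP.

```routeros
# Added example, not from the thread. "vrrp-wan" is a hypothetical name for the
# WAN-side VRRP interface; a.a.a.3 is the thread's placeholder for the floating IP.

# 1. List the members of the WAN interface list. If only the parent interface
#    (the physical port) is listed, in-interface-list=WAN cannot match packets
#    that arrive on the VRRP interface.
/interface list member print where list=WAN

# 2. Temporarily log packets sent to the floating IP. The "in:" field of each
#    log entry shows which interface RouterOS treats as the incoming one.
/ip firewall mangle add chain=prerouting dst-address=a.a.a.3 protocol=tcp \
    dst-port=3389 action=log log-prefix="vrrp-dstnat" comment="temp-vrrp-debug"
/log print where message~"vrrp-dstnat"

# 3. Alternative to matching on dst-address: add the VRRP interface to the list
#    so that the original in-interface-list=WAN rules match.
/interface list member add list=WAN interface=vrrp-wan

# 4. Check that the dstnat rule counters increase, then remove the debug rule.
/ip firewall nat print stats where chain=dstnat
/ip firewall mangle remove [find comment="temp-vrrp-debug"]
```

Steps 1 and 2 only read state or add a log rule; step 3 is needed only if the rules keep in-interface-list=WAN rather than switching to dst-address.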
 
bootika
just joined
Topic Author
Posts: 2
Joined: Fri Feb 03, 2023 11:45 am

Re: Port Forwarding not working for WAN VRRP setup

Tue Feb 14, 2023 8:03 am

Thank you. Your post really helped me fix the issue. Everything works great now :)

My firewall rules now:
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 dst-address=a.a.a.3 protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.1 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3390 dst-address=a.a.a.3 protocol=tcp src-address-list=allowed_ip_list to-addresses=b.b.b.2 to-ports=3389
