Community discussions

Dropkick6408
just joined
Topic Author
Posts: 1
Joined: Mon Mar 20, 2023 6:33 pm

help please with asymmetric (I think) routing

Mon Mar 20, 2023 6:43 pm

Hi: I have been struggling with trying to get my MikroTik RB450G (RouterOS 7.8) to work with two ISPs. Ether1 has slow-speed DSL (192.168.0.x, for incoming SSH connections) and Ether2 is home internet 5G (192.168.2.x, default for everything else). Ether3-Ether5 are bridged to the LAN (192.168.88.x). I started with a fresh install and defconf. Everything seems to work except for external SSH connections from the internet. Interface list WAN contains both ether1 and ether2. There is a static route to force connections to a specific host out ether1. I think the problem is with an asymmetric route.

Any help would be greatly appreciated!

-ron

Here are the log entries for an example connection attempt, I think that the return packet should be going out ether1 instead of ether2 at rule 10.

Mar 20 08:11:59 router firewall,info dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac 5c:6a:80:2d:ed:95, proto TCP (SYN), 172.56.208.46:32038->192.168.0.2:27235, len 60

Mar 20 08:12:01 router firewall,info rule 10 forward: in:bridge out:ether2, connection-state:invalid src-mac 1c:83:41:29:7b:63, proto TCP (SYN,ACK), 192.168.88.254:22->172.56.208.46:1027, len 60

Mar 20 08:12:01 router firewall,info rule 10 forward: in:bridge out:ether2, connection-state:invalid src-mac 1c:83:41:29:7b:63, proto TCP (SYN,ACK), 192.168.88.254:22->172.56.208.46:14601, len 60

Mar 20 08:12:04 router firewall,info rule 10 forward: in:bridge out:ether2, connection-state:invalid src-mac 1c:83:41:29:7b:63, proto TCP (SYN,ACK), 192.168.88.254:22->172.56.208.46:52278, len 60

Here are the /ip firewall nat rules:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade changed from out interface list WAN to out interface ether1" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=27235,22 log=yes protocol=tcp to-addresses=192.168.88.254 to-ports=22
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=22 log=yes protocol=tcp to-addresses=192.168.88.254 to-ports=22

/ip route
add disabled=no distance=1 dst-address=xxx.xxx.xxx.121/32 gateway=192.168.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=ether1


Here are the rules for /ip firewall filter:


/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="rule 2"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="rule 5"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="rule 10"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="rule 11"
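The usual way to keep replies on the WAN the connection came in on is connection marking plus a per-WAN routing table: remember which connections arrived on ether1, then give the LAN host's reply packets a routing mark that points at the DSL gateway instead of the main default route. The configuration below is an added example for the setup described in the post, not part of the original post and not MikroTik's own documentation. It assumes the DSL gateway 192.168.0.1 and the interface names ether1 and bridge from the post; the table name via-dsl and the connection mark from-dsl are names made up for the example.

```routeros
# Added example (constructed), not from the original post.
# Assumes: DSL gateway 192.168.0.1 on ether1, LAN bridge named "bridge".
# Names "via-dsl" and "from-dsl" are made up for this example.

# 1. A second routing table whose only route is a default via the DSL gateway.
#    "fib" makes it a real forwarding table, not just a policy label.
/routing table
add name=via-dsl fib

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=via-dsl distance=1 \
    comment="constructed: default route for replies to connections that arrived on DSL"

# 2. Mangle: tag new connections that enter on ether1, then give every packet
#    of those connections coming back from the LAN the via-dsl routing mark.
#    mark-routing must run in prerouting, before the routing decision.
/ip firewall mangle
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from-dsl passthrough=yes \
    comment="constructed: remember connections that arrived via DSL"
add chain=prerouting in-interface=bridge connection-mark=from-dsl \
    action=mark-routing new-routing-mark=via-dsl passthrough=no \
    comment="constructed: send LAN replies for those connections back out DSL"

# 3. Fasttracked packets bypass mangle after the first packet, so the
#    defconf fasttrack rule must leave marked connections alone or the
#    routing mark is lost mid-connection.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark

# Check after an SSH attempt from outside: the entry should carry the mark,
# and the "rule 10" invalid drops for 192.168.88.254:22 should stop.
/ip firewall connection print where connection-mark=from-dsl
```

With this in place the dst-nat rule for 192.168.0.2 is unchanged; the only difference is that the SYN/ACK from 192.168.88.254:22 is routed via table via-dsl (out ether1) rather than the main default route (out ether2), so it leaves on the same interface the SYN arrived on and is masqueraded by the existing WAN-list srcnat rule. The same pattern, with a second mark and table, covers connections that arrive on ether2 if the 5G side ever stops being the main default route.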
