Hi: I have been struggling with trying to get my MikroTik RB450G (RouterOS 7.8) to work with two ISPs. Ether1 has slow-speed DSL (192.168.0.x, for incoming SSH connections) and Ether2 is home internet 5G (192.168.2.x, default for everything else). Ether3-Ether5 are bridged to the LAN (192.168.88.x). I started with a fresh install and defconf. Everything seems to work except for external SSH connections from the internet. Interface list WAN contains both ether1 and ether2. There is a static route to force connections to a specific host out ether1. I think the problem is with an asymmetric route.
Any help would be greatly appreciated!
-ron
Here are the log entries for an example connection attempt, I think that the return packet should be going out ether1 instead of ether2 at rule 10.
Mar 20 08:11:59 router firewall,info dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac 5c:6a:80:2d:ed:95, proto TCP (SYN), 172.56.208.46:32038->192.168.0.2:27235, len 60
Mar 20 08:12:01 router firewall,info rule 10 forward: in:bridge out:ether2, connection-state:invalid src-mac 1c:83:41:29:7b:63, proto TCP (SYN,ACK), 192.168.88.254:22->172.56.208.46:1027, len 60
Mar 20 08:12:01 router firewall,info rule 10 forward: in:bridge out:ether2, connection-state:invalid src-mac 1c:83:41:29:7b:63, proto TCP (SYN,ACK), 192.168.88.254:22->172.56.208.46:14601, len 60
Mar 20 08:12:04 router firewall,info rule 10 forward: in:bridge out:ether2, connection-state:invalid src-mac 1c:83:41:29:7b:63, proto TCP (SYN,ACK), 192.168.88.254:22->172.56.208.46:52278, len 60
Here are the /ip firewall nat rules:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade changed from o\
ut interface list WAN to out interface ether1" ipsec-policy=out,none \
out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=27235,22 \
log=yes protocol=tcp to-addresses=192.168.88.254 to-ports=22
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=22 log=yes \
protocol=tcp to-addresses=192.168.88.254 to-ports=22
/ip route
add disabled=no distance=1 dst-address=xxx.xxx.xxx.121/32 gateway=192.168.0.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10 vrf-interface=ether1
Here are the rules for /ip firewall filter:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix="rule 2"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix="rule 5"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix="rule 10"
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix="rule 11"
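Added example, not part of ron's post or the RouterOS defaults: the usual RouterOS 7 way to keep replies on the WAN they arrived on is to mark the connection when its first packet enters ether1 and route the marked reply packets through a second routing table whose default gateway is ether1's 192.168.0.1. The names ether1-conn and via-ether1 are assumptions; the interface and gateway addresses are taken from the post.

```routeros
# Routing table used only for replies that must leave via ether1 (the DSL link).
/routing table
add name=via-ether1 fib

# Default route inside that table; the main table keeps its 5G default via 192.168.2.1.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=via-ether1 distance=1

/ip firewall mangle
# 1) Remember every new connection that arrived on ether1 (before dst-nat runs).
add chain=prerouting in-interface=ether1 connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=ether1-conn passthrough=yes \
    comment="mark connections that came in on ether1"
# 2) Replies from the LAN host (e.g. 192.168.88.254:22) for those connections
#    are routed with the via-ether1 table instead of the main table.
add chain=prerouting in-interface=bridge connection-mark=ether1-conn \
    action=mark-routing new-routing-mark=via-ether1 passthrough=no \
    comment="LAN replies for ether1 connections leave via ether1"
# 3) Same for the router's own replies (services running on the router itself).
add chain=output connection-mark=ether1-conn \
    action=mark-routing new-routing-mark=via-ether1 passthrough=no \
    comment="router-originated replies for ether1 connections leave via ether1"
```

Fasttracked packets skip the mangle chain, so the defconf fasttrack rule should exclude these connections (add connection-mark=no-mark to it); otherwise later packets of a marked connection can still fall back to the main table and leave via ether2. Once replies are routed out ether1, the "rule 10" invalid-state drops in the log above should stop appearing for these connections.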