DRSDavidSoft
just joined
Topic Author
Posts: 1
Joined: Sun Jan 13, 2019 4:02 pm
Location: California, CA

How to forward ports to multiple WAN interfaces?

Sun Jan 13, 2019 5:26 pm

I have a MikroTik router that has multiple WAN interfaces from different ISPs connected to it, and I need to NAT all incoming traffic from any of the public IP addresses to a node on my local network.

How should I configure a clean-state router to achieve this?
 
anav
Forum Guru
Posts: 1299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to forward ports to multiple WAN interfaces?

Mon Jan 14, 2019 5:41 pm

Hi there, not sure what you mean, but for example I have two dynamic WAN IPs, one cable and one Bell fiber.
I have a masquerade rule for both. Be aware these rules do no routing; it simply tells the router that if traffic goes out
ISP one, it should be given the associated WAN IP, and similarly if the traffic goes out on ISP2 it should be given the associated WAN IP.
In other words, translate the private IP to a public IP outbound from the router.
This is for a failover setup. The Bell fiber runs all the time.
In general, masquerade rules are for dynamic WAN IPs.
Source NAT rules are for static WAN IPs.

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
out-interface=vlanbell

If you want to port-forward traffic from external public IPs to a server behind the router, you need to include a general FORWARD chain firewall rule that allows dst-nat connections.
Then on the ip firewall nat side you create the necessary dstnat rules.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

However, I don't understand your request. Perhaps with the above discussion you can phrase your question with better fidelity.
(In general, traffic arriving at your router unsolicited should be rejected!)
(Did you want to forward specific traffic to specific servers?)

For example:
/ip firewall filter
add action=accept chain=forward comment=\
"Allow Port Forwarding" connection-nat-state=dstnat

/ip firewall nat
add action=dst-nat chain=dstnat comment=Utility_TCP disabled=yes dst-port=yyyyy \
in-interface-list=WAN log=yes protocol=tcp src-address-list=Allowed_Utility \
to-addresses=192.168.xx.zz
add action=dst-nat chain=dstnat comment=Utility_UDP disabled=yes dst-port=yyyyy \
in-interface-list=WAN log=yes protocol=udp src-address-list=Allowed_Utility \
to-addresses=192.168.xx.zz

Note that the in-interface is described as "in-interface-list", which includes all my WANs, such that no matter what WAN the user comes in on, the traffic will reach the server.
I use a source address list to further limit access to the servers (if known).
Unless port translation is required (the port the user comes in on is to be modified before hitting the server), one does not need the to-ports= part of the rule.
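To show how the pieces from the post above fit together on a clean-state router (the OP's starting point), here is a complete minimal configuration as an added example; it is not anav's config or MikroTik's own documentation. It assumes two WAN interfaces named ether1 and ether2, a LAN bridge named bridge, and a server at 192.168.88.10 (all placeholders). It defines the WAN interface list that the dst-nat rule in the post relies on, masquerades per WAN, publishes one service on every WAN with a single rule, and drops other unsolicited inbound traffic.

```routeros
# Added example (RouterOS v6 syntax), not the poster's config.
# Assumed names: WAN uplinks ether1/ether2, LAN bridge "bridge", server 192.168.88.10.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=bridge list=LAN

/ip firewall nat
# Outbound: masquerade on whichever WAN the packet leaves (dynamic WAN IPs).
add chain=srcnat action=masquerade out-interface-list=WAN comment="src-nat for LAN users"
# Inbound: one dst-nat rule covers every WAN because it matches the interface list.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.88.10 comment="publish server on all WANs"

/ip firewall filter
# Router itself: answer only what it started; drop other unsolicited WAN traffic.
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface-list=WAN comment="drop unsolicited to router"
# Forwarded traffic: established flows, dst-natted flows, and LAN-originated flows only.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN \
    comment="Allow Port Forwarding"
add chain=forward action=accept in-interface-list=LAN
add chain=forward action=drop in-interface-list=WAN comment="drop other unsolicited inbound"
```

The dst-nat rule is deliberately narrow (one protocol, one port, one target); adding a src-address-list match as in the post above further limits who can reach the published service. The forward drop rule is what makes "unsolicited traffic should be rejected" actually happen; the dstnat accept rule before it is the only way inbound traffic reaches the LAN.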
 
solar77
Member
Posts: 321
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: How to forward ports to multiple WAN interfaces?

Thu Jan 17, 2019 3:19 pm

In addition to port forwarding (dst-NAT to your LAN IP and port), you will have to make sure the return traffic goes back out the WAN interface it came in on. To do this, you mark the incoming connection, then use this mark to route traffic out to the same interface.
Check load-balancing examples where this was part of the config. Sorry, I have something scheduled in the next 10 mins and will have to get ready; otherwise I would find those examples for you.
MTCNA MTCTCE UEWA
 
anav
Forum Guru
Posts: 1299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to forward ports to multiple WAN interfaces?

Thu Jan 17, 2019 9:59 pm

Solar, that is premature, as we do not know what kind of WAN scenario the OP is envisioning.
If I told you it was 1 main WAN with 5 for failover (unlikely) OR
1 main WAN and 5 for direct public IPs to servers (could be) OR, etc.

You are probably right, but it bugs me to no end when people much smarter than myself on MikroTik stuff start assuming requirements. :-)

The one question I do have is that for every outbound connection initiated behind the router, isn't connection tracking noting where it came from (LAN IP) and where it went (outbound WAN IP), and thus return traffic from the same WAN IP will then get routed to the right internal LAN IP?

No mangling required there.

The next question alludes to, let's say, INPUT FROM ANY of the 5 WANs coming in and all pointing to SERVER (I'm assuming that is what is meant by a node). In this case we are talking inbound unsolicited traffic, and as such it has a destination port (and maybe a source address list associated). IF the dst-nat router rule is such that
any inbound traffic in-interface-list=WAN is routed to a specific server on a specific LAN, that traffic IS CONNECTION TRACKED by the router, and thus the router knows which WAN it came in on and where it went. Why is it not safe to assume that server return traffic would then be sent to the correct WAN IP by connection tracking?

In other words, I still see no need for mangling.

I feel I am missing something, but what?
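The mark-and-route configuration solar77 describes, written out as an added example that is not part of either poster's config. It also shows the distinction behind anav's question: connection tracking does reverse the address translation on the reply (server address back to the public address), but choosing the next hop for that reply is a separate route lookup, and without a routing mark that lookup hits the main table and picks the primary default gateway no matter which WAN the request arrived on. The connection mark is what carries "arrived on ether2" through to that route decision. Assumed placeholders: WAN interfaces ether1/ether2 with gateways 203.0.113.1 and 198.51.100.1 (documentation addresses), LAN bridge named bridge, and a dst-nat rule like the one earlier in the thread already in place. Syntax is RouterOS v6 (the thread's era); v7 uses routing tables instead of routing marks.

```routeros
# Added example (RouterOS v6 syntax), not from the thread.
# Assumed: ether1 -> gateway 203.0.113.1, ether2 -> gateway 198.51.100.1, LAN on "bridge".

/ip firewall mangle
# Tag each new inbound connection with the WAN it arrived on. This runs in
# prerouting before dst-nat, so in-interface is still the real WAN port.
add chain=prerouting in-interface=ether1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=from_wan1 passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=from_wan2 passthrough=yes
# Replies from the LAN server belong to the tracked connection, so the connection
# mark is already present; turn it into a routing mark for the reply's route lookup.
add chain=prerouting in-interface=bridge connection-mark=from_wan1 \
    action=mark-routing new-routing-mark=via_wan1 passthrough=no
add chain=prerouting in-interface=bridge connection-mark=from_wan2 \
    action=mark-routing new-routing-mark=via_wan2 passthrough=no
# Same for replies the router itself generates (its own services on either WAN).
add chain=output connection-mark=from_wan1 action=mark-routing new-routing-mark=via_wan1
add chain=output connection-mark=from_wan2 action=mark-routing new-routing-mark=via_wan2

/ip route
# Per-WAN default routes selected only by the routing mark.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via_wan1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via_wan2
# Unmarked (LAN-originated) traffic: primary WAN with failover to the second.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2
```

To check it, open a connection to the service through the secondary WAN's public address and look at `/ip firewall connection print` for the from_wan2 mark, then `/ip route print` confirms the via_wan2 route exists; with the mangle rules removed the same reply leaves via the primary gateway with the wrong source address and the client never sees it. Traffic started from the LAN is left unmarked on purpose, so it keeps using the ordinary failover routes, which matches anav's point that outbound connections need no mangling.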
