I am a RouterOS newbie trying to set up automatic load balancing, automatic fail-over and port forwarding through 2 ISPs connected to my router.
I know load balancing/fail-over has been discussed numerous times for different generations of RouterOS and using different approaches; I've read and implemented them all with varying degrees of success. To me, ECMP seems to be the simplest and most robust way of implementing this. However, none of the approaches properly support/describe how to make (the same) port forwarding work in such setups.
In the setup below, port forwarding through ISP1 and ISP2 works as expected. But if I change the distance on the 0.0.0.0/0 -> 192.168.2.1 route to 1, ECMP begins to work as expected, splitting connections roughly equally between both ISPs; however, the port forwarding through ISP1 stops working (but remains functional through ISP2).
Code:
/system resource print
                   uptime: 1d21h10m50s
                  version: 7.3.1 (stable)
               build-time: Jun/09/2022 08:58:15
         factory-software: 6.44
              free-memory: 45.8MiB
             total-memory: 128.0MiB
                      cpu: ARM
                cpu-count: 4
            cpu-frequency: 672MHz
                 cpu-load: 2%
           free-hdd-space: 580.0KiB
          total-hdd-space: 15.2MiB
  write-sect-since-reboot: 32185
         write-sect-total: 111282
               bad-blocks: 0%
        architecture-name: arm
               board-name: hAP ac^2
                 platform: MikroTik
Code:
/interface list
add name=ilist-lan1
add name=ilist-wan1
add name=ilist-wan2
add include=ilist-lan1 name=ilist-lan
add include=ilist-wan1,ilist-wan2 name=ilist-wan
/interface list member
add interface=bridge1-lan1 list=ilist-lan1
add interface=ether1-wan1 list=ilist-wan1
add interface=ether2-wan2 list=ilist-wan2
Code:
/ip address
add address=10.10.10.1/24 interface=bridge1-lan1 network=10.10.10.0
add address=192.168.1.2/24 interface=ether1-wan1 network=192.168.1.0
add address=192.168.2.2/24 interface=ether2-wan2 network=192.168.2.0
Code:
/routing table
add fib name=rtab-ether1-wan1-only
add fib name=rtab-ether2-wan2-only
Code:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main distance=2
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=rtab-ether1-wan1-only
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=rtab-ether2-wan2-only
Code:
/ip firewall address-list
add address=10.0.0.0/8 list=alist-lan
add address=192.168.1.2 list=alist-wan-mapped
add address=192.168.2.2 list=alist-wan-mapped
add address=10.0.0.0/8 list=alist-connected
add address=172.16.0.0/12 list=alist-connected
add address=192.168.0.0/16 list=alist-connected
Code:
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=ilist-wan src-address-list=alist-lan
add action=dst-nat chain=dstnat dst-address-list=alist-wan-mapped dst-port=443 in-interface-list=ilist-wan protocol=tcp to-addresses=10.10.10.10 to-ports=443
Code:
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=alist-connected src-address-list=alist-connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether1-wan1 new-connection-mark=cmark-ether1-wan1-to-router
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether2-wan2 new-connection-mark=cmark-ether2-wan2-to-router
add action=mark-routing chain=output connection-mark=cmark-ether1-wan1-to-router new-routing-mark=rtab-ether1-wan1-only
add action=mark-routing chain=output connection-mark=cmark-ether2-wan2-to-router new-routing-mark=rtab-ether2-wan2-only
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether1-wan1 new-connection-mark=cmark-ether1-wan1-to-lan passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2-wan2 new-connection-mark=cmark-ether2-wan2-to-lan passthrough=yes
add action=mark-routing chain=prerouting connection-mark=cmark-ether1-wan1-to-lan in-interface-list=ilist-lan new-routing-mark=rtab-ether1-wan1-only
add action=mark-routing chain=prerouting connection-mark=cmark-ether2-wan2-to-lan in-interface-list=ilist-lan new-routing-mark=rtab-ether2-wan2-only