kulgan
just joined
Topic Author
Posts: 1
Joined: Sat Jul 02, 2022 3:52 pm

Dual WAN, unable to access LAN webServer when both ISP are up

Sat Jul 02, 2022 6:43 pm

Hi,

I recently bought an RB750Gr3 in order to set up a dual WAN connection with load balancing.
The setup seems to be OK.
So currently, to make it as simple as possible, I have:
ISP1(ether1) is ADSL
ISP2(ether2) is 4G with carrier-grade NAT
LAN(ether3)

On LAN I have a web server.

My issue is around accessing the web server from WAN.
When only ISP1 is up, no issue.
But when both ISP1 and ISP2 are up then I can't connect.

I guess this is due to the fact that when both ISPs are up, WAN requests reach ether1 but the reply goes to ether2.
But I can't find how to fix this.

Below is my config:
# jul/02/2022 15:08:32 by RouterOS 7.3.1
# software id = FUD5-5Q6H
#
# model = RB750Gr3
# serial number = xxxxxxxxxxxx
/interface ethernet
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/ip firewall connection tracking
set enabled=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.2/30 interface=ether1 network=192.168.1.0
add address=192.168.2.2/30 interface=ether2 network=192.168.2.0
add address=192.168.0.1/30 interface=ether3 network=192.168.0.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=output disabled=yes dst-address=8.8.8.8 protocol=icmp
add action=drop chain=output disabled=yes dst-address=8.8.4.4 protocol=icmp
add action=accept chain=forward dst-address=192.168.0.2 dst-port=8443 \
    protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/30
add action=accept chain=prerouting dst-address=192.168.2.0/30
add action=accept chain=prerouting dst-address=192.168.0.0/30
add action=mark-connection chain=prerouting in-interface=ether3 \
    new-connection-mark=ISP1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting in-interface=ether3 \
    new-connection-mark=ISP2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1 in-interface=\
    ether3 new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=\
    ether3 new-routing-mark=ISP2 passthrough=no
add action=mark-connection chain=prerouting in-interface=ether2 \
    new-connection-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=\
    ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
    ISP2 passthrough=no
add action=mark-connection chain=prerouting in-interface=ether1 \
    new-connection-mark=ISP1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/30
add action=dst-nat chain=dstnat dst-port=8443 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.2 to-ports=8443
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=30
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=30
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.46.215.60
add address=162.159.200.123
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/tool bandwidth-server
set enabled=no

Thanks for your help.
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN, unable to access LAN webServer when both ISP are up

Sun Jul 03, 2022 10:41 pm

Did you follow this guide for PCC?
https://mum.mikrotik.com/presentations/US12/steve.pdf

Is this device public-facing? You have no firewall rules to speak of???
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dual WAN, unable to access LAN webServer when both ISP are up

Sun Jul 03, 2022 11:11 pm

viewtopic.php?p=659676#p659676 - start reading from the EDIT at the end of the post, it will give you the context for your issue (routing server responses back via the same WAN through which the request came in).
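
The behaviour named in the reply above (server responses leaving via the same WAN the request arrived on), as an added RouterOS v7 example that is not part of the thread or the linked post: each new connection is marked by its ingress WAN first, and PCC only classifies LAN connections that carry no mark yet, so replies from 192.168.0.2 keep the mark of the WAN the request came in on. Interface names, marks, routing tables and gateway addresses are taken from the posted export; the rule order and the per-table default routes are assumptions about how to apply the idea to it.

```routeros
# Added example, not the poster's or the forum's configuration.
# Assumes: ether1/ether2 = WAN, ether3 = LAN, routing tables ISP1/ISP2 already
# exist with fib (as in the export), gateways 192.168.1.1 and 192.168.2.1.

/ip firewall mangle
# 1. Mark every new connection by the WAN it arrived on. These rules sit
#    above any accept rule, because in prerouting the request is still
#    addressed to the router's own WAN address (dst-nat runs after mangle).
add chain=prerouting action=mark-connection in-interface=ether1 \
    connection-state=new new-connection-mark=ISP1 passthrough=yes
add chain=prerouting action=mark-connection in-interface=ether2 \
    connection-state=new new-connection-mark=ISP2 passthrough=yes

# (Accept rules for the connected /30 subnets, if kept, go here.)

# 2. PCC load balancing only for LAN-originated connections that have no
#    mark yet. Replies of the web server belong to a connection marked in
#    step 1, so they are skipped here and keep that mark.
add chain=prerouting action=mark-connection in-interface=ether3 \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/0 \
    new-connection-mark=ISP1 passthrough=yes
add chain=prerouting action=mark-connection in-interface=ether3 \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/1 \
    new-connection-mark=ISP2 passthrough=yes

# 3. Translate the connection mark into a routing mark for packets coming
#    from the LAN (outbound traffic and the server's replies alike).
add chain=prerouting action=mark-routing in-interface=ether3 \
    connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
add chain=prerouting action=mark-routing in-interface=ether3 \
    connection-mark=ISP2 new-routing-mark=ISP2 passthrough=no

# 4. Same for replies generated by the router itself.
add chain=output action=mark-routing connection-mark=ISP1 \
    new-routing-mark=ISP1 passthrough=no
add chain=output action=mark-routing connection-mark=ISP2 \
    new-routing-mark=ISP2 passthrough=no

# 5. Each routing table needs its own default route, otherwise the routing
#    mark has nothing to select and the lookup falls back to table main.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=ISP1
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=ISP2
```

After applying rules like these, `/ip firewall connection print` should show the port 8443 connection carrying connection mark ISP1 for requests that entered on ether1.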
