OS 7.X Use 2 WAN and Port Forwarding

Posted: Thu Jul 07, 2022 7:16 pm
by tigro11
After various tests on how to configure port forwarding with 2 WANs, I still can't make it work.
WAN1 has a static public IP, and that's the one I use for port forwarding.
WAN2 is the one I use as the main connection for browsing (it uses a dynamic IP).
When someone from outside hits the public IP on port 8181 to access my weather webcam, nothing is displayed; the moment I disable the WAN2 route, it works perfectly.
Where am I going wrong?

Valerio

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Thu Jul 07, 2022 8:03 pm
by anav
A. network diagram
B. /export config (hide any public IPs)
C. detailed description of user requirements, which users from where need port forwarding,

Light reading:
viewtopic.php?t=179343


This forum is for useful articles; beginner and general issues are where you should post next time!

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Thu Jul 07, 2022 8:39 pm
by tigro11
> A. network diagram
> B. /export config (hide any public IPs)
> C. detailed description of user requirements, which users from where need port forwarding,
>
> Light reading:
> viewtopic.php?t=179343
>
> This forum is for useful articles; beginner and general issues are where you should post next time!
thanks, this is my configuration:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-WAN-SKY
set [ find default-name=ether4 ] name=ether4-WIFI
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0

/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether4-WIFI
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set route-cache=no tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=ether2-WAN-SKY list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.7.2.1/16 comment=INTERNET interface=ether1-WAN network=\
10.7.0.0
add address=192.168.10.100/24 interface=ether2-WAN-SKY network=192.168.10.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" disabled=yes list=\
not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" disabled=yes list=\
not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new \
dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="BLOCK DNS Wan" connection-state=new \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=smb-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"SMB Flood Gathering" connection-limit=100,32 dst-port=445 in-interface=\
bridge protocol=tcp
add action=add-src-to-address-list address-list=snpp-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"SNPP/Backdoor Flood\r\
\nGathering" connection-limit=20,32 dst-port=444 in-interface=bridge \
protocol=tcp
add action=add-src-to-address-list address-list=msf-indication \
address-list-timeout=none-dynamic chain=forward comment=\
"Metasploit Indication" connection-limit=20,32 dst-port=4444 \
in-interface=bridge protocol=tcp
add action=add-src-to-address-list address-list=ssh-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"SSH Flood Gathering" connection-limit=20,32 dst-port=22 in-interface=\
bridge protocol=tcp
add action=add-src-to-address-list address-list=telnet-flood \
address-list-timeout=none-dynamic chain=forward comment=\
"Telnet Flood\r\
\nGathering" connection-limit=20,32 dst-port=23 in-interface=bridge \
protocol=tcp
add action=log chain=forward comment="Abnormal Traffic" connection-bytes=\
80000000 disabled=yes limit=1,5:packet log-prefix=Abnormal-Traffic
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward comment="Port scanners to list " \
in-interface=!bridge log-prefix="port scanner" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=DoS_Attacked \
address-list-timeout=5m chain=input comment=DoS_Attacked \
connection-limit=32,32 protocol=tcp
add action=tarpit chain=input comment=DoS_Attacked connection-limit=10,32 \
protocol=tcp src-address-list=DoS_Attacked
add action=drop chain=forward comment="Bloccare IP addresses BOGON" \
src-address=0.0.0.0/8
add action=return chain=detect-ddos comment="SYN-ACK Flood" dst-limit=\
32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=drop chain=forward comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="drop echo request" icmp-options=8:0 \
in-interface-list=WAN protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \
protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=accept chain=input comment="Allow Established connections" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="ACCETTA TRAFFICO DA WIREGUARD" \
in-interface=TUNNEL-NEGOZIO src-address=192.168.0.0/24
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=add-src-to-address-list address-list=FW_Block_unkown_port \
address-list-timeout=1d chain=input comment=\
"Add IP of user to access list if they have tried port that is not open." \
disabled=yes in-interface-list=WAN log-prefix=FI_AS_port-test \
src-address=!10.7.0.1
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="BLOCCO BLACKLIST" connection-state=new \
in-interface-list=!LAN src-address-list=blacklist
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" \
connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed NO DROP TUNNEL TRAFFIC" \
connection-nat-state=!dstnat connection-state=new dst-address-list=!SMB \
in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
/ip firewall mangle
add action=change-ttl chain=prerouting comment="NO TRaceroute" new-ttl=\
increment:1 passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="WEBCAM CASA" dst-port=8181 \
in-interface=ether1-WAN protocol=tcp src-address=!192.168.0.0/24 \
to-addresses=192.168.1.51 to-ports=8080

add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting comment=DDOS dst-address-list=ddos-target \
src-address-list=ddos-attackers
add action=drop chain=prerouting comment="DNS Amplification" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=prerouting comment=\
"Well-Known Virus/Flooding Port- esscludo ip nas" dst-address-list=!SMB \
dst-port=445,2000,4444,444 in-interface-list=LAN protocol=tcp
add action=drop chain=prerouting comment="Memcached Flood" in-interface-list=\
LAN protocol=udp src-port=11211
add action=drop chain=prerouting comment="drop port scanner" \
src-address-list="port scanners"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN log=yes src-address-list=not_global_ipv4
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting in-interface-list=WAN protocol=!tcp \
src-address=!x.x.x.x src-address-list=FW_Block_unkown_port
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
10.7.0.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=192.168.5.0/24 gateway=192.168.1.100 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=192.168.0.0/24 \
gateway=10.0.8.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.10.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24,10.0.8.0/30,192.168.0.11/32 port=1170
set api-ssl disabled=yes
/system ntp client
set mode=broadcast

/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1-WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Thu Jul 07, 2022 8:55 pm
by Sob
Quick tip before @anav tears your config to shreds: you have the default gateway using WAN2, so even when there's an incoming connection on WAN1, the responses will go out via WAN2. You need to mark (using mangle rules) new incoming connections on WAN1 and then mark routing for the responses so that they use the default gateway on WAN1, for which you'll need another routing table with such a default route.

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Thu Jul 07, 2022 10:52 pm
by tigro11
> Quick tip before @anav tears your config to shreds: you have the default gateway using WAN2, so even when there's an incoming connection on WAN1, the responses will go out via WAN2. You need to mark (using mangle rules) new incoming connections on WAN1 and then mark routing for the responses so that they use the default gateway on WAN1, for which you'll need another routing table with such a default route.

You're right, Sob; I have tried that, but I still can't solve the problem.
If you could perhaps help me, I would be grateful.

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Fri Jul 08, 2022 2:32 am
by Sob
From top of my head, it should be something like:
/routing table
add name=WAN1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.7.0.1 routing-table=WAN1
/ip firewall mangle
add chain=prerouting in-interface=ether1-WAN connection-state=new action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface-list=LAN connection-mark=WAN1_conn action=mark-routing new-routing-mark=WAN1

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Fri Jul 08, 2022 10:07 am
by tigro11
Perfect, Sob, it works.
Thank you very much for the help.
Valerio

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Mon Jul 11, 2022 8:44 pm
by anav
Is there a way to do this and avoid mangling...........? That is always my first question.
Assuming port forwarding comes in on WAN1 as described.

If WAN2 is already the primary, why not........ do something similar but without mangling.
/routing table
add name=WAN1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.7.0.1 routing-table=WAN1
/ip route rule
add dst-address=static_Public_IP action=lookup-in-table-only table=WAN1

(or will that not work because I actually need the remote user's public IP as dst-address??)

And thus, alternatively, what about:
/ip route rule
add src-address=internal_Server_LANIP action=lookup-in-table-only table=WAN1

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Tue Jul 12, 2022 12:06 am
by Sob
The first won't work, at least not for general port forwarding accessible from anywhere.

If by static_Public_IP you mean local address on WAN1, then it won't work at all for port forwarding, because source address in prerouting phase is the internal one. It will work for access to router itself (to static_Public_IP).

If by static_Public_IP you mean client's address, then it will work for port forwarding accessible from that client only. And also if you want any communication with that client (incoming and outgoing) use only WAN1.

The second one will work, if the internal server should use WAN1 exclusively, including for outgoing connections.
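To make the reasoning in Sob's tip, his mangle snippet and anav's route-rule alternatives concrete, here is an added toy model (example code written for this thread, not RouterOS code and not anyone's posted config). It simulates, in a deliberately simplified way, how the router picks the gateway for the webcam's reply packet: routing mark from mangle first, then an /ip route rule with lookup-in-table-only, then the main table. The gateways (10.7.0.1 and 192.168.10.1), the server 192.168.1.51 and the interface names come from the posted export; the public WAN1 address, the remote client address and the connection-tracking shortcut are constructed assumptions.

```python
"""Toy model of two-WAN reply routing (added example, not RouterOS code).

Scenarios: (a) nothing special, (b) Sob's mangle rules, (c) anav's /ip route
rule variants. Simplified: one flow, no NAT bookkeeping, conntrack keyed on
the remote peer only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN1_GW = "10.7.0.1"          # posted /ip route: default via ether1-WAN, distance=2
WAN2_GW = "192.168.10.1"      # posted /ip route: default via ether2-WAN-SKY, distance=1
SERVER = "192.168.1.51"       # posted dst-nat target for port 8181 (webcam)
PUBLIC_WAN1 = "198.51.100.7"  # constructed stand-in for the hidden static public IP
CLIENT = "203.0.113.10"       # constructed remote viewer
LAN_IFACES = {"bridge"}       # posted LAN interface list member

# Routing tables as (prefix, gateway) lists; longest prefix wins.
TABLES = {
    "main": [("0.0.0.0/0", WAN2_GW)],   # the distance=1 route wins in main
    "WAN1": [("0.0.0.0/0", WAN1_GW)],   # extra table proposed in the thread
}

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    conn_new: bool = True
    conn_mark: Optional[str] = None
    routing_mark: Optional[str] = None

@dataclass
class RouteRule:
    """Simplified /ip route rule with action=lookup-in-table-only."""
    table: str
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        src_ok = self.src is None or ip_address(pkt.src) in ip_network(self.src)
        dst_ok = self.dst is None or ip_address(pkt.dst) in ip_network(self.dst)
        return src_ok and dst_ok

def lookup(table: str, dst: str) -> Optional[str]:
    """Longest-prefix match in one table; returns the gateway address."""
    best = None
    for prefix, gw in TABLES[table]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def conn_key(pkt: Packet) -> str:
    """Constructed conntrack key: the WAN-side peer (real conntrack uses the 5-tuple)."""
    return pkt.dst if pkt.in_iface in LAN_IFACES else pkt.src

def mangle_prerouting(pkt: Packet, conntrack: dict, enabled: bool) -> None:
    """Sob's two mangle rules, applied in prerouting."""
    if not enabled:
        return
    key = conn_key(pkt)
    # rule 1: new connection entering on ether1-WAN -> connection-mark=WAN1_conn
    if pkt.in_iface == "ether1-WAN" and pkt.conn_new:
        conntrack[key] = "WAN1_conn"
    pkt.conn_mark = conntrack.get(key)
    # rule 2: LAN-side packets of such a connection -> routing-mark=WAN1
    if pkt.in_iface in LAN_IFACES and pkt.conn_mark == "WAN1_conn":
        pkt.routing_mark = "WAN1"

def route(pkt: Packet, rules) -> Optional[str]:
    """Gateway choice: routing mark, then route rules in order, then main."""
    if pkt.routing_mark:
        return lookup(pkt.routing_mark, pkt.dst)
    for rule in rules:
        if rule.matches(pkt):
            return lookup(rule.table, pkt.dst)
    return lookup("main", pkt.dst)

def reply_gateway(mangle: bool = False, rules=(), client: str = CLIENT) -> Optional[str]:
    """Gateway used for the webcam's reply to a forwarded connection from `client`."""
    conntrack: dict = {}
    inbound = Packet(src=client, dst=PUBLIC_WAN1, in_iface="ether1-WAN", conn_new=True)
    mangle_prerouting(inbound, conntrack, mangle)
    # dst-nat rewrites inbound.dst to SERVER; the reply is the mirror of that flow
    reply = Packet(src=SERVER, dst=client, in_iface="bridge", conn_new=False)
    mangle_prerouting(reply, conntrack, mangle)
    return route(reply, rules)

def outgoing_gateway(mangle: bool = False, rules=(), dst: str = "192.0.2.50") -> Optional[str]:
    """Gateway for a connection the server itself opens towards the Internet."""
    pkt = Packet(src=SERVER, dst=dst, in_iface="bridge", conn_new=True)
    mangle_prerouting(pkt, {}, mangle)
    return route(pkt, rules)

if __name__ == "__main__":
    print("no policy, reply via:", reply_gateway())                      # 192.168.10.1
    print("mangle,    reply via:", reply_gateway(mangle=True))           # 10.7.0.1
    print("src rule,  reply via:", reply_gateway(rules=[RouteRule("WAN1", src=SERVER)]))
```

Running it reproduces the thread's conclusions: with nothing configured the reply leaves through the WAN2 gateway even though the connection arrived on WAN1 (the original symptom); with the mangle rules the reply follows table WAN1; a route rule on dst-address=public IP never matches the reply (its destination is the client); a rule on the client's address helps only that one client; and a rule on src-address=192.168.1.51 fixes the reply but also pushes the server's own outgoing connections through WAN1, which the mangle approach does not.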

Re: OS 7.X Use 2 WAN and Port Forwarding

Posted: Tue Jul 12, 2022 3:30 am
by anav
> The second one will work, if the internal server should use WAN1 exclusively, including for outgoing connections.
As per the stated requirements of the OP....

> WAN1 has a static public IP, and that's the one I use for port forwarding.
> WAN2 is the one I use as the main connection for browsing (it uses a dynamic IP).

Neither statement was exclusive (there was no "only" statement), but I think it was implied.