mhn6868
just joined
Topic Author
Posts: 6
Joined: Mon Jun 12, 2023 8:26 pm

2 WAN link and dst-nat configuration

Wed Feb 28, 2024 6:57 pm

Hello everyone
First, I apologize if my post is repetitious; my search for a good result was unsuccessful and I do not have enough time. Thank you for any links or hints.
Suppose my scenario is as follows:
I have 2 WAN links:
ether1-WAN1 --> 1.1.1.1 (public IP)
ether2-WAN2 --> 2.2.2.2 (public IP)

I have 1 local network (192.168.70.0/24)
ether3-LAN --> 192.168.70.1

I have 1 Server that is connected to ether3-LAN interface with remote desktop enabled:
Server IP: 192.168.70.20 Server Gateway: 192.168.70.1

what I want to do is:
remote desktop users should be able to connect to the server via both WAN links (1.1.1.1 and 2.2.2.2).

So what is wrong with the following configuration:


/ ip firewall nat
add chain=srcnat out-interface=ether1-WAN1 action=masquerade
add chain=srcnat out-interface=ether2-WAN2 action=masquerade
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 protocol=tcp to-addresses=192.168.70.20 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 protocol=tcp to-addresses=192.168.70.20 to-ports=3389
/ ip firewall mangle
add chain=forward in-interface=ether1-WAN1 action=mark-connection new-connection-mark=ether1-WAN1_conn
add chain=forward in-interface=ether2-WAN2 action=mark-connection new-connection-mark=ether2-WAN2_conn
add chain=forward connection-mark=ether1-WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=forward connection-mark=ether2-WAN2_conn action=mark-routing new-routing-mark=to_WAN2
/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=1 routing-mark=to_WAN2

thanks in advance
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: 2 WAN link and dst-nat configuration

Wed Feb 28, 2024 7:11 pm

Are the public IPs static or dynamic? Same provider or different providers?


RDP is not secure; I don't recommend it.
Much better off installing WireGuard and having your users securely access the router; then you can have them access any LAN device, including an RDP server, from the LAN side.
 
mhn6868
just joined
Topic Author
Posts: 6
Joined: Mon Jun 12, 2023 8:26 pm

Re: 2 WAN link and dst-nat configuration

Wed Feb 28, 2024 7:18 pm

Thanks for your reply and the warning about RDP (there are some conditions where a VPN is not possible, so ignore this issue).
Both IPs are static, from different providers.
......................................................
My server has 2 network cards; can I add another IP to the server and solve the problem?
for example:
my server IPs: 192.168.70.20 and 192.168.80.20 (gateway: 192.168.70.1)
ether3-LAN2 --> 192.168.80.1
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: 2 WAN link and dst-nat configuration

Wed Feb 28, 2024 10:11 pm

(1) Keep a single NIC and LAN IP..........

/ ip firewall nat
add chain=srcnat out-interface=ether1-WAN1 action=masquerade
add chain=srcnat out-interface=ether2-WAN2 action=masquerade
add action=dst-nat chain=dstnat dst-port=3389 dst-address=StaticWANIP1 protocol=tcp to-addresses=192.168.70.20
add action=dst-nat chain=dstnat dst-port=3389 dst-address=StaticWANIP2 protocol=tcp to-addresses=192.168.70.20

/ ip firewall mangle
add chain=forward in-interface=ether1-WAN1 connection-mark=no-mark \
action=mark-connection new-connection-mark=ether1-WAN1_conn passthrough=yes
add chain=forward in-interface=ether2-WAN2 connection-mark=no-mark \
action=mark-connection new-connection-mark=ether2-WAN2_conn passthrough=yes
add chain=prerouting action=mark-routing connection-mark=ether1-WAN1_conn \
new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=ether2-WAN2_conn \
new-routing-mark=to_WAN2 passthrough=no

/ ip route
Assuming default routes are already in place, or manual routes for both ISPs in the MAIN TABLE.
{ add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main
{ add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-table=main
PLUS
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=1 routing-mark=to_WAN2

MODIFY FAST TRACK RULES IN forward chain by simply adding connection-mark=no-mark

++++++++++++++++++++++++++++++++++++++++++
Nothing changes from the above if you prefer to use two different NICs........
 
mhn6868
just joined
Topic Author
Posts: 6
Joined: Mon Jun 12, 2023 8:26 pm

Re: 2 WAN link and dst-nat configuration

Thu Feb 29, 2024 4:13 am

Thank you very much!
Now users can access the server from both public IPs, but there is another problem:
RDP works randomly; after every 3-4 attempts, users cannot connect and have to wait some seconds or minutes.
I put fasttrack on top of the other mangle rules:
add action=fasttrack-connection chain=forward connection-mark=no-mark
Is it in the correct place?
my RouterOS version is 7.13.5
How can I solve this problem?
thanks again
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: 2 WAN link and dst-nat configuration

Thu Feb 29, 2024 5:41 am

The fasttrack rule is NOT a mangle rule; it's a forward chain filter rule and should typically be the first forward chain rule.
Without seeing the whole config (less any public IP info) it will be hard to pinpoint the issue.
 
mhn6868
just joined
Topic Author
Posts: 6
Joined: Mon Jun 12, 2023 8:26 pm

Re: 2 WAN link and dst-nat configuration

Thu Feb 29, 2024 7:44 am

This is my full config:
- ether2-AntenPishgamanWAN has a pppoe-client connection with public IP (x.y.z.89)
- there is a GRE tunnel with another company branch (x.y.z.126)
- ether1-SimCardWAN is connected to a GSM modem; the IP of the GSM modem is 192.168.43.1 and it is DMZ'd to 192.168.43.2 (my router); the GSM public IP is x.y.z.178
With the following config users can connect only via x.y.z.89, and trying to connect via x.y.z.178 gets stuck on "configuring remote session ...".
- As I notice, there is no packet count on the ether1-SimCardWAN NAT rule.
............................................................................
# 2024-02-29 08:57:26 by RouterOS 7.13.5
/interface ethernet
set [ find default-name=ether1 ] name=ether1-SimCardWAN
set [ find default-name=ether2 ] name=ether2-AntenPishgamanWAN
set [ find default-name=ether3 ] name=ether3-AntenToBazar
set [ find default-name=ether4 ] name=ether4-toServer
set [ find default-name=ether5 ] name=ether5-HP-iLO
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface gre
add local-address=x.y.z.89 mtu=1420 name=gre-Teh remote-address=\
x.y.z.126
/interface pppoe-client
add disabled=no interface=ether2-AntenPishgamanWAN keepalive-timeout=100 \
name=pppoe-out-pishgaman user=9131562068
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
/ip address
add address=192.168.43.2/24 interface=ether1-SimCardWAN network=192.168.43.0
add address=192.168.70.1/24 interface=ether4-toServer network=192.168.70.0
add address=192.168.80.1/24 interface=ether5-HP-iLO network=192.168.80.0
add address=192.168.93.5/24 interface=ether3-AntenToBazar network=\
192.168.93.0
add address=10.10.10.1 interface=gre-Teh network=10.10.10.2
add address=192.168.110.2/24 interface=ether3-AntenToBazar network=\
192.168.110.0
/ip dns
set servers=8.8.8.8,5.200.200.200
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=no-mark \
hw-offload=yes
add action=drop chain=input comment="Block Ping Request" protocol=icmp
add action=drop chain=input comment="Block Invalid Input Conn" \
connection-state=invalid disabled=yes
add action=drop chain=input comment="Block port scanners" src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input dst-port=22,23,80,8291 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2d chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=ether1-SimCardWAN new-connection-mark=WAN1_Conn passthrough=\
yes
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=ether2-AntenPishgamanWAN new-connection-mark=WAN2_Conn \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1_Conn \
new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_Conn \
new-routing-mark=to_WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out-pishgaman
add action=masquerade chain=srcnat out-interface=ether1-SimCardWAN \
to-addresses=192.168.43.2
add action=dst-nat chain=dstnat comment=test dst-address=192.168.43.2 \
dst-port=62404 protocol=tcp to-addresses=192.168.70.12 to-ports=62404
add action=dst-nat chain=dstnat comment="RDP- Mr Ramin Windows 2" \
dst-address=5.202.251.89 dst-port=62404 protocol=tcp to-addresses=\
192.168.70.12 to-ports=62404
add action=dst-nat chain=dstnat comment="RDP- Mr Alikhani" dst-address=\
5.202.251.89 dst-port=63301 protocol=tcp to-addresses=192.168.70.4 \
to-ports=63301
add action=dst-nat chain=dstnat comment="RDP- Mr Ghasemkhani" dst-port=63302 \
protocol=tcp to-addresses=192.168.70.5 to-ports=63302
add action=dst-nat chain=dstnat comment="RDP- Mr Ramin" dst-port=63303 \
protocol=tcp to-addresses=192.168.70.6 to-ports=63303
add action=dst-nat chain=dstnat comment="HP iLO Web" disabled=yes dst-port=\
65104 protocol=tcp to-addresses=192.168.80.10 to-ports=65104
/ip route
add disabled=no dst-address=192.168.16.0/24 gateway=192.168.110.1 \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=192.168.110.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=192.168.89.0/24 gateway=10.10.10.2 routing-table=\
main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.91.0/24 gateway=10.10.10.2 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.43.1 \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.43.1 \
pref-src="" routing-table=to_WAN1 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman \
pref-src="" routing-table=to_WAN2 scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes port=23322
set ftp disabled=yes port=22221
set www disabled=yes port=24812
set ssh port=63700
set www-ssl port=32443
set api disabled=yes port=28728
set winbox port=63800
set api-ssl disabled=yes port=28729

................................................................
thank you
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: 2 WAN link and dst-nat configuration

Thu Feb 29, 2024 11:36 pm

So far looks okay.....

1. On the two main table default routes, I would add check-gateway=ping.
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman routing-table=main comment=WAN2
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.43.1 routing-table=main comment=WAN1
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.43.1 routing-table=to_WAN1
add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-pishgaman routing-table=to_WAN2

2. Mangles.
/ ip firewall mangle
add chain=forward in-interface=ether1-SimCardWAN connection-mark=no-mark action=mark-connection \
new-connection-mark=ether1-WAN1_conn passthrough=yes
add chain=forward in-interface=pppoe-out-pishgaman connection-mark=no-mark action=mark-connection \
new-connection-mark=ether2-WAN2_conn passthrough=yes
add chain=prerouting connection-mark=ether1-WAN1_conn action=mark-routing \
new-routing-mark=to_WAN1 in-interface-list=LAN passthrough=no
add chain=prerouting connection-mark=ether2-WAN2_conn action=mark-routing \
new-routing-mark=to_WAN2 in-interface-list=LAN passthrough=no


In your case... better to simply replace in-interface-list=LAN with:
src-address-list=SERVERS

where you add all your Server IPs.
/ip firewall address-list
add address=192.168.70.4 list=SERVERS
add address=192.168.70.5 list=SERVERS
add address=192.168.70.6 list=SERVERS
add address=192.168.70.12 list=SERVERS
etc.....

3. Firewall rules are incomplete..........

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow LAN to Router traffic" in-interface-list=LAN
==== add any more allow rules here ==== perhaps for gre tunnel???
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
hw-offload=yes connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
==== add any more allow rules here ==== perhaps for gre tunnel???
add action=drop chain=forward comment="drop all else"
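The pattern the thread converges on (mark the connection on its inbound WAN, turn that mark into a routing mark in prerouting, and keep fasttrack away from marked connections) is easy to get subtly wrong, as the first post and the later fasttrack question show. Below is an added example, not code from either poster: a small Python linter that parses a RouterOS export and flags those three mistakes; the function names are mine and the embedded config is a constructed, abridged imitation of the first post.

```python
import shlex
from collections import defaultdict

def parse_export(text):
    """{section: [rule_dict, ...]} for the 'add' lines of a RouterOS export; handles '\\' continuations and '/ip x' or '/ ip x' headers."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # rule continues on the next line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = " ".join(line[1:].split())
        elif section and (toks := shlex.split(line)) and toks[0] == "add":
            sections[section].append(dict(t.split("=", 1) for t in toks[1:] if "=" in t))
    return sections

def lint_dual_wan(text):
    """Flag the dual-WAN dst-nat mistakes the thread walks through; returns a list of findings."""
    cfg, findings = parse_export(text), []
    for r in cfg["ip firewall filter"]:
        if r.get("action") == "fasttrack-connection" and r.get("connection-mark") != "no-mark":
            findings.append("fasttrack: rule lacks connection-mark=no-mark, so marked WAN connections skip mangle and replies fall back to the main table")
    routing = [r for r in cfg["ip firewall mangle"] if r.get("action") == "mark-routing"]
    for r in routing:
        if r.get("chain") not in ("prerouting", "output"):
            findings.append(f"chain: mark-routing in chain={r.get('chain')} comes after the routing decision; it must be in prerouting")
    tables = {r.get("routing-table") or r.get("routing-mark")
              for r in cfg["ip route"] if r.get("dst-address") == "0.0.0.0/0"}
    for t in sorted({r["new-routing-mark"] for r in routing if "new-routing-mark" in r} - tables):
        findings.append(f"route: routing mark {t} has no default route in its table")
    return findings

# Constructed, abridged config mirroring the first post's layout (all three mistakes present).
BROKEN = """\
/ ip firewall filter
add action=fasttrack-connection chain=forward hw-offload=yes
/ ip firewall mangle
add chain=forward in-interface=ether1-WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=forward connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=forward connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 routing-mark=to_WAN1
"""

if __name__ == "__main__":
    print(*lint_dual_wan(BROKEN), sep="\n")
```

Feed it `/export` output from the router to check a live config; an empty list means the three checks passed.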
