DUAL WAN : DST NAT to Webserver Issue

ashishwadekar · Sun Oct 31, 2021 1:22 pm

Hello everyone

Absolute newbie here in Mikrotik world. Got my RB750GR3 about 3 days ago. Loving the fact that this platform is not limited by licenses or commercial commitment.
The fact that you can learn & experiment on basic network devices is really liberating.

Unfortunately, I am not a network guy & have fallen into the trap of solving the problem with different solution common in Mikrotik world(Which is a boon for people who understand what they are doing)

After going through several guides, Youtube videos, blog posts etc. I was able to setup Dual WAN load balancing with PCC.

My setup is as follows:

2 PPPOE ISP connections -> RB750GR3 -> Unifi Dream Machine -> Homelab server

Load balancing is working good. I was facing issues with SSL sites but that was resolved by changing PCC classifier to source address and port.

I am not able to access my web-server when both ISP’s are up. Please note that webserver is accessible when my WAN on ethernet port 1(DNA) is down.

Any help to resolve this is really appreciated. Thanks in advance.

Sharing my current configuration here:


# oct/31/2021 16:45:25 by RouterOS 6.49
#
# model = RB750Gr3

/interface ethernet
set [ find default-name=ether5 ] name=LAN
set [ find default-name=ether1 ] name=WAN1-DNA
set [ find default-name=ether2 ] name=WAN2-YOU
/interface pppoe-client
add disabled=no interface=WAN1-DNA name=DNA-PPPOE_OUT use-peer-dns=yes
add disabled=no interface=WAN2-YOU name=YOU-PPPOE_OUT use-peer-dns=yes

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN name=DHCP-LAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip address
add address=10.10.10.1/24 interface=LAN network=10.10.10.0

/ip dhcp-server lease
add address=10.10.10.2 client-id="Unifi Dream Machine" mac-address=\
    E0:63:DA:5C:5B:75 server=DHCP-LAN

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1

/ip dns
set allow-remote-requests=yes servers=10.10.10.2

/ip firewall mangle
add action=accept chain=prerouting in-interface=DNA-PPPOE_OUT
add action=accept chain=prerouting in-interface=YOU-PPPOE_OUT
add action=mark-connection chain=prerouting comment="PCC WAN1" dst-address-type=\
    !local log-prefix="WAN1 PCC" new-connection-mark=WAN1_DNA_CONN passthrough=\
    yes per-connection-classifier=src-address-and-port:2/0 src-address=\
    10.10.10.0/24
add action=mark-connection chain=prerouting comment="PCC WAN2" dst-address-type=\
    !local log-prefix="WAN2 PCC" new-connection-mark=WAN2_YOU_CONN passthrough=\
    yes per-connection-classifier=src-address-and-port:2/1 src-address=\
    10.10.10.0/24
add action=mark-routing chain=prerouting comment="MARK ROUTING WAN1" \
    connection-mark=WAN1_DNA_CONN new-routing-mark=TO_WAN1_DNA passthrough=yes \
    src-address=10.10.10.0/24
add action=mark-routing chain=prerouting comment="MARK ROUTING WAN2" \
    connection-mark=WAN2_YOU_CONN new-routing-mark=TO_WAN2_YOU passthrough=yes \
    src-address=10.10.10.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=DNA-PPPOE_OUT src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat out-interface=YOU-PPPOE_OUT src-address=\
    10.10.10.0/24
add action=dst-nat chain=dstnat comment=\
    "TCP 80,443 Syncthing(22000) RDP(25000) WAN2" dst-port=80,443,22000,25000 \
    in-interface=YOU-PPPOE_OUT log-prefix="TCP FWD" protocol=tcp to-addresses=\
    10.10.10.2
add action=dst-nat chain=dstnat comment="UDP L2TP IPSEC(500,1701,4500) WAN2" \
    dst-port=500,1701,4500,25000 in-interface=YOU-PPPOE_OUT log-prefix="UDP FWD" \
    protocol=udp to-addresses=10.10.10.2

/ip route
add check-gateway=ping distance=1 gateway=DNA-PPPOE_OUT routing-mark=TO_WAN1_DNA
add check-gateway=ping distance=1 gateway=YOU-PPPOE_OUT routing-mark=TO_WAN2_YOU
add check-gateway=ping comment="Default WAN1 Failover Route" distance=1 gateway=\
    DNA-PPPOE_OUT
add check-gateway=ping comment="Default WAN2 Failover Route" distance=2 gateway=\
    YOU-PPPOE_OUT
/tool sniffer
set streaming-server=10.10.10.2

anav · Mon Nov 01, 2021 4:45 pm

Okay, the config basically only expects Server connections to come in on WAN2.
However your IP routes is directing all traffic to go out WAN1.

It sounds as though your mangling rules are incomplete or incorrect.
You need to add in, when traffic comes in on WAN2 it needs to go out WAN2 is my guess.

Shorten source nat rules to.....
/ip firewall nat
add action=masquerade chain=srcnat out-interface=DNA-PPPOE_OUT
add action=masquerade chain=srcnat out-interface=YOU-PPPOE_OUT

anav · Mon Nov 01, 2021 5:01 pm

Just my guess and the reason I try to avoid mangling, as its very tedious:
FROM:
add action=mark-connection chain=prerouting comment="PCC WAN1" dst-address-type=\
!local log-prefix="WAN1 PCC" new-connection-mark=WAN1_DNA_CONN passthrough=\
yes per-connection-classifier=src-address-and-port:2/0 src-address=\
10.10.10.0/24
add action=mark-connection chain=prerouting comment="PCC WAN2" dst-address-type=\
!local log-prefix="WAN2 PCC" new-connection-mark=WAN2_YOU_CONN passthrough=\
yes per-connection-classifier=src-address-and-port:2/1 src-address=\
10.10.10.0/24

TO:
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local \
in-interface=ether5 new-connection-mark=WAN1_DNA_CONN passthrough=yes\
per-connection-classifier=both-addresses:2/0

add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local \
in-interface=ether5 new-connection-mark=WAN2_YOU_CONN passthrough=yes\
per-connection-classifier=both-addresses:2/1

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Similarly
FROM
add action=mark-routing chain=prerouting comment="MARK ROUTING WAN1" \
connection-mark=WAN1_DNA_CONN new-routing-mark=TO_WAN1_DNA passthrough=yes \
src-address=10.10.10.0/24
add action=mark-routing chain=prerouting comment="MARK ROUTING WAN2" \
connection-mark=WAN2_YOU_CONN new-routing-mark=TO_WAN2_YOU passthrough=yes \
src-address=10.10.10.0/24

TO:
add action=mark-routing chain=prerouting connection-mark=WAN1_DNA_CONN in-interface=ether5 \
new-routing-mark=TO_WAN1_DNA passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_YOU_CONNin-interface=ether5 \
new-routing-mark=TO_WAN2_YOU passthrough=yes

The second part of this step is completing the necessary output chain .........

add action=mark-routing chain=output connection-mark=WAN1_DNA_CONN new-routing-mark=TO_WAN1_DNA passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_YOU_CONN new-routing-mark=TO_WAN2_YOU passthrough=yes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

and you are totally missing the fourth mangle step................the WAN inbound marking, so outbound is correct........

add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
in-interface=DNA-PPPOE_OUT new-connection-mark=WAN1_DNA_CONN passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
in-interface=YOU-PPPOE_OUT new-connection-mark=WAN2_YOU_CONN passthrough=yes

ashishwadekar · Mon Nov 01, 2021 7:31 pm

Thanks a ton @anav for taking out the time & simplifying the rules for crystal clear understanding.

After dealing with the frustration & mounting pressure from my family for a stable internet connection, I caved in & reset my config

I followed this excellent guide from Daryll Swer & config is working great!

I am new to networking but really getting excited about this thanks to the open playground provided by Mikrotik devices.

Thanks again & wish you great day ahead

DUAL WAN : DST NAT to Webserver Issue [SOLVED]

DUAL WAN : DST NAT to Webserver Issue

Re: DUAL WAN : DST NAT to Webserver Issue

Re: DUAL WAN : DST NAT to Webserver Issue [SOLVED]

Re: DUAL WAN : DST NAT to Webserver Issue