Hi all,

I have a MKT connected to two xDSL Connections... Don't want Load Balancing but I want to access to one TS server on the LAN.

I can access the router via both connections with a routing rule and this is all ok.

I have a dst-nat over the default gateway to get the TS an it works ok. The problems com when I try to make a dst-nat with in interface the other gateway (not default) the rule don't work.

I have sniff in the mkt and I have seen that the packet arrives via the non default gateway, is translated to the lan server but is sent via the default gateway, not the interface where the packet arrives.

I have made a mangle rule that marks new connections to this server and then other that mark rounting based on this connection mark. I have created a routing policy to apply this routing mark, but still this don't work. I have sniffed in this situation and the packet arrives to the lan server but it don't return.

Here is my config; Does anyone has any suggestion?

Greeted in advance
Tete

No one that has configurated Load Balancing has an answer for this question?

I think it can be done, but I don't know were to continue.

Greetings

Greetings!

I see only one gateway in your rules, and no srcnat. I use mangle and routing marks in the prerouting, but to give an example, I need more info on gateway2. What interfaces are these gateways on, and what interface is your local net on? Gateways same or different subnets?

Thanks for the response.

To have a general idea let's make a test environment.

ADSL 1: 10.0.1.254
ADSL 2: 10.0.2.254
LAN: 192.168.100.0/24

Routes:
0.0.0.0/0 --> 10.0.1.1 (ADSL 1)

NAT:
masquerade for ADSL1
masquerade for ADSL2
dst-nat TCP 3389 --> 192.168.100.2 3389

In this environment the NATted server will be available via the ADSL 1 becouse it is the default gateway. But if I try to get access to it via ADSL2 the packet arrives the router and get to the server... the server return the connection to the router and the router send it to its default gateway ADSL1 so the connection is not stablished becouse the packet path is no the first one.

This is my problem... from this situation... What I have to do next?

Greetings

I would use this: xxx.xxx.xxx.xxx is the ether2 gateway
yyy.yyy.yyy.yyy is the ether1 gateway.

This will only send the packets from the server (192.168.100.2) out ether2. All else goes out ether1. The order is important with the mangle and nat rules.

ADD: I forgot the dstnat rule! I get better as the coffee kicks in! Change dst-address to the IP of ether2.

If you are a dhcp client on the dsl connections, you will not need the gateway entries in /ip route, just the masquerades in /ip firewall nat

I think you misunderstood his problem. I have the same issue so I may clarify.

Point is that both gateways are used for DST-NAT. Problem is that all responses to dst-natted connection are routed to default gateway.

Request is that each response is routed back to the gateway which from dst-nated request originated.

Seems the easy way would be to assign two local IPs to the server. Like 192.168.100.2 and 192.168.100.3. Then add a second dstnat

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=zz.zz.zz.zz to-addresses=192.168.100.3

This dst-address is the IP of ether1. This should go back out ether1 because it is not 192.168.100.2.

Just a thought. I have not tried it. You will not be able to access the MT router if you dstnat all the ports tho...

Hi,

Thanks all for the tips....

I am going to test this solutions and I will report if it works....


Greetings

same problem, two gates works, but nated ports not works in one time on two gates

Check http://wiki.mikrotik.com/wiki/Manual:PCC and ignore the actual PCC part. In short, you need to mark incoming connections based on where they came from, and then properly mark routing for replies, to make them go back the same way.

And don't dig up nine years old threads, please.

As per usual the lack of clarity makes it hard to understand what is being asked or explained.
The OP has two ADSL connections (two WAN ports).
Load Balancing between the two connections is not required, so a more typical
USE WAN2 only if WAN1 fails etc.............. should suffice,

To me this is a case to make TWO Routes and only one masquerade rule.
wan1
0.0.0.0/0 destination
gateway IP address of ISP1
ping gateway
Distance=1

wan2
0.0.0.0/0 destination
gateway IP addres of ISP2
disntance =2

At the Interface List Menu Selection, go to the Interface List Tab and ensure under the Wan Interface LIST you have your ISPs
WAN
ISP1
ISP2

Basic SRCNAT rule covering all traffic leaving the router.
Srcnat chain, out-inteface list - WAN
action masquerate

Next step is the OP discusses the Virtual Server or Port Forwarding requirement, via a NAT dstnat rule.
In-Interface List - WAN, Chain-dstnat, Protocol needed assuming TCP, Port needed -3389.
Select Dstnat for action and need to then enter in the destination IP ie the LANIP of the TS server -192.168.100.2
(No port translation required)

What I would say is missing is an accompanying FW rule, which has the same as above but adds source address list or source address if available (not just anybody on the net).

CONCERN
With the above setup, the router will keep track of what traffic comes in on what interface and return the traffic out the approriate interface,
The fact that WAN2 is only used for fail-over should only affect new sessions initiated behind the Microtik going out, in other words the MT will force all new LAN outgoing sessions through ISP1...........

I am assuming that people are using dyndns type urls to access both your ISP1 and ISP2............
There should be no problem for having a single TS IP address as the port forwarding is coming from different WAN interfaces.

I hope this helps and if any bright lights see holes in my thinking or rule knowledge please chime in!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Next the OP stated something that makes no sense to me....... but I have moved this part to the end because its distracting..
I can access the router via both connections with a routing rule and this is all ok.

Umm I have never heard of making a routing rule for access to the router from the internet ??????
I hate the assumptions
a. does he mean he uses dydns names to access the router via both ISPs dydns1 for isp1 and dydns2 for ISP2??
b. What exactly is he accessing when he hits the router?
i. does he mean winbox to manage the router?
ii. does he mean a server (and all that entails?
iii or simply he can ping the router from a remote site.
c. Its not clear whether or not he means he is making these intrusions on the wan side from a remote site or IS HE ATTEMPTING HAIRPIN crapola.




Next statement is at a tad more clearer but is still lacking in description.
he wants to access a TS server on his LAN but........
a. does he mean from the perspective of other users on the internet
b. does he mean from behind the MIkcrotick
i. in which case just use the LANIP of the TS server LOL
ii. or is this another case of Hairpin crapolo which to me is complicating an easy direct lan to lan line already available.

Forget the OP, this thread is from 2009, only someone decided to resurrect it with similar problem.

And no, it's not so simple. Lets say you have two WANs, with addresses 1.2.3.4 and 2.3.4.5. You want to have internal webserver reachable using both addresses. So you add the usual dstnat rul and make sure that it works for both addresses. You can use your in-interface list, dst-address-list with those two addresses, add separate rule for each address, anything. But you'll find out that there's only one default route, lets say it the one on WAN1. If connection comes from there, reply will go there too and everything will work. But if connection comes from WAN2, reply will be send to WAN1 (because that's default route) and it won't work. And it's not a mistake, because asymmetric routing might be what user wants (but not with this kind of setup with two different ISPs). That's why router needs a hint, where the traffic should go to. It's what connection/route marking on PCC page is for.

Thanks SOB learned something new!
So one cannot Port Forward using Two ISPs in a fail over scenario, but one can when load balancing??

You can definitely use dstnat from two WAN's... you just have to make sure you mange/mark new incoming connections and use a marked routing table that will have a default route to the correct WAN. If you use fasttrack you will want to make sure you don't fasttrack the mangled connections.

Thanks SOB learned something new!
So one cannot Port Forward using Two ISPs in a fail over scenario, but one can when load balancing??

To extend @skuykend's answer a bit:

Both failover and load balancing are based on policy routing where you choose a specific routing table based on some criteria. For connections coming from the WAN side, the key is that they must get connection-marked at arrival and the connection-marking done by the load balancing rules must not override that.

The failover is kind of a secondary effect of load balancing if you include source port into the hash (because if a connection fails, a new attempt to establish it uses another source port so there is a good chance that it gets another connection mark).

If you use the other WAN as a backup route for each routing mark as you do in the "failover-only" setup, you can establish new outgoing connections over the "wrong" WAN while the "proper" one is down, but in such case they fail at the moment the proper WAN comes back to life. So it is hard to say which behaviour is more user-friendly.

For dst-nat connections there is no difference, they always fail as soon as the WAN through which they came in goes down.