Community discussions

MikroTik App
  4. RouterOS
  5. General

Multi-WAN dynamic IP port forwarding

Post Reply
 
yinxiangyn
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 53
Joined: Mon May 31, 2010 3:14 pm

Multi-WAN dynamic IP port forwarding

Sun Jul 25, 2010 4:44 pm

hi all
Port forwarding only works in Single-line??
I use 5-line load balancing, and sometimes find the port forwarding is not working properly(download software, sometimes the red light on)
Please tell me how to set up is correct, or ignore the red light?
Thanks
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out3
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out4
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out5
add action=dst-nat chain=dstnat disabled=no dst-port=9364-9366 protocol=tcp \
    to-addresses=192.168.13.19 to-ports=9364-9366
add action=dst-nat chain=dstnat disabled=no dst-port=9364-9366 protocol=udp \
    to-addresses=192.168.13.19 to-ports=9364-9366
add action=dst-nat chain=dstnat disabled=no dst-port=23920 protocol=tcp \
    to-addresses=192.168.13.19 to-ports=23920
add action=dst-nat chain=dstnat disabled=no dst-port=23920 protocol=udp \
    to-addresses=192.168.13.19 to-ports=23920
You do not have the required permissions to view the files attached to this post.
Top
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Multi-WAN dynamic IP port forwarding

Sun Jul 25, 2010 10:28 pm

That setup is correct, though you should add 'dst-address-type=local' to those rules.
Top
 
yinxiangyn
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 53
Joined: Mon May 31, 2010 3:14 pm

Re: Multi-WAN dynamic IP port forwarding

Mon Jul 26, 2010 4:24 pm

That setup is correct, though you should add 'dst-address-type=local' to those rules.
Thank you fewi, I added
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out3
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out4
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out5
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=\
    9364-9366 protocol=tcp to-addresses=192.168.13.19 to-ports=9364-9366
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=\
    9364-9366 protocol=udp to-addresses=192.168.13.19 to-ports=9364-9366
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=\
    23920 protocol=tcp to-addresses=192.168.13.19 to-ports=23920
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=\
    23920 protocol=udp to-addresses=192.168.13.19 to-ports=23920
Top
 
yinxiangyn
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 53
Joined: Mon May 31, 2010 3:14 pm

Re: Multi-WAN dynamic IP port forwarding

Mon Jul 26, 2010 4:59 pm

@fewi
when you have time
1.Can you tell me why add 'dst-address-type=local' ,because of security reasons?
2.In addition, about load balancing, I would like to ask some questions,Hope you give me some guidance.
Code: Select all
add action=mark-connection chain=input disabled=no in-interface=pppoe-out1 \
    new-connection-mark=pppoe-out1_conn passthrough=yes

add action=mark-routing chain=output connection-mark=pppoe-out1_conn \
    disabled=no new-routing-mark=to_pppoe-out1 passthrough=yes

add action=mark-connection chain=prerouting disabled=no dst-address-type=\
    !local in-interface=LAN-1 new-connection-mark=pppoe-out1_conn \
    passthrough=yes per-connection-classifier=both-addresses:5/0

add action=mark-routing chain=prerouting connection-mark=pppoe-out1_conn \
    disabled=no in-interface=LAN-1 new-routing-mark=to_pppoe-out1 \
    passthrough=yes
I use the "both-addresses" type of load balancing,Everything works fine.
If I use the "both-addresses and both-port" type of load balancing will lead to failure to access some Forum Login,Similar NTH.
my settings are not correct?

Thank you
Regards
Top
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Multi-WAN dynamic IP port forwarding

Mon Jul 26, 2010 5:18 pm

1.Can you tell me why add 'dst-address-type=local' ,because of security reasons?
You're port forwarding, so you should only destination NAT connections that initially were destined to a router IP address (dst-address-type=local). Otherwise you risk that a client behind the router connecting out to the Internet randomly chooses one of those ports to initiate a connection to, say, a webserver. The destination NAT rule you had would have taken that connection and port forwarded it, leading to connection failure on the client.
I use the "both-addresses" type of load balancing,Everything works fine.
If I use the "both-addresses and both-port" type of load balancing will lead to failure to access some Forum Login,Similar NTH.
my settings are not correct?
This explains the difference between settings: http://wiki.mikrotik.com/wiki/How_PCC_w ... eginner%29

The forum you're using probably keeps state over connections using something other than cookies. Using a different PCC algorithm leads to you being seen by the forum as having different IP addresses, which leads to a failure.
Top
 
yinxiangyn
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 53
Joined: Mon May 31, 2010 3:14 pm

Re: Multi-WAN dynamic IP port forwarding

Mon Jul 26, 2010 5:48 pm

Thank you very much :)
I will gradually learn to understand it.
Top
 
User avatar
kimssky
just joined
Posts: 23
Joined: Sat Jan 02, 2010 1:13 am

Re: Multi-WAN dynamic IP port forwarding

Fri May 27, 2011 6:39 pm

Tnx! :wink:
Top
Post Reply

Who is online

Users browsing this forum: baks, Elvis1991 and 93 guests
  4. RouterOS
  5. General