Ugg. I have two issues I believe are partially related. I have a 2 WAN 1 LAN setup where I have static IPs on each WAN. Id like to be able to port forward from each WAN static IP to the same internal LAN server. I can get one or the other working. Im NOT trying to load balance or anything special other than dual wan port forwarding. We want to be able to reach a terminal server, for instance, by way of either WAN carrier. Im positive this is because Im an idiot with Mikrotik. Ive tried several suggestions in the forum for input chain marking but it didn't work either. I tried just entering 0.0.0.0/0 to Gate1 distance 1 and 0.0.0.0/0 to Gate2 distance 1 or 2, in either case, only one side will forward.

Related to this, I have a 3 WAN load balance setup at another location working perfect for its designed use. All three WANs have multiple static IPs but I have the same issue as above here too. I can get forwarding to work on WAN1 but not WAN2 or WAN3 unless I disable the other forward NATs and create new ones for one of the other WANs.

Would anyone be willing to make me a small copy and paste script to plunk in this test box and play with to get me started? Unfortunately I came from a point and click PFSense world and am trying to learn RouterOS under pressure.

Example:
WAN1 = 80.80.80.80/24 Gate = 80.80.80.1
WAN2 = 70.70.70.70/24 Gate = 70.70.70.1
LAN = 10.75.75.253/24
SERVER = 10.75.75.59 TCP 3389

Thanks,
Tim

First, the NAT rules:
Now, mark all connections coming into WAN1 as such, do the same for WAN2:
Set routing marks for all packets in those connections that come in from the LAN and go back out to the internet:
And lastly install some routers that fire for those routing marks to make sure the packets go back out the right pipe:

THANKS FOR THE QUICK REPLY! I plopped that in from scratch and now the server gets destination host unreachable trying to get out the router, but oddly enough, 3389 works from WAN2 but not from WAN1?? Any ideas there? I dumped everything else config wise so other than what you sent above and the IP Assignment, is there anything else I need? Masq. rules?
'
Thanks

Yes, you do need source NAT as well. If you dumped everything, you probably want to add something like:
Edit: since you probably also took out the routes when 'clearing everything else', you will also need:
That will prefer WAN1 over WAN2 for all traffic except the stuff we're specifically marking to go back out WAN2 because it came in through WAN2 in the first place.

Struck out again. Dumber question from your first post:
/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection

second line WAN1 a typo? Your comment was to do the same for wan2, could you elaborate a bit more on this section please.


Thanks
Tim

Yes, that's a typo.
should be
My bad. Also please see the post above yours for the edit - I was adding that in while you were posting your reply.

U rock! Are you for hire in any capacity?

trr.usa@gmail.com

It's working now?

And no - I suspect my wife would kill me if I actually hard committed more of my time than I already do to my job. Playing on forums is fine because I can drop it at any time...

It is working like a charm. However....dang theres always a however......I have a similar issue. From the outside, I can ping the WAN1 interface but not WAN2 unless I reverse the distance. Anyway around that? My monitoring system is spitting on me. 3389 works inbound over either link great though! Spot project work at your own pace?

Try adding this:
So far we were only applying routing marks to return traffic that flows through the router and came in through the LAN interface - that doesn't cover ICMP to the router itself. The above lines should fix that.

and while I have the Guru online, I have another issue I cant figure out in RouterOS and I guess its called hairpin NAT. In PFSense it was called NAT reflection. ....inside hosts trying to access services hosted internal across the wan. You any good with that? Even worse, the whole reason I bought another one of these RB750Gs was to just stick the servers behind that and clients route out the other one. all because I couldn't figure out that! But hey, $99.00 bucks verses another week of me screaming at the wall.

damn what i wouldn't give to borrow your brain for a few days! That worked. Pings from both WANs now.

Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Read this thread: http://forum.mikrotik.com/viewtopic.php?f=13&t=36548

It contains hairpin NAT discussions.

Anything similar for the Router itself outbound? If I try to ping from inside the router using WAN1, its happy, selecting WAN2, its not.

How exactly are you pinging?

winbox - tools - ping - choosing different interfaces to test.

Try

same results

Fewi,

I have been wondering why would you mark connection in the prerouting chain instead of input and forward. I understand that you save mangle rules by doing so, but if you follow the PCC wiki, they mark input chain only.

If you do dst-nat without adding any other rules than the one in this wiki, you would end up without dst-nat not working. To go around this I added some rule in the forward chain as follow
I guess both will work out, but is there any advantages of runnning one over the other?

Thank you

Hi, Guys
This solution looke really great, can anybody make a conclusion with description in WIKI?
Thanks Fewi.

Here is my configuration, the different is WAN connection type is PPPoE
10.0.0.0/24 is internal bridge1 address(bridged with LAN and WLAN), port 6661 on 10.0.0.3 is my testing port (by http://www.utorrent.com/testport?port=6661)
2 PPPoE lines with dynamic address assigned by same ISP
PPC load balancing stuff is exactly followed PCC wiki instruction step by step, and looks like it works
Except the port forwarding thing, I have a NAS running torrent client seeding to Private Trackers which need incoming traffic.
Can someone point me out what's wrong with my configuration?
Thanks in advance.

First, the NAT rules:

Code: Select all

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address=80.80.80.80 dst-port=3389 to-address=10.75.75.59
add chain=dstnat action=dst-nat in-interface=WAN2 dst-address=70.70.70.70 dst-port=3389 to-address=10.75.75.59

Now, mark all connections coming into WAN1 as such, do the same for WAN2:

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection 
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection 

Set routing marks for all packets in those connections that come in from the LAN and go back out to the internet:

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=LAN connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

And lastly install some routers that fire for those routing marks to make sure the packets go back out the right pipe:

Code: Select all

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=80.80.80.1
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=70.70.70.1

Hello,

I`ve already configured router as you wrote before. But I have a few questions.
First, I had 2 routes because i have 2 WANs. Wan route was for one WAN and the second route was for the second WAN. Failover was setuped with simplest method. For the first route I`ve enabled check gateway and set distance 1, for the second route I`ve set distance 2. Failover works great. But when I`ve set routing marks for this routes in generally for WAN1 I lsot connection to Internet in LAN. And until I`ve added third route to ISP1 without routing mark I have not connection to Internet from LAN. Why?

Second question, why I can`t connect by WAN2 to resources that shared on mikrotik, for example, winbox or pptp server? I can connect for another ports after NAT that shared on another computers. But all services on mikrotik available only on first WAN. And I think if WAN1 failed and mikrotik switch to WAN2, then winbox and pptp server will be available on WAN2. I`ve not tested it yet. But this situation was before mangle configuration..

Sorry for my English

First, the NAT rules:

Code: Select all

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address=80.80.80.80 dst-port=3389 to-address=10.75.75.59
add chain=dstnat action=dst-nat in-interface=WAN2 dst-address=70.70.70.70 dst-port=3389 to-address=10.75.75.59

Now, mark all connections coming into WAN1 as such, do the same for WAN2:

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection 
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection 

Set routing marks for all packets in those connections that come in from the LAN and go back out to the internet:

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=LAN connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

And lastly install some routers that fire for those routing marks to make sure the packets go back out the right pipe:

Code: Select all

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=80.80.80.1
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=70.70.70.1

Hello,

I`ve already configured router as you wrote before. But I have a few questions.
First, I had 2 routes because i have 2 WANs. Wan route was for one WAN and the second route was for the second WAN. Failover was setuped with simplest method. For the first route I`ve enabled check gateway and set distance 1, for the second route I`ve set distance 2. Failover works great. But when I`ve set routing marks for this routes in generally for WAN1 I lsot connection to Internet in LAN. And until I`ve added third route to ISP1 without routing mark I have not connection to Internet from LAN. Why?

Second question, why I can`t connect by WAN2 to resources that shared on mikrotik, for example, winbox or pptp server? I can connect for another ports after NAT that shared on another computers. But all services on mikrotik available only on first WAN. And I think if WAN1 failed and mikrotik switch to WAN2, then winbox and pptp server will be available on WAN2. I`ve not tested it yet. But this situation was before mangle configuration..

Sorry for my English

First, the NAT rules:

Code: Select all

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address=80.80.80.80 dst-port=3389 to-address=10.75.75.59
add chain=dstnat action=dst-nat in-interface=WAN2 dst-address=70.70.70.70 dst-port=3389 to-address=10.75.75.59

Now, mark all connections coming into WAN1 as such, do the same for WAN2:

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection 
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection 

Set routing marks for all packets in those connections that come in from the LAN and go back out to the internet:

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=LAN connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

And lastly install some routers that fire for those routing marks to make sure the packets go back out the right pipe:

Code: Select all

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=80.80.80.1
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=70.70.70.1

Hello,

I`ve already configured router as you wrote before. But I have a few questions.
First, I had 2 routes because i have 2 WANs. Wan route was for one WAN and the second route was for the second WAN. Failover was setuped with simplest method. For the first route I`ve enabled check gateway and set distance 1, for the second route I`ve set distance 2. Failover works great. But when I`ve set routing marks for this routes in generally for WAN1 I lsot connection to Internet in LAN. And until I`ve added third route to ISP1 without routing mark I have not connection to Internet from LAN. Why?

Second question, why I can`t connect by WAN2 to resources that shared on mikrotik, for example, winbox or pptp server? I can connect for another ports after NAT that shared on another computers. But all services on mikrotik available only on first WAN. And I think if WAN1 failed and mikrotik switch to WAN2, then winbox and pptp server will be available on WAN2. I`ve not tested it yet. But this situation was before mangle configuration..

Sorry for my English

I`ve already found an answer on the second question.

i did it before with a routeros version 5 and its running fine ( dual wan, port forwarding + failover using this examples )

now i bought a RG750

and i can't get this to work properly,

wan2 port forwarding doesnt work. but if i disconnect wan1 it switches and runs smoothly. the counter of packets raises when i try to join wan2 through port 8080 (webserver) from outside but it doesnt access the website.

my routeros version is: 6.18 / RG750

could it be the version?

Yes, that's a typo.

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN2_connection 

should be

Code: Select all

/ip firewall mangle
add chain=prerouting in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_connection 

My bad. Also please see the post above yours for the edit - I was adding that in while you were posting your reply.

hi, thanks for your help, but what if the WAN ip are DYNAMIC? i cant find a solution!!!, everyone uses static ip, why is so hard find a way for dynamic ISP?

my setup is one rb951 with pppoe-out1 at ether1 (bridge) and ether5 second wan (dhcp)
is this possible also for ip cloud with winbox (8291) to use just pppoe-1 for incoming connections for remote access?
if second wan is connected i have no access with winbox and ip cloud

Muito obrigado a TRRUSA e a todos que postaram o problema e discutiram aqui. Agradecimento especial ao Fewi que trouxe a solução para todos. Sou brasileiro e não encontrei nos fóruns nacionais uma solução tão direta simples e clara como esta. Passei este sdábado inteiro estudando RouterOS para solucionar um caso idêntico a este. Muito obrigado amigos.

Translation Google:

Many thanks to TRRUSA and everyone who posted the problem and discussed it here. Special thanks to Fewi who brought the solution for everyone. I am Brazilian and I did not find in the national forums a solution as direct and simple as this. I spent this entire Saturday studying RouterOS to solve a case identical to this one. Thank you very much friends.

Tchau