I am having difficulties to get a MT box itself to answer outside requests in case of dual WAN.
My setup is not exactly a dual WAN as described at http://wiki.mikrotik.com/wiki/Load_Bala ... e_Gateways, but quite similar to that.
I can get access to MT box itself only from that WAN where I am setting a regular default gateway to the Internet.
How to set second default gateway to point to second WAN so every request originating from that WAN side will get answer going back to the very same WAN connection?
I tried to catch those connections by connection marking, but that seems to work only on those connections traversing the MT box, but all connection attempts to the MT box itself will fail.
Re: How to gain access to MT box itself in case of dual WAN?
For connections destined to the router
For connections being forwarded to devices behind the router
In either case you need the appropriate routes in your routing table.
Code: Select all
add action=mark-connection chain=input comment="" disabled=no in-interface=ether1 new-connection-mark=input1_connection passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether2 new-connection-mark=input2_connection passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=input1_connection disabled=no new-routing-mark=to_outside1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=input2_connection disabled=no new-routing-mark=to_outside2 passthrough=yes
Code: Select all
add action=mark-connection chain=forward comment="" connection-state=new disabled=no in-interface=ether1 new-connection-mark=outside1_connection passthrough=no
add action=mark-connection chain=forward comment="" connection-state=new disabled=no in-interface=ether2 new-connection-mark=outside2_connection passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=no
Re: How to gain access to MT box itself in case of dual WAN?
Thanks feklar for the answer.It sure solves my problems too.
I can use now the Wiki articl and your "input" rules and still have access to routerboard.
I have posted here the same issue with no answers:
http://forum.mikrotik.com/viewtopic.php?f=13&t=48005
I can use now the Wiki articl and your "input" rules and still have access to routerboard.
I have posted here the same issue with no answers:
http://forum.mikrotik.com/viewtopic.php?f=13&t=48005
Re: How to gain access to MT box itself in case of dual WAN?
Thanks a lot!
Somehow the "forward" chain tracking for a port redirecting (dstnat) didn't work, but another "prerouting" rule pointing to interface ether1 did the trick for me:
Note: I have no second WAN rules here because I have another MT box dealing with it, just a plain default gateway is pointing to that internal LAN gateway.
As that issue is set behind us then another routing extension:
how to make MT itself to ignore default gateway setting and direct all connections originating from itself to go out from ether1 and not take default gateway route?
It should be possible to read out what to manipulate from the packet flow diagram (http://wiki.mikrotik.com/wiki/Manual:Packet_Flow), but I fail to read it. For example what stages will the IP packet go through (is it always prerouting, input, forward, output and postrouting? etc) or where lies the RouterOS application layer on these diagrams?
Somehow the "forward" chain tracking for a port redirecting (dstnat) didn't work, but another "prerouting" rule pointing to interface ether1 did the trick for me:
Code: Select all
add action=mark-connection chain=input comment="" disabled=no in-interface=ether1 new-connection-mark=input1_connection passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=input1_connection disabled=no new-routing-mark=to_outside1 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no in-interface=ether1 new-connection-mark=input1_connection passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=input1_connection disabled=no new-routing-mark=to_outside1 passthrough=noAs that issue is set behind us then another routing extension:
how to make MT itself to ignore default gateway setting and direct all connections originating from itself to go out from ether1 and not take default gateway route?
It should be possible to read out what to manipulate from the packet flow diagram (http://wiki.mikrotik.com/wiki/Manual:Packet_Flow), but I fail to read it. For example what stages will the IP packet go through (is it always prerouting, input, forward, output and postrouting? etc) or where lies the RouterOS application layer on these diagrams?
Re: How to gain access to MT box itself in case of dual WAN?
It's a basic extension of the rules I posted, but doing it in your case may cause some unintended consequences, this is because the basic rule will force everything from the router (output chain) out of a specific interface, and there are some things like broadcast traffic you may not want to do this for. It's easier and better to assign the gateway you want the router to use by default a higher priority if at all possible.As that issue is set behind us then another routing extension:
how to make MT itself to ignore default gateway setting and direct all connections originating from itself to go out from ether1 and not take default gateway route?
It should be possible to read out what to manipulate from the packet flow diagram (http://wiki.mikrotik.com/wiki/Manual:Packet_Flow), but I fail to read it. For example what stages will the IP packet go through (is it always prerouting, input, forward, output and postrouting? etc) or where lies the RouterOS application layer on these diagrams?
Code: Select all
/ip firewall mangle
add action=mark-connection chain=output comment="" new-connection-mark=output1 disabled=no passthrough=yes connection-state=new
/ip firewall nat
add action=src-nat chain=srcnat comment="" connection-mark=output disabled=no out-interface=ether1 to-addresses="Your WAN IP"
For the port forwarding rules, I actually have those as the last rules in my chain. If something else is firing before or after your forward rules, that is probably what is messing them up.