I have a routerboard 1000 running version 5.12. I have quite a bit of experience with mikrotik but this is the first time I’ve tried to use the stateful connection tracking feature. I am trying to setup failover with two internet connections (labeled WAN-DSL and WAN-SC) but with a couple of caveats.

I want to:
1. Use WAN-DSL as primary connection for my LAN (10.0.0.0/24).
2. Failover to WAN-SC upon failure of WAN-DSL.
3. Assign traffic from a specific host (10.0.0.252) to always use WAN-SC.
4. Dst-nat (port-forward) tcp 3389 traffic to an internal host (10.0.0.12) over WAN-DSL.
5. Dst-nat (port-forward) tcp 3389 traffic to same internal host also over WAN-SC.

After going over tutorials and how-tos on the Internet, I have a basic configuration setup. However it does not work yet, and need some input on whether I am approaching this from the correct angle.

Mangle rules: NAT rules:
Here is my theory behind this:

1. Use mangle rules to mark any connections coming into each WAN connection (input chain).
2. Mark any connections from 10.0.0.252 with the WAN-SC-connections mark (prerouting chain). This rule is currently disabled. It doesn’t work when I enable it, I think due to the issue I am having with the routing marks.
3. Mark everything else from the LAN with the WAN-DSL-connections mark (prerouting chain).
4. On our output chain set a unique routing mark that corresponds with each of the two connection marks.
5. Set the gateway for each default route based on routing-mark and let each interface masquerade rule NAT the traffic.

I have two default routes with the ping probe enabled (one going to each provider), with the WAN-SC set to a higher distance (for the failover function). However when I try to set each default route to use its respective routing-mark (to-WAN-X), traffic just seems to be dropped and I get no traffic flow. Everything seems to be getting marked properly, but the routing table does not seem to be honoring the routing-marks.

Does anyone have any ideas why this isn’t working properly? Am I approaching this problem with the correct method? Thanks

I want to:
1. Use WAN-DSL as primary connection for my LAN (10.0.0.0/24).
2. Failover to WAN-SC upon failure of WAN-DSL.

This can be easily done without any routing marks. Just make sure you have two default routes in your main routing table pointing to two ISPs with different distances.

3. Assign traffic from a specific host (10.0.0.252) to always use WAN-SC.

Now you should create another routing table (routing-mark=to-WAN-SC) with only the default route pointing to WAN-SC. Don't remove it from the main table hovewer, create a duplicate. Also you should mark outgoing packets from src-address=10.0.0.252 with routing-mark=to-WAN-SC in the prerouting mangle chain. No need to mark connections here.

4. Dst-nat (port-forward) tcp 3389 traffic to an internal host (10.0.0.12) over WAN-DSL.
5. Dst-nat (port-forward) tcp 3389 traffic to same internal host also over WAN-SC.

Now you should remember the interface from which each connection was originated, and use connection marks for that. But mark only those connections, that were originated from WAN-SC. Then mark needed outgoing packets with a routing-mark. Do it in the prerouitng mangle chain like this:

NAT rules:

Code: Select all

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=10.0.0.12 protocol=tcp in-interface=WAN-DSL dst-port=3389 
 1   chain=dstnat action=dst-nat to-addresses=10.0.0.12 protocol=tcp in-interface=WAN-SC dst-port=3389 
 2   chain=srcnat action=masquerade out-interface=WAN-SC connection-mark=WAN-SC-connections
 3   chain=srcnat action=masquerade out-interface=WAN-DSL connection-mark=WAN-DSL-connections

Remove connection-marks from NAT rules. Simplified version:

1. Use mangle rules to mark any connections coming into each WAN connection (input chain).

You misuse the input chain. It's only used for packets going to the router itself. Similarly, the output chain is only used for packets originating from the router itself. For packets going from one interface to another you should use the forward chain.

Most excellent. It seems I was trying to over complicate things. Thanks very much for your clear explanation, it seems to be working perfectly.

Thanks again