Hi all,
I am trying to get two IP addresses that are presented on the MT from two different ISP's to be natted to the same internal host, this is basically to provide redundancy! I have go it working in that the nat'ed addresses do work and I can contact the servers using these addresses, though I don't think the traffic is flowing back via the address / connection it was natted from and is using its standard route. Anybody any experience with this or any examples of the setup?
Thanks
Jamie
http://www.fusionmanageit.co.uk
Fusion IT Management Limited
Re: Inbound NAT, multiple ISP's traffic flow
Code: Select all
add action=mark-connection chain=forward comment="" \
connection-state=new disabled=no in-interface=WAN1 new-connection-mark=\
outside1_connection passthrough=no
add action=mark-connection chain=forward comment="" connection-state=new \
disabled=no in-interface=WAN2 new-connection-mark=outside2_connection \
passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=\
outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=\
no
add action=mark-routing chain=prerouting comment="" connection-mark=\
outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=\
no
Re: Inbound NAT, multiple ISP's traffic flow
I have been trying to make this work for ages and have tried the above solution too. It does not seem to work. I can only remote desktop from the default route. If I change the default route to the other wan interface, i can connect but not from the first. The only difference is that i do not masquarade each interface individually but more like this
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=NAT disabled=no out-interface=\
"!Lan Interface"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=NAT disabled=no out-interface=\
"!Lan Interface"
Re: Inbound NAT, multiple ISP's traffic flow
you need to mark connections, mark packets, and then mark routing. in your example below you are not marking packets, only connections, which is pretty much just the SYN packets.
Re: Inbound NAT, multiple ISP's traffic flow
Where you refering to my post? I just noted that i do not have a rule for each wan interface, i bundled them all together and i was nor sure if it made any differece.you need to mark connections, mark packets, and then mark routing. in your example below you are not marking packets, only connections, which is pretty much just the SYN packets.
Re: Inbound NAT, multiple ISP's traffic flow
add action=mark-connection chain=forward comment=\
"New packets from Wan Interfaces" connection-state=new disabled=no \
in-interface=ether2 new-connection-mark="New Incoming Eth2" passthrough=\
no
add action=mark-packet chain=prerouting comment="" connection-mark=\
"New Incoming Eth2" disabled=no new-packet-mark="New Incoming Eth2" \
passthrough=no
add action=mark-routing chain=prerouting comment=\
"New packets to Wan Interfaces" disabled=no new-routing-mark=\
"New Outgoing Eth2" packet-mark="New Incoming Eth2" passthrough=no
You mean something like this? This does not work too. Tried with connection-state=new and without it. Without it i noticed that the counters are exactly the same for packet mark and packet routing. I still cannot connect though.
Tried every possible variation with prerouting and forward.
"New packets from Wan Interfaces" connection-state=new disabled=no \
in-interface=ether2 new-connection-mark="New Incoming Eth2" passthrough=\
no
add action=mark-packet chain=prerouting comment="" connection-mark=\
"New Incoming Eth2" disabled=no new-packet-mark="New Incoming Eth2" \
passthrough=no
add action=mark-routing chain=prerouting comment=\
"New packets to Wan Interfaces" disabled=no new-routing-mark=\
"New Outgoing Eth2" packet-mark="New Incoming Eth2" passthrough=no
You mean something like this? This does not work too. Tried with connection-state=new and without it. Without it i noticed that the counters are exactly the same for packet mark and packet routing. I still cannot connect though.
Tried every possible variation with prerouting and forward.
Re: Inbound NAT, multiple ISP's traffic flow
change the first rule to prerouting. change all rules to passthru=yes
Sam
Sam
Re: Inbound NAT, multiple ISP's traffic flow
Tried that. Seems to work, but:
1. I cannot access the gateway itself. If I exclude the gateway's ip from the first rule, then I can access it. Any thoughts on this?
2. If the default route is down, it stops working.
1. I cannot access the gateway itself. If I exclude the gateway's ip from the first rule, then I can access it. Any thoughts on this?
2. If the default route is down, it stops working.
Re: Inbound NAT, multiple ISP's traffic flow
did you basically duplicate your main routing table in the 'New Outgoing Eth2' routing table? you need to add the connected routes into that table as well as the alternate default gateway. I think you might also need a single mangle output chain rule to catch the traffic from the router itself (pings to router).
Re: Inbound NAT, multiple ISP's traffic flow
i guess its time for me to make a screen video and post it : )
Re: Inbound NAT, multiple ISP's traffic flow
add action=mark-connection chain=input comment="New connections from Wan Interfaces" disabled=no in-interface=ether2 new-connection-mark="New Incoming Eth2" \
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether4 new-connection-mark="New Incoming Eth4" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether5 new-connection-mark="New Incoming Eth5" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether6 new-connection-mark="New Incoming Eth6" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether7 new-connection-mark="New Incoming Eth7" passthrough=yes
add action=mark-routing chain=output comment="New Connections to Wan Interfaces" connection-mark="New Incoming Eth2" disabled=no new-routing-mark=\
"New Outgoing Eth2" passthrough=no
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth4" disabled=no new-routing-mark="New Outgoing Eth4" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth5" disabled=no new-routing-mark="New Outgoing Eth5" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth6" disabled=no new-routing-mark="New Outgoing Eth6" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth7" disabled=no new-routing-mark="New Outgoing Eth7" passthrough=no
With this set of rules I can connect to microtik itself from all wan interfaces
This is the route table
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-mark="New Outgoing Eth2" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.254 routing-mark="New Outgoing Eth4" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 routing-mark="New Outgoing Eth5" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.254 routing-mark="New Outgoing Eth6" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.254 routing-mark="New Outgoing Eth7" scope=30 target-scope=\
10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark="Server Traffic" scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 routing-mark=HTTP scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark="Online Games" scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark=ICMP scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.5.254 scope=30 target-scope=10
When 194.30.234.129 gateway is down 192.168.5.254 gateway takes over. 192.168.1.254,192.168.3.254 etc gateways are adsl modems
194.30.234.129 is a bridged cisco leased line with static ips (no natting)
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether4 new-connection-mark="New Incoming Eth4" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether5 new-connection-mark="New Incoming Eth5" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether6 new-connection-mark="New Incoming Eth6" passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether7 new-connection-mark="New Incoming Eth7" passthrough=yes
add action=mark-routing chain=output comment="New Connections to Wan Interfaces" connection-mark="New Incoming Eth2" disabled=no new-routing-mark=\
"New Outgoing Eth2" passthrough=no
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth4" disabled=no new-routing-mark="New Outgoing Eth4" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth5" disabled=no new-routing-mark="New Outgoing Eth5" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth6" disabled=no new-routing-mark="New Outgoing Eth6" passthrough=yes
add action=mark-routing chain=output comment="" connection-mark="New Incoming Eth7" disabled=no new-routing-mark="New Outgoing Eth7" passthrough=no
With this set of rules I can connect to microtik itself from all wan interfaces
This is the route table
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-mark="New Outgoing Eth2" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.254 routing-mark="New Outgoing Eth4" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 routing-mark="New Outgoing Eth5" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.254 routing-mark="New Outgoing Eth6" scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.254 routing-mark="New Outgoing Eth7" scope=30 target-scope=\
10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark="Server Traffic" scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 routing-mark=HTTP scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark="Online Games" scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=194.30.234.129 routing-mark=ICMP scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.254 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.5.254 scope=30 target-scope=10
When 194.30.234.129 gateway is down 192.168.5.254 gateway takes over. 192.168.1.254,192.168.3.254 etc gateways are adsl modems
194.30.234.129 is a bridged cisco leased line with static ips (no natting)
Re: Inbound NAT, multiple ISP's traffic flow
Hello, although this is very old post I have an identical scenario with the same rules and the NAT does not work.
I have two ISP connected to mikrotik and NAT to several different servers on the LAN. As described "infidel" just above: "If I change the default route to the other wan interface, i can connect but not from the first" ......
The rules:
Routing Table:
NAT:
Mikrotik v5.24 on RB-751G-2HnD. I hope some help!
Thanks in advance.
I have two ISP connected to mikrotik and NAT to several different servers on the LAN. As described "infidel" just above: "If I change the default route to the other wan interface, i can connect but not from the first" ......
The rules:
Code: Select all
/ip firewall mangle
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=pppoe-wan2 new-connection-mark=pppoe_forward passthrough=yes
add action=mark-routing chain=prerouting connection-mark=in_pppoe_forward disabled=no in-interface=bridge-local new-routing-mark=pppoe_forward \
passthrough=no
add action=mark-connection chain=input disabled=no in-interface=pppoe-wan2 new-connection-mark=pppoe-wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-wan2 disabled=no new-routing-mark=in_pppoe-wan2 passthrough=no
Code: Select all
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=62.xxx.xxx.x routing-mark=in_pppoe-wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=62.xxx.xxx.x routing-mark=to_pppoe_forward scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=62.xxx.xxx.x scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=217.xxx.xxx.1 scope=30 target-scope=10 Code: Select all
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=22 protocol=tcp src-address-list=arminet to-addresses=\
192.168.4.10 to-ports=22
Thanks in advance.
Re: Inbound NAT, multiple ISP's traffic flow
The problem is resolved. Under those rules had mangle for QoS and other one was particularly crushing the mark-connection and mark-route is not applied.
Best regards.
Best regards.