invader zog
Frequent Visitor
Topic Author
Posts: 84
Joined: Wed Jan 03, 2007 9:04 pm

can't get destination NAT working when dual homed...

Tue Jun 26, 2007 8:28 am

Scenario: we have a T1 and a DSL connection. I want to enable destination nat on both external IPs to an internal mail server. The DSL connection and T1 are set up as gateways (i.e. via a route to destination 0.0.0.0) with the DSL connection having a lower distance. I plan on configuring some machines to use the T1 connection via a mangle route-mark rule while the rest use the DSL connection as the default. The machine with the mail server is not part of this rule and sends out traffic over the DSL line by default.

Problem: DNAT works fine when coming in via the DSL connection. However, when I come in via the T1 connection, I don't get a response.

I set up mangle/prerouting rules for:

1. Interface: T1, connection state: new, action = mark connection: T1, passthrough=y
2. Interface: T1, connection state: new, action = mark routing: T1, passthrough=n
3. Interface: DSL, connection state: new, action = mark connection: DSL, passthrough=y
4. Interface: DSL, connection state: new, action = mark routing: DSL, passthrough=n

I already have a pair of src-nat rules:

1. src-address:10.1.0.0/16, out-interface: DSL, action=src-nat to:x.x.x.x
2. src-address:10.1.0.0/16, out-interface: T1, action=src-nat to:y.y.y.y

I tried adding each of the following src-nat rules before these rules:

src-address:10.1.0.0/16, routing mark=t1, action=src-nat to:y.y.y.y
src-address:10.1.0.0/16, connection mark=t1, action=src-nat to:y.y.y.y

and neither seems to ever show a hit for bytes/packets.

I also played with trying to add a route rule:

route destination: 0.0.0.0 gateway=z.z.z.z mark=t1 preferred source=y.y.y.y

but this doesn't work either...

I've read through the wikis and searched the board... I'm obviously not understanding something fundamental.. any help would be appreciated...
 
invader zog
Frequent Visitor
Topic Author
Posts: 84
Joined: Wed Jan 03, 2007 9:04 pm

Re: can't get destination NAT working when dual homed...

Tue Jun 26, 2007 9:44 am

After who-knows-how-many hours, I finally got it working. I had to add a ton of logging statements through every possible chain to figure it out. *sigh*

solution:

mangle pre-routing: interface: t1 action: mark connection: t1
mangle pre-routing: interface: dsl action: mark connection: dsl
mangle pre-routing: interface: private action: mark routing: t1
mangle pre-routing: interface: private action: mark routing: dsl

routes:
destination: 0.0.0.0 routing mark: t1 gateway: y.y.y.y
destination: 0.0.0.0 routing mark: dsl gateway: x.x.x.x
 
mambotech
Member Candidate
Posts: 112
Joined: Thu Jun 08, 2006 6:20 pm

Re: can't get destination NAT working when dual homed...

Tue Jun 26, 2007 4:55 pm

hi,

I understand what you have done but I am not sure what this interface points to:

mangle pre-routing: interface: private action: mark routing: t1
mangle pre-routing: interface: private action: mark routing: dsl



Thanks Mark
 
invader zog
Frequent Visitor
Topic Author
Posts: 84
Joined: Wed Jan 03, 2007 9:04 pm

Re: can't get destination NAT working when dual homed...

Wed Jun 27, 2007 12:39 am

hi,

I understand what you have done but I am not sure what this interface points to:

mangle pre-routing: interface: private action: mark routing: t1
mangle pre-routing: interface: private action: mark routing: dsl

Thanks Mark
I have three interfaces: DSL (x.x.x.x), T1 (y.y.y.y), and Private (z.z.z.z)

When destination NAT comes in on the non-default gateway, this rule marks the response packets (i.e. HTTP response, SMTP response, etc) with the routing rule so that they go out through the correct interface...

I ended up adding the following NAT/src-nat rules to the config I described above:

Src address: z.z.z.z out interface: T1 routing mark: t1 action:src-nat to address: y.y.y.y
Src address: z.z.z.z out interface: DSL routing mark: dsl action:src-nat to address: x.x.x.x

I need to do some more testing, but so far this seems to be working fine...
 
mambotech
Member Candidate
Posts: 112
Joined: Thu Jun 08, 2006 6:20 pm

Re: can't get destination NAT working when dual homed...

Wed Jun 27, 2007 9:00 am

Hi, can you post your syntax for adding the rules? I tried the one below, but when I enable the routes I lose my internet connection and I am not sure why.

/ip firewall mangle
add chain=prerouting in-interface=l2tp-pip \
    action=mark-connection \
    new-connection-mark=in-pip-conn passthrough=yes \
    disabled=yes
add chain=prerouting connection-mark=in-pip-conn \
    action=mark-packet new-packet-mark=in-pip-packet \
    passthrough=yes disabled=yes
add chain=prerouting packet-mark=in-pip-packet \
    action=mark-routing new-routing-mark=out-pip \
    passthrough=yes disabled=yes

Mark the connection, then mark the packets, then mark routing. Then, in your routing table, reproduce what you need for WAN2 (include connected routes as well). Add a route rule also (some versions need this, some don't):

/ ip route rule
add routing-mark=out-pip action=lookup table=out-pip \
    disabled=no


Thanks Mark
 
invader zog
Frequent Visitor
Topic Author
Posts: 84
Joined: Wed Jan 03, 2007 9:04 pm

Re: can't get destination NAT working when dual homed...

Wed Jun 27, 2007 9:29 am

I did everything through the GUI....

I didn't mark individual packets -- i.e. I did a mark connection and mark routing.

I also didn't use a routing lookup table. I just set up routes that are activated when a routing mark is present (i.e. just add the route in the GUI as if it were a route for everything, then enter the routing mark in the field...).
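Since the thread ends with a request for the CLI syntax and the original poster only worked in the GUI, here is the complete dual-WAN configuration described across the solution post and the later src-nat additions, written out as RouterOS CLI. This is an added example, not anything posted in the thread. Interface names (ether1-dsl, ether2-t1, ether3-lan), the public addresses (203.0.113.x for the DSL side, 198.51.100.x for the T1 side), the LAN prefix 10.1.0.0/16 and the mail server address 10.1.0.25 are all assumed, and the syntax is RouterOS v6 style. The core of the fix is the same as in the thread: remember which WAN a new inbound connection arrived on, and route the LAN's reply packets for that connection back out the same WAN instead of letting them follow the default route. The example departs from the posted rules in one way: the mark-routing rules match on connection-mark rather than on the private interface alone, so LAN-originated traffic that has no mark keeps using the main table.

```routeros
# Added example (not from the thread). Assumed names and addresses:
#   WAN1: ether1-dsl  203.0.113.2/24, gateway 203.0.113.1  (preferred default)
#   WAN2: ether2-t1   198.51.100.2/24, gateway 198.51.100.1
#   LAN:  ether3-lan  10.1.0.0/16, mail server 10.1.0.25

/ip firewall mangle
# 1. Tag new inbound connections with the WAN they arrived on. Mangle
#    prerouting runs before dst-nat, so dst-address-type=local still
#    matches the router's own public address (the DNAT target) here,
#    and only connections aimed at the router are tagged.
add chain=prerouting in-interface=ether1-dsl connection-state=new \
    dst-address-type=local action=mark-connection \
    new-connection-mark=from-dsl passthrough=no
add chain=prerouting in-interface=ether2-t1 connection-state=new \
    dst-address-type=local action=mark-connection \
    new-connection-mark=from-t1 passthrough=no
# 2. Reply packets from the LAN belong to the tagged connection; give
#    them a routing mark so they leave via the WAN they came in on.
#    Unmarked LAN traffic falls through and uses the main table.
add chain=prerouting in-interface=ether3-lan connection-mark=from-dsl \
    dst-address-type=!local action=mark-routing \
    new-routing-mark=via-dsl passthrough=no
add chain=prerouting in-interface=ether3-lan connection-mark=from-t1 \
    dst-address-type=!local action=mark-routing \
    new-routing-mark=via-t1 passthrough=no

/ip route
# Main table: DSL preferred, T1 only if the DSL route disappears.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2
# Defaults consulted only for packets carrying the matching routing mark.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-dsl
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-t1

/ip firewall nat
# Inbound SMTP on either public address is forwarded to the mail server.
add chain=dstnat in-interface=ether1-dsl protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=10.1.0.25
add chain=dstnat in-interface=ether2-t1 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=10.1.0.25
# Outbound: translate to the address of whichever WAN the packet
# actually leaves on, so replies routed via T1 carry the T1 address.
add chain=srcnat src-address=10.1.0.0/16 out-interface=ether1-dsl \
    action=src-nat to-addresses=203.0.113.2
add chain=srcnat src-address=10.1.0.0/16 out-interface=ether2-t1 \
    action=src-nat to-addresses=198.51.100.2

/ip firewall filter
# Minimal stateful forward chain: the mangle rules above only steer
# return traffic; they do not open anything. Only the DNAT'd SMTP
# flows and LAN-originated traffic are allowed through.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether3-lan action=accept
add chain=forward dst-address=10.1.0.25 protocol=tcp dst-port=25 \
    action=accept
add chain=forward action=drop
```

Two practical notes. The connection marks are applied with connection-state=new and passthrough=no, so each inbound connection is classified exactly once and the rule counters (which the original poster used to diagnose the problem) show hits on exactly one of the two rules per connection; if a counter stays at zero, that WAN's traffic is not reaching the mangle rule and the route or NAT rules are not the place to look. On RouterOS v7 the per-mark routes are written differently: create each table first with `/routing table add name=via-dsl fib` (and likewise for via-t1), then use `routing-table=via-dsl` instead of `routing-mark=via-dsl` on the `/ip route` entries; the mangle and NAT rules are unchanged.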
