MikroTik

Hello everybody,
I've been searching about my problem here, but unfortunately any topic could help me, I've tried everything that I found.
So, my current scenario is: Link!!

Wan1 = 1.1.1.1
Wan2 = 2.2.2.2
Server= 192.168.0.2

What I need is:

• The server (192.168.0.2) has nat rule to forward 3389 port, this rule must be available through both links

• My mikrotik need to be available through both links as well (web and winbox access)

At this time, I just trying to make the Wan2 work in parallel.
Here are my rules:

Mangle
0 chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=eth4_Wan_Net log=yes
1 chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=no connection-mark=wan2_conn out-interface=eth4_Wan_Net log=yes
2 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=no connection-state=new connection-mark=no-mark in-interface=eth4_Wan_Net log=no
3 chain=prerouting action=mark-routing new-routing-mark=to_wan2 passthrough=no connection-mark=wan2_conn in-interface=eth7 log=no

Route
0 A S ;;; WAN1_route-mark
dst-address=0.0.0.0/0 gateway=WAN1_GW gateway-status=WAN1_GW reachable via WAN1 check-gateway=ping distance=10 scope=30 target-scope=10 routing-mark=to_wan1
1 A S ;;; WAN2_route-mark
dst-address=0.0.0.0/0 gateway=WAN2_GW gateway-status=WAN2_GW reachable via WAN2 check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_wan2
2 A S ;;; WAN1_main route
dst-address=0.0.0.0/0 gateway=WAN1_GW gateway-status=WAN1_GW reachable via WAN1 check-gateway=ping distance=1 scope=30 target-scope=10
3 S ;;; WAN2_secondary
dst-address=0.0.0.0/0 gateway=WAN2_GW gateway-status=WAN2_GW reachable via WAN2 check-gateway=ping distance=2 scope=30 target-scope=10

NAT
25 ;;;
chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=3389 protocol=tcp in-interface=wan2 dst-port=3389 log=no log-prefix=""

Somebody could help me!??

And what exactly doesn't work?

On first look, access to router should work from WAN1 and if you remove out-interface=eth4_Wan_Net from mangle rule #2, it should then work for WAN2 too. Dstnat for RDP port is limited to WAN2, so either duplicate the rule for WAN1, or replace in-interface=wan2 with dst-address-type=local.

And what exactly doesn't work?

On first look, access to router should work from WAN1 and if you remove out-interface=eth4_Wan_Net from mangle rule #2, it should then work for WAN2 too. Dstnat for RDP port is limited to WAN2, so either duplicate the rule for WAN1, or replace in-interface=wan2 with dst-address-type=local.

Sob, sorry it was my mess during typing.
Where there is eth4_Wan_Net, is suppose to be Wan2. I've just changed to make it simple for you understand.
So forget about this. (Wan2 = eth4_Wan_Net)
About NAT, yes when I duplicate it works on Wan1, but Wan2 still not working.

What's happening, the connection just doesn't happen.
I can see the in packets counters increasing when I try to connect, but fail with timeout connection error.

Is there anything else I can do?

Read this: viewtopic.php?f=2&t=102483&p=509070&hilit=port#p508981
and setup proper rules for both WANs.

Read this: viewtopic.php?f=2&t=102483&p=509070&hilit=port#p508981
and setup proper rules for both WANs.

Thanks, I will.

Analyzing with Torch, I found something that is strange.
The traffic arrives in WAN2_interface, but it doesn't arrive in DMZ_interface (which is where the server is plugged).
Even if I disable mangles rules, the traffic still not arriving in DMZ_interface.
It seems like if the router doesn't know where this network is.

Or it can be blocked by firewall filter.

Or it can be blocked by firewall filter.

No, there is no rule blocking!
And to make sure, I have created a filter rule, that log traffic foward on port 3389 to my server IP, but no packets were registered.
But, when I make a connection to the server from local network, the packets were registered in filter rule.

If you suspect that router might be getting lost in different routing tables, you can use rules like this, to make sure that it uses the right one for selected destination:

If you suspect that router might be getting lost in different routing tables, you can use rules like this, to make sure that it uses the right one for selected destination:

Code: Select all

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main

No success

Listed below are the log about prerouting rule.:
15:59:11 firewall,info prerouting: in:eth4_Wan_Net out:(none), src-mac 94:87:7c:3a:8c:a1, proto TCP (SYN), REMOTE_IP:51401->WAN2_IP:3389, len 52
15:59:14 firewall,info prerouting: in:eth4_Wan_Net out:(none), src-mac 94:87:7c:3a:8c:a1, proto TCP (SYN), REMOTE_IP:51401->WAN2_IP:3389, len 52

This reminds me of something... did you by any chance do anything in "/ip settings", specifically with "rp-filter" option?

This reminds me of something... did you by any chance do anything in "/ip settings", specifically with "rp-filter" option?

I don't, at least.
But here are my confs:
ip-forward: yes
send-redirects: yes
accept-source-route: no
accept-redirects: no
secure-redirects: yes
rp-filter: strict
tcp-syncookies: no
max-neighbor-entries: 8192
arp-timeout: 30s
icmp-rate-limit: 10
icmp-rate-mask: 0x1818
route-cache: yes
allow-fast-path: yes
ipv4-fast-path-active: no
ipv4-fast-path-packets: 0
ipv4-fast-path-bytes: 0
ipv4-fasttrack-active: no
ipv4-fasttrack-packets: 0
ipv4-fasttrack-bytes: 0

rp-filter: strict

That's it, try "loose".

rp-filter: strict

That's it, try "loose".

Maaan you are the best!!!
I've just switched to loose and it works!!!

Thanks a lot Sob

Any suggestions on what LOG Settings will catch the RP Filter that was on strict ?

Tnx