MikroTik

Posted: **Thu Jan 18, 2018 7:33 pm**

I have a RB CCR1036-12G-4S and i need a precious help to configure correctly the PCC and the NAT and no have troubles like lost packages, SIP voice in only one way, etc

I'm have 2 WANs and 3 LANs

WAN1: 10.1.1.1/24 ISP1
WAN2: 10.2.2.2/24 ISP2

LAN1: 192.168.50.0/16 Users computers
LAN2: 192.168.1.0/24 Server Web/SSH
LAN3: 192.168.100.0/24 (Asterisk and IP Phones)

My objective to finish my setup are focused on Firewall rules (Mangel and NAT)

redirect incoming traffic in wan1 and wan2 to the local server

/ip firewall nat add chain=dstnat protocol=tcp dst-port=2222 in-interface=WAN1 action=dst-nat to-addresses=192.168.1.10 to-ports=22
/ip firewall nat add chain=dstnat protocol=tcp dst-port=2222 in-interface=WAN2 action=dst-nat to-addresses=192.168.1.10 to-ports=22
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface=WAN1 action=dst-nat to-addresses=192.168.1.10 to-ports=80
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface=WAN2 action=dst-nat to-addresses=192.168.1.10 to-ports=80

/ip firewall nat add chain=dstnat protocol=udp dst-port=5060-5061 in-interface=WAN2 action=dst-nat to-addresses=192.168.100.100 to-ports=5060-5061

what comes from wan1, gets out from wan1

/ip firewall mangle add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_connection passthrough=yes disabled=no comment="in wan1,out wan1"
/ip firewall mangle add action=mark-routing chain=output connection-mark=WAN1_connection new-routing-mark=to_WAN1 passthrough=no disabled=no comment="in wan1,out wan1"

what comes from wan2, gets out from wan2

/ip firewall mangle add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_connection passthrough=yes disabled=no comment="in wan2,out wan2"
/ip firewall mangle add action=mark-routing chain=output connection-mark=WAN2_connection new-routing-mark=to_WAN2 passthrough=no disabled=no comment="in wan2,out wan2"

port forwards from wan1, gets out from wan1

/ip firewall mangle add action=mark-connection chain=forward in-interface=WAN1 connection-state=new new-connection-mark=WAN1_pfw passthrough=no disabled=no comment="pfw wan1, out wan1"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface-list=LANs connection-mark=WAN1_pfw new-routing-mark=to_WAN1 passthrough=no disabled=no comment="pfw wan1, out wan1"

port forwards from wan2, gets out from wan2

/ip firewall mangle add action=mark-connection chain=forward in-interface=WAN2 connection-state=new new-connection-mark=WAN2_pfw passthrough=no disabled=no comment="pfw wan2, out wan2"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface-list=LANs connection-mark=WAN2_pfw new-routing-mark=to_WAN2 passthrough=no disabled=no comment="pfw wan2, out wan2"

routing rules for to_WAN1 and to_WAN2

/ip route add dst-address=0.0.0.0/0 gateway=WAN1 distance=1 routing-mark=to_WAN1 disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=WAN2 distance=1 routing-mark=to_WAN2 disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=WAN1 distance=1 disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=WAN2 distance=2 disabled=no

PROBLEMS

# Remote connections to web server going fine
# SSH connections have some troubles, sniffing the traffic see the follow extrange things, the connections are take a lot of time to complete the connection from WAN2, inclusive for WAN1 in some cases

TCP	125	[TCP Dup ACK 2121#1] 22 → 34577 [ACK] Seq=1 Ack=49 Win=173 Len=0 TSval=187060543 TSecr=8649041 SLE=97 SRE=145
TCP	113	[TCP Retransmission] 22 → 59824 [FIN, ACK] Seq=2593 Ack=2514 Win=196 Len=0 TSval=187080587 TSecr=8649921

The The VOIP call no works (incoming/outgoing) or are cutted after 5 seconds
The Firewall -> service ports -> SIP is disabled

OBJETIVES

1- Good natting for ssh and web services, in:WAN1/out:WAN1 and in:WAN2/out:WAN2
2- Load balance of outgoing connections of LAN1 to take advantage of my two FO connections
3- The LAN3 Voip server and sip-phones ever outgoinn/incoming from WAN2

Thanks for all help than can give to me.

Posted: **Thu Jan 25, 2018 1:59 pm**

The problem was solved and now all works like a charm

i expose the solution if anyone have the same trouble balancing 2 or more WANs and have 2 or more LANs with nating ports from outside and have a VoIP server inside outgoing for a unique WAN

1- the first is remove the rules of fastrack in /firewall filter because the fastrack mark connections and this cause troubles with your mangle marks (pcc), you need to reboot the router to see than the dummies rules disappear from your config.

2- if you have for example 2 WANs, the most common configuration of routes says, than you have 2 routes with mark connections like to_WAN1 to_WAN2 and another 2 rules for the rest of the traffic no marked, well, this two las rules can be delete and left only one with both gateways, after of this you can se than these rule have the distance 1 and the rule is printed on black (is the primary)

add action=accept chain=prerouting comment="Accept to use route tables (to_WANx) to all trafic comming from LAN networks and are connected to the WANs" dst-address=10.9.8.0/24 in-interface-list=LANs
add action=accept chain=prerouting comment="Accept to use route tables (to_WANx) to all trafic comming from LAN networks and are connected to the WANs" dst-address=10.9.7.0/24 in-interface-list=LANs
add action=mark-connection chain=prerouting comment="Mark all conections coming from WANs" connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=prerouting comment="Mark all conections coming from WANs" connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_connection passthrough=yes
add action=mark-connection chain=prerouting comment="Mark all conections comming from LANs and balance them with PCC" connection-mark=no-mark dst-address-list=!LocalIPs dst-address-type=!local in-interface-list=LANs new-connection-mark=WAN1_connection passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="Mark all conections comming from LANs and balance them with PCC" connection-mark=no-mark dst-address-list=!LocalIPs dst-address-type=!local in-interface-list=LANs new-connection-mark=WAN2_connection passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting comment="Mark all conections comming from LANs and balance them with PCC TEST VOIP" connection-mark=no-mark dst-address-list=!LocalIPs dst-address-type=!local in-interface=bridgeVOIP new-connection-mark=WAN2_connection passthrough=yes
add action=mark-routing chain=prerouting comment="Mark the routes for LAN traffic previously marked in the connection" connection-mark=WAN1_connection in-interface-list=LANs new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting comment="Mark the routes for LAN traffic previously marked in the connection" connection-mark=WAN2_connection in-interface-list=LANs new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=prerouting comment="Mark the routes for LAN traffic previously marked in the connection" connection-mark=WAN2_connection in-interface=bridgeVOIP new-routing-mark=to_WAN2 passthrough=no
add action=mark-routing chain=output comment="Mark the routes for WAN traffic previously marked in the connection" connection-mark=WAN1_connection new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output comment="Mark the routes for WAN traffic previously marked in the connection" connection-mark=WAN2_connection new-routing-mark=to_WAN2 passthrough=no

NOTE: is important than you know than the mangle rules where you do mark_routing need to deselect the option of "Passthrough" to avoid than these connection/routed be remarked by the next rule

3- in the case than you have a voip server inside and you want than all connections comes out ever for the same WAN you only need to add a specific rule for this interface and no like the others were we use an " in-interface-list=LANs" NOTE: you need to be sure than these interface is not in the same interface list "LANs" because will be remarked previously by the rules before.

in this case is you have a voip server you need to disable SIP ALG on your router and in your mikrotik to avoid connection cuts, in mikrotik you can do this disabling in /ip firewall service-port disable sip, and its done

we hope this basic steps helps to prevent many headaches configuring your mikrotik infrastructure.

Posted: **Sat Mar 07, 2020 6:42 pm**

thanks mr. cmrp ... i will try

Posted: **Sat Mar 07, 2020 7:33 pm**

Nice...
Also noted some port translation on your rules which is cool. (2222 to 22) -----> required (external request on port 2222, changed to port 22 before hitting firewall.)
If the dst-ports and to-ports are the same, then you don't need the additional entry of to-ports (5060-5061 to 5060-5061) ------> not required

MikroTik

Big confusion PCC with NAT (Port Forwarding)

Big confusion PCC with NAT (Port Forwarding)

Re: Big confusion PCC with NAT (Port Forwarding)

Re: Big confusion PCC with NAT (Port Forwarding)

Re: Big confusion PCC with NAT (Port Forwarding)