MikroTik

Posted: **Tue Jan 17, 2006 8:41 pm**

I have been trying for a week to get policy-based routing to work on my RouterBoard 532 with RouterOS 2.9.10 and have not been successful. I have looked at the examples at http://www.mikrotik.com/docs/ros/2.9/ip/route several times but the given scenarios do not match what I'm trying to do.

Here is my setup: Ether1 is my local network (192.168.69.1/24), Ether2 is ISP1 and is obtained via DHCP (68.102.x.x). Ether3 is ISP2 and has a static IP (158.247.x.x/29).

What I'm trying to setup is that any traffic coming in from Ether2 is routed back out Ether2 and any traffic coming in on Ether3 goes back out Ether3. Ether2 is set as my default gateway so that all traffic originating from the local network is routed out that interface.

The way it is right now, all traffic works coming through Ether2, but no inbound or outbound traffic works through Ether3. I have set up route-marks for inbound traffic on Ether3 and have a routing rule but that has not worked. I set this up via winbox but here are the resulting commands:

/ ip firewall mangle 
add chain=prerouting in-interface=Ether3 action=mark-routing \
    new-routing-mark=ksnet passthrough=yes comment="" disabled=no 

/ ip route 
add dst-address=0.0.0.0/0 gateway=158.247.x.x distance=1 scope=255 \
    target-scope=10 routing-mark=ksnet comment="" disabled=no

What am I missing to make all of this work? I greatly appreciate any help provided.

Mezlo

Posted: **Wed Jan 18, 2006 9:07 am**

Hi Mezlo

Not sure what you are trying to do here.. .are you saying that you want all traffic generated on Ether3 (158.247.x.x/29) to be sent out again to the ISP gateway on that network?

If so, why would that traffic ever reach your Ether3? Traffic generated on that subnet should have the proper gateway already so why would it have to take the way by your router?

The rules look ok. However..... do you have any other rule further down in the mangle list that might match? Say on IP numbers? If so, that rule will add replace the new-routing-mark with what is specified in that rule

/Jörgen

Posted: **Wed Jan 18, 2006 4:20 pm**

Let me explain what's happening and maybe there's a different solution than policy-based routing.

Right now, the default gateway on my Microtik is Ether2. From the internet, I can connect to my local machines via dst-nat rules by using the Ether2 IP address. However, if I try to connect using the Ether3 address, connections time out.

If I change the default gateway on the Microtik to Ether3, then incoming connections to Ether3 work, but Ether2 no longer does.

The only interface which accepts inbound connections is the one with the default gateway. I assumed this behavior is because the traffic is coming in one interface and is going out the other, which is why I looked into policy-based routing.

What I need to do is be able to accept inbound connections on either interface and have the traffic forwarded to the appropriate local IP. I also need any locally-generated traffic (such as web browsing, etc) to go out Ether2, which is why I set it as the default gateway. I'm using rules similar to the following for the forwarding:

add chain=dstnat in-interface=Ether2 protocol=tcp dst-port=25 action=dst-nat \
    to-addresses=192.168.69.250 to-ports=25 comment="" disabled=no 

add chain=dstnat in-interface=Ether3 protocol=tcp dst-port=25 action=dst-nat \
    to-addresses=192.168.69.251 to-ports=25 comment="" disabled=no

Hopefully this clears up what I am trying to do.

Mezlo

Posted: **Wed Jan 18, 2006 4:50 pm**

Ah.. ok, now it makes sense! You have two ISPs for locally hosted services!

Hmm.... you need to do some kind of source-routed return traffic

How about if you..... and I am just typing without any verification now since I don't have two ISP nor the possibility to test anything right now so all typos and faults are mine

instead of marking packets mark connections
add chain=prerouting dst-address=your-localeth3-address protocol=tcp action=mark-connection new-connection-mark=con-eth3
this should kick off the connection tracker on all tcp traffic on eth3

then mark all packets belonging to this connection
add chain=prerouting connection-mark=con-eth3 action=mark-packet new-packet-mark=pkt-eth3 passthrough=no
this should mark all tracked connect packet with the proper packet mark

and then tell it to route all those packets to the proper gateway?
add dst-address!=your-local-net gateway=158.247.x.x routing-mark=pkt-eth3

Just a guess but it should be something along those lines, you'll have to do something with the dst-nat to

/Jörgen

Posted: **Thu Jan 19, 2006 3:30 am**

instead of marking packets mark connections
add chain=prerouting dst-address=your-localeth3-address protocol=tcp action=mark-connection new-connection-mark=con-eth3
this should kick off the connection tracker on all tcp traffic on eth3

then mark all packets belonging to this connection
add chain=prerouting connection-mark=con-eth3 action=mark-packet new-packet-mark=pkt-eth3 passthrough=no
this should mark all tracked connect packet with the proper packet mark

and then tell it to route all those packets to the proper gateway?
add dst-address!=your-local-net gateway=158.247.x.x routing-mark=pkt-eth3

Thanks for your help. I got the 2 prerouting commands added but when I goto /ip route and add the 3rd command, it says no such argument (dst-address!). Am I trying to add that in the right place?

Mezlo

Posted: **Thu Jan 19, 2006 9:24 am**

Hi again

As I said... I was typing straight out of my test without any test that it actually worked

I have a MT available now and you can't do a != (not like) in /ip route

If you just try with
add dst-address=0.0.0.0/0 gateway=158.247.x.x routing-mark=pkt-eth3

Does that work?

If you run winbox you will be able to see packet counters while testing so you will have a better view of what's going where... if you are able to test in a separated environment without to much non-related traffic

/jörgen

Posted: **Thu Jan 19, 2006 2:58 pm**

I have spent quite an amount of time with exactly this scenario, this is how I got it to work:

1. I have a router with 3 interfaces; 1 internal and two external:

 
/interface print

#    NAME                   TYPE             RX-RATE    TX-RATE    MTU  
0  R 1-ISP1                 ether            0          0          1500 
1  R 2-ISP2                 ether            0          0          1500 
2  R 3-Internal             ether            0          0          1500 
3  R 1-2 Bond               bonding          0          0          1500

2. As you can see above, I created a bonding interface with the two external adapters:

/interface bonding print:

0  R name="1-2 Bond" mtu=1500 mac-address=XX:XX:XX:XX:XX:XX arp=enabled 
     slaves=ISP1,ISP2 mode=balance-rr primary=none 
     link-monitoring=mii-type1 arp-interval=100ms mii-interval=100ms 
     down-delay=100ms up-delay=100ms lacp-rate=1sec

2. I added IP addresses to the interfaces:

 
/ip address print

#   ADDRESS            NETWORK         BROADCAST       INTERFACE
0   192.168.1.254/24   192.168.1.0     192.168.1.255   3-Internal
1   85.xx.xx.xx/30     85.xx.xx.xx     85.xx.xx.xx     1-2 Bond 
2   195.xx.xx.xx/30    195.xx.xx.xx    195.xx.xx.xx    1-2 Bond

3. I added Mangle policy to the traffic, NOTE! the dst-address for chain 0 and 1 ar NOT the same as the addresses for the bonding interface, they are on different subnets. I have a /30 net for routing all traffic to the destination /26 net to the Mikrotik from ISP1. The same applies to the incoming traffic from ISP2, i.e. a /30 net for routing all traffic to the destination /27 net from ISP2. NOTE! Rule 2 and 3 applies to traffic generated from the server on the inside in order to route this kind of traffic to one of the ISP's. The "new-routing" needs to be here in order to be able to direct all aoutgoing traffic through the ISP of my choice. Also note that rule #2 is the only one to have a "Passthrough=yes", this in order to achieve the forced routing:

/ip firewall mangle print

0   ;;; ISP1 incoming
    chain=prerouting in-interface=1-2 Bond dst-address=85.xx.xx.xx/26 
    connection-state=new dst-address-list=WAN-NetIT action=mark-connection 
    new-connection-mark=conn_ISP1 passthrough=no 

1   ;;; ISP2: incoming
    chain=prerouting in-interface=1-2 Bond dst-address=195.xx.xx.xx/27 
    connection-state=new action=mark-connection 
    new-connection-mark=conn_ISP2 passthrough=no 

2   ;;; Internal going out
    chain=prerouting in-interface=3-Internal dst-address=!192.168.0.0/16 
    connection-state=new action=mark-connection new-connection-mark=conn_out 
    passthrough=yes 

3   chain=prerouting in-interface=3-Internal connection-mark=conn_out 
    action=mark-routing new-routing-mark=route_ISP1 passthrough=no 

4   ;;; ISP1: answer to incoming
    chain=prerouting in-interface=3-Internal connection-mark=conn_ISP1 
    action=mark-routing new-routing-mark=route_ISP1 passthrough=no 

5   ;;; ISP2: answer to incoming
    chain=prerouting in-interface=3-Internal connection-mark=conn_ISP2
    action=mark-routing new-routing-mark=route_ISP2 passthrough=no

4. I added routes. NOTE! Route #5 *must* exist if you want to allow Mikrotik to make connection to external servers, i.e. for contacting NTP servers! Otherwise it is not necessary

:

 
/ip route print

#     DST-ADDRESS        PREFSRC         G GATEWAY         INTERFACE        ROUTING MARK
0 ADC 85.xx.xx.xx/30     85.xx.xx.xx                       1-2 Bond 
1 ADC 192.168.1.0/24     192.168.1.254                     3-Internal  
2 ADC 195.xx.xx.xx/30    195.xx.xx.xx                      1-2 Bond 
3 A S 0.0.0.0/0                          r 85.xx.xx.xx     1-2 Bond         route_ISP1 
4 A S 0.0.0.0/0                          r 195.xx.xx.xx    1-2 Bond         route_ISP2
5 A S 0.0.0.0/0                          r 85.xx.xx.xx     1-2 Bond

5. Then I added a lot of DNAT rules to direct the incoming traffic to the servers on the inside. Each server has an addres in the 192.168.1.x net with Mikrotik as the default gateway. Since each server needs to be addressable through 2 different ISP's (i.e. have 2 external IP addresses) I needed to setup 2 DNAT rules for each server:

chain=dstnat dst-address=85.xx.xx.yy 
protocol=tcp dst-port=80 action=dst-nat 
to-addresses=192.168.0.aa to-ports=80 

chain=dstnat dst-address=195.xx.xx.zz 
protocol=tcp dst-port=80 action=dst-nat 
to-addresses=192.168.0.aa to-ports=80

6. For each server that needed to initiate connection to servers on the outside (i.e. SMTP server) I needed to add SNAT rules for each ISP:

chain=srcnat routing-mark=route_ISP1 action=src-nat to-addresses=85.xx.xx.vv to-ports=0-65535

chain=srcnat routing-mark=route_ISP2 action=src-nat to-addresses=195.xx.xx.ww to-ports=0-65535

That about covers it

BUT! I have not been able to successfully mark and SNAT the traffic that gets generated by the Mikrotik itself in order to eliminate the need for an extra default gateway in the routing rules :-/ Perhaps someone is able to help me out with this, or is it a "feature"?

Posted: **Fri Jan 20, 2006 5:40 am**

Thanks for all the help you've provided so far. It will be this weekend before I have time to try what has been suggested. I'll definitely post back with either more questions or good news that it's working.

Mezlo

Posted: **Fri Jan 20, 2006 3:49 pm**

I've got it!!!!!!!

Had some time over so I decided to set up a test environment and try to figure this out..... I can say that it wasn't completely clear and I had quite a few thoughts about just giving up on the whole thing

Anyway, here's the setup.
6 MT routers
User1, ether1 192.168.101.50/24
- gateway 192.168.101.1
- connected ether1 to MT ISP1 / ether1
ISP1, ether1 192.168.101.1/24 / ether2 192.168.102.1
- connected ether2 to MT Central / ether2
- static route 192.168.2.0/24 to 192.168.102.2 (central -> my network)

User2, ether1 192.168.111.50/24
- gateway 192.168.111.1
- connected ether1 to MT ISP2 / ether1
ISP2, ether1 192.168.111.1/24 / ether2 192.168.112.1
- connected ether2 to MT Central / ether3
- static route 192.168.2.0/24 to 192.168.112.3 (central -> my network)

Central
- ether1 192.168.120.1/24
- ether2 192.168.102.2/24
- ether3 192.168.112.3/24
- ether4 192.168.2.221/24 (my network)

Firewall
- ether1 192.168.2.1
- ether2 DHCP from my ISP
- static routes for the networks added to 192.168.2.221

Setup on Central is as follows

/ ip route
  add dst-address=0.0.0.0/0 gateway=192.168.112.1 disabled=no
  add dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-eth2 disabled=no
I

am using the path to User2 as default, anything marked with route-eth2 should be sent over the path to User1

/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s \
    udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m

Make sure you have decent values here, EVERYTHING depends on the connection tracker! I used default for this test

/ ip firewall mangle
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=con-eth2 passthrough=yes disabled=no
add chain=prerouting in-interface=ether4 connection-mark=con-eth2 action=mark-routing new-routing-mark=route-eth2 passthrough=no disabled=no

This pulls it together;
- the first rules marks everything that comes in (that can be tracked by the connection tracker!) on ether2 with a connection mark con-eth2
- the second rule takes everything with connection mark con-eth2 and marks it for routing with routing mark route-eth2

NOTE that the second rule ALSO checks where the packets come from, ONLY packets with connection mark con-eth2 coming in on ether4 get the routing mark! Without that in-interface check nothing works at all since the traffic coming in on ether2 will also be marked for routing with route-eth2!

With this configuration in place I was able to run "/system telnet 192.168.2.1" from both the User1 and the User2 endpoint MT against the firewall MT that is behind Central MT

I hope this is clear enough for you all, I will try to make up a drawing later on

/Jörgen

Posted: **Fri Jan 20, 2006 4:21 pm**

As I said above... a quick drawing

And some code

User1
/interface enable ether1
/ip address add address=192.168.101.50/24 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=192.168.101.1

User2
/interface enable ether1
/ip address add address=192.168.111.50/24 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=192.168.111.1

ISP1
/interface enable ether1
/interface enable ether2
/ip address add address=192.168.101.1/24 interface=ether1
/ip address add address=192.168.102.1/24 interface=ether2
/ip route add dst-address=192.168.2.0/24 gateway=192.168.102.2

ISP2
/interface enable ether1
/interface enable ether2
/ip address add address=192.168.111.1/24 interface=ether1
/ip address add address=192.168.112.1/24 interface=ether2
/ip route add dst-address=192.168.2.0/24 gateway=192.168.112.3

Central
/interface enable ether1
/interface enable ether2
/interface enable ether3
/interface enable ether4
/ip address add address=192.168.120.1/24 interface=ether1
/ip address add address=192.168.102.2/24 interface=ether2
/ip address add address=192.168.112.3/24 interface=ether3
/ip address add address=192.168.2.221/24 interface=ether4
/ip route add dst-address=0.0.0.0/0 gateway=192.168.112.1 disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-eth2 disabled=no
/ ip firewall mangle add chain=prerouting in-interface=ether2 action=mark-connection new-connection

-mark=con-eth2 passthrough=yes disabled=no
/ ip firewall mangle add chain=prerouting in-interface=ether4 connection-mark=con-eth2 action=mark-

routing new-routing-mark=route-eth2 passthrough=no disabled=no

Firewall
/interface enable ether1
/ip address add address=192.168.1.1/24 interface=ether1
/ip route add dst-address=192.168.101.0/24 gateway=192.168.2.221
/ip route add dst-address=192.168.111.0/24 gateway=192.168.2.221

/Jörgen

Posted: **Sat Jan 21, 2006 8:27 pm**

Thanks for all of you who posted in the Policy Based Routing Thread - by a conbination of all of your collective wisdom a solution was formulated for a problem that had haunted me for 6+ weeks, except for one small thing.

I have three ISP's, a DMZ and the internal network on a Mikrotik router, (5 interfaces). Like some of you i had web servers in the dmz with public addresses on each of the ISP's so that i publish two different public ip addresses for what becomes the same webserver. The problem as many of you have seen is that a connection arriving on ISP1 to the webserver will reply with ISP1, ISP2 or ISP3 based on the current load of the interfaces? This is called by some asymetrical routing in that the reply packets arrive asymetrically back to your browser via different routes. It sorta worked but it seemed like somewhere upsteam in the ISP heirarchy the ISP blocked packets with a source address of ISP2 being sent out the interface belonging to ISP1 or ISP3. Using Policy based routing we finally got it to work.

The inside connection was masqueraded to all three ISP's for outgoing traffic.

To get the web servers to work we used mangle to connection mark every connection coming in thru each of the ISP interfaces. ISP1 was connection marked ISP1, ISP2 was connection marked ISP2, ISP3 was connection marked ISP3. The dst-nat rules mapped the incoming ISP connections to the webserver addresss in the DMZ.

The next thing was to mangle the connection returning from the DMZ using the connection mark defined previously, ISP1, ISP2, ISP3 and to now use the connection mark to create a routing mark of ISP1, ISP2, ISP3. By using the route table the routing marks are used to direct the traffic from the DMZ back out the interface it arrived on. (Also shows up in connection table)

Yeah!!! It worked for Http traffic and Ftp traffic ~ here is the problem!

ICMP to the Public web server address still ramdomly choses which interface to use as a reply. if i ping a public ip address on ISP1, the packet makes it to the server in the DMZ, the server replies, packet goes back into the mikrotik and it seems to chose ramdomly which interface to send the response on. Ping comes in on ISP1 and the reply goes out on ISP1, ISP2 or ISP3. The only time ping works is if the reply comes back on whichever interface it came in on.

Is there something else that needs to be defined to make ping work??

Posted: **Sun Jan 22, 2006 5:18 am**

I want to thank Jörgen and Krokodox for their advice. Jörgen's solution appeared more strait-forward to me so that's the one I implemented.

Funny thing is, I'd tried similar prerouting commands before, but I never turned on connection tracking so that was the key which made it all work.

Thanks again for all of your time and advice.

Mez

Posted: **Mon Jan 23, 2006 11:07 am**

Thanks for your kind words, it feels good to be appreciated (sp?, English is not my native language)

This was a interesting problem so I spent some extra time on it... and it worked more or less the way I thought it should work.

For those of you that wonder how someone can have 6 MT routers available for a test setup I can say that I did not have any spare units...

I used VmWare and configured 6 MT virtual machines, 5 virtual networks and one connection to my physical network, all MTs installed with the 24 hour license... put a pressure on me to complete the testing in a decent timeframe to

/Jörgen

Posted: **Mon Jan 23, 2006 11:14 am**

valcoman, your ping problem.... have you done a dst-nat for ping to your web-server?

I don't think that it will be handled by your connection-tracker / policy routing unless you run the pings through the MT (that is not having the MT answer them)... if you let the MT answer then the packets will never be handled by your policy routing, at least not in my configuration example

To see what happens just start winbox, look at the connections tab and try some pings from different hosts. You should see matching address pairs there if the connection-tracker is seeing the ICMP packets and mapping them correctly

/Jörgen

Posted: **Mon Jan 23, 2006 4:24 pm**

valcoman, your ping problem.... have you done a dst-nat for ping to your web-server?

I don't think that it will be handled by your connection-tracker / policy routing unless you run the pings through the MT (that is not having the MT answer them)... if you let the MT answer then the packets will never be handled by your policy routing, at least not in my configuration example

To see what happens just start winbox, look at the connections tab and try some pings from different hosts. You should see matching address pairs there if the connection-tracker is seeing the ICMP packets and mapping them correctly

/Jörgen

After I had all of this set up, I realized that I could not ping my ether3 IP from the internet. All services (ssh, ftp, etc) responded correctly, but ping would fail every time. Looking at the connection tracker in Winbox, the ICMP connection was not shown.

I added the following rule and it fixed the issue:

/ ip firewall nat
add chain=dstnat in-interface=ether3 protocol=icmp action=dst-nat to-addresses=192.168.69.250 to-ports=0 \
    comment="" disabled=no

The to-address is the IP of one of my servers. I tried pointing it to the IP of ether1 on the MT, but it did not work. The connection still is not listed in the tracker, but that doesn't bother me at all.

Mez

Posted: **Mon Jan 23, 2006 4:30 pm**

I've come across another little issue with this setup. While I can ping both ether2 and ether3 from ether1 (my LAN), I cannot connect to either of them via http, ftp, etc. Both ether2 and ether3 work beautifully from the internet, just not locally.

This isn't a major problem because I internally remap the DNS names to the private IPs of the servers anyway, but if it's something easily resolved, I might as well do it.

Mez

Posted: **Mon Jan 23, 2006 4:50 pm**

I think that this is another version of the problem I had when I didn't add the "in-interface=ether4 " on my mangle.

What happens is that the traffic gets tagged with route-eth2 packet mark and the only routing rule you have handling that traffic doesn't know where to send the packets (it only knows of the route 0.0.0.0/0 to your second ISP).

Try duplicating the local routes (your local networks, should have ADC flags in /ip route print) and add "routing-mark=route-eth2 " to them. That might help

/Jörgen

Posted: **Mon Jan 23, 2006 5:19 pm**

That did the trick, Http, ftp and icmp all are working as intended. It is actually pretty cool when i think about all the things that the mikrotik is keeping up with and counters too. Nice piece of software! Thanks again to the group for helping me through this configuration problem.

Posted: **Tue Jan 24, 2006 6:32 am**

What happens is that the traffic gets tagged with route-eth2 packet mark and the only routing rule you have handling that traffic doesn't know where to send the packets (it only knows of the route 0.0.0.0/0 to your second ISP).

I'm not sure I understand what you mean by this. I'm only tagging traffic on ether3, yet I can't access ether2 or ether3 locally. I'm sure I'm visualizing this wrong, but if it was a tagging issue, I would think that local connections to ether2 would work since it is my default gateway, but not ether3.

Try duplicating the local routes (your local networks, should have ADC flags in /ip route print) and add "routing-mark=route-eth2 " to them. That might help

I have 3 routes with ADC flags (one for each interface). None of them have a gateway address listed (only dst-address, prefsrc, and interface). However, when I try to copy them, I have to specify a gateway address so what do I put?

Thanks for bearing with me on this.

Mez

Posted: **Tue Jan 24, 2006 9:47 am**

Hmm.... I think I will have to wake up my testbed for this, unfortunately I have a traning session tonight so I might not be able to do anything until tomorrow evening. I'll let you know what I find....

/Jörgen

Posted: **Tue Jan 24, 2006 4:10 pm**

Hmm.... I think I will have to wake up my testbed for this, unfortunately I have a traning session tonight so I might not be able to do anything until tomorrow evening. I'll let you know what I find....

Hey, I really appreciate the time and effort you're putting into this. As I said, this isn't really a major issue so I don't want you to feel pressurred to get this done immediately. If you don't get to it for a few days or even a week, that's fine.

Thanks again,
Mez

Posted: **Thu Jan 26, 2006 8:59 am**

Hi again

I did spend some time with this yesterday and I had no luck at all getting a machine from the "inside" succesfully connecting to an external IP/port that dst-nat back in to the same local network.... not sure if it is even possible to do!

I know that MS ISA server in previous versions did not support this, accordning to my friends here at work it supposedly works now in MS ISA.

Anyone else managed to access a dst-nat IP/port from a machine on the same network that the dst-nat points to?

/Jörgen

Posted: **Fri Jan 27, 2006 8:40 pm**

Hi, I was reading your posts and get a little confused about, but if i am correct this is your problem.

2 isps, one static the other dynamic. If you set dafault gw to isp1 and If you try to access your MT from isp2 there is no access.. ANSWER= there is access but the router tries to send the response trough isp1 and it would not find you. If you switch the configruation it will happend the same.

The problem accours when you have dynamic ip becasue your isp change the ip and the gateway all the time and you cannot set two gateways. I suggest you to try this. Put a router infront your MT connected to the ISP that gives you the dynamic address (dhcp) and configure DMZ on it, with this you could have both interfaces (in your MT) with static address and you could set two gateways. Then MT will do the rest.... simple!!!

I have this configruation working in my MT and works great....

I apologize If I did not understand the problem correctly and for my bad english

Posted: **Mon Jan 30, 2006 6:02 am**

Hi again

I did spend some time with this yesterday and I had no luck at all getting a machine from the "inside" succesfully connecting to an external IP/port that dst-nat back in to the same local network.... not sure if it is even possible to do!

I know that MS ISA server in previous versions did not support this, accordning to my friends here at work it supposedly works now in MS ISA.

Anyone else managed to access a dst-nat IP/port from a machine on the same network that the dst-nat points to?

/Jörgen

Hey Jörgen,

I posted this question as a new topic and ended up answering my own question in case you're interested.

http://forum.mikrotik.com/viewtopic.php?p=27982#27982

Thanks once again for all the help you provided.
Mez

MikroTik

policy-based routing

policy-based routing

Here's what I'm trying to do

Thanks for all the help

Finally working - Almost!

It works!!!

Dst-Nat rule for Ping