dana1975
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Jul 04, 2009 8:32 pm

two WAN connections

Sat Jan 03, 2015 3:13 pm

Hi all,
I have two WAN connections from two different ISPs with different gateways.
I am using ISP1 for users and ISP2 for my servers.

Here is my configuration:

/ ip firewall mangle
# routing marks derived from the connection mark of each packet
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
# per-ISP routing tables selected by routing mark, plus the main-table defaults
add dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=111.111.111.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 distance=2 check-gateway=ping

/ ip firewall nat
# masquerade on whichever WAN the packet leaves
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

/ip firewall nat
# (no action= given on the next two rules; RouterOS then uses the default action=accept)
add chain=srcnat comment="Clients SRC NAT" out-interface=ISP1 src-address-list="Clients SRC NAT"
add chain=srcnat comment="Servers SRC NAT" out-interface=ISP2 src-address-list="Servers SRC NAT"
# FTP server: 222.222.222.19 (public, ISP2) <-> 192.168.0.19 (LAN)
add action=dst-nat chain=dstnat dst-address=222.222.222.19 routing-mark=to_ISP2 to-addresses=192.168.0.19
add action=src-nat chain=srcnat routing-mark=to_ISP2 src-address=192.168.0.19 to-addresses=222.222.222.19


I use dst-nat for my FTP server, but it's not working; when I disable the ISP1 connection, the FTP server is reachable from outside my network.
Is there any problem in my configuration?
 
jacekes
Member Candidate
Posts: 167
Joined: Tue Aug 30, 2011 9:34 am
Location: Poznan, Poland

Re: two WAN connections

Sat Jan 03, 2015 7:36 pm

I guess the incoming connections from the internet don't get marked properly, so the outbound traffic from the server in such a connection uses the wrong (ISP1) default route.
You use connection marks in /ip firewall mangle, but I don't see any rule where you would apply these connection marks to the traffic.
 
dana1975
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Jul 04, 2009 8:32 pm

Re: two WAN connections

Sun Jan 04, 2015 6:43 am

Hi,
I marked the connection and the route as well; you can see it in the mangle commands.
Could you please let me know the correct commands?
 
jacekes
Member Candidate
Posts: 167
Joined: Tue Aug 30, 2011 9:34 am
Location: Poznan, Poland

Re: two WAN connections

Sun Jan 04, 2015 12:08 pm

No, you have only marked routing, based on a connection mark that has never been applied. You have no mangle rules with action=mark-connection, and those are what apply the connection mark.

I would try adding these before your existing rules:
/ip firewall mangle add chain=prerouting in-interface=ISP1 action=mark-connection new-connection-mark=ISP1_conn
/ip firewall mangle add chain=prerouting in-interface=ISP2 action=mark-connection new-connection-mark=ISP2_conn

These should mark your incoming dst-nat'ed connections. You can check that in IP->firewall->connections. I can't guarantee it will work, I'm not good at theorizing with mangle, I would need to experiment with it. ;)
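A complete dual-WAN configuration that follows the advice in this thread, as an added example rather than either poster's own configuration. Interface names (ISP1, ISP2, LAN), gateways, address lists and the FTP server addresses are the ones from the thread; the LAN subnet 192.168.0.0/24 and the decision to publish only TCP/21 are assumptions (the thread's dst-nat forwards every port of 222.222.222.19). The dstnat rule matches on in-interface rather than routing-mark because an inbound packet has no routing mark yet when dstnat runs, so the original rule could only ever match packets that were already routed.

```routeros
# Added example, not the original poster's config. Assumptions: the LAN is
# 192.168.0.0/24 and only TCP/21 of the FTP server needs publishing.
# Interface names, gateways, address lists and addresses come from the thread.

/ip firewall address-list
add list=LAN address=192.168.0.0/24 comment="assumed LAN subnet"

/ip firewall mangle
# 1. Inbound connections: remember which WAN they arrived on. The mark is
#    stored in the connection tracking entry, so the first packet is enough.
#    FTP data channels show up as "related", not "new", so match both;
#    otherwise passive-mode transfers would reply through the wrong WAN.
add chain=prerouting in-interface=ISP1 connection-state=new,related \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ISP2 connection-state=new,related \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# 2. Outbound connections from the LAN: servers leave via ISP2, clients via
#    ISP1. LAN-to-LAN traffic (including traffic to the router) is skipped
#    so it is never forced out of a WAN interface.
add chain=prerouting in-interface=LAN dst-address-list=!LAN \
    connection-state=new,related src-address-list="Servers SRC NAT" \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
add chain=prerouting in-interface=LAN dst-address-list=!LAN \
    connection-state=new,related src-address-list="Clients SRC NAT" \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes

# 3. Routing marks are derived from the connection mark. This is what makes
#    the FTP server's replies to a connection that came in on ISP2 go back
#    out ISP2 instead of following the main table's default route (ISP1).
#    These must come after the mark-connection rules in the chain.
add chain=prerouting in-interface=LAN connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=LAN connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2

/ip route
# Per-ISP tables selected by routing mark, plus the main-table defaults.
add dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=111.111.111.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 distance=2 check-gateway=ping

/ip firewall nat
# Publish FTP on 222.222.222.19, reachable via ISP2 only. Match the interface
# the packet arrived on, not routing-mark: inbound packets have no routing
# mark when dstnat runs. Restricting to TCP/21 keeps the rest of the server
# unexposed; remove protocol/dst-port to reproduce the thread's 1:1 NAT.
# Passive FTP data connections are handled by the ftp helper in
# /ip firewall service-port, which RouterOS enables by default.
add chain=dstnat in-interface=ISP2 dst-address=222.222.222.19 \
    protocol=tcp dst-port=21 action=dst-nat to-addresses=192.168.0.19
# The server's own outbound traffic via ISP2 keeps its dedicated public IP.
add chain=srcnat out-interface=ISP2 src-address=192.168.0.19 \
    action=src-nat to-addresses=222.222.222.19
# Everything else is masqueraded on whichever WAN it leaves.
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
```

To verify, open an FTP session from outside via ISP2 and run `/ip firewall connection print where connection-mark=ISP2_conn`; the control connection (and, once a transfer starts, the related data connection) must carry the ISP2_conn mark, and `/ip route print where routing-mark=to_ISP2` must show the ISP2 default as active. If check-gateway marks the to_ISP2 route unreachable, lookups for that mark fall back to the main table and the server's replies leave via ISP1 with a 222.222.222.19 source address, which ISP1 will normally drop; that is the expected failure mode when ISP2 is down, not a misconfiguration.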
 
dana1975
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Jul 04, 2009 8:32 pm

Re: two WAN connections

Wed Jan 07, 2015 6:36 am

Thank you so much. It has been solved.
 
jacekes
Member Candidate
Posts: 167
Joined: Tue Aug 30, 2011 9:34 am
Location: Poznan, Poland

Re: two WAN connections

Wed Jan 07, 2015 2:07 pm

You're welcome. :)
