How to set up external access to Mikrotik for 2 providers?
Greetings!
I studied a bunch of manuals and read the articles. It doesn't work as needed. The problem is this:
There is a CRS109-8G-1S-2HnD with 2 providers connected to it. The first one gives a static external IP directly to the Mikrotik. The second one is also a static external IP, but at the level of the provider's hardware (MGTS): the IP that is given to the Mikrotik is simply placed in the DMZ on the provider's equipment.
I added marking of incoming packets, marking of outgoing packets, and routes for the marked packets. However, as before, the traffic that came in through the second provider (MGTS) goes out along the route of the first provider. The counter of the rule chain=output action=mark-routing new-routing-mark=ISP2-output passthrough=no connection-mark=ISP2-input remains empty, while the counter of the similar rule for the first provider is steadily increasing.
I'm trying to set this up using port 5555 as an example: I want to forward it to the outside so that it is available through both provider 1 and provider 2.
Can anyone tell me what is configured incorrectly? I have already read a lot, and I still cannot understand or find the reason.
> ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=passthrough protocol=tcp src-port=5555 log=no log-prefix=""
1 chain=prerouting action=passthrough protocol=tcp in-interface=ether-gateway-1 src-port=5555 log=no log-prefix=""
2 chain=prerouting action=passthrough protocol=tcp in-interface=ether-gateway-2 src-port=5555 log=no log-prefix=""
3 chain=input action=passthrough protocol=tcp src-port=5555 log=no log-prefix=""
4 chain=input action=passthrough protocol=tcp in-interface=ether-gateway-1 src-port=5555 log=no log-prefix=""
5 chain=input action=passthrough protocol=tcp in-interface=ether-gateway-2 src-port=5555 log=no log-prefix=""
6 chain=forward action=passthrough protocol=tcp src-port=5555 log=no log-prefix=""
7 chain=forward action=passthrough protocol=tcp in-interface=ether-gateway-1 src-port=5555 log=no log-prefix=""
8 chain=forward action=passthrough protocol=tcp in-interface=ether-gateway-2 src-port=5555 log=no log-prefix=""
9 chain=postrouting action=passthrough protocol=tcp src-port=5555 log=no log-prefix=""
10 chain=postrouting action=passthrough protocol=tcp out-interface=ether-gateway-1 src-port=5555 log=no log-prefix=""
11 chain=postrouting action=passthrough protocol=tcp out-interface=ether-gateway-2 src-port=5555 log=no log-prefix=""
12 chain=output action=passthrough protocol=tcp src-port=5555 log=no log-prefix=""
13 chain=output action=passthrough protocol=tcp out-interface=ether-gateway-1 src-port=5555 log=no log-prefix=""
14 chain=output action=passthrough protocol=tcp out-interface=ether-gateway-2 src-port=5555 log=no log-prefix=""
15 ;;; ISP2
chain=prerouting action=mark-connection new-connection-mark=ISP2-input passthrough=no in-interface=ether-gateway-2 log=yes log-prefix="mcp2"
16 ;;; ISP2
chain=output action=mark-routing new-routing-mark=ISP2-output passthrough=no connection-mark=ISP2-input log=no log-prefix=""
17 ;;; ISP1
chain=prerouting action=mark-connection new-connection-mark=ISP1-input passthrough=no in-interface=ether-gateway-1 log=no log-prefix=""
18 ;;; ISP1
chain=output action=mark-routing new-routing-mark=ISP1-output passthrough=no connection-mark=ISP1-input log=no log-prefix=""
@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Gateway - Main
chain=srcnat action=masquerade out-interface=ether-gateway-1 log=no log-prefix=""
1 ;;; Gateway - Reserve
chain=srcnat action=masquerade out-interface=ether-gateway-2 log=no log-prefix=""
2 ;;; Web
10 ;;; SoftEther VPN
chain=dstnat action=netmap to-addresses=192.168.7.29 to-ports=5555 protocol=tcp in-interface=ether-gateway-1 dst-port=5555 log=no log-prefix=""
11 ;;; SoftEther VPN - Reserve
chain=dstnat action=netmap to-addresses=192.168.7.29 to-ports=5555 protocol=tcp in-interface=ether-gateway-2 dst-port=5555 log=no log-prefix=""
@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.100.1 5
1 A S 0.0.0.0/0 78.107.232.1 5
2 A S ;;; ISP1
0.0.0.0/0 78.107.232.1 10
3 S ;;; ISP2
0.0.0.0/0 192.168.100.1 30
4 A S ;;; GOOGLE
8.8.4.4/32 78.107.232.1 1
5 ADC 78.107.232.0/21 78.107.XXX.XXX ether-gateway-1 0
6 ADC 192.168.7.0/24 192.168.7.1 bridge-local 0
7 ADC 192.168.100.0/24 192.168.100.7 ether-gateway-2 0
action=passthrough means literally the following: count the traffic, do nothing else with it, and pass it on.
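A simplified model of mangle traversal using rules 0, 15 and 16 from the question, added here as an example (it is not part of the answer and not RouterOS code). It shows passthrough rules only counting packets, and why a mark-routing rule in chain=output is never reached by replies from the dst-nat'ed host 192.168.7.29, which are forwarded traffic. The prerouting rule on bridge-local enabled by `with_fix`, the function names and the source port 40000 are assumptions for illustration.

```python
# Added example: simplified model of RouterOS mangle traversal (not RouterOS code).
# Mangle chains each kind of traffic passes through, per the RouterOS packet flow.
FLOW = {
    "forwarded": ["prerouting", "forward", "postrouting"],  # dst-nat to a LAN host
    "to_router": ["prerouting", "input"],
    "from_router": ["output", "postrouting"],
}

def rule(chain, action, match=None, **opts):
    return {"chain": chain, "action": action, "match": match or {}, "hits": 0, **opts}

def traverse(rules, pkt, kind, conn):
    """Pass one packet through its chains; return the routing mark it ends up with."""
    for chain in FLOW[kind]:
        for r in rules:
            m = r["match"]
            if r["chain"] != chain or any(
                    pkt.get(k) != v for k, v in m.items() if k != "connection-mark"):
                continue
            if "connection-mark" in m and m["connection-mark"] != conn.get("mark"):
                continue
            r["hits"] += 1                   # every matching rule counts the packet
            if r["action"] == "passthrough":
                continue                     # count only, then go on to the next rule
            if r["action"] == "mark-connection":
                conn["mark"] = r["new"]
            elif r["action"] == "mark-routing":
                pkt["routing_mark"] = r["new"]
            if not r.get("passthrough", True):
                break                        # passthrough=no: leave this chain
    return pkt.get("routing_mark")

def softether_reply(with_fix):
    """Constructed traffic: one packet in via ISP2, then the LAN host's reply."""
    rules = [  # rules 0, 15 and 16 from the mangle print in the question
        rule("prerouting", "passthrough", {"src-port": 5555}),
        rule("prerouting", "mark-connection", {"in-interface": "ether-gateway-2"},
             new="ISP2-input", passthrough=False),
        rule("output", "mark-routing", {"connection-mark": "ISP2-input"},
             new="ISP2-output", passthrough=False),
    ]
    if with_fix:  # assumption for illustration, not a rule from the page
        rules.append(rule("prerouting", "mark-routing",
                          {"in-interface": "bridge-local", "connection-mark": "ISP2-input"},
                          new="ISP2-output", passthrough=False))
    conn = {}  # connection-tracking entry shared by both directions
    traverse(rules, {"in-interface": "ether-gateway-2", "src-port": 40000}, "forwarded", conn)
    mark = traverse(rules, {"in-interface": "bridge-local", "src-port": 5555}, "forwarded", conn)
    return mark, [r["hits"] for r in rules]
```

`softether_reply(False)` returns no routing mark and a zero hit count for the chain=output rule; `softether_reply(True)` returns ISP2-output.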