Mikrotik
fella, 2017-03-20 07:26:07

Mikrotik multiple WAN: availability for all dst-nat port forwarding?

I ran into a problem setting up multiple provider connections on MikroTik. There is no access to resources behind NAT. Where is the error in the mangle? The marks for incoming packets and the corresponding routes for them seem to be set as well.
MikroTik itself is reachable from both external IPs, but port forwarding to a web server inside the network does not respond.
config:

# mar/20/2017 07:10:20 by RouterOS 6.38.5
/interface bridge
add name=localnet
/interface ethernet
set [ find default-name=ether3 ] comment="ISP1"
set [ find default-name=ether4 ] comment="ISP2"
/interface list
add name=WAN
/interface bridge port
add bridge=localnet interface=ether5
add bridge=localnet interface=ether6
add bridge=localnet interface=ether7
add bridge=localnet interface=ether8
/interface list member
add interface=ether3 list=WAN
add interface=ether4 list=WAN
/ip address
add address=192.168.2.253/24 interface=localnet network=192.168.2.0
add address=1.1.1.1/30 interface=ether4 network=1.1.1.0
add address=1.2.2.1/30 interface=ether3 network=1.2.2.0
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=forward
add action=accept chain=output
add action=accept chain=input
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether3 \
    new-connection-mark=ISP1-conn passthrough=yes
add action=mark-connection chain=input in-interface=ether4 \
    new-connection-mark=ISP2-conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1-conn \
    new-routing-mark=ISP1-route passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1-f \
    in-interface-list=!WAN new-routing-mark=ISP1-route passthrough=no
add action=mark-connection chain=prerouting in-interface=ether3 \
    new-connection-mark=ISP1-f passthrough=no
add action=mark-connection chain=prerouting in-interface=ether4 \
    new-connection-mark=ISP2-f passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-f \
    in-interface-list=!WAN new-routing-mark=ISP2-route passthrough=no
add action=mark-connection chain=forward in-interface=ether3 \
    new-connection-mark=ISP1-f passthrough=no
add action=mark-connection chain=forward in-interface=ether4 \
    new-connection-mark=ISP2-f passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-conn \
    new-routing-mark=ISP2-route passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=jump chain=dstnat dst-address=1.1.1.1 jump-target=\
    port-forward
add action=jump chain=dstnat dst-address=1.2.2.1 jump-target=\
    port-forward
add action=dst-nat chain=port-forward dst-port=10080 protocol=tcp \
    to-addresses=192.168.2.2 to-ports=80
/ip route
add distance=1 gateway=1.1.1.2 routing-mark=ISP1-route
add distance=1 gateway=1.2.2.2 routing-mark=ISP2-route
add distance=1 gateway=1.1.1.2
add distance=2 gateway=1.2.2.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
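Cross-checking the export above: the interface comments say ether3 is ISP1 and ether4 is ISP2, yet the ISP1-route gateway 1.1.1.2 lies in 1.1.1.0/30 on ether4, and the ISP2-route gateway 1.2.2.2 lies in 1.2.2.0/30 on ether3. With that mapping, replies to a connection marked on one ISP's interface are routed out through the other ISP, which is the classic asymmetric-routing failure in multi-WAN dst-nat setups. The script below is an added editorial example, not code from the question or from MikroTik: it parses the relevant sections of a RouterOS export and reports every routing mark whose gateway does not sit on the interface where the matching connection mark is applied. The parser, the abridged copy of the export, and the "fixed" variant with the two gateways swapped are all constructed for this example.

```python
"""Return-path consistency check for a RouterOS multi-WAN export.

Editorial example. The parser is a constructed helper that understands only
the keys this check needs; it is not a MikroTik tool.
"""
import ipaddress
import shlex


def parse_export(text):
    """Parse a RouterOS export into {section: [ {key: value, ...}, ... ]}.

    Only 'add ...' lines are kept; backslash line continuations are joined.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header, e.g. "/ip route"
            current = line
            sections.setdefault(current, [])
            continue
        if line.endswith("\\"):             # continuation: keep the trailing space
            pending += line[:-1]
            continue
        tokens = shlex.split(pending + line)
        pending = ""
        if current and tokens and tokens[0] == "add":
            sections[current].append(
                dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections


def iface_for_ip(addresses, ip):
    """Interface whose connected subnet contains ip, or None."""
    ip = ipaddress.ip_address(ip)
    for a in addresses:
        if ip in ipaddress.ip_interface(a["address"]).network:
            return a["interface"]
    return None


def check_return_paths(export_text):
    """List (routing_mark, ingress_iface, gateway, egress_iface) mismatches.

    A mark-connection rule with in-interface=X sets mark C; a mark-routing rule
    maps C to routing mark R; the route carrying R must exit via X, otherwise
    replies to connections that arrived on X leave through the other ISP.
    """
    cfg = parse_export(export_text)
    addresses = cfg.get("/ip address", [])
    mangle = cfg.get("/ip firewall mangle", [])
    routes = cfg.get("/ip route", [])
    conn_ifaces = {}
    for r in mangle:
        if r.get("action") == "mark-connection" and "in-interface" in r:
            conn_ifaces.setdefault(r["new-connection-mark"], set()).add(r["in-interface"])
    mark_gw = {r["routing-mark"]: r["gateway"] for r in routes if "routing-mark" in r}
    problems, seen = [], set()
    for r in mangle:
        if r.get("action") != "mark-routing":
            continue
        rmark = r.get("new-routing-mark")
        gw = mark_gw.get(rmark)
        if gw is None:
            continue
        egress = iface_for_ip(addresses, gw)
        for ingress in sorted(conn_ifaces.get(r.get("connection-mark"), ())):
            if ingress != egress and (rmark, ingress) not in seen:
                seen.add((rmark, ingress))
                problems.append((rmark, ingress, gw, egress))
    return problems


# Constructed sample: the relevant sections of the export in the question
# (ether3 is commented ISP1, ether4 is commented ISP2), abridged.
SAMPLE_EXPORT = r"""
/ip address
add address=192.168.2.253/24 interface=localnet network=192.168.2.0
add address=1.1.1.1/30 interface=ether4 network=1.1.1.0
add address=1.2.2.1/30 interface=ether3 network=1.2.2.0
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether3 \
    new-connection-mark=ISP1-conn passthrough=yes
add action=mark-connection chain=input in-interface=ether4 new-connection-mark=ISP2-conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1-conn new-routing-mark=ISP1-route passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP1-f in-interface-list=!WAN new-routing-mark=ISP1-route passthrough=no
add action=mark-connection chain=prerouting in-interface=ether3 new-connection-mark=ISP1-f passthrough=no
add action=mark-connection chain=prerouting in-interface=ether4 new-connection-mark=ISP2-f passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-f in-interface-list=!WAN new-routing-mark=ISP2-route passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-conn new-routing-mark=ISP2-route passthrough=no
/ip route
add distance=1 gateway=1.1.1.2 routing-mark=ISP1-route
add distance=1 gateway=1.2.2.2 routing-mark=ISP2-route
add distance=1 gateway=1.1.1.2
add distance=2 gateway=1.2.2.2
"""

# Constructed variant: the same export with the two marked gateways swapped so
# that each routing mark exits on the interface its connection mark came from.
FIXED_EXPORT = (SAMPLE_EXPORT
    .replace("gateway=1.1.1.2 routing-mark=ISP1-route", "gateway=1.2.2.2 routing-mark=ISP1-route")
    .replace("gateway=1.2.2.2 routing-mark=ISP2-route", "gateway=1.1.1.2 routing-mark=ISP2-route"))

if __name__ == "__main__":
    for mark, ingress, gw, egress in check_return_paths(SAMPLE_EXPORT):
        print(f"{mark}: connections enter on {ingress}, but gateway {gw} is on {egress}")
    print("after swapping the gateways:", check_return_paths(FIXED_EXPORT))
```

On the abridged export the check reports both marks (ISP1-route exits via ether4 while its connections enter on ether3, and ISP2-route the other way round); after the two gateways are swapped it reports nothing. It is a static consistency check over the export, not a simulation of RouterOS packet flow, so it cannot confirm that rule order or the missing connection-state=new qualifiers are harmless.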

2 answers
Viktor Belsky, 2017-03-20
@fella

Try setting passthrough=yes in the forward chain, and for the ISP1-f mark use output instead of prerouting.

Obsession, 2017-03-21
@Obsession

You have a lot going on there; I didn't go into it.
It's simpler to solve.
Use a rule of this type:

/ip firewall nat add chain=dstnat protocol=нужный_протокол dst-port=внешний_порт action=dst-nat to-addresses=локальный_адрес to-ports=локальный_порт

This rule works well for me on the backbone router and forwards ports for reaching a device in the segment behind the NAT.
