Возникла проблема с настройкой нескольких подключений от провайдеров на MikroTik: нет доступа к ресурсам за NAT.
Где ошибка в mangle? Вроде заданы и маркеры на входящие пакеты, и соответствующие маршруты для них.
Сам MikroTik с обоих внешних IP доступен, а вот проброс порта до веб-сервера внутри сети не даёт ответа.
конфиг:
# mar/20/2017 07:10:20 by RouterOS 6.38.5
# Interface layout: one LAN bridge, two provider uplinks, and a WAN interface list.
/interface bridge
add name=localnet
/interface ethernet
# ether3 and ether4 are the two uplinks, labelled ISP1 and ISP2.
set [ find default-name=ether3 ] comment="ISP1"
set [ find default-name=ether4 ] comment="ISP2"
/interface list
add name=WAN
/interface bridge port
# ether5-ether8 are bridged together as the LAN segment.
add bridge=localnet interface=ether5
add bridge=localnet interface=ether6
add bridge=localnet interface=ether7
add bridge=localnet interface=ether8
/interface list member
# Both uplinks are members of WAN; the mangle rules match on !WAN and the
# masquerade rule matches on WAN.
add interface=ether3 list=WAN
add interface=ether4 list=WAN
# Addresses: the LAN gateway on the bridge and one /30 per uplink.
# NOTE(review): ether3 is labelled ISP1 but carries 1.2.2.1/30, and ether4
# (ISP2) carries 1.1.1.1/30, while /ip route points ISP1-route at 1.1.1.2 and
# ISP2-route at 1.2.2.2. As printed, each routing mark leads to the other
# provider's gateway - confirm whether that is the real config or a side
# effect of anonymising the addresses.
/ip address
add address=192.168.2.253/24 interface=localnet network=192.168.2.0
add address=1.1.1.1/30 interface=ether4 network=1.1.1.0
add address=1.2.2.1/30 interface=ether3 network=1.2.2.0
# Filter: every chain accepts every packet, so the router filters nothing.
# NOTE(review): the unconditional accept in chain=input makes the 8291 rule
# redundant and leaves every enabled router service reachable from both
# uplinks. A safer baseline accepts established/related traffic, accepts
# management only from the LAN or a src-address-list of admin hosts, and drops
# the remaining input arriving on in-interface-list=WAN.
/ip firewall filter
# Winbox (tcp/8291) is accepted from any source, including the internet.
add action=accept chain=input dst-port=8291 protocol=tcp
# NOTE(review): forwarding is accepted unconditionally; consider dropping
# WAN-originated forwards that are not connection-nat-state=dstnat so only the
# published port-forward reaches the LAN.
add action=accept chain=forward
add action=accept chain=output
add action=accept chain=input
# Mangle: tag connections by the uplink they arrived on and steer the replies
# into the routing table with the matching mark.
/ip firewall mangle
# Traffic addressed to the router itself: mark the connection by arrival uplink.
add action=mark-connection chain=input in-interface=ether3 \
new-connection-mark=ISP1-conn passthrough=yes
add action=mark-connection chain=input in-interface=ether4 \
new-connection-mark=ISP2-conn passthrough=yes
# Router-originated replies of ISP1-conn connections use the ISP1-route table.
add action=mark-routing chain=output connection-mark=ISP1-conn \
new-routing-mark=ISP1-route passthrough=no
# Packets of an ISP1-f connection that do not arrive on a WAN interface
# (i.e. coming back from the LAN side) are routed via the ISP1-route table.
add action=mark-routing chain=prerouting connection-mark=ISP1-f \
in-interface-list=!WAN new-routing-mark=ISP1-route passthrough=no
# Any packet arriving on an uplink (re)marks its connection. There is no
# connection-state or connection-mark matcher, so the mark is rewritten on
# every packet, including replies to connections that were opened from the LAN.
# NOTE(review): once such a reply arrives, later LAN packets of that connection
# follow the marked table instead of the main one. Marking only unmarked
# connections (connection-mark=no-mark, optionally connection-state=new) is the
# usual way to avoid this - confirm against the intended design.
add action=mark-connection chain=prerouting in-interface=ether3 \
new-connection-mark=ISP1-f passthrough=no
add action=mark-connection chain=prerouting in-interface=ether4 \
new-connection-mark=ISP2-f passthrough=no
# Same as the ISP1-f rule above, for connections that arrived on ether4.
add action=mark-routing chain=prerouting connection-mark=ISP2-f \
in-interface-list=!WAN new-routing-mark=ISP2-route passthrough=no
# NOTE(review): these forward rules set the same marks that the prerouting
# rules above already set on the same interfaces; they look redundant.
add action=mark-connection chain=forward in-interface=ether3 \
new-connection-mark=ISP1-f passthrough=no
add action=mark-connection chain=forward in-interface=ether4 \
new-connection-mark=ISP2-f passthrough=no
# Router-originated replies of ISP2-conn connections use the ISP2-route table.
add action=mark-routing chain=output connection-mark=ISP2-conn \
new-routing-mark=ISP2-route passthrough=no
# NAT: masquerade outbound traffic and publish one port-forward on both
# public addresses.
/ip firewall nat
# Source-NAT everything leaving through either uplink.
add action=masquerade chain=srcnat out-interface-list=WAN
# Traffic addressed to either public IP is handed to the shared port-forward chain.
add action=jump chain=dstnat dst-address=1.1.1.1 jump-target=\
port-forward
add action=jump chain=dstnat dst-address=1.2.2.1 jump-target=\
port-forward
# tcp/10080 on the public side is translated to 192.168.2.2:80.
# NOTE(review): replies only return through this router if 192.168.2.2 uses
# 192.168.2.253 as its gateway - verify on the web server. The forward is open
# to any source address; add a src-address-list match if it is not meant to be
# public.
add action=dst-nat chain=port-forward dst-port=10080 protocol=tcp \
to-addresses=192.168.2.2 to-ports=80
# Routes: one default route per routing mark, plus main-table defaults with
# 1.1.1.2 preferred (distance 1) over 1.2.2.2 (distance 2).
# NOTE(review): ISP1-route is applied to connections that arrived on ether3,
# whose subnet in /ip address is 1.2.2.0/30, yet this table points at 1.1.1.2
# (the ether4 subnet); ISP2-route is mirrored the same way. As printed, replies
# leave through the opposite provider with the wrong source address, which
# would explain a port-forward that never answers. Confirm the gateways match
# the uplink each mark is set on.
# NOTE(review): no route sets check-gateway, so the distance=2 default does not
# take over while the first gateway's interface stays up - confirm if failover
# is expected.
/ip route
add distance=1 gateway=1.1.1.2 routing-mark=ISP1-route
add distance=1 gateway=1.2.2.2 routing-mark=ISP2-route
add distance=1 gateway=1.1.1.2
add distance=2 gateway=1.2.2.2
# Management services: telnet, ftp, www and ssh are switched off.
# NOTE(review): winbox and the API services are not touched here, so they keep
# their current state (check with "/ip service print"). Together with the
# accept-all input chain, Winbox is reachable from the internet; restrict it
# with the service's address= list and a source-limited input rule.
# NOTE(review): the export header reports RouterOS 6.38.5, an old release;
# upgrade before leaving any management service exposed to the WAN.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes