Good afternoon. I set up dual WAN following https://mum.mikrotik.com/presentations/RU18M/presentation_6157_1554717194.pdf and ran into a problem. I distribute traffic across two WANs. When an IP address is in the First-NET list, everything works. The key point: I can connect to it from outside through either WAN. Devices that are in Second-NET I can reach only through the WAN they use to go out to the Internet (the 2nd WAN). Through the first WAN those addresses are unreachable. Please help me find the problem; where should I dig?

Config:

```
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether6 network=\
    192.168.88.0
add address=ip_inet1/29 interface=ether1-WAN1 network=ip_inet1_network
add address=ip_inet2 interface=ether2-WAN2 network=ip_inet2_network
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.253 list=First-NET
add address=192.168.88.254 list=Second-NET
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=\
    WAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=input comment=In-Out in-interface=ether1-WAN1 \
    new-connection-mark=con-WAN1 passthrough=yes
add action=mark-connection chain=input in-interface=ether2-WAN2 \
    new-connection-mark=con-WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=con-WAN1 new-routing-mark=\
    WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=con-WAN2 new-routing-mark=\
    WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment="FOR DST-NAT" \
    connection-mark=no-mark in-interface=ether1-WAN1 new-connection-mark=\
    con-WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-WAN2 new-connection-mark=con-WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=con-WAN1 \
    in-interface-list=!WAN new-routing-mark=WAN1
add action=mark-routing chain=prerouting connection-mark=con-WAN2 \
    in-interface-list=!WAN new-routing-mark=WAN2
add action=mark-connection chain=prerouting comment="STATIC ROUTE" \
    new-connection-mark=con-WAN1 passthrough=yes src-address-list=First-NET
add action=mark-connection chain=prerouting new-connection-mark=con-WAN2 \
    passthrough=yes src-address-list=Second-NET
add action=mark-routing chain=prerouting connection-mark=con-WAN1 \
    in-interface-list=!WAN new-routing-mark=WAN1
add action=mark-routing chain=prerouting connection-mark=con-WAN2 \
    in-interface-list=!WAN new-routing-mark=WAN2
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1-WAN1 to-addresses=\
    ip_inet1
add action=src-nat chain=srcnat out-interface=ether2-WAN2 to-addresses=\
    ip_inet2_network2
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.88.254
/ip route
add distance=1 gateway=ip_inet1_gate routing-mark=WAN1
add distance=1 gateway=ip_inet2_network routing-mark=WAN2
add distance=1 gateway=ip_inet1_gate
add distance=1 gateway=ip_inet2_gate
add disabled=yes distance=1 gateway=ip_inet1_gate
add disabled=yes distance=2 gateway=ip_inet2_network
/ip route rule
add action=lookup-only-in-table src-address=ip_inet1/32 table=WAN1
add action=lookup-only-in-table src-address=ip_inet2_network2/32 table=WAN2
```

Could you post the config? In general you should have 6 rules in mangle: 2 connection marks in prerouting, 2 routing marks in prerouting, 2 routing marks in output. I would guess that you are explicitly marking the route of the problem host, so it goes out the wrong WAN.
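
To test the guess in the reply above, this added example (Python, not part of the thread and not MikroTik code) models the eight prerouting mangle rules of the posted export for a connection that arrives on ether1-WAN1 and is dst-nat'ed to 192.168.88.254. Assumptions: the export does not show `passthrough` on the prerouting mark-routing rules, so it is a parameter here; fasttrack is ignored; the client address 203.0.113.10 and the `guard` variant are constructed for illustration.

```python
# Model of the prerouting mangle chain from the posted export (added example).
WAN = {"ether1-WAN1", "ether2-WAN2"}
LISTS = {"First-NET": {"192.168.88.253"}, "Second-NET": {"192.168.88.254"}}

def chain(route_passthrough, guard=False):
    """Eight prerouting rules in export order: (action, match, mark, passthrough).
    route_passthrough: assumed passthrough of the mark-routing rules (not in the export).
    guard: hypothetical variant adding connection-mark=no-mark to the STATIC ROUTE rules."""
    g = {"conn": "no-mark"} if guard else {}
    dstnat = [("conn", {"conn": "no-mark", "in_if": "ether1-WAN1"}, "con-WAN1", True),
              ("conn", {"conn": "no-mark", "in_if": "ether2-WAN2"}, "con-WAN2", True)]
    routes = [("route", {"conn": "con-WAN1", "lan": True}, "WAN1", route_passthrough),
              ("route", {"conn": "con-WAN2", "lan": True}, "WAN2", route_passthrough)]
    static = [("conn", {"src_list": "First-NET", **g}, "con-WAN1", True),
              ("conn", {"src_list": "Second-NET", **g}, "con-WAN2", True)]
    return dstnat + routes + static + routes

def matches(m, pkt, conn):
    """True when every condition present in the rule matches the packet."""
    return (m.get("conn", conn) == conn
            and m.get("in_if", pkt["in_if"]) == pkt["in_if"]
            and not (m.get("lan") and pkt["in_if"] in WAN)   # in-interface-list=!WAN
            and ("src_list" not in m or pkt["src"] in LISTS[m["src_list"]]))

def prerouting(rules, pkt, conn):
    """Run one packet through the chain; return (connection mark, routing mark)."""
    route = None
    for action, m, mark, passthrough in rules:
        if not matches(m, pkt, conn):
            continue
        if action == "conn":
            conn = mark        # stored on the conntrack entry, seen by later packets
        else:
            route = mark       # per packet, selects the routing table
        if not passthrough:
            break              # passthrough=no ends processing in this chain
    return conn, route

def reply_exit(rules, wan_in, host):
    """Routing mark of the host's reply on a connection that arrived on wan_in."""
    # 203.0.113.10 is a constructed external client address
    conn, _ = prerouting(rules, {"in_if": wan_in, "src": "203.0.113.10"}, "no-mark")
    return prerouting(rules, {"in_if": "bridge", "src": host}, conn)[1]

if __name__ == "__main__":
    for label, rules in [("passthrough=yes", chain(True)), ("passthrough=no", chain(False)),
                         ("yes + no-mark guard", chain(True, guard=True))]:
        print(label, "->", reply_exit(rules, "ether1-WAN1", "192.168.88.254"))
```

In this model the reply from 192.168.88.254 is re-marked con-WAN2 by the Second-NET rule and leaves via WAN2 when the mark-routing rules pass through; with passthrough=no, or with the no-mark guard on the STATIC ROUTE rules, it keeps the WAN1 routing mark.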