Mikrotik. 2 WAN. DMZ services

Task:

We have two independent WAN links from two different operators. We want our DMZ services, such as SMTP/IMAP, HTTP and, for example, an SQL database, to be reachable simultaneously and independently over both WAN links. The router is a Mikrotik, in this lab a hAP ac lite running RouterOS 6.x (specifically 6.34.4), and the services reach the Internet through it. How do we set this up?

Mikrotik and two WANs

DMZ services on two WAN links

To complete this task, you need to mark traffic so that the replies of the DMZ services to client requests from the Internet leave through the same interface on which the request arrived.

The Mikrotik interfaces are named WAN1 and WAN2 respectively. To avoid confusion, each interface's comment records the provider and the physical port number on the Mikrotik:

Designation of WAN interfaces

The default rules in IP->Firewall look like this (they are the ones shipped with the default configuration; the only additions are the equivalent rules for WAN2 and a rule permitting Winbox access):

Winbox step-by-step instructions:

  1. IP->Firewall->Mangle. Add connection marking for incoming connections in the prerouting chain:
    General tab

    Action tab

    New rules added

  2. IP->Firewall->Mangle. Add routing marking for the already-marked connections in the prerouting chain, excluding addresses that belong to any router interface (Dst. Address Type: ! local):
    General tab

    Copy these rules for chain=output if you want not only the DMZ services but also the Mikrotik itself to be reachable on both WAN links, from both operators, at the same time.

  3. Add the routes for the marked connections by copying the default routes and setting the Routing Mark that corresponds to each link. If DHCP is used, also add a comment to the route for later use in the gateway update script: "IP-
  4. If DHCP is used on any link, add the following default gateway update script:
    # gateway currently held by the DHCP client on WAN2
    :global WAN2GWNEW [/ip dhcp-client get [find interface="WAN2"] gateway]
    # gateway of the marked route we created (comment WAN2)
    :global WAN2GW [/ip route get [/ip route find comment="WAN2"] gateway]
    # update the route only when the gateway has changed
    :if ($WAN2GWNEW != $WAN2GW) do={
        /ip route set [find comment="WAN2"] gateway=$WAN2GWNEW
    }
    In this example, WAN2 receives its address via DHCP, so we need to update the gateway of the route we created (comment WAN2):


  5. Now add port forwarding (using SSH as the example) for each service we want to expose to external networks, one rule per WAN interface; the rules differ only in the incoming interface:
    Add NAT Rule
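The Winbox steps above, written out as RouterOS 6 terminal commands. This is an added example, not the post's own configuration export. It assumes the interface names WAN1 and WAN2 from the post, a static WAN1 gateway of 203.0.113.1 and a DHCP-assigned WAN2 gateway (both constructed documentation addresses), a DMZ host at 192.168.88.10 and SSH (tcp/22) as the forwarded service; the mark names WAN1_conn, WAN2_conn, to_WAN1 and to_WAN2 are also my own choice.

```routeros
# Added example, not the post's own export. Assumed names and addresses:
#   WAN1 = static link, gateway 203.0.113.1 (constructed documentation address)
#   WAN2 = DHCP link; gateway 198.51.100.1 is only an initial placeholder that
#          the step-4 script keeps current (route is found by its comment "WAN2")
#   DMZ host 192.168.88.10, forwarded service: ssh (tcp/22), as in the post

# Step 1: mark each new connection with the WAN interface it arrived on.
# connection-mark=no-mark makes the rule fire once per connection.
/ip firewall mangle
add chain=prerouting in-interface=WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes \
    comment="conn in via WAN1"
add chain=prerouting in-interface=WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes \
    comment="conn in via WAN2"

# Step 2: route-mark packets of those connections, except packets addressed to
# the router itself (dst-address-type=!local). At mangle time the inbound
# request still carries the router's public address (dst-nat happens later),
# so only the DMZ host's replies get the mark and leave via the same WAN.
add chain=prerouting connection-mark=WAN1_conn dst-address-type=!local \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no \
    comment="reply via WAN1"
add chain=prerouting connection-mark=WAN2_conn dst-address-type=!local \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no \
    comment="reply via WAN2"
# Same in the output chain so the router's own services (e.g. Winbox)
# answer on both links
add chain=output connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no

# Step 3: one default route per routing mark, copied from the plain default
# routes. The comment on the WAN2 route is what the step-4 script searches for.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_WAN1 comment="WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_WAN2 comment="WAN2"

# Step 5: port forwarding for ssh, one dst-nat rule per incoming WAN interface
/ip firewall nat
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=22 comment="ssh via WAN1"
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=22 comment="ssh via WAN2"
```

To confirm the marking works, connect to the service over each public address in turn and check `/ip firewall connection print` for the connection marks, and `/ip route print where routing-mark=to_WAN2` for the marked route. The step-4 script runs from the DHCP client's script hook or from `/system scheduler`; if it is not triggered, the WAN2 route keeps the placeholder gateway and replies over WAN2 will fail.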

The problem of service availability over the links of two WAN operators is solved, and the same technique works for more than two operators. What remains unsolved is the use of dynamic IPs and binding them to a permanent name in your domain. The current IP can be bound using the RouterOS tool available since version 6.14, IP/Cloud. But what if you also need to bind the second, backup link to DNS? If anyone has a solution, please share it in the comments.
