Dual wan port forwarding does not work on OpenWrt

                     ┌────────────┐
                     │            │
ip1:66.18.120.200----│veth1       │
gw1:66.18.120.1      │            │
                     │      br-lan│----192.168.1.200:8443
ip2:66.18.121.216----│veth2       │
gw2:66.18.120.1      │            │
                     └────────────┘
                         OpenWrt

veth1 and veth2 are MAC VLANs of the wan device,
double-dialing the same ISP to get two WAN IP addresses.
gateway1 metric 10, gateway2 metric 20
Firewall Port Forwards:
wan1,wan2 port:8443 -> lan 192.168.1.200:8443
curl -k https://WAN_IP1:8443 -> ok
curl -k https://WAN_IP2:8443 -> timeout
How do I configure it? Thank you for your answers!

I can't test, but you probably need to add a second wan zone in Firewall - General settings, assign veth2 to it and then add new port forwards from this new zone.

Thank you for your reply. I added veth1 and veth2 to the wan zone. It doesn't work. Then I changed veth2 to the wan2 zone. It still doesn't work. I don't know what the problem is.

On your original settings:
What occurs if you unplug ip1, which is working?
Does ip2 kick in?

You need to add port forwards again, for wan2.

@Bill If veth1 is disabled, then ip2 can work.

@m95d I have set port forward for wan2, but it still doesn't work.
I read some topics, and some said it was necessary to set the route to return to the original wan interface.

Had the same problem. It won't work because your server reply will go through the default wan. That's why it works in WAN1 but not in WAN2 (unless you unplug WAN1 so WAN2 is the default gateway).
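The return-path problem described above (the server's reply leaves through the default WAN) can be addressed by marking each connection with the WAN it arrived on and routing replies by that mark. The following is an added example, not code from the thread or from OpenWrt; `pppoe-wan1`, `pppoe-wan2` and `br-lan` are taken from the posted config, while the mark values, table numbers and rule priorities are assumptions. It prints the commands and executes them only when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: keep replies on the WAN the connection arrived on.
# Interface names come from the thread's config; marks, table ids and
# rule priorities are assumptions chosen for this example.

LAN_IF="br-lan"
APPLY="${APPLY:-0}"   # 0 = only print the commands, 1 = also execute them

run() {
    echo "$*"
    if [ "$APPLY" = "1" ]; then "$@"; fi
}

# pin_wan <wan-ifname> <n>: fwmark 0x<n>, routing table 100+n
pin_wan() {
    wan_if="$1"; n="$2"
    [ -n "$wan_if" ] || { echo "missing interface" >&2; return 1; }
    case "$n" in ''|*[!0-9]*) echo "bad id: $n" >&2; return 1 ;; esac
    mark=$(printf '0x%x' "$n")
    table=$((100 + n))

    # 1. Tag each new connection that enters through this WAN.
    run iptables -t mangle -A PREROUTING -i "$wan_if" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"
    # 2. Copy that tag onto the server's reply packets arriving from the LAN.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m connmark --mark "$mark" -j CONNMARK --restore-mark
    # 3. Per-WAN table whose default route leaves through this WAN only
    #    (PPPoE is point-to-point, so no gateway address is needed).
    run ip route replace default dev "$wan_if" table "$table"
    # 4. Marked packets use that table instead of the metric-ordered main one.
    run ip rule add fwmark "$mark" lookup "$table" priority "$((1000 + n))"
}

pin_all() {
    pin_wan pppoe-wan1 1 && pin_wan pppoe-wan2 2
}

pin_all
```

These rules do not persist on their own; with the firewall config posted in this thread, the `/etc/firewall.user` include is one place the iptables lines could be re-applied after a firewall reload.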

I guess we need to know what you expected to achieve. It is currently working as failover.

My goal is that both wan1 and wan2 can be port forwarded to the lan server to increase bandwidth. My ISP provides 30Mbps uplink per IP.

Would you be so kind as to list your device and what flavor of OpenWRT you're using?
Thank you.
Put that info in your OP/top post.

What I requested is this:

Model	MikroTik RouterBOARD 951Ui-2nD
Architecture	Qualcomm Atheros QCA9533 ver 2 rev 0
Firmware Version	OpenWrt 19.07.9 r11405-2a3558b0de / LuCI openwrt-19.07 branch git-22.045.73925-36e5c1c
Kernel Version	4.14.267

Top Post please.

/etc/config/network

config device
        option type 'macvlan'
        option ifname 'wan'
        option mode 'vepa'
        option name 'veth1'

config device
        option type 'macvlan'
        option ifname 'wan'
        option mode 'vepa'
        option name 'veth2'

config interface 'wan1'
        option proto 'pppoe'
        option device 'veth1'
        option username 'USER'
        option password 'PASSWORD'
        option ipv6 'auto'
        option metric '10'

config interface 'wan2'
        option proto 'pppoe'
        option device 'veth2'
        option username 'USER'
        option password 'PASSWORD'
        option ipv6 'auto'
        option metric '20'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8443'
        option dest_ip '192.168.1.200'
        option dest_port '8443'


config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list device 'pppoe-wan1'
        list device 'pppoe-wan2'
        list network 'wan1'
        list network 'wan2'

config forwarding
        option src 'wan'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

As a temporary "fix" you can add a second LAN with another ip and add it to the server. Then set that this subnet goes over wan2. So when someone goes over wan2 you redirect them to the second ip of the server.

Thanks for all the answers! I have solved the problem for the TCP protocol, but the UDP protocol still doesn't work.

config rule 'wan1_only_rule'
        option proto 'all'
        option sticky '1'
        option use_policy 'wan1_only'
        option logging '1'

config rule 'wan2_only_rule'
        option proto 'all'
        option sticky '1'
        option use_policy 'wan2_only'

The sticky '1' option: traffic from the same source IP address that previously matched this rule within the sticky timeout period will use the same WAN interface.
I have configured all protocols, but I don't know why the UDP protocol doesn't work. My WireGuard uses the UDP protocol and can't be accessed through the WAN interface.