I've implemented some basic mangle rules to differentiate traffic flow between two users (Pierre and Jeandre in the code below). The idea here is that each user's traffic flows through their respective ADSL account. The two ADSL accounts are dialed from within the MT router I am using. The problem comes with DNS resolution. I would like to keep everything as dynamic as possible on the network (that is, no static assignment of node IP addresses, instead static DHCP leases). Thus, if both these users occupy the same subnet, there needs to be some common DNS server that both can access. I've decided to use the DNS servers of the ADSL account (Jeandre-Axxess) and, in the mangle list, tried to forward all DNS requests through this account (in addition to user Jeandre's own data). That is, if user 2 (Pierre) has a DNS request, it will route through user 1's (Jeandre's) account and use user 1's DNS servers (as supplied by user 1's ISP). Thus under ip/dns the setting there would be the DNS servers obtained from user 1's (Jeandre's) ISP, and they would be passed to all DHCP leases.
I should also mention that both users have multiple devices that connect to the network and that are separated by address lists. The two active ADSL accounts are Pierre = Pierre-ADSL, Jeandre = Jeandre-Axxess.
When implementing this, although everything should work in theory, I experience huge latency delays for both users. A simple 'ping' command to Google from any of the users' nodes yields delays on the order of 1300 ms to the next hop (which would be the ISP default gateway). This is obviously affecting the browsing experience hugely.
[Jeandre@MikroTik] /interface pppoe-client> print
Flags: X - disabled, R - running
0 X name="Telkom-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
1 X name="Jeandre-OpenWeb" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2
2 R ;;; WebAfrica
name="Pierre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2
3 R name="Jeandre-Axxess" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
4 X ;;; RSA-Web
name="Jeandre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
[Jeandre@MikroTik] /interface pppoe-client>
[Jeandre@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 Router 192.168.0.1
1 Router 192.168.1.2
2 Router 172.16.180.100
3 Local 192.168.0.0/24
4 Local 192.168.1.0/24
5 Local 172.16.0.0/16
6 X UCom-Global 192.168.0.10
7 Internal 192.168.0.0/24
8 Internal 192.168.1.0/24
9 Local 192.168.2.0/24
10 Local 192.168.3.0/24
11 Jeandre 192.168.4.2
12 X Pierre 192.168.0.10
13 X JeandreLocal 192.168.0.10
14 ;;; Jeandre-OpenWeb
Local x.x.x.x
.......
1060 D Jeandre 192.168.0.10 >
1061 D Jeandre 192.168.0.5 >
1062 D Jeandre 192.168.0.45 >
1063 D Pierre 192.168.0.65 >
1064 D Pierre 192.168.0.50 >
1065 D Jeandre 192.168.0.15 >
1066 D Pierre 192.168.0.61 >
1067 D Pierre 192.168.0.60 >
1068 D Jeandre 192.168.0.20 >
1069 D Jeandre 192.168.0.21 >
[Jeandre@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=Jeandre-Axxess
1 chain=srcnat action=masquerade out-interface=Pierre-ADSL
2 chain=srcnat action=masquerade out-interface=Ethernet3-Telkom
3 chain=srcnat action=masquerade out-interface=Ethernet1-UCom
4 I chain=srcnat action=masquerade out-interface=Jeandre-OpenWeb
5 I chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=8080 protocol=tcp in-interface=Jeandre-OpenWeb dst-port=8080
6 chain=srcnat action=src-nat to-addresses=192.168.2.10 src-address=192.168.0.10 dst-address=192.168.2.0/24
7 chain=srcnat action=src-nat to-addresses=192.168.2.20 src-address=192.168.0.20 dst-address=192.168.2.0/24
8 chain=srcnat action=src-nat to-addresses=192.168.2.40 src-address=192.168.0.40 dst-address=192.168.2.0/24
9 chain=srcnat action=src-nat to-addresses=192.168.2.45 src-address=192.168.0.45 dst-address=192.168.2.0/24
10 chain=srcnat action=src-nat to-addresses=192.168.2.50 src-address=192.168.0.50 dst-address=192.168.2.0/24
11 chain=srcnat action=src-nat to-addresses=192.168.2.3 src-address=192.168.1.1 dst-address=192.168.2.0/24
12 chain=dstnat action=dst-nat to-addresses=192.168.0.10 src-address=192.168.2.0/24 dst-address=192.168.2.10
13 chain=dstnat action=dst-nat to-addresses=192.168.0.20 src-address=192.168.2.0/24 dst-address=192.168.2.20
14 chain=dstnat action=dst-nat to-addresses=192.168.0.45 src-address=192.168.2.0/24 dst-address=192.168.2.45
15 chain=dstnat action=dst-nat to-addresses=192.168.0.40 src-address=192.168.2.0/24 dst-address=192.168.2.40
16 chain=dstnat action=dst-nat to-addresses=192.168.1.1 src-address=192.168.2.0/24 dst-address=192.168.2.3
17 chain=dstnat action=dst-nat to-addresses=192.168.0.50 src-address=192.168.2.0/24 dst-address=192.168.2.50
18 X chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=8080 protocol=tcp in-interface=Jeandre-OpenWeb dst-port=80
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R name="Jeandre-Network-Bridge" mtu=1500 l2mtu=1598 arp=enabled mac-address=00:0C:42:D5:09:0A protocol-mode=none priority=0x8000 auto-mac=no admin-mac=00:0C:42:D5:09:0A max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
1 R name="Jeandre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=proxy-arp mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
2 R name="Jeandre-NAS-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
3 R name="Jeandre-Server-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
4 R name="Telkom-Router-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
5 R name="Pierre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
6 R name="Jeandre-iPhone-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; DNS Requests route through Pierre
chain=prerouting action=mark-connection new-connection-mark=dns passthrough=yes protocol=udp src-address=127.0.0.1 dst-port=53
1 ;;; DNS Requests route through Pierre
chain=prerouting action=mark-connection new-connection-mark=dns passthrough=yes protocol=udp dst-address=!127.0.0.1 dst-port=53
2 ;;; DNS Requests route through Pierre
chain=prerouting action=mark-connection new-connection-mark=GlobalOutbound passthrough=yes dst-address-list=!Local connection-mark=!dns
3 X ;;; DNS Requests route through Pierre
chain=input action=mark-connection new-connection-mark=PPTP-VPN passthrough=yes protocol=tcp in-interface=Jeandre-OpenWeb dst-port=1723
4 ;;; DNS Requests route through Pierre
chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no connection-mark=dns
5 ;;; Pierre Traffic route through AfriHost
chain=prerouting action=mark-packet new-packet-mark=pierre-packets passthrough=yes src-address-list=Pierre connection-mark=GlobalOutbound
6 ;;; Pierre Traffic route through AfriHost
chain=prerouting action=mark-routing new-routing-mark=Pierre passthrough=no src-address-list=Pierre connection-mark=GlobalOutbound
7 X ;;; Jeandre Local Traffic route through Openweb
chain=prerouting action=mark-routing new-routing-mark=JeandreLocal passthrough=no src-address-list=Jeandre dst-address-list=RSA-Local connection-mark=GlobalOutbound
8 X ;;; Jeandre Traffic route through Axxess
chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no src-address-list=Jeandre dst-address-list=!RSA-Local connection-mark=GlobalOutbound
9 ;;; Jeandre Traffic route through Axxess
chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no src-address-list=Jeandre connection-mark=GlobalOutbound
10 ;;; All other Traffic route through UCom
chain=prerouting action=mark-routing new-routing-mark=UCom passthrough=no src-address-list=UCom-Global connection-mark=GlobalOutbound
11 X ;;; VPN Connection Route through OpenWeb Local only Acc
chain=output action=mark-routing new-routing-mark=JeandreLocal passthrough=no connection-mark=PPTP-VPN
[Jeandre@MikroTik] >
[Jeandre@MikroTik] > ip dns print
servers: 168.210.2.2,196.14.239.2
allow-remote-requests: yes
max-udp-packet-size: 512
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 166KiB
[Jeandre@MikroTik] >
Thanks.
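An added example, not part of the post above and not MikroTik code: a small Python model of the enabled prerouting mangle rules as printed, evaluated with RouterOS semantics (rules in order, a matching rule applies its action, passthrough=no stops evaluation, and a connection mark set by an earlier rule is visible to later rules in the same pass). It is useful for checking which marks a given flow actually receives before touching the router. Two things it makes visible: a DNS query from a Pierre host to the router itself (192.168.0.1:53) still gets connection-mark dns and routing-mark Jeandre, and the router's own resolver queries to 168.210.2.2 never traverse prerouting at all (locally originated packets go through the output chain), so rule 0 with src-address=127.0.0.1 cannot match anything. The OUTPUT_DNS_RULE, the sample addresses from the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and the per-packet (no conntrack table) treatment are my assumptions, not something in the post.

```python
"""Model of the posted prerouting mangle chain (added example, not the post's config)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Address lists reconstructed from the posted "ip firewall address-list print".
LOCAL = [ipaddress.ip_network(n) for n in
         ("192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/16",
          "192.168.2.0/24", "192.168.3.0/24")]
PIERRE = {"192.168.0.65", "192.168.0.50", "192.168.0.61", "192.168.0.60"}
JEANDRE = {"192.168.4.2", "192.168.0.10", "192.168.0.5", "192.168.0.45",
           "192.168.0.15", "192.168.0.20", "192.168.0.21"}


@dataclass
class Packet:
    chain: str            # "prerouting" (from a LAN host) or "output" (router-originated)
    src: str
    dst: str
    proto: str = "udp"
    dport: int = 0
    # Each Packet is treated as the first packet of its connection; no conntrack table.
    conn_mark: Optional[str] = None
    routing_mark: Optional[str] = None
    packet_mark: Optional[str] = None


def in_list(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


@dataclass
class Rule:
    chain: str
    match: Callable[[Packet], bool]
    action: Callable[[Packet], None]
    passthrough: bool = True
    comment: str = ""


def mark_conn(m):   return lambda p: setattr(p, "conn_mark", m)
def mark_route(m):  return lambda p: setattr(p, "routing_mark", m)
def mark_packet(m): return lambda p: setattr(p, "packet_mark", m)


# Enabled rules 0, 1, 2, 4, 5, 6 and 9 from the posted "ip firewall mangle print".
# Rule 10 is omitted: its src-address-list UCom-Global has only a disabled entry.
POSTED_RULES = [
    Rule("prerouting", lambda p: p.proto == "udp" and p.src == "127.0.0.1" and p.dport == 53,
         mark_conn("dns"), True, "0: router-originated traffic never enters prerouting"),
    Rule("prerouting", lambda p: p.proto == "udp" and p.dst != "127.0.0.1" and p.dport == 53,
         mark_conn("dns"), True, "1"),
    Rule("prerouting", lambda p: not in_list(p.dst, LOCAL) and p.conn_mark != "dns",
         mark_conn("GlobalOutbound"), True, "2"),
    Rule("prerouting", lambda p: p.conn_mark == "dns", mark_route("Jeandre"), False, "4"),
    Rule("prerouting", lambda p: p.src in PIERRE and p.conn_mark == "GlobalOutbound",
         mark_packet("pierre-packets"), True, "5"),
    Rule("prerouting", lambda p: p.src in PIERRE and p.conn_mark == "GlobalOutbound",
         mark_route("Pierre"), False, "6"),
    Rule("prerouting", lambda p: p.src in JEANDRE and p.conn_mark == "GlobalOutbound",
         mark_route("Jeandre"), False, "9"),
]

# Assumed addition (NOT in the post): an output-chain rule so the router's own
# resolver queries get the Jeandre routing mark like the forwarded ones do.
OUTPUT_DNS_RULE = Rule("output", lambda p: p.proto == "udp" and p.dport == 53,
                       mark_route("Jeandre"), False, "assumed output-chain rule")


def classify(pkt: Packet, rules=POSTED_RULES) -> tuple:
    """Walk the rules for the packet's chain; return (conn, routing, packet) marks."""
    for r in rules:
        if r.chain == pkt.chain and r.match(pkt):
            r.action(pkt)
            if not r.passthrough:
                break
    return (pkt.conn_mark, pkt.routing_mark, pkt.packet_mark)


def scenarios(rules=POSTED_RULES) -> dict:
    """Constructed sample flows; 203.0.113.7 stands in for the PPPoE-assigned address."""
    cases = {
        "pierre_dns_to_router":   Packet("prerouting", "192.168.0.65", "192.168.0.1", "udp", 53),
        "pierre_dns_to_internet": Packet("prerouting", "192.168.0.65", "192.0.2.53", "udp", 53),
        "pierre_https":           Packet("prerouting", "192.168.0.65", "198.51.100.10", "tcp", 443),
        "jeandre_https":          Packet("prerouting", "192.168.0.10", "198.51.100.10", "tcp", 443),
        "router_resolver_query":  Packet("output", "203.0.113.7", "168.210.2.2", "udp", 53),
    }
    return {name: classify(p, rules) for name, p in cases.items()}


if __name__ == "__main__":
    for name, marks in scenarios().items():
        print(f"{name:24s} posted rules -> {marks}")
    print("router_resolver_query with output rule ->",
          scenarios(POSTED_RULES + [OUTPUT_DNS_RULE])["router_resolver_query"])
```

One caveat the printed config raises: `allow-remote-requests: yes` makes the router's DNS cache answer queries on every interface it accepts input on, and the post shows no `ip firewall filter` output, so it is not visible whether udp/tcp 53 from the PPPoE interfaces is dropped in the input chain. That is the check to make before relying on the router as the shared resolver; without it the cache is reachable as an open resolver from the ISP side.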