ZioN
just joined
Topic Author
Posts: 22
Joined: Sun Jun 12, 2011 4:12 pm

latency issues with mangle rules.

Tue May 01, 2012 4:17 pm

Hi

I've implemented some basic mangle rules to differentiate traffic flow between two users (Pierre and Jeandre in the code below). The idea here is that each user's traffic flows through their respective ADSL account. The two ADSL accounts are dialed from within the MT router I am using. The problem comes with DNS resolution. I would like to keep everything as dynamic as possible on the network (that is, no static assignment of node IP addresses, but static DHCP leases instead). Thus, if both these users occupy the same subnet, there needs to be some common DNS server that both can access. I've decided to use the DNS servers of the ADSL account (Jeandre-Axxess) and, in the mangle list, tried to forward all DNS requests through this account (in addition to the user Jeandre's own data). That is, if user 2 (Pierre) has a DNS request, it will route through user 1's (Jeandre's) account and use user 1's DNS servers (as supplied by user 1's ISP). Thus under ip/dns the setting would be the DNS servers obtained from user 1's (Jeandre's) ISP, which would be passed to all DHCP leases.

I should also mention that both users have multiple devices that connect to the network and that are separated by address lists. The two active adsl accounts are Pierre = Pierre-ADSL, Jeandre = Jeandre-Axxess.

When implementing this, although everything should work in theory, I experience huge latency delays for both users. A simple 'ping' command to google from any of the users' nodes yields delays on the order of 1300ms to the next hop (which would be the ISP default gateway). This is obviously influencing the browsing experience hugely.
[Jeandre@MikroTik] /interface pppoe-client> print                         
Flags: X - disabled, R - running 
 0 X  name="Telkom-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=yes 
      allow=pap,chap,mschap1,mschap2 

 1 X  name="Jeandre-OpenWeb" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no 
      allow=pap,chap,mschap1,mschap2 

 2  R ;;; WebAfrica
      name="Pierre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no 
      allow=pap,chap,mschap1,mschap2 

 3  R name="Jeandre-Axxess" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=yes 
      allow=pap,chap,mschap1,mschap2 

 4 X  ;;; RSA-Web
      name="Jeandre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="xxxx" password="xxxx" profile=default service-name="" ac-name="" add-default-route=no 
      dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2 
[Jeandre@MikroTik] /interface pppoe-client> 

[Jeandre@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic 
 #      LIST           ADDRESS
 0      Router         192.168.0.1
 1      Router         192.168.1.2
 2      Router         172.16.180.100
 3      Local          192.168.0.0/24
 4      Local          192.168.1.0/24
 5      Local          172.16.0.0/16
 6 X    UCom-Global    192.168.0.10
 7      Internal       192.168.0.0/24
 8      Internal       192.168.1.0/24
 9      Local          192.168.2.0/24
10      Local          192.168.3.0/24
11      Jeandre        192.168.4.2
12 X    Pierre         192.168.0.10
13 X    JeandreLocal   192.168.0.10
14      ;;; Jeandre-OpenWeb
        Local          x.x.x.x
.......
1060 D  Jeandre        192.168.0.10   >
1061 D  Jeandre        192.168.0.5    >
1062 D  Jeandre        192.168.0.45   >
1063 D  Pierre         192.168.0.65   >
1064 D  Pierre         192.168.0.50   >
1065 D  Jeandre        192.168.0.15   >
1066 D  Pierre         192.168.0.61   >
1067 D  Pierre         192.168.0.60   >
1068 D  Jeandre        192.168.0.20   >
1069 D  Jeandre        192.168.0.21   >

[Jeandre@MikroTik] > ip firewall nat print         
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=Jeandre-Axxess 

 1   chain=srcnat action=masquerade out-interface=Pierre-ADSL 

 2   chain=srcnat action=masquerade out-interface=Ethernet3-Telkom 

 3   chain=srcnat action=masquerade out-interface=Ethernet1-UCom 

 4 I chain=srcnat action=masquerade out-interface=Jeandre-OpenWeb 

 5 I chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=8080 protocol=tcp in-interface=Jeandre-OpenWeb dst-port=8080 

 6   chain=srcnat action=src-nat to-addresses=192.168.2.10 src-address=192.168.0.10 dst-address=192.168.2.0/24 

 7   chain=srcnat action=src-nat to-addresses=192.168.2.20 src-address=192.168.0.20 dst-address=192.168.2.0/24 

 8   chain=srcnat action=src-nat to-addresses=192.168.2.40 src-address=192.168.0.40 dst-address=192.168.2.0/24 

 9   chain=srcnat action=src-nat to-addresses=192.168.2.45 src-address=192.168.0.45 dst-address=192.168.2.0/24 

10   chain=srcnat action=src-nat to-addresses=192.168.2.50 src-address=192.168.0.50 dst-address=192.168.2.0/24 

11   chain=srcnat action=src-nat to-addresses=192.168.2.3 src-address=192.168.1.1 dst-address=192.168.2.0/24 

12   chain=dstnat action=dst-nat to-addresses=192.168.0.10 src-address=192.168.2.0/24 dst-address=192.168.2.10 

13   chain=dstnat action=dst-nat to-addresses=192.168.0.20 src-address=192.168.2.0/24 dst-address=192.168.2.20 

14   chain=dstnat action=dst-nat to-addresses=192.168.0.45 src-address=192.168.2.0/24 dst-address=192.168.2.45 

15   chain=dstnat action=dst-nat to-addresses=192.168.0.40 src-address=192.168.2.0/24 dst-address=192.168.2.40 

16   chain=dstnat action=dst-nat to-addresses=192.168.1.1 src-address=192.168.2.0/24 dst-address=192.168.2.3 

17   chain=dstnat action=dst-nat to-addresses=192.168.0.50 src-address=192.168.2.0/24 dst-address=192.168.2.50 

18 X chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=8080 protocol=tcp in-interface=Jeandre-OpenWeb dst-port=80 
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > interface bridge print        
Flags: X - disabled, R - running 
 0  R name="Jeandre-Network-Bridge" mtu=1500 l2mtu=1598 arp=enabled mac-address=00:0C:42:D5:09:0A protocol-mode=none priority=0x8000 auto-mac=no admin-mac=00:0C:42:D5:09:0A max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 1  R name="Jeandre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=proxy-arp mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m 

 2  R name="Jeandre-NAS-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 3  R name="Jeandre-Server-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 4  R name="Telkom-Router-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 5  R name="Pierre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 6  R name="Jeandre-iPhone-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > ip firewall mangle print      
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; DNS Requests route through Pierre
     chain=prerouting action=mark-connection new-connection-mark=dns passthrough=yes protocol=udp src-address=127.0.0.1 dst-port=53 

 1   ;;; DNS Requests route through Pierre
     chain=prerouting action=mark-connection new-connection-mark=dns passthrough=yes protocol=udp dst-address=!127.0.0.1 dst-port=53 

 2   ;;; DNS Requests route through Pierre
     chain=prerouting action=mark-connection new-connection-mark=GlobalOutbound passthrough=yes dst-address-list=!Local connection-mark=!dns 

 3 X ;;; DNS Requests route through Pierre
     chain=input action=mark-connection new-connection-mark=PPTP-VPN passthrough=yes protocol=tcp in-interface=Jeandre-OpenWeb dst-port=1723 

 4   ;;; DNS Requests route through Pierre
     chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no connection-mark=dns 

 5   ;;; Pierre Traffic route through AfriHost
     chain=prerouting action=mark-packet new-packet-mark=pierre-packets passthrough=yes src-address-list=Pierre connection-mark=GlobalOutbound 

 6   ;;; Pierre Traffic route through AfriHost
     chain=prerouting action=mark-routing new-routing-mark=Pierre passthrough=no src-address-list=Pierre connection-mark=GlobalOutbound 

 7 X ;;; Jeandre Local Traffic route through Openweb
     chain=prerouting action=mark-routing new-routing-mark=JeandreLocal passthrough=no src-address-list=Jeandre dst-address-list=RSA-Local connection-mark=GlobalOutbound 

 8 X ;;; Jeandre Traffic route through Axxess
     chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no src-address-list=Jeandre dst-address-list=!RSA-Local connection-mark=GlobalOutbound 

 9   ;;; Jeandre Traffic route through Axxess
     chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no src-address-list=Jeandre connection-mark=GlobalOutbound 

10   ;;; All other Traffic route through UCom
     chain=prerouting action=mark-routing new-routing-mark=UCom passthrough=no src-address-list=UCom-Global connection-mark=GlobalOutbound 

11 X ;;; VPN Connection Route through OpenWeb Local only Acc
     chain=output action=mark-routing new-routing-mark=JeandreLocal passthrough=no connection-mark=PPTP-VPN 
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > ip dns print                  
                servers: 168.210.2.2,196.14.239.2
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 166KiB
[Jeandre@MikroTik] > 

If anyone could please have a quick look over the above CLI output and point out to me where I went wrong, or where my analogy or approach is incorrect, I would really appreciate it.

Thanks.
 
Egate
Long time Member
Posts: 554
Joined: Thu May 15, 2008 10:43 am
Location: South Africa

Re: latency issues with mangle rules.

Tue May 01, 2012 9:05 pm

Sorry, wanted to read, but my head hurt. :-) The thing coming to mind is KISS. Keep it simple; don't mean to offend, will leave that part. :) Looks to me like your data also gets confused and in the end ends up using your default route if it exists. This usually causes the delays you talk about.

First off, use your router as primary DNS server and as the second server an international DNS like 8.8.8.8. Only the very first request will be a few ms longer; after that, your server will supply DNS.

Add a rule to allow input on your router before you start marking and routing. Also, from the IPs it appears as though you do actually split the users into subnets. Make a rule in mangle to mark connections for Jeandre on all of 192.168.4.0/24 and so forth. Use this mark in ip routes to route data out whichever ADSL you assign for each user. This will be two rules for each user: one in mangle and one in routes.
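The layout Egate describes above (router as primary DNS with 8.8.8.8 as the second server, input allowed before any marking, one mangle rule plus one route per user), combined with the original post's aim of sending DNS lookups out through Jeandre's account, written out as an added RouterOS configuration example. This is not config from either poster; it reuses the interface names (Jeandre-ADSL, Pierre-ADSL), address lists (Jeandre, Pierre, Local) and DNS servers shown in the thread, uses the v5/v6-era routing-mark syntax on /ip route, and the routing-mark names, the filter rules and the assumption that a /ip dhcp-server network entry for 192.168.0.0/24 already exists are mine. Egate's per-subnet variant would replace src-address-list=Jeandre with src-address=192.168.4.0/24.

```routeros
# Added example (not from either poster): per-user ADSL routing with the
# router as the single DNS forwarder. Names of interfaces, address lists
# and DNS servers are taken from the thread; mark names are assumptions.

# 1. Clients are handed the router as their only DNS server. The router
#    forwards to the ISP resolver and 8.8.8.8 and caches, so only the
#    first lookup of a name pays the upstream round trip.
/ip dns set servers=8.8.8.8,168.210.2.2 allow-remote-requests=yes
/ip dhcp-server network set [find address=192.168.0.0/24] dns-server=192.168.0.1

# 2. Let the LAN reach the router itself (DNS, DHCP, management) before
#    anything is marked, and stop allow-remote-requests=yes from turning
#    the PPPoE side into an open resolver for the whole internet.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address-list=Local action=accept comment="LAN -> router"
add chain=input in-interface=Jeandre-ADSL protocol=udp dst-port=53 action=drop
add chain=input in-interface=Jeandre-ADSL protocol=tcp dst-port=53 action=drop
add chain=input in-interface=Pierre-ADSL protocol=udp dst-port=53 action=drop
add chain=input in-interface=Pierre-ADSL protocol=tcp dst-port=53 action=drop

# 3. One mangle rule per user. Traffic whose destination is the LAN or the
#    router (dst in list "Local", which is where the clients' DNS queries
#    go) is never marked, so it cannot be pushed out an ADSL link.
/ip firewall mangle
add chain=prerouting src-address-list=Jeandre dst-address-list=!Local \
    action=mark-routing new-routing-mark=Jeandre passthrough=no \
    comment="Jeandre's devices -> Jeandre-ADSL"
add chain=prerouting src-address-list=Pierre dst-address-list=!Local \
    action=mark-routing new-routing-mark=Pierre passthrough=no \
    comment="Pierre's devices -> Pierre-ADSL"

# 4. One route per routing mark, plus a main-table default. The PPPoE
#    clients run with add-default-route=no, so every default is static.
#    The router's own DNS forwarding is router-originated (output chain,
#    never seen by the prerouting rules) and follows the main-table
#    default, which is Jeandre's account as the original post wanted.
/ip route
add dst-address=0.0.0.0/0 gateway=Jeandre-ADSL routing-mark=Jeandre check-gateway=ping
add dst-address=0.0.0.0/0 gateway=Pierre-ADSL routing-mark=Pierre check-gateway=ping
add dst-address=0.0.0.0/0 gateway=Jeandre-ADSL check-gateway=ping \
    comment="main table: router-originated traffic, incl. DNS forwarding"
```

The masquerade rules already present for each PPPoE interface take care of source NAT once a packet has been steered to the right link. With passthrough=no on the mark-routing rules, a packet is handled by the first matching user rule only, and a destination inside the Local list is left unmarked, which is why the LAN-to-router input rule can sit in front of the marking without interfering with it.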
 
ZioN
just joined
Topic Author
Posts: 22
Joined: Sun Jun 12, 2011 4:12 pm

Re: latency issues with mangle rules.

Mon May 07, 2012 11:36 pm

Hi

Thanks for the reply.

Maybe I should clarify my setup. Please see the following (rudimentary) network layout:
[attachment: Doc1.jpg, network layout diagram]
[Jeandre@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                       TYPE          MTU   L2MTU  MAX-L2MTU
 0  R  Ethernet1-UCom             ether         1500  1600
 1  R  Ethernet2-Network          ether         1500  1598   2030
 2  R  Ethernet3-Telkom           ether         1500  1598   2030
 3  X  ether4                     ether         1500  1598   2030
 4  X  ether5                     ether         1500  1598   2030
 5  R  Jeandre-Network-WiFi       wlan          1500  2290
 6  R  Jeandre-Network-Bridge     bridge        1500  1598
 7  X  Telkom-ADSL                pppoe-out
 8     Jeandre-Remote-VPN         pptp-in
 9     Jeandre-CPT-VPN            pptp-in
10  R  EoIP-Jeandre-CPT-VPN       eoip-tunnel   1500  65535
11  R  Jeandre-Desktop-Loopback   bridge        1500  65535
12  R  Jeandre-NAS-Loopback       bridge        1500  65535
13  R  Jeandre-Server-Loopback    bridge        1500  65535
14  R  Telkom-Router-Loopback     bridge        1500  65535
15  R  Pierre-Desktop-Loopback    bridge        1500  65535
16     Chanelle-VPN               pptp-in
17  X  Jeandre-OpenWeb            pppoe-out
18     Jeandre-Phone-VPN          pptp-in
19  R  Jeandre-iPhone-Loopback    bridge        1500  65535
20  R  ;;; WebAfrica
       Pierre-ADSL                pppoe-out     1480
21     Pierre-VPN                 pptp-in
22  R  ;;; RSA-Web
       Jeandre-ADSL               pppoe-out     1480


[Jeandre@MikroTik] > interface pppoe-client print
Flags: X - disabled, R - running 

 2  R ;;; WebAfrica
      name="Pierre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="x" password="x" profile=default service-name="" 
      ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2 

 3  R ;;; RSA-Web
      name="Jeandre-ADSL" max-mtu=1480 max-mru=1480 mrru=disabled interface=Ethernet3-Telkom user="x" password="x" profile=default 
      service-name="" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=no allow=pap,chap,mschap1,mschap2 
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > interface bridge print
Flags: X - disabled, R - running 
 0  R name="Jeandre-Network-Bridge" mtu=1500 l2mtu=1598 arp=enabled mac-address=00:0C:42:D5:09:0A protocol-mode=none priority=0x8000 auto-mac=no admin-mac=00:0C:42:D5:09:0A 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 1  R name="Jeandre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=proxy-arp mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 2  R name="Jeandre-NAS-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 3  R name="Jeandre-Server-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 4  R name="Telkom-Router-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 5  R name="Pierre-Desktop-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 6  R name="Jeandre-iPhone-Loopback" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE               BRIDGE                   PRIORITY  PATH-COST  HORIZON
 0    Ethernet2-Network       Jeandre-Network-Bridge   0x80      10         none
 1    Jeandre-Network-WiFi    Jeandre-Network-Bridge   0x80      10         none
 2    EoIP-Jeandre-CPT-VPN    Jeandre-Network-Bridge   0x80      10         none
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK          INTERFACE
 0   172.16.180.100/24  172.16.180.0     Ethernet1-UCom
 1   192.168.0.1/24     192.168.0.0      Jeandre-Network-Bridge
 2   192.168.1.2/24     192.168.1.0      Ethernet3-Telkom
 3   192.168.2.3/32     192.168.2.3      Telkom-Router-Loopback
 4   192.168.2.10/32    192.168.2.10     Jeandre-Desktop-Loopback
 5   192.168.2.50/32    192.168.2.50     Pierre-Desktop-Loopback
 6   192.168.2.40/32    192.168.2.40     Jeandre-Server-Loopback
 7   192.168.2.45/32    192.168.2.45     Jeandre-NAS-Loopback
 8   192.168.2.20/32    192.168.2.20     Jeandre-iPhone-Loopback
 9 D xxx.xxx.xxx.xxx    xxx.xxx.xxx.xxx  Pierre-ADSL
10 D xxx.xxx.xxx.xxx    xxx.xxx.xxx.xxx  Jeandre-ADSL
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > ip dns print   
                servers: 8.8.8.8,168.210.2.2
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 62KiB
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > ip dhcp-server print 
Flags: X - disabled, I - invalid 
 #   NAME              INTERFACE                RELAY  ADDRESS-POOL      LEASE-TIME  ADD-ARP
 0   Jeandre-Network   Jeandre-Network-Bridge          Jeandre-Network   3d
[Jeandre@MikroTik] > 


[Jeandre@MikroTik] > ip dhcp-server lease print detail
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 0   ;;; Jeandre-Desktop
     address=192.168.0.10 mac-address=BC:AE:C5:CF:02:31 client-id="1:bc:ae:c5:cf:2:31" address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d20h52m22s last-seen=1h5m9s 
     active-address=192.168.0.10 active-mac-address=BC:AE:C5:CF:02:31 active-client-id="1:bc:ae:c5:cf:2:31" active-server=Jeandre-Network host-name="Jeandre-Desktop" 

 1   ;;; Jeandre-Printer
     address=192.168.0.5 mac-address=98:4B:E1:3B:4F:A7 client-id="1:98:4b:e1:3b:4f:a7" address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d20h49m17s last-seen=14h31m59s 
     active-address=192.168.0.5 active-mac-address=98:4B:E1:3B:4F:A7 active-client-id="1:98:4b:e1:3b:4f:a7" active-server=Jeandre-Network host-name="Jeandre-Printer" 

 2   ;;; Jeandre-Network-Server
     address=192.168.0.40 mac-address=00:1D:7D:AC:47:06 address-list="Jeandre" server=Jeandre-Network always-broadcast=yes status=bound expires-after=2d20h51m47s last-seen=1d5h39m24s 
     active-address=192.168.0.40 active-mac-address=00:1D:7D:AC:47:06 active-client-id="1:0:1d:7d:ac:47:6" active-server=Jeandre-Network host-name="hyper-v-server" 

 3   ;;; Jeandre-NAS
     address=192.168.0.45 mac-address=00:10:75:07:45:8D client-id="1:0:10:75:7:45:8d" address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d20h51m52s last-seen=15h29m24s 
     active-address=192.168.0.45 active-mac-address=00:10:75:07:45:8D active-client-id="1:0:10:75:7:45:8d" active-server=Jeandre-Network host-name="Jeandre-NAS" 

 4   ;;; Pierre-iPad
     address=192.168.0.65 mac-address=40:30:04:81:16:74 address-list="Pierre" server=Jeandre-Network always-broadcast=yes status=bound expires-after=2d23h51m45s last-seen=8m15s 
     active-address=192.168.0.65 active-mac-address=40:30:04:81:16:74 active-client-id="1:40:30:4:81:16:74" active-server=Jeandre-Network host-name="Pierres-iPad" 

 5   ;;; Jeandre-PS3
     address=192.168.0.30 mac-address=00:24:8D:D2:93:5F client-id="1:0:24:8d:d2:93:5f" address-list="Jeandre" server=Jeandre-Network last-seen=1d2h40m23s 

 6   ;;; Pierre-Desktop
     address=192.168.0.50 mac-address=00:80:77:15:13:20 client-id="1:0:80:77:15:13:20" address-list="Pierre" server=Jeandre-Network status=bound expires-after=2d20h51m17s last-seen=2h54m29s 
     active-address=192.168.0.50 active-mac-address=00:80:77:15:13:20 active-client-id="1:0:80:77:15:13:20" active-server=Jeandre-Network host-name="snorbaard-i5" 

 7   ;;; Jeandre-Phone
     address=192.168.0.15 mac-address=50:CC:F8:28:82:2B address-list="Jeandre" server=Jeandre-Network always-broadcast=yes status=bound expires-after=2d20h52m58s last-seen=3h7m2s 
     active-address=192.168.0.15 active-mac-address=50:CC:F8:28:82:2B active-client-id="1:50:cc:f8:28:82:2b" active-server=Jeandre-Network 

 8   ;;; Jeandre-Desktop Wifi (EnGenius)
     address=192.168.0.11 mac-address=00:02:6F:4F:74:AD address-list="UCom-Global" server=Jeandre-Network last-seen=never 

 9   ;;; Pierre-PS3
     address=192.168.0.70 mac-address=FC:0F:E6:71:51:B1 client-id="1:fc:f:e6:71:51:b1" address-list="Pierre" server=Jeandre-Network last-seen=9w4d10h33m40s 

10   ;;; Pierre-Netbook WiFi
     address=192.168.0.61 mac-address=00:1D:92:C7:B2:D5 client-id="1:0:1d:92:c7:b2:d5" address-list="Pierre" server=Jeandre-Network last-seen=1w1d3h52m48s 

11   ;;; Pierre-Netbook Ethernet
     address=192.168.0.60 mac-address=00:1D:92:5A:9C:33 client-id="1:0:1d:92:5a:9c:33" address-list="Pierre" server=Jeandre-Network last-seen=1w1d1h6m18s 

12   ;;; Pierre-iPhone
     address=192.168.0.55 mac-address=14:8F:C6:4E:DB:E9 client-id="1:14:8f:c6:4e:db:e9" address-list="Pierre" server=Jeandre-Network last-seen=6w7m31s 

13   ;;; Jeandre-Download-Server
     address=192.168.0.35 mac-address=00:00:58:11:84:3E address-list="Jeandre" server=Jeandre-Network last-seen=8w12h35m35s 

14   ;;; Pierre-phone-xperia
     address=192.168.0.56 mac-address=00:23:45:39:CD:F5 address-list="Pierre" server=Jeandre-Network last-seen=1w5d40m47s 

15 X ;;; Jeandre-Laptop - Wifi
     address=192.168.0.98 mac-address=00:26:C6:00:8F:54 address-list="Jeandre" server=Jeandre-Network last-seen=3w23h27m35s 

16 X ;;; Jeandre-Laptop - EtherNet
     address=192.168.0.99 mac-address=18:A9:05:93:85:DF address-list="Jeandre" server=Jeandre-Network last-seen=never 

17   ;;; Jeandre-Laptop - Wifi
     address=192.168.0.20 mac-address=00:24:D7:9E:64:9C address-list="Jeandre" server=Jeandre-Network status=bound expires-after=2d21h37m50s last-seen=2h22m6s active-address=192.168.0.20 
     active-mac-address=00:24:D7:9E:64:9C active-client-id="1:0:24:d7:9e:64:9c" active-server=Jeandre-Network host-name="Jeandre-Laptop" 

18   ;;; Jeandre-Laptop - EtherNet
     address=192.168.0.21 mac-address=F0:DE:F1:72:F9:6C address-list="Jeandre" server=Jeandre-Network last-seen=1w2d2h8m27s 

19 D address=192.168.0.97 mac-address=00:00:5A:11:84:3E client-id="1:0:0:5a:11:84:3e" server=Jeandre-Network status=bound expires-after=2d20h51m47s last-seen=1d5h39m26s active-address=192.168.0.97 
     active-mac-address=00:00:5A:11:84:3E active-client-id="1:0:0:5a:11:84:3e" active-server=Jeandre-Network host-name="hyper-v-server" 


[Jeandre@MikroTik] > ip firewall nat print            
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=Jeandre-ADSL 

 1   chain=srcnat action=masquerade out-interface=Pierre-ADSL 

 2   chain=srcnat action=masquerade out-interface=Ethernet3-Telkom 

 3   chain=srcnat action=masquerade out-interface=Ethernet1-UCom 

 5   chain=srcnat action=src-nat to-addresses=192.168.2.10 src-address=192.168.0.10 dst-address=192.168.2.0/24 

 6   chain=srcnat action=src-nat to-addresses=192.168.2.20 src-address=192.168.0.20 dst-address=192.168.2.0/24 

 7   chain=srcnat action=src-nat to-addresses=192.168.2.40 src-address=192.168.0.40 dst-address=192.168.2.0/24 

 8   chain=srcnat action=src-nat to-addresses=192.168.2.45 src-address=192.168.0.45 dst-address=192.168.2.0/24 

 9   chain=srcnat action=src-nat to-addresses=192.168.2.50 src-address=192.168.0.50 dst-address=192.168.2.0/24 

10   chain=srcnat action=src-nat to-addresses=192.168.2.3 src-address=192.168.1.1 dst-address=192.168.2.0/24 

11   chain=dstnat action=dst-nat to-addresses=192.168.0.10 src-address=192.168.2.0/24 dst-address=192.168.2.10 

12   chain=dstnat action=dst-nat to-addresses=192.168.0.20 src-address=192.168.2.0/24 dst-address=192.168.2.20 

13   chain=dstnat action=dst-nat to-addresses=192.168.0.45 src-address=192.168.2.0/24 dst-address=192.168.2.45 

14   chain=dstnat action=dst-nat to-addresses=192.168.0.40 src-address=192.168.2.0/24 dst-address=192.168.2.40 

15   chain=dstnat action=dst-nat to-addresses=192.168.1.1 src-address=192.168.2.0/24 dst-address=192.168.2.3 

16   chain=dstnat action=dst-nat to-addresses=192.168.0.50 src-address=192.168.2.0/24 dst-address=192.168.2.50 

17 X chain=dstnat action=dst-nat to-addresses=192.168.0.10 to-ports=8080 protocol=tcp in-interface=Jeandre-OpenWeb dst-port=80 
[Jeandre@MikroTik] >
 

[Jeandre@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Jeandre VPN
     chain=input action=mark-connection new-connection-mark=Jeandre-VPN passthrough=yes protocol=tcp in-interface=Jeandre-ADSL dst-port=1723 

 1   ;;; Jeandre VPN
     chain=output action=mark-routing new-routing-mark=Jeandre passthrough=no connection-mark=Jeandre-VPN 

 2   ;;; Pierre VPN
     chain=input action=mark-connection new-connection-mark=Pierre-VPN passthrough=yes protocol=tcp in-interface=Pierre-ADSL dst-port=1723 

 3   ;;; Pierre VPN
     chain=output action=mark-routing new-routing-mark=Pierre passthrough=no connection-mark=Pierre-VPN 

 4   ;;; Pierre packet marks for queue
     chain=prerouting action=mark-packet new-packet-mark=pierre-in passthrough=yes in-interface=Pierre-ADSL 

 5   ;;; Pierre packet marks for queue
     chain=postrouting action=mark-packet new-packet-mark=pierre-out passthrough=yes out-interface=Pierre-ADSL 

 6   ;;; Pierre Traffic route through WebAfrica (ADSL)
     chain=prerouting action=mark-routing new-routing-mark=Pierre passthrough=no src-address-list=Pierre 

 7   ;;; Jeandre packet marks for queue
     chain=prerouting action=mark-packet new-packet-mark=jeandre-in passthrough=yes in-interface=Jeandre-ADSL 

 8   ;;; Jeandre packet marks for queue
     chain=postrouting action=mark-packet new-packet-mark=jeandre-out passthrough=yes out-interface=Jeandre-ADSL 

 9   ;;; Jeandre Traffic route through RSA-Web (ADSL)
     chain=prerouting action=mark-routing new-routing-mark=Jeandre passthrough=no src-address-list=Jeandre 


[Jeandre@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic 
 #    LIST        ADDRESS
 0    Router      192.168.0.1
 1    Router      192.168.1.2
 2    Router      172.16.180.100
 3    Local       192.168.0.0/24
 4    Local       192.168.1.0/24
 5    Local       172.16.0.0/16
 7    Internal    192.168.0.0/24
 8    Internal    192.168.1.0/24
 9    Local       192.168.2.0/24
10    Local       192.168.3.0/24
11    Jeandre     192.168.4.2
1060 D Jeandre     192.168.0.10    >
1061 D Jeandre     192.168.0.5     >
1062 D Jeandre     192.168.0.40    >
1063 D Jeandre     192.168.0.45    >
1064 D Pierre      192.168.0.65    >
1065 D Pierre      192.168.0.50    >
1066 D Jeandre     192.168.0.15    >
1067 D Jeandre     192.168.0.20    >
[Jeandre@MikroTik] >             
As shown in the layout, my local network is on one subnet (192.168.0.0/24). There are three user groups: myself (Jeandre), Pierre, and default. All the nodes on the network share the same subnet but are differentiated by address lists (dynamically assigned via a predefined DHCP static lease for that node).

The main objective here is to route all Jeandre traffic through Jeandre-ADSL, Pierre traffic through Pierre-ADSL and other traffic (which would most likely be guests connecting via the wifi interface and will only be temporary) through Ethernet1-UCom. The 'X'-ADSL interfaces are PPPoE clients dialed through Ethernet3-Telkom, which has a standard ADSL router connected to it (placed in bridge mode). The Ethernet1-UCom interface is an actual UTP cable leading to a switch of my secondary ISP. This (Ethernet1-UCom) interface has a static IP and network assigned to it.

I have made the UCom interface the default route, as this account is an uncapped account. The other two (ADSL) accounts are capped accounts.

I would like any incoming connection on any of the various interfaces to go back out of that same interface. That is, say a PPTP client dials a connection to dyndnsname1.org; once the connection is established, it should 'route' back out of Jeandre-ADSL (as dyndnsname1.org is linked to the Jeandre-ADSL public IP address). However, it seems that the connection is 'made' but cannot be established. I am presuming what happens is that the incoming tcp/1723 connection hits the route and wants to travel out of the default route instead of the incoming interface. I therefore had to set up some mangle rules that detect this incoming tcp/1723 connection and place it on the Jeandre routing table.

This is where I seem to be struggling. I don't know if my approach to this whole problem/setup is correct. I decided to go with mangle rules detecting the source address of each packet and then placing it on one of the two routing tables, Jeandre or Pierre, and obviously default/non-address-list packets on main. Then I specified three global/default routes: one with prerequisite routing mark Jeandre, one with prerequisite routing mark Pierre and one with no prerequisite. However, I am starting to think this whole approach is incorrect. I am experiencing more and more problems with this approach, but don't know of any other way to set up the network so that it follows the layout (above). Simple things like port forwarding don't seem to work either, or at least not when incoming on one of the ADSL interfaces. It seems as if a packet that has been forwarded/dst-nat'd to an internal IP (based on the dst port) reaches that node, but any packets returning from that connection seem to want to follow the default route, and therefore it doesn't work.

I have reached the point where I am even considering placing each user group on a separate subnet and running some form of WINS server for NetBIOS and Windows network discovery (as this was the main reason why all nodes were to be on the same subnet).

If anyone can please help me with this I would greatly appreciate it. I have sat for days with this problem but am afraid I am looking at it from the wrong point of view. Sometimes a second set of eyes is all that's needed.

Thanks so much.
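A worked configuration for the return-path problem the post describes (port forwards and the PPTP server on a non-default WAN answering out of the wrong interface), added here as an example; it is not from the post or from any reply in the thread. It keeps the post's interface names (Jeandre-ADSL, Pierre-ADSL, Ethernet1-UCom) and routing marks (Jeandre, Pierre). The connection-mark names via-Jeandre/via-Pierre and the rule comments are my own, and the RouterOS 5/6 syntax is assumed. The idea is to tag every new connection with the WAN it arrived on, then set the routing mark from that connection mark on later packets, in prerouting for forwarded replies from LAN hosts and in output for replies the router itself generates, before any src-address-list rule can re-mark them. This generalizes the post's two per-port 1723 rules to all inbound connections on each WAN.

```routeros
# Added example, not the poster's config. Interface names and routing marks are
# from the post; connection-mark names "via-Jeandre"/"via-Pierre" and the
# comments are assumptions made for this example.

/ip firewall mangle
# 1) Remember which WAN a NEW connection arrived on. Prerouting sees both
#    forwarded (dst-nat'd) packets and packets for the router itself (PPTP 1723),
#    so one rule per WAN covers every inbound service on that WAN.
add chain=prerouting in-interface=Jeandre-ADSL connection-state=new \
    action=mark-connection new-connection-mark=via-Jeandre passthrough=yes \
    comment="inbound via Jeandre-ADSL"
add chain=prerouting in-interface=Pierre-ADSL connection-state=new \
    action=mark-connection new-connection-mark=via-Pierre passthrough=yes \
    comment="inbound via Pierre-ADSL"

# 2) Replies from LAN hosts (port forwards): choose the table by connection mark.
#    Match only packets NOT arriving on that WAN, i.e. the LAN->WAN direction.
#    passthrough=no so the later src-address-list rules cannot re-mark them.
add chain=prerouting in-interface=!Jeandre-ADSL connection-mark=via-Jeandre \
    action=mark-routing new-routing-mark=Jeandre passthrough=no \
    comment="replies back out Jeandre-ADSL"
add chain=prerouting in-interface=!Pierre-ADSL connection-mark=via-Pierre \
    action=mark-routing new-routing-mark=Pierre passthrough=no \
    comment="replies back out Pierre-ADSL"

# 3) Replies generated by the router itself (PPTP server and any other service
#    bound on the WAN address) follow the same connection mark.
add chain=output connection-mark=via-Jeandre \
    action=mark-routing new-routing-mark=Jeandre passthrough=no \
    comment="router replies back out Jeandre-ADSL"
add chain=output connection-mark=via-Pierre \
    action=mark-routing new-routing-mark=Pierre passthrough=no \
    comment="router replies back out Pierre-ADSL"

# 4) The prerouting rules above must sit ABOVE the existing src-address-list
#    rules (6 and 9 in the post). Otherwise a Pierre host's reply to a connection
#    that came in on Jeandre-ADSL is re-marked "Pierre" and leaves the wrong WAN.
#    Print, note the new rule numbers, then move them to the top, e.g.:
#      /ip firewall mangle move [find comment="inbound via Jeandre-ADSL"] destination=0
print

/ip route
# Per-mark default routes as the post already describes them (a PPPoE client
# interface can be given directly as the gateway). The main table keeps
# Ethernet1-UCom as its default route and is not touched here.
add dst-address=0.0.0.0/0 gateway=Jeandre-ADSL routing-mark=Jeandre \
    comment="Jeandre table default"
add dst-address=0.0.0.0/0 gateway=Pierre-ADSL routing-mark=Pierre \
    comment="Pierre table default"

# Check: open a PPTP session or a forwarded port from outside on Jeandre-ADSL,
# then confirm the connection carries the mark and a route exists for it.
/ip firewall connection print where connection-mark=via-Jeandre
/ip route print where routing-mark=Jeandre
```

Two points to keep in mind when applying this. The existing per-interface masquerade rules already handle the source address for whichever WAN the reply leaves on, so no NAT change is needed. And the connection marks only decide the return path; which services are reachable on each WAN is still decided by the input and forward filter chains, so keep tcp/1723 and each dst-nat'd port explicitly allowed on the intended WAN and drop everything else arriving on the PPPoE interfaces, since with these rules any service the router answers on a WAN address now answers correctly from outside.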