1 server 2 DSL lines

Bene007 · March 13, 2012, 3:21pm

Hey everybody,

i’ve a problem. How can i reach the server at the same time via dsl line 1 and dsl line 2? This is the export of my firewall:

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=\
    5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=spi comment="Bereits vorhandene Verbindungen akzeptieren" connection-state=established disabled=no
add action=accept chain=spi comment="Related Verbindugen akzeptieren (z.B. ICMP-Meldungen)" connection-state=related disabled=no
add action=drop chain=spi comment="Mikrotik Empfehlung: Pakete mit Invalid-Mark gleich loswerden" connection-state=invalid disabled=no
add action=return chain=spi comment="Zurueck, die restlichen Regeln sind Chain-spezifisch" disabled=no
add action=jump chain=forward disabled=no jump-target=spi
add action=accept chain=forward comment="PPTP-Negotiation erlauben" disabled=no dst-address=192.168.1.2 dst-port=1723 protocol=tcp
add action=accept chain=forward comment="GRE erlauben" disabled=no dst-address=192.168.1.2 protocol=gre
add action=accept chain=forward comment=Website disabled=no dst-address=192.168.1.2 dst-port=80 protocol=tcp
add action=accept chain=forward comment="Alles ueberall hin vom LAN erlauben" disabled=no in-interface=ether3
add action=drop chain=forward comment="Alles andere verwerfen" disabled=no
add action=jump chain=input disabled=no jump-target=spi
add action=accept chain=input comment="Ping immer annehmen" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=input comment="Alles aus dem LAN annehmen" disabled=no in-interface=ether3
add action=drop chain=input comment="Alles andere verwerfen" disabled=no
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Client 1 ueber DSL B" disabled=no new-routing-mark=dslB passthrough=yes src-address=192.168.1.4-192.168.1.99
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT fuer DSL1" disabled=no out-interface=pppoe1
add action=masquerade chain=srcnat comment="NAT fuer DSL2" disabled=no out-interface=pppoe2
add action=masquerade chain=srcnat comment="-> Server NAT" disabled=no dst-address=192.168.1.0/24
add action=dst-nat chain=dstnat disabled=no dst-address=!192.168.1.3 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="PPTP Negotiation -> Server" disabled=no dst-address=!192.168.1.3 dst-address-type=local dst-port=1723 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="GRE -> Server" disabled=no dst-address=!192.168.1.3 dst-address-type=local protocol=gre to-addresses=192.168.1.2
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

The server has the ip-adress 192.168.1.2 → He goes via DSL1 (DSL A) in the internet. The server is reachable via the WAN-adress of DSL1, but not via WAN-adress of DSL2. But what’s my mistake? Can someone help?

Thanks

tws101 · March 13, 2012, 6:21pm

Are you trying to load balance or just have a fail over?

How are your routes setup?

Here is a load balancing example

01
/ip address
02
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
03
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
04
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
05

06
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8
07

08
/ip firewall mangle
09
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
10
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
11

12
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
13
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
14

15
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
16
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
17

18
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
19
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
20

21
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
22
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
23

24
/ip route
25
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
26
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
27

28
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
29
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
30

31
/ip firewall nat
32
add chain=srcnat out-interface=WAN1 action=masquerade
33
add chain=srcnat out-interface=WAN2 action=masquerade

Bene007 · March 14, 2012, 4:39pm

load balance

How are your routes setup?

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe2 routing-mark=dslB scope=10 target-scope=10

I’ve only one server (192.168.1.2), the server comes via DSL2 in the Internet (pppoe2). You can reach the server via the WAN-IP of pppoe2, but not via the WAN-IP of pppoe1. But why? I want that you can reach the webserver via both WAN-IPs at the same time.

tws101 · March 14, 2012, 8:38pm

You need another route for pppoe1. Add your second gateway to that route.

As your routes are setup now you are only routing out of pppoe2.

Bene007 · March 15, 2012, 1:34pm

You mean

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe1 scope=10 target-scope=10

or what? idk what u mean. sorry

tws101 · March 15, 2012, 2:22pm

That would add it as a second route with the same distance. Edit your first route and just add the second gateway.

Bene007 · March 15, 2012, 3:03pm

Done!

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe2,pppoe1 routing-mark=dslB scope=10 target-scope=10

But that destroys the policy based routing, because the pppoe1 is set as default, and now the server has the WAN-IP of pppoe1. Or do you know my mistake?

tws101 · March 15, 2012, 5:32pm

Okay I am getting a little lost.

What is your /IP Address configuration?
What is your /IP Interface configuration?
What interface is the Server connected to?

Diagram would help.

Bene007 · March 15, 2012, 6:04pm

What is your /IP Address configuration?

Of my Computer?
192.168.1.101

What is your /IP Interface configuration?

pppoe1, because 192.168.1.100-192.168.1.199 → pppoe1

What interface is the Server connected to?

Interface pppoe2

tws101 · March 15, 2012, 6:13pm

When I am asking those questions with a / I am wanting you to use the terminal in the mikrotik router with the print command

Commands would be
/interface print
/ip address print

Here is an example of the output. This is from my mikrotik router.
0 ;;; Shield Office
192.168.0.1/24 192.168.0.0 Ether5-Out to Switch
1 ;;; Shield Main
192.168.1.1/24 192.168.1.0 vlan100
2 ;;; Shield Guest
192.168.2.1/24 192.168.2.0 vlan200
3 ;;; Shield Routable Guest
192.168.3.1/24 192.168.3.0 vlan300
4 D XX.XXX.101.213/21 XX.XXX.96.0 Ether1-Gateway-TW
5 D XXX.XX.210.116/32 XXX.XX.211.254 Ether2-PPPoE
6 ;;; Transparent Wep Proxy Address
192.168.254.1/32 192.168.254.1 Ether5-Out to Switch

tws101 · March 15, 2012, 6:31pm

Okay so External clients cant reach the web server on your second DSL connection.

What is connected to in-interface=ether3 ?

Bene007 · March 15, 2012, 6:48pm

Sorry ok

/interface print

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                                                      TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ether1                                                                    ether             1500  1598       4074
 1  R  ether2                                                                    ether             1500  1598       4074
 2  R  ether3                                                                    ether             1500  1598       4074
 3     ether4                                                                    ether             1500  1598       4074
 4     ether5                                                                    ether             1500  1598       4074
 5  R  ;;; Leitung 1
       pppoe1                                                                    pppoe-out         1492
 6  R  ;;; Leitung 2
       pppoe2                                                                    pppoe-out         1492

/ip address print

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                       
 0   ;;; LAN-IP
     192.168.1.3/24     192.168.1.0     ether3                                                                          
 1 D 93.233.77.51/32    87.186.224.45   pppoe1                                                                          
 2 D 87.164.124.254/32  217.0.116.80    pppoe2

Okay so External clients cant reach the web server on your second DSL connection.

You can reach the server via the second DSL connection (pppoe2), but not via the first DSL connection (pppoe1)

What is connected to in-interface=ether3 ?

On that port is the switch connected

tws101 · March 15, 2012, 8:25pm

From what I can see it all looks perfectly fine. However I assume the issue must be with some vestigial firewall rule that is left over from before your changes.

what do you have under /ip firewall filter print

Bene007 · March 15, 2012, 8:32pm

Here is the export:

/ip firewall filter
add action=accept chain=spi comment=\
    "Bereits vorhandene Verbindungen akzeptieren" connection-state=\
    established disabled=no
add action=accept chain=spi comment=\
    "Related Verbindugen akzeptieren (z.B. ICMP-Meldungen)" connection-state=\
    related disabled=no
add action=drop chain=spi comment=\
    "Mikrotik Empfehlung: Pakete mit Invalid-Mark gleich loswerden" \
    connection-state=invalid disabled=no
add action=return chain=spi comment=\
    "Zurueck, die restlichen Regeln sind Chain-spezifisch" disabled=no
add action=jump chain=forward disabled=no jump-target=spi
add action=accept chain=forward comment="PPTP-Negotiation erlauben" disabled=\
    no dst-address=192.168.1.2 dst-port=1723 protocol=tcp
add action=accept chain=forward comment="GRE erlauben" disabled=no \
    dst-address=192.168.1.2 protocol=gre
add action=accept chain=forward comment=Website disabled=no dst-address=\
    192.168.1.2 dst-port=80 protocol=tcp
add action=accept chain=forward comment="Alles ueberall hin vom LAN erlauben" \
    disabled=no in-interface=ether3
add action=drop chain=forward comment="Alles andere verwerfen" disabled=no
add action=jump chain=input disabled=no jump-target=spi
add action=accept chain=input comment="Ping immer annehmen" disabled=no \
    icmp-options=8:0 protocol=icmp
add action=accept chain=input comment="Alles aus dem LAN annehmen" disabled=\
    no in-interface=ether3
add action=drop chain=input comment="Alles andere verwerfen" disabled=no

the comments are german, because i’m from germany If u need a translation, i’ll translate it

EDIT:

Here i printed it out

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Bereits vorhandene Verbindungen akzeptieren
     chain=spi action=accept connection-state=established 

 1   ;;; Related Verbindugen akzeptieren (z.B. ICMP-Meldungen)
     chain=spi action=accept connection-state=related 

 2   ;;; Mikrotik Empfehlung: Pakete mit Invalid-Mark gleich loswerden
     chain=spi action=drop connection-state=invalid 

 3   ;;; Zurueck, die restlichen Regeln sind Chain-spezifisch
     chain=spi action=return 

 4   chain=forward action=jump jump-target=spi 

 5   ;;; PPTP-Negotiation erlauben
     chain=forward action=accept protocol=tcp dst-address=192.168.1.2 dst-port=1723 

 6   ;;; GRE erlauben
     chain=forward action=accept protocol=gre dst-address=192.168.1.2 

 7   ;;; Website
     chain=forward action=accept protocol=tcp dst-address=192.168.1.2 dst-port=80 

 8   ;;; Alles ueberall hin vom LAN erlauben
     chain=forward action=accept in-interface=ether3

tws101 · March 15, 2012, 8:57pm

That is incomplete only 8 rules coming up… You need to show them all as I am assuming you have some rules toward the bottom that are dropping input on your first dsl connection.

Bene007 · March 16, 2012, 8:31am

Sorry -.-

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Bereits vorhandene Verbindungen akzeptieren
     chain=spi action=accept connection-state=established 

 1   ;;; Related Verbindugen akzeptieren (z.B. ICMP-Meldungen)
     chain=spi action=accept connection-state=related 

 2   ;;; Mikrotik Empfehlung: Pakete mit Invalid-Mark gleich loswerden
     chain=spi action=drop connection-state=invalid 

 3   ;;; Zurueck, die restlichen Regeln sind Chain-spezifisch
     chain=spi action=return 

 4   chain=forward action=jump jump-target=spi 

 5   ;;; PPTP-Negotiation erlauben
     chain=forward action=accept protocol=tcp dst-address=192.168.1.2 
     dst-port=1723 

 6   ;;; GRE erlauben
     chain=forward action=accept protocol=gre dst-address=192.168.1.2 

 7   ;;; Website
     chain=forward action=accept protocol=tcp dst-address=192.168.1.2 
     dst-port=80 

 8   ;;; Alles ueberall hin vom LAN erlauben
     chain=forward action=accept in-interface=ether3 

 9   ;;; Alles andere verwerfen
     chain=forward action=drop 

10   chain=input action=jump jump-target=spi 

11   ;;; Ping immer annehmen
     chain=input action=accept protocol=icmp icmp-options=8:0 

12   ;;; Alles aus dem LAN annehmen
     chain=input action=accept in-interface=ether3 

13   ;;; Alles andere verwerfen
     chain=input action=drop

tws101 · March 16, 2012, 2:46pm

Could be 9 13 or maybe 2 I am not sure. I’m not that big a firewall guy.

Try disabling the drop rules and retesting. If it works go back through enabling them one at a time.

Bene007 · March 16, 2012, 3:12pm

You think it’s a firewall problem?

Could be 9 13 or maybe 2 I am not sure. I’m not that big a firewall guy.

Try disabling the drop rules and retesting. If it works go back through enabling them one at a time.

no success -.-

Bene007 · March 20, 2012, 2:35pm

push No one can help?

tws101 · March 20, 2012, 8:49pm

I think I found the issue and I am sorry this took so long.

The issue is when a client contacts the sever on the second connection the server is responding on the first connection.

I am posting information from my earlier post below it has your answer. In the post below notice how the mangle rules identifies which wan connection a request is coming in on. Then is marks and and ensures the return traffic uses the same route. So you need to edit your mangle rules only for a connection coming in on WAN 2 and mark that traffic. Then establish a route for the traffic that will leave WAN 2 instead of WAN1 like it is doing now.

That will solve the issue.

\