klap
January 3, 2017, 3:16pm
1
I have a question. I configured dual WAN with Q balance in the router, but I want 1 PC to always use the same WAN.
That PC has software that is very old, and it uses the FTP protocol to upload information to a site. I made rules and everything to mark packets, but it still doesn't work. When I disable 1 WAN, the application works fine and sends the files, but when I enable the 2 WANs, the application FAILS to send the information to the SERVER. So I think one solution I have is to tell MikroTik that that PC always goes out through 1 WAN.
Thanks for the help!
Best regards
klap
Sob
January 3, 2017, 6:42pm
2
Imagine yourself as some random other member of this forum, who wants to help others and reads your post. What do you see? I think it’s pretty close to this:
“Hmm… he has some multi-WAN setup, ok. He doesn’t provide any details about exact kind of load balancing used. And he wants one PC to use only one WAN, no problem. But it almost sounds like he did something already. Too bad he didn’t write what exactly. Or was that part about packet marking just related to two WANs? If only he posted config export, everything could be clear. Oh well, too bad, good luck to him, moving to next thread…”
Additional hints:
/export hide-sensitive
FTP is a tricky protocol with two transfer modes, and from the firewall's view they make a huge difference
klap
January 4, 2017, 2:18am
3
You are right, sorry. My MikroTik config:
# jan/03/2017 23:17:36 by RouterOS 6.37.3
# software id = RNSE-HZEW
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=Local
set [ find default-name=ether2 ] disabled=yes name=WAN1
set [ find default-name=ether3 ] name=WAN2
set [ find default-name=ether4 ] name=ether4VPN
/interface pptp-client
add add-default-route=yes connect-to=149.47.30.6 default-route-distance=5 disabled=no mrru=1600 name=vpnNakel user=tuvieja
/ip pool
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=Local lease-time=1w3d10m name=dhcp1
/queue tree
add name=ftp packet-mark=FTP_GENERAL parent=bridge1 priority=2 queue=default
/ip address
add address=192.168.1.1/24 interface=Local network=192.168.1.0
add address=192.168.3.2/24 interface=WAN1 network=192.168.3.0
add address=192.168.2.2/24 interface=WAN2 network=192.168.2.0
/ip arp
add address=192.168.1.252 interface=WAN1 mac-address=00:25:22:DA:B9:80
/ip dhcp-server lease
add address=192.168.1.252 client-id=1:0:25:22:da:b9:80 mac-address=00:25:22:DA:B9:80 server=dhcp1
add address=192.168.1.200 mac-address=00:1E:C9:CE:33:40
add address=192.168.45.10 disabled=yes mac-address=00:1E:C9:CE:33:42
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4,192.168.45.1,192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=2w6d cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4,192.168.45.1
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=Local
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=Local
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=Local new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Local new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Local new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Local new-routing-mark=to_WAN2 passthrough=yes
add action=mark-connection chain=postrouting comment=FTP_POSTROUTING dst-port=21 new-connection-mark=FTP passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=FTP_PRE_ROUTING dst-port=21 new-connection-mark=FTP passthrough=yes protocol=tcp
add action=mark-packet chain=postrouting comment=FTP_GENERAL connection-mark=FTP new-packet-mark=FTP_GENERAL passthrough=no
add action=mark-packet chain=prerouting comment=FTP_GENERAL connection-mark=FTP new-packet-mark=FTP_GENERAL passthrough=no
add action=mark-routing chain=output connection-mark=FTP new-routing-mark=to_WAN1 packet-mark=FTP_GENERAL passthrough=yes
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=input1_connection passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=input2_connection passthrough=yes
add action=mark-routing chain=output connection-mark=input1_connection new-routing-mark=to_outside1 passthrough=no
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=input2_connection passthrough=yes
add action=mark-routing chain=output connection-mark=input2_connection new-routing-mark=to_outside2 passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=WAN1 new-connection-mark=outside1_connection passthrough=no
add action=mark-connection chain=forward connection-state=new in-interface=WAN2 new-connection-mark=outside2_connection passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside1_connection new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside2_connection new-routing-mark=to_outside2 passthrough=no
add action=mark-connection chain=prerouting comment="Mangle para CALVO" disabled=yes new-connection-mark=WAN1_conn passthrough=yes src-address=192.168.1.252
add action=route chain=prerouting disabled=yes passthrough=yes port="" protocol=tcp route-dst=192.168.2.1 src-port=50000-60000
add action=route chain=prerouting disabled=yes passthrough=yes port="" protocol=udp route-dst=192.168.2.1
add action=route chain=prerouting connection-mark=FTP disabled=yes packet-mark=FTP_GENERAL passthrough=yes route-dst=192.168.2.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=accept chain=pre-hotspot dst-address-type=!local hotspot=auth
add action=masquerade chain=srcnat out-interface=vpnNakel
add action=accept chain=pre-hotspot dst-address-type=!local hotspot=auth
add action=accept chain=srcnat disabled=yes dst-address-list=200.65.110.18 dst-port=21 protocol=tcp to-addresses=192.168.1.252 to-ports=21
add action=accept chain=srcnat disabled=yes dst-port=50000-51000 protocol=tcp to-addresses=192.168.1.252 to-ports=50000-51000
add action=passthrough chain=dstnat connection-mark=no-mark disabled=yes log-prefix=ftp packet-mark=FTP_GENERAL src-address=192.168.1.252
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=5 dst-address=192.168.45.0/24 gateway=192.168.45.1
add distance=5 dst-address=192.168.45.0/24 gateway=vpnNakel
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system leds
set 5 interface=wlan1
/system routerboard settings
set init-delay=0s protected-routerboot=disabled
If I disable WAN1 (for example) the application works FINE. So my idea is to tell MikroTik that that PC always goes out through WAN1.
I tried to do that but it doesn't work with this:
I tried 3 different ways but I think that PC (.252) keeps going out through WAN1 and WAN2
add action=route chain=prerouting disabled=yes passthrough=yes port="" protocol=tcp route-dst=192.168.2.1 src-port=50000-60000
add action=route chain=prerouting disabled=yes passthrough=yes port="" protocol=udp route-dst=192.168.2.1
add action=route chain=prerouting connection-mark=FTP disabled=yes packet-mark=FTP_GENERAL passthrough=yes route-dst=192.168.2.1
Sob
January 4, 2017, 4:59am
4
That’s quite a lot of rules you have there. And several duplicate ones. You should be able to simplify your mangle rules like this (I hope I didn’t overlook anything, try to understand what it does before doing changes):
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 \
new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 \
new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Local \
connection-state=related connection-type=ftp new-connection-mark=FTP passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Local \
protocol=tcp dst-port=21 new-connection-mark=FTP passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local \
new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local \
new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=FTP new-routing-mark=to_WAN1 passthrough=yes
add action=mark-packet chain=prerouting comment=FTP_GENERAL connection-mark=FTP new-packet-mark=FTP_GENERAL passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
You also need this little hint for proper routing to LAN:
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
Then make sure your FTP client uses passive mode and it should work. Unless you connect to encrypted FTP, in that case it wouldn’t work ok. You’d probably have to use per-connection-classifier=both-addresses. Or maybe there could be another way, I have some idea, but I’d have to think about it a little more to be sure.
klap
January 4, 2017, 7:21am
5
Hi, thanks for your time! And sorry, my English is very bad.
Yes, I have some duplicate rules; I created them and tested whether they work, and then I don't delete them, I just disable them so I don't forget what I tried and where I am (sorry, I don't know how to say it in English, it's like a memo). I know maybe it's bad, I need to clean up that mess.
I will read carefully what you gave me; I hate copy-paste, I need to understand. Tomorrow I will read and apply those rules in my router. But I have 2 quick questions, sorry if they are very stupid questions.
A) Why
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
192.168.0.0/16 - my LAN is in 192.168.1.0/25 - that rule doesn't reach my LAN.. or is it an example, or maybe I missed something (I think I missed something)
B) My FTP is in passive mode - I need to ask the owner of the software whether it is encrypted or not.
Thanks for your time again, I appreciate it
Sob
January 4, 2017, 4:14pm
6
I like your approach.
The idea is very simple. Going by posted rules in order:
#1-2: Mark incoming connections from WAN if they are not marked yet. It will happen when someone accesses some service on the router from the internet, or for ports forwarded to internal machines.
#3: Mark FTP data connections. It will only work for those that the conntrack helper can see, so it requires the control connection on the standard port (or ports set in /ip firewall service-port set ftp disabled=no ports=), and not encrypted.
#4: Mark FTP control connections. It's done by port, because it's not yet clear from the first packet that it's an FTP connection.
#5-6: Your original load balancing.
#7-8: Set routing for forwarded connections with to_WANx mark.
#9: Set routing for FTP connections.
#10: Your packet marking for queue.
#11-12: Set routing for local connections.
Route rule makes things simpler. Without it, you need extra rules to except some connections from marking. If you didn’t do that, marked connections could have trouble finding the right route to LAN. This allows you to tell router to always look for LAN address range in main routing table only, even if packet has different routing mark.
About the subnet used in the routing rule: you can use your exact LAN subnet, but even a larger one should probably be ok; 192.168.0.0/16 is all private address space. It would cause a problem only if your router was part of some larger complex LAN.
klap
January 4, 2017, 5:59pm
7
Ok, let me see if I understand correctly:
I am cleaning up and making a new configuration in mangle:
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=Local
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=Local
I don't need to name the dst-address, is it enough to name WAN1 and WAN2 in these sentences?:
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
So my new clean config was:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Local connection-state=related connection-type=ftp new-connection-mark=FTP passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Local protocol=tcp dst-port=21 new-connection-mark=FTP passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=FTP new-routing-mark=to_WAN1 passthrough=yes
add action=mark-packet chain=prerouting comment=FTP_GENERAL connection-mark=FTP new-packet-mark=FTP_GENERAL passthrough=no
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=accept chain=pre-hotspot dst-address-type=!local hotspot=auth
add action=masquerade chain=srcnat out-interface=vpnNakel
add action=accept chain=pre-hotspot dst-address-type=!local hotspot=auth
Damn, if that's it, in the old config I put a lot of repeated sentences or redundancies…
And I have an idea: how can I tell the router, maybe by MAC address, that a MAC address always goes out through the same WAN? (That is a curiosity I have.) Maybe if this doesn't work, I can fix it using a rule on the MAC address of the PC.
Well, thanks again for your time
Sob
January 4, 2017, 6:39pm
8
You had these rules to skip marking connections (and subsequently routing) for given destinations, i.e. to make them use default routing table:
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=Local
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=Local
You don’t need that anymore thanks to rule in “/ip route rule”.
I’m not sure what you mean.
Like this?
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Local \
new-connection-mark=WAN1_conn passthrough=yes src-mac-address=01:02:03:04:05:06
klap
January 4, 2017, 11:40pm
9
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Local new-connection-mark=WAN1_conn passthrough=yes src-mac-address=01:02:03:04:05:06
Yeah, THAT! If the Q balance doesn't work with that FTP, maybe that is an option!
Now I understand, I'll go apply it in the router and tell you what happens! Thanks to you!!!
klap
January 9, 2017, 5:04pm
10
Hello, I tried your config and it doesn't work, so I went back to my original config and did a little clean up:
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; PasoxMacAddCalvo
chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-mark=no-mark
in-interface=Local src-mac-address=00:25:22:DA:B9:80 log=no log-prefix=""
1 chain=input action=mark-connection new-connection-mark=WAN1_conn in-interface=WAN1
2 chain=input action=mark-connection new-connection-mark=WAN2_conn in-interface=WAN2
3 chain=output action=mark-routing new-routing-mark=to_WAN1 connection-mark=WAN1_conn
4 chain=output action=mark-routing new-routing-mark=to_WAN2 connection-mark=WAN2_conn
5 chain=prerouting action=accept dst-address=192.168.3.0/24 in-interface=Local
6 chain=prerouting action=accept dst-address=192.168.2.0/24 in-interface=Local
7 chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0
8 chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1
9 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 connection-mark=WAN1_conn in-interface=Local
10 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 connection-mark=WAN2_conn in-interface=Local
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN1
1 chain=srcnat action=masquerade out-interface=WAN2
2 chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth
[admin@MikroTik] /ip firewall nat>
Ok, I did the MAC address command to redirect traffic of that PC to WAN1, but I see that PC opens connections on WAN2. So maybe that isn't working fine:
0 ;;; PasoxMacAddCalvo
chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-mark=no-mark
in-interface=Local src-mac-address=00:25:22:DA:B9:80 log=no log-prefix=""
If I do this:
The app works fine, but if I enable WAN2 (and dual WAN balance starts working) the app doesn't work.
I have the same issue with a specific home banking web page
http://www.interbanking.com.ar/ – this website uses an application from IBM - https://www.trusteer.com/en/support/rapport-installation-links to secure the website interbanking.com.ar, and if I enable WAN2 it doesn't work. It says "session time out"; I think the web page detects the change of public IP address and for that reason kicks me out of the web page.
I add more screens:
I ENABLE the second WAN – WAN2 and:
and I have this error in the application:
Link of screenshot - I can't attach more than 3 files
http://prnt.sc/dtj22o
I searched on Google for 3 days and I didn't find anything that gives me a solution for this :S Can you help me?
Sob
January 10, 2017, 12:18am
11
Add connection-mark=no-mark to mangle rules 7 and 8. Because without it, they will happily overwrite the mark set by rule 0.
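The rule walk Sob describes in post 6 and the overwrite he points out here, as an added Python simulation (not RouterOS code and not either poster's config): rule 0 pins one MAC to WAN1_conn, rules 7/8 are the PCC split, rules 9/10 map the connection mark to a routing mark. The PCC hash, the 200 sample connections and the server address 203.0.113.10 are constructed stand-ins.

```python
"""Simulation of a RouterOS mangle prerouting chain (added example; not RouterOS
code and not either poster's config). Rule 0 pins one source MAC to WAN1_conn,
rules 7/8 split the rest with PCC, rules 9/10 turn the mark into a routing mark."""
import hashlib
from dataclasses import dataclass

@dataclass
class Conn:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    src_mac: str
    conn_mark: str = "no-mark"   # an unmarked connection matches connection-mark=no-mark
    routing_mark: str = ""

def pcc(conn, denominator):
    """Stand-in for per-connection-classifier=both-addresses-and-ports:D/R.
    RouterOS uses an internal hash; any deterministic per-connection hash
    reproduces the behaviour that matters here (assumption)."""
    key = f"{conn.src_ip}|{conn.dst_ip}|{conn.src_port}|{conn.dst_port}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % denominator

def matches(rule, conn):
    """Only the matchers the thread's rules use: src-mac, connection-mark, PCC."""
    if "src_mac" in rule and conn.src_mac != rule["src_mac"]:
        return False
    if "connection_mark" in rule and conn.conn_mark != rule["connection_mark"]:
        return False
    if "pcc" in rule and pcc(conn, rule["pcc"][0]) != rule["pcc"][1]:
        return False
    return True

def run_chain(rules, conn):
    """Walk the chain in order; a matching rule with passthrough=no stops it."""
    for rule in rules:
        if not matches(rule, conn):
            continue
        if rule["action"] == "mark-connection":
            conn.conn_mark = rule["new_mark"]
        elif rule["action"] == "mark-routing":
            conn.routing_mark = rule["new_mark"]
        if not rule.get("passthrough", True):   # every rule below is passthrough=yes
            break
    return conn.routing_mark

PINNED_MAC = "00:25:22:DA:B9:80"   # the PC the thread pins to WAN1

def prerouting(no_mark_on_pcc):
    """Build the chain; no_mark_on_pcc=True is the fix for rules 7 and 8."""
    guard = {"connection_mark": "no-mark"} if no_mark_on_pcc else {}
    mc, mr = "mark-connection", "mark-routing"
    return [
        {"action": mc, "new_mark": "WAN1_conn", "connection_mark": "no-mark",
         "src_mac": PINNED_MAC},                                           # rule 0
        {"action": mc, "new_mark": "WAN1_conn", "pcc": (2, 0), **guard},   # rule 7
        {"action": mc, "new_mark": "WAN2_conn", "pcc": (2, 1), **guard},   # rule 8
        {"action": mr, "new_mark": "to_WAN1", "connection_mark": "WAN1_conn"},  # 9
        {"action": mr, "new_mark": "to_WAN2", "connection_mark": "WAN2_conn"},  # 10
    ]

def egress_marks(src_ip, src_mac, no_mark_on_pcc, ports=range(50000, 50200)):
    """Set of routing marks given to 200 constructed connections from one LAN
    host to port 21 of 203.0.113.10 (a constructed stand-in for the FTP server)."""
    chain = prerouting(no_mark_on_pcc)
    return {run_chain(chain, Conn(src_ip, "203.0.113.10", p, 21, src_mac))
            for p in ports}
```

Calling egress_marks("192.168.1.252", PINNED_MAC, False) returns both marks, because rule 8 overwrites WAN1_conn for every connection whose PCC remainder is 1; with the no-mark guard it returns only to_WAN1, while an unpinned host is still split over both WANs.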
klap
January 10, 2017, 12:23am
12
That's it? Lol, ok, tomorrow I will test. Thanks
Sent from my HTC One M8 via Tapatalk
klap
January 11, 2017, 7:12pm
13
Yes, now everything works great - home banking - HTTPS - FTP - with 2 WANs balancing lines -
I put the final configuration here in case anyone has the same problem and needs the solution.
Thanks for the help!
Best regards
klap
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; PasoxMacAddCalvo
chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes connection-mark=no-mark
in-interface=Local src-mac-address=00:25:22:DA:B9:80 log=no log-prefix=""
1 chain=input action=mark-connection new-connection-mark=WAN1_conn in-interface=WAN1
2 chain=input action=mark-connection new-connection-mark=WAN2_conn in-interface=WAN2
3 chain=output action=mark-routing new-routing-mark=to_WAN1 connection-mark=WAN1_conn
4 chain=output action=mark-routing new-routing-mark=to_WAN2 connection-mark=WAN2_conn
5 chain=prerouting action=accept dst-address=192.168.3.0/24 in-interface=Local
6 chain=prerouting action=accept dst-address=192.168.2.0/24 in-interface=Local
7 add connection-mark=no-mark chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0
8 add connection-mark=no-mark chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1
9 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 connection-mark=WAN1_conn in-interface=Local
10 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 connection-mark=WAN2_conn in-interface=Local
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN1
1 chain=srcnat action=masquerade out-interface=WAN2
2 chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth
[admin@MikroTik] /ip firewall nat>