6 lines, 5 are load balancing - need the last one for HTTPS

Can anyone help me on this one? I have 6 lines and I have managed to set up load balancing on five of them, but my problem is the 6th line. I have to set it up for HTTPS, VoIP, and secure mail, but it doesn't want to work…


/ip firewall address-list
add address=10.2.0.0/24 comment="" disabled=no list=local
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=yes in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=yes in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
/ip firewall mangle
add action=add-src-to-address-list address-list=third address-list-timeout=\
    30s chain="mark new unseen" comment="" disabled=no nth=5,3
add action=add-src-to-address-list address-list=first address-list-timeout=\
    30s chain="mark new unseen" comment="" disabled=no nth=5,1
add action=add-src-to-address-list address-list=second address-list-timeout=\
    30s chain="mark new unseen" comment="" disabled=no nth=5,2
add action=add-src-to-address-list address-list=fourth address-list-timeout=\
    30s chain="mark new unseen" comment="" disabled=no nth=5,4
add action=add-src-to-address-list address-list=seen address-list-timeout=30s \
    chain="mark new unseen" comment="" disabled=no
add action=jump chain="mark new unseen" comment="" disabled=no jump-target=\
    "mark connection"
add action=mark-connection chain="mark connection" comment="" disabled=no \
    new-connection-mark=first_conn passthrough=yes src-address-list=first
add action=mark-connection chain="mark connection" comment="" disabled=no \
    new-connection-mark=second_conn passthrough=yes src-address-list=second
add action=mark-connection chain="mark connection" comment="" disabled=no \
    new-connection-mark=third_conn passthrough=yes src-address-list=third
add action=mark-connection chain="mark connection" comment="" disabled=no \
    new-connection-mark=fourth_conn passthrough=yes src-address-list=fourth
add action=mark-connection chain="mark connection" comment="" disabled=no \
    new-connection-mark=fifth_conn passthrough=yes src-address-list=fifth
add action=mark-routing chain="mark connection" comment="" connection-mark=\
    first_conn disabled=no new-routing-mark=first passthrough=no
add action=mark-routing chain="mark connection" comment="" connection-mark=\
    second_conn disabled=no new-routing-mark=second passthrough=no
add action=mark-routing chain="mark connection" comment="" connection-mark=\
    third_conn disabled=no new-routing-mark=third passthrough=no
add action=mark-routing chain="mark connection" comment="" connection-mark=\
    fourth_conn disabled=no new-routing-mark=fourth passthrough=no
add action=mark-routing chain="mark connection" comment="" connection-mark=\
    fifth_conn disabled=no new-routing-mark=fifth passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=\
    first_conn disabled=no new-routing-mark=first passthrough=no \
    src-address-list=first
add action=mark-routing chain=prerouting comment="" connection-mark=\
    second_conn disabled=no new-routing-mark=second passthrough=no \
    src-address-list=second
add action=mark-routing chain=prerouting comment="" connection-mark=\
    third_conn disabled=no new-routing-mark=third passthrough=no \
    src-address-list=third
add action=mark-routing chain=prerouting comment="" connection-mark=\
    fourth_conn disabled=no new-routing-mark=fourth passthrough=no \
    src-address-list=fourth
add action=mark-routing chain=prerouting comment="" connection-mark=\
    fifth_conn disabled=no new-routing-mark=fifth passthrough=no \
    src-address-list=fifth
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
    jump-target="mark connection" src-address-list=local
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
    jump-target="mark new unseen" src-address-list=local
add action=mark-routing chain=prerouting comment=\
    " Route HTTPS traffic to ECMP" disabled=yes dst-port=443,444 \
    new-routing-mark=ecmp-https-route passthrough=yes protocol=tcp
add action=jump chain=prerouting comment=Https connection-state=new disabled=\
    yes jump-target=tcp-services protocol=tcp src-port=443,444
add action=mark-connection chain=tcp-services comment=https disabled=yes \
    new-connection-mark=https passthrough=no protocol=tcp src-port=443,444
add action=mark-packet chain=prerouting comment=Https connection-mark=https \
    disabled=yes new-packet-mark=https passthrough=no
add action=mark-routing chain=prerouting comment=https disabled=yes \
    new-routing-mark=https packet-mark=https passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether1-gateway

and the routes

/ip route
add comment="Https Default Route" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=A scope=30 target-scope=10
add comment=Default disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    B scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    B routing-mark=first scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    C routing-mark=second scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    D routing-mark=fourth scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    E routing-mark=third scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    F routing-mark=fifth scope=30 target-scope=10
add comment="ECMP route for HTTP" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=A routing-mark=ecmp-https-route scope=30 \
    target-scope=10
add comment=https disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    A routing-mark=https scope=30 target-scope=10

Can anyone help me on this one?

Maybe because all your rules for https are disabled?

Also be careful of the order: from a first quick glance it appears you are selecting with the nth rule to 5 different gateways, then afterwards making a rule for https, but the packets are already selected by the nth rules, so they will not go out the gateway you wish, but one of the 5? Check the ordering of the rules and also when you use passthrough. I am not saying that you have it wrong, just suggesting you double-check your rule logic and the ordering.

I have taken off passthrough on my https connection and now all my traffic is going through my https connection. What must I do? I also don't understand the nth rule. Can you suggest a better way of doing this, and can you give me an example please?

Thanks

Maybe best if you read some more. Here is a good example to try to get an idea of how the nth rule works. It was changed in v3.x, so if you find examples on the internet be careful, it may be an example for 2.9x!

http://wiki.mikrotik.com/wiki/NTH_in_RouterOS_3.x

OK, thanks, I have looked at it. I understand how nth works, but I am confused about how to do it in the right order.
For example: to select the HTTPS packets first, route them to the right gateway, and then select all the other packets with nth.

If you can help me on this one I'll appreciate it.
Thanks

OK, try to see if this helps.
http://wiki.mikrotik.com/wiki/NTH_load_balancing_with_masquerade_(another_approach)

I can’t help you any further as my time will cost you money! :frowning:
Maybe someone who does not mind working out a full written out answer for your requirement can help you for free. But sorry, I can’t.
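
The rule ordering discussed in this thread, as an added example that is not part of any post above: classify HTTPS first, pin it to the dedicated line, and stop processing so the nth rules never see those packets. It assumes gateway `A` and the `local` address list from the posted export, that these rules are moved to the top of the prerouting chain (above the existing jump rules), and a connection mark name `https_conn` that is hypothetical.

```routeros
/ip firewall mangle
# 1. Classify new HTTPS connections from the LAN before any nth rule runs.
#    LAN clients connect TO port 443 on the remote server, so the match is
#    on dst-port; a src-port match only sees replies coming back.
#    passthrough=yes lets the packet continue to the routing-mark rule below.
#    https_conn is a hypothetical mark name; ports are the ones in the post.
add chain=prerouting action=mark-connection connection-state=new \
    src-address-list=local protocol=tcp dst-port=443,444 \
    new-connection-mark=https_conn passthrough=yes \
    comment="HTTPS: classify before nth"

# 2. Every LAN packet of a marked HTTPS connection gets the routing mark.
#    passthrough=no ends processing of this chain for the packet, so it
#    never reaches the "mark new unseen" / "mark connection" jumps.
add chain=prerouting action=mark-routing connection-mark=https_conn \
    src-address-list=local new-routing-mark=https passthrough=no \
    comment="HTTPS: route via dedicated line"

# 3. The existing nth rules stay below these two, unchanged. Traffic that
#    did not match rule 1 falls through to them and is spread over B..F.

/ip route
# Route for the routing mark set in rule 2; gateway A is the placeholder
# used in the posted export for the sixth line.
add dst-address=0.0.0.0/0 gateway=A routing-mark=https distance=1 \
    comment="HTTPS via dedicated line"
```

The posted NAT section masquerades only on `ether1-gateway`; traffic leaving through any other uplink interface needs its own srcnat rule.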