cannot route to other ips after enabling mangle

I used http://www.youtube.com/watch?v=Iad-Cb2gBnw to do a simple load balancing between the 2 ADSL lines and it's working great.

BUT got a problem. I can't ping/access the Radius server from MT2 or MT3 as long as I use Mangle for routing marks on MT1.

Using traceroute (from MT2 and MT3) to see where the routing is going to, as soon as I ping the Radius server, 192.168.1.222, the traffic goes out via one of the ADSL lines onto the Internet. What causes that? I thought that it would by default use eth4 to route to the Radius.

I can however, ping the eth4 which is the interface for the Radius network on MT1 from both MT2 and MT3.

Please note that the public IPs of the 2 ADSL lines and eth1,2 of MT1 have been modified for this post.
The problem must be on MT1.
Details as follows.
[ /ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; 1st Public IP on ADSL Router 1
address=49.49.49.50/28 network=49.etc broadcast=49. etc
interface=ether1 actual-interface=ether1

1 ;;; Link to Radius Server
address=192.168.1.254/24 network=192.168.1.0 broadcast=192.168.1.255
interface=ether4 actual-interface=ether4

2 ;;; Link to Wireless Network
address=172.17.1.1/30 network=172.17.1.0 broadcast=172.17.1.3
interface=ether3 actual-interface=ether3

3 ;;; 1st Public IP on ADSL Router 2
address=51.51.51.52/28 network=51.etc
broadcast=51. etc
interface=ether2 actual-interface=ether2

4 address=192.168.10.1/24 network=192.168.10.0 broadcast=192.168.10.255
interface=ether4 actual-interface=ether4

[ /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE MTU L2MTU

0 R ;;; Link to ADSL Router 1
ether1 ether 1500 1524
1 R ;;; Link to ADSL Router 2
ether2 ether 1500 1524
2 R ;;; Link to Wireless Network
ether3 ether 1500 1524
3 R ;;; Link to Radius Server
ether4 ether 1500 1524

[ /ip firewall> export
# jan/03/1970 16:17:06 by RouterOS 4.11
# software id = A6YG-5A3U
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-connection chain=prerouting comment="" disabled=no
in-interface=ether3 new-connection-mark=list_1 passthrough=yes
add action=mark-routing chain=prerouting comment="" disabled=no in-interface=
ether3 new-routing-mark=list_1 passthrough=yes src-address-list=list_1
add action=mark-connection chain=prerouting comment="" disabled=no
in-interface=ether3 new-connection-mark=list_2 passthrough=yes
add action=mark-routing chain=prerouting comment="" disabled=no in-interface=
ether3 new-routing-mark=list_2 passthrough=yes src-address-list=list_2
add action=mark-connection chain=prerouting comment="" connection-state=new
disabled=no in-interface=ether3 new-connection-mark=list_1 nth=4,1
passthrough=yes
add action=add-src-to-address-list address-list=list_1 address-list-timeout=
1d chain=prerouting comment="" connection-mark=list_1 disabled=no
in-interface=ether3
add action=mark-routing chain=prerouting comment="" connection-mark=list_1
disabled=no in-interface=ether3 new-routing-mark=list_1 passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-state=new
disabled=no in-interface=ether3 new-connection-mark=list_2 nth=4,2
passthrough=yes
add action=add-src-to-address-list address-list=list_2 address-list-timeout=
1d chain=prerouting comment="" connection-mark=list_2 disabled=no
in-interface=ether3
add action=mark-routing chain=prerouting comment="" connection-mark=list_2
disabled=no in-interface=ether3 new-routing-mark=list_2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Load balancing Router1" disabled=no
out-interface=ether1
add action=masquerade chain=srcnat comment="Load balancing Router2" disabled=no
out-interface=ether2
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=8080
protocol=tcp to-addresses=192.168.1.222 to-ports=80
add action=masquerade chain=srcnat comment="" disabled=yes
add action=dst-nat chain=dstnat comment="Remote Radius" disabled=no
dst-address=41.134.31.59 protocol=tcp to-addresses=192.168.1.222
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

no bridges or anything.

Is there not ANYONE to help?

dd

For anyone interested, this is the reply that I got from MikroTik:

Hello,

You cannot reach RADIUS server because in mangle you are marking all the traffic
and forcing it through specific routing table which has only a default route. You
have to add exceptions in your mangle rules not to mark traffic with
dst-address=192.168.1.0/24

Regards,
Maris
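The exception MikroTik describes, written out for MT1's posted interface names and addresses as an added example (not part of the thread or of any MikroTik document). It also covers the second ether4 subnet, 192.168.10.0/24, which the same marking would otherwise pull into the ADSL routing tables; the rule positions (place-before=0/1) assume the mangle list is as exported above.

```routeros
# Goal: packets from ether3 bound for directly connected LANs on ether4 must
# never get a routing mark, so they stay in the main table where the connected
# route for 192.168.1.0/24 (ether4) is. In mangle, action=accept stops further
# rule processing for that packet in the chain, so it must sit ABOVE every
# mark-connection / mark-routing rule.
/ip firewall mangle
add chain=prerouting in-interface=ether3 dst-address=192.168.1.0/24 \
    action=accept comment="Do not mark traffic to Radius LAN" place-before=0
add chain=prerouting in-interface=ether3 dst-address=192.168.10.0/24 \
    action=accept comment="Do not mark traffic to 2nd ether4 subnet" place-before=1

# Equivalent per-rule form: negate the destination on each mark-routing rule
# instead of adding accept rules, e.g. for the list_1 connection-mark rule:
#   add action=mark-routing chain=prerouting in-interface=ether3 \
#       connection-mark=list_1 new-routing-mark=list_1 passthrough=yes \
#       dst-address=!192.168.1.0/24

# Check on MT1: the marked tables only hold a default route, which is why a
# marked packet for 192.168.1.222 left via an ADSL line.
/ip route print where routing-mark=list_1
/ip route print where routing-mark=list_2
# Check from MT2/MT3: traceroute to 192.168.1.222 should no longer show an
# ADSL hop after MT1.
```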

thanks guys