Dual wan PCC load balancing

RouterOS General
1

jan/10/2018 21:58:18 by RouterOS 6.36.1

software id = 9U8J-EMVS

/interface ethernet
set [ find default-name=ether1 ] name=1-TTK
set [ find default-name=ether2 ] name=2-DOM-RU
set [ find default-name=ether3 ] name=3-LAN
set [ find default-name=ether4 ] name=4-DEV-LAN
/ip neighbor discovery
set "1-TTK" discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip address
add address=109.195.238.177/24 comment=defconf interface=2-DOM-RU network=
109.195.238.0
add address=178.76.252.194/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.195/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.196/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.198/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.197/29 interface=1-TTK network=178.76.252.192
add address=192.168.0.1/24 interface=3-LAN network=192.168.0.0
add address=192.168.2.1/24 interface=4-DEV-LAN network=192.168.2.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related"
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN"
in-interface=1-TTK
add action=drop chain=input comment="defconf: drop all from WAN"
in-interface=2-DOM-RU
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related"
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new disabled=yes in-interface=1-TTK
/ip firewall mangle
add action=accept chain=prerouting dst-address=178.76.252.192/29
in-interface=3-LAN
add action=accept chain=prerouting dst-address=109.195.238.0/24 in-interface=
3-LAN
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=1-TTK new-connection-mark=1-TTK_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=2-DOM-RU new-connection-mark=2-DOM-RU_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=3-LAN new-connection-mark=1-TTK_conn
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark
dst-address-type=!local in-interface=3-LAN new-connection-mark=
2-DOM-RU_conn passthrough=yes per-connection-classifier=
both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=
yes dst-address-type=!local in-interface=3-LAN new-connection-mark=
2-DOM-RU_conn passthrough=yes per-connection-classifier=
both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=1-TTK_conn disabled=
yes in-interface=3-LAN new-routing-mark=to_1-TTK passthrough=yes
add action=mark-routing chain=prerouting connection-mark=2-DOM-RU_conn
disabled=yes in-interface=3-LAN new-routing-mark=to_2-DOM-RU passthrough=
yes
add action=mark-routing chain=output connection-mark=1-TTK_conn log-prefix=
TTK new-routing-mark=to_1-TTK passthrough=yes
add action=mark-routing chain=output connection-mark=2-DOM-RU_conn
log-prefix=DOMRU new-routing-mark=to_2-DOM-RU passthrough=yes
/ip firewall nat
add action=netmap chain=dstnat comment=sip.generalcomp.ru dst-address=
178.76.252.198 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=
192.168.0.90 to-ports=443
add action=netmap chain=dstnat comment=sip.generalcomp.ru dst-address=
178.76.252.198 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=
192.168.0.90 to-ports=443
add action=netmap chain=dstnat comment=conf.generalcomp.ru dst-address=
178.76.252.197 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=
192.168.0.91 to-ports=443
add action=netmap chain=dstnat comment=conf.generalcomp.ru dst-address=
178.76.252.197 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=
192.168.0.91 to-ports=443
add action=netmap chain=dstnat comment=av.generalcomp.ru dst-address=
178.76.252.196 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=
192.168.0.92 to-ports=443
add action=netmap chain=dstnat comment=av.generalcomp.ru dst-address=
178.76.252.196 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=
192.168.0.92 to-ports=443
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=
178.76.252.195 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=
192.168.0.19 to-ports=4443
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=
178.76.252.195 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=
192.168.0.19 to-ports=4443
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=
178.76.252.195 dst-port=80 in-interface=1-TTK protocol=tcp to-addresses=
192.168.0.19 to-ports=8080
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=
178.76.252.195 dst-port=80 in-interface=1-TTK protocol=udp to-addresses=
192.168.0.19 to-ports=8080
add action=netmap chain=dstnat comment="EDGE SIP 5061" dst-address=
178.76.252.198 dst-port=5061 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.90 to-ports=5061
add action=netmap chain=dstnat comment="EDGE AV 50000-59999" dst-address=
178.76.252.196 dst-port=50000-59999 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.92 to-ports=50000-59999
add action=netmap chain=dstnat comment="EDGE AV 50000-59999" dst-address=
178.76.252.196 dst-port=50000-59999 in-interface=1-TTK protocol=udp
to-addresses=192.168.0.92 to-ports=50000-59999
add action=netmap chain=dstnat comment="EDGE STUN" dst-address=178.76.252.196
dst-port=3478 in-interface=1-TTK protocol=tcp to-addresses=192.168.0.92
to-ports=3478
add action=netmap chain=dstnat comment="RDP Belyaeva Alla" dst-address=
178.76.252.194 dst-port=40045 in-interface=1-TTK log=yes log-prefix=
"rdp test" protocol=tcp to-addresses=192.168.0.45 to-ports=3389
add action=netmap chain=dstnat comment="RDP Belyaeva Alla" dst-address=
109.195.238.177 dst-port=40045 in-interface=2-DOM-RU protocol=tcp
to-addresses=192.168.0.45 to-ports=3389
add action=netmap chain=dstnat comment="RDP Alex Dol" dst-address=
178.76.252.194 dst-port=4078 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.78 to-ports=3389
add action=netmap chain=dstnat comment="RDP Aefrem" dst-address=
178.76.252.194 dst-port=40241 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.241 to-ports=3389
add action=netmap chain=dstnat comment="RDP Senchenko Marina" dst-address=
178.76.252.194 dst-port=4080 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.80 to-ports=3389
add action=netmap chain=dstnat comment="RDP Zachitaylov Sergei" dst-address=
178.76.252.194 dst-port=4064 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.64 to-ports=3389
add action=netmap chain=dstnat comment="RDP Chernykh Dmitriy" dst-address=
178.76.252.194 dst-port=40120 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.120 to-ports=3389
add action=netmap chain=dstnat comment="RDP Chernykh Dmitriy" dst-address=
109.195.238.177 dst-port=40120 in-interface=2-DOM-RU protocol=tcp
to-addresses=192.168.0.120 to-ports=3389
add action=netmap chain=dstnat comment="RDP Sergei Pleshakov" dst-address=
178.76.252.194 dst-port=4063 in-interface=1-TTK protocol=tcp
to-addresses=192.168.0.63 to-ports=3389
add action=dst-nat chain=dstnat comment=
"NAT 1:1 192.168.0.19 na 178.76.252.195" dst-address=178.76.252.195
to-addresses=192.168.0.19
add action=src-nat chain=srcnat comment=
"NAT 1:1 192.168.0.19 na 178.76.252.195" src-address=192.168.0.19
to-addresses=178.76.252.195
add action=dst-nat chain=dstnat comment=
"NAT 1:1 192.168.0.92 na 178.76.252.196" dst-address=178.76.252.196
to-addresses=192.168.0.92
add action=src-nat chain=srcnat comment=
"NAT 1:1 192.168.0.92 na 178.76.252.196" src-address=192.168.0.92
to-addresses=178.76.252.196
add action=dst-nat chain=dstnat comment=
"NAT 1:1 192.168.0.91 na 178.76.252.197" dst-address=178.76.252.197
to-addresses=192.168.0.91
add action=src-nat chain=srcnat comment=
"NAT 1:1 192.168.0.92 na 178.76.252.196" src-address=192.168.0.91
to-addresses=178.76.252.197
add action=dst-nat chain=dstnat comment=
"NAT 1:1 192.168.0.90 na 178.76.252.198" dst-address=178.76.252.198
to-addresses=192.168.0.90
add action=src-nat chain=srcnat comment=
"NAT 1:1 192.168.0.90 na 178.76.252.198" src-address=192.168.0.90
to-addresses=178.76.252.198
add action=masquerade chain=srcnat comment=MASQUERAD out-interface=1-TTK
add action=masquerade chain=srcnat out-interface=2-DOM-RU
/ip route
add check-gateway=arp distance=1 gateway=178.76.252.193 routing-mark=to_1-TTK
add check-gateway=arp distance=1 gateway=109.195.238.254 routing-mark=
to_2-DOM-RU
add check-gateway=arp distance=2 gateway=109.195.238.254
add check-gateway=arp disabled=yes distance=1 gateway=178.76.252.193
add check-gateway=arp disabled=yes distance=1 gateway=
178.76.252.193,109.195.238.254
/ip route rule
add src-address=178.76.252.192/29 table=to_1-TTK
add src-address=109.195.238.0/24 table=to_2-DOM-RU
add dst-address=192.168.0.0/24 table=main
add dst-address=192.168.2.0/24 table=main
add dst-address=0.0.0.0/0 table=main
add routing-mark=to_1-TTK table=to_1-TTK
add routing-mark=to_2-DOM-RU table=to_2-DOM-RU
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled
So i have this config, loadbalancing seems working, but port-forward don't work. what am i doing wrong?

2

Without digging into your configuration, I can say that the most likely cause is that your mangle tables aren’t creating connection tracking entries for route marks on new connections originating on the various WAN interfaces. That’s the most common mistake I’ve seen in posts with your problem.

3

It’s funny, but i found that connection in /ip firewall connections using filter, and it is surely marked correctly, microtik gets syn packet, sends response, and that’s all.

4

ok - it looks like your NAT rules are to blame. You’re using netmap which is a stateless nat action - that means you must use TWO rules to accomplish each mapping.

I see why you thought to use this, as it’s apparent that you have a 1:1 relationship between a specific public IP address and private IP address, yet you’re doing all of these mappings at the protocol/port level. I recommend against this methodology. If you want to dedicate an IP to a 1:1 mapping, then you should just map it at layer 3 (the entire IP address, not just certain ports) and then limit access to the host by using filter rules. This ends up being cleaner, easier to understand, uses each section of the firewall for its intended purpose, and takes less CPU.

So let’s take the host that is 178.76.252.198 → 192.168.0.90
You have the following rules:
add action=netmap chain=dstnat dst-address=178.76.252.198 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=192.168.0.90 to-ports=443
add action=netmap chain=dstnat dst-address=178.76.252.198 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=192.168.0.90 to-ports=443
add action=netmap chain=dstnat dst-address=178.76.252.198 dst-port=5061 in-interface=1-TTK protocol=tcp to-addresses=192.168.0.90 to-ports=5061
add action=dst-nat chain=dstnat dst-address=178.76.252.198 to-addresses=192.168.0.90

I’d say the best thing for this host would be to just remove the netmap rules. There is no “return-path” mapping to undo the stateless nat, so anything getting translated by these rules will not be properly “un-natted” on the return path. The final rule here actually does exactly what I’m recommending (map the whole IP and use the filter table to limit what actually gets forwarded).

Finally, your route rules seem to be a bit confusing to me:
/ip route rule
add src-address=178.76.252.192/29 table=to_1-TTK
add src-address=109.195.238.0/24 table=to_2-DOM-RU
add dst-address=192.168.0.0/24 table=main
add dst-address=192.168.2.0/24 table=main
add dst-address=0.0.0.0/0 table=main
add routing-mark=to_1-TTK table=to_1-TTK
add routing-mark=to_2-DOM-RU table=to_2-DOM-RU

All of the underlined rules don’t seem to make sense to me, especially the 0.0.0.0/0 rule (unless you’re temporarily using this to disable load balancing for troubleshooting purposes)

5

It all seems to me like banging a wall with my forehead. Can you please tell me what exactly should i do to make this piece of ghm… hardware work?