ECMP Load Balancing port forwarding

Hi all,
I configured for my company a new CC1036-12G-4S (6.41.4) with 2 WAN on eth1 and eth2
I followed this guide:
https://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade
and it works correctly.
I have problems though when I have to reach an internal IP (10.10.10.10).

1) public_ip1:2000 >> 10.10.10.10:2000
2) public_ip2:2000 >> 10.10.10.10:2000

I can reach only 1 rule at once and not both. This happens in a random way, probably every 10/15 minutes.
I use Google DNS.
Could you help me, kindly?
Regards

ECMP only works on outgoing traffic.

Are you accessing the public interface via IP or FQDN? If the latter, maybe the DNS server where you are hosting your FQDN is doing round robin?

I use public IP access not FQDN

OK, then you might need to add some mangle rules in order to allow packets to go out the same gateway they entered. Just do a search, there is info on Google and this forum for that.

Thanks,
I did a long without success. At the moment I have this configuration:

Flags: X - disabled, I - invalid, D - dynamic

 2   chain=input action=mark-connection new-connection-mark=wlan1_conn
     passthrough=yes in-interface=ether1 log=no log-prefix=""

 3   chain=input action=mark-connection new-connection-mark=wlan2_conn
     passthrough=yes in-interface=ether2 log=no log-prefix=""

 4   chain=output action=mark-routing new-routing-mark=to_wlan1 passthrough=no
     connection-mark=wlan1_conn log=no log-prefix=""

 5   chain=output action=mark-routing new-routing-mark=to_wlan2 passthrough=no
     connection-mark=wlan2_conn log=no log-prefix=""

any help?
please

http://bfy.tw/HvDx

So you want users to be able to access the same server from two different public IPs, WAN1 and WAN2.

Off the top of my head you need two dstnat rules to ensure the incoming unsolicited traffic goes to the server.
I would also make corresponding srcnat rules to ensure traffic goes out the same WANIP.
I initially thought this was not necessary as I thought the Router would keep track of incoming connections and ensure they got routed out properly but I am just a newbie LOL.

By the way, I am going to assume you limit by IP address who can access your server (otherwise it would be not as secure as possible).
Simply remove source addresses lists if not required.

/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN1 to-addresses=WAN1_IPaddress comment="SRC_NAT for Traffic Going Out WAN1"
add action=src-nat chain=srcnat out-interface=WAN2 to-addresses=WAN2_IPaddress comment="SRC_NAT for Traffic Going Out WAN2"

(Don't be alarmed, the To Address becomes available when you select the src-nat action. It does not mean where the outgoing traffic is going on the internet; it is used to identify which public IP will get substituted for the private IP of your users, in this case the server.)

add action=dst-nat chain=dstnat comment=Server_Via_Wan1 dst-port=2000 in-interface=WAN1 log=yes protocol=tcp src-address-list=YourDefinedList to-addresses=10.10.10.10

add action=dst-nat chain=dstnat comment=Server_Via_Wan2 dst-port=2000 in-interface=WAN2 log=yes protocol=tcp src-address-list=YourDefinedList to-addresses=10.10.10.10


(Similarly, the To Address becomes available when selecting dst-nat for action. In this case it is your server.
What I would like to know is what is the difference between the To Address here and the destination address in the General area selection?)

I already used the rule to solve the problem but without any results.
The configuration is attached.

Thanks
route.txt (1.37 KB)
mangle.txt (670 Bytes)
nat.txt (620 Bytes)

MikroTik Support suggested that I use the additional rule (in the mangle section) based on chain=prerouting. Probably to mark incoming connections.
Do you think that’s the problem?
Thanks

You already mark connections, but only traffic to router (chain=input). If you do it in chain=prerouting, and add route marking in chain=forward for traffic from LAN and previously marked connections, it should work.

OK!
What rules should be added?
Many thanks

Read this and this, it is all there, simplified to the bone.
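
One way to write the prerouting approach suggested in this thread for RouterOS v6, as an added example that is not taken from any poster's configuration. It reuses the thread's interface names and marks (ether1, ether2, wlan1_conn, to_wlan1); the LAN interface name ether3 and the gateway addresses 192.0.2.1 and 198.51.100.1 are placeholders to replace with your own.

```routeros
# Added example, not from the thread. ether3 (LAN side) and both gateway
# addresses are assumed placeholders.

/ip firewall mangle
# 1. Remember which WAN a connection arrived on. prerouting sees both
#    traffic to the router and traffic that will be dst-nat'ed to 10.10.10.10
#    (chain=input only sees traffic addressed to the router itself).
add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wlan2_conn passthrough=yes

# 2. Replies from the server enter on the LAN interface. Set the routing
#    mark here, because prerouting runs before the routing decision.
add chain=prerouting in-interface=ether3 connection-mark=wlan1_conn \
    action=mark-routing new-routing-mark=to_wlan1 passthrough=no
add chain=prerouting in-interface=ether3 connection-mark=wlan2_conn \
    action=mark-routing new-routing-mark=to_wlan2 passthrough=no

# 3. Replies generated by the router itself (ping, WinBox, VPN endpoints).
add chain=output connection-mark=wlan1_conn \
    action=mark-routing new-routing-mark=to_wlan1 passthrough=no
add chain=output connection-mark=wlan2_conn \
    action=mark-routing new-routing-mark=to_wlan2 passthrough=no

/ip route
# 4. One default route per routing mark, each with a single gateway, so
#    marked traffic never falls into the unmarked ECMP default route.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_wlan2
```

After applying, `/ip firewall connection print detail` shows the connection-mark on each forwarded session, which confirms that a session opened through public_ip1 carries wlan1_conn for its whole lifetime.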

After migrating to PCC load balancing, port forwarding from outside works correctly.

I have the same problem. PCC does not work with some bank pages, how do you solve it?
Thank you!!!