FTP protocol routing

nabeel · March 24, 2016, 8:57pm

Hello Guys,
First of all I am sorry if I posted this question in the wrong place as I don’t know where exactly to post it.

I have routerboard 951Ui-2HnD and I am using it to merge two internet lines wan1 and wan2 and it’s working fine but I am facing a problem when I am trying to connect to any FTP server or cPanel ( i am a web developer ) because of the 2 ips it’s forces me to logout every 15 seconds as security measure.

I need to force any FTP ( port 21 ) connection to be using a single wan ( let’s say wan1 ) and some wild card websites to do the same. for example I want any SSL ( port 443 ) connection to *.siteground.com use single wan also.

I hope I explained the problem correctly as I searched for days and I can’t find anything … and I assume I am searching wrong.

Thanks for your time guys.
Regards,
Nabeel

Sob · March 24, 2016, 10:42pm

Sharing current config would probably help. It’s hard to suggest any solution if we don’t know what exactly you have there now.

Van9018 · March 25, 2016, 4:05am

I think Per-Connection-Classifier (PCC) is what you need. It’ll try to track connections (from same src-addr and dest-addr) and route them over the same wan.

http://wiki.mikrotik.com/wiki/Manual:PCC
http://mum.mikrotik.com/presentations/US12/steve.pdf

nabeel · March 26, 2016, 2:12pm

I am new to MikroTik, how can I share the settings with you ?

nabeel · March 26, 2016, 2:49pm

Thanks Van for the info but I can’t figure out how to implement it … can you help me out ?

Sob · March 26, 2016, 5:29pm

To export config, run “/export hide-sensitive” in terminal and it will be printed out. Or “/export hide-sensitive file=myconfig” and it will be saved in file myconfig.rsc, accessible under Files. Additionally, if you don’t want to share your addresses with the whole world, you can censor them. But be careful to not overdo it (config with xxx.xxx.xxx.xxx everywhere does not tell much).

nabeel · March 26, 2016, 5:43pm

Here is the config

# mar/26/2016 19:40:36 by RouterOS 6.34.1
# software id = V8ZQ-FY5G
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether3 ] name=3
set [ find default-name=ether4 ] name=4
set [ find default-name=ether5 ] name=5
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n mode=ap-bridge
/ip hotspot profile
add dns-name=teamyea.data hotspot-address=5.5.5.1 login-by=\
    mac,cookie,http-chap name=hsprof1
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=30s
add name=2024k rate-limit=512k/2048k
add name=4069k rate-limit=512k/4096k
add name=512k rate-limit=128k/512k
add advertise=yes advertise-interval=20s advertise-timeout=immediately \
    advertise-url=http://mikel.com/netcut.html name=end rate-limit=64k/64k \
    transparent-proxy=yes
add name=10069k rate-limit=1024k/10096k
add name=6796k rate-limit=412k/6796k
add name=256k rate-limit=128k/256k
/ip pool
add name=dhcp_pool1 ranges=5.5.5.2-5.5.5.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/ip hotspot
add address-pool=dhcp_pool1 interface=bridge1 name=hotspot1 profile=hsprof1
/interface bridge port
add bridge=bridge1 interface=4
add bridge=bridge1 interface=3
add bridge=bridge1 interface=5
add bridge=bridge1 interface=wlan1
/ip address
add address=5.5.5.1/24 interface=bridge1 network=5.5.5.0
add address=192.168.1.33/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.33/24 interface=WAN2 network=192.168.2.0
/ip dhcp-server network
add address=5.5.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=5.5.5.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
/ip firewall mangle
add chain=prerouting in-interface=WAN1
add chain=prerouting in-interface=WAN2
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=5.5.5.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=5.5.5.0/24
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=to_wan1 src-address=5.5.5.0/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=to_wan2 src-address=5.5.5.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=WAN1 src-address=5.5.5.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=5.5.5.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=5.5.5.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=5.5.5.0/24
/ip hotspot user
add mac-address=A0:B3:CC:50:55:A4 name=nabeel
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
/system clock
set time-zone-name=Africa/Cairo
/system leds
set 5 interface=wlan1
/system package update
set channel=release-candidate

Sob · March 27, 2016, 12:08am

You should be able to force connections to selected addresses to go through only one WAN, if you add new mangle rule above current connection marking rules and add connection-mark=no-mark to those:

/ip firewall address-list
add address=8.8.8.8 list=wan1_dst_ip
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=wan1_dst_ip in-interface=bridge1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local \
    new-connection-mark=wan1_conn per-connection-classifier=both-addresses-and-ports:2/0 src-address=5.5.5.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local \
    new-connection-mark=wan2_conn per-connection-classifier=both-addresses-and-ports:2/1 src-address=5.5.5.0/24

Unfortunately, it’s not a magic solution for all your problems.

Ftp with its multi-connection model is tricky. From my limited local testing, it looks like data connections (identified as related) inherit connection mark from control connection. That’s the good part. The bad is that related connections can only be identified for ftp on standard port 21 (unless you add another in /ip firewall service-port; but you can’t add all). Even worse, connection must be unencrypted. If you use encryption (which is very good idea), data connections can’t be identified as related. You could probably watch for connections to port 21, add destination address to temporary list and then route all other connections to this address using same WAN. But if the same address runs another service (e.g. http), it would catch all those connections too.

Matching based on hostnames is another tricky part. Firewall itself can’t do it. It could be done for specific hostnames, if you resolved them using script and added results in address list, and then used this list as shown at beginning of this post. I don’t see this solution as very elegant one, but it would work. But I don’t think there’s a way how to do it for *.domain.tld.