Help Chateau LTE12 how to dual wan lte

comsorg · January 29, 2022, 11:43am

I found a solution for RS6 with DualWAN settings on 2 cellular modems.

ip firewall mangle add action=mark-connection chain=input in-interface=lte1 new-connection-mark=con_LTE1
ip firewall mangle add action=mark-connection chain=input in-interface=lte2 new-connection-mark=con_LTE2

ip firewall mangle add action=mark-routing chain=output connection-mark=con_LTE1 new-routing-mark=LTE1_rout
ip firewall mangle add action=mark-routing chain=output connection-mark=con_LTE2 new-routing-mark=LTE2_rout

ip route add distance=1 gateway=lte1 routing-mark=LTE1_rout
ip route add distance=1 gateway=lte2 routing-mark=LTE2_rout

# PPC (Per Connection Classifier)
/ip firewall mangle add src-address=192.168.10.0/24 action=mark-routing chain=prerouting new-routing-mark=lan-to-LTE1 per-connection-classifier=src-address-and-port:2/0
/ip firewall mangle add src-address=192.168.10.0/24 action=mark-routing chain=prerouting new-routing-mark=lan-to-LTE2 per-connection-classifier=src-address-and-port:2/1

/ip route add distance=1 gateway=lte1 routing-mark=lan-to-LTE1
/ip route add distance=1 gateway=lte2 routing-mark=lan-to-LTE2

But unfortunately it doesn’t work for me, I have version 7.0.4 and on input

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=con_LTE1 new-routing-mark=LTE1_rout

I receive a message :

input does not match any value of new-routing-mark

marking the router didn’t help me

/routing/table/add name=to_lte1 fib
/routing/table/add name=to_lte2 fib

I’m no expert in this. But I was struggling to find one simple guide, I believe there’s more like me who are also looking for something like this.

P.S. While studying the forum I came across a link https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+Routing+Examples
Use of Routing Tables and Policy Routing for ROSv7

/routing table add name=myTable fib
/routing rule add dst-address=8.8.8.8 action=lookup-only-in-table table=myTable
/ip route add dst-address=8.8.8.8 gateway=172.16.1.1@main routing-table=myTable

But I don’t know how to implement it for myself.

Sob · January 30, 2022, 7:58pm

Names must of course match. If you want to have rules with routing mark/table “LTE1_rout”, creating routing table named “to_lte1” won’t help you.

You also don’t need that many routing tables, two is enough, you can change:

LTE1_rout, lan-to-LTE1 => LTE1
LTE2_rout, lan-to-LTE2 => LTE2

Some more info: https://wiki.mikrotik.com/wiki/Manual:PCC

comsorg · January 31, 2022, 9:18am

Thank you so much for the answer!
After changing the label

/routing/table/add name=LTE1_rout fib

the

ip firewall mangle add action=mark-routing chain=output connection-mark=con_LTE1 new-routing-mark=LTE1_rout

command passed.
But now a new problem has emerged

ip route add distance=1 gateway=lte1 routing-mark=LTE1_rout
expected end of command (line 1 column 38)

What am I doing wrong?

sindy · January 31, 2022, 11:13am

They have also changed the name of the parameter of the route in 7.x, now you have to use routing-table rather than routing-mark.

comsorg · January 31, 2022, 12:41pm

sindy, thanks a lot!
Now it turned out to assemble DualWAN lte, with these settings

ip firewall mangle add action=mark-connection chain=input in-interface=lte1 new-connection-mark=con_LTE1
ip firewall mangle add action=mark-connection chain=input in-interface=lte2 new-connection-mark=con_LTE2

/routing/table/add name=LTE1_rout fib       
/routing/table/add name=LTE2_rout fib

ip firewall mangle add action=mark-routing chain=output connection-mark=con_LTE1 new-routing-mark=LTE1_rout
ip firewall mangle add action=mark-routing chain=output connection-mark=con_LTE2 new-routing-mark=LTE2_rout

ip route add distance=1 gateway=lte1 routing-table=LTE1_rout
ip route add distance=1 gateway=lte2 routing-table=LTE2_rout

# PPC (Per Connection Classifier)
/ip firewall mangle add src-address=192.168.10.0/24 action=mark-routing chain=prerouting new-routing-mark=LTE1 per-connection-classifier=src-address-and-port:2/0
/ip firewall mangle add src-address=192.168.10.0/24 action=mark-routing chain=prerouting new-routing-mark=LTE2 per-connection-classifier=src-address-and-port:2/1

/ip route add distance=1 gateway=lte1 routing-table=LTE1
/ip route add distance=1 gateway=lte2 routing-table=LTE2

Now two lte interfaces are enabled and traffic is visible on the charts. But somehow it works strangely, the sites load with a delay and restart at the beginning. I can’t check the speed on the site yet https://www.speedtest.net/

LATENCY TEST ERROR
Could not connect to the test server. A firewall could be blocking the connection or the server might be having some issues. Please try again later.

sindy · January 31, 2022, 12:46pm

Have you disabled the action=fasttrack-connection rule in /ip/firewall/filter?

comsorg · January 31, 2022, 1:31pm

sindy, I didn’t find such a rule in /ip/firewall/filter

sindy · January 31, 2022, 1:37pm

Post the complete export. The excerpt you’ve shown above is weird (routes are added twice, with different table names (LTEx vs-LTEx_rout), but /routing/table/add is only shown for the “long” names), so maybe there are some extra rules that interfere with those you’ve shown.

comsorg · January 31, 2022, 2:34pm

sindy, thank you again for your cooperation!
I wanted to upload the configuration export file, but I don’t know how to attach it.
How post the complete export?

sindy · January 31, 2022, 2:39pm

When you edit a post, there are two tabs below the editing window - Options and Attachments. Choose Attachments and press [Add files].

If that does not work (it may require a higher rank on the forum), open the exported configuration in a text editor, select all, Ctrl-C, press the [</>] button above the edit field here, and press Ctrl-V.

comsorg · January 31, 2022, 3:05pm

sindy, thanks, I figured it out!
DualWAN_lte.rar (9.06 KB)

sindy · January 31, 2022, 3:10pm

This is not an (text) export, this is a (binary) backup. See my automatic signature below for a hint.

comsorg · January 31, 2022, 3:18pm

Live forever, learn forever.
backup.rsc (3.09 KB)

sindy · January 31, 2022, 3:52pm

Apart from the routes being added twice into the additional routing tables (which is not harmful, just useless), and apart from the mangle rules in chains input and output, which only make sense if the SIM cards provide you with public IPs and thus the Chateau is accessible from the internet, I cannot see anything strange in the load distribution part.

However, only connections via lte1 get src-nated, because your action=src-nat rule matches on out-interface-list=WAN, but currently only lte1 is a member of that list. So /interface list member add list=WAN interface=lte2 should help. What probably happens is that connections directed to lte2 by the per-connection-classifier mangle rules fail due to missing NAT (either the ISP drops the request packets or at least the responses get misrouted in the local environment of the server) and the retry connections come from another port and eventually get sent via lte1.

The /ip dhcp-server network row with address=0.0.0.0/24 is useless too.

comsorg · January 31, 2022, 4:20pm

I read it and decided to reset all the settings and reinstall everything again.
As I understand it, my SIM cards provide me with internal (gray) IP addresses and I do not need to prescribe the rules of the mangle in the input and output chains, that is, the commands

ip firewall mangle add action=mark-connection chain=input in-interface=lte1 new-connection-mark=con_LTE1
ip firewall mangle add action=mark-connection chain=input in-interface=lte2 new-connection-mark=con_LTE2

ip firewall mangle add action=mark-routing chain=output connection-mark=con_LTE1 new-routing-mark=LTE1_rout
ip firewall mangle add action=mark-routing chain=output connection-mark=con_LTE2 new-routing-mark=LTE2_rout

it is not necessary to enter.

But to connect via lte2, you need to add

/interface list member add list=WAN interface=lte2

comsorg · February 8, 2022, 10:10am

sindy
I apologize for the long answer, I tried to figure it out myself. But I haven’t found a solution yet.
That’s the problem
If you use only lte1, then ping passes to google.com .
If lte2, then ping does not pass until google.com
When the lte1 and lte2 are both active, ping does not pass.
There must be some way to configure dns, but I can’t manually make changes through winbox - these fields are not active.

sindy · February 8, 2022, 7:41pm

Post the current export, after all the changes you’ve made since the last post.

Are you pinging 8.8.8.8 from the router or from a PC connected to it?

comsorg · February 9, 2022, 1:32pm

The configuration file contains only the changes I made last time. If I try to add something and it doesn’t work, I roll back.
Pinging google.com from the router

lte1
[admin@MikroTik] > ping google.com
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                       
    0 173.194.222.102                            56 110 38ms465us 
    1 173.194.222.102                            56 110 42ms117us 
    2 173.194.222.102                            56 110 54ms348us 
    3 173.194.222.102                            56 110 41ms777us 
    4 173.194.222.102                            56 110 44ms964us 
    5 173.194.222.102                            56 110 67ms225us

lte2
 [code][admin@MikroTik] > ping google.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server

both
 [code] [admin@MikroTik] > ping google.com
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                       
    0 216.58.209.174                             56  48 54ms57us  
    1 216.58.209.174                                               timeout                                                                                                                      
    2 216.58.209.174                                               timeout                                                                                                                      
    3 216.58.209.174                                               timeout                                                                                                                      
    4 192.168.0.100                              84  64 153ms452us host unreachable                                                                                                             
    5 216.58.209.174                                               timeout                                                                                                                      
    6 216.58.209.174                                               timeout                                                                                                                      
    7 216.58.209.174                                               timeout                                                                                                                      
    8 192.168.0.100                              84  64 126ms267us host unreachable

backup.rsc (2.86 KB)

sindy · February 9, 2022, 2:12pm

So you have configured the same default-route-distance for both LTE interfaces (or, better to say, you haven’t changed the default value of 2 for none of them), hence when both are active, default routes via both are added with the same distance value, and the ping packets take “randomly” one of them.

If LTE2 works as such: the first packet of a ping sequence activates a src-nat handling for the whole sequence for the IP adddress of LTE A, so the packets that choose to leave via LTE B may be dropped due to their wrong source address; if they are not, the ISP B applies another src-nat on them and translates their source address to one of its public IPs, but when the response arrives, it gets un-dst-nated back to your WAN A address. And your WAN A address is assigned to someone totally unrelated within ISP B’s network.

Another possibility is that LTE2 doesn’t work at all; to find that out, disable LTE1, and try pinging 8.8.8.8 rather than google.com. If 8.8.8.8 responds but you get that error message for google.com, it means the DNS fqdn->IP number resolution doesn’t work with LTE2. When LTE1 is down, the DNS server list it has provided should be removed from the DNS dynamic configuration, but maybe something else is wrong. Check what :put [/ip dns get dynamic-servers] shows when only LTE1 is enabled, only LTE2 is enabled, and when both are enabled.

Amm0 · February 9, 2022, 2:27pm

Not sure that’s entirely correct, if the distance is same, ECMP is used. For forwarded packets (e.g. LAN to internet) connection tracking will take over, so the first ping packet will go out a “random” LTE interface, but subsequent ping should go out the same LTE interface as the first packet, since connection tracking takes over. Now for internet to router, the same-distance / ECMP routes can cause trouble, so you need packet marks etc on input/output so connections go out the same route them came in.

Saw someplace in configs here that it’s 7.0.4. Don’t know specifically about Chateau LTE12, but for RB5009 (another V7-only device), MT recommend using 7.1.1. Can’t say that “fix” anything automatically, but 7.0.4 is now a pretty old version.