OK, here goes. I set up PCC with 2 internet connections.
wan1 is on ether1 with 72.24.205.34/24 as its IP
wan2 is on ether2 with 216.161.237.204/29 as its IP
lan is on ether5 with 172.16.5.12/22 as its IP
PCC is working great but now I need to get to step 2. I have a server behind the firewall and I would like to dst-nat from each wan interface so that no matter which wan interface I come in from I can get to the server. So from a remote browser I should be able to browse to either ip and get to the server behind the firewall.
So here's what I've got going on at the moment. When I try to hit the interfaces from the web I get mixed results. Sometimes it loads and sometimes it doesn't.
Make a custom chain and create a jump rule for packets coming in from each interface; this way every change you make in the custom chain will apply to all connections.
OK, a little more info. Here's what's happening. When I'm coming in on wan1, sometimes it gets marked with the wan2 marking instead, so obviously the return packets are getting sent out the wrong interface on the reply. So how do I fix this??
Looking at the Packet Flow diagram (http://wiki.mikrotik.com/wiki/Packet_Flow), it looks as if a packet dst-nat’d to a server behind the firewall hits the following chains in sequence, listing only the relevant parts:
prerouting (connection tracker, prerouting mangle, dst-nat) → make routing decision, at this point it would choose ‘forward’ instead of ‘input’ since the destination IP is no longer the router itself.
Your rules only mark packets in the input chain, or in the prerouting chain if they are from the LAN interface, so that's the first time a mark is applied, and it is chosen somewhat randomly, resulting in packets potentially going out the wrong interface.
and add ‘connection-mark=no-mark’ (available in 4.x only, I think?) to make sure that you don’t overwrite the connection-mark in prerouting on the reply from the server.
That’s off the top of my head - maybe I’ll have time at work today to try it in a lab.
The mangle rules I have in the firewall at the moment are part of the tutorial for PCC load balancing, but I also need my dst-nat working for both WANs. I will try a couple of things today to see if I can get it to work. I think the hardest part is walking through the packet flow and making sure you don't violate or break rules that are already in place.
I added the new mangle rules for the forward table, but the other PCC rules are exactly the same as what I have in there already, so I didn't change them. I will try this now and see if it works.
OK, so with those 2 forward rules in place, 2 things have happened. I can't get to the router from the internet now, and it always marks the connections from either interface as wan1_conn, so it only works from the 72.24.x.x IP.
If I've got this right, what the no-mark does is prevent the dst-nat return traffic from getting tagged by the PCC rule, which causes it to be sent out the wrong interface.
Yes. The connection gets marked by the new rules in the forward chain when it is established (connection-state=new), depending on which interface the request came in from. You need to make sure that the PCC rules don't overwrite the connection-mark on the outbound return traffic, as with your former rules they somewhat randomly chose an outbound interface for all traffic coming in via the LAN interface; that's done by PCC marking only connections that have not been marked yet (connection-mark=no-mark).
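Putting the two posts above together (the forward-chain marking for dst-nat'd connections, and the connection-mark=no-mark guard on the PCC rules), here is an added example of a complete RouterOS configuration in the shape being discussed. It is not taken from the thread or from the MikroTik wiki tutorial the poster followed; it uses the interface names and WAN subnets given in the first post, while the server address (172.16.5.100), the published port (tcp/80) and the two upstream gateways (72.24.205.1 and 216.161.237.201) are assumptions chosen for illustration.

```routeros
# Interfaces as stated in the thread: ether1 = wan1, ether2 = wan2, ether5 = lan.
# ASSUMED for illustration (not in the thread): server 172.16.5.100, service tcp/80,
# wan1 gateway 72.24.205.1, wan2 gateway 216.161.237.201.

/ip firewall nat
# Publish the same internal server on both public addresses.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=172.16.5.100 to-ports=80 comment="server via wan1"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=172.16.5.100 to-ports=80 comment="server via wan2"
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

/ip firewall mangle
# Traffic addressed to the router itself takes input/output; keep these so the
# router stays reachable from each WAN and answers out the interface it was asked on.
add chain=input in-interface=ether1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=ether2 action=mark-connection new-connection-mark=wan2_conn
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2

# After dst-nat the destination is the server, so the routing decision sends the
# packet to forward, not input. Tag the new connection with the WAN it arrived on.
add chain=forward in-interface=ether1 connection-state=new action=mark-connection \
    new-connection-mark=wan1_conn passthrough=yes
add chain=forward in-interface=ether2 connection-state=new action=mark-connection \
    new-connection-mark=wan2_conn passthrough=yes

# LAN-originated traffic: do not classify traffic destined for the WAN subnets.
add chain=prerouting in-interface=ether5 dst-address=72.24.205.0/24 action=accept
add chain=prerouting in-interface=ether5 dst-address=216.161.237.200/29 action=accept

# PCC: only classify connections that carry no mark yet. The server's reply to a
# dst-nat'd request already carries wan1_conn/wan2_conn from the forward rules above,
# so it is skipped here instead of being re-marked at random.
add chain=prerouting in-interface=ether5 connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection \
    new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=ether5 connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 action=mark-connection \
    new-connection-mark=wan2_conn passthrough=yes

# Route every LAN-sourced packet (including the server's replies) by its connection mark.
add chain=prerouting in-interface=ether5 connection-mark=wan1_conn action=mark-routing \
    new-routing-mark=to_wan1
add chain=prerouting in-interface=ether5 connection-mark=wan2_conn action=mark-routing \
    new-routing-mark=to_wan2

/ip route
add dst-address=0.0.0.0/0 gateway=72.24.205.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=216.161.237.201 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=72.24.205.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=216.161.237.201 distance=2 check-gateway=ping
```

To check that the forward rules are doing their job, browse to the wan2 address from outside and run `/ip firewall connection print where connection-mark=wan2_conn`: the connection to 172.16.5.100:80 should appear with that mark and stay with it for its lifetime. If it shows up as wan1_conn or with no mark, a rule earlier in the mangle list is matching the connection before the forward rule does, and that rule is the one to inspect.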