I would like to request that someone with mangle experience takes a quick look at my mangle config and lets me know what the problem is.
I am working on a lab that will allow me to finish the setup for a client, but it seems I am doing something wrong.
In the following example I just want my computer (192.168.100.150) to pass all traffic through ISP1. I have placed my connection marks, but for some reason
I cannot comprehend, it keeps passing through ISP2.
I would really appreciate feedback as to why this is happening.
/interface ethernet
set [ find default-name=ether1 ] name=01-WAN1
set [ find default-name=ether2 ] name=02-LAN
set [ find default-name=ether3 ] master-port=02-LAN name=03-LAN
set [ find default-name=ether4 ] master-port=02-LAN name=04-LAN
set [ find default-name=ether5 ] loop-protect=off name=05-WAN2
It looks like in your “PCC 2” rule you added packet-mark=no-mark by mistake, instead of the correct connection-mark=no-mark. As it is now, this rule will happily overwrite the connection mark previously set by the “PRE-PCC 1” rule.
I am still trying to grasp the passthrough concept in mangle, though.
Let's suppose that PRE-PCC 1 is a match and that it's a no-passthrough rule.
Is it normal for all traffic to the internet to halt?
Passthrough is very simple: it just tells the router to continue processing rules. And you need it, because you need to do more actions for the same packet. You want to mark the connection and immediately mark routing for the first packet of this connection. Without passthrough, you only mark the connection, but then the poor little packet doesn't know where to go, because you don't have a default route in the main routing table.
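As an added illustration of the passthrough point above (this is not the poster's or Sob's config), here is a minimal RouterOS v6-style mangle set for the lab, using the interface names from the posted export. The mark names, the to_ISPx table names and the gateway addresses are assumptions. The forced rule for the test PC and the PCC rules mark the connection with passthrough=yes, so the very first packet continues down to the mark-routing rule; the mark-routing rules end the chain with passthrough=no.

```routeros
/ip firewall mangle
# Forced path for the test PC. Must come first, and passthrough=yes so that the
# same packet continues to the mark-routing rule further down.
add chain=prerouting in-interface=02-LAN src-address=192.168.100.150 \
    dst-address-type=!local connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP1_conn passthrough=yes comment="PRE-PCC 1"
# General PCC split for whatever is still unmarked. connection-mark=no-mark (not
# packet-mark=no-mark) is what keeps these rules from overwriting the mark above.
add chain=prerouting in-interface=02-LAN dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes comment="PCC 1"
add chain=prerouting in-interface=02-LAN dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes comment="PCC 2"
# Routing mark for every packet of a marked connection, first packet included.
# If the rules above used passthrough=no, the first packet would never reach
# these rules and would be looked up in the main table, which has no default
# route in this lab, so the connection would stall right here.
add chain=prerouting in-interface=02-LAN connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting in-interface=02-LAN connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no
/ip route
# One default route per marked table (gateway addresses are assumed values)
add routing-mark=to_ISP1 gateway=192.0.2.1 distance=1
add routing-mark=to_ISP2 gateway=198.51.100.1 distance=1
```

To see the effect of a missing passthrough, set passthrough=no on "PRE-PCC 1" and watch /ip firewall mangle print stats: the mark-routing counter for ISP1_conn stays at zero while the connection counter climbs.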
I am getting the idea now, although a few questions emerge…
Let's say that, with my config above as a starting point, I want to have two gateways with 2 static external IP addresses
(let's suppose NAT is in place and working) and have all traffic originating from either WAN interface be answered back via the same interface.
My goal is to be able to access, from outside, a service on a specific server inside via 2 gateways at the same time.
That mangle rule must be placed before the PCC rules for the LAN PC clients (needed for general load balancing).
How can I achieve that? I know that once the packet exits the router the mark is lost.
Do I have to use the “established” option for the server to identify the origin of the packets?
If you want to access one internal server from both WANs at the same time, you must mark incoming connections and then route them back properly. You already have part of that, you just need to mark routing:
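The rules that Sob's reply refers to, written out as an added example (not Sob's own text or the poster's config). It assumes the interface names from the first export, that dst-nat for the service is already in place, and that the to_ISP1 / to_ISP2 tables exist with one default route each (added at the end so the block stands on its own; gateway addresses are assumed values). The mark-connection rules sit above the LAN PCC rules; the PCC rules match connection-mark=no-mark, so they never touch these connections.

```routeros
/ip firewall mangle
# Placed above the LAN PCC rules. A new connection arriving on a WAN is marked
# while it is still unmarked; replies to LAN-originated connections already
# carry a mark by the time they come back, so they are not affected.
add chain=prerouting in-interface=01-WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from_WAN1 passthrough=yes
add chain=prerouting in-interface=05-WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from_WAN2 passthrough=yes
# The server's replies enter on 02-LAN and already belong to a marked
# connection, so mark-routing alone sends them back out the WAN they came in on.
add chain=prerouting in-interface=02-LAN connection-mark=from_WAN1 \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting in-interface=02-LAN connection-mark=from_WAN2 \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no
# Replies generated by the router itself (a service such as SSTP running on the
# router) never pass prerouting; the output chain gives them the same treatment
# instead of relying on a default route in the main table.
add chain=output connection-mark=from_WAN1 \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=output connection-mark=from_WAN2 \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no
/ip route
# Assumed to exist already; shown so the example is complete (assumed gateways)
add routing-mark=to_ISP1 gateway=192.0.2.1 distance=1
add routing-mark=to_ISP2 gateway=198.51.100.1 distance=1
```

Check it with /ip firewall connection print where connection-mark=from_WAN2 while a client talks to the service via the WAN2 address: the reply counters on the to_ISP2 mark-routing rules should increase, and a packet sniff on 05-WAN2 should show the replies leaving there.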
Thank you Sob!
I have already managed to make it work in the meantime.
At the moment the device is configured to load balance 2 WAN interfaces while successfully port forwarding both connections destined for the main server.
I also configured the failover that automatically increases the route value if one connection is for some reason down, via netwatch.
Now all that remains is to transfer the SSTP config successfully from my MikroTik (working for 1 WAN) to my client's in order to be able to establish a VPN (dual WAN).
But I suppose that it will not give me a hard time.
MikroTik is awesome.
Will let you know of the final outcome since I am very close to the final config.
While everything else is working properly, SSTP to the MikroTik is not.
I have tried everything I can think of.
The logs show that the connection matches the input 443 TCP rule, but then nothing happens.
The connection tracking shows the incoming connection to WAN1 on 443, but it stops at TCP SYN.
I have to assume that, for some reason I really cannot understand, the request does not get answered.
Can you please check my config and explain what I am doing so wrong?
Routing works.
NAT works.
Connections from both WANs at the same time to my server 192.168.1.1 work.
SSTP from the local network to my MikroTik interface works.
The only thing that does not work is SSTP from WAN to router.
/interface ethernet
set [ find default-name=ether3 ] name=Local
set [ find default-name=ether4 ] master-port=Local name=Local2
set [ find default-name=ether5 ] master-port=Local name=Local3
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=sstp-pool ranges=192.168.10.5-192.168.10.15
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.10.1 name=SSTP remote-address=sstp-pool use-compression=yes
/interface sstp-server server
set authentication=mschap2 certificate=CA1 default-profile=SSTP enabled=yes
/ip address
add address=192.168.1.254/24 interface=Local network=192.168.1.0
add address=10.111.0.1/24 interface=WAN1 network=10.111.0.0
add address=10.112.0.1/24 interface=WAN2 network=10.112.0.0
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 servers=8.8.4.4,8.8.8.8
I found the problem again. The issue was located in the routes.
I had to add 2 default routes, one for each interface.
The routes were added with a higher distance (15 and 16) than the marked routes used by the PCC.
Now I can connect with my Windows 10 SSTP client, and I get successfully verified with my credentials and
certificate.
I can also ping the remote router. Now the only issue that remains is that I can only ping the
router at the 192.168.10.1 IP but not 192.168.1.1, which is the IP of the server at the far end.
Now I have to find out if it's a routing-related or firewall-related issue.
Your feedback is more than welcome, as always.
UPDATE!
It works. I had to remove the 3rd mangle rule that was directing all traffic from 192.168.1.1 only through WAN1.
If you want to force WAN1 for outgoing connections from 192.168.1.1 (using the rule you removed), you can either mark connections from the VPN with another mark, and your “from LAN” marking rules won't touch them because they have the connection-mark=no-mark condition, or you can use a routing rule:
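Both options from Sob's reply, written out as an added example (not Sob's or the poster's config). It uses the interface names from the second export (Local, WAN1) and the SSTP pool 192.168.10.0/24 from it; the mark names, the to_ISP1 / to_ISP2 table names and the existence of a mark-routing rule for ISP1_conn are assumptions.

```routeros
/ip firewall mangle
# Option 1: give VPN-originated connections their own mark before any LAN rule
# runs. The restored "server via WAN1" rule keeps connection-mark=no-mark, so
# the server's replies to an SSTP client stay on the VPN connection's mark and
# are never forced out through WAN1.
add chain=prerouting in-interface=all-ppp connection-mark=no-mark \
    action=mark-connection new-connection-mark=vpn_conn passthrough=yes \
    comment="SSTP clients: keep them off the WAN marks"
add chain=prerouting in-interface=Local src-address=192.168.1.1 \
    dst-address-type=!local connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP1_conn passthrough=yes comment="server out via WAN1"
# (an existing rule marking routing to_ISP1 for ISP1_conn is assumed)

# Option 2: no extra mangle rule; route rules pick the table by source address.
# Rules are evaluated top-down. Replies that prerouting already marked for WAN2
# keep their table, VPN destinations stay in the main table, and only the rest
# of the server's traffic is looked up in to_ISP1.
/ip route rule
add routing-mark=to_ISP2 action=lookup table=to_ISP2 \
    comment="inbound-on-WAN2 replies must keep going out WAN2"
add src-address=192.168.1.1/32 dst-address=192.168.10.0/24 action=lookup table=main \
    comment="server to SSTP clients: normal routing"
add src-address=192.168.1.1/32 action=lookup table=to_ISP1 \
    comment="everything else from the server leaves via WAN1"
```

With either option, verify from an SSTP client with a ping to 192.168.1.1 and from the server with a traceroute to an outside host: the first must get replies, the second must show the WAN1 gateway as the first hop.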
Thanks Sob.
MikroTik configuration is fun but puzzling sometimes.
At least now everything works.
I'll keep you as a friend for the hard days; thanks again for all the help.
Here is a question for you.
In PCC I have checked the new connection checkbox (connection-state=new).
My purpose was that when a new connection from a LAN workstation was initiated, the PCC would kick in
and ignore all the established and related connections.
Is that correct?
I suppose it is. I mean, rule with connection-state=new definitely won’t process packets for established or related connections. But checking for connection state may be redundant when rule also has connection-mark=no-mark, because you mark all connections anyway. I’m not sure about possible performance differences, but I think it should be nothing major.
It seems I have a question regarding my PCC functionality.
Let's suppose that one of the DSL connections drops or hangs.
My script via netwatch is configured to demote the failed route's distance and to restore it to its original state when the line is available again.
When my WAN2 dropped today and my route got demoted, some of the workstations did not have access to the Internet during that time.
May I ask how exactly PCC works in regard to the routes?
PCC doesn’t care. And I also don’t think that your netwatch scripts actually do anything useful, because no matter how they change the distance, each to_ISPx routing table will always have only one active route, which will be selected.
You can try this, it should be fully automatic without need for netwatch. A word of warning, this is a little new to me, so no guarantees (not that I give any otherwise ):
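A recursive-route failover set along the lines Sob describes, added here as an example (not Sob's own config): every marked table gets a primary and a backup default route, so when one ISP fails the other route in the same table becomes active without any netwatch script. It uses the WAN addresses from the second export; the gateway addresses, the to_ISP1 / to_ISP2 table names and the choice of 8.8.8.8 and 8.8.4.4 as probe hosts are assumptions. The syntax is RouterOS v6 (routing-mark=); v7 uses routing-table= instead.

```routeros
/ip route
# One host route per ISP, pinned to that ISP's gateway. scope=10 lets the
# default routes below resolve recursively through them (static routes have
# target-scope=10 by default).
add dst-address=8.8.8.8/32 gateway=10.111.0.254 scope=10 \
    comment="probe host reachable only via WAN1"
add dst-address=8.8.4.4/32 gateway=10.112.0.254 scope=10 \
    comment="probe host reachable only via WAN2"
# Each marked table: primary route through its own ISP, backup through the
# other, at a higher distance. check-gateway=ping pings the recursive gateway
# (the probe host), so an ISP whose modem is up but whose uplink is dead still
# fails over; pinging the directly connected gateway would not catch that.
add routing-mark=to_ISP1 gateway=8.8.8.8 distance=1 check-gateway=ping
add routing-mark=to_ISP1 gateway=8.8.4.4 distance=2 check-gateway=ping
add routing-mark=to_ISP2 gateway=8.8.4.4 distance=1 check-gateway=ping
add routing-mark=to_ISP2 gateway=8.8.8.8 distance=2 check-gateway=ping
# Main table for router-originated and unmarked traffic (SSTP replies etc.)
add gateway=8.8.8.8 distance=1 check-gateway=ping
add gateway=8.8.4.4 distance=2 check-gateway=ping
```

Two caveats a practitioner would check: if a probe host itself goes unreachable while the ISP is fine, that ISP is declared down, so pick probe hosts you can live with; and because 8.8.8.8 is reachable only via WAN1 in the main table, the router's own DNS queries to that server always leave through WAN1. Watch /ip route print where routing-mark=to_ISP2 while WAN2 is unplugged: the distance=1 route should lose its active flag and the distance=2 one should gain it.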
First of all, thanks again for your time and effort.
I would like to grasp the mechanics of the routes before applying a solution.
Recursive routes are reported to cause issues in failover. People claim that they have
erratic behavior.
You mentioned that PCC doesn't care about route distance?
Even if I set a default route with higher priority, will the PCC continue to ignore it because of the marking?
Do you think recursive routes are the only choice for MikroTik failover that is set up to use PCC?