ISP

No, the connection will not be broken, it just goes to another ISP in MikroTik. Is that right?

I do not want to go into details, but, for example, the payment platform simply wants the same IP;
if one of the called subdomains or domains with other names is reached with the other IP,
for security reasons the payment cannot be completed.

In this case you can remove the TLS host domain and fill the address list manually with the IP of the website you want. Thanks.

...and the lists are constantly changing, the same site can very well have different IPs for each test done.

Ok, you don't like to get the point, I don't like to answer this again.

Anyway, thank you for joining my post.

That will not work because this server does not use TLS. Furthermore, it would be unwarranted because the ampr.org domain contains many services and only a few speedtest servers.

It also is not clear why you want all this at all. It seems like you are bothered by the fact that the users reveal that your traffic is sometimes routed via ISP #2, that must be hidden from them.
However, what if they instead of a speedtest visit a “what is my IP” site? E.g. whatismyip.com. That will display the same (or even more) information.
Are you going to redirect those to ISP #1 as well? Where does it end?

No, the connection will not be broken, it just goes to another ISP in MikroTik. Is that right?

That is not really true, the first connection to any site that matches your criteria is likely to be broken. You cannot route a TCP connection that is already established halfway through.

Oh? Do you mean the server can route just one connection at the same time?

No, what I mean is: when loadbalancing has initiated a connection via ISP #2 and you detect that using your TLS host rule, it is too late to reroute that to ISP #1.
Depending on how you do the rerouting, the connection will either fail or it will complete via ISP #2 (and only the next connection will be rerouted).

I understand you, but in case we move the rule up, it will have priority to be executed by the server before the other rules, is that right?

No. The way TCP works (TLS is no exception) is this:

  1. client sends TCP packet without payload, only meaningful thing is SYN flag
  2. server sends reply without any payload. The only meaningful things are the SYN+ACK flags
  3. client sends another packet. Most often it is again without payload, only the ACK flag. Sometimes this packet carries some payload, but not often
  4. client sends payload, which in TLS case carries SNI (in v1.2 and earlier it’s plaintext, in v1.3 it’s encrypted as well)
  5. server sends TLS feedback
  6. data exchange starts

So only in step #4 it’s possible to re-route request via another ISP (if that’s what you want) and that’s waaay too late to “save” the connection … and server will drop connection (because change in SRC address will be seen as invalid connection from the new SRC address). And this really doesn’t depend on rule priority on router/firewall …
If address list updating works as intended, the next connection attempt will be routed towards ISP#2 already in step #1 and connection will eventually succeed.

Thanks, everybody. What matters is that my issue has been resolved.

We don’t think so. Either you had no issue at all, or it has not been (completely) resolved. Because that is impossible.

Can you explain to me what the difference is between the PCC load balance firewall mangle rule and the rule I use to reroute connections to another ISP?
The two rules = same result, but in PCC load balance the route will go automatically.
The two rules have mark connection and prerouting,
and in reroute connection it will go manually.

CAN YOU SEE THIS VIDEO?
https://youtu.be/XuTuIonXsns

If you want to rename the ISP on speedtest, view https://damastik.com/change-mikrotik-isp-name-on-speedtest/