Issue with multiple WAN load balancing

ashmodai · November 18, 2013, 2:44pm

Dear all,

I have been struggling since weeks trying to understand why my config does not work So I thought that I may be lucky and find someone in this forum that could help …
My setup is very simple. I do have two WAN interfaces and I want to do a simple PPC load balancing between the two links. Find below the relevant extract of my config …

/interface bridge
add arp=proxy-arp comment="Local Lan Bridge" l2mtu=9498 mtu=9400 name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment="Lan Bridge main interface" l2mtu=9498 mtu=9400 speed=1Gbps
set [ find default-name=ether2 ] l2mtu=9498 mtu=9400 speed=1Gbps
set [ find default-name=ether3 ] speed=1Gbps
set [ find default-name=ether4 ] speed=1Gbps
set [ find default-name=ether5 ] speed=1Gbps
set [ find default-name=ether6 ] speed=1Gbps
set [ find default-name=ether7 ] speed=1Gbps
set [ find default-name=ether8 ] speed=1Gbps
set [ find default-name=ether9 ] speed=1Gbps
set [ find default-name=ether10 ] speed=1Gbps
set [ find default-name=ether13 ] speed=1Gbps
set [ find default-name=ether11 ] comment="Main WAN Interface" name=wan1 speed=1Gbps
set [ find default-name=ether12 ] comment="Second WAN Interface" name=wan2 speed=1Gbps

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.6.1/24 comment="Internal IP" interface=ether1 network=192.168.6.0

/ip dhcp-client
add default-route-distance=10 dhcp-options=hostname,clientid disabled=no interface=wan1
add default-route-distance=10 dhcp-options=hostname,clientid disabled=no interface=wan2

/ip firewall address-list
add address=80.71.124.131 list=wan1Addr
add address=80.67.18.66 list=wan2Addr

/ip firewall connection tracking
set enabled=yes

/ip firewall filter
add chain=input comment="allow established" connection-state=established
add chain=input comment="allow related" connection-state=related

add action=drop chain=input comment="drop invalid traffic" connection-state=invalid
add action=drop chain=input comment="Drop boardcast as src" src-address-type=broadcast
add action=drop chain=input comment="Drop multicast as src" src-address-type=multicast

add chain=input comment=VPN dst-port=500 protocol=udp
add chain=input comment="Allow everything from lan" in-interface=bridge

add chain=input dst-port=1701 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre

add action=drop chain=input comment="drop everything else"

add chain=forward comment="forward established traffic" connection-state=established
add chain=forward comment="forward related traffic" connection-state=related

add chain=forward comment="forward traffic from LAN to WAN1" out-interface=wan1
add chain=forward comment="forward traffic from LAN to WAN2" out-interface=wan2

add chain=forward comment="allow public services to web" dst-address=192.168.6.100 dst-port=80,443 protocol=tcp

add action=drop chain=forward comment="drop invalid traffic" connection-state=invalid
add action=drop chain=forward comment="drop everything else"

/ip firewall mangle

add chain=prerouting comment="Accept from bridge to wan1" dst-address-list=wan1Addr in-interface=bridge
add chain=prerouting comment="Accept from bridget to wan2" dst-address-list=wan2Addr in-interface=bridge

add chain=prerouting comment="Accept from bridge to local" dst-address=192.168.6.0/24 in-interface=bridge

add action=mark-connection chain=prerouting comment="Marking all connections incoming on wan1 to wan1" connection-mark=no-mark in-interface=wan1 new-connection-mark=wan1_conn passthrough=no 
add action=mark-connection chain=prerouting comment="Marking all connections from wan1 to wan1" connection-mark=no-mark new-connection-mark=wan1_conn passthrough=no src-address-list=wan1Addr

add action=mark-connection chain=prerouting comment="Marking all connections incoming on wan2 to wan2" connection-mark=no-mark in-interface=wan2 new-connection-mark=wan2_conn passthrough=no
add action=mark-connection chain=prerouting comment="Marking all connections from wan2 to wan2" connection-mark=no-mark new-connection-mark=wan2_conn passthrough=no src-address-list=wan2Addr

add action=mark-connection chain=prerouting comment="Marking 50% of traffic from LAN out to wan 1" connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=wan1_conn passthrough=no per-connection-classifier=both-addresses:2/0 
add action=mark-connection chain=prerouting comment="Marking 50% of traffic from LAN out to wan 2" connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=wan2_conn passthrough=no per-connection-classifier=both-addresses:2/1 

add action=mark-routing chain=prerouting comment="Route to Wan1" connection-mark=wan1_conn in-interface=bridge new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no

add action=mark-routing chain=prerouting comment="Route to Wan2" connection-mark=wan2_conn in-interface=bridge new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no

/ip firewall nat
add chain=srcnat comment="NAT bypass for local subnets" dst-address=192.168.6.0/24 src-address=192.168.6.0/24

add action=masquerade chain=srcnat comment="Masquerade wan1" out-interface=wan1
add action=masquerade chain=srcnat comment="Masquerade wan2" out-interface=wan2

add action=dst-nat chain=dstnat comment="HTTP" dst-port=80 in-interface=wan1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS" dst-port=443 in-interface=wan1 protocol=tcp to-addresses=192.168.6.100 to-ports=443


/ip route
add check-gateway=ping distance=1 gateway=wan1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=wan2 routing-mark=to_wan2
add check-gateway=ping distance=10 gateway=wan1
add check-gateway=ping distance=10 gateway=wan2

Like this nothing works … If I disable the following lines

add action=mark-routing chain=prerouting comment=“Route to Wan1” connection-mark=wan1_conn in-interface=bridge new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no

add action=mark-routing chain=prerouting comment=“Route to Wan2” connection-mark=wan2_conn in-interface=bridge new-routing-mark=to_wan2 passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no

I see that all connections with the outside seem to have a connection-mark but the traffix always end up being very much ending on wan2 …

NB: The two address lists are updated by scripts in order to have my external IPs (dhcp) available for rules.

Please help. I am desperate
Thanks !

ashmodai · November 20, 2013, 10:44pm

please anyone ?

ashmodai · November 25, 2013, 9:47am

Is my question so dumb that nobody wants to tell me ?
I am tempted by deleting my full config and starting from scratch again but at least for my personal understanding I would like to know what I missed here …