Load balance mangle question

I have load balance set up and working perfectly for some time now.
Just one problem is that I cannot ping the router’s IPs from the Internet.
In this case I have 3 DSLs connected (with static IPs) to WAN1,2 & 3.

The rules I think are relevant are:
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=Cwan1 passthrough=no
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=Cwan2 passthrough=no
add action=mark-connection chain=input in-interface=WAN3 new-connection-mark=Cwan3 passthrough=no
add action=mark-routing chain=output connection-mark=Cwan1 disabled=no new-routing-mark=Rwan1 passthrough=no
add action=mark-routing chain=output connection-mark=Cwan2 disabled=no new-routing-mark=Rwan2 passthrough=no
add action=mark-routing chain=output connection-mark=Cwan3 disabled=no new-routing-mark=Rwan3 passthrough=no

/ip route
add check-gateway=ping comment=WAN1 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx routing-mark=Rwan1
add check-gateway=ping comment=WAN2 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx routing-mark=Rwan2
add check-gateway=ping comment=WAN3 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx routing-mark=Rwan3


As I understand, this should mark connections coming into e.g. WAN1 as (connection mark) Cwan1, then as the reply goes out, mark them with (routing mark) Rwan1 where it will be routed out through the correct interface, but pings do not respond from outside.

Any help would be great.
Thanks

Ekkas

I will assume that your MikroTik public IPs are as follows:

WAN1: 196.xx.xx.x1
WAN2: 196.xx.xx.x2
WAN3: 196.xx.xx.x3

So you have to add this to your mangle output:

/ip firewall mangle add src-address=196.xx.xx.x1 action=mark-routing chain=output new-routing-mark=Rwan1 passthrough=no place-before=0
/ip firewall mangle add src-address=196.xx.xx.x2 action=mark-routing chain=output new-routing-mark=Rwan2 passthrough=no place-before=0
/ip firewall mangle add src-address=196.xx.xx.x3 action=mark-routing chain=output new-routing-mark=Rwan3 passthrough=no place-before=0

Thanks Sario, but it’s not working.
I see bytes getting added to counter, but no ping from outside.

What do you do if you have dynamic IPs? (pppoe)

Got it working after adding failover routes for unmarked traffic. !?
Anyways, all good.

http://forum.mikrotik.com/t/how-to-gain-access-to-mt-box-itself-in-case-of-dual-wan/44113/1

The problem is that the router will fail over to the default route for any traffic that comes into it. Because it falls through to the main routing table, there’s a good chance that it is trying to reply to pings with the wrong route, hence why they are not getting back.

The rules posted in this thread deal with marking the packet appropriately so the router can reply back with the correct route.
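
The fix the original poster reports above (failover routes for unmarked traffic), written out as an added example that is not taken from any post in this thread. The distance values and the "unmarked" comments are assumptions, and the masked 196.xx.xx.xx gateways repeat the thread's placeholders and must be replaced with each WAN's real gateway.

```routeros
# Added example. Gateways are the thread's masked placeholders; distances are assumed.

/ip route
# Per-WAN tables from the first post: traffic carrying routing mark
# Rwan1/Rwan2/Rwan3 leaves through the matching WAN gateway.
add check-gateway=ping comment=WAN1 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx routing-mark=Rwan1
add check-gateway=ping comment=WAN2 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx routing-mark=Rwan2
add check-gateway=ping comment=WAN3 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx routing-mark=Rwan3

# Default routes with no routing-mark: these live in the main table and
# serve unmarked traffic. The lowest distance is preferred; when
# check-gateway=ping finds a gateway unreachable, that route goes inactive
# and the route with the next distance takes over.
add check-gateway=ping comment="WAN1 unmarked" distance=1 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx
add check-gateway=ping comment="WAN2 unmarked" distance=2 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx
add check-gateway=ping comment="WAN3 unmarked" distance=3 dst-address=0.0.0.0/0 gateway=196.xx.xx.xx

# Confirm that the marked routes and one unmarked default route are active.
/ip route print
```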