load balancing and port forwarding for port 80 or another port

I can’t forward port 80 to IP 192.168.10.1 with this setting, which I use to balance users for Internet access or for special IPs to use the “Dolat” network.
I have a website on 192.168.10.1 and a static IP 94.x.x.x. I want to forward port 80 from 94.x.x.x to 192.168.10.

ip address:
                                
 0   192.168.10.2/24    192.168.10.0    Local                                     
 1   94.x.x.x/30   94.x.x.x   Internet                                  
 2   10.x.x.x/29     10.x.x.x     Dolat 

ip firewall nat:
 0  chain=srcnat action=masquerade src-address=192.168.10.0/24 log=no  log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-ports=80 
      protocol=tcp dst-address=94.x.x.x dst-port=80 log=no log-prefix="" 

ip firewall mangle for balancing user and :

 0    ;;; PC-WIN-Server
      chain=prerouting action=mark-routing new-routing-mark=Sh-tel 
      passthrough=yes src-address=192.168.10.1 log=no log-prefix="" 


 2    ;;; PC-12
      chain=prerouting action=mark-routing new-routing-mark=Sh-tel 
      passthrough=yes src-address=192.168.10.104 log=no log-prefix="" 

 3    ;;; PC-Nezam
      chain=prerouting action=mark-routing new-routing-mark=Sh-tel 
      passthrough=yes src-address=192.168.10.115 log=no log-prefix="" 


 4     ;;; Dolat
      chain=prerouting action=mark-routing new-routing-mark=GroupA 
      passthrough=yes src-address=192.168.10.0/24 dst-address=10.x.x.x 
      src-address-list="" log=no log-prefix="" 

 5    ;;; Dolat
      chain=prerouting action=mark-routing new-routing-mark=GroupA 
      passthrough=yes src-address=192.168.10.0/24 dst-address=10.x.x.x 
      log=no log-prefix="" 

                                    
route:
 0 A S  dst-address=0.0.0.0/0 gateway=94.x.x.x routing-mark=sh-tel

 1 A S  dst-address=0.0.0.0/0 gateway=10.x.x.x routing-mark=GroupA

When I change the route from:

 0  A  S  dst-address=0.0.0.0/0 gateway=94.x.x.x routing-mark=sh-tel
 1  A  S  dst-address=0.0.0.0/0 gateway=10.x.x.x routing-mark=GroupA

to this setting:

 0 A S  dst-address=0.0.0.0/0 gateway=94.x.x.x 
 1 A S  dst-address=0.0.0.0/0 gateway=10.x.x.x routing-mark=GroupA

it works correctly without routing-mark, but I need routing-mark.

How can I solve it?

See the explanation and solution in this post. The last paragraph explains the relationship to your case.

Okay, thanks for the answer. I know I should use connection marks, but I don’t know how, and which connection should I mark?

Read again that post completely, there is everything you need to make it work, including an example.

Maybe this post answers your question in an easier to understand way?

I’m struggling how to explain things in a simple to understand way without leaving out something important.

I did it but it does not work. What am I doing wrong? Please solve it.

for example address:
192.168.10.0/24 local
94.20.50.60 /internet
74.70.80.90 /dolat
====================
/ip firewall mangle
chain=prerouting connection-state=established,related in-interface=Interne>

chain=prerouting action=mark-routing new-routing-mark=handling-A connection-mark=handling-A 

chain=prerouting action=mark-routing new-routing-mark=handling-B connection-mark=handling-B 

chain=prerouting action=mark-connection new-connection-mark=handling-A 
      passthrough=yes connection-state=new protocol=tcp 
      dst-address=94.20.50.60  dst-port=80 log=no log-prefix="" 

chain=prerouting action=mark-connection new-connection-mark=handling-B 
      passthrough=yes connection-state=new protocol=tcp 
      src-address=192.168.10.1 src-port=80 log=no log-prefix="" 

chain=prerouting action=mark-routing new-routing-mark=handling-A 
      connection-mark=handling-A 

chain=prerouting action=mark-routing new-routing-mark=handling-B 
      connection-mark=handling-B

/ip firewall nat
chain=srcnat action=masquerade out-interface=Internet log=no log-prefix="" 

chain=srcnat action=masquerade out-interface=Dolat log=no log-prefix="" 

chain=srcnat action=masquerade src-address=192.168.10.0/24 log=no 
      log-prefix=""

chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-ports=80 
      protocol=tcp dst-address=94.20.50.60  dst-port=80 log=no log-prefix=""

/ip route
dst-address=0.0.0.0/0 gateway=94.20.50.61
        gateway-status=94.20.50.61 reachable via  Internet distance=1 
        scope=30 target-scope=10 routing-mark=handling-A 

dst-address=0.0.0.0/0 gateway=94.20.50.61 
        gateway-status=94.20.50.61 reachable via  Internet distance=1 
        scope=30 target-scope=10 routing-mark=handling-B

dst-address=0.0.0.0/0 gateway=74.70.80.91
        gateway-status=74.70.80.91 reachable via  Dolat check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=GroupA bgp-as-path=""

I would recommend that you replace handling-A by via-Internet and handling-B by via-Dolat in both the connection-mark and routing-mark, as doing so will help you see some logical mistakes yourself (like using the same route for both routing-mark values, so currently you would send even packets marked for Dolat via Internet)

Plus modify the very first mangle rule chain=prerouting connection-state=established,related in-interface=Internet, you want it to accept mid-connection packets which come in via either WAN.

So the script to do that would be:
/interface list add name=all-WANs
/interface list member add list=all-WANs interface=Internet
/interface list member add list=all-WANs interface=Dolat
/ip firewall mangle set [find chain="prerouting" connection-state~"established"] in-interface-list=all-WANs
/ip firewall mangle unset [find chain="prerouting" connection-state~"established"] in-interface



Then, try to logically separate in your mind the step of translating connection-mark to routing-mark, which has to be performed for each individual packet which is sent from LAN (or the Mikrotik itself) but must not be performed for packets coming in via one of the WANs, from the step of choosing the WAN interface out of (Internet, Dolat) for a whole connection only once, when the connection begins.

So for connections initiated by remote clients in the internet, the initial packet of the connection comes in via WAN, so you need to mark the connection with via-Internet or via-Dolat depending on in-interface, because the choice of interface is not yours - the client has already done the choice by connecting to one of your two public IP addresses.

For connections initiated from LAN, you use your own criteria to choose the WAN, the load balancing is one of the possible ones. So you use your normal load balancing rules, but instead of using them to assign a routing-mark directly, you use them to assign the connection-mark, which will be converted into a routing mark later during the same pass through the mangle prerouting chain but remembered throughout the connection, so you don’t need to re-assign it over and over again, which allows you to use also load balancing methods which don’t depend on other connection properties like source and destination port, so you can e.g. send a randomly chosen 37% of connections to one WAN and let the rest use the other one.
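
The marking logic described in the reply above, as a simplified Python model added here (it is not RouterOS code and not from any poster in the thread). It shows why a reply from the web server follows the WAN the client arrived on, where per-packet LAN criteria would pick the other one. The client address, the dst-nat entry for the Dolat address and the 10.0.0.0/8 LAN policy are assumptions made for the example.

```python
import ipaddress

WANS = {"Internet", "Dolat"}                      # interface names used in the thread
SERVER = ("192.168.10.1", 80)
# dst-nat table; the Dolat entry is an assumption (the thread shows only the Internet rule)
DSTNAT = {("94.20.50.60", 80): SERVER, ("74.70.80.90", 80): SERVER}
DOLAT_DESTS = ipaddress.ip_network("10.0.0.0/8")  # constructed: destinations sent via Dolat


def lan_policy(dst_ip):
    """Own criteria for LAN-initiated connections (stand-in for the load-balancing rules)."""
    return "via-Dolat" if ipaddress.ip_address(dst_ip) in DOLAT_DESTS else "via-Internet"


class Router:
    def __init__(self):
        self.conntrack = {}  # flow -> connection-mark, kept for the life of the connection

    def prerouting(self, in_if, src, dst):
        """Process one packet; return its routing-mark (None means main routing table)."""
        dst = DSTNAT.get(dst, dst)           # conntrack sees both directions as one flow
        flow = frozenset((src, dst))
        if in_if in WANS:
            # Step 1: the remote client already chose the WAN; remember it once.
            self.conntrack.setdefault(flow, "via-" + in_if)
            return None                      # never routing-mark packets arriving from a WAN
        # Step 2: LAN-initiated connection, choose the WAN once when it begins.
        self.conntrack.setdefault(flow, lan_policy(dst[0]))
        # Step 3: every packet from LAN gets its connection-mark translated.
        return self.conntrack[flow]


def demo():
    r = Router()
    client = ("203.0.113.7", 51000)          # constructed remote client
    results = {}
    # Client reaches the web server through the Dolat address; server replies from LAN.
    results["inbound"] = r.prerouting("Dolat", client, ("74.70.80.90", 80))
    results["reply"] = r.prerouting("Local", SERVER, client)
    # Marking per packet from LAN criteria alone would pick a different WAN for that reply.
    results["per_packet"] = lan_policy(client[0])
    # A LAN PC opening its own connection still follows the LAN policy.
    results["lan_out"] = r.prerouting("Local", ("192.168.10.104", 40000), ("10.1.2.3", 443))
    return results


if __name__ == "__main__":
    print(demo())
```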