Load Balancing for specific destination host

Hi …

I have two WAN connections; one of them is ADSL with PPPoE and a valid IP address, and the other one is WiMAX with an invalid IP address and manual configuration.

I want my local clients, when trying to connect to a specific host and a specific port, to use the WiMAX link, and for the rest of the internet traffic they should go through the ADSL link.

For example, when my clients try to connect to X.X.X.X:35478 they should go through the WiMAX link, and when they try to go anywhere other than X.X.X.X:35478 they should go through the ADSL link.

Obviously, if they try to connect to X.X.X.X:80 or anything other than 35478 they must go through the ADSL link.

I hope you guys can help me in this matter.

Best Regards
Iam

Hi guys …

I asked my question in my last post in this thread but I don’t see anyone interested, so I need to know: is it even possible to do such a thing?

I’m not quite sure what your “invalid ip-address” means and if it can influence things. But you need something like this:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=x.x.x.x dst-port=35478 \
  new-routing-mark=xxxx protocol=tcp
/ip route
add gateway=<wimax-gw> routing-mark=xxxx

Are you using IP FIREWALL NAT rules to NAT the traffic for the WiMAX and ADSL links?

If yes, then the resolution is simple.

Thank you for your reply…
I tried what you said but it’s not working.
Since I want only x.x.x.x:35478 traffic to go through the WiMAX link, after doing what you said I tested it and found out that web traffic is going through the WiMAX link.

Thank you for your reply…

Well, I use IP FIREWALL NAT to NAT traffic.

I tried to set a specific NAT rule and set it this way:

ip firewall nat add chain=srcnat dst-address=x.x.x.x protocol=tcp port=35478 out-interface=4-Wimax action=masquerade
ip firewall nat add chain=srcnat dst-address=!x.x.x.x protocol=tcp port=!35478 out-interface=1-adsl-pppoe action=masquerade

but then internet traffic is not going through the MikroTik and only x.x.x.x:35478 is accessible.

I don’t know what exactly might be wrong, but the basic idea with the routing mark is correct and should work. Check the wiki for some examples; maybe you’ll spot what’s wrong.

Just one note about your NAT rules: “out-interface” does not mean an action, i.e. “make the traffic go through that interface”, but a condition, i.e. “use the rule if the traffic goes out through that interface”.

Thank you for your reply.

Would you mind telling me more about the route rule? How can I set it properly?

Why don’t you try this...

Thank you…
I tried what you said step by step but it didn’t work.
The whole traffic to outside is dropped. Outside is not accessible; even x.x.x.x:35478 is unreachable.

I just tested it and it works fine, so it should work also for you. You’ll have to do some simple debugging to see what’s wrong.

Complete working config of my test router:

/ip address
add address=192.168.80.1/24 interface=lan
add address=10.0.20.1/24 interface=wan1
add address=10.0.100.1/24 interface=wan2
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=10.55.55.55 dst-port=5555 \
    new-routing-mark=xxx protocol=tcp
add action=log chain=postrouting connection-state=new disabled=no log-prefix=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan1
add action=masquerade chain=srcnat out-interface=wan2
/ip route
add gateway=10.0.100.2 routing-mark=xxx
add gateway=10.0.20.2

And then simple test using telnet command from machine 192.168.80.10 on LAN:

telnet 10.1.1.1
telnet 10.55.55.55
telnet 10.55.55.55 5555

Which produces this log:

05:24:49 firewall,info postrouting: in:(none) out:wan1, proto TCP (SYN), 192.168.80.10:52192->10.55.1.1:23, len 52 
05:24:49 firewall,info postrouting: in:(none) out:wan1, proto TCP (SYN), 192.168.80.10:52193->10.55.55.55:23, len 52 
05:24:51 firewall,info postrouting: in:(none) out:wan2, proto TCP (SYN), 192.168.80.10:52194->10.55.55.55:5555, len 52

You can clearly see that the packet to 10.55.55.55:5555 is exiting via wan2, while the others go via wan1. The source address is still 192.168.80.10, because the logging rule is before the masquerade rule. But NAT works; it can be checked in the Torch tool that the source of outgoing packets is 10.0.20.1 (for wan1) or 10.0.100.1 (for wan2).
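The two points made in this thread, that the routing mark (not the NAT rule) decides the exit interface, and that out-interface in srcnat is a match condition applied after routing, can be checked against the posted test config and its log. The following Python is an added example, not part of the reply above or of RouterOS itself: it models the posted mangle rules, routes and masquerade in simplified form (prerouting mark first, then route lookup by mark with fallback to the main table, gateway resolved to the interface whose connected network contains it), and then parses the three log lines quoted above to confirm each packet left by the interface the policy predicts. The model is an assumption about RouterOS behaviour made for illustration; the addresses, ports, mark name and log lines are the ones from the post.

```python
"""Model of the posted routing-mark policy plus a checker for its postrouting log."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# /ip address from the posted test config: interface -> address/prefix
ADDRESSES = {
    "lan": "192.168.80.1/24",
    "wan1": "10.0.20.1/24",
    "wan2": "10.0.100.1/24",
}


@dataclass(frozen=True)
class MangleRule:
    """One prerouting mark-routing rule: dst-address + dst-port + protocol -> new-routing-mark."""
    dst_address: str
    dst_port: int
    protocol: str
    routing_mark: str


@dataclass(frozen=True)
class Route:
    """One /ip route entry; routing_mark None means the main table."""
    gateway: str
    routing_mark: Optional[str] = None


# /ip firewall mangle and /ip route from the posted config
MANGLE = [MangleRule("10.55.55.55", 5555, "tcp", "xxx")]
ROUTES = [Route("10.0.100.2", "xxx"), Route("10.0.20.2")]


def interface_for_gateway(gateway: str) -> str:
    """Resolve a gateway to the interface whose connected network contains it."""
    gw = ip_address(gateway)
    for iface, cidr in ADDRESSES.items():
        if gw in ip_network(cidr, strict=False):
            return iface
    raise LookupError(f"gateway {gateway} is not on any connected network")


def forward(proto: str, dst: str, dport: int):
    """Return (routing_mark, out_interface) for a new connection.

    Simplified model (assumption): mangle prerouting assigns the mark, the route lookup
    then uses routes carrying that mark, and an unmarked packet (or a mark with no
    usable route) falls back to the main table.
    """
    mark = None
    for rule in MANGLE:
        if (rule.protocol == proto.lower() and rule.dst_port == dport
                and ip_address(dst) in ip_network(rule.dst_address, strict=False)):
            mark = rule.routing_mark
            break
    for route in ROUTES:
        if route.routing_mark == mark:
            return mark, interface_for_gateway(route.gateway)
    for route in ROUTES:
        if route.routing_mark is None:
            return mark, interface_for_gateway(route.gateway)
    raise LookupError("no usable route")


def masquerade_source(out_iface: str) -> str:
    """srcnat masquerade rewrites the source to the address of the interface the packet
    already leaves on; the out-interface is a match condition, not a steering action."""
    return ADDRESSES[out_iface].split("/")[0]


# Shape of the "action=log chain=postrouting" lines quoted in the post
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): "
    r"in:(?P<in>\S+) out:(?P<out>\S+), proto (?P<proto>\w+) \([^)]*\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)\s*$"
)


def verify_log(lines):
    """Compare every parsable log line with the modelled policy.

    Returns a list of (dst, dport, observed_out, expected_out, matches)."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a postrouting log line in the expected format
        _, expected = forward(m["proto"], m["dst"], int(m["dport"]))
        results.append((m["dst"], int(m["dport"]), m["out"], expected, m["out"] == expected))
    return results


# The three log lines quoted in the post above
SAMPLE_LOG = [
    "05:24:49 firewall,info postrouting: in:(none) out:wan1, proto TCP (SYN), 192.168.80.10:52192->10.55.1.1:23, len 52 ",
    "05:24:49 firewall,info postrouting: in:(none) out:wan1, proto TCP (SYN), 192.168.80.10:52193->10.55.55.55:23, len 52 ",
    "05:24:51 firewall,info postrouting: in:(none) out:wan2, proto TCP (SYN), 192.168.80.10:52194->10.55.55.55:5555, len 52",
]

if __name__ == "__main__":
    for dst, dport, seen, want, ok in verify_log(SAMPLE_LOG):
        src = masquerade_source(seen)
        print(f"{dst}:{dport} out={seen} expected={want} nat-source={src} {'OK' if ok else 'MISMATCH'}")
```

Running it reproduces the reply's reading of the log: only 10.55.55.55:5555 gets the mark and leaves via wan2, the same host on port 23 and any other host on port 5555 stay on wan1, and the masqueraded source is simply the address of whichever interface routing picked. Feeding the checker a real log export is a quick way to spot the kind of mismatch the original poster is seeing.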

Thanks for your help…
It’s not working… I’m really confused… I did exactly what you said, only changing details (like IP addresses and ports) to suit my network.
Since I want to dedicate a link to a specific host:port, is it possible to do it with NAT?
I mean writing two NAT rules, one for HOST:TCP/PORT to go through the WiMAX link and one for other destinations to go through the ADSL-PPPoE connection?

If we can do this, that would be great.

Where packets go is determined by routing table. NAT only changes addresses. You can influence routing by changing destination address in dstnat, but it won’t help you much in this case, because you don’t want to change destination address.

Maybe some other part of your config is ruining the effort? Some other firewall rules for example… Sharing complete relevant parts of your config might help. Those would be /ip address, /ip route and /ip firewall. Just don’t overdo address masking, it won’t help if everything becomes x.x.x.x. If you have public addresses and you’re concerned about your privacy, it’s enough to mask just one or two leading digits. For private ones (192.168.x.x, 10.x.x.x and 172.16-31.x.x) masking is completely unnecessary.