Load balancing interference with PPTP services

rotten777 · August 22, 2011, 12:09pm

Hey guys. I’m having a problem wrapping my mind around the load balancing and excluding PPTP traffic. Here’s what I have in the “ip firewall mangle” section..

/ip firewall mangle
 0   chain=prerouting action=accept dst-address=WANSUBNET1/25 in-interface=ether1-corplan 
 1   chain=prerouting action=accept dst-address=WANSUBNET2/25 in-interface=ether1-corplan 
 2   chain=prerouting action=mark-connection new-connection-mark=ether2-wan1-pub_conn passthrough=yes in-interface=ether2-wan1-pub connection-mark=no-mark 
 3   chain=prerouting action=mark-connection new-connection-mark=ether3-wan2-corp_conn passthrough=yes in-interface=ether3-wan2-corp connection-mark=no-mark 
 4   chain=prerouting action=mark-connection new-connection-mark=ether2-wan1-pub_conn passthrough=yes dst-address-type=!local in-interface=ether1-corplan connection-mark=no-mark per-connection-classifier=both-addresses:2/0 
 5   chain=prerouting action=mark-connection new-connection-mark=ether3-wan2-corp_conn passthrough=yes dst-address-type=!local in-interface=ether1-corplan connection-mark=no-mark per-connection-classifier=both-addresses:2/1 
 6   chain=prerouting action=mark-routing new-routing-mark=to_wan1 passthrough=yes in-interface=ether1-corplan connection-mark=ether2-wan1-pub_conn 
 7   chain=prerouting action=mark-routing new-routing-mark=to_wan2 passthrough=yes in-interface=ether1-corplan connection-mark=ether3-wan2-corp_conn 
 8   chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=yes connection-mark=ether2-wan1-pub_conn 
 9   chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=yes connection-mark=ether3-wan2-corp_conn

Any help is appreciated.

Right now the remote-address setup for the ppp users is on the same subnet as the “ether1-corplan” subnet. I was thinking of moving it to its own subnet. I don’t know at this point I’m just scratching my head.

The hardware is a RB1100 if that matters.

fewi · August 26, 2011, 4:34pm

I’m a little confused at what you’re trying to achieve as your explanation isn’t very clear.

But if you’re trying to exempt any traffic from PCC just add rules that ‘accept’ the traffic before any of the route marking takes place. Move those rules to be just below these:

/ip firewall mangle
add chain=prerouting action=accept dst-address=WANSUBNET1/25 in-interface=ether1-corplan 
add chain=prerouting action=accept dst-address=WANSUBNET2/25 in-interface=ether1-corplan

Those rules do exactly what you’re trying to do: they ensure that any traffic to directly connected networks on the WAN side do not have PCC applied to them, but just use the normal routing table. PPTP uses tcp/1723 as a control channel and ip/47 (GRE) as a data channel. Assuming you want PPTP to end point 1.1.1.1 to be exempt from PCC:

/ip firewall mangle
add chain=prerouting dst-address=1.1.1.1 protocol=gre action=accept
add chain=prerouting dst-address=1.1.1.1 protocol=tcp dst-port=1723 action=accept

Then move those two new rules directly below the two rules referenced above.

If that doesn’t cover you please post more details.