Load Balancing PCC lots of drop not coming from LAN

I use load balancing with 2 LTE, it works well, but I have lots of dropped packets "not coming from LAN". Then I think there's something bad in my config.

Can you help me?

Capture.JPG

Here’s the config

/interface bridge
add admin-mac=74:4D:28:CB:53:12 auto-mac=no comment=defconf fast-forward=no \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface vlan
add interface=WAN1 name=internet-wan1 vlan-id=3
add interface=WAN2 name=internet-wan2 vlan-id=3
add interface=WAN1 name=management-wan1 vlan-id=2
add interface=WAN2 name=management-wan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile1 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n country=\
    no_country_set disabled=no distance=indoors frequency-mode=manual-txpower \
    installation=indoor mode=ap-bridge security-profile=profile1 ssid=\
    HAPAC2-2GHZ wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-XXXX country=france disabled=no distance=indoors frequency=\
    5500 mode=ap-bridge security-profile=profile1 ssid=HAPAC2-5GHZ \
    wireless-protocol=802.11 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=1d \
    name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=management-wan1
add bridge=bridge interface=management-wan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=WAN1 list=LAN
add interface=internet-wan2 list=WAN
add interface=internet-wan1 list=WAN
add comment=defconf interface=WAN2 list=LAN
add comment=defconf interface=ether3 list=LAN
add comment=defconf interface=ether4 list=LAN
add comment=defconf interface=ether5 list=LAN
add comment=defconf interface=management-wan1 list=LAN
add comment=defconf interface=management-wan2 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=internet-wan1 script="{\r\
    \n    :local routemark \"to_wan1\"\r\
    \n    :local count [/ip route print count-only where comment=\$routemark]\
    \r\
    \n    :if (\$bound=1) do={\r\
    \n        :if (\$count = 0) do={\r\
    \n            /ip route add gateway=\$\"gateway-address\" comment=\$routem\
    ark routing-mark=\$routemark\r\
    \n        } else={\r\
    \n            :if (\$count = 1) do={\r\
    \n                :local test [/ip route find where comment=\$routemark]\r\
    \n                :if ([/ip route get \$test gateway] != \$\"gateway-addre\
    ss\") do={\r\
    \n                    /ip route set \$test gateway=\$\"gateway-address\"\r\
    \n                }\r\
    \n            } else={\r\
    \n                :error \"Multiple routes found\"\r\
    \n            }\r\
    \n        }\r\
    \n    } else={\r\
    \n        /ip route remove [find comment=\$routemark]\r\
    \n    }\r\
    \n}" use-peer-dns=no use-peer-ntp=no
add disabled=no interface=internet-wan2 script="{\r\
    \n    :local routemark \"to_wan2\"\r\
    \n    :local count [/ip route print count-only where comment=\$routemark]\
    \r\
    \n    :if (\$bound=1) do={\r\
    \n        :if (\$count = 0) do={\r\
    \n            /ip route add gateway=\$\"gateway-address\" comment=\$routem\
    ark routing-mark=\$routemark\r\
    \n        } else={\r\
    \n            :if (\$count = 1) do={\r\
    \n                :local test [/ip route find where comment=\$routemark]\r\
    \n                :if ([/ip route get \$test gateway] != \$\"gateway-addre\
    ss\") do={\r\
    \n                    /ip route set \$test gateway=\$\"gateway-address\"\r\
    \n                }\r\
    \n            } else={\r\
    \n                :error \"Multiple routes found\"\r\
    \n            }\r\
    \n        }\r\
    \n    } else={\r\
    \n        /ip route remove [find comment=\$routemark]\r\
    \n    }\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.10 client-id=1:0:4:4b:88:9a:dc comment=shield \
    mac-address=00:04:4B:88:9A:DC server=defconf
add address=192.168.88.3 client-id=1:c4:ad:34:71:39:3b mac-address=\
    C4:AD:34:71:39:3B server=defconf
add address=192.168.88.2 client-id=1:74:4d:28:4d:a:71 mac-address=\
    74:4D:28:4D:0A:71 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=internet-wan1 new-connection-mark=WAN1-CONN passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=internet-wan2 new-connection-mark=WAN2-CONN passthrough=no
add action=accept chain=prerouting dst-address=192.168.88.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!local in-interface=bridge new-connection-mark=WAN1-CONN \
    passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!local in-interface=bridge new-connection-mark=WAN2-CONN \
    passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting in-interface=bridge \
    new-connection-mark=WAN2-CONN passthrough=yes src-address=192.168.88.10
add action=mark-routing chain=prerouting connection-mark=WAN1-CONN \
    in-interface=bridge new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2-CONN \
    in-interface=bridge new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1-CONN \
    new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-CONN \
    new-routing-mark=to_wan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=internet-wan1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=internet-wan2
/ip route
add comment=to_wan2 distance=1 gateway=10.96.250.141 routing-mark=to_wan2
add comment=to_wan1 distance=1 gateway=10.29.29.206 routing-mark=to_wan1
/system clock
set time-zone-name=Europe/Paris
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

Thanks in advance for your help

Membership of LAN interface list is IMHO too generous (why WAN1 and WAN2?). And why management access over physical WAN interfaces (even though via VLAN)?

Other than that I don't think anything is wrong with your setup, there will always be some connection attempts coming from WAN that are rightfully dropped. I'd get frightened if such a "drop everything else" rule didn't get hit occasionally… because that would indicate my firewall rules were flawed.
Unless you notice that some connections are dropped which shouldn't be (but if that was legitimate traffic, you or some of the legitimate users would notice that).
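
One way to check what that last input rule is actually catching, as an added example that is not from the thread (the rule comment and log prefix are chosen here):

```routeros
# Added example, not from the thread: measure what the final input drop hits
# before treating it as a problem. Comment and log prefix are chosen here.
/ip firewall filter
# 1. packet/byte counters per input rule; note the count on the final drop
print stats where chain=input
# 2. temporary, rate-limited log rule placed directly in front of that drop
add action=log chain=input comment="tmp: log non-LAN input" \
    in-interface-list=!LAN limit=2,5:packet log-prefix=in-drop \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# 3. inspect: each line shows in-interface, src/dst address, protocol, port.
#    Hits on internet-wan1/internet-wan2 from public sources are expected noise;
#    hits arriving on a LAN-side interface would point at an interface-list mistake.
/log print where message~"in-drop"
# 4. remove the temporary rule once done
/ip firewall filter remove [find comment="tmp: log non-LAN input"]
```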

Ok, thank you Mkx

I changed the name of ether1 to wan1 and ether2 to wan2 (both ports receive the 2 ISPs), they are not in the LAN. I have deleted management-wan1 and management-wan2 from the LAN interface list (it was a try for another thing).

I have 2 LHG LTE with passthrough and I need to manage them, so I have 2 VLANs on both LHGs:
one for internet (passthrough) and one for management (DHCP client on both LHG LTE on the management VLAN).

I don't know if I can make it better?
Don't hesitate to comment.
Thanks

For LTE modem management I'd make a separate VLAN and let RB do routing (and firewalling). As there likely won't be any high throughput involved with management, performance drop due to routing (as opposed to bridging used now) should be negligible. Security-wise it would be a step forward (with sane firewall filter rules in place, that is).

Thank you, but I don't understand, is it not exactly what I make?

Actually the 2 LTE are in passthrough mode and all (DHCP, firewall, routing…) is managed by the HAPAC2.

You created VLAN 2 for LTE modem management on the RB-LTE connection but then you made VLAN 2 member of same L2 domain as normal LAN:

interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=management-wan1
add bridge=bridge interface=management-wan2

The lines I highlighted.
I'd keep VLAN 2 a separate LAN (to keep the bulk of the current config this would mean an additional bridge to merge the two interfaces), configure a separate IP address and add some firewall rules to secure communications in both directions.


BTW, the way you're trying to take will bring you home, but it's not the recommended way of doing VLAN on ROS devices. The recommended way is to indeed have a single bridge but to enable vlan-filtering … which includes the LTE pass-through connections. You might want to have a look at this tutorial.
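
A concrete form of the separate-management-LAN suggestion above, as an added example that is not from the thread or the poster's config; it assumes 192.168.2.0/24 is unused and the names bridge-mgmt, MGMT and mgmt-dhcp are chosen here. It uses a second bridge rather than bridge vlan-filtering because both LTE passthrough VLANs use VID 3 on different uplinks and must stay in separate L2 domains.

```routeros
# Added example, not the thread's own config: move the two management VLANs
# out of the LAN bridge onto their own bridge, routed and firewalled by the RB.
# Assumed: 192.168.2.0/24 is free; names bridge-mgmt, MGMT, mgmt-dhcp chosen here.
/interface bridge
add name=bridge-mgmt comment="LTE modem management" protocol-mode=none
/interface bridge port
remove [find interface=management-wan1]
remove [find interface=management-wan2]
add bridge=bridge-mgmt interface=management-wan1
add bridge=bridge-mgmt interface=management-wan2
/interface list
add name=MGMT
/interface list member
remove [find interface=management-wan1]
remove [find interface=management-wan2]
add interface=bridge-mgmt list=MGMT
/ip address
add address=192.168.2.1/24 interface=bridge-mgmt network=192.168.2.0
/ip pool
add name=mgmt-dhcp ranges=192.168.2.10-192.168.2.20
/ip dhcp-server
add address-pool=mgmt-dhcp disabled=no interface=bridge-mgmt name=mgmt
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
# keep LAN<->modem traffic out of the PCC rules (they match dst-address-list=!local);
# unmarked modem->internet traffic follows the main-table default routes that the
# DHCP clients install (add-default-route is left at its default of yes above)
/ip firewall address-list
add address=192.168.2.0/24 list=local
/ip firewall filter
# input: the modems may only use DHCP and DNS on the router itself; these must
# sit in front of the defconf "drop all not coming from LAN" rule or never match
add action=accept chain=input comment="mgmt: dhcp" in-interface-list=MGMT \
    protocol=udp dst-port=67 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="mgmt: dns" in-interface-list=MGMT \
    protocol=udp dst-port=53 \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add action=drop chain=input comment="mgmt: drop other input" in-interface-list=MGMT \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# forward: LAN may open sessions to the modems and the modems may reach the
# internet (updates, mail); replies are already covered by established,related.
# New sessions from a modem towards the LAN are dropped.
add action=accept chain=forward comment="mgmt: lan->modem" \
    in-interface-list=LAN out-interface-list=MGMT
add action=accept chain=forward comment="mgmt: modem->internet" \
    in-interface-list=MGMT out-interface-list=WAN
add action=drop chain=forward comment="mgmt: drop modem->anything else" \
    in-interface-list=MGMT
```

The existing srcnat masquerade rules match on out-interface, so the modems' own internet traffic is NATed without further changes.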

Yes, I made that just so the LHG LTE has an IP given by the bridge and can go to the internet (to update automatically by script, send email etc…). Ok, I can make a bridge with VLANs inside to separate it from the LAN.

I'm going to learn about VLAN filtering in bridge.

Thank you Mkx