Load Balancing with Hotspot problem.

Hi Guys.

I have set up PCC load balancing and Hotspot on the same box.
Everything is working fine and users are load-balanced after authentication; however, they can’t seem to access the MikroTik hotspot pages such as /status and /logout.

Does anyone know how I can fix this?

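# Address list holding the hotspot LAN subnet. The PCC mangle rules in this post
# select client traffic with src-address-list=Local_NAT_Networks.
# (Menu path written as "/ip firewall", matching the reply further down the thread.)
/ip firewall address-list
add address=10.20.30.0/24 disabled=no list=Local_NAT_Networks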


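# SSH connection-rate limiter on the input chain (TCP/22 to the router itself).
# A source address climbs TEMP_BAN1 -> TEMP_BAN2 -> HACKER, one stage per NEW
# connection. The stages are listed highest-first so a single SYN is tested against
# the lists as they stood before that packet and can advance only one stage.
#
# Review notes:
#  - The staging lists expire after 10s, so only three new connections inside that
#    window reach HACKER; slower attempts are never listed.
#  - Listing happens on the first packet of a connection, before the TCP handshake
#    completes, so a forged source address could get a legitimate admin address
#    listed. Consider an accept rule for trusted management addresses ahead of these.
#  - address-list-timeout=0s is presumably a permanent entry on this RouterOS
#    version - confirm, since a false positive then needs manual removal.
/ip firewall filter
# Stage 3: third new connection while the source is still in TEMP_BAN2 -> HACKER.
# connection-state=new added: without it, any later packet of an already-open SSH
# session matched here and the ban triggered on the second connection, not the third.
add action=add-src-to-address-list address-list=HACKER address-list-timeout=0s chain=input comment="Add Third SSH Connection to HACKER" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=TEMP_BAN2
# Stage 2: second new connection while the source is still in TEMP_BAN1 -> TEMP_BAN2 for 10s.
add action=add-src-to-address-list address-list=TEMP_BAN2 address-list-timeout=10s chain=input comment="Add Second SSH Connection to TEMP_BAN2" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=TEMP_BAN1
# Stage 1: every new SSH connection puts (or refreshes) the source in TEMP_BAN1 for 10s.
add action=add-src-to-address-list address-list=TEMP_BAN1 address-list-timeout=10s chain=input comment="Add First SSH Connection to TEMP_BAN1" connection-state=new disabled=no dst-port=22 protocol=tcp
# Disabled placeholder rule in the hotspot's unused chain.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Enforcement: drop all input-chain traffic (any port or protocol) from listed sources.
# No other accept or drop rule for the input chain is visible in this listing.
add action=drop chain=input comment="Drop All HACKER" disabled=no src-address-list=HACKER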


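# PCC load balancing across PPPoE1 / PPPoE2 for authenticated hotspot clients.
# Rule order matters: the two accept rules must stay first.
# Lines that the forum had wrapped mid-rule are rejoined and typographic quotes are
# replaced with plain ASCII quotes so the listing can be pasted; rule content is unchanged.
/ip firewall mangle
# Traffic to or from the hotspot gateway address 10.20.30.1 leaves prerouting here
# and is never connection- or routing-marked.
add action=accept chain=prerouting disabled=no dst-address=10.20.30.1
add action=accept chain=prerouting disabled=no src-address=10.20.30.1
# Connections arriving at the router itself over a WAN link are tagged with that link...
add action=mark-connection chain=input comment="Mark Packet FROM PPPoE1 as WAN1" connection-state=new disabled=no in-interface=PPPoE1 new-connection-mark=WAN1_connection passthrough=yes
add action=mark-connection chain=input comment="Mark Packet FROM PPPoE2 as WAN2" connection-state=new disabled=no in-interface=PPPoE2 new-connection-mark=WAN2_connection passthrough=yes
# ...so the router's replies (output chain) are routed back out of the same link.
add action=mark-routing chain=output comment="Send all Packets marked WAN1 to WAN1" connection-mark=WAN1_connection disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="Send all Packets marked WAN2 to WAN2" connection-mark=WAN2_connection disabled=no new-routing-mark=to_WAN2 passthrough=yes
# PCC split for NEW connections: source in Local_NAT_Networks, hotspot=auth
# (authenticated client), destination not an address of the router. The
# both-addresses classifier sends remainder 0 to WAN1 and remainder 1 to WAN2.
add action=mark-connection chain=prerouting comment="Marking for NEW connection Type, Authenticated & Not Local & PCC 2/0" connection-state=new disabled=no dst-address-type=!local hotspot=auth new-connection-mark=WAN1_connection passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting comment="Marking for NEW connection Type, Authenticated & Not Local & PCC 2/1" connection-state=new disabled=no dst-address-type=!local hotspot=auth new-connection-mark=WAN2_connection passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=Local_NAT_Networks
# Same matchers repeated for ESTABLISHED and RELATED packets.
# NOTE(review): a connection mark is kept on the connection-tracking entry, so these
# four rules look redundant with the NEW rules above - confirm before removing.
add action=mark-connection chain=prerouting comment="Marking for ESTABLISHED connection Type. Mark 1" connection-state=established disabled=no dst-address-type=!local hotspot=auth new-connection-mark=WAN1_connection passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting comment="Marking for ESTABLISHED connection Type. Mark 2" connection-state=established disabled=no dst-address-type=!local hotspot=auth new-connection-mark=WAN2_connection passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting comment="Marking for RELATED connection Type. Mark 1" connection-state=related disabled=no dst-address-type=!local hotspot=auth new-connection-mark=WAN1_connection passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting comment="Marking for RELATED connection Type. Mark 2" connection-state=related disabled=no dst-address-type=!local hotspot=auth new-connection-mark=WAN2_connection passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=Local_NAT_Networks
# Translate the connection mark into a routing mark for packets coming from the LAN list.
# These two rules have no hotspot= or dst-address-type= matcher, unlike the marking rules above.
add action=mark-routing chain=prerouting connection-mark=WAN1_connection disabled=no new-routing-mark=to_WAN1 passthrough=yes src-address-list=Local_NAT_Networks
add action=mark-routing chain=prerouting connection-mark=WAN2_connection disabled=no new-routing-mark=to_WAN2 passthrough=yes src-address-list=Local_NAT_Networks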


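# NAT rules: one pre-hotspot exception plus source NAT for the two WAN links and LAN subnets.
# Typographic quotes replaced with ASCII quotes so the listing can be pasted.
/ip firewall nat
# Accepts, in the pre-hotspot chain, every packet addressed to one of the router's own addresses.
# NOTE(review): pre-hotspot is consulted ahead of the hotspot's own NAT handling, so this
# accept may also bypass the hotspot's handling of client requests to its own pages.
# Worth checking against the /status and /logout symptom described in the post.
add action=accept chain=pre-hotspot disabled=no dst-address-type=local
# Masquerade everything leaving through either PPPoE link.
add action=masquerade chain=srcnat disabled=no out-interface=PPPoE1
add action=masquerade chain=srcnat disabled=no out-interface=PPPoE2
# These two match on source subnet only (no out-interface), so they apply whichever
# interface the packet leaves by, including traffic between local subnets.
# NOTE(review): they look redundant with the two out-interface rules for WAN-bound
# traffic, and 172.20.11.0/24 appears nowhere else in the post - confirm they are needed.
add action=masquerade chain=srcnat disabled=no src-address=172.20.11.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=10.20.30.0/24
# Disabled placeholder rule in the hotspot's unused chain.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes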

Try this…

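# Suggested PCC mangle set from the reply. Interface names (Wan1, Wan2, Lan) and the
# 192.168.2.0/24 / 192.168.3.0/24 subnets belong to the replier's setup and must be
# adapted (the original post uses PPPoE1 / PPPoE2 and 10.20.30.0/24).
# Typographic quotes replaced with ASCII quotes so the listing can be pasted.
/ip firewall mangle
# Tag connections that reach the router itself by the WAN interface they arrived on.
add action=mark-connection chain=input comment="INPUTS ROUTER1" disabled=no in-interface=Wan1 new-connection-mark=router1_conn passthrough=yes
add action=mark-connection chain=input comment="INPUTS ROUTER2" disabled=no in-interface=Wan2 new-connection-mark=router2_conn passthrough=yes

# Route the router's own replies back out of the link the connection came in on.
add action=mark-routing chain=output comment="router1 to router1" connection-mark=router1_conn disabled=no new-routing-mark=to_router1 passthrough=yes
add action=mark-routing chain=output comment="router2 to router2" connection-mark=router2_conn disabled=no new-routing-mark=to_router2 passthrough=yes

# LAN traffic addressed to either upstream subnet is accepted here, so it skips
# the PCC marking below. Must stay ahead of the mark-connection rules.
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24 in-interface=Lan
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.3.0/24 in-interface=Lan

# PCC split of authenticated hotspot clients' traffic (hotspot=auth) whose destination
# is not the router: classifier remainder 0 -> router1_conn, remainder 1 -> router2_conn.
# Unlike the original post's rules there is no connection-state matcher, so these
# match every packet of a connection, not only the first.
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local hotspot=auth in-interface=Lan new-connection-mark=router1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local hotspot=auth in-interface=Lan new-connection-mark=router2_conn passthrough=yes per-connection-classifier=both-addresses:2/1

# Convert the connection mark into the routing mark used by the /ip route entries.
add action=mark-routing chain=prerouting comment="" connection-mark=router1_conn disabled=no in-interface=Lan new-routing-mark=to_router1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=router2_conn disabled=no in-interface=Lan new-routing-mark=to_router2 passthrough=yes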




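# Routes for the reply's PCC setup. Gateway addresses are the replier's upstream
# routers and must be adapted to the local WAN links.
# Typographic quotes replaced with ASCII quotes so the listing can be pasted.
/ip route
# Unmarked default routes: 192.168.2.1 is preferred (distance 1) and 192.168.3.1 is the
# backup (distance 2). check-gateway=ping takes a route out of service when its
# gateway stops answering pings.
add check-gateway=ping comment="PCC ROUTER1 default" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=30 target-scope=10
add check-gateway=ping comment="PCC ROUTER2 default" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=30 target-scope=10

# One default route per routing mark; the mangle rules set to_router1 / to_router2.
add check-gateway=ping comment="PCC ROUTER1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_router1 scope=30 target-scope=10
add check-gateway=ping comment="PCC ROUTER2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_router2 scope=30 target-scope=10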