Hi
I have a multihomed (multiple gateway) configuration problem.
On my 750G box I am connected to 3 ISPs: ISP A, B and C. This is the IP information.
Ether1 → Connected To ISP A, IP: 1.1.1.1/30, GW: 1.1.1.2
Ether2 → Connected To ISP B, IP: 2.2.2.1/30, GW: 2.2.2.2
Ether3 → Connected To ISP C, IP: 3.3.3.1/30, GW: 3.3.3.2
My router is not connected to any client network so I do not need any NAT or PAT or masquerade. I am using this router for a site2site VPN configuration and …
I used the output and input mangle chains to mark connections based on source address (packets leaving the router) and incoming interface (packets coming from the internet through each ISP network). Then I use the prerouting chain to mark-route those connection marks. After that I add static routes with routing marks and the right gateway. I think that's all and it must work. BUT it does NOT!!!
I tried to ping 1.1.1.1, 2.2.2.1, 3.3.3.1 with http://lg.level3.net/ping/ping.cgi but I get a timeout. On my 7580G, pings with a source address specified time out too, but when I specify the interface (even without src-address) they work fine.
When I have all my gateways in /ip route using routing-marks, pings from outside time out, but when I use one of the gateways for 0.0.0.0/0 without a routing-mark and the others have routing marks, the problem is solved: packets come to and leave the router via the correct L3 path.
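For readers following the thread, here is a complete rule set for the situation described in the post (three /30 uplinks, no NAT, all traffic originated by the router itself). It is an added illustration, not the original poster's configuration: the interface names, addresses and gateways are the ones given above, while the rule layout, the mark names and the ping target are assumptions. It marks the route in the output chain by source address rather than relying on connection marks, because router-originated packets and the router's own replies never pass through prerouting.

```routeros
# Added example (not from the original post): policy routing for a router that
# owns one /30 on each of three ISP uplinks and originates the traffic itself
# (tunnels, pings, management sessions), so no NAT is involved.
# Interface names, addresses and gateways come from the thread; the rule layout,
# the mark names (to-isp-a/b/c) and the ping target are assumptions.

/ip firewall mangle
# Router-originated packets, and the replies the router sends to sessions that
# arrived on an uplink, traverse the OUTPUT chain, not PREROUTING. Marking the
# route there by source address needs no connection-tracking entry, so ICMP
# echo replies are covered as well as TCP sessions.
add chain=output src-address=1.1.1.1 action=mark-routing new-routing-mark=to-isp-a passthrough=no comment="originate/reply via ISP A"
add chain=output src-address=2.2.2.1 action=mark-routing new-routing-mark=to-isp-b passthrough=no comment="originate/reply via ISP B"
add chain=output src-address=3.3.3.1 action=mark-routing new-routing-mark=to-isp-c passthrough=no comment="originate/reply via ISP C"

/ip route
# One default route per marked table; check-gateway withdraws a dead uplink's route.
add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to-isp-a check-gateway=ping comment="ISP A table"
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=to-isp-b check-gateway=ping comment="ISP B table"
add dst-address=0.0.0.0/0 gateway=3.3.3.2 routing-mark=to-isp-c check-gateway=ping comment="ISP C table"
# Unmarked defaults in the main table, ordered by distance: anything the mangle
# rules did not catch (a packet with an unexpected source address, for example)
# still has a next hop instead of being dropped.
add dst-address=0.0.0.0/0 gateway=1.1.1.2 distance=1 comment="fallback via ISP A"
add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=2 comment="fallback via ISP B"
add dst-address=0.0.0.0/0 gateway=3.3.3.2 distance=3 comment="fallback via ISP C"

# Check from the router itself: each ping should leave through its own uplink.
# 8.8.8.8 is an arbitrary public target, chosen for this example.
/ping 8.8.8.8 src-address=1.1.1.1 count=3
/ping 8.8.8.8 src-address=2.2.2.1 count=3
/ping 8.8.8.8 src-address=3.3.3.1 count=3
```

If the box later forwards traffic for hosts behind it, that traffic goes through prerouting instead, and the connection-mark plus mark-routing approach from the post is the place to handle it; the output-chain rules above only cover packets the router itself sends.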
If you're using 3 ISPs and you're not using NAT, then you should be using a BGP routing setup to advertise all the addresses between the ISPs. If you're using NAT there are examples in the wiki like the following:
I do not have an ASN to use BGP and advertise my prefix(es). I have just 1 IP address from each ISP (+1 for the DGW). Also you are right, I do not use NAT and I am using it mostly for tunneling.
Ether1 → Connected To ISP A, IP: 1.1.1.1/30, GW: 1.1.1.2
Ether2 → Connected To ISP B, IP: 2.2.2.1/30, GW: 2.2.2.2
Ether3 → Connected To ISP C, IP: 3.3.3.1/30, GW: 3.3.3.2
Hi …
Do you have any problem using NAT? Why don't you try using it and see if it solves your problem, unless you have other reason(s) for not wanting to use NAT. I have used 4 interfaces with 4 different destinations and it works well with mangle, though with all the interfaces NATed to their respective IPs.
You marked using 'connection marking', and some protocols (including ICMP) do not create connections.
You should try adding some mangle rules to mark packets also.
Try to study the PCC wiki page and the forum. The mangle rules are a bit tricky: you need to catch all traffic, or you risk some of your traffic going unmarked.
I use log rules to troubleshoot this kind of issue.
Very helpful cata02. Karma 2 u. I always use logs, but I do not know how on MikroTik; I am a little shy with logs.
I just spent a few hours getting my setup working with 3 gateways out of the router. I do use NAT, but it shouldn't make a difference.
To debug this, you must create some log entries in the mangle table to see where your packets are going. It's not hard. Just duplicate the mangle record and change the action to "log". Then look at the entries in the log file to see if you are catching the packets you expected to catch.
Another debugging tool I use is watching the packet counters on the mangle rules. From outside your network, telnet into your network to each of the gateway addresses and watch the counters. Also try to telnet out and watch the counters. If the counters don't seem to match what you expected, add log entries. If the log entries don't trigger, make the log entry more general (i.e. remove the qualifiers like interface or address) until the log entry does trigger. Then look at the log file to see why the packet didn't trigger your original log entry and your mangle entry.
As a previous poster mentioned, you should use a TCP-based application like telnet or http for debugging. Debugging mangle rules with ping gives inconsistent results because ICMP doesn't always create a connection for connection-marks to work with.
As I said, I spent several hours last night getting mine to work.
Without log entries for debugging, it’s like trying to hunt the wumpus in a dark cave.
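The debugging method from the last two posts (log-only twins of the marking rules, then watching counters and the log) written out for the three-ISP box in this thread. This is an added illustration, not configuration from any of the posters: the interfaces and addresses are the ones given at the top of the thread, and the log prefixes, the rule ordering via place-before and the assumption that the marking rules already exist are mine.

```routeros
# Added example (not from the original posts): log-only twins of the marking
# rules, inserted ahead of the real ones so they see every packet, plus the
# commands to watch counters and the log. Interfaces and addresses follow the
# thread; the log prefixes are arbitrary, and the marking rules being debugged
# are assumed to be present already.

/ip firewall mangle
# Sessions arriving from the internet, identified by the uplink they came in on
add chain=input in-interface=ether1 connection-state=new action=log log-prefix="in-via-A" place-before=0
add chain=input in-interface=ether2 connection-state=new action=log log-prefix="in-via-B" place-before=0
add chain=input in-interface=ether3 connection-state=new action=log log-prefix="in-via-C" place-before=0
# The router's own packets (including its replies), identified by source address
add chain=output src-address=1.1.1.1 action=log log-prefix="out-src-A" place-before=0
add chain=output src-address=2.2.2.1 action=log log-prefix="out-src-B" place-before=0
add chain=output src-address=3.3.3.1 action=log log-prefix="out-src-C" place-before=0
# Catch-all with no qualifiers: if this fires for a test session but the specific
# rule does not, the qualifier (interface or address) is what is wrong. Remove
# it again once the specific rules are confirmed, it logs every outgoing packet.
add chain=output action=log log-prefix="out-any" place-before=0

# Zero the counters, then from outside the network open a TCP session (telnet
# or http) to each of 1.1.1.1, 2.2.2.1 and 3.3.3.1 and compare what incremented
# against the log lines.
/ip firewall mangle reset-counters-all
/ip firewall mangle print stats
/log print follow where message~"in-via|out-src|out-any"
```

Each log line carries the prefix, the chain, the in/out interface and the addresses of the packet, so a session to 2.2.2.1 that shows up as in-via-B but whose reply is logged as out-any only, without a matching out-src-B line, points straight at the output-chain matcher rather than at the route.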