Multiple Gateways, PPPoE and Web-Proxy One Question

Hello,

I have used the following sites

http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways
http://wiki.mikrotik.com/wiki/Pppoe_server_with_profiles

for multiple gateways and the PPPoE server, and they work fine.

http://wiki.mikrotik.com/wiki/How_to_make_transparent_web_proxy

But when I use the transparent web proxy the traffic can't find a route. Where is my mistake?

My Routes:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-mark=GroupB scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=GroupA scope=30 target-scope=10

My Firewall - NAT

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no src-address=192.168.88.0/24
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp to-ports=8080

My Firewall - Mangle

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=GroupB passthrough=yes src-address=192.168.88.22
add action=mark-connection chain=prerouting disabled=no new-connection-mark=connection_tcp passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=connection_tcp disabled=no new-packet-mark=conn_tcp passthrough=no

The last two rules I use for the queues.

I hope you can help me.

When you use the proxy the router originates the traffic. Your mangle rules don’t mark that traffic (traffic originated by the router doesn’t go through pre-routing), so there’s no route to take.

Just duplicate exactly the routes you have, move them under the existing ones, and remove the routing-mark property.

This works, but the traffic goes over the first route…
I want to separate the traffic over the 2 WAN ports, and this must work with the web proxy too.
Or is there no way?

Then duplicate your mangle rules that mark routing in the output chain so that traffic originated by the router has routing marks applied to it.

Hello fewi,

can you post an example?

I have tested it with this, but it doesn't work:

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=GroupA passthrough=yes src-address=192.168.88.22
add action=mark-routing chain=output disabled=no new-routing-mark=GroupA passthrough=yes src-address=192.168.88.22
add action=mark-connection chain=prerouting disabled=no new-connection-mark=connection_tcp passthrough=yes protocol=tcp
add action=mark-connection chain=output disabled=no new-connection-mark=connection_tcp passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=connection_tcp disabled=no new-packet-mark=conn_tcp passthrough=no
add action=mark-packet chain=output connection-mark=connection_tcp disabled=no new-packet-mark=conn_tcp passthrough=no

Does anyone have an idea? I have tested it with the rules you can see in my last post, but it doesn't work.

Those mangle rules don’t seem to make much sense. There’s no marking for ‘GroupB’, for example. And ‘GroupA’ only gets marked for traffic to 192.168.88.22 as a single IP. Is that your entire ruleset?

What are you actually trying to do - don’t post config at this point, post the overall business goal. Maybe add a network diagram.

The attached file shows my network diagram.
I have many clients for GroupA and GroupB.
The allocation of IP addresses to the individual groups can later be changed based on the traffic of one or the other.
On the MikroTik router the 2 WANs come together, and the traffic must pass through the web proxy (but for every client via the appropriate group / WAN interface).
Your idea with the 2 routes without any routing marks works fine, but over one WAN for all clients. This I cannot use.
I hope you can help me.
aufbau.png

That’s impossible. The connection from the web proxy to the Internet is separate from the original connection, and it’s impossible to determine whether a connection from the proxy to the Internet is because of a request from group A or group B.

hmmm
So I need another router in front of the device which then takes over the web proxy?

How would that device know whether or not something came from group A or group B?

You simply can’t use a RouterOS proxy and send group A traffic via WAN link 1 and group B traffic via WAN link 2 because the proxied traffic no longer comes from either group, it comes from the router running the proxy. You can spread traffic randomly across both circuits, but not use the group to make a decision.

The only possible approach would be to have two additional routers, each running a proxy - one for group A, and one for group B.
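Putting fewi's two workable points together (unmarked fallback routes so proxy traffic has a path, and a random rather than per-group spread of that traffic across both circuits), here is an added RouterOS configuration example. It is not from the original thread, from fewi, or from the MikroTik wiki pages linked above. The interface names ether1-wanA, ether2-wanB and ether3-lan, the address-list members, and the connection-mark names proxy_wanA / proxy_wanB are assumptions; the gateways and the routing marks GroupA / GroupB are the ones from the original post. The dstnat redirect is restricted to the LAN interface on purpose: the rule as posted matches TCP/80 arriving on any interface, so port-80 connections reaching the router from the WAN side would also be handed to the proxy.

```routeros
# Added example, not part of the thread. Interface names and address-list
# members are assumed; gateways and routing marks come from the original post.

/ip firewall address-list
add list=GroupA address=192.168.88.10
add list=GroupA address=192.168.88.11
add list=GroupB address=192.168.88.22

/ip route
# per-group routes as in the original post, with a cross-over fallback
# (distance=2) so a group keeps working if its own WAN goes down
add dst-address=0.0.0.0/0 gateway=192.168.0.1   routing-mark=GroupA check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-mark=GroupA check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=192.168.178.1 routing-mark=GroupB check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=192.168.0.1   routing-mark=GroupB check-gateway=ping distance=2
# unmarked fallback routes: anything without a routing mark, including
# traffic the router itself originates (the web proxy), lands here
add dst-address=0.0.0.0/0 gateway=192.168.0.1   check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=192.168.178.1 check-gateway=ping distance=2

/ip firewall mangle
# LAN clients: forwarded traffic is marked by source group in prerouting
add chain=prerouting in-interface=ether3-lan src-address-list=GroupA \
    action=mark-routing new-routing-mark=GroupA passthrough=yes
add chain=prerouting in-interface=ether3-lan src-address-list=GroupB \
    action=mark-routing new-routing-mark=GroupB passthrough=yes
# Router-originated (proxy) connections never pass prerouting and cannot be
# tied to a group, so split them across the two WANs with PCC. The connection
# is classified once (connection-state=new) and every later packet of it
# inherits the routing mark, so a connection never changes WAN mid-stream.
add chain=output connection-state=new per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=proxy_wanA passthrough=yes
add chain=output connection-state=new per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=proxy_wanB passthrough=yes
add chain=output connection-mark=proxy_wanA \
    action=mark-routing new-routing-mark=GroupA passthrough=yes
add chain=output connection-mark=proxy_wanB \
    action=mark-routing new-routing-mark=GroupB passthrough=yes

/ip firewall nat
# masquerade per WAN so rerouted proxy connections get the right source address
add chain=srcnat out-interface=ether1-wanA action=masquerade
add chain=srcnat out-interface=ether2-wanB action=masquerade
# transparent proxy: only redirect web traffic that enters from the LAN
add chain=dstnat in-interface=ether3-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080
```

This keeps the per-group split for everything that bypasses the proxy (non-HTTP traffic) and still gives the proxy's own connections a route on both WANs; what it cannot do, as fewi says, is pick the WAN for a proxied request from the group of the client that asked for it. If the proxy should always use one WAN instead of both, drop the four output-chain rules and the fallback route with distance=1 decides.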

Okay, I will test it…

One question about this network diagram…

If the web proxy were left out, the total traffic of about 64 Mbps would go over one RB 450G with connection tracking; is this possible?
Or why would I even need two separate RB 450G?