I’ve been using a PC Engines WRAP board with multiple ethernet interfaces running Debian GNU/Linux to make a WAN load balancer for my DSL and Cable Internet connections, and it’s worked successfully for some time. I’ve been playing around with MikroTik OS on RouterBoard 500 and 153 for a few months for AP and HotSpot use, and it seemed to me that I could also use it as a WAN load balancer to replace my WRAP board. The long and short of it is I set up multiple WAN gateways as is described in the Wiki here: http://wiki.mikrotik.com/wiki/Load_Balancing and everything works great outbound. However, I then try and turn on some simple dst-nat like this:
So my first question is has anyone successfully used MikroTik OS 2.9.31 for both src and dst nat with multiple gateways?
I’ve also tried unsuccessfully removing from my dst-nat rules things such as “in-interface”, I also tried using an action of redirect rather than dst-nat so I wouldn’t just need to specify the “to-address”.
So in short I have no problem with outbound, but connections inbound using the dst-nat configuration don’t appear to be working for me.
According to your Debian iptables rules, you have mixed up dst-address with to-address.
Dst-address should be the remote address of the router, ‘to-address’ has to be local address (where packets should be delivered).
I ran into another little snag that I’m trying to determine how to resolve in MikroTik OS.
In a Debian/GNU Linux system using iproute package I do the following:
# Internal (LAN) interface
ip link set $IFI up
ip addr flush dev $IFI
ip addr add $IPI/$NMI dev $IFI
# Move the main table to priority 50 and strip its default route: it then
# holds only directly-connected routes, and lookups for everything else fall
# through to the per-WAN tables below.
ip rule del table main
ip rule add prio 50 table main
ip route del default table main
# External interface 1
ip link set $IFE1 up
ip addr flush dev $IFE1
ip addr add $IPE1/$NME1 brd $BRD1 dev $IFE1
# can be used for DNAT (iptables nat won't arp)
ip addr add $IPE11 dev $IFE1
# External interface 2
ip link set $IFE2 up
ip addr flush dev $IFE2
ip addr add $IPE2/$NME2 brd $BRD2 dev $IFE2
# Source-based policy routing: anything sourced from WAN1's subnet (including
# the router's own replies to connections that arrived on WAN1) uses table 201
# and leaves via GWE1. The 'prohibit' route with a worse metric makes the lookup
# fail closed if the GWE1 default disappears, instead of falling through to
# table 222 and leaving via the other provider.
ip rule del from $NWE1/$NME1 table 201
ip rule add prio 201 from $NWE1/$NME1 table 201
ip route add default via $GWE1 dev $IFE1 src $IPE1 proto static table 201
ip route append prohibit default table 201 metric 1 proto static
# Same for WAN2 in table 202
ip rule del from $NWE2/$NME2 table 202
ip rule add prio 202 from $NWE2/$NME2 table 202
ip route add default via $GWE2 dev $IFE2 src $IPE2 proto static table 202
ip route append prohibit default table 202 metric 1 proto static
# Catch-all table 222: equal-cost multipath default for everything else
# (forwarded LAN traffic and new router-originated traffic), spread over both gateways
ip rule del table 222
ip rule add prio 222 table 222
ip route add default table 222 proto static \
    nexthop via $GWE1 dev $IFE1 \
    nexthop via $GWE2 dev $IFE2
This allows me to have a default gateway, and traffic is roughly distributed across both connections. The general problem that I’m experiencing with the WAN load balancing solution on the Wiki (http://wiki.mikrotik.com/wiki/Load_Balancing) is that it has three (3) default routes. The last default route is for the router itself, which will only forward packets using one Internet connection rather than both connections for traffic originated from the router.
So the challenge that I’m having is that with my Debian GNU/Linux solution all traffic, whether it’s originated from the router or routing through the router, has its traffic spread across multiple links. How can I accomplish the same thing with MikroTik OS?
Oh I thought I’d add that I did try adding the third default route (for the MikroTik router itself) using ECMP, something like:
set <third default route> gateway=[wan gateway 1],[wan gateway 2]
However, this type of solution may get the traffic out of the router but doesn’t appear to work with dst-nat. In my RDP (3389) example using dst-nat, it appears that dst-nat will only work on the interface associated with the third default route. If I change the third default route to equal cost out both gateways, I can then balance outbound traffic originated from the router, but then my dst-nat breaks and things get a little unpredictable, e.g. I can only ssh into one of my WAN gateways but not the other.
I’m still trying to figure out how to solve this problem. In short I need the router itself to keep track of when traffic is destined to it and ensure that traffic destined to it routes back out via the same gateway rather than using just a simple default route to a particular gateway.
It seems to me the approach that I used with Debian GNU/Linux was keeping state of everything and hashing out the routing table. Whereas on ROS using the Wiki solution I’m looking for new sessions that are alternately marking routes so traffic forwarded through the router takes paths through both WAN gateways. As I mentioned earlier, this works great for outbound traffic, but if you want to use dst-nat, traffic terminating on the router only works on one connection. The reason is that all traffic originating from the router only uses one gateway. ISPs often implement reverse path forwarding checks. So if the packet is received on one gateway but replied to from another, that is seen as forged traffic. I understand that asymmetrical routing on the Internet is quite common, but that is in the core, not on cable and DSL connections at the edge/aggregation layer.
So in short I’m trying to determine how to keep state in ROS of inbound connections to the router itself.
I also tried changing the chain to “input”, but that didn’t work either. At any rate, does anyone have an idea on how to keep state so that inbound traffic to the router itself has its state kept so that traffic will go back out that interface?
Was a solution ever found for this? We are having the same issue.
Multiple connections, outbound load balancing is clear enough. However, connection inbound (even simple pings) will not work as they come in one connection and then are sent back out via a different connection and appear forged.
Mark connections in the input chain, so you know where the connection originated from.
Then in output, mark the packets of these connections with a routing-mark so they leave through the gateway you need.
In IP routes add 3 gateways:
1st gateway takes packets with the routing-mark that originated from that interface
2nd does the same with the other routing-mark
3rd is the default gateway
The simplest way to test is to make this configuration for ICMP.
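The recipe in the reply above, written out as a RouterOS configuration. This is an added example, not a configuration posted by anyone in this thread or taken from the MikroTik Wiki. Interface names (ether1 = WAN1, ether2 = WAN2, ether3 = LAN), gateway addresses (203.0.113.1, 198.51.100.1) and the mark names are assumed placeholders. It departs from the reply in one respect and goes one step further: connections are marked in the mangle prerouting chain rather than input, because prerouting sees every packet that arrives on a WAN interface, so the same marks also cover dst-nat’ed connections that are forwarded to a LAN host (the RDP case from the opening post) instead of terminating on the router.

```routeros
# Added example: reply traffic leaves via the gateway the request arrived on,
# so the ISP's reverse-path check never sees a packet from the "wrong" link.
# Placeholders: ether1/ether2 = WAN interfaces, ether3 = LAN, gateway IPs are documentation addresses.

/ip firewall mangle
# 1. Remember which WAN a new inbound connection arrived on. Prerouting is used
#    (instead of input) so both router-terminated and forwarded/dst-nat'ed
#    connections get the mark. passthrough=yes lets later rules still see it.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=wan1-conn passthrough=yes \
    comment="inbound via WAN1"
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=wan2-conn passthrough=yes \
    comment="inbound via WAN2"

# 2a. Replies generated by the router itself (output chain, e.g. ssh/ping to the
#     router): pick the route by connection mark.
add chain=output connection-mark=wan1-conn \
    action=mark-routing new-routing-mark=to-wan1 passthrough=no
add chain=output connection-mark=wan2-conn \
    action=mark-routing new-routing-mark=to-wan2 passthrough=no

# 2b. Replies from a dst-nat'ed LAN host re-enter on ether3 and are forwarded;
#     route them the same way. Only packets of already-marked connections match.
add chain=prerouting in-interface=ether3 connection-mark=wan1-conn \
    action=mark-routing new-routing-mark=to-wan1 passthrough=no
add chain=prerouting in-interface=ether3 connection-mark=wan2-conn \
    action=mark-routing new-routing-mark=to-wan2 passthrough=no

# 3. Three default routes: one per routing mark, plus the plain default that
#    new router-originated traffic and unmarked forwarded traffic fall back to.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to-wan1 \
    comment="replies to connections that came in on WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-wan2 \
    comment="replies to connections that came in on WAN2"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 \
    comment="default for everything unmarked"
```

To test it the way the reply suggests, restrict the two mark-connection rules to protocol=icmp first and ping each WAN address from outside: both should answer once the routing marks are in place, and removing either mark-routing rule should make that WAN go silent again. The load-balancing marks from the Wiki recipe for LAN-originated outbound traffic sit alongside these rules unchanged; the rules above only act on connections that entered from a WAN, which those recipes never mark.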