On the RB3011 I connected two identical LTE routers, one to port eth1 and the other to port eth10, and assigned a static IP to both.
Inserting these rules that I copied from a previous configuration, the balancing works, but if I disconnect one of the two WANs and try to browse I see the main page of the LTE router
and the VPN gets stuck.
The balancing works quite well, but I noticed that traceroute, ping and updates on the RB3011 no longer work and the VPN does not connect. I read many posts but I do not understand what to add in the firewall.
I added in /ip route:
add distance=1 gateway=192.168.8.1
VPN works and pinging from the Tik works, but internet browsing becomes very slow.
Use of routing marks is incompatible with use of fasttracking. If you disable the action=fasttrack-connection rule in chain forward of /ip firewall filter, newly established connections will be handled with normal speed.
Depending on your uplink bandwidth, the CPU power may be sufficient to fully use it even with fasttracking disabled; if it is not, you may want to use fasttracking selectively.
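As an added example (not sindy's or the OP's configuration), this is what the two options above look like in RouterOS v6 syntax. Interface, mark and list names are assumptions. The point is that a fasttracked packet skips the mangle table, so the per-packet mark-routing rule of a PCC setup never fires for it; fasttracking is therefore only safe for connections the balancing rules did not mark.

```routeros
# Added example, not from the thread. Assumes the usual PCC layout: LAN bridge
# "bridge", balanced connections carry connection-mark WAN1_conn / WAN2_conn
# (set in mangle prerouting, which runs before filter forward). Names are assumptions.

/ip firewall filter

# Option A: disable the default fasttrack rule entirely. Only connections
# established after this change are affected; already-fasttracked ones keep
# bypassing mangle until they time out.
set [ find chain=forward action=fasttrack-connection ] disabled=yes

# Option B: fasttrack selectively. Only connections with no connection mark,
# i.e. ones the PCC rules did not claim (LAN-to-LAN, traffic excluded from
# balancing), take the fast path. Marked connections stay on the normal path so
# their routing mark is applied to every packet. Placed at the top of the filter
# list so it is evaluated before the generic "accept established,related" rule.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark comment="selective fasttrack: unmarked connections only" \
    place-before=0

# Check: in /ip firewall connection print, fasttracked connections carry the F flag.
# After the change, connections marked WAN1_conn / WAN2_conn must not show it.
/ip firewall connection print where connection-mark=WAN1_conn
```

Option B also keeps the `accept established,related` rule doing its job, because a marked connection that is not fasttracked still matches it. If you use option A, the `set` above leaves the rule in place but disabled, which is easier to revert than deleting it.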
Hi, Sindy,
I changed the firewall rules and routes again because I wanted to have a failover with the recursive method, and I disabled fasttrack as you suggested. Now they work: ping directly from the Tik, VPN and failover.
Balancing does not work; internet browsing only takes place on gateway 192.168.8.1.
Here are the firewall files and the routes; where am I wrong? firewall.txt.rsc (5.14 KB) iproute.txt.rsc (1011 Bytes)
I'm noticing, however, that while browsing I lose the IP on the pages. For example, if I log into the MikroTik forum I lose the login.
How could this be solved?
In your specific case where you use per-connection-classifier to assign the connection-mark, you can set the values-to-hash to dst-address-and-port, so all connections to the same remote server will match the same rule no matter which port will be chosen on the client side.
If other strategies of load balancing are used, you can “statically” override the generic balancing rules for sites which are known to check client’s IP address:
/ip firewall mangle add … dst-address-list=use-WAN1 action=mark-connection new-connection-mark=WAN1_conn (placed before the other action=mark-connection rules).
And, lastly, instead of placing the remote servers to address lists statically, you can populate these lists automatically - whenever you send a packet to a given remote IP via a given WAN, you add that IP to the address list for that WAN with some expiration time, so any new connection to the same address will be established via the same WAN. Only connections to remote IPs which are not on any address list yet will be distributed “freely”.
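As an added example (not sindy's rules and not the OP's posted configuration), here is a complete PCC layout that combines the first two suggestions: hashing on dst-address-and-port so a client's parallel connections to one server stay on one WAN, plus a static `use-WAN1` override for sites known to check the client IP. The second LTE gateway (192.168.9.1), the interface, mark and list names and the address in the list are assumptions; RouterOS v6 syntax (in v7 the routing tables must be created under /routing table first).

```routeros
# Added example, not the thread's config. Assumptions: LAN bridge "bridge", WAN
# interfaces ether1 (gateway 192.168.8.1, from the thread) and ether10 (gateway
# 192.168.9.1, assumed), marks WAN1_conn/WAN2_conn and to_WAN1/to_WAN2.

/ip firewall address-list
# Servers that tie a session to the client IP: always leave via WAN1.
# 198.51.100.10 is a documentation address standing in for, e.g., a bank site.
add list=use-WAN1 address=198.51.100.10 comment="example: site that checks client IP"

/ip firewall mangle
# Connections that arrive from the internet: remember the WAN they came in on,
# and route the router's own replies back out through it.
add chain=input in-interface=ether1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=ether10 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

# Static override. Must precede the PCC rules; connection-mark=no-mark makes sure
# only the first packet of a new connection is considered.
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-list=use-WAN1 \
    action=mark-connection new-connection-mark=WAN1_conn

# PCC for the remaining new LAN connections. values-to-hash=dst-address-and-port
# leaves the client's ephemeral source port out of the hash, so every connection
# to the same server:port picks the same WAN. The usual both-addresses-and-ports
# would spread a browser's parallel connections over both uplinks, which is what
# makes a site see two different source IPs and drop the login.
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=dst-address-and-port:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=dst-address-and-port:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn

# Per-packet routing mark for every packet of a marked connection. This is the
# rule a fasttracked packet would skip, which is why fasttrack must be off here.
add chain=prerouting in-interface=bridge connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=bridge connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether10 action=masquerade

/ip route
# Per-mark routes plus a plain failover pair for unmarked traffic.
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.9.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.8.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.9.1 distance=2 check-gateway=ping
```

Two caveats worth checking in your own setup. First, dst-address-and-port still hashes the port, so a site reached on both 80 and 443 (or one that answers from several IPs behind a CDN) can still land on different WANs; the static `use-WAN1` list is the fix for those. Second, when a WAN fails, its `routing-mark` route becomes inactive and lookups in that table fall back to the main table, so connections pinned to the dead WAN by the override do fail over, but only new ones.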
Interesting .
I figured out how to make a static address list.
Can you explain how to make a dynamic list with an expiry time for the accumulated addresses?
sindy, thanks again,
everything works properly; in practice the traffic is sorted partly onto one gateway and partly onto the other, keeping the routes for an hour.
The only thing I lost with the latest changes is the multiple connections and the sum of the total bandwidth, but I think it's inevitable.
I'll be adding a copy of my configuration shortly to help those who find it as difficult as I do.
If you mean that speedtest always uses a single uplink for all test sessions, then yes, this is inevitable, unless you’d turn the approach upside down and instead of manually configuring remote IPs which require use of the same WAN, you’d manually configure IPs which don’t.
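The dynamic-list approach sindy describes earlier (add the remote IP to a per-WAN list with an expiry whenever a packet to it leaves via that WAN, and let only unlisted IPs be balanced freely), together with the "upside down" exception list from the post above, as an added example that is not part of the thread and not the OP's posted backup. Names, the 1h timeout and the placeholder speedtest range are assumptions; RouterOS v6 syntax.

```routeros
# Added example, not the thread's config. Assumed names: LAN bridge "bridge",
# marks WAN1_conn/WAN2_conn and to_WAN1/to_WAN2; the input/output/NAT/route parts
# of a PCC setup are unchanged and omitted here. Rule order within mangle matters.

/ip firewall address-list
# The "upside down" exception: destinations that may be spread over both WANs on
# every connection (speedtest servers). 203.0.113.0/24 is a placeholder, not a real
# speedtest range. Everything not in this list becomes sticky automatically.
add list=balance-freely address=203.0.113.0/24 comment="example: speedtest servers"

/ip firewall mangle
# 1. Sticky lookup, before PCC: a new LAN connection to an IP recently reached
#    via a given WAN inherits that WAN's connection mark.
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-list=seen-via-WAN1 \
    action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-list=seen-via-WAN2 \
    action=mark-connection new-connection-mark=WAN2_conn

# 2. PCC only for what is still unmarked, i.e. IPs on neither list yet.
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn

# 3. Record the decision. add-dst-to-address-list does not stop rule processing;
#    it adds the packet's destination to the list as a dynamic entry with a 1h
#    timeout, and re-adding an existing entry refreshes the timer, so an IP stays
#    pinned while traffic to it continues and expires 1h after the last packet.
#    IPs on balance-freely are never recorded, so each new connection to them
#    goes back through PCC (this is what keeps multi-connection speedtests on both WANs).
add chain=prerouting in-interface=bridge connection-mark=WAN1_conn dst-address-list=!balance-freely \
    action=add-dst-to-address-list address-list=seen-via-WAN1 address-list-timeout=1h
add chain=prerouting in-interface=bridge connection-mark=WAN2_conn dst-address-list=!balance-freely \
    action=add-dst-to-address-list address-list=seen-via-WAN2 address-list-timeout=1h

# 4. Per-packet routing marks, exactly as in a plain PCC setup.
add chain=prerouting in-interface=bridge connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=bridge connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2

# Check: dynamic entries and their remaining timeout
/ip firewall address-list print where dynamic
```

Step 3 is evaluated for every packet of a marked connection, which is what gives the sliding 1h window; adding `connection-state=new` to those two rules turns it into a fixed window measured from the first connection at a fraction of the CPU cost. An IP can end up on both lists only if it was reached through different WANs inside the window (for instance right after a failover), in which case the first sticky rule wins and pins it to WAN1; clear the stale entry with `/ip firewall address-list remove [find list=seen-via-WAN2 dynamic]` if that matters to you.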
I don't understand exactly how you can do it, and what you get is very complicated.
I enclose here below my final working configuration. mybackup.rsc (12.5 KB)
What is the purpose of the six rules you have that assign new connection marks to specific IP addresses on the bridge?
I am assuming it's so these IPs never get assigned WAN2, but only WAN1?
(2) The difficulty with discher's PCC is that he assumes fixed/static WAN IPs, and I was looking for a way around his config for dynamic IPs...
But I see you are using fixed WAN IPs, so this example doesn't provide any illumination on the issue.
What I found interesting, though, is your use of these rules (discher's first two rules) OR LACK THEREOF.
Nowhere to be found are these ACCEPT RULES... ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address=fixedIP-WAN1
add action=accept chain=prerouting disabled=no dst-address=fixedIP-WAN2
Instead you have six rules and I have no clue what you are doing...???
…
Those rules (some are disabled) precede those of PCC and are used to direct the traffic of some devices with fixed IPs (managed by the DHCP server) exclusively to a specific WAN.
I didn't understand your problem with dynamic IPs.
---- In the DHCP server I reserved static addresses for some devices.
---- The first two rules you see make sure that some services (grouped in an address list), such as speedtest, are processed in postrouting and thus do not suffer from any slowdowns.
---- The third and fourth regenerate the lists used to route traffic, so that some sites (such as banks) are always connected from the same WAN.
---- The fifth and sixth are the prerouting of the WANs.