LB and failover work fine. I can surf any site on the web from my laptop using the pair of ISPs. But the internal NTP client can't sync with ANY NTP server. There is no ping from the MikroTik internal ping tool to any hosts (Google, etc.), not only to NTP servers. I think this config will make trouble for me in the future, not only with NTP... I see that it is some problem with routing because of the HostN checking and default routes, but I can't resolve it. I'm a newbie. Help me please.
Something that I don't understand: I added a default route to WAN1 with distance 30 and now the default SNTP client can sync time. :smiley: But the NTP package still can't synchronize...
Some help?
Do you have a default catch-all route? Without a default route in the main routing table, any traffic originating from the router itself will have no access to the internet.
Can you please provide "/ip route print detail" then? You don't mention where you are trying to sync NTP to. If you are trying to use a DNS name, you may need to resolve that domain again, as the address can change, or set up your own NTP server that you control.
Feklar, my whole config is in the first message at the top, plus my last message. Nothing more.
I always use the same IPs (tried ~10 different servers) for the NTP server in both cases, with the NTP client and with the SNTP client. SNTP: OK. NTP client: no luck.
One alternative (at least in my scenario it works) is to run an NTP server like http://www.openntpd.org/ and set up your RB as an NTP client of this server on your own LAN.
OK. Now NTP is working fine.
But I have some trouble with port forwarding.
I added 2 identical dst-nat rules for the 2 WANs: forwarding on WAN1 works fine, but on WAN2 forwarding is not working (although I see the incoming packets). How do I solve this?
You didn't mention, or leave in, what your NTP server is, or how you resolve it. Putting in a DNS name does not work: yes, it will resolve that for you the first time, but only as you put it in; the DNS name will not be updated at a later time.
For the port forwarding, it is basically an extension of making sure that packets which come in addressed to the router on a specific interface will leave by the same interface; you are just watching for it in the forward chain instead.
/ip firewall mangle
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether1 new-connection-mark=port_forward1_connection passthrough=no
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether2 new-connection-mark=port_forward2_connection passthrough=no
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward1_connection disabled=no new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward2_connection disabled=no new-routing-mark=to_outside2 passthrough=no
Those lines are the actual CLI commands to add the rules; you can edit them with any text editor, paste them into the console of the RouterBOARD to add them, and manipulate them any way that you choose. I'm not exactly sure what you are wanting me to adapt.
The rules basically say: anything coming in on ether1 that is being forwarded through the router to another device, mark the connection, and the same for ether2. Then the next rules say: anything with that connection mark, put a routing mark on it so that the router knows which interface to send the traffic back out of.
I still don't understand you. In your code you mark the incoming connection from eth1 and then mark routing with that marked connection. And that's all? I'm pretty sure that it will not work, because you don't show where the output for this routing is! Or am I wrong?
Please look at my present config and give me a complete solution for port forwarding (NAT rule, mangle rule, etc.):
Just edit the routing marks to match your configuration:
/ip firewall mangle
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether1 new-connection-mark=port_forward1_connection passthrough=no
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether2 new-connection-mark=port_forward2_connection passthrough=no
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward1_connection disabled=no new-routing-mark=to_ISP1 passthrough=no in-interface=Local
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward2_connection disabled=no new-routing-mark=to_ISP2 passthrough=no in-interface=Local
Yes, this is all that really needs to be done; like I said, it is just a simple extension of your basic PCC setup. Look at which chain you are marking the connections in: it is the forward chain. Forward means any traffic that is not destined for the router itself and is being sent through it. So what happens is that an incoming connection for a port forward comes into the router, and dst-nat does its thing. The router sees the incoming interface and marks the connection, and then any return traffic from the device being forwarded to will automatically get the same connection mark, and by extension the routing mark it needs to send the traffic back.
The reason why you have to do it this way is this. Normally the traffic comes in and is forwarded to said device, which replies back; the router looks at its routing table and sends the reply out via the main table, because no table is specified by a routing mark. This is all fine and good when there is just one connection, or when you are connecting to the device over the primary of the two links. But it won't work for the second link, because the return traffic goes out via the main routing table, making a broken/invalid connection, so you never "see" the return traffic. Specifying the routing mark as I did above corrects that.
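Putting the pieces of this thread together, here is a complete dual-WAN configuration as an added example. It is not the original poster's config and not Feklar's exact rules: it covers the catch-all default routes in the main table that Feklar asked about (router-originated traffic such as NTP, DNS and the router's own ping uses the main table), one dst-nat rule per WAN, the mangle rules that pin forwarded connections to the WAN they arrived on, and a filter chain that only admits the exposed port. Interface names ether1/ether2/Local, the routing marks to_ISP1/to_ISP2, the gateway addresses (documentation ranges 192.0.2.1 and 198.51.100.1), the LAN 192.168.88.0/24 and the server 192.168.88.10:443 are all assumptions; the syntax is RouterOS v6.

```routeros
# Added example, not from the thread. Assumed layout (adjust to your own):
#   ether1 = WAN1 (ISP1, gateway 192.0.2.1)
#   ether2 = WAN2 (ISP2, gateway 198.51.100.1)
#   Local  = LAN interface, 192.168.88.0/24; server to expose: 192.168.88.10 tcp/443
#   to_ISP1 / to_ISP2 = routing marks already used by the PCC rules

# 1. Per-ISP routing tables (used by routing marks) plus catch-all default
#    routes in the main table. Without the last two routes the router itself
#    (NTP client, DNS, /ping) has no path to the internet even though LAN
#    clients are balanced fine, which is exactly the symptom at the top of
#    this thread.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_ISP1 check-gateway=ping comment="table for ISP1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_ISP2 check-gateway=ping comment="table for ISP2"
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping comment="main table: primary"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping comment="main table: failover"

# 2. One dst-nat rule per WAN interface so the forward works whichever
#    public address the client used; masquerade out of both WANs.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="https via ISP1"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="https via ISP2"
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# 3. Remember which WAN a forwarded connection came in on (forward chain,
#    first packet only), then stamp the matching routing mark on the LAN
#    host's replies so they leave by the same WAN instead of the main table.
#    Keep these above the PCC mark-connection rules, or make sure those
#    rules match connection-mark=no-mark, so the reply is not re-balanced.
/ip firewall mangle
add chain=forward connection-state=new in-interface=ether1 action=mark-connection new-connection-mark=port_forward1_connection passthrough=no comment="forward arrived via ISP1"
add chain=forward connection-state=new in-interface=ether2 action=mark-connection new-connection-mark=port_forward2_connection passthrough=no comment="forward arrived via ISP2"
add chain=prerouting in-interface=Local connection-mark=port_forward1_connection action=mark-routing new-routing-mark=to_ISP1 passthrough=no comment="reply leaves via ISP1"
add chain=prerouting in-interface=Local connection-mark=port_forward2_connection action=mark-routing new-routing-mark=to_ISP2 passthrough=no comment="reply leaves via ISP2"

# 4. Only the dst-nat'ed port is reachable from the WANs; everything else
#    arriving on ether1/ether2 for the LAN is dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=accept comment="exposed https via ISP1"
add chain=forward connection-nat-state=dstnat in-interface=ether2 protocol=tcp dst-port=443 action=accept comment="exposed https via ISP2"
add chain=forward in-interface=ether1 action=drop
add chain=forward in-interface=ether2 action=drop
```

To check that the return path is actually being pinned, connect to the WAN2 public address from outside and run `/ip firewall connection print where connection-mark=port_forward2_connection`; the entry should exist, and `/ip firewall mangle print stats` should show the packet counter on the to_ISP2 mark-routing rule increasing. If the counter stays at zero while the connection entry exists, the mark-routing rule is below a PCC rule that has already claimed the reply, so move it up. If you later change the ISP gateway addresses, remember that all four routes above must be updated, not just the two in the main table.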