PCC Load Balancing 2 ADSL and forcing traffic from 1 IP to a specific ADSL

kapparou · July 18, 2018, 5:02pm

Hi,
I have to load balancing with PCC 2 ADSL and, at the same time, make sure that the traffic from 1 static IP address on the LAN (video server) will go out with always the same ADSL.

eth5-Hlan and eth4-ADSL are the 2 ADSL
eth2-LAN is the LAN network with addresses 192.168.88.0/24

here is the code:

add action=mark-connection chain=input in-interface=eth5-HLan new-connection-mark=ether5_conn passthrough=no
add action=mark-connection chain=input in-interface=eth4-ADSL new-connection-mark=ether4_conn passthrough=no
add action=mark-routing chain=output connection-mark=ether4_conn new-routing-mark=to_ether4 passthrough=yes
add action=mark-routing chain=output connection-mark=ether5_conn new-routing-mark=to_ether5 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=eth5-HLan
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=eth4-ADSL
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=eth2-LAN new-connection-mark=ether4_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=eth2-LAN new-connection-mark=ether5_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting connection-mark=ether5_conn in-interface=eth2-LAN new-routing-mark=to_ether5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ether4_conn in-interface=eth2-LAN new-routing-mark=to_ether4 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=eth5-HLan
add action=masquerade chain=srcnat out-interface=eth4-ADSL

/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ether4
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_ether5
add check-gateway=ping distance=1 gateway=eth5-HLan routing-mark=custom-route
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.0.1

I want that an IP, for example 192.168.88.5 (video server), use always the ADSL on eth5-HLan. How can I do this?

kapparou · July 24, 2018, 7:30am

Anyone can help me?

sindy · July 24, 2018, 7:44am

Right after the two PCC rules, add the following one:

add action=mark-connection chain=prerouting in-interface=eth2-LAN new-connection-mark=ether5_conn passthrough=yes src-address=192.168.88.5

kapparou · July 24, 2018, 10:23am

Thanks!! It works!!

Another question: the Eth4 and Eth5 of the mikrotik are connected to the Lan ports of the xDSL Router. When I setup PCC load balancing and failover the mikrotik ‘see’ the xDSL Gateway not the Internet. If the internet connection on one xDSL router goes down the mikrotik can’t see that because the xDSL router is always up.
How can I tell the PCC load balancer to watch for the internet connection beyond the xDSL router instead of ping the xDSL router?
Here are the routes I’ve specified: (192.168.0.1 and 192.168.1.1 are the LAN IPs of the two xDSL router)

/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ether4
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_ether5
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.0.1

sindy · July 24, 2018, 10:48am

See this article on how to use recursive next-hop search to check that the ADSL line and the ISP’s infrastructure is transparent all the way to the internet.

kapparou · July 24, 2018, 12:10pm

In this article the 2 wan port of the RB are not connected to 2 routers xDSL, in my scenario the 2 wan ports on the mikrotik are connected to 2 lan ports of the xDSL routers, so the mikrotik see the gatway 192.168.1.1 that is the xDSL router’s ip address

sindy · July 24, 2018, 12:40pm

It’s not relevant how is the WAN link physically implemented. As long as the two gateways have different IP addresses, which they do in your case, you don’t need to bother about the particular technology.

So you need the following recursive routes (take care yourself about all the scope and target-scope parameters which are essential to make the recursive next-hop search work properly).

dst=address=0.0.0.0/0 gateway=100.64.0.1 distance=1
    dst-address=100.64.0.1 gateway=dns.1.1
    dst-address=100.64.0.1 gateway=dns.1.2
    dst-address=100.64.0.1 type=unreachable distance=2
        dst-address=dns.1.1 gateway=192.168.0.1
        dst-address=dns.1.2 gateway=192.168.0.1

dst=address=0.0.0.0/0 gateway=100.64.0.2 distance=2
    dst-address=100.64.0.2 gateway=dns.2.1
    dst-address=100.64.0.2 gateway=dns.2.2
    dst-address=100.64.0.2 type=unreachable distance=2
        dst-address=dns.2.1 gateway=192.168.1.1
        dst-address=dns.2.2 gateway=192.168.1.1

dst-address=0.0.0.0/0 gateway=100.64.0.1 routing-mark=wan1
dst-address=0.0.0.0/0 gateway=100.64.0.2 routing-mark=wan2

The type=unreachable routes with distance=2 are there so that the 100.64.0.x would not be accessible if their dedicated uplink is not. Maybe even each of the routes to dns.x.y needs a twin type=unreachable route.

macgaiver · July 24, 2018, 12:55pm

implementation is little bit off, first 2 rules should be in prerouting chain not in input chain, like in manual example:
https://wiki.mikrotik.com/wiki/Manual:PCC#Application_Example_-_Load_Balancing
on your connection-mark rules you do not have check, if that connections hasn’t been already marked “connection-mark=no-mark” again same like in example from manual.
All your IPs are local IPs, in this case you will be better out not using masquerade at all, and allow your DSL modems to masquerade. use routing in your local network instead.

sindy · July 24, 2018, 2:00pm

It’s not a big deal as none of the prerouting rules attached any connection-mark, and the input rules are executed a while later.

Yes, you’re right, but the PCC rules have the advantage of providing consistent results

Well, on many modems routing cannot be configured. So if on both modems the OP can configure a static route to 192.168.88.0/24 and provide a static lease to the Mikrotik so that the gateway IP for that subnet would remain the same, then yes, but without the route it would stop working once he’d disable the masquerade.

macgaiver · July 24, 2018, 2:58pm

without 2) your PCC will override your mark-connection rule for particular IP.

sindy · July 24, 2018, 3:10pm

In general yes, but in this particular case the PCC rules are the only ones providing the connection-mark for packets coming in from the LAN (and they do check that they come from there), so in fact they are just overwriting over and over again the marks they’ve assigned previously themselves. PCC rules give consistent results all the time, so they can even be used without connection-marking, so you could directly assign routing-marks by them. This is not the case with nth, random etc. where you must mark the connection only when handling its initial packet.

And having this in mind, I’ve told the OP to add the exception rule for a particular source IP after the PCC rules, which means that it overwrites the connection-mark assigned by one of the PCC rules. If connection-mark=no-mark was there in the PCC rules, that extra rule would have to be placed before them.

Haven’t compared resource consumption, though.

kapparou · July 25, 2018, 8:15am

Hi,
the rule is ok, the IP address 192.168.88.5 always exit the mikrotik via Eth5.
But there is a problem: the IP 192.168.88.5 should be NATted 1:1 towards Internet. From Internet, through the public IP of the xDSL router and a port (ex: 150.1.1.x:1234) I should be able to reach the 192.168.88.5. But the 192.168.88.5 is on the LAN of the MikroTik, not on the LAN of the xDSL Router. And doing a LAN scan on the Lan of the xDsl Router I see only the IP of the WAN port of MikroTik (192.168.0.2 on Eth5).
How can I do?

sindy · July 25, 2018, 11:23am

Well, at this point we are getting where @macgaiver was pulling it a day ago: to have a server at 192.168.88.5 accessible from the internet under the public IP address of the connection via the xDSL modem/router, you need to do one of the following:

set up port-forwarding of incoming connections on the modem to the WAN address of the Mikrotik and set up port-forwarding on the Mikrotik to the server
set up routing to 192.168.88.0/24 on the modem, disable the masquerade on Mikrotik for this modem and do the port forwarding to 192.168.88.5 only at the modem
switch the modem to bridge mode, set up /interface pppoe-client on the Mikrotik to get the public IP of that connection to the Mikrotik, and do the port forwarding only at the Mikrotik.

Port-forwarding of all ports is often called a DMZ function or NAT1:1 in the documentation of xDSL routers. On the Mikrotik, the rule doing that would be

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.5 in-interface=the-name-of-the-proper-wan

However, if you do set up this wide way, the Mikrotik’s firewall won’t protect the server from any incoming traffic, so I’d recommend to only selectively port-forward tcp and udp ports you really need to make visible from outside.

To really get through, an /ip firewall filter rule in chain=forward must permit these packets through as well. Depending on from which RouterOS version they are ihnerited, some default firewall rules contain “drop everything from WAN unless it is dst-nated”, some don’t and you have to either modify the final drop rule or add “accept everything (or only something) from WAN which is dst-nated” to the right place in the chain.

kapparou · July 25, 2018, 12:12pm

Well, at this point we are getting where @macgaiver was pulling it a day ago: to have a server at 192.168.88.5 accessible from the internet under the public IP address of the connection via the xDSL modem/router, you need to do one of the following:

set up port-forwarding of incoming connections on the modem to the WAN address of the Mikrotik and set up port-forwarding on the Mikrotik to the server

set up routing to 192.168.88.0/24 on the modem, disable the masquerade on Mikrotik for this modem and do the port forwarding to 192.168.88.5 only at the modem

switch the modem to bridge mode, set up /interface pppoe-client on the Mikrotik to get the public IP of that connection to the Mikrotik, and do the port forwarding only at the Mikrotik.

Port-forwarding of all ports is often called a DMZ function or NAT1:1 in the documentation of xDSL routers. On the Mikrotik, the rule doing that would be

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.5 in-interface=the-name-of-the-proper-wan

However, if you do set up this wide way, the Mikrotik’s firewall won’t protect the server from any incoming traffic, so I’d recommend to only selectively port-forward tcp and udp ports you really need to make visible from outside.

To really get through, an /ip firewall filter rule in chain=forward must permit these packets through as well. Depending on from which RouterOS version they are ihnerited, some default firewall rules contain “drop everything from WAN unless it is dst-nated”, some don’t and you have to either modify the final drop rule or add “accept everything (or only something) from WAN which is dst-nated” to the right place in the chain.

Well if I choose the number 1:

[*]set up port-forwarding of incoming connections on the modem to the WAN address of the Mikrotik and set up port-forwarding on the Mikrotik to the server

only the traffic in/out from the server 192.168.88.5 would pass the mikrotik and goes outside towards Internet right? Because on xDSL modem side I have to specify the IP address:port on the LAN to forward, I will use 192.168.0.2:1234 which is the IP address of the WAN port of the mikrotik and 1234 is the port of the server 192.168.88.5, right?

The NAT rules are the following:
/ip firewall nat
add chain=dst-nat action=dst-nat to-addresses=192.168.88.5 in-interface=eth5-HLAN
add action=masquerade chain=srcnat out-interface=eth5-HLan
add action=masquerade chain=srcnat out-interface=eth4-ADSL

sindy · July 25, 2018, 12:53pm

No, it does not work this way. Port forwarding normally does not disable the other devices on the private side of the NAT from working, it only handles connections initiated from the internet side. So e.g. a request comes to the public IP of the modem, port 1234, the modem forwards it to the Mikrotik’s WAN IP, port 1234 (or some other one if configured like that), and the MIkrotik will forward it to the IP of the server, again changing it from 1234 to something else or keeping it unchanged, and automatically creates reverse rules for the response packets which only apply to that very connection. So if something inside the LAN wants to get somewhere else than from where this connection has been established, it can use port 1234 on its side; if that something would initiate, from 1234, another connection to the very same IP and port in the internet from which this current connection was initiated, it would get the 1234 translated to some other port to keep the two connections separate.

I’d say try with a single port first to be sure that the rest of the configuration is correct, and then eventually remove the port number from the rules and see whether it still works.

kapparou · July 25, 2018, 2:17pm

Well if I choose the number 1:

set up port-forwarding of incoming connections on the modem to the WAN address of the Mikrotik and set up port-forwarding on the Mikrotik to the server

only the traffic in/out from the server 192.168.88.5 would pass the mikrotik and goes outside towards Internet right?

No, it does not work this way. Port forwarding normally does not disable the other devices on the private side of the NAT from working, it only handles connections initiated from the internet side. So e.g. a request comes to the public IP of the modem, port 1234, the modem forwards it to the Mikrotik’s WAN IP, port 1234 (or some other one if configured like that), and the MIkrotik will forward it to the IP of the server, again changing it from 1234 to something else or keeping it unchanged, and automatically creates reverse rules for the response packets which only apply to that very connection. So if something inside the LAN wants to get somewhere else than from where this connection has been established, it can use port 1234 on its side; if that something would initiate, from 1234, another connection to the very same IP and port in the internet from which this current connection was initiated, it would get the 1234 translated to some other port to keep the two connections separate.

I’d say try with a single port first to be sure that the rest of the configuration is correct, and then eventually remove the port number from the rules and see whether it still works.

Ok, but if I modify the NAT rule in this way:
/ip firewall nat
add chain=dst-nat action=dst-nat to-addresses=192.168.88.5 in-interface=eth5-HLAN
add action=masquerade chain=srcnat src-address=192.168.88.6-192.168.88.200 out-interface=eth5-HLan
add action=masquerade chain=srcnat out-interface=eth4-ADSL
the IP 192.168.88.5 can’t access internet. Should I masquerade also 192.168.88.5?

sindy · July 25, 2018, 3:10pm

Of course you should. dst-nat handles incoming connections, src-nat (or masquerade where you cannot avoid it because you’re getting a dynamic address) handles outgoing connections, and they work as independent of each other as they can. As you’ve chosen the double nat (one at 'Tik and one at xDSL router), you must src-nat everything that goes out from the 'Tik because without the route to 192.168.88.0/24, the xDSL router sends the packet for 192.168.88.0/24 back via its WAN interface.

kapparou · July 26, 2018, 7:00pm

Ok, tomorrow I’ll do the test: I’ll give 192.168.88.5 to the WAN interface of the firewall connected on the LAN port of the Mikrotik and see if I’ll be able to reach the firewall from internet using xDSL_Public_IP:1234