PCC load balancing Intervlan routing

Dear all,
Recently, I have adopted PCC load balancing in our network.
At the moment, it seems to work correctly, but I have a problem with inter-VLAN routing.
We use 8 VLANs in our network, so 8 different subnets.
Before, inter-VLAN routing worked correctly and I could block/permit the traffic with IP FIREWALL FILTER.
I found a w/a, but it is less easy to manage for all VLANs.
For example, if I want to reach several VLANs from my IP, locally, I must apply a couple of rules for each VLAN.

VLAN 10 = 10.10.10.0/24
VLAN 20 = 10.10.20.0/24

src address: 10.10.20.50, dst address: 10.10.10.10

1 ;;; prerouting rule SRC
chain=prerouting action=accept src-address=10.10.10.0/24
dst-address=10.10.20.0/24 log=no
2 ;;; prerouting rule DST
chain=prerouting action=accept src-address=10.10.10.0/24
dst-address=10.10.20.0/24 log=no

I’m afraid I’m missing the point. Do you have in mind that as you started connection-marking and routing-marking all traffic, you must set up exceptions from connection-marking so that local traffic between VLANs would not be connection-marked and thus end up routed out via WAN rather than being delivered locally as it should? If so, make an address list containing all your VLAN subnets, and use it in the routing-marking rules as a negative one:

/ip firewall address-list
add list=local-subnets address=10.10.10.0/24
add list=local-subnets address=10.10.20.0/24
...

/ip firewall mangle
...
action=mark-routing ... dst-address-list=!local-subnets

Thanks a lot.
What does this change involve?
At the moment I have made this change only for one subnet and it works.
Regards

14 chain=prerouting action=mark-routing new-routing-mark=to_wlan1 passthrough=yes dst-address=!10.10.90.0/24 connection-mark=wlan1_conn in-interface=bridge_trunk log=no log-prefix=""

15 chain=prerouting action=mark-routing new-routing-mark=to_wlan2 passthrough=yes dst-address=!10.10.90.0/24 connection-mark=wlan2_conn in-interface=bridge_trunk log=no log-prefix=""

It involves just a replacement of dst-address by dst-address-list. So instead of a single IP address or single subnet or maybe a single range, you can refer to several distinct subnets in a single firewall rule.

Whether you use this in a rule which accepts traffic to these destinations before the action=mark-routing rule can see it or whether you use this inverted in the action=mark-routing rule itself is not important; the result in both cases is that the packets for local destinations do not get a routing-mark making them use a corresponding set of routes (commonly referred to as “routing table”). The point is that the routes to directly connected subnets only exist in the default routing table, so you either have to prevent packets for directly connected subnets from being routing-marked (as done above), or you have to duplicate the routes to connected subnets also in the routing-marked routing tables.
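
A check for the condition described above, as an added example that is not part of the original thread: it reads a simplified one-rule-per-line export and reports, for each mark-routing rule, the local subnets that neither a negated destination matcher nor an earlier destination-only accept rule keeps out of the routing-marked tables. The `audit` helper, the sample export and the contents of `local-subnets` are constructed for illustration.

```python
import ipaddress
import shlex

def parse(export):
    """Split a one-rule-per-line export into address lists and mangle rules."""
    lists, rules, section = {}, [], None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if section == "/ip firewall address-list":
                lists.setdefault(kv["list"], []).append(ipaddress.ip_network(kv["address"]))
            elif section == "/ip firewall mangle":
                rules.append(kv)
    return lists, rules

def dst_nets(rule, lists, negated):
    """Networks named by the rule's destination matchers of the given polarity."""
    addr, lst = rule.get("dst-address", ""), rule.get("dst-address-list", "")
    nets = [ipaddress.ip_network(addr.lstrip("!"))] if addr and addr.startswith("!") == negated else []
    if lst and lst.startswith("!") == negated:
        nets += lists.get(lst.lstrip("!"), [])
    return nets

def audit(export, local_subnets):
    """Return [(routing mark, [local subnets its rule can still mark])], in rule order."""
    lists, rules = parse(export)
    local = [ipaddress.ip_network(s) for s in local_subnets]
    exempt, findings = {}, []  # exempt: chain -> nets accepted by an earlier rule
    for rule in rules:
        only_dst = set(rule) - {"chain", "action", "comment"} in ({"dst-address"}, {"dst-address-list"})
        if rule.get("action") == "accept" and only_dst:  # accept narrowed by src etc. does not count
            exempt.setdefault(rule.get("chain"), []).extend(dst_nets(rule, lists, False))
        elif rule.get("action") == "mark-routing":
            safe = exempt.get(rule.get("chain"), []) + dst_nets(rule, lists, True)
            missed = [str(s) for s in local if not any(s.subnet_of(n) for n in safe)]
            if missed:
                findings.append((rule.get("new-routing-mark"), missed))
    return findings

# Constructed sample: one rule excludes a single subnet, the other uses the address list.
SAMPLE = """/ip firewall address-list
add list=local-subnets address=10.10.10.0/24
add list=local-subnets address=10.10.20.0/24
add list=local-subnets address=10.10.90.0/24
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=to_wlan1 connection-mark=wlan1_conn dst-address=!10.10.90.0/24
add chain=prerouting action=mark-routing new-routing-mark=to_wlan2 connection-mark=wlan2_conn dst-address-list=!local-subnets"""
print(audit(SAMPLE, ["10.10.10.0/24", "10.10.20.0/24", "10.10.90.0/24"]))
```

Run against the sample, it flags only `to_wlan1`, whose single-subnet exclusion leaves the other two VLANs eligible for a routing mark.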

OK, thanks very much.
Now I will try this configuration.
I have another question for you.
How could I force a host to always use the same WAN?

Edit:
The mangle section is in the attachment.
Could you check if it is all correct?
mangle_.txt (1.43 KB)

Still the same way. Before the PCC rules, put a mark-connection rule with src-address=your.host.ip.addr instead of per-connection-classifier=…; the rest of the rule parameters are the same as in the PCC rules.

The mangle rules seem fine to me, only the passthrough=yes in the action=mark-routing rules is useless (unless some other rules follow).

OK Sindy.
Thank you for your help.
At the moment it all seems to work.

Regards