I have a RouterBoard (RB750UP) configured as load balancing 2 ADSL lines.
Since the modems are not able to be put in bridge mode I have configured 2 separate IP segments between the modems and the router.
I have set up the load balancing as described in the wiki (here).
The load balancing is working perfectly for the internal connected devices.
But I can’t figure out how I can connect to the device remotely.
See below for my relevant configuration:
/ ip address
add address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255 interface=ether5
add address=192.168.11.2/24 network=192.168.11.0 broadcast=192.168.11.255 interface=ether1
add address=192.168.12.2/24 network=192.168.12.0 broadcast=192.168.12.255 interface=ether2
/ ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
I have done some testing and the thing which I think is causing trouble is that traffic originated on the router is not routed properly, and I believe that is because it is not handled correctly in the mangle part and not given a correct marking.
If I try to ping google.com (173.194.65.139) from the router I get a ‘no route to host’ status message.
But I can’t figure out how to create mangle rules in order to give the packets a proper routing mark.
In your export, on output you do not mark any route, and the last two lines really… do nothing.
Output is only traffic generated from RouterBoard to out, like ping or tracert inside routerboard, not the traffic “forwarded” out from local lan.
You specified routes only for marked traffic; the RouterBoard does not know how to reach google.com.
I can follow you that I do not mark any traffic in the output chain.
but adding the following rules does not change anything…
add chain=output out-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=output out-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
Got your point.
So I need to create 1 (or multiple) routes without a routing mark in order to route any traffic outside the Router itself.
If I create 1 rule it always uses that one, obvious!
But if I create 2 for the sake of redundancy/fail-over it will always keep using the first 1, except when that one is down, it will automatically start using the other one.
The things you say definitely make sense.
But I still do not understand it when looking at the “Packet Flow Diagram”.
If I initiate a connection from outside, it enters the “Routing Decision” block on entry “I”.
From there it flows to prerouting.
On the prerouting chain I am marking the connections depending on the incoming interface.
The packet then ends at the input chain.
But the answer (originated by the router and created/started on the output chain?) never reaches the destination.
On the same image, the packets simply go from “routing decision” to “Local process IN” and die there, processed or not by any “program” like ping, mac telnet, etc.
So it traverses the output chain, which makes sense again. But how can the traffic destined for the router be handled by the input chain and replied to by output in such a way that mangle can handle it?
Am I correct to state that it does not matter whether the incoming packets are marked on the prerouting or input chain, because all packets traverse the prerouting chain?
So what rules are needed to setup remote connection to either incoming path?
Sorry, but it is very hard for me to explain all of this in English.
Simply, all the traffic incoming to the RB can be routing-marked on the prerouting chain,
and on the output chain the routing marking is only for traffic generated by the router.
NAT is for “forwarded” traffic, not first prerouting and later output,
but first prerouting, then forward, then postrouting!
Generally the packet flow is:
pre → forward → post
if the packet is directed to some program in the router [winbox, ssh, telnet, web, tracert, ping, etc.]
pre → input → [Linux]
if the packet is generated by some program in the router [tool email, fetch, ssh, telnet, mac server, neighbor discovery, tracert, ping, etc.]
[Linux] → output → postrouting
This is also the reason the routing can be marked only on the prerouting and output chains.
I think it is getting clearer the more I look at it.
I think I found my mis-interpretation of the packet flow diagram.
I was in the understanding that from the output chain the traffic could be marked for routing.
But looking more closely at the flow diagram I see that if packets reach the output chain, the routing decision has already been carried out. So am I correct to conclude that if the router tries to send a packet (generated itself or a reply to one from outside), the first thing it does is define which way to route it? But how can the traffic originated from the router then be forced to go out a specific interface?
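One way to tie router-originated replies to the WAN they arrived on, and to give new router-initiated connections a default route, as an added example that is not from any poster in this thread. The modem gateway addresses 192.168.11.1 and 192.168.12.1 and the routing-mark names to_ISP1/to_ISP2 are assumptions; ISP1_conn/ISP2_conn are the connection marks used above.

```routeros
# Assumed modem (gateway) addresses, not given in the thread:
#   ISP1 modem = 192.168.11.1 on ether1, ISP2 modem = 192.168.12.1 on ether2

/ip firewall mangle
# Inbound connections: prerouting sees every packet that enters the router,
# including packets addressed to the router itself (winbox, ssh, ping),
# so remember which WAN interface the connection came in on.
add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# The router's reply belongs to the same tracked connection, so the
# connection-mark is already attached when the reply enters the output
# chain. A routing mark set here is honoured by the routing adjustment
# that follows the output chain, which is why the flow diagram lists
# prerouting and output as the two places mark-routing works.
add chain=output connection-mark=ISP1_conn action=mark-routing \
    new-routing-mark=to_ISP1 passthrough=no
add chain=output connection-mark=ISP2_conn action=mark-routing \
    new-routing-mark=to_ISP2 passthrough=no

/ip route
# Per-ISP default routes selected by the routing marks above.
add dst-address=0.0.0.0/0 gateway=192.168.11.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.12.1 routing-mark=to_ISP2 check-gateway=ping
# Unmarked defaults for new connections the router itself starts (ping from
# the router, fetch, NTP). Without these the router reports "no route to
# host"; distance makes ISP1 primary and ISP2 the fail-over.
add dst-address=0.0.0.0/0 gateway=192.168.11.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.12.1 distance=2 check-gateway=ping
```

With this, a remote session that arrives via ether2 is answered via ether2 regardless of which unmarked default is currently active, while traffic the router initiates on its own still follows the plain distance-based fail-over.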