Ping and Routes Issue

Hello All
I have 4 WANs and am using the NTH method.
The problem is that I can't ping from any WAN link except WAN1.
If I change any WAN2/3/4 distance to 1, I can ping.
And if I disable the WAN1 route, I can ping from WAN2.

I need to ping from all WANs at the same time.
Thank you…

/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] name=WAN4
set [ find default-name=ether10 ] name=LAN

/ip address
add address=192.168.1.2/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 interface=WAN2 network=192.168.2.0
add address=192.168.3.2/24 interface=WAN3 network=192.168.3.0
add address=192.168.4.2/24 interface=WAN4 network=192.168.4.0
add address=10.0.0.1/16 interface=LAN network=10.0.0.0

/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=LAN name=dhcp1

/ip dhcp-server network
add address=10.0.0.0/16 dns-server=10.0.0.1 gateway=10.0.0.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=line1 nth=4,1 passthrough=yes src-address=10.0.0.0/16
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=line2 nth=4,2 passthrough=yes src-address=10.0.0.0/16
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=line3 nth=4,3 passthrough=yes src-address=10.0.0.0/16
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=line4 nth=4,4 passthrough=yes src-address=10.0.0.0/16
add action=mark-routing chain=prerouting connection-mark=line1 new-routing-mark=line1 passthrough=yes src-address=10.0.0.0/16
add action=mark-routing chain=prerouting connection-mark=line2 new-routing-mark=line2 passthrough=yes src-address=10.0.0.0/16
add action=mark-routing chain=prerouting connection-mark=line3 new-routing-mark=line3 passthrough=yes src-address=10.0.0.0/16
add action=mark-routing chain=prerouting connection-mark=line4 new-routing-mark=line4 passthrough=yes src-address=10.0.0.0/16

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
add action=masquerade chain=srcnat out-interface=WAN4

/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=line1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=line2
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=line3
add check-gateway=ping distance=1 gateway=192.168.4.1 routing-mark=line4
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
add check-gateway=ping distance=3 gateway=192.168.3.1
add check-gateway=ping distance=4 gateway=192.168.4.1

any help?

Quick scan of your config: I suggest re-reading the Wiki and examples, as your config does not look the same, i.e. you have passthrough on many rules and I suspect the routing mark is changed every time.

It is not very clear from your description what you actually want, but because pinging the gateway in each local subnet 192.168.x.0/24 should use the appropriate interface automatically, I assume that you want your nth rules to apply also to traffic towards remote destinations originated by the Mikrotik itself (of which the ping is only one part, as at least the ntp and dns traffic is locally originated too).

If my guess is correct, your answer is in this picture. You have to connection-mark the packets using the nth matcher and then route-mark them not only in chain=prerouting but also in chain=output of /ip firewall mangle. Once you do that, your routes without the routing-mark parameter will not be used any more. Which also means that even the interface check pings will be routed according to routing marks, so each of the marked routing tables must have its own route for each local subnet.

In this particular case passthrough=no would do more harm than help because

  • on any single packet, only one of the four rules with the nth matcher matches anyway,

  • as you have to also route-mark the first packet of an outbound connection after you have connection-marked it, passthrough=yes on connection-marking rules is a must.

However, what always puzzled me, but I was too lazy to test so far, was the question whether action=mark-connection automatically only matches on connection-state=new or connection-mark=none, or whether it is necessary to use one of these explicitly to avoid replacing an already assigned connection mark. I would assume the latter to be true, but I have seen many configs without that explicit matcher and people reported it was working fine for them like that. So I've tested now, and I've ended up even more puzzled because I don't get how all those configurations could have seemed to work.

This is what the test rules look like:


ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
...
 5    chain=prerouting action=mark-connection new-connection-mark=1st-rule passthrough=yes dst-address=192.168.10.1
 6    chain=prerouting action=mark-connection new-connection-mark=2nd-rule passthrough=yes dst-address=192.168.10.1
 7    chain=prerouting action=passthrough dst-address=192.168.10.1 connection-mark=1st-rule
 8    chain=prerouting action=passthrough dst-address=192.168.10.1 connection-mark=2nd-rule

So if action=mark-connection only matches on packets without connection mark, rule 7 has to match on a single packet to 192.168.10.1, otherwise rule 8. The result is


/ip firewall mangle print stats
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                 ACTION                            BYTES         PACKETS
 ...
 5    prerouting                                                            mark-connection                      60               1
 6    prerouting                                                            mark-connection                      60               1
 7    prerouting                                                            passthrough                           0               0
 8    prerouting                                                            passthrough                          60               1

The next test is whether action=mark-connection matches only on connection-state=new; if it does, the action=mark-connection rules have to match only once on a two-packet ping and one of the passthrough rules twice. The result, after clearing the counters from the previous test, is:


[admin@MikroTik] > ip firewall mangle print stats
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                 ACTION                            BYTES         PACKETS
...
 5    prerouting                                                            mark-connection                     120               2
 6    prerouting                                                            mark-connection                     120               2
 7    prerouting                                                            passthrough                           0               0
 8    prerouting                                                            passthrough                         120               2

So everything works as expected: no implicit match conditions are associated with action=mark-connection.
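To turn the reply above into a configuration, here is an added example that is not part of the original thread and not a MikroTik example: the poster's mangle rules extended with an output-chain copy for router-originated traffic, connection-state=new kept as the explicit matcher (the test above shows mark-connection has none built in), and a connected route to every WAN subnet in every marked table so the check-gateway pings stay on their own interface. It assumes the RouterOS v6 syntax of the posted export and reuses its interface names, addresses and mark names; dst-address-type=!local on the LAN rules is my addition, to keep LAN-to-router traffic out of the balancing.

```routeros
# Added example (not from the original post). RouterOS v6 syntax as in the posted
# export; interface names, addresses and marks are the poster's, the rest is assumed.
/ip firewall mangle
# 1. LAN-originated connections: rule N marks the N-th of every four NEW connections.
#    connection-state=new is what stops later packets of a connection from being
#    re-marked (mark-connection itself has no implicit matcher, see the test above).
#    passthrough=yes on all four so every rule sees every new connection and the
#    four nth counters stay in step; connection-mark=no-mark is deliberately NOT added,
#    because rule 1's mark would make packet 1 fail that matcher in rules 2 to 4 and
#    the counters could no longer be relied on to stay in step.
#    dst-address-type=!local (added here) leaves LAN-to-router traffic such as DNS
#    and DHCP unmarked, so the router's replies to the LAN stay in the main table.
add chain=prerouting src-address=10.0.0.0/16 dst-address-type=!local connection-state=new nth=4,1 action=mark-connection new-connection-mark=line1 passthrough=yes
add chain=prerouting src-address=10.0.0.0/16 dst-address-type=!local connection-state=new nth=4,2 action=mark-connection new-connection-mark=line2 passthrough=yes
add chain=prerouting src-address=10.0.0.0/16 dst-address-type=!local connection-state=new nth=4,3 action=mark-connection new-connection-mark=line3 passthrough=yes
add chain=prerouting src-address=10.0.0.0/16 dst-address-type=!local connection-state=new nth=4,4 action=mark-connection new-connection-mark=line4 passthrough=yes
# 2. Router-originated connections (ping run on the router, DNS forwarder, NTP):
#    the same four rules in chain=output, which prerouting never sees.
add chain=output connection-state=new nth=4,1 action=mark-connection new-connection-mark=line1 passthrough=yes
add chain=output connection-state=new nth=4,2 action=mark-connection new-connection-mark=line2 passthrough=yes
add chain=output connection-state=new nth=4,3 action=mark-connection new-connection-mark=line3 passthrough=yes
add chain=output connection-state=new nth=4,4 action=mark-connection new-connection-mark=line4 passthrough=yes
# 3. Routing marks in both chains; passthrough=no, nothing needs to run after them.
add chain=prerouting connection-mark=line1 action=mark-routing new-routing-mark=line1 passthrough=no
add chain=prerouting connection-mark=line2 action=mark-routing new-routing-mark=line2 passthrough=no
add chain=prerouting connection-mark=line3 action=mark-routing new-routing-mark=line3 passthrough=no
add chain=prerouting connection-mark=line4 action=mark-routing new-routing-mark=line4 passthrough=no
add chain=output connection-mark=line1 action=mark-routing new-routing-mark=line1 passthrough=no
add chain=output connection-mark=line2 action=mark-routing new-routing-mark=line2 passthrough=no
add chain=output connection-mark=line3 action=mark-routing new-routing-mark=line3 passthrough=no
add chain=output connection-mark=line4 action=mark-routing new-routing-mark=line4 passthrough=no

/ip route
# 4. Marked router-originated traffic is now looked up in the marked tables, so each
#    table gets a connected route to every WAN subnet; otherwise a check-gateway ping
#    to 192.168.2.1 that happens to carry routing-mark=line1 would leave via WAN1.
#    The poster's default routes (with and without routing-mark) stay as they are.
add dst-address=192.168.1.0/24 gateway=WAN1 routing-mark=line1
add dst-address=192.168.2.0/24 gateway=WAN2 routing-mark=line1
add dst-address=192.168.3.0/24 gateway=WAN3 routing-mark=line1
add dst-address=192.168.4.0/24 gateway=WAN4 routing-mark=line1
add dst-address=192.168.1.0/24 gateway=WAN1 routing-mark=line2
add dst-address=192.168.2.0/24 gateway=WAN2 routing-mark=line2
add dst-address=192.168.3.0/24 gateway=WAN3 routing-mark=line2
add dst-address=192.168.4.0/24 gateway=WAN4 routing-mark=line2
add dst-address=192.168.1.0/24 gateway=WAN1 routing-mark=line3
add dst-address=192.168.2.0/24 gateway=WAN2 routing-mark=line3
add dst-address=192.168.3.0/24 gateway=WAN3 routing-mark=line3
add dst-address=192.168.4.0/24 gateway=WAN4 routing-mark=line3
add dst-address=192.168.1.0/24 gateway=WAN1 routing-mark=line4
add dst-address=192.168.2.0/24 gateway=WAN2 routing-mark=line4
add dst-address=192.168.3.0/24 gateway=WAN3 routing-mark=line4
add dst-address=192.168.4.0/24 gateway=WAN4 routing-mark=line4
```

Two things to keep in mind when testing this. A ping session started on the router is a single connection, so all its packets follow one mark and leave by one WAN; to exercise a specific link, name its table with the /ping command's routing-table parameter (for example routing-table=line2) rather than expecting consecutive pings to rotate. And the poster's masquerade rules on out-interface also apply to the router's own packets, so a ping that the output chain steers onto WAN2 leaves with WAN2's address even though the source address was picked before the mark was set.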