Problem with PBR (two gateways)

Hi everybody,
I'm not English, and my English is not so good, excuse me.


I have 2 gateways (with public IPs):
ISP 1: 77.15.20.0/24
ISP 2: 5.10.55.0/24

My problem: the ISP2 mangle does not work properly!


The first time the user opens the website, the website does not load.
But when the user refreshes the website, the website loads.

In general, once the site opens, once the site does not open.

What I did:

  1. direct mark routing (does not work properly)
  2. mark connection and mark routing (does not work properly)


ROS rules:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="ISP2" \
    in-interface=ISP2 new-connection-mark=ISP2
add action=mark-routing chain=prerouting connection-mark=ISP2 \
    new-routing-mark=ISP2r passthrough=no src-address=5.10.55.0/24

Please guide me.

My dear, you have 2 ISPs, but what did you do with them together?
Balance or another thing?

1.) You only have two mangle rules listed there, and you do not list your routing table; it is hard to tell what is going on without all of the necessary information.
2.) According to your rules you are marking traffic coming INTO the router from the outside and trying to load balance it; that will not work. You need to mark outbound traffic from your LAN. There are 3 possible moving parts when you are dealing with multiple internet connections:
a.) Traffic generated by a user that you want to policy-based route/load balance
b.) Traffic that the router is responding to itself
c.) Traffic coming into the LAN from the outside (such as a port forward)
Each one of these requires a set of rules to make them work. Most people just care about part "a" of it, but if you want, for example, to be able to connect to both public IP addresses of the router, then you need rules for case "b" to take care of that.

Here is a working example for case a and the limited information provided.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=<LAN Interface> new-connection-mark=outside1_connection dst-address=5.10.55.0/24
add action=mark-connection chain=prerouting connection-state=new in-interface=<LAN Interface> new-connection-mark=outside2_connection connection-mark=no-mark
add action=mark-routing chain=prerouting connection-mark=outside1_connection in-interface=<LAN Interface> new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside2_connection in-interface=<LAN Interface> new-routing-mark=to_outside2 passthrough=no

What happens is a new connection comes in from the LAN and hits the mangle prerouting chain. The packet will either match the dst-address or not; if it does, it hits the first rule, and if it does not, the second rule matches. It then gets passed down the firewall rule chain to the mark-routing rules, which tell the router which internet connection it should use for that specific traffic.

The problem you are running into is the requested traffic is coming into the router, and then the router tries to load balance that traffic and will sometimes send it out the wrong interface.
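The reply above gives the mangle half of case "a" and says the routing table is missing. As an added example (not posted by anyone in this thread), here is the complete set of pieces that a two-gateway PBR setup needs: the case "a" mangle rules, the matching routes with routing-mark, per-interface NAT so replies leave with the right source address, and the output-chain rules for case "b" so the router answers on the same ISP a connection arrived on. Interface names (LAN, ISP1, ISP2), the gateway addresses 77.15.20.1 and 5.10.55.1, and the LAN subnet 192.168.88.0/24 are assumptions; only the two /24 ranges come from the thread. RouterOS v6 syntax.

```routeros
# Added example, not from the original thread.
# Assumed: LAN interface "LAN", WAN interfaces "ISP1"/"ISP2",
# gateways 77.15.20.1 and 5.10.55.1 (first address of each /24 named
# in the thread), LAN subnet 192.168.88.0/24.

/ip firewall mangle
# --- case a: connections started on the LAN -------------------------
# Mark each new LAN connection once; dst-address picks the ISP2 path,
# everything still unmarked goes to ISP1. passthrough=yes is the default
# for mark-connection, so the packet continues to the mark-routing rules.
add chain=prerouting in-interface=LAN connection-state=new \
    dst-address=5.10.55.0/24 action=mark-connection \
    new-connection-mark=outside2_connection comment="case a: to ISP2 range"
add chain=prerouting in-interface=LAN connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=outside1_connection comment="case a: default ISP1"
# Turn the connection mark into a routing mark for every packet of the
# connection. Traffic for the LAN itself must NOT get a routing mark,
# otherwise the marked default route would send it out a WAN port.
add chain=prerouting in-interface=LAN dst-address=!192.168.88.0/24 \
    connection-mark=outside1_connection action=mark-routing \
    new-routing-mark=to_outside1 passthrough=no
add chain=prerouting in-interface=LAN dst-address=!192.168.88.0/24 \
    connection-mark=outside2_connection action=mark-routing \
    new-routing-mark=to_outside2 passthrough=no

# --- case b: connections to the router's own public addresses --------
# Remember which WAN a connection came in on (prerouting), then route the
# router's own replies (output chain) back out the same WAN. Without the
# output-chain rules, replies to ISP2 would leave via the main-table
# default route on ISP1 and be dropped by ISP2's customers' path.
add chain=prerouting in-interface=ISP1 connection-state=new \
    action=mark-connection new-connection-mark=from_isp1
add chain=prerouting in-interface=ISP2 connection-state=new \
    action=mark-connection new-connection-mark=from_isp2
add chain=output connection-mark=from_isp1 action=mark-routing \
    new-routing-mark=to_outside1 passthrough=no
add chain=output connection-mark=from_isp2 action=mark-routing \
    new-routing-mark=to_outside2 passthrough=no
# --- case c: port forwards to a LAN host ------------------------------
# The reply from the LAN host re-enters prerouting on LAN carrying the
# from_isp* mark, so route it back out the ISP it came from.
add chain=prerouting in-interface=LAN connection-mark=from_isp1 \
    action=mark-routing new-routing-mark=to_outside1 passthrough=no
add chain=prerouting in-interface=LAN connection-mark=from_isp2 \
    action=mark-routing new-routing-mark=to_outside2 passthrough=no

/ip route
# One default route per routing mark; these are what the marks select.
add dst-address=0.0.0.0/0 gateway=77.15.20.1 routing-mark=to_outside1 \
    check-gateway=ping comment="PBR table ISP1"
add dst-address=0.0.0.0/0 gateway=5.10.55.1 routing-mark=to_outside2 \
    check-gateway=ping comment="PBR table ISP2"
# Main-table defaults for unmarked traffic (router-originated, DNS, etc.)
# with ISP2 as failover.
add dst-address=0.0.0.0/0 gateway=77.15.20.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=5.10.55.1 distance=2

/ip firewall nat
# Masquerade per out-interface so the source address always belongs to
# the ISP the packet actually leaves on; a single masquerade rule works
# too, but per-interface rules make the intent visible in logs/counters.
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
```

To check that the marks are doing what the thread expects, watch the rule counters under /ip firewall mangle while a LAN host loads a page, and use /ip route print where routing-mark=to_outside2 to confirm the marked table has an active route; a marked packet with no route in its table falls back to the main table, which produces exactly the "sometimes the wrong interface" symptom described in the first post.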