Second WAN routing not working

boo9 · January 22, 2014, 11:23pm

Ros 6.7 RB450G

I have a setup with 3 lans (vlans admin,internat,szkola) and single wan + qos (priorities 1-8 according to traffic type dns/icmp and according to source interface), all working fine.

Then I wanted to add extra wan to be exclusively used by one of the vlans to which I dont have easy access so I cannot place computer there.

But I wanted to test the setup and decided that my machine Comp1 in admin-lan I have access to, I will redirect the outgoing http/port-80 traffic through second wan (eth4-wan3)

I started wireshark on "port 80 and host showip.com"
RB: very first mangle prerouting rules - log from/to showip.com
RB: very first forward two rules - log from/to showip.com
RB: very first postrouting two rules - log from/to showip

I fired off "wget showip.com" on comp1

the shark capture on comp1 shows:
send => SYN
recvd <= SYN,ACK
send => ACK
send => ACK, PSH (data)

The RB logs show following
send => SYN - goes out to wan3, // that is correct
recvd <= SYN,ACK - arrives to wan3, // that is correct
send => ACK - goes out to wan1 // wrong, why ? !!!! should have followed the same route as => SYN

Can anybody please help me with this, I got stumped by this since yesterday.

jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48
jan/23 00:03:57 firewall,info forward TO showip forward: in:admin out:eth4-wan3, src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth4-wan3, src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48

jan/23 00:03:57 firewall,info forward FROM showip forward: in:eth4-wan3 out:admin, src-mac f8:8e:85:af:0e:5a, proto TCP (SYN,ACK), 69.36.12.216:80->10.172.88.10:4164, NAT 69.36.12.216:80->(10.88.0.5:4164->10.172.88.10:4164), len 44
jan/23 00:03:57 firewall,info postroute FROM showip postrouti: in:(none) out:admin, src-mac f8:8e:85:af:0e:5a, proto TCP (SYN,ACK), 69.36.12.216:80->10.172.88.10:4164, NAT 69.36.12.216:80->(10.88.0.5:4164->10.172.88.10:4164), len 44

jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40
jan/23 00:03:57 firewall,info forward TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40

jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138
jan/23 00:03:57 firewall,info forward TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138# jan/23/2014 00:18:25 by RouterOS 6.7

software id = 39ZZ-BD0W

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add chain=input comment="DBG accept all" disabled=yes
add action=log chain=forward comment="to showip" dst-address=69.36.12.216
log-prefix="forward TO showip"
add action=log chain=forward comment="from showip" log-prefix=
"forward FROM showip" src-address=69.36.12.216
add chain=forward comment="DBG accept all" disabled=yes
add chain=forward comment="fwd estab" connection-state=established
add chain=forward comment="fwd related" connection-state=related
add chain=input comment="input estab" connection-state=established
add chain=input comment=dns dst-port=53 protocol=udp
add chain=input comment="input related" connection-state=related
add chain=input comment="vpn pptp" connection-state=new dst-port=1723
protocol=tcp
add chain=input comment=ping protocol=icmp
add chain=input comment=dns dst-port=53 protocol=tcp
add chain=input comment=dhcp dst-port=67 protocol=udp
add action=drop chain=input comment="block vlans" src-address=10.0.0.0/8
add action=drop chain=input comment="DROP remaining" in-interface=eth1-wan1
add chain=forward comment="PPTP client => anywhere" in-interface=all-ppp
add chain=forward comment="eth2 => anywhere" in-interface=eth2-lan
add action=drop chain=forward comment="p2p 01-04-21:40" p2p=all-p2p
add action=drop chain=forward comment="no inter-vlan" disabled=yes
dst-address=10.0.0.0/8 out-interface=!eth1-wan1
add action=drop chain=forward comment="no inter-vlan" disabled=yes
dst-address=192.168.0.0/16 out-interface=!eth1-wan1
add action=drop chain=forward comment="default configuration"
connection-state=invalid disabled=yes
add action=log chain=forward comment="DBG log" disabled=yes
add chain=forward comment=
"all outbound ok, default DROP will disable inter vlan traffic"
out-interface=eth1-wan1
add chain=forward comment=
"all outbound ok, default DROP will disable inter vlan traffic"
out-interface=eth4-wan3
add chain=forward dst-port=514 protocol=udp src-address=10.0.0.0/8
add action=drop chain=forward comment="DROP default"
add chain=forward disabled=yes

/ip firewall mangle
add action=mark-packet chain=forward comment="big downloads tcp"
connection-bytes=3000000-0 new-packet-mark=p8 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="big downloads udp"
connection-bytes=3000000-0 new-packet-mark=p8 passthrough=no protocol=udp
add action=log chain=prerouting comment="from showip" dst-address-type=!local
log-prefix="prerouting FROM showip" src-address=69.36.12.216
add action=log chain=prerouting comment="to showip" dst-address=69.36.12.216
dst-address-type=!local log-prefix="prerouting TO showip"
add action=mark-connection chain=prerouting comment="con mark in wan3"
connection-mark=no-mark in-interface=eth4-wan3 new-connection-mark=
wan3_conn
add action=mark-connection chain=prerouting comment=
"to tcp/80 from zspserver wan3" connection-mark=no-mark dst-address-type=
!local dst-port=80 new-connection-mark=wan3_conn protocol=tcp
src-address=10.172.88.10
add action=mark-routing chain=prerouting comment="route mark wan3"
connection-mark=wan3_conn new-routing-mark=wan3
add action=mark-connection chain=prerouting comment=
"dns query via UDP - NEW fwd" connection-state=new dst-port=53
new-connection-mark=dns protocol=udp
add action=mark-packet chain=prerouting comment="dns query via UDP fwd"
connection-mark=dns new-packet-mark=p1 passthrough=no
add action=mark-connection chain=output comment="dns query via UDP - NEW out"
connection-state=new dst-port=53 new-connection-mark=dns protocol=udp
add action=mark-packet chain=output comment="dns query via UDP out"
connection-mark=dns new-packet-mark=p1 passthrough=no
add action=mark-connection chain=prerouting comment="icmp FWD new"
connection-state=new new-connection-mark=icmp protocol=icmp
add action=mark-packet chain=prerouting comment="icmp FWD related"
connection-mark=icmp new-packet-mark=p1 passthrough=no
add action=mark-connection chain=output comment="router OUT new"
connection-state=new new-connection-mark=router-out
add action=mark-packet chain=output comment="router OUT related"
connection-mark=router-out new-packet-mark=p1 passthrough=no
add action=mark-connection chain=prerouting comment="internat lan NEW"
connection-state=new in-interface=internat new-connection-mark=
internat-lan
add action=mark-packet chain=prerouting comment="internat lan related"
connection-mark=internat-lan new-packet-mark=p7 passthrough=no
add action=mark-connection chain=prerouting comment="admin lan NEW"
connection-state=new in-interface=admin new-connection-mark=admin-lan
add action=mark-packet chain=prerouting comment="admin lan related"
connection-mark=admin-lan new-packet-mark=p4 passthrough=no
add action=mark-connection chain=prerouting comment="szkola lan NEW"
connection-state=new in-interface=szkola new-connection-mark=szkola-lan
add action=mark-packet chain=prerouting comment="szkola lan related"
connection-mark=szkola-lan new-packet-mark=p5 passthrough=no
add action=mark-packet chain=prerouting comment=
"router PPTP,GRE,vpn<=>lan,bcast,other" new-packet-mark=p1 passthrough=no
add action=mark-packet chain=prerouting comment="router in GRE" disabled=yes
in-interface=eth1-wan1 new-packet-mark=p1 passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="router ppp-elvis" disabled=
yes in-interface="(unknown)" new-packet-mark=p1 passthrough=no
add action=mark-packet chain=prerouting comment="VPN client <=> lans"
disabled=yes dst-address=192.168.88.0/24 new-packet-mark=p1 passthrough=
no
add action=log chain=postrouting dst-address=69.36.12.216 log-prefix=
"postroute TO showip"
add action=log chain=postrouting log-prefix="postroute FROM showip"
src-address=69.36.12.216

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=eth1-wan1 to-addresses=
0.0.0.0
add action=masquerade chain=srcnat out-interface=eth3-wan2 to-addresses=
0.0.0.0
add action=masquerade chain=srcnat out-interface=eth4-wan3 to-addresses=
0.0.0.0
add action=dst-nat chain=dstnat comment="syslog at zspserwer" dst-port=514
protocol=udp to-addresses=10.172.88.10

troy · January 24, 2014, 7:33pm

You forgot to share ip routing with us.

/ip routing export compact

boo9 · January 25, 2014, 12:25am

I have abandoned the connection oriented approach to routing.
Now I am adding routing marks on each packet, based on the src network address. This works and wan interfaces are selected correctly based on src address.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=“route internat via wan2” dst-address-list=
!local-net in-interface=internat new-routing-mark=wan2
add action=mark-routing chain=prerouting comment=“route szkola via wan3” dst-address-list=
!local-net dst-address-type=“” in-interface=szkola new-routing-mark=wan3

/ip route
add distance=1 gateway=10.88.0.1 routing-mark=wan2
add distance=1 gateway=10.46.0.1 routing-mark=wan3
add distance=1 gateway=10.0.0.1I just learned that one can have multiple connection marks, so I may be revisiting the connection oriented routing marks. Packet routing works if I dont have input connections, but I may need that in the future. http://forum.mikrotik.com/t/multiple-connection-marks/54806/1

I hope I can manage following with ROS 6.7

3 vlans, each using separate wan (no LB or failover)
connection oriented routing marks
connection oriented priorioty marks for queue tree
separate up/down qos queue tree for each vlan/wan pair.

There are some loose ends I am unable to grasp.
I understand how to control upload, by attaching HTB to wan iface.
But how do I qos download direction from specific wan iface, if the download flow goes to multiple vlans/lans., namly, connections from the router itself + connections from corresponding vlan + connections from port forwards (dstnat) that end up on other lan/vlans, In other words connections through single specific wan fan-out to multiple interfaces. I dont know how to create HTB for download with multiple interfaces.