SSH connection and Loadbalancer

Hi Guys

I have a strange problem and I think it’s because of the MT load balancing.

This is my DNAT rule which seems to be working fine.

chain=dstnat dst-address=172.22.2.100 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.68 to-ports=22

I can see the connection coming into the MT, but at the remote end it is just timing out. I think this is due to the request coming in on one WAN connection and returning on the other WAN connection. Can anyone tell me how I can make sure that the port 22 request routes back out the same connection it came in on?

Thanks Mark

You have to mangle those packets coming in on WAN2 and send them back out WAN2. Search this thread for an example:

http://forum.mikrotik.com/t/policy-routing-logging-in-problem/14153/2

Sam

Hi Sam,

Thanks for the pointer. I still can’t get this damn thing to work. I ran torch and can see that dst-nat is working, but I am still not getting a response back from the server. I have tried to mark the connection, packet and route and added the static + policy route; please see below:

x.x.x.x = the client address trying to connect to the server. I am not 100% sure it should be that address.

chain=dstnat dst-address=172.22.2.100 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.68 to-ports=22

27 chain=prerouting dst-address=x.x.x.x protocol=tcp dst-port=22 connection-mark=ssh action=mark-connection new-connection-mark=ssh passthrough=yes

28 chain=prerouting dst-address=x.x.x.x protocol=tcp dst-port=22 packet-mark=ssh action=mark-packet new-packet-mark=ssh passthrough=yes

29 chain=postrouting dst-address=x.x.x.x protocol=tcp dst-port=22 routing-mark=ssh action=mark-routing new-routing-mark=ssh passthrough=yes

2 dst-address=86.22.69.205/32 action=lookup table=ssh

Basically I need to make sure that the SSH return path is routed out through WAN1 …

Thanks Mark

Rather than trying to only route SSH out WAN2, you should route anything that comes in on WAN2 back out WAN2.

27 chain=prerouting in-interface=wan2 action=mark-connection new-connection-mark=in-wan2-conn passthrough=yes

Then mark those packets belonging to in-wan2-conn with a new packet mark, and then route-mark those packets. in-interface=wan2 is the key: you want to mangle anything coming in on wan2 so you can later send it back out wan2. There is a clear example of this on the link above.

Sam
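A complete version of the approach Sam describes, as an added example that is not from the thread or the linked post. Interface names wan1/wan2, RouterOS v6 syntax and the WAN2_GATEWAY placeholder are assumptions; the DNAT rule and server address are the ones from Mark’s post.

```routeros
# Added example: send replies to connections that arrived on wan2 back out wan2.
# Assumptions: WAN interfaces are named wan1 and wan2, RouterOS v6 syntax,
# and WAN2_GATEWAY is a placeholder for the real WAN2 next hop.

/ip firewall nat
# The existing port forward; in-interface restricts it to traffic arriving on wan2.
add chain=dstnat in-interface=wan2 dst-address=172.22.2.100 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.1.68 to-ports=22 \
    comment="ssh to internal server via wan2"

/ip firewall mangle
# 1. Tag every new connection that enters on wan2. The mark lives in the
#    connection-tracking entry, so reply packets of that connection carry it too.
add chain=prerouting in-interface=wan2 connection-state=new \
    action=mark-connection new-connection-mark=in-wan2-conn passthrough=yes

# 2. Only reply packets (arriving from the LAN side, not from wan2) get the
#    routing mark. Marking the inbound packets as well would try to send
#    traffic destined for the LAN server towards the wan2 gateway.
add chain=prerouting in-interface=!wan2 connection-mark=in-wan2-conn \
    action=mark-routing new-routing-mark=out-wan2 passthrough=no

/ip route
# 3. The routing table "out-wan2" only needs a default route via the wan2 next hop.
add dst-address=0.0.0.0/0 gateway=WAN2_GATEWAY routing-mark=out-wan2 \
    comment="return path for connections that entered on wan2"

# Checks: an open SSH session should show up with the connection mark, and the
# counters of the mark-routing rule should increase while it is active.
/ip firewall connection print where connection-mark=in-wan2-conn
/ip firewall mangle print stats where new-routing-mark=out-wan2
```

On RouterOS v7 the table must first be created with /routing table add name=out-wan2 fib, and the route uses routing-table=out-wan2 instead of routing-mark=.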

Hi Sam,

I used your example and mangle picked up the traffic. I then added the routing policy. I then noticed that ether1 had no TX rate … it was receiving but no TX … I disabled the policy and the TX started working again ???

Strange

Mark

Go ahead and post the following if you want me to look at it more:

/ip route export
/ip firewall mangle export

Sam

This is a variant of the problem I’ve been struggling with – read a few of my posts for some solutions…