Wrong src ip address on wan interface. RB1100AHx2 bug?

Hi. I have 2 internet service providers. Let's call them “Main ISP” (wan1) and the second one “Backup ISP” (wan2).
Every minute my script checks the connection of the main provider, and if it fails, the script changes the routing rules by disabling the one that passes all traffic through wan1 and enabling the routing rule that passes all traffic through wan2.

The problem is that my Main ISP reports to me that they see some traffic with the source IP address of my Backup ISP interface.
In general the configuration is a little bit more complicated. As you can see, I need to pass some sort of traffic (SMTP to be precise) through my Backup ISP all the time, but that's not the case, I think.

Here is my ip address list:

#   ADDRESS             NETWORK          INTERFACE
0   10.0.0.1/24         10.0.0.0         ether-local
1   220.135.67.81/28    220.135.67.80    ether-wan1
2   85.175.37.94/26     85.175.37.64     ether-wan2

Here are my routing rules:

#        DST-ADDRESS         GATEWAY          DISTANCE   ROUTING-MARK   PREF-SRC
0  A S   0.0.0.0/0           220.135.67.94    1                         220.135.67.81
1  A S   0.0.0.0/0           85.175.37.65     1          Wan2           85.175.37.94
2  X S   0.0.0.0/0           85.175.37.65     1                         85.175.37.94
3  ADC   10.0.0.0/24         ether-local      0                         10.0.0.1
4  ADC   85.175.37.64/26     ether-wan2       0                         85.175.37.94
5  ADC   220.135.67.80/28    ether-wan1       0                         220.135.67.81

I've tried some workarounds like a firewall rule and disabling and re-enabling the interfaces after the routing rules change. But still.

I have packets going out of my ether-wan1 interface with src-ip 85.175.37.94.
Does anyone have any idea what I can do about that?

By the way, my router is an RB1100AHx2 with v5.14 firmware.

It may help if you posted “/ip firewall nat”. It could be that your srcnat or masquerade rule is malfunctioning.
edit: Post “/ip firewall mangle” also. It could be the routing-mark rule.

Ok.

Here is my “/ip firewall nat”

0   chain=srcnat action=masquerade out-interface=ether-wan1 

1   chain=srcnat action=masquerade out-interface=ether-wan2 

2   ;;; Mail server
     chain=dstnat action=dst-nat to-addresses=10.0.0.82 protocol=tcp in-interface=ether-wan2 dst-port=25,465,119

Here is my “/ip firewall mangle”

0   chain=prerouting action=mark-connection new-connection-mark=Wan2 
     passthrough=yes connection-state=new protocol=tcp 
     dst-address-list=!wan1Mail in-interface=ether-local dst-port=25 

1   chain=forward action=mark-connection new-connection-mark=Wan2 
     passthrough=yes connection-state=new in-interface=ether-wan2 

2   chain=prerouting action=mark-routing new-routing-mark=Wan2 passthrough=no 
     in-interface=ether-local connection-mark=Wan2

And one more thing. On interface ether-wan2 I see the same picture. Some of the traffic is trying to pass with the src-ip from wan1, 220.135.67.81. Am I really missing something?

I would start with the mangle section. Just as a test, remove all the “/ip firewall mangle” rules, and see if the invalid network addresses still try to use the incorrect ethernet interface. With no mangle rules, all should go out one interface (ether-wan1).

edit: and translated to 220.135.67.81.

I've changed the mangle rules to these:

0   chain=prerouting action=mark-routing new-routing-mark=Wan2 passthrough=no protocol=tcp dst-address-list=!wan1Mail 
     in-interface=ether-local dst-port=25 

1   chain=forward action=mark-connection new-connection-mark=Wan2 passthrough=yes connection-state=new 
     in-interface=ether-wan2 

2   chain=prerouting action=mark-routing new-routing-mark=Wan2 passthrough=no in-interface=ether-local 
     connection-mark=Wan2

And I still see foreign packets on my interfaces after switching to the Backup ISP and back. Disabling and then enabling the Ethernet interfaces by script seems to solve the issue. But I'm not sure whether it is the right choice. Maybe I should drop established connections somehow.

By the way, what's the point of marking new connections and then marking routing according to the previous connection mark if you can mark routing from the start?

That was supposed to be my question. Did you try it without any mangle rules? If that does OK, then try this. It should send everything out ether-wan2.

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=Wan2 in-interface=ether-local

Yes, I did. The behavior is the same.
The more I work with it, the better I see the picture.
I think those IP packets come from established TCP connections. So after I switch ISP I need to reset all connections.
Unfortunately, for now I don't see any other solution than to disable and then re-enable the interfaces by script. Technically that is a solution.
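The conclusion above (masqueraded flows keep the src-nat decision made when they were created, so they keep leaving with the old WAN address until connection tracking forgets them) can be handled in the failover script itself by flushing the connection table after the route switch, instead of bouncing the interfaces. The script below is an added example, not the poster's script or MikroTik documentation; it assumes the two default routes carry the comments "wan1-default" and "wan2-default" (hypothetical names), and it probes the wan1 gateway address from the thread, which is directly connected and so reachable regardless of which default route is active.

```routeros
# Added example: ISP failover that also resets connection tracking.
# Assumed: default routes are tagged with the comments "wan1-default" and
# "wan2-default"; 220.135.67.94 is the Main ISP gateway from the thread.
:local wan1Gateway "220.135.67.94"
# Remembers which WAN the last run selected, to avoid flapping on every run.
:global wanActive

# /ping returns the number of replies received; 0 means the gateway is down.
:local replies [/ping $wan1Gateway count=3]

:if ($replies = 0) do={
    :if ($wanActive != "wan2") do={
        /ip route set [find comment="wan1-default"] disabled=yes
        /ip route set [find comment="wan2-default"] disabled=no
        # Existing masqueraded connections were translated to the wan1
        # address when they started and would keep that source address on
        # the new interface. Dropping the tracking entries forces clients to
        # re-establish, and new flows are NATed to the active WAN address.
        /ip firewall connection remove [find]
        :set wanActive "wan2"
        /log warning "Main ISP gateway unreachable; default route moved to wan2"
    }
} else={
    :if ($wanActive != "wan1") do={
        /ip route set [find comment="wan2-default"] disabled=yes
        /ip route set [find comment="wan1-default"] disabled=no
        # Same reasoning on fail-back: flows created on wan2 still carry the
        # wan2 source address, which is what the Main ISP was seeing.
        /ip firewall connection remove [find]
        :set wanActive "wan1"
        /log info "Main ISP gateway reachable; default route moved back to wan1"
    }
}
```

Run it from /system scheduler at the one-minute interval already in use. The flush also drops the SMTP flows that are meant to stay on wan2; they re-establish on their own, and the connection-mark rules still steer them to wan2.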

That sounds like a good alternative. I've tried it and it seems to have the same result.

PS. Thank you SurferTim for your help.