bedamusa

Problem with load balancing on RB433AH

Sun Oct 30, 2016 10:25 am

This is my current configuration:

WAN1 = real (public) IP
WAN2 = ADSL
# Interfaces: two bridges (Local for LAN clients, WAN2 for the ADSL side),
# one 2.4 GHz access point and two renamed ethernet ports.
/interface bridge
add name=Local
add name=WAN2
# Access point on band 2ghz-b/g (802.11b/g only), auto channel, SSID NotFree2.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g frequency=auto mode=ap-bridge \
    name=LocalWlan ssid=NotFree2
/interface ethernet
set [ find default-name=ether3 ] name=LocalLan
set [ find default-name=ether1 ] name=WAN1
# Default security profile. Only the WPA authentication types (wpa-psk,
# wpa-eap) are enabled, not the WPA2 ones (wpa2-psk / wpa2-eap), and the
# pre-shared key in this export is 0000000000. NOTE(review): if that key is
# real rather than a redaction like the 88.87....... addresses, it is trivial
# to guess; a WPA2 profile with a long random key is the usual fix.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa-eap mode=\
    dynamic-keys supplicant-identity=Sapnet wpa-pre-shared-key=0000000000
# Addressing: LAN clients are served 192.168.2.20-254 on the Local bridge;
# WAN1 holds the public /24 (redacted as 88.87....... in the post); WAN2 is
# the 192.168.1.0/24 side of the ADSL modem, reached through the WAN2 bridge.
/ip pool
add name=dhcp_pool1 ranges=192.168.2.20-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=Local name=dhcp1
# ether2 (towards the ADSL modem) is the only member of the WAN2 bridge;
# the wired LAN port and the AP are bridged together as Local.
/interface bridge port
add bridge=WAN2 interface=ether2
add bridge=Local interface=LocalLan
add bridge=Local interface=LocalWlan
/ip address
add address=88.87......./24 interface=WAN1 network=88.87.......
add address=192.168.1.2/24 interface=WAN2 network=192.168.1.0
add address=192.168.2.1/24 interface=Local network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
# allow-remote-requests=yes turns the router into a DNS resolver for
# clients. Nothing in the filter rules of this export restricts dst-port 53
# on the input chain, so the resolver is presumably reachable from WAN1 as
# well (open-resolver / amplification exposure). NOTE(review): verify and,
# if so, drop udp/tcp 53 arriving on the WAN interfaces.
/ip dns
set allow-remote-requests=yes servers=88.87.......,88.87.......
# Firewall filter. As exported here the input chain has neither an
# established/related accept nor a final drop: whatever does not match one
# of the brute-force or port-scan rules below is accepted, also when it
# arrives on WAN1/WAN2. NOTE(review): confirm no rules were left out of the
# post before relying on this.
/ip firewall filter
# FTP: the router's own FTP server sends "530 Login incorrect" on a failed
# login. The second rule (default action accept) lets through up to the
# dst-limit (1/1m, burst 9, keyed per dst-address); replies beyond that fall
# to the third rule, which puts the client on ftp_blacklist for 3h, after
# which the first rule drops its new port-21 connections.
add action=drop chain=input comment=\
    "Bruteforce login prevention(ftp: drop ftp brute forcers)" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=output comment="Bruteforce login prevention(ftp: 530 Login incorrect\
    \_to limit dst address)" content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment=\
    "Bruteforce login prevention(ftp: 530 Login incorrect to ftp_blacklist)" \
    content="530 Login incorrect" protocol=tcp
# SSH: staged ladder. A new connection to port 22 puts the source on
# ssh_stage1 (12h); another new connection while on stage1 promotes it to
# stage2 (6h), then stage3 (1h), then ssh_blacklist (4w2d), which is
# dropped. The rules are ordered blacklist -> stage3 -> stage2 -> stage1 so
# that a single connection advances one stage only.
add action=drop chain=input comment=\
    "Bruteforce login prevention(ssh: drop ssh brute forcers)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(ssh: stage3 to blacklist)" connection-state=\
    new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(ssh: stage2 to stage3)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1 to stage2)" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(ssh: stage1)" connection-state=new dst-port=\
    22 protocol=tcp
# Blacklisted SSH sources are also dropped in the forward chain, i.e. they
# cannot reach port 22 on hosts behind the router either. No equivalent
# forward rule exists for the telnet or winbox lists below.
add action=drop chain=forward comment=\
    "Bruteforce login prevention(ssh: drop ssh brute downstream)" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
# Telnet: same ladder as SSH (12h / 6h / 1h / 4w2d) on port 23.
add action=drop chain=input comment=\
    "Bruteforce login prevention(Telnet: droop telnet brute forcers)" \
    dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=4w2d chain=input comment=\
    "Bruteforce login prevention(Telnet: stage3 to telnet_blacklist)" \
    connection-state=new dst-port=23 protocol=tcp src-address-list=\
    telnet_stage_3
add action=add-src-to-address-list address-list=telnet_stage_3 \
    address-list-timeout=1h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage2 to stage3)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_2
add action=add-src-to-address-list address-list=telnet_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1 to stage2)" connection-state=\
    new dst-port=23 protocol=tcp src-address-list=telnet_stage_1
add action=add-src-to-address-list address-list=telnet_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Telnet: stage1)" connection-state=new \
    dst-port=23 protocol=tcp
# Winbox (port 8291): same ladder, but winbox_stage_3 expires after 1m
# instead of the 1h used for ssh/telnet, so the blacklist step only fires
# if the fourth attempt lands within a minute of the third. NOTE(review):
# probably a typo for 1h. Blacklist timeout is 2w1d here, not 4w2d.
add action=drop chain=input comment=\
    "Bruteforce login prevention(Winbox: droop Winbox brute forcers)" \
    dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=2w1d chain=input comment=\
    "Bruteforce login prevention(Winbox: stage3 to winbox_blacklist)" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=\
    winbox_stage_3
add action=add-src-to-address-list address-list=winbox_stage_3 \
    address-list-timeout=1m chain=input comment=\
    "Bruteforce login prevention(Winbox: stage2 to stage3)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_2
add action=add-src-to-address-list address-list=winbox_stage_2 \
    address-list-timeout=6h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1 to stage2)" connection-state=\
    new dst-port=8291 protocol=tcp src-address-list=winbox_stage_1
add action=add-src-to-address-list address-list=winbox_stage_1 \
    address-list-timeout=12h chain=input comment=\
    "Bruteforce login prevention(Winbox: stage1)" connection-state=new \
    dst-port=8291 protocol=tcp
# Port-scan detection: psd (weight threshold 21, 3s delay, low/high port
# weights 3/1) plus a set of abnormal tcp-flags combinations each put the
# source on the "port scanners" list for 2w; the final rule drops that list.
# Sources land on the list before the first rule's own packet is dropped,
# since these add-src rules have no drop of their own.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# Mangle: per-connection-classifier (PCC) load balancing over WAN1/WAN2.
/ip firewall mangle
# Connections that arrive on a WAN get that WAN's connection mark, and the
# router's own replies (output chain) are then routed back out through the
# same WAN by the matching routing mark.
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
    WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 log-prefix="" \
    new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
# LAN traffic to the WAN1 block and to the ADSL modem's subnet is accepted
# here so it is not PCC-marked and stays on the main table. NOTE(review):
# this uses /23 while the WAN1 address is a /24 -- presumably the wider
# ISP block on purpose; verify.
add action=accept chain=prerouting dst-address=88.87......./23 in-interface=\
    Local
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    Local
# Remaining LAN traffic not addressed to the router itself
# (dst-address-type=!local) is split into two buckets by hashing both
# addresses and ports: bucket 0 -> WAN1_conn, bucket 1 -> WAN2_conn.
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=Local new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
# The connection mark selects the routing table for every packet of the
# connection.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=Local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=Local new-routing-mark=to_WAN2
# Source NAT: masquerade behind whichever WAN the packet leaves on.
/ip firewall nat
add action=masquerade chain=srcnat log-prefix="" out-interface=WAN1
add action=masquerade chain=srcnat log-prefix="" out-interface=WAN2
# Routes. The to_WAN1 and to_WAN2 tables each hold exactly one gateway, with
# no backup entry; only the main table has a distance-2 fallback via the
# ADSL gateway. The last entry is a disabled duplicate of the distance-1
# default route. NOTE(review): check-gateway=ping only notices the next hop
# itself going silent; an outage upstream of a still-pingable gateway will
# not deactivate the route.
/ip route
add check-gateway=ping comment=Telnet distance=1 gateway=88.87....... \
    routing-mark=to_WAN1
add check-gateway=ping comment="ADSL" distance=1 gateway=192.168.1.1 \
    routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=88.87.......
add check-gateway=ping distance=2 gateway=192.168.1.1
add disabled=yes distance=1 gateway=88.87.......
But if WAN1 is down, traffic is not going to WAN2. Can someone help me and tell me where the problem is?
 
scampbell

Re: Problem with load balancing on RB433AH

Sun Oct 30, 2016 7:52 pm

If you want the system to fail over should one or the other WAN stop, then you need to add a backup route for each WAN (being the other WAN with a higher distance).

You have done this for the main routing table but not for the to_WAN1 or to_WAN2 tables.

# All of these belong under /ip route. Each marked table gets its own WAN
# at distance 1 and the other WAN at distance 2, so when check-gateway=ping
# deactivates the primary, traffic carrying that routing-mark takes the
# backup instead of having no usable route in its table.
#Main Routes
add check-gateway=ping comment=Telnet distance=1 gateway=88.87....... \
routing-mark=to_WAN1
add check-gateway=ping comment="ADSL" distance=1 gateway=192.168.1.1 \
routing-mark=to_WAN2

# Backup routes
add check-gateway=ping comment=Telnet distance=2 gateway=88.87....... \
routing-mark=to_WAN2
add check-gateway=ping comment="ADSL" distance=2 gateway=192.168.1.1 \
routing-mark=to_WAN1
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
bedamusa

Re: Problem with load balancing on RB433AH

Mon Oct 31, 2016 9:52 am

Thanks scampbell.
