Community discussions

 
morze
just joined
Topic Author
Posts: 5
Joined: Wed Jun 15, 2016 9:53 am

TCP per connection failover

Sun Feb 18, 2018 12:47 pm

Hi!
I have a fast, but not very good ISP, some web sites not opens with syn_sent. I have a VPN connection, thru wich theese websites work fine. It would be nice to add each (fail to connect) IP-address automaticly to address list to apply the routing mark on next connection to this IP. How this can be done with RouterOS?
1) forward to IP xxx (tcp 80/443)
2) Tcp connection failed (no responce from xxx)
3) Add xxx to "thru VPN" Address list.
"re-trying to forward failed tcp connectrions to other gateway".
May be possible to match in filter or mangle syn_sent but not establised tcp connections?
Can anybody help? Thanks.
 
disa
just joined
Posts: 17
Joined: Fri May 12, 2017 11:04 am

Re: TCP per connection failover

Mon Feb 19, 2018 11:35 am

Hi!
I have a fast, but not very good ISP, some web sites not opens with syn_sent. I have a VPN connection, thru wich theese websites work fine. It would be nice to add each (fail to connect) IP-address automaticly to address list to apply the routing mark on next connection to this IP. How this can be done with RouterOS?
1) forward to IP xxx (tcp 80/443)
2) Tcp connection failed (no responce from xxx)
3) Add xxx to "thru VPN" Address list.
"re-trying to forward failed tcp connectrions to other gateway".
May be possible to match in filter or mangle syn_sent but not establised tcp connections?
Can anybody help? Thanks.
I suppose it's possible with scripting
 
morze
just joined
Topic Author
Posts: 5
Joined: Wed Jun 15, 2016 9:53 am

Re: TCP per connection failover

Mon Feb 19, 2018 8:18 pm

Not very graceful, but working solution:
/ip firewall filter
 add action=add-dst-to-address-list address-list=tcp1 address-list-timeout=5s chain=forward  dst-port=443,80 out-interface=wan1 protocol=tcp tcp-flags=syn
 add action=add-dst-to-address-list address-list=tcp2 address-list-timeout=1s chain=forward  dst-port=443,80 out-interface=wan1 protocol=tcp tcp-flags=syn
 add action=add-src-to-address-list address-list=tcp2 address-list-timeout=10s chain=forward in-interface=wan1 protocol=tcp src-port=443,80 tcp-flags=syn
/ip firewall mangle
 add action=mark-routing chain=prerouting dst-address-list=tcp1 new-packet-mark=tcp1 passthrough=yes protocol=tcp
 add action=add-dst-to-address-list address-list=vpn address-list-timeout=12h chain=prerouting dst-address-list=!tcp2 packet-mark=tcp1
- Adding new connections IP for 5s (may be longer) in tcp1 and for 1s in tcp2;
- Add any respond host in tcp2 for 10s (must be loger then tcp1);
- In the mangle add any host from tcp1, but not existent in tcp2 (not respond) to vpn list.
After that I can apply routing-mark to ip from vpn list.
Can anybody do it better? )

Who is online

Users browsing this forum: No registered users and 36 guests