Can't forward port with 2 wan load balance

kingkross · Tue Feb 20, 2018 11:08 am

I can't forward port with 2 wan load balance.

Please Help me.

add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=pppoe-out1 new-connection-mark=wan1_con passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes in-interface=pppoe-out2 new-connection-mark=wan2_con passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_con disabled=yes new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_con disabled=yes new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=W-CON1 passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=Client-100
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=W-CON2 passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=Client-100
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=TO-ROUTER2 passthrough=yes src-address-list=Client-100
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=TO-ROUTER1 passthrough=yes src-address-list=Client-100
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=W-CON2 passthrough=yes src-address-list=Client-200
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=W-CON1 passthrough=yes src-address-list=Client-300
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=TO-ROUTER1 passthrough=yes src-address-list=Client-300
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=TO-ROUTER2 passthrough=yes src-address-list=Client-200
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 in-interface=pppoe-out2 protocol=tcp to-addresses=10.0.0.99 to-ports=8080
add action=dst-nat chain=dstnat dst-port=21 in-interface=pppoe-out2 protocol=tcp to-addresses=10.0.0.99 to-ports=21
add action=dst-nat chain=dstnat dst-port=3389 in-interface=pppoe-out2 protocol=tcp to-addresses=10.0.0.99 to-ports=3389
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=TO-ROUTER2
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=TO-ROUTER1
add check-gateway=ping disabled=yes distance=1 gateway=pppoe-out1
add check-gateway=ping disabled=yes distance=2 gateway=pppoe-out2

Sob · Tue Feb 20, 2018 2:37 pm

You're on the right track with those four disabled rules at the beginning. But there are some problems. First, even if you mark incoming connections correctly, first reply packet will immediatelly change the mark to another. So for those other connection marking rules, you need to add connection-mark=no-mark. Another major problem is that you're marking connections, but don't actually use those marks for anything, because you mark routing based on address lists. It also means that PCC does nothing for you, because connections from Client-100 devices will always use router 1.

Look how it's done in PCC manual, first you mark connections and then mark routing based on connection marks:
https://wiki.mikrotik.com/wiki/Manual:PCC

kingkross · Tue Feb 20, 2018 7:19 pm

Link is PPPOE. I can't specific by IP.

I'm a beginner.

Please describe me step by step.

Sob · Wed Feb 21, 2018 1:25 am

There's nothing wrong with being a beginner, but it's good to try to understand things. I'd say that linked PCC page was step by step enough, but ok, here you go, fixed mangle rules can be like this (minus possible typos):

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=W-CON1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out2 new-connection-mark=W-CON2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local new-connection-mark=W-CON1 passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=Client-100
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local new-connection-mark=W-CON2 passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=Client-100
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local new-connection-mark=W-CON2 passthrough=yes src-address-list=Client-200
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local new-connection-mark=W-CON1 passthrough=yes src-address-list=Client-300
add action=mark-routing chain=prerouting dst-address-type=!local connection-mark=W-CON1 new-routing-mark=TO-ROUTER1
add action=mark-routing chain=prerouting dst-address-type=!local connection-mark=W-CON2 new-routing-mark=TO-ROUTER2
add action=mark-routing chain=output connection-mark=W-CON1 new-routing-mark=TO-ROUTER1
add action=mark-routing chain=output connection-mark=W-CON2 new-routing-mark=TO-ROUTER2

Then you might also want to fix dstnat rules, unless in-interface=pppoe-out2 (i.e. to make them work only with pppoe-out2) in intentional.

kingkross · Wed Feb 21, 2018 5:07 am

Thanks A lots.

Can't forward port with 2 wan load balance [SOLVED]

Can't forward port with 2 wan load balance

Re: Can't forward port with 2 wan load balance

Re: Can't forward port with 2 wan load balance

Re: Can't forward port with 2 wan load balance [SOLVED]

Re: Can't forward port with 2 wan load balance

Who is online