futrix
just joined
Topic Author
Posts: 8
Joined: Thu May 06, 2010 12:47 pm

Dual WAN + incoming connections problem

Thu Aug 26, 2010 12:42 pm

Hello!

I've got an RB1100 router. Until yesterday there was only one DSL connection and it used to work fine. The router serves PPTP and forwards some ports to internally located servers. Yesterday a new DSL connection appeared, and it should handle all NAT traffic except email sending/receiving. PPTP and all 'forwarded' services should remain on the 'old' DSL.

I've created a new route for the new DSL connection with distance 1 and changed the distance to 2 on the old DSL route. I've also created prerouting rules to mark email packets with the label 'symetryk'. Then I've changed the Routing Mark field on the old DSL route to 'symetryk'. Internally all works fine - email traffic goes through the old DSL and other traffic goes through the new DSL - but PPTP and the 'forwarded' services stopped working.

When I remove the routing mark from the route and set the distance to 1 on both default gateways, the services work fine, but all traffic goes through the old DSL, which is not what I want.

Where to look for the answer?

Kind regards,
Krzysztof Kiszewski
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Dual WAN + incoming connections problem

Thu Aug 26, 2010 4:42 pm

Post your mangle rules, NAT rules and routing configuration.
 
futrix
just joined
Topic Author
Posts: 8
Joined: Thu May 06, 2010 12:47 pm

Re: Dual WAN + incoming connections problem

Thu Aug 26, 2010 5:09 pm

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    ip.add.re.ss scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether13_wan src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether13_wan src-address=192.168.56.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether12_wan2 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=FTP disabled=no dst-port=20 \
    in-interface=ether13_wan protocol=tcp to-addresses=192.168.0.254 \
    to-ports=20
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=21 \
    in-interface=ether13_wan protocol=tcp to-addresses=192.168.0.254 \
    to-ports=21
add action=dst-nat chain=dstnat comment=Kamery disabled=no dst-port=8080 \
    in-interface=ether13_wan protocol=tcp to-addresses=192.168.0.3 to-ports=\
    80

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=25 \
    new-routing-mark=symetryk passthrough=no protocol=tcp src-address=\
    192.168.0.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=587 \
    new-routing-mark=symetryk passthrough=no protocol=tcp src-address=\
    192.168.0.0/24

/ip firewall filter
add action=accept chain=input comment="" disabled=no in-interface=ether13_wan \
    protocol=icmp
add action=accept chain=input comment="" connection-state=established \
    disabled=no in-interface=ether13_wan
add action=accept chain=input comment="" connection-state=related disabled=no \
    in-interface=ether13_wan
add action=log chain=input comment=PPTP disabled=no dst-port=1723 \
    in-interface=ether13_wan log-prefix="" protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=1723 \
    in-interface=ether13_wan protocol=tcp
add action=accept chain=input comment=FTP disabled=no dst-port=20 \
    in-interface=ether13_wan protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=21 \
    in-interface=ether13_wan protocol=tcp
add action=accept chain=input comment=Kamery disabled=no dst-port=8080 \
    in-interface=ether13_wan protocol=tcp
add action=accept chain=input comment=Dude disabled=no dst-port=2211 \
    in-interface=ether13_wan protocol=tcp
add action=log chain=input comment=WinBox disabled=no dst-port=8291 \
    in-interface=ether13_wan log-prefix="" protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=8291 \
    in-interface=ether13_wan protocol=tcp
add action=reject chain=input comment="Odrzu\E6 reszt\EA" disabled=yes \
    in-interface=ether13_wan reject-with=icmp-network-unreachable
This is the current state, where I have access to the services and WinBox. When I change the distance and routing mark on the gateways, the services are not accessible.
 
futrix
just joined
Topic Author
Posts: 8
Joined: Thu May 06, 2010 12:47 pm

Re: Dual WAN + incoming connections problem

Mon Aug 30, 2010 9:15 am

Any advice?
 
Tomislav
just joined
Posts: 1
Joined: Tue May 31, 2011 3:04 am
Location: Belgrade, Serbia

Re: Dual WAN + incoming connections problem

Tue May 31, 2011 3:15 am

Similar problem here.
I'm new to MikroTik, but have heard only good things. I used one of the sample scripts to enable dual-WAN load balancing, but I lost access to my internal website and FTP from the WAN. If I unplug the 2nd WAN link, the servers are accessible. Tried playing with firewall rules but still nothing.

Any help is more than welcome!
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Dual WAN + incoming connections problem

Tue May 31, 2011 8:08 pm

What causes this is the routing table. When a connection comes in on a certain route, i.e. your new DSL line, the router then looks at its routing table to determine what route to use to respond back on. If the other internet connection you have has a lesser distance, it will then use that route to respond back to you, thus making an invalid connection.

What you need to do is mark connections that come in on a specific interface and then use routing marks to ensure that they go out the same interface again.
add action=mark-connection chain=input disabled=no in-interface=ether1 new-connection-mark=input1_connection passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=ether2 new-connection-mark=input2_connection passthrough=yes
add action=mark-routing chain=output connection-mark=input1_connection disabled=no new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=output connection-mark=input2_connection disabled=no new-routing-mark=to_outside2 passthrough=no
You also need to do the same thing if you plan on forwarding to servers behind the firewall.
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether1 new-connection-mark=outside1_connection passthrough=no
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether2 new-connection-mark=outside2_connection passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=no
Note that you also need appropriate routes with the correct routing marks in them for this to work.
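As an added example (not Feklar's or futrix's own configuration), the approach above applied to the interface names from futrix's export, together with the marked routes it needs. It assumes RouterOS v6 syntax (routing-mark on routes); OLD_DSL_GW and NEW_DSL_GW are placeholders for the two gateway addresses, and the LAN subnet 192.168.0.0/24 is taken from the export.

```routeros
# Added example, not from the thread. ether13_wan = old DSL (PPTP and the
# dst-nat'ed services stay here), ether12_wan2 = new DSL (default for
# everything else). OLD_DSL_GW / NEW_DSL_GW are placeholders.

/ip firewall mangle
# Connections that arrive on a WAN interface and terminate on the router
# itself (PPTP on 1723, WinBox, ...) are marked in input; the router's own
# replies then get the matching routing mark in output, before the routing
# decision for locally generated packets.
add chain=input in-interface=ether13_wan connection-state=new \
    action=mark-connection new-connection-mark=wan1_in passthrough=yes
add chain=input in-interface=ether12_wan2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_in passthrough=yes
add chain=output connection-mark=wan1_in \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=output connection-mark=wan2_in \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no

# Connections dst-nat'ed to internal servers (FTP, cameras) pass through
# forward, where the final destination is already known. Their replies come
# back from the LAN with a 192.168.0.x source (reverse NAT happens later),
# so prerouting, which runs before the routing decision, marks them.
add chain=forward in-interface=ether13_wan connection-state=new \
    action=mark-connection new-connection-mark=wan1_fwd passthrough=no
add chain=forward in-interface=ether12_wan2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_fwd passthrough=no
add chain=prerouting src-address=192.168.0.0/24 connection-mark=wan1_fwd \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting src-address=192.168.0.0/24 connection-mark=wan2_fwd \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no

/ip route
# Marked tables: one default route each, so replies leave the way they came in.
add dst-address=0.0.0.0/0 gateway=OLD_DSL_GW routing-mark=to_wan1 distance=1 \
    comment="replies for connections that arrived on old DSL"
add dst-address=0.0.0.0/0 gateway=NEW_DSL_GW routing-mark=to_wan2 distance=1 \
    comment="replies for connections that arrived on new DSL"
# futrix's email mark (dst-port 25/587 from the LAN) keeps using the old DSL.
add dst-address=0.0.0.0/0 gateway=OLD_DSL_GW routing-mark=symetryk distance=1
# Main table for unmarked (new outbound) traffic: new DSL first, old as backup.
add dst-address=0.0.0.0/0 gateway=NEW_DSL_GW distance=1
add dst-address=0.0.0.0/0 gateway=OLD_DSL_GW distance=2

# Checks: the marked routes must be active, and an inbound PPTP or FTP
# connection should show the expected connection mark while it is open.
/ip route print where routing-mark=to_wan1
/ip firewall connection print where connection-mark=wan1_fwd
```

The masquerade and dst-nat rules from futrix's export stay as they are; only the mangle rules and the marked routes are new. If `/ip route print` shows the marked routes as inactive, the gateway placeholders have not been replaced or the gateway is not reachable on that interface, and the replies will fall back to the main table and leave on the wrong DSL.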
 
duvi
Frequent Visitor
Posts: 70
Joined: Fri Jun 05, 2009 12:32 pm

Re: Dual WAN + incoming connections problem

Wed Jun 01, 2011 10:40 am

add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether1 new-connection-mark=outside1_connection passthrough=no
add action=mark-connection chain=forward connection-state=new disabled=no in-interface=ether2 new-connection-mark=outside2_connection passthrough=no
Why do you use "passthrough=no" here?

Thanks!
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Dual WAN + incoming connections problem

Wed Jun 01, 2011 6:12 pm

It saves CPU cycles primarily, and those are the only rules of that type that I have on the forward chain. Once a connection has a mark, every packet that is a part of that connection also has the same mark. Once that has happened, there is no need to process that packet further.

You have to mark the connection in forward since the traffic is being forwarded through the router to a server behind the router; otherwise it doesn't know its final destination yet. Then you have to mark for routing in prerouting because the router will decide how to route the reply packets after prerouting, but before forward.

http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram
 
macxie2011
just joined
Posts: 1
Joined: Sat Jun 11, 2011 4:17 am

Re: Dual WAN + incoming connections problem

Sat Jun 11, 2011 5:54 am

Just set up DDNS and apply for a domain name from Changeip.net, use a script to do the DNS update on ROS, and then you can connect the VPN through the domain name instead of the IP address.
 
klap
just joined
Posts: 12
Joined: Fri Dec 30, 2016 9:28 pm

Re: Dual WAN + incoming connections problem

Fri Dec 30, 2016 9:33 pm

Hello, I have the same problem. I have a client PC with special software, and that software needs to connect to FTP to upload some files, but the application gives me this error:

Registros con errores graves: 0
30/12/2016 - 16:09:20 - M:2 - TFrmEnviarDatosCelular.SubirTxtServidorConnect timed out.
30/12/2016 - 16:22:18 - M:2 - TFrmEnviarDatosCelular.SubirTxtServidorNo transfer timeout (600 seconds): closing control connection

I did what you said about the marks, but it doesn't work.

I paste my /ip firewall mangle:
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=change-mss new-mss=1410 tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1411-65535
1 D chain=forward action=change-mss new-mss=1410 tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1411-65535
2 chain=input action=mark-connection new-connection-mark=WAN1_conn passthrough=yes in-interface=WAN1 log=no
log-prefix=""
3 chain=input action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=WAN2 log=no
log-prefix=""
4 chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn log=no
log-prefix=""
5 chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn log=no
log-prefix=""
6 chain=prerouting action=accept dst-address=192.168.3.0/24 in-interface=Local log=no log-prefix=""
7 chain=prerouting action=accept dst-address=192.168.2.0/24 in-interface=Local log=no log-prefix=""
8 chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 log=no log-prefix=""
9 chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 log=no log-prefix=""
10 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn
in-interface=Local log=no log-prefix=""
11 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn
in-interface=Local log=no log-prefix=""
12 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn
in-interface=Local log=no log-prefix=""
13 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn
in-interface=Local log=no log-prefix=""
14 ;;; FTP_POSTROUTING
chain=postrouting action=mark-connection new-connection-mark=FTP passthrough=yes protocol=tcp dst-port=21 log=no
log-prefix=""
15 ;;; FTP_PRE_ROUTING
chain=prerouting action=mark-connection new-connection-mark=FTP passthrough=yes protocol=tcp dst-port=21 log=no
log-prefix=""
16 ;;; FTP_GENERAL
chain=postrouting action=mark-packet new-packet-mark=FTP_GENERAL passthrough=no connection-mark=FTP log=no
log-prefix=""
17 ;;; FTP_GENERAL
chain=prerouting action=mark-packet new-packet-mark=FTP_GENERAL passthrough=no connection-mark=FTP log=no
log-prefix=""
18 chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=FTP
packet-mark=FTP_GENERAL log=no log-prefix=""
19 chain=input action=mark-connection new-connection-mark=input1_connection passthrough=yes in-interface=WAN1
20 chain=input action=mark-connection new-connection-mark=input2_connection passthrough=yes in-interface=WAN2
21 chain=output action=mark-routing new-routing-mark=to_outside1 passthrough=no connection-mark=input1_connection
22 chain=input action=mark-connection new-connection-mark=input2_connection passthrough=yes in-interface=WAN2
23 chain=output action=mark-routing new-routing-mark=to_outside2 passthrough=no connection-mark=input2_connection
24 chain=forward action=mark-connection new-connection-mark=outside1_connection passthrough=no connection-state=new
in-interface=WAN1
25 chain=forward action=mark-connection new-connection-mark=outside2_connection passthrough=no connection-state=new
in-interface=WAN2
26 chain=prerouting action=mark-routing new-routing-mark=to_outside1 passthrough=no connection-mark=outside1_connectio>
27 chain=prerouting action=mark-routing new-routing-mark=to_outside2 passthrough=no connection-mark=outside2_connectio>

Thanks and happy new year!
