I have a setup with 3 LANs (VLANs admin, internat, szkola) and a single WAN + QoS (priorities 1-8 according to traffic type, DNS/ICMP, and according to source interface), all working fine.
Then I wanted to add an extra WAN to be used exclusively by one of the VLANs, to which I don't have easy access, so I cannot place a computer there.
But I wanted to test the setup, and decided that for my machine Comp1 in the admin LAN, which I do have access to, I will redirect the outgoing HTTP/port-80 traffic through the second WAN (eth4-wan3).
I started Wireshark on "port 80 and host showip.com".
RB: very first mangle prerouting rules - log from/to showip.com
RB: very first forward rules (two) - log from/to showip.com
RB: very first postrouting rules (two) - log from/to showip.com
I fired off "wget showip.com" on Comp1.
The Wireshark capture on Comp1 shows:
send => SYN
recvd <= SYN,ACK
send => ACK
send => ACK, PSH (data)
The RB logs show the following:
send => SYN - goes out to wan3 // that is correct
recvd <= SYN,ACK - arrives on wan3 // that is correct
send => ACK - goes out to wan1 // wrong, why?!!! It should have followed the same route as => SYN
Can anybody please help me with this? I have been stumped by this since yesterday.
plain code
jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48
jan/23 00:03:57 firewall,info forward TO showip forward: in:admin out:eth4-wan3, src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth4-wan3, src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48
jan/23 00:03:57 firewall,info forward FROM showip forward: in:eth4-wan3 out:admin, src-mac f8:8e:85:af:0e:5a, proto TCP (SYN,ACK), 69.36.12.216:80->10.172.88.10:4164, NAT 69.36.12.216:80->(10.88.0.5:4164->10.172.88.10:4164), len 44
jan/23 00:03:57 firewall,info postroute FROM showip postrouti: in:(none) out:admin, src-mac f8:8e:85:af:0e:5a, proto TCP (SYN,ACK), 69.36.12.216:80->10.172.88.10:4164, NAT 69.36.12.216:80->(10.88.0.5:4164->10.172.88.10:4164), len 44
jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40
jan/23 00:03:57 firewall,info forward TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40
jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138
jan/23 00:03:57 firewall,info forward TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138
ros code
# jan/23/2014 00:18:25 by RouterOS 6.7
# software id = 39ZZ-BD0W
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="DBG accept all" disabled=yes
add action=log chain=forward comment="to showip" dst-address=69.36.12.216 log-prefix="forward TO showip"
add action=log chain=forward comment="from showip" log-prefix="forward FROM showip" src-address=69.36.12.216
add chain=forward comment="DBG accept all" disabled=yes
add chain=forward comment="fwd estab" connection-state=established
add chain=forward comment="fwd related" connection-state=related
add chain=input comment="input estab" connection-state=established
add chain=input comment=dns dst-port=53 protocol=udp
add chain=input comment="input related" connection-state=related
add chain=input comment="vpn pptp" connection-state=new dst-port=1723 protocol=tcp
add chain=input comment=ping protocol=icmp
add chain=input comment=dns dst-port=53 protocol=tcp
add chain=input comment=dhcp dst-port=67 protocol=udp
add action=drop chain=input comment="block vlans" src-address=10.0.0.0/8
add action=drop chain=input comment="DROP remaining" in-interface=eth1-wan1
add chain=forward comment="PPTP client => anywhere" in-interface=all-ppp
add chain=forward comment="eth2 => anywhere" in-interface=eth2-lan
add action=drop chain=forward comment="p2p 01-04-21:40" p2p=all-p2p
add action=drop chain=forward comment="no inter-vlan" disabled=yes dst-address=10.0.0.0/8 out-interface=!eth1-wan1
add action=drop chain=forward comment="no inter-vlan" disabled=yes dst-address=192.168.0.0/16 out-interface=!eth1-wan1
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=log chain=forward comment="DBG log" disabled=yes
add chain=forward comment="all outbound ok, default DROP will disable inter vlan traffic" out-interface=eth1-wan1
add chain=forward comment="all outbound ok, default DROP will disable inter vlan traffic" out-interface=eth4-wan3
add chain=forward dst-port=514 protocol=udp src-address=10.0.0.0/8
add action=drop chain=forward comment="DROP default"
add chain=forward disabled=yes
/ip firewall mangle
add action=mark-packet chain=forward comment="big downloads tcp" connection-bytes=3000000-0 new-packet-mark=p8 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="big downloads udp" connection-bytes=3000000-0 new-packet-mark=p8 passthrough=no protocol=udp
add action=log chain=prerouting comment="from showip" dst-address-type=!local log-prefix="prerouting FROM showip" src-address=69.36.12.216
add action=log chain=prerouting comment="to showip" dst-address=69.36.12.216 dst-address-type=!local log-prefix="prerouting TO showip"
add action=mark-connection chain=prerouting comment="con mark in wan3" connection-mark=no-mark in-interface=eth4-wan3 new-connection-mark=wan3_conn
add action=mark-connection chain=prerouting comment="to tcp/80 from zspserver wan3" connection-mark=no-mark dst-address-type=!local dst-port=80 new-connection-mark=wan3_conn protocol=tcp src-address=10.172.88.10
add action=mark-routing chain=prerouting comment="route mark wan3" connection-mark=wan3_conn new-routing-mark=wan3
add action=mark-connection chain=prerouting comment="dns query via UDP - NEW fwd" connection-state=new dst-port=53 new-connection-mark=dns protocol=udp
add action=mark-packet chain=prerouting comment="dns query via UDP fwd" connection-mark=dns new-packet-mark=p1 passthrough=no
add action=mark-connection chain=output comment="dns query via UDP - NEW out" connection-state=new dst-port=53 new-connection-mark=dns protocol=udp
add action=mark-packet chain=output comment="dns query via UDP out" connection-mark=dns new-packet-mark=p1 passthrough=no
add action=mark-connection chain=prerouting comment="icmp FWD new" connection-state=new new-connection-mark=icmp protocol=icmp
add action=mark-packet chain=prerouting comment="icmp FWD related" connection-mark=icmp new-packet-mark=p1 passthrough=no
add action=mark-connection chain=output comment="router OUT new" connection-state=new new-connection-mark=router-out
add action=mark-packet chain=output comment="router OUT related" connection-mark=router-out new-packet-mark=p1 passthrough=no
add action=mark-connection chain=prerouting comment="internat lan NEW" connection-state=new in-interface=internat new-connection-mark=internat-lan
add action=mark-packet chain=prerouting comment="internat lan related" connection-mark=internat-lan new-packet-mark=p7 passthrough=no
add action=mark-connection chain=prerouting comment="admin lan NEW" connection-state=new in-interface=admin new-connection-mark=admin-lan
add action=mark-packet chain=prerouting comment="admin lan related" connection-mark=admin-lan new-packet-mark=p4 passthrough=no
add action=mark-connection chain=prerouting comment="szkola lan NEW" connection-state=new in-interface=szkola new-connection-mark=szkola-lan
add action=mark-packet chain=prerouting comment="szkola lan related" connection-mark=szkola-lan new-packet-mark=p5 passthrough=no
add action=mark-packet chain=prerouting comment="router PPTP,GRE,vpn<=>lan,bcast,other" new-packet-mark=p1 passthrough=no
add action=mark-packet chain=prerouting comment="router in GRE" disabled=yes in-interface=eth1-wan1 new-packet-mark=p1 passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="router ppp-elvis" disabled=yes in-interface="(unknown)" new-packet-mark=p1 passthrough=no
add action=mark-packet chain=prerouting comment="VPN client <=> lans" disabled=yes dst-address=192.168.88.0/24 new-packet-mark=p1 passthrough=no
add action=log chain=postrouting dst-address=69.36.12.216 log-prefix="postroute TO showip"
add action=log chain=postrouting log-prefix="postroute FROM showip" src-address=69.36.12.216
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=eth1-wan1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=eth3-wan2 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=eth4-wan3 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="syslog at zspserwer" dst-port=514 protocol=udp to-addresses=10.172.88.10
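Editor's note, with an added example that is not part of the original post or of any MikroTik code. Read in the posted order, the prerouting mangle chain explains the log: the SYN is a connection-state=new packet arriving on admin, so after "to tcp/80 from zspserver wan3" has set wan3_conn and "route mark wan3" has tagged the SYN itself with routing mark wan3, the later "admin lan NEW" rule (which has no connection-mark=no-mark matcher) overwrites the conntrack entry's mark with admin-lan. A routing mark lives only on the packet it was applied to, so the ACK arrives with connection mark admin-lan, matches neither of the wan3 rules, and is routed by the main table out wan1. The Python model below pushes the SYN and ACK of one constructed flow through the relevant subset of the posted rules, then through an assumed fix (connection-mark=no-mark added to the per-LAN mark-connection rule, plus an assumed extra mark-packet rule so the wan3 flow keeps a QoS priority instead of falling through to the catch-all p1). The rule names, the `Packet`/`Rule` classes and the `run_prerouting` function are this example's own; the mark semantics modelled (mark-connection replaces the connection's mark, mark-routing tags only the current packet, passthrough=no ends the chain for that packet) are the standard RouterOS ones.

```python
# Added illustration for the thread above; not code from the original post or
# from MikroTik. It models only the RouterOS mangle semantics needed to explain
# the observed routing: mark-connection overwrites the conntrack entry's mark,
# mark-routing tags only the packet currently being processed, and a rule with
# passthrough=no ends chain processing for that packet.
from dataclasses import dataclass, field


@dataclass
class Packet:
    flags: str        # TCP flags, for labelling only
    in_iface: str
    src: str
    dport: int
    proto: str
    state: str        # conntrack state as seen in prerouting: new / established
    routing_mark: str = "main"   # "main" = no routing mark, main table is used
    packet_mark: str = ""


@dataclass
class Rule:
    comment: str
    action: str       # mark-connection | mark-routing | mark-packet
    new_mark: str
    passthrough: bool = True
    match: dict = field(default_factory=dict)


def rule_matches(rule, pkt, conn_mark):
    """Evaluate the subset of matchers used in the post's prerouting rules."""
    want = rule.match.get("connection-mark")
    if want == "no-mark" and conn_mark != "":
        return False
    if want not in (None, "no-mark") and conn_mark != want:
        return False
    for key, attr in (("in-interface", "in_iface"), ("src-address", "src"),
                      ("dst-port", "dport"), ("protocol", "proto"),
                      ("connection-state", "state")):
        if key in rule.match and getattr(pkt, attr) != rule.match[key]:
            return False
    return True


def run_prerouting(rules, packets):
    """Push the packets of one flow through the chain, sharing one conntrack entry.

    Returns one (flags, connection mark after the packet, routing mark,
    packet mark) tuple per packet.
    """
    conn_mark = ""            # the single conntrack entry for this flow
    result = []
    for pkt in packets:
        for rule in rules:
            if not rule_matches(rule, pkt, conn_mark):
                continue
            if rule.action == "mark-connection":
                conn_mark = rule.new_mark          # replaces any earlier mark
            elif rule.action == "mark-routing":
                pkt.routing_mark = rule.new_mark   # affects this packet only
            elif rule.action == "mark-packet":
                pkt.packet_mark = rule.new_mark
            if not rule.passthrough:
                break
        result.append((pkt.flags, conn_mark, pkt.routing_mark, pkt.packet_mark))
    return result


def flow():
    """Constructed sample: the SYN and the following ACK of the post's wget."""
    common = dict(in_iface="admin", src="10.172.88.10", dport=80, proto="tcp")
    return [Packet("SYN", state="new", **common),
            Packet("ACK", state="established", **common)]


# The posted prerouting rules that touch this flow, in the posted order.
POSTED = [
    Rule("con mark in wan3", "mark-connection", "wan3_conn",
         match={"connection-mark": "no-mark", "in-interface": "eth4-wan3"}),
    Rule("to tcp/80 from zspserver wan3", "mark-connection", "wan3_conn",
         match={"connection-mark": "no-mark", "src-address": "10.172.88.10",
                "dst-port": 80, "protocol": "tcp"}),
    Rule("route mark wan3", "mark-routing", "wan3",
         match={"connection-mark": "wan3_conn"}),
    Rule("admin lan NEW", "mark-connection", "admin-lan",
         match={"connection-state": "new", "in-interface": "admin"}),
    Rule("admin lan related", "mark-packet", "p4", passthrough=False,
         match={"connection-mark": "admin-lan"}),
    Rule("router ... other", "mark-packet", "p1", passthrough=False),
]

# Assumed fix: the per-LAN mark-connection rule only claims unmarked connections,
# and an assumed extra mark-packet rule keeps a QoS priority for wan3_conn flows.
FIXED = POSTED[:3] + [
    Rule("wan3 conn packet mark (assumed)", "mark-packet", "p4", passthrough=False,
         match={"connection-mark": "wan3_conn"}),
    Rule("admin lan NEW (with no-mark)", "mark-connection", "admin-lan",
         match={"connection-mark": "no-mark", "connection-state": "new",
                "in-interface": "admin"}),
] + POSTED[4:]


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name)
        for row in run_prerouting(rules, flow()):
            print("  flags=%-4s conn-mark=%-10s routing-mark=%-5s packet-mark=%s" % row)
```

With the posted order the SYN leaves with routing mark wan3 but the connection ends up marked admin-lan, and the ACK gets no routing mark at all, which is the wan3/wan1 split in the log. With the assumed fix both packets carry wan3. The same overwrite applies to the internat and szkola rules, so all three per-LAN mark-connection rules would need connection-mark=no-mark (or the wan3 marking must happen after them, which would instead starve the wan3 flow of its LAN-based QoS mark). The model covers only the LAN-to-WAN direction and the matchers the posted rules use; it does not model routing-table lookup itself.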