boo9
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 5:19 pm

Second WAN routing not working

Thu Jan 23, 2014 1:23 am

Ros 6.7 RB450G

I have a setup with 3 lans (vlans admin, internat, szkola) and a single wan + qos (priorities 1-8 according to traffic type dns/icmp and according to source interface), all working fine.

Then I wanted to add an extra wan to be used exclusively by one of the vlans, to which I don't have easy access, so I cannot place a computer there.

But I wanted to test the setup and decided that on my machine Comp1 in the admin lan, which I do have access to, I would redirect the outgoing http/port-80 traffic through the second wan (eth4-wan3).

I started wireshark on "port 80 and host showip.com"
RB: very first mangle prerouting rules - log from/to showip.com
RB: very first forward two rules - log from/to showip.com
RB: very first postrouting two rules - log from/to showip

I fired off "wget showip.com" on comp1

The wireshark capture on comp1 shows:
send => SYN
recvd <= SYN,ACK
send => ACK
send => ACK, PSH (data)

The RB logs show the following:
send => SYN - goes out to wan3 // that is correct
recvd <= SYN,ACK - arrives on wan3 // that is correct
send => ACK - goes out to wan1 // wrong, why?! It should have followed the same route as => SYN

Can anybody please help me with this? I have been stumped by it since yesterday.

plain code

jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48 
jan/23 00:03:57 firewall,info forward  TO showip forward: in:admin out:eth4-wan3, src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48 
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth4-wan3, src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48 

jan/23 00:03:57 firewall,info forward FROM showip forward: in:eth4-wan3 out:admin, src-mac f8:8e:85:af:0e:5a, proto TCP (SYN,ACK), 69.36.12.216:80->10.172.88.10:4164, NAT 69.36.12.216:80->(10.88.0.5:4164->10.172.88.10:4164), len 44 
jan/23 00:03:57 firewall,info postroute FROM showip postrouti: in:(none) out:admin, src-mac f8:8e:85:af:0e:5a, proto TCP (SYN,ACK), 69.36.12.216:80->10.172.88.10:4164, NAT 69.36.12.216:80->(10.88.0.5:4164->10.172.88.10:4164), len 44 

jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40 
jan/23 00:03:57 firewall,info forward  TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40 
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40 

jan/23 00:03:57 firewall,info prerouting TO showip prerouting: in:admin out:(none), src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138 
jan/23 00:03:57 firewall,info forward  TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138 
jan/23 00:03:57 firewall,info postroute TO showip postrouting: in:(none) out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138

ros code

# jan/23/2014 00:18:25 by RouterOS 6.7
# software id = 39ZZ-BD0W
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add chain=input comment="DBG accept all" disabled=yes
add action=log chain=forward comment="to showip" dst-address=69.36.12.216 \
    log-prefix="forward  TO showip"
add action=log chain=forward comment="from showip" log-prefix=\
    "forward FROM showip" src-address=69.36.12.216
add chain=forward comment="DBG accept all" disabled=yes
add chain=forward comment="fwd estab" connection-state=established
add chain=forward comment="fwd related" connection-state=related
add chain=input comment="input estab" connection-state=established
add chain=input comment=dns dst-port=53 protocol=udp
add chain=input comment="input related" connection-state=related
add chain=input comment="vpn pptp" connection-state=new dst-port=1723 \
    protocol=tcp
add chain=input comment=ping protocol=icmp
add chain=input comment=dns dst-port=53 protocol=tcp
add chain=input comment=dhcp dst-port=67 protocol=udp
add action=drop chain=input comment="block vlans" src-address=10.0.0.0/8
add action=drop chain=input comment="DROP remaining" in-interface=eth1-wan1
add chain=forward comment="PPTP client => anywhere" in-interface=all-ppp
add chain=forward comment="eth2 => anywhere" in-interface=eth2-lan
add action=drop chain=forward comment="p2p 01-04-21:40" p2p=all-p2p
add action=drop chain=forward comment="no inter-vlan" disabled=yes \
    dst-address=10.0.0.0/8 out-interface=!eth1-wan1
add action=drop chain=forward comment="no inter-vlan" disabled=yes \
    dst-address=192.168.0.0/16 out-interface=!eth1-wan1
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes
add action=log chain=forward comment="DBG log" disabled=yes
add chain=forward comment=\
    "all outbound ok, default DROP will disable inter vlan traffic" \
    out-interface=eth1-wan1
add chain=forward comment=\
    "all outbound ok, default DROP will disable inter vlan traffic" \
    out-interface=eth4-wan3
add chain=forward dst-port=514 protocol=udp src-address=10.0.0.0/8
add action=drop chain=forward comment="DROP default"
add chain=forward disabled=yes

/ip firewall mangle
add action=mark-packet chain=forward comment="big downloads tcp" \
    connection-bytes=3000000-0 new-packet-mark=p8 passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="big downloads udp" \
    connection-bytes=3000000-0 new-packet-mark=p8 passthrough=no protocol=udp
add action=log chain=prerouting comment="from showip" dst-address-type=!local \
    log-prefix="prerouting FROM showip" src-address=69.36.12.216
add action=log chain=prerouting comment="to showip" dst-address=69.36.12.216 \
    dst-address-type=!local log-prefix="prerouting TO showip"
add action=mark-connection chain=prerouting comment="con mark in wan3" \
    connection-mark=no-mark in-interface=eth4-wan3 new-connection-mark=\
    wan3_conn
add action=mark-connection chain=prerouting comment=\
    "to tcp/80 from zspserver wan3" connection-mark=no-mark dst-address-type=\
    !local dst-port=80 new-connection-mark=wan3_conn protocol=tcp \
    src-address=10.172.88.10
add action=mark-routing chain=prerouting comment="route mark wan3" \
    connection-mark=wan3_conn new-routing-mark=wan3
add action=mark-connection chain=prerouting comment=\
    "dns query via UDP - NEW fwd" connection-state=new dst-port=53 \
    new-connection-mark=dns protocol=udp
add action=mark-packet chain=prerouting comment="dns query via UDP fwd" \
    connection-mark=dns new-packet-mark=p1 passthrough=no
add action=mark-connection chain=output comment="dns query via UDP - NEW out" \
    connection-state=new dst-port=53 new-connection-mark=dns protocol=udp
add action=mark-packet chain=output comment="dns query via UDP out" \
    connection-mark=dns new-packet-mark=p1 passthrough=no
add action=mark-connection chain=prerouting comment="icmp FWD new" \
    connection-state=new new-connection-mark=icmp protocol=icmp
add action=mark-packet chain=prerouting comment="icmp FWD related" \
    connection-mark=icmp new-packet-mark=p1 passthrough=no
add action=mark-connection chain=output comment="router OUT new" \
    connection-state=new new-connection-mark=router-out
add action=mark-packet chain=output comment="router OUT related" \
    connection-mark=router-out new-packet-mark=p1 passthrough=no
add action=mark-connection chain=prerouting comment="internat lan NEW" \
    connection-state=new in-interface=internat new-connection-mark=\
    internat-lan
add action=mark-packet chain=prerouting comment="internat lan related" \
    connection-mark=internat-lan new-packet-mark=p7 passthrough=no
add action=mark-connection chain=prerouting comment="admin lan NEW" \
    connection-state=new in-interface=admin new-connection-mark=admin-lan
add action=mark-packet chain=prerouting comment="admin lan related" \
    connection-mark=admin-lan new-packet-mark=p4 passthrough=no
add action=mark-connection chain=prerouting comment="szkola lan NEW" \
    connection-state=new in-interface=szkola new-connection-mark=szkola-lan
add action=mark-packet chain=prerouting comment="szkola lan related" \
    connection-mark=szkola-lan new-packet-mark=p5 passthrough=no
add action=mark-packet chain=prerouting comment=\
    "router PPTP,GRE,vpn<=>lan,bcast,other" new-packet-mark=p1 passthrough=no
add action=mark-packet chain=prerouting comment="router in GRE" disabled=yes \
    in-interface=eth1-wan1 new-packet-mark=p1 passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="router ppp-elvis" disabled=\
    yes in-interface="(unknown)" new-packet-mark=p1 passthrough=no
add action=mark-packet chain=prerouting comment="VPN client <=> lans" \
    disabled=yes dst-address=192.168.88.0/24 new-packet-mark=p1 passthrough=\
    no
add action=log chain=postrouting dst-address=69.36.12.216 log-prefix=\
    "postroute TO showip"
add action=log chain=postrouting log-prefix="postroute FROM showip" \
    src-address=69.36.12.216

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=eth1-wan1 to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=eth3-wan2 to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=eth4-wan3 to-addresses=\
    0.0.0.0
add action=dst-nat chain=dstnat comment="syslog at zspserwer" dst-port=514 \
    protocol=udp to-addresses=10.172.88.10
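As an added example (not from the post and not RouterOS code), the following Python parses the firewall log lines quoted above and reports any connection whose later packets left on a different interface than its SYN, which is exactly the divergence the post describes. The regex assumes the log format as printed in the post, nothing more.

```python
import re
from collections import defaultdict

# RouterOS firewall log lines copied from the post above (forward chain only, one TCP connection).
LOG = """\
jan/23 00:03:57 firewall,info forward  TO showip forward: in:admin out:eth4-wan3, src-mac 00:30:05:fa:d3:f1, proto TCP (SYN), 10.172.88.10:4164->69.36.12.216:80, len 48
jan/23 00:03:57 firewall,info forward FROM showip forward: in:eth4-wan3 out:admin, src-mac f8:8e:85:af:0e:5a, proto TCP (SYN,ACK), 69.36.12.216:80->10.172.88.10:4164, NAT 69.36.12.216:80->(10.88.0.5:4164->10.172.88.10:4164), len 44
jan/23 00:03:57 firewall,info forward  TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 40
jan/23 00:03:57 firewall,info forward  TO showip forward: in:admin out:eth1-wan1, src-mac 00:30:05:fa:d3:f1, proto TCP (ACK,PSH), 10.172.88.10:4164->69.36.12.216:80, NAT (10.172.88.10:4164->10.88.0.5:4164)->69.36.12.216:80, len 138
"""

# Fields of a "firewall,info" line as printed in the post (assumed format, not from documentation).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>.*?): in:(?P<in>\S+) out:(?P<out>[^,\s]+),"
    r".*?proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(line):
    """Parse one log line into a dict; the chain name is the last word of the log prefix."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    p = m.groupdict()
    p["chain"] = p["prefix"].split()[-1]
    p["flags"] = frozenset(p["flags"].split(",")) if p["flags"] else frozenset()
    return p

def egress_by_flow(log_text):
    """Group forward-chain packets by 5-tuple, keeping (tcp flags, out-interface) per packet."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        p = parse(line)
        if p is not None and p["chain"] == "forward":
            flows[(p["src"], p["sport"], p["dst"], p["dport"])].append((p["flags"], p["out"]))
    return flows

def find_path_splits(log_text):
    """Return {flow: (syn_egress, [(flags, other_egress), ...])} for flows whose later packets
    left on a different interface than their SYN; a policy-routed connection should keep one."""
    splits = {}
    for flow, pkts in egress_by_flow(log_text).items():
        syn_out = next((out for flags, out in pkts if flags == {"SYN"}), None)
        if syn_out is None:
            continue  # no SYN in this direction (e.g. the reply side), nothing to compare against
        wrong = [(",".join(sorted(flags)), out) for flags, out in pkts if out != syn_out]
        if wrong:
            splits[flow] = (syn_out, wrong)
    return splits
```

`find_path_splits(LOG)` reports the flow 10.172.88.10:4164 -> 69.36.12.216:80 with SYN egress eth4-wan3 and the ACK and ACK,PSH packets on eth1-wan1.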
 
troy
Member
Posts: 320
Joined: Thu Jun 30, 2005 6:47 pm

Re: Second WAN routing not working

Fri Jan 24, 2014 9:33 pm

You forgot to share ip routing with us.

/ip routing export compact
 
boo9
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 5:19 pm

Re: Second WAN routing not working

Sat Jan 25, 2014 2:25 am

I have abandoned the connection-oriented approach to routing.
Now I am adding routing marks to each packet, based on the src network address. This works and the wan interfaces are selected correctly based on src address.

ros code

/ip firewall mangle
add action=mark-routing chain=prerouting comment="route internat via wan2" dst-address-list=\
    !local-net in-interface=internat new-routing-mark=wan2
add action=mark-routing chain=prerouting comment="route szkola via wan3" dst-address-list=\
    !local-net dst-address-type="" in-interface=szkola new-routing-mark=wan3

/ip route
add distance=1 gateway=10.88.0.1 routing-mark=wan2
add distance=1 gateway=10.46.0.1 routing-mark=wan3
add distance=1 gateway=10.0.0.1

I just learned that one can have multiple connection marks, so I may be revisiting the connection-oriented routing marks. Packet routing works if I don't have input connections, but I may need that in the future. http://forum.mikrotik.com/viewtopic.php?f=2&t=59973.

I hope I can manage the following with ROS 6.7:
- 3 vlans, each using a separate wan (no LB or failover)
- connection-oriented routing marks
- connection-oriented priority marks for the queue tree
- separate up/down qos queue tree for each vlan/wan pair.

There are some loose ends I am unable to grasp.
I understand how to control upload, by attaching an HTB to the wan iface.
But how do I qos the download direction from a specific wan iface if the download flow goes to multiple vlans/lans, namely connections from the router itself + connections from the corresponding vlan + connections from port forwards (dstnat) that end up on other lans/vlans? In other words, connections through a single specific wan fan out to multiple interfaces. I don't know how to create an HTB for download with multiple interfaces.
