Community discussions

MikroTik App
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

pcc load balance uneven upstream connections

Sat Jun 15, 2013 11:38 am

Hi

I have three adsl lines which i load balanced with pcc. It works well. 2 lines speed is 4 megs and the 3rd is 10 meg. When i add another pcc connection to add more weight to wan 3 nothing happens. i added a picture showing no traffic on the last pcc connection on wan 3. is this normal or am i doing something wrong?


https://www.dropbox.com/s/43hmqa9enj79vy9/pcc.jpg
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Sun Jun 16, 2013 3:11 am

Double check the mangle rules

It is my understanding that you just add additional PCC rules marked with the appropriate connection.
Make sure your PCC is adjusted with each new additional rule an that its assigned to mark the connection you want more usage from.

In the examples I've found giving more weight to one connection of two available you would do the following:
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
Hopefully I have the right answer there, but I have questions of my own so I could be wrong.
I'm not using the above as part of my mangle setup, as I'm just trying to get the initial PCC setup properly.
Below is the rule set I followed when setting up PCC using a server assigned static-IP via PPPoE and a DHCP cable connection.
So its seemingly different than any example I have been able to find.

/ip firewall mangle
add chain=input in-interface=PPPoE action=mark-connection new-connection-mark=PPPoE_conn
add chain=input in-interface=ether8 action=mark-connection new-connection-mark=ether8_conn
 
add chain=output connection-mark=PPPoE_conn action=mark-routing new-routing-mark=to_PPPoE
add chain=output connection-mark=ether8_conn action=mark-routing new-routing-mark=to_ether8
 
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local  
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local  
 
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=ether8_conn passthrough=yes
 
add chain=prerouting connection-mark=PPPoE_conn in-interface=Local action=mark-routing new-routing-mark=to_PPPoE
add chain=prerouting connection-mark=ether8_conn in-interface=Local action=mark-routing new-routing-mark=to_ether8
 
/ip route
add dst-address=0.0.0.0/0 gateway=PPPoE routing-mark=to_PPPoE check-gateway=arp
add dst-address=0.0.0.0/0 gateway=ether8 routing-mark=to_ether8 check-gateway=arp
 
add dst-address=0.0.0.0/0 gateway=PPPoE distance=1 check-gateway=arp
add dst-address=0.0.0.0/0 gateway=ether8 distance=2 check-gateway=arp
 
/ip firewall nat
add chain=srcnat out-interface=PPPoE action=masquerade
add chain=srcnat out-interface=ether8 action=masquerade
What is the significance of:
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

I do not have a static dst-address to assign here since the PPP address is received upon connection and in my routing I'm using the PPPoE interface & eth interface connected to the Cable modem as the gateway. An with the cable connection, its a DHCP address. I simply did not enter the two above mangle rules an things seem to be working. But I'm sure it will lead to issues unless I can figure out some other way of applying these actions.
An I have a 3rd connection available to me, via City Wide Hotspot, I however don't want it apart of the PCC as it requires a login that I only know. Can I setup a standard routing rule to provide a 3rd an essentially "backup only" connection that will turn up if the extremely rare case the DSL an Cable connection were to fail at the same time?

Also, other than just trying to watch the packet counts, how can you tell PCC is working properly. Is there a reliable method for testing?
I know my fail-over is working as disabling one interface or the other, I can continue to reach outside of my gateway, but that is not the purpose of PCC.
Tests on such sites as speedtest.net are inconclusive.

After I get the basic setup done an confirmed done properly I might consider weighing the cable over the DSL, but I'm trying to take this one success at a time.

Thanks!
Last edited by rooin on Sun Jun 16, 2013 3:35 am, edited 1 time in total.
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Sun Jun 16, 2013 3:15 am

I'm also finding something is configured wrong as I have to keep logging to try an submit my post on this forum.
However my bank website seems to work without issue.
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Sun Jun 16, 2013 11:59 am

i have added my config. i use pppoe on mikrotik and just renamed the pppoe connections as WAN1 2 and 3. not sure perhaps this is why i cant add another pcc connection to mangle to add load to wan 3. perhaps the pros can enlighten. In most example there are ip's used.

This rule i cant add as my destination is dynamic. I notice one of your connections are also pppoe.

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local



/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
    WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
    WAN2_conn
add action=mark-connection chain=input in-interface=WAN3 new-connection-mark=\
    WAN3_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
add action=mark-routing chain=output connection-mark=WAN3_conn \
    new-routing-mark=to_WAN3
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN1_conn per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN2_conn per-connection-classifier=\
    both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=LAN new-connection-mark=WAN3_conn per-connection-classifier=\
    both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting dst-address-type=!local
    in-interface=LAN new-connection-mark=WAN3_conn per-connection-c
    both-addresses-and-ports:3/3
add action=mark-routing chain=prerouting connection-mark=WAN2_conn 
    in-interface=LAN new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN3_conn 
    in-interface=LAN new-routing-mark=to_WAN3
add action=mark-routing chain=prerouting connection-mark=WAN1_conn 
    in-interface=LAN new-routing-mark=to_WAN1
Routes
/ip route
add check-gateway=ping distance=1 gateway=WAN2 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=WAN3 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=WAN1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=WAN1
add check-gateway=ping distance=2 gateway=WAN2
add check-gateway=ping distance=3 gateway=WAN3
NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
Perhaps you can see something i missed.

Thanks
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Sun Jun 16, 2013 11:42 pm

You are using a very similar setup.
Guess we will have to await someone who can explain the significance of the destination routes for addresses we do not have.
Hopefully we will both be enlightened by someone who can shed some light on this.
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Mon Jun 17, 2013 12:00 am

Found another mangle rule set that doesn't use the ones we have in question but has more to it otherwise...
I think I might give this a shot as things are not working properly for me currently. I keep getting intermittent connection issues, where just retrying my request its fine.
/ip firewall mangle
add action=mark-connection chain=input connection-state=new disabled=no in-interface=PPPoE new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=input connection-state=new disabled=no in-interface=ether8 new-connection-mark=WAN2 passthrough=yes

add action=mark-connection chain=prerouting connection-state=established disabled=no in-interface=PPPoE new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=established disabled=no in-interface=ether8 new-connection-mark=WAN2 passthrough=yes

add action=mark-connection chain=prerouting connection-state=related disabled=no in-interface=PPPoE new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=related disabled=no in-interface=ether8 new-connection-mark=WAN2 passthrough=yes

add action=mark-routing chain=output connection-mark=WAN1 disabled=no new-routing-mark=static-WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2 disabled=no new-routing-mark=static-WAN2 passthrough=no

add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local in-interface=ether1-Network new-connection-mark=WAN1_pcc passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local in-interface=ether1-Network new-connection-mark=WAN2_pcc passthrough=yes per-connection-classifier=both-addresses:2/1

add action=mark-connection chain=prerouting connection-state=established disabled=no dst-address-type=!local in-interface=ether1-Network new-connection-mark=WAN1_pcc passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=established disabled=no dst-address-type=!local in-interface=ether1-Network new-connection-mark=WAN2_pcc passthrough=yes per-connection-classifier=both-addresses:2/1

add action=mark-connection chain=prerouting connection-state=related disabled=no dst-address-type=!local in-interface=ether1-Network new-connection-mark=WAN1_pcc passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=related disabled=no dst-address-type=!local in-interface=ether1-Network new-connection-mark=WAN2_pcc passthrough=yes per-connection-classifier=both-addresses:2/1

add action=mark-routing chain=prerouting connection-mark=WAN1_pcc disabled=no new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_pcc disabled=no new-routing-mark=WAN2 passthrough=yes
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Mon Jun 17, 2013 1:41 pm

Currently using the following, so far so good.
chain=input action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes in-interface=PPPoE 
chain=input action=mark-connection new-connection-mark=ether8_conn passthrough=yes in-interface=ether8 

chain=output action=mark-routing new-routing-mark=to_PPPoE passthrough=yes connection-mark=PPPoE_conn 
chain=output action=mark-routing new-routing-mark=to_ether8 passthrough=yes connection-mark=ether8_conn 

chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses-and-ports:2/0 
chain=prerouting action=mark-connection new-connection-mark=ether8_conn passthrough=yes dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses-and-ports:2/1 

chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes connection-state=new dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/0 
chain=prerouting action=mark-connection new-connection-mark=ether8_conn passthrough=yes connection-state=new dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/1 

chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes connection-state=established dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/0 
chain=prerouting action=mark-connection new-connection-mark=ether8_conn passthrough=yes connection-state=established dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/1 

chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes connection-state=related dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/0 
chain=prerouting action=mark-connection new-connection-mark=ether8_conn passthrough=yes connection-state=related dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/1 

chain=prerouting action=mark-routing new-routing-mark=to_PPPoE passthrough=yes in-interface=ether1-Network connection-mark=PPPoE_conn 
chain=prerouting action=mark-routing new-routing-mark=to_ether8 passthrough=yes in-interface=ether1-Network connection-mark=ether8_conn
[Edit]
On a side note:
Even better news, this site is functioning better. I don't have to get lucky when I submit the post.
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Mon Jun 17, 2013 9:48 pm

Glad to hear. hope someone can help me with mine.

I think the reason why your one works better is because you are using "both-addresses-and-ports" in your per connection classifier. i don't think you need to duplicate the per connection classifier. The key in your case may be the use of addresses and the ports.


chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes connection-state=new dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/0 
chain=prerouting action=mark-connection new-connection-mark=ether8_conn passthrough=yes connection-state=new dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/1 

chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes connection-state=established dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/0 
chain=prerouting action=mark-connection new-connection-mark=ether8_conn passthrough=yes connection-state=established dst-address-type=!local in-interface=ether1-Network per-connection-classifier=both-addresses:2/1 
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Tue Jun 18, 2013 3:23 am

Although I'm not completely sure how the new, established an related prerouting mangles change how the traffic is handled, perhaps you want to give them a go?

I was getting traffic on both WAN's but it just didn't feel right.
An the issue where I had to keep logging into this site made me realize it wasn't working properly.


Totally just realized my PCC settings were different between the 2 original ones I had an the 6 additional that I added.
Going to try changing them all to address & port an see how it goes.

[edit]
Very badly. address/port breaks things like crazy, had to logging to the forums twice just to edit this post after making that change.
Changed all too by address an will see how that goes now.
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Thu Sep 05, 2013 1:41 am

An update to all this, that I am still working out bugs and issues an really have been trying to put the final grasp on some of these configuration options.
I'm going to post a small book here an hope that someone can turn on my lightbulb an get me on my way.
When having to deal with Mangle chains I am stumped on the reason for each chain choice can someone please lay this out for me.

The Wiki is rather vague:
chain (name; Default: ) Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created.
I will put what I feel is my understanding of each an see how wrong I am.
chain=prerouting: header changes; ie connection labels, packet labels, all packets WAN or LAN
chain=input: packets destined for the mikrotik itself.
chain=forward: packets destined for a device behind the mikrotik
chain=output: packets leaving the Mikrotik WAN(s); routing changes etc...
chain=postrouting: Not even sure what to say on this one...

The reason I bring this up is there are so many examples of PCC balancing out there. some use prerouting, some use input, an forward. Then you have some that do a combination of two or even all three, with the same "inbound" rules, just applying a different chain. That to me points to uncertainty of not really knowing exactly which chain you need to apply.
I'm sure someone out there can answer this an provide the description needed for people to choose the right chain for their needs. redundant chains seems like a easy way to raise CPU overhead.

The other issues I am facing is inbound connections destined for devices behind my NAT. I'm experiencing issues where people who share the same WAN2 provider as me are unable to load web content behind my NAT. But at my work for example, I can reach the same content without issue. (not the same provider as my WAN2)
So I did more web crawling. forum reading an TikTube watching an now I'm at a place where nothing from the outside works an my hairpin access doesn't even work anymore.
Connection balancing seems to be working.

So at this point Im going to summarize what I have for connections/network & what services over those connections I want to accomplish.

- WAN1: PPPoE bridged connection w/ server assigned static IP. ~22/2Mb
- WAN2: DHCP assigned NOT static Cable connection; Charter. ~30/4Mb
- LAN: typical household 192.168.1.0/24 NAT'd private network.
- PCC: For increased throughput and connection failover (either direction; I understand if the DSL goes down, my hosting goes down)
- Web hosting: I host a very basic website from my home via the DSL connection on a Synology NAS.
I would like HTTP 80 requests to accept/return connections over the DSL(mangle), but would also like the NAS to be able to perform its own internet requests over both WANs for increased throughput. So I've ruled out src address routing the NAS to only the DSL for that reason.
- Gaming: I'm also a gamer, an I would think that allowing a Friend to connect to me shouldn't be a issue if all of my mangle rules to keep the connection stuck to one WAN or the other should allow this, and that I have the correct ports opened on the firewall. (which was never a issue prior to attempting PCC)

Here is my current config prints relative to the connections/routing
Filter
[admin@RB2011] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Input: Drop Invalid | LAN access | LAN established | LAN related | ping | drop
     chain=input action=drop connection-state=invalid 

 1   chain=input action=accept connection-state=new in-interface=ether1-Network 

 2   chain=input action=accept connection-state=established 

 3   chain=input action=accept connection-state=related 

 4   chain=input action=accept protocol=icmp 

 5   chain=input action=drop 

 6   ;;; Forward: Drop Invalid | LAN access | LAN established | LAN related | drop
     chain=forward action=drop connection-state=invalid 

 7   chain=forward action=accept connection-state=new in-interface=ether1-Network 

 8   chain=forward action=accept connection-state=established 

 9   chain=forward action=accept connection-state=related 

10   chain=forward action=drop 
Mangle Notes
address list "LAN" is just the private 192.168.1.0/24 network, I don't have static WAN routes due to PPPoE and DHCP connections, so I can't specify those IPs like used in Manual: PCC page.
Eventhough the PPPoE is a static IP, its server assigned static, so I pick it up dynamically when the PPP connects. So I at least told it to quit processing LAN destined traffic.
/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24  action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24  action=accept in-interface=LAN
With policy routing it is possible to force all traffic to the specific gateway, even if traffic is destined to the host (other that gateway) from the connected networks. This way routing loop will be generated and communications with those hosts will be impossible. To avoid this situation we need to allow usage of default routing table for traffic to connected networks.
Ive yet to see a ping/tracert go out the other WAN when destined for that WAN's network.
[admin@RB2011] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Accept LAN
     chain=prerouting action=accept src-address-list=LAN dst-address-list=LAN 

 1   ;;; Connection Marks
     chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes in-interface=PPPoE-WAN1 connection-mark=no-mark 

 2   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=ether8-WAN2 connection-mark=no-mark 

 3   ;;; Connection Splitting
     chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes dst-address-type=!local in-interface=ether1-Network connection-mark=no-mark 
     per-connection-classifier=both-addresses:2/0 

 4   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=ether1-Network connection-mark=no-mark 
     per-connection-classifier=both-addresses:2/1 

 5   ;;; Packet Routes
     chain=prerouting action=mark-routing new-routing-mark=WAN1-Route passthrough=yes in-interface=ether1-Network connection-mark=PPPoE_conn 

 6   chain=prerouting action=mark-routing new-routing-mark=WAN2-Route passthrough=yes in-interface=ether1-Network connection-mark=WAN2_conn 

 7   ;;; Outbound Packet Marks
     chain=output action=mark-routing new-routing-mark=WAN1-Route passthrough=yes connection-mark=PPPoE_conn 

 8   chain=output action=mark-routing new-routing-mark=WAN2-Route passthrough=yes connection-mark=WAN2_conn 
Routes
 [admin@RB2011] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=PPPoE-WAN1 gateway-status=PPPoE-WAN1 reachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=WAN1-Route 

 1 A S  dst-address=0.0.0.0/0 gateway=ether8-WAN2 gateway-status=ether8-WAN2 reachable check-gateway=arp distance=1 scope=30 target-scope=10 routing-mark=WAN2-Route 

 2 A S  dst-address=0.0.0.0/0 gateway=PPPoE-WAN1 gateway-status=PPPoE-WAN1 reachable distance=2 scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=ether8-WAN2 gateway-status=ether8-WAN2 reachable distance=3 scope=30 target-scope=10 

 4 ADC  dst-address=10.255.1.1/32 pref-src=[WAN1 IP ADDR] gateway=PPPoE-WAN1 gateway-status=PPPoE-WAN1 reachable distance=0 scope=10 

 5 ADC  dst-address=[WAN2 IP ADDR] pref-src=[WAN2 IP SRC] gateway=ether8-WAN2 gateway-status=ether8-WAN2 reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.xxx gateway=ether1-Network gateway-status=ether1-Network reachable distance=0 scope=10 
NAT - It's my understanding that if Mangle is setup properly, I don't need to use any marking here, just treat it like the only connection available, an worked fine with the DSL only.
chain=dstnat action=dst-nat to-addresses=192.168.1.xxx to-ports=80 protocol=tcp dst-address=[WAN1 IP addr.] in-interface=PPPoE-WAN1 dst-port=80
Hairpin to allow me to hit my site from the inside by name, which worked up until my attempts to get the outside working fully.
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.xxx out-interface=ether1-Network dst-port=80
An a example hole for Torchlight 2 game hosting. Which again, worked without issue prior to 2nd Connection an PCC.
;;; TL2
chain=dstnat action=dst-nat to-addresses=192.168.1.xxx to-ports=4171-4179 protocol=udp dst-port=4171-4179 
So currently HTTP requests are timing out from anywhere, game hosting isn't working, but the connections seem to be balancing.
An I won't find out for sure until I try an post this message if secure website logins are broken or not. (was working prior to latest changes)

Any and all help would be appreciated, thank you.
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Thu Sep 05, 2013 9:14 am

Hi

I found a way to get internal ip's to use specific wan's. I used this mangle rules in the wiki below before i sent the rest of the ip's to be balanced.

http://wiki.mikrotik.com/wiki/Load_Bala ... e_Gateways

I only created a group A and sent all my dedicated ip's straight to wan1. These ip's will not balance but at least it wont get lost.Then i continued with the normal balancing. If the mangle rule does not fall in group A it continues to be balanced across wan 1 and wan 2. this will only help for ip's needing to go through one wan from inside your network.

However the dst nat rule to get people outside your network to access ip's internally does not work on balancing.
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Thu Sep 05, 2013 10:03 am

Well I know my website will be limited to the DSL connection, which is fine with me, its a light website anyway.
However I wish to allow the NAS that its on to still span its internet requests (from my network) across both WAN connections.
I can't lock its LAN IP into a routed group WAN configuration, that will prevent -all- of its traffic from utilizing the 2nd WAN, not just the HTTP inbound requests.

From what I'm reading I've got to be on the right path, I'm just missing a key element here that is throwing the whole thing off track.
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Thu Sep 05, 2013 10:22 am

Ok so if i understand correct you have a web server and other pc's on a specific nas and you want other pc's to be load balanced and web server to stay constant wan. Are you using masquerade on the nas router to get to the wan which im assuming is on another router? If so the wan router sees the request coming from the nas and not the ip. If you create a dst nat on the wan router point it to web server it will end up going nas router.
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Thu Sep 05, 2013 3:30 pm

No, any inbound HTTP request originating from the internet would be pointed to my DSL (static IP), I want all requests back to it to return on the same connection to prevent issues.
But this would also go for game hosting that could happen on either WAN an be dynamic by its nature, but for the duration of the connection, stay on the same WAN to prevent any connection issues as well.
You do not have the required permissions to view the files attached to this post.
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Sat Sep 07, 2013 2:29 pm

So I think I have things mostly working at this point.

Bonded speed seems to be there, secure sites not broken (that I've found) an outside world can get to the website.
 1   ;;; Connection Marks
     chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes in-interface=PPPoE-WAN1 connection-mark=no-mark 

 2   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=ether8-WAN2 connection-mark=no-mark 

 3   ;;; Connection Splitting
     chain=prerouting action=mark-connection new-connection-mark=PPPoE_conn passthrough=yes dst-address-type=!local in-interface=ether1-Network connection-mark=no-mark per-connection-classifier=both-addresses:2/0 

 4   chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=ether1-Network connection-mark=no-mark per-connection-classifier=both-addresses:2/1 

 5   ;;; Packet Routes
     chain=prerouting action=mark-routing new-routing-mark=WAN1-Route passthrough=yes in-interface=ether1-Network connection-mark=PPPoE_conn 

 6   chain=prerouting action=mark-routing new-routing-mark=WAN2-Route passthrough=yes in-interface=ether1-Network connection-mark=WAN2_conn 

 7   ;;; Outbound Packet Marks
     chain=output action=mark-routing new-routing-mark=WAN1-Route passthrough=yes connection-mark=PPPoE_conn 

 8   chain=output action=mark-routing new-routing-mark=WAN2-Route passthrough=yes connection-mark=WAN2_conn 
Had to disable the drop filter rules, not exactly sure how those are processed (other than in order) an in relation to the NAT and Mangle rules... either way, disabled opened traffic up again.
The chain input drop and chain forward drop that I had in the Filter Rules in a prior post. Anyone clarify this? I know I should have rules that pretty much say "Discard everything else" but how that applies an mingles with NAT rules an such apparently is beyond my current understanding, as all I was seeing was counts on the filter an couldn't get in until I disabled them.

Then the issue with loading extremely slowly ended up being errors on my DSL connection. Also now resolved. (not happy it took over 2 days)
Had a friend test the website from the outside, says it loads fine and as fast as one would expect on a 2Mb upload.

Now I'm trying to get my hairpin to work properly.
The rule that I was using without issue prior to the 2nd WAN connection isn't working.
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.xxx protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade
I feel this has to do with the opening accept rule that I can't properly apply in my mangle since I don't have static ip's I can apply like in the examples people use.
I do however have the accept rule for traffic sourced/destined for my network.
chain=prerouting action=accept src-address-list=LAN dst-address-list=LAN


When I attempt to load my website by name internally my browsers status bar flips a couple of times showing the url/not/showing/not an then times out. this takes roughly 3 seconds or so.

Any ideas?
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Wed Sep 11, 2013 6:02 pm

Ok just and update not sure if its going to work properly but accessing my internal network from outside seems to work better when i did not specify a out interface on my masquerade rule.

/ip firwall nat
srcnat action and masquerade and no out interface.


will it cause problems if i dont specify a out interface?

Currently it looks like this....
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=3389 protocol=tcp \
    to-addresses=192.168.11.253 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-port=8181 protocol=tcp \
    to-addresses=10.0.200.2 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=9000 protocol=tcp \
    to-addresses=192.168.52.200 to-ports=80
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN3
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=dst-nat chain=dstnat disabled=yes dst-port=8181 protocol=tcp \
    to-addresses=10.0.200.2 to-ports=80
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Thu Sep 12, 2013 8:25 am

Your dest-nat rules look fine to me.
chain=dstnat action=dst-nat to-addresses=192.168.1.xxx to-ports=80 protocol=tcp dst-address=[WAN IP] in-interface=PPPoE-WAN1 dst-port=80
I specify my WAN inbound as I only want port 80 requests from that WAN to be directed, the others can be dropped. The above rule works fine for my web hosting.

I still haven't figured out my hairpin though. I used to be able to just www.address.com and it would come up just as if I had pulled it up "local" but it just times out now.
Any variation I do to the old hairpin NAT rule has made no difference.
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Thu Sep 12, 2013 8:37 am

Have you tried NOT specifying a out interface on your masquerade rule. With mine now set with no out interface things work pretty fast. Will update if there are any problems.
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Thu Sep 12, 2013 10:41 am

No change.
 chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.1.xxx dst-port=80
Still get the momentary "Looking for..." "Connecting to..." an time out.

I see no counters hit either in the inbound WAN dst-nat or the internal hairpin rule.
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Thu Sep 12, 2013 11:13 am

No src ip, no dst ip, no port
chain=srcnat action=masquerade 
 
rooin
newbie
Posts: 31
Joined: Tue Feb 22, 2011 10:44 am

Re: pcc load balance uneven upstream connections

Thu Sep 12, 2013 11:21 am

Not quite sure I see a point to that.
 
happydaddy
Member Candidate
Member Candidate
Topic Author
Posts: 145
Joined: Thu May 24, 2007 12:18 am

Re: pcc load balance uneven upstream connections

Thu Nov 21, 2013 12:32 am

Possible Sollution below for the packets being blackholed

1.2.3.4= WAN ip
192.168.1.10=server
192.168.1.0/24 Lan

IF you have wan ip which changes add a script to resolve host. Do not add in-interface only use WAN IP.
# DST-NAT rule to redirect port 3389 from
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=1.2.3.4 dst-address-type=local dst-port=3389 protocol=tcp to-addresses=192.168.1.10 to-ports=3389 comment="Redirect RDP PORT  TCP 3389 to local server"
 
# Masquerade local traffic going to mikrotik WAN IP - [To access that service from LAN using mikrtoik wan ip]
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=3389 out-interface=LAN-Interface action=masquerade comment="Masquerade Traffic going to WAN IP of mikrotik from local LAN users"

Who is online

Users browsing this forum: No registered users and 18 guests