Mangle issue with Multiple providers

Thu Sep 01, 2016 8:48 pm

I have 3 backbone providers. I NAT all the clients to a public IP address, and some clients have their own src-nat set up to get their own public IP address. I am using ECMP in the routing table to balance out the connections across all the links. When it was just 1 provider I had zero issues with the clients who were routed to their own public IP but once I started using ECMP I began having issues.

With the top mangle rules it does force the clients with a public IP address to src-nat out the proper interface so they show up with the proper public IP address. The problem I have is trying to get back in to their equipment from behind the router with the rule enabled. Once I enable the top mangle rule I am unable to do so from behind the router, but I can do so just fine from outside my network. I have spent a lot of time trying to come up with a mangle solution that would allow back through one of the dst-nat IPs to the client's router to no avail. Any help would be appreciated.

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Make sure our StaticIP customers go out over the proper connection." new-routing-mark=to_ether1 passthrough=\
no src-address=
add action=mark-connection chain=input connection-mark=no-mark in-interface="ether1 - Provider 1" log-prefix="" new-connection-mark=ether1_conn passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface="ether2 - Provider 2" log-prefix="" new-connection-mark=ether2_conn passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface="ether3 - Provider 3" new-connection-mark=ether3_conn passthrough=no
add action=mark-routing chain=output connection-mark=ether1_conn log-prefix="" new-routing-mark=to_ether1 passthrough=no
add action=mark-routing chain=output connection-mark=ether2_conn log-prefix="" new-routing-mark=to_ether2 passthrough=no
add action=mark-routing chain=output connection-mark=ether3_conn new-routing-mark=to_ether3 passthrough=no
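A small consistency check over a mangle export in the format posted above, added here as an example and not part of the thread. It rejoins the backslash continuations, then flags match fields left empty (like the `src-address=` above) and `connection-mark` values that no `mark-connection` rule ever sets; the sample rules are constructed placeholders, not the poster's real config.

```python
"""Lint a RouterOS /ip firewall mangle export for two common mistakes."""
import re
import shlex

# Constructed sample in the shape of the rules posted above (placeholder values).
SAMPLE_EXPORT = r'''/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Static-IP customers leave via the right uplink." new-routing-mark=to_ether1 passthrough=\
no src-address=
add action=mark-connection chain=input connection-mark=no-mark in-interface="ether1 - Provider 1" new-connection-mark=ether1_conn passthrough=no
add action=mark-routing chain=output connection-mark=ether1_conn new-routing-mark=to_ether1 passthrough=no
add action=mark-routing chain=output connection-mark=ether2_conn new-routing-mark=to_ether2 passthrough=no
'''

def join_continuations(text):
    """RouterOS exports wrap long rules with a trailing backslash; rejoin them."""
    return re.sub(r"\\\n", "", text)

def parse_rules(text):
    """Return one dict of key=value pairs per 'add' line, in export (execution) order."""
    rules = []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the '/ip firewall mangle' header and blank lines
        rule = {}
        for token in shlex.split(line[4:]):  # shlex keeps quoted names like "ether1 - Provider 1" whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def lint(rules):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    defined_marks = {r["new-connection-mark"] for r in rules
                     if r.get("action") == "mark-connection" and "new-connection-mark" in r}
    for idx, rule in enumerate(rules):
        # An empty matcher (often a redacted export) must be filled in before the rule is applied.
        for key in ("src-address", "dst-address", "in-interface", "out-interface"):
            if key in rule and rule[key] == "":
                findings.append(f"rule {idx}: '{key}' is empty")
        # A routing mark keyed on a connection mark nobody sets can never fire.
        cm = rule.get("connection-mark")
        if cm and cm != "no-mark" and cm not in defined_marks:
            findings.append(f"rule {idx}: connection-mark '{cm}' is never set by a mark-connection rule")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_rules(SAMPLE_EXPORT)):
        print(finding)
```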
Re: Mangle issue with Multiple providers

Fri Sep 02, 2016 5:40 pm

A couple of questions:

1) Please clarify what you mean by "behind" the router. Do you mean when you try to access it from inside your network (LAN)?
2) What is the LAN IP of the computer that you are using to try to access your clients' routers?
3) What are the LAN IPs (or IP range) of your clients that get src-nat-ed to the public IP addresses?
4) Did you list the mangle rules in the order in which they are executed (sorted by rule number)?
