upower3
Member
Topic Author
Posts: 384
Joined: Thu May 07, 2015 11:46 am

Mark packets on one router so another one can use the marks?

Sun Jul 09, 2017 10:06 pm

I have a bit of an odd setup: imagine a LAN with two routers (MikroTiks, RouterOS is the latest current), each connected to its own ISP (so the WAN IPs are of course different). The LAN is the same network; only the IPs on the routers are different:

Router 1:
ether1 (WAN): 1.1.1.1/24
bridge1 (LAN): 192.168.88.1/24

Router 2:
ether1 (WAN): 2.2.2.2/24
bridge1 (LAN): 192.168.88.2/24

I have several hosts on the LAN that use the internet; let's say two hosts:

Host 1:
IP: 192.168.88.200/24
GW: 192.168.88.1 (=Router 1)

Host 2:
IP: 192.168.88.210/24
GW: 192.168.88.2 (=Router 2)

So Host 1 uses the internet via Router 1, and Host 2 uses the internet via Router 2.

Now I try to do dst-nat to allow, say, a packet to port 22222/tcp on router 1 to reach port 22 on host 1. I do that on Router 1 and it works. But when I try to set the same on router 2, I get no return packets.

The packet flow is simple: host 1 sends its reply packets to router 1 (not to router 2, where they are expected to go).

So the question is, how can I mark packets that enter via router 2 so router 1 will know they should be forwarded to router 2? Connection marks exist only inside a single router, and there are no other flags I can use, so please help!
Last edited by upower3 on Mon Jul 10, 2017 11:04 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mark packets on one router so another one can use the marks?

Mon Jul 10, 2017 3:58 am

One idea: do you need two routers, can't it be done using just one? One router can handle multiple WANs, and you wouldn't have a problem with the return path then.

The other way is to solve it on the host: watch which gateway each connection comes from and send the replies back there. But it depends on the host OS, e.g. Linux can do it, Windows most likely not.

Or you can forward the reply packets from router 1 to router 2, but since there are no shared connection marks between routers, it's not exactly easy, though perhaps doable. For router 1, replies for connections coming via router 2 should be seen as invalid, because router 1 never saw any incoming packet for them. So this might do the trick (on router 1):
/ip firewall mangle
add action=route chain=prerouting connection-state=invalid in-interface=<LAN> route-dst=192.168.88.10
It will also forward other invalid packets to router 2, but those can be safely dropped there. I didn't test it, but I think it should work.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Mark packets on one router so another one can use the marks?

Mon Jul 10, 2017 5:52 am

Maybe Host 1 can have two IPs? Windows and Linux both support this, I think. Then you can mark packets that come into Router 1 from IP2 of Host 1 and forward those packets to Router 2.
 
upower3
Member
Topic Author
Posts: 384
Joined: Thu May 07, 2015 11:46 am

Re: Mark packets on one router so another one can use the marks?

Mon Jul 10, 2017 7:38 am

do you need two routers, can't it be done using just one?
No, sorry; in fact I'm trying to do a smooth move between different server rooms in different buildings, so I'll move the servers one by one and have two different routers (and even ISPs) in place. Messy, but that's the plan. As a backup plan I'll move it all at once (as fast as we can).
/ip firewall mangle
add action=route chain=prerouting connection-state=invalid in-interface=<LAN> route-dst=192.168.88.10
Just tried; it looks like it won't work, even though I can see the packets are forwarded to the other router. Maybe the problem is that these packets become invalid in transition (not sure at all)? Anyway, thank you for the idea, I never thought about it!
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mark packets on one router so another one can use the marks?

Mon Jul 10, 2017 6:04 pm

I gave it a try and it looked good at first: I could access the internal server through router 2. But then I looked at the packets and found out that router 1 forwards the first reply packet and sends an ICMP redirect to the server, telling it to use router 2 as the gateway for the client address. The server accepts it and does exactly that for further reply packets. But when I blocked the redirect, it turned out that router 1 sees only the first reply packet as invalid. The following ones are seen as new, and it ruins the whole plan.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
coylh
Member Candidate
Posts: 160
Joined: Tue Jul 12, 2011 12:11 am

Re: Mark packets on one router so another one can use the marks?

Mon Jul 10, 2017 10:07 pm

You can use DSCP markings if you want. If you choose values unused by your QOS scheme, it won't interfere.
 
upower3
Member
Topic Author
Posts: 384
Joined: Thu May 07, 2015 11:46 am

Re: Mark packets on one router so another one can use the marks?

Mon Jul 10, 2017 10:11 pm

You can use DSCP markings if you want. If you choose values unused by your QOS scheme, it won't interfere.
Keeping in mind that I don't have any QoS scheme implemented, what DSCP value would you recommend I use?
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: Mark packets on one router so another one can use the marks?

Mon Jul 10, 2017 10:58 pm

Simple solution:
on router 1 you create two NAT rules, one dst-nat and one src-nat; you NAT the src-address to your router's LAN IP, so it hides the public IP of the packet.

Example:
on router 1 you create two rules:
DST-NAT:
/ip firewall nat add chain=dstnat action=dst-nat dst-address=1.1.1.1 protocol=tcp dst-port=22 to-addresses=192.168.88.210
(host 2, which has its default gateway through router 2)

Then you create the SRC-NAT, so that the host sees the incoming packet as if it came from router 1 (192.168.88.1) and replies back to router 1; router 1 then has the session in its NAT table and processes the packet correctly.

SRC-NAT:
/ip firewall nat add chain=srcnat action=src-nat to-addresses=192.168.88.1 dst-address=192.168.88.210 protocol=tcp dst-port=22 in-interface=WAN
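The same two-rule hairpin NAT, written out as an added example (not from anyone in this thread) for the original poster's actual case: Router 2 (ether1 = WAN 2.2.2.2, bridge1 = LAN 192.168.88.2) publishing TCP 22222 to SSH on Host 1 (192.168.88.200), whose default gateway is Router 1. Interface names, addresses and the port come from the thread; the comments, the connection-nat-state matcher and the check commands are my assumptions.

```routeros
# Added example for Router 2; all values assumed from the thread's description.
/ip firewall nat

# 1. Forward TCP 22222 arriving on Router 2's WAN to SSH (22) on Host 1.
add chain=dstnat action=dst-nat in-interface=ether1 dst-address=2.2.2.2 \
    protocol=tcp dst-port=22222 to-addresses=192.168.88.200 to-ports=22 \
    comment="publish host1 ssh via router2"

# 2. Rewrite the source of those forwarded packets to Router 2's own LAN IP.
#    Host 1 then answers 192.168.88.2 directly on the LAN instead of sending the
#    reply to its default gateway (Router 1), which has no conntrack entry for
#    the session and would treat it as invalid/new. connection-nat-state=dstnat
#    restricts the rewrite to connections created by rule 1.
add chain=srcnat action=src-nat out-interface=bridge1 dst-address=192.168.88.200 \
    protocol=tcp dst-port=22 connection-nat-state=dstnat \
    to-addresses=192.168.88.2 comment="hairpin so replies return to router2"

# Check: while a session is open both rules' counters increase, and the tracked
# connection shows the original client address alongside the rewritten one.
/ip firewall nat print stats
/ip firewall connection print
```

Because of rule 2, Host 1's SSH logs will record 192.168.88.2 as the client for every connection that came in this way; the real source address is visible only in Router 2's connection table and logs, so keep those if you need to audit or rate-limit logins per client.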
