napalm79
just joined
Topic Author
Posts: 3
Joined: Mon Jan 15, 2018 8:56 am

Dual wan PCC load balancing

Mon Jan 15, 2018 9:21 am


# jan/10/2018 21:58:18 by RouterOS 6.36.1
# software id = 9U8J-EMVS
#
/interface ethernet
set [ find default-name=ether1 ] name=1-TTK
set [ find default-name=ether2 ] name=2-DOM-RU
set [ find default-name=ether3 ] name=3-LAN
set [ find default-name=ether4 ] name=4-DEV-LAN
/ip neighbor discovery
set "1-TTK" discover=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip address
add address=109.195.238.177/24 comment=defconf interface=2-DOM-RU network=\
109.195.238.0
add address=178.76.252.194/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.195/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.196/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.198/29 interface=1-TTK network=178.76.252.192
add address=178.76.252.197/29 interface=1-TTK network=178.76.252.192
add address=192.168.0.1/24 interface=3-LAN network=192.168.0.0
add address=192.168.2.1/24 interface=4-DEV-LAN network=192.168.2.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=1-TTK
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=2-DOM-RU
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=1-TTK
/ip firewall mangle
add action=accept chain=prerouting dst-address=178.76.252.192/29 \
in-interface=3-LAN
add action=accept chain=prerouting dst-address=109.195.238.0/24 in-interface=\
3-LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=1-TTK new-connection-mark=1-TTK_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=2-DOM-RU new-connection-mark=2-DOM-RU_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=3-LAN new-connection-mark=1-TTK_conn \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=3-LAN new-connection-mark=\
2-DOM-RU_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes dst-address-type=!local in-interface=3-LAN new-connection-mark=\
2-DOM-RU_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=1-TTK_conn disabled=\
yes in-interface=3-LAN new-routing-mark=to_1-TTK passthrough=yes
add action=mark-routing chain=prerouting connection-mark=2-DOM-RU_conn \
disabled=yes in-interface=3-LAN new-routing-mark=to_2-DOM-RU passthrough=\
yes
add action=mark-routing chain=output connection-mark=1-TTK_conn log-prefix=\
TTK new-routing-mark=to_1-TTK passthrough=yes
add action=mark-routing chain=output connection-mark=2-DOM-RU_conn \
log-prefix=DOMRU new-routing-mark=to_2-DOM-RU passthrough=yes
/ip firewall nat
add action=netmap chain=dstnat comment=sip.generalcomp.ru dst-address=\
178.76.252.198 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=\
192.168.0.90 to-ports=443
add action=netmap chain=dstnat comment=sip.generalcomp.ru dst-address=\
178.76.252.198 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=\
192.168.0.90 to-ports=443
add action=netmap chain=dstnat comment=conf.generalcomp.ru dst-address=\
178.76.252.197 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=\
192.168.0.91 to-ports=443
add action=netmap chain=dstnat comment=conf.generalcomp.ru dst-address=\
178.76.252.197 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=\
192.168.0.91 to-ports=443
add action=netmap chain=dstnat comment=av.generalcomp.ru dst-address=\
178.76.252.196 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=\
192.168.0.92 to-ports=443
add action=netmap chain=dstnat comment=av.generalcomp.ru dst-address=\
178.76.252.196 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=\
192.168.0.92 to-ports=443
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=\
178.76.252.195 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=\
192.168.0.19 to-ports=4443
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=\
178.76.252.195 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=\
192.168.0.19 to-ports=4443
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=\
178.76.252.195 dst-port=80 in-interface=1-TTK protocol=tcp to-addresses=\
192.168.0.19 to-ports=8080
add action=netmap chain=dstnat comment=lync.generalcomp.ru dst-address=\
178.76.252.195 dst-port=80 in-interface=1-TTK protocol=udp to-addresses=\
192.168.0.19 to-ports=8080
add action=netmap chain=dstnat comment="EDGE SIP 5061" dst-address=\
178.76.252.198 dst-port=5061 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.90 to-ports=5061
add action=netmap chain=dstnat comment="EDGE AV 50000-59999" dst-address=\
178.76.252.196 dst-port=50000-59999 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.92 to-ports=50000-59999
add action=netmap chain=dstnat comment="EDGE AV 50000-59999" dst-address=\
178.76.252.196 dst-port=50000-59999 in-interface=1-TTK protocol=udp \
to-addresses=192.168.0.92 to-ports=50000-59999
add action=netmap chain=dstnat comment="EDGE STUN" dst-address=178.76.252.196 \
dst-port=3478 in-interface=1-TTK protocol=tcp to-addresses=192.168.0.92 \
to-ports=3478
add action=netmap chain=dstnat comment="RDP Belyaeva Alla" dst-address=\
178.76.252.194 dst-port=40045 in-interface=1-TTK log=yes log-prefix=\
"rdp test" protocol=tcp to-addresses=192.168.0.45 to-ports=3389
add action=netmap chain=dstnat comment="RDP Belyaeva Alla" dst-address=\
109.195.238.177 dst-port=40045 in-interface=2-DOM-RU protocol=tcp \
to-addresses=192.168.0.45 to-ports=3389
add action=netmap chain=dstnat comment="RDP Alex Dol" dst-address=\
178.76.252.194 dst-port=4078 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.78 to-ports=3389
add action=netmap chain=dstnat comment="RDP Aefrem" dst-address=\
178.76.252.194 dst-port=40241 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.241 to-ports=3389
add action=netmap chain=dstnat comment="RDP Senchenko Marina" dst-address=\
178.76.252.194 dst-port=4080 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.80 to-ports=3389
add action=netmap chain=dstnat comment="RDP Zachitaylov Sergei" dst-address=\
178.76.252.194 dst-port=4064 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.64 to-ports=3389
add action=netmap chain=dstnat comment="RDP Chernykh Dmitriy" dst-address=\
178.76.252.194 dst-port=40120 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.120 to-ports=3389
add action=netmap chain=dstnat comment="RDP Chernykh Dmitriy" dst-address=\
109.195.238.177 dst-port=40120 in-interface=2-DOM-RU protocol=tcp \
to-addresses=192.168.0.120 to-ports=3389
add action=netmap chain=dstnat comment="RDP Sergei Pleshakov" dst-address=\
178.76.252.194 dst-port=4063 in-interface=1-TTK protocol=tcp \
to-addresses=192.168.0.63 to-ports=3389
add action=dst-nat chain=dstnat comment=\
"NAT 1:1 192.168.0.19 na 178.76.252.195" dst-address=178.76.252.195 \
to-addresses=192.168.0.19
add action=src-nat chain=srcnat comment=\
"NAT 1:1 192.168.0.19 na 178.76.252.195" src-address=192.168.0.19 \
to-addresses=178.76.252.195
add action=dst-nat chain=dstnat comment=\
"NAT 1:1 192.168.0.92 na 178.76.252.196" dst-address=178.76.252.196 \
to-addresses=192.168.0.92
add action=src-nat chain=srcnat comment=\
"NAT 1:1 192.168.0.92 na 178.76.252.196" src-address=192.168.0.92 \
to-addresses=178.76.252.196
add action=dst-nat chain=dstnat comment=\
"NAT 1:1 192.168.0.91 na 178.76.252.197" dst-address=178.76.252.197 \
to-addresses=192.168.0.91
add action=src-nat chain=srcnat comment=\
"NAT 1:1 192.168.0.92 na 178.76.252.196" src-address=192.168.0.91 \
to-addresses=178.76.252.197
add action=dst-nat chain=dstnat comment=\
"NAT 1:1 192.168.0.90 na 178.76.252.198" dst-address=178.76.252.198 \
to-addresses=192.168.0.90
add action=src-nat chain=srcnat comment=\
"NAT 1:1 192.168.0.90 na 178.76.252.198" src-address=192.168.0.90 \
to-addresses=178.76.252.198
add action=masquerade chain=srcnat comment=MASQUERAD out-interface=1-TTK
add action=masquerade chain=srcnat out-interface=2-DOM-RU
/ip route
add check-gateway=arp distance=1 gateway=178.76.252.193 routing-mark=to_1-TTK
add check-gateway=arp distance=1 gateway=109.195.238.254 routing-mark=\
to_2-DOM-RU
add check-gateway=arp distance=2 gateway=109.195.238.254
add check-gateway=arp disabled=yes distance=1 gateway=178.76.252.193
add check-gateway=arp disabled=yes distance=1 gateway=\
178.76.252.193,109.195.238.254
/ip route rule
add src-address=178.76.252.192/29 table=to_1-TTK
add src-address=109.195.238.0/24 table=to_2-DOM-RU
add dst-address=192.168.0.0/24 table=main
add dst-address=192.168.2.0/24 table=main
add dst-address=0.0.0.0/0 table=main
add routing-mark=to_1-TTK table=to_1-TTK
add routing-mark=to_2-DOM-RU table=to_2-DOM-RU
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set memory-frequency=1200DDR protected-routerboot=disabled

So I have this config. Load balancing seems to be working, but port forwarding doesn't work. What am I doing wrong?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Dual wan PCC load balancing

Mon Jan 15, 2018 5:55 pm

Without digging into your configuration, I can say that the most likely cause is that your mangle tables aren't creating connection tracking entries for route marks on new connections originating on the various WAN interfaces. That's the most common mistake I've seen in posts with your problem.
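As an added example, not code from ZeroByte's post or from napalm79's export, here is the mangle set that implements what ZeroByte describes: every new connection entering on a WAN gets that WAN's connection mark, and the mark is turned back into a routing mark when the LAN host's reply comes in through the LAN interface, so the reply leaves by the WAN it arrived on. Interface, connection-mark and routing-mark names are those used in the posted export; the comments are mine. For reference, in the posted export the two prerouting mark-routing rules matching in-interface=3-LAN carry disabled=yes.

```routeros
# Added example: mangle rules for dual-WAN PCC with correct reply-path routing.
# Names (1-TTK, 2-DOM-RU, 3-LAN, *_conn, to_*) are taken from napalm79's export.
/ip firewall mangle

# 1. Tag each new connection that arrives on a WAN with that WAN's mark.
#    The mark is stored in the conntrack entry, so reply packets inherit it.
add chain=prerouting in-interface=1-TTK connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=1-TTK_conn passthrough=yes \
    comment="WAN1 inbound: remember which WAN this connection came in on"
add chain=prerouting in-interface=2-DOM-RU connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=2-DOM-RU_conn passthrough=yes \
    comment="WAN2 inbound: remember which WAN this connection came in on"

# 2. LAN-originated connections: PCC split into two buckets, but only for
#    non-local destinations so traffic to the router itself is untouched.
#    connection-mark=no-mark keeps these from re-marking WAN-originated flows.
add chain=prerouting in-interface=3-LAN dst-address-type=!local \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=1-TTK_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 \
    comment="PCC bucket 0 -> WAN1"
add chain=prerouting in-interface=3-LAN dst-address-type=!local \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=2-DOM-RU_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 \
    comment="PCC bucket 1 -> WAN2"

# 3. Reply path and LAN egress. A LAN host answering a dst-natted connection
#    sends its reply in through 3-LAN; the connection mark from step 1 (or
#    the PCC mark from step 2, set on this same pass) selects the routing mark.
#    Without these two rules replies fall into the main table and can leave
#    by the wrong WAN. passthrough=no: nothing further to do in mangle.
add chain=prerouting in-interface=3-LAN connection-mark=1-TTK_conn \
    action=mark-routing new-routing-mark=to_1-TTK passthrough=no \
    comment="route connections marked WAN1 via WAN1"
add chain=prerouting in-interface=3-LAN connection-mark=2-DOM-RU_conn \
    action=mark-routing new-routing-mark=to_2-DOM-RU passthrough=no \
    comment="route connections marked WAN2 via WAN2"

# 4. Router-originated packets (e.g. replies to ICMP aimed at a WAN address)
#    go through output, not prerouting, so they need their own rules.
add chain=output connection-mark=1-TTK_conn action=mark-routing \
    new-routing-mark=to_1-TTK passthrough=no
add chain=output connection-mark=2-DOM-RU_conn action=mark-routing \
    new-routing-mark=to_2-DOM-RU passthrough=no
```

A quick check after applying this: open a connection to a forwarded port from outside via WAN2, then look at /ip firewall connection print detail for that flow; it should carry connection-mark=2-DOM-RU_conn, and /tool sniffer on 2-DOM-RU should show the SYN/ACK leaving on that interface rather than on 1-TTK. The routing marks used here require a default route in the to_1-TTK and to_2-DOM-RU tables, which the posted export already has.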
 
napalm79
just joined
Topic Author
Posts: 3
Joined: Mon Jan 15, 2018 8:56 am

Re: Dual wan PCC load balancing

Tue Jan 16, 2018 7:55 am

ZeroByte wrote:
> Without digging into your configuration, I can say that the most likely cause is that your mangle tables aren't creating connection tracking entries for route marks on new connections originating on the various WAN interfaces. That's the most common mistake I've seen in posts with your problem.
It's funny, but I found that connection in /ip firewall connections using a filter, and it is surely marked correctly: the MikroTik gets the SYN packet, sends a response, and that's all.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Dual wan PCC load balancing

Tue Jan 16, 2018 5:50 pm

OK, it looks like your NAT rules are to blame. You're using netmap, which is a stateless NAT action; that means you must use TWO rules to accomplish each mapping.

I see why you thought to use this, as it's apparent that you have a 1:1 relationship between a specific public IP address and private IP address, yet you're doing all of these mappings at the protocol/port level. I recommend against this methodology. If you want to dedicate an IP to a 1:1 mapping, then you should just map it at layer 3 (the entire IP address, not just certain ports) and then limit access to the host by using filter rules. This ends up being cleaner, easier to understand, uses each section of the firewall for its intended purpose, and takes less CPU.

So let's take the host that is 178.76.252.198 -> 192.168.0.90
You have the following rules:
add action=netmap chain=dstnat dst-address=178.76.252.198 dst-port=443 in-interface=1-TTK protocol=tcp to-addresses=192.168.0.90 to-ports=443
add action=netmap chain=dstnat dst-address=178.76.252.198 dst-port=443 in-interface=1-TTK protocol=udp to-addresses=192.168.0.90 to-ports=443
add action=netmap chain=dstnat dst-address=178.76.252.198 dst-port=5061 in-interface=1-TTK protocol=tcp to-addresses=192.168.0.90 to-ports=5061
add action=dst-nat chain=dstnat dst-address=178.76.252.198 to-addresses=192.168.0.90

I'd say the best thing for this host would be to just remove the netmap rules. There is no "return-path" mapping to undo the stateless nat, so anything getting translated by these rules will not be properly "un-natted" on the return path. The final rule here actually does exactly what I'm recommending (map the whole IP and use the filter table to limit what actually gets forwarded).

Finally, your route rules seem to be a bit confusing to me:
/ip route rule
add src-address=178.76.252.192/29 table=to_1-TTK
add src-address=109.195.238.0/24 table=to_2-DOM-RU

add dst-address=192.168.0.0/24 table=main
add dst-address=192.168.2.0/24 table=main
add dst-address=0.0.0.0/0 table=main
add routing-mark=to_1-TTK table=to_1-TTK
add routing-mark=to_2-DOM-RU table=to_2-DOM-RU

All of the underlined rules don't seem to make sense to me, especially the 0.0.0.0/0 rule (unless you're temporarily using this to disable load balancing for troubleshooting purposes).
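An added example, not code from either poster, of the layout ZeroByte recommends, worked through for one host (178.76.252.198 <-> 192.168.0.90): a whole-address dst-nat/src-nat pair instead of per-port netmap rules, a forward filter that limits what actually reaches the host, a mangle rule that pins that host's own outbound traffic to the WAN owning its public address, and the route and route-rule set without the catch-all 0.0.0.0/0 rule. Addresses, interface names and ports (TCP 443, TCP 5061, UDP 443) are taken from the posted export; check-gateway=ping instead of arp and the pinning rule are my choices.

```routeros
# Added example: 1:1 NAT at layer 3 for one host, access limited in the filter.
# Addresses and interfaces are from napalm79's export; ordering matters.
/ip firewall nat
# One stateful rule per direction. Conntrack reverses the translation for
# replies, so unlike netmap no separate "return-path" rule is needed.
add chain=dstnat dst-address=178.76.252.198 action=dst-nat \
    to-addresses=192.168.0.90 comment="1:1 178.76.252.198 -> 192.168.0.90"
# out-interface keeps the 1:1 source address off the other WAN; anything
# the host sends via 2-DOM-RU would fall through to that WAN's masquerade.
add chain=srcnat src-address=192.168.0.90 out-interface=1-TTK \
    action=src-nat to-addresses=178.76.252.198 \
    comment="1:1 192.168.0.90 -> 178.76.252.198"
add chain=srcnat out-interface=1-TTK action=masquerade
add chain=srcnat out-interface=2-DOM-RU action=masquerade

/ip firewall mangle
# A host with a 1:1 public address must not be PCC-split: pin its outbound
# connections to the WAN that owns the address. Place this above the PCC rules.
add chain=prerouting in-interface=3-LAN src-address=192.168.0.90 \
    dst-address-type=!local connection-mark=no-mark action=mark-connection \
    new-connection-mark=1-TTK_conn passthrough=yes \
    comment="1:1 host always uses WAN1"

/ip firewall filter
# Forward chain, complete and in order. No fasttrack-connection rule here:
# fasttracked packets bypass mangle, so with PCC they would never receive
# a routing mark and replies could leave by the wrong WAN.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# The dst-nat above exposes the whole host; these rules are what restrict
# it to the SIP/TLS signalling and HTTPS ports. Match on the internal
# address because filter runs after dstnat.
add chain=forward in-interface=1-TTK connection-nat-state=dstnat \
    dst-address=192.168.0.90 protocol=tcp dst-port=443,5061 action=accept \
    comment="Edge SIP: TLS 443 and 5061"
add chain=forward in-interface=1-TTK connection-nat-state=dstnat \
    dst-address=192.168.0.90 protocol=udp dst-port=443 action=accept \
    comment="Edge SIP: UDP 443"
# Everything else arriving from either WAN, dst-natted or not, is dropped.
add chain=forward in-interface=1-TTK connection-state=new action=drop \
    comment="drop all from WAN1 not explicitly allowed"
add chain=forward in-interface=2-DOM-RU connection-state=new action=drop \
    comment="drop all from WAN2 not explicitly allowed"

/ip route
# One default per routing table for the marked traffic.
add dst-address=0.0.0.0/0 gateway=178.76.252.193 routing-mark=to_1-TTK \
    check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=109.195.238.254 routing-mark=to_2-DOM-RU \
    check-gateway=ping distance=1
# Main table: primary and failover default for unmarked traffic. ping
# (rather than arp) also catches a gateway that answers ARP but is dead upstream.
add dst-address=0.0.0.0/0 gateway=178.76.252.193 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=109.195.238.254 check-gateway=ping distance=2

/ip route rule
# Directly connected LANs always resolve in main, so marked traffic destined
# for the LAN is never pushed toward a WAN gateway.
add dst-address=192.168.0.0/24 table=main
add dst-address=192.168.2.0/24 table=main
# Marked traffic follows its WAN. There is deliberately no
# dst-address=0.0.0.0/0 table=main rule: unmarked traffic already falls
# back to main, and the rule only obscures what the marks are doing.
add routing-mark=to_1-TTK table=to_1-TTK
add routing-mark=to_2-DOM-RU table=to_2-DOM-RU
```

The same pattern repeats for the other 1:1 hosts (.195/.19, .196/.92, .197/.91): one dst-nat, one src-nat, one pinning rule, and a filter accept listing only the ports that host actually serves (for the AV edge that is the 50000-59999 range and 3478 in the export). Before removing the netmap rules, compare the existing src-nat comments with their addresses; in the posted export the rule translating 192.168.0.91 to 178.76.252.197 carries the comment for the .92/.196 pair.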
 
napalm79
just joined
Topic Author
Posts: 3
Joined: Mon Jan 15, 2018 8:56 am

Re: Dual wan PCC load balancing

Sun Jan 28, 2018 11:36 pm

ZeroByte wrote:
> OK, it looks like your NAT rules are to blame. You're using netmap, which is a stateless NAT action; that means you must use TWO rules to accomplish each mapping.
> [...]
> All of the underlined rules don't seem to make sense to me, especially the 0.0.0.0/0 rule (unless you're temporarily using this to disable load balancing for troubleshooting purposes).
It all seems to me like banging my forehead against a wall. Can you please tell me what exactly I should do to make this piece of, ahem... hardware work?
