Community discussions

 
wanton
just joined
Topic Author
Posts: 16
Joined: Wed Nov 21, 2018 6:06 pm

PCCload balancing vs Remote Connection to LAN...

Mon Jul 08, 2019 2:09 pm

Dear All,

In a nutshell; I have a Dual Wan PCC Load Balancing connection - which seemed to finally working fine (thx Sebastia - You're clues helped).
My band width usage and my internet connection finally looked good

BUT...

My external accountant got cutoff from my file server and Postgre SQL database.

More accurately;

My situation is -> We have a file server which acts also as a psql database located at 192.168.0.100.
We have a RDP gateway to connect to our CRM software through Mac Os located at 192.168.0.197.

My RB3011 UiAS Mikrotik hosts a DHCP server located on the Bridge-lan interface at 192.168.0.1/24
Primary WAN is an ADSL modem located on 192.168.1.1 (download 20MBPS, upload 1MBPS :-? :-? :-? )
Secondary WAN to increase bandwidth is an LTE modem located on 192.168.2.1 (download 40MBPS, upload 20MBPS :-? :-? :-? )
Firewall dst-nat is set for the appropriate incoming connections to the file server and RDP gateway.
The idea was to make the LTE act as fail over, but also as bandwidth supplier since the ADSL connection is crap and often fails when overloaded.
But ADSL is important because we get a static IP address for remote connections - with LTE this is unavailable.

For this I configured PCC Loading exactly as described by Steven Discher on mum.mikrotik.com.
What happened was that ping time increased to 2.5s (!!) and dl and up where veery slow ( i had a parallel topic going on for that)
UNTIL
i inverted the distance for the routing tables of adsl and lte connections
I made the distance to the adsl modem 2 and lte modem 1 (which was the inverse of what described in Mr Dischers presentation)

Magically the setup was working. :D :D :D :D :D
Ping still was unexceptional and remained between 0.5s - 2.5 but dl and ul where max of what we can have (around 25MBPS dl and 30MBPS ul) ...

I was delighted -
BUT
soon enough my smile faded when my external accountant phoned me to say he cannot connect to the psql database !
This changed when I disabled LTE and only the ADSL was enabled. The accountant could connect to the psql database when only the ADSL was enabled.

What "I THINK" happens is that my router makes some outgoing return traffic go through the LTE which busts up remote connections.

Summarising: I have a PCC Load balancing configuration but when both interfaces are up remote connections to my file server and most importantly my psql database are impossible.
Which gets me back to my startpoint where I only connect through 1 wan interface (ADSL).

Is this a connection/routing problem in the mangle ?
What is the difference between marking connections and marking routes ?

ANY help is appreciated ...

Warm regards

K

This is my configuration:
# jul/08/2019 12:39:43 by RouterOS 6.44.1
# software id = 0CJU-ULDR
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED09DEC409
/interface bridge
add admin-mac=B8:69:F4:87:45:30 auto-mac=no comment=LAN name=bridge-lan protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full name=ether1-adsl speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full disabled=yes name=ether3-lte speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=pool-lan ranges=192.168.0.140-192.168.0.185
add name=pool-l2te ranges=10.0.1.0-10.0.1.10

/ip dhcp-server
add address-pool=pool-lan disabled=no interface=bridge-lan lease-time=1h name=dhcp-lan

/ppp profile
add change-tcp-mss=yes dns-server=10.0.1.1 local-address=10.0.1.1 name=l2tp remote-address=pool-l2te use-encryption=yes
add change-tcp-mss=yes dns-server=10.0.1.1 local-address=10.0.1.1 name=ovpn remote-address=pool-l2te use-encryption=yes

/queue simple
add limit-at=14M/20M max-limit=18M/20M name=queue2-gsm packet-marks=LTE-Packets queue=pcq-upload-default/pcq-download-default \
    target=192.168.0.0/24
add max-limit=900k/16M name=queue1-adsl packet-marks=ADSL-Packets queue=pcq-upload-default/pcq-download-default target=\
    192.168.0.0/24

/dude
set data-directory=disk1/Dude_db enabled=yes

/interface bridge port
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
add bridge=bridge-lan interface=ether6

/ip firewall connection tracking
set tcp-established-timeout=4h

/ip neighbor discovery-settings
set discover-interface-list=none

/interface l2tp-server server
set default-profile=l2tp enabled=yes use-ipsec=required

/interface list member
add interface=ether1-adsl list=WAN
add interface=ether3-lte list=WAN
add interface=bridge-lan list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN

/interface ovpn-server server
set auth=sha1 certificate=alba.crt default-profile=ovpn enabled=yes

/ip address
add address=192.168.0.1/24 interface=bridge-lan network=192.168.0.0
add address=192.168.1.2/24 interface=ether1-adsl network=192.168.1.0
add address=192.168.2.2/24 interface=ether3-lte network=192.168.2.0
add address=10.0.1.1/24 disabled=yes interface=ether1-adsl network=10.0.1.0

/ip dhcp-server lease
add address=192.168.0.100 mac-address=00:0A:E4:88:AB:4A
add address=192.168.0.197 mac-address=00:15:17:DA:26:D0
add address=192.168.0.189 mac-address=F4:F2:6D:79:01:03
add address=192.168.0.198 mac-address=00:0D:02:84:14:E2
add address=192.168.0.199 mac-address=00:00:74:FB:51:83

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

/ip dns static
add address=192.168.0.1 name=router.lan

/ip firewall address-list
add address=192.168.0.0/24 list=LAN_VPN
add address=10.0.1.0/24 list=L2TP_VPN
add address=192.168.1.0/24 list=Connected
add address=192.168.2.0/24 list=Connected
add address=192.168.0.0/24 list=Connected

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=LAN_VPN
add action=accept chain=input protocol=icmp
add action=accept chain=input port=1022 protocol=tcp
add action=accept chain=input port=1194 protocol=tcp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input log=yes protocol=ipsec-esp
add action=drop chain=input
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward src-address-list=LAN_VPN
add action=accept chain=forward src-address-list=L2TP_VPN
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp

/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-routing chain=prerouting dst-port=110,995,143,993,25,465,587 new-routing-mark=LTE-Route passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting connection-nat-state="" dst-port=5432 in-interface=ether1-adsl log=yes \
    new-connection-mark=ADSL passthrough=yes protocol=tcp src-port=5432
add action=mark-connection chain=output dst-port=5432 log=yes new-connection-mark=ADSL passthrough=yes protocol=tcp src-port=\
    5432
add action=mark-connection chain=prerouting dst-port=500,4500,1701 new-connection-mark=ADSL passthrough=yes protocol=udp
add action=mark-routing chain=prerouting new-routing-mark=ADSL-Route passthrough=yes protocol=udp src-port=500,4500,1701
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.2.0/24

add action=mark-connection chain=prerouting comment="Per Connection Classifier Load Balancing - Per Steve Discher" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan new-connection-mark=ADSL passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan \
    new-connection-mark=LTE passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ADSL in-interface=bridge-lan new-routing-mark=ADSL-Route passthrough=\
    yes
add action=mark-routing chain=prerouting connection-mark=LTE in-interface=bridge-lan new-routing-mark=LTE-Route passthrough=yes
add action=mark-routing chain=output connection-mark=ADSL new-routing-mark=ADSL-Route passthrough=yes
add action=mark-routing chain=output connection-mark=LTE new-routing-mark=LTE-Route passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1-adsl new-connection-mark=ADSL \
    passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3-lte new-connection-mark=LTE \
    passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1-adsl src-address-list=LAN_VPN
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3-lte src-address-list=LAN_VPN
add action=dst-nat chain=dstnat dst-port=3389 log=yes protocol=tcp to-addresses=192.168.0.197 to-ports=3389
add action=dst-nat chain=dstnat dst-port=5432 log=yes protocol=tcp to-addresses=192.168.0.100 to-ports=5432
add action=dst-nat chain=dstnat dst-port=8282 in-interface=ether1-adsl protocol=tcp to-addresses=192.168.0.80 to-ports=8282

/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=LTE-Route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=ADSL-Route
add disabled=yes distance=1 dst-address=192.168.0.197/32 gateway=192.168.1.1 routing-mark=ADSL-Route
add check-gateway=ping distance=1 gateway=192.168.2.1 pref-src=192.168.2.2
add check-gateway=ping distance=2 gateway=192.168.1.1 pref-src=192.168.1.2
add disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1
add disabled=yes distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1

/ip service
set telnet disabled=yes
set www address=192.168.0.0/24
set ssh port=1022
set winbox address=192.168.0.0/24

/ip smb
set domain=MikrotikSMB

/ip ssh
set allow-none-crypto=yes

/lcd interface
add interface=bridge-lan

/lcd interface pages
set 0 interfaces=ether1-adsl,ether2,ether3-lte,ether4,ether5,sfp1,bridge-lan,ether7,ether8,ether9,ether10

/ppp secret
add name=serafin profile=l2tp service=l2tp
add name=wantondude profile=ovpn service=ovpn
add name=serafin profile=ovpn service=ovpn
add name=wantondude profile=l2tp service=l2tp
add name=lukus profile=l2tp service=l2tp

/snmp
set enabled=yes trap-target=192.168.0.161

/system clock
set time-zone-name=Europe/Warsaw

/system identity
set name=----

/tool mac-server
set allowed-interface-list=mactel

/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

/tool netwatch
add down-script=gwdown host=8.8.8.8 timeout=30s up-script=gwup

 
wanton
just joined
Topic Author
Posts: 16
Joined: Wed Nov 21, 2018 6:06 pm

Re: PCCload balancing vs Remote Connection to LAN...

Mon Jul 08, 2019 5:41 pm

Bump
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: PCCload balancing vs Remote Connection to LAN...

Mon Jul 08, 2019 6:07 pm

You're mangling needs improvement, some tips:

new connections from wan's need to pinned to these interfaces, otherwise you'll could end up with split routing, which with NAT wont fly...
Do that in prerouting, on in-interface=wan1/2/...

You only need to mangle route on the outbound track, so when going to Wan / internet. It doesn't make sense to do that on inbound direction.

Mark connections once (when connection-mark=no-mark), and mark packets on based on that.

Be carefull with passthrough

just remove this 'connection-nat-state="" '
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: PCCload balancing vs Remote Connection to LAN...

Mon Jul 08, 2019 7:39 pm

Some more notes:
* the queue setup won't work, as they both have seme target, you'll need to use queue linked to interface (queue tree)
* interface e6-10 are part of bridge, they are "slaves" and should not be used on their own

Who is online

Users browsing this forum: No registered users and 34 guests