Dual WAN trouble - acts like jitter

Posted: Tue Aug 13, 2019 5:00 pm
by gssherman
Hello

I have set up (I believe) my RB2011iL with dual Internet connections. I would like to pass most traffic through the Cable connection with specific traffic through the DSL connection.

It is mostly working except I get pauses when trying to telnet out to other systems. As I am typing characters, there are pauses after a few characters. If I am listing something out, there are pauses after blocks of characters. If I run torch on any port (including a port like eth8) everything works fine.

The Cable connection is DHCP, the DSL connection is static IP. The ROS is v6.45.3.

/interface ethernet
set [ find default-name=ether1 ] name=eth1 speed=100Mbps
set [ find default-name=ether2 ] name=eth2 speed=100Mbps
set [ find default-name=ether3 ] name=eth3 speed=100Mbps
set [ find default-name=ether4 ] name=eth4 speed=100Mbps
set [ find default-name=ether5 ] name=eth5 speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth6-DSL
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth7-Cable
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth8
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth9
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth10
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dyn-pool-10-B ranges=192.168.10.128/26
add name=dyn-pool-10-A next-pool=dyn-pool-10-B ranges=192.168.10.64/26
/ip dhcp-server
add address-pool=dyn-pool-10-A authoritative=after-2sec-delay disabled=no \
    interface=bridge1 lease-time=1d name=dhcp-10
/interface bridge port
add bridge=bridge1 interface=eth2
add bridge=bridge1 interface=eth3
add bridge=bridge1 interface=eth4
add bridge=bridge1 interface=eth5
add bridge=bridge1 interface=eth1
add bridge=bridge2 interface=eth9
add bridge=bridge2 interface=eth10
add bridge=bridge2 disabled=yes interface=eth8
/ip neighbor discovery-settings
set discover-interface-list=none
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.10.254/24 interface=bridge1 network=192.168.10.0
add address=B.B.B.10/27 interface=eth6-DSL network=B.B.B.0
add address=192.168.100.25/24 comment="for modem access" disabled=yes \
    interface=eth7-Cable network=192.168.100.0
add address=192.168.0.2/24 comment="for modem access" disabled=\
    yes interface=eth6-DSL network=192.168.0.0
# cable WAN address  A.A.A.224/22
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
    eth7-Cable use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8 gateway=\
    192.168.10.254
/ip dns
set servers=1.1.1.1,1.0.0.1,208.67.220.220
/ip firewall address-list
add address=192.168.10.3 list=Kappa
add address=A.A.A.224 list=Cable-WAN
add address=B.B.B.0/27 list=Connected
add address=A.A.A.0/22 list=Connected
add address=192.168.10.0/24 list=Connected
add address=192.168.10.0/24 list=LAN
/ip firewall filter
add action=drop chain=forward disabled=yes in-interface=eth6-DSL \
    out-interface=eth7-Cable
add action=drop chain=forward disabled=yes in-interface=eth7-Cable \
    out-interface=eth6-DSL
add action=drop chain=forward connection-state=new disabled=yes dst-address=\
    192.168.10.0/24 in-interface=eth6-DSL
add action=drop chain=forward connection-state=new disabled=yes dst-address=\
    192.168.10.0/24 in-interface=eth7-Cable
add action=accept chain=input comment=ping log=yes log-prefix=ping-- protocol=\
    icmp
add action=accept chain=input comment="local IPs" src-address-list=LAN
add action=accept chain=input comment=established,related connection-state=\
    established,related
add action=drop chain=input comment="Default - drop incoming"
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=Invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=eth7-Cable log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=eth6-DSL log=yes log-prefix=!NAT
/ip firewall mangle
add action=accept chain=prerouting comment="Connected networks" \
    dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input comment=WAN->Router connection-mark=\
    no-mark in-interface=eth6-DSL new-connection-mark=DSL->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    eth7-Cable new-connection-mark=Cable->ROS
add action=mark-routing chain=output connection-mark=DSL->ROS new-routing-mark=\
    DSL_Route
add action=mark-routing chain=output connection-mark=Cable->ROS \
    new-routing-mark=Cable_Route
add action=mark-connection chain=forward comment=WAN->LAN connection-mark=\
    no-mark in-interface=eth6-DSL new-connection-mark=DSL->LAN
add action=mark-connection chain=forward connection-mark=no-mark in-interface=\
    eth7-Cable new-connection-mark=Cable->LAN
add action=mark-routing chain=prerouting connection-mark=DSL->LAN \
    new-routing-mark=DSL_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Cable->LAN \
    new-routing-mark=Cable_Route src-address-list=LAN
add action=mark-connection chain=prerouting comment=LAN->WAN connection-mark=\
    no-mark dst-address-list=!Connected dst-address-type=!local \
    new-connection-mark=LAN->WAN passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting comment="LAN to Cable" \
    connection-mark=LAN->WAN new-routing-mark=Cable_Route passthrough=yes \
    src-address-list=LAN
add action=mark-routing chain=prerouting comment="LAN to DSL" connection-mark=\
    LAN->WAN disabled=yes new-routing-mark=DSL_Route passthrough=yes \
    src-address-list=LAN
add action=mark-routing chain=prerouting comment="Kappa to DSL" \
    connection-mark=LAN->WAN disabled=yes new-routing-mark=DSL_Route \
    passthrough=yes src-address-list=Kappa
add action=mark-routing chain=prerouting comment="outbound telnet" \
    connection-mark=LAN->WAN dst-port=\
    23,2121,2323,4444,5000,6551,6552,23389,33392 log-prefix=TELNET_ \
    new-routing-mark=DSL_Route passthrough=yes protocol=tcp src-address-list=\
    Kappa
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Cable" out-interface=eth7-Cable
add action=masquerade chain=srcnat comment="NAT DSL" out-interface=eth6-DSL
/ip firewall service-port
set ftp disabled=yes
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=B.B.B.1 routing-mark=DSL_Route
add distance=1 gateway=A.A.A.1 routing-mark=Cable_Route
add comment="main Cable" distance=1 gateway=A.A.A.1
add comment="main DSL" distance=2 gateway=B.B.B.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=something
/system ntp client
set enabled=yes primary-ntp=209.114.111.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

I am sure it is something simple, but I am not sure where to look.

TIA,
Glenn

Re: Dual WAN trouble - acts like jitter

Posted: Tue Aug 13, 2019 10:44 pm
by sindy
I am sure it is something simple, but I am not sure where to look.
Two points:
  • unrestricted fasttracking is incompatible with use of mangle rules because most packets belonging to fasttracked connections skip a large part of firewall processing. A few don't, which means that the connections via the non-default routes work but with many dropped (because misrouted) packets
  • you connection-mark the packets in chain=forward but routing-mark them in chain=prerouting; as prerouting comes first, the initial packet of each connection, which causes the connection-mark to be assigned in forward, is not routing-marked afterwards, so it takes the default route. Subsequent packets of the same connection are routing-marked because the connection they belong to has been previously marked, so they take the marked route (which may be the same as the routing-mark-less one or different)
You may want to read this post regarding selective fasttracking.
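As an added illustration of the two points above (not taken from either post, nor from MikroTik's own examples), the rules below give the DSL-routed connections their own connection marks assigned in prerouting and restrict fasttrack to connections that follow the main routing table. The mark names DSL->LAN and Kappa->DSL, the accept-before-fasttrack arrangement, and the port list reused from the original export are assumptions for this example; they would replace the forward-chain mark-connection rules and the unrestricted fasttrack rule in the export.

```routeros
# Added example, not the original poster's export: DSL-routed connections are
# marked in prerouting (so their first packet is already routing-marked) and
# are accepted before the fasttrack rule so they keep the full mangle path.
/ip firewall mangle
# Connections arriving from the DSL WAN: mark in prerouting, not forward.
add chain=prerouting action=mark-connection connection-mark=no-mark \
    in-interface=eth6-DSL new-connection-mark=DSL->LAN passthrough=yes
add chain=prerouting action=mark-routing connection-mark=DSL->LAN \
    src-address-list=LAN new-routing-mark=DSL_Route passthrough=no
# Telnet-class traffic from the Kappa host gets its own mark (assumed name
# Kappa->DSL) so the filter rules below can tell it apart from Cable traffic.
add chain=prerouting action=mark-connection connection-mark=no-mark \
    src-address-list=Kappa dst-address-list=!Connected protocol=tcp \
    dst-port=23,2121,2323,4444,5000,6551,6552,23389,33392 \
    new-connection-mark=Kappa->DSL passthrough=yes
add chain=prerouting action=mark-routing connection-mark=Kappa->DSL \
    src-address-list=LAN new-routing-mark=DSL_Route passthrough=no
# Everything else from LAN goes out via Cable, which is also the main route,
# so skipping mangle for these packets (fasttrack) cannot misroute them.
add chain=prerouting action=mark-connection connection-mark=no-mark \
    src-address-list=LAN dst-address-list=!Connected dst-address-type=!local \
    new-connection-mark=LAN->WAN passthrough=yes
add chain=prerouting action=mark-routing connection-mark=LAN->WAN \
    src-address-list=LAN new-routing-mark=Cable_Route passthrough=no

/ip firewall filter
# Selective fasttrack: DSL-bound connections are accepted first and never
# reach the fasttrack rule, so every one of their packets is routing-marked.
add chain=forward action=accept connection-state=established,related \
    connection-mark=DSL->LAN comment="DSL connections stay on the slow path"
add chain=forward action=accept connection-state=established,related \
    connection-mark=Kappa->DSL comment="DSL connections stay on the slow path"
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="FastTrack the rest"
add chain=forward action=accept connection-state=established,related \
    comment="Established, Related"
```

Rule order matters in both sections: the Kappa->DSL mark-connection must precede the generic LAN->WAN one, and the two accept rules must precede the fasttrack rule.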