donsergio
newbie
Topic Author
Posts: 48
Joined: Wed Jan 31, 2018 8:35 pm
Location: Spain

Wan balance by ports number (protocol)

Fri Aug 30, 2019 12:40 pm

Hi, what's the best practice to balance the ports (protocol port) across WANs depending on the port number?

I tried this but I think it's not right:
/ip firewall mangle

add action=mark-routing chain=prerouting comment=\
    "Redirect common ports TCP" dst-address-type="" dst-port=\
    0-1024,8000-9000,4244,5222-5223,5228,5242 new-routing-mark=wan1 \
    passthrough=yes protocol=tcp src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment=\
    "Redirect common ports UDP" dst-address-type="" dst-port=\
    0-1024,8000-9000,4244,5222-5223,5228,5242 new-routing-mark=wan1 \
    passthrough=yes protocol=udp src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment=\
    "Redirect non common ports TCP" dst-address-type="" dst-port=\
    !0-1024,8000-9000,4244,5222-5223,5228,5242 new-routing-mark=tcp-wan2 passthrough=\
    yes protocol=tcp src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment=\
    "Redirect non common ports UDP" dst-address-type="" dst-port=\
    !0-1024,8000-9000,4244,5222-5223,5228,5242 new-routing-mark=udp-wan2 passthrough=\
    yes protocol=udp src-address=192.168.0.0/24

/ip route
add distance=1 gateway=ether1 routing-mark=wan1
add distance=1 gateway=ether2 routing-mark=udp-wan2
add distance=1 gateway=ether2 routing-mark=tcp-wan2

And in ip firewall nat I have masquerade on both WANs... all goes well but, for example, I can't access remote Winbox RouterBoards.... I think these connections need to pass through the wan2 mangle rule, right?

All help is welcome
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wan balance by ports number (protocol)

Tue Sep 03, 2019 5:22 am

Don't mark routing directly. Mark connections first and then mark routing based on connection marks. It will be less work for router and it won't break incoming forwarded ports, if you have any. And I don't know how much experience you have with multi-WAN configs, but ethernet interface as gateway usually doesn't work, there should be an IP address.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
donsergio
newbie
Topic Author
Posts: 48
Joined: Wed Jan 31, 2018 8:35 pm
Location: Spain

Re: Wan balance by ports number (protocol)

Tue Sep 03, 2019 3:30 pm

Hi, thanks for your reply... and, can you give me an example to do that I need?
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wan balance by ports number (protocol)

Wed Sep 04, 2019 4:35 am

This should work:
/ip firewall mangle
add action=jump chain=prerouting connection-state=new jump-target=balance src-address=192.168.0.0/24
add action=mark-connection chain=balance dst-port=0-1024,8000-9000,4244,5222-5223,5228,5242 new-connection-mark=wan1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=balance dst-port=0-1024,8000-9000,4244,5222-5223,5228,5242 new-connection-mark=wan1_conn passthrough=yes protocol=udp
add action=mark-connection chain=balance connection-mark=no-mark new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=wan1 passthrough=no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=wan2 passthrough=no src-address=192.168.0.0/24
New connections from 192.168.0.0/24 will jump to marking subchain, where selected ports will be marked for wan1 and if the connection still doesn't have any mark at the end of chain, it will be marked for wan2. This will happen only once for each new connection. And then this and all following packets will be given routing marks based on their connection marks. And then you probably need:
/ip route
add gateway=<IP address of WAN1 gateway> routing-mark=wan1
add gateway=<IP address of WAN2 gateway> routing-mark=wan2
 
donsergio
newbie
Topic Author
Posts: 48
Joined: Wed Jan 31, 2018 8:35 pm
Location: Spain

Re: Wan balance by ports number (protocol)

Fri Sep 06, 2019 12:42 pm

Hi, I'm testing this and doing a lot of tests / changes and I can't make it work... I put the IPs of the gateways on the routes... if I "traceroute -p 80 8.8.8.8" and "traceroute -p 44444 8.8.8.8" the packets go to each gateway, but I can't search on the web, can't open websites... for example...

It looks like only the "marked packets" don't work, because I can access a server whose port is not marked.... if I change the MikroTik web access port to 4444 I can access it, but if I put 102 then it says it can't open the web page.


 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wan balance by ports number (protocol)

Sat Sep 07, 2019 1:59 am

If you used this exact config, then all outgoing connections from 192.168.0.0/24 should get marked, there wouldn't be any unmarked ones, so it looks like there's something different, perhaps some other rules are interfering.
 
donsergio
newbie
Topic Author
Posts: 48
Joined: Wed Jan 31, 2018 8:35 pm
Location: Spain

Re: Wan balance by ports number (protocol)

Mon Sep 09, 2019 10:23 pm

Hi! Yes, you're right, I had some rules to prioritize traffic and after disabling all of them it works fine.... but now I don't have prioritized traffic, I need to implement it now with these new rules...

And the biggest trouble: I can't open ports... with my old way the port opening works well, now with the same way to open the port, it doesn't work.... I log the rule to forward the port and the result is the same, but the rule doesn't work.... I need to test, test, test more..

Thanks a lot!! I need to buy you some beers!!

 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wan balance by ports number (protocol)

Mon Sep 09, 2019 10:52 pm

By open ports you mean dstnat from internet? If you have the usual config where you mark incoming connections based on interface, it should work with this just fine. These new rules won't override connection marks for already marked incoming connections.
 
donsergio
newbie
Topic Author
Posts: 48
Joined: Wed Jan 31, 2018 8:35 pm
Location: Spain

Re: Wan balance by ports number (protocol)

Tue Sep 10, 2019 9:39 pm

Hi, yes, as I told you... If I enable my old config.... I can open ports and it works well... I mean my first config, after trying to redirect by two WANs by port....

My old rule only marks routing...

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to-wan-1 passthrough=yes src-address=192.168.0.0/24

And in /ip route
add distance=20 gateway=wan1 routing-mark=to-wan-1
(the distance=20 is because I have another WAN and if this route fails, it changes to the other WAN)

And to open a port I usually use:
/ip firewall nat
add action=dst-nat dst-port=37779 protocol=tcp to-address=192.168.0.100 to-ports=37779

I tried to log, and the log is the same with your config and with my old config with one WAN (with the above example)

But with that config the ports work well, while with the new config the websites (37779 I use for a camcorder HTTP dashboard) still don't work... and no more rules in mangle.... and in nat only the masquerades and the dst-nat

Best Regards!!

 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Wan balance by ports number (protocol)

Tue Sep 10, 2019 9:50 pm

I think that nowadays it does not make sense to balance using port numbers; almost 80 or 90% of the traffic corresponds to ports 443 and 80, so not much load distribution is achieved using the criterion of the port number only.

It seems to me that a more appropriate strategy is to distribute the clients among the various WAN connections that you have, to be able to distribute the load.
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wan balance by ports number (protocol)

Tue Sep 10, 2019 10:04 pm

Your old rule forces everything from 192.168.0.0/24 to use wan1. So it directly conflicts with your new requirement to balance traffic from same 192.168.0.0/24 by port. You can't have both.

Mark incoming connections based on WAN interface and port forwarding will work from both WANs:
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=<WAN1> action=mark-connection new-connection-mark=wan1_conn passthrough=no
add chain=prerouting connection-state=new in-interface=<WAN2> action=mark-connection new-connection-mark=wan2_conn passthrough=no
Passthrough depends on whether you do something else with incoming packets, e.g. if you give them packet marks for queues. In that case you'd need yes. If not, it can be no.
You can also add this, if you need outside access to some service on router (e.g. VPN) working from both WANs:
/ip firewall mangle
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=wan2
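Both of Sob's configs (the "balance" subchain with connection marks from the Sep 04 post, and the in-interface marking of incoming connections in this post) rely on the same mechanism: the mark is stored on the tracked connection, so every later packet, including the LAN server's replies to a forwarded inbound connection, inherits the WAN decision made on the connection's first packet. The Python below is an added toy model written for this thread; it is not RouterOS code and was not posted by anyone in the thread. It simulates connection tracking and ordered mangle chains (jump, connection-state=new and passthrough semantics simplified), then compares the first post's direct mark-routing rules with the connection-marking rules. The LAN subnet, port list, mark names and 192.168.0.100:37779 come from the thread; the client 192.168.0.10, the internet host 203.0.113.5, the client source ports and the assumption that unmarked traffic takes a default route via WAN1 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Toy model of RouterOS mangle + connection tracking (added simulation, not RouterOS code).
LAN = ip_network("192.168.0.0/24")
WAN1_PORTS = [(0, 1024), (8000, 9000), (4244, 4244), (5222, 5223), (5228, 5228), (5242, 5242)]
ROUTES = {"wan1": "wan1", "wan2": "wan2", "tcp-wan2": "wan2"}  # routing-mark -> egress interface

def in_wan1_ports(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in WAN1_PORTS)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_iface: str                     # "lan", "wan1" or "wan2"
    routing_mark: Optional[str] = None

class Conn:
    mark: Optional[str] = None        # the connection mark lives in conntrack, not in the packet

@dataclass
class Rule:
    chain: str
    match: Callable[[Packet, Conn, bool], bool]  # args: packet, connection, connection-state=new
    action: str                       # "mark-connection", "mark-routing" or "jump"
    value: str                        # new mark, or jump target
    passthrough: bool = True          # passthrough=no ends mangle processing for the packet (model)

class Mangle:
    def __init__(self, rules: list[Rule]):
        self.rules, self.conns = rules, {}

    def _track(self, pkt: Packet) -> tuple[Conn, bool]:
        # Direction-independent key, so a reply maps to the same tracked connection.
        key = (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))
        is_new = key not in self.conns
        return self.conns.setdefault(key, Conn()), is_new

    def _run(self, chain: str, pkt: Packet, conn: Conn, is_new: bool) -> bool:
        """Evaluate one chain in order; returns False once a passthrough=no rule has fired."""
        for rule in (r for r in self.rules if r.chain == chain):
            if not rule.match(pkt, conn, is_new):
                continue
            if rule.action == "jump":
                if not self._run(rule.value, pkt, conn, is_new):
                    return False
                continue
            if rule.action == "mark-connection":
                conn.mark = rule.value
            else:
                pkt.routing_mark = rule.value
            if not rule.passthrough:
                return False
        return True

    def egress(self, pkt: Packet) -> str:
        """Prerouting mangle followed by the routing decision: the interface the packet leaves on."""
        conn, is_new = self._track(pkt)
        self._run("prerouting", pkt, conn, is_new)
        # Unmarked traffic: assumed default route via WAN1.
        return "lan" if ip_address(pkt.dst) in LAN else ROUTES.get(pkt.routing_mark, "wan1")

def lan_src(p: Packet) -> bool:
    return ip_address(p.src) in LAN

def direct_marking_rules() -> list[Rule]:
    """First post: mark-routing straight from src-address + dst-port (TCP rules only; the model only sends TCP)."""
    return [
        Rule("prerouting", lambda p, c, n: lan_src(p) and in_wan1_ports(p.dport), "mark-routing", "wan1"),
        Rule("prerouting", lambda p, c, n: lan_src(p) and not in_wan1_ports(p.dport), "mark-routing", "tcp-wan2"),
    ]

def connection_marking_rules() -> list[Rule]:
    """Sob's config: inbound connections marked by WAN, LAN connections marked once in 'balance',
    routing marks derived from the connection mark for every packet afterwards."""
    return [
        Rule("prerouting", lambda p, c, n: n and p.in_iface == "wan1", "mark-connection", "wan1_conn", False),
        Rule("prerouting", lambda p, c, n: n and p.in_iface == "wan2", "mark-connection", "wan2_conn", False),
        Rule("prerouting", lambda p, c, n: n and lan_src(p), "jump", "balance"),
        Rule("balance", lambda p, c, n: p.proto in ("tcp", "udp") and in_wan1_ports(p.dport), "mark-connection", "wan1_conn"),
        Rule("balance", lambda p, c, n: c.mark is None, "mark-connection", "wan2_conn"),  # connection-mark=no-mark
        Rule("prerouting", lambda p, c, n: c.mark == "wan1_conn" and lan_src(p), "mark-routing", "wan1", False),
        Rule("prerouting", lambda p, c, n: c.mark == "wan2_conn" and lan_src(p), "mark-routing", "wan2", False),
    ]

def outbound_path(rules: list[Rule], dport: int) -> list[str]:
    """Egress WAN of the first two packets of LAN client 192.168.0.10 (constructed) connecting to 8.8.8.8:dport."""
    fw = Mangle(rules)
    return [fw.egress(Packet("192.168.0.10", "8.8.8.8", "tcp", 40000, dport, "lan")) for _ in range(2)]

def forwarded_reply_path(rules: list[Rule], arrive_iface: str, client_port: int) -> str:
    """Inbound dst-nat'ed connection from 203.0.113.5 (constructed) to 192.168.0.100:37779 arriving on
    arrive_iface; returns the WAN the reply leaves on (correct: arrive_iface). Tracked on the post-dst-nat tuple."""
    fw = Mangle(rules)
    fw.egress(Packet("203.0.113.5", "192.168.0.100", "tcp", client_port, 37779, arrive_iface))
    return fw.egress(Packet("192.168.0.100", "203.0.113.5", "tcp", 37779, client_port, "lan"))
```

For outbound LAN connections both rule sets agree (port 443 leaves via WAN1, port 44444 via WAN2). The difference shows on port forwarding: with direct marking, the reply to a connection that arrived on WAN1 from a client using source port 50000 leaves via WAN2, because the reply's destination port (the client's ephemeral port) decides the route; with connection marks the reply follows the mark set by the in-interface rule back to the WAN it arrived on, which is the behaviour Sob describes for forwarding from both WANs. The same model reproduces Sob's point that with the balance subchain every new LAN connection ends up with either wan1_conn or wan2_conn.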
 
donsergio
newbie
Topic Author
Posts: 48
Joined: Wed Jan 31, 2018 8:35 pm
Location: Spain

Re: Wan balance by ports number (protocol)

Tue Oct 08, 2019 8:26 pm

Hi, sorry for my late response, lots of work.... Yeah, it works.... Now I can redirect any connection via any WAN....

I owe you lots of beers....

Thanks a lot my friend, now full working!!

Best regards!!

