chemy
just joined
Topic Author
Posts: 11
Joined: Mon Apr 30, 2018 11:16 pm
Location: Chile

Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 1:13 am

Hello Everyone!

I'm working with 2 ISPs, one of 10Mbps and the other of 100Mbps. The 10Mbps connection has a public IP to access a web app from outside. From inside my network the ECMP balancing works fine, but when I try to access from outside, the connection can't be established. It seems that the connection is entering from one ISP and going out through the other.

I reviewed the tutorial on the Mikrotik Wiki and I think I did it the right way.

If I deactivate one of the WAN interfaces the NAT works fine.

Here are my routes and my mangle rules:

Mangle
add action=mark-connection chain=input in-interface=ether1-WAN new-connection-mark=WAN_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether5-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN_conn new-routing-mark=to-isp1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to-isp2 passthrough=no
Routes
add check-gateway=ping distance=1 gateway=192.168.1.1,192.168.18.1,192.168.18.1,192.168.18.1,192.168.18.1,192.168.18.1,192.168.18.1,192.168.18.1,192.168.18.1,192.168.18.1,192.168.18.1
add check-gateway=ping distance=1 gateway=192.168.18.1 routing-mark=to-isp2
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to-isp1
Last edited by chemy on Sat Sep 07, 2019 2:31 am, edited 2 times in total.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 1:26 am

Mangle rules should be in pre-routing chain
 
chemy

Re: Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 1:32 am

> Mangle rules should be in pre-routing chain
Do you mean the mark-routing mangle rules? I just tried that and it didn't work. I also tried using prerouting on the 4 mangle rules with no success.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 2:08 am

Mangle rules (for marking connections) would be fine in input, if you were dealing only with connections to the router itself. But if I'm not mistaken, you want to connect to a service behind the router. So you want them in prerouting (they would work in forward too, but in prerouting they will work for both cases). And then of course you need to mark routing for responses from the service:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=WAN_conn new-routing-mark=to-isp1 passthrough=no in-interface=<LAN>
add action=mark-routing chain=prerouting connection-mark=WAN2_conn new-routing-mark=to-isp2 passthrough=no in-interface=<LAN>
 
chemy

Re: Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 2:30 am

Thanks. So, my rules need to be like the following?

BTW, I have a bridge on the LAN side
add action=mark-connection chain=prerouting in-interface=ether1-WAN new-connection-mark=WAN_conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether5-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN_conn in-interface=bridge1 new-routing-mark=to-isp1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge1 new-routing-mark=to-isp2 passthrough=no
 
Sob

Re: Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 3:10 am

Yes, those should work. And I'd keep those you had in chain=output too.
 
chemy

Re: Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 3:18 am

Thanks for your help. But it seems that it still doesn't work.

Here are my current mangle rules:
add action=mark-connection chain=prerouting in-interface=ether1-WAN new-connection-mark=WAN_conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether5-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN_conn in-interface=bridge1 new-routing-mark=to-isp1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge1 new-routing-mark=to-isp2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN_conn new-routing-mark=to-isp1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to-isp2 passthrough=no
 
Sob

Re: Port Forwarding on ECMP Balancing

Sat Sep 07, 2019 4:20 am

Are there any other marking rules that could interfere with these?
 
chemy

Re: Port Forwarding on ECMP Balancing

Sun Sep 08, 2019 7:40 pm

Hi Sob,

I did some testing and it looks like my mangle rules for QoS are causing the problem. If I deactivate them, it works fine.

Here are all my mangle rules:
add action=mark-connection chain=input in-interface=ether1-WAN new-connection-mark=WAN_conn passthrough=yes
add action=mark-connection chain=input in-interface=ether5-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN_conn in-interface=bridge1 new-routing-mark=to-isp1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge1 new-routing-mark=to-isp2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN_conn new-routing-mark=to-isp1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to-isp2 passthrough=no
add action=mark-connection chain=forward comment=RX in-interface-list="Redes WAN" new-connection-mark=rx-con passthrough=yes
add action=mark-packet chain=forward connection-mark=rx-con new-packet-mark=rx-pkt passthrough=yes
add action=mark-connection chain=prerouting comment=TX in-interface-list="Redes LAN" new-connection-mark=tx-con passthrough=yes
add action=mark-packet chain=prerouting connection-mark=tx-con new-packet-mark=tx-pkt passthrough=yes
add action=mark-packet chain=forward comment=DNS connection-mark=rx-con new-packet-mark=dns-rx-pkt passthrough=no port=53 protocol=tcp
add action=mark-packet chain=forward connection-mark=tx-con new-packet-mark=dns-tx-pkt passthrough=no port=53 protocol=tcp
add action=mark-packet chain=forward comment=UDP connection-mark=rx-con new-packet-mark=udp-rx-pkt passthrough=no protocol=udp
add action=mark-packet chain=forward connection-mark=tx-con new-packet-mark=udp-tx-pkt passthrough=no protocol=udp
add action=mark-packet chain=forward comment="HTTP - HTTPS" connection-bytes=0-1000000 new-packet-mark=http-rx-pkt packet-mark=rx-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward connection-bytes=0-1000000 new-packet-mark=http-tx-pkt packet-mark=tx-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment="HTTP - HTTPS Downloads" connection-bytes=1000000-0 connection-mark=rx-con new-packet-mark=http-downloads-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward connection-bytes=1000000-0 connection-mark=tx-con new-packet-mark=http-uploads-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=Other new-packet-mark=other-rx-pkt packet-mark=rx-pkt passthrough=no
add action=mark-packet chain=forward new-packet-mark=other-tx-pkt packet-mark=tx-pkt passthrough=no

What can I do to maintain my QoS and have external access?
 
Sob

Re: Port Forwarding on ECMP Balancing

Sun Sep 08, 2019 8:33 pm

It looks like you don't need the original connection marks at all; the rules are re-marking connections with every packet, always switching between rx-con and tx-con, depending on direction. And all you really use those connection marks for is to avoid repeating the in-interface-list condition for further rules. I'd just do this:
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1-WAN new-connection-mark=WAN_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether5-WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN_conn new-routing-mark=to-isp1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to-isp2 passthrough=no

add action=jump chain=forward comment=RX in-interface-list="Redes WAN" jump-target=rx-con
add action=mark-packet chain=rx-con new-packet-mark=dns-rx-pkt passthrough=no port=53 protocol=tcp
add action=mark-packet chain=rx-con new-packet-mark=udp-rx-pkt passthrough=no protocol=udp
add action=mark-packet chain=rx-con connection-bytes=0-1000000 new-packet-mark=http-rx-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=rx-con new-packet-mark=http-downloads-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=rx-con comment=Other new-packet-mark=other-rx-pkt passthrough=no

add action=jump chain=prerouting comment=TX in-interface-list="Redes LAN" jump-target=tx-con
add action=mark-routing chain=tx-con connection-mark=WAN_conn new-routing-mark=to-isp1 passthrough=yes
add action=mark-routing chain=tx-con connection-mark=WAN2_conn new-routing-mark=to-isp2 passthrough=yes
add action=mark-packet chain=tx-con new-packet-mark=dns-tx-pkt passthrough=no port=53 protocol=tcp
add action=mark-packet chain=tx-con new-packet-mark=udp-tx-pkt passthrough=no protocol=udp
add action=mark-packet chain=tx-con connection-bytes=0-1000000 new-packet-mark=http-tx-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=tx-con new-packet-mark=http-uploads-pkt passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=tx-con new-packet-mark=other-tx-pkt passthrough=no
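
Added example (not part of any poster's message, and not RouterOS code): a small Python model of why the QoS connection marks broke the port forward and why the `connection-mark=no-mark` version keeps replies on the ISP they arrived through. Assumptions: only connection marks and routing marks are modelled, packet marks are left out, the `tx-con` jump chain is flattened into prerouting, and the forwarded service sits behind `bridge1`.

```python
# Simplified model of RouterOS mangle traversal for one forwarded connection.
# Assumption: only connection marks and routing marks are modelled; packet
# marks are left out and Sob's jump chain "tx-con" is flattened into prerouting.
WAN = {"ether1-WAN", "ether5-WAN2"}   # stands in for list "Redes WAN"
LAN = {"bridge1"}                     # stands in for list "Redes LAN"

def rule(chain, action, value, ifaces, conn=None, passthrough=True):
    return dict(chain=chain, action=action, value=value,
                ifaces=ifaces, conn=conn, passthrough=passthrough)

BROKEN = [  # WAN marking plus the original QoS connection marks
    rule("prerouting", "mark-connection", "WAN_conn", {"ether1-WAN"}),
    rule("prerouting", "mark-connection", "WAN2_conn", {"ether5-WAN2"}),
    rule("prerouting", "mark-routing", "to-isp1", LAN, "WAN_conn", False),
    rule("prerouting", "mark-routing", "to-isp2", LAN, "WAN2_conn", False),
    rule("forward", "mark-connection", "rx-con", WAN),      # QoS "RX"
    rule("prerouting", "mark-connection", "tx-con", LAN),   # QoS "TX"
]
FIXED = [   # connection-mark=no-mark guard, no QoS connection marks
    rule("prerouting", "mark-connection", "WAN_conn", {"ether1-WAN"}, "no-mark"),
    rule("prerouting", "mark-connection", "WAN2_conn", {"ether5-WAN2"}, "no-mark"),
    rule("prerouting", "mark-routing", "to-isp1", LAN, "WAN_conn"),
    rule("prerouting", "mark-routing", "to-isp2", LAN, "WAN2_conn"),
]

def traverse(rules, conn, in_iface):
    """Pass one forwarded packet through prerouting, then forward.
    Updates the shared conntrack entry; returns the packet's routing mark."""
    routing = None
    for chain in ("prerouting", "forward"):
        for r in rules:
            if r["chain"] != chain or in_iface not in r["ifaces"]:
                continue
            if r["conn"] is not None and conn["mark"] != r["conn"]:
                continue
            if r["action"] == "mark-connection":
                conn["mark"] = r["value"]
            else:                       # mark-routing
                routing = r["value"]
            if not r["passthrough"]:
                break                   # passthrough=no ends this chain
    return routing

def reply_route(rules, wan_iface):
    """Return (routing table used by the server's reply, final connection mark)."""
    conn = {"mark": "no-mark"}
    traverse(rules, conn, wan_iface)            # inbound request, dst-nat to LAN
    routing = traverse(rules, conn, "bridge1")  # reply from the LAN server
    return routing or "main (ECMP)", conn["mark"]
```

With `BROKEN`, the reply to a connection that arrived on `ether1-WAN` carries no routing mark and falls through to the ECMP default route; with `FIXED` it is routed via `to-isp1`.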
 
chemy

Re: Port Forwarding on ECMP Balancing

Mon Sep 09, 2019 2:10 am

It Works!

Thanks so much!
