StudentSA
just joined
Topic Author
Posts: 9
Joined: Thu Feb 28, 2019 2:02 pm

Slow speed for marked traffic through WAN2

Fri Apr 09, 2021 5:36 pm

Good Day,

My setup is as follows:

Mikrotik Hex RB750Gr3

Failover WAN2 (100/100) (PPPOE) (ISP 2) -> ETH1
Primary WAN1 (200/200) (Static IP) (ISP 1) -> ETH2
local network (LAN_USERS) (192.168.88.0/24) ----> ETH3

By default all LAN_USER internet traffic is using WAN1. This works.

I would however like to force one server on IP 192.168.88.246 to only use WAN2. Some Googling and it seemed pretty easy.
Basically Mangle, NAT, Route? But I guess I must be missing something, as I am getting extremely degraded speed test results from the server in question, i.e. +-1 Mbps up and down.
I have confirmed that WAN2 PPPoE is working by unplugging the cable, connecting my laptop directly to it and initiating the PPPoE connection (full speed as expected).

It is really confusing, as I would have expected my config to either work or not work at all :)

I have checked through my browser (on the server 192.168.88.246) "what is my ip" does show WAN2's Public IP so traffic must be routed that way.

Can someone look over my config and advise what I could check?
[admin@MikroTik] > export hide-sensitive 
# apr/09/2021 15:15:51 by RouterOS 6.47.9
# software id = WEFJ-XXXX
#
# model = RB750Gr3
# serial number = XXXXXXXXXX

/interface bridge
add admin-mac=B8:69:F4:00:00:00 auto-mac=no comment=defconf name=bridge

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan2
set [ find default-name=ether2 ] name=ether2-wan1
set [ find default-name=ether3 ] name=ether3-lan
set [ find default-name=ether4 ] name=ether4-lan
set [ find default-name=ether5 ] name=ether5-lan

/interface pppoe-client
add add-default-route=yes default-route-distance=2 disabled=no interface=ether1-wan2 name=pppoe-out1 user=myuser@myisp.com

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.229

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether3-lan
add bridge=bridge comment=defconf interface=ether4-lan
add bridge=bridge comment=defconf interface=ether5-lan

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan2 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2-wan1 list=WAN

/ip address
add address=192.168.88.1/24 comment="Router IP 192.168.88.1" interface=ether5-lan network=192.168.88.0
add address=41.1.2.50/24 interface=ether2-wan1 network=41.1.2.0

/ip dhcp-client
add comment=defconf interface=ether1-wan2

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall address-list
add address=192.168.88.0/24 list=LAN_USERS
add address=41.1.2.0/24 list=WAN_SUBNET
add address=41.180.72.0/24 list=WAN_SUBNET
add address=169.100.104.0/24 list=WAN_SUBNET
add address=192.168.88.246 list=WAN2_ONLY

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Traffic from WAN2 Server" connection-mark=no-mark dst-address-type=!local new-connection-mark=only-wan2 passthrough=yes \
    src-address=192.168.88.246
add action=mark-routing chain=prerouting connection-mark=only-wan2 in-interface=bridge new-routing-mark=to_wan2 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address-list=LAN_USERS
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none src-address-list=LAN_USERS

/ip route
add distance=1 gateway=pppoe-out1 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=41.1.2.49

detail routing table print:
[admin@MikroTik] /ip route> print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=1 scope=30 target-scope=10 routing-mark=to_wan2 

 1 A S  dst-address=0.0.0.0/0 gateway=41.1.2.49 gateway-status=41.1.2.49 reachable via  ether2-wan1 check-gateway=ping distance=1 scope=30 target-scope=10 

 2  DS  dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=2 scope=30 target-scope=10 

 3 ADC  dst-address=41.1.2.0/24 pref-src=41.1.2.50 gateway=ether2-wan2 gateway-status=ether2-wan2 reachable distance=0 scope=10 

 4 ADC  dst-address=41.3.4.225/32 pref-src=169.0.1.178 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10
 
 
Really appreciate any help
 
StudentSA
just joined
Topic Author
Posts: 9
Joined: Thu Feb 28, 2019 2:02 pm

Re: Slow speed for marked traffic through WAN2

Fri Apr 09, 2021 6:23 pm

I think I'm on to something,

Disabling all Firewall rules magically fixes the connection.

The Firewall rules that I have are all default rules as far as I am aware. When disabling one rule at a time and observing the connection speeds I found that disabling rule 8 fasttrack connection seems to make everything work.

Would leaving this disabled have any negative effects?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Slow speed for marked traffic through WAN2

Fri Apr 09, 2021 7:02 pm

DON'T DISABLE FIREWALL RULES IF CONNECTED TO THE INTERNET!

As for fasttrack, yes, mangling and fasttrack don't work well together.
However, there is a better, easier way to accomplish what you want WITHOUT MANGLING, which is always better as you can leave the fasttrack rule up and running.

(1) First make sure you have a source NAT rule for each WAN interface. Please see below.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1   {applicable for dynamic WAN IP}
add action=src-nat chain=srcnat out-interface=ether2-wan1 to-addresses=41.1.2.50 ipsec-policy=out,none   {applicable for static WAN IP}

(2) WHAT THE HECK is this IP address????????
add address=192.168.88.1/24 comment="Router IP 192.168.88.1" interface=ether5-lan network=192.168.88.0
it should be the BRIDGE!!!
add address=192.168.88.1/24 comment="Router IP 192.168.88.1" interface=bridge network=192.168.88.0


(3) Okay, now to the key changes for IP routing.
[a] First rule of thumb is that you need a NORMAL set of standard IP routes for each interface. Also, for failover, just put the distance greater for the secondary failover interface.
As per the below, all traffic going out of the router will be directed out the lesser-distance interface (5), through your primary WAN.
The only time this will not be the case is if the router pings the primary and it's not available; then it will switch to the secondary. The router will continue pinging, and if the primary comes back up the router will switch back to the primary.

/ip route
add check-gateway=ping distance=5 gateway=41.1.2.49
add distance=10 gateway=pppoe-out1

[b] Now add another route for every exception you need to define. In your case you wish to ensure that one device only uses WAN2, so we need another route for WAN2. So copy the rule above for WAN2 (secondary WAN) and add the necessary routing mark (which will be referenced in the route rule below).
add distance=10 gateway=pppoe-out1 routing-mark=serveronly

[c] Add a corresponding route RULE:
/ip route rule
add src-address=192.168.88.246 action=lookup-only-in-table table=serveronly


Done, it should work now as requested, with all firewall rules in place including fasttrack.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Slow speed for marked traffic through WAN2

Fri Apr 09, 2021 7:11 pm

Fasttrack has to be disabled for traffic that needs to go through mangle - in your case it is enough to add the condition routing-table=main to the fasttrack rule.

Or, as the conditions you use in your mangle rules are as simple as a single src-address, you could follow @anav's advice and replace mangle with a route rule.
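As an added example (not code from the thread or from MikroTik), here is a small Python linter that parses a RouterOS export like the one posted above and flags the three pitfalls raised in the replies: the LAN address sitting on a bridge port instead of the bridge, a WAN interface with no srcnat rule bound to it, and a mark-routing mangle rule coexisting with a fasttrack rule that carries no routing-mark/routing-table condition. The embedded export is a constructed, trimmed excerpt of the original post's config; the function names and the finding texts are my own.

```python
import re

EXPORT = r"""
/interface bridge port
add bridge=bridge interface=ether5-lan
/interface pppoe-client
add add-default-route=yes interface=ether1-wan2 name=pppoe-out1
/interface list member
add interface=ether1-wan2 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2-wan1 list=WAN
/ip address
add address=192.168.88.1/24 comment="Router IP 192.168.88.1" interface=ether5-lan network=192.168.88.0
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=only-wan2 new-routing-mark=to_wan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address-list=LAN_USERS
add action=masquerade chain=srcnat src-address-list=LAN_USERS
"""  # constructed, trimmed excerpt of the export posted in the thread

def parse_export(text):
    # Map each "/section" header to its add/set entries as key=value dicts; "\" continuations are joined.
    sections, cur = {}, None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            cur = sections.setdefault(line, [])
        elif cur is not None and line[:4] in ("add ", "set "):
            cur.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def lint(sections):
    # One finding per pitfall raised in the thread; an empty list means none of them apply.
    findings = []
    ports = {p.get("interface") for p in sections.get("/interface bridge port", [])}
    for a in sections.get("/ip address", []):  # the LAN address belongs on the bridge, not a member port
        if a.get("interface") in ports:
            findings.append(f"address {a['address']} is on bridge port {a['interface']}; move it to the bridge")
    wans = {m["interface"] for m in sections.get("/interface list member", []) if m.get("list") == "WAN"}
    carriers = {c.get("interface") for c in sections.get("/interface pppoe-client", [])}  # ether under PPPoE
    nat_out = {n.get("out-interface") for n in sections.get("/ip firewall nat", []) if n.get("chain") == "srcnat"}
    for w in sorted(wans - carriers - nat_out):  # an explicit srcnat rule is expected per WAN interface
        findings.append(f"no srcnat rule bound to WAN interface {w}")
    marking = any(m.get("action") == "mark-routing" for m in sections.get("/ip firewall mangle", []))
    fast = [f for f in sections.get("/ip firewall filter", []) if f.get("action") == "fasttrack-connection"]
    if marking and fast and not any("routing-mark" in f or "routing-table" in f for f in fast):
        findings.append("mangle mark-routing present but the fasttrack rule has no routing-mark/routing-table condition")
    return findings
```

Running `lint(parse_export(EXPORT))` on the excerpt yields exactly the three findings above; after applying the fixes from the replies the list is empty.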
 
StudentSA
just joined
Topic Author
Posts: 9
Joined: Thu Feb 28, 2019 2:02 pm

Re: Slow speed for marked traffic through WAN2

Mon Apr 12, 2021 1:38 pm

Thanks,

@anav, I did modify the sensitive IPs when sending the export (safety and all).

Thanks for the pointers, I have changed the router IP to be on the bridge.

All working as expected.

Cheers
