Community discussions

 
User avatar
uebi
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Tue Sep 13, 2005 5:27 pm
Location: Austria
Contact:

Routing Mark Problem/Question for incoming connections

Wed Dec 26, 2007 4:16 am

Hi there!

I'm writing this topic via my routerboard that has 2 internet connections (DSL and Cable, 2 default gateways with different routing marks). I do some marking to do tcp port 80 over the DSL line and everything else over cable. Works fine, I surf the web via the DSL line, do my ssh stuff via the cable connection, send mails through the cable connection, .... but there is something I don't understand...

As soon as I activate the marking, everything works fine and I have something like a "static" load balancing (which is my intention!), but the second this is active, I can no longer ping the WAN IPs??? I have two public IPs, one from my cable provider and one from my DSL PPTP connection, which are both pingable, but only as long as I don't do any marking.

The question is why? Am I missing something? What do I have to configure for incoming connections? Or does my routerboard just want me to got to bed? *G*



Thanks!

Greets,
uebi
"They have the Internet on computers now?" - Homer Simpson
 
User avatar
uebi
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Tue Sep 13, 2005 5:27 pm
Location: Austria
Contact:

Re: Routing Mark Problem/Question for incoming connections

Wed Dec 26, 2007 4:22 am

I tried about an hour, than I posted the topic and a few minutes later, I found out that I just have to add the "default" gateway again without a routing mark.

Well, it's far past midnight here ;-)


Thanks,
uebi

PS: I didn't delete the topic, because maybe somebody has the same problem some day. If the admins don't think that way - delete it and punish me in Krakow ;-)
"They have the Internet on computers now?" - Homer Simpson
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Routing Mark Problem/Question for incoming connections

Sat Dec 29, 2007 6:48 pm

hi dude

can you post you conf ?


I tried about an hour, than I posted the topic and a few minutes later, I found out that I just have to add the "default" gateway again without a routing mark.

Well, it's far past midnight here ;-)


Thanks,
uebi

PS: I didn't delete the topic, because maybe somebody has the same problem some day. If the admins don't think that way - delete it and punish me in Krakow ;-)
 
User avatar
uebi
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Tue Sep 13, 2005 5:27 pm
Location: Austria
Contact:

Re: Routing Mark Problem/Question for incoming connections

Sat Dec 29, 2007 7:35 pm

Sure. Just replaced the IPs and addes some comments.

The 3 routes. I got one more static route for a network I always wanna reach via Upstream1, but I didn't paste it here.
/ip route
add comment="Gateway for upstream1 markings" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=upstream1-traffic scope=30 \
target-scope=10
add comment="Gateway for upstream2 markings" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=upstream2-traffic scope=255 \
target-scope=10
add comment="Default Gateway" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.2 scope=255 target-scope=10


Marking. All port 80 and port 53 traffic goes through Upstream1. Everything else through Upstream2.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="All Connections" disabled=no in-interface=bridge1 \
new-connection-mark=all-connections passthrough=yes
add action=mark-routing chain=prerouting comment="Upstream1" connection-mark=all-connections disabled=no dst-port=80 \
in-interface=bridge1 new-routing-mark=upstream1-traffic passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="" connection-mark=all-connections disabled=no dst-port=53 \
in-interface=bridge1 new-routing-mark=upstream1-traffic passthrough=yes protocol=udp
add action=mark-routing chain=prerouting comment="Upstream2" connection-mark=all-connections disabled=no dst-port=!80 \
in-interface=bridge1 new-routing-mark=upstream2-traffic passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="" connection-mark=all-connections disabled=no in-interface=bridge1 \
new-routing-mark=upstream2-traffic passthrough=yes protocol=icmp
add action=mark-routing chain=prerouting comment="" connection-mark=all-connections disabled=no dst-port=!53 \
in-interface=bridge1 new-routing-mark=upstream2-traffic passthrough=yes protocol=udp

Traffic for Upstream1 needs to be masqueraded (dynamic IP), traffic for Upstream2 is natted to my static cable IP.
/ip firewall nat
add action=masquerade chain=srcnat comment="Upstream1" disabled=no dst-address=0.0.0.0/0 out-interface=pptp-upstream1 \
routing-mark=upstream1-traffic src-address=192.168.7.0/24
add action=src-nat chain=srcnat comment="Upstream2" disabled=no dst-address=0.0.0.0/0 out-interface=ether1 \
routing-mark=upstream-traffic src-address=192.168.7.0/24 to-addresses=1.2.3.4 to-ports=0-65535


Hope I didn't forget anything ;-)

Greets,
uebi
"They have the Internet on computers now?" - Homer Simpson
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Routing Mark Problem/Question for incoming connections

Sat Dec 29, 2007 11:32 pm

i have 2 dsl 1 is static ip and second is on dhcpd isp assing ip . i make port forwording 8291 to the dsl 1 ether2
simple senario all traffic route to ether3 except 80 on ether1 and i could connect winbox from remote location

i apply this rules based on your rules. this not working make any mistake ??




/ip route print

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 ADC 192.168.0.0/24 192.168.0.4 ether2
1 ADC 192.168.1.0/24 192.168.1.101 ether3
2 ADC 192.168.10.0/23 192.168.10.1 ether1
3 A S ;;; Gateway for upstream1 markings
0.0.0.0/0 r 192.168.0.5 1 ether2
4 A S ;;; Gateway for upstream2 markings
0.0.0.0/0 u 192.168.1.100 1
5 A S ;;; Default Gateway
0.0.0.0/0 r 192.168.0.5 1 ether2


/ip firewall mangle

;;; All Connections
chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=all-connections passthrough=yes

21 ;;; Upstream1
chain=prerouting in-interface=ether1 protocol=tcp dst-port=80 connection-mark=all-connections action=mark-routing
new-routing-mark=upstream1-traffic passthrough=yes

22 ;;; Upstream1
chain=prerouting in-interface=ether1 protocol=tcp dst-port=8291 connection-mark=all-connections action=mark-routing
new-routing-mark=upstream1-traffic passthrough=yes

23 ;;; Upstream2
chain=prerouting in-interface=ether1 protocol=tcp dst-port=!80 connection-mark=all-connections action=mark-routing
new-routing-mark=upstream2-traffic passthrough=yes

24 ;;; Upstream2
chain=prerouting in-interface=ether1 protocol=tcp dst-port=!8291 connection-mark=all-connections action=mark-routing
new-routing-mark=upstream2-traffic passthrough=yes

25 chain=prerouting in-interface=ether1 protocol=icmp connection-mark=all-connections action=mark-routing
new-routing-mark=upstream2-traffic passthrough=yes


/ip firewall nat print

2 ;;; Upstream1
chain=srcnat out-interface=ether2 src-address=192.168.10.0/23 dst-address=0.0.0.0/0 routing-mark=upstream1-traffic
action=masquerade

3 ;;; Upstream2
chain=srcnat out-interface=ether3 src-address=192.168.10.0/23 dst-address=0.0.0.0/0 routing-mark=upstream-traffic
action=src-nat to-addresses=192.168.1.100 to-ports=0-65535

Sure. Just replaced the IPs and addes some comments.

The 3 routes. I got one more static route for a network I always wanna reach via Upstream1, but I didn't paste it here.
/ip route
add comment="Gateway for upstream1 markings" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=upstream1-traffic scope=30 \
target-scope=10
add comment="Gateway for upstream2 markings" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=upstream2-traffic scope=255 \
target-scope=10
add comment="Default Gateway" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.2 scope=255 target-scope=10


Marking. All port 80 and port 53 traffic goes through Upstream1. Everything else through Upstream2.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="All Connections" disabled=no in-interface=bridge1 \
new-connection-mark=all-connections passthrough=yes
add action=mark-routing chain=prerouting comment="Upstream1" connection-mark=all-connections disabled=no dst-port=80 \
in-interface=bridge1 new-routing-mark=upstream1-traffic passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="" connection-mark=all-connections disabled=no dst-port=53 \
in-interface=bridge1 new-routing-mark=upstream1-traffic passthrough=yes protocol=udp
add action=mark-routing chain=prerouting comment="Upstream2" connection-mark=all-connections disabled=no dst-port=!80 \
in-interface=bridge1 new-routing-mark=upstream2-traffic passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting comment="" connection-mark=all-connections disabled=no in-interface=bridge1 \
new-routing-mark=upstream2-traffic passthrough=yes protocol=icmp
add action=mark-routing chain=prerouting comment="" connection-mark=all-connections disabled=no dst-port=!53 \
in-interface=bridge1 new-routing-mark=upstream2-traffic passthrough=yes protocol=udp

Traffic for Upstream1 needs to be masqueraded (dynamic IP), traffic for Upstream2 is natted to my static cable IP.
/ip firewall nat
add action=masquerade chain=srcnat comment="Upstream1" disabled=no dst-address=0.0.0.0/0 out-interface=pptp-upstream1 \
routing-mark=upstream1-traffic src-address=192.168.7.0/24
add action=src-nat chain=srcnat comment="Upstream2" disabled=no dst-address=0.0.0.0/0 out-interface=ether1 \
routing-mark=upstream-traffic src-address=192.168.7.0/24 to-addresses=1.2.3.4 to-ports=0-65535


Hope I didn't forget anything ;-)

Greets,
uebi
 
User avatar
uebi
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Tue Sep 13, 2005 5:27 pm
Location: Austria
Contact:

Re: Routing Mark Problem/Question for incoming connections

Sat Dec 29, 2007 11:47 pm

Does your MT have the public IPs assigned to its interfaces and did you just replace them in your post to not show them? Is it a DSL MODEM or ROUTER?
Basically, I have both public IPs directly on my MT (static and pptp) and therefore I don't need any portforwarding/marking/whatever to be able to access the router with winbox from outside my LAN.


Greets,
uebi
"They have the Internet on computers now?" - Homer Simpson
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Routing Mark Problem/Question for incoming connections

Sun Dec 30, 2007 12:27 am

thanks dude for your prompt reply

lets assume both are dsl and i forworded 8291 from uplink1 connection ether2 , ether 3 dsl don't have static ip . i hope you understand my question . send me your email i am online right now at msn

Does your MT have the public IPs assigned to its interfaces and did you just replace them in your post to not show them? Is it a DSL MODEM or ROUTER?
Basically, I have both public IPs directly on my MT (static and pptp) and therefore I don't need any portforwarding/marking/whatever to be able to access the router with winbox from outside my LAN.


Greets,
uebi
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Routing Mark Problem/Question for incoming connections

Tue Jan 01, 2008 9:52 pm

where r u uebi ?
 
User avatar
uebi
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Tue Sep 13, 2005 5:27 pm
Location: Austria
Contact:

Re: Routing Mark Problem/Question for incoming connections

Wed Jan 02, 2008 12:51 am

Sorry, I was away from my computer.

I don't have MSN here :-(
E-Mail?


Greets
"They have the Internet on computers now?" - Homer Simpson
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Routing Mark Problem/Question for incoming connections

Wed Jan 02, 2008 3:40 pm

well i post my issue in my pervious post please read !!!
 
User avatar
uebi
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Tue Sep 13, 2005 5:27 pm
Location: Austria
Contact:

Re: Routing Mark Problem/Question for incoming connections

Wed Jan 02, 2008 11:47 pm

I already read it, but I'm still not sure why you need a portforwarding for Winbox ON the MT??
Do you have ADSL-Modems (Bridge) oder ADSL-Routers in front of the MT?

I never had any issues getting onto my MT with this config when the public IPs ar ON THE MT, not in front on the ADSL-Router! If your public IPs are configured on your ADSL Router (not the MT!), then you need to configure a DST-NAT on the ADSL-Router to forward the Winbox Port to the private MT IP, but I don't any application where you need a portforwarding ON a MT to access it with winbox.


Greets,
uebi
"They have the Internet on computers now?" - Homer Simpson
 
pokeman
Member Candidate
Member Candidate
Posts: 136
Joined: Fri Jun 05, 2009 10:52 pm

Re: Routing Mark Problem/Question for incoming connections

Fri Jan 18, 2008 7:46 pm

hello

hi urbi still this issue not resolve

waiting your reply

Who is online

Users browsing this forum: No registered users and 88 guests