pastranini
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Nov 19, 2007 5:48 am

Load Balancing 3dsl, Bank's pages not resolve

Wed Feb 18, 2009 6:54 pm

Hello All
I made load balancing with 3 WANs, 4 Mb each; after that, all my bank pages don't work. I attached a picture of my network.

I'm trying to resolve this problem by setting the MTU to less than 1500 and changing the MSS, but I don't know how to do it.

Any advice?
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Load Balancing 3dsl, Bank's pages not resolve

Wed Feb 18, 2009 11:57 pm

pastranini -

Without your actual configuration it is hard to tell what has gone wrong. But from your description it sounds like you do not have a persistent connection for HTTPS (banks). You need to share your configuration here; post it on the forum. I suspect that you used some form of load balancing and did not get it implemented correctly.

R/
 
pastranini
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Nov 19, 2007 5:48 am

Re: Load Balancing 3dsl, Bank's pages not resolve

Thu Feb 19, 2009 1:57 am

THIS IS MY CONF. ON THE RB450 (this is used only for load balancing)



MANGLE:

0 ;;; WAN1
chain=prerouting action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=new in-interface=ether1 nth=2,0

1 chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no in-interface=ether1 connection-mark=wan1

2 ;;; WAN2
chain=prerouting action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=new in-interface=ether1 nth=2,1

3 chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=no in-interface=ether1 connection-mark=wan2

4 ;;; WAN3
chain=prerouting action=mark-connection new-connection-mark=wan3 passthrough=yes connection-state=new in-interface=ether1 nth=2,2

5 chain=prerouting action=mark-routing new-routing-mark=wan3 passthrough=no in-interface=ether1 connection-mark=wan3


NAT:

0 chain=srcnat action=masquerade out-interface=ether2 wan1

1 chain=srcnat action=masquerade out-interface=ether3 wan2

2 X chain=srcnat action=masquerade out-interface=ether4 OUT OF SERVICE ¡¡¡¡

3 chain=srcnat action=masquerade out-interface=ether5 wan3

ROUTE:

0 A S dst-address=0.0.0.0/0 gateway=172.16.3.1 interface=ether3 gateway-state=reachable distance=1 scope=30 target-scope=10 routing-mark=wan2

1 A S dst-address=0.0.0.0/0 gateway=192.168.3.254 interface=ether5 gateway-state=reachable distance=1 scope=30 target-scope=10 routing-mark=wan3

2 A S dst-address=0.0.0.0/0 gateway=192.168.1.254 interface=ether2 gateway-state=reachable distance=1 scope=30 target-scope=10 routing-mark=wan1

3 ADS dst-address=0.0.0.0/0 gateway=172.16.3.1 interface=ether3 gateway-state=reachable distance=0 scope=30 target-scope=10

4 DS dst-address=0.0.0.0/0 gateway=192.168.1.254 interface=ether2 gateway-state=reachable distance=0 scope=30 target-scope=10

5 DS dst-address=0.0.0.0/0 gateway=192.168.3.254 interface=ether5 gateway-state=reachable distance=0 scope=30 target-scope=10

6 ADC dst-address=10.10.10.0/24 pref-src=10.10.10.1 interface=ether1 distance=0 scope=10

7 ADC dst-address=172.16.3.0/24 pref-src=172.16.3.5 interface=ether3 distance=0 scope=10

8 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.72 interface=ether2 distance=0 scope=10

9 ADC dst-address=192.168.3.0/24 pref-src=192.168.3.200 interface=ether5 distance=0 scope=10

10 ADC dst-address=192.168.100.23/32 pref-src=192.168.100.24 interface=l2tp-out1 distance=0 scope=10



THIS IS THE CONF ON THE PC WITH ROUTEROS, BEHIND THE RB450


/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=21 address=0.0.0.0/0 disabled=no
set www port=80 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=no

/ ip address
add address=172.16.68.1/24 network=172.16.68.0 broadcast=172.16.68.255 \
interface=LAN comment="" disabled=no

/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connections=1000 \
maximal-server-connections=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no

/ip route
# DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE
0 ADC 10.10.10.0/24 10.10.10.4 Internet29505
1 ADC 172.16.68.0/24 172.16.68.1 LAN
2 X S 0.0.0.0/0 u 192.168.1.254
3 X S 0.0.0.0/0 u 192.168.3.254
4 X S 0.0.0.0/0 u 192.168.1.254
5 X S 0.0.0.0/0 u 192.168.2.1
6 AD 0.0.0.0/0 r 10.10.10.1 0 Internet29505

/ ip firewall mangle
add chain=prerouting src-address=172.16.68.29 content=speedtest \
action=mark-connection new-connection-mark=speedtest.net passthrough=yes \
comment="PRUEBA" disabled=no
add chain=prerouting connection-mark=speedtest.net action=mark-packet \
new-packet-mark=sppedpack passthrough=no comment="" disabled=no
add chain=prerouting src-address=172.16.68.0/26 action=mark-routing \
new-routing-mark=A passthrough=no comment="" disabled=yes
add chain=prerouting src-address=172.16.68.64/26 action=mark-routing \
new-routing-mark=B passthrough=no comment="" disabled=yes
add chain=prerouting src-address=172.16.68.128/26 action=mark-routing \
new-routing-mark=C passthrough=no comment="" disabled=yes
add chain=prerouting src-address=172.16.68.192/26 action=mark-routing \
new-routing-mark=D passthrough=no comment="" disabled=yes
add chain=prerouting src-address-list=Achiris action=mark-routing \
new-routing-mark=ConexionesA passthrough=yes comment="" disabled=yes
add chain=prerouting content=ares action=mark-connection \
new-connection-mark=ares passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ares action=mark-packet \
new-packet-mark=arespacket passthrough=no comment="" disabled=no
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=ConexionesP2P passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=ConexionesP2P action=mark-packet \
new-packet-mark=P2PCA passthrough=no comment="" disabled=no
add chain=prerouting content=hotmail action=mark-connection \
new-connection-mark=hotmailconn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=hotmailconn action=mark-packet \
new-packet-mark=hotpacket passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=1863 action=mark-connection \
new-connection-mark=msnconn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=msnconn action=mark-packet \
new-packet-mark=msnpaquet passthrough=no comment="" disabled=no
add chain=prerouting content=imss action=mark-connection \
new-connection-mark=immsconn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=immsconn action=mark-packet \
new-packet-mark=immspaqeut passthrough=no comment="" disabled=no
add chain=prerouting content=ban action=mark-connection \
new-connection-mark=Bancosconn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=Bancosconn action=mark-packet \
new-packet-mark=bancospaqeut passthrough=no comment="" disabled=no
add chain=prerouting content=HSBC action=mark-connection \
new-connection-mark=HSBCconn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=HSBCconn action=mark-packet \
new-packet-mark=Hsbcpaqeut passthrough=no comment="" disabled=no
add chain=prerouting in-interface=LAN connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=Impar passthrough=yes \
comment="" disabled=yes
add chain=prerouting in-interface=LAN connection-mark=Impar \
action=mark-routing new-routing-mark=Impar passthrough=no comment="" \
disabled=yes
add chain=prerouting in-interface=LAN connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=Par passthrough=yes comment="" \
disabled=yes
add chain=prerouting in-interface=LAN connection-mark=Par action=mark-routing \
new-routing-mark=Par passthrough=no comment="" disabled=yes
add chain=prerouting in-interface=LAN connection-state=new nth=2,4,2 \
src-address-list=Achiris action=mark-connection new-connection-mark=nulo \
passthrough=yes comment="" disabled=yes
add chain=prerouting in-interface=LAN connection-mark=nulo action=mark-routing \
new-routing-mark=nulo passthrough=no comment="" disabled=yes
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1448 \
comment="" disabled=yes
/ ip firewall nat
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 action=redirect \
to-ports=3128 comment="" disabled=no
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 \
src-address-list=Angostura action=redirect to-ports=3128 comment="" \
disabled=yes
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 \
src-address-list=Nuevos action=redirect to-ports=3128 comment="" \
disabled=yes
add chain=srcnat src-address=172.16.68.0/24 dst-address=!172.16.68.0/24 \
action=masquerade comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=1701 action=dst-nat \
to-addresses=172.16.68.15 to-ports=1701 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=1723 action=dst-nat \
to-addresses=172.16.68.15 to-ports=1723 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=5900 action=dst-nat \
to-addresses=172.16.68.15 to-ports=5900 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=3389 action=dst-nat \
to-addresses=172.16.68.15 to-ports=3389 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=26 action=dst-nat \
to-addresses=172.16.68.15 to-ports=26 comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=25 action=dst-nat \
to-addresses=172.16.68.15 to-ports=25 comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
/ ip firewall filter
add chain=forward action=jump jump-target=virus comment="" disabled=no
add chain=forward action=jump jump-target=prohibidas comment="" disabled=no
add chain=virus protocol=tcp dst-port=135-139 src-address-list=Achiris \
action=drop comment="blaaster Achiris" disabled=no
add chain=virus protocol=tcp dst-port=135-139 src-address-list=Angostura \
action=drop comment="blaaster Angostura" disabled=no
add chain=virus src-address-list=Angostura action=return comment="" \
disabled=no
add chain=prohibidas content=redtube action=drop comment="" disabled=no
add chain=prohibidas content=pornogatitas action=drop comment="" disabled=no
add chain=prohibidas action=return comment="" disabled=no
add chain=forward protocol=tcp dst-port=80 src-address-list=Achiris \
action=accept comment="" disabled=yes
add chain=forward protocol=tcp dst-port=1863 action=accept comment="Regla del \
MSN" disabled=no
add chain=forward connection-state=invalid action=drop comment="Conexiones \
Invalidas" disabled=no
add chain=forward src-address-list=Cortadas action=drop comment="Ip Cortadas, \
para que no navegue nada" disabled=no
/ ip firewall address-list
add list=Achiris address=172.16.68.2 comment="" disabled=yes
add list=Achiris address=172.16.68.3 comment="" disabled=yes
add list=Achiris address=172.16.68.4 comment="" disabled=yes
add list=Achiris address=172.16.68.5 comment="" disabled=yes
add list=Achiris address=172.16.68.6 comment="" disabled=yes
add list=Achiris address=172.16.68.7 comment="" disabled=yes
add list=Achiris address=172.16.68.9 comment="" disabled=yes
add list=Achiris address=172.16.68.11 comment="" disabled=yes
add list=Achiris address=172.16.68.12 comment="" disabled=yes
add list=Achiris address=172.16.68.13 comment="" disabled=yes
add list=Achiris address=172.16.68.14 comment="" disabled=yes
add list=Achiris address=172.16.68.15 comment="" disabled=yes
add list=Achiris address=172.16.68.17 comment="" disabled=yes
add list=Achiris address=172.16.68.18 comment="" disabled=yes
add list=Achiris address=172.16.68.19 comment="" disabled=yes
add list=Achiris address=172.16.68.20 comment="" disabled=yes
add list=Achiris address=172.16.68.50 comment="" disabled=yes
add list=Achiris address=172.16.68.51 comment="" disabled=yes
add list=Achiris address=172.16.68.52 comment="" disabled=yes
add list=Achiris address=172.16.68.53 comment="" disabled=yes
add list=Achiris address=172.16.68.54 comment="" disabled=yes
add list=Achiris address=172.16.68.55 comment="" disabled=yes
add list=Achiris address=172.16.68.16 comment="" disabled=yes
add list=Achiris address=172.16.68.21 comment="" disabled=yes
add list=Achiris address=172.16.68.22 comment="" disabled=yes
add list=Achiris address=172.16.68.56 comment="" disabled=yes
add list=Angostura address=172.16.68.65 comment="" disabled=yes
add list=Angostura address=172.16.68.66 comment="" disabled=yes
add list=Angostura address=172.16.68.67 comment="" disabled=yes
add list=Angostura address=172.16.68.68 comment="" disabled=yes
add list=Angostura address=172.16.68.69 comment="" disabled=yes
add list=Angostura address=172.16.68.70 comment="" disabled=yes
add list=Cortadas address=172.16.68.74 comment="" disabled=yes
add list=Angostura address=172.16.68.72 comment="" disabled=yes
add list=Angostura address=172.16.68.73 comment="" disabled=yes
add list=Angostura address=172.16.68.74 comment="" disabled=yes
add list=Angostura address=172.16.68.75 comment="" disabled=yes
add list=Cortadas address=172.16.68.76 comment="" disabled=yes
add list=Angostura address=172.16.68.77 comment="" disabled=yes
add list=Angostura address=172.16.68.78 comment="" disabled=yes
add list=Cortadas address=172.16.68.79 comment="" disabled=yes
add list=Nuevos address=172.16.68.193 comment="" disabled=yes
add list=Cortadas address=172.16.68.194 comment="" disabled=yes
add list=Nuevos address=172.16.68.195 comment="" disabled=yes
add list=Angostura address=172.16.68.80 comment="" disabled=yes
add list=Angostura address=172.16.68.81 comment="" disabled=yes
add list=Angostura address=172.16.68.82 comment="" disabled=yes
add list=Cortadas address=172.16.68.6 comment="" disabled=yes
add list=Cortadas address=172.16.68.10 comment="" disabled=no
add list=Cortadas address=172.16.68.12 comment="" disabled=yes
add list=Cortadas address=172.16.68.23 comment="" disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes

/ ip dhcp-client
# GET IP FROM RB450
add interface=Internet29505 add-default-route=yes use-peer-dns=yes \
use-peer-ntp=yes comment="" disabled=no

/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy" \
transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="LLamar_A_Redcom_6737329798_o_6737340122" \
max-object-size=4096KiB cache-drive=system max-cache-size=unlimited \
max-ram-cache-size=unlimited

I KNOW IT IS SO LARGE BUT I DON'T KNOW WHAT I CAN DO!!!
 
pastranini
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Nov 19, 2007 5:48 am

Re: Load Balancing 3dsl, Bank's pages not resolve

Fri Feb 20, 2009 3:01 am

I DON'T KNOW WHAT HAPPENED WITH THE BANK PAGES, BUT ON ONE OF THEM THE PICTURE THAT I ATTACHED APPEARS; WHEN I CONNECTED MY LAPTOP DIRECTLY TO THE DSL IT WORKS FINE.
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Load Balancing 3dsl, Bank's pages not resolve

Fri Feb 20, 2009 3:25 pm

> I DON'T KNOW WHAT HAPPENED WITH THE BANK PAGES, BUT ON ONE OF THEM THE PICTURE THAT I ATTACHED APPEARS; WHEN I CONNECTED MY LAPTOP DIRECTLY TO THE DSL IT WORKS FINE.

It needs HTTPS but couldn't connect with it?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Load Balancing 3dsl, Bank's pages not resolve

Fri Feb 20, 2009 5:49 pm

Please provide us a translation of the text on the screenshot.
 
pastranini
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Nov 19, 2007 5:48 am

Re: Load Balancing 3dsl, Bank's pages not resolve

Fri Feb 20, 2009 6:13 pm

Yes Normis, I know that I need HTTPS. I allowed 443 but nothing happened. I'm going crazy; customers want to shoot me.

Chupaka, this is the translation:

For your security, we remind you that you cannot log in to the application in this way, so you have been redirected and your IP has been registered.
 
NetTraptor
Frequent Visitor
Posts: 76
Joined: Tue May 17, 2005 4:12 pm
Location: Athens Greece

Re: Load Balancing 3dsl, Bank's pages not resolve

Fri Feb 20, 2009 8:20 pm

Try excluding HTTPS from the load balancing, aka forcing it through only one DSL... :D
They must be keeping track of your originating IP.
 
sudiptakp
Frequent Visitor
Posts: 77
Joined: Thu Jan 29, 2009 2:43 pm

Re: Load Balancing 3dsl, Bank's pages not resolve

Sat Feb 21, 2009 3:46 pm

I know the solution for this. I have already faced the same issue with a link load balancer. You are not only facing problems with HTTPS but also problems with SMTP; just check: try sending some e-mails through Outlook Express using an external SMTP server. This is a very common issue with load-balancing applications. You need to enable connection persistence for SMTP, HTTPS, SSH, SFTP, etc.
I think the following link might help.

http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent

Thanks,

Sudipta
 
alphahawk
Member Candidate
Posts: 101
Joined: Fri Mar 28, 2008 6:40 pm

Re: Load Balancing 3dsl, Bank's pages not resolve

Mon Feb 23, 2009 7:59 pm

Short answer to what is wrong: after your users log in to their bank's web site, the new pages create a new connection that most of the time ends up going out a new pipe. Bank web pages don't like this.

Easy fix is to mark port 443 to one pipe and let all 443 traffic go out that pipe.

Example code, put at the top of your mark list:

/ ip firewall mangle
add chain=prerouting in-interface=ether2 connection-state=new protocol=tcp dst-port=443 action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=ether2 connection-mark=odd protocol=tcp dst-port=443 action=mark-routing new-routing-mark=odd passthrough=no comment="" disabled=no
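Putting alphahawk's fix together with sudiptakp's list of session-bound protocols, in pastranini's own naming, as an added example rather than anything posted in the thread: it assumes ether1 is the LAN and that the wan1/wan2/wan3 marked routes from his ROUTE list exist, and uses RouterOS 3.x matchers (connection-mark=no-mark, the two-value nth form already in his rules).

```routeros
# Added example, not from the thread. Assumes: ether1 = LAN, routes with
# routing-mark=wan1/wan2/wan3 already present, RouterOS 3.x syntax.
/ip firewall mangle
# 1. Pin session-bound protocols to one WAN before any balancing rule.
#    HTTPS (443), SMTP (25), SSH/SFTP (22): the server ties the session to the
#    client's source IP, so every connection of that session must leave through
#    the same gateway. passthrough=yes so the routing rules below still run;
#    passthrough=no here would send the first SYN out via the main table.
add chain=prerouting in-interface=ether1 connection-state=new protocol=tcp \
    dst-port=443,25,22 action=mark-connection new-connection-mark=wan1 \
    passthrough=yes comment="persistent: always wan1"
# 2. Balance only connections that carry no mark yet. Three WANs, so
#    nth=3,1 takes one in three, nth=2,1 takes half of the rest, and the
#    last rule takes whatever is still unmarked.
add chain=prerouting in-interface=ether1 connection-state=new \
    connection-mark=no-mark nth=3,1 action=mark-connection \
    new-connection-mark=wan1 passthrough=yes comment="balance 1/3"
add chain=prerouting in-interface=ether1 connection-state=new \
    connection-mark=no-mark nth=2,1 action=mark-connection \
    new-connection-mark=wan2 passthrough=yes comment="balance 1/3"
add chain=prerouting in-interface=ether1 connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=wan3 passthrough=yes comment="balance 1/3"
# 3. Pick the routing table from the connection mark (same as his rules 1, 3, 5).
add chain=prerouting in-interface=ether1 connection-mark=wan1 \
    action=mark-routing new-routing-mark=wan1 passthrough=no
add chain=prerouting in-interface=ether1 connection-mark=wan2 \
    action=mark-routing new-routing-mark=wan2 passthrough=no
add chain=prerouting in-interface=ether1 connection-mark=wan3 \
    action=mark-routing new-routing-mark=wan3 passthrough=no
```

After applying it, /ip firewall connection print detail should show every entry to a remote port 443, 25 or 22 with connection-mark=wan1; any such entry with another mark means a balancing rule still runs ahead of the persistence rule.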
 
pastranini
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Nov 19, 2007 5:48 am

Re: Load Balancing 3dsl, Bank's pages not resolve

Wed Feb 25, 2009 1:22 am

When I log in to the banks the page works fine, but when I try to make another operation the connection breaks and the page shows me the message from the last post.

I will try to fix the problem using 2 mangle rules.

Thanks.
 
vdelarenal75
Frequent Visitor
Posts: 70
Joined: Fri May 22, 2009 1:28 am

Re: Load Balancing 3dsl, Bank's pages not resolve

Fri May 22, 2009 1:32 am

Did you solve your problem?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Load Balancing 3dsl, Bank's pages not resolve

Fri May 22, 2009 8:34 am

 
micky
just joined
Posts: 1
Joined: Wed Jul 15, 2009 10:18 pm

Re: Load Balancing 3dsl, Bank's pages not resolve

Wed Jul 15, 2009 10:23 pm

> I know the solution for this. I have already faced the same issue with a link load balancer. You are not only facing problems with HTTPS but also problems with SMTP; just check: try sending some e-mails through Outlook Express using an external SMTP server. This is a very common issue with load-balancing applications. You need to enable connection persistence for SMTP, HTTPS, SSH, SFTP, etc.
> I think the following link might help.
>
> http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent
>
> Thanks,
>
> Sudipta
Hello guys,
Your link saved a few asses here, you know? Good job providing it; my partner and I didn't even know that kind of page exists.

Thanks, micky
