how can i make the authentication go from pppoe-out1 in pcc

dormador · Tue Dec 21, 2010 7:50 pm

Hi
i have router x86 with 2 wan pcc load balancing ....... pppoe-ou1+pppoe-out2
this server is the main for all my network and has a usermanger to authenticate all another point from another ISP.
every thing is cool until load balancing 2 line . the authentication some times goes from pppoe-out1 thin accepted from another side. some time goes from pppoe-out2 then not accepted !!!

how can i solved this problem ?

what is the authentication port to manage it goes from pppoe-out1 only !

urgent help please .

regards

fewi · Tue Dec 21, 2010 8:42 pm

Exclude the RADIUS ports from having PCC applied to it by accepting those protocols and ports before PCC runs.

dormador · Tue Dec 21, 2010 9:48 pm

fewi thanks for replaying , but i don't understand how to do that ?

how can i exclude ...

some description please

fewi · Tue Dec 21, 2010 9:52 pm

It's impossible to give specific details without seeing your specific situation, namely your PCC ruleset. Post it here. Wrap it in

 tags so it stays readable.

dormador · Thu Dec 23, 2010 9:57 am

...........

dormador · Thu Dec 23, 2010 1:10 pm

..................

dormador · Mon Jan 03, 2011 8:47 pm

update Mr.Fewi

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=yes in-interface=ether8 new-connection-mark=internet1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=yes in-interface=pppoe-out1 new-connection-mark=internet2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=internet1_conn disabled=yes new-routing-mark=to_internet1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=internet2_conn disabled=yes new-routing-mark=to_internet2 passthrough=yes
add action=accept chain=prerouting comment="" disabled=yes dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0
add action=accept chain=prerouting comment="" disabled=yes dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting comment="" disabled=yes dst-address-type=!local new-connection-mark=internet1_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=yes dst-address-type=!local new-connection-mark=internet2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=internet1_conn disabled=yes in-interface=Local new-routing-mark=to_internet1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=internet2_conn disabled=yes in-interface=Local new-routing-mark=to_internet2 passthrough=yes

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether8
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=10.2.50.0/24

/ip route
add check-gateway=ping comment="very important_1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-mark=to_internet1 scope=30 target-scope=10
add check-gateway=ping comment="very important_2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_internet2 scope=30 target-scope=10
add check-gateway=ping comment="very important" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.254,pppoe-out1 scope=30 target-scope=10

Ok thats all
i have problem now with ether8"wan2" i should make it disable ..
i need some firewall that make all authentication in or out go from pppoe-out1

and if you see some wrong please tell me to fix it...

regards

fewi · Mon Jan 03, 2011 10:30 pm

Add the below rule, put it at the top of the 'output' chain - you have to replace the IP address of the User Manager device:

/ip firewall mangle
add action=mark-routing chain=output comment="RADIUS" connection-mark=internet1_conn disabled=no new-routing-mark=to_internet1 passthrough=no

Another solution would be to split the default route without a routing mark (the third one) into two routes, one for each link, and have the PPPoE link have a lower distance than the other link. The authentication traffic is not marked by default, so it would fall through to the routes without routing marks. If the PPPoE route is more desirable it would always be used.

dormador · Tue Jan 04, 2011 1:30 pm

Add the below rule, put it at the top of the 'output' chain - you have to replace the IP address of the User Manager device:
Code: Select all
/ip firewall mangle
add action=mark-routing chain=output comment="RADIUS" connection-mark=internet1_conn disabled=no new-routing-mark=to_internet1 passthrough=no
Another solution would be to split the default route without a routing mark (the third one) into two routes, one for each link, and have the PPPoE link have a lower distance than the other link. The authentication traffic is not marked by default, so it would fall through to the routes without routing marks. If the PPPoE route is more desirable it would always be used.

Mr.Few when add this firewall in the top of output chain ,i don't see any loadbalance .. every thing goes from ppoe-out1 .
the second solution give me same as the solution Number one. the data goes from pppoe-out1 also .

i have an idea if we know the port for authentication then direction that port to go over pppoe-out1 .

i see in radius the port for incoming is 3799 ..

what you see ?

fewi · Tue Jan 04, 2011 4:34 pm

I don't see how that can possibly be true given the details you have posted so far, so I have no idea how to help you.

dormador · Tue Jan 04, 2011 5:43 pm

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=ether8 new-connection-mark=internet1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether9 new-connection-mark=internet2_conn passthrough=yes
add action=mark-routing chain=output comment=RADIUS connection-mark=internet1_conn disabled=no new-routing-mark=to_internet1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=internet1_conn disabled=no new-routing-mark=to_internet1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=internet2_conn disabled=no new-routing-mark=to_internet2 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local per-connection-classifier=\
    both-addresses:2/0
add action=accept chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local per-connection-classifier=\
    both-addresses:2/1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=internet1_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=internet2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=internet1_conn disabled=no in-interface=Local new-routing-mark=to_internet1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=internet2_conn disabled=no in-interface=Local new-routing-mark=to_internet2 \
    passthrough=yes

/ip route
add check-gateway=ping comment="very important_1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-mark=to_internet1 \
    scope=30 target-scope=10
add check-gateway=ping comment="very important_2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_internet2 \
    scope=30 target-scope=10
add check-gateway=ping comment="very important" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.254 scope=30 target-scope=10

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether8
add action=masquerade chain=srcnat comment="" disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=10.2.50.0/24

prob.PNG

you can see in the picture ether9(pppoe-out1) up than 2 Mbps the ether8 0 kb !
where is the mistake ?

dormador · Thu Jan 06, 2011 11:13 am

any idea

Mikrotik give me any solution , and what about direction the port for authentication from filter to go from and out pppoe-out1...
and if its work with load balance or not ...

how can i make the authentication go from pppoe-out1 in pcc

how can i make the authentication go from pppoe-out1 in pcc

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Re: how can i make the authentication go from pppoe-out1 in

Who is online