I'm having some trouble with setting up a RB1200 for load balancing over 2 ADSL links. The problem appears to be that anything marked for the second link doesn't find its way out. That includes inbound and outbound. When I switch the default route to pppoe-out2 then the second link works. At the moment the second link default route with distance=2 is not active. I have checked my connections and they are getting the correct route marking.
I've followed the PCC wiki page meticulously and the only difference in my set-up is the per-connection-classifier. I have tried a couple of different configurations and nothing is working as it should. I suspect there is something wrong elsewhere in my configuration that I am missing and need some help spotting it. Can you help?
# Two PPPoE clients, one per ADSL link, each bound to its own physical port
# (pppoe-out1 dials over ether9, pppoe-out2 over ether8). Both are created with
# add-default-route=no, so every default route - including the backup - has to be
# supplied by hand under /ip route. use-peer-dns=no on both, so no ISP DNS is taken.
# Usernames and passwords are redacted (xxxxxx) in the post.
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=\
"" dial-on-demand=no disabled=no interface=ether9 \
max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 password=xxxxxx \
profile=default service-name="" use-peer-dns=no user=\
xxxxxxxxxxx
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=\
"" dial-on-demand=no disabled=no interface=\
ether8 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out2 password=\
xxxxxx profile=default service-name="" use-peer-dns=no user=\
xxxxxxxxxxx
/ip address
# LAN side: the router is 192.168.0.253/24 on lan-ether1 (the entry's comment calls it
# a bridge interface; the mangle and filter rules below all key on lan-ether1).
add address=192.168.0.253/24 comment="LAN Bridge interface" disabled=no \
interface=lan-ether1 network=192.168.0.0
# NOTE(review): a /32 address with network=255.255.255.0 looks like a netmask typed where
# the network/peer address belongs - it does not follow the pattern of the other two
# entries (network = the subnet's network address). Confirm what ether10 is meant to reach.
add address=10.0.0.253/32 disabled=no interface=ether10 network=255.255.255.0
# 192.168.1.10/24 sits on ether8, the same port pppoe-out2 dials over - presumably the
# management address of the second ADSL modem. Note that ether8 also counts as
# in-interface=!lan-ether1 for the dst-nat rules under /ip firewall nat.
add address=192.168.1.10/24 disabled=no interface=ether8 network=192.168.1.0
/ip firewall mangle
# Rules are evaluated top to bottom within each chain, so the order below is significant.
# Rules 1-2: packets from the LAN whose connection already carries a WAN connection mark
# get the matching routing mark and stop (passthrough=no), so replies to inbound
# connections and the rest of an outbound connection stay on the link it started on.
add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no in-interface=lan-ether1 new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no in-interface=lan-ether1 new-routing-mark=to_wan2 passthrough=no
# Rules 3-4: new connections arriving from the internet on a PPPoE link are tagged with
# that link's connection mark. connection-mark=no-mark means the mark is set only once.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=pppoe-out1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=pppoe-out2 new-connection-mark=wan2_conn passthrough=yes
# Rules 5-6: new LAN-originated connections that are not for the router itself
# (dst-address-type=!local) are split between the links by PCC on src-address:2/0 and
# src-address:2/1. That is a per-source-host split, not per-connection: every connection
# from a given LAN host always takes the same link. This is the deviation from the wiki's
# per-connection-classifier that the post mentions.
# NOTE(review): LAN traffic towards the modem subnet 192.168.1.0/24 is not "local" to the
# router, so it is PCC-marked too; RouterOS normally falls back to the main table when the
# marked table has no matching route, but confirm that on this version.
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=lan-ether1 new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
src-address:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=lan-ether1 new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
src-address:2/1
# Rules 7-8: router-originated packets (output chain) on a marked connection get the
# corresponding routing mark. These use passthrough=yes, unlike rules 1-2.
add action=mark-routing chain=output connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes
/ip route
# Per-mark default routes selected by the to_wan1 / to_wan2 routing marks set in mangle.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10
# Main-table default: link 1 preferred (distance=1), link 2 as backup (distance=2).
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
# NOTE(review): this is the route the post says is inactive. It is the only one of the four
# with target-scope=1; the other three use target-scope=10. A gateway given as a PPPoE
# interface is resolved through that interface's connected route, and connected routes are
# normally scope 10, which a target-scope of 1 cannot reach - that would leave this route
# unresolvable even when pppoe-out2 is up. Setting target-scope=10 to match the others is
# the first thing to try; confirm by checking the route flags afterwards.
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 scope=30 target-scope=1
/ip firewall nat
# Port forwards. Every dstnat rule matches in-interface=!lan-ether1 with no dst-address, so
# it applies to packets arriving on either PPPoE link (and on ether8/ether10 as well).
# Rules carrying src-address=xxx.xx.xx.x only forward from that one (redacted) host.
# NOTE(review): dst-nat only rewrites the destination; the forward chain must still accept
# the connection. The tcp chain under /ip firewall filter accepts dst-port
# 25,53,80,110,143,443,873,1194,3690,5228,5666-5671,8200,9418,12489 only, so
# 5222,5223,7777,9090,9091 (first rule), 465,993,3103 (second) and 995 (third) are
# translated here but not accepted there and should end at the forward chain's log/drop.
# Confirm whether those ports are meant to be reachable; if so they need a tcp-chain entry.
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5222,5223,7777,9090,9091 in-interface=!lan-ether1 protocol=tcp to-addresses=192.168.0.153
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=25,443,465,993,3103 in-interface=!lan-ether1 protocol=tcp to-addresses=192.168.0.175
add action=dst-nat chain=dstnat comment="Service ports from kwagga -> exch-cpt" disabled=no dst-port=110,995,5669,12489 in-interface=!lan-ether1 protocol=tcp src-address=xxx.xx.xx.x to-addresses=192.168.0.175
# NOTE(review): UDP 5670 is rewritten to port 161 on 192.168.0.175 and the udp chain accepts
# dst-port 161, but unlike the neighbouring service-port rules this one has no src-address
# restriction, so that service answers to any source on either link. Adding
# src-address=xxx.xx.xx.x as on the rules above and below would limit it to the same host.
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5670 in-interface=!lan-ether1 protocol=udp to-addresses=192.168.0.175 to-ports=161
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=873 in-interface=!lan-ether1 protocol=tcp to-addresses=192.168.0.152
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5668 in-interface=!lan-ether1 protocol=tcp src-address=xxx.xx.xx.x to-addresses=192.168.0.136
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5671 in-interface=!lan-ether1 protocol=tcp src-address=xxx.xx.xx.x to-addresses=192.168.0.155
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5667 in-interface=!lan-ether1 protocol=tcp src-address=xxx.xx.xx.x to-addresses=192.168.0.154
# Source NAT: masquerade behind whichever PPPoE link the packet actually leaves on.
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="accept established connection packets" connection-state=established disabled=no
add action=accept chain=input comment="accept related connection packets" connection-state=related disabled=no
add action=drop chain=input comment="drop invalid packets" connection-state=invalid disabled=no
# NOTE(review): matches on source address only, with no in-interface, so a packet carrying a
# 192.168.0.0/24 source is accepted whichever interface it arrives on, including the PPPoE
# links. Adding in-interface=lan-ether1 ties this exemption to the LAN port.
add action=accept chain=input disabled=no src-address=192.168.0.0/24
# ICMP to the router is decided in the icmp chain below.
add action=jump chain=input comment="jump to chain ICMP" disabled=no jump-target=icmp protocol=icmp
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no dst-address-type=broadcast
# Anything else aimed at the router is logged with prefix "Filter:" and dropped.
add action=log chain=input disabled=no log-prefix="Filter:"
add action=drop chain=input comment="drop everything else" disabled=no
# ---- icmp chain: used by both input and forward ----
# Only the (redacted) host xxx.xx.xx.x may send ICMP that is not part of an established or
# related connection; all other ICMP is dropped here. ICMP errors belonging to existing
# connections were already accepted as "related" before the jump.
add action=accept chain=icmp disabled=no src-address=xxx.xx.xx.x
add action=drop chain=icmp comment="Drop everything else" disabled=no protocol=icmp
# ---- forward chain: traffic routed through the router ----
# Note: connection-state=invalid is dropped for TCP only here.
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward comment="allow already established connections" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
# Bogon filtering in both directions: unspecified (0.0.0.0/8), loopback (127.0.0.0/8) and
# the multicast/reserved range 224.0.0.0/3.
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
# Two individual LAN hosts and the servers-lan / trusted-lan address lists may forward
# anything to any destination (matched on source address only, no in-interface).
add action=accept chain=forward comment="" disabled=no src-address=192.168.0.175
add action=accept chain=forward comment="" disabled=no src-address=192.168.0.136
add action=accept chain=forward comment="" disabled=no src-address-list=servers-lan
add action=accept chain=forward comment="" disabled=no src-address-list=trusted-lan
# Remaining traffic is checked per protocol. The tcp/udp chains accept listed ports and
# return for everything else, which then falls through to the log/drop at the end.
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
# Port whitelists applied regardless of direction (no in-interface): LAN -> internet for
# ordinary clients, and internet -> LAN for connections already dst-natted to an internal
# host. Inbound dst-nat targets whose port is not listed here are dropped below.
add action=accept chain=tcp comment="" disabled=no dst-port=25,53,80,110,143,443,873,1194,3690,5228,5666-5671,8200,9418,12489 protocol=tcp
add action=accept chain=udp comment="" disabled=no dst-port=53,123,161,1194,33434-33534 protocol=udp
# Additional TCP ports (22, 3389-3397, 8291, ...) only for sources on the
# support-engineers address list.
add action=accept chain=forward comment="" disabled=no dst-port=\
21,22,1022,1222,3000,3389-3397,8080,8081,8291,60080,65443 protocol=tcp src-address-list=support-engineers
# Everything not accepted above is logged with prefix "Filter:" and dropped.
add action=log chain=forward disabled=no log-prefix="Filter:"
add action=drop chain=forward comment="Drop everthing else" disabled=no