Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

PCC LB with advanced routing failover. NTP trouble.

Wed Jun 20, 2012 5:16 pm

Hi!
(Sorry for my English, I'm Russian.)

Help me please with my setup of RB450G.
I use http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting with PCC to configure LB of 2 ISP with failover.

LB and failover work fine. I can surf any site on the web from my laptop using the pair of ISPs. But the internal NTP client can't sync with ANY NTP servers. There is no ping from the MikroTik internal ping tool to any hosts (Google etc.), not only to NTP servers. I think this config will make trouble for me in the future, not only with NTP...
I see that it is some problem with routing because of the hostN checking and default routes, but I can't resolve it. I'm a newbie :(
Help me please.


Here is my conf:
 /ip address
add address=192.168.10.1/24 interface=Local
add address=192.168.1.2/24 interface=WAN1
add address=192.168.2.2/24 interface=WAN2

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.4.4,8.8.8.8

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_mark
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_mark

add chain=output connection-mark=WAN1_mark action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=WAN2_mark action=mark-routing new-routing-mark=to_ISP2

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_mark passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_mark passthrough=yes

add chain=prerouting connection-mark=WAN1_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=WAN2_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP2

8.8.8.8       Google-DNS  host1A
72.30.2.43    Yahoo       host1B

8.8.4.4       Google-DNS host2A
199.59.148.82 Twitter    host2B

/ip route
add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
add dst-address=72.30.2.43 gateway=192.168.1.1 scope=10
add dst-address=8.8.4.4 gateway=192.168.97.1 scope=10
add dst-address=199.59.148.82 gateway=192.168.97.1 scope=10

/ip route
add dst-address=10.1.1.1 gateway=8.8.4.4 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=72.30.2.43 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=8.8.8.8 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=199.59.148.82 scope=10 target-scope=10 check-gateway=ping

/ip route
add distance=1 gateway=10.1.1.1 routing-mark=to_ISP1
add distance=2 gateway=10.2.2.2 routing-mark=to_ISP1
add distance=1 gateway=10.2.2.2 routing-mark=to_ISP2
add distance=2 gateway=10.1.1.1 routing-mark=to_ISP2

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Mon Jun 25, 2012 8:23 am

Nobody? :shock:
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Mon Jun 25, 2012 9:34 am

Something that I don't understand:
I added a default route to WAN1 with distance 30, and the default SNTP client can now sync time. :D
But the NTP package still can't synchronize...
Some help?
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Mon Jun 25, 2012 11:28 pm

Do you have a default catch-all route? Without a default route in the main routing table, any traffic from the router will have no access to the internet.
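The main-table default routes Feklar is asking about, as an added example (it is not part of any post in this thread). It reuses the recursive next-hops 10.1.1.1 and 10.2.2.2 and the check-gateway=ping host routes from the first post, which are assumed to be present unchanged, and uses RouterOS v5/v6 console syntax. The point it illustrates: packets the router itself originates carry no routing mark unless an output-chain mangle rule adds one, so the routes with routing-mark=to_ISP1/to_ISP2 never apply to them and only the main table is consulted. A plain `gateway=192.168.1.1 distance=30` route does give the router a path, but with no check-gateway it stays active as long as the interface is up, so router-originated traffic is pinned to ISP1 and does not fail over; pointing the main-table defaults at the same recursive hops fixes that.

```routeros
# Added example (not from the thread): default routes in the MAIN routing table
# for traffic the router originates itself (NTP, DNS lookups, ping, traceroute).
# Assumes the 10.1.1.1 / 10.2.2.2 recursive routes with check-gateway=ping
# from the first post already exist. When every route to 10.1.1.1 is down,
# the distance=1 default becomes unresolvable and the distance=2 one takes over.
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 comment="main table: router-originated traffic via ISP1"
add dst-address=0.0.0.0/0 gateway=10.2.2.2 distance=2 comment="main table: fall back to ISP2 when 10.1.1.1 is unreachable"

# Checks. Both defaults should be listed; while ISP1 is healthy the distance=1
# route carries flags A S (active, static) and the distance=2 route only S.
/ip route print detail where dst-address=0.0.0.0/0
# Test with a destination that is NOT one of the per-host check routes
# (8.8.8.8, 8.8.4.4, 72.30.2.43, 199.59.148.82): those always resolve through
# their own host route and would succeed even without a default route.
/ping pool.ntp.org count=3
# With an NTP server address configured, the client status should leave
# "waiting" once the first reply arrives.
/system ntp client print
```

Only the main table is involved here; the routing-marked tables from the first post keep handling LAN traffic exactly as before, and the mangle rules do not need to change for this.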
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Tue Jun 26, 2012 3:41 pm

Do you have a default catch-all route? Without a default route in the main routing table, any traffic from the router will have no access to the internet.
Hi Feklar.
Yes, I have added
/ip route
add gateway=192.168.1.1 scope=10 distance=30
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Tue Jun 26, 2012 5:33 pm

Can you please provide "/ip route print detail" then? You don't mention where you are trying to sync NTP to. If you are trying to use a DNS name, you may need to resolve that domain again as they can change, or set up your own NTP server that you control.
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Tue Jun 26, 2012 10:55 pm

Feklar, my whole config is in the first message at the top + my last message. Nothing more.
I always use the same NTP server IPs (tried ~10 different servers) in both cases, with the NTP client and with the SNTP client. SNTP: OK; NTP client: no luck.
 
dleo
newbie
Posts: 27
Joined: Wed Mar 11, 2009 10:49 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Tue Jun 26, 2012 11:31 pm

Hi,

One alternative, which at least works in my scenario, is to run an NTP server like http://www.openntpd.org/ and set up your RB as an NTP client of this server on your own LAN.
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Fri Jun 29, 2012 10:30 am

OK. Now NTP is working fine.
But I have some trouble with port forwarding.
I added 2 identical dst-nat rules for the 2 WANs: forwarding on WAN1 works fine, but on WAN2 forwarding is not working (though I see incoming packets). How do I solve this?
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Fri Jun 29, 2012 6:15 pm

You didn't mention what your NTP server is, or how you resolve it. Putting in a DNS name does not work: yes, it will resolve it for you the first time, but only as you put it in; the DNS name will not be updated at a later time.

For the port forwarding, it is basically an extension of making sure packets that come in addressed to the router on a specific interface will leave by the same interface; you are just watching for it over the forward chain instead.
/ip firewall mangle
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether1 new-connection-mark=port_forward1_connection passthrough=no
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether2 new-connection-mark=port_forward2_connection passthrough=no
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward1_connection disabled=no new-routing-mark=to_outside1 passthrough=no
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward2_connection disabled=no new-routing-mark=to_outside2 passthrough=no
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Fri Jun 29, 2012 7:19 pm

Feklar, I use an external NTP server.

Please, can you adapt your code to my concrete case? I'm a newbie, and I don't understand your previous tip :oops:
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Fri Jun 29, 2012 7:37 pm

Those lines of code are the actual CLI commands to add the rules; you can edit them with any text editor and paste them into the console of the RouterBOARD to add them, and manipulate them any way that you choose. I'm not exactly sure what you are wanting me to adapt.

The rules basically say: anything coming in ether1 that is being forwarded through the router to another device, mark the connection, and the same for ether2. Then the next rules say: anything with that connection mark, put a routing mark on it so that the router knows what interface to send the traffic back out of.
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Fri Jun 29, 2012 7:56 pm

I still don't understand you. In your code you mark the incoming connection from eth1 and then mark routing with that marked connection. And that's all? I'm pretty sure that it will not work because you don't show for this routing where the output is! Or am I wrong?

Please look at my present config and give me a complete solution for port forwarding (NAT rule, mangle rule, etc.).
I will be forever in your debt :oops:
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Fri Jun 29, 2012 8:15 pm

Just edit the routing marks to match your configuration.
/ip firewall mangle
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether1 new-connection-mark=port_forward1_connection passthrough=no
add action=mark-connection chain=forward comment="Maintain Port Forwards on interface connections came in on" connection-state=new disabled=no in-interface=ether2 new-connection-mark=port_forward2_connection passthrough=no
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward1_connection disabled=no new-routing-mark=to_ISP1 passthrough=no in-interface=Local
add action=mark-routing chain=prerouting comment="Maintain Port Forwards on interface connections came in on" connection-mark=port_forward2_connection disabled=no new-routing-mark=to_ISP2 passthrough=no in-interface=Local
Yes, this is all that really needs to be done; like I said, it is just a simple extension of your basic PCC setup. Look at what chain you are making the connections on: it is the forward chain. Forward means any traffic that is not destined for the router and is being sent over it. So what happens is an incoming connection for a port forward comes into the router, and dst-nat does its thing. The router sees the incoming interface, marks it, and then any return traffic from the device being forwarded to will automatically get the same mark, and by extension the routing mark it needs to send traffic back.

The reason why you have to do it this way is this. Normally the traffic comes in and is forwarded to said device, and it replies back, and the router looks at its routing table and sends it out via the main table because there is no table specified by a routing mark. This is all fine and good when there is just one connection, or you are connecting to the device over the main of the two links. But it won't work for the second link, because the return traffic is going out via the main routing table, making a broken/invalid connection, so you never "see" the return traffic. Specifying the routing mark like I did above corrects that.
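A complete port forward that is reachable on both WANs, adapted to the interface names (WAN1, WAN2, Local) and routing marks (to_ISP1, to_ISP2) used in this thread; this is an added example, not Feklar's or Kimchen's own rules. It assumes the internal server is 192.168.10.10 and the published service is TCP 443 (both placeholders), the masquerade rules and routing-marked routes from the first post, and RouterOS v5/v6 console syntax. The mangle rules are listed in the order they must end up in: the port-forward rules above the PCC classifiers, and the PCC classifiers restricted to connection-mark=no-mark so a server reply entering from Local is never re-classified and re-marked by PCC. On a router that already carries the thread's two PCC mark-connection rules, remove those first (or `move` the new rules above them) rather than pasting duplicates.

```routeros
# Added example (not from the thread): port forward on both WANs.
# Placeholders: internal server 192.168.10.10, published port TCP 443.

/ip firewall nat
# dst-nat happens in prerouting, before the forward chain: one rule per WAN,
# same internal target. Masquerade per out-interface stays as already configured.
add chain=dstnat in-interface=WAN1 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-ports=443 comment="forward 443 arriving on WAN1"
add chain=dstnat in-interface=WAN2 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-ports=443 comment="forward 443 arriving on WAN2"

/ip firewall mangle
# 1) Remember which WAN a forwarded connection arrived on. Forward chain, new
#    connections only. Conntrack stores the mark and reapplies it to every later
#    packet of the connection in both directions, including the server's replies.
add chain=forward connection-state=new in-interface=WAN1 action=mark-connection new-connection-mark=port_forward1_connection passthrough=no comment="inbound via WAN1"
add chain=forward connection-state=new in-interface=WAN2 action=mark-connection new-connection-mark=port_forward2_connection passthrough=no comment="inbound via WAN2"
# 2) When the reply enters from Local, select the table of the WAN it came in on.
#    Keep these ABOVE the PCC classifiers.
add chain=prerouting in-interface=Local connection-mark=port_forward1_connection action=mark-routing new-routing-mark=to_ISP1 passthrough=no comment="reply out WAN1"
add chain=prerouting in-interface=Local connection-mark=port_forward2_connection action=mark-routing new-routing-mark=to_ISP2 passthrough=no comment="reply out WAN2"
# 3) The PCC classifiers from the first post, restricted to unmarked connections
#    so they can never overwrite a port-forward (or input) connection mark.
add chain=prerouting in-interface=Local dst-address-type=!local connection-mark=no-mark per-connection-classifier=src-address-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_mark passthrough=yes
add chain=prerouting in-interface=Local dst-address-type=!local connection-mark=no-mark per-connection-classifier=src-address-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_mark passthrough=yes

/ip firewall filter
# Minimal hardening for the posted config: /ip dns allow-remote-requests=yes
# with no input filter answers DNS for anyone who can reach WAN1/WAN2.
add chain=input in-interface=WAN1 protocol=udp dst-port=53 action=drop comment="no open resolver on WAN1"
add chain=input in-interface=WAN2 protocol=udp dst-port=53 action=drop comment="no open resolver on WAN2"

# Checks: connect to the WAN2 address from outside, then confirm the connection
# carries the WAN2 mark and the "reply out WAN2" rule is counting packets.
/ip firewall connection print where connection-mark=port_forward2_connection
/ip firewall mangle print stats where comment~"reply out WAN2"
```

Two things to verify before blaming the rules: the WAN addresses in this thread (192.168.1.2 and 192.168.2.2) are private, so each ISP device in front of the RB must itself forward the port to it, and the mark-routing rules only take effect if the routing-marked tables have an active route, so `/ip route print where routing-mark=to_ISP2` should show an active default before testing over WAN2.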
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Fri Jun 29, 2012 8:43 pm

Feklar, it is not working. As before, I can connect from outside to the WAN1 port forwarding, and cannot connect to the WAN2 port forwarding. :shock:
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Sat Jun 30, 2012 11:46 am

Any help? :(
 
Kimchen
just joined
Topic Author
Posts: 11
Joined: Wed Jun 20, 2012 4:51 pm

Re: PCC LB with advanced routing failover. NTP trouble.

Sun Jul 01, 2012 1:05 pm

Sorry Feklar! I'm a stupid *sshole!!! Your last solution works!!! Hurray!!! Thank you, sir!!!
 
BraZuky
just joined
Posts: 17
Joined: Wed Jun 04, 2008 9:42 am
Location: Manaus

Re: PCC LB with advanced routing failover. NTP trouble.

Thu Jul 26, 2012 2:40 pm

Hello friends,

I'm having trouble setting up these configs.

What about this IP in the script, 192.168.97.1?


/ip route
add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
add dst-address=72.30.2.43 gateway=192.168.1.1 scope=10
add dst-address=8.8.4.4 gateway=192.168.97.1 scope=10
add dst-address=199.59.148.82 gateway=192.168.97.1 scope=10
