DottorT86
just joined
Topic Author
Posts: 11
Joined: Fri Aug 09, 2019 7:51 am

PCC load balance (2 WAN + 6 LAN) but LANs can no longer communicate each other

Wed Feb 12, 2020 11:58 pm

Hi everybody,
A few days ago I activated my second internet connection, and I thought of using both connections at the same time via PCC load balance.
Both connections are PPPOE type and have dynamic IP, but the second connection is behind NAT so I can't use DDNS services to reach my IP address remotely.
I would like to use the PCC load balance only with 3 of the 6 LANs and I would like the remaining 3 to be directed to only one of the two WANs.
To simplify I would like to create such a configuration:
- LAN 1 - PCC (WAN 1 + WAN 2 with failover)
- LAN 2 - PCC (WAN 1 + WAN 2 with failover)
- LAN 3 - PCC (WAN 1 + WAN 2 with failover)
- LAN 4 - WAN 1
- LAN 5 - WAN 1
- LAN 6 - WAN 2
I did step by step tests using the PCC load balance in the beginning only with one LAN and the two WANs.
This is the configuration I've used:

(pppoe-1=WAN 1)
(pppoe-2=WAN 2)
(bridge_1=LAN 1)
(bridge_2=LAN 2)

/ip firewall mangle
add chain=input in-interface=pppoe-1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=pppoe-2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address-type=!local in-interface=bridge_1 per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=bridge_1 per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=bridge_1 action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=bridge_1 action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-2 routing-mark=to_WAN2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=pppoe-1 action=masquerade
add chain=srcnat out-interface=pppoe-2 action=masquerade

This configuration works very good.
The first problem came when I tried to apply this configuration to two LANs simultaneously.
This is the configuration I've used:

/ip firewall mangle
# LAN 1
add chain=input in-interface=pppoe-1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=pppoe-2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address-type=!local in-interface=bridge_1 per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=bridge_1 per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=bridge_1 action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=bridge_1 action=mark-routing new-routing-mark=to_WAN2
# LAN 2
add chain=input in-interface=pppoe-1 action=mark-connection new-connection-mark=WAN3_conn
add chain=input in-interface=pppoe-2 action=mark-connection new-connection-mark=WAN4_conn
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=to_WAN3
add chain=output connection-mark=WAN4_conn action=mark-routing new-routing-mark=to_WAN4
add chain=prerouting dst-address-type=!local in-interface=bridge_2 per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=bridge_2 per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
add chain=prerouting connection-mark=WAN3_conn in-interface=bridge_2 action=mark-routing new-routing-mark=to_WAN3
add chain=prerouting connection-mark=WAN4_conn in-interface=bridge_2 action=mark-routing new-routing-mark=to_WAN4

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-2 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-1 routing-mark=to_WAN3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-2 routing-mark=to_WAN4 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=pppoe-1 action=masquerade
add chain=srcnat out-interface=pppoe-2 action=masquerade

Using this configuration it seems that the PCC load balance works with both LANs but the LANs can no longer communicate with each other.
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: PCC load balance (2 WAN + 6 LAN) but LANs can no longer communicate each other  [SOLVED]

Thu Feb 13, 2020 12:35 am

First, why WAN3 and WAN4, when you have only two? Keep using marks only for WAN1 and WAN2, you'll save some rules, and it won't be unnecessarily confusing.

Regarding the main problem, you mark all connections from LAN, but you have only one route in alternative routing tables (default one). What happens is that for these packets, the router doesn't find a route to local connected subnets. You have three options:

a) Don't mark connections when the destination is another LAN.
b) Manually add routes to connected subnets to other routing tables.
c) Use routing rule(s) to override route selection, when destination is any LAN.

Last one is simplest (change it or add another if you use different addresses for LAN, e.g. from 10.0.0.0/8):
/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/16 table=main
It tells the router that no matter what routing mark the packet has, it should look up the destination only in the main table (which contains connected routes). Extra bonus is that it will allow you to further prune your mangle rules, where instead of (example from after you get rid of WAN3 and WAN4):
/ip firewall mangle
add chain=prerouting connection-mark=WAN1_conn in-interface=bridge_1 action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=bridge_1 action=mark-routing new-routing-mark=to_WAN2
...
add chain=prerouting connection-mark=WAN1_conn in-interface=bridge_2 action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=bridge_2 action=mark-routing new-routing-mark=to_WAN2
...
you can use just two rules for all:
/ip firewall mangle
add chain=prerouting connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
It will mark routing in both directions, which would normally break it for incoming packets, but routing rule overrides that.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
DottorT86
just joined
Topic Author
Posts: 11
Joined: Fri Aug 09, 2019 7:51 am

Re: PCC load balance (2 WAN + 6 LAN) but LANs can no longer communicate each other

Sun Feb 16, 2020 2:09 am

Thank you so much for your reply Sob!
I solved my problem!
I have one last question regarding this configuration.
Would it be possible to ping an IP address (for example google DNS servers or Open DNS servers) for checking failover instead of the IP address of the PPPOE connection?
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: PCC load balance (2 WAN + 6 LAN) but LANs can no longer communicate each other

Sun Feb 16, 2020 3:19 am

You're probably looking for this:

viewtopic.php?f=23&t=157048
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
DottorT86
just joined
Topic Author
Posts: 11
Joined: Fri Aug 09, 2019 7:51 am

Re: PCC load balance (2 WAN + 6 LAN) but LANs can no longer communicate each other

Mon Feb 17, 2020 1:05 am

Thank You so much for your reply!
I tried to search for this topic within Mikrotik Wiki but every link I found brought me to a blank page.
As soon as I can, I will try to perform the configuration following the explanation of Chupaka.
Thank You again!
 
DottorT86
just joined
Topic Author
Posts: 11
Joined: Fri Aug 09, 2019 7:51 am

Re: PCC load balance (2 WAN + 6 LAN) but LANs can no longer communicate each other

Fri Apr 10, 2020 5:39 pm

Hi,
I reopened this old post as I would like to ask a question regarding this configuration.
I state that I have already done research in this and other forums and in the MikroTik Wiki, but I have not been able to find an answer, probably because I am not sure what to look for.
I would like to make sure that an interface, for example "bridge_2" connects to the internet only through the pppoe-2 interface.
This is the configuration I am using.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-1
add action=masquerade chain=srcnat out-interface=pppoe-2

/ip firewall mangle
add action=mark-connection chain=input in-interface=pppoe-1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=pppoe-2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge_1 new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge_1 new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge_1 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge_1 new-routing-mark=to_WAN2

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge_2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge_2 new-routing-mark=to_WAN2

/ip route
add check-gateway=ping distance=1 gateway=pppoe-1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=pppoe-2 routing-mark=to_WAN2

/ip route rule
add action=lookup-only-in-table dst-address=192.168.0.0/24 table=main
add action=lookup-only-in-table dst-address=192.168.100.0/24 table=main
With this configuration, if I disconnect pppoe-2, bridge_2 automatically connects to the internet via pppoe-1.
I wish that if I disconnect pppoe-2, bridge_2 will not connect to the internet.
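As an added example (not code from the thread or from RouterOS), the following Python models the route selection behind Sob's explanation earlier in the thread and the fallback observed in the post above: a marked packet is looked up in its mark's table first, any hit there (including 0.0.0.0/0) ends the lookup, an empty marked table falls back to main, and a lookup-only-in-table rule is consulted before either. The subnets and the test destination are constructed, the fallback-to-main behaviour is modelled from what the posts describe rather than from RouterOS source, and the blackhole route in the last scenario is an assumed hardening not taken from the thread.

```python
import ipaddress

# Constructed to match the thread: two LAN bridges plus the PPPoE default in main.
# A route is (destination, gateway/interface, active); tables list routes in distance order.
MAIN = [
    ("192.168.0.0/24", "bridge_1", True),     # connected, LAN 1
    ("192.168.100.0/24", "bridge_2", True),   # connected, LAN 2
    ("0.0.0.0/0", "pppoe-1", True),           # default added by the PPPoE client
]
LAN_RULE = [("192.168.0.0/16", "main")]       # Sob's /ip route rule, as (dst prefix, table)

def lookup_table(table, dst):
    """Longest-prefix match over the active routes of one table; first active wins a tie."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, active in table:
        net = ipaddress.ip_network(prefix)
        if active and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def route(dst, mark, tables, rules=()):
    """Egress for a packet carrying routing mark `mark`; `rules` model lookup-only-in-table."""
    ip = ipaddress.ip_address(dst)
    for prefix, table in rules:              # route rules are consulted first
        if ip in ipaddress.ip_network(prefix):
            return lookup_table(tables[table], dst)
    hit = lookup_table(tables.get(mark, []), dst)
    if hit is not None:                      # any hit, even 0.0.0.0/0, ends the lookup
        return hit
    return lookup_table(tables["main"], dst) # nothing active in the marked table: fall back to main

def tables_from_thread(pppoe2_up=True, blackhole=False):
    """Marked tables from the thread; `blackhole` adds an assumed distance-2 blackhole to to_WAN2."""
    to_wan2 = [("0.0.0.0/0", "pppoe-2", pppoe2_up)]
    if blackhole:
        to_wan2.append(("0.0.0.0/0", "blackhole", True))   # only reached when pppoe-2 is down
    return {"main": MAIN,
            "to_WAN1": [("0.0.0.0/0", "pppoe-1", True)],
            "to_WAN2": to_wan2}

def scenarios():
    """LAN-to-LAN bug, Sob's fix, the observed failover, and a blackhole keeping bridge_2 off pppoe-1."""
    return {
        "lan1_to_lan2_no_rule": route("192.168.100.10", "to_WAN1", tables_from_thread()),
        "lan1_to_lan2_with_rule": route("192.168.100.10", "to_WAN1", tables_from_thread(), LAN_RULE),
        "lan2_internet_wan2_down": route("203.0.113.5", "to_WAN2", tables_from_thread(False), LAN_RULE),
        "lan2_internet_blackhole": route("203.0.113.5", "to_WAN2", tables_from_thread(False, True), LAN_RULE),
    }
```

The third scenario reproduces the fallback to pppoe-1 described above: with pppoe-2 down, table to_WAN2 has no active route, so the lookup continues in main. The fourth shows that an active route of any kind in to_WAN2 (here a blackhole) stops that fallback at the routing layer.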
 
DottorT86
just joined
Topic Author
Posts: 11
Joined: Fri Aug 09, 2019 7:51 am

Re: PCC load balance (2 WAN + 6 LAN) but LANs can no longer communicate each other

Fri Apr 10, 2020 8:54 pm

I have probably found the solution!
I've added the Src. Address to the Masquerade.
These are the masquerade rules before the change:
add action=masquerade chain=srcnat comment="defconf: masquerade (NEW)" ipsec-policy=out,none out-interface=pppoe-1
add action=masquerade chain=srcnat comment="defconf: masquerade (NEW)" ipsec-policy=out,none out-interface=pppoe-2
and these are the masquerade rules after the change:
add action=masquerade chain=srcnat comment="defconf: masquerade (NEW)" ipsec-policy=out,none out-interface=pppoe-1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade (NEW)" ipsec-policy=out,none out-interface=pppoe-2 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade (NEW)" ipsec-policy=out,none out-interface=pppoe-2 src-address=192.168.100.0/24
Apparently everything works fine.
Do you think it is a correct solution?
