planetwords
just joined
Topic Author
Posts: 1
Joined: Thu Aug 04, 2022 10:14 pm

NTH firewall-marking load-balancing not working - possible config error?

Thu Aug 04, 2022 10:26 pm

I'm trying to implement NTH firewall-marking load-balancing on my MikroTik router. I think I might have an error somewhere in the configuration, as my wife keeps getting disconnected from League of Legends. Please help save my marriage! :)

I have two connections, Virgin Media gigabit, 1000/50mbps, and BRSK fibre, 900/500mbps at the moment, that I am trying to load-balance.

I have 10gb/sec connections to my upstairs network and my downstairs PC.

Please let me know if you need any other info.

Thanks
Here is my export:
# jan/06/1970 12:13:40 by RouterOS 6.49.6
#
# model = CRS309-1G-8S+
/interface bridge
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.101-192.168.88.254
add name=dhcp_pool1 ranges=192.168.89.3-192.168.89.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=listBridge lease-time=10s name=dhcp
/interface bridge port
add bridge=listBridge interface=sfp-sfpplus1
add bridge=listBridge interface=sfp-sfpplus2
add bridge=listBridge interface=sfp-sfpplus3
add bridge=listBridge interface=sfp-sfpplus4
add bridge=listBridge interface=sfp-sfpplus5
add bridge=listBridge interface=sfp-sfpplus6
add bridge=listBridge interface=sfp-sfpplus8
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=192.168.88.2/16 interface=sfp-sfpplus8 network=192.168.0.0
add address=192.168.89.2/16 interface=sfp-sfpplus1 network=192.168.0.0
add address=192.168.12.2/24 interface=sfp-sfpplus7 network=192.168.12.0
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.50 client-id=1:f2:df:92:71:4f:62 mac-address=F2:DF:92:71:4F:62 server=dhcp
add address=192.168.88.25 client-id=1:80:61:5f:10:f9:d1 mac-address=80:61:5F:10:F9:D1 server=dhcp
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.88.2
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=listBridge protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=listBridge port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=listBridge port=22 protocol=tcp
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="block all else" in-interface=ether1
add action=drop chain=input comment="block all else" in-interface=sfp-sfpplus7
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=sfp-sfpplus7
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=listBridge new-connection-mark=odd passthrough=yes src-address-list=odd
add action=mark-routing chain=prerouting in-interface=listBridge new-routing-mark=odd src-address-list=odd
add action=mark-connection chain=prerouting in-interface=listBridge new-connection-mark=even passthrough=yes src-address-list=even
add action=mark-routing chain=prerouting in-interface=listBridge new-routing-mark=even src-address-list=even
add action=mark-connection chain=prerouting connection-state=new in-interface=listBridge new-connection-mark=odd nth=2,1 passthrough=yes
add action=add-src-to-address-list address-list=odd address-list-timeout=1d chain=prerouting connection-mark=odd in-interface=listBridge
add action=mark-routing chain=prerouting connection-mark=odd in-interface=listBridge new-routing-mark=odd passthrough=no
add action=mark-connection chain=prerouting connection-state=new in-interface=listBridge new-connection-mark=even nth=2,2 passthrough=yes
add action=add-src-to-address-list address-list=even address-list-timeout=1d chain=prerouting connection-mark=even in-interface=listBridge
add action=mark-routing chain=prerouting connection-mark=even in-interface=listBridge new-routing-mark=even passthrough=no
add action=mark-connection chain=prerouting connection-state=new in-interface=listBridge new-connection-mark=even nth=2,2 passthrough=yes src-address-list=!odd
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=2,1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=sfp-sfpplus7
/ip route
add distance=1 gateway=192.168.12.1 routing-mark=odd scope=255
add distance=1 gateway=192.168.1.100 routing-mark=even scope=255
add distance=1 gateway=192.168.12.1 scope=255
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/16 port=2200
set api disabled=yes
set winbox address=192.168.0.0/16
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=RouterOS
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NTH firewall-marking load-balancing not working - possible config error?

Fri Aug 05, 2022 1:28 pm

Two points
1. Very few use NTH, most use PCC for load balancing
2. If a computer game will determine marriage status, you have bigger problems than router config ;-)
3. A better solution would be to do failover
a. where all the computers get access to one internet
b. your wife gets SOLE access to the other internet
