NorouziFar
just joined
Topic Author
Posts: 13
Joined: Sun Jun 14, 2015 8:31 am

load balancing and port forwarding for port 80 or another port

Sat Oct 13, 2018 9:44 am

I can't forward port 80 to IP 192.168.10.1 with the settings I use for balancing users' internet access, or for letting special IPs use the "Dolat" network.
I have a website on 192.168.10.1 and a static IP 94.x.x.x; I want to forward port 80 from 94.x.x.x to 192.168.10.1.
/ip address:
 0   192.168.10.2/24   192.168.10.0   Local
 1   94.x.x.x/30       94.x.x.x       Internet
 2   10.x.x.x/29       10.x.x.x       Dolat

/ip firewall nat:
 0  chain=srcnat action=masquerade src-address=192.168.10.0/24 log=no  log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-ports=80 
      protocol=tcp dst-address=94.x.x.x dst-port=80 log=no log-prefix="" 

/ip firewall mangle (for balancing users):

 0    ;;; PC-WIN-Server
      chain=prerouting action=mark-routing new-routing-mark=Sh-tel 
      passthrough=yes src-address=192.168.10.1 log=no log-prefix="" 


 2    ;;; PC-12
      chain=prerouting action=mark-routing new-routing-mark=Sh-tel 
      passthrough=yes src-address=192.168.10.104 log=no log-prefix="" 

 3    ;;; PC-Nezam
      chain=prerouting action=mark-routing new-routing-mark=Sh-tel 
      passthrough=yes src-address=192.168.10.115 log=no log-prefix="" 


 4     ;;; Dolat
      chain=prerouting action=mark-routing new-routing-mark=GroupA 
      passthrough=yes src-address=192.168.10.0/24 dst-address=10.x.x.x 
      src-address-list="" log=no log-prefix="" 

 5    ;;; Dolat
      chain=prerouting action=mark-routing new-routing-mark=GroupA 
      passthrough=yes src-address=192.168.10.0/24 dst-address=10.x.x.x 
      log=no log-prefix="" 

                                    
/ip route:
 0 A S  dst-address=0.0.0.0/0 gateway=94.x.x.x routing-mark=sh-tel
 1 A S  dst-address=0.0.0.0/0 gateway=10.x.x.x routing-mark=GroupA

When I change the routes from:
 0 A S  dst-address=0.0.0.0/0 gateway=94.x.x.x routing-mark=sh-tel
 1 A S  dst-address=0.0.0.0/0 gateway=10.x.x.x routing-mark=GroupA
to this setting:
 0 A S  dst-address=0.0.0.0/0 gateway=94.x.x.x
 1 A S  dst-address=0.0.0.0/0 gateway=10.x.x.x routing-mark=GroupA
it works correctly without the routing-mark, but I need the routing-mark.

How can I solve it?
 
sindy
Forum Guru
Posts: 2406
Joined: Mon Dec 04, 2017 9:19 pm

Re: load balancing and port forwarding for port 80 or another port

Sat Oct 13, 2018 3:04 pm

See the explanation and solution in this post. The last paragraph explains the relationship to your case.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
NorouziFar
just joined
Topic Author
Posts: 13
Joined: Sun Jun 14, 2015 8:31 am

Re: load balancing and port forwarding for port 80 or another port

Sun Oct 14, 2018 12:09 pm

See the explanation and solution in this post. The last paragraph explains the relationship to your case.
Okay, thanks for the answer. I know I should use connection marks, but I don't know how, and which connections I should mark.
 
sindy
Forum Guru
Posts: 2406
Joined: Mon Dec 04, 2017 9:19 pm

Re: load balancing and port forwarding for port 80 or another port

Sun Oct 14, 2018 12:12 pm

Read again that post completely, there is everything you need to make it work, including an example.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
sindy
Forum Guru
Posts: 2406
Joined: Mon Dec 04, 2017 9:19 pm

Re: load balancing and port forwarding for port 80 or another port

Sun Oct 14, 2018 5:35 pm

i don't know how and which connection i should marked ??
Maybe this post answers your question in an easier to understand way?

I'm struggling how to explain things in a simple to understand way without leaving out something important.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
NorouziFar
just joined
Topic Author
Posts: 13
Joined: Sun Jun 14, 2015 8:31 am

Re: load balancing and port forwarding for port 80 or another port

Mon Oct 15, 2018 10:46 am

i don't know how and which connection i should marked ??
Maybe this post answers your question in an easier to understand way?

I'm struggling how to explain things in a simple to understand way without leaving out something important.
I did it, but it does not work. What is my mistake? Please solve it.
For example, addresses:
192.168.10.0/24  Local
94.20.50.60      Internet
74.70.80.90      Dolat
====================
/ip firewall mangle
chain=prerouting connection-state=established,related in-interface=Interne>

chain=prerouting action=mark-routing new-routing-mark=handling-A connection-mark=handling-A 

chain=prerouting action=mark-routing new-routing-mark=handling-B connection-mark=handling-B 

chain=prerouting action=mark-connection new-connection-mark=handling-A 
      passthrough=yes connection-state=new protocol=tcp 
      dst-address=94.20.50.60  dst-port=80 log=no log-prefix="" 

chain=prerouting action=mark-connection new-connection-mark=handling-B 
      passthrough=yes connection-state=new protocol=tcp 
      src-address=192.168.10.1 src-port=80 log=no log-prefix="" 
chain=prerouting action=mark-routing new-routing-mark=handling-A 
      connection-mark=handling-A 

chain=prerouting action=mark-routing new-routing-mark=handling-B 
      connection-mark=handling-B

/ip firewall nat
chain=srcnat action=masquerade out-interface=Internet log=no log-prefix="" 

chain=srcnat action=masquerade out-interface=Dolat log=no log-prefix="" 

chain=srcnat action=masquerade src-address=192.168.10.0/24 log=no 
      log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.10.1 to-ports=80 
      protocol=tcp dst-address=94.20.50.60  dst-port=80 log=no log-prefix=""

/ip route
dst-address=0.0.0.0/0 gateway=94.20.50.61
        gateway-status=94.20.50.61 reachable via  Internet distance=1 
        scope=30 target-scope=10 routing-mark=handling-A 

dst-address=0.0.0.0/0 gateway=94.20.50.61 
        gateway-status=94.20.50.61 reachable via  Internet distance=1 
        scope=30 target-scope=10 routing-mark=handling-B

dst-address=0.0.0.0/0 gateway=74.70.80.91
        gateway-status=74.70.80.91 reachable via  Dolat check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=GroupA bgp-as-path=""
 
sindy
Forum Guru
Posts: 2406
Joined: Mon Dec 04, 2017 9:19 pm

Re: load balancing and port forwarding for port 80 or another port

Mon Oct 15, 2018 12:21 pm

I would recommend that you replace handling-A by via-Internet and handling-B by via-Dolat in both the connection-mark and routing-mark, as doing so will help you see some logical mistakes yourself (like using the same route for both routing-mark values, so currently you would send even packets marked for Dolat via Internet)

Plus modify the very first mangle rule chain=prerouting connection-state=established,related in-interface=Internet, you want it to accept mid-connection packets which come in via either WAN.

So the script to do that would be:
/interface list add name=all-WANs
/interface list member add list=all-WANs interface=Internet
/interface list member add list=all-WANs interface=Dolat
/ip firewall mangle set [find chain="prerouting" connection-state~"established"] in-interface-list=all-WANs
/ip firewall mangle unset [find chain="prerouting" connection-state~"established"] in-interface



Then, try to logically separate in your mind the step of translating connection-mark to routing-mark, which has to be performed for each individual packet which is sent from LAN (or the Mikrotik itself) but must not be performed for packets coming in via one of the WANs, from the step of choosing the WAN interface out of (Internet, Dolat) for a whole connection only once, when the connection begins.

So for connections initiated by remote clients in the internet, the initial packet of the connection comes in via WAN, so you need to mark the connection with via-Internet or via-Dolat depending on in-interface, because the choice of interface is not yours - the client has already done the choice by connecting to one of your two public IP addresses.

For connections initiated from LAN, you use your own criteria to choose the WAN, the load balancing is one of the possible ones. So you use your normal load balancing rules, but instead of using them to assign a routing-mark directly, you use them to assign the connection-mark, which will be converted into a routing mark later during the same pass through the mangle prerouting chain but remembered throughout the connection, so you don't need to re-assign it over and over again, which allows you to use also load balancing methods which don't depend on other connection properties like source and destination port, so you can e.g. send a randomly chosen 37% of connections to one WAN and let the rest use the other one.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
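The scheme described in the post above, written out as a complete RouterOS v6 configuration. This is an added example, not the thread author's configuration or code from any linked post. It assumes the LAN interface is named Local, the two WAN interfaces are named Internet and Dolat, the web server is 192.168.10.1, and it uses placeholders (my.public.ip.1, my.internet.gw, my.dolat.gw, the dolat-nets address list) that must be replaced with real values:

```routeros
# Added example: connection-mark based multi-WAN with a port forward on RouterOS v6.
# Assumed interface names: Local (LAN), Internet and Dolat (WANs). Gateways, the public
# address and the Dolat prefix are placeholders.
/interface list add name=all-WANs
/interface list member add list=all-WANs interface=Internet
/interface list member add list=all-WANs interface=Dolat

# Placeholder prefix for "destinations that must always use Dolat".
/ip firewall address-list add list=dolat-nets address=10.0.0.0/8 comment="placeholder, replace"

/ip firewall mangle
# 1. Mid-connection packets arriving via either WAN need no marks: accept and stop.
add chain=prerouting in-interface-list=all-WANs connection-state=established,related action=accept
# 2. Connections started from outside: the remote client already chose the WAN by the
#    public address it connected to, so record that WAN in the connection-mark.
#    This runs before dst-nat, so the original in-interface is what is matched.
add chain=prerouting in-interface=Internet connection-state=new action=mark-connection new-connection-mark=via-Internet passthrough=no
add chain=prerouting in-interface=Dolat connection-state=new action=mark-connection new-connection-mark=via-Dolat passthrough=no
# 3. Connections started from LAN: choose the WAN once, on the first packet.
#    passthrough=yes so the same packet reaches the mark-routing rules below;
#    connection-mark=no-mark keeps later rules from overriding an earlier choice.
add chain=prerouting in-interface=Local connection-state=new dst-address-list=dolat-nets action=mark-connection new-connection-mark=via-Dolat passthrough=yes
add chain=prerouting in-interface=Local connection-state=new connection-mark=no-mark dst-address-type=!local random=37 action=mark-connection new-connection-mark=via-Dolat passthrough=yes
add chain=prerouting in-interface=Local connection-state=new connection-mark=no-mark dst-address-type=!local action=mark-connection new-connection-mark=via-Internet passthrough=yes
# 4. Turn the connection-mark into a routing-mark for every packet heading out:
#    forwarded packets from LAN (prerouting) and the router's own replies (output).
#    Replies of the web server to a dst-nat'ed connection get via-Internet here and so
#    leave through the WAN the request came in on.
add chain=prerouting in-interface=Local connection-mark=via-Internet action=mark-routing new-routing-mark=via-Internet passthrough=no
add chain=prerouting in-interface=Local connection-mark=via-Dolat action=mark-routing new-routing-mark=via-Dolat passthrough=no
add chain=output connection-mark=via-Internet action=mark-routing new-routing-mark=via-Internet passthrough=no
add chain=output connection-mark=via-Dolat action=mark-routing new-routing-mark=via-Dolat passthrough=no

/ip firewall nat
# Port forward for the web server, matched on the public address of the Internet WAN.
add chain=dstnat in-interface=Internet dst-address=my.public.ip.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.10.1
add chain=srcnat out-interface=Internet action=masquerade
add chain=srcnat out-interface=Dolat action=masquerade

/ip route
# One default route per routing-mark, each via its own WAN gateway (never the same
# gateway for both marks), plus an unmarked default route for unmarked traffic.
add dst-address=0.0.0.0/0 gateway=my.internet.gw routing-mark=via-Internet check-gateway=ping
add dst-address=0.0.0.0/0 gateway=my.dolat.gw routing-mark=via-Dolat check-gateway=ping
add dst-address=0.0.0.0/0 gateway=my.internet.gw distance=1
```

The order inside the mangle chain is what makes it work: the accept rule only matches established/related packets, so the first packet of a WAN-initiated connection still reaches the mark-connection rules; the LAN rules set the connection-mark with passthrough=yes, so the same first packet then hits the mark-routing rule in the same pass, and every later packet of that connection skips straight from the connection-mark to the routing-mark. To check it, watch the counters with /ip firewall mangle print stats and /ip firewall connection print where connection-mark~"via" while opening the forwarded port from each public address in turn.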
