MikroTik> /ip firewall connection
MikroTik> print
(output snipped)
MikroTik> remove 120,121
action failed(6)
Couldn't remove Connection <192.168.200.8:3897 -> 64.12.x.x.5190> - action failed (6)
Hello,
Currently connection removing is broken on big-endian platforms such as RB400
series and RB333.RB600 and RB1000.
This fix will be available in next RouterOS release.
Regards,
Maris
It seems to me that MikroTik can solve all problems for us by improving on load balancing and failover support in RouterOS. From what I've seen last 5+ years, I am starting to think that MikroTik Latvia need to hire more people because there is too much work to be done.I agree, the remove needs to be fixed. There are times when a connection has to be removed because its going out the wrong gateway with the wrong ip... I've witnessed this enough times myself when swapping gateways.
You need to email support at mikrotik for this one, no one here can fix it : ) It is nice to have this thread so we know when it is fixed however.
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping Normy has just deleted the wiki examples. They will live on and we can honor their memory with this archived thread, remembering their lives dreams and hopes: http://forum.mikrotik.com/viewtopic.php?f=6&t=8870To : NetworkPro
I don't know why there are such examples (yes, all 3 examples), but they are complete b...s..t.
You need one code line for everything to work:
It is ECMP route - it is per address-pair load balancing (not connection based load balancing). So if you connect from address1 to address2 and it goes via GW1 all other communications from address1 to address2 will use the same gateway.Code: Select alladd dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping
nth can be used to acheive per packet load balancing, not per connection.
MikroTik, please, DELETE those wiki examples - they are uselessss
Flags: X - disabled, R - running
0 R name="ADSL1" max-mtu=1492 max-mru=1492 mrru=disabled interface=ether1 user="*" password="*" profile=default-compression-noMSS service-name="" ac-name="" add-default-route=no
dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
1 R name="ADSL2" max-mtu=1492 max-mru=1492 mrru=disabled interface=ether2 user="*" password="*" profile=default-compression-noMSS service-name="" ac-name="" add-default-route=no
dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2 Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.1.2/24 192.168.1.0 192.168.1.255 ether2
1 192.168.6.2/24 192.168.6.0 192.168.6.255 ether1
2 10.0.10.100/24 10.0.10.0 10.0.10.255 Bridge-WDS
3 D 87.***.***.32/32 ***.***.*.234 0.0.0.0 ADSL1
4 D 95.***.**.19/32 ***.***.*.234 0.0.0.0 ADSL2Flags: * - default
0 name="default-compression-noMSS" use-compression=yes use-vj-compression=yes use-encryption=default only-one=default change-tcp-mss=no
Flags: X - disabled, A - active, D -...
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
3 A S ;;; ECMP Test
0.0.0.0/0 reachable ADSL1 1 ADSL1
reachable ADSL2 ADSL2
4 ADC 10.0.10.0/24 10.0.10.100 0 Bridge-WDS
5 ADC 192.168.1.0/24 192.168.1.2 0 ether2
6 ADC 192.168.6.0/24 192.168.6.2 0 ether1
7 ADC ***.***.*.234/32 **.**.**1.19 0 ADSL2
8 DC ***.***.*.234/32 ***.**.*22.32 0 ADSL1Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=10.0.10.0/24
I gave it some thought: the only way how it should be possible on one box is MLPPP, you can forget about all other setups. if it is not working paste your configuration here and send a mail to support. Better explanation what went wrong would be nice. (some sniffer info, screenshots while BT)Packets are still leaking, out both interfaces. I am starting do wonder if the packet sniffer uses connection tracking to replace IP addresses?
MLPPP is not working, active connections shows : 1
Back to square 1.
/ip firewall mangle
add action=mark-connection chain=input connection-state=new in-interface=ADSL2 new-connection-mark=ADSL2Con2R passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=ADSL1 new-connection-mark=ADSL1Con2R passthrough=yes
add action=mark-routing chain=output connection-mark=ADSL2Con2R new-routing-mark=ToADSL2 passthrough=yes
add action=mark-routing chain=output connection-mark=ADSL1Con2R new-routing-mark=ToADSL1 passthrough=yes
/ip route rule
add action=lookup routing-mark=ToADSL2 table=ToADSL2
add action=lookup routing-mark=ToADSL1 table=ToADSL1
/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - sthable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S ;;; Route All ToADSL2
0.0.0.0/0 reachable ADSL2 1 ADSL2
1 A S ;;; ECMP Test
0.0.0.0/0 reachable ADSL1 1 ADSL1
reachable ADSL2 ADSL2
2 A S ;;; Route All ToADSL1
0.0.0.0/0 reachable ADSL1 1 ADSL1
3 ADC 10.0.10.0/24 10.0.10.100 0 Bridge-WDS
4 ADC 192.168.1.0/24 192.168.1.2 0 ether2
5 ADC 192.168.6.0/24 192.168.6.2 0 ether1
6 ADC 212.**.**.234/32 **.**.***.33 0 ADSL2
7 DC 212.**.**.234/32 **.**.***.73 0 ADSL1
The two ADSL accounts have different usernames and passwords. With this particular ISP, a PPPoE username and password can be used from anywhere, from any CPE MAC address.I'm almost sure that your ISP server have MLPPP support.
If yes just create one PPPoE client with both interfaces (works only if username and password for both connections is same)
And with this NAT log rules I can log everything else that would get NATed that is not the above:/ip firewall nat
add action=masquerade chain=srcnat comment=NAT src-address=10.0.10.0/24
And sure enough, I get this:add action=log chain=srcnat out-interface=ADSL1
add action=log chain=srcnat out-interface=ADSL2
And 10.0.20.* and 192.168.2.* are in the internal network....
05:04:08 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60
05:04:25 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 10.0.20.100:53->10.0.20.111:3370, len 61
05:04:38 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 192.168.2.100:53->192.168.2.165:1026, len 61
05:04:53 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60
05:05:38 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60
05:05:43 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 192.168.2.100:53->192.168.2.165:1026, len 30
That is the problem - MLPPP need same username sand passwords for both accounts.The two ADSL accounts have different usernames and passwords...
The problem which I call "leaking packets" still remains. Internet users behind the router have not reported any big problems yet, as their websites seems to work. I myself am unable to travel to test Internet services like MSN etc behind that router, all I can do is over the Internet and I must not cut myself off with a misconfiguration.
05:04:08 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60
05:04:25 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 10.0.20.100:53->10.0.20.111:3370, len 61
05:04:38 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 192.168.2.100:53->192.168.2.165:1026, len 61
05:04:53 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60
05:05:38 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60
05:05:43 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 192.168.2.100:53->192.168.2.165:1026, len 30
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT src-address=10.0.10.0/24True. And I knew it and tested accordingly.That is the problem - MLPPP need same username sand passwords for both accounts.The two ADSL accounts have different usernames and passwords...
These are just logged in postrouting by [srcnat] facility. I have sniffed other packets with other addresses on the ADSL interfaces. This logging probably works because routing-decision sends them to postrouting, knowing there are log rules there.The problem which I call "leaking packets" still remains. Internet users behind the router have not reported any big problems yet, as their websites seems to work. I myself am unable to travel to test Internet services like MSN etc behind that router, all I can do is over the Internet and I must not cut myself off with a misconfiguration.But in here it is obvious that packets will not be captured by this nat rule:Code: Select all05:04:08 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60 05:04:25 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 10.0.20.100:53->10.0.20.111:3370, len 61 05:04:38 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 192.168.2.100:53->192.168.2.165:1026, len 61 05:04:53 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60 05:05:38 firewall,info srcnat: in:(none) out:ADSL1, proto UDP, 10.0.20.100:53->10.0.20.117:1034, len 60 05:05:43 firewall,info srcnat: in:(none) out:ADSL2, proto UDP, 192.168.2.100:53->192.168.2.165:1026, len 30Just use out-interface option.Code: Select all/ip firewall nat add action=masquerade chain=srcnat comment=NAT src-address=10.0.10.0/24
Or create a firewall filter to block this traffic.
