Load Balance, Multiwan with webproxy

lukkes · Wed Jun 02, 2010 9:03 pm

I've read a lot of post asking how we can make a load balance and web proxy can use it, to many people say that it's not possible, but yes it is, only we need to do it's mark in the output the packets go to destination port 80 and assign a routing mark, thats it.

I you found this useful don't forget about the karma http://forum.mikrotik.com/viewtopic.php?f=1&t=41148

yinxiangyn · Thu Jun 03, 2010 4:13 pm

I've read a lot of post asking how we can make a load balance and web proxy can use it, to many people say that it's not possible, but yes it is, only we need to do it's mark in the output the packets go to destination port 80 and assign a routing mark, thats it.

I you found this useful don't forget about the karma http://forum.mikrotik.com/viewtopic.php?f=1&t=41148

Very useful, hoho
Although not understand what Karma is, but I vote, thank you for your help!

gtpro · Thu Jun 03, 2010 9:13 pm

Hi, I'm new to the forums but I have been reading them for a while, english is not my primary language.

Can you guys tell me how to set up the mangle rules to use the web proxy when I'm using PCC load balance.

This is my current set up.

/ ip address
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 interface=Local
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=wan1
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=wan2
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 interface=wan3

/ ip firewall mangle
add chain=input in-interface=wan1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=wan2 action=mark-connection new-connection-mark=wan2_conn
add chain=input in-interface=wan3 action=mark-connection new-connection-mark=wan3_conn

add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
add chain=output connection-mark=wan3_conn action=mark-routing new-routing-mark=to_wan3

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 \
action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 \
action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 \
action=mark-connection new-connection-mark=wan3_conn passthrough=yes

add chain=prerouting connection-mark=wan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wan3

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_wan3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade
add chain=srcnat out-interface=wan3 action=masquerade

Thank you.

gtpro · Fri Jun 04, 2010 4:40 am

Hi. Can you guys please tell me what exactly I need to put in the mangle rules to get my web proxy working with PCC load balancer. Thank You!!!

fewi · Fri Jun 04, 2010 4:07 pm

As stated in the original post, also mark in the 'output' chain rather than just in 'prerouting'.

yinxiangyn · Fri Jun 04, 2010 5:44 pm

Hi, I'm new to the forums but I have been reading them for a while, english is not my primary language.

Can you guys tell me how to set up the mangle rules to use the web proxy when I'm using PCC load balance.

This is my current set up.

/ ip address
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 interface=Local
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=wan1
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=wan2
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 interface=wan3

/ ip firewall mangle
add chain=input in-interface=wan1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=wan2 action=mark-connection new-connection-mark=wan2_conn
add chain=input in-interface=wan3 action=mark-connection new-connection-mark=wan3_conn

add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
add chain=output connection-mark=wan3_conn action=mark-routing new-routing-mark=to_wan3

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 \
action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 \
action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 \
action=mark-connection new-connection-mark=wan3_conn passthrough=yes

add chain=prerouting connection-mark=wan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wan3

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_wan3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade
add chain=srcnat out-interface=wan3 action=masquerade

Thank you.

My example above is wrong, I deleted it. Will cause problems.
Now, I adjusted it.
According to this do it.

yinxiangyn · Fri Jun 04, 2010 5:48 pm

Destination port 80, also need to do load balancing.

gtpro · Fri Jun 04, 2010 8:02 pm

I tried what you said but it does not work, I'm trying to get transparent web proxy to work. After I add the NAT rule to redirect traffic from port 80 to port 8080 of the proxy everything on the LAN stops, no packets can get through.

yinxiangyn · Fri Jun 04, 2010 10:17 pm

I tried what you said but it does not work, I'm trying to get transparent web proxy to work. After I add the NAT rule to redirect traffic from port 80 to port 8080 of the proxy everything on the LAN stops, no packets can get through.

I am sure the above settings, in my RB450G, load balance、 web-proxy does work.
Just some of the details, I need to study.
Where the arrow mark, I do not know what use, but it does work.

gtpro · Fri Jun 04, 2010 10:46 pm

Could it be because I'm not using pppoe over the wan side?

yinxiangyn · Fri Jun 04, 2010 11:09 pm

Could it be because I'm not using pppoe over the wan side?

I'm not sure, because I did not test such an environment.
All the web-proxy related, I have come to give you an example for reference.
Maybe other people see, and can give you recommendations.

gtpro · Fri Jun 04, 2010 11:55 pm

I tried everything you said but it still does not work, I think the problem is that I'm using static addresses on the WAN side and not pppoe. I might try setting up the pppoe interfaces tonight.

Is this the right way to set it up?

/ ip firewall mangle
add chain=input in-interface=pppoe-out1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=pppoe-out2 action=mark-connection new-connection-mark=wan2_conn
add chain=input in-interface=pppoe-out3 action=mark-connection new-connection-mark=wan3_conn

add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
add chain=output connection-mark=wan3_conn action=mark-routing new-routing-mark=to_wan3

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 \
action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 \
action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 \
action=mark-connection new-connection-mark=wan3_conn passthrough=yes

add chain=prerouting connection-mark=wan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wan3

/ ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=to_wan3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out3 distance=3 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=pppoe-out2 action=masquerade
add chain=srcnat out-interface=pppoe-out3 action=masquerade

Any help would be appreciated!

yinxiangyn · Sat Jun 05, 2010 12:35 am

ip route
add comment=adsl1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out1 routing-mark=to_pppoe-out1

add check-gateway=ping comment=adsl1 disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=pppoe-out1

/ip firewall mangle
add action=mark-connection chain=input comment="" \
disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe-out1_conn \
passthrough=yes

add action=mark-packet chain=output disabled=no dst-port=80 new-packet-mark=1 \
passthrough=yes per-connection-classifier=both-addresses:4/0 protocol=tcp

add action=mark-routing chain=output connection-mark=!pppoe-out1_conn \
disabled=no new-routing-mark=to_pppoe-out1 packet-mark=1 passthrough=yes

add action=mark-routing chain=prerouting connection-mark=pppoe-out1_conn \
disabled=no in-interface=LAN new-routing-mark=to_pppoe-out1 passthrough=\
yes

add action=mark-connection chain=prerouting comment="" \
disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=\
pppoe-out2_conn passthrough=yes per-connection-classifier=\
both-addresses:4/1

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1

add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=LAN \
protocol=tcp to-ports=8080
This is my sample, PCC, WEB PROXY does work.

gtpro · Sat Jun 05, 2010 12:50 am

I'm going to try your sample configuration late tonight or very early tomorrow morning and I will let you know how it goes.

yinxiangyn · Sat Jun 05, 2010 12:53 am

I'm going to try your sample configuration late tonight or very early tomorrow morning and I will let you know how it goes.

I hope you succeed, and now, I'm going to bed.

gtpro · Sat Jun 05, 2010 3:32 am

Before I try the setup I want that some one on this forum takes a look on this configuration so if there are any mistakes let me know please.

/ip firewall mangle

add action=mark-connection chain=input in-interface=pppoe-out1 new-connection-mark=pppoe-out1_conn passthrough=yes

add action=mark-packet chain=output dst-port=80 new-packet-mark=1 passthrough=yes per-connection-classifier=both-addresses:3/0 \ protocol=tcp

add action=mark-routing chain=output connection-mark=!pppoe-out1_conn new-routing-mark=to_pppoe-out1 packet-mark=1 passthrough=yes

add action=mark-routing chain=prerouting connection-mark=pppoe-out1_conn in-interface=Local new-routing-mark=to_pppoe-out1 passthrough=yes

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=pppoe-out1_conn passthrough=yes per-connection-classifier=both-addresses:3/0

add action=mark-connection chain=input in-interface=pppoe-out2 new-connection-mark=pppoe-out2_conn passthrough=yes

add action=mark-packet chain=output dst-port=80 new-packet-mark=2 passthrough=yes per-connection-classifier=both-addresses:3/1 \ protocol=tcp

add action=mark-routing chain=output connection-mark=!pppoe-out2_conn new-routing-mark=to_pppoe-out2 packet-mark=2 passthrough=yes

add action=mark-routing chain=prerouting connection-mark=pppoe-out2_conn in-interface=Local new-routing-mark=to_pppoe-out2 passthrough=yes

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=pppoe-out2_conn passthrough=yes per-connection-classifier=both-addresses:3/1

add action=mark-connection chain=input in-interface=pppoe-out3 new-connection-mark=pppoe-out3_conn passthrough=yes

add action=mark-packet chain=output dst-port=80 new-packet-mark=3 passthrough=yes per-connection-classifier=both-addresses:3/2 \ protocol=tcp

add action=mark-routing chain=output connection-mark=!pppoe-out3_conn new-routing-mark=to_pppoe-out3 packet-mark=3 passthrough=yes

add action=mark-routing chain=prerouting connection-mark=pppoe-out3_conn in-interface=Local new-routing-mark=to_pppoe-out3 passthrough=yes

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local new-connection-mark=pppoe-out3_conn passthrough=yes per-connection-classifier=both-addresses:3/2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pppoe-out3

add action=redirect chain=dstnat dst-port=80 in-interface=Local protocol=tcp to-ports=8080

ip route
add comment=adsl1 distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_pppoe-out1
add check-gateway=ping comment=adsl1 distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1

add comment=adsl2 distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_pppoe-out2
add check-gateway=ping comment=adsl2 distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2

add comment=adsl3 distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=to_pppoe-out3
add check-gateway=ping comment=adsl3 distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out3

yinxiangyn · Mon Jun 07, 2010 11:47 am

I use a few days, found that while using load balancing and web-proxy, sometimes leading to high CPU occupied, especially encountered when multi-threaded HTTP download.

yinxiangyn · Mon Jun 07, 2010 12:07 pm

The most simple solution, in accordance with the example of doing so, as long as a rule. Other settings you do not need to make any changes.
But do have a flaw, that is browsing the Web and HTTP downloading when there is no load balancing, only work in a single line.

do not check the passthrough!!!

gtpro · Mon Jun 07, 2010 11:03 pm

I think that having 3 pppoe with pcc and web proxy does not work well, I already tried it. Maybe web proxy only works with 1 wan

gtpro · Tue Jun 08, 2010 7:41 pm

I'm using this configuration wiht static addresses on the wan sides, the web proxy works but it only uses one wan, is it not possible to use web proxy with PCC ??. If I disable the Redirect rule then all 3 wans are used. Anyone knows how to get PCC and web proxy working??

/ ip firewall mangle
add chain=input in-interface=wan1 action=mark-connection passthrough=yes new-connection-mark=wan1_conn
add chain=input in-interface=wan2 action=mark-connection passthrough=yes new-connection-mark=wan2_conn
add chain=input in-interface=wan3 action=mark-connection passthrough=yes new-connection-mark=wan3_conn

add chain=output connection-mark=wan1_conn action=mark-routing passthrough=yes new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing passthrough=yes new-routing-mark=to_wan2
add chain=output connection-mark=wan3_conn action=mark-routing passthrough=yes new-routing-mark=to_wan3

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 \
action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 \
action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 \
action=mark-connection new-connection-mark=wan3_conn passthrough=yes

add chain=prerouting connection-mark=wan1_conn in-interface=Local action=mark-routing passthrough=yes new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=Local action=mark-routing passthrough=yes new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan3_conn in-interface=Local action=mark-routing passthrough=yes new-routing-mark=to_wan3

chain=output action=mark-routing new-routing-mark=wan1 passthrough=yes dst-address=192.168.5.0/24 per-connection-classifier=both-addresses:3/0
chain=output action=mark-routing new-routing-mark=wan2 passthrough=yes dst-address=192.168.5.0/24 per-connection-classifier=both-addresses:3/1
chain=output action=mark-routing new-routing-mark=wan2 passthrough=yes dst-address=192.168.5.0/24 per-connection-classifier=both-addresses:3/2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_wan3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping

/ ip firewall nat
chain=dstnat action=redirect to-ports=3128 protocol=tcp in-interface=Local dst-port=80
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade
add chain=srcnat out-interface=wan3 action=masquerade

fewi · Tue Jun 08, 2010 7:52 pm

chain=output action=mark-routing new-routing-mark=wan1 passthrough=yes dst-address=192.168.5.0/24 per-connection-classifier=both-addresses:3/0

Why do you have the destination address qualifier in there? Traffic from the proxy to any given website isn't going to match that, so it's not going to be spread out. Remove those.

Also, your routing marks need to match the ones you're actually referring to in the routing statements.

add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_wan1 check-gateway=ping

That route fires on 'to_want1', but you're assigning something else: "new-routing-mark=wan1"

Edit: looking again you also have the output chain rules ordered wrong, and you have passthrough enabled on rules that shouldn't have it turned on. Remove everything from the mangle ruleset and try the below:

/ ip firewall mangle
add chain=input in-interface=wan1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=wan2 action=mark-connection new-connection-mark=wan2_conn
add chain=input in-interface=wan3 action=mark-connection new-connection-mark=wan3_conn

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=wan3_conn passthrough=yes

add chain=prerouting connection-mark=wan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wan3

add chain=output action=mark-connection new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add chain=output action=mark-connection new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add chain=output action=mark-connection new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:3/2

add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
add chain=output connection-mark=wan3_conn action=mark-routing new-routing-mark=to_wan3

gtpro · Tue Jun 08, 2010 8:04 pm

Hi, thanks for replying, if I remove these lines:

chain=output action=mark-routing new-routing-mark=wan1 passthrough=yes dst-address=192.168.5.0/24 per-connection-classifier=both-addresses:3/0
chain=output action=mark-routing new-routing-mark=wan2 passthrough=yes dst-address=192.168.5.0/24 per-connection-classifier=both-addresses:3/1
chain=output action=mark-routing new-routing-mark=wan3 passthrough=yes dst-address=192.168.5.0/24 per-connection-classifier=both-addresses:3/2

the web proxy stops working, how should I do it? I'm very new to the Mikrotik stuff, I was using WRT54GL's before this RB450G, pleases tell me how I should do it.

fewi · Tue Jun 08, 2010 8:06 pm

Please see the edit above.

I don't know how to phrase this nicely and I promise I'm not trying to be mean, but which part of the wiki example (which has a detailed description of what the configuration parts do) do you have a hard time understanding? Maybe ask generic questions here instead of just for finished configuration so you can understand what the parts do.

gtpro · Tue Jun 08, 2010 8:10 pm

I just saw your edited post, sorry, I'm going to try that and I will let you know, excuse my bad english.

gtpro · Tue Jun 08, 2010 10:34 pm

Hey fewi just to let you know that with the configuration you posted it does not work, after I enable the nat redirect rule I cant access web pages, I fixed this

add chain=output action=mark-connection new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add chain=output action=mark-connection new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add chain=output action=mark-connection new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:3/2

To this

add chain=output action=mark-connection new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add chain=output action=mark-connection new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add chain=output action=mark-connection new-connection-mark=wan3_conn passthrough=yes per-connection-classifier=both-addresses:3/2

But still it does not work, I dont know what else to do to get it going right. Thank you Fewi.

yinxiangyn · Wed Jun 09, 2010 9:34 pm

I think that having 3 pppoe with pcc and web proxy does not work well, I already tried it. Maybe web proxy only works with 1 wan

I mean just sometimes CPU load is high, but does not mean it does not work. This is normal.
You have not found a way it?
In fact, there are many ways to reach。
Another way, Example

gtpro · Wed Jun 09, 2010 11:48 pm

Well it did not work with my setup, can you put all your mangle rules here.

bawolek · Fri Jun 18, 2010 12:35 am

I have also problem with proxy and load-balancing,

I want to use redirect in proxy
/ip proxy access
add action=deny comment="" disabled=no redirect-to=x.x.x.x.x src-address=0.0.0.0/0

but when I turn this rule, browser has errors: "to many redirection" ....

lukkes · Fri Jun 18, 2010 12:48 am

you must put another line before that accepting the redirected site

gtpro · Fri Jun 18, 2010 2:56 am

Can someone please post all the mangle rules needed to get PCC and web proxy working.

This is my current configuration:

/ ip address
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 interface=Local
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=wan1
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=wan2
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 interface=wan3

/ ip firewall mangle
add chain=input in-interface=wan1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=wan2 action=mark-connection new-connection-mark=wan2_conn
add chain=input in-interface=wan3 action=mark-connection new-connection-mark=wan3_conn

add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
add chain=output connection-mark=wan3_conn action=mark-routing new-routing-mark=to_wan3

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 \
action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 \
action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 \
action=mark-connection new-connection-mark=wan3_conn passthrough=yes

add chain=prerouting connection-mark=wan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wan3

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_wan3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade
add chain=srcnat out-interface=wan3 action=masquerade

I have tried adding these rules above my output rules:

/ip firewall mangle
add chain=output connection-mark=no-mark per-connection-classifier=both-addresses:3/0 \
action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=output connection-mark=no-mark per-connection-classifier=both-addresses:3/1 \
action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=output connection-mark=no-mark per-connection-classifier=both-addresses:3/2 \
action=mark-connection new-connection-mark=wan3_conn passthrough=yes

But it does not work, after I add the Nat redirect rule I cannot browse web pages. So if any of you have PCC load balance and web proxy working please share your configuration.

bawolek · Fri Jun 18, 2010 5:28 pm

you must put another line before that accepting the redirected site

thanks, one point karma is for you ;p

@gtpro im not sure but i think that is impossible to run web-proxy for more than one wan .... proxy works on one WAN, you can load-balance traffic to any output interfaces but traffic which goes thrue proxy is going by only one WAN
(maybe because is one process for cpu and use one routing table)

so you have to load-balance all traffic, but not http

 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local dst-port=!80 in-interface=\
    LAN new-connection-mark=dsl2_pol passthrough=yes per-connection-classifier=both-addresses:6/4 protocol=tcp

gtpro · Fri Jun 18, 2010 7:37 pm

Thanks Bawolek, I know what I will do next, I will buy another RB450G just to do the load balancing and a second RB450G just to do the web proxy, I think that will work.

yinxiangyn · Fri Jun 18, 2010 8:08 pm

Thanks Bawolek, I know what I will do next, I will buy another RB450G just to do the load balancing and a second RB450G just to do the web proxy, I think that will work.

Just saw your reply
Believe me, do not do this, RB450G as WEB-PROXY is incompetent, SD card capacity is too small, CPU too weak. X86 should be more suitable.
My English is too bad, I hope not offend anyone. I also hope you can understand what I say.

yinxiangyn · Fri Jun 18, 2010 8:20 pm

My own family use, 4X4M ADSL, even though I overclocked to 800MHz,If used together with load balancing and WEB-PROXY, sometimes 100% CPU load,If you use in the workplace, or commercial use, the number of users a lot of it, is obviously not suitable.

yinxiangyn · Fri Jun 18, 2010 8:52 pm

Relative to the WIKI, I just made two changes, adding 80-port load balancing, and 80 ports are not marked.
And I can assure you, in my RB450G all normal. WEB-PROXY work in the four-line。
http://wiki.mikrotik.com/wiki/PCC#Appli ... _Balancing

bawolek · Fri Jun 18, 2010 9:15 pm

in my post Fri Jun 18, 2010 4:28 pm I forgot about UDP protocol ! ...

so @yinxiangyn in your config I think that you should add roules for udp

so you have roules 10,11,12,13 this roules mangle protocol TCP without port 80
but what about UDP ? ;p

if your proxy is working on 4 wan with yours config, that fact is very interesting

PS do not worry about your English, my English also is poor but I think everyone know what's going on ;p

greetings from Polish

gtpro · Fri Jun 18, 2010 9:29 pm

@ inxiangyn

Can you post here all the mangle rules you are using on that setup, my english is not good.

yinxiangyn · Fri Jun 18, 2010 11:34 pm

OK Just a moment， I just finished watching the World Cup.

gtpro · Fri Jun 18, 2010 11:58 pm

Ok

yinxiangyn · Sat Jun 19, 2010 12:02 am

Ok

/ip route
add comment=adsl1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out1 routing-mark=to_pppoe-out1 scope=30 target-scope=10
add comment=adsl2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out2 routing-mark=to_pppoe-out2 scope=30 target-scope=10
add comment=adsl3 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out3 routing-mark=to_pppoe-out3 scope=30 target-scope=10
add comment=adsl4 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out4 routing-mark=to_pppoe-out4 scope=30 target-scope=10
add comment=adsl1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
pppoe-out1 scope=30 target-scope=10
add comment=adsl2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
pppoe-out2 scope=30 target-scope=10
add comment=adsl3 disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
pppoe-out3 scope=30 target-scope=10
add comment=adsl4 disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
pppoe-out4 scope=30 target-scope=10

/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=pppoe-out1 \
new-connection-mark=pppoe-out1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out2 \
new-connection-mark=pppoe-out2_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out3 \
new-connection-mark=pppoe-out3_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out4 \
new-connection-mark=pppoe-out4_conn passthrough=yes
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out1_conn passthrough=yes \
per-connection-classifier=both-addresses:4/0 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out2_conn passthrough=yes \
per-connection-classifier=both-addresses:4/1 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out3_conn passthrough=yes \
per-connection-classifier=both-addresses:4/2 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out4_conn passthrough=yes \
per-connection-classifier=both-addresses:4/3 protocol=tcp
add action=mark-connection chain=prerouting comment=\
"" disabled=no dst-address-type=\
!local dst-port=!80 in-interface=bridge1 new-connection-mark=\
pppoe-out1_conn passthrough=yes per-connection-classifier=\
both-addresses:4/0 protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local dst-port=!80 in-interface=bridge1 new-connection-mark=\
pppoe-out2_conn passthrough=yes per-connection-classifier=\
both-addresses:4/1 protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local dst-port=!80 in-interface=bridge1 new-connection-mark=\
pppoe-out3_conn passthrough=yes per-connection-classifier=\
both-addresses:4/2 protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local dst-port=!80 in-interface=bridge1 new-connection-mark=\
pppoe-out4_conn passthrough=yes per-connection-classifier=\
both-addresses:4/3 protocol=tcp
add action=mark-routing chain=prerouting comment=\
"" connection-mark=pppoe-out1_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out1 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out2_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out2 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out3_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out3 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out4_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out4 \
passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out1_conn \
disabled=no new-routing-mark=to_pppoe-out1 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out2_conn \
disabled=no new-routing-mark=to_pppoe-out2 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out3_conn \
disabled=no new-routing-mark=to_pppoe-out3 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out4_conn \
disabled=no new-routing-mark=to_pppoe-out4 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out3
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out4
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=bridge1 \
protocol=tcp to-ports=3123

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=yes enabled=yes max-cache-size=398000KiB \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=3123 serialize-connections=\
no src-address=0.0.0.0
/ip proxy access
add action=allow disabled=no dst-port=80 src-address=192.168.13.0/24
/ip proxy cache
add action=allow disabled=no dst-port=80 src-address=192.168.13.0/24

gtpro · Sat Jun 19, 2010 12:09 am

Thank you

, I will try it as soon as I can and I will let you know.

yinxiangyn · Sat Jun 19, 2010 12:16 am

Thank you , I will try it as soon as I can and I will let you know.

interface

PS
When testing, temporary closure of the firewall filter

gtpro · Sat Jun 19, 2010 12:25 am

/ip proxy access
add action=allow disabled=no dst-port=80 src-address=192.168.13.0/24
/ip proxy cache
add action=allow disabled=no dst-port=80 src-address=192.168.13.0/24

Is this your local LAN 192.168.13.0/24 ?

yinxiangyn · Sat Jun 19, 2010 12:29 am

/ip proxy access
add action=allow disabled=no dst-port=80 src-address=192.168.13.0/24
/ip proxy cache
add action=allow disabled=no dst-port=80 src-address=192.168.13.0/24

Is this your local LAN 192.168.13.0/24 ?

yes
good luck

NO!
I forgot, is the bridge

yinxiangyn · Sat Jun 19, 2010 12:53 am

in my post Fri Jun 18, 2010 4:28 pm I forgot about UDP protocol ! ...

so @yinxiangyn in your config I think that you should add roules for udp

so you have roules 10,11,12,13 this roules mangle protocol TCP without port 80
but what about UDP ? ;p

if your proxy is working on 4 wan with yours config, that fact is very interesting

PS do not worry about your English, my English also is poor but I think everyone know what's going on ;p

greetings from Polish

Thank you for your greetings, my friend

why go to mark UDP? I do not quite understand.
For other purposes?
Maybe I will go to mark tcp 8080, because some site is using the tcp 8080, but I can not think of reasons to mark UDP.
Where do I understand wrong?

I am a photography enthusiast, WEB-PROXY for me, just as a picture memory.
Like to visit this site, a lot of pictures, I need to use WEB-PROXY, so I once again recall the time can quickly see the picture. It's that simple. ^ _ ^!
http://forum.xitek.com/showthread.php?threadid=734548

bawolek · Sat Jun 19, 2010 1:17 am

so... "UDP" maybe this is not good word...

I mean that yours rules not balance all traffic from clients,
but only tcp protocol (without port 80)

but what about for example UDP.... etc

for example this rule mark all traffic from clients....

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=dsl1_pol \
    passthrough=yes per-connection-classifier=both-addresses:6/3

if you use "protocol=tcp dst-port=!80" then roule mark only tcp (without port 80) but rest traffic goes through by default gateway

gtpro · Sat Jun 19, 2010 1:29 am

After 15 minutes of trying your setup I can confirm that it WORKS yinxiangyn, it is balancing 3 wans and the web proxy is working. Thank You yinxiangyn

!

yinxiangyn · Sat Jun 19, 2010 1:43 am

After 15 minutes of trying your setup I can confirm that it WORKS yinxiangyn, it is balancing 3 wans and the web proxy is working. Thank You yinxiangyn !

You're welcome, my friend.

yinxiangyn · Sat Jun 19, 2010 1:46 am

so... "UDP" maybe this is not good word...

I mean that yours rules not balance all traffic from clients,
but only tcp protocol (without port 80)

but what about for example UDP.... etc

for example this rule mark all traffic from clients....
Code: Select all
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=dsl1_pol \
    passthrough=yes per-connection-classifier=both-addresses:6/3 
if you use "protocol=tcp dst-port=!80" then roule mark only tcp (without port 80) but rest traffic goes through by default gateway

Thanks for your advice, my friend.

I probably know what you mean.
Maybe I'm just home use, some of the problems I have not noticed, but I will try.

My friend, you are right.
I misunderstood the "!" Means, thank you for reminding me.
Use of BIT-TORRENT software is easy to find the problem, I do not use a long time.
I will try to improve it.

yinxiangyn · Sat Jun 19, 2010 5:41 am

After 15 minutes of trying your setup I can confirm that it WORKS yinxiangyn, it is balancing 3 wans and the web proxy is working. Thank You yinxiangyn !

My friend, Thank you for your Karma, but I am wrong, while it does work, but some problems are not resolved. I hope I can solve it.

Without causing distress to you before, stop using it.!!!

gtpro · Sat Jun 19, 2010 5:51 am

It is still working fine here, what kind of problems do you have?

lukkes · Sat Jun 19, 2010 6:15 am

you must put another line before that accepting the redirected site
thanks, one point karma is for you ;p

@gtpro im not sure but i think that is impossible to run web-proxy for more than one wan .... proxy works on one WAN, you can load-balance traffic to any output interfaces but traffic which goes thrue proxy is going by only one WAN
(maybe because is one process for cpu and use one routing table)

so you have to load-balance all traffic, but not http
Code: Select all
 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local dst-port=!80 in-interface=\
    LAN new-connection-mark=dsl2_pol passthrough=yes per-connection-classifier=both-addresses:6/4 protocol=tcp
 

Thanks for the karma,

talking about proxy with many wan it works, i'm using it, you can make an speed test in http://www.speakeasy.net/speedtest and if your router is balancig you willl see in this test because it download two files at same time.. just try

yinxiangyn · Sat Jun 19, 2010 6:59 am

It is still working fine here, what kind of problems do you have?

The use of TCP type of connection, no problem, load balancing, web browsing. Work well.
For example in the use of UDP type of connection will be a problem. Such as P2P software.
If NTH or src-address, src-port type of PCC, a simple solution.
Only in a both-addresses types of PCC, I need to learn.

yinxiangyn · Sat Jun 19, 2010 9:00 am

bawolek · Sat Jun 19, 2010 10:41 am

@yinxiangyn my idea is still evolving

I think that better way is add accept before rule 10 for tcp 80 port

then in prerouting roules 10,11,12,13 will be the same pair of dst adres (and will be in the same mark)

now 10,11,12,13 rules creates one group of dst adres pair and 14,15,16,17 creates another pairs for rest of traffic

so it can hapen that the same group of adress will goes through not by the same WAN interfaces (for example tcp from client will goes through by pppoe1, and UDP from the same client (AND THE SAME ADDRESSES PAIR) will go through pppoe2 )

(because you markt the same adres in two steps: one for tcp (without 80 tcp), two for the rest of the traffic from the same address)

if you add accept for 80 tcp, you will not need a 14,15,16,17 rules

and 10,11,12,13 will look:

 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=dsl1_pol \
    passthrough=yes per-connection-classifier=both-addresses:6/3

I hope that I wrote is understandable ;p

greet

yinxiangyn · Sat Jun 19, 2010 11:46 am

@yinxiangyn my idea is still evolving
I think that better way is add accept before rule 10 for tcp 80 port

then in prerouting roules 10,11,12,13 will be the same pair of dst adres (and will be in the same mark)

now 10,11,12,13 rules creates one group of dst adres pair and 14,15,16,17 creates another pairs for rest of traffic

so it can hapen that the same group of adress will goes through not by the same WAN interfaces (for example tcp from client will goes through by pppoe1, and UDP from the same client (AND THE SAME ADDRESSES PAIR) will go through pppoe2 )

(because you markt the same adres in two steps: one for tcp (without 80 tcp), two for the rest of the traffic from the same address)

if you add accept for 80 tcp, you will not need a 14,15,16,17 rules
and 10,11,12,13 will look:
Code: Select all
 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=dsl1_pol \
    passthrough=yes per-connection-classifier=both-addresses:6/3 
I hope that I wrote is understandable ;p

greet

My friend, a good idea, although I can not 100% understand your intentions, because the language.
But generally I can understand. And I'm going to try

This is your intention to it?

PS
No matter if it is a white cat or a black cat， a cat that can catch rats is a good cat!
Chinese Proverb,Hope you like it.

bawolek · Sat Jun 19, 2010 12:29 pm

exactly, precisely what I meant

I think this is a correct solution, in your previous mark rules, aplications (from the same client) that use more than ones protocol (for example TCP + UDP) may goes through not to the same pppoe interface, .............. now they goes though to the same pppoe interface

PS the great proverb but ;p
for example I like cats, who are larger and faster to catch rats, than other cats

greet

yinxiangyn · Sat Jun 19, 2010 1:08 pm

Anyway, will not be Garfield

and
@gtpro
use this

/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=pppoe-out1 \
new-connection-mark=pppoe-out1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out2 \
new-connection-mark=pppoe-out2_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out3 \
new-connection-mark=pppoe-out3_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out4 \
new-connection-mark=pppoe-out4_conn passthrough=yes
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out1_conn passthrough=yes \
per-connection-classifier=both-addresses:4/0 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out2_conn passthrough=yes \
per-connection-classifier=both-addresses:4/1 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out3_conn passthrough=yes \
per-connection-classifier=both-addresses:4/2 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out4_conn passthrough=yes \
per-connection-classifier=both-addresses:4/3 protocol=tcp
add action=accept chain=prerouting disabled=no dst-port=80 in-interface=\
bridge1 protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out1_conn \
passthrough=yes per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out2_conn \
passthrough=yes per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out3_conn \
passthrough=yes per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out4_conn \
passthrough=yes per-connection-classifier=both-addresses:4/3
add action=mark-routing chain=prerouting connection-mark=pppoe-out1_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out1 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out2_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out2 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out3_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out3 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out4_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out4 \
passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out1_conn \
disabled=no new-routing-mark=to_pppoe-out1 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out2_conn \
disabled=no new-routing-mark=to_pppoe-out2 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out3_conn \
disabled=no new-routing-mark=to_pppoe-out3 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out4_conn \
disabled=no new-routing-mark=to_pppoe-out4 passthrough=yes

See you, my friends, I have to see the football game.

kazanova · Mon Sep 06, 2010 10:41 pm

after fotball game rule work fine or not :S

http://forum.mikrotik.com/viewtopic.php ... 30#p225830

Michel · Tue Sep 28, 2010 1:57 pm

Sorry that I post again (I do not see my postings, they are waiting to approve)

My IPSEC connection has now problems with the routing mark, because it breaks the secure packets.

echo: ipsec invalid length of payload
echo: ipsec failed to pre-process packet.

/ ip route
add comment=adsl1 disabled=no distance=1 dst-address=IP gateway=\
pppoe-out1 routing-mark=to_pppoe-out1

If I disable the mark, than all is fine again. Any hints ?

lukkes · Wed Sep 29, 2010 2:15 pm

set prerouting rule over the others with the ipsec mark and action accept it will send all packets to the default gateway and will not use the balance, also you can do it with all that breaks with the balance, https, msn, etc

Michel · Thu Sep 30, 2010 11:07 am

Thank you very much, it works now.

vic_s · Fri Jul 22, 2011 11:32 pm

Hello, i am trying to get a load balance pcc with an external webproxy which is connected to a different interface which is not the lan interface, and i cant get it to work.

I used the last configuration posted :

/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=pppoe-out1 \
new-connection-mark=pppoe-out1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out2 \
new-connection-mark=pppoe-out2_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out3 \
new-connection-mark=pppoe-out3_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=pppoe-out4 \
new-connection-mark=pppoe-out4_conn passthrough=yes
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out1_conn passthrough=yes \
per-connection-classifier=both-addresses:4/0 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out2_conn passthrough=yes \
per-connection-classifier=both-addresses:4/1 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out3_conn passthrough=yes \
per-connection-classifier=both-addresses:4/2 protocol=tcp
add action=mark-connection chain=output disabled=no dst-port=80 \
new-connection-mark=pppoe-out4_conn passthrough=yes \
per-connection-classifier=both-addresses:4/3 protocol=tcp
add action=accept chain=prerouting disabled=no dst-port=80 in-interface=\
bridge1 protocol=tcp
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out1_conn \
passthrough=yes per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out2_conn \
passthrough=yes per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out3_conn \
passthrough=yes per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=bridge1 new-connection-mark=pppoe-out4_conn \
passthrough=yes per-connection-classifier=both-addresses:4/3
add action=mark-routing chain=prerouting connection-mark=pppoe-out1_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out1 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out2_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out2 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out3_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out3 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe-out4_conn \
disabled=no in-interface=bridge1 new-routing-mark=to_pppoe-out4 \
passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out1_conn \
disabled=no new-routing-mark=to_pppoe-out1 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out2_conn \
disabled=no new-routing-mark=to_pppoe-out2 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out3_conn \
disabled=no new-routing-mark=to_pppoe-out3 passthrough=yes
add action=mark-routing chain=output connection-mark=pppoe-out4_conn \
disabled=no new-routing-mark=to_pppoe-out4 passthrough=yes

It works, but all the proxy http traffic gets to the internet by the default route, so the http its not loadbalanced.

Does anyone have an idea?

tate · Mon Oct 21, 2013 10:33 am

pless help not working PCC Proxy

/ip address
add address=192.168.1.1/24 disabled=no interface=WAN1 network=192.168.1.0
add address=192.168.0.1/24 disabled=no interface=WAN2 network=192.168.0.0
add address=192.168.5.1/24 disabled=no interface=Local network=192.168.5.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0

/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes

add action=mark-connection chain=output comment="Marking Web Proxy Connection for WAN-1" disabled=no dst-port=80 new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=output comment="Marking Web Proxy Connection for WAN-2" disabled=no dst-port=80 new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp

add action=mark-connection chain=prerouting comment="Excluding Port 80 from PCC - WAN1" disabled=no dst-address-type=!local dst-port=!80 in-interface=Local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment="Excluding Port 80 from PCC - WAN2" disabled=no dst-address-type=!local dst-port=!80 in-interface=Local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp

add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no in-interface=Local new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no in-interface=Local new-routing-mark=to_WAN2 passthrough=yes

add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes

add action=accept chain=prerouting disabled=no dst-address=192.168.1.0/24 in-interface=Local
add action=accept chain=prerouting disabled=no dst-address=192.168.0.0/24 in-interface=Local

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN1 Traffic" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade WAN2 Traffic" disabled=no out-interface=WAN2
add action=redirect chain=dstnat comment="Redirect port 80 request to Mikrotik Web Proxy" disabled=no dst-port=80 protocol=tcp to-ports=8080

/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=to_WAN2 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10

ionutcyd · Wed Dec 16, 2015 8:08 pm

Hi there,

I'm trying to help a fiend of mine,

He has 3 providers and he uses load balancing . the problem is that the mikrotik is changing the ip every 10-15 seconds and the users complain that can't access internet banking and can't log on web servers . Is there anything that he can do to ?? I hope that you understood the problem . i'm not in the business and his english is not that good

Thanks a lot
Johnny

Who is online