MrIC
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Jan 13, 2009 11:34 pm

help with mark routing

Fri Apr 29, 2011 2:06 am

Hello there,
I have 2 ADSL lines and am using PCC to load balance them.
I need to mark routing for an extension so that this extension works only through one line.
This is my config:
/ip firewall layer7-protocol
add comment="" name="Extension \" .exe \"" regexp="\\.(exe)"

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn disabled=no in-interface=Local new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn disabled=no in-interface=Local new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=yes dst-address-type=!local in-interface=Local layer7-protocol="Extension \" .exe \"" new-connection-mark=MC.exe passthrough=yes \
    protocol=tcp
add action=mark-routing chain=prerouting comment="" connection-mark=MC.exe disabled=yes in-interface=Local new-routing-mark=MR.exe passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2

/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_wan2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.10.1 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=MR.exe scope=30 target-scope=10
But it didn't work.
Can someone help me with this?

Sorry for my bad English.
Thanks in advance.
 
MrIC
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Jan 13, 2009 11:34 pm

Re: help with mark routing

Sat Apr 30, 2011 4:14 pm

Any help??
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: help with mark routing

Sat Apr 30, 2011 7:59 pm

That's impossible to do. Anything based on layer seven for TCP connections has already passed at least 3 packets (the handshake) before any actual upper level protocol data is passed. Those packets will already have been NATed out an interface, so it's too late to change interfaces, since subsequent packets in the connection must come from the same source address for the other endpoint to accept them. If you're dealing with real IPs only, you can make routing decisions on anything; if you're dealing with private IPs, you can only decide based on properties available with the very first packet.
That is the theory - in practice RouterOS also does not let you change NAT IP addresses, so even if the other endpoint would allow you to change IPs, the original source IP would still go out the "wrong" circuit and the ISP would discard it.
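As an added example, not from the thread, this shows how the first-packet constraint fewi describes can be applied: a connection is pinned to WAN1 by its destination address (visible in the SYN) before the PCC rules classify it, so it is NATed and routed out one line from the first packet on. Interface names, connection marks and routing marks are taken from the original config; the address list pin_wan1 and the 203.0.113.0/24 destination are constructed placeholders.

```routeros
# Added example (not from the thread). Pin traffic to WAN1 using only a property
# present in the first packet of the connection: the destination address.
# "pin_wan1" and 203.0.113.0/24 are constructed placeholders.
/ip firewall address-list
add list=pin_wan1 address=203.0.113.0/24 comment="constructed placeholder destination"

/ip firewall mangle
# Router-originated traffic, as in the original config
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1 passthrough=yes
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2 passthrough=yes

# 1. Decide on the first packet (connection-state=new), before PCC sees the connection.
#    Destination address is known here; a layer7 match on the payload is not.
add chain=prerouting connection-state=new in-interface=Local dst-address-type=!local \
    dst-address-list=pin_wan1 action=mark-connection new-connection-mark=wan1_conn passthrough=yes

# 2. PCC classifies only connections that are still unmarked (connection-mark=no-mark),
#    so the pinned connection keeps wan1_conn instead of being re-marked.
add chain=prerouting connection-mark=no-mark in-interface=Local dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/0 \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=Local dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/1 \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes

# 3. Every packet of a marked connection, handshake included, gets the matching
#    routing mark, so the whole connection and its NAT leave via the same WAN.
add chain=prerouting connection-mark=wan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting connection-mark=wan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wan2 passthrough=no
```

The /ip firewall nat and /ip route sections from the original post are used unchanged; the MR.exe mangle rules and route are not needed, since the pinned connection already carries to_wan1.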