Multiple Gateways, PPPoE and Web-Proxy One Question

mk0000 · Fri Nov 04, 2011 1:59 pm

Hello,

i have use the following Sites

http://wiki.mikrotik.com/wiki/Load_Bala ... e_Gateways
http://wiki.mikrotik.com/wiki/Pppoe_ser ... h_profiles

for Multiple Gateways and the PPPoE-Server functionally fine.

http://wiki.mikrotik.com/wiki/How_to_ma ... _web_proxy

But when i use the transparent Web-Proxy the Traffic can't find a route. Where is my failure?

My Routes:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
routing-mark=GroupB scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
routing-mark=GroupA scope=30 target-scope=10

My Firewall - NAT

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no \
src-address=192.168.88.0/24
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp \
to-ports=8080

My Firewall - Mangle

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=GroupB \
passthrough=yes src-address=192.168.88.22
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
connection_tcp passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=connection_tcp \
disabled=no new-packet-mark=conn_tcp passthrough=no

The last 2 Rules I use for the Queues.

I hope you can help me.

fewi · Fri Nov 04, 2011 2:02 pm

When you use the proxy the router originates the traffic. Your mangle rules don't mark that traffic (traffic originated by the router doesn't go through pre-routing), so there's no route to take.

Just duplicate exactly the routes you have, move them under the existing ones, and remove the routing-mark property.

mk0000 · Fri Nov 04, 2011 3:03 pm

This works, but the traffic goes over the first route....
I will separating the traffic over the 2 WAN-Ports and this must work with the web-proxy too.
Or is that no way?

fewi · Fri Nov 04, 2011 3:34 pm

Then duplicate your mangle rules that mark routing in the output chain so that traffic originated by the router has routing marks applied to it.

mk0000 · Fri Nov 04, 2011 4:47 pm

Hello fewi,

can you post a example?

I have test it with, but it doesn't work:

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=GroupA \
passthrough=yes src-address=192.168.88.22
add action=mark-routing chain=output disabled=no new-routing-mark=GroupA \
passthrough=yes src-address=192.168.88.22
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
connection_tcp passthrough=yes protocol=tcp
add action=mark-connection chain=output disabled=no new-connection-mark=\
connection_tcp passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=connection_tcp \
disabled=no new-packet-mark=conn_tcp passthrough=no
add action=mark-packet chain=output connection-mark=connection_tcp disabled=no \
new-packet-mark=conn_tcp passthrough=no

mk0000 · Fri Nov 04, 2011 9:22 pm

Have every one an idea? I have test it withe the Rules you can see in my last Post but it doesn't work.

fewi · Fri Nov 04, 2011 9:25 pm

Those mangle rules don't seem to make much sense. There's no marking for 'GroupB', for example. And 'GroupA' only gets marked for traffic to 192.168.88.22 as a single IP. Is that your entire ruleset?

What are you actually trying to do - don't post config at this point, post the overall business goal. Maybe add a network diagram.

mk0000 · Fri Nov 04, 2011 9:46 pm

The attached file shows my network diagram.
I have many Clients for GroupA and GroupB.
For the allocation of IP addresses assigned to individual groups, it can later be moved based on the traffic of one or the other yet.
On the Mikrotik router 2 WAN run together and the traffic must pass through the web proxy (but for every client on the appropriate group / WAN interface).
Your Idea with the 2 Routes without any Routingmarks works fine but over one WAN for all Clients. This I can not use.
I hope you can helpme.

fewi · Fri Nov 04, 2011 9:57 pm

That's impossible. The connection from the web proxy to the Internet is separate from the original connection, and it's impossible to determine whether a connection from the proxy to the Internet is because of a request from group A or group B.

mk0000 · Fri Nov 04, 2011 10:09 pm

hmmm
So I need another router in front of the device which then takes over the web proxy?

fewi · Fri Nov 04, 2011 10:22 pm

How would that device know whether or not something came from group A or group B?

You simply can't use a RouterOS proxy and send group A traffic via WAN link 1 and group B traffic via WAN link 2 because the proxied traffic no longer comes from either group, it comes from the router running the proxy. You can spread traffic randomly across both circuits, but not use the group to make a decision.

The only possible approach would be to have two additional routers, each running a proxy - one for group A, and one for group B.

mk0000 · Sat Nov 05, 2011 9:52 am

Okay, I will test it....

One Question About this Network-Diagram...

If the Web proxy would stay away, the total traffic of 64 Mbps would be about over one RB 450G with connection tracking, is this possible?
Or even why I need two single RB 450G?

Multiple Gateways, PPPoE and Web-Proxy One Question

Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Re: Multiple Gateways, PPPoE and Web-Proxy One Question

Who is online