Hi Guy's
I have a strange problem and I think it's because of the MT Loadbalance.
This is my DNAT rule which seems to be working fine.
chain=dstnat dst-address=172.22.2.100 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.68 to-ports=22
I can see the connection coming into the MT but at the remote end it is just timing out. I think this is due to the request coming in one WAN connection and returning on the other WAN connection. Can anyone tell me how I can make sure that the port 22 request routes back out the same connection it came in on.
Thanks Mark
Re: SSH connection and Loadbalancer
you have to mangle those packets coming in WAN2 and send them back out wan2. Search this thread for an example:
http://forum.mikrotik.com/viewtopic.php ... pip#p78216
Sam
http://forum.mikrotik.com/viewtopic.php ... pip#p78216
Sam
Re: SSH connection and Loadbalancer
Hi Sam,
Thanks for the pointer. I still can get this dam thing to work. I ran touch and can see that dst-nat is working but I am still not getting a response back from the server. I have tried to mark the connection, packet and route and added the static+policy please see below:
x.x.x.x = the client address trying to connect to the server. I am not 100% sure it should be that address.
chain=dstnat dst-address=172.22.2.100 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.68 to-ports=22
27 chain=prerouting dst-address=x.x.x.x protocol=tcp dst-port=22 connection-mark=ssh action=mark-connection new-connection-mark=ssh passthrough=yes
28 chain=prerouting dst-address=x.x.x.x protocol=tcp dst-port=22 packet-mark=ssh action=mark-packet new-packet-mark=ssh passthrough=yes
29 chain=postrouting dst-address=x.x.x.x protocol=tcp dst-port=22 routing-mark=ssh action=mark-routing new-routing-mark=ssh passthrough=yes
2 dst-address=86.22.69.205/32 action=lookup table=ssh
Bascially I need to make sure that the ssh return path is routed out through WAN1 ....
Thanks Mark
Thanks for the pointer. I still can get this dam thing to work. I ran touch and can see that dst-nat is working but I am still not getting a response back from the server. I have tried to mark the connection, packet and route and added the static+policy please see below:
x.x.x.x = the client address trying to connect to the server. I am not 100% sure it should be that address.
chain=dstnat dst-address=172.22.2.100 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.68 to-ports=22
27 chain=prerouting dst-address=x.x.x.x protocol=tcp dst-port=22 connection-mark=ssh action=mark-connection new-connection-mark=ssh passthrough=yes
28 chain=prerouting dst-address=x.x.x.x protocol=tcp dst-port=22 packet-mark=ssh action=mark-packet new-packet-mark=ssh passthrough=yes
29 chain=postrouting dst-address=x.x.x.x protocol=tcp dst-port=22 routing-mark=ssh action=mark-routing new-routing-mark=ssh passthrough=yes
2 dst-address=86.22.69.205/32 action=lookup table=ssh
Bascially I need to make sure that the ssh return path is routed out through WAN1 ....
Thanks Mark
Re: SSH connection and Loadbalancer
rather than trying to only route ssh out wan2, you should route anything that comes in WAN2 back out wan2.
27 chain=prerouting in-interface=wan2 action=mark-connection new-connection-mark=in-wan2-conn passthrough=yes
then mark those packets belonging to in-wan2-conn with a new packet mark, and then route mark those packets. in-interface=wan2 is the key, you want to mangle anything coming in wan2 so you can later send it back out wan2. There is a clear example of this on the link above.
Sam
27 chain=prerouting in-interface=wan2 action=mark-connection new-connection-mark=in-wan2-conn passthrough=yes
then mark those packets belonging to in-wan2-conn with a new packet mark, and then route mark those packets. in-interface=wan2 is the key, you want to mangle anything coming in wan2 so you can later send it back out wan2. There is a clear example of this on the link above.
Sam
Re: SSH connection and Loadbalancer
Hi Sam,
I used you example and mangle picked up the traffic. I then added the routing policy. I then noticed that ether1 had not TX rate ... it was receiving but no TX .... I disable the policy and the TX started working again ???
Strange
Mark
I used you example and mangle picked up the traffic. I then added the routing policy. I then noticed that ether1 had not TX rate ... it was receiving but no TX .... I disable the policy and the TX started working again ???
Strange
Mark
Re: SSH connection and Loadbalancer
go ahead and post the following if yo uwant me to look at it more:
/ip route export
/ip firewall mangle export
Sam
/ip route export
/ip firewall mangle export
Sam
-
-
invader zog
Frequent Visitor
- Posts: 84
- Joined:
Re: SSH connection and Loadbalancer
this is a variant of the problem i've been strugglign with -- read a few of my posts for some solutions...