ajgnet
newbie
Topic Author
Posts: 46
Joined: Wed Apr 27, 2022 1:57 am

Fasttrack with multiwan failover policy routing - possible for primary ISP?

Fri May 06, 2022 2:38 pm

I have 3 ISPs: VZ, NW, and SP. By default, all traffic goes out VZ, with NW and SP acting as failover. However, some traffic is marked to exit NW and SP depending on the destination IP, source IP, or destination port using mangle rules.

When I fasttrack all established, related traffic on the forward chain, traffic out my primary ISP VZ works as expected, but traffic marked by mangle rules out NW or SP either intermittently times out or goes out VZ. ICMP traffic routes as expected, which was deceiving at first until I realized Fasttrack ignores ICMP traffic and only processes TCP/UDP. We quickly turned Fasttrack off because of the intermittent connections.

But then I tried something, and it appears to be working. I only fasttrack the forward chain on established, related and define the inbound interface as ether1-VZFios (VZ, our primary ISP) and the outbound interface as sfp-sfpplus1-LAN (our LAN interface). This appears to Fasttrack all established, related connections on our primary ISP VZ while still allowing connections out VZ and SP to be processed by the mangle rules and ignored by Fasttrack. This should work for us since 90% of our traffic goes out VZ.

I wanted to share this possible solution, but also to get confirmation: is this the right way to do this?
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; Allow Established & Related
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
      in-interface=ether1-VZFios out-interface=sfp-sfpplus1-LAN log=no log-prefix=""

 2    ;;; Allow Established & Related
      chain=input action=accept connection-state=established,related log=no log-prefix=""

 3    ;;; Established, Related
      chain=forward action=accept connection-state=established,related log=no log-prefix=""

mangle rules:
 ;;; Mobile Devices Through NW
      chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes
      src-address-list=Mobile_Devices_IPv4 in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

;;; Streaming Media Devices Through SP
      chain=prerouting action=mark-routing new-routing-mark=to_SP passthrough=yes
      src-address-list=Streaming_Media_Devices_IPv4 in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

;;; Youtube & Google Through NW
      chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes
      dst-address-list=Youtube_Google_IPv4 in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

;;; Apple Through NW
      chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes dst-address-list=Apple_IPv4
      in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=VZ_conn passthrough=yes connection-mark=no-mark
      in-interface=ether1-VZFios log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=NW_conn passthrough=yes connection-mark=no-mark
      in-interface=ether2-NW log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=SP_conn passthrough=yes connection-mark=no-mark
      in-interface=ether3-Spectrum log=no log-prefix=""

chain=prerouting action=mark-routing new-routing-mark=to_VZ passthrough=yes connection-mark=VZ_conn
      in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes connection-mark=NW_conn
      in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

chain=prerouting action=mark-routing new-routing-mark=to_SP passthrough=yes connection-mark=SP_conn
      in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

chain=output action=mark-routing new-routing-mark=to_VZ passthrough=yes connection-mark=VZ_conn log=no
      log-prefix=""

chain=output action=mark-routing new-routing-mark=to_NW passthrough=yes connection-mark=NW_conn log=no
      log-prefix=""

chain=output action=mark-routing new-routing-mark=to_SP passthrough=yes connection-mark=SP_conn log=no
      log-prefix=""

chain=forward action=mark-connection new-connection-mark=VZ_conn passthrough=yes connection-state=new
      in-interface=ether1-VZFios log=no log-prefix=""

chain=forward action=mark-connection new-connection-mark=NW_conn passthrough=yes connection-state=new
      in-interface=ether2-NW log=no log-prefix=""

chain=forward action=mark-connection new-connection-mark=SP_conn passthrough=yes connection-state=new
      in-interface=ether3-Spectrum log=no log-prefix=""

nat rules masquerade all 3 exiting ISPs with some dst-nat rules for port 80 on each isp
chain=srcnat action=masquerade out-interface=ether1-VZFios log=no log-prefix=""

chain=srcnat action=masquerade out-interface=ether2-NW log=no log-prefix=""

chain=srcnat action=masquerade out-interface=ether3-Spectrum log=no log-prefix=""
 
chain=dstnat action=dst-nat to-addresses=10.0.10.1 to-ports=80 protocol=tcp in-interface=ether1-VZFios
      dst-port=80 log=no log-prefix=""
      
chain=dstnat action=dst-nat to-addresses=10.0.10.1 to-ports=80 protocol=tcp in-interface=ether2-NW dst-port=80
      log=no log-prefix=""

chain=dstnat action=dst-nat to-addresses=10.0.10.1 to-ports=80 protocol=tcp in-interface=ether3-Spectrum
      dst-port=80 log=no log-prefix=""     
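The same idea in `/ip firewall filter add` form, as an added example that is not part of the original post: the stock unrestricted fasttrack rule (the one the default firewall ships with) sits next to the interface-restricted rule from the post so the difference is visible in one place. Interface names are the poster's; the comments, the `disabled=yes` on the stock rule and the rule placement are this example's own.

```routeros
/ip firewall filter
# Stock rule: any established/related packet, including replies arriving on
# ether2-NW or ether3-Spectrum, sets the per-connection fasttrack flag, after
# which every packet of that connection bypasses mangle and the routing marks.
# Kept disabled here only to show the contrast with the restricted rule below.
add chain=forward action=fasttrack-connection connection-state=established,related \
    disabled=yes comment="UNRESTRICTED fasttrack - breaks NW/SP policy routing"

# Restricted rule: only a packet that enters from the primary WAN and is heading
# for the LAN can set the flag, so only connections whose replies come back via
# VZ are ever fasttracked. Connections steered out NW or SP never produce such a
# packet in the forward chain and keep going through the mangle rules.
add chain=forward action=fasttrack-connection connection-state=established,related \
    in-interface=ether1-VZFios out-interface=sfp-sfpplus1-LAN \
    comment="Fasttrack only connections whose replies enter via ether1-VZFios"

# The generic accept has to come after the fasttrack rule; if it is listed
# first, the fasttrack rule is never reached and nothing is offloaded.
add chain=forward action=accept connection-state=established,related \
    comment="Established, Related"
```

To confirm the split is doing what you expect, watch the counters of the auto-generated passthrough rule at the top of the forward chain with `/ip firewall filter print stats`, and look at `/ip firewall connection print`: connections carrying the fasttrack flag should all be ones whose replies arrive on ether1-VZFios, while NW_conn and SP_conn connections should not carry it. The `hw-offload=yes` option in the poster's rule is a RouterOS 7 addition and is independent of the interface restriction.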
 
 
ajgnet
newbie
Topic Author
Posts: 46
Joined: Wed Apr 27, 2022 1:57 am

Re: Fasttrack with multiwan failover policy routing - possible for primary ISP?

Mon Aug 29, 2022 5:31 pm

This solution no longer works on 7.5rc2
 
anav
Forum Guru
Posts: 21895
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Fasttrack with multiwan failover policy routing - possible for primary ISP?

Mon Aug 29, 2022 6:17 pm

How many exceptions do you have?
Users requiring special routing?
