2 wan and 3 Local subnets with inbound dst-nat
Posted: Sat Mar 18, 2017 5:13 pm
Hello,
I have 3 local subnets:
192.168.0.0/24
192.168.3.0/24
192.168.20.0/24
and 2 PPPOE internet WAN connection
1st WAN from E-Lcom ISP with 8Mbps speed
2nd WAN from Tarassul ISP with 4Mbps speed
I tried to configure load balance and dst-nat to access local server, the result are:
1- I couldn't get speed more than 6Mbps
2- I connection not stable. if I tried to download or upload a big file the connection got interrupted a lot
3- I couldn't manage to get access to the local server
I did load balance on Mikrotik RB1100X2AH using the following code:
# mar/18/2017 16:52:32 by RouterOS 6.30.4
# software id = VQC5-LHD2
#
/interface bridge
add name=bridge1-Servers_List
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ELcom
set [ find default-name=ether2 ] name=ether2-Tarassul
set [ find default-name=ether4 ] name=LAN2
set [ find default-name=ether5 ] name=LAN1
set [ find default-name=ether9 ] name=ether9-Server1
set [ find default-name=ether10 ] name=ether10-Server2
set [ find default-name=ether11 ] name=ether11-Server3
set [ find default-name=ether12 ] name=ether12-Server4
/interface pppoe-client
add disabled=no interface=ether1-ELcom \
max-mru=1480 max-mtu=1480 mrru=1600 name=E-Lcom password=***** user=\
*****
add disabled=no interface=ether2-Tarassul \
max-mru=1480 max-mtu=1480 mrru=1600 name=Tarassul password=**** user=\
*****
/interface bridge port
add bridge=bridge1-Servers_List interface=ether10-Server2
add bridge=bridge1-Servers_List interface=ether11-Server3
add bridge=bridge1-Servers_List interface=ether12-Server4
add bridge=bridge1-Servers_List interface=ether8
add bridge=bridge1-Servers_List interface=ether9-Server1
/ip address
add address=192.168.1.253/24 disabled=yes interface=ether3 network=\
192.168.1.0
add address=192.168.3.8/24 interface=LAN1 network=192.168.3.0
add address=192.168.20.254/24 interface=bridge1-Servers_List network=\
192.168.20.0
add address=192.168.20.250/24 interface=bridge1-Servers_List network=\
192.168.20.0
add address=172.16.10.1/24 interface=ether1-ELcom network=172.16.10.0
add address=172.16.20.1/24 interface=ether2-Tarassul network=172.16.20.0
add address=192.168.0.1/24 interface=LAN2 network=192.168.0.0
/ip dhcp-relay
add dhcp-server=192.168.20.10 disabled=no interface=LAN1 name=\
"DHCP Relay"
/ip firewall address-list
add address=192.168.20.0/24 list=Servers_List
add address=192.168.3.0/24 list=LAN1_List
add address=192.168.0.0/24 list=LAN2_List
add address=172.16.10.0/24 list=E-Lcom_Wan
add address=172.16.20.0/24 list=Tarassul_Wan
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input src-address=192.168.3.0/24
add chain=input src-address=192.168.20.0/24
add chain=input src-address=192.168.0.0/24
add chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=443 protocol=tcp
add chain=input dst-port=80 protocol=tcp
add action=drop chain=input
/ip firewall mangle
add chain=prerouting dst-address-list=LAN1_List \
src-address-list=LAN1_List
add chain=prerouting dst-address-list=Servers_List \
src-address-list=LAN1_List
add chain=prerouting dst-address-list=LAN1_List \
src-address-list=Servers_List
add chain=prerouting dst-address-list=\
E-Lcom_Wan src-address-list=LAN1_List
add chain=prerouting dst-address-list=\
Tarassul_Wan src-address-list=LAN1_List
add chain=prerouting dst-address-list=LAN2_List \
src-address-list=LAN2_List
add action=mark-connection chain=forward \
connection-mark=no-mark in-interface=\
E-Lcom new-connection-mark=E-Lcom_Conn passthrough=no
add action=mark-connection chain=forward \
connection-mark=no-mark in-interface=\
Tarassul new-connection-mark=Tarassul_Conn passthrough=no
add action=mark-connection chain=prerouting \
connection-mark=no-mark in-interface=\
E-Lcom new-connection-mark=E-Lcom_Conn
add action=mark-connection chain=prerouting \
connection-mark=no-mark \
in-interface=Tarassul new-connection-mark=Tarassul_Conn
add action=jump chain=prerouting connection-mark=no-mark in-interface=\
LAN1 jump-target=Policy_Routing
add action=jump chain=prerouting connection-mark=no-mark in-interface=\
bridge1-Servers_List jump-target=Policy_Routing
add action=jump chain=prerouting connection-mark=no-mark in-interface=\
LAN2 jump-target=Policy_Routing
add action=mark-routing chain=prerouting \
connection-mark=E-Lcom_Conn \
new-routing-mark=E-Lcom_Traffic src-address-list=LAN1_List
add action=mark-routing chain=prerouting \
connection-mark=E-Lcom_Conn \
new-routing-mark=E-Lcom_Traffic src-address-list=Servers_List
add action=mark-routing chain=prerouting \
connection-mark=E-Lcom_Conn new-routing-mark=E-Lcom_Traffic \
src-address-list=LAN2_List
add action=mark-routing chain=prerouting \
connection-mark=Tarassul_Conn \
new-routing-mark=Tarassul_Traffic src-address-list=LAN1_List
add action=mark-routing chain=prerouting \
connection-mark=Tarassul_Conn \
new-routing-mark=Tarassul_Traffic src-address-list=Servers_List
add action=mark-routing chain=prerouting \
connection-mark=Tarassul_Conn \
new-routing-mark=Tarassul_Traffic src-address-list=LAN2_List
add action=mark-routing chain=output \
connection-mark=E-Lcom_Conn new-routing-mark=E-Lcom_Traffic
add action=mark-routing chain=output \
connection-mark=Tarassul_Conn new-routing-mark=Tarassul_Traffic
add action=mark-connection chain=Policy_Routing dst-address-type=!local \
new-connection-mark=E-Lcom_Conn per-connection-classifier=src-address:2/0
add action=mark-connection chain=Policy_Routing dst-address-type=!local \
new-connection-mark=Tarassul_Conn per-connection-classifier=\
src-address:2/1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=E-Lcom
add action=masquerade chain=srcnat out-interface=Tarassul
add action=dst-nat chain=dstnat dst-port=80 in-interface=\
E-Lcom protocol=tcp to-addresses=192.168.20.11 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=\
E-Lcom protocol=tcp to-addresses=192.168.20.11 to-ports=443
add action=dst-nat chain=dstnat dst-port=3389 in-interface=E-Lcom \
protocol=tcp to-addresses=192.168.20.202 to-ports=3389
/ip route
add check-gateway=arp distance=50 gateway=E-Lcom routing-mark=E-Lcom_Traffic
add check-gateway=arp distance=50 gateway=Tarassul routing-mark=\
Tarassul_Traffic
add check-gateway=arp distance=100 gateway=E-Lcom
add check-gateway=arp distance=110 gateway=Tarassul
add disabled=yes distance=1 gateway=192.168.1.2
it worked fine, EXCEPT that I have an Exchange server on Local network 192.168.20.11 with outlook web access enabled.
I used to use my mobile to check my email on this server. after I configure this load balance it works sometimes but most of times it doesn't.
would you please help me to find the problem
I have 3 local subnets:
192.168.0.0/24
192.168.3.0/24
192.168.20.0/24
and 2 PPPOE internet WAN connection
1st WAN from E-Lcom ISP with 8Mbps speed
2nd WAN from Tarassul ISP with 4Mbps speed
I tried to configure load balance and dst-nat to access local server, the result are:
1- I couldn't get speed more than 6Mbps
2- I connection not stable. if I tried to download or upload a big file the connection got interrupted a lot
3- I couldn't manage to get access to the local server
I did load balance on Mikrotik RB1100X2AH using the following code:
# mar/18/2017 16:52:32 by RouterOS 6.30.4
# software id = VQC5-LHD2
#
/interface bridge
add name=bridge1-Servers_List
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ELcom
set [ find default-name=ether2 ] name=ether2-Tarassul
set [ find default-name=ether4 ] name=LAN2
set [ find default-name=ether5 ] name=LAN1
set [ find default-name=ether9 ] name=ether9-Server1
set [ find default-name=ether10 ] name=ether10-Server2
set [ find default-name=ether11 ] name=ether11-Server3
set [ find default-name=ether12 ] name=ether12-Server4
/interface pppoe-client
add disabled=no interface=ether1-ELcom \
max-mru=1480 max-mtu=1480 mrru=1600 name=E-Lcom password=***** user=\
*****
add disabled=no interface=ether2-Tarassul \
max-mru=1480 max-mtu=1480 mrru=1600 name=Tarassul password=**** user=\
*****
/interface bridge port
add bridge=bridge1-Servers_List interface=ether10-Server2
add bridge=bridge1-Servers_List interface=ether11-Server3
add bridge=bridge1-Servers_List interface=ether12-Server4
add bridge=bridge1-Servers_List interface=ether8
add bridge=bridge1-Servers_List interface=ether9-Server1
/ip address
add address=192.168.1.253/24 disabled=yes interface=ether3 network=\
192.168.1.0
add address=192.168.3.8/24 interface=LAN1 network=192.168.3.0
add address=192.168.20.254/24 interface=bridge1-Servers_List network=\
192.168.20.0
add address=192.168.20.250/24 interface=bridge1-Servers_List network=\
192.168.20.0
add address=172.16.10.1/24 interface=ether1-ELcom network=172.16.10.0
add address=172.16.20.1/24 interface=ether2-Tarassul network=172.16.20.0
add address=192.168.0.1/24 interface=LAN2 network=192.168.0.0
/ip dhcp-relay
add dhcp-server=192.168.20.10 disabled=no interface=LAN1 name=\
"DHCP Relay"
/ip firewall address-list
add address=192.168.20.0/24 list=Servers_List
add address=192.168.3.0/24 list=LAN1_List
add address=192.168.0.0/24 list=LAN2_List
add address=172.16.10.0/24 list=E-Lcom_Wan
add address=172.16.20.0/24 list=Tarassul_Wan
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input src-address=192.168.3.0/24
add chain=input src-address=192.168.20.0/24
add chain=input src-address=192.168.0.0/24
add chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=443 protocol=tcp
add chain=input dst-port=80 protocol=tcp
add action=drop chain=input
/ip firewall mangle
add chain=prerouting dst-address-list=LAN1_List \
src-address-list=LAN1_List
add chain=prerouting dst-address-list=Servers_List \
src-address-list=LAN1_List
add chain=prerouting dst-address-list=LAN1_List \
src-address-list=Servers_List
add chain=prerouting dst-address-list=\
E-Lcom_Wan src-address-list=LAN1_List
add chain=prerouting dst-address-list=\
Tarassul_Wan src-address-list=LAN1_List
add chain=prerouting dst-address-list=LAN2_List \
src-address-list=LAN2_List
add action=mark-connection chain=forward \
connection-mark=no-mark in-interface=\
E-Lcom new-connection-mark=E-Lcom_Conn passthrough=no
add action=mark-connection chain=forward \
connection-mark=no-mark in-interface=\
Tarassul new-connection-mark=Tarassul_Conn passthrough=no
add action=mark-connection chain=prerouting \
connection-mark=no-mark in-interface=\
E-Lcom new-connection-mark=E-Lcom_Conn
add action=mark-connection chain=prerouting \
connection-mark=no-mark \
in-interface=Tarassul new-connection-mark=Tarassul_Conn
add action=jump chain=prerouting connection-mark=no-mark in-interface=\
LAN1 jump-target=Policy_Routing
add action=jump chain=prerouting connection-mark=no-mark in-interface=\
bridge1-Servers_List jump-target=Policy_Routing
add action=jump chain=prerouting connection-mark=no-mark in-interface=\
LAN2 jump-target=Policy_Routing
add action=mark-routing chain=prerouting \
connection-mark=E-Lcom_Conn \
new-routing-mark=E-Lcom_Traffic src-address-list=LAN1_List
add action=mark-routing chain=prerouting \
connection-mark=E-Lcom_Conn \
new-routing-mark=E-Lcom_Traffic src-address-list=Servers_List
add action=mark-routing chain=prerouting \
connection-mark=E-Lcom_Conn new-routing-mark=E-Lcom_Traffic \
src-address-list=LAN2_List
add action=mark-routing chain=prerouting \
connection-mark=Tarassul_Conn \
new-routing-mark=Tarassul_Traffic src-address-list=LAN1_List
add action=mark-routing chain=prerouting \
connection-mark=Tarassul_Conn \
new-routing-mark=Tarassul_Traffic src-address-list=Servers_List
add action=mark-routing chain=prerouting \
connection-mark=Tarassul_Conn \
new-routing-mark=Tarassul_Traffic src-address-list=LAN2_List
add action=mark-routing chain=output \
connection-mark=E-Lcom_Conn new-routing-mark=E-Lcom_Traffic
add action=mark-routing chain=output \
connection-mark=Tarassul_Conn new-routing-mark=Tarassul_Traffic
add action=mark-connection chain=Policy_Routing dst-address-type=!local \
new-connection-mark=E-Lcom_Conn per-connection-classifier=src-address:2/0
add action=mark-connection chain=Policy_Routing dst-address-type=!local \
new-connection-mark=Tarassul_Conn per-connection-classifier=\
src-address:2/1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=E-Lcom
add action=masquerade chain=srcnat out-interface=Tarassul
add action=dst-nat chain=dstnat dst-port=80 in-interface=\
E-Lcom protocol=tcp to-addresses=192.168.20.11 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=\
E-Lcom protocol=tcp to-addresses=192.168.20.11 to-ports=443
add action=dst-nat chain=dstnat dst-port=3389 in-interface=E-Lcom \
protocol=tcp to-addresses=192.168.20.202 to-ports=3389
/ip route
add check-gateway=arp distance=50 gateway=E-Lcom routing-mark=E-Lcom_Traffic
add check-gateway=arp distance=50 gateway=Tarassul routing-mark=\
Tarassul_Traffic
add check-gateway=arp distance=100 gateway=E-Lcom
add check-gateway=arp distance=110 gateway=Tarassul
add disabled=yes distance=1 gateway=192.168.1.2
it worked fine, EXCEPT that I have an Exchange server on Local network 192.168.20.11 with outlook web access enabled.
I used to use my mobile to check my email on this server. after I configure this load balance it works sometimes but most of times it doesn't.
would you please help me to find the problem