Dear All,
My proxy (192.168.2.2) connected to internet via mikrotik using load balancing between 2 lines. The Lines are fine.
Mikrotik IPs are 192.168.9.3 to modem and 192.168.2.1 to local
When I add (please ignore the syntax error, I get used to winbox ):
1. ip route: destination=0.0.0.0/0 gateway=192.168.1.1, 192.168.1.2 routing-mark=proxyroute
2. ip mangle: chain=prerouting src-address=192.168.2.2 connection-state=new action=mark-conn new-mark=connmark
3. ip mangle : chain=prerouting conn-mark=connmark action=mark-routing new-mark=proxyroute
It does not work, the client browser cannot receive website it asked for.

But when I omit line number 2 and change line number 3 with
ip mangle: chain=prerouting src-address=192.168.2.2 action=mark-routing new-mark=proxyroute
It works.

Is there any mistake I made?
Please, any suggestion welcome.

Thank you,
Andre

Dear all ;
The load balance is an important case to most of the MikroTik users .
can anyone guide us how to make a load balance between two internet or more so the traffic will be divided by them .
also what is the suitable document we should read in mikrotik web site for this ? .
waiting your feedback .
with best regards .

dont use connection mark for this, use routing mark and use it on another ip route with the same distance than your current gateway.

regards

When I add (please ignore the syntax error, I get used to winbox ):
1. ip route: destination=0.0.0.0/0 gateway=192.168.1.1, 192.168.1.2 routing-mark=proxyroute

Hi ;
if your wan interface to internet with ip 192.168.9.3 and your local network interface ip 192.168.2.1
what are these ip's for ? 192.168.1.1 & 192.168.1.2

dont use connection mark for this, use routing mark and use it on another ip route with the same distance than your current gateway.
regards

what do you mean by " use it on another ip route ?
waiting your replies .
with best regards .

andre_i -

I have read your post a few times and am still not quite sure what your setup is...here is how it looks to me from your description....

WAN --| (Your post says your gateways are 192.168.1.1)
******WAN 192.168.9.3 MT Router LAN 192.168.2.1<->Proxy 192.168.2.2
WAN --| (and 192.168.1.2) How can your MT WAN be 192.168.9.3 with the GWs being 192.168.1.x?

Maybe if you lay this out a little better -

wan--|
*****<->WAN MT Box LAN<->Proxy <(are users here on the Proxy)
wan--| ^<-> users <(or here on the MT?)


We could understand better how to help you.

R/

Hi ;
as i am reading more about this topic and i will use load balance soon , i have a couple of questions .
like the web proxy cache , Do i have to make two redirect rule in the firewall nat ? one for each internet modem ? .
do i have to repeat the firewall filter and mangle rules for the new modem ? or just add a new gateway for the second internet modem ?
with best regards .

Dear all ;
the case of load balancing is very important to us .
now i am have two VSAT terminals i am connecting them to MT , follow the topics in wiki but there is problem doing the loadbalance .
on of the topics say to mark the connection with nth to odd and even and then to mark the route for the connection and use it with static route .
what i noticed is that the odd packets number more than the even packets all the time , and the packets marked for the route mark more than the packets marked with the connection that's only for the odd while in the even case the number of packets are similar .
then by using a static route to ISP1 with odd mark and another static route to ISP2 with even mark and a third static route as the topic say to be used by the router itself to ISP1 , all the traffic going to only one internet gatway while the second one is not passing traffic .
if i add the second gateway to the third static route , then the two internet terminals start passing traffic but actully there is no internet at the client side .
and if i remove the third static route the internet stop as well .
i will write here the commands i am doing now to test the load balance :
lan > going to wire clients
wlan > going to wireless clients
iDirect > going to ISP1
Hughes > going to ISP2 with the configuration above i got the same number of packet for each mark , ex : wire odd packet & wire odd route = 100
wireless odd packet & wireless odd route = 230
so on .
and only with this configuration as i wrote above the two internet terminals are showing traffic .
please we all need help in this case as it help us to improve the weak service we are get from ISP .
anycomment and any practical had been done by anyone and work fine please give us your advice .
with best regards to all

ahmedsaffar76 -

It looks like you are using ROS 2.9.x can you confirm this? Things are different between v2.9.x and 3.x so confirmation is necessary to help you out....

R/

ahmedsaffar76 -

Also - can you just do a print of your rules? " /ip route print ", /ip route rule print ,
/ip firewall nat print , /ip firewall mangle print , etc,....

When you a dump like you did, the rules are not necessarily in the order of precedence they appear in the router as.

R/

Dear sir ;
yes now i am using 2.9.27 ,and i am realy thinking to upgrade to 3.6 with level 4 licence .
if you could help to advise me how to manage this with 2.9.27 and how to mange it with 3.x so when i upgrade i will not have to stop the service to clients for long time .
i will write the print command results this day but i am going only to remove the ip .
with best regards .

Dear sir ;
yes now i am using 2.9.27 ,and i am realy thinking to upgrade to 3.6 with level 4 licence .
if you could help to advise me how to manage this with 2.9.27 and how to mange it with 3.x so when i upgrade i will not have to stop the service to clients for long time .
i will write the print command results this day but i am going only to remove the ip .
with best regards .

Hello again ;
here are the information you asked for , i just removed the ISP ip for it

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 xxx.xxx.xxx.xxx/30 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx iDirect
1 yyy.yyy.yyy.yyy/28 yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy hughes
2 192.168.3.1/24 192.168.3.0 192.168.3.255 lan
3 192.168.4.1/24 192.168.4.0 192.168.4.255 wlan1
4 D 192.168.3.5/32 192.168.3.4 0.0.0.0 <pppoe-zaidtariq>
5 D 192.168.3.3/32 192.168.3.2 0.0.0.0 <pppoe-ahmedali>
6 D 192.168.4.118/32 192.168.4.117 0.0.0.0 <pppoe-mustafaali>
7 D 192.168.4.116/32 192.168.4.115 0.0.0.0 <pppoe-hazimqasim>
8 D 192.168.4.3/32 192.168.4.2 0.0.0.0 <pppoe-waleed>
9 D 192.168.4.104/32 192.168.4.103 0.0.0.0 <pppoe-ahmedbasim>
10 D 192.168.4.9/32 192.168.4.8 0.0.0.0 <pppoe-abuthyaa>
11 D 192.168.4.120/32 192.168.4.119 0.0.0.0 <pppoe-nasernaif>
12 D 192.168.3.102/32 192.168.3.101 0.0.0.0 <pppoe-jinan>
13 D 192.168.4.5/32 192.168.4.4 0.0.0.0 <pppoe-dr.omar>
14 D 192.168.4.106/32 192.168.4.105 0.0.0.0 <pppoe-ahmedjabbar>

xxx.xxx.xxx.xxx the ip from ISP1
yyy.yyy.yyy.yyy the ip from ISP2
i am using two pppoe servers one for lan interface and the second one to wlan interface
for each client i assing two pools , each pool is only one ip , later i'll use this ip's in the simple queue .

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DIS
0 ADC yyy.yyy.yyy.yyy/28 yyy.yyy.yyy.yyy
1 ADC xxx.xxx.xxx.xxx/30 xxx.xxx.xxx.xxx
2 ADC 192.168.3.2/32 192.168.3.3
3 ADC 192.168.3.4/32 192.168.3.5
4 ADC 192.168.3.101/32 192.168.3.102
5 ADC 192.168.3.0/24 192.168.3.1
6 ADC 192.168.4.2/32 192.168.4.3
7 ADC 192.168.4.4/32 192.168.4.5
8 ADC 192.168.4.8/32 192.168.4.9
9 ADC 192.168.4.103/32 192.168.4.104
10 ADC 192.168.4.105/32 192.168.4.106
11 ADC 192.168.4.115/32 192.168.4.116
12 ADC 192.168.4.117/32 192.168.4.118
13 ADC 192.168.4.119/32 192.168.4.120
14 ADC 192.168.4.0/24 192.168.4.1
15 X S 0.0.0.0/0 r xxx.xxx.xxx.xxx
16 X S 0.0.0.0/0 u yyy.yyy.yyy.yyy
17 A S 0.0.0.0/0 r xxx.xxx.xxx.xxx

you will see that there are two static routes disabled , because i not wish to stop the service to client .
once i enable the two static routes only one terminal work and when i add the GW yyy.yyy.yyy.yyy to the last row in the table which it appear active now , the two terminals start work put the internet stop .
in the table above the route marks not appear .
the row number 15 , with mark route odd
the row number 16 , with mark route even

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward protocol=tcp tcp-flags=syn connection-limit=24,32 action=jump jump-target=drop

1 chain=drop action=drop

as i just installed the server yesterday to another pc machine i only put one rule to limit client connections to internet
later rules will be added

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=srcnat src-address=192.168.3.0/24 action=masquerade

1 X chain=srcnat src-address=192.168.4.0/24 action=masquerade

2 chain=srcnat action=masquerade

when i enable the static routes i enable rules 0 & 1 and disable 2

[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; wireless odd connection mark
chain=prerouting in-interface=wlan1 connection-state=new nth=1,1,0 action=mark-packet
new-packet-mark=odd passthrough=yes

1 ;;; wireless odd route marking
chain=prerouting in-interface=wlan1 packet-mark=odd action=mark-routing new-routing-mark=odd
passthrough=no

2 ;;; wire odd connection mark
chain=prerouting in-interface=lan connection-state=new nth=1,1,0 action=mark-packet
new-packet-mark=odd passthrough=yes

3 ;;; wire odd route marking
chain=prerouting in-interface=lan packet-mark=odd action=mark-routing new-routing-mark=odd
passthrough=no

4 ;;; wireless even connection mark
chain=prerouting in-interface=wlan1 connection-state=new nth=1,1,1 action=mark-packet
new-packet-mark=even passthrough=yes

5 ;;; wireless even route marking
chain=prerouting in-interface=wlan1 packet-mark=even action=mark-routing new-routing-mark=even
passthrough=no

6 ;;; wire even connection mark
chain=prerouting in-interface=lan connection-state=new nth=1,1,1 action=mark-packet
new-packet-mark=even passthrough=yes

7 ;;; wire even route marking
chain=prerouting in-interface=lan packet-mark=even action=mark-routing new-routing-mark=even
passthrough=no

attached a photo showing the mangle how count the packets
with best regards

ahmedsaffar76 -

Look at this wiki article - this is what you are trying to do.... If this does not make sense or you cannot get it to work - drop a line back here on the forum with your config and we will sort it out from there.

Link: http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent


R/

ahmedsaffar76 -

Two things jumped out at me - first you have no routing rules.... In Winbox, /IP route , select the rule tab - at the very least you should have one rule and it should be;

src 0.0.0.0/0 dst 0.0.0.0/0 action=lookup table=main

0 chain=srcnat src-address=192.168.3.0/24 action=masquerade

1 chain=srcnat src-address=192.168.4.0/24 action=masquerade

For the scr-nat rules above - I would use this type of rule...

chain=srcnat action=masquerade out-interface=iDirect routing-mark=odd
chain=srcnat action=masquerade out-interface=hughes routing-mark=even

As you can not use a src address because you are marking two different 'Input' IP address blocks, with two different routing marks....

For the last masquerade rule you need to pick an outgoing interface.... Pick the one you think is the most reliable, no routing marks required.

I still recommend the wiki I quoted above - the address list feature is very helpful for maintaining persistent links for sites that require it.

R/

ahmedsaffar76 -

Two things jumped out at me - first you have no routing rules.... In Winbox, /IP route , select the rule tab - at the very least you should have one rule and it should be;

src 0.0.0.0/0 dst 0.0.0.0/0 action=lookup table=main

0 chain=srcnat src-address=192.168.3.0/24 action=masquerade

1 chain=srcnat src-address=192.168.4.0/24 action=masquerade

For the scr-nat rules above - I would use this type of rule...

chain=srcnat action=masquerade out-interface=iDirect routing-mark=odd
chain=srcnat action=masquerade out-interface=hughes routing-mark=even

As you can not use a src address because you are marking two different 'Input' IP address blocks, with two different routing marks....

For the last masquerade rule you need to pick an outgoing interface.... Pick the one you think is the most reliable, no routing marks required.

I still recommend the wiki I quoted above - the address list feature is very helpful for maintaining persistent links for sites that require it.

R/

i put reply put i lost it during sending the post .
i will use these nat rules and inform you .
during that please give us explaining to the rule tab in the ip route .
with best regards .

ahmedsaffar76 -

That rule is a 'policy routing rule'. I can't explain why MT ROS requires it, but I do know that when you are using connection tracking, (nat, mangle, etc), that MT ROS EXPECTS there to be at least one rule in policy routing. So using 0.0.0.0/0 with action=lookup and table=main sends connection tracking sub-module to your main routing table to look everything up in and thus route out the correct interface.

R/

yes now i am using 2.9.27

Stop helping people that use Illegal cracked copies!

jwcn -
How do you know it's an illegal copy? I have two boards that are on towers that still have 2.9.27 on them and I have a really remote MT that still has 2.8.26 on it - I can assure you they are all LEGAL copies.....

Tell me you know how they are illegal and I'd be more than happy to stop helping....


R/

2.9.27 is the most recent version that has been cracked. The only reason one would not upgrade would be because they can't upgrade a cracked version and still avoid detection.

This is a common problem with new forum members. Download and install a cracked version, cry for help. It is an all too frequent problem.

This is why if you do a search for 2.9.27 MT locks every forum that involves it.

jwcn -

I don't keep up on 'cracked' software - I only use legal software.

MT should then make a post to that effect - anyone with 2.9.27 is screwed. I hate pirates...I use to write code and don't anymore - pirates are part of the reason....

I just didn't make the cutoff date for the upgrades on these older RB112s - someday - when I replace those boards with something faster I'll netinstall the latest legal version allowed for those boards. Too much trouble to climb a 150 tower with a laptop to do a netinstall for two boards....

R/

You should be able to upgrade the license and software without climbing...

Hi all ;
the case is not legal or illegal software .
now i am using 3.6 with level4 licence and still need help in MT , so are you going to provide help ?
and let me ask you if someone crakced 3.6 tomorrow morning , what is my fault ?
the forum supply help to any one need it .
by the way i think the pppoe is my troubles engine i will stop it now and see if i will still have the same problems with the wireless or not .
with best regards .

by the way i think the pppoe is my troubles engine i will stop it now and see if i will still have the same problems with the wireless or not .

The latest version 3.7 doesn’t have any problems in its’ PPPoE server, no packet loss nor latency,
We loaded it with 10Mbps and 200 users and it work fine
So try to upgrade to latest version before you give up .

ahmedsaffar76 -

You never said you were using PPPoE.... Turn if off - get the darn thing to work without it first then get PPPoE working.

ahmedsaffar76 -

You never said you were using PPPoE.... Turn if off - get the darn thing to work without it first then get PPPoE working.

Hi Galaxynet ;
Thanks very much
i turned it off since yesterday , i think it is the cause of many problems i face in the wireless .
now i am using the pc only as router without hotspot or pppoe .
maybe i will turn off the firewall as well if i see it is the second troubles engine .
also i put lan and wlan1 again in bridge1
what i saw yesterday when i did the configuration for the load balance , the odd list which i was belong to containing ip's i think it is for web sites .
i delete eveything to check it later with your help .
the client will kill me because whenever i test the configuration they loose the internet .
with best regards and whiting your feedback for this new situation .

ahmedsaffar76 -

Now that you have made so many changes and are using ROS3.6 - it's time for you to re-post your configuration - firewall, w/mangle, nat and filter rules and routing / routing rules.

R/

ahmedsaffar76 -

Now that you have made so many changes and are using ROS3.6 - it's time for you to re-post your configuration - firewall, w/mangle, nat and filter rules and routing / routing rules.

R/

Hi again ;
will do soon , mostly today i will post it .
i just need to give stable service to clients for couple of days .
maybe my ISP reduce my bandwidth or it is the share effects .
for a pc have three lan cards , one to ISP1 and one to ISP2 and the third to the clients which it bridged with wlan1 in bridge1 .
the bridge1 ip is 192.168.190.0/24 .
assume the ip for ISP1 is xxx.xxx.xxx.xxx
and for ISP2 yyy.yyy.yyy.yyy
what you are going to do ?
i think the DNS will make a problem , which DNS you are going to use ? for ISP1 or ISP2 ?
will you make a static dns server and enable remote requests ? .
will be waiting your reply .
with best regards .

ahmedsaffar76 -

Well part of the problem right now is your bridge.

If you do the suggested items then there should be no interruption of service.

Q & A;

i think the DNS will make a problem , which DNS you are going to use ? for ISP1 or ISP2 ? You can use ANY dns server you want - as long as it works. You could use for speed - one DNS server from each provider.


will you make a static dns server and enable remote requests ? No static, but you can enable the remote requests. Later you'll set up a proxy DNS.


R/

ahmedsaffar76 -

Well part of the problem right now is your bridge.

If you do the suggested items then there should be no interruption of service.

Q & A;

i think the DNS will make a problem , which DNS you are going to use ? for ISP1 or ISP2 ? You can use ANY dns server you want - as long as it works. You could use for speed - one DNS server from each provider.


will you make a static dns server and enable remote requests ? No static, but you can enable the remote requests. Later you'll set up a proxy DNS.


R/

Hi ;
i didn't get your reply .
would you please put more details ?
with best regards .

ahmedsaffar76 -

You need to post your config so you can get help..... I said that when you do as suggested - there has not been anything suggested yet because you have not posted anything since you upgraded and made other changes to your network.

I answered your questions as clearly as possible. If they don't make sense then you need to study a little more on ROS.

ahmedsaffar76 -

You need to post your config so you can get help..... I said that when you do as suggested - there has not been anything suggested yet because you have not posted anything since you upgraded and made other changes to your network.

I answered your questions as clearly as possible. If they don't make sense then you need to study a little more on ROS.

Hi galaxynet ;
Thanks very much for all what you wrote and what you are going to write .
i think i did it with crazy way and it work
what if i enabled again the pppoe ? , how should i put the users in groups while there is no ip's ?
i need to write what i did in the wiki and i hope they will provide me a licence key to install my second server with it , what do you think ? .
i am asking you here because you helped me a lot in this case and i will write and help others as you did with me in this forum .
waiting your reply .
with best regards .

Hi ahmedsaffar76, i try to send you a private message but I don't find the mail address.

My question is about yours VSAT connections, i have a clients that have a VSAT 128k and need to share in a P2P Mikrotik link of 30 km, it's running with windows xp + winproxy for starband connections + IPA (internet page accelerator). How can i do this but with mikrotik?

Greentings from the south !

You need to post a separate topic with your question.