miguelgoncalves

Router traffic to the Internet stops with 2 ISP

Thu Oct 20, 2011 1:23 am

Hi!

I am getting really desperate here. If anyone could help, I would appreciate it.

Here's the configuration:

1 RB450G
2 Internet Providers (Cabovisao and Telepac)
1 LAN (GONAFEnet)
1 DMZ

I need connections from LAN to DMZ, from LAN to Internet and from DMZ to the Internet. I also need connections from the two external IP addresses to the NTP ports of a machine in the DMZ.

Here's the mangle setup:
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=accept dst-address=213.228.178.0/24 in-interface=GONAFEnet

 1   chain=prerouting action=accept dst-address=192.168.75.0/24 in-interface=GONAFEnet

 2   chain=prerouting action=accept dst-address=213.228.178.0/24 in-interface=DMZ

 3   chain=prerouting action=accept dst-address=192.168.75.0/24 in-interface=DMZ

 4   chain=prerouting action=mark-connection new-connection-mark=Cabovisao_conn passthrough=yes in-interface=Cabovisao connection-mark=no-mark

 5   chain=prerouting action=mark-connection new-connection-mark=Telepac_conn passthrough=yes in-interface=Telepac connection-mark=no-mark

 6   chain=prerouting action=mark-connection new-connection-mark=Cabovisao_conn passthrough=yes dst-address-type=!local in-interface=GONAFEnet connection-mark=no-mark

 7   chain=prerouting action=mark-connection new-connection-mark=Telepac_conn passthrough=yes dst-address-type=!local in-interface=GONAFEnet connection-mark=no-mark

 8   chain=prerouting action=mark-connection new-connection-mark=Cabovisao_conn passthrough=yes dst-address-type=!local in-interface=DMZ connection-mark=no-mark

 9   chain=prerouting action=mark-connection new-connection-mark=Telepac_conn passthrough=yes dst-address-type=!local in-interface=DMZ connection-mark=no-mark

10   chain=prerouting action=mark-routing new-routing-mark=to_Cabovisao passthrough=yes in-interface=GONAFEnet connection-mark=Cabovisao_conn

11   chain=prerouting action=mark-routing new-routing-mark=to_Telepac passthrough=yes in-interface=GONAFEnet connection-mark=Telepac_conn

12   chain=prerouting action=mark-routing new-routing-mark=to_Cabovisao passthrough=yes in-interface=DMZ connection-mark=Cabovisao_conn

13   chain=prerouting action=mark-routing new-routing-mark=to_Telepac passthrough=yes in-interface=DMZ connection-mark=Telepac_conn

14   chain=output action=mark-routing new-routing-mark=to_Cabovisao passthrough=yes connection-mark=Cabovisao_conn

15   chain=output action=mark-routing new-routing-mark=to_Telepac passthrough=yes connection-mark=Telepac_conn

I am adding the proper routing mark (to_Cabovisao and to_Telepac) to the routes in /ip route.

When I set up the routing mark, all connections that use the DNS server in the router (which is set up to forward and cache requests to our provider's DNS servers) stop.

When I traceroute, the firewall simply does not respond (but the following routers do), and when I ping from the firewall I am getting a "no route to host", apparently because both routes to the Internet are active.

How can this be fixed?

Any help will be highly appreciated.

Many thanks!

Cheers,
Miguel
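
An added example, not part of the original post: a small Python model of how one packet walks the sixteen mangle rules listed above, returning the connection mark, the routing mark and the rule numbers it hit. The destination 198.51.100.7, the `local` flag standing in for dst-address-type, and the `ROUTES` table (only marked default routes, no unmarked one in the main table) are assumptions of this model, not values from the post.

```python
import ipaddress

LANS, ISPS = ("GONAFEnet", "DMZ"), ("Cabovisao", "Telepac")
NETS = ("213.228.178.0/24", "192.168.75.0/24")

def R(chain, action, mark=None, **match):
    return {"chain": chain, "action": action, "mark": mark, "match": match}

# Rules 0-15 from the post, in the same order (list index == rule number).
RULES = [R("prerouting", "accept", inif=i, dst=n) for i in LANS for n in NETS]
RULES += [R("prerouting", "mark-connection", f"{p}_conn", inif=p, conn="no-mark")
          for p in ISPS]
RULES += [R("prerouting", "mark-connection", f"{p}_conn", inif=i,
            nonlocal_dst=True, conn="no-mark") for i in LANS for p in ISPS]
RULES += [R("prerouting", "mark-routing", f"to_{p}", inif=i, conn=f"{p}_conn")
          for i in LANS for p in ISPS]
RULES += [R("output", "mark-routing", f"to_{p}", conn=f"{p}_conn") for p in ISPS]

def traverse(chain, inif=None, dst="198.51.100.7", local=False, conn="no-mark"):
    """Walk one packet through a chain; return (conn mark, routing mark, hits)."""
    route, hits, addr = None, [], ipaddress.ip_address(dst)
    for n, r in enumerate(RULES):
        m = r["match"]
        if r["chain"] != chain or m.get("inif", inif) != inif:
            continue
        if "dst" in m and addr not in ipaddress.ip_network(m["dst"]):
            continue
        if (m.get("nonlocal_dst") and local) or m.get("conn", conn) != conn:
            continue
        hits.append(n)
        if r["action"] == "accept":
            break                      # accept ends processing in this chain
        if r["action"] == "mark-connection":
            conn = r["mark"]           # passthrough=yes: later rules see the mark
        else:
            route = r["mark"]
    return conn, route, hits

# Assumption: every default route carries a routing mark, as the post describes,
# so a packet without a routing mark finds no default route in the main table.
ROUTES = {"to_Cabovisao": "Cabovisao", "to_Telepac": "Telepac"}

def lookup(route_mark):
    return ROUTES.get(route_mark or "main", "no route to host")

if __name__ == "__main__":
    print("LAN client, new connection:", traverse("prerouting", inif="GONAFEnet"))
    conn, route, hits = traverse("output")
    print("router-originated query:", hits, route, "->", lookup(route))
```

In this model rules 7 and 9 are never hit, because rules 6 and 8 match the same packets first and set a connection mark, and a new connection opened by the router itself leaves the output chain with no routing mark.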