Talk:NTH load balancing with masquerade
I have load balancing on two internet lines according to this manual. It works perfectly for internet users.
But I can connect from outside (from Winbox) to the MikroTik only randomly!!! Sometimes yes and sometimes not. All users behind masquerade on local addresses work well without problems.
Only administration from outside is a problem. I guess that the router sends the reply to my connection, which came in through the first line, out of the second line. I have tried many times to make some rules, but without success.
Can you help me? Where could the problem be?
The following config works perfectly, users don't complain. Even access to all devices in the local network from outside (by dst-nat) works well without any problems. Only connecting to the MikroTik from outside - sometimes I can connect, and sometimes not.
- output to two internet lines
/ip address
add address=10.0.0.1/24 broadcast=10.0.0.255 comment="" disabled=no interface=internet network=10.0.0.0
add address=10.0.1.1/24 broadcast=10.0.1.255 comment="" disabled=no interface=internet2 network=10.0.1.0
- two local networks
add address=10.0.2.1/24 broadcast=10.0.2.255 comment="" disabled=no interface=ether2 network=10.0.2.0
add address=10.0.3.1/24 broadcast=10.0.3.255 comment="" disabled=no interface=ether3 network=10.0.3.0
add address=10.0.4.1/24 broadcast=10.0.4.255 comment="" disabled=no interface=ether4 network=10.0.4.0
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.3.0/24
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.2.0/24
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.4.0/24
- access to some devices from outside - it works
add action=dst-nat chain=dstnat comment="device2" disabled=no dst-port=91 protocol=tcp to-addresses=10.0.3.241 to-ports=80
add action=dst-nat chain=dstnat comment="device2" disabled=no dst-port=92 protocol=tcp to-addresses=10.0.3.242 to-ports=80
- route to one of the two internet lines according to routing marks
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.138 routing-mark=to_inet1
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.1.138 routing-mark=to_inet2
- if the packet is not marked, route it to the first internet line
add comment="" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.0.0.138,internet
/ip firewall mangle
- for access to some devices (AP) from line1 from outside - it works permanently
add action=mark-routing chain=prerouting disabled=no new-routing-mark=to_inet1 passthrough=no src-address-list=AP
- from the manual: odd/even load balancing
add action=mark-connection chain=prerouting new-connection-mark=inet2_conn passthrough=yes src-address=10.0.0.0/16 src-address-list=even
add action=mark-routing chain=prerouting new-routing-mark=to_inet2 passthrough=no src-address=10.0.0.0/16 src-address-list=even
add action=mark-connection chain=prerouting new-connection-mark=inet1_conn passthrough=yes src-address=10.0.0.0/16 src-address-list=odd
add action=mark-routing chain=prerouting new-routing-mark=to_inet1 passthrough=no src-address=10.0.0.0/16 src-address-list=odd
- odd new
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=inet1_conn nth=2,1 passthrough=no src-address=10.0.0.0/16
add action=add-src-to-address-list address-list=odd address-list-timeout=1d chain=prerouting connection-mark=inet1_conn src-address=10.0.0.0/16
add action=mark-routing chain=prerouting connection-mark=inet1_conn new-routing-mark=to_inet1 passthrough=no src-address=10.0.0.0/16
- even new
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=inet2_conn nth=2,2 passthrough=yes src-address=10.0.0.0/16
add action=add-src-to-address-list address-list=even address-list-timeout=1d chain=prerouting connection-mark=inet2_conn src-address=10.0.0.0/16
add action=mark-routing chain=prerouting new-routing-mark=to_inet2 passthrough=no src-address=10.0.0.0/16 src-address-list=even
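An added editorial example, not part of the original post: the mangle rules above all sit in the prerouting chain, which only sees traffic the router forwards, while connections to the router itself (Winbox, SSH) enter through the input chain and their replies leave through the output chain, so they follow the unmarked default route to line 1 even when the request arrived on line 2. The fragment below applies the pattern MikroTik documents for dual-WAN setups, reusing the interface names and marks from the config above; the `connection-state=new` match and the verification command are my additions.

```routeros
# Added example: keep the router's own replies on the WAN line the request came in on.
# Assumes the interfaces internet/internet2, the connection marks inet1_conn/inet2_conn
# and the routing marks to_inet1/to_inet2 exactly as defined in the config above.
/ip firewall mangle
# 1. mark a new connection addressed to the router itself by the WAN it arrived on
add chain=input in-interface=internet connection-state=new action=mark-connection new-connection-mark=inet1_conn passthrough=yes
add chain=input in-interface=internet2 connection-state=new action=mark-connection new-connection-mark=inet2_conn passthrough=yes
# 2. route the router's own reply packets by that connection mark instead of the default route
add chain=output connection-mark=inet1_conn action=mark-routing new-routing-mark=to_inet1 passthrough=no
add chain=output connection-mark=inet2_conn action=mark-routing new-routing-mark=to_inet2 passthrough=no
# verify while a Winbox session is open over line 2: the session must show up with the line-2 mark
/ip firewall connection print where connection-mark=inet2_conn
```

No srcnat is needed for these replies: the router answers from the address the request was sent to (10.0.0.1 or 10.0.1.1), so only the outgoing route has to match.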