Mikrotik
Gregory, 2016-09-28 12:12:37

How to set up port forwarding when balancing Mikrotik PCC?

Hello, tell me how to forward a port when using PCC.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=ether2 new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=ether3 new-connection-mark=ether2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=ether1_conn \
    new-routing-mark=to_ether1 passthrough=yes
add action=mark-routing chain=output connection-mark=ether2_conn \
    new-routing-mark=to_ether2 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    dst-address-type=!local in-interface=ether1-master new-connection-mark=\
    ether1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new \
    dst-address-type=!local in-interface=ether1-master new-connection-mark=\
    ether2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ether1_conn \
    in-interface=ether1-master new-routing-mark=to_ether1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ether2_conn \
    in-interface=ether1-master new-routing-mark=to_ether2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.6.0 in-interface=\
    ether1-master
add action=accept chain=prerouting dst-address=192.168.5.0 in-interface=\
    ether1-master

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3


2 answer(s)
Melkij, 2016-09-28
@Maxlinus

If you have not only the first 4 rules in prerouting but also the corresponding routing marks created in the routing table, then the picture is no different from a single uplink. These rules just make sure that the response to an incoming connection goes out on exactly the channel the request came from.
For convenience, I created a port_forward chain in nat, into which I send packets with rules matching in-interface=ether2 and in-interface=ether3. In that chain there is just the usual forwarding, without reference to a real interface.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether3-gw0
add action=masquerade chain=srcnat out-interface=ether4-gw1
add action=jump chain=dstnat in-interface=ether3-gw0 jump-target=port_forwarding_udp protocol=udp
add action=jump chain=dstnat in-interface=ether4-gw1 jump-target=port_forwarding_udp protocol=udp
add action=jump chain=dstnat in-interface=ether3-gw0 jump-target=port_forwarding_tcp protocol=tcp
add action=jump chain=dstnat in-interface=ether4-gw1 jump-target=port_forwarding_tcp protocol=tcp
add action=dst-nat chain=port_forwarding_udp dst-port=6891 protocol=udp to-addresses=192.168.5.20
add action=dst-nat chain=port_forwarding_tcp dst-port=80 protocol=tcp to-addresses=192.168.7.10

If the port remains closed from some uplink, try pinging the router itself. If there are no pings on that same provider, sort out the routing-mark. Back then I never figured out how this magic with check-gateway 8.8.8.8 works.
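The behaviour described in this answer (the reply to a forwarded connection leaves through the uplink the request arrived on) can be traced with a small model of the question's prerouting mangle rules. This is an added example, not code from either poster: the rule matching is simplified, the PCC hash is a stand-in for RouterOS's own classifier, and the client and WAN addresses are constructed.

```python
from zlib import crc32

# Prerouting mangle rules from the question: (action, matchers, new mark).
# Not modelled: chain=output rules, dst-address-type, the accept rules.
RULES = [
    ("mark-connection", {"state": "new", "in": "ether2"}, "ether1_conn"),
    ("mark-connection", {"state": "new", "in": "ether3"}, "ether2_conn"),
    ("mark-connection", {"state": "new", "in": "ether1-master", "pcc": 0}, "ether1_conn"),
    ("mark-connection", {"state": "new", "in": "ether1-master", "pcc": 1}, "ether2_conn"),
    ("mark-routing", {"in": "ether1-master", "conn": "ether1_conn"}, "to_ether1"),
    ("mark-routing", {"in": "ether1-master", "conn": "ether2_conn"}, "to_ether2"),
]

def pcc_remainder(pkt):
    # Stand-in for both-addresses:2/x; RouterOS uses its own hash (assumption).
    return crc32(f"{pkt['src']}|{pkt['dst']}".encode()) % 2

def prerouting(pkt, conntrack):
    """Run one packet through RULES; return its routing mark (or None)."""
    state = "established" if pkt["id"] in conntrack else "new"
    conntrack.setdefault(pkt["id"], None)
    routing_mark = None
    for action, match, mark in RULES:      # passthrough=yes: never stop early
        if match.get("state", state) != state or match["in"] != pkt["in"]:
            continue
        if "pcc" in match and match["pcc"] != pcc_remainder(pkt):
            continue
        if "conn" in match and match["conn"] != conntrack[pkt["id"]]:
            continue
        if action == "mark-connection":
            conntrack[pkt["id"]] = mark
        else:
            routing_mark = mark
    return routing_mark

def forwarded_reply_mark(wan_if):
    """Routing mark of the server's reply to a connection forwarded from wan_if."""
    ct = {}
    client, server = "203.0.113.7", "192.168.7.10"   # constructed addresses
    # Inbound packet on the uplink: marked by in-interface, PCC does not match.
    prerouting({"id": 1, "in": wan_if, "src": client, "dst": "198.51.100.1"}, ct)
    # Reply from the LAN server: established, so PCC cannot re-mark it.
    return prerouting({"id": 1, "in": "ether1-master", "src": server, "dst": client}, ct)

def lan_outbound_mark(src, dst):
    """Routing mark PCC assigns to a new connection opened from the LAN."""
    return prerouting({"id": 2, "in": "ether1-master", "src": src, "dst": dst}, {})

if __name__ == "__main__":
    for wan in ("ether2", "ether3"):
        print(wan, "->", forwarded_reply_mark(wan))
```

Whether the marked reply then actually leaves through the matching provider depends on the routes defined for each routing mark, which this model does not cover.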

Gregory, 2016-09-28
@Maxlinus

I don't fully understand where I'm wrong :(
Am I creating the forwarding rule as usual?
/ip route
add distance=1 gateway=8.8.4.4 routing-mark=to_ether1
add distance=1 gateway=8.8.8.8 routing-mark=to_ether1
add distance=1 gateway=8.8.4.4 routing-mark=to_ether2
add distance=1 gateway=8.8.8.8 routing-mark=to_ether2
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=1 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.6.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.5.1 scope=10
