Hello everyone. Need some help on triple ISP config with PCC load balancing. Looking for assistance to please look at the mangle & routing rules. Also the DHCP-client script. Config & concerns are below.
HEX on ROS 7.13.4 using winbox
ISP1: ether1 (100/100)
ISP2: ether2 (100/100)
ISP3: ether3 (100/100)
Lan Bridge: ether4 & ether5
Concerns:
Mangle rules: I'm not sure if the rules are correct, the ordering of the rules, using passthrough properly, etc. For some reason, when WAN-3 is disabled (interface disabled or cable unplugged), the prerouting mangle rules for ether3 (ISP3 / to_ISP3) still have traffic, also shown in connection tracking. I delete the connections but still connections repopulate like it's connected. The output chain for ether2 & ether3 barely has any traffic. Most is on ether1, a lot of it. Leading me to believe load balancing isn't working as intended because I mucked something up.
dhcp-client: The dhcp-client creates a default route for each ISP (not sure I should be doing this or if it's ok). I also create new routes for the routing tables to_ISPs. Found a script to update the gateway & also delete the connections when the gateway IP changes. Problem is, neither works. The GW is not being updated nor are the connections being killed/deleted. I don't know anything about scripts. I've tried copy/pasting the script into the dhcp-client advanced tab in winbox & also using the terminal.
Code:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge="Lan Bridge" interface=ether4
add bridge="Lan Bridge" interface=ether5
/ip firewall connection tracking
set tcp-established-timeout=12h loose-tcp-tracking=no
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface="Lan Bridge" list=LAN
/routing table
add fib name=to_ISP1
add fib name=to_ISP2
add fib name=to_ISP3
# one dhcp-client per WAN; each installs a main-table default route (distance 1/2/3)
# and runs the same script, which is meant to update the to_ISPn route and flush marked connections
/ip dhcp-client
add interface=ether1 add-default-route=yes script=":if (\$bound=1) do={\r\
    \n /ip/route/set [find where comment=\"ISP1\"] gateway=\$\"gateway-address\"\r\
    \n}\r\
    \n\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP1_conn\"]\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP2_conn\"]\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP3_conn\"]" use-peer-dns=no use-peer-ntp=no
add interface=ether2 add-default-route=yes default-route-distance=2 script=":if (\$bound=1) do={\r\
    \n /ip/route/set [find where comment=\"ISP2\"] gateway=\$\"gateway-address\"\r\
    \n}\r\
    \n\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP1_conn\"]\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP2_conn\"]\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP3_conn\"]" use-peer-dns=no use-peer-ntp=no
add interface=ether3 add-default-route=yes default-route-distance=3 script=":if (\$bound=1) do={\r\
    \n /ip/route/set [find where comment=\"ISP3\"] gateway=\$\"gateway-address\"\r\
    \n}\r\
    \n\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP1_conn\"]\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP2_conn\"]\r\
    \n/ip/firewall/connection/remove [find connection-mark=\"ISP3_conn\"]" use-peer-dns=no use-peer-ntp=no
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=no
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=no
add action=accept chain=input comment="defconf: accept ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" disabled=no dst-address=127.0.0.1
add action=accept chain=input comment="admin access" disabled=no in-interface-list=LAN src-address-list=admin
add action=accept chain=input comment="allow LAN DNS queries-TCP" disabled=no dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN DNS/NTP queries-UDP" disabled=no dst-port=53,123 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else" disabled=no
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=no hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=no
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=no
add action=accept chain=forward comment="internet access" disabled=no in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=no
add action=accept chain=forward comment="allow multi-subnet access" disabled=no dst-address-list=expected-address-from-LAN src-address-list=expected-address-from-LAN in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="drop all else" disabled=no
/ip firewall mangle
add action=accept chain=prerouting comment="Lan Bridge access" dst-address-list=expected-address-from-LAN in-interface-list=LAN
add action=mark-connection chain=prerouting comment="mark all new incoming connections" connection-mark=no-mark connection-state=new in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=ether2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=ether3 new-connection-mark=ISP3_conn passthrough=yes
add action=mark-connection chain=prerouting comment="divide traffic into three groups" connection-mark=no-mark connection-state=new dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=src-address-and-port:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=src-address-and-port:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP3_conn passthrough=yes per-connection-classifier=src-address-and-port:3/2
add action=mark-routing chain=prerouting comment="distribute traffic across ISP's" connection-mark=ISP1_conn in-interface-list=LAN new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface-list=LAN new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP3_conn in-interface-list=LAN new-routing-mark=to_ISP3 passthrough=yes
add action=mark-routing chain=output comment="force connection to table" connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP3_conn new-routing-mark=to_ISP3 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="ISP1 - Masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="ISP2 - Masquerade" out-interface=ether2
add action=masquerade chain=srcnat comment="ISP3 - Masquerade" out-interface=ether3
# ISP1-IP / ISP2-IP / ISP3-IP are placeholders for the real gateway addresses (as posted)
/ip route
add check-gateway=ping gateway=ISP1-IP routing-table=to_ISP1 distance=1 comment="ISP1"
add check-gateway=ping gateway=ISP2-IP routing-table=to_ISP2 distance=1 comment="ISP2"
add check-gateway=ping gateway=ISP3-IP routing-table=to_ISP3 distance=1 comment="ISP3"
Posted by MTNick — Sun Feb 18, 2024 10:55 pm
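Added as an illustration of the mangle concern, not code from the post or from MikroTik: a Python model that walks the posted prerouting chain for a new connection and then does the route lookup, showing why ISP3_conn / to_ISP3 keep appearing while ether3 is down. It assumes a stand-in hash for the PCC classifier (the real one is not published) and that a routing-mark table with no live route falls back to the main table.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Set, Tuple
# ISP -> WAN port as in the post; main-table default routes prefer them in this order (distance 1/2/3).
ISPS = {"ISP1": "ether1", "ISP2": "ether2", "ISP3": "ether3"}
IFACE_TO_ISP = {v: k for k, v in ISPS.items()}

def pcc_bucket(src_ip: str, src_port: int, denominator: int = 3) -> int:
    # Stand-in for per-connection-classifier=src-address-and-port:denominator/remainder.
    # RouterOS hashes the chosen fields to 32 bits and takes the remainder; SHA-256 prefix used here (assumption).
    h = hashlib.sha256(f"{src_ip}:{src_port}".encode()).digest()
    return int.from_bytes(h[:4], "big") % denominator

@dataclass
class Conn:
    src_ip: str
    src_port: int
    in_iface: str             # "LAN" for the bridge, or ether1..ether3
    dst_local: bool = False   # stands in for the "Lan Bridge access" accept rule / dst-address-type=local
    conn_mark: str = "no-mark"
    routing_mark: str = "main"

def mangle_prerouting(c: Conn) -> Conn:
    """Walk the posted prerouting chain top to bottom for a NEW connection."""
    # Rules 2-4: connections arriving on a WAN port are marked by ingress ISP.
    if c.conn_mark == "no-mark" and c.in_iface in IFACE_TO_ISP:
        c.conn_mark = IFACE_TO_ISP[c.in_iface] + "_conn"
    # Rules 5-7: LAN-originated, non-local traffic is split three ways by PCC.
    # The classifier hashes addresses/ports only; it knows nothing about link state.
    if c.conn_mark == "no-mark" and c.in_iface == "LAN" and not c.dst_local:
        c.conn_mark = f"ISP{pcc_bucket(c.src_ip, c.src_port) + 1}_conn"
    # Rules 8-10: LAN traffic gets the routing mark matching its connection mark.
    if c.in_iface == "LAN" and c.conn_mark.endswith("_conn"):
        c.routing_mark = "to_" + c.conn_mark[: -len("_conn")]
    return c

def egress(c: Conn, isps_up: Set[str]) -> Optional[str]:
    # Route lookup: a to_ISPn table whose gateway failed check-gateway has no usable
    # route, so the lookup falls back to main, i.e. the lowest-distance live default.
    isp = c.routing_mark[len("to_"):] if c.routing_mark.startswith("to_") else None
    if isp in isps_up:
        return ISPS[isp]
    return next((iface for name, iface in ISPS.items() if name in isps_up), None)

def classify(src_ip: str, src_port: int, isps_up: Set[str]) -> Tuple[str, str, Optional[str]]:
    # (connection mark, routing mark, egress port) for a new connection from the LAN bridge
    c = mangle_prerouting(Conn(src_ip, src_port, "LAN"))
    return c.conn_mark, c.routing_mark, egress(c, isps_up)

def first_port_in_bucket(src_ip: str, bucket: int, start: int = 40000) -> int:
    # find a source port that the stand-in PCC hash puts into the given bucket (0, 1 or 2)
    return next(p for p in range(start, start + 2000) if pcc_bucket(src_ip, p) == bucket)
```

With ether3 down, a third of new LAN connections are still marked ISP3_conn / to_ISP3 by the mangle chain (which is what the counters and connection tracking show) and are carried by ether1 via the main table; the marks themselves are not evidence that ether3 is passing traffic.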