load balancing for my dual adsl

coffeecoco · Tue Jun 06, 2006 9:18 am

me to be lazy and ask some one to do it for me for who has sucessfully got it to work, i have 2 adsl lines possibly more if MT will work at all, there are 3 known methods that would worf for me:
Session
Weight round robin
Dymamic Traffic

I dont mind at all which of them they generaly create the same output
very fast speed when using download managers.

Dan.

jo2jo · Wed Jun 07, 2006 1:39 am

is this an auction?

I'll pay 500$ if someone can get Load balencing working properly...i dont think it can be done with the current route OS

really.

joe

changeip · Wed Jun 07, 2006 1:52 am

It works fine for me ... however it might be that I'm not using NAT. We load balance 2 gigabit connections without problems.

For simple outbound load balancing just add both gateway IPs to your default route. If you want to start sending specific traffic out one gateway only you start getting into policy routing - but once its done it works fine.

So many people ask this question and for some reason can never figure it out. One of these days I will post a wiki with a few setups that I've got working - not that much time at the moment though - fighting bgp issues with MT : )

Sam

coffeecoco · Wed Jun 07, 2006 7:54 am

Ok well i guess thats 600 dollars in tottal any takers? nat would be needed I would have thought. I have a dual wan netcomm nb750 router it only works with NAT. but its only 2 wan ports and its not a MT router.

so we have 600 dollars so far.

[ASM] · Wed Jun 07, 2006 11:54 am

It can be done for multiple ADSL lines.... You cann't make all lines use exacly the same bandwidth.

Mitak · Wed Jun 07, 2006 12:06 pm

example:
1-st ISP gateway: 192.168.0.1
2-nd ISP gateway: 192.168.2.1

/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1,192.168.2.1

2:1 balancing:

/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1,192.168.0.1,192.168.2.1

2 connections will be routed via 192.168.0.1, and the next one - via 192.168.2.1

It works fine for me (with one ADSL /2Mbit/ connection, and one CABLE modem connection /1.5Mbit/.)
Bulgarian telecom BTK sux.....

The other simple way is to use routing-mark

p.s.
http://www.mikrotik.com/docs/ros/2.9/ip/route

coffeecoco · Wed Jun 07, 2006 12:56 pm

I tried this but when i use my threaded download manager 1 link only gets used. my whole plan is to use a download manager so when the second thread opens it most likly will be on the second wan port.
I cant explain why mine dont work, maybe it does partly but not very well at all, which brings me back to the original idea of a similar way the netcomm nb750 works it loads every new tcp session on a different wan port, OR it has option of link saturation, the netcomm actualy monitors sessions or link speed to change the route over to the other wan port with out breaeking downloads.

So what are we up to $600 dollars to whom will create this.

example:
1-st ISP gateway: 192.168.0.1
2-nd ISP gateway: 192.168.2.1

/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1,192.168.2.1

2:1 balancing:

/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1,192.168.0.1,192.168.2.1

2 connections will be routed via 192.168.0.1, and the next one - via 192.168.2.1

It works fine for me (with one ADSL /2Mbit/ connection, and one CABLE modem connection /1.5Mbit/.)
Bulgarian telecom BTK sux.....

The other simple way is to use routing-mark
p.s.
http://www.mikrotik.com/docs/ros/2.9/ip/route

freebird · Wed Jun 07, 2006 1:28 pm

Hi,

this "Load balance two ADSL lines" have been discussed a lot in the forum up to now, and no one have ever posted a solution. It has even been discussed at the first MUM in Praha.

The problem is the session persistence. One session (like a IM session, a HTTPS session) must be handled by one WAN port. Otherwise the server on the other side will get confused if he gets requests from one client but over two WAN ports (with different WAN IPs/Gateways/Providers).

To create two default routes is no solution. We need a solution for NAT'ed WAN connections like two PPPoE connections.

See other postings:

http://forum.mikrotik.com/viewtopic.php?t=6461

http://forum.mikrotik.com/viewtopic.php?t=7483

seandsl
--

coffeecoco · Wed Jun 07, 2006 1:31 pm

Yes i know about the ssl with online banking my netcomm router can specify a perticular route for port 443 ssl connections thats is easy fixed IM is UDP i think i never have a problem with IM in any way but im sure it can be fixed if we bind the IM to a wan port.

So who wants this ?

Gerard · Wed Jun 07, 2006 4:26 pm

Shouldn't it be possible to create a mangle rule to mark new connections as line1 or line2..

Then create another mangle rule that marks all packets that match a connection mark of line1 or line2 with a routing mark of route1 and route2.

Then create a routing rule to send all traffic with a routing mark of route1 or route2 to the proper gateway?

I haven't tested this so I don't know if it will work.. Any ideas?
-Gerard

nickb · Wed Jun 07, 2006 5:28 pm

This would be an easy resolution with MLPPP support in Mikrotik......

coffeecoco · Thu Jun 08, 2006 1:22 am

Yes of coarse MLPPP but there is no ISP in australia that supports it although its still good to have that also.

So $600 dollars guys.

Thu Jun 08, 2006 2:04 pm

Eugene just made this and will post it in the wiki in a few minutes

Eugene · Thu Jun 08, 2006 3:27 pm

http://wiki.mikrotik.com/wiki/Improved_ ... e_Gateways

Gerard · Thu Jun 08, 2006 4:18 pm

So does that mean I get partial credit or something?
-Gerard

maximan · Thu Jun 08, 2006 4:32 pm

I translate the wiki article to spanish:
http://wiki.mikrotik.com/wiki/Balanceo_ ... _%28wan%29

Maximiliano
Mikrotik Certified Consultant
To Sharing the knowledge

Eugene · Thu Jun 08, 2006 4:38 pm

Great, just visit it after day or two to add latest updates and feedback.

pekr · Thu Jun 08, 2006 6:30 pm

Hey guys, thanks a lot, appreciated!

Now let's talk the solution a bit. Never saw anything like that - even, odd packets, nice. So if I understand it correctly, the solution tries to equally divide traffic between two gateways, right?

You use one local interface. Is it possible to use single mangle rule, and instead of marking connection first, to decide upon source network address? Will that be sufficient?:

chain=prerouting src-address=10.0.0.0/24 action=mark-routing new-routing-mark=gw1 passthrough=no

chain=prerouting src-address=10.0.1.0/24 action=mark-routing new-routing-mark=gw2 passthrough=no

Routing is understandable, just NAT is not applied as yours, only upon outgoing interface, so not using connection-marks ...

maybe mine aproach did not work properly, because of missing one default route for eventually not market packets ...

Petr

Gerard · Thu Jun 08, 2006 6:35 pm

Has anyone tested this? I have it working but its slightly diff from the wiki.. I had to add in 2 routing rules to make it lookup the correct table..

/ ip firewall mangle 
add chain=prerouting in-interface=ether2 connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
    disabled=no 
add chain=prerouting in-interface=ether2 connection-mark=odd \
    action=mark-routing new-routing-mark=odd passthrough=no comment="" \
    disabled=no 
add chain=prerouting in-interface=ether2 connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes comment="" \
    disabled=no 
add chain=prerouting in-interface=ether2 connection-mark=even \
    action=mark-routing new-routing-mark=even passthrough=no comment="" \
    disabled=no 

/ ip firewall nat 
add chain=srcnat connection-mark=odd action=src-nat \
    to-addresses=192.168.10.201 to-ports=0-65535 comment="" disabled=no 
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.1.1.202 \
    to-ports=0-65535 comment="" disabled=no 

/ ip route 
add dst-address=0.0.0.0/0 gateway=192.168.10.1 scope=255 target-scope=10 \
    routing-mark=odd comment="" disabled=no 
add dst-address=0.0.0.0/0 gateway=10.1.1.254 scope=255 target-scope=10 \
    routing-mark=even comment="" disabled=no 

/ ip route rule 
add routing-mark=odd action=lookup table=odd comment="" disabled=no 
add routing-mark=even action=lookup table=even comment="" disabled=no

cmit · Thu Jun 08, 2006 6:40 pm

The problem with the setup discussed here is (could be) the following, if I'm not completely wrong:

For "normal" internet usage this will work. But it WILL eventually send out connections from the SAME user over DIFFERENT uplinks.
If you are now using a web application (like online banking, extranet, ...), it might very well be (and that's the way most of my online apps are coded) that for every action you take you login is checked for the source address.
That is, if you login in from source address 10.111.0.1 (to stay with the example addresses from the wiki), and one of your next requests is coming from 10.112.0.1, the app might consider that an attempt to spoof/hijack the session and will log you out (or do whatever the programmer intended to do).
Even "simply" using some webmail interface might show this problem.

And the solution in the wiki will NOT take care of that, as it is doing round-robin on every single connection(!).

I had done some tinkering around to get a solution that takes this into account, but never got around to testing thoroughly.

I will try to dig up my solution (which wasn't perfect, either, of course) and put it up here for discussion...

I'm not trying to offend anyone here (especially not Eugene) - just want to point out to possible problems as I see them.

Best regards,
Christian Meis

Gerard · Thu Jun 08, 2006 6:58 pm

Yeah I was working on fixing that right now.

I'm making it so that instead of setting a connection mark it will add the dst address to an address list for like 10 minutes and that will cause every dst address to go out through the same line.. It breaks load balancing to a single host however it still allows both lines to be used when many users are connecting to many diff hosts..
-Gerard

Eugene · Thu Jun 08, 2006 7:12 pm

Well, MY banking and MY instant messaging works, and that is my only point of concern

Indeed, as Christian has pointed out, it does round-robin on all connections, but as I have said, this does not cause any problems ... for me.

To "fix" it to NAT all connections from a particular user to the same IP address, you have to do the following:

/ ip firewall mangle


add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection new-connection-mark=odd passthrough=yes

add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing new-routing-mark=odd 

add chain=prerouting src-address-list=even in-interface=Local action=mark-connection new-connection-mark=even passthrough=yes

add chain=prerouting src-address-list=even in-interface=Local action=mark-routing new-routing-mark=even 

add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
    disabled=no 

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes

add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no comment="" disabled=no 
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes comment="" \
    disabled=no 

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=even address-list-timeout=1d connection-mark=even passthrough=yes


add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no comment="" disabled=no

Eugene

dritoni · Thu Jun 08, 2006 10:19 pm

If one of the link goes down does it mean that some traffic won`t be routed at all.

Eugene · Thu Jun 08, 2006 10:55 pm

yes. you are welcome to enhance the wiki example.

Fri Jun 09, 2006 8:45 am

I translate the wiki article to spanish:
http://wiki.mikrotik.com/wiki/Balanceo_ ... _%28wan%29

Maximiliano
Mikrotik Certified Consultant
To Sharing the knowledge

thanks, but please make the links shorter

I will do this for you ..

coffeecoco · Fri Jun 09, 2006 8:46 am

Guee i will have to test this, just a curious question does this work if i wanted to use a pppo3 client on the MT? or must I set my modem as pppoe and DHCP the MT?
The online banking issue it can be solved simply with some kind of binding to a wan port? like bind port 445 to wan1

just the same as the netcomm nb750 ?

cmit · Fri Jun 09, 2006 9:54 am

If one of the link goes down does it mean that some traffic won`t be routed at all.

I surely hope to find the time to dig out and polish up my example.

But in the mean time: It was working practically the same way (by adding new src-addresses to address-lists, but with a lower address-list-timeout).

Then I added a script to check the uplinks every few seconds and have it redistribute the users/connections on the "dead" link to the (or one of the) alive uplinks.

Best regards,
Christian Meis

coffeecoco · Fri Jun 09, 2006 10:50 am

So whats next to fix the link down issue?

and which script needed polishing?

so far so good i added the script a dozen times now it works as far as using 2 ip's download managers threading works 2 links are being used.

If one of the link goes down does it mean that some traffic won`t be routed at all.
I surely hope to find the time to dig out and polish up my example.

But in the mean time: It was working practically the same way (by adding new src-addresses to address-lists, but with a lower address-list-timeout).

Then I added a script to check the uplinks every few seconds and have it redistribute the users/connections on the "dead" link to the (or one of the) alive uplinks.

Best regards,
Christian Meis

coffeecoco · Fri Jun 09, 2006 10:52 am

Eugene looking really go so far mate what can we do about this other part about links going down

cmit · Fri Jun 09, 2006 11:53 am

OK, let me try to get this done from some short notes - don't have access to the system my tests are on

...

My script worked by assigning every user to a dedicated uplink (that was required by the customer). This way you will absolutely be sure that the user will go out with the same source ip address every time (masquerading was involved here...). Of course this creates other "load-balancing-fairness" problems, as the users are not distributed among the uplinks using the acutal bandwidth-usage...

Effectively it works similar to the script posted above/in the Wiki: By assigning ip addresses to address lists and routing everyone in one address-list out one uplink.

As I was required to distribute the users so that each user was bound to a dedicated uplink, I was only taking into account the src-addresses. There are two uplinks involved in the example, named uplinkA and uplinkB (genious strikes...).

I put in the following mangle rules:

/ ip firewall mangle 
add chain=prerouting src-address-list=use_uplink_a action=mark-routing new-routing-mark=uplink_a passthrough=no comment="set routing mark for uplink A" disabled=no 
add chain=prerouting src-address-list=use_uplink_b action=mark-routing new-routing-mark=uplink_b passthrough=no comment="set routing mark for uplink B" disabled=no 
add chain=prerouting action=mark-packet new-packet-mark=new_srcadr  passthrough=yes comment="" disabled=no

Thus putting a routing-mark for uplinkA on everyone who already is on the address-list "user_uplink_a" and the same for uplinkB. Those routing-marks are later used to force traffic out a specific uplink (not shown in this post). Note that the first two mangle rules do NOT have passthrough activated. So only packets from source addresses NOT already on address-list "use_uplink_a" or "use_uplink_b" reach the third rule which marks packets from "unknown" source addresses with a packet-mark of "new_srcadr".

Then a firewall filter takes care of putting those unkown (until now) source addresses onto a third address list called "new_user":

/ ip firewall filter 
add chain=forward in-interface=ether1 packet-mark=new_srcadr action=add-src-to-address-list address-list=new_user address-list-timeout=0s comment="" disabled=no

The following script is run via scheduler every few seconds. Its' purpose is putting newly discovered users (= source addresses) onto one of the address-lists that map users to uplinks:

:local uplinkacount
:local uplinkbcount
:local newipadr
:log debug "script checking for new source addresses"
:foreach i in=[/ip firewall address-list find list=new_user] do={
	:set newipaddr [/ip firewall address-list get $i address]
	:set uplinkacount [:len [/ip firewall address-list find list=use_uplink_a]]
	:set uplinkbcount [:len [/ip firewall address-list find list=use_uplink_b]]
	:log debug ("   found new source address " . $newipaddr)
	:log debug ("   " . $uplinkacount . " User auf Uplink A")
	:log debug ("   " . $uplinkbcount . " User auf Uplink B")
	:if ($uplinkacount < $uplinkbcount) do={
		:log debug ("about to add " . $newipaddr . " to list a")
		/ip firewall address-list remove $i
		/ip firewall address-list add address=$newipaddr list=use_uplink_a disabled=no
		:log info ("added new source address " . $newipaddr . " to address-list use_uplink_a")
	} else={
		:log debug ("about to add " . $newipaddr . " to list b")
		/ip firewall address-list remove $i
		/ip firewall address-list add address=$newipaddr list=use_uplink_b disabled=no
		:log info ("added new source address " . $newipaddr . " to address-list use_uplink_b")
	}
}

So to sum up, the following way is used to distribute ("load-balance") users (internal source addresses) to the two uplinks:
If the router detects a source address not already on one of the address-lists that manage the user-to-uplink mapping, it marks packets from that address. A firewall rule then put this source address onto a temporary address-list. The script running every few seconaddds the distributes the users among the two uplinks so that the number of users on each uplink is (more or less) equal.

You could modify the script above to monitor some global variable for each uplink that signals if the uplink is available. If it's not available, users are not put on the corresponding address-list for that uplink.

Now you can have netwatch (or a own script) check if the uplinks and set the global variable to "not available" when a uplink is down. Then the script would just have to remove all addresses from the address-list for that uplink, and the users would get re-added to the other list.

Some shortcomings, here, too:
- You cannot specify a timeout for an entry on an address-list if you add it via script (opposed to having it automatically added by a firewall rule

), so a user mapped to one uplink will stay there "forever". This could be easily changed by having a script remove users from address-lists from time to time (to force re-addition to an address-list).
- As the first packets arrive from a "new" user, they will probably not be getting out on the internet, as the source address is not on any "mapping" address-list. So this could mean a few seconds "hick-up" when a new user is coming online. But this depends on how you policy-route your traffic: This is only the case if you don't let out any traffic from source addresses NOT on the address-lists use_uplink_a/use_uplink_b.

After all, these might be just some confusing bits and pieces, but until I get access to the test system again I thought I put them here for you guys to read over and perhaps already someone using the idea for something...

Comments welcome...

Best regards,
Christian Meis

coffeecoco · Fri Jun 09, 2006 12:47 pm

cmit So whould it be right to say that your individual script spreads users evenly over the (2) links eg.

10 users on wan1
10 users on wan2

im taking this is the way your individual script works im taking it that interigating yours with the one pasted above is different?

there for users cant utilize both links for faster speeds?
all in all your script would definatly solve the online bamking problem i am very sure.

coffeecoco · Fri Jun 09, 2006 12:53 pm

how does this script work does it keep the specific wan port set for each ip the client connects to?
or how does this solve the banking issue ?

Well, MY banking and MY instant messaging works, and that is my only point of concern

Indeed, as Christian has pointed out, it does round-robin on all connections, but as I have said, this does not cause any problems ... for me.

To "fix" it to NAT all connections from a particular user to the same IP address, you have to do the following:

/ ip firewall mangle


add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection new-connection-mark=odd passthrough=yes

add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing new-routing-mark=odd 

add chain=prerouting src-address-list=even in-interface=Local action=mark-connection new-connection-mark=even passthrough=yes

add chain=prerouting src-address-list=even in-interface=Local action=mark-routing new-routing-mark=even 

add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
    disabled=no 

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes

add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no comment="" disabled=no 
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes comment="" \
    disabled=no 

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=even address-list-timeout=1d connection-mark=even passthrough=yes


add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no comment="" disabled=no

Eugene

coffeecoco · Fri Jun 09, 2006 12:57 pm

Just for kicks i got a feeling of how it works it logs the ip address and clients ip and saves that client to use a wan port for each ip they connect to..

eg. of problem if this is correct
i have a multithreaded newsgroup client that conencts to 1 news server and downloads a sigle file multithreaded it would be kinda a problem if only 1 wan port will be downloading the file. it will tri multi attemps via 1 route

coffeecoco · Fri Jun 09, 2006 12:59 pm

Netcomm NB750 solves all these problems by binding any destination port via 443 to always use eg. WAN1 or WAN2 optional also some other options of wan1 first or wan2 first

port 443 bind to a wan port tottal fixed everything

if that can be fixed that simple like netcomm do that would be great for us all.

a little eye opener there are other options

Session : new route new connection like the one above
Weight round robin : works on a ratio like 1:1 or 1:2 etc.. etc..
Dymamic Traffic : works by a live monitor of how much usage is being used per wan, it has an option to set link speed so it can create a value as a percentage % there for balances according to that.

cmit · Fri Jun 09, 2006 1:47 pm

It's not very difficult to bind outgoing HTTPS traffic to a specific WAN port: mangle it, policy-route it...

Best regards,
Christian Meis

Gerard · Fri Jun 09, 2006 1:57 pm

inncom,
You can either add a new mangle rule to mark all tcp traffic to port 443 as either odd/even OR make a NAT rule that src-nat's all tcp traffic to port 443 to a specific ip so that it always goes out of a single line..

add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \
new-connection-mark=even passthrough=yes comment="" disabled=no
OR
add chain=srcnat protocol=tcp dst-port=443 action=src-nat \
to-addresses=10.1.1.202 to-ports=0-65535 comment="" disabled=no

You will have to move either one of these rules before the other mangle or nat rules for them to work..

I switched my office and a few tester clients to using the load balancer yesterday afternoon and I had everyone try their online banking and any other secure sites they use and no-one has had any problems..
I know that some sites do bind your session to your IP.. BUT I do know that web requests from AOL customers will come from several different proxy ips within a session so I don't think it should mess up too badly if they are doing it..

-Gerard

Fri Jun 09, 2006 2:00 pm

yes, we also tested eugene's example and there were no problems with any sites.

coffeecoco · Fri Jun 09, 2006 3:05 pm

THANKS! Gerard this one works.

add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \
new-connection-mark=even passthrough=yes comment="" disabled=no

added it in order right after the odd mangle rule and wam it works

Eugene · Fri Jun 09, 2006 4:33 pm

Chek this: http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent

You could play with address-list-timeout settings or place dst-address instead of src-address to address list. In any case, leave feedback what works best for you.

Eugene

Gerard · Fri Jun 09, 2006 5:15 pm

Eugene,

My setup is very similar to your example(see my code above) but in order for me to get it to work I have to add these two routing rules.

/ ip route rule
add routing-mark=odd action=lookup table=odd comment="" disabled=no
add routing-mark=even action=lookup table=even comment="" disabled=no

Am I doing something wrong?
Thanks
-Gerard

Eugene · Fri Jun 09, 2006 6:37 pm

what version are you using?

Eugene

Gerard · Fri Jun 09, 2006 7:26 pm

I'm testing with 2.9.23 on new rb532a's I got in the other day..

I'll upgrade it to 2.9.25 in a second and try it agian..
Thanks,
-Gerard

rmdjapri · Sat Jun 10, 2006 8:21 am

Just wondering guys, is this example can be use with 2 cable modem link and the same gateway?

Best regards,
Romie

pekr · Sat Jun 10, 2006 1:15 pm

Gerard,

so what is the state with with policy routing? I can see it with various examples, where ppl claim, that without telling RouterOS to look-up correct routing table, it does not work properly. But from other examples, e.g. Eugene's one, there seem to be no need for such explicit setting?

Thanks,
Petr

Gerard · Sat Jun 10, 2006 6:57 pm

Romie,
I don't think it is possible if the gateway is the same, You would need to add another router in between one of the cable modems so that you would have a different gateway.. If anyone knows a better solution please let me know.

Petr,
I am still not able to make it work without adding the routing rules. I forgot I had to go install a customer yesterday afternoon so I wasn't able to experiment with it as much I had hoped. I will test some settings this weekend and let you guys know what I find.

-Gerard

sorinbuda · Mon Jun 12, 2006 5:07 pm

Hi, would you please look at this article as well? I have a similar problem but when I try to implement it everything bloks.

http://forum.mikrotik.com/viewtopic.php?t=8972

Thank you in advance,
sorin

coffeecoco · Wed Jun 14, 2006 3:09 pm

http://wiki.mikrotik.com/wiki/Improved_ ... e_Gateways

can some one mod this so that it works with 3 gateways now? i have 3 uplinks i figure i got to adjust this some how but i dont know
nth=1,1,0

Eugene · Thu Jun 15, 2006 1:35 pm

for three gateways:
1st rule -- nth=2,4,0
2nd rule -- nth=2,4,1
3rd rule -- nth=2,4,2

Eugene · Thu Jun 15, 2006 1:36 pm

2 Gerard:
The difference might be due to the fact that you are probably using routing and I am using routing-test.

maximan · Fri Jun 16, 2006 1:20 am

for three gateways:
1st rule -- nth=2,4,0
2nd rule -- nth=2,4,1
3rd rule -- nth=2,4,2

@Eugene

the nth for 3 gateway will be:
1st rule --nth=1,3,0
2nd rule --nth=1,3,1
3rd rule --nth=1,3,2

Or i'm wrong???

Maximiliano

eugenevdm · Sun Jun 18, 2006 6:47 am

I have the same question as 'maximan', what about three gateways, and how about 8 gateways?

Edit: Looked at the manual and now I have:

7,?,0
7,?,1
7,?,2
7,?,3
7,?,4
7,?,5
7,?,6
7,?,7

Can someone tell me what to set the counter to?

ManyX · Sun Jun 18, 2006 1:30 pm

very usefull wil by some examples how to build queue tree with load balancing

Eugene · Mon Jun 19, 2006 10:31 am

2maximan:

no, your are wrong

2eugenevdm:

any number you want

Eugene

music · Sat Jun 24, 2006 12:02 am

I hawe 2 gateways from two diferent ISP-s, and have 4 local interfaces for clients from 4 diferent subnets. In your example there's only one local interface.

What do I need to change to make it workable for me?

thx in advance.

Eugene · Sat Jun 24, 2006 12:37 am

mark clients' traffic by source address instead of in-interface

music · Sat Jun 24, 2006 12:45 am

thanks!

zerocool86 · Tue Jun 27, 2006 5:40 pm

hi all!

i have 2 internet conn (more coming) and 1 mt 532...

i've done load balance like you suggest on http://wiki.mikrotik.com/wiki/Load_Balancing
and the 90% of the site that i've tryed works... but... but... 10% have still problem of session persistence

why? Im works great, irc works great, downloads works great, my home banking works great... a stupid webmail (http://www.tiscali.it) DON'T WORK!
my second problem is that now i'm unable to bind some port to single ip (just to give some users highid on emule).. the previous rule don't work anymore and i'm unable to understand why! someone can help me?

zerocool86 · Fri Jun 30, 2006 11:51 pm

someone here?

coffeecoco · Sat Jul 01, 2006 7:18 am

chain=prerouting in-interface=Local protocol=tcp dst-port=443
action=mark-connection new-connection-mark=even passthrough=yes

for example

zerocool86 · Sat Jul 01, 2006 11:59 am

chain=prerouting in-interface=Local protocol=tcp dst-port=443
action=mark-connection new-connection-mark=even passthrough=yes

for example

i don't want to bind a port to a public ip... but to a private ip... just to redirect all traffic incoming port xxx to ip xxx.xxx.xxx.xxx... no matter what is the public ip....

zerocool86 · Mon Jul 03, 2006 2:01 am

janisk · Mon Jul 03, 2006 9:11 am

same as inncom, just do not set in interface.

create 2 rules for tcp and udp and forward ptckets to port wherever you want

zerocool86 · Mon Jul 03, 2006 4:09 pm

i don't understand

chain=prerouting in-interface=Local protocol=tcp dst-port=443
action=mark-connection new-connection-mark=even passthrough=yes

that's a mangle rule.. so how i can forward port? i can't! i have to create a nat rule that handle the traffic and forward to my private ip.... but don't work!!! can someone try to write something complete? i'm going crazy!

i simple want that my users can have high id con emule... so i need to nat 1tcp and 1udp port for each users on their private ip and that will work for both my wan connection... it's possible?

Eugene · Tue Jul 04, 2006 10:07 am

http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent

zerocool86 · Tue Jul 04, 2006 12:17 pm

http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent

it's what i've done... it works fon 95% of site.. for other i've to bind dst address to one gateway to preserve the session persistence.. for that point of view it's all ok

my problem now it's port forwarding

Eugene · Tue Jul 04, 2006 12:37 pm

This example is different, coz it makes persistent sessions and should work 100% of the time.

zerocool86 · Tue Jul 04, 2006 12:51 pm

This example is different, coz it makes persistent sessions and should work 100% of the time.

with load balance you haven't tryed to forward port?? if yes they work?

zerocool86 · Thu Jul 06, 2006 9:18 pm

ehy?

Eugene · Fri Jul 07, 2006 8:24 am

port forwarding works fine with load balancing. Use "Persistent load-balancing example" and define one more address list for forwarded sessions.

Eugene

fireverson · Fri Jul 07, 2006 8:51 am

i think i'm missing some configuration:

i have two dsl modem

my ip for dsl modemare:

192.168.1.35/27 dsl1
192.168.1.66/27 dsl2

and my LAN address is:

192.168.1.30/27

i follow this step http://wiki.mikrotik.com/wiki/Load_Balancing_Persistent
nad i set dhcp-client add-default-route to no

i cant connect to the internet

anyone knows what the problem is?

Eugene · Fri Jul 07, 2006 8:59 am

http://www.catb.org/~esr/faqs/smart-questions.html

fireverson · Fri Jul 07, 2006 9:03 am

sorry i'm just a newbie here

i'm just tryin to solve my problem

Eugene · Fri Jul 07, 2006 1:31 pm

then you have to provide more information about your problem.
(Hint: export of the relevant parts of your config will help).

exploited · Fri Aug 18, 2006 11:00 am

Hi all. I show the wiki "load balancing persistent" , and the other post in this topic. I din't understood this. Who djudjes if an ip is odd or even?
Us I understood (from my bad english) the "odd" and "even" is only names of address lists.

In wiki writes All traffic from customers having their Ip previously placed in address list "odd" , ....

Previously placed from who?

It's mean that is needed to make a list named "odd" and place all the odd address of my lan?

Thanks for any answer..

Eugene · Fri Aug 18, 2006 11:11 am

All addresses on your LAN are automatically classified by the following rules:

/ ip firewall mangle 
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \ 
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
  address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes

The example on the wiki does not require any additional configuration.

exploited · Fri Aug 18, 2006 11:20 am

Thank you so much. May you explain me how it happens the classification with those roules? How an ip classified in odd or even?
...and what is mean the 1d

Thank you

Eugene · Fri Aug 18, 2006 11:27 am

The manual is much more expressive about your question than I could ever be in my life:
http://www.mikrotik.com/docs/ros/2.9/ip/mangle

Eugene

dannyboy · Mon Sep 11, 2006 4:43 am

Hello,

I copy and paste the code to do load balance from the wiki. I than changed ip address with mine. I have problems!!

First problem I have is that in src-nat I only see the nat rule for "Odd" having traffic, the "even" stays in 0 traffic.

Second problem I have is that once I setup my pppoe server, pppoe pool, Clients, ect, and connect, I cant surf at all.

Here is the code:

ip firewall mangle add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection new-connection-mark=odd passthrough=yes

add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing new-routing-mark=odd

add chain=prerouting src-address-list=even in-interface=Local action=mark-connection new-connection-mark=even passthrough=yes

add chain=prerouting src-address-list=even in-interface=Local action=mark-routing new-routing-mark=even

add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 action=mark-connection new-connection-mark=odd passthrough=yes

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes

add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing new-routing-mark=odd passthrough=no

add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 action=mark-connection new-connection-mark=even passthrough=yes

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=even address-list-timeout=1d connection-mark=even passthrough=yes

add chain=prerouting in-interface=Local connection-mark=even action=mark-routing new-routing-mark=even passthrough=no

ip firewall nat add chain=srcnat connection-mark=odd action=src-nat to-addresses=165.98.168.4 to-ports=0-65535

ip firewall nat add chain=srcnat connection-mark=even action=src-nat to-addresses=165.98.144.47 to-ports=0-65535

ip route add dst-address=0.0.0.0/0 gateway=165.98.168.1 scope=255 target-scope=10 routing-mark=odd

ip route add dst-address=0.0.0.0/0 gateway=165.98.144.1 scope=255 target-scope=10 routing-mark=even

ip route add dst-address=0.0.0.0/0 gateway=165.98.144.1 scope=255 target-scope=10

Thanks

Stryker777 · Mon Sep 11, 2006 4:54 am

As soon as you turn on PPPoE your "in interface" no longer is valid because your users are coming in via their dynamic interface that PPPoE creates.

dannyboy · Mon Sep 11, 2006 5:01 am

thank you for your prompt response, so I cant use load balance using PPPOE? Also did you take a lool at the code, did I do something wrong? Why the srcnat only works with the odd packets not the even?

thanks again

Stryker777 · Mon Sep 11, 2006 5:17 am

Are both address lists populating?
Are they populating with the same ips?

coffeecoco · Mon Sep 11, 2006 5:23 am

Hmm, one thing i didnt find in this thread is the fact that you must not set default route, when using dhcp or such other meathods, kind of strange dont you think to have 2 default routes ?

Stryker777 · Mon Sep 11, 2006 5:27 am

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes

Everyone is being added to the odd address list.
Should look like this (needs to be changed on the even also):

add chain=prerouting in-interface=Local connection-mark=odd action=add-src-to-address-list address-list=odd address-list-timeout=1d passthrough=yes

That is all I see at this moment, Im very tired though lol.

Stryker777 · Mon Sep 11, 2006 5:29 am

You set routes based on routing mark.
SInce everything should be marked even or odd those are the only 2 routes needed. They catch everything.

Stryker777 · Mon Sep 11, 2006 5:32 am

One moe thing, you can still load balance with pppoe. You just cant use in interface. Instead use your address range (src address=) so it only deals with your local addresses.
Good night.

dannyboy · Tue Sep 12, 2006 4:02 pm

Hello,

My load balance its working great!!!! Even with pppoe!!! Now I have one more question, I have another WAN I would like to use in my Load Balance router, I have read some of the stuff on this thread but I could not find a sure answer.

add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 action=mark-connection new-connection-mark=odd passthrough=yes

add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 action=mark-connection new-connection-mark=even passthrough=yes

Can you tell me what I would have to change to use a third WAN? I read something about the nth but I realy dont understand, do I just change the nth or do I create a whole new set of rules?

thanks

dannyboy · Tue Sep 12, 2006 6:31 pm

Sorry,

Another thing, I want to have one WAN to be used only for VOIP. I know I have to bond ports 5060-5061 to that wan but How do I do that? Can you explain or send me the code on how to do this?

Thanks

cibernet · Tue Sep 12, 2006 8:18 pm

Sorry,

Another thing, I want to have one WAN to be used only for VOIP. I know I have to bond ports 5060-5061 to that wan but How do I do that? Can you explain or send me the code on how to do this?

Thanks

Use routing marks, and use that's marks to route the traffic to the desired gateway..

Regards

coffeecoco · Wed Sep 13, 2006 12:04 am

chain=prerouting in-interface=Local protocol=tcp dst-port=443
action=mark-connection new-connection-mark=even passthrough=yes

dannyboy · Wed Sep 13, 2006 8:50 am

Hello,

I have put the code to use three WANs buit for some reason only two work... can someone login and tell me whats wrong with this setup?

165.98.168.4
165.98.144.47
165.98.213.25

user help
pass help

Also when I do a speedtest in numion, I get almost 1 meg downloas speed and 250 upload speed, but in the surfing i only get 35.. Why is this happening shouldnt I get a higher rate to surf since I am load balancing the two 512k I have and even more once I get the third one working?

thanks

coffeecoco · Wed Sep 13, 2006 9:14 am

whoops can u goto the mangle rules and re enable the ones that are disabled hehe sorry

dannyboy · Wed Sep 13, 2006 11:26 am

Ok,
Inncom helped me o lot in setting up the load balance between the three Wans... Than we encounter ourselfs in a mission to get Vonage and VOIP to work through only one WAN. For some reason we could not get it to work. I appears that its using two of the Wans when a call its made through a Vonage adapter. What we want to do its to set all VOIP traffic to go through one WAN. I have the ports that we supposed to use,

5060-5061
10000-20000

Can someone help
user help
password help

192.168.144.47
165.98.213.25
165.98.168.4

thanks

yogi · Wed Sep 13, 2006 12:49 pm

5060-5061
10000-20000

The mark should be easy. You are doing it as UDP? Also why are you not just routing the Vonage IP as opposed to the ports?

coffeecoco · Wed Sep 13, 2006 2:03 pm

I honestly tried doing port based ip based even ip range based due to some reason there seems to be a few ip's vonage use for voip still not work, then i was understood that he has 3 modems that dial the pppoe so i began to work out maybe there needs to be port forwarding im not sure. from what i can work out is the voip is using 1 wan port but he has a issue with no sound evey now and then i cant work out it seems to be intermitant if anyone can help him thanks, it seems like a small thing to fix maybe i missed something.

itaol · Wed Sep 13, 2006 10:22 pm

# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; hotspot network
10.5.50.1/24 10.5.50.0 10.5.50.255 Wireless
1 192.168.1.2/24 192.168.1.0 192.168.1.255 Publica

/ ip firewall mangle
add chain=prerouting in-interface=Wireless connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=Wireless connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Wireless connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=Wireless connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no

/ ip firewall nat
add chain=srcnat connection-mark=even action=src-nat to-addresses=192.168.1.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=odd action=src-nat to-addresses=192.168.1.2 \
to-ports=0-65535 comment="" disabled=no

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=odd \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.5 scope=255 target-scope=10 routing-mark=even \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 comment="" \
disabled=no

/ ip route rule
add routing-mark=even action=lookup table=even comment="" disabled=no
add routing-mark=odd action=lookup table=odd comment="" disabled=no

Everything is working, Msn, Https and etc... But the balancing is not working correctly. The traffic is more intense over the 192.168.1.1 gateway.

Note that I am using one interface(192.168.1.2) to access two(192.168.1.1 and 192.168.1.5) gateways.

I don’t know if the problem is on it.

Please, somebody help me.
Sorry for the poor english.

coffeecoco · Thu Sep 14, 2006 12:58 am

your missing code thats why. there is some mangle code your missing copare it to the link provided on the wiki.

mangle rules are missing some code

trtmrt · Thu Sep 14, 2006 6:06 pm

you all must know that loadbalancing via two or more ADSL that have different outgoing IP will not work .. why...

.. thing like MSN, ICQ, ... must have same IP for all the outgoing connection to central ...

exmpl:
if i start MSN it have few connection one is for MSN directory and it's main connection, for transfer of emotion there is another one, file goes by third and cam on 4th ... 5th is for voice

.. all connection will go to different port on MSN central server (s) and if one connection came from different IP

.. you msn is out for 60 sec ... MSN think it is a freaud

try play some online game as knight online, silkroad, or even CS

.. lolo

a) put ADSL1 as dflt rout and then reroute (in preroute) http, ft, smtp, pop3 etc .. that can be reroute'd

b) have some smart per user IP or block of IP routing ..

itaol · Thu Sep 14, 2006 6:47 pm

you all must know that loadbalancing via two or more ADSL that have different outgoing IP will not work .. why...
.. thing like MSN, ICQ, ... must have same IP for all the outgoing connection to central ...

exmpl:
if i start MSN it have few connection one is for MSN directory and it's main connection, for transfer of emotion there is another one, file goes by third and cam on 4th ... 5th is for voice .. all connection will go to different port on MSN central server (s) and if one connection came from different IP .. you msn is out for 60 sec ... MSN think it is a freaud

try play some online game as knight online, silkroad, or even CS .. lolo

a) put ADSL1 as dflt rout and then reroute (in preroute) http, ft, smtp, pop3 etc .. that can be reroute'd

b) have some smart per user IP or block of IP routing ..

----------------------------------
but my Msn, is working without problems... The games online too.
The problem is that the traffic is more intense in the gateway of the 3th rule in the "/ip route". If i change 192.168.1.1 to 192.168.1.5 in the 3th route then the traffic is more intense in the 192.168.1.5.
It's not balancing correctly!

itaol · Thu Sep 14, 2006 7:14 pm

your missing code thats why. there is some mangle code your missing copare it to the link provided on the wiki.

mangle rules are missing some code

Isn't missing anything! that is the configuration of load balance without Persistent Sessions ....

http://wiki.mikrotik.com/wiki/Load_Balancing

Stryker777 · Thu Sep 14, 2006 7:24 pm

It is probably your time out period of 1 day. If you have a heavy user log in, they will get added to one of the three. Then they will stay on it for 1 day. You can shorten that if you want. Then you will see more balancing. One link may be higher here or there but over the course of the day it will come close to average across the links.

itaol · Thu Sep 14, 2006 8:07 pm

I wanna know if the Load Balance will work if the gateways are in the same interface... The ethernet cable is connected to a switch and the two gateways are connected in the switch as well.

coffeecoco · Fri Sep 15, 2006 1:13 am

your missing code thats why. there is some mangle code your missing copare it to the link provided on the wiki.

mangle rules are missing some code

Isn't missing anything! that is the configuration of load balance without Persistent Sessions ....

http://wiki.mikrotik.com/wiki/Load_Balancing

Yea sorry your tight i had the 3 wan in my head for a while and didnt think u was using 2 wans

dannyboy · Fri Sep 15, 2006 4:14 am

Hello,

Looks like the http://wiki.mikrotik.com/wiki/Load_Balancing will work better for me. I am using this config but there is a problem, if I try to login to my router from another location with either of my public ips I am not able to even ping that address. Can someone tell me why or what I need to do to make it work?

thanks

trtmrt · Fri Sep 15, 2006 12:11 pm

do you adsl modem have public ip ? or 192.168.x.y ?

itaol · Fri Sep 15, 2006 4:30 pm

do you adsl modem have public ip ? or 192.168.x.y ?

It is has a Public IP but it is in NAT mode with a rule that redirects all the connections to 192.168.1.2 that is the Mikrotik interface.

dannyboy · Fri Sep 15, 2006 10:29 pm

yes, they are public ip addresses. Also I have a webserver on my network, it used to work fine before I did this config, now it does not work. I use this to show a "no pay" page once users have not paid the bill. This is the code I use:

chain=dstnat dst-address=192.168.10.42 action=dst-nat
to-addresses=192.168.30.254 to-ports=8085

now this code does not work

ip addresses are 165.98.144.47,165.98.168.4,165.98.213.25

you can try to login with user=help pass=help

thanks

dannyboy · Tue Sep 19, 2006 9:08 am

http://wiki.mikrotik.com/wiki/Load_Balancing

I did what is on that link, it works fine when it comes to surfing the net. All my firewall mangle rules are working like they supposed to. Now I created a rule that detects traffic containing ports 5060-5061 udp and ports 10000-20000 udp, I made this rule just like the others "mark routing" It seems to be detecting this traffic fine fine. Once I goto the routes and create a route with the voip routing mark, nothing happends... When I make a call all traffic matching the magle rule should use this route, but it does not happens..

any ideas?

Eugene · Tue Sep 19, 2006 11:49 am

could you provide a snippet of your configuration (in particular /ip firewall export and /ip route export)

Eugene

Stryker777 · Tue Sep 19, 2006 2:36 pm

Sounds like you are missing route rules. Since you are now marking routes you need rules for the look up tables.

Example:

/ ip route rule 
add dst-address=10.33.33.0/29 action=lookup table=main comment="" disabled=no 
add dst-address=10.254.0.0/16 action=lookup table=main comment="" disabled=no 
add dst-address=10.44.44.0/30 action=lookup table=main comment="" disabled=no 


add src-address=10.44.44.0/24 routing-mark=T1 action=lookup table=T1 comment="" disabled=no 
add src-address=10.44.44.0/24 routing-mark=DSL action=lookup table=DSL comment="" disabled=no 
add src-address=10.33.33.0/24 routing-mark=T1 action=lookup table=T1 comment="" disabled=no 
add src-address=10.33.33.0/24 routing-mark=DSL action=lookup  table=DSL comment="" disabled=no

The main table lookups should be the ips of your internal servers.

One more thing, if you are using public ips, they must go out their gateway unless you have BGP running and already have an AS number. Otherwise, this load balancing is only to be used for the people you are masquerading.

dannyboy · Wed Sep 20, 2006 3:39 am

Hello,

How do I create a "snippet"? I am not sure what that is.. If I could make this MT router to be accessed from another public IP it would be great, but since I did the config above I cant login to it from another Public IP address. I am not sure what all the code you sent me will do. Either way can you look at support files or can I send you a backup file and you take a look at it.?

Wed Sep 20, 2006 8:49 am

dannyboy, enter given commands to the terminal:
/ip firewall export
/ip route export

Paste results to the forum, 'export' command will show existing configuration (firewall and route in your case).

dannyboy · Wed Sep 20, 2006 8:09 pm

IP FIREWALL EXPORT

/ ip firewall mangle
add chain=prerouting src-address=192.168.10.0/24 dst-address=10.10.10.0/24 \
action=accept comment="" disabled=no
add chain=prerouting src-address=192.168.10.0/24 dst-address=192.168.10.0/24 \
action=accept comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5060-5061 \
connection-state=established action=mark-routing new-routing-mark=voip \
passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=10000-20000 \
connection-state=established action=mark-routing new-routing-mark=voip \
passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.10.20-192.168.10.50 \
action=mark-routing new-routing-mark=Chinandega1 passthrough=yes \
comment="Chinandega1" disabled=no
add chain=prerouting src-address=192.168.10.60-192.168.10.90 \
action=mark-routing new-routing-mark=Chinandega2 passthrough=yes \
comment="Chinandega2" disabled=no
add chain=prerouting src-address=192.168.10.100-192.168.10.140 \
action=mark-routing new-routing-mark=Corinto passthrough=yes \
comment="Corinto" disabled=no
/ ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 action=masquerade comment="" \
disabled=no
add chain=dstnat src-address=192.168.10.139 protocol=tcp action=dst-nat \
to-addresses=64.118.86.30 to-ports=80 comment="" disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
/ ip firewall filter
add chain=forward p2p=all-p2p connection-state=established action=drop \
comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set gre disabled=no
set pptp disabled=no

IP ROUTE EXPORT

/ ip route
add dst-address=0.0.0.0/0 gateway=165.98.144.1 distance=0 scope=255 target-scope=10 routing-mark=Chinandega1 comment="" \
disabled=no
add dst-address=0.0.0.0/0 gateway=165.98.168.1 distance=0 scope=255 target-scope=10 routing-mark=Chinandega2 comment="" \
disabled=no
add dst-address=0.0.0.0/0 gateway=165.98.213.1 distance=0 scope=255 target-scope=10 routing-mark=Corinto comment="" \
disabled=no
add dst-address=0.0.0.0/0 gateway=165.98.168.1 distance=0 scope=255 target-scope=10 routing-mark=voip comment="" \
disabled=no

leequince · Thu Sep 21, 2006 1:41 am

Ok a funny thing I notice'd, I was still having a high download rate on one connection...

Looking in Connection tracking there was a lot of port 80 dst's from the router with no connection mark.. I am running a HotSpot, hence looked at the default user profile which had transparant proxy enabled.. A question how would I load balance the outgoing conections from the hotspot proxy?

Also do I have my nth values correct for 4 connections.

3,1,0
3,1,1
3,1,2
3,1,3

Ideas if I should change anything..

Cheer Lee

Eugene · Thu Sep 21, 2006 11:16 am

A question how would I load balance the outgoing conections from the hotspot proxy?

Also do I have my nth values correct for 4 connections.

3,1,0
3,1,1
3,1,2
3,1,3

Ideas if I should change anything..

Cheer Lee

use output chain.

nth values are correct.

Eugene · Thu Sep 21, 2006 11:20 am

...

1) you have to disable "passthrough" in your voip rules.

2) you are sending part of the voip connection (packets with established state) through a different gw then the other part of the connection ("new"). I'd say you are very lucky if it works.

Eugene

leequince · Thu Sep 21, 2006 11:58 am

A question how would I load balance the outgoing conections from the hotspot proxy?

Also do I have my nth values correct for 4 connections.

3,1,0
3,1,1
3,1,2
3,1,3

Ideas if I should change anything..

Cheer Lee
use output chain.

nth values are correct.

Cheers.. That works perfectly..

dannyboy · Fri Sep 22, 2006 8:04 am

Hello Eugene,

Well with your help I was able to make the VOIP work. Atleast I got further than before... Now when I make a call I can see that the Tx Rate goes up when I call on the VOIP Ethernet, but on the Rx Rate I get nothing. So some how I have it working one way, hehehe.. Now one question, what is Tx Rate? Is it outgoing traffic to the internet or incoming traffic from the internet? By knowing this I will be able to know if I am using the upload or download part of the bandwidth.

Thanks

dannyboy · Fri Sep 22, 2006 8:21 am

Hello Again,

Got it working!!!! I now have all VOIP going through one specific WAN.. Thanks to Eugene and Sergejs...The trick was to make the mangle rule unset... To unset goto ip firewall mangle and print, than type unset, it will ask for the number and value-name, put connection-state on the value.

Here is the snippet incase someone whats to try it out:

Mangle Rules

/ ip firewall mangle
add chain=prerouting protocol=udp dst-port=10000-20000 action=mark-routing new-routing-mark=Voip passthrough=no comment="" \
disabled=no
add chain=prerouting protocol=udp dst-port=5060-5061 action=mark-routing new-routing-mark=Voip passthrough=no comment="" \
disabled=no
add chain=prerouting src-address=192.168.10.0/24 dst-address=10.10.10.0/24 action=accept comment="" disabled=no
add chain=prerouting src-address=192.168.10.0/24 dst-address=192.168.10.0/24 action=accept comment="" disabled=no
add chain=prerouting src-address=192.168.10.20-192.168.10.50 action=mark-routing new-routing-mark=Chinandega1 \
passthrough=yes comment="Chinandega1" disabled=no
add chain=prerouting src-address=192.168.10.60-192.168.10.90 action=mark-routing new-routing-mark=Chinandega2 \
passthrough=yes comment="Chinandega2" disabled=no
add chain=prerouting src-address=192.168.10.100-192.168.10.140 action=mark-routing new-routing-mark=Corinto \
passthrough=yes comment="Corinto" disabled=no

Routes
/ ip route
add dst-address=0.0.0.0/0 gateway=165.98.144.1 distance=0 scope=255 target-scope=10 routing-mark=Chinandega1 comment="" \
disabled=no
add dst-address=0.0.0.0/0 gateway=165.98.168.1 distance=0 scope=255 target-scope=10 routing-mark=Chinandega2 comment="" \
disabled=no
add dst-address=0.0.0.0/0 gateway=165.98.213.1 distance=0 scope=255 target-scope=10 routing-mark=Corinto comment="" \
disabled=no
add dst-address=0.0.0.0/0 gateway=165.98.213.1 distance=0 scope=255 target-scope=10 routing-mark=Voip comment="" \
disabled=no

The only thing I am having problems with now is that I cant login to my router from a remote pc. I cant even ping my public ips from another public ip since I did the load balance configuration. Any Ideas?

Eugene · Fri Sep 22, 2006 2:03 pm

Hello Again,

Got it working!!!! I now have all VOIP going through one specific WAN.. Thanks to Eugene and Sergejs...The trick was to make the mangle rule unset... To unset goto ip firewall mangle and print, than type unset, it will ask for the number and value-name, put connection-state on the value.

Here is the snippet incase someone whats to try it out:

Congratulations! Could you make this into the wiki?

As for your last problem, you have to add exceptions (rules with action accept)to mangle for traffic going to the router's IP address. Thus all traffic going to/from the router itself would not be load-balanced.

Eugene

dannyboy · Fri Sep 22, 2006 5:34 pm

I realy dont know how to make a wiki, I went into the wiki but could not find a page that tells you how to do it.

About the Ip issue, I am able to login my router from inside my network, the problem is login in from an outside ip address.

Example:
If I am some place else in a diferent computer with a public IP address and I try to connect to one of my public Ip address, I cant even ping my address.

So, when you say add an accept rule I would make the src-address my public Ip addresss? Not sure if thats what you mean.

Thanks

Eugene · Mon Sep 25, 2006 1:33 pm

you have to accept everything with dst-address equal to your public IP.

dannyboy · Tue Sep 26, 2006 8:27 am

Hello,

I did that and still nothing!! cant login or ping my public ips from an outside ip address.

dannyboy · Tue Sep 26, 2006 9:06 am

Why does MT take things off the forum?!!! There was a load balance that I use some where in the wiki, now its not there! This config uses policy routing and you basicaly set mangle rules to do mark routing and than in routes you set the routing mark name to that gateway. It used to be called just "Load Balance" Now its replaced by the Load Balance Presistence.

Dont erase things that people do, its not right for the author niether the user.

thanks

dannyboy

dannyboy · Tue Sep 26, 2006 9:11 am

Sorry, I found it, the problem was that my sister erased my link I had on my desktop and changed it with one I had on my favorites!!! She was smart to put the same name, jejeje thasts why I was getting the new link!!

Sorry Again

klap · Wed Feb 08, 2017 6:45 pm

Well, MY banking and MY instant messaging works, and that is my only point of concern

Indeed, as Christian has pointed out, it does round-robin on all connections, but as I have said, this does not cause any problems ... for me.

To "fix" it to NAT all connections from a particular user to the same IP address, you have to do the following:

/ ip firewall mangle


add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection new-connection-mark=odd passthrough=yes

add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing new-routing-mark=odd 

add chain=prerouting src-address-list=even in-interface=Local action=mark-connection new-connection-mark=even passthrough=yes

add chain=prerouting src-address-list=even in-interface=Local action=mark-routing new-routing-mark=even 

add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
    disabled=no 

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes

add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no comment="" disabled=no 
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes comment="" \
    disabled=no 

add chain=prerouting in-interface=Local action=add-src-to-address-list address-list=even address-list-timeout=1d connection-mark=even passthrough=yes


add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no comment="" disabled=no

Eugene

u say a particular user to the same IP address, where u put wich user or IP add. for this work?
thanks

load balancing for my dual adsl

load balancing for my dual adsl

simple load balancing

Re: simple load balancing

WHAT IS WRONG WITH THIS CODE~~

thanks stryker!!! Its working great!!

Load Balance doesn't work correctly

Ok, here it is

Re: Ok, here it is

Re:

Who is online