 
Nic335
newbie
Topic Author
Posts: 25
Joined: Wed Jun 04, 2014 9:20 pm

2 Wan Load Balancing

Wed Dec 02, 2015 6:09 pm

Hi peoples.

I'm getting 2 new connections, and I wanted to "try" a config before the guy comes here and installs both connections, so it can be done in a few minutes.

For easy understanding, I will be using testRouter for the router I'm trying to do load balancing on
and just router for the main router we got here at the moment.
Both are MikroTik.

So what I did is I connected my testRouter to my router using two ports of my testRouter, and assigned 2 IPs, one for each port:
192.168.3.6 and 192.168.3.7
Then I used this tutorial: http://wiki.mikrotik.com/wiki/Improved_ ... e_Gateways
At one point I had a hiccup: for some reason in that guide they are using nth with 3 numbers, and I can only enter 2.
So, I think I managed well; I used 2,1 as it seems to split the traffic equally.

Now there is one thing different between that tutorial and my situation: I have 2 local networks, and internet has to be shared and load balanced for those 2 networks.

Anyhow, I can't get it to work, and I don't really know how to diagnose what is not working.

From my understanding I think it's because of the masquerade rules I inserted, but I think I need those as I will not know what IP I'll get from the ISP, as I'll be put on DHCP.

If I look at my mangle rule counters, traffic looks to be split up okay.
This is my config
	/interface bridge
	add name=Network_1
	add name=Network_2
	/interface ethernet
	set [ find default-name=ether4 ] name=ISP_1
	set [ find default-name=ether5 ] name=ISP_2
	/interface wireless
	set [ find default-name=wlan1 ] band=2ghz-b rx-chains=0 tx-chains=0
	/ip ipsec proposal
	set [ find default=yes ] enc-algorithms=3des
	/ip pool
	add name=Network_1 ranges=192.168.10.10-192.168.10.250
	add name=Network_2 ranges=192.168.11.10-192.168.11.250
	/ip dhcp-server
	add address-pool=Network_1 disabled=no interface=Network_1 name=Network_1
	add address-pool=Network_2 disabled=no interface=Network_2 name=Network_2
	/system logging action
	set 0 memory-lines=100
	set 1 disk-lines-per-file=100
	/interface bridge port
	add bridge=Network_1 interface=wlan1
	add bridge=Network_1 interface=ether2
	add bridge=Network_2 interface=ether3
	/ip address
	add address=192.168.3.6/24 interface=ISP_2 network=192.168.3.0
	add address=192.168.10.1/24 interface=Network_1 network=192.168.10.0
	add address=192.168.3.7/24 interface=ISP_1 network=192.168.3.0
	add address=192.168.11.1/24 interface=Network_2 network=192.168.11.0
	/ip dhcp-client
	add default-route-distance=0 dhcp-options=hostname,clientid interface=ISP_2
	/ip dhcp-server network
	add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
	add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
	/ip dns
	set allow-remote-requests=yes servers=8.8.8.8
	/ip firewall mangle
	add action=passthrough chain=prerouting dst-address=!192.168.0.0/16 in-interface=Network_1
	add action=mark-connection chain=prerouting connection-state=new dst-address=!192.168.0.0/16 in-interface=Network_1 new-connection-mark=OddConnection nth=2,1
	add action=mark-connection chain=prerouting connection-state=new dst-address=!192.168.0.0/16 in-interface=Network_2 new-connection-mark=OddConnection nth=2,1
	add action=mark-connection chain=prerouting connection-state=new dst-address=!192.168.0.0/16 in-interface=Network_1 new-connection-mark=EvenConnection nth=2,2
	add action=mark-connection chain=prerouting connection-state=new dst-address=!192.168.0.0/16 in-interface=Network_2 new-connection-mark=EvenConnection nth=2,2
	add action=mark-routing chain=prerouting connection-mark=OddConnection new-routing-mark=OddRoute
	add action=mark-routing chain=prerouting connection-mark=EvenConnection new-routing-mark=EvenRoute
	/ip firewall nat
	add action=masquerade chain=srcnat out-interface=ISP_1 routing-mark=OddRoute
	add action=masquerade chain=srcnat out-interface=ISP_2 routing-mark=EvenRoute
	/ip route
	add distance=1 gateway=ISP_1 routing-mark=OddRoute
	add distance=1 dst-address=192.168.3.0/24 gateway=ISP_1 routing-mark=OddRoute scope=10
	add distance=1 gateway=ISP_2 routing-mark=EvenRoute
	add distance=1 dst-address=192.168.3.0/24 gateway=ISP_2 routing-mark=EvenRoute scope=10
	add distance=1 gateway=192.168.3.1
Can anyone help me?
Thanks in advance.
 
Nic335
newbie
Topic Author
Posts: 25
Joined: Wed Jun 04, 2014 9:20 pm

Re: 2 Wan Load Balancing

Wed Dec 02, 2015 10:51 pm

Now I just tried to do this with the PCC method.
Still no luck.

help Anyone :?

PCC method config (I removed one local network):
/interface ethernet
set [ find default-name=ether2 ] name=Lan1
set [ find default-name=ether3 ] name=Lan2
set [ find default-name=ether4 ] name=Wan1
set [ find default-name=ether5 ] name=Wan2
set [ find default-name=ether1 ] disabled=yes
/ip pool
add name=Lan1 ranges=192.168.10.10-192.168.10.250
add name=Lan2 ranges=192.168.11.10-192.168.11.250
/ip dhcp-server
add address-pool=Lan1 disabled=no interface=Lan1 name=Lan1
add address-pool=Lan2 disabled=no interface=Lan2 name=Lan2
/ip address
add address=192.168.3.6/24 interface=Wan2 network=192.168.3.0
add address=192.168.3.7/24 interface=Wan1 network=192.168.3.0
add address=192.168.10.1/24 interface=Lan1 network=192.168.10.0
add address=192.168.11.1/24 interface=Lan2 network=192.168.11.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall mangle
add action=mark-connection chain=prerouting comment=ISP1 connection-mark=no-mark in-interface=Wan1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting comment=ISP2 connection-mark=no-mark in-interface=Wan2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Lan1 new-connection-mark=ISP1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Lan1 new-connection-mark=ISP2_conn per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=Lan1 new-routing-mark=ISP1
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=Lan1 new-routing-mark=ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=ISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Wan1
add action=masquerade chain=srcnat out-interface=Wan2
/ip route
add distance=1 gateway=Wan1 routing-mark=ISP1
add distance=1 gateway=Wan2 routing-mark=ISP2
add distance=1 gateway=Wan1
Also I don't mind using another method. What is important is that my two subnets on two different ports have load-balanced internet.

thanks
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: 2 Wan Load Balancing

Tue Dec 08, 2015 5:22 pm

Just some observations on your PCC config Nic335...

Not sure which way you are 'expecting' traffic to originate, e.g., are there servers behind your router that you expect to have publicly accessible IP addresses or is this pretty much 'users' going to the Internet through your router. It doesn't make a lot of difference, mostly in efficiency of your config.

If it's just users then I would suggest that you start with marking the connections coming in your LAN interfaces first. Then you can mark any incoming traffic that does not already have a mark that is coming in your WAN interfaces - more efficient, less wasted cpu cycles.

Once you have a connection mark there is really no need to specify an 'in-interface' again. You can just use, "action=mark-routing chain=prerouting connection-mark=ISP1_conn new-routing-mark=ISP1".

Under IP Route, I did not see any routing rules which would be required for your setup to work.....

I expected to see entries like this:
/ip route
(A default gateway entry in table main looks like this);
check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.9 scope=30 target-scope=10
Notice there is no routing mark attached - this means the entry is in table 'main'.

(A routing table entry looks like this);
check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-mark=ether9 scope=30 target-scope=10
The routing mark, ether9, 'makes' a routing table. There in the routing table you put the routes that you want to use for that table.

/ip route rule
Here is where you put the rules for your routing marks. They look like this;
action=lookup disabled=no dst-address=0.0.0.0/0 routing-mark=ether9 table=ether9

In /ip route rule you can also just specify IP address(es) and when the src and/or dst address matches your criteria then the table specified will get used, i.e.,
action=lookup disabled=no dst-address=10.0.100.0/24 src-address=0.0.0.0/0 table=ether9
This will use the routing table 'ether9', but notice that there is no 'routing-mark' in this rule.

I know a lot of folks advocate using the defaults when doing a lot of these types of entries but I have found through the years that if you tell ROS what you want to do instead of leaving it up to ROS to decide what to do, that you will have fewer issues as you upgrade ROS over time. What I am talking about are the entries like 'dst-address=0.0.0.0/0', the default in ROS is 0.0.0.0/0, but that default doesn't always make it as you upgrade. I don't know why, I just know that not having my 'own' default in there has caused me issues at different times over the years, and these issues are not always readily evident. Just my two cents worth.

The order of any rule in ROS IS important, so keep that in mind.

Hope this helps point you in the right direction Nic335.

Thom
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: 2 Wan Load Balancing

Tue Dec 08, 2015 9:29 pm

In addition to Galaxynet's good advice, you should remove the route-mark match criteria from your masquerade rules.

The masquerade rules have nothing to do with the load balancing / load sharing. That's strictly the mangle and routing tables' job. If a packet is going out isp-1's interface, then the only thing it could possibly have for the SRC IP address is the IP from ISP-1, and likewise for ISP-2. The NAT table doesn't need any more criteria than the interface.

If you keep the tasks strictly in the sections that are designed for them, then you don't get strange things. For instance, if you want to map port 8080 to some internal device, but only from your office's IP address, don't put the office's IP address in the NAT rule - make the NAT rule work for the entire Internet. Limit the access to port 8080 with a filter rule.
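
Added example, not part of ZeroByte's post or of the thread's configs: the separation described above written as RouterOS rules, with the mixed form shown commented out for comparison. Interface names Wan1/Wan2 come from the PCC config earlier in the thread; the office address 203.0.113.10 and the internal device 192.168.10.50 are constructed placeholders.

```routeros
# Added example. Addresses marked "constructed" are placeholders, not from the thread.

# --- Mixed form (for comparison, left commented out) ---
# The access decision is hidden inside the NAT rule. Packets from any other
# source are simply not translated and continue to the router's own input
# chain on port 8080, so what happens to them depends on unrelated rules.
# /ip firewall nat
# add chain=dstnat action=dst-nat in-interface=Wan1 protocol=tcp dst-port=8080 \
#     src-address=203.0.113.10 to-addresses=192.168.10.50 to-ports=8080

# --- Separated form ---
/ip firewall nat
# Outbound NAT: the out-interface is the only criterion, no routing-mark.
add chain=srcnat action=masquerade out-interface=Wan1
add chain=srcnat action=masquerade out-interface=Wan2
# Port mapping: translate only, for any source address.
add chain=dstnat action=dst-nat in-interface=Wan1 protocol=tcp dst-port=8080 \
    to-addresses=192.168.10.50 to-ports=8080 comment="map 8080 (constructed target)"

/ip firewall filter
# Replies and related traffic for connections that were already allowed.
add chain=forward action=accept connection-state=established,related
# The access decision lives here: only the office may reach the mapped port.
# In the forward chain the destination is already the translated address.
add chain=forward action=accept connection-nat-state=dstnat protocol=tcp \
    dst-port=8080 src-address=203.0.113.10 dst-address=192.168.10.50 \
    comment="office only (constructed IP)"
# Any other new connection arriving on a WAN port is dropped, which includes
# dst-nat'ed connections from sources other than the office.
add chain=forward action=drop in-interface=Wan1 connection-state=new
add chain=forward action=drop in-interface=Wan2 connection-state=new
```

Filter rules are evaluated top to bottom, so the office accept rule has to stay above the two WAN drop rules.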
