curl ifconfig.me
redacted

> I'm not sure what strategy it uses. I followed the instructions on https://www.youtube.com/watch?v=DDMD1GVg84M It just seemed to work.

This setup uses ECMP load balancing for connections initiated from the LAN or the router itself, and makes sure that incoming requests to the router itself (like VPN connections initiated by a remote client, or remote management connections via WAN) are responded to via the same WAN through which they arrived. ECMP load balancing iterates the list of gateways on the chosen route using round robin, hence in your case every odd connection uses one gateway and every even one uses the other; I'm not sure whether that is still the case if both the source IP and the destination IP of the connection are the same, i.e. whether the routing cache is somehow linked with connection tracking and thus also takes source and destination ports into account.
When I do `curl ifconfig.me` several times, I get returned different IPs. It almost alternates between ISP1 and ISP2 IPs evenly.
My config is below
> I was hoping something like this. I know my maximum upload bandwidth is 5 Mbit per ISP. If for ISP1 I'm using 70% of the upload bandwidth, and for ISP2 I'm using 30% of the upload bandwidth, then the new upload should use ISP2. Is this an unrealistic expectation?

I'm afraid that watching the current traffic volume at each uplink and choosing the least loaded one (in % of its maximum capacity) for a new connection would be too much work for too little effect, as the networking environment is very dynamic. So even if you measure the currently occupied bandwidth every second (which is about the fastest pace you can obtain using scripts), during that second tens to hundreds of existing connections can finish and tens to hundreds of new ones can emerge. Plus each connection usually requires a different bandwidth, as the speed accommodates to the bandwidth available at the bottleneck of the path between the endpoints (client and server). So the best you can do is to distribute the connections evenly (taking the absolute bandwidth into account, i.e. if you have a 100 Mbit/s link and a 20 Mbit/s link, "evenly" means 5:1) and hope that statistically, it will work as needed. Where the upload/download ratios differ between the uplinks (like 50/50 and 20/4), there's no "ideal" strategy.
> So is the recommended approach to abandon ECMP and instead use PCC?

As for me, yes. But it will cost you a bit of CPU power, as mangling is incompatible with fasttracking (which is only used for forwarded packets, not for connections to/from the router itself). So depending on your Mikrotik model, the consequences may vary from "unnoticed" to "unusable".
> Will this allow me to distribute the connections evenly?

Yes
> Can I make the distribution ratio different for download and upload?

No, because connections almost always use both directions (even where the payload as such goes in only one direction, some control packets like TCP ACK must be sent in the opposite direction). There are few exceptions to this (an audio/video stream in UDP may theoretically not need the reverse channel). And the choice of WAN has to be made when the very first packet of the connection is handled, and at that moment it is not known yet whether the connection will be used for upload or for download; later, while the connection is already running, the router could compare the download and upload rates, but it cannot change the WAN used by an ongoing connection if there is src-nat anywhere on the way between the endpoints, because the remote server associates the public IP of that WAN with that connection. So it would ignore packets coming from another address, and it keeps sending to the address from which the initial request came.
redacted

I think speedtest.net uses multiple connections for download. That is where I saw more than 50 Mbit. But yeah, for the rest I get it. I just need help to change my config to PCC now. Can you help me with that please? I am not sure how to adapt my VLANs and bridge to the PCC example.

I don't use NAT right now. I just have a Mikrotik VPN server setup. People VPN first, grab a local IP, and connect to internal servers.

So if this is the case I should use ECMP? Then is what I currently have what I can have as the ideal setup?
/ip firewall nat
add action=masquerade chain=srcnat \
src-address=10.0.0.0/8
add action=masquerade chain=srcnat out-interface="TTNET1 VLAN"
add action=masquerade chain=srcnat out-interface="TTNET2 VLAN"
/interface l2tp-server
add name="AHMET VPN" user=ahmet
/ppp profile
add bridge="SWITCH BRIDGE" local-address="104 TRUSTED POOL" name="VPN PROFILE" \
remote-address="104 TRUSTED POOL"
/interface l2tp-server server
set default-profile="VPN PROFILE" enabled=yes use-ipsec=\
yes
/ppp secret
add name=ahmet profile="VPN PROFILE"
> I have many VLANs and a bridge. I am not sure how to apply the PCC example on the Mikrotik wiki.

The per-connection-classifier just provides always the same result (match or mismatch) for all the packets belonging to the same connection, because it calculates a hash from source address, source port, destination address, and destination port (a combination of which is the same for each connection). There are cases where it is better not to include some of these identifiers in the hash, but we'll get to these later.
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address=!10.0.0.0/8 \
in-interface-list="!WAN" new-routing-mark="TTNET1 ROUTING" \
passthrough=no per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting disabled=yes dst-address=!10.0.0.0/8 \
in-interface-list="!WAN" new-routing-mark="TTNET2 ROUTING" \
passthrough=no per-connection-classifier=both-addresses-and-ports:2/1
> All I have to do is to have this on my mangle, and remove existing records.

Nope, if you should have removed the existing mangle rules, I would have said that. You cannot remove the ones added based on the video (mangle chains input and output) because this would prevent your VPN server from working.

> Nothing else? The routing rules stay the same?

Routes stay the same; I don't know whether you use any routing rules as you haven't posted them. And yes, nothing else to be added, nothing to be removed.

> I am afraid it did not work. When I had these, none of the servers were able to access the internet.

That's strange. Post your complete configuration export following the hint in my automatic signature just below. Obfuscate also the usernames of the VPN users before posting.
redacted
/interface list member
add interface="TTNET1 VLAN" list="WAN"
add interface="TTNET2 VLAN" list="WAN"
redacted
redacted
dst-address-type=!local
dst-address=!10.0.0.0/8
redacted

> For some reason, when dst-address-type=!local is used, things stop working as well.

This is a popular misunderstanding, likely powered by a no less popular wishful thinking.

> Just adding dst-address=!10.0.0.0/8 didn't work either.

Could it be that the servers themselves are checking availability of the gateways (192.168.x0.1)? Since there are no ports in the ICMP protocol itself, it could be that the check pings always got delivered to the "wrong" gateway thanks to the routing-mark (if so, swapping the 2/0 and 2/1 values between the rules would make it work).
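The three behaviours the replies in this thread rely on (the classifier hashes a connection's addresses and ports, so every packet of one connection lands on the same WAN; unequal uplinks get an unequal split such as 5:1 via a larger denominator; and a ping, which has no ports, from one server to one gateway always gets the same mark, which swapping the 2/0 and 2/1 rules flips) can be modelled in a few lines. The Python below is an added example written for this edit; it is not RouterOS code and was not posted in the thread. The real RouterOS hash is not public, so SHA-256 over the selected fields is an assumed stand-in; treating portless protocols as hashing the addresses only is also an assumption, the client and server addresses are constructed, and the non-PCC conditions of the posted rules (dst-address, in-interface-list) are not modelled.

```python
"""Model of the per-connection-classifier (PCC) behaviour discussed above.

Added example, not RouterOS code and not anything posted in the thread. The
hash used by RouterOS is not public, so SHA-256 over the selected fields is an
assumed stand-in; it only has to share the property the thread relies on:
every packet of one connection yields the same value, so the whole connection
lands on the same WAN. Protocols without ports (ICMP) are modelled as hashing
the addresses only, which is also an assumption.
"""
import hashlib
from collections import Counter


def pcc_value(src, dst, sport=None, dport=None,
              classifier="both-addresses-and-ports"):
    """Classifier value for one connection (assumed SHA-256 stand-in).

    sport/dport are None for a protocol without ports (e.g. ICMP); those
    fields then contribute nothing, so only the addresses decide the result.
    """
    if classifier == "both-addresses-and-ports":
        parts = (src, dst, sport or 0, dport or 0)
    elif classifier == "both-addresses":
        parts = (src, dst)
    elif classifier == "src-address":
        parts = (src,)
    elif classifier == "dst-address":
        parts = (dst,)
    else:
        raise ValueError("unknown classifier: %s" % classifier)
    digest = hashlib.sha256("|".join(str(p) for p in parts).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def choose_wan(rules, src, dst, sport=None, dport=None):
    """Walk mangle rules in order; passthrough=no means the first match wins.

    Each rule is (classifier, denominator, remainder, routing_mark), mirroring
    per-connection-classifier=<classifier>:<denominator>/<remainder>.
    Returns None when no rule matches (the packet keeps the main table).
    """
    for classifier, denominator, remainder, mark in rules:
        if pcc_value(src, dst, sport, dport, classifier) % denominator == remainder:
            return mark
    return None


# The two rules from the thread, PCC part only (their dst-address and
# in-interface-list conditions are not modelled here).
RULES_2_WAY = [
    ("both-addresses-and-ports", 2, 0, "TTNET1 ROUTING"),
    ("both-addresses-and-ports", 2, 1, "TTNET2 ROUTING"),
]

# Same split but ignoring ports: every connection between one pair of hosts
# then lands on the same WAN, whatever ports it uses.
RULES_BY_ADDRESSES = [
    ("both-addresses", 2, 0, "TTNET1 ROUTING"),
    ("both-addresses", 2, 1, "TTNET2 ROUTING"),
]

# 5:1 split for a 100 Mbit/s and a 20 Mbit/s uplink: remainders 0-4 of a
# denominator of 6 go to the fast link, remainder 5 to the slow one.
RULES_5_TO_1 = ([("both-addresses-and-ports", 6, r, "FAST") for r in range(5)]
                + [("both-addresses-and-ports", 6, 5, "SLOW")])


def swap_marks(rules):
    """Swap the marks of a two-rule set (the 2/0 <-> 2/1 swap suggested above)."""
    (c1, d1, r1, m1), (c2, d2, r2, m2) = rules
    return [(c1, d1, r1, m2), (c2, d2, r2, m1)]


def distribution(rules, n_hosts=20, n_ports=300, dst="203.0.113.10", dport=443):
    """Count connections per mark for constructed clients 10.0.1.1-20, each
    opening n_ports connections to one server (addresses are assumptions)."""
    counts = Counter()
    for h in range(n_hosts):
        src = "10.0.1.%d" % (h + 1)
        for sport in range(40000, 40000 + n_ports):
            counts[choose_wan(rules, src, dst, sport, dport)] += 1
    return counts


def per_host_marks(rules, n_hosts=20, n_ports=300, dst="203.0.113.10", dport=443):
    """For each client host, the set of marks its n_ports connections received."""
    result = {}
    for h in range(n_hosts):
        src = "10.0.1.%d" % (h + 1)
        result[src] = {choose_wan(rules, src, dst, sport, dport)
                       for sport in range(40000, 40000 + n_ports)}
    return result


def gateway_check_mark(rules, server="10.0.1.5", gateway="192.168.10.1"):
    """Mark a ping (no ports) from a server to an ISP gateway receives.

    Every such ping hashes identically, so it always gets this one mark; if
    that mark routes via the other ISP, the availability check fails.
    """
    return choose_wan(rules, server, gateway)


if __name__ == "__main__":
    print("2-way split:", dict(distribution(RULES_2_WAY)))
    print("5:1 split:  ", dict(distribution(RULES_5_TO_1)))
    print("ping mark:  ", gateway_check_mark(RULES_2_WAY),
          "-> after swap:", gateway_check_mark(swap_marks(RULES_2_WAY)))
```

Running it shows the 6000 constructed connections splitting close to 50/50 under the posted 2/0 and 2/1 rules and close to 5:1 under the denominator-6 rules, while with `both-addresses` every host's connections all land on one WAN. The ping check is the interesting failure mode: which WAN the server's pings to 192.168.10.1 take is fixed by the hash, not by where that gateway lives, so the mark is wrong for one of the two gateways unless the rules happen to line up, which is why swapping the two marks can make the check work.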
However, when I tried
/ip firewall address-list
add address=10.0.0.0/8 list=LOCAL-SUBNETS
add address=192.168.20.0/24 list=LOCAL-SUBNETS
add address=192.168.10.0/24 list=LOCAL-SUBNETS
192.168.xx.yy is not part of my local network really. They are just the subnets for the modem and the DHCP client. I was assuming !local had the same effect. But maybe not.

> Now that this is working, why do I directly mark routes, rather than first mark connections and then routes just like the examples? Is there a difference?

Connection marking has two main purposes:

> Is this possible?

Of course it is. For this purpose, you'll have 4 routing tables: