Load Balance for LAN
Posted: Wed Mar 13, 2024 10:50 pm
by shevari
Hello there!
I'm just starting my journey with networking and also Mikrotik
For my homelab I wanted to create a simple load balancing for a single local IP to some IP range, e.g.:
192.168.10.1 maps to one of the addresses in 192.168.100.10-192.168.100.20
I have tried to do:
/ip firewall mangle add action=mark-packet chain=prerouting src-address=192.168.10.1 new-packet-mark=k8s-controlplane-lb passthrough=no
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.10.1 packet-mark=k8s-controlplane-lb to-addresses=192.168.100.10-192.168.100.20 random=yes
but unfortunately, I cannot even ping.
Did I miss something?
Re: Load Balance for LAN
Posted: Thu Mar 14, 2024 12:31 am
by tangent
I'm just starting my journey with networking and also Mikrotik
Welcome!
/ip firewall mangle add action=mark-packet…passthrough=no
I know next to nothing about load-balancing trickery, but that seems very wrong to me. Stopping the packet after marking it drops it on the floor. Surely you want it to continue through the packet filter to have a decision applied to it, based on the mark?
If the rule you want applied is that srcnat one, note that it is in the postrouting chain, so it never even gets a chance to act in this configuration.
Study those diagrams carefully!
Re: Load Balance for LAN
Posted: Thu Mar 14, 2024 2:25 am
by anav
A clear set of requirements will lead to an optimal design
a. identify all users/devices that will interact on the network ( internal, external including admin)
b. identify all traffic flows they require
draw a diagram of what you wish to accomplish, identifying devices, WAN, vlans etc.
post your config of what you have accomplished thus far.
Re: Load Balance for LAN
Posted: Thu Mar 14, 2024 3:08 am
by Amm0
The reason @anav asks is that there are MANY ways to do load balancing, and the types of WAN matter. You seem to want to use "packet marking", but in most cases "connection marking" is better. So details matter here.
Mikrotik has a video on the "PCC method" of load balancing:
https://www.youtube.com/watch?v=nlb7XAv57tw
The firewall marking using "prerouting" rules shown in the video is common to all approaches.
Re: Load Balance for LAN
Posted: Thu Mar 14, 2024 3:17 am
by anav
It's not just a matter of details, it's ensuring the OP has a clear understanding of what is required and has an actual plan.
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 3:51 pm
by shevari
Thanks for your response!
My network is really simple
As you can see, I'm working with a /16 mask (VLANs I'll introduce in the future). All of these VMs are in Proxmox, but there is no firewall, NAT, or anything else. The IP addresses are static leases in Mikrotik.
Now, I want to create a simple load balancer on e.g. 192.168.35.1/16 for these machines so LAN for LAN, WAN is no matter in this scheme
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 4:48 pm
by anav
Diagram and included detail is helpful.
However this statement needs to be broken down AS requested - it makes zero sense as stated......
Now, I want to create a simple load balancer on e.g. 192.168.35.1/16 for these machines so LAN for LAN, WAN is no matter in this scheme
Identify users/devices
Identify traffic flow they require.
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 5:41 pm
by shevari
Users/devices are so many - 1, just me
If it comes to the traffic - these servers are K8s nodes, there will be not-so-complicated web servers without any special traffic.
The mentioned IPs connect servers on a diagram to each other and are also accessible by the rest of the network.
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 6:15 pm
by anav
Okay so you want queues then??
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 6:32 pm
by shevari
But queues are not responsible for limiting traffic? I just want to be able to use a single IP to get a response from one of the selected IPs.
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 7:09 pm
by neki
Actually, queues are responsible for limiting traffic. Anyway, I think that you are mixing two different things together; you want something like HAProxy, don't you?
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 7:28 pm
by Amm0
It does seem like a case for a web proxy.
HAProxy is great. I'd also suggest that either caddyserver or Traefik in a container might be a better approach here, since those are a bit simpler than HAProxy. If you search the forum for either, you'll see how to do it on RouterOS. You can also run any of these reverse proxy servers on Proxmox (Google or YouTube may help here).
On the Mikrotik side, it's just a dst-nat rule to allow access to the proxy server. The proxy server then load balances the actual HTTP (the session/application layer, Layer ~5-7)... vs router approaches like packets (Layer 2/3) or connections (Layer 3/4). The proxy server is also handy since both caddyserver and Traefik can automatically deal with ACME SSL certs. So the outside never has to see or know your 3 other VMs – only the proxy server would need direct access, and all other access to them goes via the reverse proxy.
If it's not HTTP, HAProxy may be a better load balancer than caddyserver or Traefik.
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 8:20 pm
by anav
Zing over my head, what is the OP trying to do..... that's not available in queues, for example.
Re: Load Balance for LAN
Posted: Fri Mar 15, 2024 8:48 pm
by Amm0
Zing over my head, what is the OP trying to do..... that's not available in queues, for example.
I think you have a mental block any time "/container" gets mentioned.
We kinda don't know what protocols those VM servers are using – that's the key detail to know here.
But, generally speaking, Proxmox supports containers/"Docker".... so a reverse proxy running there would be a more typical setup... e.g. if you have the 3 similar VMs "doing some work" on Proxmox based on incoming WAN traffic to the "cluster".
Assuming the need is from 1 x WAN to the 3 x VMs and you wanted to do this in RouterOS: the firewall could use PCC or ECMP* – just with the src/dst address flopped from the typical LAN->multiWAN. Since load balancing is from "single-WAN to multi-LAN" (well, IPs)... all the same firewall mangle stuff for PCC applies, just with the src and dst address swapped. And I'd see queues as an "add-on" to PCC, rather than a substitute for PCC (or ECMP*). But if you're already doing a mangle for PCC... you can add a packet mark for use in queues to control latency for sure.
I'm more saying keeping it as a "dst-nat" rule from WAN to some new proxy server on Proxmox may be a simpler approach... than the bunch of firewall mangling needed to do it on the Mikrotik, and these proxies have some UI to manage the load sharing without mucking with PCC (or queues). And, depending on the protocol, some reverse proxies do more checks on liveness and have more options for how to split the incoming load than anything you could do on a Mikrotik.
#ProtocolsMatter
* For ECMP, you'd add a new route table with dst-address=0.0.0.0/0 listed three times, same scope/distance, just each with a different gateway= with the VM's IPs. Then, use some mangle action=mark-routing, based on protocol/port arriving on WAN, to send the needed traffic to the new route table. ECMP will divide the load based only on src-address (dst-address will always be the WAN IP, so not useful for ECMP hashing) – so if the traffic that's getting split up is all coming from one far-end client... ECMP would be a poor choice. e.g. PCC offers a "both-addresses-and-ports" choice, while ECMP does not, just src/dst address.
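As an added example (not posted by anyone in this thread), here is what the "PCC with src/dst swapped" idea from the post above looks like as RouterOS commands, alongside the simpler "one dst-nat to a reverse proxy" alternative from the same post. It spreads new TCP connections arriving for a virtual IP across three backends by marking the connection with PCC in mangle prerouting and then dst-natting on that connection mark. Everything concrete here is assumed for illustration: the VIP 192.168.35.1 and the /16 LAN come from the OP's description, but the backend addresses 192.168.100.10-12, the proxy address 192.168.100.5, the interface name "bridge" and the ports 80/443 are made up.

```routeros
# Added example, not from the thread. Assumptions: router LAN interface is "bridge",
# clients and backends all live in 192.168.0.0/16 (the OP's setup), the service is
# TCP 80/443, backends are 192.168.100.10-12, the VIP is 192.168.35.1.

# 1. The router must own the VIP, otherwise no client packet ever reaches the
#    firewall. Added as a secondary address on the LAN bridge.
/ip address add address=192.168.35.1/16 interface=bridge comment="k8s-lb VIP (assumed)"

# 2. PCC in prerouting, exactly like multi-WAN PCC but keyed on the fixed dst
#    (the VIP) instead of a fixed src. both-addresses-and-ports still hashes the
#    client's source port, so even one client is spread over all three buckets.
#    Only the first packet of a connection (connection-state=new) is classified;
#    conntrack carries the mark for the rest. passthrough=yes lets later mangle
#    rules still see the packet.
/ip firewall mangle
add chain=prerouting dst-address=192.168.35.1 protocol=tcp dst-port=80,443 \
    connection-state=new per-connection-classifier=both-addresses-and-ports:3/0 \
    action=mark-connection new-connection-mark=lb-0 passthrough=yes comment="PCC bucket 0"
add chain=prerouting dst-address=192.168.35.1 protocol=tcp dst-port=80,443 \
    connection-state=new per-connection-classifier=both-addresses-and-ports:3/1 \
    action=mark-connection new-connection-mark=lb-1 passthrough=yes comment="PCC bucket 1"
add chain=prerouting dst-address=192.168.35.1 protocol=tcp dst-port=80,443 \
    connection-state=new per-connection-classifier=both-addresses-and-ports:3/2 \
    action=mark-connection new-connection-mark=lb-2 passthrough=yes comment="PCC bucket 2"

# 3. dstnat runs after mangle prerouting, so the connection mark is already set
#    and each bucket can be sent to its own backend.
/ip firewall nat
add chain=dstnat connection-mark=lb-0 action=dst-nat to-addresses=192.168.100.10 comment="bucket 0 -> .10"
add chain=dstnat connection-mark=lb-1 action=dst-nat to-addresses=192.168.100.11 comment="bucket 1 -> .11"
add chain=dstnat connection-mark=lb-2 action=dst-nat to-addresses=192.168.100.12 comment="bucket 2 -> .12"

# 4. Caveat for the LAN-to-LAN case: client and backend share one subnet, so the
#    backend would answer the client directly with its own address as source and
#    the client would drop the reply (it spoke to the VIP). Masquerading only the
#    dst-natted connections forces the reply back through the router. This hides
#    the real client IP from the backends; a reverse proxy avoids that trade-off.
add chain=srcnat connection-nat-state=dstnat dst-address=192.168.100.10-192.168.100.12 \
    protocol=tcp dst-port=80,443 action=masquerade comment="hairpin for same-subnet backends"

# 5. The simpler alternative from the post above: one dst-nat to a single reverse
#    proxy (HAProxy/Caddy/Traefik, 192.168.100.5 assumed) that balances at layer 7.
#    Disabled here so it does not compete with the PCC rules above.
add chain=dstnat dst-address=192.168.35.1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.100.5 disabled=yes comment="alternative: L7 proxy"
```

To check the spread after sending a few connections from a client, look at the per-rule hit counters with `/ip firewall nat print stats` and at the live connections with `/ip firewall connection print where connection-mark~"lb-"`; each bucket should show traffic. Note this is distribution only: RouterOS does not health-check the backends, so a dead node still receives its third of new connections, which is the liveness point the post makes in favour of a reverse proxy.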