MikroTik

Posted: **Thu Mar 20, 2014 2:35 pm**

hi, a major help, I have run the configuration that I posted.

/ip address
add address=192.168.10.1/24interface=Local
add address=192.168.1.2/24 interface=WAN1
add address=192.168.2.2/24 interface=WAN2

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.4.4,8.8.8.8

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_mark
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_mark

add chain=output connection-mark=WAN1_mark action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=WAN2_mark action=mark-routing new-routing-mark=to_ISP2

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_mark passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_mark passthrough=yes

add chain=prerouting connection-mark=WAN1_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=WAN2_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP2

/ip route
add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
add dst-address=72.30.2.43 gateway=192.168.1.1 scope=10
add dst-address=8.8.4.4 gateway=192.168.2.1 scope=10
add dst-address=199.59.148.82 gateway=192.168.2.1 scope=10

/ip route
add dst-address=10.1.1.1 gateway=8.8.4.4 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=72.30.2.43 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=8.8.8.8 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=199.59.148.82 scope=10 target-scope=10 check-gateway=ping

/ip route
add distance=1 gateway=10.1.1.1 routing-mark=to_ISP1
add distance=2 gateway=10.2.2.2 routing-mark=to_ISP1
add distance=1 gateway=10.2.2.2 routing-mark=to_ISP2
add distance=2 gateway=10.1.1.1 routing-mark=to_ISP2

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

everything is fine and works perfectly, the only thing that bothers me and that when I go on websites such FORUM, BLOG, ticket system, I am always thrown out because of the quick change of IP load balancing.

how can I fix it? please help me use the connection to work.

thanks in advance

Posted: **Sat Mar 22, 2014 5:40 pm**

please help

Posted: **Sun Mar 23, 2014 2:10 am**

You must increase you max UDP packet size. I recommend 4096. You will have truncated answers with 512. Also you will end up with DNS amplification attacks against your router if you have an open DNS. Either block UDP 53 from wan or limit it.

Connections are unidirectional so you don't need to match them in and out. Also your marking all packets with connection marks. Either only mark with a state of new or that are not already marked.

I think these changes could help. Honestly there is a lot here that I don't know the reason for but I think the big deal is that your re marking your connections.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

Posted: **Sun Mar 23, 2014 11:30 am**

thank you I'll try I want to clarify that I have a line from 4 to 7 mb mb and now I'll try to take your advice. thank you very much

Posted: **Sun Mar 23, 2014 11:35 am**

hello it seems that the problem is solved, a question but I have to block UDP port 53?

Posted: **Sun Mar 23, 2014 11:40 am**

one last piece of information to do this I need to follow this wiki?

http://wiki.mikrotik.com/wiki/DDoS

Posted: **Sun Mar 23, 2014 12:46 pm**

well it seems that the problem is solved now but I do not understand why I can not put in the bridge Ether3 that is the one that has the ip with ether4 ether5, could you tell me the script to be taken pr to go with the bridge ether4 and ether5 number 3

Posted: **Sun Mar 23, 2014 4:44 pm**

hello, I'm sorry to say but this system did not work, he continues to throw me out of sites such as forums, blogs etc etc, it seems that the latency in changing the ip in load balancing, how can I solve it?

Posted: **Thu Mar 27, 2014 12:54 am**

hello, I can not let go of this load balancing, basically I change the remote ip of continuous ip ip1 and quellodi ISP2 and causes me to fall free from the websites you forums, blogs etc etc, you could kindly tell me a solution? are also willing to let you remotely access my routerboard, if anyone can help me please, because I can not work.

thank you in advance

Posted: **Sat Mar 29, 2014 8:32 pm**

Good evening to all, please help, I do not know why the configuration with load balancing everything works perfect, but I can not loggarm, on the forum, or makes me constantly logout, you could kindly tell me how can I solve this problem

Posted: **Sun Mar 30, 2014 10:38 pm**

i need 4 wan folover

Posted: **Sat Apr 05, 2014 7:26 pm**

i need 4 wan folover

You should use PCC load balancing... here is a great writeup that should help:
http://mum.mikrotik.com/presentations/US12/steve.pdf

Posted: **Sun Apr 06, 2014 7:55 pm**

This guide assumes the following:

"ISP1" is your 1st wan connection name
"ISP2" is your 2nd wan connection name
"LAN" is your local network name

"ISP1" recieves the IP 111.111.111.1/24 on the network 111.111.111.0/24
"ISP2" recieves the IP 222.222.222.1/24 on the network 222.222.222.0/24

1. If your ISP assigned IP's via DHCP be sure to do the following (if they are assigned static move to step 2):

Log into the routeros webfig or winbox:

IP
DHCP Client
Click on your first WAN DHCP client
Change "add default gateway" to no
Repeat the same for your second WAN connection

2. Remove current routing rules

IP
Firewall
Nat
Remove the entry for "masquerade" to your current single ISP.

3. SSH into your router and run the following script:

/ ip firewall mangle
add chain=prerouting dst-address=111.111.111.0/24  action=accept in-interface=LAN
add chain=prerouting dst-address=222.222.222.0/24  action=accept in-interface=LAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1     
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=111.111.111.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 distance=2 check-gateway=ping

/ ip firewall nat 
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

This script assumes that you have 2 equal WAN connections(ex. two 7/1 DSL lines). If you have unbalanced connections you can modify the section of the script that defines how the traffic is balanced. That starts on line 6.

For example I have a 45/6 connection and a 30/6 connection and I have the following lines( Note that there are 5 lines and the first one starts at 5/0 and moves on from there):

add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/2 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/3 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/4 action=mark-connection new-connection-mark=ISP1_conn

The PCC method automatically does failover. All around good way to load balance 2 connections. You can also balance more connections by configuring the script correctly.

MikroTik

HELP IP-FAILOVER WITH LOAD BALANCING

HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING

Re: HELP IP-FAILOVER WITH LOAD BALANCING