
Alright, here is an example based on the wiki manual from http://wiki.mikrotik.com/wiki/Manual:PCC
Refer to the full scenario and configuration there, this post only discusses changes to the configuration
shown in the manual. All sections that are changed are posted here in their entirety, i.e. the mangle
section here contains the ONLY rules that should exist in the wiki's scenario extended to what is outlined
below.
Now, let's add a web server at 192.168.0.100 that is supposed to be reachable on ports tcp/80 and tcp/443
via both WAN circuits. To give an example for your original requirement of mail being sent out via specific
circuits let's also make up a pretend policy that every time anyone on the LAN connects to 1.1.1.1/32 this
must happen via wlan1, and every time anyone on the LAN connects to 2.2.2.2/32 this must happen via
wlan2.
The port forwarding happens via the usual NAT rules, but you need two rules, one for each WAN
interface. You must also make sure to mark the connection at the time it is being established so you can
route traffic back out that interface. Also, you need to make sure that you don't overwrite the marks
applied at that time later on for return packets when PCC becomes active. This is easily achieved by only
applying PCC rules to previously unmarked connections, this is checked by adding a new qualifier:
connection-mark=no-mark.
The policy routing based on LAN traffic to specific destination IPs (1.1.1.1 and 2.2.2.2) is simple: add
connection marks based on the IPs before the PCC section. Since we've already established that the
PCC rules will be adjusted to only apply to previously unmarked connections, PCC won't re-mark them.
Here is the changed mangle section in its entirety:

Code:

/ip firewall mangle
# standard stuff for router traffic. Doesn't apply to our case since we will later firewall
# filter traffic that would be covered by this, but included as to be complete
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
# don't mark traffic going to directly connected WAN networks
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
# mark web server connections established from WAN to LAN coming in wlan1 accordingly. If you
# have static IPs, you can also refer to them here as dst-address.
add chain=prerouting connection-state=new in-interface=wlan1 protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=wlan1_conn
# mark web server connections established from WAN to LAN coming in wlan2 accordingly
add chain=prerouting connection-state=new in-interface=wlan2 protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=wlan2_conn
# force traffic to 1.1.1.1/32 out wlan1
add chain=prerouting dst-address=1.1.1.1/32 in-interface=Local action=mark-connection \
    new-connection-mark=wlan1_conn passthrough=yes
# force traffic to 2.2.2.2/32 out wlan2
add chain=prerouting dst-address=2.2.2.2/32 in-interface=Local action=mark-connection \
    new-connection-mark=wlan2_conn passthrough=yes
# apply PCC, but only to connections that aren't marked yet
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection \
    new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local \
    per-connection-classifier=both-addresses:2/1 action=mark-connection \
    new-connection-mark=wlan2_conn passthrough=yes
# mark packets from LAN to WAN with routing marks according to their connection marks
add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing \
    new-routing-mark=to_wlan1
add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing \
    new-routing-mark=to_wlan2

And here is the changed NAT section in its entirety, adding the port forwarding for the web server at
192.168.0.100. Forwarding by interface only - that makes it easy to use this for dynamically addressed
interfaces. Replace with IPs if you wish.

Code:

/ip firewall nat
# forward tcp/80 and tcp/443 to 192.168.0.100 on both WAN interfaces
add chain=dstnat in-interface=wlan1 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.0.100
add chain=dstnat in-interface=wlan2 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.0.100
# source NAT all traffic out to the Internet
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade

And the firewall filter rules. This is a very, very simple rule set that assumes that there is no router access
from the WAN, that hosts at 192.168.0.10, .11, and .12 have full administrative access to the router, and
that other LAN hosts can talk to the router for DNS and NTP. DHCP can't be firewalled, so that will be a
service offered to clients. All traffic initiated from LAN to WAN is permitted, traffic from WAN to LAN can
only be initiated to the web server at 192.168.0.100.

Code:

/ip firewall address-list
# create address list of hosts allowed to administrate the router
add list=admin_hosts address=192.168.0.10
add list=admin_hosts address=192.168.0.11
add list=admin_hosts address=192.168.0.12
/ip firewall filter
# statefully firewall traffic to the router
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
# allow services for all LAN clients: DNS and NTP
add chain=input in-interface=Local protocol=udp dst-port=53,123 action=accept
add chain=input in-interface=Local protocol=tcp dst-port=53 action=accept
# allow all router access from admin hosts
add chain=input in-interface=Local src-address-list=admin_hosts action=accept
# default deny
add chain=input action=drop
# statefully firewall traffic through the router
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# allow all traffic from LAN to WAN
add chain=forward in-interface=Local action=accept
# allow tcp/80 and tcp/443 to web server (action=accept is the RouterOS default, made explicit here)
add chain=forward dst-address=192.168.0.100 protocol=tcp dst-port=80,443 action=accept
# default deny
add chain=forward action=drop

This was all written together in a text editor and not tested in a lab, so it may contain errors. It should,
however, get you started.
Please post any corrections back here, or whether it worked for you. Once it is determined to be correct
I'll copy it over to a wiki article since this question comes up a lot. I have no use for PCC so I'm unlikely to
try it out myself.
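The following is an added example and is not code from the post above or from MikroTik: a small Python model of the prerouting mangle rules in the post, used to show why the two PCC rules carry connection-mark=no-mark. Interfaces, marks and addresses follow the post; the router's own addresses, the client addresses (203.0.113.x, 198.51.100.x) and the PCC hash are assumptions. RouterOS does not document its PCC hash, so a SHA-256 stand-in is used; only its determinism matters here.

```python
"""Model of the post's prerouting mangle rules (added example, not MikroTik code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed router addresses (what dst-address-type=local would match)
ROUTER_ADDRS = {"192.168.0.1", "10.111.0.2", "10.112.0.2"}
WAN_NETS = ("10.111.0.", "10.112.0.")       # directly connected WAN networks from the post
WEB_SERVER = "192.168.0.100"


@dataclass
class Packet:
    in_iface: str          # "Local", "wlan1" or "wlan2"
    src: str
    dst: str
    dport: int = 0
    new: bool = False      # connection-state=new


@dataclass
class Conn:
    mark: Optional[str] = None   # connection mark; None is "no-mark"


def pcc(src: str, dst: str, denominator: int, remainder: int) -> bool:
    """Stand-in for per-connection-classifier=both-addresses:D/R (assumed hash, not RouterOS's)."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator == remainder


def mangle_prerouting(pkt: Packet, conn: Conn, pcc_only_unmarked: bool = True) -> Optional[str]:
    """Walk the post's prerouting rules in order; return the routing mark the packet ends up with.

    pcc_only_unmarked=False removes the connection-mark=no-mark qualifier from the PCC rules,
    i.e. the mistake the post warns about."""
    from_lan = pkt.in_iface == "Local"
    # don't mark traffic going to directly connected WAN networks (action=accept ends mangle)
    if from_lan and pkt.dst.startswith(WAN_NETS):
        return None
    # new web server connections arriving on a WAN interface get that interface's mark
    if pkt.new and pkt.dport in (80, 443) and pkt.in_iface in ("wlan1", "wlan2"):
        conn.mark = f"{pkt.in_iface}_conn"
    # policy routing by destination (passthrough=yes, so evaluation continues)
    if from_lan and pkt.dst == "1.1.1.1":
        conn.mark = "wlan1_conn"
    if from_lan and pkt.dst == "2.2.2.2":
        conn.mark = "wlan2_conn"
    # the two PCC rules, each re-checking the connection mark before it fires
    for remainder, mark in ((0, "wlan1_conn"), (1, "wlan2_conn")):
        unmarked = conn.mark is None or not pcc_only_unmarked
        if from_lan and pkt.dst not in ROUTER_ADDRS and unmarked and pcc(pkt.src, pkt.dst, 2, remainder):
            conn.mark = mark
    # routing marks for LAN->WAN packets follow the connection mark
    if from_lan and conn.mark == "wlan1_conn":
        return "to_wlan1"
    if from_lan and conn.mark == "wlan2_conn":
        return "to_wlan2"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the post's scenarios and return the routing mark each packet received."""
    out: Dict[str, Optional[str]] = {}
    # Constructed client, chosen so that PCC would put the server's reply flow on wlan1;
    # roughly half of all client addresses do, so this just makes the failure visible.
    client = next(ip for ip in (f"203.0.113.{i}" for i in range(1, 64))
                  if pcc(WEB_SERVER, ip, 2, 0))
    for qualifier in (True, False):
        conn = Conn()
        syn = Packet("wlan2", client, "10.112.0.2", dport=443, new=True)   # arrives on wlan2
        mangle_prerouting(syn, conn, qualifier)                              # conn -> wlan2_conn
        reply = Packet("Local", WEB_SERVER, client, dport=40000)             # server's answer
        key = "web_reply_" + ("with" if qualifier else "without") + "_no_mark"
        out[key] = mangle_prerouting(reply, conn, qualifier)
    out["lan_to_1.1.1.1"] = mangle_prerouting(Packet("Local", "192.168.0.20", "1.1.1.1", 443, True), Conn())
    out["lan_to_2.2.2.2"] = mangle_prerouting(Packet("Local", "192.168.0.20", "2.2.2.2", 443, True), Conn())
    out["lan_to_wan_net"] = mangle_prerouting(Packet("Local", "192.168.0.20", "10.111.0.5", 22, True), Conn())
    conn = Conn()   # an ordinary LAN->Internet connection keeps its first PCC decision
    out["pcc_first_packet"] = mangle_prerouting(Packet("Local", "192.168.0.20", "198.51.100.7", 443, True), conn)
    out["pcc_later_packet"] = mangle_prerouting(Packet("Local", "192.168.0.20", "198.51.100.7", 443), conn)
    return out


if __name__ == "__main__":
    for name, mark in demo().items():
        print(f"{name:28} {mark}")
```

With the qualifier in place the web server's reply keeps to_wlan2, the interface the client actually talked to; without it the PCC rule overwrites the connection mark on the first reply packet and the answer leaves via wlan1, where masquerade rewrites the source address and the client never sees it.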

This is the real config used in my home router RB750G (5.0rc10) connected to two ISPs over ethernet +
vpn. There are 5 interfaces:

Code:

lan        - ethernet connection to local (home) network
local-isp1 - ethernet connection to ISP1, ip address is assigned via dhcp
local-isp2 - ethernet connection to ISP2, ip address is assigned via dhcp
inet1-isp1 - l2tp connection to ISP1 (10/10 Mbps)
inet2-isp2 - pppoe connection to ISP2 (10/10 Mbps)

So there is one internal and four external interfaces. We expect that there are some static routes obtained
from dhcp. We want to send an outgoing packet to the interface local-isp1 or local-isp2 if there is a
specific static route for that packet in the main routing table. Otherwise we send the packet to the
interface inet1-isp1 or inet2-isp2 using PCC load balancing and failover. Actually we do so-called Russian
pppoe/l2tp. Srcnat is working on all four external interfaces. Incoming connections are allowed for some
services (torrent client). All outgoing packets belonging to incoming connections are sent to the external
interface from which the connection was initiated.
We use queue trees to prioritize all incoming and outgoing traffic via the inet1-isp1 and inet2-isp2 interfaces.
The only reliable way to distinguish p2p traffic from other traffic is to bind all p2p applications to a separate
ip address. Note that we limit all queue trees to 9 Mbps even though we have 10 Mbps internet connections.
This is required for incoming traffic prioritization to work correctly.

Code:
/ip address
add address=192.168.0.1/24 disabled=no interface=lan network=192.168.0.0
/ip dhcp-client
add add-default-route=yes default-route-distance=11 disabled=no interface=\
local-isp1
add add-default-route=yes default-route-distance=12 disabled=no interface=\
local-isp2
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4
add address=10.10.10.10 disabled=no name=retracker.local ttl=1d
/ppp profile
add change-tcp-mss=no name=inet1 only-one=default remote-address=\
127.127.127.101 use-compression=default use-encryption=default use-mpls=\
default use-vj-compression=yes
add change-tcp-mss=no name=inet2 only-one=default remote-address=\
127.127.127.102 use-compression=default use-encryption=default use-mpls=\
default use-vj-compression=yes
/interface l2tp-client
add add-default-route=no allow=chap,mschap1,mschap2 connect-to=10.10.0.70 \
dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 mrru=2048 name=\
inet1-isp1 password=XXXXXXXX profile=inet1 user=XXXXXXXX

/interface pppoe-client
add ac-name="" add-default-route=no allow=chap,mschap1,mschap2 \
dial-on-demand=no disabled=no interface=local-isp2 max-mru=1492 \
max-mtu=1492 mrru=2048 name=inet2-isp2 password=XXXXXXXX profile=\
inet2 service-name="" use-peer-dns=no user=XXXXXXXX
/ip firewall filter
add action=accept chain=input comment="Allow established connections" \
connection-state=established disabled=no
add action=accept chain=input comment=\
"Allow all traffic from the local network" disabled=no in-interface=lan
add action=accept chain=input comment="Allow ICMP packets" disabled=no \
protocol=icmp
add action=drop chain=input comment="Deny all other traffic" disabled=no
add action=accept chain=forward comment=\
"Allow all outgoing traffic received from the local network" disabled=no \
in-interface=lan
add action=jump chain=forward comment=\
"Process incoming traffic going to the local network" disabled=no \
jump-target=forward-in out-interface=lan
add action=drop chain=forward comment="Deny all other traffic" disabled=no
add action=accept chain=forward-in comment="Allow established connections" \
connection-state=established disabled=no
add action=accept chain=forward-in comment="Allow related connections" \
connection-state=related disabled=no
add action=accept chain=forward-in comment=\
"Allow connections to torrent client" disabled=no dst-address=\
192.168.0.13 dst-port=12345 protocol=udp
add action=accept chain=forward-in comment=\
"Allow connections to torrent client" disabled=no dst-address=\
192.168.0.13 dst-port=12345 protocol=tcp
add action=drop chain=forward-in comment="Deny all other traffic" disabled=no
/ip firewall mangle
add action=jump chain=prerouting comment="Choose the outgoing interface for th\
e packets received from the local network" disabled=no in-interface=lan \
jump-target=choose-out-iface
add action=mark-connection chain=prerouting comment="Bind the whole connection\
\_to the interface inet1 if at least one packet\
\nbelonging to the connection is received from the interface inet1" \
disabled=no in-interface=inet1-isp1 new-connection-mark=inet1 \
passthrough=no
add action=mark-connection chain=prerouting comment="Bind the whole connection\
\_to the interface inet2 if at least one packet\
\nbelonging to the connection is received from the interface inet2" \
disabled=no in-interface=inet2-isp2 new-connection-mark=inet2 \
passthrough=no
add action=jump chain=output comment="Choose the outgoing interface for the pa\
ckets originated from the router itself" disabled=no jump-target=\
choose-out-iface
add action=mark-routing chain=choose-out-iface comment="Send the packets belon\
ging to the connection bound to the interface inet1\
\nto the interface inet1" connection-mark=inet1 disabled=no \
new-routing-mark=inet1 passthrough=no
add action=mark-routing chain=choose-out-iface comment="Send the packets belon\
ging to the connection bound to the interface inet2\
\nto the interface inet2" connection-mark=inet2 disabled=no \
new-routing-mark=inet2 passthrough=no
add action=mark-routing chain=choose-out-iface comment="Send some of the packe\
ts belonging to unbound connections to the interface inet2\
\naccording to PCC. All the remaining packets will be sent to the interfac\
e inet1." disabled=no new-routing-mark=inet2 passthrough=no \
per-connection-classifier=both-addresses:2/1
add action=jump chain=forward comment="Adjust tcp mss on vpn connections" \
disabled=no jump-target=tcp-mss-adjust protocol=tcp tcp-flags=syn
add action=jump chain=forward comment=\
"Mark the packets going to the interface inet1 for QoS" disabled=no \
jump-target=qos-inet-out out-interface=inet1-isp1
add action=jump chain=forward comment=\
"Mark the packets received from the interface inet1 for QoS" disabled=no \
in-interface=inet1-isp1 jump-target=qos-inet1-in
add action=jump chain=forward comment=\
"Mark the packets going to the interface inet2 for QoS" disabled=no \
jump-target=qos-inet-out out-interface=inet2-isp2
add action=jump chain=forward comment=\
"Mark the packets received from the interface inet2 for QoS" disabled=no \
in-interface=inet2-isp2 jump-target=qos-inet2-in
add action=change-mss chain=tcp-mss-adjust comment=\
"Adjust tcp mss on the interface inet1" disabled=no new-mss=1420 \
out-interface=inet1-isp1 protocol=tcp tcp-flags=syn tcp-mss=1421-65535
add action=change-mss chain=tcp-mss-adjust comment=\
"Adjust tcp mss on the interface inet1" disabled=no in-interface=\
inet1-isp1 new-mss=1420 protocol=tcp tcp-flags=syn tcp-mss=1421-65535
add action=return chain=tcp-mss-adjust comment=\
"Return to the chain \"forward\"" disabled=no
add action=mark-packet chain=qos-inet-out comment="Mark p2p traffic" \
disabled=no new-packet-mark=inet-out-p2p passthrough=no src-address=\
192.168.0.13
add action=mark-packet chain=qos-inet-out comment="Mark server traffic" \
disabled=no new-packet-mark=inet-out-server passthrough=no src-address=\
192.168.0.5
add action=mark-packet chain=qos-inet1-in comment="Mark p2p traffic" \
disabled=no dst-address=192.168.0.13 new-packet-mark=inet1-in-p2p \
passthrough=no
add action=mark-packet chain=qos-inet1-in comment="Mark server traffic" \
disabled=no dst-address=192.168.0.5 new-packet-mark=inet1-in-server \
passthrough=no
add action=mark-packet chain=qos-inet1-in comment="Mark other traffic" \
disabled=no new-packet-mark=inet1-in-other passthrough=no
add action=mark-packet chain=qos-inet2-in comment="Mark p2p traffic" \
disabled=no dst-address=192.168.0.13 new-packet-mark=inet2-in-p2p \
passthrough=no
add action=mark-packet chain=qos-inet2-in comment="Mark server traffic" \
disabled=no dst-address=192.168.0.5 new-packet-mark=inet2-in-server \
passthrough=no
add action=mark-packet chain=qos-inet2-in comment="Mark other traffic" \
disabled=no new-packet-mark=inet2-in-other passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT on all external interfaces" \
disabled=no out-interface=!lan
add action=dst-nat chain=dstnat comment="Port mapping for torrent client" \
disabled=no dst-port=12345 in-interface=!lan protocol=udp to-addresses=\
192.168.0.13
add action=dst-nat chain=dstnat comment="Port mapping for torrent client" \
disabled=no dst-port=12345 in-interface=!lan protocol=tcp to-addresses=\
192.168.0.13
/routing filter
add action=discard chain=dynamic-in comment=\
"Discard all dynamic default routes" disabled=no invert-match=no prefix=\
0.0.0.0/0
/ip route rule
add action=lookup disabled=no table=main
add action=lookup-only-in-table disabled=no routing-mark=inet2 table=inet2
add action=lookup-only-in-table disabled=no table=inet1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=127.127.127.1 \
routing-mark=inet1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=127.127.127.2 \
routing-mark=inet1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=127.127.127.2 \
routing-mark=inet2 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=127.127.127.1 \
routing-mark=inet2 scope=30 target-scope=10
add comment="Remote host to monitor inet1" disabled=no distance=1 \
dst-address=81.19.66.61/32 gateway=127.127.127.101 scope=10 target-scope=\
10
add comment="Remote host to monitor inet2" disabled=no distance=1 \
dst-address=81.19.67.89/32 gateway=127.127.127.102 scope=10 target-scope=\
10
add comment="Remote host to monitor inet1" disabled=no distance=1 \
dst-address=213.180.193.1/32 gateway=127.127.127.101 scope=10 \
target-scope=10
add comment="Remote host to monitor inet2" disabled=no distance=1 \
dst-address=213.180.199.34/32 gateway=127.127.127.102 scope=10 \
target-scope=10
add comment="Remote host to monitor inet1" disabled=no distance=1 \
dst-address=216.239.32.10/32 gateway=127.127.127.101 scope=10 \
target-scope=10
add comment="Remote host to monitor inet2" disabled=no distance=1 \
dst-address=216.239.34.10/32 gateway=127.127.127.102 scope=10 \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.1/32 \
gateway=213.180.193.1 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.1/32 \
gateway=81.19.66.61 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.1/32 \
gateway=216.239.32.10 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.2/32 \
gateway=81.19.67.89 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.2/32 \
gateway=213.180.199.34 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.2/32 \
gateway=216.239.34.10 scope=10 target-scope=10
/queue type
add kind=pfifo name=vpn pfifo-limit=500
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-out parent=inet1-isp1 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-out parent=inet2-isp2 priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-in packet-mark=\
inet1-in-server,inet1-in-p2p,inet1-in-other parent=lan priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-in packet-mark=\
inet2-in-server,inet2-in-p2p,inet2-in-other parent=lan priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=9M \
max-limit=9M name=inet1-out-server packet-mark=inet-out-server parent=\
inet1-out priority=1 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-out-p2p packet-mark=inet-out-p2p parent=inet1-out \
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-out-other packet-mark=no-mark parent=inet1-out \
priority=4 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=9M \
max-limit=9M name=inet2-out-server packet-mark=inet-out-server parent=\
inet2-out priority=1 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-out-p2p packet-mark=inet-out-p2p parent=inet2-out \
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-out-other packet-mark=no-mark parent=inet2-out \
priority=4 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=9M \
max-limit=9M name=inet1-in-server packet-mark=inet1-in-server parent=\
inet1-in priority=1 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-in-p2p packet-mark=inet1-in-p2p parent=inet1-in \
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet1-in-other packet-mark=inet1-in-other parent=\
inet1-in priority=4 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=9M \
max-limit=9M name=inet2-in-server packet-mark=inet2-in-server parent=\
inet2-in priority=1 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-in-p2p packet-mark=inet2-in-p2p parent=inet2-in \
priority=8 queue=vpn
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=9M name=inet2-in-other packet-mark=inet2-in-other parent=\
inet2-in priority=4 queue=vpn

In short, use the following routing as is. Just replace 127.127.127.101 and 127.127.127.102 with your real
gateways and routing marks "inet1" and "inet2" with your own. Other ip addresses should not be
changed.

Code:
/ip route rule
add action=lookup disabled=no table=main
add action=lookup-only-in-table disabled=no routing-mark=inet2 table=inet2
add action=lookup-only-in-table disabled=no table=inet1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=127.127.127.1 \
routing-mark=inet1 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=127.127.127.2 \
routing-mark=inet1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=127.127.127.2 \
routing-mark=inet2 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=127.127.127.1 \
routing-mark=inet2 scope=30 target-scope=10
add comment="Remote host to monitor inet1" disabled=no distance=1 \
dst-address=81.19.66.61/32 gateway=127.127.127.101 scope=10 target-scope=\
10
add comment="Remote host to monitor inet2" disabled=no distance=1 \
dst-address=81.19.67.89/32 gateway=127.127.127.102 scope=10 target-scope=\
10
add comment="Remote host to monitor inet1" disabled=no distance=1 \
dst-address=213.180.193.1/32 gateway=127.127.127.101 scope=10 \
target-scope=10
add comment="Remote host to monitor inet2" disabled=no distance=1 \
dst-address=213.180.199.34/32 gateway=127.127.127.102 scope=10 \
target-scope=10
add comment="Remote host to monitor inet1" disabled=no distance=1 \
dst-address=216.239.32.10/32 gateway=127.127.127.101 scope=10 \
target-scope=10
add comment="Remote host to monitor inet2" disabled=no distance=1 \
dst-address=216.239.34.10/32 gateway=127.127.127.102 scope=10 \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.1/32 \
gateway=213.180.193.1 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.1/32 \
gateway=81.19.66.61 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.1/32 \
gateway=216.239.32.10 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.2/32 \
gateway=81.19.67.89 scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.2/32 \
gateway=213.180.199.34 scope=10 target-scope=10

add check-gateway=ping disabled=no distance=1 dst-address=127.127.127.2/32 \
gateway=216.239.34.10 scope=10 target-scope=10
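The following is an added example and is not code from the post above or from MikroTik: a Python model of the /ip route rule and /ip route section just posted, showing how the 127.127.127.1 and 127.127.127.2 next hops, the three ping-checked /32 routes behind each of them, and the per-table default routes with distance 1 and 2 combine into failover. Prefixes, gateways, distances and monitor hosts are taken from the post. The route 10.10.0.0/16 via 192.0.2.1 on local-isp1 is an assumption standing in for the "static routes obtained from dhcp", and 127.127.127.101/.102 are treated as on-link next hops of the two VPN interfaces, as the post uses them.

```python
"""Model of the post's route rules and recursive failover routes (added example, not MikroTik code)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[str, str, int]   # (dst prefix, gateway, distance)

ROUTES: Dict[str, List[Route]] = {
    "main": [
        ("10.10.0.0/16", "192.0.2.1", 11),          # assumed DHCP-supplied route, distance 11 as in dhcp-client
        ("81.19.66.61/32", "127.127.127.101", 1),   # remote hosts to monitor inet1
        ("213.180.193.1/32", "127.127.127.101", 1),
        ("216.239.32.10/32", "127.127.127.101", 1),
        ("81.19.67.89/32", "127.127.127.102", 1),   # remote hosts to monitor inet2
        ("213.180.199.34/32", "127.127.127.102", 1),
        ("216.239.34.10/32", "127.127.127.102", 1),
    ],
    "inet1": [("0.0.0.0/0", "127.127.127.1", 1), ("0.0.0.0/0", "127.127.127.2", 2)],
    "inet2": [("0.0.0.0/0", "127.127.127.2", 1), ("0.0.0.0/0", "127.127.127.1", 2)],
}
# The check-gateway=ping /32 routes: a virtual hop stays resolvable while any one of its monitor hosts answers
PING_CHECKED: Dict[str, List[str]] = {
    "127.127.127.1": ["213.180.193.1", "81.19.66.61", "216.239.32.10"],
    "127.127.127.2": ["81.19.67.89", "213.180.199.34", "216.239.34.10"],
}
# On-link next hops: the two VPN peers from the post and the assumed DHCP gateway
CONNECTED = {"127.127.127.101": "inet1-isp1", "127.127.127.102": "inet2-isp2", "192.0.2.1": "local-isp1"}
INET1_MONITORS = set(PING_CHECKED["127.127.127.1"])
INET2_MONITORS = set(PING_CHECKED["127.127.127.2"])


def resolve(gateway: str, up: Set[str]) -> Optional[str]:
    """Map a next hop to an egress interface; None means the route using it is inactive."""
    if gateway in CONNECTED:
        return CONNECTED[gateway]
    # 127.127.127.1/2 resolve (scope 30 -> target-scope 10) through their ping-checked /32 routes,
    # whose gateways, the monitor hosts, resolve through the /32 routes in main
    for host in PING_CHECKED.get(gateway, []):
        if host in up:
            via = lookup("main", host, up)
            if via:
                return via
    return None


def lookup(table: str, dst: str, up: Set[str]) -> Optional[str]:
    """Longest prefix, then lowest distance, among the active routes of one table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for prefix, gateway, distance in ROUTES[table]:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        iface = resolve(gateway, up)
        if iface is None:
            continue
        key = (net.prefixlen, -distance)
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def egress(dst: str, routing_mark: Optional[str], up: Set[str]) -> Optional[str]:
    """Apply the post's three /ip route rules; None means the packet is dropped."""
    iface = lookup("main", dst, up)       # rule 1: action=lookup, falls through when main has no route
    if iface:
        return iface
    if routing_mark == "inet2":           # rule 2: lookup-only-in-table inet2, no further rules
        return lookup("inet2", dst, up)
    return lookup("inet1", dst, up)       # rule 3: everything else, lookup-only-in-table inet1


def demo() -> Dict[str, Optional[str]]:
    """Egress interface for a few scenarios; `up` is the set of monitor hosts currently answering pings."""
    all_up = INET1_MONITORS | INET2_MONITORS
    return {
        "unmarked, all up": egress("8.8.8.8", None, all_up),
        "inet2 mark, all up": egress("8.8.8.8", "inet2", all_up),
        "unmarked, inet1 monitors down": egress("8.8.8.8", None, INET2_MONITORS),
        "inet2 mark, inet2 monitors down": egress("8.8.8.8", "inet2", INET1_MONITORS),
        "unmarked, one inet1 monitor left": egress("8.8.8.8", None, {"216.239.32.10"} | INET2_MONITORS),
        "all monitors down": egress("8.8.8.8", None, set()),
        "ping to inet1 monitor while down": egress("213.180.193.1", None, INET2_MONITORS),
        "dhcp-routed destination, inet2 mark": egress("10.10.5.5", "inet2", all_up),
    }


if __name__ == "__main__":
    for name, iface in demo().items():
        print(f"{name:36} {iface}")
```

Two things the model makes visible: the /32 routes to the monitor hosts live in main without a ping check, so the probes themselves always leave via their own ISP and a failed link can be detected as recovered; and because the inet1/inet2 default routes are only ever resolved through 127.127.127.1 or .2, a link is declared dead only when all three of its monitor hosts stop answering, which keeps a single unreachable host from flapping the whole circuit.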

Re: Load Balancing + Port Forwarding
by spookman Tue Mar 08, 2011 11:44 am
Thanks fewi & forne, I have managed to get it working and now understand why it works and works well.
Another question, maybe for fewi or anyone that can answer.
If I have multiple addresses on an interface like this (WAN1)
10.0.1.2
10.0.1.3
10.0.1.4
connection-mark & routing-mark & PCC

Code:

add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local \
    per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn \
    passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing \
    new-routing-mark=to_WAN1

will traffic coming in on say 10.0.1.2 leave on 10.0.1.2 ?
and traffic leaving on WAN1 leave on 10.0.1.2 ?
And if I am forwarding port to internal servers

Code:

add chain=prerouting connection-state=new in-interface=WAN1 protocol=tcp dst-address=10.0.1.4 \
    dst-port=21,25,80,110,143,443,8080 action=mark-connection new-connection-mark=WAN1_conn

Will this go back out on 10.0.1.4 ?
Or do I have to define a routing mark for each external IP on WAN1 ?
