Sunday, November 30, 2008

Load-balancing and Fail-over in Mikrotik

Conditions: an ISP where we work as the administrator uses more than one gateway to connect to the internet. Every gateway must be able to carry both upstream and downstream traffic. The case is different when a link can only carry downstream traffic, for example a one-way VSAT DVB link.

For this case the ISP has 2 links to the internet. One uses DSL access (256kbps) and the other uses Wireless (512kbps), so the DSL:Wireless ratio is 1:2.

What will be done:

1. Use all available gateway channels with the load-balancing technique.
2. Make one of them a backup with the fail-over technique.

Ok. Let's just start:

1.
IP address for access to the LAN:
>/ip address add address=192.168.0.1/28 interface=LAN
IP address for access to the DSL line:
>/ip address add address=10.31.57.253/29 interface=DSL
IP address for access to the Wireless link:
>/ip address add address=10.9.8.2/29 interface=Wireless

Specify the gateway for each link (the Wireless gateway is listed twice to match the 1:2 ratio):
>/ip route add gateway=10.32.57.254,10.9.8.1,10.9.8.1

2.
For the fail-over technique, assume the main route goes through the Wireless link, with the DSL line as backup when the main route cannot be reached. To check whether the main gateway is reachable or not, use check-gateway=ping.
>/ip firewall mangle add chain=prerouting src-address=192.168.0.0/28 action=mark-routing new-routing-mark=SUBNET1-RM
>/ip route add gateway=10.9.8.1 routing-mark=SUBNET1-RM check-gateway=ping
>/ip route add gateway=10.32.57.254

PCQ

By using the PCQ queue type in Mikrotik, we can share the available bandwidth equally, so that no single bandwidth glutton takes over the network.

For example, we subscribe to 256 Kbps. If only one user is online, he gets the whole bandwidth allocation. But when friends come, say 9 more people, each of them gets about 256/10 Kbps, still enough to open normal sites or just check email and blogs.

Ok, straight to how:

1. Assumption: network address 192.168.169.0/28; the interface that leads to the users is named LAN, and the interface that leads to the upstream provider is named INTERNET;
2. Type in the console or terminal:
>/ip firewall mangle add chain=forward src-address=192.168.169.0/28 action=mark-connection new-connection-mark=NET1-CM
>/ip firewall mangle add chain=forward connection-mark=NET1-CM action=mark-packet new-packet-mark=NET1-PM
>/queue type add name=downstream-pcq kind=pcq pcq-classifier=dst-address
>/queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address
>/queue tree add parent=LAN queue=downstream-pcq packet-mark=NET1-PM
>/queue tree add parent=INTERNET queue=upstream-pcq packet-mark=NET1-PM

TOS & Prioritising ICMP and DNS in Mikrotik

Goal:
- Reduce the ping delay from the client side to the Internet.
- Speed up resolving hostnames to IP addresses.
Assumption: the clients are on the subnet 10.10.10.0/28

1. Type in the prioritisation rules for ICMP packets:

>/ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes

>/ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes

>/ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay

2. Type in the rules for DNS resolving:

>/ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes

>/ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes

>/ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes

>/ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay

3. Add a queue type:

>/queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64

4. Allocate bandwidth for ICMP packets:

>/queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

5. Allocate bandwidth for DNS resolving:

>/queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

Queue Tree with more than two interfaces

Basic Setup

This page will talk about how to make a QUEUE TREE in RouterOS with masquerading for more than two interfaces. It's for sharing an internet connection among users on each interface. This possibility isn't written in the manual.

First, let's do the basic setup. I'm using a machine with 3 or more network interfaces:

[admin@instaler] > in pr
 #    NAME     TYPE   RX-RATE  TX-RATE  MTU
 0 R  public   ether  0        0        1500
 1 R  wifi1    wlan   0        0        1500
 2 R  wifi2    wlan   0        0        1500
 3 R  wifi3    wlan   0        0        1500

And this is the IP Addresses for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS        NETWORK     BROADCAST    INTERFACE
 0   10.20.1.0/24   10.20.1.0   10.20.1.255  public
 1   10.10.2.0/24   10.10.2.0   10.10.2.255  wifi1
 2   10.10.3.0/24   10.10.3.0   10.10.3.255  wifi2
 3   10.10.4.0/24   10.10.4.0   10.10.4.255  wifi3

On the public interface you can add NAT or a proxy if you want.

Mangle Setup

And now the most important part of this case.

We need to mark our users: one connection mark for upload and a second one for download. In this example I add the mangle rules for one user. At the end I add a mangle rule for local traffic, because I don't QoS local traffic among users. But for a user I need to separate upload and download.

[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward src-address=10.10.2.36 action=mark-connection
     new-connection-mark=users-userU passthrough=yes comment="" disabled=no

 1   chain=forward dst-address=10.10.2.36 action=mark-connection
     new-connection-mark=users-userD passthrough=yes comment="" disabled=no

 2   chain=forward connection-mark=users-userU action=mark-packet
     new-packet-mark=userU passthrough=yes comment="" disabled=no

 3   chain=forward connection-mark=users-userD action=mark-packet
     new-packet-mark=userD passthrough=yes comment="" disabled=no

98   chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16
     action=mark-connection new-connection-mark=users-lokal passthrough=yes

99   chain=forward connection-mark=users-lokal action=mark-packet
     new-packet-mark=lokalTrafic passthrough=yes

Queue Tree Setup

And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent: for downlink traffic we use parent "global-out", because we have two or more downloading interfaces. For uplink we use parent "public", since that is where we want to QoS the uplink traffic. (I'm using pcq-upload and pcq-download from the manual.) This example is for 2Mb/1Mb.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
 0   name="Download" parent=global-out packet-mark="" limit-at=0
     queue=pcq-download priority=1 max-limit=2000000 burst-limit=0
     burst-threshold=0 burst-time=0s

 1   name="Upload" parent=public packet-mark="" limit-at=0 queue=pcq-upload
     priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0
     burst-time=0s

Now we add our user:

 2   name="user10D" parent=Download packet-mark=userD limit-at=0
     queue=pcq-download priority=5 max-limit=0 burst-limit=0
     burst-threshold=0 burst-time=0s

 3   name="user10U" parent=Upload packet-mark=userU limit-at=0
     queue=pcq-upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0
     burst-time=0s
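Adding users by hand is where the upload/download direction gets mixed up. The script below is an added example, not from the original post: it generates the per-user mangle and queue-tree entries of this section from a "name ip" table, matching upload on src-address and download on dst-address. It assumes the parents "Download"/"Upload" and the queue types pcq-download and pcq-upload shown above; the user list is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-user mangle and
# queue-tree entries of the section above from a "name ip" table, so upload is
# always matched on src-address and download on dst-address.
# Assumes the parents "Download"/"Upload" and queue types pcq-download and
# pcq-upload from the page; the user list below is constructed sample data.

USERS="user10 10.10.2.36
user11 10.10.2.37"

# is_ipv4 ADDR : succeeds only for a dotted quad with every octet in 0..255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# user_rules NAME IP : print the six RouterOS lines for one user, or fail on a bad IP
user_rules() {
    name=$1; ip=$2
    is_ipv4 "$ip" || return 1
    cat <<EOF
/ip firewall mangle add chain=forward src-address=$ip action=mark-connection new-connection-mark=users-${name}U passthrough=yes
/ip firewall mangle add chain=forward dst-address=$ip action=mark-connection new-connection-mark=users-${name}D passthrough=yes
/ip firewall mangle add chain=forward connection-mark=users-${name}U action=mark-packet new-packet-mark=${name}U passthrough=yes
/ip firewall mangle add chain=forward connection-mark=users-${name}D action=mark-packet new-packet-mark=${name}D passthrough=yes
/queue tree add name=${name}D parent=Download packet-mark=${name}D queue=pcq-download priority=5
/queue tree add name=${name}U parent=Upload packet-mark=${name}U queue=pcq-upload priority=5
EOF
}

# all_rules : rules for every user in USERS; stops with status 1 at the first bad entry
all_rules() {
    echo "$USERS" | while read -r name ip; do
        [ -n "$name" ] || continue
        user_rules "$name" "$ip" || { echo "stopping at $name: bad ip '$ip'" >&2; exit 1; }
    done
}

all_rules
```

Paste the output into the RouterOS console, or redirect it to a .rsc file and use /import.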

MAC Address + IP Address Linux

#!/bin/sh
iptables=/sbin/iptables

# define the default policy here
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP   # remember to open up the OUTPUT policy later
$iptables -F FORWARD
$iptables -t nat -F
$iptables -P FORWARD DROP

# make a new chain called maccheck and send everything arriving on eth1 through it
$iptables -t mangle -F
$iptables -t mangle -F maccheck
$iptables -t mangle -X maccheck
$iptables -t mangle -N maccheck
$iptables -t mangle -I PREROUTING -i eth1 -p all -j maccheck

# self-explanatory ... ip address + mac; a matching pair returns from the chain unmarked
$iptables -t mangle -A maccheck -s 192.168.0.1 -i eth1 -m mac --mac-source 00:80:11:11:11:11 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.2 -i eth1 -m mac --mac-source 00:80:22:22:22:22 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.3 -i eth1 -m mac --mac-source 00:80:33:33:33:33 -j RETURN

# anything that is not a registered ip+mac pair gets marked so it can be dropped later;
# in this example only one mac is active, the 00:80:11:11:11:11 we defined above
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -m mac ! --mac-source 00:80:11:11:11:11 -j MARK --set-mark 1
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -p all -j MARK --set-mark 1

# drop the marked packets
$iptables -A INPUT -i eth1 -m mark --mark 1 -j DROP
$iptables -A OUTPUT -o eth1 -m mark --mark 1 -j DROP
$iptables -A FORWARD -i eth1 -m mark --mark 1 -j DROP
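The script above works, but every new host means editing three places, and one pair appended after the MARK line would silently be dropped. As an added example (not part of the original post), the script below keeps the ip+mac allowlist in one table, validates each MAC, and generates the maccheck chain in the right order. It only prints the iptables commands unless APPLY=1 is set; the pairs are constructed sample values and eth1 is the LAN side as above.

```shell
#!/bin/sh
# Added example, not part of the original post: keep the ip+mac allowlist in one
# table and generate the maccheck chain from it, so that adding a host can never
# break the "RETURN on a matching pair, MARK everything else" order above.
# Commands are only printed unless APPLY=1 is set in the environment.
# The pairs are constructed sample values; eth1 is the LAN side as in the script.

IPT=${IPT:-/sbin/iptables}
LAN=eth1
PAIRS="192.168.0.1 00:80:11:11:11:11
192.168.0.2 00:80:22:22:22:22
192.168.0.3 00:80:33:33:33:33"

# valid_mac MAC : succeeds only for six colon-separated hex pairs
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# run CMD... : print the command, and execute it only when APPLY=1
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# maccheck_rules : emit the whole chain; returns 1 and stops at the first bad MAC
maccheck_rules() {
    run $IPT -t mangle -F
    run $IPT -t mangle -X maccheck
    run $IPT -t mangle -N maccheck
    run $IPT -t mangle -I PREROUTING -i $LAN -j maccheck
    echo "$PAIRS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        valid_mac "$mac" || { echo "rejecting $ip: bad mac '$mac'" >&2; exit 1; }
        # a registered ip+mac pair leaves the chain unmarked
        run $IPT -t mangle -A maccheck -s "$ip" -i $LAN -m mac --mac-source "$mac" -j RETURN
    done || return 1
    # whatever did not RETURN is marked, and the filter rules drop mark 1
    run $IPT -t mangle -A maccheck -i $LAN -j MARK --set-mark 1
    for chain in INPUT FORWARD; do
        run $IPT -A $chain -i $LAN -m mark --mark 1 -j DROP
    done
}

maccheck_rules
```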


