Please help me,
I have MikroTik and Hotspot (User Manager) on the same hardware. I am using "Load Balancing over Multiple Gateways", but it doesn't work with Hotspot; in fact, if I disable Hotspot it works fine!
Hotspot servlets act as proxies of a sort, so you need to apply the same sort of configuration as you did for the ‘forward’ chain to the ‘input’ chain.
Sorry, I am a newbie; can you explain with an example?
Thank you.
I just now read the wiki page you were referring to: http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways
You can't make that work with Hotspot. Because the Hotspot proxies HTTP traffic, the traffic always appears to come from the IP address on the router, which will always be in one of the two routing groups the wiki example refers to.
And if I install the Hotspot on a second machine???
The problem is that the wiki page you’re referencing spreads load over the links based on IP address. Let’s say you have a LAN of 192.168.100.0/24 (like in the wiki example), and you’re splitting things up so that 192.168.100.0/25 (192.168.100.1 - 192.168.100.127) are going to be marked GroupA and go out WAN A, and 192.168.100.128/25 (192.168.100.128 - 192.168.100.255) are going to be marked GroupB and go out WAN B. Whatever device you’re running a Hotspot on, it is going to have a local IP address on the LAN. It could be .1, it could be .100, it could be .254 - it has one static IP address. That IP address is what all traffic will be proxied to, so all traffic going to the WAN will appear to come from that IP address, and all traffic will always be sorted into GroupA or GroupB depending on the actual IP address of the Hotspot device, and all traffic will always go out the WAN link associated with that group. Doesn’t matter if it’s on the same router, or on a different one.
Look into different load balancing schemes like PCC, but be aware that they, too, will need adaptation from what the wiki provides, since they aren't written for Hotspot scenarios either. The PCC example in the wiki specifically only marks in the 'forward' chain; since the Hotspot proxies, you would have to mark things in the 'output' chain as well.
Alternatively you can turn off traffic going through the HTTP servlets on the Hotspot; at that point you may lose some of the built-in Hotspot functionality (can't do ad insertion anymore, for example). It's not an officially supported configuration:
/ip firewall nat add chain=pre-hotspot action=accept protocol=tcp dst-address-type=!local hotspot=auth dst-port=80
Let’s say you have a LAN of 192.168.100.0/24 (like in the wiki example), and you’re splitting things up so that 192.168.100.0/25 (192.168.100.1 - 192.168.100.127) are going to be marked GroupA and go out WAN A, and 192.168.100.128/25 (192.168.100.128 - 192.168.100.255) are going to be marked GroupB and go out WAN B. Whatever device you’re running a Hotspot on, it is going to have a local IP address on the LAN. It could be .1, it could be .100, it could be .254 - it has one static IP address. That IP address is what all traffic will be proxied to, so all traffic going to the WAN will appear to come from that IP address
Fewi, thanks for this explanation. I now understand why I am not getting results from my configuration. This is exactly my case study, and I am using Hotspot, transparent proxy and DNS.
Please, how can I really achieve working load balancing with this type of setup?
http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/ This is the example I followed.
Thanks.
Policy routing is not a good fit for what you're trying to do. I'd use PCC instead. That said, with a transparent proxy there are going to be issues. The source IP is always the same, and balancing by source IP is the only stable method. Every other method can lead to problems on forums and secure sites that are spread across multiple IPs at the destination and expect all traffic getting to them to be sourced from the same IP.
I would a) turn off the transparent proxy b) buy a second router and then c) run the Hotspot on a router behind a router dedicated to PCC, with NAT turned off on the Hotspot router. I’d use src-address as the PCC qualifier.
I would a) turn off the transparent proxy b) buy a second router and then c) run the Hotspot on a router behind a router dedicated to PCC, with NAT turned off on the Hotspot router. I'd use src-address as the PCC qualifier.
Hmm…taking a deep breath…
The reason I use a proxy is that I use a data bundle subscription from my ISP1, which is my reliable and fast ISP, while ISP2 gives me unlimited monthly access (not a data bundle) but is not as fast and reliable as ISP1.
And we mostly use the internet for browsing and downloading, so I felt a proxy would reduce cost for me.
Based on that, I would like to implement load balancing that redirects all heavy TCP traffic to ISP2, while normal web browsing uses ISP1, and other unmarked traffic like ICMP, DNS, SMTP etc. should also use ISP2.
How can I achieve this without getting a second router? Besides, my router is running on an x86 HP desktop.
Thanks.
That makes more sense. If you had explained what kind of load balancing you were after initially I would not have made that post. Details are important.
Make two default routes with routing marks, one out ISP1 and one out ISP2. Give them a distance of 1. Make another two default routes out the two ISPs, without routing marks. They are the fallbacks for when an ISP fails.
Make IP firewall mangle rules that mark packets with routing marks. Mark DNS and HTTP traffic in the output chain with marks for ISP 1. This will cover router originated traffic as well as traffic from the clients flowing through the transparent HTTP proxy. Mark all other traffic in the output chain with a mark for ISP 2. Mark all traffic in the forward chain (all customer traffic other than what is redirected to the router for proxy purposes and thus never sees the forward chain) for ISP 2. If you want other customer traffic to go through ISP 1 do that here as well. This probably includes HTTPS since you typically don’t run that through a transparent proxy as that would generate certificate warnings. That’s it.
On a side note for other people reading the thread: I didn’t suggest a second router because I doubted the resources of your router, but because at the time it was entirely unclear what you were trying to do, so PCC seemed like the best generic fit. Combining PCC, proxies, and Hotspots is much, much easier on two routers rather than on one.
Fewi, I really appreciate your taking the time to explain all this to me.
Basically, here is what I have done so far:
/ip route
add check-gateway=ping comment="ISP1" disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-mark=GLO1 scope=30 \
target-scope=10
add check-gateway=ping comment="ISP2" disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway="VISAFONE" routing-mark=VISA1 scope=30 \
target-scope=10
Make another two default routes out the two ISPs, without routing marks. They are the fallbacks for when an ISP fails.
I will do that later.
/ip firewall mangle
add action=mark-routing chain=output comment="ISP1 Traffic" disabled=no \
new-routing-mark=GLO1 out-interface=LAN passthrough=no protocol=tcp \
src-port=80,53,8080
add action=mark-routing chain=output comment="ISP2 Traffic" disabled=yes \
new-routing-mark=VISA1 passthrough=no
I disabled the last rule because if I enable it, everything stops browsing.
My challenge now is the ISP2 output mangle rule, which I disabled, and that made me not try out the forward mangle rule as well.
Please correct me where I made any mistake.
Thanks.
Let’s start with the usual information. Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, “/ip firewall export”, “/ip hotspot export”, and an accurate network diagram.
CODES REMOVED.
Please note: the WAN and bridge interfaces are active for now, so they are currently doing nothing for me.
Please bear with me, I don't know how to use Visio or any app used to draw network diagrams, but my network is simple:
2 WAN: ISP1 (ISP's small router) and ISP2 (PPP 3G internet modem, PPP client)
1 LAN, which is the Hotspot (10.10.99.0/24; 10.10.99.1 is the Hotspot gateway for all)
It’s important to show “print detail” instead of “print” so that all parameters are seen. For example, “/ip route print” doesn’t show routing marks. “/ip route print detail” does. Since you use routing marks you have to show them. Please post those sections again, or edit your post.
Post edited. Please confirm.
Thanks.
OK. First let’s make a loopback interface to tie the proxy to, and assign it an IP address.
/interface bridge add name=loopback0
/ip address add address=172.31.255.255/32 interface=loopback0
Then let’s set the IP proxy to use that as a source address for everything.
/ip proxy set src-address=172.31.255.255
Make sure that that IP also gets NAT translated.
Remove this:
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=10.10.99.0/24
And replace it with this:
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16
/ip firewall nat
add chain=srcnat out-interface="GLO ROUTER" src-address-list=rfc1918 action=masquerade comment="NAT via ISP1"
add chain=srcnat out-interface="VISAFONE" src-address-list=rfc1918 action=masquerade comment="NAT via ISP2"
Replace your mangle rules with this. There’s no real need to mark anything for VISA1 - we’ll just mark for GLO1 with a routing mark, then use VISA1 as a default gateway for everything else. Just insert whatever else you want to go through the GLO1 link into the rule set below:
/ip firewall mangle
add chain=output comment="proxy traffic" src-address=172.31.255.255 action=mark-routing new-routing-mark=GLO1
add chain=forward comment="Hotspot HTTPS traffic" in-interface=LAN protocol=tcp dst-port=443 action=mark-routing new-routing-mark=GLO1
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-mark=GLO1
add dst-address=0.0.0.0/0 gateway=VISAFONE distance=1
add dst-address=0.0.0.0/0 gateway=172.16.0.1 distance=2
If that doesn’t do it I’m out of ideas.
Thanks so much Fewi, I will do this later today because right now there are a lot of people on the network.
I will report back once I am done.
I travelled yesterday and came back late at night. I came in very early this morning, and from what I have done so far, here is one error I got when I tried to run this command:
add chain=forward comment="Hotspot HTTPS traffic" in-interface=LAN protocol=tcp dst-port=443 action=mark-routing new-routing-mark=GLO1
failure: routing-mark allowed only in output and prerouting chains
Then I noticed there is no traffic going to the VISAFONE.

The active WAN is what I used to log in to the router directly; I normally enable it and use it only to access the router directly from my laptop, nothing else.
Finally, I did it.

Here are the mangle rules I used:
0 ;;; httpTraffic
chain=prerouting action=mark-routing new-routing-mark=GLO1 passthrough=no protocol=tcp src-address=10.10.99.0/27 dst-port=80
1 chain=prerouting action=mark-routing new-routing-mark=GLO1 passthrough=no protocol=tcp dst-port=443
2 ;;; DNS traffic
chain=prerouting action=mark-routing new-routing-mark=VISA1 passthrough=no protocol=tcp dst-port=53
3 ;;; Any Other traffic
chain=prerouting action=mark-routing new-routing-mark=VISA1 passthrough=no