I have several days working on a Load Balancing solution over a Mikrotik 3.10. I have read all the wiki articles and all the forum post about nth and it's implementation, I have configured the router as I have read but it is impossible... this is not working and I am just sure that my problem is a trick but I am not able to see it. So please, help me discover where my configuration fails.
Here we go....
My interfaces configuration
/interface> print Flags: X - disabled, R - running, D - dynamic, S - slave # NAME TYPE MTU 0 R LAN ether 1500 1 R ADSL1 ether 1500 2 R ADSL2 ether 1500 3 R pppoe-adsl2-20mb
I have three interfaces and two xDSL lines, one interface is for LAN, other interface ADSL1 has a RFC 1483 Fixed IP and ADSL2 has a PPPoE client over it with the next configuration...
/interface pppoe-client> print Flags: X - disabled, R - running 0 R name="pppoe-adsl2-20mb" max-mtu=1480 max-mru=1480 mrru=disabled interface=ADSL2 user="user" password="*****" profile=default-encryption service-name="Telefonica" ac-name="" add-default-route=no dial-on-demand=no use-peer-dns=yes allow=pap,chap
I am trying to balance network load into the two adsl lines. So I have configured the Mangle as I see on the forum. I marked pakets...then connections and then routing ....
/ip firewall mangle> print Flags: X - disabled, I - invalid, D - dynamic 0 ;;; ### TS chain=prerouting action=mark-routing new-routing-mark=200 passthrough=yes src-address-list=Server Win2000 src-port=3389 protocol=tcp
1 X ;;; ### Marcado NTH de paquete 1 chain=prerouting action=mark-packet new-packet-mark=PAK1 passthrough=yes connection-state=new nth=2,1
2 X ;;; ### Marcado NTH de paquete 2 chain=prerouting action=mark-packet new-packet-mark=PAK2 passthrough=yes connection-state=new nth=2,2
3 X ;;; ### Marcado NTH de Conexion 1 chain=prerouting action=mark-connection new-connection-mark=ADSL1 passthrough=yes packet-mark=PAK1
4 X ;;; ### Marcado NTH de Conexion 2 chain=prerouting action=mark-connection new-connection-mark=ADSL2 passthrough=yes packet-mark=PAK2
5 X ;;; ### Marcado de Ruta 1 chain=prerouting action=mark-routing new-routing-mark=ADSL1 passthrough=no packet-mark=PAK1
6 X ;;; ### Marcado de Ruta 2 chain=prerouting action=mark-routing new-routing-mark=ADSL1 passthrough=no packet-mark=PAK2
As you can see the first rule is a TS port mark in order to have TS administration on the LAN side windows 2000 Server. The next 6 rules are the Packet Marks, the Connection Marks and the Routing Marks Assignaments.
OK. Just here all works good, the counters runs up and it maintain a correlation...
The problems begins here....
/ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 ;;; ### Acceso TS chain=dstnat action=dst-nat to-addresses=192.168.0.5 to-ports=3389 src-address-list=Network_admin dst-port=3389 protocol=tcp
1 X ;;; ### Nat para administrar router adsl 30mb chain=srcnat action=masquerade out-interface=ADSL2
The first and second rules is a reverse nat to admin the lan interface of the router giving the PPPoE bridge, and a rule for TS.It works OK, The next three rules comes from the mangle and makes the masquerading based on the connection-marks. The last rule is a general nat. The problem here is that counters don't work correctly. Rule 2 works good but rule 3 is 0 and I suppouse that it's traffic is being applied to rule 4 (General) I really don't know why.
The IP routes....
/ip route> print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE 0 A S ;;; ### RUTA POR DEFECTO PPPoE 0.0.0.0/0 reachable pppoe-adsl2-20mb 1 pppoe-adsl2-20mb 1 A S ;;; ### NTH 0.0.0.0/0 reachable ADSL1 1 ADSL1 2 A S 0.0.0.0/0 reachable pppoe-adsl2-20mb 1 pppoe-adsl2-20mb 3 A S ;;; ### RUTA POR DEFECTO RFC1483 0.0.0.0/0 reachable 80.XXX.XXX.130 1 ADSL1 4 ADC 80.XXX.XXX.128/26 80.XXX..132 0 ADSL1 5 ADC 192.168.0.0/24 192.168.0.254 0 LAN 6 ADC 192.168.3.0/24 192.168.3.1 0 ADSL2 7 ADC 192.168.153.1/32 83.XX.XX.226
The IP routes has a default route number 0 and NTH routes.... based on routing marks assigned by NAT.
I also have a routing rule to 0.0.0.0/0 80.XXX.XXX.130 with routgin mark 200 due to my needs of remote administration.
The Ip routing rules are...
/ip route rule> print Flags: X - disabled, I - inactive 0 src-address=80.XXX.XXX.132/32 action=lookup table=200
1 X interface=pppoe-adsl2-20mb action=lookup table=100
2 routing-mark=200 action=lookup table=200
That's all folks.... THe route balancing is not working... all the traffic is going through the ADSL2 interface (aka pppoe) and only the administration traffic is working on ADSL1 (aka RFC1483).
I have tested all configuration possibilities, but I am not getting any results. If I dissabled the route rule 0, ir is suppoused that it will go applying the routing marks by nat... but the problem is that in connection log I have many "syn sent" entries and no traffic at all.
Greetings to all, greeted in advance for your time....
_________________ =========================== Antonio Sanchez System Administrator =========================== =========================== Granada (Spain)
Use PCC instead. It can guarantee that connections between the same two endpoints always go across the same link.
Hey the thing is i run hotspot on the network and when i tried PCC on my hotspot, i observed the loadbalancing was not working effectively but with NTH it works perfectly! Is there a firewall statement that could just permit access from all network(i have 8 VLANs) to an inside server say 10.2.1.13, while still using NTH? If you think PCC is a better option, could you provide me with sample script to make it work well for hotspot? (i am load balancing across 3 wan links)
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot post attachments in this forum