2 different ISPs, 2xGWs, srcnat. How to load balance?

Hi,

I’m having some trouble trying to get my MikroTik set up in a load-balanced environment across two ISPs. I’ll explain how my network is set up first, then explain what I’m after. I’ve changed the IPs in the config/network diagram so they don’t reflect the real ones.

lan1 - masqueraded, has restricted internet access (via MikroTik web-proxy)
lan2 - masqueraded, unrestricted internet access
wan1 - ISP provider 1 has allocated a /29
wan2 - ISP provider 2 has allocated a /29
wlan1 - wireless network (wireless N, hence I’m running version 4.0b3)

At the moment there are 2 servers behind lan2 using NAT to port-forward some ports (SMTP/HTTP/HTTPS).
If the wan1 link breaks, wan2 becomes the default route and outbound internet access port.

What I’m trying to achieve:
If wan1 or wan2 breaks, service continues.
Outbound internet is load balanced 50/50.
Inbound SMTP on both IPs, for example 62.0.0.74 port 25 and 82.0.0.194 port 25, needs to redirect to 192.168.101.1 port 25.

I can then change the MX record to have both IPs in the list, and the A records can have a round-robin DNS setup for subdomain.bleh.com.

Hope this all makes sense, my full network diagram and current config is listed below.

My Network diagram is as follows:

My Current config is as follows:

# RouterOS 4.0beta3
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
    name=wirebridge priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
    mac-address=XX:XX:XX:XX:XX:XX mdix-enable=yes mtu=1500 name=wan1 \
    speed=100Mbps
set 1 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
    mac-address=XX:XX:XX:XX:XX:XX mtu=1500 name=wan2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
    mac-address=XX:XX:XX:XX:XX:XX mtu=1500 name=lan1 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
    mac-address=XX:XX:XX:XX:XX:XX mtu=1500 name=lan2 speed=100Mbps

/interface wireless security-profiles
set default authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm \
    group-key-update=5m interim-update=0s management-protection=disabled \
    management-protection-key="" mode=dynamic-keys name=default \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=WirelessNetwork \
    tls-certificate=none tls-mode=no-certificates unicast-ciphers=\
    tkip,aes-ccm wpa-pre-shared-key=password wpa2-pre-shared-key=password
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
    antenna-gain=0 antenna-mode=rxa-txb area="" arp=enabled band=2ghz-b/g/n \
    basic-rates-a/g=6Mbps basic-rates-b=1Mbps comment="" compression=no \
    country=no_country_set default-ap-tx-limit=0 default-authentication=yes \
    default-client-tx-limit=0 default-forwarding=yes dfs-mode=none \
    disable-running-check=no disabled=no disconnect-timeout=3s \
    frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower hide-ssid=\
    no ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
    ht-basic-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 \
    ht-extension-channel=disabled ht-guard-interval=any ht-rxchains=0 \
    ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mc\
    s-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" ht-txchains=0 \
    hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=4 mac-address=00:0C:42:3A:BF:20 \
    max-station-count=2007 mode=ap-bridge mtu=1500 name=wlan1 \
    on-fail-retry-time=100ms periodic-calibration=default \
    periodic-calibration-interval=60 preamble-mode=both \
    proprietary-extensions=post-2.9.25 radio-name=000C423ABF20 rate-set=\
    default scan-list=default security-profile=default ssid=\
    BurgoyneGroup station-bridge-clone-mac=00:00:00:00:00:00 \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default \
    update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
    none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
    wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,\
    6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps\
    :17,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT20-8:\
    0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0,HT40-8:0"
/interface bridge port
add bridge=wirebridge comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=wlan1 path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=wirebridge comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=lan2 path-cost=10 point-to-point=auto \
    priority=0x80
/ip address
add address=192.168.100.254/24 broadcast=192.168.100.255 comment="" disabled=no interface=lan1 network=192.168.100.0
add address=192.168.101.254/24 broadcast=192.168.101.255 comment="" disabled=no interface=lan2 network=192.168.101.0
add address=82.0.0.194/29 broadcast=82.0.0.199 comment="" disabled=no interface=wan1 network=82.0.0.192
add address=62.0.0.74/29 broadcast=62.0.0.79 comment="" disabled=no interface=wan2 network=62.0.0.72
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Masquarde - This allows you to surf the net without it will not work" \
    disabled=no src-address=192.168.101.0/24
add action=masquerade chain=srcnat comment="" disabled=no src-address=\
    192.168.100.0/24
add action=dst-nat chain=dstnat comment="HTTP to Web Server wan1" disabled=no dst-address=62.0.0.74 dst-port=80 protocol=tcp to-addresses=192.168.101.2 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP to Web Server wan2" disabled=no dst-address=82.0.0.194 dst-port=80 protocol=tcp to-addresses=192.168.101.2 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP to Web Server wan1" disabled=no dst-address=62.0.0.74 dst-port=443 protocol=tcp to-addresses=192.168.101.2 to-ports=443
add action=dst-nat chain=dstnat comment="HTTP to Web Server wan2" disabled=no dst-address=82.0.0.194 dst-port=443 protocol=tcp to-addresses=192.168.101.2 to-ports=443
add action=dst-nat chain=dstnat comment="SMTP Email Server wan1" disabled=no dst-address=62.0.0.74 dst-port=25 protocol=tcp to-addresses=192.168.101.1 to-ports=25
add action=dst-nat chain=dstnat comment="SMTP Email Server wan2" disabled=no dst-address=82.0.0.194 dst-port=25 protocol=tcp to-addresses=192.168.101.1 to-ports=25
add action=redirect chain=dstnat comment="Mikrotik Web Proxy - Transparent only on lan1" disabled=no dst-port=80 protocol=tcp src-address=192.168.100.0/24 to-ports=8080

/ip proxy
set always-from-cache=no cache-administrator=email@address.co.uk cache-hit-dscp=4 \
    cache-on-disk=yes enabled=yes max-cache-size=unlimited \
    max-client-connections=1000 max-fresh-time=3d max-server-connections=1000 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
    no src-address=0.0.0.0
/ip proxy access
add action=allow comment="" disabled=no dst-host=*.nhs.uk src-address=\
    192.168.100.0/24
add action=allow comment="" disabled=no dst-host=*.gov.uk src-address=\
    192.168.100.0/24
add action=deny comment="" disabled=no dst-host=*facebook* src-address=\
    192.168.100.0/24
add action=deny comment="" disabled=no dst-host=*myspace* src-address=\
    192.168.100.0/24
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=62.0.0.73 scope=255 target-scope=10
add comment="" disabled=no distance=10 dst-address=0.0.0.0/0 gateway=82.0.0.193 scope=30 target-scope=10
/system clock
set time-zone-name=Europe/London

Look at this for the load balance:

http://wiki.mikrotik.com/wiki/PCC#Introduction

Then for failover, change your routes to look more like:

/ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=2 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

The 2 extra rules allow for failover on the marks. It works more cleanly than the example shows.

Thanks, I already tried this config and got two issues. Because I have two LANs (lan1 & lan2), I don’t think my config is working because of this.

Secondly, from a server, if I try to telnet to port 25 on 62.0.0.64 I get a correct response; if I try on the NAT rule for wan2 I just get “Trying 82.0.0.194…” and it never connects…

Any ideas?

The masquerade rules I’ve got are:

add action=masquerade chain=srcnat comment=\
    "Masquarde - This allows you to surf the net without it will not work" \
    disabled=no out-interface=wan1 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2 \
    src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1 \
    src-address=192.168.101.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2 \
    src-address=192.168.101.0/24

Also, on the mangle rules I’m not sure how to specify the in-interface, as I have lan1 and lan2.

Thanks.

Still can’t get this working. I don’t think it’s the masquerade causing it; it just doesn’t want to NAT dstnat → dstnat on the wan2 interface. Works perfectly for wan1.

Anyone?

First of all, forget about NAT: two simple rules with “out-interface= action=masquerade” will do all the job that is required.

Masquerade will not route anything; you have to do it yourself. Either a similar example like PCC, or manually. Or better, have both. Take the PCC example and adjust it.

It doesn’t matter how many LANs you have - you just need to adapt the example.

Done exactly that. How do I get port 25 redirected to an internal IP from both wan1 and wan2? The NAT rules I have don’t seem to do it for wan2.

Thanks

The response packets are probably leaving via the default gateway and not the port they came in on, is my guess… You have to mangle and mark packets and routing to force things to leave the same WAN port they arrived on (unless your providers will route packets with any source IP, which is bad practice nowadays).

Do you have an example of how to do this?

Thanks

bump

I haven’t used PCC before, so I don’t have an example using it. Here is another post that explains more:

http://forum.mikrotik.com/t/policy-based-routing/19589/9
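An added example (mine, not from any poster in this thread) of the mark-and-route approach the earlier reply describes, which also covers the question about in-interface with two LANs: an address list stands in for a single LAN interface. It uses the anonymised addresses from the original post; the list name lans and the mark names are assumptions of this example.

```routeros
# Added example, not from the thread: PCC 50/50 for both LANs plus "replies
# leave the WAN they arrived on" for the dst-nat'd SMTP/HTTP/HTTPS servers.
# Addresses are the anonymised ones from the post; list and mark names are mine.
/ip firewall address-list
# Both LAN subnets in one list, so no single in-interface= is needed.
add list=lans address=192.168.100.0/24
add list=lans address=192.168.101.0/24

/ip firewall mangle
# 1. Remember which WAN a new inbound connection arrived on (prerouting also
#    sees the dst-nat'd connections to 192.168.101.1:25 and .2:80/443).
add chain=prerouting in-interface=wan1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1_conn
add chain=prerouting in-interface=wan2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2_conn
# 2. Router-generated replies (DNS, winbox, proxy) follow the connection mark.
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
# 3. LAN-to-LAN traffic is left unmarked and routed normally.
add chain=prerouting src-address-list=lans dst-address-list=lans action=accept
# 4. New outbound connections from either LAN are split 50/50 by PCC. Only
#    unmarked connections get here, so inbound ones keep the mark from step 1.
add chain=prerouting src-address-list=lans connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=wan1_conn
add chain=prerouting src-address-list=lans connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=wan2_conn
# 5. Route every LAN packet by its connection mark: the SMTP server's replies
#    to a session that came in on wan2 now go back out wan2.
add chain=prerouting src-address-list=lans connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1
add chain=prerouting src-address-list=lans connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2

/ip firewall nat
# Two out-interface masquerade rules cover both LANs (the existing dst-nat
# rules for ports 25/80/443 stay as they are).
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade

/ip route
# Marked routes with cross failover, then plain defaults for unmarked traffic.
add dst-address=0.0.0.0/0 gateway=82.0.0.193 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=62.0.0.73 distance=2 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=62.0.0.73 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=82.0.0.193 distance=2 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=82.0.0.193 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=62.0.0.73 distance=2 check-gateway=ping
```

To confirm it is working, watch /ip firewall connection for a connection to 192.168.101.1:25 arriving on wan2: it should carry the wan2_conn mark, and a packet sniff on wan2 should show the SYN-ACK leaving from 62.0.0.74 rather than from wan1.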