DSTNAT to multiple addresses - load balancing?

Wazza · December 6, 2016, 2:47pm

Okay, so I have a requirement to redirect an inbound connection. Basically a dstnat rule, to an address.

What I’d like however is to redirect to a list of addresses, and have it round robin them in some way:-

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=123.123.123.123 dst-port=25 \
    in-interface=public protocol=tcp to-addresses=10.10.10.20 to-ports=25
add action=dst-nat chain=dstnat dst-address=123.123.123.123 dst-port=25 \
    in-interface=public protocol=tcp to-addresses=10.10.10.30 to-ports=25
add action=dst-nat chain=dstnat dst-address=123.123.123.123 dst-port=25 \
    in-interface=public protocol=tcp to-addresses=10.10.10.40 to-ports=25
add action=dst-nat chain=dstnat dst-address=123.123.123.123 dst-port=25 \
    in-interface=public protocol=tcp to-addresses=10.10.10.50 to-ports=25
add action=dst-nat chain=dstnat dst-address=123.123.123.123 dst-port=25 \
    in-interface=public protocol=tcp to-addresses=10.10.10.60 to-ports=25

Is something like that doable?
The idea being that I can spread the load, and possibly use some scripting / netwatch to identify if any of the destinations is offline, and disable the specific target rule, taking it out of rotation.

Note also, I don’t particularly want to use a range of IP addresses (123.123.123.10-123.123.123.50), but rather a non continuous list.

Thoughts?

Sob · December 6, 2016, 5:29pm

Using nth= option should work, at least a quick test in my local network did:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<pubaddr> dst-port=80 nth=3,1 protocol=tcp to-addresses=192.168.80.1
add action=dst-nat chain=dstnat dst-address=<pubaddr> dst-port=80 nth=3,2 protocol=tcp to-addresses=192.168.80.40
add action=dst-nat chain=dstnat dst-address=<pubaddr> dst-port=80 nth=3,3 protocol=tcp to-addresses=192.168.80.70

Or per-connection-classifier=src-address-and-port:x/y is another option.

rftnon · January 30, 2018, 6:25pm

This is an important post …

marktomlinson · July 5, 2018, 2:35pm

Hi All

Sorry to re-open an old thread, however I am looking to do something similar and wondered if there was an option to do this with some kind of affinity?

Mark

Sob · July 5, 2018, 3:07pm

I think it’s job for real load balancer, but as poor man’s alternative, per-connection-classifier=src-address:x/y should work too.