I know ECMP has been discussed alot. However, I have a comment (something I figured out after research) and a follow-up question:
Comment
When reading the wiki documents on ECMP, they simply say to add two routes and you should be doing load balancing. I tried this, but found that I quickly lost remote management to the Tik from the Internet. As I work for a Wisp and do everything by remote management, this was not a good thing. I found another wiki that described how to do ECMP only on certain types of client traffic (http://wiki.mikrotik.com/wiki/Per-Traffic_Load_Balancing). This worked great, but I still couldn’t manage the Tik on both load balanced internet interfaces…only the interface that was set for the default route. The trick I found was to mark the outgoing packets for the Tik public IPs with a routing mark so that the Tik always sends packets back to a specific default gateway depending on what IP it is communicating on.
/ip firewall mangle
# mark outgoing HTTP traffic (or whatever traffic for load balancing)
add action=mark-routing chain=prerouting comment="Mark Outgoing HTTP Traffic" \
disabled=no dst-port=80 new-routing-mark="HTTP Traffic" passthrough=no protocol=tcp
# Mark outgoing traffic direct to the T1 mgmt address
add action=mark-routing chain=output comment="Mark outgoing traffic direct to the T1 mgmt address" \
disabled=no new-routing-mark=T1-route passthrough=no src-address=12.x.x.130
# Mark outgoing traffic direct to the DSL mgmt address
add action=mark-routing chain=output comment="Mark outgoing traffic direct to the DSL mgmt address" \
disabled=no new-routing-mark=DSL-route passthrough=no src-address=67.x.x.133
/ip route
# Default route
add check-gateway=ping comment="T1 GW - Default GW" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=12.x.x.129 scope=30 target-scope=10
# Only do ECMP for HTTP
add comment="ECMP for HTTP traffic" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
12.x.x.129,67.x.x.134 routing-mark="HTTP Traffic" scope=255 target-scope=10
# Set the default gw for packets marked T1-route
add comment="Manage Tik on T1 IP" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=12.x.x.129 \
routing-mark=T1-route scope=255 target-scope=10
# Set the default gw for packets marked DSL-route
add comment="Manage Tik on DSL IP" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=67.x.x.134 \
routing-mark=DSL-route scope=255 target-scope=10
Question
This is working great. Now I can manage the Tik on both public IPs (with their respective different gateways). Now, I need to take this project to the next level and enable mapping public IPs to users on the Hotspot interface (ether3). I set up netmap rules in the Firewall NAT as follows:
/ip firewall nat
add action=netmap chain=srcnat comment="Map subscribers to public IPs" disabled=no src-address=\
10.11.3.132 to-addresses=67.x.x.132
add action=netmap chain=dstnat comment="" disabled=no dst-address=67.x.x.132 to-addresses=10.11.3.132
This has worked for me in the past at locations where there is no load balancing set up. From there, I tried the same rule I figured out before…setting up a route mark for the public IP.
/ip firewall mangle
add action=mark-routing chain=output comment="TEST RULE" disabled=no new-routing-mark=\
DSL-route passthrough=no src-address=67.x.x.132
I also set up a binding in Hotspot for the AP I’m trying to assign a public IP (bound it to 10.11.3.132 and set to bypass). I’m still running into the issue where the Tik doesn’t seem to know to use the DSL gateway instead of the T1 gateway. I can’t figure out how to mark the traffic coming back from the device so that it uses a specific gateway. Any thoughts on what the mangle rule needs to be? I’ve tried alot of different combinations, but I keep seeing in torch that return traffic from the Tik keeps going to the current default gateway which is on the T1 line, so pings don’t return.
Help?
Thanks in advance.
