Load Balancing 2 Gateways for clients on Hotspot - Problem

tevolo · July 18, 2010, 10:32pm

Can anyone help with why there is a problem with my load balancing when I implement a hotspot:
My Setup:
Ether2 (WAN):
IP: 10.10.10.70/30
Gateway: 10.10.10.69
Ether3 (WAN2):
IP: 10.10.10.80/30
Gateway: 10.10.10.79
Bridge (all 4 WLAN connections are in the bridge)(Local network):
IP: 192.168.1.254/24

I managed to setup load balancing over 2 gateways with simple Mangle preroute Marks for the local network.
Route Group A: 192.168.1.0/25
Route Group B: 192.168.1.128/25
I added the routes for each gateway one for Group A and the other gateway for Group B.
I then setup masquerade for the whole network 192.168.1.0/24

When I connect to one of the wireless networks, it works just fine and the load balance works great too if I try different IPs on each group. But once I implement a Wireless Hotspot on my Bridge, I cannot connect to the internet and the hotspot page does not show up either.

Can anyone assist please? I can’t figure out how to setup the load balance with the two gateways on my hotspot.

Thank you.

fewi · July 18, 2010, 11:26pm

http://forum.mikrotik.com/t/loadbalancing-work-fine-but-with-hotspot/17200/1

tevolo · July 19, 2010, 7:24pm

Fewi, thanks for the old forum post, I was looking for that. I’ll give it a try.

But also, an approach I may want to do with my setup, is have two separate hotspots, and each hotspot uses a separate internet connection. hotspot A goes out of WAN1 and Hotspot B goes out WAN2
Would that be possible and simpler to setup than using PCC and load balancing?

I actually did try to set it up that way, but ran into problems separating the connections.

I have all wireless hotspot clients, the wired connections are only for the WAN connections. Would it be better or work if I had the hotspot on Ether2 for WAN1 and Ether3 for WAN2?

fewi · July 19, 2010, 7:40pm

That will also work, and in my opinion is easier to set up than PCC. All you need is policy routing - in mangle prerouting mark all packets coming from one Hotspot with a routing mark to_WAN1, and all packets from the other one with a routing mark to_WAN2. Then install two default routes for those routing marks, and install two more default routes with a higher distance without routing marks. When both WAN circuits are up, the routing mark routes will have a lower distance and packets go out the preferred path. When a WAN circuit fails those routes disable themselves as they are invalid (interface is down), and packets will fall through to the normal default routers and both Hotspots use the remaining route (one via routing marks, the other as fall through default).

Below is an approximation of the configuration you’d need, it assumes wlan1 and wlan2 as two wireless Hotspot interfaces, there’s no more bridging taking place:

/ip address
add address=10.10.10.70/30 interface=ether2
add address=10.10.10.80/30 interface=ether2
add address=192.168.1.1/25 interface=wlan1
add address=192.168.1.129/25 interface=wlan2

Now mark all packets coming in from the wlan1 interface with routing mark to_WAN1, and all packets coming on from the wlan2 interface with routing mark to_WAN2:

/ip firewall mangle
add chain=prerouting in-interface=wlan1 action=mark-routing new-routing-mark=to_WAN1 dst-address-type=!local
add chain=prerouting in-interface=wlan2 action=mark-routing new-routing-mark=to_WAN2 dst-address-type=!local

Install a route for those routing marks out the respective circuits, and fall through default routes

/ip route
add dst-address=0.0.0.0/0 routing-mark=to_WAN1 gateway=10.10.10.69
add dst-address=0.0.0.0/0 routing-mark=to_WAN2 gateway=10.10.10.79
add dst-address=0.0.0.0/0 gateway=10.10.10.69
add dst-address=0.0.0.0/0 gateway=10.10.10.79

And finally src NAT on the two WAN interfaces:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether2
add chain=srcnat action=masquerade out-interface=ether3

tevolo · July 21, 2010, 1:48am

Thank you.
I’ll try it out.

tevolo · September 14, 2010, 9:30pm

Fewi would you take a look at my setup here and let me know if this is correct:
Background: 2 WAN connections total on ether 3 and ether 2. Hotspot on bridge and bridge2 (both bridges have two wireless adapters for clients to connect to - bridge1 for wlan1 and wlan2, bridge2 for wlan3 and wlan4). bridge1 uses ether3 for all clients connected to wlan1/wlan2, bridge2 uses ether2 for all clients connected to wlan3/wlan4. Extra LAN address 10.10.10.18 uses ether2 as well.

IP Addresses:

/ip address
add address=99.99.99.99/30 broadcast=99.99.99.100 comment=“” disabled=no interface=ether3 network=99.99.99.97
add address=192.168.3.1/24 broadcast=192.168.3.255 comment=“” disabled=no interface=bridge1 network=192.168.3.0
add address=10.10.10.18/24 broadcast=10.10.10.255 comment=“” disabled=no interface=ether18 network=10.10.10.0
add address=55.55.55.55/30 broadcast=55.55.55.56 comment=“” disabled=no interface=ether2 network=55.55.55.53
add address=192.168.4.1/24 broadcast=192.168.4.255 comment=“” disabled=no interface=bridge2 network=192.168.4.0

Routes:

/ip route
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=55.55.55.54 routing-mark=bridge2-to-ether2 scope=30 target-scope=10
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=99.99.99.98 routing-mark=bridge1-to-ether3 scope=30 target-scope=10
add comment=“” disabled=no distance=2 dst-address=0.0.0.0/0 gateway=99.99.99.98 scope=30 target-scope=10
add comment=“” disabled=no distance=2 dst-address=0.0.0.0/0 gateway=55.55.55.54 scope=30 target-scope=10

Firewall rules:

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting comment=“” disabled=no dst-address-type=local in-interface=bridge2 new-routing-mark=bridge2-to-ether2 passthrough=yes
add action=mark-routing chain=prerouting comment=“” disabled=no dst-address-type=local in-interface=bridge1 new-routing-mark=bridge1-to-ether3 passthrough=yes
add action=mark-routing chain=prerouting comment=“” disabled=no in-interface=ether18 new-routing-mark=bridge2-to-Ether2 passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=“masquerade hotspot network” disabled=no out-interface=ether3 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=ether2 src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=ether2 src-address=192.168.4.0/24

Then I just have a hotspot setup on bridge1 and bridge2. bridge1 gives out ip addresses to clients in the 192.168.3.0/24 network, bridge2 on the 192.168.4.0/24 network.

Basically I just wanted to know if I have any mistakes in my setup, or anything I should look out for. Unfortunately, I can’t test it since it is at a remote location I can’t easily get to at this time.
Are the routes correct with the distances? And do I have to add anything else to allow clients to bring up the hotspot login page and be able to login using an outside radius server?

Thanks a ton!

fewi · September 14, 2010, 9:52pm

Change the distance of the second fallthrough route to 3 instead of 2, otherwise you’re performing ECMP (equal cost multipath), which doesn’t do well across two separate providers.

Your NAT is slightly off. I’d masquerade just based on the out-interface:

/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade

Your route mark mangling is also slightly off, the ‘dst-address-type=local’ doesn’t make sense as those lines would only match packets destined for the router itself. You want to negate that. You also don’t need to pass through:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=bridge2 new-routing-mark=bridge2-to-ether2 passthrough=no
add action=mark-routing chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=bridge1 new-routing-mark=bridge1-to-ether3 passthrough=no
add action=mark-routing chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether18 new-routing-mark=bridge2-to-ether2 passthrough=no

Hope it works out for you.

tevolo · September 15, 2010, 12:21am

I think it is working much better now:

IP Firewall:

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting comment=“” disabled=no dst-address-type=!local in-interface=bridge2 new-routing-mark=bridge2-to-ether2 passthrough=no
add action=mark-routing chain=prerouting comment=“” disabled=no dst-address-type=!local in-interface=bridge new-routing-mark=bridge-to-ether3 passthrough=no
add action=mark-routing chain=prerouting comment=“” disabled=no dst-address-type=!local in-interface=ether18 new-routing-mark=bridge2-to-ether2 passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=ether3
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=ether2

Routes:

/ip route
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=55.55.55.54 routing-mark=bridge2toEther2 scope=30 target-scope=10
add comment=“” disabled=no distance=1 dst-address=0.0.0.0/0 gateway=99.99.99.98 routing-mark=Bridge-to-Ether3 scope=30 target-scope=10
add comment=“” disabled=no distance=2 dst-address=0.0.0.0/0 gateway=99.99.99.98 scope=30 target-scope=10
add comment=“” disabled=no distance=3 dst-address=0.0.0.0/0 gateway=55.55.55.54 scope=30 target-scope=10

I think before only one route was working, but with your suggestions in the last post that looks to be resolved. Thank you.

tevolo · September 15, 2010, 12:53am

I guess the last part of this setup would be, how can I monitor it and make sure both routes are being used efficiently?
When I check clients on the hotspot, some people are connected to the 192.168.4.0/24 network and some are connected 192.168.3.0/24 which shows me they have access and should be using the correct route.

fewi · September 15, 2010, 1:37am

Look at the interfaces and the traffic statistics on them. Both should be showing some
usage.

tevolo · December 6, 2010, 6:06pm

Any idea why one of the WAN connections would stop responding to Ping all of a sudden?
I haven’t make any changes to the setup which has been working great for a long time now, but a few days ago, one of the WAN IPs stopped responding to pings.
The gateway address responds to ping, but not the static IP which is on the router?
Also, I think the primary WAN connection failed at one point giving priority to the second WAN connection which caused the ping to stop.
Thanks.