Load Balancing 4 WANS, binding protocols, NATing & failover

Hi,

I’ve seen two articles on the Wiki that can assist with what I want to do, but I need to use a combination of them. I’ve attached a network diagram to reference.

There are 4 ISP’s in the proposed solution. ISP 4 currently plugs directly into the Cisco firewall. Due to reliability issues we need to phase out ISP 4 and for cost and failover reasons are adding in ISP 1, 2 & 3. For a period though ISP 4 will need to run side by side to ensure a smooth transition and allow time for MX record changes etc. The two ADSL connections do have a static pool of addresses through a VPN tunnel on the ADSL device (all configured by the ISP).

  1. I need to load balance the two ADSL lines (ISP 2 & 3) for outbound FTP, HTTP, HTTPS, POP3, IMAP, 8080, 8443 connections. If one ADSL line goes down, then it should just use the one line for those protocols. If both ADSL lines (ISP 2 & 3) go down, then it should use the diginet line (ISP 1).
  2. The diginet should be used for outgoing SMTP and DNS. If it goes down, it should failover to the two ADSL lines. It will also be used for incoming SMTP, HTTPS (web mail) and PPTP. If it goes down, incoming traffic can be redirected manually to the two ADSL lines. Secondary MX record for mail. Secondary A record/IP for HTTPS (web mail)/PPTP.
  3. Inbound traffic needs to be routed back out via the same route it arrived.
  4. I need to NAT some internet IP addresses on all interfaces to internal addresses. (I assume NATing would be done by the Mikrotik router and then static routes would get it to the correct host on the correct internal VLAN.) This would cause one internal host to have possibly 4 external addresses and then traffic would be routed out via point 1 & 2 above. Based on this, a specific internet address would be assigned.
  5. I would remove the current NATing on the firewall but leave the rules in place and perform all firewall functions via the CISCO device as they are already correctly configured.

Is all of the above possible?
mikrotik.jpg

Hi,

It’s possible, but you have to start configuring the board and later apply changes.

You can balance 2+3 with PCC, and you need a script to validate that the ADSL lines are working. If one is not working, disable its route and change the PCC config to non-PCC.
Another script will watch for ISP1 problems and change the rules to use ISP2 and 3.
You need to mark all traffic with mangle and later apply the correct routing-mark.
Point 3 is easy: you need to mark input traffic with the input interface routing mark. I read a load-balancing tutorial to make this. Perhaps you have read about it. There are a few input rules in this tutorial. I don’t remember where it is!

I think point 4 isn’t a problem.

I hope this will help you a little.

This is what I’ve done so far, with only one ADSL in place. It’s not working, though. Any ideas as to what the problem may be?

/ip pool
add name=production ranges=192.168.2.40-192.168.3.254
add name=inside ranges=192.168.0.2-192.168.0.254

/ip firewall nat
add action=masquerade chain=srcnat comment="inside -> diginet" disabled=no out-interface=ether1-diginet src-address-list=inside
add action=masquerade chain=srcnat comment="production -> diginet" disabled=no out-interface=ether1-diginet src-address-list=production
add action=masquerade chain=srcnat comment="inside -> ADSL-1" disabled=no out-interface=ether2-ADSL-1 src-address-list=inside
add action=masquerade chain=srcnat comment="production -> ADSL-1" disabled=no out-interface=ether2-ADSL-1 src-address-list=production

/ip firewall mangle
add action=mark-routing chain=prerouting comment="SMTP out via WAN1" disabled=no dst-port=25 new-routing-mark=to_WAN1 passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="DNS/tcp out via WAN1" disabled=no dst-port=53 new-routing-mark=to_WAN1 passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="DNS/udp out via WAN1" disabled=no dst-port=53 new-routing-mark=to_WAN1 passthrough=no protocol=udp
add action=mark-routing chain=prerouting comment="everything else out via WAN2" disabled=no new-routing-mark=to_WAN2 passthrough=no
add action=mark-connection chain=input comment="remember connections arriving on WAN1" disabled=no in-interface=ether1-diginet new-connection-mark=from_WAN1 passthrough=yes
add action=mark-connection chain=input comment="remember connections arriving on WAN2" disabled=no in-interface=ether2-ADSL-1 new-connection-mark=from_WAN2 passthrough=yes
add action=mark-routing chain=output comment="router replies back out WAN1" connection-mark=from_WAN1 disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="router replies back out WAN2" connection-mark=from_WAN2 disabled=no new-routing-mark=to_WAN2 passthrough=yes

/ip route
add comment="default for to_WAN1 (diginet)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=196.x.x.225 routing-mark=to_WAN1 scope=255 target-scope=10
add comment="default for to_WAN2 (ADSL-1)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=196.x.x.97 routing-mark=to_WAN2 scope=255 target-scope=10
add comment="internal VLAN via Cisco" disabled=no distance=1 dst-address=172.0.0.0/24 gateway=10.0.0.2 scope=30 target-scope=10
add comment="internal VLAN via Cisco" disabled=no distance=1 dst-address=192.168.0.0/24 gateway=10.0.0.2 scope=30 target-scope=10
add comment="internal VLAN via Cisco" disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.0.0.2 scope=30 target-scope=10
add comment="internal VLAN via Cisco" disabled=no distance=1 dst-address=192.168.2.0/23 gateway=10.0.0.2 scope=30 target-scope=10
add comment="internal VLAN via Cisco" disabled=no distance=1 dst-address=192.168.10.0/24 gateway=10.0.0.2 scope=30 target-scope=10
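A worked configuration along the lines the reply describes (PCC across the two ADSL lines, connection marks by input interface so replies leave the way they came in, diginet for SMTP/DNS, route distances plus check-gateway for failover), as an added example that is not part of the thread and is not the poster's configuration above. It assumes RouterOS v6 syntax, a third WAN port named ether3-ADSL-2, placeholder gateways from the documentation prefixes (203.0.113.1 diginet, 198.51.100.1 ADSL-1, 192.0.2.1 ADSL-2), and an address list named LAN built from the two posted subnets; all of these are assumptions to be replaced with the real values.

```routeros
# Added example, not the thread's own config. Placeholders (assumed): ether3-ADSL-2,
# gateways 203.0.113.1 (diginet), 198.51.100.1 (ADSL-1), 192.0.2.1 (ADSL-2).
/ip firewall address-list
add list=LAN address=192.168.0.0/24 comment="constructed: inside"
add list=LAN address=192.168.2.0/23 comment="constructed: production"

/ip firewall mangle
# Point 3: remember which WAN a new inbound connection arrived on.
add chain=prerouting in-interface=ether1-diginet connection-mark=no-mark action=mark-connection new-connection-mark=diginet_conn passthrough=yes
add chain=prerouting in-interface=ether2-ADSL-1 connection-mark=no-mark action=mark-connection new-connection-mark=adsl1_conn passthrough=yes
add chain=prerouting in-interface=ether3-ADSL-2 connection-mark=no-mark action=mark-connection new-connection-mark=adsl2_conn passthrough=yes
# Point 2: new outbound SMTP and DNS connections from the LAN are pinned to the diginet.
# dst-address-list=!LAN keeps LAN-to-LAN and LAN-to-router traffic out of the WAN tables.
add chain=prerouting src-address-list=LAN dst-address-list=!LAN connection-mark=no-mark protocol=tcp dst-port=25,53 action=mark-connection new-connection-mark=diginet_conn passthrough=yes
add chain=prerouting src-address-list=LAN dst-address-list=!LAN connection-mark=no-mark protocol=udp dst-port=53 action=mark-connection new-connection-mark=diginet_conn passthrough=yes
# Point 1: PCC splits the listed ports across the two ADSL lines, one connection at a time.
add chain=prerouting src-address-list=LAN dst-address-list=!LAN connection-mark=no-mark protocol=tcp dst-port=21,80,443,110,143,8080,8443 per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=adsl1_conn passthrough=yes comment="pcc-adsl1"
add chain=prerouting src-address-list=LAN dst-address-list=!LAN connection-mark=no-mark protocol=tcp dst-port=21,80,443,110,143,8080,8443 per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=adsl2_conn passthrough=yes comment="pcc-adsl2"
# Connection mark -> routing mark: prerouting for forwarded LAN packets (including a LAN
# server's replies to an inbound connection), output for the router's own replies.
add chain=prerouting src-address-list=LAN connection-mark=diginet_conn action=mark-routing new-routing-mark=to_diginet passthrough=no
add chain=prerouting src-address-list=LAN connection-mark=adsl1_conn action=mark-routing new-routing-mark=to_ADSL1 passthrough=no
add chain=prerouting src-address-list=LAN connection-mark=adsl2_conn action=mark-routing new-routing-mark=to_ADSL2 passthrough=no
add chain=output connection-mark=diginet_conn action=mark-routing new-routing-mark=to_diginet passthrough=no
add chain=output connection-mark=adsl1_conn action=mark-routing new-routing-mark=to_ADSL1 passthrough=no
add chain=output connection-mark=adsl2_conn action=mark-routing new-routing-mark=to_ADSL2 passthrough=no

/ip firewall nat
add chain=srcnat out-interface=ether1-diginet src-address-list=LAN action=masquerade
add chain=srcnat out-interface=ether2-ADSL-1 src-address-list=LAN action=masquerade
add chain=srcnat out-interface=ether3-ADSL-2 src-address-list=LAN action=masquerade

/ip route
# Per-WAN tables. check-gateway=ping deactivates a route whose next hop stops answering;
# a marked packet with no active route in its table falls through to the main table.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to_diginet distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_ADSL1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_ADSL1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_ADSL2 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to_ADSL2 distance=2 check-gateway=ping
# Main table: diginet first, ADSL lines as backups (this is also where the tables above fall through).
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=3 check-gateway=ping

/tool netwatch
# The reply's "script that validates the ADSL lines": while ADSL-1 is down, every new PCC
# connection is handed to ADSL-2 (classifier 1/0 matches all); restored to 2/1 when it returns.
add host=198.51.100.1 interval=30s down-script="/ip firewall mangle disable [find comment=\"pcc-adsl1\"]; /ip firewall mangle set [find comment=\"pcc-adsl2\"] per-connection-classifier=both-addresses:1/0" up-script="/ip firewall mangle enable [find comment=\"pcc-adsl1\"]; /ip firewall mangle set [find comment=\"pcc-adsl2\"] per-connection-classifier=both-addresses:2/1"
```

Failure behaviour to check after loading it: with ADSL-1 down, the distance-2 route in the to_ADSL1 table sends that line's marked connections over ADSL-2; with both ADSL lines down, both tables have no active route and traffic falls through to the diginet in the main table; with the diginet down, SMTP/DNS falls through to ADSL-1 at distance 2. Two caveats worth knowing: check-gateway and the netwatch host only test the next hop (the ADSL modem), not the VPN tunnel behind it, so a dead tunnel with a live modem is not detected; and because failover changes the masqueraded source address, already-established TCP sessions on the failed line are reset and must reconnect, which is inherent to this design rather than a misconfiguration. The netwatch entry for ADSL-2 is the mirror image and is omitted here.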