foffa
November 12, 2007, 2:34am
1
hello guys
i have load balancing
it is working fine
but after enabling hotspot
all peers work with the active routes (D,A) ROUTE
when i disable hotspot
load balancing goes fine and the ip range i marked goes where i configured to
ANY IDEAS I GO COMPLETELY MAD MAD
BY THE WAY LETNI MAKES ME DISCOVER THIS ISSUE
BECAUSE I CHECKED LOAD BALANCE BEFORE ENABLING HOTSPOT
foffa
November 12, 2007, 6:29pm
2
i got a solution by myself
but i need to hear other ideas
the solution i figured is so so simple
hello i have similar problem, i have load balancing and when i enable hotspot, the entire network goes slow.
did u find a solution to yours?
hello folks, did u get solution to loadbalancing with hotspot enabled?
fewi
October 14, 2009, 5:18pm
5
What kind of load-balancing? The below works for PCC and Hotspot:
/ip address
add address=1.1.1.2/24 disabled=no interface=outside1
add address=1.1.2.2/24 disabled=no interface=outside2
add address=10.0.0.1/24 disabled=no interface=hotspot
add address=10.0.1.1/24 disabled=no interface=hotspot2
/ip firewall address-list
add address=10.0.0.0/24 disabled=no list=Local_NAT_Networks
add address=10.0.1.0/24 disabled=no list=Local_NAT_Networks
/ip firewall mangle
add action=mark-connection chain=input connection-state=new disabled=no in-interface=outside1 new-connection-mark=outside1_connection passthrough=yes
add action=mark-connection chain=input connection-state=new disabled=no in-interface=outside2 new-connection-mark=outside2_connection passthrough=yes
add action=mark-routing chain=output connection-mark=outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=yes
add action=mark-routing chain=output connection-mark=outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=yes
add action=accept chain=prerouting disabled=no dst-address=1.1.1.0/24 src-address-list=Local_NAT_Networks
add action=accept chain=prerouting disabled=no dst-address=1.1.2.0/24 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local hotspot=auth new-connection-mark=outside1_connection passthrough=yes per-connection-classifier=src-address:2/0 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local hotspot=auth new-connection-mark=outside2_connection passthrough=yes per-connection-classifier=src-address:2/1 src-address-list=Local_NAT_Networks
add action=mark-routing chain=prerouting connection-mark=outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=yes src-address-list=Local_NAT_Networks
add action=mark-routing chain=prerouting connection-mark=outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=yes src-address-list=Local_NAT_Networks
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=to_outside1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.2.1 routing-mark=to_outside2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=1.1.2.1 scope=30 target-scope=10
Unauthenticated Hotspot connections will not be load-balanced, but everything else will be.
hello folks,
this post is meant for 2 isp and 2 lan, can it work for 2 isp and one lan ,
pls post the rules for that and also that will work with hotspot.
thanks
fewi
October 15, 2009, 3:06pm
7
bimwilly:
hello folks,
this post is meant for 2 isp and 2 lan, can it work for 2 isp and one lan ,
pls post the rules for that and also that will work with hotspot.
thanks
Yes, it will. It’s the exact same mangle rules, just build the address-list Local_NAT_Networks with only one network. You could change the rules to refer to the LAN directly, but I see no benefit to that - using those rules as is allows you to expand to more LANs just by adding interfaces and adding the networks to the address-list.
i tried it and it didn't work,
the rule i tried was simple. and it worked. u segment the 192.168.0.0/24 to groups and route each isp to the different group.
i hope u understand
ok,
let's start like this, post rule that will work on 2wan and one lan and if hotspot is enabled, it will still work. and it won't slow the network
pls post .
thanks
fewi
October 15, 2009, 6:36pm
11
/ip address
add address=1.1.1.2/24 disabled=no interface=outside1
add address=1.1.2.2/24 disabled=no interface=outside2
add address=10.0.0.1/24 disabled=no interface=hotspot
/ip firewall address-list
add address=10.0.0.0/24 disabled=no list=Local_NAT_Networks
/ip firewall mangle
add action=mark-connection chain=input connection-state=new disabled=no in-interface=outside1 new-connection-mark=outside1_connection passthrough=yes
add action=mark-connection chain=input connection-state=new disabled=no in-interface=outside2 new-connection-mark=outside2_connection passthrough=yes
add action=mark-routing chain=output connection-mark=outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=yes
add action=mark-routing chain=output connection-mark=outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=yes
add action=accept chain=prerouting disabled=no dst-address=1.1.1.0/24 src-address-list=Local_NAT_Networks
add action=accept chain=prerouting disabled=no dst-address=1.1.2.0/24 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local hotspot=auth new-connection-mark=outside1_connection passthrough=yes per-connection-classifier=src-address:2/0 src-address-list=Local_NAT_Networks
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local hotspot=auth new-connection-mark=outside2_connection passthrough=yes per-connection-classifier=src-address:2/1 src-address-list=Local_NAT_Networks
add action=mark-routing chain=prerouting connection-mark=outside1_connection disabled=no new-routing-mark=to_outside1 passthrough=yes src-address-list=Local_NAT_Networks
add action=mark-routing chain=prerouting connection-mark=outside2_connection disabled=no new-routing-mark=to_outside2 passthrough=yes src-address-list=Local_NAT_Networks
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=to_outside1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.2.1 routing-mark=to_outside2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=1.1.2.1 scope=30 target-scope=10
Works for me on 3.30. Unauthenticated Hotspot connections will not be load-balanced, but all authenticated traffic from the Hotspot will be.
thanks folks, i will try, but before then, let me ask you, will it work fine on 2.9.27 version?
thanks
fewi
October 15, 2009, 7:46pm
13
No. PCC got added way later. 2.9.27 is way out of support. No 2.x version is supported anymore at all since 4.0 got released.
Update.
fewi,
Would you mind posting a sample hotspot config to go along with your PCC config?
I’d greatly appreciate it.
fewi
October 28, 2009, 8:04pm
15
Simple hotspot config, no RADIUS. One profile for 1mbps up and down, a user ‘hotspot’ with password ‘hotspot’. Even unauthenticated users can ping.
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-pap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
ssl-certificate=none use-radius=no
add dns-name=hotspot.example.com hotspot-address=0.0.0.0 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=https name=hotspot rate-limit=5m/5m smtp-server=0.0.0.0 \
split-user-domain=no use-radius=no
/ip hotspot
add disabled=no idle-timeout=30m interface=hotspot keepalive-timeout=5m name=hotspot profile=hotspot
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default rate-limit=64k/64k shared-users=unlimited status-autorefresh=1m transparent-proxy=no
add idle-timeout=none keepalive-timeout=15m name=hotspot rate-limit=1m/1m shared-users=unlimited status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="" disabled=no name=hotspot password=hotspot profile=hotspot
/ip hotspot walled-garden ip
add action=accept comment="Allow hotspot users to ping for troubleshooting purposes" disabled=no protocol=icmp
And for completion’s sake here are DHCP, DNS and NAT:
/ip pool
add name=DHCP-Pool-Hotspot ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=DHCP-Pool-Hotspot authoritative=yes bootp-support=static disabled=no interface=hotspot lease-time=3h name=DHCP-Hotspot
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.0.0.0/24 comment="" dns-server=10.0.0.1 domain=example.com gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=1.1.1.3 secondary-dns=1.1.2.3
/ip dns static
add address=10.0.0.1 disabled=no name=hotspot.example.com ttl=1d
/ip firewall nat
add chain=srcnat action=masquerade disabled=no out-interface=outside1
add chain=srcnat action=masquerade disabled=no out-interface=outside2
But really the wizard does a decent enough job of filling all that out for you.
The issue I am having currently is that with the hotspot enabled, users are not able to resolve DNS. Users can ping DNS servers, but aren’t able to resolve anything.
Disable the hotspot, and DNS works fine.
fewi
October 28, 2009, 9:44pm
17
Post the output of “/ip dns”. As per the manual that section must be set up right for Hotspots to function.
Enabling a Hotspot brings up dynamic rules in the firewall, one of which redirects DNS. That redirection in turn uses the internal DNS proxy, so if that doesn’t function right, the clients have DNS issues.
I upgraded the box to 4.2 (was running 3.27), and now DNS is working fine with the hotspot.
The next issue I am having is regarding the load balancing itself.
I have WAN1, WAN2, and LAN1.
Using the ping utility, if I specify to ping out to the internet from WAN1, it can get out just fine. However, if I specify to ping out to the internet from WAN2, it cannot. I can ping the WAN2 gateway from WAN2, but no internet addresses.
If I disable WAN1, WAN2 then works with no issue, and I can ping out to the internet
I am still running into DNS issues…
Output of ip dns:
primary-dns: 67.91.XXX.XXX
secondary-dns: 67.91.XXX.XXX
allow-remote-requests: no
max-udp-packet-size: 512
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 4KiB
fewi
October 29, 2009, 7:12pm
20
As I said, for Hotspot to function right you must set up the DNS proxy.
/ip dns set allow-remote-requests=yes
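A static check for the two failure modes discussed in this thread, added here as an example and not written by any of the posters or by MikroTik: it parses a RouterOS export and reports PCC remainders that have no rule, connection marks that never become a routing mark with a route, and an active Hotspot whose DNS proxy is off. The sample export is constructed, using the rule names from the configuration posted above with the 2/1 rule deliberately left out.

```python
import re, shlex
from collections import defaultdict

def parse_export(text):
    """Map each RouterOS menu path to the key=value dicts of its add/set lines."""
    menus, menu = defaultdict(list), None
    for line in map(str.strip, text.replace("\\\n", " ").splitlines()):
        m = re.match(r"(/.*?)(?:\s+((?:add|set)\b.*))?$", line)
        if m:  # "/ip dns" alone, or the one-line form "/ip dns set key=value"
            menu, line = m.group(1), m.group(2) or ""
        if menu and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus[menu].append(dict(pairs))
    return menus

def lint(text):
    cfg, findings = parse_export(text), []
    mangle, classes, marks = cfg["/ip firewall mangle"], defaultdict(set), set()
    for r in mangle:  # collect which remainders each PCC denominator covers
        if "per-connection-classifier" in r:
            fields, frac = r["per-connection-classifier"].rsplit(":", 1)
            denom, rem = map(int, frac.split("/"))
            classes[(fields, denom)].add(rem)
            marks.add(r.get("new-connection-mark", ""))
    findings += [f"no PCC rule for {f}:{d}/{rem}" for (f, d), rems in classes.items()
                 for rem in sorted(set(range(d)) - rems)]
    routed = {r.get("routing-mark") for r in cfg["/ip route"]}
    for cm in sorted(marks):  # every connection mark needs a routing mark and a route
        rms = [r.get("new-routing-mark") for r in mangle
               if r.get("action") == "mark-routing" and r.get("chain") == "prerouting"
               and r.get("connection-mark") == cm]
        if not rms:
            findings.append(f"{cm}: no prerouting mark-routing rule")
        findings += [f"{rm}: no route with this routing-mark" for rm in rms if rm not in routed]
    dns_on = any(i.get("allow-remote-requests") == "yes" for i in cfg["/ip dns"])
    if not dns_on and any(h.get("disabled") != "yes" for h in cfg["/ip hotspot"]):
        findings.append("hotspot active but /ip dns allow-remote-requests is not yes")
    return findings

# Constructed sample export: the 2/1 PCC rule is missing and the DNS proxy is off.
SAMPLE = """
/ip firewall mangle
add action=mark-connection chain=prerouting hotspot=auth new-connection-mark=outside1_connection per-connection-classifier=src-address:2/0
add action=mark-routing chain=prerouting connection-mark=outside1_connection new-routing-mark=to_outside1
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=to_outside1
/ip hotspot add disabled=no interface=hotspot name=hotspot profile=hotspot
/ip dns set allow-remote-requests=no
"""
```

Calling `lint()` on the text of an `/export` gives one line per finding; an empty list means the PCC classes, routing marks and DNS proxy setting are consistent with each other.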