I have been advised by MikroTik to use an approved load balancing script.
However, when I ask some questions about getting the syntax of the statements exactly right, they flatly refuse to assist me.
I am therefore appealing to the wider community to assist.
This load balancing should be very simple. All I want to do is have port 80 and 443 go to WAN1 and the other traffic to WAN2.
The script is for 3 WAN ports, which is OK, as once I have the syntax correct I will add another few rules.
In these first 3 mangle instructions I just need to know exactly what the address-and-port syntax should look like:
/ip firewall mangle add chain=prerouting action=mark-connection \
    new-connection-mark=1st_conn per-connection-classifier=src-address-and-port:3/0
/ip firewall mangle add chain=prerouting action=mark-connection \
    new-connection-mark=2nd_conn per-connection-classifier=src-address-and-port:3/1
/ip firewall mangle add chain=prerouting action=mark-connection \
    new-connection-mark=3rd_conn per-connection-classifier=src-address-and-port:3/2
/ip address
add address=192.168.10.1/24 network=192.168.10.0 broadcast=192.168.10.255 interface=LAN
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 interface=ISP1
add address=192.168.15.1/24 network=192.168.15.0 broadcast=192.168.15.255 interface=ISP2
/ip firewall mangle
add chain=prerouting dst-address=192.168.5.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.15.0/24 action=accept in-interface=LAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP2_conn
***** Then allegedly I need to change these next 2 rules. ***** I am guessing they need to be expanded to 3 WANs and not 2, but is that all I need to do?
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing \
    new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing \
    new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.15.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.5.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.15.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
Any assistance would be greatly appreciated and, if needed, rewarded.
Regards
Heathkit
Sob
December 9, 2016, 4:29pm
Forget rules with per-connection-classifier, those are for load balancing where multiple connections are shared equally (sort of). You want rules like these:
/ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local comment="web to ISP1" \
protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local comment="mail to ISP2" \
protocol=tcp dst-port=25,110,587 action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local comment="rest to ISP3" \
action=mark-connection new-connection-mark=ISP3_conn passthrough=yes
I hope you get the idea.
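As an added example, not configuration from the thread or from MikroTik: a small Python model of how the prerouting mangle rules above are evaluated, in order, against a connection-mark table. It shows why the port rule must come before the catch-all and why both carry connection-mark=no-mark (the catch-all then cannot overwrite the WAN1 mark on packets the first rule already marked), why a reply arriving on a WAN or a new inbound connection keeps the WAN it came in on even when the port is 443, and why the both-addresses PCC rules from the first post split flows by address hash with no regard to port. Assumptions, also noted in the code: NAT is ignored and flows are keyed on their original addresses; RouterOS's PCC hash is not documented, so zlib.crc32 stands in for it; the router addresses and ISP subnets are the ones from the thread's /ip address section; the sample flows are constructed.

```python
"""Added model of the mangle logic in this thread (not RouterOS code): ordered
prerouting rule evaluation with a connection-mark table.  Assumptions: NAT is
ignored, flows are keyed on original addresses, crc32 stands in for PCC's hash."""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# From the thread's /ip address section: router-owned ("local") addresses and ISP subnets.
ROUTER_ADDRS = {"192.168.10.1", "192.168.5.1", "192.168.15.1"}
ISP_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.5.0/24", "192.168.15.0/24")]

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def flow_key(p: Packet) -> Tuple:
    """Direction-independent conntrack key, so a reply hits the same entry."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

@dataclass
class Rule:
    comment: str
    match: Callable[[Packet, Optional[str]], bool]  # (packet, current connection-mark)
    new_mark: Optional[str] = None                  # None = action=accept
    passthrough: bool = True

class Mangle:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack: Dict[Tuple, str] = {}

    def classify(self, p: Packet) -> Optional[str]:
        """Walk the rules in order; return the flow's connection-mark afterwards."""
        key = flow_key(p)
        mark = self.conntrack.get(key)
        for r in self.rules:
            if not r.match(p, mark):
                continue
            if r.new_mark is None:      # action=accept: stop, mark unchanged
                break
            mark = self.conntrack[key] = r.new_mark   # action=mark-connection
            if not r.passthrough:
                break
        return mark

def lan_new_remote(p: Packet, mark: Optional[str]) -> bool:
    """in-interface=LAN connection-mark=no-mark dst-address-type=!local"""
    return p.in_iface == "LAN" and mark is None and p.dst not in ROUTER_ADDRS

def base_rules() -> List[Rule]:
    return [
        Rule("LAN to ISP subnets: accept, no mark", lambda p, m: p.in_iface == "LAN"
             and any(ipaddress.ip_address(p.dst) in n for n in ISP_SUBNETS)),
        Rule("new inbound on WAN1", lambda p, m: p.in_iface == "WAN1" and m is None, "WAN1"),
        Rule("new inbound on WAN2", lambda p, m: p.in_iface == "WAN2" and m is None, "WAN2"),
    ]

def port_policy() -> Mangle:
    """Sob's port-based rules for two WANs.  The catch-all cannot overwrite the
    WAN1 mark because it too requires connection-mark=no-mark."""
    return Mangle(base_rules() + [
        Rule("web to WAN1", lambda p, m: lan_new_remote(p, m) and p.proto == "tcp"
             and p.dport in (80, 443), "WAN1"),
        Rule("rest to WAN2", lan_new_remote, "WAN2"),
    ])

def pcc(p: Packet, denominator: int) -> int:
    """Stand-in for per-connection-classifier=both-addresses:D/R (crc32 is an assumption)."""
    return zlib.crc32(f"{p.src}|{p.dst}".encode()) % denominator

def pcc_policy() -> Mangle:
    """The both-addresses:2/0 and 2/1 rules from the first post: a hash split that ignores ports."""
    return Mangle(base_rules() + [
        Rule("pcc 2/0 to WAN1", lambda p, m: lan_new_remote(p, m) and pcc(p, 2) == 0, "WAN1"),
        Rule("pcc 2/1 to WAN2", lambda p, m: lan_new_remote(p, m) and pcc(p, 2) == 1, "WAN2"),
    ])

def demo() -> Dict[str, object]:
    """Constructed sample flows; returns the connection-mark (= routing-mark) each gets."""
    host, srv = "192.168.10.50", "203.0.113.10"
    web = Packet("LAN", host, srv, "tcp", 40001, 443)
    ssh = Packet("LAN", host, srv, "tcp", 40002, 22)
    web_reply = Packet("WAN1", srv, host, "tcp", 443, 40001)   # reply packet of `web`
    inbound = Packet("WAN2", "198.51.100.7", "192.168.15.1", "tcp", 5555, 443)
    to_isp = Packet("LAN", host, "192.168.5.20", "tcp", 40003, 80)
    pol = port_policy()
    out: Dict[str, object] = {
        "web": pol.classify(web),                   # WAN1
        "ssh": pol.classify(ssh),                   # WAN2
        "web_reply": pol.classify(web_reply),       # stays WAN1: inbound rule needs no-mark
        "inbound_wan2": pol.classify(inbound),      # WAN2 although dport is 443
        "lan_to_isp_subnet": pol.classify(to_isp),  # None: accepted, main table decides
    }
    hashed = pcc_policy()
    out["pcc_marks"] = {hashed.classify(web), hashed.classify(ssh)}  # same WAN for both ports
    return out
```

Two checks a practitioner would make before applying the thread's config itself: the mark-routing and route entries only do something for flows that received a connection-mark, so any LAN traffic the accept rules let through with no mark follows the main table (the distance=1 route); and the /ip route entries use 192.168.5.1 and 192.168.15.1 as gateways, which are the same addresses /ip address assigns to the router's own WAN interfaces, whereas the gateway must be the upstream device's address on each link.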
So I have simplified this so it's just 443 and 80 to WAN1 and the rest to WAN2.
I am assuming the first 3 mangle instructions in the previous script were for load balancing, so they could also be removed. Is that correct?
This is my simplified script below.
Is there anything wrong with having the labels for the marks the same as the labels for the physical ports, or is that bad practice?
/ip address
add address=192.168.10.1/24 network=192.168.10.0 broadcast=192.168.10.255 interface=LAN
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 interface=WAN1
add address=192.168.15.1/24 network=192.168.15.0 broadcast=192.168.15.255 interface=WAN2
/ip firewall mangle
add chain=prerouting dst-address=192.168.5.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.15.0/24 action=accept in-interface=LAN
add chain=prerouting in-interface=WAN1 connection-mark=no-mark action=mark-connection \
    new-connection-mark=WAN1
add chain=prerouting in-interface=WAN2 connection-mark=no-mark action=mark-connection \
    new-connection-mark=WAN2
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local comment="web to WAN1" \
    protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=WAN1 passthrough=yes
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local comment="rest to WAN2" \
    action=mark-connection new-connection-mark=WAN2 passthrough=yes
add chain=prerouting connection-mark=WAN1 in-interface=LAN action=mark-routing \
    new-routing-mark=WAN1
add chain=prerouting connection-mark=WAN2 in-interface=LAN action=mark-routing \
    new-routing-mark=WAN2
add chain=output connection-mark=WAN1 action=mark-routing new-routing-mark=WAN1
add chain=output connection-mark=WAN2 action=mark-routing new-routing-mark=WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.15.1 routing-mark=WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.5.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.15.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
Sob
December 16, 2016, 11:28pm
It looks ok to me, does it work? (Just because it looks ok doesn't necessarily mean it is ok, oversights happen...)
Whatever you like, those are just independent identifiers.