"Nth" better explanation needed

On trying to implement the Load Balance example in Wiki with 4 lines, I cannot copy/paste text as the ‘Nth=1,1,1’ gives error ‘Integer value needed’ (ROS3.3)
So I’m just punching in manually from Winbox.

  1. what does the 1,1,1 or 1,1,0 stand for
  2. What must I punch in to WinBox under Nth?

Is it for
WAN1: every=3, packet=0
WAN2: every=3, packet=1
WAN3: every=3, packet=2
WAN4: every=3, packet=3

Correct?

Hi…

v3.x
http://wiki.mikrotik.com/wiki/NTH_in_RouterOS_3.x


v2.9.x
http://www.mikrotik.com/testdocs/ros/2.9/ip/mangle.php



Regards,

http://wiki.mikrotik.com/wiki/NTH_in_RouterOS_3.x

Thanks for that.

Just to make sure, when wanting to Load Balance between 4 marks, would the 4 rules then be:
WAN1: every=4, packet=1
WAN2: every=3, packet=1
WAN3: every=2, packet=1
WAN4: every=1, packet=1(or just whatever is left)

If passthrough=no then each rule should get 25% of traffic?

Correct?

Hello…



regarding load balancing… it is desirable to track “connections”.

Considering you have 4 links… as you told… you should track every NEW CONNECTION.

Then the rules will be like below:

chain=prerouting action=mark-connection new-connection-mark=conn41 passthrough=yes connection-state=new nth=4,1 
chain=prerouting action=mark-routing new-routing-mark=conn41 passthrough=no connection-mark=conn41 

chain=prerouting action=mark-connection new-connection-mark=conn42 passthrough=yes connection-state=new nth=4,2 
chain=prerouting action=mark-routing new-routing-mark=conn42 passthrough=no connection-mark=conn42 

chain=prerouting action=mark-connection new-connection-mark=conn43 passthrough=yes connection-state=new nth=4,3 
chain=prerouting action=mark-routing new-routing-mark=conn43 passthrough=no connection-mark=conn43 

chain=prerouting action=mark-connection new-connection-mark=conn44 passthrough=yes connection-state=new nth=4,4 
chain=prerouting action=mark-routing new-routing-mark=conn44 passthrough=no connection-mark=conn44

Regards,

I’ve tried it, but somehow the connection will focus on 1 line first, then if the first is full it hops to another line!! It’s different from MT 2.9: the connections at the same time will share the connection as mentioned, 25% each, then when we are downloading a file the full bandwidth will be reserved for us!

mson77 is correct if he is talking about RouterOS 2.9, but since he is using nth=x,y I suspect it is about version 3, and then he is completely wrong.

in mson77 example:

  1. first rule will get 25% of all packages, that is every 1st packet (connection) out of 4

  2. since passthrough=no, second rule will get 25% of the leftover 75% of starting traffic/connections, or 18.75% of starting traffic

so at the end you will not mark all the connections, since 3rd rule will mark even less than first rule.


ekkas wrote the correct pattern for how you have to mark packages
in this post:
http://forum.mikrotik.com/t/nth-better-explanation-needed/19409/3

so first rule takes away the correct 25%
second rule takes away 33.33(3)%, that is the same 25% of starting traffic, etc.

edit:

in version 2.9, if you used nth then you had to have rules for traffic to cover every package of interest for it to work, while in v3 you can have one rule that will do something with 1/8 of traffic and you do not have to care about the remaining 7/8
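
The percentages discussed in the posts above can be checked with a small simulation. This is an added example, not code from the thread or from MikroTik; it assumes the v3 behaviour described here (each rule keeps its own counter, and a connection matched by one rule is not seen by later rules), and `simulate` and the rule tuples are hypothetical names.

```python
from collections import Counter

def simulate(rules, connections=25600):
    """Return the share of new connections each rule marks.

    rules: ordered list of (mark, every, packet); every=None means the rule
    has no nth matcher and catches whatever reaches it.
    Assumed model: each rule keeps its own counter, advanced only by
    connections that reach it; a match ends processing (passthrough=no).
    """
    counters = [0] * len(rules)
    tally = Counter()
    for _ in range(connections):
        mark = "unmarked"
        for i, (name, every, packet) in enumerate(rules):
            if every is not None:
                counters[i] = counters[i] % every + 1  # cycles 1..every
                if counters[i] != packet:
                    continue  # no match: fall through to the next rule
            mark = name
            break
        tally[mark] += 1
    return {name: count / connections for name, count in tally.items()}

# nth=4,1 / 4,2 / 4,3 / 4,4, as in the conn41..conn44 rules
FIXED = [("conn41", 4, 1), ("conn42", 4, 2), ("conn43", 4, 3), ("conn44", 4, 4)]
# every=4,3,2,1 with packet=1, as in the WAN1..WAN4 list
CASCADE = [("WAN1", 4, 1), ("WAN2", 3, 1), ("WAN3", 2, 1), ("WAN4", 1, 1)]
# three links, with the last rule left without an nth matcher
THREE = [("AAA", 3, 1), ("BBB", 2, 1), ("CCC", None, None)]

if __name__ == "__main__":
    for label, rules in (("fixed", FIXED), ("cascade", CASCADE), ("three", THREE)):
        shares = simulate(rules)
        print(label, {k: round(v, 4) for k, v in sorted(shares.items())})
```

Under this model the 4,1 to 4,4 set leaves 81/256 of new connections unmarked, while the 4,3,2,1 set gives each link exactly one quarter.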

Ok, thank you. So
WAN1: every=4, packet=1
WAN2: every=3, packet=1
WAN3: every=2, packet=1
WAN4: every=1, packet=1(or just whatever is left)

is working fine to LB 4 WANs but port 443 sites still gave trouble, so I added a rule before these to mark all traffic to port 443 with marker for WAN4. Now all SSL traffic goes through WAN4 and so far so good. Rest is balanced. Would like to have been able to balance 443 traffic as well…

In this case per-packet balancing is impossible, because it will break ssl connection.
You can use ECMP to balance ssl.

Any clues on where to start looking how?

equal-cost multi-path:
http://www.mikrotik.com/testdocs/ros/2.9/ip/route.php

ECMP is very simple to implement.

I have a question…!!! I need to bypass the load balancing for specific traffic, example rapidshare traffic … I have an address list and I want to route the traffic by one gateway if destination IP is in the list…
Can anybody help me??? Thanks.

Hello janisk…


Let me post a question regarding Nth in v3.x regarding load balancing issue.

I see examples of LB… sharing packets… as one can see at:
http://wiki.mikrotik.com/wiki/NTH_in_RouterOS_3.x

I understand that one should share connections in order to accomplish load balancing… instead of sharing packets.
Can one share packets to implement LB? Is it correct?

======================================

Can one use this below?

/ip firewall mangle 
add action=mark-connection chain=prerouting new-connection-mark=AAA nth=3,1 passthrough=yes;  # will carry 100% of the connections
add action=mark-connection chain=prerouting new-connection-mark=BBB nth=3,2 passthrough=yes;  # will carry 100% of the connections
add action=mark-connection chain=prerouting new-connection-mark=CCC nth=3,3 passthrough=yes;  # will carry 100% of the connections

I changed from the WIKI example… ==> from mark-packet to mark-connection

=======================================

I understood that: Every rule has its own counter.
Then… from the WIKI example.. again.. may I use this way below?

/ip firewall mangle 
add action=mark-connection chain=prerouting new-connection-mark=AAA nth=3,1 passthrough=no;  # will carry 100% of the connections
add action=mark-connection chain=prerouting new-connection-mark=BBB nth=2,1 passthrough=no;  # will carry 67% of the connections
add action=mark-connection chain=prerouting new-connection-mark=CCC ;  # will carry 33% of the connections

Again… changed from “mark-packet” to “mark-connection”.

Should LB use mark-packet or mark-connection?



Regards,

if you mark packets only you might break some communication, because packets from another source will simply be dropped (if you have NAT), ssh won't work, etc. so you mark connections and then mark packets according to what connections they belong to.

Hello janisk,


Thank you for your fast reply.



Let's consider LB with 3 links. Following what you said I would do: (v3.x)


/ip firewall mangle

add chain=prerouting connection-mark=AAA action=mark-packet  new-packet-mark=AAA passthrough=yes
add chain=prerouting connection-mark=BBB action=mark-packet  new-packet-mark=BBB passthrough=yes
add chain=prerouting connection-mark=CCC action=mark-packet  new-packet-mark=CCC passthrough=yes

add chain=prerouting connection-mark=AAA action=mark-routing  new-routing-mark=AAA passthrough=yes
add chain=prerouting connection-mark=BBB action=mark-routing  new-routing-mark=BBB passthrough=yes
add chain=prerouting connection-mark=CCC action=mark-routing  new-routing-mark=CCC passthrough=yes

add action=mark-connection chain=prerouting new-connection-mark=AAA nth=3,1 passthrough=no; 
add action=mark-connection chain=prerouting new-connection-mark=BBB nth=2,1 passthrough=no; 
add action=mark-connection chain=prerouting new-connection-mark=CCC ;

For NAT table:

/ip firewall nat
add chain=srcnat packet-mark=AAA action=src-nat to-addresses=<ip_ether_AAA> to-ports=0-65535
add chain=srcnat packet-mark=BBB action=src-nat to-addresses=<ip_ether_BBB> to-ports=0-65535
add chain=srcnat packet-mark=CCC action=src-nat to-addresses=<ip_ether_CCC> to-ports=0-65535

For /ip route table:


/ip route
add dst-address=0.0.0.0/0 gateway=<gw_ether_AAA> check-gateway=ping interface=<ether_AAA> routing-mark=AAA
add dst-address=0.0.0.0/0 gateway=<gw_ether_BBB> check-gateway=ping interface=<ether_BBB> routing-mark=BBB
add dst-address=0.0.0.0/0 gateway=<gw_ether_CCC> check-gateway=ping interface=<ether_CCC> routing-mark=CCC

I appreciate if you correct my rules above regarding the tables mangle, nat and route.
If OK please write OK… and if not… please write the correct way/rule… please.

In the mangle table… I mark packet and routing information over existing connection before “passthrough=no”
In the nat table… I sourceNAT using packet mark instead of connection mark information.



Regards,

no, there are some things that need to be improved
first you do

add action=mark-connection chain=prerouting comment="myMark" connection-state=new \
    disabled=no new-connection-mark="" passthrough=no nth=3,1

then you can mark every other new connections as you wish with nth=2,1 and for the 3rd mark you can simply make rule without nth field set, so less to compare, less strain on CPU

I haven’t tested it for real, but it should work somehow if you correct this error.

also, if it does not work you have to check which interfaces it is going out of and mark according to interfaces, because incoming traffic will also be natted if you do it the way you do it now.

Hello janisk…



So… what is wrong with:

/ip firewall mangle

add chain=prerouting connection-mark=AAA action=mark-packet  new-packet-mark=AAA passthrough=yes
add chain=prerouting connection-mark=BBB action=mark-packet  new-packet-mark=BBB passthrough=yes
add chain=prerouting connection-mark=CCC action=mark-packet  new-packet-mark=CCC passthrough=yes

add chain=prerouting connection-mark=AAA action=mark-routing  new-routing-mark=AAA passthrough=yes
add chain=prerouting connection-mark=BBB action=mark-routing  new-routing-mark=BBB passthrough=yes
add chain=prerouting connection-mark=CCC action=mark-routing  new-routing-mark=CCC passthrough=yes

add action=mark-connection chain=prerouting new-connection-mark=AAA nth=3,1 passthrough=no;
add action=mark-connection chain=prerouting new-connection-mark=BBB nth=2,1 passthrough=no;
add action=mark-connection chain=prerouting new-connection-mark=CCC ;

regarding…

then you can mark every other new connections as you wish with nth=2,1 and for the 3rd mark you can simply make rule without nth field set, so less to compare, less strain on CPU

I didn’t understand your comment and suggestion.


TIA


Regards,