Pass through Point A non local traffic via Point B

Hello All,

I am new to MikroTik and RouterOS, and I need some comments from all of you please.
I am managing 2 network PoPs (points of presence) in Hong Kong; both PoPs use a 2011UiAS router.

PoP A: The bandwidth provided by ISP A is only 2Mbps international (non-HK) but 100Mbps local (within Hong Kong)
PoP B: The bandwidth provided by ISP B includes 100Mbps international (non-HK) and 500Mbps local (Hong Kong)

With the above limitation, the speed is very low when the servers in PoP A connect to international destinations outside Hong Kong.
My idea is: is it possible to inspect the traffic (e.g. destination IP) within the PoP A router and see if that is within or outside Hong Kong (of course determining the location by looking up the IP is not 100% accurate)?
If the destination is within Hong Kong, the traffic will route through ISP A directly.
If the destination is outside Hong Kong, the traffic will route to PoP B and then go out via ISP B there.
I understand that this is only for outgoing connections initiated from servers in PoP A; it is not applicable when others connect to my servers in PoP A.
Could anyone please give me some comments on whether my idea works or not? If it works and is possible, please guide me briefly on how to do the configuration on both RouterOS devices in order to implement this?

Many thanks.

Hey

Depending on how granular the IPs of HK are, it might be easier to forward all traffic (except that initiated from outside) to the remote ISP.

To do that you’ll need to set up a tunnel between A & B, and then route traffic over that tunnel. For externally initiated (and so local) traffic, you could use connection marking to know that the local route should be selected.

And as it’s external traffic anyway, you might not encrypt it, as the 2011 doesn’t do encryption in hardware. But there are some risks with that.

Thanks for the reply and sorry for my delayed response.

May I know how to set up the tunnel between A & B in RouterOS and how to forward all outgoing traffic from A to B?

Thanks.

Assuming that both your 2011s have a public IP address, the easiest tunnels to set up are GRE or IPIP:

/interface gre add remote-address=the.public.ip.of.the.remote.device
or
/interface ipip add remote-address=the.public.ip.of.the.remote.device

If you also add ipsec-secret=some-random-string-of-characters to the above command at both ends, you’ll get IPsec encryption for the tunnel with no extra effort, but as @Sebastia has warned you, in that case the throughput may be less than 100 Mbit/s as the 2011 doesn’t support encryption in hardware.

The above is true if you haven’t touched any IPsec settings on either of the devices. If you have, you may have to do some manual settings to resolve possible conflict(s) between the IPsec peer and policy dynamically generated by RouterOS for the tunnel and your existing one(s).

Once you see the tunnel interfaces up, you don’t even need to assign IP addresses to them; it is enough to use the interface names as the gateway parameters of the routes under /ip route. But be very careful with the routing: you’ll have to use so-called policy routing to make sure that connections which come to the “slow” site via its WAN interface will also be responded to through it, whereas connections which come in via the tunnel will be responded to through the tunnel. This requires using /ip firewall mangle rules to assign a connection-mark and later translate it to a routing-mark for some packets, which in turn makes it impossible to use fasttracking for many of the connections, so the 2011 may have a tough time handling the traffic. Check this topic for an arrangement which allows using policy routing and still having the major part of the traffic fasttracked, but what remains may still be too much for the 2011 to handle, and you may need to replace it with something more powerful (3011, 4011 or 1100) or keep it as a switch and complement it with a hAP ac² to take care of the routing and encryption.
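A complete two-sided configuration for what the post above describes (GRE with ipsec-secret at both ends, a connection-mark on connections that arrive via ISP A translated to a routing-mark on the way back, the default route via the tunnel, the old ISP A default kept as fallback), added here as an illustration and not taken from any post in this thread or from MikroTik documentation. Every address, interface name, the secret and the hk-prefixes list entry are placeholders (assumptions); the syntax is RouterOS v6 as used on the 2011 (v7 replaces routing-mark with routing tables). It also carries the original poster's Hong Kong idea one step further as an optional address list, which is only as good as the prefix list you maintain in it:

```routeros
# Added example, not configuration posted in the thread. Assumed placeholder values:
#   PoP A: WAN ether1 = 203.0.113.10, ISP A gateway = 203.0.113.1, LAN on "bridge" = 192.168.10.0/24
#   PoP B: WAN ether1 = 198.51.100.20
# RouterOS v6 syntax (routing-mark).

############ PoP B (fast site) ############
# GRE towards PoP A; the same ipsec-secret on both ends makes RouterOS create the IPsec
# peer/policy for the tunnel automatically. keepalive makes the interface stop "running"
# when the peer no longer answers, so routes via it go inactive.
/interface gre add name=gre-to-A remote-address=203.0.113.10 keepalive=10s,10 \
    ipsec-secret=ReplaceWithLongRandomSecret
/ip address add address=10.255.0.2/30 interface=gre-to-A
# Return path for PoP A's LAN; without it replies coming back from ISP B never reach the tunnel
/ip route add dst-address=192.168.10.0/24 gateway=gre-to-A
# PoP A's private LAN must leave ISP B with a PoP B public source address
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 out-interface=ether1 action=masquerade

############ PoP A (slow site) ############
/interface gre add name=gre-to-B remote-address=198.51.100.20 keepalive=10s,10 \
    ipsec-secret=ReplaceWithLongRandomSecret
/ip address add address=10.255.0.1/30 interface=gre-to-B
# The GRE outer packets to PoP B must always go out via ISP A; once 0.0.0.0/0 points into
# the tunnel, this /32 is what stops the tunnel from trying to carry itself.
/ip route add dst-address=198.51.100.20/32 gateway=203.0.113.1 comment="tunnel endpoint via ISP A"
# LAN hosts reaching ISP A directly need source NAT there (skip if already present)
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 out-interface=ether1 action=masquerade

# --- policy routing: which connections stay on ISP A ---
# (1) anything that arrived from the Internet on ISP A's WAN
/ip firewall mangle add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=use-ispA passthrough=yes comment="inbound via ISP A"
# (2) optional: new connections from the servers to destinations in a maintained HK list
/ip firewall address-list add list=hk-prefixes address=192.0.2.0/24 comment="placeholder HK prefix"
/ip firewall mangle add chain=prerouting in-interface=bridge dst-address-list=hk-prefixes \
    connection-state=new action=mark-connection new-connection-mark=use-ispA passthrough=yes
# Every later packet of a marked connection coming from the LAN gets the routing mark...
/ip firewall mangle add chain=prerouting in-interface=bridge connection-mark=use-ispA \
    action=mark-routing new-routing-mark=to-ispA passthrough=no
# ...and so do the router's own replies (Winbox/ssh sessions opened from the Internet)
/ip firewall mangle add chain=output connection-mark=use-ispA \
    action=mark-routing new-routing-mark=to-ispA passthrough=no

# --- routes ---
# table "to-ispA": marked traffic always leaves via ISP A
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to-ispA comment="answers via ISP A"
# main table: everything else via PoP B (distance 1 by default), ISP A as fallback at distance 2
/ip route add dst-address=0.0.0.0/0 gateway=gre-to-B comment="default via PoP B"
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=2 comment="fallback when tunnel is down"
```

Rule order in mangle matters: the two mark-connection rules have to sit above the mark-routing rules, because the routing mark is only ever derived from the connection mark. Connections that come in through the tunnel need no special handling here, since the reply to PoP B's LAN side follows the main table and the only route to the tunnel's far end is the tunnel itself; and, as the post warns, connections that carry a mark cannot be fasttracked, so keep any fasttrack rule after a connection-mark=no-mark match.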

Thanks Sindy for the details.

I have added the GRE interface at PoP A’s RB2011 pointed to PoP B, and I can see it is showing the link is UP. Do I need to add another GRE interface in PoP B’s RB2011 and point it back to PoP A as well?

And how can I route all PoP A outgoing traffic via the newly added GRE interface?

Sorry, I am still new to RouterOS; many thanks for the guide.

Ah, I found this
https://wiki.mikrotik.com/wiki/Manual:Interface/Gre

But I think for the ip route entry, I should put dst-address=0.0.0.0/0 in order to route ALL outgoing traffic of Point A to Point B?

And can I still keep a fallback route in case the GRE link goes down?
In other words, as I am configuring this remotely and it is not easy for me to access Point A physically, which part should I be careful with to avoid locking myself out of the Point A RB2011?

Thanks.

Of course you need a symmetric configuration, and the fact that a tunnel interface configured at only one end is indicated as running is weird, so you have to investigate whether GRE packets are really coming to the IP address of PoP A from the IP address of PoP B and why; otherwise there will be a conflict with unpredictable results.

/tool sniffer quick interface=your-wan-interface-name ip-protocol=gre run at both ends should show you what is going on. Make the CLI window as wide as possible; RouterOS displays fewer packet headers if some don’t fit the window width.


If you set distance=2 on the existing default route (with dst-address=0.0.0.0/0, or no dst-address parameter at all, as the default value is 0.0.0.0/0 if that parameter is missing) and state no distance value on the newly added default route (which means the default value distance=1), the newly added one will be preferred as long as it is active.

But it is dangerous to do this due to many factors, so unless you are on site, first of all add at least a route back to the device from which you configure remotely. A route with a longer (more precise) dst-address mask always wins over any route also matching the dst-address of the packet but with a shorter (wider) mask, so that you don’t lose connectivity to the 2011. And even if you do this, I’d start by adding only routes to particular destinations via the GRE before making it the default route.

Or, switch on Safe Mode before adding the default route (press Ctrl-X on the command line if you configure from there, or press the “Safe mode” button in Winbox or WebFig if you use one of those to add the default route). If a change done in Safe Mode causes a disconnection of the management session, it is automatically reverted in 60 seconds or so. Once again, you must set Safe Mode where you do the actual change, so if you were to set it in WebFig and then do the configuration from ssh, the change would not be reverted and you’d have to get to the site physically.


It sounds more like being new to networking than just RouterOS, as you are asking rather for networking principles than how to implement them in RouterOS. Nothing bad about it, just be even more careful when doing changes with a large impact on the configuration.
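The remote-change order the two posts above recommend (management host route first, demote the old default, test single destinations, then the default route from inside Safe Mode, then verify), written out as an added example that is not from any post in this thread. Addresses and the interface name are placeholders (assumptions). One point the thread touches on without naming the cause: a RouterOS GRE interface without keepalive is reported as running whether or not the far end exists, which is why the one-sided tunnel showed UP, and why step 3 is needed for the distance-based fallback to ever kick in:

```routeros
# Added example, not from the thread. Placeholder values (assumptions):
#   192.0.2.50    = the host you administer PoP A from
#   203.0.113.1   = ISP A's gateway at PoP A
#   gre-to-B      = the GRE interface at PoP A towards PoP B
#   198.51.100.77 = one harmless test destination outside Hong Kong

# 1. Before anything else: a host route to the management host via ISP A.
#    A /32 beats every 0.0.0.0/0 route regardless of distance, so this session survives
#    whatever happens to the default route.
/ip route add dst-address=192.0.2.50/32 gateway=203.0.113.1 comment="mgmt host, always via ISP A"

# 2. Demote the current ISP A default route to distance 2 so it stays as the fallback.
/ip route set [find dst-address=0.0.0.0/0 gateway=203.0.113.1] distance=2

# 3. Without keepalive the tunnel never goes "not running", so a dead tunnel would keep
#    winning at distance 1. With it, the route via gre-to-B goes inactive when the peer
#    misses 10 keepalives 10 s apart, and the distance-2 route takes over.
/interface gre set gre-to-B keepalive=10s,10

# 4. Try a single destination through the tunnel first and look at the path it takes.
/ip route add dst-address=198.51.100.77/32 gateway=gre-to-B comment="test via tunnel"
/tool traceroute 198.51.100.77 count=1
/ip route remove [find comment="test via tunnel"]

# 5. Only now the default route. Enter Safe Mode (Ctrl-X) in THIS CLI session first;
#    if the session drops, the change is rolled back automatically.
#    No distance given = distance 1, so it is preferred over the demoted ISP A route
#    for as long as the tunnel interface is running.
/ip route add dst-address=0.0.0.0/0 gateway=gre-to-B comment="default via PoP B"

# 6. Verify: the tunnel route should carry the A (active) flag, the ISP A one should not,
#    and the /32 for the management host should still be there.
/ip route print where dst-address=0.0.0.0/0
/ip route print where dst-address=192.0.2.50/32
```

Leave Safe Mode (Ctrl-X again) only after step 6 looks right and a fresh ssh or Winbox session to the router still opens; a session that is still alive only proves the /32 from step 1 works, not that the new default route does.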

Many thanks for the advice.

I think I will try to configure it on site then, as both sites are actually in production…

I appreciate your prompt reply.

One more surprise might come from the firewall on the high speed site (if you have configured any rules at all in the forward chain of filter or in mangle, nat etc.). If in doubt, you can post here configuration exports from both sites, following the hint in my automatic signature.