Raheelispguru
just joined
Topic Author
Posts: 1
Joined: Wed Jan 16, 2019 10:40 pm

Need help for load balancing

Wed Jan 16, 2019 10:52 pm

Hello
I am running an ISP in Pakistan and I need help with load balancing. My scenario is that I have 2 different internet connections: WAN1 is 10Mbps and WAN2 is 20Mbps. I just want that if I hit the YouTube website or mobile application, that traffic goes to WAN1 and all other websites route to WAN2. Is it possible?
Waiting for answer
Thank you
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help for load balancing

Fri Jan 18, 2019 11:15 pm

Not sure, but off the top of my head I would set up my WAN2 as primary with failover to WAN1.
Then for any firewall address list traffic related to youtube, I would state go to WAN1.

First we will create the necessary basic routes.
Simple case where there is no independent checking if the ISP upstream is actually connected to the net (gateway to them is up but they are not connected)
/ip route
# no dst-address given: assumes/translates to the default destination entry of 0.0.0.0/0 if using WinBox
# replace each <...> placeholder with the real gateway address
add check-gateway=ping distance=2 gateway=<Gateway IP of WAN2>
add distance=3 gateway=<Gateway IP of WAN1>

More complex case where you use recursive routing to check connectivity beyond the ISP, i.e. to Google DNS servers for example.
/ip route
# replace each <...> placeholder with the real gateway address
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=2 dst-address=8.8.4.4/32 gateway=<Gateway IP of WAN2>
add distance=3 gateway=<Gateway IP of WAN1>

Properly identifying traffic heading for YouTube probably requires marking of some sort. It's a two-step process in general.
One is to mark connections to YouTube, then two, you attach a route marking rule to that traffic (marking connections is more efficient in that one marks the connection and all packets are then automatically marked, vice marking each packet). This is all done in prerouting!
However, the rules I created work for plain YouTube traffic, which would not work as almost all sites use HTTPS.
Thankfully MT now has a tls-host option to help with this new scenario.

First step will be to identify users who are attempting to access YouTube and add the destination addresses to a firewall address list.
/ip firewall mangle
add action=add-dst-to-address-list address-list=youtube_users address-list-timeout=\
12h chain=prerouting dst-port=443 in-interface-list=lan \
connection-mark=no-mark protocol=tcp tls-host=*.googlevideo.com passthrough=yes

/ip firewall mangle
add action=add-dst-to-address-list address-list=youtube_users address-list-timeout=\
12h chain=prerouting dst-port=443 in-interface-list=lan \
packet-mark=no-mark protocol=tcp tls-host=*.youtube.com passthrough=yes

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=youtube_users in-interface-list=lan \
connection-mark=no-mark new-connection-mark=markUtube passthrough=yes
add action=mark-routing chain=prerouting connection-mark=markUtube \
new-routing-mark=routeUtube passthrough=no

In plain English, the router will look at packets without any markings, i.e. this is done before sending traffic anywhere (not routed or going anywhere direct) but just showing up at any interface covered by the "in-interface-list". If the packets have no markings and have a destination port of 443 (and have a domain identification of youtube.com for example), the associated destination address of the connection is added to the applicable address list. Then we say step to the next rule...
The next rule states, if the packets have no markings and have a destination port of 443 (and have a domain identification of googlevideo.com for example), the associated destination address of the connection is added to the applicable address list. Then we say step to the next rule...

Next the router will look for any connections intended for the destination address from our created list (identified by our now populated firewall address rule). We set it up such that the packet being inspected is the first in a new connection without any connection markings because we want the router to only look at new connections (and ignore already marked traffic).
The router will mark the connection with the mark (markUtube) and any of its associated packets will not be inspected and will automatically receive the temporary mark.
Then you tell the router to look at the next prerouting rule for this connection.
The router then sees that for any connection (and associated packets) with the connection mark of markUtube attach another kind of mark, a routing mark to that connection (and its associated packets). Then you tell the router basically there are no more marking rules that apply.

So how do we use this special routing mark in our above IP ROUTE RULES !!!
We make use of the Routing mark option available (see winbox).

++++++++++++++++++++++++++++++++++++++++++++

Simple:
/ip route
# no dst-address given: assumes/translates to the default destination entry of 0.0.0.0/0 if using WinBox
# replace each <...> placeholder with the real gateway address
add check-gateway=ping distance=2 gateway=<Gateway IP of WAN2>
add distance=3 gateway=<Gateway IP of WAN1>
add distance=1 gateway=<Gateway IP of WAN1> routing-mark=routeUtube

Complex:
/ip route
# replace each <...> placeholder with the real gateway address
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=2 dst-address=8.8.4.4/32 gateway=<Gateway IP of WAN2>
add distance=3 gateway=<Gateway IP of WAN1>
add distance=1 gateway=<Gateway IP of WAN1> routing-mark=routeUtube
