cmon69
Member Candidate
Topic Author
Posts: 160
Joined: Sun Dec 10, 2006 2:23 am
Location: Waseca, Minnesota US

load balancing setup

Wed Nov 21, 2007 5:47 am

I’m having a problem, and I know what I could be doing wrong. It must be something simple and I’m just not getting it, and am hoping that someone out there can help me out by making a suggestion. I have load balancing set up in a RB532a and I can get a PC attached to it to use either my T1 or DSL by switching it to either T1-Static or DSL-Static in (IP-Firewall-Address List) but I can’t seem to get my clients associated to the AP to do the same. I’m sure it has to have something to do with the masquerading in my AP, but if I disable the masquerading rule nothing works.

So that my customers don’t lose their internet connectivity I am trying to get it to work from my home office. My customers are associated to wlan1 on my AP, and I am associated to wlan2 on the same AP. (Not that it matters) My RB133c that I use for my CPE has a private static IP of 10.2.3.200 on the wlan interface, and 192.168.250.1 on the ether interface connected to my PC.

Should I be looking at 1:1 IP Mapping, Static NAT, Static Route?

I have the following rule in my AP:
masq from 10.2.5.0/24 to dev $net (net = ether1)

Should I be using a NAT rule of some kind in my AP?


My network arrangement is below


“RB532a”

ether1 to switch - ether1 assigned static private IP (192.168.200.1)
ether2 to T1 Router - ether2 assigned static public IP (xx.xx.xx.xx)
ether3 to DSL Router - ether3 assigned static private IP (192.168.0.2)

“Switch”

Port 1 to AP ether1 assigned static IP (192.168.200.6)
Port 2 to PC ether1 assigned static IP (192.168.200.7)

“AP” attached to switch

ether1 assigned static IP (192.168.200.6)
wlan1 assigned IP range 10.1.3.0/24 – masqueraded to ether1 (68 CPE’s)
wlan2 assigned IP range 10.2.3.0/24 – masqueraded to ether1 (1 CPE)

"PC" attached to switch
ether1 assigned static IP (192.168.200.7) WORKING !
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Wed Nov 21, 2007 3:36 pm

cmon69 -
Yep it is simple - your masq rule is the problem - everything your 'core' router sees only comes from one IP address - hence it only goes out one gateway....

So - what you'll have to do is introduce some routing in to your 'core' router to your associated wireless networks. Static or OSPF are probably your best options.

Thom
 
cmon69

Wed Nov 21, 2007 4:10 pm

Thank you for replying galaxynet.

Last night I spent a lot of time playing with it and finally got it to work for the AP the same as it does with the PC, but as you pointed out “everything your 'core' router sees only comes from one IP address”. This is still the case! I can set it to either use DSL or T1, but not the client IP’s associated to AP.

“So - what you'll have to do is introduce some routing in to your 'core' router to your associated wireless networks. Static or OSPF are probably your best options.”

Unfortunately the AP has StarOS on it, and I’m not sure how to set up Static or OSPF on it yet, but will figure it out! Or I will just wait until I have switched out that AP with a RB532a.
I wish I had heard about MikroTik before I bought that @#$% StarOS AP. I have nine towers and I have switched out all but three with RB532a’s. I LOVE MIKROTIK, since I have tried it I can’t imagine how I got along without it. It’s a bit of a learning curve but well worth it!

So I have decided that I will create a step by step guide “MikroTiK Load Balancing For Dummies Setup Sheet”. Maybe it will help others out in the future, and I can learn a few things myself!
Last edited by cmon69 on Wed Nov 21, 2007 4:37 pm, edited 1 time in total.
 
galaxynet

Wed Nov 21, 2007 4:34 pm

Chris -
I have not used StarOS in a long, long, time but I do remember that it can do routing.... Might be worth looking at their forum to see if you can 'divine' how to do that..... :)


Thom
 
cmon69

Wed Nov 21, 2007 4:48 pm

galaxynet

I think I would rather pull all my teeth out with a rusty pliers, I think I will just rush to switch it out with a RB532a!
 
cmon69

Wed Nov 21, 2007 4:55 pm

I wonder if anyone would object to my posting my document on load balancing to the forum. Even though it is a work in progress it might help others new to MikroTiK!
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Wed Nov 21, 2007 7:31 pm

“Unfortunately The AP has StarOS on it, and I’m not sure how to set up Static or OSPF on it yet, but will figure it out!”

Manual is your friend :)

Chapter 5
http://www.star-os.com/documentation/Lu ... _Guide.pdf

I have never used StarOS, but even for me it was clear how to set up routing on it.
 
cmon69

Wed Nov 21, 2007 8:38 pm

I noticed that the PDF is for V3. I am still on (v2.11.1 Build 4788). I wonder if I will run into any differences. Since I will be scrapping my AP with StarOS on it I'm not going to pay to upgrade to v3.

I will have to look through it to see if I can gain anything from it!

Thanks mrz
 
cmon69

Wed Nov 21, 2007 8:55 pm

I wonder if I bridge my wlan2 interface with the ether1 interface in my AP, if all my customers’ IP’s associated to wlan2 will be passed through ether1 interface without masquerading. Does this sound right?

I’m just guessing here but I think it’s ok to use bridging instead of routing if the interfaces are in the same unit.
I was told early on not to bridge only route, and that it would introduce problems later down the road, but in this case would it be ok?
 
mrz

Wed Nov 21, 2007 8:57 pm

If ether1 is public interface and if you have more than one client then you can't do that
 
cmon69

Wed Nov 21, 2007 10:07 pm

The ether1 interface on the AP has a private IP on it "192.168.200.6". This IP comes from the loadbalancer ether1 interface. I'm not sure about what you mean when you say if I have more than one client then I can't do it. I have two wlan cards set to AP. wlan1 has 68 CPEs associated to it and wlan2 has just one (my personal CPE).
 
galaxynet

Wed Nov 21, 2007 10:37 pm

cmon69 -
Whoever told you to go routed and not bridged was right.... Now don't get me wrong here, bridging does have its place, but it's not what you need right now. Bridging the ethernet port with your wlan won't really do the trick for you - there is a lot more to it than that.

If you did bridge them then you need to put routes in the MT reflecting what network goes where...and not having used the StarOS for a long time now - I am not sure how good their 'bridge' actually works....it used to have severe limitations. Next you'd then have to add the src-nat rules and of course you actually have two Wlans so it is hard to tell how StarOS will react to that. Don't forget DNS, and will the StarOS platform hand out IPs or are they all static? Lots and lots of questions....

Swap out would be your best bet!

Thom
 
cmon69

Thu Nov 22, 2007 5:16 am

Galaxynet

The more I read the v3 StarOS manual the more I started to come to the same conclusions that you just pointed out. To answer your question, I have everything set up to use static IP’s. The only thing that might not be considered static by some is the fact that I use DHCP in the StarOS AP, but even then I have it set up to hand out the same IP to the same customer router or PC every time. All CPE’s have a static IP. Earlier you suggested using either Static or OSPF. I think you’re absolutely right here; my only question would be the difference between the two? It sounds like with one you add the routes yourself “Static” and the other does it automatically “OSPF”. But basically they do the same thing. Am I wrong?
 
galaxynet

Thu Nov 22, 2007 1:45 pm

Chris -
No, you are right, one mode - OSPF - is more or less 'automatic' and then there is just 'static'. In my smaller networks I use static, in some of the larger more complex ones I use OSPF. OSPF is relatively new to me - only a few years - but I had used RIP and BGP in the past so the leap wasn't too bad. But to use routing one has to be able to wrap their mind around the concept the first time then it all starts to fall in place.

So what are you going to do? Swap it out or try bridging the StarOS box and then using the MT to route data back to the bridge as necessary? The StarOS will still be handing out DHCP leases so keep that in mind in case you have anything connected to your ethernet that could possibly pick up an address from it.

Here is a little 'ditty' I give everyone who asks me about routing....
There is about a 15 page document on routing, let me boil it down for you.....

Routing - a router asks one question: Do I know where this data packet goes (do I have a static / bgp / ospf route or am I directly connected to this network)? If the answer is 'yes' then send that data packet to that place (could be another router or the actual destination); if the answer is 'no', then send that packet to my default gateway, it (the default gateway) is supposed to know what to do with it...

Sound simple enough? That's all there is to routing.....

Thom
 
cmon69

Thu Nov 22, 2007 4:29 pm

I guess I’m going to stick to static routes unless it would require me to have a rule for every individual customer connected to AP. In that case I just might want to learn how to set up OSPF. I have tried reading up on OSPF but my head starts spinning, I wish there was an easy to follow instruction sheet for setup. I think that I will have to just take my time and re-read it over and over till it starts making sense.
 
galaxynet

Fri Nov 23, 2007 11:46 pm

Chris -
Yes you can use static and it won't require you to give a route to each individual client. I will assume here that your clients are connected to APs and that the AP and client have the same Wireless network address? That being the case, what I do is every client has a LAN IP in the range of 192.168.5.0/24 (client side LAN only - they get all 253 addresses). There is a NAT rule in the firewall - nat 192.168.5.0/24 to WLAN IP (whatever that is on that network). With me so far? OK, now for argument's sake let's say this particular WLAN network has a network address of 172.25.10.0/24.

Right now we know two things - the client, when accessing the Internet, will appear to our core router and AP2 as having an IP address in the range of 172.25.10.x/24. The client's private IP of 192.168.5.x/24 is src-nat'ed by the CPE at the client's location.

We also know where AP2, which serves that address block (172.25.10.0/24), is located - let us say the LAN IP of that AP2 is 10.1.5.16/24 and our core router has an IP of 10.1.5.1/24.

Ok - so what we tell our core router is to route any packets destined for 172.25.10.0/24 to the LAN IP of AP2 - 10.1.5.16 (this is called the gateway). We will probably also tell our core router to either masquerade or src-nat our AP/Client wireless IP block - like this chain=srcnat src-address=172.25.10.0/24 action=masquerade - so it will have a valid IP address to reach the Internet with.

As a note - I use 192.168.5.0/24 on every client side for two reasons - 1) My techs have a starting point when they are troubleshooting any client issues over the phone. 2) If a client sticks a 'user' router on their own network - most popular consumer grade router/gateways/AP use 192.168.0.0/24, or 192.168.1.0/24 or 192.168.254.0/24 as their LAN IP address - no interference when we NAT in the CPE.....

Hope this makes sense to you Chris....

Thom
 
cmon69

Sat Nov 24, 2007 1:15 am

Galaxynet

Last night I tried to get OSPF to work but the StarOS AP wasn’t having any part of it. Since I will be replacing it as soon as I can, I decided to take a second look at static routing!

(I will assume here that your clients are connected to APs and that the AP and client have the same Wireless network address?)

The StarOS AP actually has only 8 clients “CPE’s” associated to it. I have an additional 7 AP’s associated to the StarOS AP. Six of those AP’s do their own routing on the wan “AP” side.

I was able to get everything working “I think” last night. It dawned on me that in order for clients associated to the AP’s that are getting their feed from the StarOS AP, I had to have their IP subnets added to the StarOS AP’s static route table otherwise clients on those AP could not get internet. So I took that reasoning and applied it to this situation. I took the subnets that are assigned to the StarOS AP’s wan interfaces, and added them to the RB532a load balancer’s route list, then removed masquerading rule for those subnets from the StarOS’s Nat/Static Nat table, and voilà it started working.

Was this forum down today? I tried to reach it several times but all I got was Page could not be displayed.
 
cmon69

Sat Nov 24, 2007 3:14 am

Ah, ….. Just found out that it’s only working for clients associated to the StarOS AP, and not for the clients associated to the other AP’s that are associated to the StarOS AP. I’m guessing that I will have to add their routes to the RB532a load balancer as well! I just have to wonder if I do that if I will have to remove their masquerade entries in the StarOS AP, under NAT/Static Nat, and what effect that will have. Well I guess there’s only one way to find out! .......... Well that didn’t work! ...... try try try again ..

“RB532a Load Balancer”

ether1 to switch - ether1 assigned static private IP (192.168.200.1)
ether2 to T1 Router - ether2 assigned static public IP (xx.xx.xx.xx)
ether3 to DSL Router - ether3 assigned static private IP (192.168.0.2)

“Switch”

Port 1 to StarOS AP ether1 assigned static IP from Load balancer ether1 (192.168.200.6)
Port 2 to PC ether1 assigned static IP from Load balancer ether1 (192.168.200.7) Load Balancing Working!

“StarOS AP” attached to switch
ether1 assigned static IP from Load balancer ether1 (192.168.200.6)
wlan1 assigned IP range 10.1.3.0/24 – Subnet used for Customer PC’s or Router’s only - masqueraded to ether1 (7 CPE’s) Load Balancing Working
10.1.5.0/24 – Subnet used for CPE’s only - masqueraded to ether1
10.1.6.0/24 – Subnet used for AP’s only - masqueraded to ether1
(7 AP’s) Load Balancing NOT Working
wlan2 assigned IP range 10.2.3.0/24 – masqueraded to ether1 (1 CPE) Load Balancing Working!
10.2.5.0/24 – NOT USED

"PC" attached to switch
ether1 assigned static IP (192.168.200.7) Load Balancing Working!


AP1 - RB532a
BUSCHO SILO

Ether1 – NOT FOR POE ONLY 192.168.100.1
Ether2 - NOT USED
Ether3 - NOT USED
Wlan1 – Station 10.1.6.22 static IP from StarOS AP wlan1
Wlan2 - AP Bridge 10.20.0.0/24 subnet for customer computer's or router's only
10.21.0.0/24 subnet for customer Radios "CPE's" only

AP2 – RB532a
HARGUTH SILO

Ether1 – NOT FOR POE ONLY 192.168.100.1
Ether2 - NOT USED
Ether3 - NOT USED
Wlan1 – Station 10.1.6.17 static IP from StarOS AP wlan1
Wlan2 - AP Bridge 10.10.0.0/24 subnet for customer computer's or router's only
10.11.0.0/24 subnet for customer Radios "CPE's" only

AP3 – RB532a
SINGLESTAD ELEVATOR

Ether1 – NOT FOR POE ONLY 192.168.100.1
Ether2 - NOT USED
Ether3 - NOT USED
Wlan1 – Station 10.1.6.18 static IP from StarOS AP wlan1
Wlan2 - AP Bridge 10.12.0.0/24 subnet for customer computer's or router's only
10.13.0.0/24 subnet for customer Radios "CPE's" only

AP4 – RB532a
FAIRGROUNDS TOWER

Ether1 – NOT FOR POE ONLY 192.168.100.1
Ether2 - NOT USED
Ether3 - NOT USED
Wlan1 – Station 10.1.6.19 static IP from StarOS AP wlan1
Wlan2 - AP Bridge 10.14.0.0/24 subnet for customer computer's or router's only
10.15.0.0/24 subnet for customer Radios "CPE's" only


AP5 – RB532a
HALEY ELEVATOR

Ether1 – NOT FOR POE ONLY 192.168.100.1
Ether2 - NOT USED
Ether3 - NOT USED
Wlan1 – Station 10.1.6.20 static IP from StarOS AP wlan1
Wlan2 - AP Bridge 10.16.0.0/24 subnet for customer computer's or router's only
10.17.0.0/24 subnet for customer Radios "CPE's" only


AP6 – RB532a
BRASE SILO

Ether1 – NOT FOR POE ONLY 192.168.100.1
Ether2 - NOT USED
Ether3 - NOT USED
Wlan1 – Station 10.1.6.21 static IP from StarOS AP wlan1
Wlan2 - AP Bridge 10.18.0.0/24 subnet for customer computer's or router's only
10.19.0.0/24 subnet for customer Radios "CPE's" only
 
galaxynet

Sat Nov 24, 2007 4:08 pm

Chris -
Let's just take AP1 and I'll walk you through it - the rest should be the same or very similar....
AP1 - RB532a
BUSCHO SILO

Ether1 – NOT FOR POE ONLY 192.168.100.1
Ether2 - NOT USED
Ether3 - NOT USED
Wlan1 – Station 10.1.6.22 static IP from StarOS AP wlan1
Wlan2 - AP Bridge 10.20.0.0/24 subnet for customer computer's or router's only
10.21.0.0/24 subnet for customer Radios "CPE's" only
So to do this you'll have to go back to routed at the main StarOS AP.
Looks like you have two networks out there - command and control for CPEs and Client systems 'behind' the CPEs.

I take it, looking at this setup, that the client systems are bridged through the CPEs to the AP - is that correct? That being the case - first thing I'd suggest you do is NAT client computers or whatever is connected to the LAN side of your CPEs. You can use either masq or 'regular' src-nat - your choice. If you'd rather not do that then it is still possible to do what you want - it will take adding more routes though...

Whichever you do - In your main AP, the StarOS AP, add route 10.21.0.0/24 the gateway is 10.1.6.22 (WLan side of AP1). If you did not NAT the client systems at the CPE then also add route 10.20.0.0/24 gateway 10.1.6.22

In your Loadbalancer, add routes to 10.21.0.0/24 this gateway is the StarOS AP ether1, 192.168.200.6 again, if you did not NAT your clients behind the CPEs then also add 10.20.0.0/24 - gateway 192.168.200.6

Now - we have the routes to the clients and their CPEs from the Loadbalancer through the StarOS AP, through/to AP1, right out to the CPE / Client systems. Here, depending on how you've done everything, you'll need to add those networks 10.21.0.0/24 and if you did not NAT at the CPEs then 10.20.0.0/24, to your NAT'ing scheme, whether it be by address lists or whatever, you need to NAT/Masq these networks as they leave your Loadbalancer to go to the Internet.

That about covers it. You should be able to use the above example to setup routing for your entire network...

Thom
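
An added example, not part of the original posts: a small Python model of the topology discussed in this thread, showing what source address the load balancer sees when the StarOS AP masquerades versus routes, and where return traffic goes with and without the static routes described above. The address-list membership and the two customer addresses are constructed for illustration; the interface addresses are the ones given in the thread.

```python
import ipaddress

# Addresses taken from the thread.
AP_ETHER1 = "192.168.200.6"    # StarOS AP ether1
AP1_WLAN1 = "10.1.6.22"        # AP1 (BUSCHO SILO) station address

# Constructed sample data: which sources were placed in which address list.
ADDRESS_LISTS = {
    "T1-Static": ["192.168.200.6/32", "10.20.0.10/32"],
    "DSL-Static": ["192.168.200.7/32", "10.20.0.11/32"],
}


def source_seen_by_core(client_ip, ap_masq_nets):
    """Source address the load balancer sees after the packet crosses the AP."""
    addr = ipaddress.ip_address(client_ip)
    for net in ap_masq_nets:
        if addr in ipaddress.ip_network(net):
            # Masquerade rewrites the source to the AP's outgoing interface address.
            return AP_ETHER1
    return client_ip


def pick_uplink(src_ip, address_lists=ADDRESS_LISTS):
    """Name of the first address list containing src_ip, or None if unlisted."""
    addr = ipaddress.ip_address(src_ip)
    for list_name, members in address_lists.items():
        if any(addr in ipaddress.ip_network(m) for m in members):
            return list_name
    return None


def outbound(client_ip, ap_masq_nets):
    """(source seen by the core, address list that source matches)."""
    seen = source_seen_by_core(client_ip, ap_masq_nets)
    return seen, pick_uplink(seen)


def next_hop(dst_ip, routes, default_gw):
    """Longest-prefix match over (prefix, gateway) pairs, else the default gateway."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else default_gw


if __name__ == "__main__":
    clients = ["10.20.0.10", "10.20.0.11"]  # constructed customers behind AP1
    masq_rules = ["10.20.0.0/24", "10.21.0.0/24"]
    for label, rules in (("AP masquerades", masq_rules), ("AP routes", [])):
        for client in clients:
            print(label, client, "->", outbound(client, rules))

    # Return path: static routes as described in the walkthrough.
    core_routes = [("10.20.0.0/24", AP_ETHER1), ("10.21.0.0/24", AP_ETHER1)]
    ap_routes = [("10.20.0.0/24", AP1_WLAN1), ("10.21.0.0/24", AP1_WLAN1)]
    print("core ->", next_hop("10.20.0.11", core_routes, "default-gw"))
    print("StarOS AP ->", next_hop("10.20.0.11", ap_routes, "192.168.200.1"))
    print("core without routes ->", next_hop("10.20.0.11", [], "default-gw"))
```

With masquerading on the AP every customer collapses to 192.168.200.6, so per-customer address lists on the load balancer never match; the same collapse also means the load balancer's logs and firewall rules cannot tell one customer from another.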
 
cmon69

Sat Nov 24, 2007 9:21 pm

galaxynet,

Thank you for taking so much time helping me with this!

(So to do this you'll have to go back to routed at the main StarOS AP.
Looks like you have two networks out there - command and control for CPEs and Client systems 'behind' the CPEs)

YES


(I take it, looking at this setup, that the client systems are bridged through the CPEs to the AP - is that correct?)

YES


(first thing I'd suggest you do is NAT client computers or whatever is connected to the LAN side of your CPEs.)

I can’t do that because most of the customers have Lucent Ethernet Converters for CPE’s. These are just a simple bridging unit.


(StarOS AP, add route 10.21.0.0/24 the gateway is 10.1.6.22 (WLan side of AP1). If you did not NAT the client systems at the CPE then also add route 10.20.0.0/24 gateway 10.1.6.22)

This is already in the StarOS AP otherwise I would not be able to reach the CPE, and the customers would not be able to reach the internet.


(In your Loadbalancer, add routes to 10.21.0.0/24 this gateway is the StarOS AP ether1, 192.168.200.6 again, if you did not NAT your clients behind the CPEs then also add 10.20.0.0/24 - gateway 192.168.200.6)

Like this?
/ ip route
add dst-address=10.21.0.0/24 gateway=192.168.200.6 scope=255 target-scope=10 comment="BUSCHO Silo wlan2 IP's \"Customer PC's Router's\"" disabled=no

add dst-address=10.20.0.0/24 gateway=192.168.200.6 scope=255 target-scope=10 comment="BUSCHO Silo wlan2 IP's \"CPE's\"" disabled=no


(you'll need to add those networks 10.21.0.0/24 and if you did not NAT at the CPEs then 10.20.0.0/24, to your NAT'ing scheme, whether it be by address lists or whatever, you need to NAT/Masq these networks as they leave your Loadbalancer to go to the Internet.)

Like this?
/ ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.20.0.0/24 comment="" disabled=no
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.21.0.0/24 comment="" disabled=no

Could I put in a rule that would cover all the subnets on all the AP's?
like this
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.0.0.0/24 comment="Catch All" disabled=no

Should I remove the masquerade rules for that AP, in the StarOS AP? Otherwise won't the loadbalancer only see the ether1 interface IP of the StarOS AP because it is masquerading the 10.20.0.0/24 & 10.21.0.0/24?

masquerade rules in the StarOS AP (Should I remove these?)

masq from 10.20.0.0/24 to dev $net # PC's & Router's
masq from 10.21.0.0/24 to dev $net # CPE's
 
galaxynet

Sat Nov 24, 2007 11:48 pm

Chris -
(In your Loadbalancer, add routes to 10.21.0.0/24 this gateway is the StarOS AP ether1, 192.168.200.6 again, if you did not NAT your clients behind the CPEs then also add 10.20.0.0/24 - gateway 192.168.200.6)

Like this?
/ ip route
add dst-address=10.21.0.0/24 gateway=192.168.200.6 scope=255 target-scope=10 comment="BUSCHO Silo wlan2 IP's \"Customer PC's Router's\"" disabled=no

add dst-address=10.20.0.0/24 gateway=192.168.200.6 scope=255 target-scope=10 comment="BUSCHO Silo wlan2 IP's \"CPE's\"" disabled=no

Yes

(you'll need to add those networks 10.21.0.0/24 and if you did not NAT at the CPEs then 10.20.0.0/24, to your NAT'ing scheme, whether it be by address lists or whatever, you need to NAT/Masq these networks as they leave your Loadbalancer to go to the Internet.)

Like this?
/ ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.20.0.0/24 comment="" disabled=no
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.21.0.0/24 comment="" disabled=no
No - masquerade is for when the data packet goes out to the Internet - you have two gateways and a load balancing setup...you need to src-nat (not masq) based on your loadbalancing scheme. If you implemented loadbalancing correctly then you should just have to make sure that your src-IPs are allowed in your firewall - everything else should be a go. I am basing this on your earlier post that had loadbalancer where ether 1 was connected to the StarOS via a switch and ether 2 & 3 were your Internet lines (dsl & T1).

Should I remove the masquerade rules for that AP, in the StarOS AP? Otherwise won't the loadbalancer only see the ether1 interface IP of the StarOS AP because it is masquerading the 10.20.0.0/24 & 10.21.0.0/24?

masquerade rules in the StarOS AP (Should I remove these?)

masq from 10.20.0.0/24 to dev $net # PC's & Router's
masq from 10.21.0.0/24 to dev $net # CPE's
Yes - sorry I assumed you would understand that on what I said about removing the masq rules in the StarOS.

Could I put in a rule that would cover all the subnets on all the AP's?
like this
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.0.0.0/24 comment="Catch All" disabled=no

You could if you had your subnets grouped like this 10.20.0.0/23 This equates to all addresses between 10.20.0.0 (network address) and 10.20.255.255 (broadcast address). So you could use 10.20.0.1 - 10.20.255.254 The networks you have are too dispersed to group together this way. Solution is either re-number everything (not likely!) or just do a class 'C' at a time 10.20.0.0/24 (the /24 = a class 'C'). Be sure to comment entries like this if you have to make any = that way you know where they are from or going to....

You actually shouldn't have to because your loadbalancer setup should take care of this as long as it is set up correctly and allows the IP addresses from your CPEs and Clients.

Thom
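
An added example, not part of the original posts: a Python check of which of the customer subnets listed in this thread a single src-address prefix would match, and the smallest single prefix that contains all of them. The subnet list is taken from the AP1 to AP6 listing earlier in the thread; the function names are this example's own.

```python
import ipaddress

# /24 subnets listed in the thread for AP1..AP6 (Wlan2 side).
AP_SUBNETS = [
    "10.10.0.0/24", "10.11.0.0/24", "10.12.0.0/24", "10.13.0.0/24",
    "10.14.0.0/24", "10.15.0.0/24", "10.16.0.0/24", "10.17.0.0/24",
    "10.18.0.0/24", "10.19.0.0/24", "10.20.0.0/24", "10.21.0.0/24",
]


def covered(rule, subnets=AP_SUBNETS):
    """Subnets that fall entirely inside the rule's src-address prefix."""
    rule_net = ipaddress.ip_network(rule)
    return [s for s in subnets if ipaddress.ip_network(s).subnet_of(rule_net)]


def address_span(prefix):
    """First and last address of a prefix (network and broadcast address)."""
    net = ipaddress.ip_network(prefix)
    return str(net.network_address), str(net.broadcast_address)


def aggregated(subnets=AP_SUBNETS):
    """Merge adjacent prefixes where possible; unchanged if none are adjacent."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_supernet(subnets=AP_SUBNETS):
    """Shortest-reaching single prefix that contains every listed subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit at a time
    return candidate


def unassigned_addresses(rule, subnets=AP_SUBNETS):
    """Addresses the rule would match that belong to none of the listed subnets."""
    rule_net = ipaddress.ip_network(rule)
    used = sum(ipaddress.ip_network(s).num_addresses for s in covered(rule, subnets))
    return rule_net.num_addresses - used


if __name__ == "__main__":
    for rule in ("10.0.0.0/24", "10.20.0.0/23", "10.20.0.0/24"):
        print(rule, address_span(rule), "covers", covered(rule))
    print("after aggregation:", len(aggregated()), "prefixes")
    catch_all = smallest_supernet()
    print("smallest single prefix:", catch_all, address_span(str(catch_all)))
    print("addresses matched but not assigned:", unassigned_addresses(str(catch_all)))
```

A single prefix wide enough to cover all twelve subnets also matches a very large block of addresses nobody has been assigned, so a NAT or firewall rule written that way will accept sources that per-subnet rules would not.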
 
cmon69

Sun Nov 25, 2007 3:27 am

galaxynet

One last thing! You stated that the following was not correct. Do you think what I have at the bottom is right?

Like this?
/ ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.20.0.0/24 comment="" disabled=no
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.21.0.0/24 comment="" disabled=no

(No - masquerade is for when the data packet goes out to the Internet - you have two gateways and a load balancing setup...you need to src-nat (not masq) based on your loadbalancing scheme. If you implemented loadbalancing correctly then you should just have to make sure that your src-IPs are allowed in your firewall - everything else should be a go. I am basing this on your earlier post that had loadbalancer where ether 1 was connected to the StarOS via a switch and ether 2 & 3 were your Internet lines (dsl & T1).)

Does this look correct? or should I use some other action?

add chain=srcnat action=src-nat to-addresses=0.0.0.0 to-ports=0-65535 out-interface=ether1 src-address=10.20.0.0/24 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=0.0.0.0 to-ports=0-65535 out-interface=ether1 src-address=10.21.0.0/24 comment="" disabled=no

Thanks
 
cmon69

Sun Nov 25, 2007 7:39 am

Galaxynet

I added the following script to my nat but don’t see any traffic hitting it, the good news is I am able to balance all my customers. I’m guessing that I don’t need the following rules in nat. I might have a rule in there that is already covering it.

add chain=srcnat action=src-nat to-addresses=0.0.0.0 to-ports=0-65535 out-interface=ether1 src-address=10.20.0.0/24 comment="" disabled=no
add chain=srcnat action=src-nat to-addresses=0.0.0.0 to-ports=0-65535 out-interface=ether1 src-address=10.21.0.0/24 comment="" disabled=no

Thank you for all your help!
Well it’s on to the next project for me!

I would like to find out if I can attach a 7200RPM 200GB 2.5" SATA hard drive to my loadbalancer to do web proxy? And if I can’t I would like to find out what I can do!

Thanks again for all your help!
 
galaxynet

Sun Nov 25, 2007 1:43 pm

cmon69 -
Well I am glad to see that your loadbalancer was set up correctly and you didn't need the extra rules - ok!

Web proxy or IP proxy..... Here I go, on my soap box again.... :)

Use a smaller cheaper drive to try this out - web proxy. We did use this feature quite a bit just a few years ago...both in MT and Squid (squid worked better - longer). The issue today is so many web pages are 'dynamic' that using a proxy yields minimal results. Proxies don't cache dynamic pages.....because they are dynamic...........

So, as I first said, use something small & cheap and see if you can gain anything out of it.... We still use web or IP proxy out in the far and middle areas from the main feeds, but I can tell you as the routers are upgraded we are not adding the proxy back to them. If they break - we are not putting any proxy back in. We just don't see much of a benefit.

None of this is with ROS 3.X - once that is stable we may try again and see how it works - but for now, no proxy.

Just a little insight from a user like yourself.

Thom
 
cmon69

Sun Nov 25, 2007 4:48 pm

Can it be done with a RB532a or will I have to build a machine to do it?
 
galaxynet

Sun Nov 25, 2007 5:10 pm

cmon69 -
Isn't there an IDE header on the 532A? You could use that with a cheap IDE drive...power supply would be the obstacle.

If you are going to use SATA - you will have to use ROS 3.X on a 'regular' PC type platform.

Thom
 
cmon69

Sun Nov 25, 2007 6:17 pm

Galaxynet

I guess I’ll stay away from web proxy for awhile! Your post gave me something to think about. The problem with 'dynamic' web pages among other things!
