PCC Load Balance problem

tevolo · Mon Dec 06, 2010 9:28 pm

I tried to follow the PCC Load Balancing seen here: http://wiki.mikrotik.com/wiki/Manual:PCC.
The end setup worked for a little and wasn't really load balancing the connection, and it would disconnect local users from the internet every 15 minutes or so.
Anything missing in the configuration?

My setup:

/ ip address
LAN: 192.168.0.1/24 interface=ether1
WAN1: 111.111.111.111/24 interface=ether4
WAN2: 222.222.222.222/24 interface=ether5

/ ip firewall mangle
0 chain=input action=mark-connection new-connection-mark=OutWAN1 passthrough=no in-interface=ether4
1 chain=input action=mark-connection new-connection-mark=OutWAN2 passthrough=no in-interface=ether5
2 chain=output action=mark-routing new-routing-mark=InWAN1 passthrough=no connection-mark=OutWAN1
3 chain=output action=mark-routing new-routing-mark=InWAN2 passthrough=no connection-mark=OutWAN2
4 chain=prerouting action=accept dst-address=111.111.111.111/24 in-interface=ether1
5 chain=prerouting action=accept dst-address=222.222.222.222/24 in-interface=ether1
6 chain=prerouting action=mark-connection new-connection-mark=OutWAN1 passthrough=no dst-address-type=!local in-interface=ether1 per-connection-classifier=both-addresses:2/0
7 chain=prerouting action=mark-connection new-connection-mark=OutWAN2 passthrough=no dst-address-type=!local in-interface=ether1 per-connection-classifier=both-addresses:2/1
8 chain=prerouting action=mark-routing new-routing-mark=ToWAN1 passthrough=no in-interface=ether1 connection-mark=OutWAN1
9 chain=prerouting action=mark-routing new-routing-mark=ToWAN2 passthrough=no in-interface=ether1 connection-mark=OutWAN2

/ ip route
0 dst-address=0.0.0.0/0 gateway=111.111.111.1 gateway-status=111.111.111.1 unreachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=InWAN1
1 dst-address=0.0.0.0/0 gateway=222.222.222.1 gateway-status=222.222.222.1 unreachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=InWAN2
2 dst-address=0.0.0.0/0 gateway=222.222.222.1 gateway-status=222.222.222.1 unreachable check-gateway=ping distance=1 scope=30 target-scope=10
3 dst-address=0.0.0.0/0 gateway=111.111.111.1 gateway-status=111.111.111.1 unreachable check-gateway=ping distance=2 scope=30 target-scope=10
4 dst-address=222.222.222.0/24 pref-src=222.222.222.222 gateway=ether5 gateway-status=ether5 unreachable distance=0 scope=200
5 dst-address=111.111.111.0/24 pref-src=111.111.111.111 gateway=ether1

/ ip firewall nat
0 chain=srcnat action=masquerade src-address=192.168.0.0/24
1 chain=srcnat action=masquerade out-interface=ether5
2 chain=srcnat action=masquerade out-interface=ether4

Any help would be great. Thanks.

fewi · Mon Dec 06, 2010 9:49 pm

Your marks are all mixed up. Here's what you have:

/ ip firewall mangle
0 chain=input action=mark-connection new-connection-mark=OutWAN1 passthrough=no in-interface=ether4 
1 chain=input action=mark-connection new-connection-mark=OutWAN2 passthrough=no in-interface=ether5

Apply connection marks of 'OutWAN1' and 'OutWAN2' based on interface for traffic coming into the router.

2 chain=output action=mark-routing new-routing-mark=InWAN1 passthrough=no connection-mark=OutWAN1 
3 chain=output action=mark-routing new-routing-mark=InWAN2 passthrough=no connection-mark=OutWAN2

Based on the connection marks, apply routing marks of 'InWAN1' and 'InWAN2'. While syntactically correct that makes little sense logically - routing marks should refer to the OUTBOUND direction, so your use of connection and routing marks is - logically - the wrong way.

6 chain=prerouting action=mark-connection new-connection-mark=OutWAN1 passthrough=no dst-address-type=!local in-interface=ether1 per-connection-classifier=both-addresses:2/0
7 chain=prerouting action=mark-connection new-connection-mark=OutWAN2 passthrough=no dst-address-type=!local in-interface=ether1 per-connection-classifier=both-addresses:2/1

Apply connection marks of 'OutWAN1' and 'OutWAN2' to traffic going through the router based on PCC.

8 chain=prerouting action=mark-routing new-routing-mark=ToWAN1 passthrough=no in-interface=ether1 connection-mark=OutWAN1
9 chain=prerouting action=mark-routing new-routing-mark=ToWAN2 passthrough=no in-interface=ether1 connection-mark=OutWAN2

Apply routing marks of 'ToWAN1' and 'ToWAN2' based on those connection marks. These routing marks are completely different from what you applied in the previous section for router owned traffic.

/ ip route
0 dst-address=0.0.0.0/0 gateway=111.111.111.1 gateway-status=111.111.111.1 unreachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=InWAN1
1 dst-address=0.0.0.0/0 gateway=222.222.222.1 gateway-status=222.222.222.1 unreachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=InWAN2

Routes for routing marks of 'InWAN1' and 'InWAN2', which AGAIN are completely different from the already inconsistent routing marks you set above. There are exactly 0 packets with those routing marks.

Replace all those routing and connection marks with just 'WAN1' and 'WAN2' to make them consistent. Leave of all the 'To', 'In' and 'Out' - or if you want them, make them consistent. Mark connections with a term, mark routing based on the connection marks and only use a total of two marks - one for each WAN link - and then install routes that fire on those two routing marks.

tevolo · Tue Dec 07, 2010 12:13 am

I think I just screwed up those marks when adding it to the forum. Basically it follows the Wiki step by step though I thought that article was confusing with so many different routing and connection marks.
Here is actual output from the router.

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=ether5 new-connection-mark=Out_Speakeasy passthrough=no
add action=mark-connection chain=input comment="" disabled=no in-interface=ether4 new-connection-mark=Out_Megapath passthrough=no
add action=mark-routing chain=output comment="" connection-mark=Out_Speakeasy disabled=no new-routing-mark=To_Speakeasy passthrough=no
add action=mark-routing chain=output comment="" connection-mark=Out_Megapath disabled=no new-routing-mark=To_Megapath passthrough=no
add action=accept chain=prerouting comment="" disabled=no dst-address=111.111.111.0/24 in-interface=ether1
add action=accept chain=prerouting comment="" disabled=no dst-address=222.222.222.0/24 in-interface=ether1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=Out_Speakeasy passthrough=no per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=Out_Megapath passthrough=no per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=Out_Speakeasy disabled=no in-interface=ether1 new-routing-mark=To_Speakeasy passthrough=no
add action=mark-routing chain=prerouting comment="" connection-mark=Out_Megapath disabled=no in-interface=ether1 new-routing-mark=To_Megapath passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether5
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether4

/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=To_Speakeasy scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=To_Megapath scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=222.222.222.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=111.111.111.1 scope=30 target-scope=10

fewi · Tue Dec 07, 2010 12:21 am

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=Out_Speakeasy passthrough=no per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=Out_Megapath passthrough=no per-connection-classifier=both-addresses:2/1

As per the wiki passthrough must be set to 'yes' for those two lines - otherwise you're only marking the connection and the packet doesn't fall through to get a routing mark.

tevolo · Wed Dec 08, 2010 5:38 pm

Unfortunately I don't have the proper testing equipment and scenarios to truly put the router to test, so I have review the scenario and then give it a try in a dual wan environment.

Are the rest of the settings correct to have a true load balanced router with two WAN connections?

What if I added load balancing based on port/serivce along with it? Using: http://wiki.mikrotik.com/wiki/Per-Traff ... _Balancing Would it interfere with the existing routing marks?

/ ip firewall mangle 
add chain=prerouting action=mark-routing new-routing-mark="SMTP traffic" passthrough=no dst-port=25 protocol=tcp comment="" disabled=no
/ip route
add dst-address=0.0.0.0/0 gateway=222.222.222.1 scope=255 target-scope=10 routing-mark="SMTP traffic" comment="" disabled=no

If gateway 222.222.222.1 failed at one point, would port 25 still go out the failover gateway?

Sorry for so many questions, but I'm unsure how Mikrotik handles certain priorities based on the existing routing marks and new ones.
Thanks.

tevolo · Fri Dec 10, 2010 8:59 pm

Any ideas? Would the above work?
Thanks.

fewi · Fri Dec 10, 2010 10:43 pm

Yes. If the gateway goes away (interface dies, or ping/ARP check depending on what you use fails) the route becomes invalid, doesn't match the packet, and the fallthrough route it used.

PCC Load Balance problem

PCC Load Balance problem

Re: PCC Load Balance problem

Re: PCC Load Balance problem

Re: PCC Load Balance problem

Re: PCC Load Balance problem

Re: PCC Load Balance problem

Re: PCC Load Balance problem

Who is online