Community discussions

elpek
just joined
Topic Author
Posts: 2
Joined: Mon Feb 18, 2013 10:13 am

Simple load balancing strategy (second link ain't working)

Thu Feb 28, 2013 7:18 pm

Hello!

My company wants me to configure an RB1100AH router, which is the first MT device I have ever used. What we need is a simple load balancing strategy over two equal-speed WAN links. I googled to death and this forum became like a second home for me, but I still have a minor problem which is hard to spot. Both links are up and running and reachable from the Internet, and so are the forwarded ports; traffic from the local network, however, keeps going through the ISP1 link only. The ISP2 link becomes active only when the first one gets disconnected. Could you guys (and possibly gals) take a quick look at my current configuration and tell me what I am doing wrong? My rough guess is that there is some problem with my mangle rules ... am I right? Any help would be greatly appreciated.
/ip firewall export compact

/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=input comment=UDP protocol=udp
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=drop chain=input comment="DROP PING REPLY" protocol=icmp src-address=!192.168.8.0/24
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=drop chain=input comment="Drop port scanners" src-address-list="port scanners"
add action=drop chain=input comment="Drop ssh brute forcers" dst-port=222 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=3d chain=input connection-state=new dst-port=222 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=222 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=222 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=222 protocol=tcp
add action=drop chain=forward comment="Drop ssh brute downstream" dst-port=222 protocol=tcp src-address-list=ssh_blacklist

/ip firewall mangle
add action=mark-connection chain=input comment="IN:isp1, OUT:isp1" in-interface=isp1 new-connection-mark=isp1_connection
add action=mark-routing chain=output comment="IN:isp1, OUT:isp1" connection-mark=isp1_connection new-routing-mark=isp1_traffic passthrough=no
add action=mark-connection chain=input comment="IN:isp2, OUT:isp2" in-interface=isp2 new-connection-mark=isp2_connection
add action=mark-routing chain=output comment="IN:isp2, OUT:isp2" connection-mark=isp2_connection new-routing-mark=isp2_traffic passthrough=no
add action=mark-connection chain=forward comment="PFW:isp1, OUT:isp1" connection-state=new in-interface=isp1 new-connection-mark=isp1_pforward passthrough=no
add action=mark-routing chain=prerouting comment="PFW:isp1, OUT:isp1" connection-mark=isp1_pforward in-interface=local new-routing-mark=isp1_traffic passthrough=no
add action=mark-connection chain=forward comment="PFW:isp2, OUT:isp2" connection-state=new in-interface=isp2 new-connection-mark=isp2_pforward passthrough=no
add action=mark-routing chain=prerouting comment="PFW:isp2, OUT:isp2" connection-mark=isp2_pforward in-interface=local new-routing-mark=isp2_traffic passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=isp1
add action=masquerade chain=srcnat out-interface=isp2
add action=dst-nat chain=dstnat dst-port=8080 in-interface=isp1 protocol=tcp to-addresses=192.168.8.248 to-ports=80
add action=dst-nat chain=dstnat dst-port=8080 in-interface=isp2 protocol=tcp to-addresses=192.168.8.248 to-ports=80
add action=dst-nat chain=dstnat dst-port=8181 in-interface=isp1 protocol=tcp to-addresses=192.168.8.248 to-ports=81
add action=dst-nat chain=dstnat dst-port=8181 in-interface=isp2 protocol=tcp to-addresses=192.168.8.248 to-ports=81
add action=dst-nat chain=dstnat dst-port=10200 in-interface=isp1 protocol=tcp to-addresses=192.168.8.199 to-ports=10200
add action=dst-nat chain=dstnat dst-port=10200 in-interface=isp2 protocol=tcp to-addresses=192.168.8.199 to-ports=10200
add action=dst-nat chain=dstnat dst-port=10200 in-interface=isp1 protocol=udp to-addresses=192.168.8.199 to-ports=10200
add action=dst-nat chain=dstnat dst-port=10200 in-interface=isp2 protocol=udp to-addresses=192.168.8.199 to-ports=10200
 
dboillot
Member Candidate
Posts: 122
Joined: Thu May 06, 2010 12:04 am

Re: Simple load balancing strategy (second link ain't working)

Thu Feb 28, 2013 10:52 pm

If I may, you will need to use something like PCC, http://wiki.mikrotik.com/wiki/Manual:PCC

We used this on 4 DSL lines and 2 IPD lines, and it worked great. What it does is, depending on how you configure it, take either the packets or the entire connection and route them randomly over one or the other, and if one is dead, it routes all over the other. You may have this already set up; I didn't spend a lot of time trying to dissect your code. If you do, and it's not balancing, then you may have a setting issue somewhere.
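The PCC setup the reply points to, written out as an added example (it is not from the original post, the reply, or the MikroTik manual page linked above). The posted mangle rules only mark connections that arrived on isp1 or isp2, so replies to inbound traffic and to the port forwards leave on the link they came in on, but nothing classifies a new connection initiated from `local`; those get no routing mark, fall through to the main routing table, and follow its single active default route, which is ISP1. The rules below keep the WAN-inbound marks and add per-connection-classifier rules for LAN-originated traffic. The gateway addresses 10.1.1.1 and 10.2.2.1, the `LAN` address list and the v5/v6 syntax are assumptions (the OP did not post `/ip route`); the interface names and the 192.168.8.0/24 subnet are taken from the posted config, and the existing srcnat masquerade and dst-nat rules stay as they are.

```routeros
# Added example, not the OP's config. Assumed: ISP1 gateway 10.1.1.1, ISP2 gateway 10.2.2.1,
# LAN 192.168.8.0/24 on interface "local", WAN interfaces isp1/isp2, RouterOS v5/v6 syntax.

/ip firewall address-list
add list=LAN address=192.168.8.0/24

/ip firewall mangle
# 1. Anything that arrives on a WAN link is pinned to that link so replies go back the same way
#    (router-terminated traffic via input, forwarded/port-forwarded traffic via forward).
add chain=input in-interface=isp1 action=mark-connection new-connection-mark=isp1_connection
add chain=input in-interface=isp2 action=mark-connection new-connection-mark=isp2_connection
add chain=forward in-interface=isp1 connection-state=new action=mark-connection new-connection-mark=isp1_connection
add chain=forward in-interface=isp2 connection-state=new action=mark-connection new-connection-mark=isp2_connection

# 2. New connections from the LAN with no mark yet: classify once per connection.
#    dst-address-type=!local skips traffic to the router itself, dst-address-list=!LAN skips LAN-to-LAN.
#    both-addresses:2/0 and :2/1 hash src+dst address into two buckets, so every connection between a
#    given client and a given server always lands on the same WAN link.
add chain=prerouting in-interface=local connection-mark=no-mark dst-address-type=!local dst-address-list=!LAN \
    per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=isp1_connection passthrough=yes
add chain=prerouting in-interface=local connection-mark=no-mark dst-address-type=!local dst-address-list=!LAN \
    per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=isp2_connection passthrough=yes

# 3. Turn the connection mark into a routing mark for every packet of the flow
#    (prerouting for forwarded traffic, output for the router's own replies).
add chain=prerouting in-interface=local connection-mark=isp1_connection action=mark-routing new-routing-mark=isp1_traffic passthrough=no
add chain=prerouting in-interface=local connection-mark=isp2_connection action=mark-routing new-routing-mark=isp2_traffic passthrough=no
add chain=output connection-mark=isp1_connection action=mark-routing new-routing-mark=isp1_traffic passthrough=no
add chain=output connection-mark=isp2_connection action=mark-routing new-routing-mark=isp2_traffic passthrough=no

/ip route
# One default route per routing mark. check-gateway=ping deactivates the route when that ISP's
# gateway stops answering; a marked lookup that finds no active route falls back to the main table.
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=isp1_traffic check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=isp2_traffic check-gateway=ping
# Main table: ISP1 preferred, ISP2 as failover (this is also where unmarked traffic ends up).
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.1 distance=2 check-gateway=ping
```

To confirm it is actually splitting, open a few connections from a LAN host to different Internet hosts and run `/ip firewall connection print where connection-mark=isp2_connection`; if that list stays empty, the classifier rules are not being hit, usually because an earlier mangle rule with `passthrough=no` already matched or because `in-interface=local` does not match the real LAN interface name. Two caveats worth knowing before relying on this: PCC balances connections, not bandwidth, so a single large transfer still uses one link, and because the two WAN links present two different public addresses, any service that ties a session to the client's source address will behave as if two clients are connecting when the hash sends different destinations of the same site over different links (the `both-addresses` classifier limits, but does not eliminate, that effect).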
 
singh
Frequent Visitor
Posts: 72
Joined: Sat Apr 04, 2009 11:57 am

Re: Simple load balancing strategy (second link ain't working)

Fri Mar 01, 2013 10:40 am

Definitely PCC should sort you out. Works great for me.
