Hello,
I´m using Router OS 2.9.17 as PPPoE Server with transparent Web-Proxy. All outgoing request to port 80 with source address of the Web-Proxy is mangled with a routing-mark "webtraffic". Behind this PPPoE-Server there are two ADSL-Lines.
Via Policy-Routing, I loadbalance alle Webtraffic to both ADSL-Lines. Everything seems to work very fine. But If I want to download files via http (> 5 MB), the transfer gets aborted after a short time.
If I do no loadbalancing, the transfer succeeds without any errors. Is this a bug in policy-routing or am I doing something wrong?
Thanks.
canram_de
Here are my tracking-configs:
----------------------------------------------
ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
udp-timeout: 10s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
tcp-syncookie: no
max-entries: 532800
total-entries: 9869
---------------------------------------------
I´m forcing all Proxy-Outgoing Traffic to two different gatways.
You´re right. I´m using ECMP.
Here´s my route-config.
-----------------
101 A S dst-address=0.0.0.0/0 gateway=10.22.0.1,10.22.0.2 check-gateway=arp interface=ether1 backbone gateway-state=reachable scope=255 target-scope=10 routing-mark=Web-Traffic
----------------
Are those informatio helpfull for you? If you need other informations, please let me know.
Thank so far.
canram
----------------------------------------------
ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
udp-timeout: 10s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
tcp-syncookie: no
max-entries: 532800
total-entries: 9869
---------------------------------------------
I´m forcing all Proxy-Outgoing Traffic to two different gatways.
You´re right. I´m using ECMP.
Here´s my route-config.
-----------------
101 A S dst-address=0.0.0.0/0 gateway=10.22.0.1,10.22.0.2 check-gateway=arp interface=ether1 backbone gateway-state=reachable scope=255 target-scope=10 routing-mark=Web-Traffic
----------------
Are those informatio helpfull for you? If you need other informations, please let me know.
Thank so far.
canram
ECMP download large files breaking
large download breaking for me too, tracking settings are:
enabled: yes
tcp-syn-sent-timeout: 10s
tcp-syn-received-timeout: 10s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 20s
tcp-close-wait-timeout: 20s
tcp-last-ack-timeout: 20s
tcp-time-wait-timeout: 20s
tcp-close-timeout: 20s
udp-timeout: 20s
udp-stream-timeout: 3m
icmp-timeout: 20s
generic-timeout: 10m
tcp-syncookie: no
max-entries: 552240
total-entries: 3259
enabled: yes
tcp-syn-sent-timeout: 10s
tcp-syn-received-timeout: 10s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 20s
tcp-close-wait-timeout: 20s
tcp-last-ack-timeout: 20s
tcp-time-wait-timeout: 20s
tcp-close-timeout: 20s
udp-timeout: 20s
udp-stream-timeout: 3m
icmp-timeout: 20s
generic-timeout: 10m
tcp-syncookie: no
max-entries: 552240
total-entries: 3259
I was discussing ECMP with some collegues and we are quite unsure if it would be reliable. Problems are known with HTTP and Instant Messenger-applications. One idea was if ECMP could be get to work on src-address only, these problems should disappear. i hadn't the time yet to test anything, but if someone has an idea...
There are a lot of ECMP-related threads in the forum, but i can't see any with a clear statement from MT, though.
Some "bonding" of cheap xDSL-lines becomes common now and a few competing vendors do offer it with their routers already.
There are a lot of ECMP-related threads in the forum, but i can't see any with a clear statement from MT, though.
Some "bonding" of cheap xDSL-lines becomes common now and a few competing vendors do offer it with their routers already.
If your not using NAT then ECMP works perfectly. We have 2 100mb pipes being ECMP'd for outbound traffic and never have issues. I think the problem is that ECMP can't match on a source if all the sources are the same, ie a natted address. I think you can fix the issue by using policy routing and 'same' nat action, i think ...
Sam
Sam
sounds good, i'm looking forward to it ;-)I actually do have an idea for some simple solution that is distributing users/traffic (only) according to source address...
but not the web-proxy on the MT itself, i'd guess?Yes you´re right, but how should I use policy routing, if my source-machine is a webproxy?
I spent about three months to get ECMP working with 8 DSL lines (NATted on the DSL modems) and MT as a web proxy. In the end, after many weeks of research and frustration and loosing quite a few customers, I abandoned the idea.
ECMP just simply doesn't seem to work properly for this application. I had it sort of working by source-routing certain protocols such as IM and SSH and so on but the ECMP on port 80 just kept on breaking which was a bit of a show stopper. There was no specific pattern or time when it would break but it always broke.
I even posted many times on this board specifying my configuration and hoping for a decent reply from Mikrotik. But nothing happened. Recently I attempted doing this differently but using mangle on the input chain and then trying to source route on the output chain...but this apparently this only works with connection marks in version 2.8 and you will see in version 2.9 that policy routing does not regonise connections marks but only routing marks. I still have to downgrade my router to test this theory.
Here is the recent post I made regarding this:
http://forum.mikrotik.com/viewtopic.php?t=7472
Here are some old posts:
http://forum.mikrotik.com/viewtopic.php ... light=ecmp
My advice is to stop using ECMP and rather use policy routing before you start loosing customers. And forget about using a proxy server unless you decide to only proxy one of your lines.
I think the Mikrotik guys just got sick of this issue and they aren't responding any more. Perhaps someone should bring this up at that conference their having in Dallas because there is a presentation on load balacing. Many people are actually trying to do this using multiple cheap DSL lines and bonding is not widely available yet.
ECMP just simply doesn't seem to work properly for this application. I had it sort of working by source-routing certain protocols such as IM and SSH and so on but the ECMP on port 80 just kept on breaking which was a bit of a show stopper. There was no specific pattern or time when it would break but it always broke.
I even posted many times on this board specifying my configuration and hoping for a decent reply from Mikrotik. But nothing happened. Recently I attempted doing this differently but using mangle on the input chain and then trying to source route on the output chain...but this apparently this only works with connection marks in version 2.8 and you will see in version 2.9 that policy routing does not regonise connections marks but only routing marks. I still have to downgrade my router to test this theory.
Here is the recent post I made regarding this:
http://forum.mikrotik.com/viewtopic.php?t=7472
Here are some old posts:
http://forum.mikrotik.com/viewtopic.php ... light=ecmp
My advice is to stop using ECMP and rather use policy routing before you start loosing customers. And forget about using a proxy server unless you decide to only proxy one of your lines.
I think the Mikrotik guys just got sick of this issue and they aren't responding any more. Perhaps someone should bring this up at that conference their having in Dallas because there is a presentation on load balacing. Many people are actually trying to do this using multiple cheap DSL lines and bonding is not widely available yet.
Well, if I knew for sure that MT had a solution to load balance two different lines from two different providers, I'd gladly go to Dallas to find out how. Of course, I have to suspect that if those features actualy worked, they'd answer any of the dozens of questions on here as to how. 
If you search for 'load balancing' or 'ecmp', there are many dozens of people who have spent many dozens of hours each, and as far as I know, NO ONE has it working the way we'd all like it to work. 
If you search for 'load balancing' or 'ecmp', there are many dozens of people who have spent many dozens of hours each, and as far as I know, NO ONE has it working the way we'd all like it to work. ECMP will load balance outbound traffic. If you use NAT and webproxy then you might have extra configuration. You might need policy routing. Policy routing is not as easy as it appears to be, you need routes for the local networks even. Also, multiple providers with different ip space? You have to deal with marking packets that you want to go back out the same interface they came in on.Well, if I knew for sure that MT had a solution to load balance two different lines from two different providers, I'd gladly go to Dallas to find out how.
We have it working just fine. We do not use web proxy however. If you have a specific problem or getting stuck post about it (with specifics).there are many dozens of people who have spent many dozens of hours each, and as far as I know, NO ONE has it working the way we'd all like it to work. :(
Sam
You are right the Mikrotik staff does not respond to questions about ECMP and load balancing. There is probably a reason for this but who knows.
changeip: Isn't the point to use a proxy?
Anyway I spent another couple of hours trying to get load balancing working using source routing and a transparent proxy. Of course I cannot do this using 2.9 because the policy routing does not recognise connection marks. So I used another 2.8 router:
1. dst-nat port 80 calls from certain source addresses to redirect to local proxy
2. mangle connection marks.
3. use policy routing to direct connection marks.
Does not work. Unfortunately.
changeip: Isn't the point to use a proxy?
Anyway I spent another couple of hours trying to get load balancing working using source routing and a transparent proxy. Of course I cannot do this using 2.9 because the policy routing does not recognise connection marks. So I used another 2.8 router:
1. dst-nat port 80 calls from certain source addresses to redirect to local proxy
2. mangle connection marks.
3. use policy routing to direct connection marks.
Does not work. Unfortunately.
Yes - they say there is ECMP routing as an option, and the manual says that this is a good solution because it's a ''per session'' round-robin balancing, so it does not suffer from the problems of per-packet balancing
It worked for us in 2.7, but after a year or so, our Cache drive was getting errors that resulted in having to clear & rebuild the cache once a week or so. We were advised to upgrade to 2.8.x and from that point, we can't get ECMP routing working with Transparent proxy any longer.
It worked for us in 2.7, but after a year or so, our Cache drive was getting errors that resulted in having to clear & rebuild the cache once a week or so. We were advised to upgrade to 2.8.x and from that point, we can't get ECMP routing working with Transparent proxy any longer.
I've also bashed my head trying to get LoadBalancing right, after attempts with my Mikrotik & Wingate proxy servers, I just purchased a DLink RV016 router. Can handle 7 Internet lines & works well, just plug and pray... (Excuse the mention of other brands here, but I'm just trying to help my 'buddies' )
Some issues with some (especially banking) websites that doesn't like the idea of one session using more than one IP, but I route through one line only when we encounter that. So it's not perfect either, but maybe MT guys can download the source from DLink website and get an idea to implement this easily..???
I also think it's the way (loadbalancing) many of us are going, trying to supply high-bandwidth at low cost...
)Some issues with some (especially banking) websites that doesn't like the idea of one session using more than one IP, but I route through one line only when we encounter that. So it's not perfect either, but maybe MT guys can download the source from DLink website and get an idea to implement this easily..???
I also think it's the way (loadbalancing) many of us are going, trying to supply high-bandwidth at low cost...
I'll be sure to check out the DLink router because I really need to have an alternative that can load balance over multiple lines and do proxy.
I think what must have happened with Mikrotik is they had an underlying change in the architecture of their product which caused this to stop working. So instead of facing up to their customers and telling them it's too hard to fix they are keeping silent. Damn shame. So 90s.
I think what must have happened with Mikrotik is they had an underlying change in the architecture of their product which caused this to stop working. So instead of facing up to their customers and telling them it's too hard to fix they are keeping silent. Damn shame. So 90s.
Alternative Solution ??
Hi
I am one of the others who have been struggling with load balancing for months, but without success. I did get the policy routing working on ver 2.8, but on 2.9 it was difficult, and I am not sure if it was working really well. (We had 2 ADSL Lines).
At the MUM in Prague someone suggested "Eddies Box" for bonding multiple adsl line. See http://www.freestuffjunction.co.uk/bondedcd.shtml.
I took the plunge a couple of weeks ago, and bingo, it works perfectly, and you get a Linux firewall thrown in (as well as a load of other stuff) and its cheap. My box is running two adsl lines, and has been up for 10 days so far with zero probs. Its easy to set up (if you read the documentation). I think the only thing to watch out for is that your adsl provider supports genuine MLPPP (RFC 1990) as per Eddies page. There are some in UK, but you have to look around.
The nice thing is, that to the MT box, the multiple adsl lines are just one big fat ethernet connection
I'm a great enthausiast of MT boxes, and dont like to mention another project on this forum, but the two boxes together have changed my life !!!
rgds
Jim Heck
I am one of the others who have been struggling with load balancing for months, but without success. I did get the policy routing working on ver 2.8, but on 2.9 it was difficult, and I am not sure if it was working really well. (We had 2 ADSL Lines).
At the MUM in Prague someone suggested "Eddies Box" for bonding multiple adsl line. See http://www.freestuffjunction.co.uk/bondedcd.shtml.
I took the plunge a couple of weeks ago, and bingo, it works perfectly, and you get a Linux firewall thrown in (as well as a load of other stuff) and its cheap. My box is running two adsl lines, and has been up for 10 days so far with zero probs. Its easy to set up (if you read the documentation). I think the only thing to watch out for is that your adsl provider supports genuine MLPPP (RFC 1990) as per Eddies page. There are some in UK, but you have to look around.
The nice thing is, that to the MT box, the multiple adsl lines are just one big fat ethernet connection
I'm a great enthausiast of MT boxes, and dont like to mention another project on this forum, but the two boxes together have changed my life !!!
rgds
Jim Heck
Working?
Eugene,
I didnt mean to say that it cannot be made to work, only that I could not get it to work on my box. I did have a session with MT support a couple of months ago (not on this forum) and sent them about 8 versions of rif files over a period of 2-3 months, but still no luck. I think that they and I just ran out of steam!! (energy).
I am not complaining. As I said, I am a great fan of MT. I think one of the advantages of the solution that I have hit on is that not only does it balance load TCP sessions, but also UDP. I dont think the MT load balancing over non MLPPP links does this. Am I correct in thinking this.
rgds
Jim Heck
I didnt mean to say that it cannot be made to work, only that I could not get it to work on my box. I did have a session with MT support a couple of months ago (not on this forum) and sent them about 8 versions of rif files over a period of 2-3 months, but still no luck. I think that they and I just ran out of steam!! (energy).
I am not complaining. As I said, I am a great fan of MT. I think one of the advantages of the solution that I have hit on is that not only does it balance load TCP sessions, but also UDP. I dont think the MT load balancing over non MLPPP links does this. Am I correct in thinking this.
rgds
Jim Heck
Edimax does not work for:
1) http://www.absadirect.co.za secure banking site
it keeps on prompting for you pin
2) MSN, ICQ (maybe)
Some banking sites do not like to have change source address changed ala ECMP.
if you do not require these sites you are ok, else you will have to keep on looking or source routing the problem areas
1) http://www.absadirect.co.za secure banking site
it keeps on prompting for you pin
2) MSN, ICQ (maybe)
Some banking sites do not like to have change source address changed ala ECMP.
if you do not require these sites you are ok, else you will have to keep on looking or source routing the problem areas
Can you post an example of your Policy routing configuration please.I would agree with change ip.
I spent ages trying to get that to work like you described using NAT I never succeded! I now use policy routing as next best option.
I wish somebody from MT would commect on this issue though as I never got to the bottom of it?
Thks
Here is one example that does not work because downloads break:
http://forum.mikrotik.com/viewtopic.php?t=3302
Here is another example of unanswered questions regarding traffic originating locally:
http://forum.mikrotik.com/viewtopic.php?t=6009
http://forum.mikrotik.com/viewtopic.php?t=3302
Here is another example of unanswered questions regarding traffic originating locally:
http://forum.mikrotik.com/viewtopic.php?t=6009
Normis,
I am on some 8 or so MLs/forums for various kind of products, I do know many computing communities. MT's one, is the better one, friendly.
And I also note the fact, that users get help mostly from other users. But, I am known as a person not fearing voice my own opinion
So, I have to object to your post, I am sorry to do so. It does not help anybody and sounds kind of strange to me. Of course someone could eventually post some configs, but WHAT is the point?! You are product authors and you can see, that ppl get some trouble using your product. You claim you have some solution working, but you let ppl struggling for hours to get similar things to work.
Being your sales director, I would smash tech support for such kind of reply as yours. It does not help anyone, really. What is the point? So you can see ppl have some difficulcy, you can see, that ppl are starting to use different solution/boxes for it, which could distract someone from using your product in overall.
With few folks, we are discussing such topic on czech forum too. Well, it can be us, users, and probably it IS us, users, uncapable to get such things working. But then why to waste our time, and not produce some wiki-entry with some more examples when you claim you have it working? That would be much more constructive imo and would take some 10 - 15 minutes to produce?
Now sorry if you feel offended, please don't. I am sometimes kind of stright with my opinion. But I am also a business owner, and I like ppl being focused on solving potential problems. We are one of MT-only boxes satisfied customers, but as you can see from posts here, some ppl struggle to get some things working, and you decide the best way to help them, as this issue is here for quite some time, and docs are not apparently satisfactory enough in this particular case ....
Petr
I am on some 8 or so MLs/forums for various kind of products, I do know many computing communities. MT's one, is the better one, friendly.
And I also note the fact, that users get help mostly from other users. But, I am known as a person not fearing voice my own opinion
So, I have to object to your post, I am sorry to do so. It does not help anybody and sounds kind of strange to me. Of course someone could eventually post some configs, but WHAT is the point?! You are product authors and you can see, that ppl get some trouble using your product. You claim you have some solution working, but you let ppl struggling for hours to get similar things to work.
Being your sales director, I would smash tech support for such kind of reply as yours. It does not help anyone, really. What is the point? So you can see ppl have some difficulcy, you can see, that ppl are starting to use different solution/boxes for it, which could distract someone from using your product in overall.
With few folks, we are discussing such topic on czech forum too. Well, it can be us, users, and probably it IS us, users, uncapable to get such things working. But then why to waste our time, and not produce some wiki-entry with some more examples when you claim you have it working? That would be much more constructive imo and would take some 10 - 15 minutes to produce?
Now sorry if you feel offended, please don't. I am sometimes kind of stright with my opinion. But I am also a business owner, and I like ppl being focused on solving potential problems. We are one of MT-only boxes satisfied customers, but as you can see from posts here, some ppl struggle to get some things working, and you decide the best way to help them, as this issue is here for quite some time, and docs are not apparently satisfactory enough in this particular case ....
Petr
The Wiki and the docs do contain examples on this issue. But many times the docs and wiki is not enough, in this case attending a training, coming to the MUM or even hiring a certified consultant for a specific task will be very helpful to understand certain issues. RouterOS is a huge system with a manual that already is more than 600 pages + wiki + forum + support emails and people still find it too little. So I recommend the above - personal experience with someone to explain in person.
OR
you could make load balencing more user friendly and sell ALOT more routers with route OS on them..... I used my own work around by breaking up traffic but load balencing was what initally brought me to this platform.
Although i did not get what i wanted, i discovered how great RouteOS is and have begun to learn as much as i can about it. If someone would have clearly said that load balencing is difficult on routeOS and requires training or a 1 on 1 lessons, than i probablly would still be sticking with power hungry unix boxes and never discovred this great OS....
EDIT: to clearify, the reason i thought LBing was not a problem on routeOS was due to the example in the wiki/manual....
joe
you could make load balencing more user friendly and sell ALOT more routers with route OS on them..... I used my own work around by breaking up traffic but load balencing was what initally brought me to this platform.
Although i did not get what i wanted, i discovered how great RouteOS is and have begun to learn as much as i can about it. If someone would have clearly said that load balencing is difficult on routeOS and requires training or a 1 on 1 lessons, than i probablly would still be sticking with power hungry unix boxes and never discovred this great OS....
EDIT: to clearify, the reason i thought LBing was not a problem on routeOS was due to the example in the wiki/manual....
joe
actually i think eugne is right,
http://wiki.mikrotik.com/wiki/Improved_ ... e_Gateways
is the answer to all these problems, i have not tested it but i think it will work reading through it...the key here was the use of:
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
the connection state=New is the key
i will test when i can and report back.
tks
http://wiki.mikrotik.com/wiki/Improved_ ... e_Gateways
is the answer to all these problems, i have not tested it but i think it will work reading through it...the key here was the use of:
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
the connection state=New is the key
i will test when i can and report back.
tks
--THREAD SOLVED AND SOLUTION TESTED --
--THREAD SOLVED AND SOLUTION TESTED --
ok i tested it (SEE WIKI LINK ABOVE) and it works GREAT!! exactly as advertised / needed...again i think the missing key in everyones attempts before this (and there were ALOT of ppl trying to get this right) was the new-connection filter on the mangle rule
i didnt have any instant messengers around but i tested it with ftp, a few banking and investing secure sites...large http downloads...all ok..i'm getting 2 x 12 mbit cable modems and balencing all my users p2p traffic over that, and keepine very thing else on my fast dsl line
anyway...this should be made a stiki post. Oh and i only had 2 connections but i dont see why you cant expand this for "infinite" connections...amazing! when 8 months ago i paid 1500$ for a 3port load balencer that did not even work right.
joe
--THREAD SOLVED AND SOLUTION TESTED --
ok i tested it (SEE WIKI LINK ABOVE) and it works GREAT!! exactly as advertised / needed...again i think the missing key in everyones attempts before this (and there were ALOT of ppl trying to get this right) was the new-connection filter on the mangle rule
i didnt have any instant messengers around but i tested it with ftp, a few banking and investing secure sites...large http downloads...all ok..i'm getting 2 x 12 mbit cable modems and balencing all my users p2p traffic over that, and keepine very thing else on my fast dsl line
anyway...this should be made a stiki post. Oh and i only had 2 connections but i dont see why you cant expand this for "infinite" connections...amazing! when 8 months ago i paid 1500$ for a 3port load balencer that did not even work right.
joe
Hi. I haven't been around here much lately. For me, I'd GLADLY hire a consultant or attend training, BUT can someone from MikroTik confirm that the current versions of MT work with both Transparent Caching Proxy and with Multiple Gateways at the same time?The Wiki and the docs do contain examples on this issue. But many times the docs and wiki is not enough, in this case attending a training, coming to the MUM or even hiring a certified consultant for a specific task will be very helpful to understand certain issues.
It worked perfectly for us in version 2.7, but our cache drive occasional was having errors and having to have it's index rebuilt. The MT suggested solutions was to upgrade to 2.8, which did fix that issue, but Load Balancing with Transparent Proxy has never worked since.
Can anyone confirm that the current instructions do in fact allow proper load balancing with transparent proxy?
Thank you.
Well I would still suggest you try it. I have heard some isolated reports where is works. It could really depend on your network configuration. For example, I have heard this works:
Internet <-> Public IP Router 1 <-> MT with transparent proxy, NAT and ECMP <-> Clients
Internet <-> Public IP Router 2 <->
but this definitely does not work for me, i.e. broken downloads:
Internet <-> NAT Router 1 <-> MT with transparent proxy and ECMP <-> Cilents
Internet <-> NAT Router 2 <->
Internet <-> Public IP Router 1 <-> MT with transparent proxy, NAT and ECMP <-> Clients
Internet <-> Public IP Router 2 <->
but this definitely does not work for me, i.e. broken downloads:
Internet <-> NAT Router 1 <-> MT with transparent proxy and ECMP <-> Cilents
Internet <-> NAT Router 2 <->