Hi, we have a three 1G lines so total we have 3 Gbps connectivity on three links.
Now the question is that we want to split pppoe clients on our three links ISP1, ISP2 and ISP3
We don't want load balancing.
All pppoe clients are connected with bride port so outgoing is on bridge port with Port 4 and Port 5
Port 1 (1G), Port 2 (1G) , Port 3 (1G) Bridge (Port 4 and Port 5)
So Mikrotik Guru's can someone suggest the best option to do it.
-
-
birendersinghbudhwar
Member Candidate
- Posts: 117
- Joined:
- Location: Rohtak, HARYANA, INDIA
- Contact:
Re: pppoe clients with multiple ISP links
You do not have specified what rules apply to "split" the users on the 3 lines...
Re: pppoe clients with multiple ISP links
The quality of the answer depends on the quality of the question, and there's a lot missing in your question.
Your router is the PPPoE server for the clients, correct? And what is the setup with the upstream ISP - can you agree on bonding the three links together with the ISP, or is it three independent services (maybe from different ISPs) with individual public (or maybe even private) subnets?
Bonding would be ideal, but if the reason you don't want "load balancing" is that multiple connections of the same client would end up NATed to different public addresses, this can be avoided even with actual load balancing between multiple public addresses. So what is the reason not to use load balancing?
Another question, what RouterBoard model are we talking about? You mention just 5 ports - if it is a 5-port model, its total throughput will most likely be insufficient to handle the full 2 Gbit/s in each direction with PPPoE and bandwidth policing.
Your router is the PPPoE server for the clients, correct? And what is the setup with the upstream ISP - can you agree on bonding the three links together with the ISP, or is it three independent services (maybe from different ISPs) with individual public (or maybe even private) subnets?
Bonding would be ideal, but if the reason you don't want "load balancing" is that multiple connections of the same client would end up NATed to different public addresses, this can be avoided even with actual load balancing between multiple public addresses. So what is the reason not to use load balancing?
Another question, what RouterBoard model are we talking about? You mention just 5 ports - if it is a 5-port model, its total throughput will most likely be insufficient to handle the full 2 Gbit/s in each direction with PPPoE and bandwidth policing.
Re: pppoe clients with multiple ISP links
Ah... nice observation....if it is a 5-port model, its total throughput will most likely be insufficient to handle the full 2 Gbit/s in each direction with PPPoE and bandwidth policing.
-
-
birendersinghbudhwar
Member Candidate
- Posts: 117
- Joined:
- Location: Rohtak, HARYANA, INDIA
- Contact:
Re: pppoe clients with multiple ISP links
Hi,
Sorry if my question is not clear.
In my setup I have Matrox X Series x64 Bit hardware which comes with inbuilt 5 Ports of 10G each.
On Port 1, 2 and 3 I have Giga connections from ISP with 1G per port with pppoe client connection (ISP)
In Bridge Port with Port 4 and Port 5, I want pppoe server so pppoe clients can connect.
Load balancing have a issue that it break https connections. And I think my ISP doesn't support bonding.
Splitting the pppoe clients among the 3 uplinks can be manually or automatically what ever Mikrotik Guru's suggest.
If any other information required please let me know.
Sorry if my question is not clear.
In my setup I have Matrox X Series x64 Bit hardware which comes with inbuilt 5 Ports of 10G each.
On Port 1, 2 and 3 I have Giga connections from ISP with 1G per port with pppoe client connection (ISP)
In Bridge Port with Port 4 and Port 5, I want pppoe server so pppoe clients can connect.
Load balancing have a issue that it break https connections. And I think my ISP doesn't support bonding.
Splitting the pppoe clients among the 3 uplinks can be manually or automatically what ever Mikrotik Guru's suggest.
If any other information required please let me know.
The quality of the answer depends on the quality of the question, and there's a lot missing in your question.
Your router is the PPPoE server for the clients, correct? And what is the setup with the upstream ISP - can you agree on bonding the three links together with the ISP, or is it three independent services (maybe from different ISPs) with individual public (or maybe even private) subnets?
Bonding would be ideal, but if the reason you don't want "load balancing" is that multiple connections of the same client would end up NATed to different public addresses, this can be avoided even with actual load balancing between multiple public addresses. So what is the reason not to use load balancing?
Another question, what RouterBoard model are we talking about? You mention just 5 ports - if it is a 5-port model, its total throughput will most likely be insufficient to handle the full 2 Gbit/s in each direction with PPPoE and bandwidth policing.
Re: pppoe clients with multiple ISP links
I only know Matrox as a graphic card vendor, but x64 and 5×10 Gbit/s interfaces indicate that packet throughput is not an issue.In my setup I have Matrox X Series x64 Bit hardware which comes with inbuilt 5 Ports of 10G each.
This gives me two bits of information: that the actual issue is not load balancing (or, more exactly, load distribution) as such but how exactly it is done, and that you get a separate public subnet or even just a separate public address on each of the three links connected to ether1 .. ether3.Load balancing have a issue that it break https connections.
So following the principle "we don't deliver what you ordered, we deliver what you actually wanted", I dare to translate the requirement to "avoid load balancing" into a requirement to "make sure that all connections of any given PPPoE client will always get src-nated to the same public IP, except if the respective uplink is broken".
Laziness is the mother of evolution, so automatic distribution would be my personal preference, as it is maintenance-free. The drawback of manual distribution is that you have to manually choose an uplink for each client; the positive is that you can manually choose an uplink for each client, which allows you to eventually redistribute the clients if the uplinks are not loaded evenly.Splitting the pppoe clients among the 3 uplinks can be manually or automatically what ever Mikrotik Guru's suggest.
So supposing you've got three uplinks with three individual /30 public subnets (what a waste of valuable resources!), you would create six routing tables with default routes; three of them use all three gateways each with different priority, and three of them use just one gateway each.
/ip route
add gateway=uplink.1.gw.ip routing-mark=prefer-1
add gateway=uplink.2.gw.ip routing-mark=prefer-1 distance=2
add gateway=uplink.3.gw.ip routing-mark=prefer-1 distance=3
add gateway=uplink.2.gw.ip routing-mark=prefer-2
add gateway=uplink.3.gw.ip routing-mark=prefer-2 distance=2
add gateway=uplink.1.gw.ip routing-mark=prefer-2 distance=3
add gateway=uplink.3.gw.ip routing-mark=prefer-3
add gateway=uplink.1.gw.ip routing-mark=prefer-3 distance=2
add gateway=uplink.2.gw.ip routing-mark=prefer-3 distance=3
add gateway=uplink.1.gw.ip routing-mark=use-1
add gateway=uplink.2.gw.ip routing-mark=use-2
add gateway=uplink.3.gw.ip routing-mark=use-3
The distribution of client's connections is done using mangle rules.
/interface list add name=WAN
/interface list member
add list=WAN interface=uplink-1
add list=WAN interface=uplink-2
add list=WAN interface=uplink-3
/ip firewall mangle
#accept mid-connection (i.e. already connection-marked) download packets straight away
add chain=prerouting in-interface-list=WAN connection-mark=!no-mark action=accept
#send mid-connection (i.e. already connection-marked) upload packets through their previously assigned uplink
add chain=prerouting connection-mark=use-1 action=mark-routing new-routing-mark=use-1 passthrough=no
add chain=prerouting connection-mark=use-2 action=mark-routing new-routing-mark=use-2 passthrough=no
add chain=prerouting connection-mark=use-3 action=mark-routing new-routing-mark=use-3 passthrough=no
#handling the first response packet - set the connection-mark depending on the uplink through which the connection has actually been established
add chain=prerouting in-interface=uplink-1 action=mark-connection new-connection-mark=use-1 passthrough=no
add chain=prerouting in-interface=uplink-2 action=mark-connection new-connection-mark=use-2 passthrough=no
add chain=prerouting in-interface=uplink-3 action=mark-connection new-connection-mark=use-3 passthrough=no
#handling the first request packet - prefer an uplink depending the IP address of the customer
add chain=prerouting in-interface-list=WAN per-connection-classifier=src-address:3/0 action=mark-routing new-routing-mark=prefer-1 passthrough=no
add chain=prerouting in-interface-list=WAN per-connection-classifier=src-address:3/1 action=mark-routing new-routing-mark=prefer-2 passthrough=no
add chain=prerouting in-interface-list=WAN per-connection-classifier=src-address:3/2 action=mark-routing new-routing-mark=prefer-3 passthrough=no
The whole idea here is that for the first request packet from any given customer, always the same rule out of the three last ones above matches, because the per-connection-classifier calculates the hash only from the customer's IP address. So the first packet is sent always to the same routing table, where the route with distance=1 is used unless that path is down; the other two can be used only if the preferred path is down.
The first response packet (the second one of the connection) arrives via one of the uplinks; this indicates which uplink has actually been chosen for the connection, so we need to remember this information in order to tie that connection to that uplink for the rest of its existence, even if the uplink eventually breaks down. This is the job of the three action=mark-connection rules.
If you choose manual linking of a client to an uplink, the easiest way to me is to
- create three /ip firewall address-list items, prefer-1, prefer-2, prefer-3, and three /ppp profile items, each referring to one of these three address lists
- let each client prefer a particular uplink by setting the corresponding /ppp profile item in their /ppp secret row
- replace the per-connection-classifier match conditions in the three rules assigning the routing-mark to the initial packets by src-address-list=prefer-X match conditions.
Since you have a single upstream ISP, it would be much better than any of the above if the ISP didn't use public subnets directly on the uplinks, gave the same 12 public addresses (or even just 8, a single /29) completely to you, and used a private interconnection subnet on each uplink to route traffic towards these public IPs. In that case, you'd be able to use ECMP to distribute the load among all three uplinks and still NAT any given customer to the same public IP. If one of the uplinks would fail, all the existing connections would seamlessly keep using the remaining two. The ISP would have to do the same ECMP of course.
-
-
birendersinghbudhwar
Member Candidate
- Posts: 117
- Joined:
- Location: Rohtak, HARYANA, INDIA
- Contact:
Re: pppoe clients with multiple ISP links
Hi, Thanks for your reply.
My scenario is I have three connection 2 from same ISP 3rd from different and all are pppoe based.
All three uplinks getting IP's from ISP's radius server via pppoe.
Now my customers will be on my pppoe server running on on bridge interface with ether-4 and ether-5
Which will be the best can we use auto distribution of clients on three links via pppoe my only concern is that SSL websites should work properly as all three uplinks have different public IP's if auro load balancing / distribution happens different IP's goes to SSL web servers which logout the customers immediately like bank websites.
My scenario is I have three connection 2 from same ISP 3rd from different and all are pppoe based.
All three uplinks getting IP's from ISP's radius server via pppoe.
Now my customers will be on my pppoe server running on on bridge interface with ether-4 and ether-5
Which will be the best can we use auto distribution of clients on three links via pppoe my only concern is that SSL websites should work properly as all three uplinks have different public IP's if auro load balancing / distribution happens different IP's goes to SSL web servers which logout the customers immediately like bank websites.
I only know Matrox as a graphic card vendor, but x64 and 5×10 Gbit/s interfaces indicate that packet throughput is not an issue.In my setup I have Matrox X Series x64 Bit hardware which comes with inbuilt 5 Ports of 10G each.
This gives me two bits of information: that the actual issue is not load balancing (or, more exactly, load distribution) as such but how exactly it is done, and that you get a separate public subnet or even just a separate public address on each of the three links connected to ether1 .. ether3.Load balancing have a issue that it break https connections.
So following the principle "we don't deliver what you ordered, we deliver what you actually wanted", I dare to translate the requirement to "avoid load balancing" into a requirement to "make sure that all connections of any given PPPoE client will always get src-nated to the same public IP, except if the respective uplink is broken".
Laziness is the mother of evolution, so automatic distribution would be my personal preference, as it is maintenance-free. The drawback of manual distribution is that you have to manually choose an uplink for each client; the positive is that you can manually choose an uplink for each client, which allows you to eventually redistribute the clients if the uplinks are not loaded evenly.Splitting the pppoe clients among the 3 uplinks can be manually or automatically what ever Mikrotik Guru's suggest.
So supposing you've got three uplinks with three individual /30 public subnets (what a waste of valuable resources!), you would create six routing tables with default routes; three of them use all three gateways each with different priority, and three of them use just one gateway each.
/ip route
add gateway=uplink.1.gw.ip routing-mark=prefer-1
add gateway=uplink.2.gw.ip routing-mark=prefer-1 distance=2
add gateway=uplink.3.gw.ip routing-mark=prefer-1 distance=3
add gateway=uplink.2.gw.ip routing-mark=prefer-2
add gateway=uplink.3.gw.ip routing-mark=prefer-2 distance=2
add gateway=uplink.1.gw.ip routing-mark=prefer-2 distance=3
add gateway=uplink.3.gw.ip routing-mark=prefer-3
add gateway=uplink.1.gw.ip routing-mark=prefer-3 distance=2
add gateway=uplink.2.gw.ip routing-mark=prefer-3 distance=3
add gateway=uplink.1.gw.ip routing-mark=use-1
add gateway=uplink.2.gw.ip routing-mark=use-2
add gateway=uplink.3.gw.ip routing-mark=use-3
The distribution of client's connections is done using mangle rules.
/interface list add name=WAN
/interface list member
add list=WAN interface=uplink-1
add list=WAN interface=uplink-2
add list=WAN interface=uplink-3
/ip firewall mangle
#accept mid-connection (i.e. already connection-marked) download packets straight away
add chain=prerouting in-interface-list=WAN connection-mark=!no-mark action=accept
#send mid-connection (i.e. already connection-marked) upload packets through their previously assigned uplink
add chain=prerouting connection-mark=use-1 action=mark-routing new-routing-mark=use-1 passthrough=no
add chain=prerouting connection-mark=use-2 action=mark-routing new-routing-mark=use-2 passthrough=no
add chain=prerouting connection-mark=use-3 action=mark-routing new-routing-mark=use-3 passthrough=no
#handling the first response packet - set the connection-mark depending on the uplink through which the connection has actually been established
add chain=prerouting in-interface=uplink-1 action=mark-connection new-connection-mark=use-1 passthrough=no
add chain=prerouting in-interface=uplink-2 action=mark-connection new-connection-mark=use-2 passthrough=no
add chain=prerouting in-interface=uplink-3 action=mark-connection new-connection-mark=use-3 passthrough=no
#handling the first request packet - prefer an uplink depending the IP address of the customer
add chain=prerouting in-interface-list=WAN per-connection-classifier=src-address:3/0 action=mark-routing new-routing-mark=prefer-1 passthrough=no
add chain=prerouting in-interface-list=WAN per-connection-classifier=src-address:3/1 action=mark-routing new-routing-mark=prefer-2 passthrough=no
add chain=prerouting in-interface-list=WAN per-connection-classifier=src-address:3/2 action=mark-routing new-routing-mark=prefer-3 passthrough=no
The whole idea here is that for the first request packet from any given customer, always the same rule out of the three last ones above matches, because the per-connection-classifier calculates the hash only from the customer's IP address. So the first packet is sent always to the same routing table, where the route with distance=1 is used unless that path is down; the other two can be used only if the preferred path is down.
The first response packet (the second one of the connection) arrives via one of the uplinks; this indicates which uplink has actually been chosen for the connection, so we need to remember this information in order to tie that connection to that uplink for the rest of its existence, even if the uplink eventually breaks down. This is the job of the three action=mark-connection rules.
If you choose manual linking of a client to an uplink, the easiest way to me is toIn both cases, the src-nat or masquerade rules match on the respective out-interface names.
- create three /ip firewall address-list items, prefer-1, prefer-2, prefer-3, and three /ppp profile items, each referring to one of these three address lists
- let each client prefer a particular uplink by setting the corresponding /ppp profile item in their /ppp secret row
- replace the per-connection-classifier match conditions in the three rules assigning the routing-mark to the initial packets by src-address-list=prefer-X match conditions.
Since you have a single upstream ISP, it would be much better than any of the above if the ISP didn't use public subnets directly on the uplinks, gave the same 12 public addresses (or even just 8, a single /29) completely to you, and used a private interconnection subnet on each uplink to route traffic towards these public IPs. In that case, you'd be able to use ECMP to distribute the load among all three uplinks and still NAT any given customer to the same public IP. If one of the uplinks would fail, all the existing connections would seamlessly keep using the remaining two. The ISP would have to do the same ECMP of course.
Re: pppoe clients with multiple ISP links
Once again - it's not the load distribution as such that causes the trouble, it's the particular rules you use to distribute the traffic that make the difference. You must distribute the connections of the clients among the uplinks, otherwise you would have to use only one of the uplinks for all of them. And to avoid those issues with SSL, the only thing you have to ensure is that each particular client will always use the same uplink for all its connections. It doesn't matter whether you achieve this by using per-connection-classifier calculating the hash from the src-address alone or by matching the src-address against an address-list. I've outlined the pros and cons of each approach in my previous post.
I've also suggested a way to handle an outage of one of the uplinks which I would use if I were in your position, as I expect the clients to be more upset by having no internet connectivity at all than by having temporary issues with SSL sites.
I've also suggested a way to handle an outage of one of the uplinks which I would use if I were in your position, as I expect the clients to be more upset by having no internet connectivity at all than by having temporary issues with SSL sites.