Manual:Load balancing multiple same subnet links: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
mNo edit summary
No edit summary
Line 12: Line 12:
Provider is giving us two links with IP addresses from the same network range (10.1.101.10/24 and 10.1.101.18/24). Gateway for both of these links is the same 10.1.101.1
Provider is giving us two links with IP addresses from the same network range (10.1.101.10/24 and 10.1.101.18/24). Gateway for both of these links is the same 10.1.101.1


<h3>Configuration</h3>
<h3>Configuration Example 1</h3>


Here is the whole configuration for those who want to copy&paste
Here is the whole configuration for those who want to copy&paste
Line 40: Line 40:
<h4>IP address</h4>
<h4>IP address</h4>


In previous RouterOS version multiple IP addresses from the same subnet on different interfaces were not allowed. Fortunately v4 allows such configurations.
In previous RouterOS version, multiple IP addresses from the same subnet on different interfaces were not allowed. Fortunately, from v4 RouterOS allows such configurations.


In this example our provider assigned two upstream links, one connected to <b>ether1</b> and other to <b>ether2</b>. Our local network has two subnets 192.168.1.0/24 and 192.168.2.0/24
In this example our provider assigned two upstream links, one connected to <b>ether1</b> and other to <b>ether2</b>. Our local network has two subnets 192.168.1.0/24 and 192.168.2.0/24
Line 57: Line 57:
         gateway-status=ether1 reachable,ether2 reachable distance=0 scope=10
         gateway-status=ether1 reachable,ether2 reachable distance=0 scope=10
</pre>
</pre>
{{ Note| [[Routing filters]] can be used to adjust preferred source if needed }}


<h4>Mangle and NAT</h4>
<h4>Mangle and NAT</h4>
Line 105: Line 103:
</pre>
</pre>


Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) will be resolved in main routing table.
Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) will be resolved in the main routing table.
<pre>
<pre>
/ip route
/ip route
Line 111: Line 109:
</pre>
</pre>
</div>
</div>
<h3>Configuration Example 2</h3>
[[File:Dual-wan.png|300px|]]
<h4>IP address</h4>
In this example our provider assigned two upstream links, one connected to <b>ether1</b> and other to <b>ether2</b>. Our local network has two subnets 192.168.1.0/24 and 192.168.2.0/24
<pre>
/ip address
add address=10.1.101.18/24 interface=ether1
add address=10.1.200.18/24 interface=ether2
add address=192.168.1.1/24 interface=Local
add address=192.168.2.1/24 interface=Local
</pre>
<h4>Mangle and NAT</h4>
In this example connections going through the ehter1 interface is marked as <b>"first"</b> and packets going through the ether2 is marked as <b>"other"</b>.
<pre>
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=first out-interface=ether1 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=other out-interface=ether2 passthrough=yes
</pre>
Instead of masquerade, we will use src-nat for our local networks, because we do not want to purge connections which is one of masquarades main features when a primary link fails. We will restrict them with a firewall rules (later in this example)
<pre>
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-address=10.1.101.18/24
add action=src-nat chain=srcnat out-interface=ether2 to-address=10.1.200.18/24
</pre>
When the primary link will fail, we will reject all the established connections, so a new connections will pass through the secondary link. The same behavior will happen when a primary link will come back again and here we will prevent local IP leakage to a public network, which is one of <span class="plainlinks">[https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade masquerades disadvantages]</span>.
<pre>
add action=reject chain=forward connection-mark=other out-interface=ether1 reject-with=icmp-network-unreachable
add action=reject chain=forward connection-mark=first out-interface=ether2 reject-with=icmp-network-unreachable
</pre>
<h4>Routes</h4>
We will add two default routes. With <code>distance</code> parameter we set routes preference:
<pre>
/ip route add gateway=10.1.101.1 distance=1 check-gateway=ping
/ip route add gateway=10.1.200.1 distance=2
</pre>


[[Category:Unfinished]]
[[Category:Unfinished]]

Revision as of 09:01, 24 July 2019

Applies to RouterOS: v4,v5

Summary

This example demonstrates how to set up load balancing if provider is giving IP addresses from the same subnet for all links.

Application Example

Provider is giving us two links with IP addresses from the same network range (10.1.101.10/24 and 10.1.101.18/24). Gateway for both of these links is the same 10.1.101.1

Configuration Example 1

Here is the whole configuration for those who want to copy&paste

/ip address
add address=10.1.101.18/24 interface=ether1 
add address=10.1.101.10/24 interface=ether2
add address=192.168.1.1/24 interface=Local
add address=192.168.2.1/24 interface=Local

/ip route
add gateway=10.1.101.1
add gateway=10.1.101.1%ether1 routing-mark=first
add gateway=10.1.101.1%ether2 routing-mark=other

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

/ip firewall mangle
add action=mark-routing chain=prerouting src-address=192.168.1.0/24 new-routing-mark=first
add action=mark-routing chain=prerouting src-address=192.168.2.0/24 new-routing-mark=other

IP address

In previous RouterOS version, multiple IP addresses from the same subnet on different interfaces were not allowed. Fortunately, from v4 RouterOS allows such configurations.

In this example our provider assigned two upstream links, one connected to ether1 and other to ether2. Our local network has two subnets 192.168.1.0/24 and 192.168.2.0/24

/ip address
add address=10.1.101.18/24 interface=ether1 
add address=10.1.101.10/24 interface=ether2
add address=192.168.1.1/24 interface=Local
add address=192.168.2.1/24 interface=Local

After IP address is set up, connected route will be installed as ECMP route

[admin@MikroTik] /ip route> print detail
 0 ADC  dst-address=10.1.101.0/24 pref-src=10.1.101.18 gateway=ether1,ether2 
        gateway-status=ether1 reachable,ether2 reachable distance=0 scope=10

Mangle and NAT

In our example very simple policy routing is used. Clients from 192.168.1.0/24 subnet is marked to use "first" routing table and 192.168.2.0/24 to use "other" subnet.

Note: The same can be achieved by setting up route rules instead of mangle.


/ip firewall mangle
add action=mark-routing chain=prerouting src-address=192.168.1.0/24 new-routing-mark=first
add action=mark-routing chain=prerouting src-address=192.168.2.0/24 new-routing-mark=other

And masquerade our local networks

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

Warning: You will also have to deal with traffic coming to and from the router itself. For explanations look at PCC configuration example.


IP route

We are adding two gateways, one to resolve in "first" routing table and another to "other" routing table.

/ip route
add gateway=10.1.101.1%ether1 routing-mark=first
add gateway=10.1.101.1%ether2 routing-mark=other

Interesting part of these routes is how we set gateway. gateway=10.1.101.1%ether1 means that gateway 10.1.101.1 will be explicitly reachable over ether1

[admin@MikroTik] /ip route> print detail 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=10.1.101.1%ether2 
        gateway-status=10.1.101.1 reachable ether2 distance=1 scope=30 
        target-scope=10 routing-mark=other 

 1 A S  dst-address=0.0.0.0/0 gateway=10.1.101.1%ether1 
        gateway-status=10.1.101.1 reachable ether1 distance=1 scope=30 
        target-scope=10 routing-mark=first 

Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) will be resolved in the main routing table.

/ip route
add gateway=10.1.101.1

Configuration Example 2

IP address

In this example our provider assigned two upstream links, one connected to ether1 and other to ether2. Our local network has two subnets 192.168.1.0/24 and 192.168.2.0/24

/ip address
add address=10.1.101.18/24 interface=ether1 
add address=10.1.200.18/24 interface=ether2
add address=192.168.1.1/24 interface=Local
add address=192.168.2.1/24 interface=Local

Mangle and NAT

In this example connections going through the ehter1 interface is marked as "first" and packets going through the ether2 is marked as "other".

/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=first out-interface=ether1 passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=other out-interface=ether2 passthrough=yes

Instead of masquerade, we will use src-nat for our local networks, because we do not want to purge connections which is one of masquarades main features when a primary link fails. We will restrict them with a firewall rules (later in this example)

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-address=10.1.101.18/24
add action=src-nat chain=srcnat out-interface=ether2 to-address=10.1.200.18/24

When the primary link will fail, we will reject all the established connections, so a new connections will pass through the secondary link. The same behavior will happen when a primary link will come back again and here we will prevent local IP leakage to a public network, which is one of masquerades disadvantages.

add action=reject chain=forward connection-mark=other out-interface=ether1 reject-with=icmp-network-unreachable
add action=reject chain=forward connection-mark=first out-interface=ether2 reject-with=icmp-network-unreachable

Routes

We will add two default routes. With distance parameter we set routes preference:

/ip route add gateway=10.1.101.1 distance=1 check-gateway=ping
/ip route add gateway=10.1.200.1 distance=2