Spanish version of this article: Balanceo de carga mejorado persistente
Introduction
This example is an improved (and different) version of the round-robin load balancing example. It adds persistent user sessions, i.e. a particular user always uses the same source IP address for all outgoing connections. Consider the following network layout:
Quick Start for Impatient
Configuration export from the gateway router:
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
new-routing-mark=odd passthrough=no
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
new-routing-mark=even passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
Explanation
First we give a code snippet and then explain what it actually does.
IP Addresses
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name "Local" and IP address of 192.168.0.1/24.
Mangle
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
new-routing-mark=odd passthrough=no
All traffic from customers whose IP address was previously placed in the address list "odd" is immediately marked with the connection mark and routing mark "odd". Afterwards the traffic is excluded from processing by the subsequent mangle rules in the prerouting chain (passthrough=no).
/ ip firewall mangle
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
new-routing-mark=even passthrough=no
The same as above, only for customers whose IP address was previously placed in the address list "even".
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no
First we take every second packet that establishes a new session (note connection-state=new) and mark it with the connection mark "odd". Consequently all successive packets belonging to the same session carry the connection mark "odd". Note that these packets are passed on to the second and third rules (passthrough=yes). The second rule adds the client's IP address to the address list so that all of its successive sessions go through the same gateway. The third rule places the routing mark "odd" on all packets that belong to an "odd" connection and stops processing of the remaining mangle rules in the prerouting chain for these packets.
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no
These rules do the same for the remaining half of the traffic as the first three rules do for the first half.
The code above effectively means that each new connection initiated through the router from the local network will be marked as either "odd" or "even" with both routing and connection marks.
The above works fine. There are, however, some situations where you might find the same IP address listed under both the ODD and EVEN src-address-lists. This behavior causes issues with apps that require persistent connections. A simple remedy for this situation is to add the following condition to your mangle rules:
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
src-address-list=!odd action=mark-connection new-connection-mark=even \
passthrough=yes
This ensures that the new connection does not come from an address that is already part of the ODD src-address-list. You will have to do the same for the ODD mangle rule, thus excluding IPs already part of the EVEN src-address-list.
NAT
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535
All traffic marked "odd" is NATted to the source IP address 10.111.0.2, while traffic marked "even" gets the source IP address 10.112.0.2.
Routing
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
For all traffic marked "odd" (consequently having 10.111.0.2 translated source address) we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed through the 10.112.0.1 gateway.
/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
Finally, we have one additional entry specifying that traffic from the router itself (traffic without any routing mark) should go through the 10.112.0.1 gateway.
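A configuration check for the export above, added here as an example (it is not MikroTik's tooling or the original article's): it parses the export text and verifies that the NAT source and the routing-mark gateway of each mark share a link, that the unmarked default route exists, and that every nth marking rule carries the `src-address-list=!...` guard from the Mangle section. The embedded export is a constructed excerpt of this page's configuration, still without those guards.

```python
import ipaddress
# Constructed sample: the parts of this page's export that the checks read, without
# the '!odd' / '!even' guards that the remedy in the text adds to the nth rules.
EXPORT = """\
/ ip address
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 action=mark-connection new-connection-mark=even passthrough=yes
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 to-ports=0-65535
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
"""

def parse_export(text):
    """Group 'add' rules by section: {section: [{key: value, ...}, ...]}."""
    sections, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = " ".join(line[1:].split())
            sections.setdefault(section, [])
        elif line.startswith("add ") and section is not None:
            sections[section].append(dict(t.split("=", 1) for t in line[4:].split()))
    return sections

def check_marks(sections):
    """The NATted source for each mark must be on-link with the gateway its route uses."""
    links = [ipaddress.ip_interface(r["address"]).network for r in sections.get("ip address", [])]
    routes = {r.get("routing-mark", ""): r["gateway"] for r in sections.get("ip route", [])}
    problems = ["no unmarked default route for the router's own traffic"] if "" not in routes else []
    for r in sections.get("ip firewall nat", []):
        mark, src, gw = r["connection-mark"], ipaddress.ip_address(r["to-addresses"]), routes.get(r["connection-mark"])
        if gw is None:
            problems.append(f"{mark}: src-nat rule but no route with routing-mark={mark}")
        elif not any(src in n and ipaddress.ip_address(gw) in n for n in links):
            problems.append(f"{mark}: {src} is NATted out but gateway {gw} is on another link")
    return problems

def check_guards(sections):
    """Every nth marking rule must skip hosts already pinned to another list (the remedy above)."""
    nth = [r for r in sections.get("ip firewall mangle", []) if "nth" in r and r.get("action") == "mark-connection"]
    marks = {r["new-connection-mark"] for r in nth}
    return [f"{r['new-connection-mark']} rule lacks src-address-list=!{o}" for r in nth
            for o in marks - {r["new-connection-mark"]} if r.get("src-address-list") != "!" + o]
```

Run the two checks against `parse_export(EXPORT)`: the marks and routes pass, and the guard check reports both nth rules until the `!odd` / `!even` conditions are added.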
