Having covered the background and the environment I use in the previous article, it is time to explain ECMP load balancing with automatic route failover combined with a proxy and a DNS server. Based on the topology in the picture above, we are going to bring the proxy and DNS servers into the load balancing system; I will discuss the proxy and DNS server in more detail separately later. For now we only need to know the IP address and port used by the proxy and the IP address of the DNS server, which we are going to enter into the ECMP load balancing failover configuration.
As you probably know, load balancing is better when completed with a failover system, so that if one of the internet connections has a problem, internet access keeps running without the two links disturbing each other. Several kinds of failover techniques have been widely discussed. Here I will use the automatic route list failover technique without scripting. By scripting I mean writing scripts that are inserted into the system and run automatically according to their own logic, usually via the system scheduler. OK, let's get started!
1. Specifying the DNS Router and Address List on the Firewall
Assuming that you have installed the network according to the interface layout in the previous article, and so as not to confuse you, I put the interface and IP address setup here in the following script.
/interface
set 1 name=wan1
set 2 name=wan2
set 3 name=proxy
set 4 name=lan1
set 5 name=not-used
/ip address
add address=172.16.1.2/24 interface=wan1
add address=172.16.2.2/24 interface=wan2
add address=172.160.1.1/24 interface=proxy
add address=192.168.1.1/24 interface=lan1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=172.16.1.1,8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 comment="" disabled=no list=LocalNET
add address=172.160.1.0/24 comment="" disabled=no list=ProxyNET
Actually MikroTik has a built-in system to cache DNS requests; we only need to specify the parent DNS servers. In this case I have set up a local DNS server on the wan1 side with the same IP, 172.16.1.1. It does not matter whether you build a local DNS server on your network; even if you do not have one, you can use the common Google DNS servers.
Then we need to create the named address lists on the firewall that will be used when you want to redirect internet connections from the local area network (LAN) to the proxy server.
2. Masquerading the Two WAN Connections and Redirecting to the Web Proxy
/ip firewall nat
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address-list=!ProxyNET dst-port=80,8080 in-interface=lan1 protocol=tcp to-addresses=172.160.1.2 to-ports=3128 comment="TRANSPARENT PROXY"
There are two rules for masquerading the two WAN internet connections; they rewrite the source address of all outgoing packets. If a packet leaves via wan1 it is NATed to 172.16.1.0/24, and if it leaves via wan2 it is NATed to 172.16.2.0/24.
For redirecting connections from the LAN to the proxy we use chain=dstnat. This is a transparent web proxy, so you must set squid.conf on your Squid proxy server to http_port 3128 transparent. If the proxy is not transparent, this rule will not work.
3. Proxy Hit and Accepting All Traffic to Connected Networks
/ip firewall mangle
add chain=postrouting action=mark-packet new-packet-mark=cache-hits passthrough=no dscp=48 comment="PROXY HIT"
/ip firewall mangle
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.160.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.160.1.0/24
What I have done here is mark the proxy hit packets with dscp (tos)=48 in chain=postrouting, which corresponds to the cache hit marking in squid.conf on the Squid proxy server, so that those packets from the proxy to the network can bypass the normal limits. For the planned local DNS server, I then add rules to accept all traffic between the networks so that the router does not obstruct the overall network traffic.
4. Mangle Rules for ECMP Dual WAN Load Balancing
/ip firewall mangle
add action=mark-connection chain=input in-interface=wan1 connection-mark=no-mark new-connection-mark=wan1_conn comment="Mark Connection that are Initiated from Outside"
add action=mark-connection chain=input in-interface=wan2 connection-mark=no-mark new-connection-mark=wan2_conn
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_traf comment="Mark Routing for Router's Replies"
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan2_traf
The difference between the various load balancing methods lies in the last two rules of the script above, i.e. the rules that use chain=output. If you want to use dual WAN without load balancing between the two internet sources you have, you simply straighten out the fourth rule above so that it becomes:
- add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_traf
5. Route List for ECMP Dual WAN Load Balancing with Automatic Failover
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1,172.16.2.1 check-gateway=ping
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-mark=wan1_traf
add dst-address=0.0.0.0/0 gateway=172.16.2.1 routing-mark=wan2_traf
Look at the routing-mark in the script above, which refers to the new-routing-mark of the ECMP load balancing mangle rules, i.e. wan1_traf. If you trust that both WAN connections are quite stable in connection and ping, you do not need to extend this route further on your router; routing it this way is enough. But if you have doubts, just continue with the following automatic route failover!
/ip route
add dst-address=128.199.248.105 gateway=172.16.1.1 scope=10
add dst-address=111.67.16.202 gateway=172.16.2.1 scope=10
/ip route
add distance=1 gateway=128.199.248.105 routing-mark=wan1_traf check-gateway=ping
add distance=2 gateway=111.67.16.202 routing-mark=wan2_traf check-gateway=ping
/ip route
add distance=1 gateway=111.67.16.202 routing-mark=wan1_traf check-gateway=ping
add distance=2 gateway=128.199.248.105 routing-mark=wan2_traf check-gateway=ping
/ip route
add dst-address=10.129.30.1 gateway=128.199.248.105 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.129.31.1 gateway=111.67.16.202 scope=10 target-scope=10 check-gateway=ping
/ip route
add distance=1 gateway=10.129.30.1 routing-mark=wan1_traf
add distance=2 gateway=10.129.31.1 routing-mark=wan2_traf
/ip route
add distance=1 gateway=10.129.30.1
add distance=2 gateway=10.129.31.2
To complete the load balancing system with failover, note that the IPs 128.199.248.105 and 111.67.16.202 are DNS IPs of the OpenNIC project. They can be changed to any other DNS server you trust to be always on, so that the only time it becomes unreachable is when the ISP is having problems. That way it serves as an indication of the state of your ISP connection. It is used as a gateway, as shown in groups 2 and 3 of the script rules above.
The recursion technique looks like a tricky mathematical formula and it is rather hard to see how it works, but it really does work. The last three groups of rules in the script above use virtual gateways, IP addresses that do not actually exist on our network, namely 10.129.30.1 and 10.129.31.2. You are free to choose them; the route list on your router will then look as shown below!
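To see how the recursive routes fail over, here is a small Python model I wrote for this post (it is not RouterOS code): it implements the scope/target-scope resolution and the check-gateway=ping behaviour for groups 1 and 2 of the script, with the set of pingable DNS IPs as input, and it also shows why the host routes need scope=10.

```python
"""Simplified model of the recursive, ping-checked failover routes from
section 5 (an added example, not RouterOS code).  Scopes, distances and
addresses are the page's; which gateway IPs answer ping is supplied as input."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    dst: str                    # destination prefix
    gateway: str                # next hop, possibly not directly connected
    distance: int = 1
    scope: int = 30             # RouterOS static-route defaults
    target_scope: int = 10
    check_gateway: bool = False
    routing_mark: str = "main"


# Directly connected networks from /ip address (RouterOS gives them scope 10)
CONNECTED = {"172.16.1.0/24": "wan1", "172.16.2.0/24": "wan2"}

# Groups 1 and 2 of the page's /ip route script: host routes to the two
# OpenNIC DNS IPs and the recursive defaults for routing-mark wan1_traf
ROUTES = [
    Route("128.199.248.105/32", "172.16.1.1", scope=10),
    Route("111.67.16.202/32", "172.16.2.1", scope=10),
    Route("0.0.0.0/0", "128.199.248.105", distance=1,
          check_gateway=True, routing_mark="wan1_traf"),
    Route("0.0.0.0/0", "111.67.16.202", distance=2,
          check_gateway=True, routing_mark="wan1_traf"),
]


def resolve_nexthop(gateway, routes, max_scope, depth=0):
    """Follow a gateway through the main table until it lands on a connected
    network.  Only routes with scope <= the caller's target-scope may be
    used, which is why the host routes carry scope=10."""
    ip = ip_address(gateway)
    for net, iface in CONNECTED.items():
        if ip in ip_network(net):
            return gateway, iface          # immediate next hop found
    if depth > 8:                          # guard against routing loops
        return None
    usable = [r for r in routes
              if r.routing_mark == "main" and r.scope <= max_scope
              and ip in ip_network(r.dst)]
    if not usable:
        return None
    best = max(usable, key=lambda r: ip_network(r.dst).prefixlen)
    return resolve_nexthop(best.gateway, routes, best.target_scope, depth + 1)


def active_default(mark, routes, pingable):
    """Pick the default route RouterOS would use for a routing mark: lowest
    distance among routes that resolve and whose check-gateway ping succeeds."""
    active = []
    for r in routes:
        if r.routing_mark != mark or r.dst != "0.0.0.0/0":
            continue
        if r.check_gateway and r.gateway not in pingable:
            continue                       # ping failed: route goes inactive
        hop = resolve_nexthop(r.gateway, routes, r.target_scope)
        if hop:
            active.append((r.distance, hop))
    return min(active)[1] if active else None


def failover_table(routes=ROUTES):
    """wan1_traf next hop for each reachability state of the two DNS IPs."""
    dns1, dns2 = "128.199.248.105", "111.67.16.202"
    states = {"both up": {dns1, dns2}, "wan1 down": {dns2},
              "wan2 down": {dns1}, "both down": set()}
    return {name: active_default("wan1_traf", routes, up)
            for name, up in states.items()}


if __name__ == "__main__":
    for state, hop in failover_table().items():
        print(f"{state:10s} -> {hop}")
```

With the DNS IP on wan1 unreachable the distance-2 route takes over and traffic leaves via 172.16.2.1; a host route left at the default scope of 30 would never resolve the recursive gateway at all.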
6. Simple QoS Implementation for ECMP Dual WAN Load Balancing
/ip firewall mangle
add action=mark-connection chain=forward in-interface=proxy out-interface=lan1 new-connection-mark=proxy-conn dscp=!48 passthrough=yes comment="DOWNLOAD VIA PROXY"
add action=mark-packet chain=forward connection-mark=proxy-conn new-packet-mark=proxy-pkt passthrough=yes
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan1 passthrough=yes comment="PUBLIC DOWNSTEAM"
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan2 passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=dconn new-packet-mark=dpkt passthrough=yes
/ip firewall mangle
add action=mark-connection chain=forward out-interface=wan1 new-connection-mark=uconn passthrough=yes comment="PUBLIC UPSTEAM"
add action=mark-connection chain=forward out-interface=wan2 new-connection-mark=uconn passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=uconn new-packet-mark=upkt passthrough=yes
/ip firewall mangle
add action=mark-packet chain=forward connection-bytes=1000000-0 passthrough=no packet-mark=dpkt new-packet-mark=hpkt protocol=tcp comment="PUBLIC HARD"
add action=mark-packet chain=forward connection-bytes=1000000-0 passthrough=no packet-mark=proxy-pkt new-packet-mark=hpkt protocol=tcp comment=""
For the ECMP dual WAN load balancing system with failover here, we only use chain=forward when marking the upload and download packets in this QoS (Quality of Service) implementation.
The first rule is for downloads via the proxy. If you are unable to capture the proxy's cache hit traffic properly, HIT and MISS packets still end up together here. Some people call this a proxy hit, but I think we cannot call it HIT or MISS proxy traffic as long as we cannot separate them properly. The biggest problem I have found is how to separate proxy HITs and MISSes explicitly. A proxy MISS is a packet requested by a client (LAN) from the proxy which the proxy does not have in its cache, so it requests it from the internet server directly.
For the second and third rules I have already provided comments in the script: these are the download and upload connection packets that actually go to and from the internet server. So this is the simple QoS implementation of dual WAN load balancing.
The fourth rule separates out connection packets, from either the clients or the proxy, that exceed 1,000,000 bytes (around 1 MB). This generally captures connections such as downloads of any kind of file or video streaming. If you have much more bandwidth you can divide the connections into various kinds as you please.
After the connection packets have been captured, we finally set the queue tree and queue type rules. In this case I just set a limit value on the HARDSTEAM queue tree entry to manage the bandwidth, as in the script below!
/queue type
add name=sfq_proxy_hit kind=sfq
add name=pcq_upsteam kind=pcq pcq-rate=0 pcq-classifier=src-address
add name=pcq_downsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_hardsteam kind=pcq pcq-rate=256k pcq-classifier=dst-address
add name=pcq_proxysteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
/queue tree
add name=HIT_PROXY parent=global-out packet-mark=cache-hits queue=sfq_proxy_hit priority=1
add name=UPSTEAM parent=global-out queue=pcq_upsteam packet-mark=upkt priority=3
add name=DOWNSTEAM parent=global-out queue=pcq_downsteam packet-mark=dpkt priority=4
add name=HARDSTEAM parent=global-out queue=pcq_hardsteam packet-mark=hpkt limit-at=100k max-limit=300k priority=8
add name=PROXYSTEAM parent=global-out queue=pcq_proxysteam packet-mark=proxy-pkt priority=2
Especially for UPSTEAM, the upload packet queue, it should use parent=global-out according to the mangle rules that have been defined for the connection packets. For a dual WAN load balancing bandwidth capacity that is not too large, this is a quite simple QoS that is effective for bandwidth management of ECMP dual WAN load balancing, and you can see the results as shown below!
7. Security Access for the Load Balancing System
/ip firewall address-list
add address=192.168.1.8 disabled=no list=internet-allowed
add address=192.168.1.11 disabled=no list=internet-allowed
add address=192.168.1.12 disabled=no list=internet-allowed
add address=192.168.1.14 disabled=no list=internet-allowed
add address=192.168.1.15 disabled=no list=internet-allowed
add address=192.168.1.16 disabled=no list=internet-allowed
add address=192.168.1.17 disabled=no list=internet-allowed
add address=192.168.1.20 disabled=no list=internet-allowed
add address=192.168.1.21 disabled=no list=internet-allowed
add address=192.168.1.22 disabled=no list=internet-allowed
add address=172.160.1.2 disabled=no list=internet-allowed
/ip firewall filter
add action=accept chain=input comment="Accept Input Established" connection-state=established disabled=no
add action=accept chain=input comment="Accept Input Related" connection-state=related disabled=no
add action=drop chain=input comment="Drop Input Invalid" connection-state=invalid disabled=no
add action=accept chain=input comment="Accept Input Limited ICMP" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop Input Exceed ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Accept Input Winbox" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept Input Webfig" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="Accept Input Telnet" disabled=no dst-port=23 protocol=tcp
add action=accept chain=input comment="Accept Input SSH" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="Accept Input DNS" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Accept Input Winbox Discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="Drop Input Anything Else" disabled=no
add action=accept chain=forward comment="Accept Forward Established" connection-state=established disabled=no
add action=accept chain=forward comment="Accept Forward Related" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Forward Invalid" connection-state=invalid disabled=no
add action=jump chain=forward comment="Accept User Internet and Jump to Port-Filter" disabled=no jump-target=port-filter src-address-list=internet-allowed
add action=accept chain=port-filter comment="Accept Port-Filter HTTP" disabled=no port=80 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter HTTPS AND SNEWS" disabled=no port=443,563 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter rsync" disabled=no port=873 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gopher" disabled=no port=70 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter wais" disabled=no port=210 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter unregistered ports" disabled=no port=1025-65535 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter PROXY" disabled=no port=8000,8080,3128 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter http-mgmt" disabled=no port=280 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gss-http" disabled=no port=488 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter filemaker" disabled=no port=591 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter multiling http" disabled=no port=777 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter cups" disabled=no port=631 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter SWAT" disabled=no port=901 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter Email Ports" disabled=no port=25,587,465,110,143,993,995 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter YM" disabled=no port=5050 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter VPN BCA" disabled=no port=500,10000 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter DNS" disabled=no port=53,8053,35053 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter NTP" disabled=no port=123 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter ICMP" disabled=no protocol=icmp
add action=drop chain=port-filter comment="Drop Port-Filter Anything Else" disabled=no
add action=drop chain=forward comment="Drop Forward Anything Else" disabled=no
This is just a complement to the ECMP dual WAN load balancing bandwidth management system with failover, proxy and DNS server, which would otherwise be very vulnerable to a variety of things we do not want. Therefore I think we need to add security on the firewall filter so that the load balancing network can work properly. If this QoS is still not enough to manage bandwidth the way you want, I will continue with a specific QoS implementation on the load balancing.
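As an added check for the filter above (my own Python, not part of the configuration), the following parses the input-chain rules in RouterOS export form and flags accept rules that expose Winbox, Webfig, Telnet, SSH or DNS on every interface, the WAN side included; the hardened variant with in-interface=lan1 is my assumption of the intended scope.

```python
"""Audit the page's /ip firewall filter input chain for management services
reachable from any interface (an added example, not part of the page's
configuration).  Rule text is parsed the way it appears in a RouterOS export."""
import shlex

MGMT_PORTS = {"22": "SSH", "23": "Telnet", "80": "Webfig", "8291": "Winbox"}
SOURCE_KEYS = ("in-interface", "in-interface-list",
               "src-address", "src-address-list")

# Input-chain rules copied from the page's script (subset, in original order)
PAGE_RULES = """
add action=accept chain=input comment="Accept Input Established" connection-state=established disabled=no
add action=accept chain=input comment="Accept Input Winbox" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept Input Webfig" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="Accept Input Telnet" disabled=no dst-port=23 protocol=tcp
add action=accept chain=input comment="Accept Input SSH" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="Accept Input DNS" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="Drop Input Anything Else" disabled=no
"""

# Hardened variant (my assumption of intent): the same accepts limited to lan1
HARDENED_RULES = "\n".join(
    line + " in-interface=lan1" if "dst-port=" in line else line
    for line in PAGE_RULES.splitlines())


def parse_rule(line):
    """Turn one 'add key=value ...' line into a dict; quoted comments are
    handled by shlex so comment="Accept Input SSH" stays one token."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None
    return dict(tok.partition("=")[::2] for tok in tokens[1:])


def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def audit_input_chain(rules):
    """Return findings: accept rules for management or DNS ports with no
    source restriction, and a missing catch-all drop at the end of the chain."""
    findings = []
    chain = [r for r in rules if r.get("chain") == "input"]
    for r in chain:
        if r.get("action") != "accept" or "dst-port" not in r:
            continue
        if any(k in r for k in SOURCE_KEYS):
            continue                        # restricted to a source: fine
        ports = set(r["dst-port"].split(","))
        exposed = sorted(ports & MGMT_PORTS.keys(), key=int)
        if r.get("protocol") == "tcp" and exposed:
            names = ", ".join(MGMT_PORTS[p] for p in exposed)
            findings.append(f"{names} (tcp {r['dst-port']}) accepted from any interface")
        if r.get("protocol") == "udp" and "53" in ports:
            findings.append("DNS (udp 53) open to all interfaces; with "
                            "allow-remote-requests=yes this is an open resolver")
    last = chain[-1] if chain else {}
    if last.get("action") != "drop" or any(k in last for k in ("protocol", "dst-port")):
        findings.append("input chain does not end with a catch-all drop")
    return findings


if __name__ == "__main__":
    for f in audit_input_chain(load_rules(PAGE_RULES)):
        print("finding:", f)
```

Run against the page's rules it reports five findings (four management ports plus the open DNS port); against the lan1-restricted variant it reports none.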
Hello my brother, I want you to explain Squid Cache 3 cache in YouTube and Facebook and all the sites and how to tie MikroTik and how to pass the HTTPS certification automatically for customers
And explain Squid 3 on Linux Ubuntu please
I have not implemented Squid on Linux Ubuntu yet. I know that it is possible to redirect port 443 (HTTPS) to the transparent proxy, but it would be a rather tricky thing
Where do queue=sfq_proxy_hit, queue=pcq_upsteam, queue=pcq_downsteam & queue=pcq_proxysteam come from? There is only pcq_hardsteam in the queue types
Oops...! There was a mistake in pasting the script into this post! Thanks for your input, I have already fixed and completed it. In this load balancing I just use 512 kbps + 512 kbps
Mas Agus, where is the mangle rule for packet-mark=cache-hits?
Thanks,
Hi
I am looking for PCC load balancing failover with proxy and DNS in MikroTik with Squid as an external proxy. Can you make a lab on this?
Thanks
Can you describe to me the statement [i know that this is possible in redirecting port 443 (https) to the transparent proxy but it would be rather tricky things]? Is there any better idea for YouTube speed-up? What about Squid proxy? And how to configure it on a MikroTik RouterBoard RB750? I have one public IP on the internet.
Mas Agus, for load balancing 2 ISPs without a proxy, should the proxy script just be skipped? Or what?
Hi Ketut.
I saw one of your videos on YouTube: great job, steps clearly shown even without voice comments.
Congrats.
I wonder if the full script could be found anywhere so I can use the same "copy and paste" method you did!
Doing so, step by step, will help me a lot to learn MikroTik mechanisms.
Thank you so much.