Ecmp Load Balancing Failover with Proxy and DNS Server

Now that you know the background and environment I described previously, it is time to explain ECMP load balancing with automatic route failover, combined with a proxy and a DNS server. Based on the topology in the picture above, we are going to bring the proxy and DNS servers into the load balancing system; I will discuss the proxy and DNS servers in more detail separately later. For now we only need to know the IP address and port used by the proxy, and the IP address of the DNS server, which we will enter into the ECMP load balancing failover configuration.


As you probably know, load balancing is better when completed with a failover system: if one of the internet connections has a problem, internet access keeps running over the other without the two disturbing each other. Several kinds of failover techniques have been widely discussed. Here I will use the automatic route-list failover technique, without scripting. By scripting I mean writing scripts that are inserted into the system and run automatically according to their own logic, usually through the system scheduler. Ok, let's get started!

1. Specifying Router DNS and Address List on Firewall

This assumes that you have installed the network according to the interface schematic in the previous article. So as not to confuse you, I put the interface and IP address setup in the scripts below.
/interface
set 1 name=wan1
set 2 name=wan2
set 3 name=proxy
set 4 name=lan1
set 5 name=not-used

/ip address
add address=172.16.1.2/24 interface=wan1
add address=172.16.2.2/24 interface=wan2 
add address=172.160.1.1/24 interface=proxy
add address=192.168.1.1/24 interface=lan1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=172.16.1.1,8.8.8.8,8.8.4.4

/ip firewall address-list
add address=192.168.1.0/24 comment="" disabled=no list=LocalNET
add address=172.160.1.0/24 comment="" disabled=no list=ProxyNET
MikroTik actually has a built-in cache for DNS requests, so we only need to specify the parent DNS servers. In this case I have built a local DNS server on the wan1 side with the same IP, 172.16.1.1. It does not matter whether you build a local DNS server on your own network; if you do not have one, you can use the public Google DNS servers.

Then we create the named address lists in the firewall that will be used when redirecting internet connections from the local area network (LAN) to the proxy server.

2. Masquerading 2 Wan Connections and Redirect Web Proxy

/ip firewall nat
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address-list=!ProxyNET dst-port=80,8080 in-interface=lan1 protocol=tcp to-addresses=172.160.1.2 to-ports=3128 comment="TRANSPARENT PROXY"
The first two rules masquerade the two WAN internet sources, rewriting the source address of all outgoing packets. If a packet leaves via wan1 it will be NATed to 172.16.1.0/24; if via wan2, to 172.16.2.0/24.

To redirect connections from the LAN to the proxy we use chain=dstnat. This is a transparent web proxy, so you must set squid.conf on your Squid proxy server to http_port 3128 transparent. If the proxy is not transparent, this rule will not work.

3. Proxy Hit and Accepting All Traffic to Connected Networks

/ip firewall mangle
add chain=postrouting action=mark-packet new-packet-mark=cache-hits passthrough=no dscp=48 comment="PROXY HIT"

/ip firewall mangle
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.1.0/24 
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.160.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.160.1.0/24
This is what I have done: mark the proxy HIT packets with dscp(tos)=48 in chain=postrouting, matching the cache-hit marking configured in squid.conf on the Squid proxy server, so that those packets from the proxy to the network bypass the rest of the rules. For the planned local DNS server, I also add the following rules to accept all traffic between the connected networks, so that the router does not obstruct the overall network traffic.

4. Mangle for The Rule Ecmp Dual Wan Load Balancing

/ip firewall mangle
add action=mark-connection chain=input in-interface=wan1 connection-mark=no-mark new-connection-mark=wan1_conn comment="Mark Connection that are Initiated from Outside"
add action=mark-connection chain=input in-interface=wan2 connection-mark=no-mark new-connection-mark=wan2_conn
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_traf comment="Mark Routing for Router's Replies"
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan2_traf
The difference between the various load balancing methods lies in the last two rules of the script above, i.e. the rules that use chain=output. If you want to use dual WAN without load balancing between your two internet sources, simply straighten out the fourth rule above so that it becomes:

  • add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_traf

5. Route List ECMP Dual Wan Load Balancing Automatic Failover

/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1,172.16.2.1 check-gateway=ping
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-mark=wan1_traf
add dst-address=0.0.0.0/0 gateway=172.16.2.1 routing-mark=wan2_traf
Look at the mark-routing in the script above, which refers to the new-routing-mark of the ECMP load balancing mangle, that is wan1_traf. If you trust that both WAN connections are quite stable in connectivity and ping, you do not need to extend these routes any further on your router; this is enough. But if you have doubts, continue with the following automatic route failover!

/ip route
add dst-address=128.199.248.105 gateway=172.16.1.1 scope=10
add dst-address=111.67.16.202 gateway=172.16.2.1 scope=10

/ip route
add distance=1 gateway=128.199.248.105 routing-mark=wan1_traf check-gateway=ping
add distance=2 gateway=111.67.16.202 routing-mark=wan2_traf check-gateway=ping

/ip route
add distance=1 gateway=111.67.16.202 routing-mark=wan1_traf check-gateway=ping
add distance=2 gateway=128.199.248.105 routing-mark=wan2_traf check-gateway=ping

/ip route
add dst-address=10.129.30.1 gateway=128.199.248.105 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.129.31.1 gateway=111.67.16.202 scope=10 target-scope=10 check-gateway=ping

/ip route
add distance=1 gateway=10.129.30.1 routing-mark=wan1_traf
add distance=2 gateway=10.129.31.1 routing-mark=wan2_traf

/ip route
add distance=1 gateway=10.129.30.1
add distance=2 gateway=10.129.31.1
To complete the load balancing system with failover, note that the IPs 128.199.248.105 and 111.67.16.202 are DNS IPs of the OpenNIC project. They can be changed to other DNS servers that you trust to be always on, the only exception being when the ISP itself is having problems. That makes them an indicator of the state of your ISP connection. They are used as gateways in rule groups 2 and 3 of the script above.

It is like a tricky mathematical formula, rather hard to see how it works: it is the recursion technique, and it really works. The last three rule groups of the script above use virtual gateways, IP addresses that do not actually exist on our network, 10.129.30.1 and 10.129.31.1. You are free to choose them, and the route list on your router will then look as shown below!
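As an added check, not part of the original post, the following RouterOS script walks the same route list. For each routing mark it prints every default route with its gateway, distance and active flag, and logs a warning when a distance=1 route has gone inactive, which is what happens when check-gateway=ping on the watched DNS host fails and the recursive virtual gateway that depends on it is withdrawn. It uses the routing-mark property as this page does (RouterOS v6 syntax); the log message text is my own.

```routeros
# Added check (not from the original post): show which default routes are
# active per routing mark and log when a primary (distance=1) route is down.
# Run it from /system scheduler or paste it into a terminal.
:foreach mark in={"wan1_traf";"wan2_traf"} do={
    :foreach r in=[/ip route find where dst-address="0.0.0.0/0" and routing-mark=$mark] do={
        :local gw [/ip route get $r gateway]
        :local dist [/ip route get $r distance]
        :local act [/ip route get $r active]
        :put "$mark distance=$dist gateway=$gw active=$act"
        # distance=1 inactive means the failover (distance=2) route is carrying traffic
        :if ($dist = 1 && $act = false) do={
            :log warning "primary route for $mark via $gw is inactive; failover in effect"
        }
    }
}
```

Running this once with both WANs up and once with a WAN cable pulled shows the active flag moving from the distance=1 to the distance=2 route, which is the quickest way to confirm the recursion is resolving the way the prose above describes.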


6. Simple QoS Implementation ECMP Dual Wan Load Balancing


/ip firewall mangle
add action=mark-connection chain=forward in-interface=proxy out-interface=lan1 new-connection-mark=proxy-conn dscp=!48 passthrough=yes comment="DOWNLOAD VIA PROXY"
add action=mark-packet chain=forward connection-mark=proxy-conn new-packet-mark=proxy-pkt passthrough=yes
 
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan1 passthrough=yes comment="PUBLIC DOWNSTEAM"
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan2 passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=dconn new-packet-mark=dpkt passthrough=yes
 
/ip firewall mangle
add action=mark-connection chain=forward out-interface=wan1 new-connection-mark=uconn passthrough=yes comment="PUBLIC UPSTEAM"
add action=mark-connection chain=forward out-interface=wan2 new-connection-mark=uconn passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=uconn new-packet-mark=upkt passthrough=yes
 
/ip firewall mangle
add action=mark-packet chain=forward connection-bytes=1000000-0 passthrough=no packet-mark=dpkt new-packet-mark=hpkt protocol=tcp comment="PUBLIC HARD"
add action=mark-packet chain=forward connection-bytes=1000000-0 passthrough=no packet-mark=proxy-pkt new-packet-mark=hpkt protocol=tcp comment=""
For this ECMP dual WAN load balancing with failover, we only use chain=forward when marking upload and download packets in this QoS (Quality of Service) implementation.

The first rule is download via proxy. If you cannot capture the proxy's cache HIT traffic separately, the HIT and MISS packets both end up here. Some people call this the proxy HIT, but I do not think we can call it HIT or MISS as long as we cannot separate them. The biggest problem I have found is how to separate proxy HIT and MISS explicitly. A proxy MISS is a packet requested by a client (LAN) from the proxy that the proxy does not have in its cache, so it requests it from the internet server directly.

For the second and third rules I have already provided comments in the script: these are the download and upload connection packets actually exchanged with the internet server. So this is the simple QoS implementation for dual WAN load balancing.

The fourth rule separates connection packets, whether from the clients or from the proxy, that are larger than 1,000,000 bytes (around 1 MB). This generally captures connections such as downloads of files of any extension or video streaming. If you have much more bandwidth you can divide them into various kinds of connection packets as you please.

After the connection packets have been captured, finally we set the queue tree and queue type rules. In this case I only give a limit value on HARDSTEAM in the queue tree to manage the bandwidth, like the script below!

/queue type
add name=sfq_proxy_hit kind=sfq
add name=pcq_upsteam kind=pcq pcq-rate=0 pcq-classifier=src-address
add name=pcq_downsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_hardsteam kind=pcq pcq-rate=256k pcq-classifier=dst-address
add name=pcq_proxysteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
 
/queue tree
add name=HIT_PROXY parent=global-out packet-mark=cache-hits queue=sfq_proxy_hit priority=1
add name=UPSTEAM parent=global-out queue=pcq_upsteam packet-mark=upkt priority=3
add name=DOWNSTEAM parent=global-out queue=pcq_downsteam packet-mark=dpkt priority=4
add name=HARDSTEAM parent=global-out queue=pcq_hardsteam packet-mark=hpkt limit-at=100k max-limit=300k priority=8
add name=PROXYSTEAM parent=global-out queue=pcq_proxysteam packet-mark=proxy-pkt priority=2
Especially for UPSTEAM, the upload packet queue, the parent should be global-out, according to the mangle rules defined for the connection packets. For dual WAN load balancing with not too much bandwidth capacity, this is a quite simple QoS that is effective for bandwidth management of ECMP dual WAN load balancing, and the results can be seen below!

7. Security Access for The System Load Balancing

/ip firewall address-list
add address=192.168.1.8 disabled=no list=internet-allowed
add address=192.168.1.11 disabled=no list=internet-allowed
add address=192.168.1.12 disabled=no list=internet-allowed
add address=192.168.1.14 disabled=no list=internet-allowed
add address=192.168.1.15 disabled=no list=internet-allowed
add address=192.168.1.16 disabled=no list=internet-allowed
add address=192.168.1.17 disabled=no list=internet-allowed
add address=192.168.1.20 disabled=no list=internet-allowed
add address=192.168.1.21 disabled=no list=internet-allowed
add address=192.168.1.22 disabled=no list=internet-allowed
add address=172.160.1.2 disabled=no list=internet-allowed

/ip firewall filter
add action=accept chain=input comment="Accept Input Established" connection-state=established disabled=no
add action=accept chain=input comment="Accept Input Related" connection-state=related disabled=no
add action=drop chain=input comment="Drop Input Invalid" connection-state=invalid disabled=no
add action=accept chain=input comment="Accept Input Limited ICMP" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop Input Exceed ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Accept Input Winbox" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept Input Webfig" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="Accept Input Telnet" disabled=no dst-port=23 protocol=tcp
add action=accept chain=input comment="Accept Input SSH" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="Accept Input DNS" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Accept Input WInbox Discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="Drop Input Anything Else" disabled=no
add action=accept chain=forward comment="Accept Forward Established" connection-state=established disabled=no
add action=accept chain=forward comment="Accept Forward Related" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Forward Invalid" connection-state=invalid disabled=no
add action=jump chain=forward comment="Accept User Internet and Jump to Port-Filter" disabled=no jump-target=port-filter src-address-list=internet-allowed
add action=accept chain=port-filter comment="Accept Port-Filter HTTP" disabled=no port=80 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter HTTPS AND SNEWS" disabled=no port=443,563 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter rsync" disabled=no port=873 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gopher" disabled=no port=70 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter wais" disabled=no port=210 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter unregistered ports" disabled=no port=1025-65535 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter PROXY" disabled=no port=8000,8080,3128 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter http-mgmt" disabled=no port=280 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gss-http" disabled=no port=488 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter filemaker" disabled=no port=591 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter multiling http" disabled=no port=777 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter cups" disabled=no port=631 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter SWAT" disabled=no port=901 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter Email Ports" disabled=no port=25,587,465,110,143,993,995 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter YM" disabled=no port=5050 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter VPN BCA" disabled=no port=500,10000 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter DNS" disabled=no port=53,8053,35053 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter NTP" disabled=no port=123 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter ICMP" disabled=no protocol=icmp
add action=drop chain=port-filter comment="Drop Port-Filter Anything Else" disabled=no
add action=drop chain=forward comment="Drop Forward Anything Else" disabled=no
This is just a complement to the ECMP dual WAN load balancing bandwidth management system with failover, proxy and DNS server, which would otherwise be very vulnerable to a variety of things we do not want. Therefore I think we need to add security in the firewall filter so that the load balancing network can work properly. If this QoS is still not enough to manage bandwidth the way you desire, I will continue with a more specific QoS implementation on the load balancing.
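The input rules in the script above accept Winbox, Webfig, Telnet, SSH and DNS without any in-interface or source restriction, so they are reachable from wan1 and wan2 as well as from the LAN, and together with allow-remote-requests=yes from section 1 the unrestricted udp/53 accept makes the router an open resolver for the internet. The following variant is an added example, not the author's configuration: it keeps the same rule order but binds management and DNS to the networks that need them. The address-list name mgmt-allowed is constructed for the example (its member is one of the hosts from the internet-allowed list above); LocalNET and ProxyNET are the lists defined in section 1, and the rule for the proxy only matters if the proxy resolves names through the router.

```routeros
# Added example, not part of the original post: management plane and DNS
# restricted to the interfaces and address lists that need them.
/ip firewall address-list
add address=192.168.1.8 list=mgmt-allowed comment="admin workstation (example value)"

# Telnet and Webfig carry credentials in clear text; turn the services off and
# pin Winbox and SSH to the LAN subnet at the service level as well.
/ip service
set telnet disabled=yes
set www disabled=yes
set winbox address=192.168.1.0/24
set ssh address=192.168.1.0/24

/ip firewall filter
add action=accept chain=input comment="Accept Input Established" connection-state=established
add action=accept chain=input comment="Accept Input Related" connection-state=related
add action=drop chain=input comment="Drop Input Invalid" connection-state=invalid
add action=accept chain=input comment="Accept Input Limited ICMP" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop Input Exceed ICMP" protocol=icmp
# management only from LAN admins: interface AND source list must both match
add action=accept chain=input comment="Winbox and SSH from LAN admins only" dst-port=8291,22 in-interface=lan1 protocol=tcp src-address-list=mgmt-allowed
# the router's DNS cache serves LAN clients and the proxy, never the WAN side
add action=accept chain=input comment="DNS for LAN clients" dst-port=53 in-interface=lan1 protocol=udp src-address-list=LocalNET
add action=accept chain=input comment="DNS for the proxy server" dst-port=53 in-interface=proxy protocol=udp src-address-list=ProxyNET
add action=accept chain=input comment="Winbox discovery from LAN only" dst-port=5678 in-interface=lan1 protocol=udp
add action=drop chain=input comment="Drop Input Anything Else"
```

The forward chain and the port-filter jump from the original script stay as they are; only the input chain changes. After applying it, /ip firewall filter print stats shows the "Drop Input Anything Else" counter absorbing the WAN-side management and DNS probes that the original rules would have accepted.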

15 comments :

  1. Hello my brother, I want you to explain Squid Cache 3 cache in YouTube and Facebook and all the sites, and how to tie MikroTik, and how to pass the HTTPS certification automatically for customers

  2. And explain the Squid 3 on Linux ubuntu plz

    1. I have not implemented Squid on Linux Ubuntu yet. I know that it is possible to redirect port 443 (https) to the transparent proxy, but it would be rather tricky.

  3. Glad to have found your site. Keep up the good work! DB Product Review

  4. Where do queue=sfq_proxy_hit, queue=pcq_upsteam, queue=pcq_downsteam & queue=pcq_proxysteam come from? There is only pcq_hardsteam in queue type.

    1. Oops...! Some mistake in pasting the script into this note! Thanks for your input, I have already fixed and completed it. In this load balancing I just use 512 kbps + 512 kbps.

    2. Mas Agus, where is the mangle for the packet-mark=cache-hits?
      Thanks,

  5. I salute the admin of this diary. I actually like it and I can surely recommend this diary to my friends.
    access Bomb-mp3 in UK

  6. I like your article, it is very nice. wordpress installation service

    access FileCrop in UK

  7. Hi

    I am looking for PCC load balancing failover with proxy and DNS in MikroTik, with Squid as an external proxy. Can you make a lab on this?


    Thanks

  8. I am very thankful to the author for writing this fruitful information. It is worth sharing with other users. Thanks once again
    FileCrop UK proxy

  9. Can you describe the statement [i know that this is possible in redirecting port 443 (https) to the transparent proxy but it would be rather tricky things] to me? Is there any better idea to speed up YouTube? What about Squid proxy, and how to configure it on a MikroTik RouterBoard RB750? I have one public internet IP.

  10. I read your article and get very important information in addition if you have any query you can click here.


    access Mp3Raid in UK

  11. Mas Agus, for load balancing two ISPs without a proxy, is the script for the proxy simply skipped? Or how is it done?

  12. Hi Ketut.
    I saw one of your videos on YouTube: great job, steps clearly shown even without voice comments.
    Congrats.

    I wonder if the full script can be found somewhere, to use the same "copy and paste" method you did!
    Doing so, step by step, will help me a lot to learn MikroTik mechanisms.

    Thank you so much.
