
NTH load balancing with masquerade (another approach)

From MikroTik Wiki

Contents

1 Summary
2 Fast forward
3 Detailed explanation
4 Packet route logic
5 How to expand this example to more WANs

Summary

Load balancing using Nth can be done in several different ways. This approach focuses on performance, meaning fewer rules for a packet to pass and fewer attributes for each rule to check. In its current state the majority of packets pass through N rules, where N is the number of connections you are load balancing with this example. The example is easy to expand from 2 connections to any number you wish, but the consequences are: more connections, more rules packets have to pass, greater load on the router, bigger latency. In this example N=2.

NOTE: this example assumes you have an empty mangle table. After the mangle rules have been processed, packets are accepted with routing-mark rules.

Fast forward

For those impatient:

/ip address add address=80.248.14.130/27 interface=first-Out
/ip address add address=41.84.163.2/24 interface=second-Out
/ip address add address=172.16.0.1/24 interface=ether3-Local
/ip address add address=172.16.1.1/24 interface=ether4-Local

/ip firewall address-list add address=172.16.0.0/24 list=local
/ip firewall address-list add address=172.16.1.0/24 list=local
/ip route add gateway=80.248.14.129
/ip route add gateway=80.248.14.129 routing-mark=first
/ip route add gateway=41.84.163.1 routing-mark=second
/ip firewall nat add chain=srcnat out-interface=first-Out action=masquerade
/ip firewall nat add chain=srcnat out-interface=second-Out action=masquerade
/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,2
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain="mark new unseen" disabled=no
/ip firewall mangle add action=jump chain="mark new unseen" disabled=no jump-target="mark connection"
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second
/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark connection" src-address-list=local
/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark new unseen" src-address-list=local

Detailed explanation

Adding IP addresses to interfaces

I am assuming I have 2 outgoing WAN interfaces and 2 local LAN interfaces. I assume that the addresses on the WAN side are public (not so in the example).

/ip address add address=10.0.0.1/24 interface=first-Out
/ip address add address=10.0.1.1/24 interface=second-Out
/ip address add address=172.16.0.1/24 interface=ether3-Local
/ip address add address=172.16.1.1/24 interface=ether4-Local

Creating an address list of possible local addresses

We need this list in our configuration so that only traffic from the local interfaces is marked with routing marks. You can also use in-interface if there is just one incoming LAN interface on the router.

/ip firewall address-list add address=172.16.0.0/24 list=local
/ip firewall address-list add address=172.16.1.0/24 list=local

Adding routes

A default route for unmarked traffic, and 2 routes for marked traffic.

NOTE: connections to the router will only work to the 10.0.0.1 address. Connections to the other WAN address will always fail; that is configurable, but it is out of scope of this document.
/ip route add gateway=10.0.0.2
/ip route add gateway=10.0.0.2 routing-mark=first
/ip route add gateway=10.0.1.2 routing-mark=second

Masquerade rules

So that our local addresses can access internet addresses.

/ip firewall nat add chain=srcnat out-interface=first-Out action=masquerade
/ip firewall nat add chain=srcnat out-interface=second-Out action=masquerade

Mangle rules

This is where all the marking is done. I am dividing the mangle rules into 5 sections (A-E).

Section A

These 4 rules add addresses to address lists. As a result, all currently active internal addresses are divided into the dynamic address lists first and second, and these will be routed through the corresponding gateways. When that is done, for simplicity the address is also added to one more address list, seen, so we know that we have seen this address and do not have to check it more than once. When everything is done we jump to "mark connection" and set the routing-mark for the packet we are working with. Here we are working only with new packets from hosts we have not seen yet.

After this section finishes, these packets are no different from those matched in Section D, so they are passed to Section B for further processing.

/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,2
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain="mark new unseen" disabled=no
/ip firewall mangle add action=jump chain="mark new unseen" disabled=no jump-target="mark connection"

Section B

The next 4 rules mark the connections of both new packets from hosts we have not seen yet and new packets from seen hosts. First mark the connection, then add the routing-mark.

/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no

Section C

The next 2 rules set the routing-mark on packets that already have a connection-mark set. As a result, the majority of packets pass through just these 2 rules.
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second

Section D

This rule catches new connection packets that come from our "seen" clients, e.g. a client initiating a new HTTP download session (opening a web page). Packets are passed to Section B where they are marked.

/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark connection" src-address-list=local

Section E

If the client IP address is not in our seen list, the packet is passed to Section A, where the address is added to an address list and after that is ready to be processed.

/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark new unseen" src-address-list=local

Packet route logic

New packet from an unseen address

When the router is booting up it has no seen list and no clients are assigned to gateways, or a packet is received from a previously unseen client. When the first packet arrives it is checked in Section C; as it does not match there, it is passed on to Section D and then to Section E, where it is finally matched and passed for processing to Section A. In Section A the packet is matched and assigned to one of the 2 address lists (first and second) and then added to the seen address list. After that is done, the packet is passed to Section B, where its connection is marked; the packet then receives its routing mark and is accepted.

New packet from a seen address

The packet is passed through Section C to Section D, where it is matched and passed to Section B, where its connection is marked and the packet is accepted.

Packet from a seen address

The packet arrives in Section C, is matched there and accepted.

How to expand this example to more WANs

To have more WANs you have to add an additional IP address and an additional route with a routing-mark, e.g. third. Then you have to edit Sections A-C.

Changes in Section A

Here we have to adjust the nth field value: the first value is the number of packets we are counting over, usually equal to your WAN count. Then add an additional rule as in the example below.

/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain="mark new unseen" disabled=no nth=3,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain="mark new unseen" disabled=no nth=3,2
/ip firewall mangle add action=add-src-to-address-list address-list=third address-list-timeout=0s chain="mark new unseen" disabled=no nth=3,3
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain="mark new unseen" disabled=no
/ip firewall mangle add action=jump chain="mark new unseen" disabled=no jump-target="mark connection"

Changes in Section B

Here we have to add 2 new rules: one to mark connections whose source address is in the third address-list, and after that one to mark routing corresponding to that connection mark.
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=third_conn passthrough=yes src-address-list=third
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no

Changes in Section C

Here we have to add a rule just like the new one in Section B, changing only the chain to prerouting, as in all other rules in this section. The Section B rule:

/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no
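To check the packet route logic (Sections A-E) and the N-WAN expansion without a router, here is an added Python model of the mangle chains; it is not RouterOS code and not part of the wiki page. It assumes that the nth=N,k rules, which all see the same packets, advance in step (so one shared counter is used), that passthrough=no ends mangle processing, and it uses constructed client addresses from the page's 172.16.0.0/24 and 172.16.1.0/24 ranges; prerouting() returns the routing mark plus how many rules the packet traversed, which makes the Summary's claim that most packets pass through only N rules (Section C) checkable.

```python
from ipaddress import ip_address, ip_network

class NthMangle:                               # model of the page's mangle Sections A-E
    def __init__(self, wans=("first", "second"),
                 local=("172.16.0.0/24", "172.16.1.0/24")):
        self.wans = wans                       # routing marks: first, second, ...
        self.local = [ip_network(n) for n in local]  # the 'local' address list
        self.lists = {w: set() for w in wans}  # dynamic address lists first, second, ...
        self.seen = set()                      # the 'seen' address list
        self.nth_counter = 0                   # assumption: one shared nth packet counter
        self.conn_mark = {}                    # connection id -> connection-mark
        self.hits = 0                          # mangle rules evaluated for current packet
    def _is_local(self, src):
        return any(ip_address(src) in net for net in self.local)
    def mark_new_unseen(self, src, conn):      # Section A: chain "mark new unseen"
        n = len(self.wans)
        self.nth_counter += 1
        for k, w in enumerate(self.wans, 1):   # add-src-to-address-list with nth=N,k
            self.hits += 1
            if self.nth_counter % n == k % n:
                self.lists[w].add(src)
        self.hits += 1
        self.seen.add(src)                     # add-src-to-address-list seen
        self.hits += 1                         # jump "mark connection"
        return self.mark_connection(src, conn)
    def mark_connection(self, src, conn):      # Section B: chain "mark connection"
        for w in self.wans:                    # mark-connection rules, passthrough=yes
            self.hits += 1
            if src in self.lists[w]:
                self.conn_mark[conn] = w + "_conn"
        for w in self.wans:                    # mark-routing rules, passthrough=no
            self.hits += 1
            if self.conn_mark.get(conn) == w + "_conn":
                return w
        return None                            # unseen host: nothing matched, chain returns
    def prerouting(self, src, conn, new):
        """One packet through prerouting: returns (routing-mark, rules evaluated)."""
        self.hits = 0
        for w in self.wans:                    # Section C: connection already marked
            self.hits += 1
            if self.conn_mark.get(conn) == w + "_conn" and src in self.lists[w]:
                return w, self.hits
        self.hits += 1                         # Section D: jump "mark connection"
        if new and self._is_local(src) and (mark := self.mark_connection(src, conn)):
            return mark, self.hits
        self.hits += 1                         # Section E: jump "mark new unseen"
        if new and self._is_local(src):
            return self.mark_new_unseen(src, conn), self.hits
        return None, self.hits                 # not new or not local: unmarked
```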
