Sunday, May 22, 2011

Load Balance using PCC method in mikrotik


Load balancing shares Internet access across two or more Internet connections in a balanced way: the router does not wait until one connection is full and only then move traffic to the next one.


Many people get this wrong: they think that by load balancing two lines they will get double the bandwidth they had before (the sum of both links). To be clear from the start: load balancing does not increase the bandwidth you get; it only divides the traffic over both links so that they are used in a balanced manner.


With this article we will show that the arithmetic of load balancing is not 512 + 256 = 768, but 512 + 256 = 512 + 256, or 512 + 256 = 256 + 256 + 256.


In this article we use an RB433UAH with the following conditions:

  1. Ether1 and ether2 are connected to different ISPs with different bandwidths: ISP1 at 512kbps and ISP2 at 256kbps.
  2. We will use an internal web-proxy and use OpenDNS.
  3. The RouterOS version used is 4.5, because PCC has been available as a feature since version 3.24.



If the conditions above differ from the network at your site, you will have to adapt the configuration described here to your own network.


Suppose we configure the addressing like this, with the following commands on the MikroTik:

/ip address
add address=192.168.101.2/30 interface=ether1
add address=192.168.102.2/30 interface=ether2
add address=10.10.10.1/24 interface=wlan2

/ip dns
set allow-remote-requests=yes primary-dns=208.67.222.222 secondary-dns=208.67.220.220


For client connections we use the wireless interface wlan2, with client IPs in the range 10.10.10.2 to 10.10.10.254, netmask 255.255.255.0, so that the IP 10.10.10.1 on wlan2 serves as the clients' gateway and DNS server. If you use the DNS server of one of your ISPs, an additional mangle rule is required; it is given further below.

Once the IP and DNS configuration is correct, we must add a default route to each ISP's gateway IP, so that the router forwards all traffic for networks not directly connected to it to those gateways. Here we use the check-gateway feature, which is useful if one of the gateways goes down: connections will then be diverted to the other gateway.

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.101.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.102.1 distance=2 check-gateway=ping

For the Access Point settings, so that client PCs can connect over wireless, we use the command

/interface wireless
set wlan2 mode=ap-bridge band=2.4ghz-b/g ssid=Mikrotik disabled=no

So that the client PCs can reach the Internet, we must also translate the clients' private IPs to the public IPs on our public interfaces, ether1 and ether2.


/ip firewall nat 
add action=masquerade chain=srcnat out-interface=ether1 
add action=masquerade chain=srcnat out-interface=ether2

The router and the client PCs should now be able to reach the Internet. Ping the Internet both from the router and from a client PC. If that does not succeed, check your configuration again.


Internal Webproxy

Certain RouterBoards, such as the RB450G, RB433AH, RB433UAH, RB800 and RB1100, have an expansion slot (USB, MicroSD, CompactFlash) for additional storage. In the following example we use a USB flash drive attached to the USB slot. On first installation this additional storage shows the status invalid in /system store. To use it as cache storage, the drive must first be formatted and activated. Then we enable the web-proxy and set cache-on-disk=yes so that it uses our storage medium. Do not forget to redirect HTTP traffic (tcp port 80) to the web-proxy.


/store disk format-drive usb1 
/store 
add disk=usb1 name=cache-usb type=web-proxy 
activate cache-usb 

/ip proxy 
set cache-on-disk=yes enabled=yes max-cache-size=200000KiB port=8080 

/ip firewall nat 
add chain=dstnat protocol=tcp dst-port=80 in-interface=wlan2 action=redirect to-ports=8080


Setting Mangle

For this load balancing we use a feature called PCC (Per Connection Classifier). With PCC we can divide the traffic of connections passing through or leaving the router into several groups. The grouping can be based on src-address, dst-address, src-port and dst-port. The router remembers which gateway a connection's traffic was first routed through, so that subsequent packets belonging to the same connection are sent via the same gateway. The advantage of PCC is that it answers the frequent complaints about broken connections with earlier load-balancing techniques, which were caused by connections switching gateways. Before creating the load-balancing mangle rules, to prevent routing loops, all client traffic to networks directly connected to the router should bypass load balancing. We can put the router's directly connected networks in an address list and add the following mangle rules first.


/ip firewall address-list
add address=192.168.101.0/30 list=lokal
add address=192.168.102.0/30 list=lokal
add address=10.10.10.0/24 list=lokal

/ip firewall mangle
add action=accept chain=prerouting dst-address-list=lokal in-interface=wlan2 comment="trafik lokal"
add action=accept chain=output dst-address-list=lokal


In certain cases the first packet of a connection may come from the Internet, for example remote Winbox or telnet access from the Internet. Therefore we also need to mark those connections (mark-connection) so that their return traffic leaves through the interface on which it arrived.



/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=con-from-isp1 passthrough=yes comment="traffic from isp1"
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=con-from-isp2 passthrough=yes comment="traffic from isp2"


Generally an ISP (Internet Service Provider) will restrict access to its DNS servers to IP addresses it knows, so if you use the DNS of one ISP you must add mangle rules so that DNS traffic always goes through that ISP's gateway rather than the other ISP's. Here we route DNS traffic for ISP1's DNS server through the ISP1 gateway. If you use an independent public DNS such as OpenDNS, the mangle rules below are not needed.



/ip firewall mangle
add action=mark-connection chain=output dst-address=202.65.112.21 dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp comment="traffic DNS"
add action=mark-connection chain=output dst-address=202.65.112.21 dst-port=53 new-connection-mark=dns passthrough=yes protocol=udp
add action=mark-routing chain=output connection-mark=dns new-routing-mark=route-to-isp1 passthrough=no




Because we run a web-proxy on the router, there are two types of traffic to load balance: traffic from the clients to the Internet (non-HTTP) and traffic from the web-proxy to the Internet. To keep it structured and easier to read, we use custom chains as follows:


/ip firewall mangle
add action=jump chain=prerouting comment="jump to client-lb" connection-mark=no-mark in-interface=wlan2 jump-target=client-lb
add action=jump chain=output comment="jump to lb-proxy" connection-mark=no-mark out-interface=!wlan2 jump-target=lb-proxy



In the mangle rules above, for client load balancing the in-interface parameter is the interface connected to the clients, and for web-proxy load balancing we use the output chain with out-interface set to anything other than the client interface. With the custom chains created, we can add the mangle rules inside those chains as follows.



/ip firewall mangle
add action=mark-connection chain=client-lb dst-address-type=!local new-connection-mark=to-isp1 passthrough=yes per-connection-classifier=both-addresses:3/0 comment="first loadbalancing client"
add action=mark-connection chain=client-lb dst-address-type=!local new-connection-mark=to-isp1 passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=client-lb dst-address-type=!local new-connection-mark=to-isp2 passthrough=yes per-connection-classifier=both-addresses:3/2
add action=return chain=client-lb comment="end from loadbalancing"

/ip firewall mangle
add action=mark-connection chain=lb-proxy dst-address-type=!local new-connection-mark=con-from-isp1 passthrough=yes per-connection-classifier=both-addresses:3/0 comment="first load balancing proxy"
add action=mark-connection chain=lb-proxy dst-address-type=!local new-connection-mark=con-from-isp1 passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=lb-proxy dst-address-type=!local new-connection-mark=con-from-isp2 passthrough=yes per-connection-classifier=both-addresses:3/2
add action=return chain=lb-proxy comment="end from loadbalancing"


In the example above, client and web-proxy load balancing use the same PCC classifier parameter, both-addresses, so the router classifies a connection based on its src-address and dst-address. Because the two ISP links differ (512kbps and 256kbps), we divide the traffic into 3 parts: the first 2 parts go through the ISP1 gateway and the last part through the ISP2 gateway. Once client and proxy traffic has been classified, the next step is to create mark-routing mangle rules for use in the routing process.


/ip firewall mangle
add action=jump chain=prerouting comment="marking route client" connection-mark=!no-mark in-interface=wlan2 jump-target=route-client
add action=mark-routing chain=route-client connection-mark=to-isp1 new-routing-mark=route-to-isp1 passthrough=no
add action=mark-routing chain=route-client connection-mark=to-isp2 new-routing-mark=route-to-isp2 passthrough=no
add action=mark-routing chain=route-client connection-mark=con-from-isp1 new-routing-mark=route-to-isp1 passthrough=no
add action=mark-routing chain=route-client connection-mark=con-from-isp2 new-routing-mark=route-to-isp2 passthrough=no
add action=return chain=route-client disabled=no

/ip firewall mangle
add action=mark-routing chain=output comment="marking route proxy" connection-mark=con-from-isp1 new-routing-mark=route-to-isp1 out-interface=!wlan2 passthrough=no
add action=mark-routing chain=output connection-mark=con-from-isp2 new-routing-mark=route-to-isp2 out-interface=!wlan2 passthrough=no


Routing settings


The mangle rules above are useless until routes are created that use the routing marks we have set. Here we also create backup routes, so that if one gateway goes down, all connections go through the gateway that is still reachable.

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=route-to-isp1 distance=1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-to-isp1 distance=2
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-to-isp2 distance=1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=route-to-isp2 distance=2



Tester


From the picture shown, downloading a single file (1 connection) gives only 56kBps (448kbps), because that connection went through the ISP1 gateway, whereas downloading a file from another website (opening a new connection) at the same time gets 30kBps (240kbps). From this test it can be concluded that
512kbps + 256kbps = 768kbps

Note:

  • Load balancing with this PCC technique becomes more effective and more balanced the more connections (from clients) there are.
  • Use an ISP that provides dedicated (fixed) bandwidth, not shared bandwidth, for better results.
  • PCC load balancing is not always, and not entirely, a solution that works well in every type of network, because the traffic is balanced on the basis of probability.
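To make the test result and the notes above concrete, here is an added Python model (not from the article, and not RouterOS's real classifier, whose hash function is undocumented; SHA-256 over the two addresses is assumed as a stand-in) of the both-addresses:3/0, 3/1 and 3/2 rules with the marks to-isp1, to-isp1 and to-isp2. It shows that a single connection is pinned to one ISP's capacity, and that the 2:1 division only emerges over many connections.

```python
"""Constructed model of the article's 3-way PCC split (added example)."""
import hashlib
import ipaddress
import random

# Bucket-to-mark mapping exactly as in the article's client-lb mangle rules:
# both-addresses:3/0 -> to-isp1, 3/1 -> to-isp1, 3/2 -> to-isp2
DENOMINATOR = 3
REMAINDER_TO_MARK = {0: "to-isp1", 1: "to-isp1", 2: "to-isp2"}
# Link capacities from the article, in kbps
CAPACITY_KBPS = {"to-isp1": 512, "to-isp2": 256}


def pcc_remainder(src: str, dst: str) -> int:
    """Stand-in for per-connection-classifier=both-addresses:3/N.

    RouterOS hashes the chosen header fields and takes the remainder modulo
    the denominator. Its real hash is undocumented, so SHA-256 over the packed
    addresses is assumed here; the property that matters is shared with the
    real one: the same src/dst pair always lands in the same bucket.
    """
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % DENOMINATOR


def classify(src: str, dst: str) -> str:
    """Connection mark the client-lb chain assigns to this connection."""
    return REMAINDER_TO_MARK[pcc_remainder(src, dst)]


def single_connection_ceiling_kbps(src: str, dst: str) -> int:
    """One connection is pinned to one ISP, so it can never exceed that link's
    rate (the article's single-download test: 448kbps via ISP1, never 768kbps)."""
    return CAPACITY_KBPS[classify(src, dst)]


def isp_share(n_connections: int, seed: int = 1) -> dict:
    """Fraction of n random connections (constructed 10.10.10.x clients to random
    public addresses) that land on each ISP. Approaches 2/3 : 1/3 only as the
    number of connections grows, which is the article's first note."""
    rng = random.Random(seed)
    counts = {"to-isp1": 0, "to-isp2": 0}
    for _ in range(n_connections):
        src = f"10.10.10.{rng.randint(2, 254)}"
        dst = str(ipaddress.ip_address(rng.randint(0x0B000000, 0xDFFFFFFF)))
        counts[classify(src, dst)] += 1
    return {mark: count / n_connections for mark, count in counts.items()}
```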
Link: mikrotik


7 comments:

  1. Mikrotik DUAL WAN Load Balancing using PCC method. Complete Script !
    http://mr-ekoapriadi.blogspot.com/2013/03/mikrotik-dual-wan-load-balancing-using.html

  2. Very good your work. Congratulations! I made some adaptations for my scenario, full based on this post. It helped me a lot.

    Thank you.

  3. Just to clarify the adaptations I did for my scenario:

    /ip firewall mangle
    add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=con-from-isp1 passthrough=yes comment="traffic from isp1"
    add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=con-from-isp2 passthrough=yes comment="traffic from isp2"

    Because I was having problems accessing internal hosts from outside, I duplicated the above commands, but for the forward chain.

    Also, because one of my links uses a dynamic public IP, I modified the DynDNS update script to insert the obtained address and gateway into the "lokal" address-list.

    That's it.

  4. Hello,

    I am using the above script for PCC with webproxy. It is working fine, but now I am facing port forwarding issues. I have tried multiple times through different sources but am unable to resolve it.. I even tried, following the blog user (Gilson de Carvalho), creating 2 more rules with the forward chain, but still unable to resolve it. Can anybody help me in this regard: how can I port forward using the above script?

  5. Hi,

    After much hard searching and trying I got a port forwarding solution with the above script.
    We will need 2 rules added in firewall filter and one in NAT firewall, which will be a standard NAT rule.

    For firewall filter we need: 1- input and 2- forward...

    Now I'm just facing an access problem from the internal network; for this I'm working on hairpin NAT.

    thanks,

    Regards,

    Wasim

  6. Hi,

    Still, I am unable to solve the NAT hairpin problem. Can anybody provide a solution using the above rules?
