Routing & Natting with Failover ! Brothers in Arms

~ Mikrotik CCR.1036 Performance Statistics ~

 

 

---

Reference Notes:

Mikrotik is a very powerful router that can perform variety of functions in one box. Sometimes It’s fun to do complex configuration with customized scripting to achieve our desired results. I just wanted to share some thoughts on one scenario where I configured multiple WAN links with PCC config plus public ips routing for users in single CCR RB. Routing+Natting+Fire-walling+QOS+Scripting and much more all together. Later we added failover so that if pcc wan links fails it should switch to fiber link, and if fiber link fails, it should failover to dsl by blending public ips into PCC.

• Mikrotik have 4 DSL links which are configured in PCC (Load balancing) and serving local pppoe clients.
• We have added another WAN Link via Fiber which is 1 STM (155mbps) and have acquire another large public pool for users which is routed to our /29 ip on mikrotik.
• We have configured services in such a way that normal users gets private ip upon pppoe connectivity, and goes via PCC/Natting. and few services are configured in such a way that user gets public ip and goes to internet via public ip Routing, (bypass natting, preserving his public ip)
• We have configured VLANs to isolate the different areas/networks to minimize the broadcast and for better network management. Also some corporate clients are connected to separate vlans to provide them public ip pool to be used in there routers.
• We connected some corporate clients, which of course should not be connected via pppoe method, they wanted direct public ip so they can configure it in there own router/system. So we did it by connecting that client on our vlan switch,TAG there port traffic, and on mikrotik we added new vlan interface (accordingly ) and assign public ip (as required like /30) and assigned it to this new vlan interface, and gave appropriate ip to the client.
• We have configured FAILOVER by using following techniques
• 4 vdsl links (100mb each) are configured as PCC. For fail over we are using script that monitor 2 internet hosts for each wan link. we have also created forced route for those hosts with black holes as well to make sure the hosts goes via specific wan link only. once the script failed to ping those 2 hosts, it will simply enable rule in (ip/route/rules) TABLE to lookup the speciifc wan marked packets via main table where fiber link have distance value of 1 which will be default rule. thus traffic for that failed dsl link will start natting via fiber link. of course there are various other measurements need to be done, like proper natting rules, etc.
• For fiber fail over (public ips) to dsl, we have script that checks for 2 hosts, if it fails, it will simply add the public ip pool to pcc pool as well, so the public pool also starts mixing with the pcc quern 😀
• CCR performed amazingly good with complex configuration , lots of dynamic queues, and CPU usage usually remains under 10%. We can use PCQ base queues to lower the cpu usage in specific circumstances.
• QOS is dynamically Done by the radius billing system. In this case DMASOFTLAB Radius Manager.
• FTP are in DMZ, controlled by Mikrotik Firewall and separate QOS are setup to provide each user with 4 MB of downloads from local media server. This is done to prevent over utilization by each user. I used Queue type and then tag it with the simple queue for FTP. I also marked packets in mangle going to FTP, then later used in queues.
• There are few other scripts configured like daily backup script, wan monitoring scripts, etc.
• DDNS is also configured to access mikrotik and other servers/devices behind the MT, to pass through via PCC. port forwarding with the PCC is a bit tricky, and it requires additional rules in mangle and routes. I wrote about it in details in other posts.
• Lot of port forwarding 🙂
• Filter rules to block DDOSER, Block PING access ,Port Scanning etc…

 

---

TIPS for running NATING and ROUTING TOGETHER ~

Updated: 21-Sep-2016

As few asked how to run both natting and routing together in one router, here are few tips, (as I cannot post whole configuration because every network is different so rather then getting the code, try to understand the logic and apply it on your network if required)

Example:

We have Mikrotik RouterOS with 4 DLS(100mb x 4) links plus 1 Fiber Link (1 STM bandwidth) on /30 pool and two separate /24 pools (routed to /30 pool via ISP) for user end. We also have freeradius billing system where all users account / billing is managed. Mikrotik is acting as NAS / PPPoE Server as well.

Now we want that default normal group of clients should use these 4 dsl via PCC (using src-address approach as its more stable and have no ip changing issue) and selected group of users should get public ip and go directly via routing (while preserving their own public ip). here how I did this.

on Mikrotik I have defined two pools. One for the normal clients that will be natted using PCC. and other pool with public IP’s for users that will be routed.

1- pppoe_private_pool / 172.16.0.1-172.16.10.255
2- pppoe_public_pool / 123.0.0.1-123.0.1.255

In Mikrotik pppoe server, default pool for users is pppoe_private_pool (172.16.0.1-172.16.10.255) so any client connects to pppoe server will get ip from 172.16.x.x series. in PCC Mangle rules I defined 172.16.0.1-172.16.10.255 in src-address , this way only clients with these ip series will be processed via PCC and will go via dsl links. Same I did for default NAT rules, I defined this private pool in NAT src-address as well, This is must other wise all users will be natted (private or public). So make sure you pay attention to this portion.

Now to route public ips, I add the route of Fiber link ISP Gateway as Default route with distance value of 1 (all other routes of PCC have values of 2,3,4,5 (default routes for pcc / dsl is not required because they already have routes with marked traffic, but I still created default routes on dsl with different distance values to avail failover if one dsl fail , other should take over auto using MAIN TABLE) .

Then in radius panel, I created new services with pool defined “pppoe_public_pool”. and assign this profile to users whom I wanted to get public ip. this way when these particular users connects, they gets public IP, and they don’t processed by NAT rules and straightforward goes via routing table 🙂

Z@ib

 

---

Regard’s

Syed Jahanzaib