Syed Jahanzaib Personal Blog to Share Knowledge !

October 27, 2011

MIKROTIK Policy Routing based on Client IP Address


 

 ~!!!~   Article  By  Syed Jahanzaib   ~!!!~

Recently, at a local cable network setup at Gulzar-e-Hijri, an OP (cable operator) told me that he wanted to add an extra DSL line just for some specific users (VIP users who pay some extra money for better speed), as the current single DSL line was getting clogged by over-subscribed users. He wanted to manage all users and links via a single MikroTik RouterBoard.
I accomplished this task by adding the 2nd DSL line to the MikroTik box with a few rules, and Alhamdolillah it worked fine :). I am just sharing the basic logic of how I achieved it.

You can take this idea and modify it according to your requirements, either using this logic as-is or mixing it with a Hotspot or PPPoE based setup. In this example, each user's MAC address was bound to its IP.

Let us assume that we have 2 user lists:

DSL1_USERS_LIST = 192.168.2.6
DSL2_USERS_LIST = 192.168.2.7

 

DSL1 Router GW IP = 192.168.5.2
DSL2 Router GW IP = 192.168.6.2

Now we will route users through the DSL-1 or DSL-2 WAN link based on their IP addresses.

To accomplish this task, the simple logic is:

  1. STEP#1: First we create an ADDRESS-LIST for each link and add our users to it.
  2. STEP#2: Then we add two IP Firewall Mangle rules to mark the routing of packets originating from user 1 and user 2.
  3. STEP#3: Then we specify two default routes (destination 0.0.0.0/0) with the appropriate routing marks and gateways.
  4. STEP#4: Then we simply add one NAT rule for the local IP range with action masquerade.

Code:

# Adding IP Address on interfaces like lan/wan
# IP for LAN User Network Connectivity

/ip address
add address=192.168.2.1/24 disabled=no interface=LAN network=192.168.2.0
# IP for WAN DSL Connectivity

add address=192.168.5.1/24 disabled=no interface=WAN1 network=192.168.5.0
add address=192.168.6.1/24 disabled=no interface=WAN2 network=192.168.6.0

# Create 2 address lists and add IPs as required; you can add a range as well.
# I am adding just 2 IPs here.

/ip firewall address-list
add address=192.168.2.6 disabled=no list=DSL1_USERS_LIST
add address=192.168.2.7 disabled=no list=DSL2_USERS_LIST
# Marking Users connection coming from specific address lists
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan1_user passthrough=no src-address-list=DSL1_USERS_LIST
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan2_user passthrough=no src-address-list=DSL2_USERS_LIST
# Create routes for the above marked packets so that each marked packet goes via its specific WAN link only
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.2 routing-mark=wan1_user scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.6.2 routing-mark=wan2_user scope=30 target-scope=10
# Finally create a NAT rule so that the users' (IP range) internet can work
/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=192.168.2.0/24
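To make the three-step chain (address list, mangle routing mark, per-mark route lookup) visible without a router at hand, here is an added example in Python. It is my own model, not RouterOS code and not part of the original post; it parses the post's own rule set (embedded below as a string) and resolves which gateway a given LAN client would be sent to, falling back to the main routing table when the marked table has no matching route, as RouterOS does. The client 192.168.2.8 is a constructed address that is in neither list.

```python
"""Resolve which WAN gateway a LAN client gets under the post's policy-routing
config. Added example: a small model of RouterOS address-list -> mangle
mark-routing -> per-mark route lookup. Not RouterOS code; the config text
below is the post's own rule set embedded as the parser's input."""
import ipaddress
import shlex

ROUTEROS_CONFIG = """
/ip address
add address=192.168.2.1/24 disabled=no interface=LAN network=192.168.2.0
/ip firewall address-list
add address=192.168.2.6 disabled=no list=DSL1_USERS_LIST
add address=192.168.2.7 disabled=no list=DSL2_USERS_LIST
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan1_user passthrough=no src-address-list=DSL1_USERS_LIST
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan2_user passthrough=no src-address-list=DSL2_USERS_LIST
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.2 routing-mark=wan1_user scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.6.2 routing-mark=wan2_user scope=30 target-scope=10
"""


def parse_routeros(text):
    """Group 'add key=value ...' lines under their '/path' section header."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            entry = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            sections[current].append(entry)
    return sections


def in_address_list(ip, spec):
    """Address-list entries may be a host, a CIDR prefix or a 'first-last' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def routing_mark_for(ip, cfg):
    """First enabled prerouting mark-routing rule whose src-address-list
    contains the client wins (passthrough=no stops at the first match)."""
    lists = cfg.get("/ip firewall address-list", [])
    for rule in cfg.get("/ip firewall mangle", []):
        if rule.get("disabled") == "yes" or rule.get("action") != "mark-routing":
            continue
        wanted = rule.get("src-address-list")
        if any(e["list"] == wanted and in_address_list(ip, e["address"]) for e in lists):
            return rule["new-routing-mark"]
    return None


def gateway_for(ip, cfg, dst="8.8.8.8"):
    """Longest-prefix match, then lowest distance, in the marked table;
    fall back to the main table (routes without routing-mark) if it has no route."""
    mark = routing_mark_for(ip, cfg)
    routes = [r for r in cfg.get("/ip route", []) if r.get("disabled") != "yes"]
    dst_addr = ipaddress.ip_address(dst)
    for table in ([mark] if mark else []) + [None]:
        candidates = [
            r for r in routes
            if r.get("routing-mark") == table
            and dst_addr in ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"), strict=False)
        ]
        if candidates:
            best = max(candidates, key=lambda r: (
                ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"), strict=False).prefixlen,
                -int(r.get("distance", 1))))
            return best["gateway"]
    return None  # no route at all: the packet is dropped


if __name__ == "__main__":
    cfg = parse_routeros(ROUTEROS_CONFIG)
    for client in ("192.168.2.6", "192.168.2.7", "192.168.2.8"):
        print(client, "->", gateway_for(client, cfg))
```

Running it shows 192.168.2.6 leaving via 192.168.5.2 and 192.168.2.7 via 192.168.6.2, matching the traceroutes below. It also shows the case the post does not test: a client in neither list (192.168.2.8 here) gets no gateway, because the post's route table has no default route without a routing mark. If you want unlisted users to still reach the internet, add a default route without routing-mark to the main table.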

TESTING

From client PC #1, whose IP address is 192.168.2.6, run the TRACEROUTE command,

for example: traceroute yahoo.com

 

Results


TESTING FROM DSL1_USERS_LIST = 192.168.2.6

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1

C:\Documents and Settings\zaib>tracert yahoo.com

Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops

1     <1 ms     <1 ms     2 ms  192.168.2.1
2      2 ms      2 ms     3 ms  192.168.5.2
.
.


TESTING FROM DSL2_USERS_LIST = 192.168.2.7

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.7
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1

C:\Documents and Settings\zaib>tracert yahoo.com

Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops

1     <1 ms     <1 ms     2 ms  192.168.2.1
2      2 ms      2 ms     3 ms  192.168.6.2
.
.


 

Regards
SYED JAHANZAIB

September 9, 2011

Load Balancing Users Among Multiple PPPoE Servers on Same LAN !

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:57 PM


Following are a few simple tips and tricks on how to load balance users among multiple PPPoE servers working on the same LAN.

This is sometimes required if you have thousands of users and you want to avoid overloading a single server. Following these tips, you will get load balancing as well as failover: if one server dies, the other will automatically take the load 🙂

The PPPoE client sends out a service inquiry and whichever MAC address responds first is the one it tries to connect to. This is the easiest way to load balance PPPoE.

# Configure two (or more, as required) PPPoE servers with the same or similar hardware and the same service name on the same switch where the clients are connected. Just make sure that the PPPoE user IP pools on the MikroTiks do not overlap with each other. A working example is as follows:

Mikrotik -1  >  Ip pool for pppoe users = 172.16.0.1-172.16.10.255
Mikrotik -2  >  Ip pool for pppoe users = 172.16.11.1-172.16.20.255
Mikrotik -3  >  Ip pool for pppoe users = 172.16.21.1-172.16.30.255

and the public IP pools should be different as well.

# From each client, both PPPoE servers must be reachable at L2.

# Each client connects to one PPPoE server or the other at random. There is no FIXED percentage, but in practice it may be around 60-40% or 45-55%. The PPPoE client sends out a service inquiry and whichever MAC address responds first is the one it tries to connect to.

# If one server is down, all users connect to the second one, or to whichever server is still available.
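The points above describe a race: every live server answers the client's discovery broadcast and the fastest answer wins. As an added example (my own model, not RouterOS code and not from the post), the Python below simulates that race for the three servers and pools listed above, checks the non-overlap precondition on the pools, and shows both behaviours the post promises: an uneven but non-zero split while all servers are up, and full failover to the surviving server when the others are down. The response-time model, the client count, and the MAC addresses are constructed for the simulation.

```python
"""Model of the PPPoE discovery race used for load balancing in the post.
Added example, not RouterOS code: each client broadcasts a PADI, every live
server on the segment replies with a PADO, and the client takes whichever
PADO arrives first. Timing model, MACs and client counts are constructed."""
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class PppoeServer:
    name: str
    mac: str                 # constructed placeholder MAC, display only
    pool: tuple              # (first, last) address of this server's PPPoE pool
    up: bool = True
    leased: list = field(default_factory=list)

    def pado_delay_ms(self, rng):
        # Hypothetical response-time model: random jitter plus a small penalty
        # that grows with the number of sessions the server already holds.
        return rng.uniform(1.0, 5.0) + 0.01 * len(self.leased)

    def next_ip(self):
        first = int(ipaddress.IPv4Address(self.pool[0]))
        last = int(ipaddress.IPv4Address(self.pool[1]))
        nxt = first + len(self.leased)
        if nxt > last:
            raise RuntimeError(f"{self.name}: PPPoE pool exhausted")
        ip = str(ipaddress.IPv4Address(nxt))
        self.leased.append(ip)
        return ip


def pools_overlap(servers):
    """The post's precondition: per-server pools must not overlap, otherwise two
    servers could hand the same address to two different clients."""
    ranges = sorted((int(ipaddress.IPv4Address(s.pool[0])),
                     int(ipaddress.IPv4Address(s.pool[1]))) for s in servers)
    return any(ranges[i][1] >= ranges[i + 1][0] for i in range(len(ranges) - 1))


def discover(servers, rng):
    """One client's PADI: collect a PADO from each live server, pick the fastest.
    Returns None when no server is up (a real client would keep retrying)."""
    offers = [(s.pado_delay_ms(rng), s) for s in servers if s.up]
    if not offers:
        return None
    return min(offers, key=lambda o: o[0])[1]


def run_clients(servers, n_clients, seed=1):
    """Connect n_clients one after another; returns {client: (server, assigned IP)}."""
    if pools_overlap(servers):
        raise ValueError("PPPoE pools overlap between servers")
    rng = random.Random(seed)
    assignments = {}
    for i in range(n_clients):
        srv = discover(servers, rng)
        if srv is not None:
            assignments[f"client{i:03d}"] = (srv.name, srv.next_ip())
    return assignments


def share_per_server(assignments):
    """How many clients each server ended up serving."""
    counts = {}
    for name, _ in assignments.values():
        counts[name] = counts.get(name, 0) + 1
    return counts


def make_servers():
    # The three pools from the post; MAC addresses are constructed placeholders.
    return [
        PppoeServer("Mikrotik-1", "02:00:00:00:00:01", ("172.16.0.1", "172.16.10.255")),
        PppoeServer("Mikrotik-2", "02:00:00:00:00:02", ("172.16.11.1", "172.16.20.255")),
        PppoeServer("Mikrotik-3", "02:00:00:00:00:03", ("172.16.21.1", "172.16.30.255")),
    ]


if __name__ == "__main__":
    servers = make_servers()
    print("all up:", share_per_server(run_clients(servers, 300)))
    servers = make_servers()
    servers[1].up = servers[2].up = False
    print("only Mikrotik-1 up:", share_per_server(run_clients(servers, 300)))
```

The split it prints is never an exact third each, which is the point the post makes about there being no fixed percentage; what is guaranteed is that every assigned address is unique, and that is only true because the pools do not overlap, which is why the script refuses to run otherwise.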

How to scan for PPPoE servers running on your network.

# Using the PPPoE scanner, you can find out how many PPPoE servers are running on your network. Open a terminal and use

/interface pppoe-client scan ether1 [LAN]

or likewise with your own LAN-facing interface in place of ether1;
it will show you all the servers running on the network connected to this interface.


Regards
Syed Jahanzaib

July 27, 2011

Mikrotik DUAL WAN Load Balancing using PCC method. Complete Script ! by zaiB

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 10:16 AM



Following is a complete script for MikroTik to combine/load balance two DSL lines. In this example I used a MikroTik RB750 5-port router.

2 ports were connected to two different DSL routers,
and the 3rd port was connected to the user LAN.
Both DSL lines are of the same speed, i.e. 10 Mb each.

DSL MODEM IPs
DSL MODEM 1 = 192.168.1.1
DSL MODEM 2 = 192.168.2.1

Also don’t forget to rename the interface names accordingly.

In my personal experience, if users' requests are directly hitting the MikroTik configured with PCC, then you will get good load balancing. Use src-address as the classifier; this way you will get rid of problems like broken HTTPS links, streaming issues, etc. Load balancing with this PCC technique (src-address) becomes effective and well balanced as more and more connections from clients occur. I also recommend using a SQUID proxy server along with the MikroTik, either in parallel, in front, or as a backend, for better response time; it will also give users a better browsing experience.

If somehow you are not satisfied with the src-address approach, play with the PCC classifier and try both addresses and ports as the classifier. While this will randomize things the most and in theory give you the fairest allocation of bandwidth, there is also a good chance that it will break certain things like banking web sites and some forums. This is because a single HTTP page load often generates several connections, so there is a chance that some of those connections go out a different route (and so a different public address) than the initial one, and that breaks secure web sites. For that reason I usually stick with src-address for PCC load balancing.

Regards
Syed Jahanzaib

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

All done! Now test the link by putting user load on it; the more users you put on it, the better the load balancing result you will get 🙂

PCC WITH UN-EQUAL WAN LINKS

If you have unequal WAN links, for example WAN1 is 4 Mb and WAN2 is 8 Mb, and you want to force MT to use the WAN2 link more than the other because of its capacity, then you have to add more PCC rules, assigning two of the PCC buckets to the same specific link, i.e. WAN2, something like

Code:

# Three buckets (denominator 3): bucket 0 goes to WAN1, buckets 1 and 2 go to WAN2, so WAN2 takes roughly two thirds of new connections.
# The remainder must always be smaller than the denominator, so all three rules share denominator 3.
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
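Two things in this post are easier to believe once you can see the bucket arithmetic: the warning above that both-addresses-and-ports scatters one client's connections across both WANs while src-address keeps them together, and the unequal-links trick of mapping two of three buckets to the bigger link. The following added example is my own Python model of the PCC decision (not RouterOS code and not from the post). RouterOS hashes the selected connection fields and compares hash mod Denominator with Remainder; its hash function is not published, so SHA-256 is used here as a constructed stand-in. Bucket numbers therefore differ from a real router, but the distribution behaviour is the same. The client, server and port values are constructed.

```python
"""Model of RouterOS per-connection-classifier (PCC) bucket selection.
Added example, not RouterOS code. SHA-256 stands in for RouterOS's
unpublished hash; all flows below are constructed sample data."""
import hashlib
import random
from collections import Counter


def pcc_bucket(classifier, flow, denominator):
    """flow = (src_ip, dst_ip, src_port, dst_port).
    The classifier names which fields are hashed; result is hash mod denominator."""
    src, dst, sport, dport = flow
    fields = {
        "src-address": (src,),
        "dst-address": (dst,),
        "both-addresses": (src, dst),
        "both-addresses-and-ports": (src, dst, str(sport), str(dport)),
    }[classifier]
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:8], "big") % denominator


def mark_connection(flow, rules):
    """rules: list of (classifier, denominator, remainder, mark), checked in order
    like the post's mangle rules; the first rule whose bucket matches sets the mark."""
    for classifier, denom, rem, mark in rules:
        if pcc_bucket(classifier, flow, denom) == rem:
            return mark
    return None


def equal_links(classifier):
    """The post's 2/0 and 2/1 pair: half the buckets per WAN."""
    return [(classifier, 2, 0, "WAN1_conn"), (classifier, 2, 1, "WAN2_conn")]


def unequal_links(classifier):
    """The unequal-links rule set: bucket 0 to WAN1, buckets 1 and 2 to WAN2."""
    return [(classifier, 3, 0, "WAN1_conn"),
            (classifier, 3, 1, "WAN2_conn"),
            (classifier, 3, 2, "WAN2_conn")]


def wans_seen_by_client(classifier, client_ip="192.168.0.10", n_conns=64):
    """Number of distinct WANs one client's connections to one HTTPS server use.
    Constructed flows: same src and dst, a fresh ephemeral source port each time,
    which is what one page load with several parallel connections looks like."""
    flows = [(client_ip, "203.0.113.10", 49152 + i, 443) for i in range(n_conns)]
    return len({mark_connection(f, equal_links(classifier)) for f in flows})


def wan_share(rules, n_flows=3000, seed=7):
    """Fraction of constructed random flows that land on each connection mark."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_flows):
        flow = (f"192.168.0.{rng.randint(2, 254)}",
                f"203.0.113.{rng.randint(1, 254)}",
                rng.randint(1024, 65535),
                rng.choice([80, 443, 53]))
        counts[mark_connection(flow, rules)] += 1
    return {mark: c / n_flows for mark, c in counts.items()}


if __name__ == "__main__":
    print("src-address, one client's 64 connections ->",
          wans_seen_by_client("src-address"), "WAN(s)")
    print("both-addresses-and-ports, one client's 64 connections ->",
          wans_seen_by_client("both-addresses-and-ports"), "WAN(s)")
    print("unequal links (3/0 WAN1, 3/1+3/2 WAN2) share:",
          wan_share(unequal_links("both-addresses-and-ports")))
```

With src-address, every connection from one client hashes to the same bucket, so the client keeps one public address for the whole session; with both-addresses-and-ports, the changing source port moves connections between WANs, which is exactly what upsets sites that tie a session to the client's address. The unequal-links share comes out close to one third on WAN1 and two thirds on WAN2.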

PCC WITH HOTSPOT (Reference)

/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth

٩(●̮̮̃•̃)۶   ZaiB   ٩(●̮̮̃•̃)۶
