Load Balancing and Policy Routing

Load Balancing: doubled bandwidth with unstable connections

With this scheme we get double the bandwidth, but every 10 minutes the router flushes its route cache and picks the ECMP gateway afresh for each source/destination pair. A connection is masqueraded with the address of the uplink chosen for its first packet, so a long-lived session such as SSH or SSL that gets moved to the other gateway starts leaving with the wrong source address and is dropped, which is extremely unpleasant.

                                                               _____
                                         +--------------+     /
                          dhcp-client    | 10.18.5.254  |    |
                         +---------------+  Provider 1  +----- BTC
        __               |ether1-gateway |              |   /
    ___/  \_      +------+----------+    +--------------+  |
  _/        \__   |  10.18.5.3/24   |                     /
 /             \  |                 |                     |
| 192.168.88.1 ---+ MikroTik router |                     | Internet
 \           __/  |                 |                     |
   \__     __/    |93.155.130.30/30 |                     \
      \___/       +------+----------+    +--------------+  |
                         | ipip1         |93.155.130.29 |  \
                         +---------------+  Provider 2  +---- GCN
                           ipip tunnel   |              |   |
                                         +--------------+    \______
# Uplink 1: Ethernet to Provider 1 (10.18.5.0/24)
interface ethernet set ether1-gateway mac-address=00:0C:42:54:F4:CB disabled=no
ip address add address=10.18.5.3 netmask=255.255.255.0 interface=ether1-gateway

# Uplink 2: IPIP tunnel to Provider 2, numbered from the /30 93.155.130.28
interface ipip add local-address=10.18.5.3 remote-address=93.155.131.1 disabled=no
ip address add address=93.155.130.30 netmask=255.255.255.252 interface=ipip1
# The tunnel lowers the MTU: clamp the TCP MSS on SYNs so large segments are not black-holed
ip firewall mangle add chain=postrouting protocol=tcp tcp-flags=syn out-interface=ipip1 action=change-mss new-mss=clamp-to-pmtu

# Source NAT on both uplinks
ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway
ip firewall nat add chain=srcnat action=masquerade out-interface=ipip1

# ECMP default route: both gateways, each checked with ping, used in turn per src/dst pair
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254,93.155.130.29 check-gateway=ping

# Connections that reach the router itself on one uplink must be answered on that uplink:
# mark the connection by the input interface, then route the router's own replies by that mark
ip firewall mangle add chain=input in-interface=ether1-gateway action=mark-connection new-connection-mark=ether1-gateway-conn
ip firewall mangle add chain=input in-interface=ipip1 action=mark-connection new-connection-mark=ipip1-conn
ip firewall mangle add chain=output connection-mark=ether1-gateway-conn action=mark-routing new-routing-mark=to_ether1-gateway
ip firewall mangle add chain=output connection-mark=ipip1-conn action=mark-routing new-routing-mark=to_ipip1

# One default route per routing mark
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 routing-mark=to_ether1-gateway
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 routing-mark=to_ipip1
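The usual remedy for the dropped sessions described above is to pin each connection to the uplink chosen for its first packet, so the periodic re-selection of the ECMP gateway cannot move an established connection. The rules below are an added example, not part of the original post. They assume the interface names used on this page (ether1-gateway and ipip1 as the uplinks), ether2-local-master as the LAN interface (the name this page uses in the next scheme), and the two marked routes for to_ether1-gateway and to_ipip1 defined above.

```routeros
# Added example (not from the original post). Assumes: ether1-gateway and ipip1
# are the two uplinks, ether2-local-master is the LAN interface, and the marked
# routes for to_ether1-gateway / to_ipip1 from the scheme above already exist.

# 1. Outbound: the first packet of a LAN connection carries no mark, so the ECMP
#    route in the main table picks the gateway. In the forward chain the chosen
#    out-interface is known, so record it on the connection.
/ip firewall mangle add chain=forward in-interface=ether2-local-master out-interface=ether1-gateway connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ether1-gateway-conn passthrough=yes
/ip firewall mangle add chain=forward in-interface=ether2-local-master out-interface=ipip1 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ipip1-conn passthrough=yes

# 2. Inbound: connections arriving on an uplink (including dst-nat'ed ones, which
#    the input-chain rules above never see) are marked by their input interface.
/ip firewall mangle add chain=prerouting in-interface=ether1-gateway connection-state=new action=mark-connection new-connection-mark=ether1-gateway-conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=ipip1 connection-state=new action=mark-connection new-connection-mark=ipip1-conn passthrough=yes

# 3. Every later packet from the LAN side of a marked connection is routed by the
#    mark, so it keeps the uplink whose address its NAT mapping was built on,
#    even after the route cache has been flushed.
/ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ether1-gateway-conn action=mark-routing new-routing-mark=to_ether1-gateway passthrough=no
/ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ipip1-conn action=mark-routing new-routing-mark=to_ipip1 passthrough=no

# Check: a long-lived session keeps its connection mark, and therefore its uplink.
/ip firewall connection print where connection-mark=ether1-gateway-conn
/ip firewall connection print where connection-mark=ipip1-conn
```

Only the first packet of a connection is balanced; everything after it follows the mark. If the pinned uplink goes down, check-gateway removes its marked route and the lookup falls back to the main table, so the connection is lost but new ones continue on the surviving gateway.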

Load Balancing: distributing clients evenly across providers

This example is a different variant of the load-balancing scheme above. The difference is that here user sessions are persistent: a given user leaves through the same source IP address for all of their outgoing connections. Each host is assigned to a provider in turn when it is first seen and recorded in an address list for a day, so all of its later connections follow that provider. In that sense the speed is not doubled for any single client; instead the clients are split evenly between the providers (two in this case, but there can be more).

                                                               _____
                                         +--------------+     /
                          dhcp-client    | 10.18.5.254  |    |
                         +---------------+  Provider 1  +----- BTC
        __               |ether1-gateway |              |   /
    ___/  \_      +------+----------+    +--------------+  |
  _/        \__   |  10.18.5.3/24   |                     /
 /             \  |                 |                     |
| 192.168.88.1 ---+ MikroTik router |                     | Internet
 \           __/  |                 |                     |
   \__     __/    |93.155.130.30/30 |                     \
      \___/       +------+----------+    +--------------+  |
                         | ipip1         |93.155.130.29 |  \
                         +---------------+  Provider 2  +---- GCN
                           ipip tunnel   |              |   |
                                         +--------------+    \______
# Hosts already assigned to a provider: match the address list, mark, and stop (passthrough=no)
ip firewall mangle add chain=prerouting src-address-list=ISP1 in-interface=ether2-local-master action=mark-connection new-connection-mark=ISP1
ip firewall mangle add chain=prerouting src-address-list=ISP1 in-interface=ether2-local-master action=mark-routing new-routing-mark=ISP1 passthrough=no

ip firewall mangle add chain=prerouting src-address-list=ISP2 in-interface=ether2-local-master action=mark-connection new-connection-mark=ISP2
ip firewall mangle add chain=prerouting src-address-list=ISP2 in-interface=ether2-local-master action=mark-routing new-routing-mark=ISP2 passthrough=no

# Hosts not yet assigned: every second new connection goes to ISP1, the source host is
# recorded in the ISP1 list for one day, and processing stops (passthrough=no)
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-state=new nth=2,1 action=mark-connection new-connection-mark=ISP1 passthrough=yes
ip firewall mangle add chain=prerouting in-interface=ether2-local-master action=add-src-to-address-list address-list=ISP1 address-list-timeout=1d connection-mark=ISP1
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ISP1 action=mark-routing new-routing-mark=ISP1 passthrough=no

# The remaining new connections all go to ISP2. nth counters are per rule, so this rule
# must match every packet that reaches it (nth=1,1); with nth=2,2 every fourth new
# connection would be left unassigned and fall through to the unmarked default route
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-state=new nth=1,1 action=mark-connection new-connection-mark=ISP2 passthrough=yes
ip firewall mangle add chain=prerouting in-interface=ether2-local-master action=add-src-to-address-list address-list=ISP2 address-list-timeout=1d connection-mark=ISP2
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ISP2 action=mark-routing new-routing-mark=ISP2 passthrough=no

# One default route per routing mark, plus the unmarked default for everything else
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 routing-mark=ISP1
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark=ISP2
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10
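The routes above have no failover: if Provider 1 goes down, every host recorded in the ISP1 list stays pinned to a dead gateway for up to a day. The routes below are an added example, not part of the original post; they keep the marks and address lists defined above and add a monitored backup route in each marked table. They assume the same two gateways and replace the three routes above; scope and target-scope are left at their defaults.

```routeros
# Added example (not from the original post): failover for the per-client scheme.
# Assumes the gateways, routing marks (ISP1, ISP2) and address lists defined above.
# These routes replace the three routes of the scheme above.

# Primary route in each marked table, monitored with check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 routing-mark=ISP1 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 routing-mark=ISP2 distance=1 check-gateway=ping

# Backup route in the same marked table with a worse distance: it becomes active only
# while check-gateway has declared the primary gateway unreachable, so hosts pinned to
# a dead provider fail over instead of staying dark until their list entry expires
/ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 routing-mark=ISP1 distance=2 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 routing-mark=ISP2 distance=2 check-gateway=ping

# Main table for unmarked traffic (the router itself, hosts not yet in either list)
/ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 distance=2 check-gateway=ping

# Verify which route is active in each table (flag A in the first column)
/ip route print where routing-mark=ISP1
/ip route print where routing-mark=ISP2
```

check-gateway=ping only tests the next hop (10.18.5.254, or the far end of the tunnel); an outage further upstream behind a reachable gateway is not detected. Connections that were already masqueraded through the failed provider are still lost on failover, because their NAT mapping holds the old source address.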

Policy routing: separating HTTP, SSL, SSH, SMTP, POP3, IMAP and RDESKTOP traffic

It often happens that we have two providers and want to route certain services through only one of them. Here everything else leaves through Provider 1, and the listed TCP services are marked by destination port and routed through the ipip1 tunnel to Provider 2.

                                   ROUTING OTHER TRAFFIC => => => =>
                                         +--------------+     /
                          dhcp-client    | 10.18.5.254  |    |
                         +---------------+  Provider 1  +----- BTC
        __               |ether1-gateway |              |   /
    ___/  \_      +------+----------+    +--------------+  |
  _/        \__   |  10.18.5.3/24   |                     /
 /             \  |                 |                     |
| 192.168.88.1 ---+ MikroTik router |                     | Internet
 \           __/  |                 |                     |
   \__     __/    |93.155.130.30/30 |                     \
      \___/       +------+----------+    +--------------+  |
                         | ipip1         |93.155.130.29 |  \
                         +---------------+  Provider 2  +---- GCN
                           ipip tunnel   |              |   |
                                         +--------------+    \______
             ROUTING HTTP,SSL,SSH,SMTP,POP3,IMAP TRAFFIC => => => =>
# Uplink 1 as before; its address and default route come from the dhcp-client on ether1-gateway
interface ethernet set ether1-gateway mac-address=00:0C:42:54:F4:CB disabled=no
# Uplink 2: IPIP tunnel to Provider 2, with MSS clamping for the reduced tunnel MTU
interface ipip add local-address=10.18.5.3 remote-address=93.155.131.1 disabled=no
ip address add address=93.155.130.30/30 interface=ipip1
ip firewall mangle add chain=postrouting protocol=tcp tcp-flags=syn out-interface=ipip1 action=change-mss new-mss=clamp-to-pmtu

# Source NAT for the tunnel side (the masquerade for ether1-gateway is the one from the first scheme)
ip firewall nat add chain=srcnat action=masquerade out-interface=ipip1

# One routing mark per service, selected by TCP destination port
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark="HTTP-traffic" passthrough=no dst-port=80 protocol=tcp disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark="SSL-traffic" passthrough=no dst-port=443 protocol=tcp disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark="SSH-traffic" passthrough=no dst-port=22 protocol=tcp disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark="SMTP-traffic" passthrough=no dst-port=25 protocol=tcp disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark="POP3-traffic" passthrough=no dst-port=110 protocol=tcp disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark="IMAP-traffic" passthrough=no dst-port=143 protocol=tcp disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark="RDESKTOP-traffic" passthrough=no dst-port=3389 protocol=tcp disabled=no

# Every marked service gets a default route through Provider 2; unmarked traffic uses the main table
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="HTTP-traffic" disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SSL-traffic" disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SSH-traffic" disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SMTP-traffic" disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="POP3-traffic" disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="IMAP-traffic" disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="RDESKTOP-traffic" disabled=no
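The mangle rules above have no in-interface match, so they also fire on packets arriving from either uplink, and they re-evaluate the port match on every packet of every connection. The rules below are an added example, not part of the original post: the same policy scoped to the LAN interface and collapsed to a single connection mark. They assume ether2-local-master is the LAN interface (the name this page uses in the second scheme), that 93.155.130.29 on ipip1 is Provider 2, and that the masquerade on ipip1 from above is in place.

```routeros
# Added example (not from the original post): the service policy above, scoped to the
# LAN interface and done with one connection mark instead of seven routing marks.
# Assumes ether2-local-master is the LAN interface, ipip1/93.155.130.29 is Provider 2,
# and the srcnat masquerade on ipip1 from the scheme above exists.

# Mark the connection once, on its first packet from the LAN, when the destination
# is one of the listed TCP services (dst-port accepts a comma-separated list)
/ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-state=new protocol=tcp dst-port=80,443,22,25,110,143,3389 action=mark-connection new-connection-mark=via-isp2 passthrough=yes

# Every packet of a marked connection gets the routing mark. The in-interface match
# guarantees that packets arriving from either uplink are never policy-routed
/ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=via-isp2 action=mark-routing new-routing-mark=via-isp2 passthrough=no

# One route for the single mark instead of seven
/ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 routing-mark=via-isp2

# Check which connections are currently being steered through the tunnel
/ip firewall connection print where connection-mark=via-isp2
```

To add or drop a service, edit the port list in the first rule; no new route is needed.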

Policy routing: separation by network and by address

In the situation below we route our whole local network 192.168.88.0/24 to one provider via the gateway 10.18.5.254, and the single address 192.168.88.19 to the other provider via the gateway 93.155.130.29. In this way we choose, per network or per user under our control, which provider to send them through. Note that the order of the two mangle rules matters: the /24 rule also matches 192.168.88.19, and it is only because mark-routing has passthrough=yes by default that the later, more specific rule overwrites the mark. If you set passthrough=no on the rules, put the host rule first.

                                                               _____
                                         +--------------+     /
                          dhcp-client    | 10.18.5.254  |    |
                         +---------------+  Provider 1  +----- BTC
        __               |ether1-gateway |              |   /
    ___/  \_      +------+----------+    +--------------+  |
  _/        \__   |  10.18.5.3/24   |                     /
 /             \  |                 |                     |
| 192.168.88.1 ---+ MikroTik router |                     | Internet
 \           __/  |                 |                     |
   \__     __/    |93.155.130.30/30 |                     \
      \___/       +------+----------+    +--------------+  |
                         | ipip1         |93.155.130.29 |  \
                         +---------------+  Provider 2  +---- GCN
                           ipip tunnel   |              |   |
                                         +--------------+    \______
# Whole LAN: mark inet1 and route via Provider 1 (passthrough stays at its default, yes)
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=inet1 src-address=192.168.88.0/24 disabled=no
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 routing-mark=inet1 disabled=no

# Single host: listed after the /24 rule so its mark user19 overwrites inet1, and routed via Provider 2
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=user19 src-address=192.168.88.19 disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark=user19 disabled=no
