Load Balancing – удвояване на скоростта с нестабилни връзки
В тази схема получаваме удвояване на скоростта, но на всеки 10 минути рутерът изчиства рутиращата таблица, което е крайно неприятно за връзки от рода на SSH и SSL например.
_____
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______ |
_____
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______
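# Load balancing over two uplinks with a single ECMP default route.
# Connections are spread across both gateways; because the router flushes
# its routing table periodically (see the note above), long-lived sessions
# such as SSH or SSL may be moved to the other uplink and drop.
interface ethernet set ether1-gateway mac-address=00:0C:42:54:F4:CB disabled=no
# Fixed: the "ip address" menu path was missing; a bare "add" fails when the
# script is pasted at the root menu.
ip address add address=10.18.5.3 netmask=255.255.255.0 interface=ether1-gateway
interface ipip add local-address=10.18.5.3 remote-address=93.155.131.1 disabled=no
ip address add address=93.155.130.30 netmask=255.255.255.252 interface=ipip1
# Clamp TCP MSS on the tunnel so the IPIP encapsulation overhead does not
# lead to fragmentation / PMTU black holes.
ip firewall mangle add chain=postrouting protocol=tcp tcp-flags=syn out-interface=ipip1 action=change-mss new-mss=clamp-to-pmtu
# Source NAT behind each uplink.
ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway
ip firewall nat add chain=srcnat action=masquerade out-interface=ipip1
# ECMP default route; check-gateway=ping removes a gateway that stops
# answering from the set.
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254,93.155.130.29 check-gateway=ping
# Connections addressed to the router itself are marked by the uplink they
# arrived on, so the router's own replies leave through that same uplink.
ip firewall mangle add chain=input in-interface=ether1-gateway action=mark-connection new-connection-mark=ether1-gateway-conn
ip firewall mangle add chain=input in-interface=ipip1 action=mark-connection new-connection-mark=ipip1-conn
ip firewall mangle add chain=output connection-mark=ether1-gateway-conn action=mark-routing new-routing-mark=to_ether1-gateway
# Fixed: this rule also matched ether1-gateway-conn (copy-paste), so it
# overwrote the mark set by the previous rule and replies to connections
# received over ipip1 were never routed back via ipip1.
ip firewall mangle add chain=output connection-mark=ipip1-conn action=mark-routing new-routing-mark=to_ipip1
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 routing-mark=to_ether1-gateway
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 routing-mark=to_ipip1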
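# Load balancing over two uplinks with a single ECMP default route.
# Connections are spread across both gateways; because the router flushes
# its routing table periodically (see the note above), long-lived sessions
# such as SSH or SSL may be moved to the other uplink and drop.
interface ethernet set ether1-gateway mac-address=00:0C:42:54:F4:CB disabled=no
# Fixed: the "ip address" menu path was missing; a bare "add" fails when the
# script is pasted at the root menu.
ip address add address=10.18.5.3 netmask=255.255.255.0 interface=ether1-gateway
interface ipip add local-address=10.18.5.3 remote-address=93.155.131.1 disabled=no
ip address add address=93.155.130.30 netmask=255.255.255.252 interface=ipip1
# Clamp TCP MSS on the tunnel so the IPIP encapsulation overhead does not
# lead to fragmentation / PMTU black holes.
ip firewall mangle add chain=postrouting protocol=tcp tcp-flags=syn out-interface=ipip1 action=change-mss new-mss=clamp-to-pmtu
# Source NAT behind each uplink.
ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway
ip firewall nat add chain=srcnat action=masquerade out-interface=ipip1
# ECMP default route; check-gateway=ping removes a gateway that stops
# answering from the set.
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254,93.155.130.29 check-gateway=ping
# Connections addressed to the router itself are marked by the uplink they
# arrived on, so the router's own replies leave through that same uplink.
ip firewall mangle add chain=input in-interface=ether1-gateway action=mark-connection new-connection-mark=ether1-gateway-conn
ip firewall mangle add chain=input in-interface=ipip1 action=mark-connection new-connection-mark=ipip1-conn
ip firewall mangle add chain=output connection-mark=ether1-gateway-conn action=mark-routing new-routing-mark=to_ether1-gateway
# Fixed: this rule also matched ether1-gateway-conn (copy-paste), so it
# overwrote the mark set by the previous rule and replies to connections
# received over ipip1 were never routed back via ipip1.
ip firewall mangle add chain=output connection-mark=ipip1-conn action=mark-routing new-routing-mark=to_ipip1
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 routing-mark=to_ether1-gateway
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 routing-mark=to_ipip1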
Load Balancing – равномерно разпределяне на клиентите
Този пример е различен вариант на горната схема за load balancing. Разликата е, че тук има устойчиви потребителски сесии, т.е. определен потребител ще използва същия IP адрес на източника за всички свои изходящи връзки. В този смисъл скоростта не се удвоява за отделен клиент, а по-скоро клиентите се балансират поравно между двата доставчика (в случая са два, но могат да бъдат и повече).
_____
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______ |
_____
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______
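# Per-client load balancing: every LAN client is pinned to one ISP for all
# of its connections (address lists with a 1-day timeout); clients that are
# not yet pinned are assigned alternately with nth.
# The masquerade rules for both uplinks from the first example are still
# required; they are not repeated here.
# Clients already in a list keep their ISP: mark the connection, then route it.
ip firewall mangle add chain=prerouting src-address-list=ISP1 in-interface=ether2-local-master action=mark-connection new-connection-mark=ISP1
ip firewall mangle add chain=prerouting src-address-list=ISP1 in-interface=ether2-local-master action=mark-routing new-routing-mark=ISP1 passthrough=no
ip firewall mangle add chain=prerouting src-address-list=ISP2 in-interface=ether2-local-master action=mark-connection new-connection-mark=ISP2
ip firewall mangle add chain=prerouting src-address-list=ISP2 in-interface=ether2-local-master action=mark-routing new-routing-mark=ISP2 passthrough=no
# Unpinned clients: new connections are split between ISP1 (nth=2,1) and
# ISP2 (nth=2,2); the source address is then added to the matching list
# (refreshed on every marked packet) so the client sticks to that ISP.
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-state=new nth=2,1 action=mark-connection new-connection-mark=ISP1 passthrough=yes
ip firewall mangle add chain=prerouting in-interface=ether2-local-master action=add-src-to-address-list address-list=ISP1 address-list-timeout=1d connection-mark=ISP1
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ISP1 action=mark-routing new-routing-mark=ISP1 passthrough=no
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-state=new nth=2,2 action=mark-connection new-connection-mark=ISP2 passthrough=yes
ip firewall mangle add chain=prerouting in-interface=ether2-local-master action=add-src-to-address-list address-list=ISP2 address-list-timeout=1d connection-mark=ISP2
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ISP2 action=mark-routing new-routing-mark=ISP2 passthrough=no
# Per-ISP routing tables. check-gateway=ping added: without it a client pinned
# to an ISP whose gateway stopped answering stayed black-holed for up to the
# 1d list timeout; an inactive marked route lets the lookup fall back to the
# main table.
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 routing-mark=ISP1 check-gateway=ping
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark=ISP2 check-gateway=ping
# Main table: primary via Provider 1, backup via Provider 2 (higher distance)
# so unmarked traffic and fallen-back clients survive a dead gateway.
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 check-gateway=ping
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 distance=2 check-gateway=ping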
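# Per-client load balancing: every LAN client is pinned to one ISP for all
# of its connections (address lists with a 1-day timeout); clients that are
# not yet pinned are assigned alternately with nth.
# The masquerade rules for both uplinks from the first example are still
# required; they are not repeated here.
# Clients already in a list keep their ISP: mark the connection, then route it.
ip firewall mangle add chain=prerouting src-address-list=ISP1 in-interface=ether2-local-master action=mark-connection new-connection-mark=ISP1
ip firewall mangle add chain=prerouting src-address-list=ISP1 in-interface=ether2-local-master action=mark-routing new-routing-mark=ISP1 passthrough=no
ip firewall mangle add chain=prerouting src-address-list=ISP2 in-interface=ether2-local-master action=mark-connection new-connection-mark=ISP2
ip firewall mangle add chain=prerouting src-address-list=ISP2 in-interface=ether2-local-master action=mark-routing new-routing-mark=ISP2 passthrough=no
# Unpinned clients: new connections are split between ISP1 (nth=2,1) and
# ISP2 (nth=2,2); the source address is then added to the matching list
# (refreshed on every marked packet) so the client sticks to that ISP.
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-state=new nth=2,1 action=mark-connection new-connection-mark=ISP1 passthrough=yes
ip firewall mangle add chain=prerouting in-interface=ether2-local-master action=add-src-to-address-list address-list=ISP1 address-list-timeout=1d connection-mark=ISP1
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ISP1 action=mark-routing new-routing-mark=ISP1 passthrough=no
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-state=new nth=2,2 action=mark-connection new-connection-mark=ISP2 passthrough=yes
ip firewall mangle add chain=prerouting in-interface=ether2-local-master action=add-src-to-address-list address-list=ISP2 address-list-timeout=1d connection-mark=ISP2
ip firewall mangle add chain=prerouting in-interface=ether2-local-master connection-mark=ISP2 action=mark-routing new-routing-mark=ISP2 passthrough=no
# Per-ISP routing tables. check-gateway=ping added: without it a client pinned
# to an ISP whose gateway stopped answering stayed black-holed for up to the
# 1d list timeout; an inactive marked route lets the lookup fall back to the
# main table.
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 routing-mark=ISP1 check-gateway=ping
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark=ISP2 check-gateway=ping
# Main table: primary via Provider 1, backup via Provider 2 (higher distance)
# so unmarked traffic and fallen-back clients survive a dead gateway.
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 check-gateway=ping
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 distance=2 check-gateway=ping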
Policy routing – отделяне на HTTP, SSL, SSH, SMTP, POP3, IMAP, RDESKTOP трафик
Често се случва да имаме два доставчика и да искаме да рутираме определени услуги само през единия от тях.
ROUTING OTHER TRAFFIC => => => =>
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______
ROUTING HTTP,SSL,SSH,SMTP,POP3,IMAP TRAFFIC => => => => |
ROUTING OTHER TRAFFIC => => => =>
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______
ROUTING HTTP,SSL,SSH,SMTP,POP3,IMAP TRAFFIC => => => =>
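# Policy routing: selected TCP services originating from the LAN leave via
# Provider 2 (ipip1); all other traffic follows the main routing table.
interface ethernet set ether1-gateway mac-address=00:0C:42:54:F4:CB disabled=no
interface ipip add local-address=10.18.5.3 remote-address=93.155.131.1 disabled=no
ip address add address=93.155.130.30/30 interface=ipip1
# Clamp TCP MSS on the tunnel so the IPIP encapsulation overhead does not
# lead to fragmentation / PMTU black holes.
ip firewall mangle add chain=postrouting protocol=tcp tcp-flags=syn out-interface=ipip1 action=change-mss new-mss=clamp-to-pmtu
ip firewall nat add chain=srcnat action=masquerade out-interface=ipip1
# Routing marks per service. src-address=192.168.88.0/24 added: the original
# rules matched any packet with these dst-ports regardless of where it came
# from, so traffic arriving on either uplink towards a LAN host (e.g. a
# dst-natted server) also received the mark and was looked up in a table
# whose only route is the ipip1 default.
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=80 action=mark-routing new-routing-mark="HTTP-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 action=mark-routing new-routing-mark="SSL-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=22 action=mark-routing new-routing-mark="SSH-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=25 action=mark-routing new-routing-mark="SMTP-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=110 action=mark-routing new-routing-mark="POP3-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=143 action=mark-routing new-routing-mark="IMAP-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=3389 action=mark-routing new-routing-mark="RDESKTOP-traffic" passthrough=no disabled=no
# One default route per mark via Provider 2. check-gateway=ping added: the
# ipip interface stays up even when the far end is unreachable, so without
# it these services were black-holed; an inactive route lets the lookup
# fall back to the main table.
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="HTTP-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SSL-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SSH-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SMTP-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="POP3-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="IMAP-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="RDESKTOP-traffic" check-gateway=ping disabled=no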
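# Policy routing: selected TCP services originating from the LAN leave via
# Provider 2 (ipip1); all other traffic follows the main routing table.
interface ethernet set ether1-gateway mac-address=00:0C:42:54:F4:CB disabled=no
interface ipip add local-address=10.18.5.3 remote-address=93.155.131.1 disabled=no
ip address add address=93.155.130.30/30 interface=ipip1
# Clamp TCP MSS on the tunnel so the IPIP encapsulation overhead does not
# lead to fragmentation / PMTU black holes.
ip firewall mangle add chain=postrouting protocol=tcp tcp-flags=syn out-interface=ipip1 action=change-mss new-mss=clamp-to-pmtu
ip firewall nat add chain=srcnat action=masquerade out-interface=ipip1
# Routing marks per service. src-address=192.168.88.0/24 added: the original
# rules matched any packet with these dst-ports regardless of where it came
# from, so traffic arriving on either uplink towards a LAN host (e.g. a
# dst-natted server) also received the mark and was looked up in a table
# whose only route is the ipip1 default.
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=80 action=mark-routing new-routing-mark="HTTP-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=443 action=mark-routing new-routing-mark="SSL-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=22 action=mark-routing new-routing-mark="SSH-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=25 action=mark-routing new-routing-mark="SMTP-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=110 action=mark-routing new-routing-mark="POP3-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=143 action=mark-routing new-routing-mark="IMAP-traffic" passthrough=no disabled=no
ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=3389 action=mark-routing new-routing-mark="RDESKTOP-traffic" passthrough=no disabled=no
# One default route per mark via Provider 2. check-gateway=ping added: the
# ipip interface stays up even when the far end is unreachable, so without
# it these services were black-holed; an inactive route lets the lookup
# fall back to the main table.
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="HTTP-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SSL-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SSH-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="SMTP-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="POP3-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="IMAP-traffic" check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark="RDESKTOP-traffic" check-gateway=ping disabled=no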
Policy routing – разделяне по мрежа и адрес
В долната ситуация ще рутираме локалната ни мрежа 192.168.88.0/24 към единия доставчик през маршрутизатор 10.18.5.254, а IP адрес 192.168.88.19 – към другия доставчик през маршрутизатор 93.155.130.29. По този начин можем да определяме коя мрежа или кой потребител от тези, които управляваме, към кой доставчик да насочим.
_____
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______ |
_____
+--------------+ /
dhcp-client | 10.18.5.254 | |
+---------------+ Provider 1 +----- BTC
__ |ether1-gateway | | /
___/ \_ +------+----------+ +--------------+ |
_/ \__ | 10.18.5.3/24 | /
/ \ | | |
| 192.168.88.1 ---+ MikroTik router | | Internet
\ __/ | | |
\__ __/ |93.155.130.30/30 | \
\___/ +------+----------+ +--------------+ |
| ipip1 |93.155.130.29 | \
+---------------+ Provider 2 +---- GCN
ipip tunnel | | |
+--------------+ \______
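# Policy routing by source: host 192.168.88.19 goes via Provider 2
# (93.155.130.29), the rest of the LAN via Provider 1 (10.18.5.254).
# Mangle rules are evaluated top-down, so the more specific /32 rule comes
# first and stops further processing (passthrough=no). The original order
# put the /24 rule first and only worked because its default passthrough=yes
# let the later /32 rule overwrite the mark.
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=user19 src-address=192.168.88.19 passthrough=no disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=inet1 src-address=192.168.88.0/24 passthrough=no disabled=no
# check-gateway=ping added so a gateway that stops answering makes its route
# inactive and the lookup can fall back to the main table instead of
# black-holing that network / host.
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark=user19 check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 routing-mark=inet1 check-gateway=ping disabled=no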
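# Policy routing by source: host 192.168.88.19 goes via Provider 2
# (93.155.130.29), the rest of the LAN via Provider 1 (10.18.5.254).
# Mangle rules are evaluated top-down, so the more specific /32 rule comes
# first and stops further processing (passthrough=no). The original order
# put the /24 rule first and only worked because its default passthrough=yes
# let the later /32 rule overwrite the mark.
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=user19 src-address=192.168.88.19 passthrough=no disabled=no
ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=inet1 src-address=192.168.88.0/24 passthrough=no disabled=no
# check-gateway=ping added so a gateway that stops answering makes its route
# inactive and the lookup can fall back to the main table instead of
# black-holing that network / host.
ip route add dst-address=0.0.0.0/0 gateway=93.155.130.29 scope=255 target-scope=10 routing-mark=user19 check-gateway=ping disabled=no
ip route add dst-address=0.0.0.0/0 gateway=10.18.5.254 scope=255 target-scope=10 routing-mark=inet1 check-gateway=ping disabled=no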