Thursday, 20 February 2014

Mikrotik Policy-Based Routing 2 ISP

2 ISPs ---> 2 local LAN address ranges
What we want to happen is for all machines in the IP range 192.168.88.100 through 192.168.88.150 to use ISP1 (192.168.25.1), and all machines in the IP range 192.168.88.151 through 192.168.88.200 to use ISP2 (192.168.50.1).
So, our interface IP assignments could be something like this:

/ip address
add address=192.168.88.1/24 disabled=no interface=LAN network=192.168.88.0
add address=192.168.25.1/24 disabled=no interface=WAN1 network=192.168.25.0
add address=192.168.50.1/24 disabled=no interface=WAN2 network=192.168.50.0
First, let’s get some address lists going in IP > Firewall > Address Lists

/ip firewall address-list
add address=192.168.88.100-192.168.88.150 comment="Use ISP 1" disabled=no list=patron
add address=192.168.88.151-192.168.88.200 comment="Use ISP 2" disabled=no list=staff
Now, let’s set up routing marks based on the address lists above:

/ip firewall mangle
add action=mark-routing chain=prerouting comment=ISP1 disabled=no new-routing-mark=ISP1 passthrough=yes src-address-list=patron
add action=mark-routing chain=prerouting comment=ISP2 disabled=no new-routing-mark=ISP2 passthrough=yes src-address-list=staff
Finally, we add default routes selected by the routing mark of the packets. A packet that carries no routing mark, or a mark whose table holds no matching route, falls through to the main routing table:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.25.1 routing-mark=ISP1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.50.1 routing-mark=ISP2 scope=30 target-scope=10
Another way we could use policy-based routing would be for routing packets through a filtering proxy. Suppose we have a transparent Squid proxy set up for content filtering in our network. We would need to set up four interfaces: WAN, LAN, and two more to loop the packets out to the Squid box and back into the router. Our diagram is something like this:
Our interface list:

/ip address
add address=192.168.88.1/24 disabled=no interface=LAN network=192.168.88.0 comment="LAN"
add address=192.168.25.1/24 disabled=no interface=WAN network=192.168.25.0 comment="WAN"
add address=192.168.101.1/24 disabled=no interface=F-Out network=192.168.101.0 comment="Filter Out"
add address=192.168.102.1/24 disabled=no interface=F-In network=192.168.102.0 comment="Filter In"
What we would do is cable the filter-out (F-Out) interface of the router to the LAN port of the Squid box (assigned IP 192.168.101.2). Then, cable the Squid box WAN port (assigned IP 192.168.102.2) back to the filter-in (F-In) interface of the router. This creates a detour path to route our packets through if we wish to filter them. Then, set up an address-list for filtered machines, as well as routing marks in mangle:

/ip firewall address-list
add address=192.168.88.100-192.168.88.150 comment="Filtered" disabled=no list=patron
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Filtered disabled=no new-routing-mark=Filtered passthrough=yes src-address-list=patron
Notice in this example that we need only create address-lists and mangle rules for machines we wish to detour through the Squid box as all other packets will exit the router directly through the WAN port and out to the Internet like normal.
Now, we set one routing rule for the detour, using the Squid box LAN IP as our gateway:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.101.2 routing-mark=Filtered scope=30 target-scope=10
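As an added illustration (this is not code from the original post, nor RouterOS code), the following Python model walks a packet through the two configurations above in the order the router applies them: address-list lookup, the mark-routing rule in prerouting, then the route lookup that falls back to the main table when no marked route exists. The optional in_interface field on the rule and the main-table default routes are assumptions not on the page. They are there to show the one failure mode of the Squid detour worth checking: if the Squid box forwards a packet back to F-In with the client's source address still intact (assumed here; a proxy that rewrites the source does not trigger it), the page's mangle rule, which has no in-interface match, marks it Filtered a second time and sends it around the loop again.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model written for this example. It only imitates the order of
# operations the page relies on: address-list match -> mark-routing in
# prerouting -> route lookup. It is not RouterOS code.

def in_list(ip: str, first: str, last: str) -> bool:
    """True if ip lies in the inclusive range first-last (address-list syntax)."""
    a = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(first)) <= a <= int(ipaddress.ip_address(last))

@dataclass
class MangleRule:
    src_list: str                       # src-address-list=
    new_mark: str                       # new-routing-mark=
    in_interface: Optional[str] = None  # assumption: optional in-interface= match, not on the page

@dataclass
class Route:
    gateway: str
    routing_mark: Optional[str] = None  # None = main routing table

def decide(src_ip: str, in_iface: str, lists: Dict[str, Tuple[str, str]],
           mangle: List[MangleRule], routes: List[Route]) -> Tuple[Optional[str], Optional[str]]:
    """Return (routing_mark, gateway). All rules on the page use passthrough=yes,
    so the last matching rule's mark wins; an unmarked packet, or a mark with no
    route in its table, falls through to the main table."""
    mark = None
    for rule in mangle:
        if rule.in_interface is not None and rule.in_interface != in_iface:
            continue
        if in_list(src_ip, *lists[rule.src_list]):
            mark = rule.new_mark
    for r in routes:
        if mark is not None and r.routing_mark == mark:
            return mark, r.gateway
    for r in routes:
        if r.routing_mark is None:
            return mark, r.gateway
    return mark, None

# --- First scenario on the page: patron -> ISP1, staff -> ISP2 ---
TWO_ISP_LISTS = {"patron": ("192.168.88.100", "192.168.88.150"),
                 "staff":  ("192.168.88.151", "192.168.88.200")}
TWO_ISP_MANGLE = [MangleRule("patron", "ISP1"), MangleRule("staff", "ISP2")]
TWO_ISP_ROUTES = [Route("192.168.25.1", "ISP1"), Route("192.168.50.1", "ISP2"),
                  Route("192.168.25.1")]  # assumption: main-table default via ISP1 (page shows none)

def two_isp(src_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Decision for a packet arriving on LAN in the two-ISP setup."""
    return decide(src_ip, "LAN", TWO_ISP_LISTS, TWO_ISP_MANGLE, TWO_ISP_ROUTES)

# --- Second scenario: detour patron traffic through the Squid box ---
DETOUR_LISTS = {"patron": ("192.168.88.100", "192.168.88.150")}
DETOUR_ROUTES = [Route("192.168.101.2", "Filtered"),
                 Route("192.168.25.1")]  # assumption: main-table default via the WAN gateway

def detour(src_ip: str, in_iface: str, lan_only: bool) -> Tuple[Optional[str], Optional[str]]:
    """lan_only=False reproduces the page's rule (no in-interface match).
    lan_only=True adds in-interface=LAN (assumption), so a packet coming back from
    the Squid box on F-In with the client's source address is not marked Filtered
    again and routed back to 192.168.101.2 in a loop."""
    rule = MangleRule("patron", "Filtered", "LAN" if lan_only else None)
    return decide(src_ip, in_iface, DETOUR_LISTS, [rule], DETOUR_ROUTES)

if __name__ == "__main__":
    print(two_isp("192.168.88.120"), two_isp("192.168.88.175"), two_isp("192.168.88.50"))
    print(detour("192.168.88.120", "LAN", False),   # first pass: sent to Squid
          detour("192.168.88.120", "F-In", False),  # page's rule: sent to Squid again
          detour("192.168.88.120", "F-In", True))   # LAN-only rule: out the WAN
```

The hosts outside both address lists fall through to the main table in both scenarios, which is why the page only needs rules for the machines it wants to steer.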

Monday, 3 February 2014

Mikrotik RouterOS Multi-WAN PCC

Mikrotik RouterOS Multi-WAN PCC howto


This guide assumes the following:

"ISP1" is your 1st wan connection name
"ISP2" is your 2nd wan connection name
"LAN" is your local network name

"ISP1" receives the IP 111.111.111.1/24 on the network 111.111.111.0/24
"ISP2" receives the IP 222.222.222.1/24 on the network 222.222.222.0/24

1. If your ISPs assign IPs via DHCP, be sure to do the following (if they are assigned statically, move to step 2):

Log into the routeros webfig or winbox:
  • IP
  • DHCP Client
  • Click on your first WAN DHCP client
  • Change "add default gateway" to no
  • Repeat the same for your second WAN connection

2. Remove current routing rules
  • IP
  • Firewall
  • Nat
  • Remove the entry for "masquerade" to your current single ISP.

3. SSH into your router and run the following script:
Code:
/ ip firewall mangle
add chain=prerouting dst-address=111.111.111.0/24  action=accept in-interface=LAN
add chain=prerouting dst-address=222.222.222.0/24  action=accept in-interface=LAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1     
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=111.111.111.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 distance=2 check-gateway=ping

/ ip firewall nat 
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
This script assumes that you have 2 equal WAN connections (e.g. two 7/1 DSL lines). If you have unbalanced connections you can modify the section of the script that defines how the traffic is balanced. That starts on line 6.

For example, I have a 45/6 connection and a 30/6 connection, and I have the following lines (note that there are 5 lines; the first one starts at 5/0 and moves on from there):

Code:
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/2 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/3 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/4 action=mark-connection new-connection-mark=ISP1_conn
The PCC method automatically does failover. An all-around good way to load-balance 2 connections. You can also balance more connections by configuring the script correctly.
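The following Python model is an added example, not code from the forum post or from RouterOS, that shows what the per-connection-classifier lines above actually decide: the first packet of a new LAN connection is run through the accept rules for the ISP subnets, the dst-address-type=!local exclusion, and then the PCC buckets, where connection-mark=no-mark means the first matching rule wins and the connection stays on that ISP. RouterOS does not publish its classifier hash, so SHA-256 over the packed source and destination addresses stands in for it (an assumption); the LAN address 192.168.88.1 and the sample destinations are constructed. Running it over a constructed set of flows shows the 2/0,2/1 split landing roughly half and half, and the five-line 45/30 split sending about three fifths of connections to ISP1.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

# Constructed model for this example, not RouterOS code. Subnets and marks are the page's.
ISP_SUBNETS = [ipaddress.ip_network("111.111.111.0/24"), ipaddress.ip_network("222.222.222.0/24")]
ROUTER_ADDRESSES = {"111.111.111.1", "222.222.222.1", "192.168.88.1"}  # assumption: LAN IP 192.168.88.1
ROUTING_MARK = {"ISP1_conn": "to_ISP1", "ISP2_conn": "to_ISP2"}          # connection mark -> routing mark

PccRule = Tuple[int, int, str]  # (denominator, remainder, new-connection-mark)
BALANCED: List[PccRule] = [(2, 0, "ISP1_conn"), (2, 1, "ISP2_conn")]
UNBALANCED_45_30: List[PccRule] = [(5, 0, "ISP1_conn"), (5, 1, "ISP2_conn"), (5, 2, "ISP1_conn"),
                                   (5, 3, "ISP2_conn"), (5, 4, "ISP1_conn")]

def pcc_bucket(src_ip: str, dst_ip: str, denominator: int) -> int:
    """Stand-in for per-connection-classifier=both-addresses:D/R. RouterOS hashes the
    chosen fields and tests hash mod D == R; its hash function is not published, so
    SHA-256 is used here (assumption). The property that matters survives: the same
    src/dst pair always lands in the same bucket, so one connection never straddles ISPs."""
    key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return int.from_bytes(hashlib.sha256(key).digest(), "big") % denominator

def classify_new_connection(src_ip: str, dst_ip: str, rules: List[PccRule]) -> Optional[str]:
    """Walk the prerouting mangle chain for the first packet of a connection arriving on LAN:
    accept rules for the ISP subnets, then dst-address-type=!local, then the PCC rules.
    connection-mark=no-mark means the first PCC rule that matches sets the mark for good."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in ISP_SUBNETS):
        return None          # action=accept: reach the ISP subnet through the main table, unmarked
    if dst_ip in ROUTER_ADDRESSES:
        return None          # dst-address-type=!local keeps traffic to the router itself unmarked
    for denominator, remainder, mark in rules:
        if pcc_bucket(src_ip, dst_ip, denominator) == remainder:
            return mark
    return None

def routing_mark(conn_mark: Optional[str]) -> Optional[str]:
    """Mirror the mark-routing rules: ISP1_conn -> to_ISP1, ISP2_conn -> to_ISP2."""
    return ROUTING_MARK.get(conn_mark) if conn_mark else None

def simulate(rules: List[PccRule], flows: int = 1000) -> Counter:
    """Constructed sample: LAN hosts 192.168.88.10-209 opening connections to a spread of
    destinations in 198.51.100.0/24 and 203.0.113.0/24 (documentation ranges)."""
    counts: Counter = Counter()
    for i in range(flows):
        src = f"192.168.88.{10 + i % 200}"
        base = ipaddress.ip_address("198.51.100.0") if i % 2 == 0 else ipaddress.ip_address("203.0.113.0")
        dst = str(base + (i // 2) % 256)
        counts[classify_new_connection(src, dst, rules)] += 1
    return counts

if __name__ == "__main__":
    print("2/0,2/1   :", dict(simulate(BALANCED)))
    print("5/0..5/4  :", dict(simulate(UNBALANCED_45_30)))
    print("to ISP net:", classify_new_connection("192.168.88.10", "111.111.111.5", BALANCED))
```

Because the split is by connection, not by packet, per-connection stickiness is what keeps NAT state consistent on each ISP; the ratio you get is the fraction of buckets assigned to each mark (3 of 5 for ISP1 above), not the fraction of bandwidth, so pick the bucket count to approximate the link ratio.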

from:
http://hardforum.com/showthread.php?p=1040363288