
Mikrotik PCC Load Balancing with External Proxy

Topology

*) The IPs in the illustration are not the IPs used in the tutorial below.

As an overview, the setup looks roughly like this: 3 Speedy lines, 1 proxy line and 1 local line plugged into the ports of the RB750G.

Basic configuration:

1. Set up the interfaces to be used

    /interface ethernet
    set 0 comment="Public Interface 1" name=Public_1
    set 1 comment="Public Interface 2" name=Public_2
    set 2 comment="Public Interface 3" name=Public_3
    set 3 comment="Local Interface" name=Local
    set 4 comment="Proxy Interface" name=Proxy

2. Set up the pppoe-client; the 3 lines are used without a default route

    /interface pppoe-client
    add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=\
        pppoe_1 dial-on-demand=no disabled=no interface=Public_1 max-mru=1480 \
        max-mtu=1480 mrru=disabled name=pppoe_1 password=********* profile=\
        default service-name="" use-peer-dns=no user=*********@telkom.net
    add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=\
        pppoe_2 dial-on-demand=no disabled=no interface=Public_2 max-mru=1480 \
        max-mtu=1480 mrru=disabled name=pppoe_2 password=********* profile=\
        default service-name="" use-peer-dns=no user=*********@telkom.net
    add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment=\
        pppoe_3 dial-on-demand=no disabled=no interface=Public_3 max-mru=1480 \
        max-mtu=1480 mrru=disabled name=pppoe_3 password=********* profile=\
        default service-name="" use-peer-dns=no user=*********@telkom.net

3. IP addresses used on each interface of the RB750G

    /ip address
    add address=192.168.1.12/24 broadcast=192.168.1.255 comment="" disabled=no \
        interface=Public_1 network=192.168.1.0
    add address=192.168.2.12/24 broadcast=192.168.2.255 comment="" disabled=no \
        interface=Public_2 network=192.168.2.0
    add address=192.168.3.12/24 broadcast=192.168.3.255 comment="" disabled=no \
        interface=Public_3 network=192.168.3.0
    add address=10.20.30.200/24 broadcast=10.20.30.255 comment="" disabled=no \
        interface=Local network=10.20.30.0
    add address=192.168.10.1/24 broadcast=192.168.10.255 comment="" disabled=no \
        interface=Proxy network=192.168.10.0

4. DNS servers used

    /ip dns
    set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
        max-udp-packet-size=512 servers=\
        125.160.4.82,203.130.196.155,203.130.196.5,222.124.204.34,202.134.0.61
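With allow-remote-requests=yes the router answers DNS queries on every interface, including the three PPPoE links, so the resolver is reachable from the internet unless the input chain filters it. The rules below are an added example, not part of the original tutorial; they assume the interface names pppoe_1 to pppoe_3 from step 2 and that the router has no other input filter rules in front of them:

```routeros
/ip firewall filter
# Drop DNS queries arriving from the internet side, so only the Local and
# Proxy networks can use the router as a resolver. The router's own upstream
# lookups still work: their replies return to an ephemeral destination port,
# not to port 53.
add action=drop chain=input comment="DROP DNS FROM WAN" disabled=no \
    dst-port=53 in-interface=pppoe_1 protocol=udp
add action=drop chain=input comment="" disabled=no \
    dst-port=53 in-interface=pppoe_1 protocol=tcp
add action=drop chain=input comment="" disabled=no \
    dst-port=53 in-interface=pppoe_2 protocol=udp
add action=drop chain=input comment="" disabled=no \
    dst-port=53 in-interface=pppoe_2 protocol=tcp
add action=drop chain=input comment="" disabled=no \
    dst-port=53 in-interface=pppoe_3 protocol=udp
add action=drop chain=input comment="" disabled=no \
    dst-port=53 in-interface=pppoe_3 protocol=tcp
```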

5. IP routes and their routing-marks

    /ip route
    add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
        pppoe_1 routing-mark=pppoe_1 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
        pppoe_1 routing-mark=pppoe_1 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
        pppoe_1 routing-mark=pppoe_1 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
        pppoe_2 routing-mark=pppoe_2 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
        pppoe_2 routing-mark=pppoe_2 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
        pppoe_2 routing-mark=pppoe_2 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
        pppoe_3 routing-mark=pppoe_3 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
        pppoe_3 routing-mark=pppoe_3 scope=30 target-scope=10
    add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
        pppoe_3 routing-mark=pppoe_3 scope=30 target-scope=10
    add check-gateway=ping comment="Default Route pppoe1 - Distance 1" disabled=\
        no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_1 scope=30 \
        target-scope=10
    add check-gateway=ping comment="Default Route pppoe2 - Distance 1" disabled=\
        no distance=2 dst-address=0.0.0.0/0 gateway=pppoe_2 scope=30 \
        target-scope=10
    add check-gateway=ping comment="Default Route pppoe3 - Distance 1" disabled=\
        no distance=3 dst-address=0.0.0.0/0 gateway=pppoe_3 scope=30 \
        target-scope=10

6. Create address lists for the local network and the proxy network

    /ip firewall address-list
    add address=10.20.30.0/24 comment="" disabled=no list=LocalNET
    add address=192.168.10.0/24 comment="" disabled=no list=ProxyNET

7. Then create the NAT rules for PPPoE masquerade, transparent DNS and transparent proxy

    /ip firewall nat
    add action=masquerade chain=srcnat comment=MASQUERADE1 disabled=no \
        out-interface=pppoe_1
    add action=masquerade chain=srcnat comment=MASQUERADE2 disabled=no \
        out-interface=pppoe_2
    add action=masquerade chain=srcnat comment=MASQUERADE3 disabled=no \
        out-interface=pppoe_3
    add action=dst-nat chain=dstnat comment="TRANSPARENT DNS" disabled=no \
        dst-port=53 in-interface=Local protocol=udp to-ports=53
    add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
        in-interface=Local protocol=tcp to-ports=53
    add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
        in-interface=Proxy protocol=udp to-ports=53
    add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 \
        in-interface=Proxy protocol=tcp to-ports=53
    add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
        dst-address-list=!ProxyNET dst-port=80,8080,3128 in-interface=Local \
        protocol=tcp to-addresses=192.168.10.2 to-ports=3128

With the basic configuration done, start on the load-balancing configuration.

8. As usual, put the proxy-hit packet-mark at the top of the mangle rules

    /ip firewall mangle
    add action=mark-packet chain=forward comment="PROXY-HIT-DSCP 12" disabled=no \
        dscp=12 new-packet-mark=proxy-hit passthrough=no

9. Because this LB-PCC setup is used to balance HTTP traffic together with an external proxy, the interface used is the Proxy interface, with protocol tcp and dst-port 80. The first step is to capture the new connections arriving on each pppoe interface; this ensures that incoming packets are replied to through the same interface.

    /ip firewall mangle
    add action=mark-connection chain=input comment=\
        "-ImeR- PCC RULE ---- MARK ALL PPPoE CONN" connection-state=new \
        disabled=no in-interface=pppoe_1 new-connection-mark=pppoe1_conn \
        passthrough=yes
    add action=mark-connection chain=input comment="" connection-state=new \
        disabled=no in-interface=pppoe_2 new-connection-mark=pppoe2_conn \
        passthrough=yes
    add action=mark-connection chain=input comment="" connection-state=new \
        disabled=no in-interface=pppoe_3 new-connection-mark=pppoe3_conn \
        passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=\
        established disabled=no in-interface=pppoe_1 new-connection-mark=\
        pppoe1_conn passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=\
        established disabled=no in-interface=pppoe_2 new-connection-mark=\
        pppoe2_conn passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=\
        established disabled=no in-interface=pppoe_3 new-connection-mark=\
        pppoe3_conn passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=\
        related disabled=no in-interface=pppoe_1 new-connection-mark=pppoe1_conn \
        passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=\
        related disabled=no in-interface=pppoe_2 new-connection-mark=pppoe2_conn \
        passthrough=yes
    add action=mark-connection chain=prerouting comment="" connection-state=\
        related disabled=no in-interface=pppoe_3 new-connection-mark=pppoe3_conn \
        passthrough=yes
    add action=mark-routing chain=output comment="" connection-mark=pppoe1_conn \
        disabled=no new-routing-mark=pppoe_1 passthrough=no
    add action=mark-routing chain=output comment="" connection-mark=pppoe2_conn \
        disabled=no new-routing-mark=pppoe_2 passthrough=no
    add action=mark-routing chain=output comment="" connection-mark=pppoe3_conn \
        disabled=no new-routing-mark=pppoe_3 passthrough=no

10. Next, load-balance the connections coming in from the Proxy interface using the PCC method. Remember that what gets routed is protocol tcp with dst-port 80.

    /ip firewall mangle
    add action=mark-connection chain=prerouting comment=\
        "-ImeR- PCC RULE ---- MARK ALL PROXY CONN" \
        connection-state=new disabled=no dst-address-type=!local dst-port=80 \
        in-interface=Proxy new-connection-mark=pr_pppoe_1 passthrough=yes \
        per-connection-classifier=both-addresses-and-ports:3/0 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=new \
        disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
        new-connection-mark=pr_pppoe_2 passthrough=yes per-connection-classifier=\
        both-addresses-and-ports:3/1 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=new \
        disabled=no dst-address-type=!local dst-port=80 in-interface=Proxy \
        new-connection-mark=pr_pppoe_3 passthrough=yes per-connection-classifier=\
        both-addresses-and-ports:3/2 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=\
        established disabled=no dst-address-type=!local dst-port=80 in-interface=\
        Proxy new-connection-mark=pr_pppoe_1 passthrough=yes \
        per-connection-classifier=both-addresses-and-ports:3/0 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=\
        established disabled=no dst-address-type=!local dst-port=80 in-interface=\
        Proxy new-connection-mark=pr_pppoe_2 passthrough=yes \
        per-connection-classifier=both-addresses-and-ports:3/1 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=\
        established disabled=no dst-address-type=!local dst-port=80 in-interface=\
        Proxy new-connection-mark=pr_pppoe_3 passthrough=yes \
        per-connection-classifier=both-addresses-and-ports:3/2 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=\
        related disabled=no dst-address-type=!local dst-port=80 in-interface=\
        Proxy new-connection-mark=pr_pppoe_1 passthrough=yes \
        per-connection-classifier=both-addresses-and-ports:3/0 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=\
        related disabled=no dst-address-type=!local dst-port=80 in-interface=\
        Proxy new-connection-mark=pr_pppoe_2 passthrough=yes \
        per-connection-classifier=both-addresses-and-ports:3/1 protocol=tcp
    add action=mark-connection chain=prerouting comment="" connection-state=\
        related disabled=no dst-address-type=!local dst-port=80 in-interface=\
        Proxy new-connection-mark=pr_pppoe_3 passthrough=yes \
        per-connection-classifier=both-addresses-and-ports:3/2 protocol=tcp

11. Don't forget to mark the packets; the packet marks are used later to apply limits in the queue tree

    /ip firewall mangle
    add action=mark-packet chain=forward comment=\
        "-ImeR- PCC RULE ---- MARK HTTP" connection-mark=pr_pppoe_1 disabled=\
        no new-packet-mark=http_pppoe1_pkt passthrough=no
    add action=mark-packet chain=forward comment="" connection-mark=pr_pppoe_2 \
        disabled=no new-packet-mark=http_pppoe2_pkt passthrough=no
    add action=mark-packet chain=forward comment="" connection-mark=pr_pppoe_3 \
        disabled=no new-packet-mark=http_pppoe3_pkt passthrough=no

12. After that, set the routing-marks

    /ip firewall mangle
    add action=mark-routing chain=prerouting comment=\
        "-ImeR- PCC RULE ---- MARK ROUTE" connection-mark=pr_pppoe_1 \
        disabled=no new-routing-mark=pppoe_1 passthrough=yes
    add action=mark-routing chain=prerouting comment="" connection-mark=\
        pr_pppoe_2 disabled=no new-routing-mark=pppoe_2 passthrough=yes
    add action=mark-routing chain=prerouting comment="" connection-mark=\
        pr_pppoe_3 disabled=no new-routing-mark=pppoe_3 passthrough=yes
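To check that the PCC rules from step 10 really spread the proxy's connections over the three links, count the tracked connections per connection mark. This script is an added example, not part of the original tutorial; it uses only the mark names defined above and is wrapped in braces so the local variables stay in scope when pasted into the terminal:

```routeros
{
    # Connection marks assigned by the PCC rules in step 10
    :local marks {"pr_pppoe_1";"pr_pppoe_2";"pr_pppoe_3"}
    :local total 0

    # First pass: total number of tracked connections carrying a PCC mark
    :foreach m in=$marks do={
        :set total ($total + [:len [/ip firewall connection find connection-mark=$m]])
    }

    # Second pass: per-link count and integer share of the total
    :foreach m in=$marks do={
        :local n [:len [/ip firewall connection find connection-mark=$m]]
        :if ($total > 0) do={
            :put ($m . ": " . $n . " connections (" . (($n * 100) / $total) . "%)")
        } else={
            :put ($m . ": no marked connections yet")
        }
    }
}
```

A mark that stays at zero while the others grow usually means its PPPoE link is down or its mangle rule is not matching.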

That's it. All HTTP traffic from the Proxy interface will be split evenly, in and out, across the pppoe interfaces. All that remains is to mark connections from the local interface to limit download and upload. The final result looks roughly like this: