
Understanding Load Balance and Policy Route

Andrew Zheng
EDCwifi Co Limited
About Me

Mikrotik Trainer No. 75

Certificates: MTCNA, MTCWE, MTCRE, MTCTCE, MTCUME, MTCINE, UBWA, UEWA

EDCwifi - Andrew Zheng 2 2015, April 17 - Vietnam MUM


About EDCwifi

Mikrotik Distributor with stock point at Hongkong, Shenzhen and Beijing.
Mikrotik Authorized Training partner.
Customizing partner for MfM (Made for Mikrotik) product.

www.edcwifi.com & www.edcwifi.com.cn


Made for Mikrotik
Face off your device
RB750 series
RB450 series



SOHO customers mostly require:

Automatic Fail Over
Reliable Load Balance
Policy Route



Topology

[Figure: network topology, policy route to VPN. Labels: ISP1 10.1.1.88; ISP2 10.2.2.88; Router, ether1 192.168.0.1, LAN; VPN Server; VPN local IP 192.168.12.99, remote IP 192.168.12.165.]



Sample configuration
Get IP address from ISP

Dial VPN connection (optional for policy route)


Mangle Rules
All packets with the gateway router IP as destination should be accepted

Rules 0, 1, 2: skip the PCC rules for packets that have a router gateway IP as their destination, so they go to their gateway router (for correct DNS requests and other services).

Mangle Rules
Make sure all packets coming in from a WAN interface go out through the same WAN interface

Rules 3, 4, 5



Mangle Rules and Address list
VPN policy route

Address list example: add all IP addresses that are planned to go through the VPN connection.

Rule 6: mark the connection of every packet whose destination IP address is listed in the VPN address list.

Mangle Rules
Connection Mark based on PCC

Rules 7, 8



Mangle Rules
Route Mark for PCC

Rules 9, 10, 11



Mangle Rules
Route Mark for Output Chain

Rules 12, 13, 14



IP Route Rules
Add Default Gateway for our Routing Mark



IP Route Rules
Fail Over
By adding default gateways that are not bound to a routing mark, we have already created a failover system. Just adjust the distance to set the priority.



NAT
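
The procedure on the slides above (address list, mangle rules 0 to 14, marked routes, failover routes, NAT) written out as one RouterOS configuration. This is an added example, not the presenter's configuration from the slides: the gateway addresses, ether1, ISP1, ISP2, 1-conn and 1-route come from the slides, while vpn-out, 2-conn, 2-route, vpn-conn, vpn-route, the list name VPN, the 203.0.113.0/24 entry and check-gateway=ping are assumptions, and the syntax is RouterOS v6.

```routeros
# Added example, RouterOS v6 syntax. Assumed names: vpn-out, 2-conn, 2-route, vpn-conn, vpn-route, list VPN.
/ip firewall address-list
# Constructed sample destination that should leave through the VPN
add list=VPN address=203.0.113.0/24
/ip firewall mangle
# Rules 0-2: traffic addressed to a gateway router itself skips the PCC rules
add chain=prerouting in-interface=ether1 dst-address=10.1.1.88 action=accept
add chain=prerouting in-interface=ether1 dst-address=10.2.2.88 action=accept
add chain=prerouting in-interface=ether1 dst-address=192.168.12.165 action=accept
# Rules 3-5: a connection that arrives on a WAN is answered through the same WAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=1-conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=2-conn
add chain=prerouting in-interface=vpn-out connection-mark=no-mark action=mark-connection new-connection-mark=vpn-conn
# Rule 6: destinations in the VPN address list are marked before PCC sees them
add chain=prerouting in-interface=ether1 connection-mark=no-mark dst-address-list=VPN action=mark-connection new-connection-mark=vpn-conn
# Rules 7-8: PCC splits the remaining unmarked LAN connections across the two ISPs
add chain=prerouting in-interface=ether1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=1-conn
add chain=prerouting in-interface=ether1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=2-conn
# Rules 9-11: translate the connection mark into a routing mark for LAN traffic
add chain=prerouting in-interface=ether1 connection-mark=1-conn action=mark-routing new-routing-mark=1-route
add chain=prerouting in-interface=ether1 connection-mark=2-conn action=mark-routing new-routing-mark=2-route
add chain=prerouting in-interface=ether1 connection-mark=vpn-conn action=mark-routing new-routing-mark=vpn-route
# Rules 12-14: the same translation for packets generated by the router itself
add chain=output connection-mark=1-conn action=mark-routing new-routing-mark=1-route
add chain=output connection-mark=2-conn action=mark-routing new-routing-mark=2-route
add chain=output connection-mark=vpn-conn action=mark-routing new-routing-mark=vpn-route
/ip route
# One default gateway per routing mark
add dst-address=0.0.0.0/0 gateway=10.1.1.88 routing-mark=1-route check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.88 routing-mark=2-route check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.12.165 routing-mark=vpn-route
# Failover: default gateways without a routing mark, ordered by distance
add dst-address=0.0.0.0/0 gateway=10.1.1.88 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.88 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
add chain=srcnat out-interface=vpn-out action=masquerade
```

When a marked route goes inactive, lookups for that routing mark fall back to the unmarked default routes, which is where the distance values decide the order.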



Checking PCC Result



Checking Policy routes Result



Packet Flow with mangle chain simple explanation
Packet A, going into ether1 with src add: 192.168.0.2 and dst add: 222.111.222.111

[Figure: packet flow diagram with the boxes Input interface (ether1, ether2, ether3, etc), connection tracking, Mangle pre-routing, DST-NAT, Routing Decision, Mangle forward, Filter forward, Mangle input, Local Process, Mangle output, Routing Adjustment, Mangle post-routing, SRC-NAT, Output interface (ether1, ether2, ether3, etc). The annotations along the path of packet A follow.]

Input interface: packet A, src: 192.168.0.2, dst: 222.111.222.111, in int: ether1, no mark
Connection tracking: recording conn track. Packet A, src: 192.168.0.2, dst: 222.111.222.111, in int: ether1, no mark
Mangle pre-routing: add mangle 1-conn and 1-route
DST-NAT: checking DST-NAT rules. Packet A, src: 192.168.0.2, dst: 222.111.222.111, 1-conn, 1-route, in int: ether1
Routing Decision: checking DST-IP, to local or forward, output interface. Packet A, src: 192.168.0.2, dst: 222.111.222.111, 1-conn, 1-route, in int: ether1
Mangle forward, Filter forward: checking mangle forward, filter forward. Packet A, src: 192.168.0.2, dst: 222.111.222.111, 1-conn, 1-route, in int: ether1, out int: ISP1
After forward: packet A, src: 192.168.0.2, dst: 222.111.222.111, 1-conn, 1-route, in int: ether1, out int: ISP1
Mangle post-routing: checking mangle post routing. Packet A, src: 192.168.0.2, dst: 222.111.222.111, 1-conn, 1-route, out int: ISP1
SRC-NAT: change SRC IP. Packet A, src: 10.1.1.97, dst: 222.111.222.111, 1-conn, 1-route, out int: ISP1
Output interface: packet A, src: 10.1.1.97, dst: 222.111.222.111

Packet Flow with mangle chain simple explanation
Replied packet A (A-1), going into ISP1 interface with src add: 222.111.222.111 and dst add: 10.1.1.97

[Figure: the same packet flow diagram, with the annotations along the path of packet A-1 that follow.]

Input interface: packet A-1, src: 222.111.222.111, dst: 10.1.1.97, in int: ISP1
Connection tracking: check and update conn-track, recognize this packet is one connection with A. Packet A-1, src: 222.111.222.111, dst: 10.1.1.97, in int: ISP1
Mangle pre-routing: check mangle pre-routing, adding mark 1-conn
DST-NAT: checking DST-NAT rules. Packet A-1, src: 222.111.222.111, dst: 10.1.1.97, 1-conn, in int: ISP1
Routing Decision: checking DST-IP, to local or forward, output interface. Packet A-1, src: 222.111.222.111, dst: 192.168.0.2, 1-conn, in int: ISP1
Mangle forward, Filter forward: checking mangle forward, filter forward. Packet A-1, src: 222.111.222.111, dst: 192.168.0.2, 1-conn, in int: ISP1, goto Ether1
After forward: packet A-1, src: 222.111.222.111, dst: 192.168.0.2, 1-conn, in int: ISP1, out int: ether1
Mangle post-routing: checking mangle post routing. Packet A-1, src: 222.111.222.111, dst: 192.168.0.2, 1-conn, out int: ether1
SRC-NAT: packet A-1, src: 222.111.222.111, dst: 192.168.0.2, 1-conn, out int: ether1
Output interface: packet A-1, src: 222.111.222.111, dst: 192.168.0.2

Any Question?

Thank you!

For Goods Inquiry: marketing@edcwifi.com
For Training Inquiry: training@edcwifi.com

See you again