S M Yeaser Hossain Tipu
CLASS -12
Link Redundancy solution
Topics We Cover Here.
• Load Balancing
• Load Balancing with fail over.
• VRRP (High Availability)
• Mikrotik PCC Load Balancing.
• Load Balance and Redundancy with OSPF.
• Load Balance other mechanism.
• Bandwidth merge of different link.
We also covered some load balancing and redundancy techniques in our routing lecture.
Load Balancing over Multiple Gateways
A typical situation: you have one router and want to connect it to two ISPs. Of course, you want to do load balancing! There are several ways to do it, and depending on your situation you may find one of them best suited to you.
Policy Routing based on Client IP Address
If you have a number of hosts, you may group them by IP address. Then, depending on the source IP
address, send the traffic out through Gateway #1 or #2. This is not the best approach and does not give you
perfect load balancing, but it is easy to implement and gives you some control too.
Let us assume we use for our workstations IP addresses from network 192.168.100.0/24. The IP
addresses are assigned as follows:
192.168.100.1-127 are used for Group A workstations
192.168.100.128-253 are used for Group B workstations
192.168.100.254 is used for the router.
All workstations have IP configuration with the IP address from the relevant group, they all have
network mask 255.255.255.0, and 192.168.100.254 is the default gateway for them. We will talk about
DNS servers later.
Now, when we have workstations divided into groups, we can refer to them using subnet addressing:
Group A is 192.168.100.0/25, i.e., addresses 192.168.100.0-127
Group B is 192.168.100.128/25, i.e., addresses 192.168.100.128-255
We need to add two IP Firewall Mangle rules to mark the packets originated
from Group A or Group B workstations.
For Group A, specify
• Chain prerouting and Src. Address 192.168.100.0/25
• Action mark routing and New Routing Mark GroupA.
• It is a good practice to add a comment as well. Your mangle rules might be
interesting for someone else and for yourself as well after some time.
For Group B, specify
• Chain prerouting and Src. Address 192.168.100.128/25
• Action mark routing and New Routing Mark GroupB
All IP traffic coming from workstations is marked with the routing marks GroupA or GroupB.
We can use these marks in the routing table.
Next, we should specify two default routes
(destination 0.0.0.0/0) with appropriate routing
marks and gateways:
This thing is not going to work, unless you do masquerading for
your LAN! The simplest way to do it is by adding one NAT rule for
Src. Address 192.168.100.0/24 and Action masquerade:
ECMP load balancing with masquerade
This example is an improved (different) version of the round-robin load balancing example. It adds
persistent user sessions, i.e. a particular user would use the same source IP address for all
outgoing connections. Consider the following network layout:
Quick Start
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2
Explanation
First we give a code snippet and then explain what it actually does.
IP Addresses
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN
interface has the name "Local" and IP address of 192.168.0.1/24.
NAT
/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
As the routing decision has already been made, we only need rules that fix the source address of all outgoing packets. If a packet
leaves via wlan1 it is NATed to 10.112.0.2/24; if it leaves via wlan2 it is NATed to 10.111.0.2/24.
Routing
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping
This is a typical ECMP (Equal Cost Multi-Path) gateway with check-gateway. ECMP is "persistent per-connection load
balancing" or "per-src-dst-address combination load balancing". As soon as one of the gateways becomes unreachable,
check-gateway removes it from the gateway list, which gives you a "failover" effect.
You can also use links with asymmetric bandwidth, for example one link of 2Mbps and the other of 10Mbps. Just use
this command to make the load balancing 1:5:
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1 check-gateway=ping
Connections to the router itself
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2
In all multi-gateway setups there is a common problem with reaching the router itself from the public network via one,
the other or both gateways. The explanation is simple: outgoing packets use the same routing decision as
packets that are going through the router. So a reply to a packet that was received via wlan1 might be sent
out and masqueraded via wlan2.
To avoid that, we need to policy-route those connections.
VRRP (High Availability)
This chapter describes the Virtual Router Redundancy Protocol (VRRP) support in RouterOS.
On larger LANs, dynamic routing protocols (OSPF or RIP) are mostly used; however, there are a
number of factors that may make it undesirable to use dynamic routing protocols. One alternative
is to use static routing, but if the statically configured first hop fails, the host will not be able to
communicate with other hosts. In IPv6 networks, hosts learn about routers by receiving Router
Advertisements used by the Neighbor Discovery (ND) protocol. ND already has a built-in mechanism to
determine unreachable routers.
However, it can take up to 38 seconds to detect an unreachable router. It is possible to change
parameters and make detection faster, but that will increase the overhead of ND traffic, especially
if there are a lot of hosts. VRRP allows an unreachable router to be detected within 3 seconds without
additional traffic overhead.
How to Setup?
Steps!
According to this configuration, as long as the master, R1, is functional, all traffic destined to the
external network gets directed to R1. But as soon as R1 fails, R2 takes over as the master and starts
handling packets forwarded to the interface associated with IP(R1). In this setup Router R2 is completely
idle during Backup period.
R1 configuration:
/ip address
add address=192.168.1.1/24 interface=ether1
/interface vrrp
add interface=ether1 vrid=49 priority=254
/ip address
add address=192.168.1.254/32 interface=vrrp1
R2 configuration:
/ip address
add address=192.168.1.2/24 interface=ether1
/interface vrrp
add interface=ether1 vrid=49
/ip address
add address=192.168.1.254/32 interface=vrrp1
Testing
First of all check if both routers have correct flags at vrrp interfaces.
On router R1 it should look like this
/interface vrrp print
0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=ether1 vrid=49
priority=254 interval=1 preemption-mode=yes authentication=none password="" on-backup=""
on-master=""
and on router R2:
/interface vrrp print
0 B name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=ether1 vrid=49
priority=100 interval=1 preemption-mode=yes authentication=none password=""
on-backup="" on-master=""
As you can see, the vrrp interface MAC addresses are identical on both routers. Now, to check whether VRRP is working correctly, try
to ping the virtual address from a client and check the ARP entries:
[admin@client] > ping 192.168.1.254
192.168.1.254 64 byte ping: ttl=64 time=10 ms
192.168.1.254 64 byte ping: ttl=64 time=8 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 8/9.0/10 ms.
[admin@client] /ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
...
1 D 192.168.1.254 00:00:5E:00:01:31 bridge1
Now unplug the ether1 cable on router R1. R2 will become VRRP master; the ARP table on the client will not change, but traffic will
start to flow over router R2.
Load sharing
In the basic configuration example, R2 is completely idle during the Backup state. This
behavior may be considered a waste of valuable resources. In such
circumstances, the R2 router can be set as the gateway for some clients. The obvious
advantage of this configuration is the establishment of a load-sharing scheme.
But by doing so, the R2 router is not protected by the current VRRP setup. To make this
setup work we need two virtual routers.
The configuration for the V1 virtual router will be identical to the configuration in the basic
example: R1 is the Master and R2 is the Backup router. In V2 the Master is R2 and
the Backup is R1.
With this configuration, we establish load sharing between R1 and R2;
moreover, we create a protection setup by having two routers acting as
backups for each other.
Configuration
R1 configuration:
/ip address add address=192.168.1.1/24 interface=ether1
/interface vrrp add interface=ether1 vrid=49 priority=254
/interface vrrp add interface=ether1 vrid=77
/ip address add address=192.168.1.253/32 interface=vrrp1
/ip address add address=192.168.1.254/32 interface=vrrp2
R2 configuration:
/ip address add address=192.168.1.2/24 interface=ether1
/interface vrrp add interface=ether1 vrid=49
/interface vrrp add interface=ether1 vrid=77 priority=254
/ip address add address=192.168.1.253/32 interface=vrrp1
/ip address add address=192.168.1.254/32 interface=vrrp2
VRRP without Preemption
Each time a router with higher priority becomes available, it becomes the
Master router. Sometimes this is not the desired behavior; it can be turned off
by setting preemption-mode=no in the vrrp configuration.
Configuration
We will be using the same setup as in the basic example. The only difference is that during
configuration we set preemption-mode=no. This can be done easily by modifying the
existing configuration:
/interface vrrp set [find] preemption-mode=no
Testing
Try turning off the R1 router; R2 will become the Master router because it has the highest
priority among the available routers. Now turn the R1 router on and you will see that
the R2 router continues to be Master even though R1 has higher priority.
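The checks from the two Testing slides above, written as a script; this is an added example, not part of the original slides. The print entries are the ones shown for R1 and R2 (joined onto one line each, a constructed sample), the `audit` helper and its wording are hypothetical, and the virtual MAC rule used is the standard IPv4 VRRP one (00:00:5E:00:01 followed by the VRID in hex).

```python
import ipaddress
import re

# Constructed sample: "/interface vrrp print" entries from the basic example,
# keyed by router name together with that router's ether1 address.
SAMPLE = {
    "R1": ("192.168.1.1",
           '0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled '
           'interface=ether1 vrid=49 priority=254 interval=1 preemption-mode=yes '
           'authentication=none password="" on-backup="" on-master=""'),
    "R2": ("192.168.1.2",
           '0 B name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled '
           'interface=ether1 vrid=49 priority=100 interval=1 preemption-mode=yes '
           'authentication=none password="" on-backup="" on-master=""'),
}

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_entry(line):
    """Split one print entry into its flag letters and its properties."""
    head = line.split("name=", 1)[0].split()
    flags = head[1] if len(head) > 1 else ""
    props = {key: value.strip('"') for key, value in PAIR.findall(line)}
    return flags, props


def virtual_mac(vrid):
    """IPv4 VRRP virtual MAC: fixed prefix plus the VRID as two hex digits."""
    return "00:00:5E:00:01:%02X" % vrid


def expected_master(routers):
    """Highest priority wins; a tie goes to the higher interface address."""
    return max(routers, key=lambda name: (int(routers[name][2]["priority"]),
                                          ipaddress.ip_address(routers[name][0])))


def audit(sample):
    """Return (router expected to be master, list of findings)."""
    routers = {name: (ip,) + parse_entry(line) for name, (ip, line) in sample.items()}
    findings = []
    for name, (_, _, props) in sorted(routers.items()):
        want = virtual_mac(int(props["vrid"]))
        if props["mac-address"].upper() != want:
            findings.append(f"{name}: mac-address {props['mac-address']} "
                            f"does not match vrid {props['vrid']} ({want})")
        if props.get("authentication") == "none":
            findings.append(f"{name}: authentication=none, advertisements "
                            f"for vrid {props['vrid']} are not authenticated")
    winner = expected_master(routers)
    masters = sorted(n for n, (_, flags, _) in routers.items() if "M" in flags)
    if len(masters) != 1:
        findings.append(f"master flag on {masters or 'no router'}, expected only {winner}")
    elif masters[0] != winner and routers[winner][2].get("preemption-mode") != "no":
        # With preemption-mode=no a lower-priority router may stay master.
        findings.append(f"master is {masters[0]} but {winner} has higher priority")
    return winner, findings


if __name__ == "__main__":
    winner, findings = audit(SAMPLE)
    print("expected master:", winner)
    for finding in findings:
        print(finding)
```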
Mikrotik PCC Load Balancing.
Introduction
The PCC matcher allows you to divide traffic into equal streams, with the
ability to keep packets with a specific set of options in one particular
stream (you can specify this set of options from src-address, src-port,
dst-address, dst-port).
Theory
PCC takes selected fields from the IP header and, with the help of a
hashing algorithm, converts the selected fields into a 32-bit value. This
value is then divided by a specified Denominator, and the remainder
is compared to a specified Remainder; if they are equal, the packet is
captured. You can choose from src-address, dst-address, src-port and
dst-port from the header to use in this operation.
Mikrotik PCC Load Balancing Configuration.
/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
PCC WITH UN-EQUAL WAN LINKS
If you have unequal WAN links, for example WAN1 is 4MB and
WAN2 is 8 Mb, and you want to force MT to use the WAN2 link
more than the other because of its capacity, then you have to add
more PCC rules assigning the same two marks to a specific link, i.e.
WAN2, something like:
# The denominator is 3 so that remainders 0, 1 and 2 can all occur
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
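The Theory slide and the unequal-links rules, simulated; this is an added example, not part of the original slides. RouterOS's own hash is not reproduced here: truncated SHA-256 is a stand-in (an assumption), and the connections are constructed. It compares a 2/0, 2/1, 2/2 rule set, where the remainder 2 can never occur, with 3/0, 3/1, 3/2.

```python
import hashlib
import ipaddress
import random
from collections import Counter

# (denominator, remainder, connection mark) for each PCC rule, in rule order.
NEVER_MATCHES = [(2, 0, "WAN1_conn"), (2, 1, "WAN2_conn"), (2, 2, "WAN2_conn")]
ONE_TO_TWO = [(3, 0, "WAN1_conn"), (3, 1, "WAN2_conn"), (3, 2, "WAN2_conn")]


def pcc_hash(src, sport, dst, dport):
    """32-bit value from both addresses and ports.

    Assumption: SHA-256 truncated to 32 bits stands in for the router's hash;
    only the "hash, divide, compare remainder" logic is being modelled.
    """
    key = (ipaddress.ip_address(src).packed + sport.to_bytes(2, "big")
           + ipaddress.ip_address(dst).packed + dport.to_bytes(2, "big"))
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def classify(conn, rules):
    """Mark of the rule whose Remainder equals hash % Denominator, else None.

    With a single denominator the remainders are disjoint, so at most one
    rule can match a given connection.
    """
    value = pcc_hash(*conn)
    for denominator, remainder, mark in rules:
        if value % denominator == remainder:
            return mark
    return None


def dead_rules(rules):
    """Rules whose remainder is outside 0..denominator-1 and so never match."""
    return [rule for rule in rules if not 0 <= rule[1] < rule[0]]


def sample_connections(count, seed=7):
    """Constructed traffic: LAN clients in 192.168.0.0/24 to port 443."""
    rng = random.Random(seed)
    return [(f"192.168.0.{rng.randint(2, 254)}", rng.randint(1024, 65535),
             f"203.0.113.{rng.randint(1, 254)}", 443) for _ in range(count)]


def shares(rules, count=20000):
    """Fraction of the sample connections that receives each mark."""
    hits = Counter(classify(conn, rules) for conn in sample_connections(count))
    return {mark: n / count for mark, n in hits.items()}


if __name__ == "__main__":
    for label, rules in (("2/0 2/1 2/2", NEVER_MATCHES), ("3/0 3/1 3/2", ONE_TO_TWO)):
        print(label, "dead rules:", dead_rules(rules))
        for mark, share in sorted(shares(rules).items()):
            print(f"  {mark}: {share:.1%}")
```

Because the hash input is the same for every packet of a connection, the same connection always lands on the same mark, which is what keeps a session on one uplink.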
More Info
• http://wiki.mikrotik.com/wiki/Load_Balancing
THANKS

 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 

Mikrotik link redundancy solution

  • 1. S M Yeaser Hossain Tipu
  • 3. Topics We Cover Here.
      • Load Balancing
      • Load Balancing with failover
      • VRRP (High Availability)
      • MikroTik PCC Load Balancing
      • Load Balance and Redundancy with OSPF
      • Other load-balancing mechanisms
      • Bandwidth merging of different links
    We also covered some load balancing and redundancy techniques in our routing lecture.
  • 4. Load Balancing over Multiple Gateways
    The typical situation: you have one router and want to connect it to two ISPs. Of course, you want to do load balancing! There are several ways to do it. Depending on the particular situation, you may find one best suited for you.
  • 5. Policy Routing based on Client IP Address
    If you have a number of hosts, you may group them by IP address. Then, depending on the source IP address, send the traffic out through Gateway #1 or #2. This approach does not give you perfect load balancing, but it is easy to implement and gives you some control too.
    Let us assume our workstations use IP addresses from network 192.168.100.0/24. The IP addresses are assigned as follows:
      • 192.168.100.1-127 are used for Group A workstations
      • 192.168.100.128-253 are used for Group B workstations
      • 192.168.100.254 is used for the router.
    All workstations have an IP address from the relevant group, network mask 255.255.255.0, and 192.168.100.254 as their default gateway. We will talk about DNS servers later.
    Now that the workstations are divided into groups, we can refer to them using subnet addressing:
      • Group A is 192.168.100.0/25, i.e., addresses 192.168.100.0-127
      • Group B is 192.168.100.128/25, i.e., addresses 192.168.100.128-255
  • 6. We need to add two IP Firewall Mangle rules to mark the packets originating from Group A or Group B workstations.
    For Group A, specify
      • Chain prerouting and Src. Address 192.168.100.0/25
      • Action mark routing and New Routing Mark GroupA.
  • 7.
      • It is good practice to add a comment as well. Your mangle rules might be interesting for someone else, and for yourself as well after some time.
    For Group B, specify
      • Chain prerouting and Src. Address 192.168.100.128/25
      • Action mark routing and New Routing Mark GroupB
    All IP traffic coming from workstations is marked with the routing marks GroupA or GroupB. We can use these marks in the routing table.
  • 8. Next, we should specify two default routes (destination 0.0.0.0/0) with appropriate routing marks and gateways:
  • 9. This thing is not going to work, unless you do masquerading for your LAN! The simplest way to do it is by adding one NAT rule for Src. Address 192.168.100.0/24 and Action masquerade:
  • 10. ECMP load balancing with masquerade
    This example is an improved (different) version of the round-robin load balancing example. It adds persistent user sessions, i.e. a particular user would use the same source IP address for all outgoing connections. Consider the following network layout:
  • 11. Quick Start
        /ip address
        add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
        add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
        add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
        /ip route
        add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping
        /ip firewall nat
        add chain=srcnat out-interface=wlan1 action=masquerade
        add chain=srcnat out-interface=wlan2 action=masquerade
        /ip firewall mangle
        add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
        add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
        add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
        add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
        # wlan1 is on 10.112.0.0/24 and wlan2 on 10.111.0.0/24, so each mark uses the gateway on its own link
        /ip route
        add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan1
        add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan2
  • 12. Explanation
    First we give a code snippet and then explain what it actually does.
    IP Addresses
        /ip address
        add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
        add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
        add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
    The router has two upstream (WAN) interfaces with the addresses 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name "Local" and the IP address 192.168.0.1/24.
    NAT
        /ip firewall nat
        add chain=srcnat out-interface=wlan1 action=masquerade
        add chain=srcnat out-interface=wlan2 action=masquerade
    As the routing decision has already been made, we just need rules that fix the src-address of all outgoing packets. If a packet leaves via wlan1 it will be NATed to 10.112.0.2/24; if via wlan2, it will be NATed to 10.111.0.2/24.
    Routing
        /ip route
        add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping
    This is a typical ECMP (Equal Cost Multi-Path) gateway with check-gateway. ECMP is "persistent per-connection load balancing" or "per-src-dst-address combination load balancing". As soon as one of the gateways becomes unreachable, check-gateway removes it from the gateway list, and you get a "failover" effect.
  • 13. You can also use asymmetric bandwidth links, for example one link of 2Mbps and another of 10Mbps. Just use this command to make the load balancing 1:5:
        /ip route
        add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1 check-gateway=ping
    Connections to the router itself
        /ip firewall mangle
        add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
        add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
        add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
        add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
        # wlan1 is on 10.112.0.0/24 and wlan2 on 10.111.0.0/24, so each mark uses the gateway on its own link
        /ip route
        add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan1
        add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan2
    In all multi-gateway situations there is a usual problem with reaching the router from the public network via one, the other or both gateways. The explanation is very simple: outgoing packets use the same routing decision as packets that are going through the router. So a reply to a packet that was received via wlan1 might be sent out and masqueraded via wlan2. To avoid that, we need to policy-route those connections.
  • 14. VRRP (High Availability)
    This chapter describes the Virtual Router Redundancy Protocol (VRRP) support in RouterOS. On larger LANs, dynamic routing protocols (OSPF or RIP) are mostly used; however, there are a number of factors that may make it undesirable to use dynamic routing protocols. One alternative is to use static routing, but if the statically configured first hop fails, the host will not be able to communicate with other hosts.
    In IPv6 networks, hosts learn about routers by receiving Router Advertisements used by the Neighbor Discovery (ND) protocol. ND already has a built-in mechanism to determine unreachable routers. However, it can take up to 38 seconds to detect an unreachable router. It is possible to change parameters and make detection faster, but that will increase the overhead of ND traffic, especially if there are a lot of hosts. VRRP allows an unreachable router to be detected within 3 seconds without additional traffic overhead.
  • 16. Steps!
    According to this configuration, as long as the master, R1, is functional, all traffic destined to the external network gets directed to R1. But as soon as R1 fails, R2 takes over as the master and starts handling packets forwarded to the interface associated with IP(R1). In this setup router R2 is completely idle during the Backup period.
    R1 configuration:
        /ip address add address=192.168.1.1/24 interface=ether1
        /interface vrrp add interface=ether1 vrid=49 priority=254
        /ip address add address=192.168.1.254/32 interface=vrrp1
    R2 configuration:
        /ip address add address=192.168.1.2/24 interface=ether1
        /interface vrrp add interface=ether1 vrid=49
        /ip address add address=192.168.1.254/32 interface=vrrp1
  • 17. Testing
    First of all, check that both routers have the correct flags on their vrrp interfaces. On router R1 it should look like this:
        /interface vrrp print
        0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=ether1 vrid=49
             priority=254 interval=1 preemption-mode=yes authentication=none password="" on-backup="" on-master=""
    and on router R2:
        /interface vrrp print
        0 B name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=ether1 vrid=49
             priority=100 interval=1 preemption-mode=yes authentication=none password="" on-backup="" on-master=""
    As you can see, the vrrp interface MAC addresses are identical on both routers. Now, to check that VRRP is working correctly, try to ping the virtual address from a client and check the ARP entries:
        [admin@client] > ping 192.168.1.254
        192.168.1.254 64 byte ping: ttl=64 time=10 ms
        192.168.1.254 64 byte ping: ttl=64 time=8 ms
        2 packets transmitted, 2 packets received, 0% packet loss
        round-trip min/avg/max = 8/9.0/10 ms
        [admin@client] /ip arp> print
        Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
         #   ADDRESS         MAC-ADDRESS       INTERFACE
         ...
         1 D 192.168.1.254   00:00:5E:00:01:31 bridge1
    Now unplug the ether1 cable on router R1. R2 will become VRRP master; the ARP table on the client will not change, but traffic will start to flow over router R2.
  • 18. Load sharing
    In the basic configuration example, R2 is completely idle during the Backup state. This behavior may be considered a waste of valuable resources. In such circumstances the R2 router can be set as the gateway for some clients. The obvious advantage of this configuration is the establishment of a load-sharing scheme. But by doing so, the R2 router is not protected by the current VRRP setup. To make this setup work we need two virtual routers.
    The configuration for virtual router V1 will be identical to the configuration in the basic example: R1 is the Master and R2 is the Backup router. In V2 the Master is R2 and the Backup is R1. With this configuration, we establish load sharing between R1 and R2; moreover, we create a protection setup by having two routers acting as backups for each other.
  • 19.
  • 20. Configuration
    R1 configuration:
        /ip address add address=192.168.1.1/24 interface=ether1
        /interface vrrp add interface=ether1 vrid=49 priority=254
        /interface vrrp add interface=ether1 vrid=77
        /ip address add address=192.168.1.253/32 interface=vrrp1
        /ip address add address=192.168.1.254/32 interface=vrrp2
    R2 configuration:
        /ip address add address=192.168.1.2/24 interface=ether1
        /interface vrrp add interface=ether1 vrid=49
        /interface vrrp add interface=ether1 vrid=77 priority=254
        /ip address add address=192.168.1.253/32 interface=vrrp1
        /ip address add address=192.168.1.254/32 interface=vrrp2
  • 21. VRRP without Preemption
    Each time a router with higher priority becomes available, it becomes the Master router. Sometimes this is not the desired behavior; it can be turned off by setting preemption-mode=no in the vrrp configuration.
    Configuration
    We will be using the same setup as in the basic example. The only difference is that preemption-mode=no is set during configuration. This can be done easily by modifying the existing configuration:
        /interface vrrp set [find] preemption-mode=no
    Testing
    Try turning off the R1 router; R2 will become the Master router because it has the highest priority among the available routers. Now turn the R1 router on and you will see that the R2 router continues to be Master even though R1 has higher priority.
  • 22. Mikrotik PCC Load Balancing.
    Introduction
    The PCC matcher allows you to divide traffic into equal streams, with the ability to keep packets with a specific set of options in one particular stream (you can specify this set of options from src-address, src-port, dst-address, dst-port).
    Theory
    PCC takes selected fields from the IP header and, with the help of a hashing algorithm, converts the selected fields into a 32-bit value. This value is then divided by a specified Denominator, and the remainder is compared to a specified Remainder; if they are equal, the packet is captured. You can choose from src-address, dst-address, src-port, dst-port from the header to use in this operation.
  • 23. Mikrotik PCC Load Balancing Configuration.
        /ip address
        add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
        add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
        add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
        /ip firewall mangle
        add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
        add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
        add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
        add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
        add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
        add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
        add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
        add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
        add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
        add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
  • 24.
        /ip route
        add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
        add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
        add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
        add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
        /ip firewall nat
        add chain=srcnat out-interface=WAN1 action=masquerade
        add chain=srcnat out-interface=WAN2 action=masquerade
  • 25. PCC WITH UN-EQUAL WAN LINKS
    If you have unequal WAN links, for example WAN1 is 4MB and WAN2 is 8 Mb, and you want to force MT to use the WAN2 link more than the other because of its capacity, then you have to add more PCC rules so that the same mark is assigned more than once to a specific link, i.e. WAN2, something like:
        # Denominator 3 yields remainders 0, 1 and 2: one share for WAN1, two shares for WAN2
        add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
        add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
        add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
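The PCC theory and the unequal-link weighting above can be checked with a small simulation. This is an added example, not part of the original slides: CRC32 stands in for RouterOS's own hash (an assumption), and the flows are constructed sample data. It shows that a rule whose Remainder is not below its Denominator (for example 2/2) never matches, while three rules over denominator 3 give a 1:2 split.

```python
import ipaddress
import random
import zlib
from collections import Counter

def pcc_hash(src, dst, sport, dport):
    """32-bit hash over both addresses and ports.
    Assumption: CRC32 stands in for RouterOS's own hashing algorithm."""
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    data += sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    return zlib.crc32(data) & 0xFFFFFFFF

def classify(flow, rules):
    """Return the mark of the first rule with hash % denominator == remainder."""
    value = pcc_hash(*flow)
    for denominator, remainder, mark in rules:
        if value % denominator == remainder:
            return mark
    return None  # no rule matched: the connection stays unmarked

def make_flows(count, seed=1):
    """Constructed sample traffic: LAN clients talking to random destinations."""
    rng = random.Random(seed)
    return [(f"192.168.0.{rng.randint(2, 254)}",
             str(ipaddress.ip_address(rng.getrandbits(32))),
             rng.randint(1024, 65535),
             rng.choice([53, 80, 443]))
            for _ in range(count)]

def distribution(flows, rules):
    """Count how many flows receive each connection mark."""
    return Counter(classify(flow, rules) for flow in flows)

def share(flows, rules, mark):
    """Fraction of flows that receive the given mark."""
    return distribution(flows, rules)[mark] / len(flows)

# Rule sets as (denominator, remainder, connection mark).
EQUAL = [(2, 0, "WAN1_conn"), (2, 1, "WAN2_conn")]
EXTRA_2_2 = EQUAL + [(2, 2, "WAN2_conn")]  # third rule can never match
ONE_TO_TWO = [(3, 0, "WAN1_conn"), (3, 1, "WAN2_conn"), (3, 2, "WAN2_conn")]

if __name__ == "__main__":
    flows = make_flows(6000)
    for name, rules in [("2/0 2/1", EQUAL), ("2/0 2/1 2/2", EXTRA_2_2),
                        ("3/0 3/1 3/2", ONE_TO_TWO)]:
        print(name, dict(distribution(flows, rules)))
```

Because the classifier is a pure function of the selected header fields, every packet of a connection lands on the same link, which is what keeps sessions persistent behind masquerade.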