This document provides information on various techniques for load balancing and redundancy, including:
- Load balancing over multiple gateways using policy routing based on client IP address, firewall mangle rules, and default routes.
- VRRP (Virtual Router Redundancy Protocol) for high availability using a virtual IP address, master and backup routers, and fast failover detection.
- Mikrotik PCC (Per Connection Classifier) load balancing which divides traffic into equal streams using a hashing algorithm on packet header fields and marks connections for policy routing out specific gateways.
3. Topics We Cover Here
• Load Balancing
• Load Balancing with failover
• VRRP (High Availability)
• Mikrotik PCC Load Balancing
• Load Balancing and Redundancy with OSPF
• Other load balancing mechanisms
• Bandwidth merging of different links
We also covered some load balancing and redundancy techniques in our routing lecture.
4. Load Balancing over Multiple Gateways
The typical situation: you have one router and want to connect it to two ISPs. Of course, you want to do load balancing! There are several ways to do it; depending on your particular situation, you may find one best suited for you.
5. Policy Routing based on Client IP Address
If you have a number of hosts, you may group them by IP address. Then, depending on the source IP address, send the traffic out through Gateway #1 or #2. This is not the best approach if you want perfect load balancing, but it is easy to implement and gives you some control too.
Let us assume we use for our workstations IP addresses from network 192.168.100.0/24. The IP
addresses are assigned as follows:
192.168.100.1-127 are used for Group A workstations
192.168.100.128-253 are used for Group B workstations
192.168.100.254 is used for the router.
All workstations are configured with an IP address from their group, the network mask 255.255.255.0, and 192.168.100.254 as their default gateway. We will talk about DNS servers later.
Now, when we have workstations divided into groups, we can refer to them using subnet addressing:
Group A is 192.168.100.0/25, i.e., addresses 192.168.100.0-127
Group B is 192.168.100.128/25, i.e., addresses 192.168.100.128-255
6. We need to add two IP Firewall Mangle rules to mark the packets originating from Group A or Group B workstations.
For Group A, specify
• Chain prerouting and Src. Address 192.168.100.0/25
• Action mark routing and New Routing Mark GroupA
7. It is good practice to add a comment as well. Your mangle rules might be interesting for someone else, and for yourself as well after some time.
For Group B, specify
• Chain prerouting and Src. Address 192.168.100.128/25
• Action mark routing and New Routing Mark GroupB
All IP traffic coming from the workstations is now marked with the routing mark GroupA or GroupB. We can use these marks in the routing table.
8. Next, we should specify two default routes (destination 0.0.0.0/0) with the appropriate routing marks and gateways.
9. This is not going to work unless you do masquerading for your LAN! The simplest way is to add one NAT rule with Src. Address 192.168.100.0/24 and Action masquerade.
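The mangle → routing-mark → masquerade pipeline of slides 6 to 9, as an added Python model; this is not code from the original slides or from MikroTik. The group subnets, the GroupA/GroupB marks and the masquerade source are the ones on the slides; the gateway and WAN addresses (198.51.100.x for Gateway #1, 203.0.113.x for Gateway #2), the interface names wan1/wan2 and the main-table fallback are assumptions. Beyond the slides' own case, it also shows what happens to a source that matches no mangle rule (it falls into the main table) and to a packet that leaves without masquerade (it carries a private source address the Internet cannot answer).

```python
import ipaddress

# Added example, not code from the original slides or from MikroTik: a model of
# the policy-routing pipeline on slides 6 to 9. Mangle marks a packet by its
# source group, the routing mark selects one of two default routes, and
# srcnat masquerade rewrites the source address to the outgoing WAN address.
# Gateway/WAN addresses and interface names below are assumptions.

# Slides 6/7: chain=prerouting, src-address -> routing mark
MANGLE_RULES = [
    (ipaddress.ip_network("192.168.100.0/25"), "GroupA"),
    (ipaddress.ip_network("192.168.100.128/25"), "GroupB"),
]

# Slide 8: two default routes selected by routing mark. The entry under None is
# the main table, assumed here to point at Gateway #1; unmarked packets use it.
ROUTES = {
    "GroupA": {"gateway": "198.51.100.1", "out_iface": "wan1", "wan_addr": "198.51.100.2"},
    "GroupB": {"gateway": "203.0.113.1", "out_iface": "wan2", "wan_addr": "203.0.113.2"},
    None: {"gateway": "198.51.100.1", "out_iface": "wan1", "wan_addr": "198.51.100.2"},
}

# Slide 9: srcnat masquerade for src-address 192.168.100.0/24
MASQUERADE_SRC = ipaddress.ip_network("192.168.100.0/24")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private (RFC 1918) addresses, which the Internet cannot route back to."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def mark_routing(src):
    """Mangle prerouting: the first rule whose src-address matches sets the mark."""
    addr = ipaddress.ip_address(src)
    for net, mark in MANGLE_RULES:
        if addr in net:
            return mark
    return None


def route_packet(src, dst, masquerade=True):
    """Run one forwarded packet through mangle -> route lookup -> srcnat and
    report where it leaves and with which source address."""
    mark = mark_routing(src)
    route = ROUTES[mark]  # unmarked packets fall back to the main table
    out_src = src
    if masquerade and ipaddress.ip_address(src) in MASQUERADE_SRC:
        out_src = route["wan_addr"]
    return {
        "mark": mark,
        "gateway": route["gateway"],
        "out_iface": route["out_iface"],
        "src_after_nat": out_src,
        # slide 9's point: a private source left unmasqueraded gets no replies
        "reply_routable": not is_rfc1918(out_src),
    }


if __name__ == "__main__":
    # constructed sample sources: one per group plus one from another subnet
    for src in ("192.168.100.10", "192.168.100.200", "10.9.9.9"):
        print(src, route_packet(src, "1.2.3.4"))
    print("without masquerade:", route_packet("192.168.100.10", "1.2.3.4", masquerade=False))
```

The /25 boundary is the point to check: 192.168.100.127 is the last GroupA address and 192.168.100.128 the first GroupB address, and a typo in either prefix silently moves a whole block of hosts onto the other gateway.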
10. ECMP load balancing with masquerade
This example is an improved (different) version of the round-robin load balancing example. It adds persistent user sessions, i.e. a particular user will use the same source IP address for all outgoing connections. Consider the following network layout:
12. Explanation
First we give a code snippet and then explain what it actually does.
IP Addresses
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN
interface has the name "Local" and IP address of 192.168.0.1/24.
NAT
/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
Since the routing decision has already been made, we just need rules that fix the source address of all outgoing packets: if a packet leaves via wlan1 it is NATed to 10.112.0.2, if via wlan2 it is NATed to 10.111.0.2.
Routing
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping
This is a typical ECMP (Equal Cost Multi-Path) gateway with check-gateway. ECMP is "persistent per-connection load balancing" or "per-src-dst-address combination load balancing". As soon as one of the gateways becomes unreachable, check-gateway removes it from the gateway list, and you get a "failover" effect.
13. You can also use links with asymmetric bandwidth, for example one link of 2Mbps and the other of 10Mbps. Just use this command to make the load balancing 1:5 (each gateway is listed once per share):
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1,10.112.0.1 check-gateway=ping
Connections to the router itself
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
/ ip route
# each mark routes via the gateway on the interface the connection arrived on:
# 10.112.0.1 lies in wlan1's subnet (10.112.0.0/24), 10.111.0.1 in wlan2's (10.111.0.0/24)
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan2
With all multi-gateway setups there is a usual problem: reaching the router from the public network via one, the other, or both gateways. The explanation is simple: packets the router originates use the same routing decision as packets going through the router. So a reply to a packet that was received via wlan1 might be sent out, and masqueraded, via wlan2.
To avoid that we need to policy-route those connections: the input rules mark each connection with the interface it arrived on, and the output rules use that connection mark to send the router's replies back out through the same interface.
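The ECMP section (weighted gateway list, check-gateway failover) and the "connections to the router itself" section, as one added Python model; this is not code from the original slides or from MikroTik. The gateway list, the 1:5 weighting, and the wlan1/wlan2 address pairing are taken from the slides. RouterOS's real ECMP hash is not given on the page, so SHA-256 of the src/dst pair stands in for it (assumption), and the client addresses are constructed.

```python
import hashlib
import ipaddress

# Added example, not code from the original slides or from MikroTik: a model of
# ECMP with a weighted gateway list chosen per src/dst pair, check-gateway
# removing a dead gateway, and the connection-mark fix for replies to
# connections opened to the router itself. The hash is an assumption.

# /ip route add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 (x5): 1:5 weighting
ECMP_GATEWAYS = ["10.111.0.1"] + ["10.112.0.1"] * 5

# Interface -> gateway / own address, from the slides' /ip address section:
# wlan2 holds 10.111.0.2/24, wlan1 holds 10.112.0.2/24.
IFACE_GATEWAY = {"wlan1": "10.112.0.1", "wlan2": "10.111.0.1"}
IFACE_ADDR = {"wlan1": "10.112.0.2", "wlan2": "10.111.0.2"}


def ecmp_pick(src, dst, gateways, reachable):
    """Persistent per-src/dst-pair choice over the gateways check-gateway still
    considers alive. Duplicates in the list act as weights. None if all are down."""
    alive = [gw for gw in gateways if reachable.get(gw, False)]
    if not alive:
        return None
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return alive[int.from_bytes(digest[:4], "big") % len(alive)]


def _sample_flows(n):
    """Constructed sample: n distinct LAN-client -> internet src/dst pairs."""
    for i in range(n):
        src = str(ipaddress.IPv4Address("192.168.0.1") + (i % 250))
        dst = str(ipaddress.IPv4Address("203.0.113.1") + (i // 250))
        yield src, dst


def share(reachable, n=6000):
    """Fraction of flows each gateway receives under the given reachability."""
    counts = {}
    for src, dst in _sample_flows(n):
        gw = ecmp_pick(src, dst, ECMP_GATEWAYS, reachable)
        counts[gw] = counts.get(gw, 0) + 1
    return {gw: c / n for gw, c in counts.items()}


def reply_gateway(in_iface, client, reachable, conn_marks=True):
    """Gateway used for the router's own reply to a connection that arrived on
    in_iface. With the slides' mangle rules the connection mark pins the reply
    to that interface's gateway; without them the reply is just another packet
    for the ECMP route and may leave via the other WAN."""
    if conn_marks:
        return IFACE_GATEWAY[in_iface]  # routing-mark to_<in_iface> -> that WAN's gateway
    return ecmp_pick(IFACE_ADDR[in_iface], client, ECMP_GATEWAYS, reachable)


def wrong_wan_fraction(in_iface, reachable, conn_marks, n=2000):
    """How often a reply would leave through a different WAN than it arrived on."""
    wrong = 0
    for i in range(n):
        client = str(ipaddress.IPv4Address("198.51.100.1") + i)  # constructed clients
        if reply_gateway(in_iface, client, reachable, conn_marks) != IFACE_GATEWAY[in_iface]:
            wrong += 1
    return wrong / n


if __name__ == "__main__":
    both_up = {"10.111.0.1": True, "10.112.0.1": True}
    print("share, both up:", share(both_up))
    print("share, 10.112.0.1 down:", share({"10.111.0.1": True, "10.112.0.1": False}))
    print("replies on wrong WAN, no marks:", wrong_wan_fraction("wlan2", both_up, False))
    print("replies on wrong WAN, with marks:", wrong_wan_fraction("wlan2", both_up, True))
```

With the 1:5 list, roughly five replies in six to a connection that came in on wlan2 would leave through wlan1 without the connection marks, which is why the router is only reachable reliably on one WAN until those mangle rules are in place.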
14. VRRP (High Availability)
This chapter describes the Virtual Router Redundancy Protocol (VRRP) support in RouterOS.
On larger LANs dynamic routing protocols (OSPF or RIP) are mostly used; however, there are a number of factors that may make dynamic routing protocols undesirable. One alternative is static routing, but if a statically configured first hop fails, the hosts will not be able to communicate with other hosts. In IPv6 networks, hosts learn about routers by receiving the Router Advertisements used by the Neighbor Discovery (ND) protocol. ND already has a built-in mechanism to determine unreachable routers.
However, it can take up to 38 seconds to detect an unreachable router. It is possible to change parameters and make detection faster, but it will increase the overhead of ND traffic, especially if there are a lot of hosts. VRRP allows an unreachable router to be detected within 3 seconds without additional traffic overhead.
16. Steps!
According to this configuration, as long as the master, R1, is functional, all traffic destined to the external network gets directed to R1. But as soon as R1 fails, R2 takes over as master and starts handling packets forwarded to the interface associated with IP(R1). In this setup router R2 is completely idle while it is in the Backup state.
R1 configuration:
/ip address
add address=192.168.1.1/24 interface=ether1
/interface vrrp
add interface=ether1 vrid=49 priority=254
/ip address
add address=192.168.1.254/32 interface=vrrp1
R2 configuration:
/ip address
add address=192.168.1.2/24 interface=ether1
/interface vrrp
add interface=ether1 vrid=49
/ip address
add address=192.168.1.254/32 interface=vrrp1
17. Testing
First of all, check that both routers have the correct flags on their vrrp interfaces.
On router R1 it should look like this:
/interface vrrp print
0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=ether1 vrid=49
priority=254 interval=1 preemption-mode=yes authentication=none password="" on-backup=""
on-master=""
and on router R2:
/interface vrrp print
0 B name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:31 arp=enabled interface=ether1 vrid=49
priority=100 interval=1 preemption-mode=yes authentication=none password=""
on-backup="" on-master=""
As you can see, the VRRP interface MAC addresses are identical on both routers. Now, to check that VRRP is working correctly, try to ping the virtual address from a client and check the ARP entries:
[admin@client] > ping 192.168.1.254
192.168.1.254 64 byte ping: ttl=64 time=10 ms
192.168.1.254 64 byte ping: ttl=64 time=8 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 8/9.0/10 ms.
[admin@client] /ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
...
1 D 192.168.1.254 00:00:5E:00:01:31 bridge1
Now unplug the ether1 cable on router R1. R2 will become VRRP master; the ARP table on the client will not change, but traffic will start to flow over router R2.
18. Load sharing
In the basic configuration example R2 is completely idle while in the Backup state. This behaviour may be considered a waste of valuable resources. In such circumstances router R2 can be set as the gateway for some clients. The obvious advantage of this configuration is the establishment of a load-sharing scheme. But by doing so, router R2 is not protected by the current VRRP setup. To make this setup work we need two virtual routers.
The configuration for virtual router V1 is identical to the configuration in the basic example: R1 is the Master and R2 the Backup router. In V2 the Master is R2 and the Backup is R1.
With this configuration we establish load sharing between R1 and R2; moreover, we create a protection setup by having the two routers act as backups for each other.
21. VRRP without Preemption
Each time a router with a higher priority becomes available, it becomes the Master router. Sometimes this is not the desired behaviour; it can be turned off by setting preemption-mode=no in the VRRP configuration.
Configuration
We will be using the same setup as in the basic example. The only difference is that during configuration we set preemption-mode=no. It can be done easily by modifying the existing configuration:
/interface vrrp set [find] preemption-mode=no
Testing
Try turning off router R1: R2 will become the Master router because it has the highest priority among the available routers. Now turn router R1 on and you will see that R2 continues to be Master even though R1 has the higher priority.
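The basic R1/R2 election, the failover the slides describe, and the preemption-mode=no behaviour, as one added Python model; this is not code from the original slides or from RouterOS. The priorities (254 for R1, the default 100 for R2), vrid 49 and interval 1 are from the slides. The timing model is an assumption drawn from how VRRP is designed: the master advertises once per interval, a backup declares the master dead after three missed advertisements plus a priority-dependent skew, and a backup with preemption takes over as soon as it hears a lower-priority master advertising.

```python
from dataclasses import dataclass, field

# Added example (not code from the original slides or RouterOS): a model of VRRP
# master election on one segment. Timing is an assumption: master advertises
# every `interval` seconds; a backup waits 3 * interval + skew without hearing
# one before taking over; preemption lets a higher-priority backup take over
# immediately, and preemption-mode=no disables that.


@dataclass
class Router:
    name: str
    priority: int               # slides: R1 priority=254, R2 default 100
    preemption: bool = True     # preemption-mode=yes/no
    up: bool = True
    state: str = "backup"
    last_adv_seen: float = 0.0  # time the last master advertisement was heard


@dataclass
class Segment:
    vrid: int
    interval: float = 1.0       # advertisement interval (slides: interval=1)
    routers: list = field(default_factory=list)
    time: float = 0.0

    def master_down_interval(self, r):
        """3 * interval + skew; a higher priority gives a shorter wait."""
        return 3 * self.interval + (256 - r.priority) / 256

    def master(self):
        """Name of the highest-priority router currently in Master state, or None."""
        live = [r for r in self.routers if r.up and r.state == "master"]
        return max(live, key=lambda r: r.priority).name if live else None

    def set_up(self, name, up):
        """Plug or unplug a router; a router that comes back starts as Backup."""
        r = next(r for r in self.routers if r.name == name)
        r.up, r.state, r.last_adv_seen = up, "backup", self.time

    def step(self, dt=0.25):
        self.time += dt
        advs = [r for r in self.routers if r.up and r.state == "master"]  # this tick's advertisements
        for r in self.routers:
            if not r.up:
                continue
            heard = [a for a in advs if a is not r]
            higher = any(a.priority > r.priority for a in heard)
            lower = any(a.priority < r.priority for a in heard)
            if r.state == "master":
                if higher:                              # yield to a better master
                    r.state, r.last_adv_seen = "backup", self.time
            elif higher or (lower and not r.preemption):
                r.last_adv_seen = self.time             # accept the current master
            elif lower:                                 # preempt a lower-priority master
                r.state = "master"
            elif self.time - r.last_adv_seen >= self.master_down_interval(r):
                r.state = "master"                      # master down timer expired

    def run(self, seconds, dt=0.25):
        for _ in range(int(seconds / dt)):
            self.step(dt)


def scenario(preemption=True):
    """Elect, fail R1, bring it back; report the master at each stage and the failover time."""
    seg = Segment(vrid=49)
    seg.routers = [Router("R1", 254, preemption), Router("R2", 100, preemption)]
    log = {}
    seg.run(6)
    log["initial"] = seg.master()
    t_fail = seg.time
    seg.set_up("R1", False)                 # unplug R1's ether1
    while seg.master() != "R2":
        seg.step()
    log["after_r1_fails"] = seg.master()
    log["failover_seconds"] = seg.time - t_fail
    seg.set_up("R1", True)                  # R1 comes back
    seg.run(6)
    log["after_r1_returns"] = seg.master()
    return log


if __name__ == "__main__":
    print("preemption-mode=yes:", scenario(True))
    print("preemption-mode=no: ", scenario(False))
```

In this model R2 takes over a little under four seconds after R1 disappears (three missed one-second advertisements plus skew, rounded up to the tick), and only the `after_r1_returns` entry differs between the two runs.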
22. Mikrotik PCC Load Balancing
Introduction
The PCC matcher allows you to divide traffic into equal streams, with the ability to keep packets with a specific set of options in one particular stream (you can build this set of options from src-address, src-port, dst-address and dst-port).
Theory
PCC takes the selected fields from the IP header and, with the help of a hashing algorithm, converts them into a 32-bit value. This value is then divided by a specified Denominator, and the remainder is compared to a specified Remainder; if they are equal, the packet is captured. You can choose src-address, dst-address, src-port and dst-port from the header to use in this operation.
25. PCC WITH UN-EQUAL WAN LINKS
If you have unequal WAN links, for example WAN1 is 4 Mb and WAN2 is 8 Mb, and you want to force MT to use the WAN2 link more than the other because of its capacity, then you have to add more PCC rules, assigning the same connection mark to the higher-capacity link (WAN2) for more than one remainder. The denominator has to be raised to 3 so that the remainders 0, 1 and 2 all occur (with a denominator of 2 the remainder is only ever 0 or 1, so a 2/2 rule would never match), something like:
/ip firewall mangle
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:3/2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
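The PCC matcher of slide 22 and the equal (2/0, 2/1) and unequal (3/0, 3/1, 3/2) rule sets, as an added Python model; this is not code from the original slides or from RouterOS. RouterOS's real hash function is not given on the page, so the selected header fields are joined and hashed with SHA-256, truncated to 32 bits (assumption); the classifier names, marks, denominators and remainders are the slides' own, and the sample connections are constructed. It also makes the check explicit that a rule's remainder must be smaller than its denominator.

```python
import hashlib
import ipaddress

# Added example, not code from the original slides or RouterOS: a model of the
# PCC matcher. The hash (SHA-256 of the joined fields, truncated to 32 bits)
# is an assumption; "value mod Denominator == Remainder" follows the slides.

# Header fields each classifier feeds into the hash.
CLASSIFIER_FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "sport", "dst", "dport"),
}


def pcc_value(packet, classifier):
    """32-bit value derived from the selected header fields."""
    data = "|".join(str(packet[f]) for f in CLASSIFIER_FIELDS[classifier]).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def pcc_match(packet, classifier, denominator, remainder):
    """True if the packet falls into stream `remainder` of `denominator` streams."""
    if not 0 <= remainder < denominator:
        # a rule such as 2/2 can never match: x mod 2 is only ever 0 or 1
        raise ValueError(f"remainder {remainder} is not below denominator {denominator}")
    return pcc_value(packet, classifier) % denominator == remainder


def classify(packet, rules):
    """Apply the PCC mangle rules in order and return the mark of the one that
    matches. Within one rule set the remainders are disjoint, so at most one
    rule can match a given packet regardless of passthrough."""
    for classifier, denominator, remainder, mark in rules:
        if pcc_match(packet, classifier, denominator, remainder):
            return mark
    return None


# Rule sets from the slides: (classifier, denominator, remainder, new-connection-mark)
EQUAL_RULES = [
    ("both-addresses-and-ports", 2, 0, "WAN1_conn"),
    ("both-addresses-and-ports", 2, 1, "WAN2_conn"),
]
UNEQUAL_RULES = [  # slide 25: two of three streams to the 8 Mb WAN2 link
    ("both-addresses-and-ports", 3, 0, "WAN1_conn"),
    ("both-addresses-and-ports", 3, 1, "WAN2_conn"),
    ("both-addresses-and-ports", 3, 2, "WAN2_conn"),
]


def sample_connections(n):
    """Constructed sample: n client connections from the Local LAN."""
    for i in range(n):
        yield {
            "src": str(ipaddress.IPv4Address("192.168.0.10") + (i % 200)),
            "sport": 40000 + i,
            "dst": str(ipaddress.IPv4Address("203.0.113.1") + (i % 50)),
            "dport": 443 if i % 3 else 80,
        }


def distribution(rules, n=3000):
    """Fraction of connections per connection mark under a rule set."""
    counts = {}
    for pkt in sample_connections(n):
        mark = classify(pkt, rules)
        counts[mark] = counts.get(mark, 0) + 1
    return {mark: c / n for mark, c in counts.items()}


if __name__ == "__main__":
    print("equal 2/0, 2/1:      ", distribution(EQUAL_RULES))
    print("unequal 3/0, 3/1, 3/2:", distribution(UNEQUAL_RULES))
```

The classifier choice decides what "stays together": with both-addresses-and-ports each new source port can land on a different WAN, while both-addresses keeps every connection between one client and one server on the same link, which matters for servers that tie a session to the client's public address.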