MikroTik, Equipment setup and installation, Practice and programming

Having more than one upstream provider is a common situation. MikroTik RouterOS can use several WAN interfaces at once, balance outgoing connections between them in proportions that reflect what each provider delivers, and steer particular traffic through a particular provider. This article walks through both on a test router with two providers.

The first step is to bring up the additional interface. On the test router the third port, ether3, is still disabled (flag X), so we enable it. A bare number such as 2 in the command refers to the item numbers shown by the preceding print in the same session; in scripts, refer to the interface by name (enable ether3) instead.

[mkt@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE     MTU
 0  R ether1    ether    1500
 1  R ether2    ether    1500
 2  X ether3    ether    1500
[mkt@MikroTik] /interface> enable 2
[mkt@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE     MTU
 0  R ether1    ether    1500
 1  R ether2    ether    1500
 2  R ether3    ether    1500

For convenience, give the interfaces descriptive names; the firewall and routing rules below refer to them by these names.

[mkt@MikroTik] /interface> set ether1 name=ISP1
[mkt@MikroTik] /interface> set ether2 name=LOCAL
[mkt@MikroTik] /interface> set ether3 name=ISP2
[mkt@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE     MTU
 0  R ISP1      ether    1500
 1  R LOCAL     ether    1500
 2  R ISP2      ether    1500

Now assign an IP address to the new interface.

[mkt@MikroTik] > ip address add address=192.168.222.100/24 interface=ISP2
[mkt@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK          BROADCAST        INTERFACE
 0   192.168.1.116/24     192.168.1.0      192.168.1.255    ISP1
 1   192.168.0.1/24       192.168.0.0      192.168.0.255    LOCAL
 2   192.168.222.100/24   192.168.222.0    192.168.222.255  ISP2

Now change the default routing. Assume first that both providers offer the same bandwidth, so outgoing connections should be split evenly, 50/50. RouterOS does this with an ECMP (equal-cost multi-path) route: a single default route that lists several gateways. ECMP balances per source/destination address pair, not per packet: each new pair is assigned to the next gateway in round-robin order and the choice is cached, so all packets of one connection leave through the same provider. First, delete the old default gateway.

[mkt@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY                DISTANCE
 0 A S  0.0.0.0/0                           192.168.1.249 r...            1
 1 ADC  192.168.0.0/24     192.168.0.1      LOCAL                         0
 2 ADC  192.168.1.0/24     192.168.1.116    ISP1                          0
 3 ADC  192.168.222.0/24   192.168.222.100  ISP2                          0
[mkt@MikroTik] > ip route remove 0
[mkt@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY                DISTANCE
 0 ADC  192.168.0.0/24     192.168.0.1      LOCAL                         0
 1 ADC  192.168.1.0/24     192.168.1.116    ISP1                          0
 2 ADC  192.168.222.0/24   192.168.222.100  ISP2                          0

And add a new one: a single default route that lists both gateways.

[mkt@MikroTik] > ip route add dst-address=0.0.0.0/0 gateway=192.168.1.249,192.168.222.1
[mkt@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY                DISTANCE
 0 A S  0.0.0.0/0                           192.168.1.249 r...            1
                                            192.168.222.1 r...
 1 ADC  192.168.0.0/24     192.168.0.1      LOCAL                         0
 2 ADC  192.168.1.0/24     192.168.1.116    ISP1                          0
 3 ADC  192.168.222.0/24   192.168.222.100  ISP2                          0

Now suppose the first provider is twice as fast as the second, so 2/3 of outgoing connections should go through the first and the remaining 1/3 through the second. The weighting is expressed by listing a gateway more than once: remove the 50/50 route (ip route remove 0 again, as above) and add one that names the first gateway twice. Neither route checks whether a gateway is actually alive; add check-gateway=ping to the route if an unreachable gateway should be taken out of the rotation automatically.

[mkt@MikroTik] > ip route add dst-address=0.0.0.0/0 gateway=192.168.1.249,192.168.1.249,192.168.222.1
[mkt@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY                DISTANCE
 0 A S  0.0.0.0/0                           192.168.222.1 r...            1
                                            192.168.1.249 r...
                                            192.168.1.249 r...
 1 ADC  192.168.0.0/24     192.168.0.1      LOCAL                         0
 2 ADC  192.168.1.0/24     192.168.1.116    ISP1                          0
 3 ADC  192.168.222.0/24   192.168.222.100  ISP2                          0

This is the simplest configuration that gives Internet access with load balancing, but it has drawbacks. The most visible one is that services published from the local network through NAT (the web, SMTP and POP servers set up earlier) stop working reliably. The cause is route selection for the replies: a web server published through dst-nat on the first provider's address receives the request, but its reply is routed by the same ECMP default route, which may just as well pick the second provider's gateway. The reply then leaves through ISP2 while its source address (connection tracking has already reversed the dst-nat) is still the first provider's 192.168.1.116. An upstream that does ingress filtering (BCP 38) drops such a packet as spoofed, and even where it is not dropped the client sees replies arriving by a path it did not use. A web server that answers only some of its requests is not much of a web server.

Packet marking solves this. The mangle table classifies and marks packets and connections and can also modify packet headers. We are interested in its prerouting chain, which sees every forwarded packet before the routing decision, so a mark set there can select a different routing table. Let's start with the web server.

Say port 80 on the first provider's address 192.168.1.116 (ISP1) has been forwarded to port 80 of the web server on the local network, 192.168.0.2, and every reply from that server must leave through the first provider's gateway. Here is the rule in the NAT table; the comment contains spaces and therefore has to be quoted.

[mkt@MikroTik] > ip firewall nat add chain=dstnat dst-address=192.168.1.116 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.2 to-ports=80 comment="NAT 80 port from ISP1 to local web server"
[mkt@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=!LOCAL
 1   ;;; NAT 80 port from ISP1 to local web server
     chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=80
     protocol=tcp dst-address=192.168.1.116 dst-port=80

Next, create the marking rule in the mangle table.

[mkt@MikroTik] > ip firewall mangle add chain=prerouting src-address=192.168.0.2 protocol=tcp src-port=80 action=mark-routing new-routing-mark=to-isp1
[mkt@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=add-src-to-address-list protocol=tcp
     address-list=test_list address-list-timeout=0s dst-port=23
 1   chain=prerouting action=mark-routing new-routing-mark=to-isp1
     passthrough=yes protocol=tcp src-address=192.168.0.2 src-port=80

Packets from the local address 192.168.0.2 with source port 80, i.e. the web server's replies, now receive the routing mark to-isp1 (rule 0 in the listing is an unrelated leftover from an earlier experiment). A routing mark has no effect until a route carries the same mark, so we add that route next. Note that this rule matches every reply from port 80, including replies to requests that came in through the second provider; that case is dealt with further down.

[mkt@MikroTik] > ip route add gateway=192.168.1.249 routing-mark=to-isp1
[mkt@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY                DISTANCE
 0 A S  0.0.0.0/0                           192.168.1.249 r...            1
 1 A S  0.0.0.0/0                           192.168.1.249 r...            1
                                            192.168.1.249 r...
                                            192.168.222.1 r...
 2 ADC  192.168.0.0/24     192.168.0.1      LOCAL                         0
 3 ADC  192.168.1.0/24     192.168.1.116    ISP1                          0
 4 ADC  192.168.222.0/24   192.168.222.100  ISP2                          0

Everything carrying the to-isp1 mark is now sent to the first provider's gateway: for a marked packet the marked routing table is consulted first and the main table only as a fallback. Now let's complicate the situation. Say the second provider also offers, on favourable terms, a large metropolitan network through which all ten branches of the company are connected. All branches and offices use the same web site, and there is no point in reaching it through the first provider when it can be reached almost locally through the second. First, add a NAT rule that forwards requests arriving at the external address from the second provider to port 80 of the same web server.

[mkt@MikroTik] > ip firewall nat add chain=dstnat dst-address=192.168.222.100 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.2 to-ports=80 comment="NAT 80 port from ISP2 to local web server"
[mkt@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=!LOCAL
 1   ;;; NAT 80 port from ISP1 to local web server
     chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=80
     protocol=tcp dst-address=192.168.1.116 dst-port=80
 2   ;;; NAT 80 port from ISP2 to local web server
     chain=dstnat action=dst-nat to-addresses=192.168.0.2 to-ports=80
     protocol=tcp dst-address=192.168.222.100 dst-port=80

The next step is another mangle rule, for replies addressed to the second provider's network. Two details matter. The rule must sit before the to-isp1 rule (place-before=1), because both rules match these packets, and it must have passthrough=no; with passthrough=yes the to-isp1 rule further down would run afterwards and overwrite the mark, and the replies would go to the first provider after all.

[mkt@MikroTik] > ip firewall mangle add chain=prerouting src-address=192.168.0.2 protocol=tcp src-port=80 dst-address=192.168.222.0/24 action=mark-routing new-routing-mark=to-isp2 passthrough=no place-before=1
[mkt@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=add-src-to-address-list protocol=tcp
     address-list=test_list address-list-timeout=0s dst-port=23
 1   chain=prerouting action=mark-routing new-routing-mark=to-isp2
     passthrough=no protocol=tcp src-address=192.168.0.2
     dst-address=192.168.222.0/24 src-port=80
 2   chain=prerouting action=mark-routing new-routing-mark=to-isp1
     passthrough=yes protocol=tcp src-address=192.168.0.2 src-port=80

Replies from 192.168.0.2 port 80 destined for the second provider's network 192.168.222.0/24 are marked to-isp2; everything else from port 80 falls through to the to-isp1 rule. For the to-isp2 mark to survive, its rule has to stop processing (passthrough=no) and sit before the to-isp1 rule, which also matches these packets and would otherwise overwrite the mark. Finally, the matching route:

[mkt@MikroTik] > ip route add gateway=192.168.222.1 routing-mark=to-isp2
[mkt@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC         GATEWAY                DISTANCE
 0 A S  0.0.0.0/0                           192.168.1.249 r...            1
 1 A S  0.0.0.0/0                           192.168.222.1 r...            1
 2 A S  0.0.0.0/0                           192.168.1.249 r...            1
                                            192.168.1.249 r...
                                            192.168.222.1 r...
 3 ADC  192.168.0.0/24     192.168.0.1      LOCAL                         0
 4 ADC  192.168.1.0/24     192.168.1.116    ISP1                          0
 5 ADC  192.168.222.0/24   192.168.222.100  ISP2                          0

Now requests that arrived through the first provider are answered through the first provider's gateway, and requests from the second provider's network are answered through the second provider's gateway. Outgoing connections from the local network are untouched by the marks and still use the weighted ECMP default route. One limitation remains: a request from the wider Internet that arrives at the second provider's address is still answered through the first provider, because the mark is chosen by the reply's destination network rather than by the interface the request came in on, and the same port-80 rules would have to be repeated for every published service.
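As an added example that is not part of the original article, here is a complete configuration for the same two-provider router that covers both halves of the walkthrough: the weighted ECMP default route from the first part, and the reply steering from the second part done by marking connections by the interface they arrive on instead of by the web server's address and port. That way every dst-nat'ed service, not only port 80, is answered through the provider its request came in on, whether the client is on the second provider's network or elsewhere on the Internet. Interface names, addresses and gateways are the ones used above; the connection-mark names from-isp1 and from-isp2 and the check-gateway=ping settings are my additions.

```routeros
# Added example: interface-based reply steering for the two-provider router.
# Names, addresses and gateways follow the article; the connection-mark
# names from-isp1/from-isp2 are assumed, not from the article.
/ip firewall nat
add chain=srcnat out-interface=!LOCAL action=masquerade
add chain=dstnat dst-address=192.168.1.116 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.2 to-ports=80 \
    comment="NAT 80 port from ISP1 to local web server"
add chain=dstnat dst-address=192.168.222.100 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.2 to-ports=80 \
    comment="NAT 80 port from ISP2 to local web server"

/ip firewall mangle
# Remember which provider each new inbound connection arrived through.
# A connection mark belongs to the whole connection, so the reply packets
# coming back from the LAN carry it too.
add chain=prerouting in-interface=ISP1 connection-state=new \
    action=mark-connection new-connection-mark=from-isp1 passthrough=yes
add chain=prerouting in-interface=ISP2 connection-state=new \
    action=mark-connection new-connection-mark=from-isp2 passthrough=yes
# Replies from the LAN: pick the routing table of the provider the request
# came from. passthrough=no, so the first matching rule is final and no later
# rule can overwrite the routing mark.
add chain=prerouting in-interface=LOCAL connection-mark=from-isp1 \
    action=mark-routing new-routing-mark=to-isp1 passthrough=no
add chain=prerouting in-interface=LOCAL connection-mark=from-isp2 \
    action=mark-routing new-routing-mark=to-isp2 passthrough=no
# The router's own replies (e.g. to management sessions) leave via the
# output chain, not prerouting, so they need the same treatment there.
add chain=output connection-mark=from-isp1 \
    action=mark-routing new-routing-mark=to-isp1 passthrough=no
add chain=output connection-mark=from-isp2 \
    action=mark-routing new-routing-mark=to-isp2 passthrough=no

/ip route
# Per-provider tables selected by the routing marks above.
add dst-address=0.0.0.0/0 gateway=192.168.1.249 routing-mark=to-isp1 \
    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.222.1 routing-mark=to-isp2 \
    check-gateway=ping
# Unmarked traffic, i.e. connections opened from the LAN: weighted ECMP,
# two thirds via ISP1, one third via ISP2; a gateway that stops answering
# pings is dropped from the rotation.
add dst-address=0.0.0.0/0 \
    gateway=192.168.1.249,192.168.1.249,192.168.222.1 check-gateway=ping
```

Paste the block into a terminal or import it as an .rsc file on a router that has none of the article's NAT, mangle or default routes yet; it replaces the two port-80 mangle rules above rather than adding to them. Rule order inside the mangle table is the whole point: the mark-connection rules must come before the mark-routing rules, and the mark-routing rules stop processing so a later rule cannot change the decision.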