Saturday, 2 April 2011

Load balancing multiple same subnet links

Summary

This example demonstrates how to set up load balancing when the provider assigns IP addresses from the same subnet to all links.

Application Example

File:two-link-example.png

The provider gives us two links with IP addresses from the same network range (10.1.101.10/24 and 10.1.101.18/24). The gateway for both links is the same: 10.1.101.1.

Configuration

Here is the whole configuration for those who want to copy and paste it:

/ip address
add address=10.1.101.18/24 interface=ether1
add address=10.1.101.10/24 interface=ether2
add address=192.168.1.1/24 interface=Local
add address=192.168.2.1/24 interface=Local

/ip route
add gateway=10.1.101.1
add gateway=10.1.101.1%ether1 routing-mark=first
add gateway=10.1.101.1%ether2 routing-mark=other

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

/ip firewall mangle
add action=mark-routing chain=prerouting src-address=192.168.1.0/24 new-routing-mark=first
add action=mark-routing chain=prerouting src-address=192.168.2.0/24 new-routing-mark=other

IP address

In previous RouterOS versions, multiple IP addresses from the same subnet on different interfaces were not allowed. Fortunately v4 allows such configurations.

In this example our provider assigned two upstream links, one connected to ether1 and the other to ether2. Our local network has two subnets, 192.168.1.0/24 and 192.168.2.0/24.

/ip address
add address=10.1.101.18/24 interface=ether1
add address=10.1.101.10/24 interface=ether2
add address=192.168.1.1/24 interface=Local
add address=192.168.2.1/24 interface=Local

After the IP addresses are set up, the connected route is installed as an ECMP route:

[admin@MikroTik] /ip route> print detail
 0 ADC  dst-address=10.1.101.0/24 pref-src=10.1.101.18 gateway=ether1,ether2
        gateway-status=ether1 reachable,ether2 reachable distance=0 scope=10

Note: Routing filters can be used to adjust preferred source if needed


Mangle and NAT

In our example very simple policy routing is used. Clients from the 192.168.1.0/24 subnet are marked to use the "first" routing table and clients from 192.168.2.0/24 to use the "other" routing table.

Note: The same can be achieved by setting up route rules instead of mangle.


/ip firewall mangle
add action=mark-routing chain=prerouting src-address=192.168.1.0/24 new-routing-mark=first
add action=mark-routing chain=prerouting src-address=192.168.2.0/24 new-routing-mark=other

And masquerade our local networks

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

Warning: You will also have to deal with traffic coming to and from the router itself. For explanations look at PCC configuration example.


IP route

We add two gateways, one resolved in the "first" routing table and the other in the "other" routing table.

/ip route
add gateway=10.1.101.1%ether1 routing-mark=first
add gateway=10.1.101.1%ether2 routing-mark=other

The interesting part of these routes is how the gateway is set: gateway=10.1.101.1%ether1 means that gateway 10.1.101.1 is explicitly reachable over ether1.

[admin@MikroTik] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=10.1.101.1%ether2
        gateway-status=10.1.101.1 reachable ether2 distance=1 scope=30
        target-scope=10 routing-mark=other

 1 A S  dst-address=0.0.0.0/0 gateway=10.1.101.1%ether1
        gateway-status=10.1.101.1 reachable ether1 distance=1 scope=30
        target-scope=10 routing-mark=first

Finally, we have one additional entry specifying that traffic from the router itself (traffic without any routing mark) is resolved in the main routing table.

/ip route add gateway=10.1.101.1 

MPLS over PPPoE in MIKROTIK

This example shows how to set up MPLS network over PPPoE interfaces.

Example network

Image:mpls-pppoe-f.png

As you can see from the illustration above, router R2 is the pppoe server and routers R3 and R4 are pppoe clients. Our goal is to run MPLS on this network.

When running MPLS over PPPoE or other tunnels you have to deal with MTU issues. Tunnels add overhead (in our case PPPoE adds 8 more bytes). To forward a 1500 byte IP packet without fragmentation we need an interface that supports

1500 (IP frame)
+ 8 (PPPoE header)
+ 4 (MPLS header)
= 1512 bytes

From the RouterBoard MTU table you can check whether your RouterBoard supports a 1512 byte L2MTU.

Let's say that R2 is an RB433 and the pppoe clients are connected to ether2. From the table you can see that the maximum supported L2MTU for this interface is 1522.

This means the router will be able to forward the packets without fragmentation.

Note: Since v5.0, proper support for MPLS over PPP has been added. MPLS is now disabled by default; to enable it, go to the
/ppp profile menu and set use-mpls=yes


Configuration

R1

/system identity set name=R1

# add loopback interface
/interface bridge
add name=loopback
/ip address
add address=10.255.255.1/32 interface=loopback
add address=172.16.0.1/30 interface=ether1

# set up ospf
/routing ospf instance
set default redistribute-connected=as-type-1
/routing ospf network
add network=172.16.0.0/30 area=backbone

# set up MPLS/LDP
/mpls interface
set 0 mpls-mtu=1512
/mpls ldp
set enabled=yes lsr-id=10.255.255.1 transport-address=10.255.255.1
/mpls ldp interface
add interface=ether1

R2

Note that we have to add a static interface for each PPPoE client, because later on these interfaces are added to the LDP configuration.

/system identity set name=R2

# add loopback interface
/interface bridge
add name=loopback
/ip address
add address=10.255.255.2/32 interface=loopback
add address=172.16.0.2/30 interface=ether1

# set up pppoe
/interface pppoe-server server
add interface=ether2 service-name=mpls max-mru=1500 max-mtu=1500
/ppp secret
add name=mplsR3 service=pppoe remote-address=192.168.0.2 local-address=192.168.0.1
add name=mplsR4 service=pppoe remote-address=192.168.0.3 local-address=192.168.0.1
/interface pppoe-server
add name="mplsR3" user="mplsR3" service="mpls"
add name="mplsR4" user="mplsR4" service="mpls"

# set up ospf
/routing ospf instance
set default redistribute-connected=as-type-1
/routing ospf network
add network=172.16.0.0/30 area=backbone
add network=192.168.0.2/32 area=backbone
add network=192.168.0.3/32 area=backbone

# set up MPLS/LDP
/mpls interface
set 0 mpls-mtu=1512
/mpls ldp
set enabled=yes lsr-id=10.255.255.2 transport-address=10.255.255.2
/mpls ldp interface
add interface=ether1
add interface=mplsR3
add interface=mplsR4


R3

/system identity set name=R3

# add loopback interface
/interface bridge
add name=loopback
/ip address
add address=10.255.255.3/32 interface=loopback

# set up pppoe
/interface pppoe-client
add name="mplsR3" max-mtu=1500 max-mru=1500 interface=ether2 user="mplsR3" service-name=mpls

# set up ospf
/routing ospf instance
set default redistribute-connected=as-type-1
/routing ospf network
add network=192.168.0.1/32 area=backbone

# set up MPLS/LDP
/mpls interface
set 0 mpls-mtu=1512
/mpls ldp
set enabled=yes lsr-id=10.255.255.3 transport-address=10.255.255.3
/mpls ldp interface
add interface=mplsR3

R4

/system identity set name=R4

# add loopback interface
/interface bridge
add name=loopback
/ip address
add address=10.255.255.4/32 interface=loopback

# set up pppoe
/interface pppoe-client
add name="mplsR4" max-mtu=1500 max-mru=1500 interface=ether2 user="mplsR4" service-name=mpls

# set up ospf
/routing ospf instance
set default redistribute-connected=as-type-1
/routing ospf network
add network=192.168.0.1/32 area=backbone

# set up MPLS/LDP
/mpls interface
set 0 mpls-mtu=1512
/mpls ldp
set enabled=yes lsr-id=10.255.255.4 transport-address=10.255.255.4
/mpls ldp interface
add interface=mplsR4

Testing

First, make sure the pppoe clients are connected successfully:

[admin@R2] /ppp active> print
Flags: R - radius
 #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING
 0   mplsR3       pppoe   00:0C:42:21:F1:EA 192.168.0.2     46m
 1   mplsR4       pppoe   00:0C:42:21:F1:ED 192.168.0.3     46m55s

Check that OSPF is running properly:

[admin@R2] /routing ospf neighbor> print
 0 router-id=10.255.255.1 address=172.16.0.1 interface=wlan1 priority=1
   dr-address=172.16.0.2 backup-dr-address=172.16.0.1 state="Full"
   state-changes=5 ls-retransmits=0 ls-requests=0 db-summaries=0
   adjacency=5m19s

 1 router-id=10.255.255.3 address=192.168.0.2 interface=mplsR3 priority=1
   dr-address=0.0.0.0 backup-dr-address=0.0.0.0 state="Full" state-changes=4
   ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=49m33s

 2 router-id=10.255.255.4 address=192.168.0.3 interface=mplsR4 priority=1
   dr-address=0.0.0.0 backup-dr-address=0.0.0.0 state="Full" state-changes=4
   ls-retransmits=0 ls-requests=0 db-summaries=0 adjacency=50m31s

Make sure LDP is running:

[admin@R2] /mpls ldp neighbor> print
Flags: X - disabled, D - dynamic, O - operational, T - sending-targeted-hello,
V - vpls
 #      TRANSPORT       LOCAL-TRANSPORT PEER                       SEN
 0 DO   10.255.255.3    10.255.255.2    10.255.255.3:0             no
 1 DO   10.255.255.4    10.255.255.2    10.255.255.4:0             no
 2 DO   10.255.255.1    10.255.255.2    10.255.255.1:0             no

[admin@R2] /mpls forwarding-table> print
Flags: L - ldp, V - vpls, T - traffic-eng
 #   IN-LABEL      OUT-LABELS  DESTINATION                    I NEXTHOP
 0   expl-null
 1 L 20                        192.168.0.1/32                 m 192.168.0.3
 2 L 21                        10.255.255.4/32                m 192.168.0.3
 3 L 22                        10.255.255.3/32                m 192.168.0.2
 4 L 23                        10.255.255.1/32                w 172.16.0.1
 5 L 24                        192.168.88.0/24                w 172.16.0.1

Now we can check if packet switching is working as expected

[admin@R4] /mpls ldp neighbor> /tool traceroute 10.255.255.1 src-address=10.255.255.4
     ADDRESS                                    STATUS
   1     192.168.0.1 13ms 19ms 143ms
                       mpls-label=23
   2    10.255.255.1 38ms 15ms 14ms

VPLS over PPPoE

Overview

This example extends the previous setup by connecting two local networks using a VPLS tunnel.

Example network

Image:mpls-pppoe-vpls.png

Simple Static Routing

Introduction

Let's look at the simplest network example, where we have one router serving several computers.

Image:SR1.png

The computers are connected directly to the router. Packets generally take a simple path; for example, client 192.168.0.2 wants to open a web page. The packet's path is:

  • 192.168.0.2 checks its routing table; the web page does not belong to any DST-address network present in the /ip route table;
  • 192.168.0.2 uses its default gateway, 192.168.0.1, the address of the router. The default gateway network is 0.0.0.0/0, i.e. everything except the destinations covered by the other present routes;

MikroTik RouterOS Features

TCP/IP protocol handling:
  • Firewall and NAT - stateful packet filtering; Peer-to-Peer protocol filtering; source and destination NAT; classification by source MAC, IP addresses, ports, protocols, protocol options, interfaces, internal marks, content, matching frequency

  • Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification by source and destination addresses and/or by firewall mark); RIP v1 / v2, OSPF v2, BGP v4

  • Data Rate Management - per IP / protocol / subnet / port / firewall mark; HTB, PCQ, RED, SFQ, byte limited queue, packet limited queue; hierarchical limitation, CIR, MIR, contention ratios, dynamic client rate equalizing (PCQ)

  • HotSpot - HotSpot Gateway with RADIUS authentication/accounting; data rate limitation; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication

  • Point-to-Point tunneling protocols - PPTP, PPPoE and L2TP Access Concentrators and clients; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; MPPE encryption; compression for PPPoE; data rate limitation; PPPoE dial on demand

  • Simple tunnels - IPIP tunnels, EoIP (Ethernet over IP)

  • IPsec - IP security AH and ESP protocols; Diffie-Hellman groups 1,2,5; MD5 and SHA1 hashing algorithms; DES, 3DES, AES-128, AES-192, AES-256 encryption algorithms; Perfect Forward Secrecy (PFS) groups 1,2,5

  • Web proxy - FTP, HTTP and HTTPS caching proxy server; transparent HTTP caching proxy; SOCKS protocol support; support for caching on a separate drive; access control lists; caching lists; parent proxy support

  • Caching DNS client - name resolving for local use; Dynamic DNS Client; local DNS cache with static entries

  • DHCP - DHCP server per interface; DHCP relay; DHCP client; multiple DHCP networks; static and dynamic DHCP leases

  • Universal Client - Transparent address translation not depending on the client's setup

  • VRRP - VRRP protocol for high availability

  • UPnP - Universal Plug-and-Play support

  • NTP - Network Time Protocol server and client; synchronization with GPS system

  • Monitoring/Accounting - IP traffic accounting, firewall actions logging

  • SNMP - read-only access

  • M3P - MikroTik Packet Packer Protocol for Wireless links and Ethernet

  • MNDP - MikroTik Neighbor Discovery Protocol; also supports Cisco Discovery Protocol (CDP)

  • Tools - ping; traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer

Layer 2 connectivity
  • Wireless - IEEE802.11a/b/g wireless client and Access Point; Wireless Distribution System (WDS) support; virtual AP; 40 and 104 bit WEP; access control list; authentication on RADIUS server; roaming (for wireless client); Access Point bridging

  • Bridge - spanning tree protocol; multiple bridge interfaces; bridge firewalling

  • VLAN - IEEE802.1q Virtual LAN support on Ethernet and WLAN links; multiple VLANs; VLAN bridging

  • Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) media types; sync-PPP, Cisco HDLC, Frame Relay line protocols; ANSI-617d (ANDI or annex D) and Q933a (CCITT or annex A) Frame Relay LMI types

  • Asynchronous - serial PPP dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; onboard serial ports; modem pool with up to 128 ports; dial on demand

  • ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i, x75ui, x75bui line protocols; dial on demand

  • SDSL - Single-line DSL support; line termination and network termination modes

Hardware requirements
  • CPU and motherboard - advanced 4th generation (core frequency 100MHz or more), 5th generation (Intel Pentium, Cyrix 6X86, AMD K5 or comparable) or newer uniprocessor Intel IA-32 (i386) compatible (multiple processors are not supported)

  • RAM - minimum 48 MB, maximum 1 GB; 64 MB or more recommended

  • Hard Drive/Flash - standard ATA interface controller and drive (SCSI and USB controllers and drives are not supported; RAID controllers that require additional drivers are not supported) with minimum of 64 MB space

Hardware needed for installation time only

Depending on installation method chosen the router must have the following hardware:
  • Floppy-based installation - standard AT floppy controller and 3.5'' disk drive connected as the first floppy disk drive (A); AT, PS/2 or USB keyboard; VGA-compatible video controller card and monitor

  • CD-based installation - standard ATA/ATAPI interface controller and CD drive supporting "El Torito" bootable CDs (you might need also to check if the router's BIOS supports booting from this type of media); AT, PS/2 or USB keyboard; VGA-compatible video controller card and monitor

  • Floppy-based network installation - standard AT floppy controller and 3.5'' disk drive connected as the first floppy disk drive (A); PCI Ethernet network interface card supported by MikroTik RouterOS (see the Device Driver List for the list)

  • Full network-based installation - PCI Ethernet network interface card supported by MikroTik RouterOS (see the Device Driver List for the list) with PXE or EtherBoot extension booting ROM (you might need also to check if the router's BIOS supports booting from network)

Configuration possibilities

RouterOS provides a powerful command-line configuration interface. You can also manage the router through WinBox, the easy-to-use remote configuration GUI for Windows, which provides all the benefits of the command-line interface without the actual "command line", which may scare novice users. Major features:
  • Clean and consistent user interface
  • Runtime configuration and monitoring
  • Multiple connections
  • User policies
  • Action history, undo/redo actions
  • Safe mode operation
  • Scripts can be scheduled for executing at certain times, periodically, or on events. All command-line commands are supported in scripts

When the router is not configured, there are only two ways to configure it:
  • Local terminal console - AT, PS/2 or USB keyboard and VGA-compatible video controller card with monitor
  • Serial console - First RS232 asynchronous serial port (usually, onboard port marked as COM1), which is by default set to 9600bit/s, 8 data bits, 1 stop bit, no parity
After the router is configured, it may be managed through the following interfaces:
  • Local terminal console - AT, PS/2 or USB keyboard and VGA-compatible video controller card with monitor

  • Serial console - any (you may choose any one; the first, also known as COM1, is used by default) RS232 asynchronous serial port, which is by default set to 9600bit/s, 8 data bits, 1 stop bit, no parity

  • Telnet - telnet server is running on TCP port 23 by default

  • SSH - SSH (secure shell) server is running on TCP port 22 by default (available only if the security package is installed)

  • MAC Telnet - MikroTik MAC Telnet protocol server is by default enabled on all Ethernet-like interfaces

  • Winbox - Winbox is a RouterOS remote administration GUI for Windows that uses TCP port 3986 (or 3987 if the security package is installed)

Load Balancing Using the PCC Method

Load balancing on MikroTik is a technique for distributing traffic load evenly across two or more connection links, so that traffic flows optimally, throughput is maximised, response time is reduced and no single link is overloaded. Many of us have long assumed, wrongly, that by load balancing two links the bandwidth we get becomes twice what it was before load balancing (the sum of the two).

Let us be clear first: load balancing does not increase the bandwidth we obtain; its only job is to divide traffic between the two links so that both are used evenly.

With this article we will show that load balancing does not follow the arithmetic 512 + 256 = 768, but rather 512 + 256 = 512 + 256, or 512 + 256 = 256 + 256 + 256. In this article we use an RB433UAH under the following conditions:
  1. Ether1 and Ether2 are connected to different ISPs with different bandwidths: ISP1 at 512 kbps and ISP2 at 256 kbps.

  2. We will use the internal web proxy and OpenDNS.

  3. Your MikroTik RouterOS is version 4.5, since the PCC feature has been available since version 3.24.
If the conditions above differ from those of your network, you will have to adapt the configuration described here to your own network.

Basic Configuration

Below are the network topology and IP addresses we will use.




-------------------------------------------------------------------------------------------------
/ip address
add address=192.168.101.2/30 interface=ether1
add address=192.168.102.2/30 interface=ether2
add address=10.10.10.1/24 interface=wlan2
/ip dns
set allow-remote-requests=yes primary-dns=208.67.222.222 secondary-dns=208.67.220.220
-------------------------------------------------------------------------------------------------

For client connections we use the wireless link on wlan2, with a client IP range of 10.10.10.2 to 10.10.10.254 and netmask 255.255.255.0; the address 10.10.10.1 assigned to wlan2 serves as the clients' gateway and DNS server. If you use the DNS of one of your ISPs, there is an additional mangle rule, which we mark in bold. Once the IP and DNS configuration is correct, we must add a default route to each ISP gateway so that the router forwards all traffic for networks not directly connected to it to those gateways. Here we use the check-gateway feature: if one of our gateways goes down, connections are diverted to the other gateway.

-------------------------------------------------------------------------------------------------
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.101.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.102.1 distance=2 check-gateway=ping
-------------------------------------------------------------------------------------------------

To configure the access point so that client PCs can connect to our wireless network, we use the command

-------------------------------------------------------------------------------------------------
/interface wireless set wlan2 mode=ap-bridge band=2.4ghz-b/g ssid=Mikrotik disabled=no
-------------------------------------------------------------------------------------------------
For client PCs to reach the internet, we also have to translate the clients' private IPs to the public IPs on our public interfaces, ether1 and ether2.

-------------------------------------------------------------------------------------------------
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
-------------------------------------------------------------------------------------------------

At this point the router and the client PCs should be able to reach the internet. Ping the internet from both the router and a client PC. If it does not work, check your configuration again.


Internal Web Proxy
Certain RouterBOARDs, such as the RB450G, RB433AH, RB433UAH, RB800 and RB1100, have expansion slots (USB, MicroSD, CompactFlash) for additional storage.

In the following example we use a USB flash drive inserted into the USB slot. When first inserted, the additional storage shows a status of invalid in /system store. To use it as cache storage, it must first be formatted and activated. After that we only need to enable the web proxy and set cache-on-disk=yes so that it uses our storage. Do not forget to redirect HTTP traffic (TCP port 80) into our web proxy.
-------------------------------------------------------------------------------------------------
/store disk format-drive usb1
/store add disk=usb1 name=cache-usb type=web-proxy
/store activate cache-usb
/ip proxy set cache-on-disk=yes enabled=yes max-cache-size=200000KiB port=8080

/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface=wlan2 action=redirect to-ports=8080
-------------------------------------------------------------------------------------------------
Mangle Configuration

In this load balancing setup we use the feature called PCC (Per Connection Classifier).
  • With PCC we can divide the connections that pass through, enter or leave the router into several groups.
  • The grouping can be based on src-address, dst-address, src-port and/or dst-port.
  • The router remembers which gateway the first packets of a connection took, so that subsequent packets belonging to the same connection are sent through the same gateway.
This advantage of PCC answers the many complaints about connections frequently dropping, caused by switching gateways, with the load balancing techniques that existed before PCC.

Before creating the load balancing mangle rules, and to prevent routing loops, all client traffic destined for networks directly connected to the router must be bypassed from load balancing. We can create a list of the IP networks the router belongs to and install the first mangle rules as follows
-------------------------------------------------------------------------------------------------
/ip firewall address-list
add address=192.168.101.0/30 list=lokal
add address=192.168.102.0/30 list=lokal
add address=10.10.10.0/24 list=lokal

/ip firewall mangle
add action=accept chain=prerouting dst-address-list=lokal in-interface=wlan2 comment="trafik lokal"
add action=accept chain=output dst-address-list=lokal
-------------------------------------------------------------------------------------------------

In certain cases the first traffic of a connection comes from the Internet, for example a remote Winbox or telnet session from the internet, so we also need mark-connection rules to mark that traffic so that the return traffic leaves through the interface it came in on

-------------------------------------------------------------------------------------------------
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=con-from-isp1 passthrough=yes comment="trafik dari isp1"
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=con-from-isp2 passthrough=yes comment="trafik dari isp2"
-------------------------------------------------------------------------------------------------
Usually an ISP restricts access to its DNS servers to IPs it knows, so if you use the DNS of one of your ISPs you have to add mangle rules so that DNS traffic goes through that ISP's gateway and not the other ISP's. Here we give the mangle rules for ISP1's DNS via ISP1's gateway. If you use an independent public DNS such as OpenDNS, you do not need the mangle rules below.

-------------------------------------------------------------------------------------------------
/ip firewall mangle
add action=mark-connection chain=output dst-address=202.65.112.21 dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp comment="trafik DNS citra.net.id"
add action=mark-connection chain=output dst-address=202.65.112.21 dst-port=53 new-connection-mark=dns passthrough=yes protocol=udp
add action=mark-routing chain=output connection-mark=dns new-routing-mark=route-to-isp1 passthrough=no
-------------------------------------------------------------------------------------------------

Since we use a web proxy on the router, there are 2 kinds of traffic we need to load balance:

  • The first is traffic from clients to the internet (non-HTTP), and traffic from the web proxy to the internet. To keep things structured and readable we use custom chains as follows:
-------------------------------------------------------------------------------------------------
/ip firewall mangle
add action=jump chain=prerouting comment="lompat ke client-lb" connection-mark=no-mark in-interface=wlan2 jump-target=client-lb
add action=jump chain=output comment="lompat ke lb-proxy" connection-mark=no-mark out-interface=!wlan2 jump-target=lb-proxy
-------------------------------------------------------------------------------------------------

In the mangle rules above, for client load balancing make sure the in-interface parameter is the interface connected to the clients, and for web proxy load balancing we use the output chain with an out-interface parameter that is not the interface connected to the clients. Once the custom chains for load balancing exist, we can create the mangle rules in those custom chains as follows:
-------------------------------------------------------------------------------------------------
/ip firewall mangle
add action=mark-connection chain=client-lb dst-address-type=!local new-connection-mark=to-isp1 passthrough=yes per-connection-classifier=both-addresses:3/0 comment="awal loadbalancing klien"
add action=mark-connection chain=client-lb dst-address-type=!local new-connection-mark=to-isp1 passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=client-lb dst-address-type=!local new-connection-mark=to-isp2 passthrough=yes per-connection-classifier=both-addresses:3/2
add action=return chain=client-lb comment="akhir dari loadbalancing"

/ip firewall mangle
add action=mark-connection chain=lb-proxy dst-address-type=!local new-connection-mark=con-from-isp1 passthrough=yes per-connection-classifier=both-addresses:3/0 comment="awal load balancing proxy"
add action=mark-connection chain=lb-proxy dst-address-type=!local new-connection-mark=con-from-isp1 passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=lb-proxy dst-address-type=!local new-connection-mark=con-from-isp2 passthrough=yes per-connection-classifier=both-addresses:3/2
add action=return chain=lb-proxy comment="akhir dari loadbalancing"
-------------------------------------------------------------------------------------------------

In the example above, client and web proxy load balancing use the same PCC traffic split parameter, both-addresses, so the router remembers connections by their src-address and dst-address. Because our ISP links differ (512 kbps and 256 kbps), we divide the traffic load into 3 parts: the first 2 parts go through ISP1's gateway and the last part goes through ISP2's gateway.

  • Once the traffic from clients and from the proxy is marked, the next step is to create the mark-routing mangle rules that will be used in the routing process:

-------------------------------------------------------------------------------------------------
/ip firewall mangle
add action=jump chain=prerouting comment="marking route client" connection-mark=!no-mark in-interface=wlan2 jump-target=route-client
add action=mark-routing chain=route-client connection-mark=to-isp1 new-routing-mark=route-to-isp1 passthrough=no
add action=mark-routing chain=route-client connection-mark=to-isp2 new-routing-mark=route-to-isp2 passthrough=no
add action=mark-routing chain=route-client connection-mark=con-from-isp1 new-routing-mark=route-to-isp1 passthrough=no
add action=mark-routing chain=route-client connection-mark=con-from-isp2 new-routing-mark=route-to-isp2 passthrough=no
add action=return chain=route-client disabled=no

/ip firewall mangle
add action=mark-routing chain=output comment="marking route proxy" connection-mark=con-from-isp1 new-routing-mark=route-to-isp1 out-interface=!wlan2 passthrough=no
add action=mark-routing chain=output connection-mark=con-from-isp2 new-routing-mark=route-to-isp2 out-interface=!wlan2 passthrough=no
-------------------------------------------------------------------------------------------------
Routing Configuration

The mangle rules above are useless until you create routes based on the routing marks we created. Here we also create backup routes, so that if one gateway goes down all connections go through the gateway that is still up

-------------------------------------------------------------------------------------------------
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=route-to-isp1 distance=1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-to-isp1 distance=2
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.102.1 routing-mark=route-to-isp2 distance=1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=route-to-isp2 distance=2
-------------------------------------------------------------------------------------------------
Testing

The results of our testing were as follows:

The screenshot shows that with a single file download (1 connection) we only get 56 kBps (448 kbps), because at that moment the connection went through ISP1's gateway, while downloading another file (opening a new connection) from another site gets 30 kBps (240 kbps). From this test we can conclude that:

512kbps + 256kbps ≠ 768kbps

Notes:

  • Load balancing with the PCC technique runs effectively and approaches balance as the number of (client) connections grows.
  • Use ISPs with FIXED rather than shared bandwidth for better results.
  • PCC load balancing is not always and not entirely a guaranteed solution for every kind of network, because the balancing process is based on probability.
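The following Python model is an added example, not code from this article or from RouterOS. It reproduces the behaviour the PCC mangle rules above rely on: a connection is classified once from its src-address and dst-address into one of 3 buckets (3/0 and 3/1 to ISP1, 3/2 to ISP2), the connection-mark then pins every later packet to the same gateway, and a single download therefore never sees more than one link's capacity (512 + 256 ≠ 768) even though the split over many connections approaches 2:1. RouterOS does not document its classifier hash, so SHA-256 stands in for it, and all addresses and ports are constructed sample values.

```python
"""Model of the article's PCC (per-connection-classifier) load balancing.

Added example, not code from the original article or from RouterOS.
RouterOS does not document the exact hash behind per-connection-classifier,
so SHA-256 stands in for it here; the bucketing (3 buckets, two to ISP1,
one to ISP2) and the per-connection stickiness follow the article's mangle
rules. Addresses and ports below are constructed sample values.
"""
import hashlib
from collections import Counter

# Link capacities from the article: ISP1 512 kbps, ISP2 256 kbps.
LINKS_KBPS = {"isp1": 512, "isp2": 256}

# client-lb chain in the article:
#   both-addresses:3/0 -> to-isp1, 3/1 -> to-isp1, 3/2 -> to-isp2
DENOMINATOR = 3
REMAINDER_TO_LINK = {0: "isp1", 1: "isp1", 2: "isp2"}


def pcc_remainder(src, dst, classifier="both-addresses", denominator=DENOMINATOR):
    """Remainder of hash(selected fields) / denominator for one connection.

    src and dst are (address, port) tuples. classifier mirrors the RouterOS
    option names; the hash is a placeholder (RouterOS's own is undocumented).
    """
    fields = {
        "src-address": (src[0],),
        "dst-address": (dst[0],),
        "both-addresses": (src[0], dst[0]),
        "both-addresses-and-ports": (src[0], src[1], dst[0], dst[1]),
    }[classifier]
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator


class PccRouter:
    """Connection tracking plus mark-connection, as the article's mangle does."""

    def __init__(self, classifier="both-addresses"):
        self.classifier = classifier
        self.conn_marks = {}  # (src, dst) -> link, i.e. the connection-mark

    def route(self, src, dst):
        """Link used for a packet of the connection src -> dst.

        Only the first packet (connection-mark=no-mark) is classified; every
        later packet of the same connection reuses the stored mark, which is
        what keeps a connection on one gateway.
        """
        key = (src, dst)
        if key not in self.conn_marks:
            r = pcc_remainder(src, dst, self.classifier)
            self.conn_marks[key] = REMAINDER_TO_LINK[r]
        return self.conn_marks[key]


def single_download_kbps(router, src, dst):
    """Ceiling for one connection: the capacity of the single link it is pinned to.

    This is the article's 512 + 256 != 768 point: no single download uses both.
    """
    return LINKS_KBPS[router.route(src, dst)]


def connection_share(router, n_connections):
    """Fraction of n constructed client connections landing on each link.

    Clients 10.10.10.2-254 open connections to a spread of destinations;
    with many connections the split approaches the 2:1 bucket ratio.
    """
    counts = Counter()
    for i in range(n_connections):
        src = (f"10.10.10.{2 + i % 253}", 40000 + i)              # constructed
        dst = (f"198.51.100.{i % 200}", 80 if i % 2 else 443)    # constructed
        counts[router.route(src, dst)] += 1
    return {link: counts[link] / n_connections for link in LINKS_KBPS}


if __name__ == "__main__":
    r = PccRouter()
    client, site = ("10.10.10.5", 40001), ("203.0.113.10", 80)  # constructed
    print("first packet ->", r.route(client, site))
    print("later packet ->", r.route(client, site))  # same link: sticky
    print("single download ceiling:", single_download_kbps(r, client, site), "kbps")
    print("share over 3000 connections:", connection_share(PccRouter(), 3000))
```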

Thursday, 31 March 2011

Tuesday, 29 March 2011

TUTORIAL: Forwarding a Speedy Public IP

Forwarding the Speedy public IP using an SMC ADSL modem is meant to make it easy for you to remotely access your office computer from wherever you want, provided you have an internet connection. A previous post covered remote access to a PC using the personal (free) version of the TeamViewer remote desktop software, but using it for business is not very ethical, and when used to broadcast to several other computers it expires. This article is a solution for remotely accessing your PC, especially for IT workers who do not have to be on site and can simply configure the ADSL modem, in particular those using Telkom Speedy as their ISP, as follows:

The first step is to log in to your ADSL modem; in this case the modem IP is 192.168.1.1.
Run a browser such as IE, Firefox, Opera, Safari, etc., type http://192.168.1.1 in the address bar, and the following login screen appears:

Image: login adsl

The default login password of the SMC ADSL modem, before you change it, is smcadmin.
After logging in successfully, the following options appear:

Image: advanced

Preferably choose Advanced Setup, after which the following screen appears:
Image: nat adsl

Choose NAT and then click Virtual Server; the IP address list appears as follows:
Image: ip list

In the first row enter the IP of the computer you want to access remotely, in this case 192.168.1.10; for Protocol Type choose TCP; for LAN Port and Public Port enter 22, because the port to be reached is the SSH port; then tick Enable and click Add to save.

In the second row enter the same IP, but with LAN Port and Public Port set to 80, for remote access to web-based applications,

and in the third row enter the IP 192.168.1.11, which is the MikroTik's IP, with LAN Port and Public Port set to 8291 so that your MikroTik can be managed remotely through Winbox.

For any other applications you want to reach remotely, fill in the following rows, as many as you need.

Then, to find out your Speedy public IP, check whatismyip.com; the following appears:

Image: Public IP
IP 125.167.20.73 is the Speedy public IP you will connect to from another location; test remote access to your PC from another place, provided it is connected to the internet. Note that the public IP forwarding setup above is for an SMC brand modem; other modem brands have different menus and configuration, but the principle is the same.


http://www.kotainternet.com/forward-ip-publik-speedy-menggunakan-modem-adsl-smc.html