Per-Traffic Load Balancing: Functions of Routeros Used
Now for a quick explanation of why there can be issues depending on the traffic type. Some websites and programs
do not play well with multiple requests arriving from different IP addresses; this is the reason ECMP has so many
problems. I will provide a simple solution for the rare conditions where load-balancing cannot be completed.
Again using the above as an example, let's explain where and why issues can arise.
SSL - The beauty of a website is that it is made up of separate requests for different data, i.e. loading pictures from
3 different sources means a request to each respective server. The result is that if we have a website that uses both
SSL and HTTP traffic, in most cases the website will just answer each request without caring about the originating
IP address. However, and this is a special case, if the website/program developer checks where the requests
originate and finds that the IPs are different, they may not successfully answer those requests (this can be by design
or by accident). I had 2 cases of this; in both cases it was secured medical websites that were using it as a method of
protecting their data.
P2P and Unknown - I am addressing these together because the issue is one and the same. RouterOS doesn't identify
P2P based on any single condition, but instead analyzes the packets. This means RouterOS needs time to watch the
data before it realizes that it is in fact P2P traffic, so RouterOS doesn't know the data is P2P until AFTER the
connection is made. This is important because the only way to send data out a specific internet connection is to
know what that traffic is BEFORE the connection is made. As with P2P traffic, unknown traffic is just that: unknown.
By marking the unknown traffic, though, you can control which internet connection is used for both P2P and the
left-over unknown traffic (very useful!).
Assuming that the IPs, default routes, and DNS settings are already in place, the following allows users to get
internet access.
/ ip firewall address-list
add list="Allowed-Internet" address=172.18.1.0/24 comment="" disabled=no
/ ip firewall address-list
add list="WAN-01" address=172.18.1.24/32 comment="" disabled=no
add list="WAN-02" address=172.18.1.76/32 comment="" disabled=no
Clients should now be able to browse the internet; however, only one internet connection would be used (the current
default route in RouterOS).
/ ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark="HTTP traffic" passthrough=no dst-port=80 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SSL traffic" passthrough=no dst-port=443 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="POP3 traffic" passthrough=no dst-port=110 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SMTP traffic" passthrough=no dst-port=25 protocol=tcp comment="" disabled=no
The first two lines provide a method of marking certain clients to bypass the load-balancing and use only a specific
internet connection for all of their traffic.
The next lines then mark traffic based on the dst-port. Notice that we are not passing through (passthrough=no), and
notice that we are marking all traffic, even traffic that is not known, so that a different internet connection can
always be specified for the Unknown and P2P traffic instead of using the router's default route. I also mark P2P
separately, even though it must go out the same internet connection as Unknown traffic.
I do this for a couple of reasons: one is that I can easily stop all of that traffic by simply disabling a route, and the
other is that in my RouterOS configuration I use a lot of QoS, and it's very easy to remember how everything is
configured if the QoS mirrors the load-balancing.
So now that we are marking traffic for their respective routes, we next have to add those actual routes.
Step 4 - Using the routing functions of RouterOS to force traffic out to certain internet connections
The following are the RouterOS commands necessary to provide routes for the marked HTTP, SSL, POP3, SMTP,
P2P, and Unknown traffic:
/ ip route
The first two lines provide the routes necessary to give the clients that are not being load-balanced by traffic type
the correct gateway to the internet. The remaining lines are the routes necessary to provide the appropriate gateway
based on traffic type.
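Pulling the marking and routing steps together, here is one complete way to build the setup the tutorial describes. This is an added example, not the tutorial's own export; the WAN gateways (10.0.1.1, 10.0.2.1), interface names (ether1-WAN1, ether2-WAN2) and the NAT rules are assumptions, and the p2p matcher is RouterOS v3-v6 syntax.

```routeros
# Added example (not the tutorial's own export). Assumed placeholders: WAN1 gateway 10.0.1.1
# on ether1-WAN1, WAN2 gateway 10.0.2.1 on ether2-WAN2; RouterOS v3-v6 syntax (the p2p
# matcher used below was removed in RouterOS v7).
/ip firewall mangle
# Bypass: hosts listed in WAN-01 / WAN-02 keep one link for all traffic. These rules go first,
# with passthrough=no, so the per-traffic rules below never see their packets.
add chain=prerouting src-address-list=WAN-01 action=mark-routing new-routing-mark="WAN-01 only" passthrough=no
add chain=prerouting src-address-list=WAN-02 action=mark-routing new-routing-mark="WAN-02 only" passthrough=no
# Per-traffic marks on dst-port: decided on the first packet, before the connection exists.
add chain=prerouting src-address-list=Allowed-Internet protocol=tcp dst-port=80 action=mark-routing new-routing-mark="HTTP traffic" passthrough=no
add chain=prerouting src-address-list=Allowed-Internet protocol=tcp dst-port=443 action=mark-routing new-routing-mark="SSL traffic" passthrough=no
add chain=prerouting src-address-list=Allowed-Internet protocol=tcp dst-port=110 action=mark-routing new-routing-mark="POP3 traffic" passthrough=no
add chain=prerouting src-address-list=Allowed-Internet protocol=tcp dst-port=25 action=mark-routing new-routing-mark="SMTP traffic" passthrough=no
# P2P is only recognised after the connection is up, so it gets its own mark (easy to disable,
# easy to mirror in QoS) but is routed out the same link as Unknown below.
add chain=prerouting src-address-list=Allowed-Internet p2p=all-p2p action=mark-routing new-routing-mark="P2P traffic" passthrough=no
# Catch-all: anything still unmarked is Unknown and gets an explicit mark instead of silently
# following the router's default route.
add chain=prerouting src-address-list=Allowed-Internet action=mark-routing new-routing-mark="Unknown traffic" passthrough=no

/ip firewall nat
# Source NAT per WAN link (assumed interface names) so replies come back on the link that sent them.
add chain=srcnat out-interface=ether1-WAN1 action=masquerade
add chain=srcnat out-interface=ether2-WAN2 action=masquerade

/ip route
# Bypassed clients
add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark="WAN-01 only" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark="WAN-02 only" check-gateway=ping
# Per traffic type. HTTP and SSL share a link so a site that compares the source address of its
# HTTP and HTTPS requests sees one address; mail, P2P and Unknown go out the other link.
add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark="HTTP traffic" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark="SSL traffic" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark="POP3 traffic" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark="SMTP traffic" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark="P2P traffic" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark="Unknown traffic" check-gateway=ping
# Unmarked traffic (e.g. the router's own) still uses the plain default route.
add dst-address=0.0.0.0/0 gateway=10.0.1.1 distance=1
```

Rule order matters: the bypass rules must sit above the per-traffic rules, and the Unknown catch-all must be last, otherwise a later rule never gets a chance to run.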
Conclusion
What you have done is very powerful, and this tutorial provides just the tip of the iceberg, so to say. The traffic
types I have listed here are only a small number of the total and you may want to add many others (i.e. DNS,
Terminal Services, ICMP, etc.). This can be used in a great many different ways, be it in a small office environment
(separating your email usage from your browsing) or a large wireless ISP (for load-balancing). Some tips and final
thoughts:
1. Think through what you want to achieve before you start.
2. Pay attention to the type of traffic on each line (is it incoming intensive or outgoing intensive?).
3. Finally, experiment; there is nothing better than finding better, faster, and more intelligent ways to improve your
services with little capital cost.