Quick Start for Impatient

Configuration export from the gateway router:

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1

/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
    new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
    new-routing-mark=odd passthrough=no
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
    new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
    new-routing-mark=even passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=2,1 \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=2,2 \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no

/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10

Explanation

First we give a code snippet and then explain what it actually does.

IP Addresses

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1

The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name "Local" and IP address of 192.168.0.1/24.

Mangle

/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
    new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
    new-routing-mark=odd passthrough=no

All traffic from customers whose IP address was previously placed in the address list "odd" is instantly marked with the connection and routing marks "odd". Afterwards the traffic is excluded from processing against successive mangle rules in the prerouting chain.

/ ip firewall mangle
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
    new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
    new-routing-mark=even passthrough=no

Same as above, only for customers whose IP address was previously placed in the address list "even".

/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=2,1 \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no

First we take every second packet that establishes a new session (note connection-state=new), and mark it with the connection mark "odd". Consequently all successive packets belonging to the same session will carry the connection mark "odd". Note that we are passing these packets to the second and third rules (passthrough=yes). The second rule adds the IP address of the client to the address list so that all successive sessions go through the same gateway. The third rule places the routing mark "odd" on all packets that belong to the "odd" connection and stops processing all other mangle rules for these packets in the prerouting chain.

/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=2,2 \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no

These rules do the same for the remaining half of the traffic as the first three rules do for the first half of the traffic.

The code above effectively means that each new connection initiated through the router from the local network will be marked as either "odd" or "even" with both routing and connection marks.

The above works fine. There are, however, some situations where you might find that the same IP address is listed under both the ODD and EVEN src-address-lists. This behavior causes issues with apps that require persistent connections. A simple remedy for this situation is to add the following statement to your mangle rules:

add chain=prerouting in-interface=Local connection-state=new nth=2,2 \
    src-address-list=!odd action=mark-connection new-connection-mark=even \
    passthrough=yes

This will ensure that the new connection is not already part of the ODD src-address-list. You will have to do the same for the ODD mangle rule, thus excluding IPs that are already part of the EVEN src-address-list.

NAT

/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade

Fix the source address according to the outgoing interface.

Routing

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even

For all traffic marked "odd" (consequently having 10.111.0.2 translated source address) we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed through the 10.112.0.1 gateway.

/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10

Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) should go to 10.112.0.1 gateway.


Summary

Load balancing using Nth can be done in several different ways. This approach focuses on performance, meaning fewer rules for each packet to traverse and fewer rule attributes to check. In most states a packet will pass N rules, where N is the number of connections you are trying to load balance using this example. This example is easy to expand from 2 connections to the number you require, but the consequences are: more connections, more rules a packet has to traverse, a larger load on the router, and larger latency.

In this example N = 2.

NOTE: This example assumes you have an empty mangle. After the rules have been processed, the packet is accepted by the rule with routing-mark.

Fast forward

For the impatient:

/ip address add address=10.0.0.1/24 interface=first-Out
/ip address add address=10.0.1.1/24 interface=second-Out
/ip address add address=172.16.0.1/24 interface=ether3-Local
/ip address add address=172.16.1.1/24 interface=ether4-Local

/ip firewall address-list add address=172.16.0.0/24 list=local
/ip firewall address-list add address=172.16.1.0/24 list=local

/ip route add gateway=10.0.0.2
/ip route add gateway=10.0.0.2 routing-mark=first
/ip route add gateway=10.0.1.2 routing-mark=second

/ip firewall nat add chain=srcnat out-interface=first-Out action=masquerade
/ip firewall nat add chain=srcnat out-interface=second-Out action=masquerade

/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,2
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain="mark new unseen" disabled=no
/ip firewall mangle add action=jump chain="mark new unseen" disabled=no jump-target="mark connection"

/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second

/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark connection" src-address-list=local
/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark new unseen" src-address-list=local

Detailed explanation

Adding ip addresses to interfaces

I am assuming I have 2 outgoing WAN and 2 local LAN interfaces. I assume that the addresses on the WAN interfaces are public (not in this example).

/ip address add address=10.0.0.1/24 interface=first-Out
/ip address add address=10.0.1.1/24 interface=second-Out
/ip address add address=172.16.0.1/24 interface=ether3-Local
/ip address add address=172.16.1.1/24 interface=ether4-Local

Creating address list of possible local addresses

We will need this list in our configuration, so that only traffic from local interfaces is marked with routing marks. You can also use in-interface if there is just one incoming LAN interface on the router.

/ip firewall address-list add address=172.16.0.0/24 list=local
/ip firewall address-list add address=172.16.1.0/24 list=local

Adding routes

A default route for unmarked traffic, and 2 routes for marked traffic.

NOTE: connections to the router will only work to the 10.0.0.1 address. Connections to the other WAN address will always fail; that is configurable, but it is out of the scope of this document.

/ip route add gateway=10.0.0.2
/ip route add gateway=10.0.0.2 routing-mark=first
/ip route add gateway=10.0.1.2 routing-mark=second

Masquerade rules

So that our local addresses can access internet addresses.

/ip firewall nat add chain=srcnat out-interface=first-Out action=masquerade
/ip firewall nat add chain=srcnat out-interface=second-Out action=masquerade

Mangle rules

Section A

These 4 rules add addresses to address lists. As a result, all currently active internal addresses are divided between the dynamic address lists first and second, which are routed through the corresponding gateways. When that is done, the address is, for simplicity, added to one more address list, seen, so we know that we have seen this address and do not have to check it more than once. When everything is done we jump to mark connection and set the routing-mark for the packet we are working with. Here we are working only with new packets that we have not seen yet.

After this section finishes, these packets are no different from those matched in Section D, so they are passed to Section B for further processing.

/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain="mark new unseen" disabled=no nth=2,2
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain="mark new unseen" disabled=no
/ip firewall mangle add action=jump chain="mark new unseen" disabled=no jump-target="mark connection"

Section B

The next 4 rules mark the connections of both new packets from hosts we have not seen yet and new packets from seen hosts. First they mark the connection, then they add the routing-mark.

/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no

Section C

The next 2 rules set the routing-mark on packets that already have a connection-mark set. As a result, the majority of packets pass through just these 2 rules.

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second

Section D

This rule catches new-connection packets that come from our "seen" clients, e.g. a client initiating a new HTTP download session (opening a web page). Packets are passed to Section B, where they are marked.

/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark connection" src-address-list=local

Section E

If the client IP address is not in our seen list, the packet is passed to Section A, where the address is added to an address list; after that it is ready to be processed.

/ip firewall mangle add action=jump chain=prerouting connection-state=new disabled=no jump-target="mark new unseen" src-address-list=local

Packet route logic

New packet from unseen address

When the router boots up it has no seen list, and no clients are assigned to gateways; the same applies when a packet is received from a previously unseen client. When the first packet arrives it is checked in Section C; as it does not match there, it is passed on to Section D and then to Section E, where it is finally matched and passed for processing to Section A. In Section A the packet is matched and assigned to one of the 2 address lists (first or second) and then added to the seen address list. After that, the packet is passed to Section B, where its connection is marked; the packet then receives its routing mark and is accepted.

New packet from seen address

The packet is passed through Section C to Section D, where it is matched and passed to Section B, where the connection is marked and the packet is accepted.

Packet from seen address

The packet arrives in Section C, is matched there and is accepted.

How to expand this example to more WANs

To have more WANs you have to add an additional IP address and an additional route with a routing-mark, e.g. third.

Then you have to edit Sections A-C.

Changes in Section A

Here we have to adjust the nth field. Its first value is the packet count we are looking for, which is usually equal to your WAN count. Then add an additional rule as in the example below.

/ip firewall mangle add action=add-src-to-address-list address-list=first address-list-timeout=0s chain="mark new unseen" disabled=no nth=3,1
/ip firewall mangle add action=add-src-to-address-list address-list=second address-list-timeout=0s chain="mark new unseen" disabled=no nth=3,2
/ip firewall mangle add action=add-src-to-address-list address-list=third address-list-timeout=0s chain="mark new unseen" disabled=no nth=3,3
/ip firewall mangle add action=add-src-to-address-list address-list=seen address-list-timeout=0s chain="mark new unseen" disabled=no
/ip firewall mangle add action=jump chain="mark new unseen" disabled=no jump-target="mark connection"

Changes in Section B

Here we have to add 2 new rules: one to mark connections whose source address is in the third address list, and one to set the routing mark corresponding to that connection mark.

/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=first_conn passthrough=yes src-address-list=first
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=second_conn passthrough=yes src-address-list=second
/ip firewall mangle add action=mark-connection chain="mark connection" disabled=no new-connection-mark=third_conn passthrough=yes src-address-list=third
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no
/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no

Changes in Section C

Here we have to add a rule just like the one in Section B, only with the chain changed to prerouting, as for all other rules in this section.

/ip firewall mangle add action=mark-routing chain="mark connection" connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=first_conn disabled=no new-routing-mark=first passthrough=no src-address-list=first
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=second_conn disabled=no new-routing-mark=second passthrough=no src-address-list=second
/ip firewall mangle add action=mark-routing chain="prerouting" connection-mark=third_conn disabled=no new-routing-mark=third passthrough=no

Example: nth = Every, Counter, Packet. nth=2,3,0 nth=2,3,1 nth=2,3,2 divides all packets into groups of three (2+1). Packets are numbered from 0 to 2, so the sequence of packets the rules match looks like: (0 1 2) (0 1 2) (0 1 2) (0 1 2) (0 1 2) ...

The first rule matches the first packet in each group ("Packet" = 0). The second rule matches the second packet in each group ("Packet" = 1), and so on. Each successful match increments the counter. When the "Every" value is reached, the counter resets to 0. For this to work, "Counter" must be the same for all rules (you can choose a value from 0 to 15, IIRC).

Manual: NTH in RouterOS 3.x

In v3.0 there is a slightly different implementation of NTH. It has only two parameters, 'every' and 'packet'.

How it works in v3.0

Each rule has its own counter. When a rule receives a packet, the counter for that rule is incremented by one. If the counter matches the value of 'every', the packet is matched and the counter is set to zero.

If passthrough is not set then packets will be marked as follows:

The first rule, nth=2,1, matches every first packet of 2, hence 50% of all the traffic that reaches the rule.

The second rule, if passthrough=no, will match ONLY 25% of the traffic, because in 3.0 you need only one rule to catch traffic, unlike in 2.9.

Example

Now it is possible to match 50% of all traffic with only one rule:

/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=2,1;

If more than one rule is needed, then there are two ways to match packets:

The first rule sees all packets and matches 1/3 of them, the second rule sees 2/3 of the packets and matches 1/2 of those, and the third rule sees and matches all packets that passed through the first two rules (1/3 of all packets).

/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=3,1 passthrough=no;
add action=mark-packet chain=prerouting new-packet-mark=BBB nth=2,1 passthrough=no;
add action=mark-packet chain=prerouting new-packet-mark=CCC ;

All rules can see all packets and each rule matches every 3rd packet.

/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=3,1 passthrough=yes;
add action=mark-packet chain=prerouting new-packet-mark=BBB nth=3,2 passthrough=yes;
add action=mark-packet chain=prerouting new-packet-mark=CCC nth=3,3 passthrough=yes;
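The per-rule counter behaviour described above can be checked with a small simulation, which also shows why a naive nth=2,1 / nth=2,2 pair with passthrough=no leaves a quarter of the packets unmarked. This is an added example, not part of the original manual; the Rule class and run() function are hypothetical names, and the counter model (count every packet that reaches the rule, match when the count equals 'packet', reset at 'every') is an assumption based on the description above.

```python
"""Model of v3.0-style Nth matching: every rule keeps its own packet counter."""
from collections import Counter


class Rule:
    """One mangle rule: optional nth=every,packet matcher, a mark, passthrough."""

    def __init__(self, mark, nth=None, passthrough=True):
        self.mark = mark
        self.nth = nth                # (every, packet), or None to match everything
        self.passthrough = passthrough
        self.counter = 0              # per-rule counter (assumed model, see lead-in)

    def matches(self):
        """Called once for each packet that actually reaches this rule."""
        if self.nth is None:
            return True
        every, packet = self.nth
        self.counter += 1
        hit = self.counter == packet
        if self.counter == every:     # end of the group: start counting again
            self.counter = 0
        return hit


def run(rules, packets):
    """Push `packets` packets through the rule list; return {mark: count}."""
    totals = Counter()
    for _ in range(packets):
        mark = None
        for rule in rules:
            if rule.matches():
                mark = rule.mark      # a later match overwrites an earlier mark
                if not rule.passthrough:
                    break             # passthrough=no: later rules never see it
        totals[mark or "unmarked"] += 1
    return dict(totals)


def cascade(packets):
    """nth=3,1 then nth=2,1 then catch-all, all with passthrough=no."""
    return run([Rule("AAA", (3, 1), passthrough=False),
                Rule("BBB", (2, 1), passthrough=False),
                Rule("CCC", None, passthrough=False)], packets)


def parallel(packets):
    """nth=3,1 / 3,2 / 3,3 with passthrough=yes: every rule sees every packet."""
    return run([Rule("AAA", (3, 1)),
                Rule("BBB", (3, 2)),
                Rule("CCC", (3, 3))], packets)


def naive_pair(packets):
    """nth=2,1 / nth=2,2 with passthrough=no: the second rule sees only half."""
    return run([Rule("first", (2, 1), passthrough=False),
                Rule("second", (2, 2), passthrough=False)], packets)


if __name__ == "__main__":
    for name, fn in (("cascade", cascade), ("parallel", parallel),
                     ("naive pair", naive_pair)):
        print(f"{name:10s} {fn(600)}")
```

Under this model both layouts from the manual give an even three-way split, while the naive pair gives 50% / 25% and leaves 25% of packets to follow the unmarked default route.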
