Mikrotik, 3 providers, traffic switching and sharing
Write this post I was moved by this question habrahabr.ru/qa/38801
Those who are interested in please under the cat.
And so it is given:
Port 1 - Provider 1
Port 2 - Provider 2
Port 3 - Provider 3 (Backup)
4 port - Network 1 192.168.101.0
Port 5 - Network 2 192.168.102.0
Question:
From here it is a little unclear what to do if the first provider fails, to drive traffic from the 4th port to the second provider or immediately to the third one.
Suppose that the third provider considers traffic in our country and therefore it will be our last.
And so here are our interfaces
Further, our IP addresses
Finally, our routing table
Explanations are needed here, for each provider we have created a default route with route marking.
I need the first route in order to configure MikroTik itself.
Actually that's all. Our MikroTik is ready for further fine-tuning.
In the next step, we will configure the responsiveness of MikroTik from all providers.
')
Our task is to make it so that MikroTik can be reached through all three providers.
To do this, we have to catch incoming connections and mark connections, the following rule is for the labeled connection to make the return connection to the provider from which the connection came.
I'll try to decipher humanly
Rule 0
If the packet that came to the first interface (ISP 1) in the destination address contains the IP address 172.25.25.247 (ISP 1), then we mark the connection with the name (ISP 1 -> Input)
Rule 1
If the outgoing packet belongs to the connection with marking (ISP 1 -> Input), then for it we use the route ISP 1
Thus, the router knows that if it (ping or any incoming traffic) from the ISP 1 provider, then the answer will be returned via the ISP 1 provider
Picture to fix. And understanding.
Great now we can go to MikroTik through any provider.
It’s time for each office to get traffic from the fourth port. But beforehand, we will prudently prepare one small but subtle nuance, since we will use prerouting then the traffic before the “Hit” in the routing table must be filtered out.
It is necessary to create address sheets with networks that should not be marked.
I usually call it LocalNet and this time we will do the same.
And so we created the local network lists, now proceed to the routing of traffic.
Before the packet leaves the router: if the sender's address is on the network 192.168.101.0/24 and the destination address is not listed in the sheets, then mark the route with the name office 1
Quite simply, this is all traffic that belongs to office 1 and does not go to our other local subnets.
Next we need to create three routes for office traffic 1
A little clarification of check-gateway is the procedure for automatically checking the availability of the gateway, since I have this L2 connection, in my case arp is better than ping, if you have L3 (pptp etc) then set ping.
You also need to pay attention to the distance just for it, the router determines, with the same destination address, which routes priority.
And now the final part of our “Marlezonsky ballet”.
Since chek-gateway only checks the availability of the gateway, we are absolutely not satisfied with this.
Our task is to determine whether a live channel on the Internet is through each provider and, depending on the living creatures, enable and disable routes.
In this case, we have two networks.
office1 ISP1-> ISP2-> ISP3
office2 ISP2-> ISP1-ISP3
As you can see, the end result will be ISP3 in any case; naturally, we don’t have to check the ISP3 channel.
And so before we need to set the date and time on MikroTik. I hope you do it without my help.
We will use the MikroTik functionality. Netwatch
Create two rules.
Netwacth works as a trigger.
If the state has changed, then the script specified in the current trigger value is executed.
In our case, if the ping to 8.8.8.8 fails, then the status changes to down and the ISP1-DOWN script is executed, as soon as the value is up, the ISP1-UP script is executed
Let's write scripts for our events.
ISP1-UP
In my case, I’m looking like this, someone determines by comments to the routes.
But so far I have only met once where the distance of more than 10 was actually used.
ISP1-DOWN
In order for our entire netwatch to work fully, we need to add two routes that traffic will send to 8.8.8.8 via ISP1, and traffic to 8.8.4.4 via ISP2
Actually everything.
Those who are interested in please under the cat.
And so it is given:
Port 1 - Provider 1
Port 2 - Provider 2
Port 3 - Provider 3 (Backup)
4 port - Network 1 192.168.101.0
Port 5 - Network 2 192.168.102.0
Question:
- On the 4th port network, with its DHCP server on MikroTik, they should go to the Internet through provider 1.
- On port 5 there is also a separate network with its own DHCP server and they must go to the Internet through provider 2.
- 3 provider is obtained as a backup, if 1 or 2 fails, MikroTik should switch the Internet to it, and then return everything to the place when the channel is restored.
From here it is a little unclear what to do if the first provider fails, to drive traffic from the 4th port to the second provider or immediately to the third one.
Suppose that the third provider considers traffic in our country and therefore it will be our last.
And so here are our interfaces
Further, our IP addresses
Finally, our routing table
Explanations are needed here, for each provider we have created a default route with route marking.
I need the first route in order to configure MikroTik itself.
Actually that's all. Our MikroTik is ready for further fine-tuning.
In the next step, we will configure the responsiveness of MikroTik from all providers.
')
To begin with we will adjust a masquerade for all three interfaces.
[admin@kirilka] /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="ISP 1" [admin@kirilka] /ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade comment="ISP 2" [admin@kirilka] /ip firewall nat add chain=srcnat out-interface=ether3 action=masquerade comment="ISP 3" Now probably the most interesting Mangle
Our task is to make it so that MikroTik can be reached through all three providers.
To do this, we have to catch incoming connections and mark connections, the following rule is for the labeled connection to make the return connection to the provider from which the connection came.
[admin@kirilka] /ip firewall mangle> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=input action=mark-connection new-connection-mark=ISP 1 -> Input passthrough=no dst-address=172.25.25.247 in-interface=ether1 1 chain=output action=mark-routing new-routing-mark=ISP 1 passthrough=no connection-mark=ISP 1 -> Input 2 chain=input action=mark-connection new-connection-mark=ISP 2 -> Input passthrough=no dst-address=192.168.99.2 in-interface=ether2 3 chain=output action=mark-routing new-routing-mark=ISP 2 passthrough=no connection-mark=ISP 2 -> Input 4 chain=input action=mark-connection new-connection-mark=ISP 3 -> Input passthrough=no dst-address=192.168.100.2 in-interface=ether3 5 chain=output action=mark-routing new-routing-mark=ISP 3 passthrough=no connection-mark=ISP 3 -> Input I'll try to decipher humanly
Rule 0
If the packet that came to the first interface (ISP 1) in the destination address contains the IP address 172.25.25.247 (ISP 1), then we mark the connection with the name (ISP 1 -> Input)
Rule 1
If the outgoing packet belongs to the connection with marking (ISP 1 -> Input), then for it we use the route ISP 1
Thus, the router knows that if it (ping or any incoming traffic) from the ISP 1 provider, then the answer will be returned via the ISP 1 provider
Picture to fix. And understanding.
Great now we can go to MikroTik through any provider.
It’s time for each office to get traffic from the fourth port. But beforehand, we will prudently prepare one small but subtle nuance, since we will use prerouting then the traffic before the “Hit” in the routing table must be filtered out.
It is necessary to create address sheets with networks that should not be marked.
I usually call it LocalNet and this time we will do the same.
[admin@kirilka] /ip firewall address-list> print Flags: X - disabled, D - dynamic # LIST ADDRESS 0 LocalNet 192.168.101.0/24 1 LocalNet 192.168.102.0/24 And so we created the local network lists, now proceed to the routing of traffic.
6 chain=prerouting action=mark-routing new-routing-mark=office 1 passthrough=no src-address=192.168.101.0/24 dst-address-list=!LocalNet Before the packet leaves the router: if the sender's address is on the network 192.168.101.0/24 and the destination address is not listed in the sheets, then mark the route with the name office 1
Quite simply, this is all traffic that belongs to office 1 and does not go to our other local subnets.
Next we need to create three routes for office traffic 1
dst-address=0.0.0.0/0 gateway=172.25.25.1 check-gateway=arp distance=10 routing-mark=office 1 dst-address=0.0.0.0/0 gateway=192.168.99.1 check-gateway=arp distance=11 routing-mark=office 1 dst-address=0.0.0.0/0 gateway=192.168.100.1 check-gateway=arp distance=12 routing-mark=office 1 A little clarification of check-gateway is the procedure for automatically checking the availability of the gateway, since I have this L2 connection, in my case arp is better than ping, if you have L3 (pptp etc) then set ping.
You also need to pay attention to the distance just for it, the router determines, with the same destination address, which routes priority.
And now the final part of our “Marlezonsky ballet”.
Since chek-gateway only checks the availability of the gateway, we are absolutely not satisfied with this.
Our task is to determine whether a live channel on the Internet is through each provider and, depending on the living creatures, enable and disable routes.
In this case, we have two networks.
office1 ISP1-> ISP2-> ISP3
office2 ISP2-> ISP1-ISP3
As you can see, the end result will be ISP3 in any case; naturally, we don’t have to check the ISP3 channel.
And so before we need to set the date and time on MikroTik. I hope you do it without my help.
Retreat: there are many different scripts on the Internet, but most of them execute a script at a given time interval that changes the distance values ​​in the routes. We are not satisfied with this option as in MikroTik there is a NAND memory and it has its own recording limit. We will save it. Of course, it was possible to edit the script and make a check, but this is not our method. )
We will use the MikroTik functionality. Netwatch
Create two rules.
[admin@kirilka] /tool netwatch> print detail Flags: X - disabled 0 host=8.8.8.8 timeout=1s interval=1m status=up up-script=ISP1-UP down-script=ISP1-DOWN 1 host=8.8.4.4 timeout=1s interval=1m status=up up-script=ISP2-UP down-script=ISP2-DOWN Netwacth works as a trigger.
If the state has changed, then the script specified in the current trigger value is executed.
In our case, if the ping to 8.8.8.8 fails, then the status changes to down and the ISP1-DOWN script is executed, as soon as the value is up, the ISP1-UP script is executed
Let's write scripts for our events.
ISP1-UP
/ip route enable [find dst-address=0.0.0.0/0 and gateway=172.25.25.1 and distance >= 10]; In my case, I’m looking like this, someone determines by comments to the routes.
But so far I have only met once where the distance of more than 10 was actually used.
ISP1-DOWN
/ip route disable [find dst-address=0.0.0.0/0 and gateway=172.25.25.1 and distance >= 10]; In order for our entire netwatch to work fully, we need to add two routes that traffic will send to 8.8.8.8 via ISP1, and traffic to 8.8.4.4 via ISP2
[admin@kirilka] > ip route add dst-address=8.8.8.8 gateway=172.25.25.1 [admin@kirilka] > ip route add dst-address=8.8.4.4 gateway=192.168.99.1 Actually everything.
Leftovers
Mangle:
Route:
Script:
[admin@kirilka] > ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=input action=mark-connection new-connection-mark=ISP 1 -> Input passthrough=no dst-address=172.25.25.247 in-interface=ether1 1 chain=output action=mark-routing new-routing-mark=ISP 1 passthrough=no connection-mark=ISP 1 -> Input 2 chain=input action=mark-connection new-connection-mark=ISP 2 -> Input passthrough=no dst-address=192.168.99.2 in-interface=ether2 3 chain=output action=mark-routing new-routing-mark=ISP 2 passthrough=no connection-mark=ISP 2 -> Input 4 chain=input action=mark-connection new-connection-mark=ISP 3 -> Input passthrough=no dst-address=192.168.100.2 in-interface=ether3 5 chain=output action=mark-routing new-routing-mark=ISP 3 passthrough=no connection-mark=ISP 3 -> Input 6 chain=prerouting action=mark-routing new-routing-mark=office 1 passthrough=no src-address=192.168.101.0/24 dst-address-list=!LocalNet 7 chain=prerouting action=mark-routing new-routing-mark=office 2 passthrough=no src-address=192.168.102.0/24 dst-address-list=!LocalNet Route:
[admin@kirilka] > ip route print detail Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 0 AS dst-address=0.0.0.0/0 gateway=172.25.25.1 gateway-status=172.25.25.1 reachable via ether1 distance=1 scope=30 target-scope=10 routing-mark=ISP 1 1 AS dst-address=0.0.0.0/0 gateway=192.168.99.1 gateway-status=192.168.99.1 reachable via ether2 distance=1 scope=30 target-scope=10 routing-mark=ISP 2 2 AS dst-address=0.0.0.0/0 gateway=192.168.100.1 gateway-status=192.168.100.1 reachable via ether3 distance=1 scope=3> target-scope=10 routing-mark=ISP 3 3 AS dst-address=0.0.0.0/0 gateway=172.25.25.1 gateway-status=172.25.25.1 reachable via ether1 check-gateway=arp distance=10 scope=30 target-scope=10 routing-mark=office 1 4 S dst-address=0.0.0.0/0 gateway=192.168.99.1 gateway-status=192.168.99.1 reachable via ether2 check-gateway=arp distance=11 scope=30 target-scope=10 routing-mark=office 1 5 S dst-address=0.0.0.0/0 gateway=192.168.100.1 gateway-status=192.168.100.1 reachable via ether3 check-gateway=arp distance=12 scope=30 target-scope=10 routing-mark=office 1 6 AS dst-address=0.0.0.0/0 gateway=192.168.99.1 gateway-status=192.168.99.1 reachable via ether2 check-gateway=arp distance=10 scope=30 target-scope=10 routing-mark=office 2 7 S dst-address=0.0.0.0/0 gateway=172.25.25.1 gateway-status=172.25.25.1 reachable via ether1 check-gateway=arp distance=11 scope=30 target-scope=10 routing-mark=office 2 8 S dst-address=0.0.0.0/0 gateway=192.168.100.1 gateway-status=192.168.100.1 reachable via ether3 check-gateway=arp distance=12 scope=30 target-scope=10 routing-mark=office 2 9 AS dst-address=0.0.0.0/0 gateway=172.25.25.1 gateway-status=172.25.25.1 reachable via ether1 distance=1 scope=30 target-scope=10 10 AS ;;; Netwatch ->ISP2 dst-address=8.8.4.4/32 gateway=192.168.99.1 gateway-status=192.168.99.1 reachable via ether2 distance=1 scope=30 target-scope=10 11 AS ;;; Netwatch ->ISP1 dst-address=8.8.8.8/32 gateway=172.25.25.1 gateway-status=172.25.25.1 reachable via ether1 distance=1 scope=30 target-scope=10 12 ADC dst-address=172.25.25.0/24 pref-src=172.25.25.247 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10 13 ADC dst-address=192.168.99.0/24 pref-src=192.168.99.2 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10 14 ADC dst-address=192.168.100.0/24 pref-src=192.168.100.2 gateway=ether3 gateway-status=ether3 reachable distance=0 scope=10 15 ADC dst-address=192.168.101.0/24 pref-src=192.168.101.1 gateway=ether4 gateway-status=ether4 reachable distance=0 scope=10 16 ADC dst-address=192.168.102.0/24 pref-src=192.168.102.1 gateway=ether5 gateway-status=ether5 reachable distance=0 scope=10 Script:
[admin@kirilka] /system script> print Flags: I - invalid 0 name="ISP1-UP" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api last-started=jul/11/2013 05:07:34 run-count=9 source=/ip route enable [find dst-address=0.0.0.0/0 and gateway=172.25.25.1 and distance >= 10]; 1 name="ISP1-DOWN" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api last-started=jul/11/2013 04:47:03 run-count=2 source=/ip route disable [find dst-address=0.0.0.0/0 and gateway=172.25.25.1 and distance >= 10]; 2 name="ISP2-UP" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api last-started=jul/11/2013 05:08:01 run-count=1 source=/ip route enable [find dst-address=0.0.0.0/0 and gateway=192.168.99.1 and distance >= 10]; 3 name="ISP2-DOWN" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api last-started=jul/11/2013 05:07:36 run-count=1 source=/ip route disable [find dst-address=0.0.0.0/0 and gateway=192.168.99.1 and distance >= 10]; Source: https://habr.com/ru/post/186284/
All Articles