Tools Setup
Last updated
Basic configuration of all routers
Set up a failover with backup paths
Set up VRRP
Set up a bandwidth limit on a specific LAN and device
Set up PCC load balancing with the two Internet providers
For this we will be guided by the following topology.
The ISP routers would normally not need to be touched, since the IP addresses would be assigned by our Internet provider, but as this is a virtualized lab we will briefly explain the basic configuration we give them.
We will only define that each one has three interfaces: one leading to the Internet, which will have a dynamic IP, and two leading to the routers of our company, where we will assign a static /30 address.
Let's start by defining the ISP interfaces and where each one goes.
We continue by giving a dynamic IP to the WAN interface; as always, go to IP → DHCP Client and define the client for the WAN.
Now we address the other two interfaces, which go to the two routers in the company. These IPs will be static, so we do not create a DHCP server; they will be /30 addresses.
We define the DNS servers and tick the Allow Remote Requests box.
Finally we create the masquerade rule in NAT.
All these steps are carried out on both ISP routers, taking care not to give the same static addresses to the links toward the company's routers. For example:
The following IPs have been configured on ISP1:
192.168.1.1/30 → Master Router
192.168.3.1/30 → Slave Router
And on ISP2 the following IPs have been configured:
192.168.2.1/30 → Master Router
192.168.4.1/30 → Slave Router
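The ISP1 router steps above in CLI form, as an added example that is not part of the original page. It assumes the interface names ether1 (WAN), ether2 (link to the Master Router) and ether3 (link to the Slave Router), uses public resolvers as example DNS servers (the page names none), and uses RouterOS v6 syntax; the /30 addresses are the ones listed above for ISP1.

```routeros
# Added example (not from the original page): CLI equivalent of the ISP1 router steps.
# Assumptions: ether1 = WAN, ether2 = link to Master Router, ether3 = link to Slave Router.
/system identity set name=ISP1

# WAN gets its address dynamically from the upstream provider
/ip dhcp-client add interface=ether1 disabled=no

# Static /30 point-to-point links toward the company's two routers (values from the page)
/ip address add address=192.168.1.1/30 interface=ether2 comment="to Master Router"
/ip address add address=192.168.3.1/30 interface=ether3 comment="to Slave Router"

# Upstream resolvers (example values); allow-remote-requests lets the company routers
# use this box as their DNS server
/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes

# allow-remote-requests also answers queries arriving on the WAN side, so drop DNS from
# the Internet to avoid running an open resolver (hardening step not in the page's list)
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

# Masquerade everything that leaves through the WAN
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

For ISP2 the same script is repeated with the identity ISP2 and the addresses 192.168.2.1/30 and 192.168.4.1/30 on ether2 and ether3 respectively.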
A good practice when working with several routers is to give each one a name or identifier so they can be told apart. To do this, go to the left menu, System → Identity; in this window we can give the router a name that defines it.
As always, the first thing we do is the basic configuration of the router: defining the interfaces, the addressing of each interface, DNS and the DHCP service, although in this case the DHCP service will not be necessary.
For this reason, we only leave the images showing the configuration of both routers; the procedure is the same on the other router, where only the IPs of the interfaces change.
Interfaces
IPs
DNS
NAT: as we have two WANs, we must create two NAT rules, one for each WAN
IPs
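The basic configuration of the Master Router in CLI form, as an added example that is not part of the original page. The page only shows images, so the interface names ether1-ISP1, ether2-ISP2, ether6-LAN and ether7-LAN2, the router-side ends of the /30 links (192.168.1.2 and 192.168.2.2) and the LAN addresses 192.168.10.1/24 and 192.168.20.1/24 are assumptions; the ISP routers are used as DNS servers because they were configured with Allow Remote Requests. RouterOS v6 syntax.

```routeros
# Added example (not from the original page): Master Router basic configuration.
# Assumed interface names: ether1-ISP1, ether2-ISP2 (WANs), ether6-LAN, ether7-LAN2 (LANs).
/system identity set name=Master

# Router-side ends of the /30 links to ISP1 and ISP2 (assumed .2 of each /30)
/ip address add address=192.168.1.2/30 interface=ether1-ISP1 comment="WAN via ISP1"
/ip address add address=192.168.2.2/30 interface=ether2-ISP2 comment="WAN via ISP2"
# LAN addressing (assumed; the VRRP virtual gateways .10.10 and .20.20 are added later)
/ip address add address=192.168.10.1/24 interface=ether6-LAN
/ip address add address=192.168.20.1/24 interface=ether7-LAN2

# Resolve through the ISP routers, which accept remote requests
/ip dns set servers=192.168.1.1,192.168.2.1 allow-remote-requests=yes

# Two masquerade rules, one per WAN: matching on out-interface means each flow is
# translated to the address of the link it really leaves through, whichever ISP is active
/ip firewall nat add chain=srcnat out-interface=ether1-ISP1 action=masquerade comment="NAT ISP1"
/ip firewall nat add chain=srcnat out-interface=ether2-ISP2 action=masquerade comment="NAT ISP2"

# allow-remote-requests also listens on the WAN links; only the LANs should be able to ask
/ip firewall filter add chain=input in-interface=ether1-ISP1 protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=ether2-ISP2 protocol=udp dst-port=53 action=drop
```

On the Slave Router the same script is used with the identity Slave, the link addresses 192.168.3.2/30 and 192.168.4.2/30, LAN addresses 192.168.10.2/24 and 192.168.20.2/24, and DNS servers 192.168.3.1 and 192.168.4.1.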
Now we configure the failover on both company routers. The idea is that when the connection to one of the ISPs is lost, the router sends its traffic through the other one, defining which ISP is the primary and which the secondary; therefore both routers have two WAN interfaces, one per ISP. To do this, go to the left menu IP → Routes and add a new route with the (+) symbol. In this window we define:
Dst. Address 0.0.0.0/0 (all IPs)
Gateway 192.168.1.1
Check Gateway: ping (the router validates by pinging the gateway that it is up and reachable)
Distance 1 (with 1 we define the primary route)
The rest can be left at the default.
Once this route is created, we create the next one with the following parameters:
Dst. Address 0.0.0.0/0 (all IPs)
Gateway 192.168.2.1
Check Gateway: ping (the router validates by pinging the gateway that it is up and reachable)
Distance 2 (with 2 we define the secondary or backup route)
As we can see, the only difference from the previous route is that we have defined the other gateway, corresponding to the other ISP; it will be the secondary or backup route, defined with Distance 2.
In both images we can see that the first route, defined with Distance 1, is shown in black and has the flags AS on the left, for A → active and S → static. The route defined with Distance 2 is shown in blue and carries only the S → static flag, which indicates that the blue route is on standby and will be activated when the first one goes down; this will be seen in the checks section.
With this, when there is any problem with ISP1, our router, on pinging its gateway and getting no response, will ping the gateway of the backup route and, if it responds, send the traffic through it. We therefore do not lose the Internet connection, only a brief interruption.
This same process has to be done on the other router of the company, where only the IPs of the gateways change when creating both routes.
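The two failover routes above in CLI form, as an added example that is not part of the original page. The gateways and distances are the ones from the text; the recursive variant at the end goes beyond the page and uses 1.1.1.1 as an assumed remote probe address. RouterOS v6 syntax.

```routeros
# Added example (not from the original page): distance-based failover on the Master Router.
# Lowest distance wins while its gateway answers ping; when check-gateway marks it
# unreachable the route becomes inactive and the distance-2 route takes over.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping comment="primary via ISP1"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping comment="backup via ISP2"

# Verify: the active route carries the flags AS, the standby one only S
/ip route print where dst-address=0.0.0.0/0

# Caveat: check-gateway=ping only tests the next hop. If the ISP router is up but its own
# uplink is down, the /30 still answers and no failover happens. A recursive route probes
# a remote address instead (assumed probe 1.1.1.1; not in the page's steps):
/ip route add dst-address=1.1.1.1/32 gateway=192.168.1.1 scope=10 comment="probe via ISP1"
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 check-gateway=ping target-scope=10 comment="primary via ISP1 (recursive)"
```

On the Slave Router the same two routes are created with gateways 192.168.3.1 (distance 1) and 192.168.4.1 (distance 2). If the recursive form is used, replace the plain distance-1 route rather than keeping both.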
We will use this protocol on those LANs that are not too large and whose IPs are static. This is because, when an IP is dynamic and there are two routers providing the DHCP service, as soon as one goes down the computer simply asks DHCP for an address again and changes its IP and gateway itself; with a static IP this does not happen.
For this reason, what the VRRP protocol does is create a virtual router; the IP we define on that virtual router must be the same on both routers, and it will be the gateway we use on our devices with static IPs. This way, when there is any problem with one of the routers, VRRP detects it and switches to the backup router, ensuring that the client computer does not lose Internet access.
The first thing we have to do is go to the VRRP tab within the Interface List window and click the (+) symbol to create one. In the window that appears, in the General tab we only define the name we want our VRRP to have; then we go to the VRRP tab, where we configure the following:
Interface Ethernet6-LAN (this defines on which interface our VRRP will run, in this case the LAN)
VRID 10 (the identifier of our VRRP; it is important that this number matches the VRRP we create on the backup router, otherwise VRRP will not work)
Priority 100 (the priority defines who will be master and who backup; the one with the higher number is the master)
The rest of the parameters can be left at the default.
As in this network example we have two static networks, we create another VRRP, where we only have to modify the name, the interface, which will now be LAN2, and the VRID, to 20 for example, leaving it as in the following image.
Once both VRRPs are created we can see how they look in the Interfaces section.
The flags RM on the left stand for R → running and M → master. They appear once both routers are configured.
The next step is to give an IP to both VRRPs; as always, go to the left menu IP → Address and click (+). In the window we select one of the VRRPs created and give it an IP within the range of its network, with the caveat that it must end in /32.
We do the same for the other VRRP, defining an IP that belongs to its network, since each VRRP we created is for a different LAN.
As we did with the master router, the first thing is to create the VRRP for each LAN, where the only things we change are the interface and the priority, keeping the same VRID, leaving both routers as shown in the following images.
Once both VRRPs have been created, in the Interfaces section we can see them with the flag B on the left, for B → backup.
The next step is to give the IP to both VRRPs, where their IPs must match the ones used on the master router, as follows.
Once created, they appear in red because they are in standby; when the master fails they take over, changing to black because they have been activated.
Once both routers have been configured with their respective VRRPs, it only remains to set a fixed IP on our client computers with the gateway corresponding to the LAN they belong to. So on a LAN device we set the gateway 192.168.10.10, and on those belonging to LAN 2 we set the gateway 192.168.20.20.
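The VRRP pair for both LANs in CLI form, as an added example that is not part of the original page. The VRIDs 10 and 20, the master priority 100 and the virtual gateway addresses 192.168.10.10 and 192.168.20.20 come from the text; the physical interface names ether6-LAN and ether7-LAN2, the backup priority 50 and the requirement that each physical interface already holds its own address in the same subnet are assumptions. RouterOS v6 syntax.

```routeros
# Added example (not from the original page): VRRP for LAN (VRID 10) and LAN2 (VRID 20).
# Assumes ether6-LAN / ether7-LAN2 already carry the routers' own LAN addresses
# (e.g. 192.168.10.1 on the master, 192.168.10.2 on the slave), as VRRP requires.

# --- Master Router: higher priority wins the election ---
/interface vrrp add name=vrrp-lan  interface=ether6-LAN  vrid=10 priority=100
/interface vrrp add name=vrrp-lan2 interface=ether7-LAN2 vrid=20 priority=100
# Virtual gateway addresses, /32 because the VRRP interface owns only that one IP
/ip address add address=192.168.10.10/32 interface=vrrp-lan
/ip address add address=192.168.20.20/32 interface=vrrp-lan2

# --- Slave Router: same VRIDs and same virtual IPs, lower priority (assumed 50) ---
/interface vrrp add name=vrrp-lan  interface=ether6-LAN  vrid=10 priority=50
/interface vrrp add name=vrrp-lan2 interface=ether7-LAN2 vrid=20 priority=50
/ip address add address=192.168.10.10/32 interface=vrrp-lan
/ip address add address=192.168.20.20/32 interface=vrrp-lan2

# Check the role on each router: flags RM = running + master, B = backup
/interface vrrp print
```

By default the election carries no authentication, so any device on the same segment can take part in it; on RouterOS v6 the VRRP interface accepts authentication=simple or authentication=ah together with a password, set identically on both routers, which limits participation to the routers that know it.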
We will set up the bandwidth limit on LAN 2, for example. From Winbox go to the left menu and select Queues; in the window that appears, select the Simple Queues tab and click the (+) symbol. In the new window, in Name, write a name that identifies the rule. In Target we define to whom the bandwidth is assigned, which can be a specific IP, the CIDR of the network or even an interface. Under Target Upload go to Max Limit and define the upload speed; under Target Download go to Max Limit and define the download speed. Leave the rest at the default, Apply and OK.
To make it more visual, we apply another rule covering the entire LAN 2 network. With this we define the speed limit of LAN2 and, at the same time, the speed limit of each computer within the network.
Keep in mind that these rules are applied like firewall rules: they are evaluated from the first to the last, so the most generic rule must be below, in this case the one for the LAN2 network, and the most specific rule must be above, in this case the one for IP 192.168.20.4, as shown in the image.
If we do not follow this order and leave the most general rule first, the entire LAN2 network gets the indicated speed limit and the other rules, which define the IP of each computer, are never applied.
Note: the colour of the icon changes depending on how much of the allocated bandwidth is used: from 0% to 50% the rule is green, from 50% to 70% yellow, and above 70% red.
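The two simple queues above in CLI form, with the ordering check the text insists on, as an added example that is not part of the original page. The host 192.168.20.4 and the network 192.168.20.0/24 come from the text; the rate values are constructed because the page gives none. RouterOS v6 syntax.

```routeros
# Added example (not from the original page): per-host queue above the per-network queue.
# max-limit is written upload/download; the values are constructed placeholders.
/queue simple
add name=pc-20.4  target=192.168.20.4/32 max-limit=2M/8M   comment="specific host, must be first"
add name=lan2-all target=192.168.20.0/24 max-limit=10M/30M comment="whole LAN2, must be last"

# Queues are matched top to bottom: if the generic lan2-all rule ends up above pc-20.4
# it captures the host's traffic first and the host limit is never applied. This moves the
# host rule to the position of the network rule, so it is evaluated first.
/queue simple move [find name=pc-20.4] [find name=lan2-all]

# Verify the order; the rate columns show live usage per queue
/queue simple print
```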
To carry out the load balancing, we follow the network diagram from the beginning, with the difference that we add a new network, 192.168.30.0/24, which we will call DMZ. The rest stays the same. We start by going to IP → Firewall and then to the Mangle tab, and add a new rule with the (+) symbol. In the new window, in the General tab, we only set Chain to prerouting and in Dst. Address we add the network of one of the WANs that we have. If we have several LAN networks we can restrict the rule with In. Interface; if we only have one, or we want it to apply to all of them, it is not necessary to define it.
Then go to the Action tab, in the Action section select accept, Apply and OK.
We must repeat this rule for each interface that accesses the Internet; that is, if for example we have four Internet providers, we have to create four rules like this one, changing only the Dst. Address section to the CIDR corresponding to each ISP. In our case there will be only two rules, since we have two WAN interfaces.
Our next step is to create rules to mark all connections that come in from the Internet. To do this we create a new rule: in the General tab set Chain to prerouting, in In. Interface select one of the interfaces that give Internet access, and in Connection Mark leave no-mark.
Now go to the Action tab: in Action select mark connection, in New Connection Mark give a name of our choosing that helps identify it, and leave the Passthrough box checked, so that the packet continues on to the next rules we create.
The following rules correspond to each Internet provider and to the interface that leads to the local network we choose. As always, we click (+) to create a new rule; in the General tab select prerouting in Chain, and in In. Interface select the LAN we want, in this case the interface going to the DMZ.
Then go to the Advanced tab and in the Per Connection Classifier section select both addresses; two fields will appear on the right for numbers. The first number is the total number of ISPs connected to our router, and the second is the ISP for which we are creating the rule, always counting from zero. For example, if we have four ISPs connected to the router, we have to create four rules, one per ISP, and the numbers for each rule would be as follows:
4/0
4/1
4/2
4/3
As you can see, the first number does not change because it refers to the total; the one that changes is the second, which tells us to whom the rule is being applied. As it starts counting from 0, with 4 ISPs the count goes from 0 to 3.
Now go to the Extra tab, look for the Dst. Address Type option, in Address Type select local, and tick the Invert box.
Finally go to the Action tab: select mark connection in the Action section, in New Connection Mark select one of the names we defined in the previous rules for each ISP, and leave the Passthrough option checked.
As we always create as many rules as ISPs we have, in this case two, we have to create another rule identical to the previous one, changing only, in the Action tab, the New Connection Mark section to the name we gave to the rule of the other ISP, and, in the Advanced tab, the second number of the Per Connection Classifier (both addresses) to the corresponding one, which in this case will be 1, referring to the second ISP.
The following rules mark the route of all the packets that belong to those connections. In the General tab select the interface that goes to our local network in the In. Interface section, and in the Connection Mark section select one of the names we created when defining the connection marking rule for each ISP.
Then go to the Action tab, select mark routing in the Action section, leave the Passthrough option checked and in the New Routing Mark section give a name that refers to one of the ISPs. Apply and OK.
We create another rule identical to the previous one for the other ISP, changing only the Connection Mark section in the General tab to the name of the rule that refers to the other ISP, and in the Action tab giving another name that identifies the other ISP in the New Routing Mark section.
Now we create further rules, as always one per ISP connected to the router, for the output chain. So in the new rule, in the General tab, select output in the Chain section, and in the Connection Mark section select one of the names defined in the connection marking rules for the ISP; in the next rule we create, only this section changes, selecting the name of the rule for the other ISP.
Go to the Action tab, select mark routing in the Action section, leave Passthrough checked and in the New Routing Mark section select one of the names created when defining the packet routing rules. In the other rules we create, this is the other section that changes, using the other names defined when creating the routing marking rules.
Once all the rules for the two ISPs of this example have been created, it should look like the following image.
The next step is to add the routes to the routing table. Go to IP → Routes and click (+). We create one route per ISP connected to the router. In this window we cover all destination addresses, so in Dst. Address we write 0.0.0.0/0. In Gateway we write the IP of our ISP, in Check Gateway we leave ping, we leave everything else at the default, and what we must modify is the Routing Mark section, where we select one of the names defined in the packet routing marking rules; the name should correspond to the IP of the ISP that we are defining in the route.
With this, all the traffic marked for ISP1 goes out through the gateway we have defined. The next route, for the other ISP, is identical to the previous one, changing only the gateway IP to that of the other ISP and the Routing Mark section, where we select the other name from the other routing marking rule we created.
The routes end up as shown in the image.
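The complete PCC rule set for the two-ISP layout described in the steps above, as an added example that is not part of the original page. The WAN networks 192.168.1.0/30 and 192.168.2.0/30, the gateways 192.168.1.1 and 192.168.2.1 and the DMZ network 192.168.30.0/24 come from the text; the interface names ether1-ISP1, ether2-ISP2 and ether8-DMZ and the mark names ISP1_conn, ISP2_conn, to_ISP1 and to_ISP2 are assumptions. The connection-mark=no-mark condition on the classifier rules is not among the page's steps; it is taken from the MikroTik PCC reference and the comment explains why it matters. RouterOS v6 syntax (v7 replaces routing-mark with routing-table entries created under /routing table).

```routeros
# Added example (not from the original page): PCC load balancing, two ISPs, DMZ as the
# balanced LAN. Assumed names: ether1-ISP1, ether2-ISP2, ether8-DMZ, marks ISP1_conn/ISP2_conn
# (connections) and to_ISP1/to_ISP2 (routing).
/ip firewall mangle
# 1. Traffic addressed to the WAN link networks themselves is left unmarked
add chain=prerouting dst-address=192.168.1.0/30 action=accept comment="ISP1 link net"
add chain=prerouting dst-address=192.168.2.0/30 action=accept comment="ISP2 link net"

# 2. Connections arriving from the Internet are marked by the WAN they came in on
add chain=prerouting in-interface=ether1-ISP1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ether2-ISP2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# 3. New outbound connections from the DMZ are split by PCC: 2 ISPs, remainder 0 and 1.
#    dst-address-type=!local is the "local" + Invert setting from the Extra tab.
#    connection-mark=no-mark (from the MikroTik PCC reference, not in the page's steps)
#    keeps replies to connections already marked in step 2 from being re-classified
#    and possibly sent back out through the wrong ISP.
add chain=prerouting in-interface=ether8-DMZ connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ether8-DMZ connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# 4. Forwarded packets of marked connections get the matching routing mark
add chain=prerouting in-interface=ether8-DMZ connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=yes
add chain=prerouting in-interface=ether8-DMZ connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=yes

# 5. Packets generated by the router itself follow the same marks
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1 passthrough=yes
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2 passthrough=yes

# 6. One default route per routing mark, each through its own ISP gateway
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_ISP1 check-gateway=ping comment="marked via ISP1"
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_ISP2 check-gateway=ping comment="marked via ISP2"

# Check that live connections carry the expected marks
/ip firewall connection print where connection-mark=ISP1_conn
```

This rule set relies on the two out-interface masquerade rules from the basic configuration, so that a flow marked to_ISP1 is also translated to the ISP1-side address, and on the distance 1 and 2 default routes from the failover section: unmarked traffic and, in v6, any marked traffic whose routing-mark route has gone inactive fall back to the main routing table.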