#######################################################
NTH Concept and Application for Load Balancing on MikroTik
#######################################################

I N T R O
---------

O-----------------------------------------------------------------------------------
nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received
by the rule. One of 16 available counters can be used to count packets
  Every   - match every Every+1th packet. For example, if Every=1 then the rule
            matches every 2nd packet
  Counter - specifies which counter to use. A counter increments each time the
            rule containing nth match matches
  Packet  - match on the given packet number. The value by obvious reasons must
            be between 0 and Every. If this option is used for a given counter,
            then there must be at least Every+1 rules with this option, covering
            all values between 0 and Every inclusively.
O-----------------------------------------------------------------------------------

nth has 3 parts, call them A, B, C:
  A = every
  B = counter
  C = packet

After reading the manual above again and again and again, to this day I still
don't understand those three parts.

If you use 2 lines for load balancing, some people write:
  every 1 counter 1 packet 0  <-- line 1
  every 1 counter 1 packet 1  <-- line 2
and others write:
  1,2,0 - 1,2,1

My Understanding of Nth:

Basically, the connections that enter the router for processing become a single
stream, even though they come from different interfaces. (well, this one is
debatable) When we want to apply the Nth method, we naturally also restrict the
router to process only connections from a particular source (e.g. from local
IPs). Once the router has built a new 'queue' of sorts for the restriction we
gave it above, only then does the Nth process begin.

#Every
The Every number is the number of groups you want to produce. So if we want to
split the existing flow of connections into 4 groups, which will later be load
balanced across the 4 available connections, then Every = 4. However, after I
compared the MikroTik manual with the explanation of the Nth implementation on
Linux, there is a difference here. On MikroTik, the Every number has to be
reduced by 1, so following the example above we have to enter Every = 3. This
is probably because the Nth process on MikroTik applies Every+1 (see the manual)
when classifying connections. So, my provisional conclusion: if we want to split
into 4 groups, then:
  - On Linux, Every = 4
  - On MikroTik, Every = 3

#Counter
The Counter number can be 0-15. It selects which counter we are going to use.
MikroTik has 16 counters available, the same as the implementation on Linux.
After a discussion with bro D3V4, it turns out the choice of counter does have
an effect. So, provisional conclusion: on MikroTik the counter should preferably
be set to every+1.

#Packet
Now we reach the last parameter, and this one is quite decisive. If we want to
make 4 groups, we naturally have to make 4 mangle rules. In those rules the
Every and Counter numbers must be the same, but the packet number must change.
For 4 groups, the packet numbers for the 4 rules are 0, 1, 2 and 3. The number
runs from 0 ... (n-1). The Packet number works the same on Linux and MikroTik.

Example
Let's take Nth for 4 connections as an example. The Nth values for each rule on
MikroTik are then (the counter used is 4):
  Rule 1 = 3,4,0
  Rule 2 = 3,4,1
  Rule 3 = 3,4,2
  Rule 4 = 3,4,3

T H E O R Y
-----------

TCP connections: 3-way handshake
  1. connection establishment
  2. data transfer
  3. connection termination
with the following stages:
  1. LISTEN
  2. SYN-SENT
  3. SYN-RECEIVED
  4. ESTABLISHED
  5. FIN-WAIT-1
  6. FIN-WAIT-2
  7. CLOSE-WAIT
  8. CLOSING
  9. LAST-ACK
  10. TIME-WAIT
  11. CLOSED

If my theory is right (CMIIW again), the mangle process cuts in at number 4,
i.e. the connection is not closed yet but a new request is already being made
(new connection state). In other words: the connection is still open and is
already requesting through the other gateway... so all the Speedy lines we have
are open and in use. So even though the detected IP is Speedy 1, the load is
still split across as many Nth as we have.. ROUND ROBIN!

CONFIGURATION EXAMPLE I
-----------------------

For a connection with an ADSL modem there are 2 options:
  - Set the modem as a bridge, so the router is the PPPoE client
  - Set the modem as PPPoE, so the router just has to match the modem's local IP

Topology

     ISP1/wlan2              ISP2/wlan1
    10.111.0.1/24           10.112.0.1/24
          |                       |
          |                       |
           \                     /
            \                   /
             \                 /
       10.111.0.2/24 ===== 10.112.0.2/24
                     ==|==
                       |
                     Local

Configuration export from the gateway router:
########################################################################################
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
    new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
    new-routing-mark=odd passthrough=no
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
    new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
    new-routing-mark=even passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=odd address-list-timeout=1d connection-mark=odd \
    passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
    to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
    to-ports=0-65535
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
########################################################################################

### Explanation
First we give a code snippet and then explain what it actually does.

~IP Addresses
The router has two upstream (WAN) interfaces with the addresses 10.111.0.2/24 and
10.112.0.2/24. The LAN interface is named "Local" and has the IP address
192.168.0.1/24.
----------------------------------------------------------------------------------------
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1
----------------------------------------------------------------------------------------

~Mangle
All traffic from customers whose IP address was previously placed in the address
list "odd" is immediately marked with the connection and routing marks "odd".
Afterwards the traffic is excluded from processing by the successive mangle rules
in the prerouting chain (passthrough=no on the mark-routing rule).
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=odd in-interface=Local action=mark-connection \
    new-connection-mark=odd passthrough=yes
add chain=prerouting src-address-list=odd in-interface=Local action=mark-routing \
    new-routing-mark=odd passthrough=no
----------------------------------------------------------------------------------------

The same as above, only for customers whose IP address was previously placed in
the address list "even".
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting src-address-list=even in-interface=Local action=mark-connection \
    new-connection-mark=even passthrough=yes
add chain=prerouting src-address-list=even in-interface=Local action=mark-routing \
    new-routing-mark=even passthrough=no
----------------------------------------------------------------------------------------

First we take every second packet that establishes a new session (note
connection-state=new) and mark it with the connection mark "odd". Consequently all
successive packets belonging to the same session will carry the connection mark
"odd". Note that we are passing these packets on to the second and third rules
(passthrough=yes). The second rule adds the client's IP address to the address
list so that all of its successive sessions go through the same gateway. The
third rule places the routing mark "odd" on all packets that belong to an "odd"
connection and stops processing all other mangle rules in the prerouting chain
for these packets.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=odd address-list-timeout=1d connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
    new-routing-mark=odd passthrough=no
----------------------------------------------------------------------------------------

These rules do the same for the remaining half of the traffic as the first three
rules do for the first half. Taken together, the rules above mean that each new
connection initiated through the router from the local network is marked either
"odd" or "even", with both a routing mark and a connection mark. Because the two
nth rules share counter 1 and only the first packet of a connection
(connection-state=new) is counted, the split is per connection, not per packet.
----------------------------------------------------------------------------------------
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local action=add-src-to-address-list \
    address-list=even address-list-timeout=1d connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
    new-routing-mark=even passthrough=no
----------------------------------------------------------------------------------------

The above works fine. There are however some situations where you might find the
same IP address listed under both the ODD and the EVEN src-address-list. This
causes issues with applications that require persistent connections (the
connection's source NAT address and its outgoing gateway no longer agree). A
simple remedy is to change the even-side nth rule in your mangle rules to:
----------------------------------------------------------------------------------------
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    src-address-list=!odd action=mark-connection new-connection-mark=even \
    passthrough=yes
----------------------------------------------------------------------------------------
This ensures that a new connection cannot be marked "even" while its source is
already part of the ODD src-address-list. Do the same for the ODD nth rule
(src-address-list=!even), excluding IPs that are already part of the EVEN
src-address-list.

~NAT
All traffic marked "odd" is NATted to the source IP address 10.111.0.2, while
traffic marked "even" gets 10.112.0.2 as its source IP address. The rules key on
the connection mark, which is why the mark must already be set in prerouting
before the first packet of a connection reaches srcnat.
----------------------------------------------------------------------------------------
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
    to-ports=0-65535
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
    to-ports=0-65535
----------------------------------------------------------------------------------------

~Routing
For all traffic marked "odd" (consequently having 10.111.0.2 as its translated
source address) we use the 10.111.0.1 gateway. In the same manner all traffic
marked "even" is routed through the 10.112.0.1 gateway.
----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even
----------------------------------------------------------------------------------------

Finally, we have one additional entry specifying that traffic from the router
itself (traffic without any routing mark) should go to the 10.112.0.1 gateway.
Any LAN packet that leaves the mangle chain without a routing mark takes this
route as well.
----------------------------------------------------------------------------------------
/ ip route
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10
----------------------------------------------------------------------------------------

CONFIGURATION EXAMPLE II (PPPoE on the MT)
------------------------------------------
#######################################################################################
# mar/15/2008 21:38:00 by RouterOS 2.9.XX
# software id = 2XX-RXX
#
/ interface ethernet
set Speedy1 name="Speedy1" mtu=1500 mac-address=00:D0:5E:39:70:5C arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set Speedy2 name="Speedy2" mtu=1500 mac-address=00:D0:5E:39:6F:69 arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set Local name="Local" mtu=1500 mac-address=00:D0:5E:39:6F:BA arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
/ interface pppoe-client
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=Speedy1 \
    user="111xxxx@telkom.net" password="xxxx" profile=default \
    service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
    use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
add name="pppoe-out2" max-mtu=1480 max-mru=1480 interface=Speedy2 \
    user="111xxxxx@telkom.net" password="xxxx" profile=default \
    service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
    use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
/ ip dns
# note: allow-remote-requests=yes makes the router answer DNS queries arriving on
# any interface, the PPPoE links included; this export contains no filter rules
# that restrict it to Local
set primary-dns=203.130.193.74 secondary-dns=202.134.0.155 \
    allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip address   --- ???
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \
    interface=Speedy1 comment="" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 \
    interface=Speedy2 comment="" disabled=no
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \
    interface=Local comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=125.162.80.1 scope=255 target-scope=10 \
    comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.92.1 check-gateway=ping scope=255 \
    target-scope=10 comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local src-address-list=Games \
    action=mark-connection new-connection-mark=Games passthrough=yes \
    comment="Multi ISP" disabled=no
add chain=prerouting in-interface=Local src-address-list=Games \
    action=mark-routing new-routing-mark=Games passthrough=no comment="" \
    disabled=no
add chain=prerouting in-interface=Local src-address-list=Net \
    action=mark-connection new-connection-mark=Net passthrough=yes comment="" \
    disabled=no
add chain=prerouting in-interface=Local src-address-list=Net \
    action=mark-routing new-routing-mark=Net passthrough=no comment="" \
    disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=Games passthrough=yes \
    comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=Games \
    action=add-src-to-address-list address-list=Games address-list-timeout=1d \
    comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=Games \
    action=mark-routing new-routing-mark=Games passthrough=no comment="" \
    disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
    action=mark-connection new-connection-mark=Net passthrough=yes comment="" \
    disabled=no
add chain=prerouting in-interface=Local connection-mark=Net \
    action=add-src-to-address-list address-list=Net address-list-timeout=1d \
    comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=Net \
    action=mark-routing new-routing-mark=Net passthrough=no comment="" \
    disabled=no
###
add chain=prerouting protocol=tcp src-port=1-1000 dst-port=1-1000 \
    action=mark-connection new-connection-mark=spnet_conn passthrough=yes \
    comment="Routing Per Port Net" disabled=no
add chain=prerouting protocol=udp dst-port=1-1000 action=mark-connection \
    new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
    new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3128 action=mark-connection \
    new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5050-5060 action=mark-connection \
    new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5060 action=mark-connection \
    new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection \
    new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=6660-7000 action=mark-connection \
    new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=spnet_conn action=mark-packet \
    new-packet-mark=spnet passthrough=no comment="" disabled=no
####
add chain=prerouting protocol=tcp dst-port=1001-3127 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="Routing Per Port \
    games" disabled=no
add chain=prerouting protocol=udp dst-port=1001-3127 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-5049 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3129-5049 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5061-6659 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5061-6659 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-8079 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=7001-8079 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8081-65535 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=8081-65535 action=mark-connection \
    new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=spgames_conn action=mark-packet \
    new-packet-mark=spgames passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=dstnat dst-address=64.4.0.0/18 action=accept comment="" disabled=no
add chain=srcnat out-interface=pppoe-out1 packet-mark=!spgames \
    connection-mark=!spgames_conn dst-address-list=!Games action=masquerade \
    comment="NAT CLIENT" disabled=no
add chain=srcnat out-interface=pppoe-out2 packet-mark=!spnet \
    connection-mark=!spnet_conn dst-address-list=!Net action=masquerade \
    comment="" disabled=no
######################################################################################

FAIL OVER SCRIPT
----------------
Isn't failover nicer to play with in the netwatch tool, for example with a
script like this:

Code:
-------------------------------------------------------------------------------------
/system script add name=check-gw source={
    :local R1 ""
    :local R2 ""
    # the netwatch entries are looked up by their comment (R1, R2)
    :if ([/tool netwatch get [find comment=R1] status]="up") do={:set R1 "192.168.1.1"}
    :if ([/tool netwatch get [find comment=R2] status]="up") do={:set R2 "203.81.xxx.xxx"}
    # note: find dst-address=0.0.0.0/0 matches every default route, including any
    # that carries a routing-mark; narrow the find (e.g. by comment) before relying on it
    /ip route set [/ip route find dst-address=0.0.0.0/0] gateway=($R1 . "," . $R2)
}
/tool netwatch add comment=R1 host=192.168.1.1 interval=5s up-script=check-gw \
    down-script=check-gw
/tool netwatch add comment=R2 host=203.81.xxx.xxx interval=5s up-script=check-gw \
    down-script=check-gw
---------------------------------------------------------------------------------------

CASE STUDY
----------
using 5 Speedy lines

case 1, Nth = 4,5,n-1
  when one modem was unplugged the connection went haywire... lots of lag
  time.... then... unplugged one more modem....... it got worse.... the
  connection was wrecked.. lots of "connection time out" messages showed up

case 2, Nth = 4,0,n-1
  unplug 1 modem ........... still no problem....
  unplug the 2nd modem, only then did a few websites need to be refreshed......
  unplug the 3rd modem ..... it starts falling apart.........

it seems nTh (n,0,n-1) can serve as failover, provided only 1 connection is
down. and judging by the responsiveness of the load distribution, it is much
faster with counter 0 (n,0,n-1) than with (n,n,n-1)

Issues:
  - Same gateway
  - DNS priority
  - Which NTH fits?
  - Firewall NAT: choose between action masquerade and src-nat?

edited by baratev
Compiled from:
  - www.forummikrotik.com ([a], d3v4, akangage, et al.)
  - wiki.mikrotik.com
22:21 27/04/2008
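The nth arithmetic argued over in the INTRO section and the odd/even chain of CONFIGURATION EXAMPLE I, simulated in Python. This is an added example written for this page; it is not code from the forum, from the wiki or from MikroTik. The matcher is modelled exactly as the manual text quoted in the INTRO describes it: sixteen counters shared between rules, a counter that advances only when a rule using it matches, and a wrap after every+1 matches. The order in which nth is evaluated relative to the other matchers, the ignored address-list timeouts and the 192.168.0.x host addresses are assumptions. It shows the page's 4-link rule set (3,4,0 .. 3,4,3) rotating, what happens when the Linux value every=4 is entered on MikroTik instead, the address-list stickiness of the 2-way config, and the src-address-list=!odd guard from the wiki's remedy.

```python
"""RouterOS 2.9 'nth' round-robin marking, simulated (added example, not from the page)."""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                  # mark-connection | mark-routing | add-src-to-address-list
    mark: str                    # the new mark, or the address-list name for add-src
    passthrough: bool = True
    new_only: bool = False       # connection-state=new
    conn_mark: str = None        # connection-mark=...
    src_list: str = None         # src-address-list=...
    not_src_list: str = None     # src-address-list=!...
    nth: tuple = None            # (every, counter, packet), the RouterOS 2.9 form


class Router:
    def __init__(self, rules):
        self.rules, self.counters = rules, [0] * 16          # 16 shared nth counters
        self.conn_marks, self.lists, self.seen = {}, {}, set()

    def nth_matches(self, every, counter, packet):
        # As the manual text in the INTRO describes it: the counter moves only when a
        # rule using it matches, 'packet' runs 0..every, so it wraps after every+1 matches.
        if self.counters[counter] != packet:
            return False
        self.counters[counter] = 0 if packet == every else packet + 1
        return True

    def rule_matches(self, r, src, conn, new):
        if r.new_only and not new:
            return False
        if r.conn_mark is not None and self.conn_marks.get(conn) != r.conn_mark:
            return False
        if r.src_list is not None and src not in self.lists.get(r.src_list, set()):
            return False
        if r.not_src_list is not None and src in self.lists.get(r.not_src_list, set()):
            return False
        # Assumption: nth is tested after the other matchers, so only packets that
        # already passed connection-state=new advance the counter.
        return r.nth is None or self.nth_matches(*r.nth)

    def prerouting(self, src, conn):
        """Run one packet through the chain; return its routing mark (None = unmarked)."""
        new, routing = conn not in self.seen, None
        self.seen.add(conn)
        for r in self.rules:
            if not self.rule_matches(r, src, conn, new):
                continue
            if r.action == "mark-connection":
                self.conn_marks[conn] = r.mark
            elif r.action == "mark-routing":
                routing = r.mark
            else:                                  # add-src-to-address-list, timeout ignored
                self.lists.setdefault(r.mark, set()).add(src)
            if not r.passthrough:
                break
        return routing


def balance_chain(marks, every, counter, guard=False):
    """The odd/even rule set of CONFIGURATION EXAMPLE I, generalised to len(marks) links.
    guard=True adds the wiki's src-address-list=!<other> remedy (two links only)."""
    rules = []
    for m in marks:                       # sticky part: listed hosts keep their link
        rules += [Rule("mark-connection", m, src_list=m),
                  Rule("mark-routing", m, src_list=m, passthrough=False)]
    for slot, m in enumerate(marks):      # round-robin part for hosts in no list yet
        other = next(x for x in marks if x != m) if guard and len(marks) == 2 else None
        rules += [Rule("mark-connection", m, new_only=True, nth=(every, counter, slot),
                       not_src_list=other),
                  Rule("add-src-to-address-list", m, conn_mark=m),
                  Rule("mark-routing", m, conn_mark=m, passthrough=False)]
    return rules


def distribute(every, slots, n_conns, counter=4):
    """Routing marks handed to n_conns new connections from distinct (constructed) hosts."""
    rtr = Router(balance_chain([f"link{i}" for i in range(slots)], every, counter))
    return [rtr.prerouting(f"192.168.0.{10 + i}", f"c{i}") for i in range(n_conns)]


def sticky_demo():
    """Two-way split as in the wiki config: first connections, then a second round."""
    hosts = [f"192.168.0.{i}" for i in (10, 11, 12, 13)]
    rtr = Router(balance_chain(["odd", "even"], every=1, counter=1))
    first = [rtr.prerouting(h, h + "-c1") for h in hosts]
    again = [rtr.prerouting(h, h + "-c2") for h in hosts]
    return first, again, rtr.lists


def guard_demo():
    """Can the even-side nth rule grab a host that is already listed under 'odd'?"""
    out = {}
    for guard in (False, True):
        rtr = Router(balance_chain(["odd", "even"], 1, 1, guard))
        rtr.lists["odd"], rtr.counters[1] = {"192.168.0.10"}, 1   # counter on the even slot
        even_nth = next(r for r in rtr.rules if r.nth and r.mark == "even")
        out["guarded" if guard else "unguarded"] = rtr.rule_matches(even_nth, "192.168.0.10", "x", True)
    return out


if __name__ == "__main__":
    print(distribute(3, 4, 8), distribute(4, 4, 8), sticky_demo(), guard_demo(), sep="\n")
```

With every=3 and four rules the marks rotate link0..link3 indefinitely; with every=4 and the same four rules the counter reaches slot 4, no rule claims it, and under this model every later connection falls through unmarked onto the plain default route, which is what the manual's "at least Every+1 rules covering 0..Every" warns about. The guard check only confirms the remedy's stated effect (an odd-listed host is refused by the guarded even rule), since the page does not say how a host ends up in both lists.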