Ecmp Load Balancing Failover With Proxy and DNS

This document is a MikroTik RouterOS configuration for load balancing and failover between two WAN links (wan1 and wan2), with a transparent HTTP proxy on a dedicated interface and the router acting as DNS resolver for the LAN. Connections that arrive on a WAN are marked so that the router's own replies leave through the same link; forwarded traffic uses an ECMP default route, with recursive routes intended to detect an upstream outage that a plain next-hop ping would miss. Packet marks feed a queue tree that is meant to prioritise proxy cache hits over ordinary upstream/downstream traffic. The firewall filter accepts management services (Winbox, Webfig, Telnet, SSH) and DNS on the router from every interface, including both WAN links, and applies a per-host allow-list plus a port filter to forwarded traffic before dropping everything else.

ECMP Load Balancing / Failover with Transparent Proxy and DNS (MikroTik RouterOS)

/interface
# Interfaces are addressed by list position ("set 1", "set 2", ...).  That
# numbering is not stable across devices or RouterOS versions; prefer matching
# on the port's default name, e.g.
#   set [ find default-name=ether1 ] name=wan1
# (substitute the real default-name of each port on your hardware).
set 1 name=wan1
set 2 name=wan2
# Dedicated port for the transparent cache host 172.160.1.2 (see /ip firewall nat).
set 3 name=proxy
set 4 name=lan1
# Unused port; consider disabled=yes so an unexpected cable cannot bring it up.
set 5 name=not-used

/ip address
# Both WAN links sit in private /24s with the upstream side at .1 (the gateways
# used in /ip route); presumably the ISP hands out private space / CPE NAT.
add address=172.16.1.2/24 interface=wan1
add address=172.16.2.2/24 interface=wan2
# WARNING: 172.160.1.0/24 is NOT RFC 1918 space (that block is 172.16.0.0/12,
# i.e. 172.16.0.0-172.31.255.255).  It is publicly routable space that belongs
# to someone else, so genuine hosts in 172.160.1.0/24 become unreachable from
# this network and every "ProxyNET" exemption below exempts a public prefix.
# If you renumber (e.g. 172.16.3.0/24), change it consistently here, in the
# ProxyNET and internet-allowed address lists, the dst-nat redirect and the
# prerouting mangle exemptions.
add address=172.160.1.1/24 interface=proxy
add address=192.168.1.1/24 interface=lan1

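/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN.  The input
# filter must then restrict udp/53 to inside interfaces; with an unrestricted
# "accept dst-port=53" both ISPs can use this box as an open resolver (DNS
# amplification / reflection).
# 172.16.1.1 is the directly connected wan1 next hop; expect resolution to
# degrade while wan1 is down until the public servers are tried.
# max-udp-packet-size=512 refuses EDNS answers larger than 512 bytes (forces TCP
# fallback for big/DNSSEC responses); raise it if you see truncation.
# (The original line was wrapped mid-token by the PDF export; restored here.)
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=172.16.1.1,8.8.8.8,8.8.4.4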

/ip firewall address-list
# LocalNET is defined but not referenced by any rule in this listing.
add address=192.168.1.0/24 comment="" disabled=no list=LocalNET
# ProxyNET: the proxy link.  Used by the dst-nat redirect so traffic addressed
# to the proxy itself is not looped back into the proxy.  Same caveat as in
# /ip address: 172.160.1.0/24 is a public prefix, not RFC 1918.
add address=172.160.1.0/24 comment="" disabled=no list=ProxyNET
/ip firewall nat
# Hide LAN/proxy traffic behind whichever WAN the route selects.  The WAN
# addresses are static (/ip address), so action=src-nat to-addresses=172.16.x.2
# would be equivalent; masquerade is only needed when the interface address can
# change at runtime.
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade

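/ip firewall nat
# Transparent proxy: LAN web traffic on tcp/80 and tcp/8080 is redirected to the
# cache at 172.160.1.2:3128.  Exclusions:
#   dst-address-list=!ProxyNET  traffic to the proxy subnet itself (avoids loops)
#   dst-address=!192.168.1.1    the router's own LAN address -- without this,
#                               Webfig (tcp/80, accepted in /ip firewall filter)
#                               is hijacked to the proxy for every LAN user,
#                               because the dstnat chain also sees packets
#                               addressed to the router.
# Only plain HTTP is intercepted; tcp/443 passes through untouched, which is
# correct unless you deliberately deploy TLS interception.  The proxy's own
# outbound fetches enter on the proxy interface, so in-interface=lan1 never
# matches them.
add action=dst-nat chain=dstnat disabled=no dst-address=!192.168.1.1 dst-address-list=!ProxyNET dst-port=80,8080 in-interface=lan1 protocol=tcp to-addresses=172.160.1.2 to-ports=3128 comment="TRANSPARENT PROXY"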
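/ip firewall mangle
# Cache hits: the proxy is expected to set DSCP 48 on responses it serves from
# cache (confirm in the proxy's config), and the HIT_PROXY queue gives those
# packets priority 1.  DSCP is written by whoever sent the packet, so the match
# is pinned to the proxy's own traffic heading to the LAN.  The original matched
# dscp=48 from any source, including both WANs, so any remote sender could buy
# itself top priority simply by setting the field.
add chain=postrouting action=mark-packet new-packet-mark=cache-hits passthrough=no dscp=48 src-address-list=ProxyNET out-interface=lan1 comment="PROXY HIT"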

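/ip firewall mangle
# Exempt local and inter-subnet traffic from any later prerouting marking so it
# is never pushed into a WAN routing table.
# NOTE: action=accept only ends processing of THIS chain, and every marking rule
# in this listing lives in input, output or forward -- so, as pasted, these
# rules change nothing.  They matter only if prerouting mark-routing rules for
# LAN-originated traffic are added later (the usual PCC/ECMP layout).  If you do
# that, also add the missing proxy -> LAN exemption
# (src-address=172.160.1.0/24 dst-address=192.168.1.0/24), otherwise cache
# replies would be marked while client requests are not.
# 172.160.1.0/24 is a public prefix, not RFC 1918 -- see /ip address.
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=172.160.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.1.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.16.2.0/24
add action=accept chain=prerouting src-address=172.160.1.0/24 dst-address=172.160.1.0/24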
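/ip firewall mangle
# Remember which WAN a connection to the router itself arrived on, so the reply
# can leave through the same link (see the routing-mark routes in /ip route).
# connection-mark=no-mark means only the first rule to match a connection wins.
add action=mark-connection chain=input in-interface=wan1 connection-mark=no-mark new-connection-mark=wan1_conn comment="Mark Connection that are Initiated from Outside"
add action=mark-connection chain=input in-interface=wan2 connection-mark=no-mark new-connection-mark=wan2_conn
# Router-generated packets inherit the routing mark of their connection.
# FIX: the original second rule also matched connection-mark=wan1_conn, so
# (passthrough defaults to yes) every wan1 reply was re-marked wan2_traf and
# sent out wan2 with a wan1 source address; it must match wan2_conn.
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_traf comment="Mark Routing for Router's Replies"
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_traf
# Only the input chain is covered here.  This listing publishes no inbound
# (dst-nat'd) service; if one is added, mark it in chain=prerouting as well so
# the forwarded reply path is also pinned to the arrival link.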
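/ip route
# Unmarked traffic (everything from the LAN and the proxy) is spread over both
# links by ECMP.  check-gateway=ping only tests the directly connected next hop,
# so a link that is up but has lost upstream connectivity keeps receiving
# flows; the recursive routes further down exist for that case.
add dst-address=0.0.0.0/0 gateway=172.16.1.1,172.16.2.1 check-gateway=ping
# Replies to connections that entered on a WAN (wan1_traf / wan2_traf, assigned
# in the mangle output chain) must leave via the same link.  These plain
# per-mark routes and the recursive per-mark routes below are alternatives at
# the same distance; load only one set.
add dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-mark=wan1_traf
add dst-address=0.0.0.0/0 gateway=172.16.2.1 routing-mark=wan2_traf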
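/ip route
# Recursive next-hop check: each link gets one remote "canary" host that is
# only reachable through that link (scope=10 lets the routes below resolve
# over it).  Both are public hosts outside your control that will be pinged
# every check interval; pick targets you are entitled to probe and that reliably
# answer ICMP, or failover decisions hinge on a third party's uptime.
add dst-address=128.199.248.105 gateway=172.16.1.1 scope=10
add dst-address=111.67.16.202 gateway=172.16.2.1 scope=10

/ip route
# Per-mark defaults through the canaries.  check-gateway=ping now fails when
# the canary is unreachable, not merely when the next hop is, so the distance-2
# route takes over.
# FIX: in the original both wan1_traf routes had distance=1 and both wan2_traf
# routes distance=2, which makes RouterOS load-balance each mark across both
# links instead of failing over.  Primary = own link at distance 1, fallback =
# the other link at distance 2.
add distance=1 gateway=128.199.248.105 routing-mark=wan1_traf check-gateway=ping
add distance=2 gateway=111.67.16.202 routing-mark=wan1_traf check-gateway=ping
add distance=1 gateway=111.67.16.202 routing-mark=wan2_traf check-gateway=ping
add distance=2 gateway=128.199.248.105 routing-mark=wan2_traf check-gateway=ping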

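/ip route
# Second recursive layer (an alternative example).  Two more canaries,
# 10.129.30.1 and 10.129.31.1, are reached through the public canaries above,
# and default routes hang off them.  These are RFC 1918 addresses behind public
# next hops -- presumably tunnel endpoints; confirm they are really reachable
# that way before relying on them.
add dst-address=10.129.30.1 gateway=128.199.248.105 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.129.31.1 gateway=111.67.16.202 scope=10 target-scope=10 check-gateway=ping

/ip route
# Per-mark reply routes via the second-layer canaries (the marks are disjoint,
# so the differing distances do not interact with each other).
add distance=1 gateway=10.129.30.1 routing-mark=wan1_traf
add distance=2 gateway=10.129.31.1 routing-mark=wan2_traf

/ip route
# Unmarked primary/backup defaults (NOT ECMP).  The distance-1 route competes
# with the ECMP default route defined earlier; load one or the other.
# FIX: the listing had gateway=10.129.31.2 here, an address no route above
# provides; it is assumed to be a typo for the canary 10.129.31.1.
add distance=1 gateway=10.129.30.1
add distance=2 gateway=10.129.31.1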
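/ip firewall mangle
# Proxy -> LAN deliveries that are not cache hits (dscp=!48) get their
# connection marked proxy-conn; every packet of such a connection is then
# marked proxy-pkt for the PROXYSTEAM queue.  The proxy's own upstream fetch
# for a cache miss is a separate connection and is accounted under the public
# upstream/downstream marks below.  Cache-hit packets (dscp=48) are re-marked
# cache-hits in postrouting, which overrides proxy-pkt.
add action=mark-connection chain=forward in-interface=proxy out-interface=lan1 new-connection-mark=proxy-conn dscp=!48 passthrough=yes comment="DOWNLOAD VIA PROXY"
add action=mark-packet chain=forward connection-mark=proxy-conn new-packet-mark=proxy-pkt passthrough=yes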

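/ip firewall mangle
# Packets entering from either WAN -> dpkt (DOWNSTEAM queue).
# NOTE: there is no connection-mark=no-mark guard and passthrough=yes, so the
# connection mark of every LAN<->WAN flow is rewritten on each packet (dconn
# on the way in, uconn on the way out by the rules that follow).  Tracing the
# rule order, the per-packet marks still end up right because each mark-packet
# rule runs after its own re-mark in the same pass, but it is wasted work; a
# single mark-packet per direction on in-interface/out-interface with
# passthrough=no would do the same with no connection marks at all.
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan1 passthrough=yes comment="PUBLIC DOWNSTEAM"
add action=mark-connection chain=forward new-connection-mark=dconn in-interface=wan2 passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=dconn new-packet-mark=dpkt passthrough=yes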

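/ip firewall mangle
# Packets leaving via either WAN -> upkt (UPSTEAM queue).  Same re-marking
# pattern as the downstream rules: a LAN->WAN packet whose connection was last
# marked dconn is briefly marked dpkt, then re-marked uconn/upkt here; the
# final packet mark is upkt.
add action=mark-connection chain=forward out-interface=wan1 new-connection-mark=uconn passthrough=yes comment="PUBLIC UPSTEAM"
add action=mark-connection chain=forward out-interface=wan2 new-connection-mark=uconn passthrough=yes comment=""
add action=mark-packet chain=forward connection-mark=uconn new-packet-mark=upkt passthrough=yes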
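/queue type
# Per-client fair queuing (PCQ).  pcq-rate=0 means no per-sub-stream cap: these
# only share bandwidth fairly between clients, they do not limit it.
# FIX: the queue tree references sfq_proxy_hit, pcq_upsteam, pcq_downsteam and
# pcq_proxysteam, none of which the original listing defined (RouterOS should
# reject a tree entry whose queue= type does not exist), while the five pcq_*
# types that were defined are referenced nowhere.  The missing types are added
# below; classifier = src-address for upload (one stream per LAN sender) and
# dst-address for download (one per LAN receiver) -- adjust to taste.
add name=pcq_game kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_browsing kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_hardsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_p2ptorrent kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_residual kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=sfq_proxy_hit kind=sfq
add name=pcq_upsteam kind=pcq pcq-rate=0 pcq-classifier=src-address
add name=pcq_downsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_proxysteam kind=pcq pcq-rate=0 pcq-classifier=dst-address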

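/queue tree
# Priority 1 for proxy cache hits, 8 (lowest) for everything else.  Priority is
# only arbitrated between siblings competing for a limited parent; with
# parent=global-out and no max-limit on any entry, nothing here actually
# constrains traffic.  To shape, give these a common parent (or each entry)
# max-limit=<your link rate>.  Every queue= type named here must exist in
# /queue type.
add name=HIT_PROXY parent=global-out packet-mark=cache-hits queue=sfq_proxy_hit priority=1
add name=UPSTEAM parent=global-out queue=pcq_upsteam packet-mark=upkt priority=8
add name=DOWNSTEAM parent=global-out queue=pcq_downsteam packet-mark=dpkt priority=8
add name=PROXYSTEAM parent=global-out queue=pcq_proxysteam packet-mark=proxy-pkt priority=8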
/ip firewall address-list
# Hosts permitted to reach the Internet (consumed by the forward-chain jump in
# /ip firewall filter); any other LAN host is dropped there.  This is a
# source-IP allow-list only: a LAN machine that configures itself with one of
# these addresses inherits the permission.  No DHCP server appears in this
# listing, so addresses are presumably static; pinning them (e.g. /ip arp
# entries with arp=reply-only on lan1) would make the list harder to borrow.
add address=192.168.1.8 disabled=no list=internet-allowed
add address=192.168.1.11 disabled=no list=internet-allowed
add address=192.168.1.12 disabled=no list=internet-allowed
add address=192.168.1.14 disabled=no list=internet-allowed
add address=192.168.1.15 disabled=no list=internet-allowed
add address=192.168.1.16 disabled=no list=internet-allowed
add address=192.168.1.17 disabled=no list=internet-allowed
add address=192.168.1.20 disabled=no list=internet-allowed
add address=192.168.1.21 disabled=no list=internet-allowed
add address=192.168.1.22 disabled=no list=internet-allowed
# The proxy itself must be allowed out, or cache misses can never be fetched.
add address=172.160.1.2 disabled=no list=internet-allowed

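/ip firewall filter
# ---- input: what the router itself accepts -------------------------------
add action=accept chain=input comment="Accept Input Established" connection-state=established disabled=no
add action=accept chain=input comment="Accept Input Related" connection-state=related disabled=no
add action=drop chain=input comment="Drop Input Invalid" connection-state=invalid disabled=no
# Rate-limited ICMP stays open on every interface so ping/check-gateway keep
# working (replies to the router's own pings are established anyway).
add action=accept chain=input comment="Accept Input Limited ICMP" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop Input Exceed ICMP" disabled=no protocol=icmp
# FIX: the original accepted Winbox, Webfig, Telnet, SSH, DNS and Winbox
# discovery with no in-interface match, i.e. from both ISPs.  That exposes the
# management plane to the Internet and, with /ip dns allow-remote-requests=yes,
# makes the router an open resolver usable for DNS amplification.  New
# connections from either WAN are dropped here, so everything below is
# reachable from lan1 and the proxy link only.  (If a WAN ever switches to a
# DHCP client, accept udp/68 from that interface above these two rules.)
add action=drop chain=input comment="Drop Input New from wan1" connection-state=new disabled=no in-interface=wan1
add action=drop chain=input comment="Drop Input New from wan2" connection-state=new disabled=no in-interface=wan2
add action=accept chain=input comment="Accept Input Winbox" disabled=no dst-port=8291 protocol=tcp
# Webfig over plain HTTP; prefer www-ssl.  Note the transparent-proxy dst-nat
# also matches LAN traffic to 192.168.1.1:80 unless it excludes that address.
add action=accept chain=input comment="Accept Input Webfig" disabled=no dst-port=80 protocol=tcp
# Telnet is plaintext; rule left in place but disabled.  Disable the service
# itself too (/ip service disable telnet).
add action=accept chain=input comment="Accept Input Telnet" disabled=yes dst-port=23 protocol=tcp
add action=accept chain=input comment="Accept Input SSH" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="Accept Input DNS" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Accept Input WInbox Discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="Drop Input Anything Else" disabled=no
# ---- forward: traffic through the router ---------------------------------
add action=accept chain=forward comment="Accept Forward Established" connection-state=established disabled=no
add action=accept chain=forward comment="Accept Forward Related" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Forward Invalid" connection-state=invalid disabled=no
# Nothing in this listing publishes an inbound service (the only dst-nat is
# the LAN->proxy redirect), so no new connection should ever arrive from a
# WAN.  Without these drops a packet entering wan1/wan2 with a forged
# internet-allowed source address would match the jump below.
add action=drop chain=forward comment="Drop Forward New from wan1" connection-state=new disabled=no in-interface=wan1
add action=drop chain=forward comment="Drop Forward New from wan2" connection-state=new disabled=no in-interface=wan2
add action=jump chain=forward comment="Accept User Internet and Jump to Port-Filter" disabled=no jump-target=port-filter src-address-list=internet-allowed
# ---- port-filter ---------------------------------------------------------
# FIX: the original rules used port=, which matches EITHER the source or the
# destination port.  Because client source ports are ephemeral, the
# "unregistered ports" rule (port=1025-65535) accepted virtually every TCP
# connection and the rest of this list was dead weight.  All rules now match
# dst-port= only.  Even so, dst-port=1025-65535 still admits any high
# destination port; narrow or remove it if the list is meant to be restrictive.
add action=accept chain=port-filter comment="Accept Port-Filter HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter HTTPS AND SNEWS" disabled=no dst-port=443,563 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter rsync" disabled=no dst-port=873 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gopher" disabled=no dst-port=70 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter wais" disabled=no dst-port=210 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter unregistered ports" disabled=no dst-port=1025-65535 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter PROXY" disabled=no dst-port=8000,8080,3128 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter http-mgmt" disabled=no dst-port=280 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter gss-http" disabled=no dst-port=488 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter filemaker" disabled=no dst-port=591 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter multiling http" disabled=no dst-port=777 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter cups" disabled=no dst-port=631 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter SWAT" disabled=no dst-port=901 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter Email Ports" disabled=no dst-port=25,587,465,110,143,993,995 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter YM" disabled=no dst-port=5050 protocol=tcp
add action=accept chain=port-filter comment="Accept Port-Filter VPN BCA" disabled=no dst-port=500,10000 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter DNS" disabled=no dst-port=53,8053,35053 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter NTP" disabled=no dst-port=123 protocol=udp
add action=accept chain=port-filter comment="Accept Port-Filter ICMP" disabled=no protocol=icmp
add action=drop chain=port-filter comment="Drop Port-Filter Anything Else" disabled=no
# Hosts not on internet-allowed never reach port-filter and are dropped here.
add action=drop chain=forward comment="Drop Forward Anything Else" disabled=no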
