Hello everyone, my
name is Martins and I am one of the guys from the
MikroTik Technical Support Team. Today I am here to try to explain
to you how to configure multiple internet connection scenarios
on your RouterOS device and make sure that it
will work even if not all of the internet
connections are available at the time. First of all, let us
go through the game plan. When I have to make a network or
network configuration, I make a plan first and only then I make sure that
I follow all the steps in the way. So what we will do in this video today? First of all, we will
go through my test setup so we can understand what and
why are we trying to configure. Then we will create a router
configuration for multiple uplinks which will allow for the router to
work properly when you try to access the router
itself from the internet, access your local network from the
internet and finally also distribute internet access from your LAN to the
public network between your multiple uplinks. So let us start with my
setup. In order to test this scenario I did choose to use
four separate routers and my computer. We will be doing
configuration only on one of the routers which in your
case would be your network gateway. We will connect the computer to this
router LAN network and in my scenario I will use three different devices which
will be used as ISP routers for my gateway. I will use different types of ISP
connections, static one, dynamic and VPN just to show you that load
balancing configuration does not care what
kind of internet connection or how many internet
connections you have. It is possible to build it
on any RouterOS installation. Before we put the configuration in a real environment we do need
to test it in the lab first. So in my test case I have configured one dummy IP address on
all of these three routers, which we will call as my.internet.test
and which I will try to reach from my computer later on you will see that
it is reachable through multiple uplinks and connections to it are
distributed between ISPs automatically. In RouterOS and other
networking devices there are several ways how to make a
load balancing scenario type of setup. PCC, NTH, BONDING,
ECMP and others. Today we will use the so called PCC or per
connection classifier method. Why? Because we do
consider this as the most flexible configuration for the user
and it is really easy to configure. Before we are moving to
the setup itself there is one very very important
thing that you have to understand. Do you remember old movies from
the 90s where twins are born and separated? Each of them gets half of
a medallion and later on after many years they do find
each other and join their medallions. Well this is not how
networking works. This method is called the per
connection classifier for a reason. It is not possible to break a
network connection in half, send each half of the connection to the
internet through different ISPs and hope that
they will somehow meet again. We will distribute
connections, not bandwidth or parts of
connections between different ISPs. It will be as simple as that.
Connection number 1 uses ISP1, connection number 2 uses ISP2, connection number 3 uses ISP3, and connection number 4
uses ISP1 again and so on. The router does not know how much
bandwidth each connection will consume. It will just lead them to the internet through different uplinks
based on a simple counter. Ok, that is enough for the
introduction. Let us move on to the RouterOS. I have already set up my
ISP routers and all three client connections on my gateway
since this video is not about that. Here I have three internet
connections. Static one, dynamic one and VPN. My router is configured as a simple DHCP server for LAN network
just for simulation purposes. As I mentioned before, we do test
this setup in the lab first and we will use the domain my.internet.test in
order to simulate internet access. So the first thing that we need to do
is create routing tables in order to force a connection to use a
specific path, a specific route in a separate
routing table will be created. In order to do so, we need to
create these routing tables first. I just add new tables under the
routing menu and make sure that checkbox FIB is selected, which means that routes in
these routing tables will be installed in the actual routing table
used for traffic processing. After that, I have to add default routes for each ISP in
their specific routing tables. I also specify the
check gateway so the routers would check their status and
become invalid if ISP is not reachable. Specifically for the
load balancing scenario, this is all that is required to
be added under the routing menu. However, I will also make a few
adjustments in my already existing main routing table and specify
the distance for my uplinks. Why you may ask? We
will point connections towards specific routing tables
later on by using a firewall. However, when ISP is
down and there is no internet, for example on ISP 3, then the
traffic still needs to be processed. Connection marked with ISP 3 will at
that moment fall back to the main routing table and will use the
main routing table priorities list. That is why I create
prioritized default routes and specify different
distance parameters on them. You can consider distance as a
priority, lower distance, higher priority. Now we can forget about our routing
table. That is all that we had to do here. The remaining part of the
configuration now has to be done in firewall. We will use a firewall mangle
section in which you can do a lot of stuff. But now we will only
need to mark connections since we use a per connection
classifier load balancing method. And then tell the
router which connections must use which routing table.
It's actually very very simple. We do separate
incoming connections between each other based
on the incoming interface. And we do that in the
pre routing chain which is the first place where we
can detect traffic on firewall. We cannot do that earlier. If the
connection reaches the router through for example ISP 2, then we need to make sure
that it is also replied through ISP 2. You can do this in many
ways, but I will show you the configuration which I
do consider the most effective. In our scenario we need to mark
connections. So there is no need to recheck incoming ISP on each
and every network packet. That is why I create a rule with
parameter connection state new specified. My personal recommendation, I
specify the connection mark as no mark. Since later on you
will add new mangle rules before the
configuration that we are making now. And since mangle marking rules work
as pass through rules by default, this rule would override the
exception that you made earlier. But if you specify connection
mark as no mark, then you are safe. At this point I try to reach my
router from ISP 2 and ISP 3. It does not work. Because the connection reaches the
router through ISP 2 and ISP 3, but replies to it through ISP 1 due
to the main routing table. Now I will force the
router to reply to connections with ISP 2 and ISP 3 mark
through correct routing table. Here all I need to
do is create three mangle rules, one for each
ISP, in the output chain. Output is responsible for packets leaving the router itself.
Not the LAN, but the router. I just specify that all connections
in the output chain that have connection mark ISP 1 will use routing
table ISP 1, ISP 2 will use routing table ISP 2 and
ISP 3 will use ISP 3 routing table. And that is it.
Access to your router is now working properly as
you can see on my screen. However, sometimes you might see
that you did just add a marking type of configuration, but it is not working yet. Yes, that might happen, because we
are now marking new connections. It will not apply to connections
that were already active. So just to be sure
that we do use a new set of mangle rules, I will
clear the connection tracking table. Now all connections
will be new. Remember this when debugging your load balancing
setups. Usually this is forgotten. Now let us work on connections from
LAN to the internet. This is a part of the configuration where
this video gets its name. We will force the
router to make a routing decision based on a counter
called per connection classifier. Now we will mark
connections similarly as we did with incoming
traffic from the internet. But now we will mark new connections
from LAN. We will make sure that we specify the connection mark as
no-mark as I explained already before why. Now we add a parameter called
destination address type. Since we are now talking about forwarded traffic, I will
specify that I want to use this rule only for connections that are
not destined to the router itself, because I do not
want to mark input traffic from LAN. I specify that I want to increase
the counter on each connection where source address and port
is different to make setup more flexible and
balance load more frequently. Finally, we will specify per
connection classifier parameter. It is super easy actually. We need to
count how many ISPs we have. We do have 3 ISPs in my lab, so the
divider for PCC will be 3. And for ISP1 we will use a connection in which the
sequence number divided by 3 has nothing left. This remainder is 0. Of course we now
do assign connection mark on the action tab for each per
connection classifier remainder and make a separate
rule for each PCC divider. For ISP2, the
connection with the remainder is 1. And for ISP3 the remainder is 2. This counter will do the same
thing also for connection number 26. If we divide 26 by 3
then the remainder is 2. So the mark will be ISP3. One interesting side note here. Remember that at the
beginning of this video I told you that we will distribute
connections here, not the bandwidth. That is still true
but more often than not you have ISP connections
with different guaranteed speeds. For example 1 gigabit from ISP1
and 500 megabits from others ISP2 and ISP3. Then we can divide all the
traffic into not three but four parts and simply increase the
divider by one and add one more Mangle rule which will mark
connections with mark ISP1. So two rules for ISP1,
one for ISP2, one for ISP3. In total four rules. You will not be able
to consume more bandwidth but the possibility of fully
utilizing one of the ISPs will be lower now. For the forwarded traffic from LAN
all I need to add now is mark routing rules which again will tell for
connection which routing table to choose. We need to show the way only
for packets from LAN to the internet. We do not want to mark
packets from the internet to LAN. That is absolutely unnecessary because routing to LAN is
already done in the main routing table. So now we can see that if I try
to access the internet from my computer, then I can access
the same IP address, but through different
ISPs on each new connection. In my example, you can see that I
try to access our dummy fake internet IP, and on each connection I
have accessed another device. This is just to
show you the idea, in real life it will also
work for any connections passing through your router. Now
here is the last thing that you should notice. If there is traffic
from the internet towards your LAN, for example a port
forwarding type of scenario, then this will
work right away. Because at the very beginning
we did mark connections, coming into the router from each ISP,
the very first mangle rules that we added. And just now we did tell packets
coming from the LAN which routing table to use based on the connection mark.
So also this will work right away. Now last but not least, I will disconnect the cable from my
router to, for example, ISP2. We do see that
route for ISP2 is not active anymore, but we can
still create new connections from our computer to
the internet, and even if they do get ISP2
marked, then they are able to reach the internet.
But through ISP1, which was selected as the main
uplink at the beginning of this video due to the lowest default
route distance in the main routing table. So what did we
just do? We learned a little bit about how load
balancing works in general. We made sure that
if we do have multiple ISP connections, then we
can access the router itself through all of
them. We can access LAN from internet through any
of the ISPs. Traffic from LAN to the internet
is distributed between all ISPs and can be
actually distributed based on guaranteed bandwidth
speed differences between uplinks. If some ISP
is not working at the time, the traffic marked
for this ISP usage will fall back to the main
routing table and will use ISP, which has the highest priority. I think that this is kind of
a good job for one video. I hope that it will help you to
understand something about networking on RouterOS a little bit better, and we will receive fewer and fewer
support emails about this topic. So good luck, and sorry
that the video was so long. Goodbye!
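
The configuration walked through in this transcript, written out as RouterOS v7 commands. This is an added example, not taken from the video or from MikroTik: the interface names (ether1, ether2, vpn-isp3, bridge) and the documentation-range gateway addresses are assumptions, and the dynamic and VPN uplinks are simplified to fixed gateway addresses.

```routeros
# Assumed names/addresses (constructed, not from the video):
#   ether1 = ISP1 (static), ether2 = ISP2 (dynamic), vpn-isp3 = ISP3 (VPN), bridge = LAN
#   gateways 192.0.2.1, 198.51.100.1, 203.0.113.1 are documentation-range placeholders
/routing table
add name=ISP1 fib
add name=ISP2 fib
add name=ISP3 fib

/ip route
# Per-ISP tables: one default route each, invalidated by check-gateway when the uplink is down
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=ISP3 check-gateway=ping
# Main table: fallback order by distance (lower distance = higher priority)
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=3 check-gateway=ping

/ip firewall mangle
# 1. Mark new, still-unmarked connections by the uplink they arrived on
add chain=prerouting in-interface=ether1 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP1
add chain=prerouting in-interface=ether2 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP2
add chain=prerouting in-interface=vpn-isp3 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP3
# 2. Replies from the router itself leave through the table matching the mark
add chain=output connection-mark=ISP1 action=mark-routing new-routing-mark=ISP1
add chain=output connection-mark=ISP2 action=mark-routing new-routing-mark=ISP2
add chain=output connection-mark=ISP3 action=mark-routing new-routing-mark=ISP3
# 3. PCC: new LAN connections not destined to the router, divider 3, remainders 0/1/2
add chain=prerouting in-interface=bridge connection-state=new connection-mark=no-mark dst-address-type=!local per-connection-classifier=src-address-and-port:3/0 action=mark-connection new-connection-mark=ISP1
add chain=prerouting in-interface=bridge connection-state=new connection-mark=no-mark dst-address-type=!local per-connection-classifier=src-address-and-port:3/1 action=mark-connection new-connection-mark=ISP2
add chain=prerouting in-interface=bridge connection-state=new connection-mark=no-mark dst-address-type=!local per-connection-classifier=src-address-and-port:3/2 action=mark-connection new-connection-mark=ISP3
# 4. Packets from LAN follow the table named by their connection mark
add chain=prerouting in-interface=bridge connection-mark=ISP1 action=mark-routing new-routing-mark=ISP1
add chain=prerouting in-interface=bridge connection-mark=ISP2 action=mark-routing new-routing-mark=ISP2
add chain=prerouting in-interface=bridge connection-mark=ISP3 action=mark-routing new-routing-mark=ISP3

# Existing connections keep their old marks; clear tracking so every connection is new
/ip firewall connection remove [find]
```

For the 1 gigabit / 500 megabit / 500 megabit split described in the transcript, the step 3 rules would use divider 4, with two of the four remainders (for example 0 and 3) marking ISP1.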