Mikrotik
Sergey, 2018-01-29 08:17:36

How to balance two channels from one provider?

Good afternoon. Our office receives 2 lines from one provider (100 Mbit + 50 Mbit). On the provider's side they are plugged into 2 ports of one switch, on ours into 2 ports of a Mikrotik RB750Gr3. Each line has its own PPPoE connection, and the Mikrotik is configured for ECMP balancing. Accordingly, the settings from the provider come to both lines identical. Both of our ports are in the same network from the provider side, we are united (seemingly) only by balancing.
Last week, after rebooting the Mikrotik (to remove the remnants of the FastTrack rules from the firewall), the connections of both lines stopped coming up; there was no response from the PPPoE server on either cable. A few hours later, we managed to get information from the provider that our router had formed a ring that "laid" several nearby houses, so the switch with our lines was turned off. I left 1 cable physically connected, and the switch was unlocked.
1) How could this happen? Ports in Mikrotik (as far as I know) are not interconnected in any way if they are not combined via a switch or bridge, and balancing should not cause such consequences.
2) Until we were blocked, everything worked well, except for the Vkontakte site. Apparently, balancing constantly confused packets and connections, some worked and others did not send messages, and everything on the site was stupid. All options were tried with tcp-mss, but to no avail: while there are 2 lines, there are glitches. With one channel everything is OK. Where did something go wrong in the settings?

Excerpts from the configuration
/interface bridge
add arp=reply-only fast-forward=no name=bridge1
add arp=reply-only name=bridge2_guest
/interface ethernet
set [ find default-name=ether5 ] name="lan1(5)"
set [ find default-name=ether4 ] master-port="lan1(5)" name="lan2(4)"
set [ find default-name=ether3 ] master-port="lan1(5)" name="lan3(3)"
set [ find default-name=ether1 ] advertise=100M-full name="wan1(1)"
set [ find default-name=ether2 ] advertise=100M-full name="wan2(2)"
/interface pppoe-client
add disabled=no interface="wan1(1)" keepalive-timeout=60 name=pppoe-out1 password=*** use-peer-dns=yes user=***
add disabled=no interface="wan2(2)" keepalive-timeout=60 name=pppoe-out2 password=*** use-peer-dns=yes user=***
/interface list
add name=wans
add name=lans
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.250
add name=dhcp_pool2 ranges=192.168.100.30-192.168.100.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface="lan1(5)" lease-time=5h name=rv_dhcp
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=bridge2_guest lease-time=1h name=rv_dhcp_guest_wifi
/ppp profile
set *0 change-tcp-mss=no
set *FFFFFFFE change-tcp-mss=no
/interface list member
add interface="wan1(1)" list=wans
add interface="wan2(2)" list=wans
add interface="lan1(5)" list=lans
add interface="lan2(4)" list=lans
add interface="lan3(3)" list=lans
add interface=pppoe-out1 list=wans
add interface=pppoe-out2 list=wans
/ip address
add address=192.168.1.1/24 interface="lan1(5)" network=192.168.1.0
add address=192.168.100.1/24 interface=bridge2_guest network=192.168.100.0
/ip dhcp-server network
add address=192.168.1.0/24 comment="Rosvideo DHCP settings" dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
add address=192.168.100.0/24 comment="Guest wifi" dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,78.8.8.8
/ip dns static
add address=192.168.1.1 name=router
/ip firewall address-list
add address=0.0.0.0/8 list=bogon
add address=10.0.0.0/8 list=bogon
add address=100.64.0.0/10 list=bogon
add address=127.0.0.0/8 list=bogon
add address=169.254.0.0/16 list=bogon
add address=172.16.0.0/12 list=bogon
add address=192.0.0.0/24 list=bogon
add address=192.0.2.0/24 list=bogon
add address=192.168.0.0/16 list=bogon
add address=198.18.0.0/15 list=bogon
add address=198.51.100.0/24 list=bogon
add address=203.0.113.0/24 list=bogon
add address=224.0.0.0/4 list=bogon
add address=240.0.0.0/4 list=bogon
/ip firewall filter
add action=drop chain=input connection-state=invalid in-interface-list=wans
add action=drop chain=input in-interface-list=wans src-address-list=bogon
add action=accept chain=input connection-state=established,related in-interface-list=wans
add action=accept chain=input protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input src-address=192.168.1.0/24
add action=drop chain=input in-interface-list=wans
/ip firewall mangle
add action=change-mss chain=forward new-mss=1436 out-interface=pppoe-out1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1440-65535
add action=change-mss chain=forward new-mss=1436 out-interface=pppoe-out2 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1440-65535
add action=change-mss chain=forward in-interface=pppoe-out1 new-mss=1436 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1440-65535
add action=change-mss chain=forward in-interface=pppoe-out2 new-mss=1436 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1440-65535
add action=mark-connection chain=input in-interface=pppoe-out1 new-connection-mark=mts1 passthrough=no
add action=mark-connection chain=input in-interface=pppoe-out2 new-connection-mark=mts2 passthrough=no
add action=mark-connection chain=forward disabled=yes in-interface=pppoe-out1 new-connection-mark=mts1 passthrough=no
add action=mark-connection chain=forward disabled=yes in-interface=pppoe-out2 new-connection-mark=mts2 passthrough=no
add action=mark-routing chain=output connection-mark=mts1 new-routing-mark=mts1routing passthrough=no
add action=mark-routing chain=output connection-mark=mts2 new-routing-mark=mts2routing passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=mts1routing
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=mts2routing
add check-gateway=ping distance=1 gateway=pppoe-out2,pppoe-out1,pppoe-out1
add disabled=yes distance=1 gateway=192.168.1.1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="wan1(1)" type=external
add interface="wan2(2)" type=external
add interface="lan1(5)" type=internal

4 answer(s)
Gansterito, 2018-01-29
@grey_fx

It is possible that the RouterBoard (specifically your model) becomes a simple switch during a reboot.
I ran into this on an RB1100AHx2. It goes to one switch with two ports. During the reboot, I looped one VLAN, and the switch did not catch the loop (I don’t remember the reason).
I asked a question to the Saab95 Mikrotik expert on forum.nag.ru, but received no answer.
I think you should test this version with an experiment.

poisons, 2018-01-29
@poisons

1) Mud in interface naming
2) Mud in dhcp
3) Mud in the firewall, clearly copied from another article "how to properly prepare Mikrotik".
The result is a factory reset and setting up from 0 without using copy-paste.
P.S. Kick the provider in the head, so that they allocate you a gigabit port and give you your 150 Mbps without these perversions.

yurapupan, 2018-01-29
@yurapupan

I abandoned such ideas on Mikrotik, because it doesn’t exist and it will fail; I use only channel reservation via netwatch. In my opinion there is only one medicine: CISCO.

Dmitry Tallmange, 2018-01-29
@p00h

Since we are talking about traffic from the local network, with these rules:

add action=mark-connection chain=input in-interface=pppoe-out1 new-connection-mark=mts1 passthrough=no
add action=mark-connection chain=input in-interface=pppoe-out2 new-connection-mark=mts2 passthrough=no
add action=mark-connection chain=forward disabled=yes in-interface=pppoe-out1 new-connection-mark=mts1 passthrough=no
add action=mark-connection chain=forward disabled=yes in-interface=pppoe-out2 new-connection-mark=mts2 passthrough=no
add action=mark-routing chain=output connection-mark=mts1 new-routing-mark=mts1routing passthrough=no
add action=mark-routing chain=output connection-mark=mts2 new-routing-mark=mts2routing passthrough=no

not a single packet from the local network will be affected, because the rules in the forward chain are disabled, and the input and output chains only apply to packets sent from the router itself (or to the router itself).
Therefore, in the route chain,
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=mts1routing
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=mts2routing
add check-gateway=ping distance=1 gateway=pppoe-out2,pppoe-out1,pppoe-out1
add disabled=yes distance=1 gateway=192.168.1.1

only this one works:
add check-gateway=ping distance=1 gateway=pppoe-out2,pppoe-out1,pppoe-out1
Each new TCP connection will be directed in turn to one of the interfaces. Mikrotik tracks connections, and only open (active) ones will not be moved to another gateway. Therefore, it is quite possible that authorization on vk.com went through pppoe-out1, and the next GET went through pppoe-out2. I don’t know how important this is for VKontakte; I haven't looked into it.
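
Added example (not part of the question or the answers above): a small Python audit of the mangle and route lines from the question's configuration, checking the point made in the last answer, that no enabled marking rule sits in a chain that forwarded LAN traffic passes, so only the unmarked ECMP route is used for it. The parser and function names are illustrative, and the check assumes that mark-routing affects forwarded packets only from the prerouting chain.

```python
import shlex

# Constructed sample: mangle and route lines copied from the configuration on this page.
CONFIG = """\
/ip firewall mangle
add action=change-mss chain=forward new-mss=1436 out-interface=pppoe-out1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1440-65535
add action=mark-connection chain=input in-interface=pppoe-out1 new-connection-mark=mts1 passthrough=no
add action=mark-connection chain=input in-interface=pppoe-out2 new-connection-mark=mts2 passthrough=no
add action=mark-connection chain=forward disabled=yes in-interface=pppoe-out1 new-connection-mark=mts1 passthrough=no
add action=mark-connection chain=forward disabled=yes in-interface=pppoe-out2 new-connection-mark=mts2 passthrough=no
add action=mark-routing chain=output connection-mark=mts1 new-routing-mark=mts1routing passthrough=no
add action=mark-routing chain=output connection-mark=mts2 new-routing-mark=mts2routing passthrough=no
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=mts1routing
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=mts2routing
add check-gateway=ping distance=1 gateway=pppoe-out2,pppoe-out1,pppoe-out1
add disabled=yes distance=1 gateway=192.168.1.1
"""
TRANSIT_CHAINS = {"prerouting", "forward", "postrouting"}  # chains LAN->WAN packets traverse
MARK_ACTIONS = {"mark-connection", "mark-routing"}

def parse_export(text):
    """Parse 'add' lines of an export into {section: [{key: value}]}, skipping disabled items."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            item = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            if item.get("disabled") != "yes":
                current.append(item)
    return sections

def transit_mark_rules(sections):
    """Enabled marking rules that forwarded (LAN) traffic can hit."""
    return [r for r in sections.get("/ip firewall mangle", [])
            if r.get("action") in MARK_ACTIONS and r.get("chain") in TRANSIT_CHAINS]

def routes_for_lan_traffic(sections):
    """Gateways LAN traffic can use: main table plus tables whose mark is set in prerouting."""
    marks = {r.get("new-routing-mark") for r in transit_mark_rules(sections)
             if r["action"] == "mark-routing" and r["chain"] == "prerouting"}
    return [r["gateway"] for r in sections.get("/ip route", [])
            if r.get("routing-mark") is None or r["routing-mark"] in marks]

if __name__ == "__main__":
    cfg = parse_export(CONFIG)
    print(transit_mark_rules(cfg), routes_for_lan_traffic(cfg))
```

On this configuration the audit finds no marking rule in a transit chain and a single usable route, the ECMP one, which matches the reading given in the answer.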
