Mikrotik PCC Load Balancing with 2 WANs + 1 VPN


This Per Connection Classifier (PCC) load balancing setup is used for round-robin load balancing with the following configuration:

  1. Internet: Speedy using PPPoE.
  2. Internet: office wireless using a static IP.
  3. VPN using a static IP.
Speedy PPPoE Configuration
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    dial-on-demand=yes disabled=no interface=ether1-speedy max-mru=1480 \
    max-mtu=1480 mrru=disabled name=pppoe-speedy password=********** profile=\
    default service-name="" use-peer-dns=no user=************@telkom.net
IP Address Configuration

The interfaces that use static IPs are br-lan, which is the local interface on network 10.3.8.0/24, the office WAN (ether2-pde) on network 192.168.51.0/24, and the VPN (ether3-sapk) on network 178.199.25.176/28.

/ip address
add address=10.3.8.1/24 broadcast=10.3.8.255 comment=LAN disabled=\
    no interface=br-lan network=10.3.8.0
add address=192.168.51.52/24 broadcast=192.168.51.255 comment=PDE disabled=no \
    interface=ether2-pde network=192.168.51.0
add address=178.199.25.178/28 broadcast=178.199.25.191 comment=SAPK disabled=\
    no interface=ether3-sapk network=178.199.25.176

The Speedy DMZ interface, ether1-speedy, uses DHCP.

/ip dhcp-client
add comment="" disabled=no interface=ether1-speedy
Firewall Configuration

Mangle configuration to mark connections and routing on the pppoe-speedy and ether2-pde interfaces: connections arriving on each WAN are marked in the input chain, and the router's own replies get the matching routing mark in the output chain so they leave through the same interface.

/ip firewall mangle
add action=mark-connection chain=input comment="PCC LB" disabled=no \
    in-interface=ether2-pde new-connection-mark=pde passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    pppoe-speedy new-connection-mark=speedy passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=pde disabled=\
    no new-routing-mark=pde passthrough=no
add action=mark-routing chain=output comment="" connection-mark=speedy \
    disabled=no new-routing-mark=speedy passthrough=no

The following mangle rules accept packets from the LAN that are headed for the router's directly connected networks, so they bypass the PCC marking.

/ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.1.0/24 in-interface=br-lan
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    192.168.51.0/24 in-interface=br-lan
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    178.199.25.176/28 in-interface=br-lan

Mangle rules for balancing with PCC.

/ip firewall mangle
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=br-lan new-connection-mark=pde \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=br-lan new-connection-mark=speedy \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=pde \
    disabled=no in-interface=br-lan new-routing-mark=pde passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=speedy \
    disabled=no in-interface=br-lan new-routing-mark=speedy passthrough=yes

Masquerade configuration.

/ip firewall nat
add action=masquerade chain=srcnat comment=SPEEDY disabled=no out-interface=\
    pppoe-speedy
add action=masquerade chain=srcnat comment="SPEEDY DMZ" disabled=no \
    out-interface=ether1-speedy
add action=masquerade chain=srcnat comment=PDE disabled=no out-interface=\
    ether2-pde
add action=masquerade chain=srcnat comment=SAPK disabled=no out-interface=\
    ether3-sapk
Routing Configuration
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=192.168.51.1 routing-mark=pde scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=pppoe-speedy routing-mark=speedy scope=30 target-scope=\
    10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.51.1 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-speedy scope=30 target-scope=10
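As an added illustration (not part of the original post), the Python script below walks a LAN packet through the decision path that the PCC mangle rules and the routes above implement: the accept exceptions, the dst-address-type=!local match, the per-connection classification, and the fallback to the main table when check-gateway marks a WAN down. The hash is an illustrative stand-in, since RouterOS does not publish its PCC hash, and the main-table fallback is an assumed simplification of the two equal-distance default routes.

```python
import hashlib
import ipaddress

# Networks covered by the "accept" rules: LAN traffic to them is never marked
ACCEPT_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.1.0/24", "192.168.51.0/24", "178.199.25.176/28")]
# Addresses owned by the router itself (what dst-address-type=local matches)
ROUTER_ADDRS = {"10.3.8.1", "192.168.51.52", "178.199.25.178"}
# routing-mark -> gateway, as in the /ip route section
GATEWAYS = {"pde": "192.168.51.1", "speedy": "pppoe-speedy"}
# PCC remainder -> mark: both-addresses-and-ports:2/0 is pde, 2/1 is speedy
PCC_MARKS = {0: "pde", 1: "speedy"}


def pcc_classify(src, sport, dst, dport, denominator=2):
    """both-addresses-and-ports: reduce the 4-tuple to a 32-bit value, return its remainder."""
    key = f"{src}:{sport}->{dst}:{dport}".encode()  # illustrative hash input, not RouterOS's
    value = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return value % denominator


def routing_mark(in_iface, src, sport, dst, dport):
    """Return the routing-mark the prerouting chain assigns, or None if the packet stays unmarked."""
    if in_iface != "br-lan":
        return None  # the PCC rules match in-interface=br-lan only
    if any(ipaddress.ip_address(dst) in net for net in ACCEPT_NETS):
        return None  # action=accept ends mangle processing before the PCC rules
    if dst in ROUTER_ADDRS:
        return None  # dst-address-type=!local excludes the router's own addresses
    return PCC_MARKS[pcc_classify(src, sport, dst, dport)]


def select_gateway(mark, gateway_up):
    """Choose the gateway for a packet carrying the given routing-mark.

    gateway_up maps mark -> bool, standing in for the check-gateway=ping result.
    Assumed RouterOS behaviour: if the marked table has no reachable route, the
    lookup falls back to the main table; the two main-table default routes are
    simplified here to "first reachable gateway in the page's order".
    """
    if mark in GATEWAYS and gateway_up.get(mark, False):
        return GATEWAYS[mark]
    for m in ("pde", "speedy"):
        if gateway_up.get(m, False):
            return GATEWAYS[m]
    return None  # no usable default route
```

Because the classification depends only on the connection's 4-tuple, every packet of one connection lands on the same WAN, which is what keeps the per-interface masquerade consistent.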

This is a static route used to forward traffic to the VPN interface.

/ip route
add comment="" disabled=no distance=1 dst-address=178.200.200.0/24 gateway=\
    178.199.25.177 scope=30 target-scope=10
DNS Resolver Configuration
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=125.160.4.82,118.97.232.51

  1. #1 by dedienugraha on October 25, 2010 - 8:00 pm

    Wow, this is a nice bit of enlightenment. I also want to build something like this but I don't know the settings, so please help. At the internet cafe the international bandwidth happens to be slow, so the plan is to use the office's bandwidth specifically for international connections via VPN, and at the cafe use the wireless connection, which has a large IIX share, but when the office connection drops, fall back to the cafe's own international connection. I just don't understand the rule settings; maybe the topology would be load balancing + VPN failover... can you help, sir? Thanks in advance.

  2. #2 by tohenk on October 25, 2010 - 8:54 pm

    For the configuration above I am using an RB750G. If Mas Dedie Nugraha wants to build load balancing with the office WAN and the internet cafe WAN, the configuration above can still be applied. Just replace Speedy => Wireless, PDE => Internet cafe, and remove SAPK (network 178.199.25.176/28).

    • #3 by derian on June 25, 2011 - 12:29 pm

      Now this is enlightening... what about using 1 Speedy and 1 VPN IP, since above the Speedy is in DMZ mode.. thanks for the tutorial, mas.

  3. #4 by ari on September 12, 2011 - 11:52 am

    Wow.. nice info.
    Mas, I also want to ask: does Speedy have to be dialed via PPPoE from the Mikrotik?
    Can the Speedy dial-up be done directly from the modem instead of from the Mikrotik??

    • #5 by tohenk on September 12, 2011 - 12:06 pm

      Yes, just replace the pppoe-speedy interface with the WAN interface that is connected to the Speedy modem.

  4. #6 by ari on September 13, 2011 - 11:00 am

    Hmmm... what I mean is this, mas,
    in your example the Speedy dial-up is done directly from the Mikrotik, so the Speedy public IP is visible directly on the Mikrotik,
    whereas if the Speedy dial-up is done on the modem... the Speedy public IP isn't visible on the Mikrotik.
    What the Mikrotik gets is only a local IP, not a public one,
    I'm afraid the clients won't be able to connect to the internet.

    Confusing, right?? hehe

  5. #7 by ari on September 13, 2011 - 11:05 am

    Mas, one more thing. I currently have a problem,
    please help me, mas...
    the topology is like this.....
    how should the Mikrotik be configured??

    here is the link to the picture I uploaded...

    please enlighten me

  6. #8 by tohenk on September 14, 2011 - 3:05 pm

    Interfaces:
    ether1-speedy => Speedy modem, dynamic IP (set outside net 192.168.1.0/24)
    ether2-wan    => WAN network 172.27.239.0/24, assuming the router uses static IP 172.27.239.2
    ether3-lan1   => LAN
    ether4-lan2   => LAN
    ether5-lan3   => LAN
    br-lan        => bridge ports ether3-lan1, ether4-lan2, ether5-lan3
    
    Configuration:
    /ip address
    add address=192.168.1.1/24 broadcast=192.168.1.255 comment=LAN disabled=\
        no interface=br-lan network=192.168.1.0
    add address=172.27.239.2/24 broadcast=172.27.239.255 comment=WAN disabled=no \
        interface=ether2-wan network=172.27.239.0
    
    /ip dhcp-client
    add comment="" disabled=no interface=ether1-speedy
    
    /ip firewall mangle
    add action=mark-connection chain=input comment="PCC LB" disabled=no \
        in-interface=ether2-wan new-connection-mark=wan passthrough=yes
    add action=mark-connection chain=input comment="" disabled=no in-interface=\
        ether1-speedy new-connection-mark=speedy passthrough=yes
    add action=mark-routing chain=output comment="" connection-mark=wan disabled=\
        no new-routing-mark=wan passthrough=no
    add action=mark-routing chain=output comment="" connection-mark=speedy \
        disabled=no new-routing-mark=speedy passthrough=no
    
    /ip firewall mangle
    add action=accept chain=prerouting comment="" disabled=no dst-address=\
        192.168.1.0/24 in-interface=br-lan
    add action=accept chain=prerouting comment="" disabled=no dst-address=\
        172.27.239.0/24 in-interface=br-lan
    
    /ip firewall mangle
    add action=mark-connection chain=prerouting comment="" disabled=no \
        dst-address-type=!local in-interface=br-lan new-connection-mark=wan \
        passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
    add action=mark-connection chain=prerouting comment="" disabled=no \
        dst-address-type=!local in-interface=br-lan new-connection-mark=speedy \
        passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
    add action=mark-routing chain=prerouting comment="" connection-mark=wan \
        disabled=no in-interface=br-lan new-routing-mark=wan passthrough=yes
    add action=mark-routing chain=prerouting comment="" connection-mark=speedy \
        disabled=no in-interface=br-lan new-routing-mark=speedy passthrough=yes
    
    /ip firewall nat
    add action=masquerade chain=srcnat comment=SPEEDY disabled=no out-interface=\
        ether1-speedy
    add action=masquerade chain=srcnat comment=wan disabled=no out-interface=\
        ether2-wan
    
    /ip route
    add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
        0.0.0.0/0 gateway=172.27.239.1 routing-mark=wan scope=30 target-scope=10
    add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
        0.0.0.0/0 gateway=ether1-speedy routing-mark=speedy scope=30 target-scope=\
        10
    add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
        172.27.239.1 scope=30 target-scope=10
    add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
        ether1-speedy scope=30 target-scope=10
    
    /ip dns
    set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
        max-udp-packet-size=512 servers=125.160.4.82,118.97.232.51
  7. #9 by agusksaid on November 8, 2011 - 7:12 pm

    I want to ask, it's still the same with the SAPK VPN.. but now.. the connection is directly on the web..
    what if when a user opens the site sapk.bkn.go.id.. the Mikrotik automatically redirects it to the VPN connection..
    SAPK can also be opened from the internet..
    make it automatic: if the VPN connection succeeds.. it goes through the VPN..
    if the VPN fails, it goes through Speedy..

  8. #10 by Buana on November 9, 2014 - 5:43 pm

    I have 2 Speedy lines (speedy1+speedy2). How do I direct only speedy1 to be allowed through the VPN path (the VPN uses PPTP)? What would the mangle and route list be? Thanks for the answer

    • #11 by Toha on November 17, 2014 - 10:35 am

      Try using static routing:

      /ip route
      add distance=1 dst-address=x.x.x.x/32 gateway=speedy1
      
