
ECMP Load Balancing and Failover with Proxy and DNS

# Interface roles. The numeric argument is the interface's index in "/interface print";
# wan1/wan2 are the two uplinks, proxy is the dedicated cache segment, lan1 the client LAN.
/interface
set 1 name="wan1"
set 2 name="wan2"
set 3 name="proxy"
set 4 name="lan1"
set 5 name="not-used"

# Router-side address on each segment.
# NOTE(review): 172.160.1.0/24 is outside RFC 1918 (172.16.0.0/12 ends at 172.31.255.255),
# so the proxy segment uses publicly routable space. It is referenced with the same value in
# the address-lists, mangle and dst-nat rules below, so it is kept unchanged here — possibly
# meant to be 172.16.x; confirm before deploying.
/ip address
add interface=wan1 address=172.16.1.2/24
add interface=wan2 address=172.16.2.2/24
add interface=proxy address=172.160.1.1/24
add interface=lan1 address=192.168.1.1/24

# Router acts as caching resolver. allow-remote-requests=yes answers queries arriving on
# any interface, so who may use it is decided solely by the /ip firewall filter input rules.
# Upstream order: the wan1 ISP gateway first, then Google public DNS.
/ip dns
set servers=172.16.1.1,8.8.8.8,8.8.4.4 allow-remote-requests=yes \
    cache-size=5000KiB cache-max-ttl=1w max-udp-packet-size=512

# Named networks used by later filter/nat/mangle rules (disabled=no and an empty comment
# are the defaults, so they are not repeated here).
/ip firewall address-list
add list=LocalNET address=192.168.1.0/24
add list=ProxyNET address=172.160.1.0/24

# Hide LAN and proxy sources behind whichever WAN address the packet leaves on.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wan1
add chain=srcnat action=masquerade out-interface=wan2

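# Transparent proxy: TCP 80/8080 from the LAN is redirected to the cache at 172.160.1.2:3128.
# Traffic already addressed to the proxy segment is excluded (dst-address-list=!ProxyNET).
# Fix: the original rule also matched requests to the router's own LAN address —
# 192.168.1.1 is not in ProxyNET and port 80 is in dst-port — so Webfig on :80 from lan1
# was silently redirected to the proxy. The accept rule below leaves LAN-local
# destinations alone; it must stay ahead of the dst-nat rule.
/ip firewall nat
add chain=dstnat action=accept in-interface=lan1 dst-address-list=LocalNET \
    comment="NO PROXY FOR LAN-LOCAL DESTINATIONS"
add chain=dstnat action=dst-nat in-interface=lan1 protocol=tcp dst-port=80,8080 \
    dst-address-list=!ProxyNET to-addresses=172.160.1.2 to-ports=3128 \
    comment="TRANSPARENT PROXY"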
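# Cache-hit marking: the proxy is expected to set DSCP 48 on objects served from its cache
# (Squid-style TOS/DSCP hit marking is assumed — confirm on the proxy); those packets get
# the priority-1 HIT_PROXY queue.
# Fix: the original matched DSCP 48 regardless of source, so any external host could place
# its traffic into the top-priority queue just by setting that DSCP. Only packets sourced
# from the proxy segment may now carry the cache-hits mark.
/ip firewall mangle
add chain=postrouting action=mark-packet dscp=48 src-address-list=ProxyNET \
    new-packet-mark=cache-hits passthrough=no comment="PROXY HIT"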

# Traffic between the router's own segments is accepted early in prerouting: "accept" in
# mangle stops processing of the remaining rules in that chain, so any prerouting
# routing-mark rules placed after these (none on this page; presumably on the following
# pages) never push local-to-local flows out through a WAN policy route.
/ip firewall mangle
add chain=prerouting action=accept src-address=192.168.1.0/24 dst-address=172.16.1.0/24
add chain=prerouting action=accept src-address=192.168.1.0/24 dst-address=172.16.2.0/24
add chain=prerouting action=accept src-address=192.168.1.0/24 dst-address=172.160.1.0/24
add chain=prerouting action=accept src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add chain=prerouting action=accept src-address=172.160.1.0/24 dst-address=172.16.1.0/24
add chain=prerouting action=accept src-address=172.160.1.0/24 dst-address=172.16.2.0/24
add chain=prerouting action=accept src-address=172.160.1.0/24 dst-address=172.160.1.0/24
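# Router's own services: a connection that arrives on a WAN gets a connection mark, and
# the router's replies are policy-routed back out the same WAN via the matching routing
# mark (see the wan1_traf / wan2_traf routes).
# Fix: both mark-routing rules matched connection-mark=wan1_conn (copy-paste). As written,
# wan1_conn replies were re-marked wan2_traf by the second rule (passthrough defaults to
# yes) and wan2_conn replies were never marked at all, so neither WAN's replies were
# guaranteed to leave on the interface the request came in on.
/ip firewall mangle
add chain=input action=mark-connection in-interface=wan1 connection-mark=no-mark \
    new-connection-mark=wan1_conn comment="Mark Connection that are Initiated from Outside"
add chain=input action=mark-connection in-interface=wan2 connection-mark=no-mark \
    new-connection-mark=wan2_conn
add chain=output action=mark-routing connection-mark=wan1_conn new-routing-mark=wan1_traf \
    comment="Mark Routing for Router's Replies"
add chain=output action=mark-routing connection-mark=wan2_conn new-routing-mark=wan2_traf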
# Default routing. Several route sets are stacked here (the source appears to collect
# alternatives: plain ECMP, direct per-mark gateways, and one- and two-level recursive
# gateway checks). Omitted dst-address defaults to 0.0.0.0/0, so with everything loaded
# each table ends up with several default routes and only the lowest-distance active one
# is used — in a live config, pick one approach per table.
/ip route
# ECMP default: both ISP gateways; a gateway that stops answering ping is excluded.
add dst-address=0.0.0.0/0 check-gateway=ping gateway=172.16.1.1,172.16.2.1
# Per-WAN tables selected by the wan1_traf / wan2_traf routing marks.
add dst-address=0.0.0.0/0 routing-mark=wan1_traf gateway=172.16.1.1
add dst-address=0.0.0.0/0 routing-mark=wan2_traf gateway=172.16.2.1

# Recursive check hosts, each pinned out of one WAN (scope=10) so a default route via
# them tracks that WAN's real reachability rather than only the link to the gateway.
/ip route
add dst-address=128.199.248.105 scope=10 gateway=172.16.1.1
add dst-address=111.67.16.202 scope=10 gateway=172.16.2.1

# Marked defaults via the check hosts.
# NOTE(review): the two sets below give wan1_traf two distance-1 routes and wan2_traf two
# distance-2 routes. A primary/backup pairing (wan1_traf: wan1 host at 1, wan2 host at 2;
# wan2_traf: wan2 host at 1, wan1 host at 2) looks intended — confirm before deploying.
/ip route
add routing-mark=wan1_traf distance=1 check-gateway=ping gateway=128.199.248.105
add routing-mark=wan2_traf distance=2 check-gateway=ping gateway=111.67.16.202
/ip route
add routing-mark=wan1_traf distance=1 check-gateway=ping gateway=111.67.16.202
add routing-mark=wan2_traf distance=2 check-gateway=ping gateway=128.199.248.105

# Second hop of the recursive chain: 10.129.30.x/31.x reached via the first-level hosts.
# NOTE(review): the final unmarked default uses 10.129.31.2 while every other reference
# is 10.129.31.1 — possibly a typo; confirm.
/ip route
add dst-address=10.129.30.1 scope=10 target-scope=10 check-gateway=ping \
    gateway=128.199.248.105
add dst-address=10.129.31.1 scope=10 target-scope=10 check-gateway=ping \
    gateway=111.67.16.202
/ip route
add routing-mark=wan1_traf distance=1 gateway=10.129.30.1
add routing-mark=wan2_traf distance=2 gateway=10.129.31.1
/ip route
add distance=1 gateway=10.129.30.1
add distance=2 gateway=10.129.31.2
# Packet marks for the queue tree. Proxy→LAN transfers that are not cache hits (dscp=!48)
# become proxy-pkt; everything entering on a WAN becomes dpkt (downstream) and everything
# leaving on a WAN becomes upkt (upstream). There is no connection-mark=no-mark guard, so
# the connection mark is rewritten on every packet and the last matching mark-packet rule
# decides; in practice the packet mark follows the direction of the current packet.
/ip firewall mangle
add chain=forward action=mark-connection in-interface=proxy out-interface=lan1 dscp=!48 \
    new-connection-mark=proxy-conn passthrough=yes comment="DOWNLOAD VIA PROXY"
add chain=forward action=mark-packet connection-mark=proxy-conn \
    new-packet-mark=proxy-pkt passthrough=yes

/ip firewall mangle
add chain=forward action=mark-connection in-interface=wan1 \
    new-connection-mark=dconn passthrough=yes comment="PUBLIC DOWNSTEAM"
add chain=forward action=mark-connection in-interface=wan2 \
    new-connection-mark=dconn passthrough=yes comment=""
add chain=forward action=mark-packet connection-mark=dconn \
    new-packet-mark=dpkt passthrough=yes

/ip firewall mangle
add chain=forward action=mark-connection out-interface=wan1 \
    new-connection-mark=uconn passthrough=yes comment="PUBLIC UPSTEAM"
add chain=forward action=mark-connection out-interface=wan2 \
    new-connection-mark=uconn passthrough=yes comment=""
add chain=forward action=mark-packet connection-mark=uconn \
    new-packet-mark=upkt passthrough=yes
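# Queue types and tree.
# Fix: the tree referenced sfq_proxy_hit, pcq_upsteam, pcq_downsteam and pcq_proxysteam,
# none of which is defined on this page (RouterOS rejects a /queue tree entry whose queue=
# names an unknown type), while the five pcq types that were defined are not used here.
# The four missing types are added following the existing pattern (pcq-rate=0 = no
# per-flow cap; upstream classified by src-address so each sender gets a fair share,
# downstream by dst-address). These are constructed stand-ins — tune to the real link
# speeds. If the same names are already defined on another page of the full
# configuration, drop the four added lines.
/queue type
add name=pcq_game kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_browsing kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_hardsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_p2ptorrent kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_residual kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=sfq_proxy_hit kind=sfq
add name=pcq_upsteam kind=pcq pcq-rate=0 pcq-classifier=src-address
add name=pcq_downsteam kind=pcq pcq-rate=0 pcq-classifier=dst-address
add name=pcq_proxysteam kind=pcq pcq-rate=0 pcq-classifier=dst-address

# Cache hits get priority 1; all other classes share priority 8.
/queue tree
add name=HIT_PROXY parent=global-out packet-mark=cache-hits queue=sfq_proxy_hit priority=1
add name=UPSTEAM parent=global-out packet-mark=upkt queue=pcq_upsteam priority=8
add name=DOWNSTEAM parent=global-out packet-mark=dpkt queue=pcq_downsteam priority=8
add name=PROXYSTEAM parent=global-out packet-mark=proxy-pkt queue=pcq_proxysteam priority=8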
# Hosts permitted to reach the internet; the forward chain jumps these into port-filter.
# The proxy itself (172.160.1.2) is included so it can fetch on the LAN's behalf.
# (disabled=no is the default and is omitted.)
/ip firewall address-list
add list=internet-allowed address=192.168.1.8
add list=internet-allowed address=192.168.1.11
add list=internet-allowed address=192.168.1.12
add list=internet-allowed address=192.168.1.14
add list=internet-allowed address=192.168.1.15
add list=internet-allowed address=192.168.1.16
add list=internet-allowed address=192.168.1.17
add list=internet-allowed address=192.168.1.20
add list=internet-allowed address=192.168.1.21
add list=internet-allowed address=192.168.1.22
add list=internet-allowed address=172.160.1.2

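# Stateful filter.
# Input: established/related first, invalid dropped, rate-limited ICMP, management
# services and DNS, then drop. Forward: established/related, invalid dropped, hosts on
# internet-allowed are checked against the port-filter whitelist, everything else dropped.
#
# Fixes relative to the original:
#  * Winbox, Webfig, Telnet, SSH, Winbox discovery and the DNS resolver were accepted on
#    every interface, i.e. reachable from wan1/wan2; combined with
#    "/ip dns allow-remote-requests=yes" the router was also an open resolver. These
#    rules now require a source in LocalNET (DNS additionally from ProxyNET, assuming the
#    proxy resolves through the router — confirm).
#  * port-filter used port=, which matches the SOURCE or the destination port. Client
#    source ports are ephemeral, so the 1025-65535 rule matched every new TCP connection
#    and the whitelist accepted everything. The rules now match dst-port= only; outbound
#    TCP to destination ports not listed (e.g. 21 or 22) is therefore dropped by the
#    chain's final rule — add them explicitly if they are needed. Note that
#    dst-port=1025-65535 still admits every high destination port by design.
# Telnet is cleartext; keep the rule only while something still depends on it.
# (disabled=no is the default and is omitted.)
/ip firewall filter
add chain=input action=accept connection-state=established \
    comment="Accept Input Established"
add chain=input action=accept connection-state=related comment="Accept Input Related"
add chain=input action=drop connection-state=invalid comment="Drop Input Invalid"
add chain=input action=accept protocol=icmp limit=50/5s,2 \
    comment="Accept Input Limited ICMP"
add chain=input action=drop protocol=icmp comment="Drop Input Exceed ICMP"
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=LocalNET \
    comment="Accept Input Winbox"
add chain=input action=accept protocol=tcp dst-port=80 src-address-list=LocalNET \
    comment="Accept Input Webfig"
add chain=input action=accept protocol=tcp dst-port=23 src-address-list=LocalNET \
    comment="Accept Input Telnet"
add chain=input action=accept protocol=tcp dst-port=22 src-address-list=LocalNET \
    comment="Accept Input SSH"
add chain=input action=accept protocol=udp dst-port=53 src-address-list=LocalNET \
    comment="Accept Input DNS"
add chain=input action=accept protocol=udp dst-port=53 src-address-list=ProxyNET \
    comment="Accept Input DNS (proxy segment)"
add chain=input action=accept protocol=udp dst-port=5678 src-address-list=LocalNET \
    comment="Accept Input WInbox Discovery"
add chain=input action=drop comment="Drop Input Anything Else"

add chain=forward action=accept connection-state=established \
    comment="Accept Forward Established"
add chain=forward action=accept connection-state=related comment="Accept Forward Related"
add chain=forward action=drop connection-state=invalid comment="Drop Forward Invalid"
add chain=forward action=jump jump-target=port-filter src-address-list=internet-allowed \
    comment="Accept User Internet and Jump to Port-Filter"

add chain=port-filter action=accept protocol=tcp dst-port=80 \
    comment="Accept Port-Filter HTTP"
add chain=port-filter action=accept protocol=tcp dst-port=443,563 \
    comment="Accept Port-Filter HTTPS AND SNEWS"
add chain=port-filter action=accept protocol=tcp dst-port=873 \
    comment="Accept Port-Filter rsync"
add chain=port-filter action=accept protocol=tcp dst-port=70 \
    comment="Accept Port-Filter gopher"
add chain=port-filter action=accept protocol=tcp dst-port=210 \
    comment="Accept Port-Filter wais"
add chain=port-filter action=accept protocol=tcp dst-port=1025-65535 \
    comment="Accept Port-Filter unregistered ports"
add chain=port-filter action=accept protocol=tcp dst-port=8000,8080,3128 \
    comment="Accept Port-Filter PROXY"
add chain=port-filter action=accept protocol=tcp dst-port=280 \
    comment="Accept Port-Filter http-mgmt"
add chain=port-filter action=accept protocol=tcp dst-port=488 \
    comment="Accept Port-Filter gss-http"
add chain=port-filter action=accept protocol=tcp dst-port=591 \
    comment="Accept Port-Filter filemaker"
add chain=port-filter action=accept protocol=tcp dst-port=777 \
    comment="Accept Port-Filter multiling http"
add chain=port-filter action=accept protocol=tcp dst-port=631 \
    comment="Accept Port-Filter cups"
add chain=port-filter action=accept protocol=tcp dst-port=901 \
    comment="Accept Port-Filter SWAT"
add chain=port-filter action=accept protocol=tcp dst-port=25,587,465,110,143,993,995 \
    comment="Accept Port-Filter Email Ports"
add chain=port-filter action=accept protocol=tcp dst-port=5050 \
    comment="Accept Port-Filter YM"
add chain=port-filter action=accept protocol=udp dst-port=500,10000 \
    comment="Accept Port-Filter VPN BCA"
add chain=port-filter action=accept protocol=udp dst-port=53,8053,35053 \
    comment="Accept Port-Filter DNS"
add chain=port-filter action=accept protocol=udp dst-port=123 \
    comment="Accept Port-Filter NTP"
add chain=port-filter action=accept protocol=icmp comment="Accept Port-Filter ICMP"
add chain=port-filter action=drop comment="Drop Port-Filter Anything Else"

add chain=forward action=drop comment="Drop Forward Anything Else"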