(ARCHIVED) EdgeRouter - Legacy WAN Load-Balancing with Policy-Based Routing

This article has been archived. Applies to versions prior to: EdgeOS 1.4.0

This article is no longer supported and will not be updated further. Find the current version of this article here. We recommend always upgrading to the newest firmware release to prevent security issues.


Overview


Readers will learn how to configure an EdgeRouter to load-balance traffic across multiple WAN interfaces using the legacy marking-style method. For information on using the newer load-balancing feature (which is also included in the wizards), please visit this article instead.

ATTENTION: This manual marking-style load-balancing method was used before the load-balancing feature was added to EdgeOS. This article is mainly kept for legacy and information purposes. Traffic that is load-balanced using this marking-style method is not eligible for offloading.

Table of Contents


  1. Network Diagram
  2. Configuration
  3. New WAN Connections / Port Forwarding
  4. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter.

  • eth0 (WAN1) - 203.0.113.1/30
  • eth2 (WAN2) - 192.0.2.1/30
  • eth1 (LAN) - 192.168.1.1/24


Configuration



The goal of this load-balancing method is to use packet marks to steer traffic into two different routing tables. Table 11 will be used for the connection to ISP1 and table 12 will be used for the connection to ISP2.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add the default routes for the main routing table and the two routing tables (11 and 12) that the clients will use.

set protocols static route 0.0.0.0/0 next-hop 192.0.2.2
set protocols static route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static table 11 mark 11
set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2
set protocols static table 12 mark 12
set protocols static table 12 route 0.0.0.0/0 next-hop 203.0.113.2

When the stateful firewall is in use, the system keeps track of every connection. Both the connection entry and the packet can carry a mark, and for a new connection each of the two marks (11 and 12) has a 50% chance of being applied.

In short: for a new connection we mark the packet with 11 half of the time and with 12 the rest of the time, then save that packet mark to the new connection entry. An existing connection already carries a mark, so we restore that mark to the packet, and every packet of the connection keeps leaving through the same WAN.

3. Add the modify firewall rules.

set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 description 'restore mark from connection'
set firewall modify balance rule 10 modify connmark restore-mark
set firewall modify balance rule 20 action accept
set firewall modify balance rule 20 description 'accept the packet if the mark isnt zero'
set firewall modify balance rule 20 mark '!0'
set firewall modify balance rule 30 action modify
set firewall modify balance rule 30 description 'for new connections mark 50% with mark 11'
set firewall modify balance rule 30 modify mark 11
set firewall modify balance rule 30 protocol tcp_udp
set firewall modify balance rule 30 state new enable
set firewall modify balance rule 30 statistic probability 50%
set firewall modify balance rule 40 action modify
set firewall modify balance rule 40 description 'for packets with mark zero, mark with 12'
set firewall modify balance rule 40 mark 0
set firewall modify balance rule 40 modify mark 12
set firewall modify balance rule 40 protocol tcp_udp
set firewall modify balance rule 40 state new enable
set firewall modify balance rule 50 action modify
set firewall modify balance rule 50 description 'save the packet mark to the connection mark'
set firewall modify balance rule 50 modify connmark save-mark

4. Apply the firewall rule in the ingress (in) direction to the LAN interface.

set interfaces ethernet eth1 firewall in modify balance

5. Commit the changes and save the configuration.

commit ; save

Here we can see that rules 30 and 40 are nearly balanced 50/50:

show firewall modify statistics
--------------------------------------------------------------------------------
IPv4 Firewall "balance"

Active on (eth2,IN)

rule   packets  bytes     action  description
----   -------  -----     ------  -----------
10     399516   61839166  MODIFY  restore mark from connection
20     366897   59641481  ACCEPT  accept the packet if the mark isn't zero
30     16196    1094021   MODIFY  for new connections mark 50% with mark 1
40     16377    1101667   MODIFY  for packets with mark zero, mark with 2
50     32619    2197685   MODIFY  save the packet mark to the connection mark
10000  32619    2197685   ACCEPT  DEFAULT ACTION

New WAN Connections / Port Forwarding



If port forwarding rules are configured, new connections may be initiated from the WAN side. To keep those connections going out the same interface they came in on, we mark new connections from ISP1 with 11 and new connections from ISP2 with 12.

1. Enter configuration mode.

configure

2. Add the modify firewall rules.

set firewall modify ISP1_IN rule 10 description 'use mark 1 for new ISP1 connections'
set firewall modify ISP1_IN rule 10 action modify
set firewall modify ISP1_IN rule 10 modify connmark set-mark 11
set firewall modify ISP1_IN rule 10 protocol tcp_udp
set firewall modify ISP1_IN rule 10 state new enable
set firewall modify ISP2_IN rule 10 description 'use mark 2 for new ISP2 connections'
set firewall modify ISP2_IN rule 10 action modify
set firewall modify ISP2_IN rule 10 modify connmark set-mark 12
set firewall modify ISP2_IN rule 10 protocol tcp_udp
set firewall modify ISP2_IN rule 10 state new enable

3. Apply the firewall rules in the ingress (in) direction to the two WAN interfaces.

set interfaces ethernet eth0 firewall in modify ISP1_IN
set interfaces ethernet eth2 firewall in modify ISP2_IN

4. Commit the changes and save the configuration.

commit ; save
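To make the mark/connmark behaviour of both chains concrete, here is a small Python model, added for this article and not EdgeOS code, of the "balance" chain from the Configuration section and the ISP1_IN / ISP2_IN chains from this section. It replays constructed LAN and WAN packets through a conntrack table, applying the rules in the order the article lists them. The addresses, interface names and mark/table numbers are the ones given in the article; the Router and Packet classes and all flows are assumptions made for the simulation.

```python
import random
from dataclasses import dataclass

# Constructed model (added here, not EdgeOS code) of the mark/connmark logic that
# the "balance", ISP1_IN and ISP2_IN chains implement. Addresses, interfaces and
# mark/table numbers are the ones listed in this article.

# Policy routing: a packet mark selects the table whose default route is used.
TABLE_NEXT_HOP = {11: "192.0.2.2", 12: "203.0.113.2"}

# Ingress chains on the WAN interfaces set this connmark on new tcp/udp connections.
WAN_INGRESS_MARK = {"eth0": 11, "eth2": 12}   # eth0 carries ISP1_IN, eth2 carries ISP2_IN

LAN_IF = "eth1"


@dataclass(frozen=True)
class Packet:
    flow: tuple   # (client_ip, client_port, server_ip, server_port, proto); shared by both directions
    iface: str    # interface the packet arrives on


class Router:
    def __init__(self, seed=0):
        self.conntrack = {}                # flow -> connmark (the stateful firewall's connection entry)
        self.rng = random.Random(seed)     # seeded so the 50% split is reproducible

    def balance_chain(self, pkt):
        """The 'balance' chain applied to eth1 ingress, rule by rule. Returns the packet mark."""
        is_new = pkt.flow not in self.conntrack
        tcp_udp = pkt.flow[4] in ("tcp", "udp")
        # rule 10: modify connmark restore-mark - copy the connection mark onto the packet
        mark = self.conntrack.get(pkt.flow, 0)
        # rule 20: accept if mark != 0 - an already-marked connection stops here
        if mark != 0:
            return mark
        # rule 30: new tcp/udp connection, statistic probability 50% -> mark 11
        if is_new and tcp_udp and self.rng.random() < 0.5:
            mark = 11
        # rule 40: new tcp/udp connection still carrying mark 0 -> mark 12
        if is_new and tcp_udp and mark == 0:
            mark = 12
        # rule 50: modify connmark save-mark - remember the packet mark on the connection
        self.conntrack[pkt.flow] = mark
        return mark

    def wan_ingress_chain(self, pkt):
        """ISP1_IN / ISP2_IN: a new tcp/udp connection entering a WAN gets that WAN's connmark.
        The inbound packet itself is not marked (only the connection entry is)."""
        if pkt.flow not in self.conntrack and pkt.flow[4] in ("tcp", "udp"):
            self.conntrack[pkt.flow] = WAN_INGRESS_MARK[pkt.iface]
        return 0

    def process(self, pkt):
        """Dispatch to the chain bound to the ingress interface; returns the packet mark."""
        if pkt.iface == LAN_IF:
            return self.balance_chain(pkt)
        if pkt.iface in WAN_INGRESS_MARK:
            return self.wan_ingress_chain(pkt)
        return 0


def next_hop_for(mark):
    """Mark 11/12 selects table 11/12; mark 0 falls back to the main table's two default routes."""
    return TABLE_NEXT_HOP.get(mark, "main")


def simulate_lan_flows(n_flows=1000, packets_per_flow=4, seed=1):
    """Outbound LAN flows: returns (share of flows on mark 11, whether every flow kept a single mark)."""
    r = Router(seed)
    first_mark = {}
    sticky = True
    for i in range(n_flows):
        # constructed client flows: distinct source ports keep the 5-tuples unique
        flow = ("192.168.1.%d" % (10 + i % 200), 40000 + i, "198.51.100.10", 443, "tcp")
        for _ in range(packets_per_flow):
            mark = r.process(Packet(flow, LAN_IF))
            if flow not in first_mark:
                first_mark[flow] = mark
            elif first_mark[flow] != mark:
                sticky = False
    share_11 = sum(1 for m in first_mark.values() if m == 11) / n_flows
    return share_11, sticky


def return_path():
    """Port-forwarded connections arriving on each WAN: the LAN reply restores that WAN's mark."""
    r = Router()
    result = {}
    for port, wan in ((51001, "eth0"), (51002, "eth2")):
        flow = ("198.51.100.77", port, "192.168.1.50", 80, "tcp")   # constructed inbound connection
        r.process(Packet(flow, wan))                  # SYN from the Internet hits ISP1_IN / ISP2_IN
        reply_mark = r.process(Packet(flow, LAN_IF))  # SYN-ACK from the LAN host hits 'balance'
        result[wan] = (reply_mark, next_hop_for(reply_mark))
    return result


def icmp_is_unmarked():
    """Rules 30/40 match tcp_udp only, so an ICMP flow keeps mark 0 and uses the main table."""
    r = Router()
    flow = ("192.168.1.20", 0, "198.51.100.10", 0, "icmp")
    first = r.process(Packet(flow, LAN_IF))
    second = r.process(Packet(flow, LAN_IF))
    return first, next_hop_for(second)


if __name__ == "__main__":
    print("LAN split / sticky:", simulate_lan_flows())
    print("return path:", return_path())
    print("icmp:", icmp_is_unmarked())
```

Running it shows the two properties this method relies on: new LAN connections split roughly 50/50 between the marks while every packet of one connection keeps the mark it was given, and a connection that arrived on a WAN interface has its reply marked with that interface's connmark and therefore routed by that table. It also shows what the statistics output above hints at: only tcp/udp connections are balanced, so anything else stays at mark 0 and uses the main table's two default routes. One check worth doing before relying on the return path: the mark set by each WAN ingress chain must select the table whose next-hop is that WAN's own peer. In the addresses listed above, table 11 points at 192.0.2.2 (the eth2 /30) while ISP1_IN is applied to eth0, so confirm that pairing matches your own topology.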

Related Articles


Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - Hardware Offloading Explained

EdgeRouter - Dual WAN Load-Balance Feature