(ARCHIVED) EdgeRouter - Legacy WAN Load-Balancing with Policy-Based Routing

This article has been archived and applies to older EdgeOS releases (pre-v1.4.0).

This article is no longer supported and will not be updated further. Find the updated version of this article here.


Overview


Readers will learn how to configure an EdgeRouter to load-balance traffic across multiple WAN interfaces using the legacy marking-style method. See our WAN Load-Balancing article for the newer, recommended way to configure load balancing.

ATTENTION: This manual marking-style load-balancing method was used before the Load Balancing feature was added to EdgeOS. This article is mainly kept for legacy and information purposes. Traffic that is balanced using this method is not eligible for offloading.

Table of Contents


  1. Configuring Load-Balancing using PBR
  2. Port Forwarding and Destination NAT
  3. Related Articles

Configuring Load-Balancing using PBR



topology.png

The goal of this load-balancing method is to tie a packet mark to each of two routing tables, so that marked packets are routed by the matching table. Table 11 is used for the connection to ISP1 and table 12 is used for the connection to ISP2.


CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add the default routes for the main routing table and the two routing tables (11 and 12) that the clients will use.

set protocols static route 0.0.0.0/0 next-hop 192.0.2.2
set protocols static route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static table 11 mark 11
set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2
set protocols static table 12 mark 12
set protocols static table 12 route 0.0.0.0/0 next-hop 203.0.113.2

NOTE: For new connections, the packets are marked with either 11 or 12. Each mark is applied 50% of the time.

3. Add the modify firewall rules.

set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 description 'restore mark from connection'
set firewall modify balance rule 10 modify connmark restore-mark
set firewall modify balance rule 20 action accept
set firewall modify balance rule 20 description 'accept the packet if the mark is not zero'
set firewall modify balance rule 20 mark '!0'
set firewall modify balance rule 30 action modify
set firewall modify balance rule 30 description 'for new connections mark 50% with mark 11'
set firewall modify balance rule 30 modify mark 11
set firewall modify balance rule 30 protocol tcp_udp
set firewall modify balance rule 30 state new enable
set firewall modify balance rule 30 statistic probability 50%
set firewall modify balance rule 40 action modify
set firewall modify balance rule 40 description 'for packets with mark zero, mark with 12'
set firewall modify balance rule 40 mark 0
set firewall modify balance rule 40 modify mark 12
set firewall modify balance rule 40 protocol tcp_udp
set firewall modify balance rule 40 state new enable
set firewall modify balance rule 50 action modify
set firewall modify balance rule 50 description 'save the packet mark to the connection mark'
set firewall modify balance rule 50 modify connmark save-mark

4. Apply the firewall rule in the ingress/in direction to the LAN interface.

set interfaces ethernet eth2 firewall in modify balance

5. Commit the changes and save the configuration.

commit ; save

Use the command below to verify the Load Balanced traffic.

show firewall modify statistics
--------------------------------------------------------------------------------
IPv4 Firewall "balance"
Active on (eth2,IN)

rule  packets  bytes     action  description
----  -------  -----     ------  -----------
10    399516   61839166  MODIFY  restore mark from connection
20    366897   59641481  ACCEPT  accept the packet if the mark is not zero
30    16196    1094021   MODIFY  for new connections mark 50% with mark 1
40    16377    1101667   MODIFY  for packets with mark zero, mark with 2
50    32619    2197685   MODIFY  save the packet mark to the connection mark
10000 32619    2197685   ACCEPT  DEFAULT ACTION
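
An added check, not part of the original article: this Python script parses the counter rows of the statistics output and reports how evenly rules 30 and 40 split new connections. The function names are hypothetical, and the consistency check (rule 10 minus rule 20 equals rule 50) is an assumption read off the counters shown above.

```python
import re

# Counters copied from the "show firewall modify statistics" output above.
SAMPLE = """\
rule  packets  bytes     action  description
----  -------  -----     ------  -----------
10    399516   61839166  MODIFY  restore mark from connection
20    366897   59641481  ACCEPT  accept the packet if the mark is not zero
30    16196    1094021   MODIFY  for new connections mark 50% with mark 1
40    16377    1101667   MODIFY  for packets with mark zero, mark with 2
50    32619    2197685   MODIFY  save the packet mark to the connection mark
10000 32619    2197685   ACCEPT  DEFAULT ACTION
"""

# A counter row starts with: rule number, packets, bytes, action.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_stats(text):
    """Return {rule_number: packet_count} for every counter row."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counts[int(m.group(1))] = int(m.group(2))
    return counts

def check_balance(counts, tolerance=0.05):
    """Summarise the split between rule 30 (mark 11) and rule 40 (mark 12)."""
    marked = counts[30] + counts[40]
    share_11 = counts[30] / marked if marked else 0.0
    return {
        "new_balanced": marked,
        "share_mark_11": round(share_11, 4),
        "share_ok": abs(share_11 - 0.5) <= tolerance,
        # Packets not accepted by rule 20 must all reach rule 50.
        "chain_consistent": counts[10] - counts[20] == counts[50],
        # Reached save-mark without matching rule 30 or 40 (not new tcp_udp).
        "saved_unmarked": counts[50] - marked,
    }

if __name__ == "__main__":
    for key, value in check_balance(parse_stats(SAMPLE)).items():
        print(f"{key}: {value}")
```

A share far from 0.5, or a large `saved_unmarked` count, is a cue to re-check the protocol and state matches on rules 30 and 40.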

Port Forwarding and Destination NAT



If Port Forwarding or Destination NAT rules are configured, then new connections are also initiated from the WAN side. In order to keep these new connections on the same interface, mark 11 is added to new connections from ISP1 and mark 12 to new connections from ISP2.

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add the modify firewall rules.

set firewall modify ISP1_IN rule 10 description 'use mark 11 for new ISP1 connections'
set firewall modify ISP1_IN rule 10 action modify
set firewall modify ISP1_IN rule 10 modify connmark set-mark 11
set firewall modify ISP1_IN rule 10 protocol tcp_udp
set firewall modify ISP1_IN rule 10 state new enable
set firewall modify ISP2_IN rule 10 description 'use mark 12 for new ISP2 connections'
set firewall modify ISP2_IN rule 10 action modify
set firewall modify ISP2_IN rule 10 modify connmark set-mark 12
set firewall modify ISP2_IN rule 10 protocol tcp_udp
set firewall modify ISP2_IN rule 10 state new enable

3. Apply the firewall rules in the ingress/in direction to the WAN interfaces.

set interfaces ethernet eth0 firewall in modify ISP1_IN
set interfaces ethernet eth1 firewall in modify ISP2_IN

4. Commit the changes and save the configuration.

commit ; save
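
How the two rulesets interact, as an added Python model that is not part of the original article: it walks packets through the balance rules (10 to 50) and the ISP2_IN rule to show that every packet of a LAN-initiated flow keeps one mark, and that the reply to a port-forwarded connection only gets mark 12 when the WAN-side rule has set the connection mark. Assumptions: connection tracking is reduced to a dictionary, "state new" means the first packet seen for a connection, and all function and flow names are hypothetical.

```python
import random

TCP_UDP = {"tcp", "udp"}

def balance(pkt, conntrack, rng):
    """Model of the 'balance' ruleset on eth2 IN; returns the routing mark."""
    new = pkt["conn"] not in conntrack          # first packet => state new
    entry = conntrack.setdefault(pkt["conn"], {"connmark": 0})
    mark = entry["connmark"]                    # rule 10: restore-mark
    if mark != 0:                               # rule 20: accept if mark != 0
        return mark
    balanced = new and pkt["proto"] in TCP_UDP
    if balanced and rng.random() < 0.5:         # rule 30: 50% get mark 11
        mark = 11
    if balanced and mark == 0:                  # rule 40: the rest get mark 12
        mark = 12
    entry["connmark"] = mark                    # rule 50: save-mark
    return mark

def wan_in(pkt, conntrack, isp_mark):
    """Model of ISP1_IN / ISP2_IN rule 10: connmark set-mark on new tcp_udp."""
    if pkt["conn"] not in conntrack and pkt["proto"] in TCP_UDP:
        conntrack[pkt["conn"]] = {"connmark": isp_mark}

def outbound_marks(flows, packets_per_flow, seed=1):
    """Marks seen by every packet of each LAN-initiated flow."""
    rng, conntrack = random.Random(seed), {}
    return {f: [balance({"conn": f, "proto": "tcp"}, conntrack, rng)
                for _ in range(packets_per_flow)] for f in flows}

def forwarded_reply_mark(with_wan_rules, seed=1):
    """Mark on the LAN server's reply to a connection that arrived via ISP2."""
    rng, conntrack = random.Random(seed), {}
    pkt = {"conn": "wan-client->server:443", "proto": "tcp"}  # constructed flow
    if with_wan_rules:
        wan_in(pkt, conntrack, 12)              # eth1 IN: modify ISP2_IN
    else:
        conntrack[pkt["conn"]] = {"connmark": 0}  # tracked, but never marked
    return balance(pkt, conntrack, rng)         # reply enters eth2 IN

if __name__ == "__main__":
    for flow, marks in outbound_marks(["a", "b", "c", "d"], 3).items():
        print(flow, marks)
    print("reply with ISP2_IN:", forwarded_reply_mark(True))
    print("reply without    :", forwarded_reply_mark(False))
```

In the model, a reply mark of 0 means the packet matches neither table 11 nor table 12 and is left to the main routing table.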

Related Articles



EdgeRouter - WAN Load-Balancing

EdgeRouter - Policy-Based Routing

Intro to Networking - How to Establish a Connection Using SSH

