SUCCESS: Load balancing with sticky connections

I am still stuck with nth for load balancing: there is no time to tinker with PCC, and I have nothing to experiment on yet. After a few hours of tinkering I finally managed to keep download connections to rapidshare from stalling.


Example script (a router with 5 Speedy connections):

Code:
/ip firewall mangle
...
25   chain=prerouting action=mark-connection new-connection-mark=wan5-rs-con passthrough=yes connection-state=new 
     src-address-list=client-rapid-5 dst-address-list=rapidshare in-interface=lan 
26   chain=prerouting action=mark-routing new-routing-mark=wan5 passthrough=no in-interface=lan 
     connection-mark=wan5-rs-con 

27   chain=prerouting action=mark-connection new-connection-mark=wan4-rs-con passthrough=yes connection-state=new 
     src-address-list=client-rapid-4 dst-address-list=rapidshare in-interface=lan 
28   chain=prerouting action=mark-routing new-routing-mark=wan4 passthrough=no in-interface=lan 
     connection-mark=wan4-rs-con 

29   chain=prerouting action=mark-connection new-connection-mark=wan3-rs-con passthrough=yes connection-state=new 
     src-address-list=client-rapid-3 dst-address-list=rapidshare in-interface=lan 
30   chain=prerouting action=mark-routing new-routing-mark=wan3 passthrough=no in-interface=lan 
     connection-mark=wan3-rs-con 

31   chain=prerouting action=mark-connection new-connection-mark=wan2-rs-con passthrough=yes connection-state=new 
     src-address-list=client-rapid-2 dst-address-list=rapidshare in-interface=lan 
32   chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=no in-interface=lan 
     connection-mark=wan2-rs-con 

33   chain=prerouting action=mark-connection new-connection-mark=wan1-rs-con passthrough=yes connection-state=new 
     src-address-list=client-rapid-1 dst-address-list=rapidshare in-interface=lan 
34   chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no in-interface=lan 
     connection-mark=wan1-rs-con 

35   ;;; LB_NTH
     chain=prerouting action=mark-connection new-connection-mark=wan5-con passthrough=yes connection-state=new 
     dst-address-list=!local in-interface=lan nth=5,1 
36   chain=prerouting action=add-src-to-address-list dst-address-list=rapidshare address-list=client-rapid-5 
     address-list-timeout=15m in-interface=lan connection-mark=wan5-con 
37   ;;; LB_NTH
     chain=prerouting action=mark-routing new-routing-mark=wan5 passthrough=no in-interface=lan 
     connection-mark=wan5-con 

38   ;;; LB_NTH
     chain=prerouting action=mark-connection new-connection-mark=wan4-con passthrough=yes connection-state=new 
     dst-address-list=!local in-interface=lan nth=4,1 
39   chain=prerouting action=add-src-to-address-list dst-address-list=rapidshare address-list=client-rapid-4 
     address-list-timeout=15m in-interface=lan connection-mark=wan4-con 
40   ;;; LB_NTH
     chain=prerouting action=mark-routing new-routing-mark=wan4 passthrough=no in-interface=lan 
     connection-mark=wan4-con 

41   ;;; LB_NTH
     chain=prerouting action=mark-connection new-connection-mark=wan3-con passthrough=yes connection-state=new 
     dst-address-list=!local in-interface=lan nth=3,1 
42   chain=prerouting action=add-src-to-address-list dst-address-list=rapidshare address-list=client-rapid-3 
     address-list-timeout=15m in-interface=lan connection-mark=wan3-con 
43   ;;; LB_NTH
     chain=prerouting action=mark-routing new-routing-mark=wan3 passthrough=no in-interface=lan 
     connection-mark=wan3-con 

44   ;;; LB_NTH
     chain=prerouting action=mark-connection new-connection-mark=wan2-con passthrough=yes connection-state=new 
     dst-address-list=!local in-interface=lan nth=2,1 
45   chain=prerouting action=add-src-to-address-list dst-address-list=rapidshare address-list=client-rapid-2 
     address-list-timeout=15m in-interface=lan connection-mark=wan2-con 
46   ;;; LB_NTH
     chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=no in-interface=lan 
     connection-mark=wan2-con 

47   ;;; LB_NTH
     chain=prerouting action=mark-connection new-connection-mark=wan1-con passthrough=yes connection-state=new 
     dst-address-list=!local in-interface=lan nth=1,1 
48   chain=prerouting action=add-src-to-address-list dst-address-list=rapidshare address-list=client-rapid-1 
     address-list-timeout=15m in-interface=lan connection-mark=wan1-con 
49   ;;; LB_NTH
     chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=no in-interface=lan 
     connection-mark=wan1-con
The principle is simple:
  1. A new connection arrives and, say, lands in wan5-con (rule 35).
  2. Below it is a rule that checks whether wan5-con is headed for rapidshare; if so it runs action=add-src-to-address-list, here into the list client-rapid-5. Entries in this list have a limited lifetime, the timeout (rule 36).
  3. The rule below that sets the routing mark for the wan5-con connection (rule 37).
  4. Above the nth load balancing rules sit the sticky-connection rules, whose job is to create static routing based on a source address list and a particular destination.
  5. If a new connection to rapidshare arrives whose source is in client-rapid-5, it gets the connection mark wan5-rs-con (rule 26).
  6. Below it is a routing-mark rule that assigns wan5 to connections marked wan5-rs-con (rule 27).
  7. So every new connection to rapidshare from a source in client-rapid-5 (as long as the entry has not timed out) will always receive the connection mark wan5-rs-con.


This trick can also be used for other traffic, as in the case of Point Blank, where every new connection from the same client must always leave through the same WAN link it used before. The same applies to access to particular ports such as SSL. The method is simple: in each nth load balancing block, change rules like these:

Code:
xx   ;;; LB_NTH
     chain=prerouting action=mark-connection new-connection-mark=wanX-con passthrough=yes connection-state=new 
     dst-address-list=!local in-interface=lan nth=X,1 
xx   ;;; LB_NTH
     chain=prerouting action=mark-routing new-routing-mark=wanX passthrough=no in-interface=lan 
     connection-mark=wanX-con
into

Code:
xx   ;;; LB_NTH
     chain=prerouting action=mark-connection new-connection-mark=wanX-con passthrough=yes connection-state=new 
     dst-address-list=!local in-interface=lan nth=X,1
xx   ;;; RAPIDSHARE
     chain=prerouting action=add-src-to-address-list dst-address-list=rapidshare address-list=client-rapid-X 
     address-list-timeout=24h in-interface=lan connection-mark=wanX-con
xx   ;;; POINTBLANK
     chain=prerouting action=add-src-to-address-list dst-address-list=pointblank address-list=client-pointblank-X 
     address-list-timeout=24h in-interface=lan connection-mark=wanX-con
xx   ;;; SSL
     chain=prerouting action=add-src-to-address-list protocol=tcp dst-port=443 address-list=client-ssl-X 
     address-list-timeout=24h in-interface=lan connection-mark=wanX-con
xx   ;;; LB_NTH
     chain=prerouting action=mark-routing new-routing-mark=wanX passthrough=no in-interface=lan 
     connection-mark=wanX-con
So extra mangle rules are inserted to record the clients connecting to rapidshare, pointblank and ssl. Then the rules at the very top are modified as follows:

Code:
xx   ;;; RAPIDSHARE
     chain=prerouting action=mark-connection new-connection-mark=wanX-rapidshare-con passthrough=yes connection-state=new 
     src-address-list=client-rapid-X dst-address-list=rapidshare in-interface=lan
xx   ;;; ROUTING MARK
     chain=prerouting action=mark-routing new-routing-mark=wanX passthrough=no in-interface=lan 
     connection-mark=wanX-rapidshare-con
xx   ;;; POINTBLANK
     chain=prerouting action=mark-connection new-connection-mark=wanX-pointblank-con passthrough=yes connection-state=new 
     src-address-list=client-pointblank-X dst-address-list=pointblank in-interface=lan 
xx   ;;; ROUTING MARK
     chain=prerouting action=mark-routing new-routing-mark=wanX passthrough=no in-interface=lan 
     connection-mark=wanX-pointblank-con
xx   ;;; SSL
     chain=prerouting action=mark-connection new-connection-mark=wanX-ssl-con passthrough=yes connection-state=new 
     src-address-list=client-ssl-X protocol=tcp dst-port=443 in-interface=lan
xx   ;;; ROUTING MARK
     chain=prerouting action=mark-routing new-routing-mark=wanX passthrough=no in-interface=lan 
     connection-mark=wanX-ssl-con
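As an added example (not from the original post), the per-WAN rules from the principle above and the X templates just shown can be generated for all N links by one RouterOS script, which also fixes their order: all sticky rules first, then the nth rules from nth=N,1 down to nth=1,1. It assumes, beyond what the post states, a LAN interface named lan, existing address lists local, rapidshare and pointblank, existing routes for routing marks wan1..wanN, and an otherwise empty prerouting mangle chain; list names follow the pattern client-<app>-<n> (client-rapidshare-1 rather than the post's client-rapid-1). It also adds one rule per application that the post does not have: on the sticky path the source is re-added to its list, so a client's entry keeps being refreshed while it is still opening new connections, which takes most of the guesswork out of the timeout.

```routeros
# Added example, not the original post's code: generate the complete sticky +
# nth mangle rule set for N WAN links in one pass instead of editing the
# per-WAN rules by hand.  Assumptions not taken from the post: LAN interface
# "lan"; address lists "local", "rapidshare" and "pointblank" exist; routes
# for routing marks wan1..wanN exist; the prerouting mangle chain is otherwise
# empty, so plain "add" produces the intended order.
:local wan 5
:local stickyTimeout 24h
:local apps {"rapidshare";"pointblank"}

# ---- 1. sticky rules, added first so a known client is routed before nth ----
:for i from=1 to=$wan do={
    :foreach app in=$apps do={
        # a new connection from a client already pinned to wan$i for this app
        /ip firewall mangle add chain=prerouting in-interface=lan connection-state=new \
            src-address-list="client-$app-$i" dst-address-list=$app \
            action=mark-connection new-connection-mark="wan$i-$app-con" passthrough=yes \
            comment="STICKY $app wan$i"
        # beyond the post: every new sticky connection re-adds the source, so the
        # dynamic entry restarts its timeout while the application is still in use
        /ip firewall mangle add chain=prerouting in-interface=lan connection-state=new \
            connection-mark="wan$i-$app-con" action=add-src-to-address-list \
            address-list="client-$app-$i" address-list-timeout=$stickyTimeout \
            comment="REFRESH $app wan$i"
        /ip firewall mangle add chain=prerouting in-interface=lan \
            connection-mark="wan$i-$app-con" action=mark-routing \
            new-routing-mark="wan$i" passthrough=no comment="ROUTING MARK $app wan$i"
    }
    # port-based application: SSL on tcp/443
    /ip firewall mangle add chain=prerouting in-interface=lan connection-state=new \
        src-address-list="client-ssl-$i" protocol=tcp dst-port=443 \
        action=mark-connection new-connection-mark="wan$i-ssl-con" passthrough=yes \
        comment="STICKY ssl wan$i"
    /ip firewall mangle add chain=prerouting in-interface=lan connection-state=new \
        connection-mark="wan$i-ssl-con" action=add-src-to-address-list \
        address-list="client-ssl-$i" address-list-timeout=$stickyTimeout \
        comment="REFRESH ssl wan$i"
    /ip firewall mangle add chain=prerouting in-interface=lan \
        connection-mark="wan$i-ssl-con" action=mark-routing \
        new-routing-mark="wan$i" passthrough=no comment="ROUTING MARK ssl wan$i"
}

# ---- 2. nth load balancing, nth=N,1 first down to nth=1,1 ----
# each rule only sees the new packets the rules above it did not take, so
# N,1 then N-1,1 ... 1,1 spreads new connections evenly over the N links
:for i from=$wan to=1 step=-1 do={
    /ip firewall mangle add chain=prerouting in-interface=lan connection-state=new \
        dst-address-list=!local nth="$i,1" \
        action=mark-connection new-connection-mark="wan$i-con" passthrough=yes \
        comment="LB_NTH wan$i"
    # remember which link this client was given, per application
    :foreach app in=$apps do={
        /ip firewall mangle add chain=prerouting in-interface=lan \
            connection-mark="wan$i-con" dst-address-list=$app \
            action=add-src-to-address-list address-list="client-$app-$i" \
            address-list-timeout=$stickyTimeout comment="$app -> client-$app-$i"
    }
    /ip firewall mangle add chain=prerouting in-interface=lan \
        connection-mark="wan$i-con" protocol=tcp dst-port=443 \
        action=add-src-to-address-list address-list="client-ssl-$i" \
        address-list-timeout=$stickyTimeout comment="ssl -> client-ssl-$i"
    /ip firewall mangle add chain=prerouting in-interface=lan \
        connection-mark="wan$i-con" action=mark-routing new-routing-mark="wan$i" \
        passthrough=no comment="LB_NTH wan$i"
}
```

Run it once from a terminal or as a system script; running it again appends a second copy of every rule, so clear the chain first. The REFRESH rules rely on a re-added dynamic address-list entry restarting its timeout, and they are limited to connection-state=new so that an idle connection's packets do not keep a client pinned forever.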
Some may ask why the timeout is set to 24 hours. It is a guess at how long a client stays connected to an application, whether that is a rapidshare download, a Point Blank session or SSL; "connected" here means it keeps opening new connections for as long as it uses that application. For rapidshare 2 minutes would probably do, SSL perhaps 15 minutes, and for Point Blank it depends on how long the user plays, which is what makes it hard to pick. To be safe it is set to 24 hours and backed by another script that watches the connection marks.

Code:
# number of WAN links
:local wan 5;
:for i from=1 to=$wan do={
    # for each application: if no connection still carries this WAN's sticky
    # connection mark, the matching address list is no longer needed
    :local a [:len [/ip firewall connection find connection-mark="wan$i-rapidshare-con"]];
    :if ($a < 1) do={ /ip firewall address-list remove [find list="client-rapid-$i"] };
    :set a [:len [/ip firewall connection find connection-mark="wan$i-pointblank-con"]];
    :if ($a < 1) do={ /ip firewall address-list remove [find list="client-pointblank-$i"] };
    :set a [:len [/ip firewall connection find connection-mark="wan$i-ssl-con"]];
    :if ($a < 1) do={ /ip firewall address-list remove [find list="client-ssl-$i"] };
}
The idea of this script: if no connection with the given connection mark is found, remove the address list that corresponds to that connection mark. For example wan1-ssl-con always corresponds to client-ssl-1, and so on.


This script is scheduled to run periodically, for example every hour. Another approach is a script that pings each client IP; if there is no reply the client is off, and the next step is to remove the address-list entries belonging to that client.

Code:
# client IPs 192.168.0.1-10
:for i from=1 to=10 do={
    :local ip "192.168.0.$i";
    # /ping returns the number of replies received; fewer than 2 of 5 means the client is down
    :if ([/ping $ip count=5 size=28] < 2) do={
        # remove this client's own entries from the sticky lists, matched by address:
        # the number in a list name is the WAN index, not the client index
        /ip firewall address-list remove [find address=$ip list~"^client-(rapid|pointblank|ssl)-"]
    }
}
Run the script on a 1-minute schedule.


A full explanation with pictures will go into the load balancing tutorial.


Regards,