2 WAN load balancing with recursive routes problem

Hello

I have a problem configuring a router to load-balance across 2 ISPs using recursive routes.
This config only does fail-over, not load balancing. How can I fix it?
Any ideas?


this is my conf :

model = CCR1009-7G-1C-1S+

# Interface layout: ether1/ether2 are the two ISP uplinks, ether3/ether4 carry
# the LAN VLANs, ether7 and ether6 are bridged into LAN_Management.
/interface bridge
add name=LAN_Management
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
# Every active port is pinned to speed=100Mbps, LAN-facing ones included;
# presumably intentional -- confirm it is not a leftover.
# Naming note: the ISP2 uplink on ether2 is called eth1_ISP2.
set [ find default-name=ether1 ] name=eth1_ISP1 speed=100Mbps
set [ find default-name=ether2 ] name=eth1_ISP2 speed=100Mbps
set [ find default-name=ether3 ] name=eth3_LAN1 speed=100Mbps
set [ find default-name=ether4 ] name=eth4_LAN2 speed=100Mbps
set [ find default-name=ether7 ] name=eth7_LAN3 speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=
10M-full,100M-full,1000M-full disabled=yes
/interface vlan
add interface=eth4_LAN2 name=VL110_P vlan-id=110
add interface=eth3_LAN1 name=VL120_M vlan-id=120
add interface=eth3_LAN1 name=VL130_PERS vlan-id=130
/interface list
# The WAN and LAN interface lists are created, but in the config shown here no
# member is added to them and no rule references them (the firewall rules
# below match on in-interface=eth1_ISP1/eth1_ISP2 and on the address list
# named LAN, which is a different object).
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=LAN_Management interface=eth7_LAN3
add bridge=LAN_Management interface=ether6
/interface l2tp-server server
# SECURITY: the IPsec pre-shared key is in clear text in a public post; treat
# it as compromised and replace it before this config is reused. Nothing in
# the config shown restricts where the L2TP/IPsec server is reachable from, so
# it is exposed on both ISP uplinks unless an input filter rule outside this
# export limits it.
set enabled=yes ipsec-secret=testvpn use-ipsec=yes

/ip address
# Four internal subnets plus the two public uplink addresses (posted as-is).
add address=192.168.0.1/24 interface=VL130_PERS network=192.168.0.0
add address=10.0.0.1/22 interface=VL110_P network=10.0.0.0
# The Connected address list below covers these two ISP networks as /24,
# although the interfaces actually hold a /29 and a /25.
add address=86.34.186.154/29 interface=eth1_ISP1 network=86.34.186.152
add address=185.132.173.29/25 interface=eth1_ISP2 network=185.132.173.0
# This address sits on eth7_LAN3, which is a member port of the bridge
# LAN_Management; normally the bridge interface itself should carry the
# address -- confirm this is intended.
add address=172.16.172.1/24 interface=eth7_LAN3 network=172.16.172.0
add address=192.168.2.1/24 interface=VL120_M network=192.168.2.0
/ip dns
# Both resolvers double as recursive-route check hosts further down, and the
# /32 routes there send 1.1.1.1 and 8.8.8.8 out via the ISP1 gateway. The
# router's own DNS lookups therefore always use ISP1; if ISP1 is down they
# fail even though ISP2 is up. allow-remote-requests is not set here.
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# LAN: internal sources eligible for routing marks and LAN>WAN marking.
add address=192.168.0.0/24 list=LAN
add address=172.16.172.0/24 list=LAN
add address=192.168.2.0/24 list=LAN
add address=10.0.0.0/22 list=LAN
# Connected: destinations that must never be routed out via a WAN (the mangle
# chain accepts Connected->Connected traffic before any routing mark is set).
# The two ISP entries are /24 while the interfaces hold /29 and /25.
add address=86.34.186.0/24 list=Connected
add address=185.132.173.0/24 list=Connected
add address=192.168.0.0/24 list=Connected
add address=172.16.172.0/24 list=Connected
add address=192.168.2.0/24 list=Connected
add address=10.0.0.0/22 list=Connected
# 192.168.89.0/24 has no /ip address entry in this export -- presumably the
# L2TP client pool (it is also masqueraded in /ip firewall nat); confirm.
add address=192.168.89.0/24 list=Connected
add address=192.168.89.0/24 list=LAN
/ip firewall filter
# The only filter rules in this export are the two SNMP rules below: there is
# no established/related accept, no invalid drop, no default drop on input
# from eth1_ISP1/eth1_ISP2 and no forward-chain policy at all. Unless such
# rules exist outside this export, every service the router itself listens on
# (management services, the L2TP/IPsec server enabled above) is reachable
# from both uplinks.
# "de la" in the comment is Romanian for "from".
add action=accept chain=input comment="accept snmp de la 172.16.172.22"
dst-port=161 protocol=udp src-address=172.16.172.22
add action=drop chain=input comment="drop snmp from all" dst-port=161
protocol=udp
/ip firewall mangle
# Rule order matters only within a chain. Since every mark-routing rule uses
# passthrough=yes, a packet keeps walking the chain and the LAST matching
# mark-routing rule decides its routing mark.
#
# These two rules duplicate the RTL>LAN / CBS>LAN translation further down,
# and the second one is wrong (RTL>LAN -> ISP2); it is only harmless because
# the later RTL>LAN -> ISP1 rule overwrites the mark again.
add action=mark-routing chain=prerouting connection-mark=RTL>LAN
new-routing-mark=ISP1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=RTL>LAN
new-routing-mark=ISP2 passthrough=yes src-address-list=LAN
# Connections to the router itself are tagged with the WAN they arrived on,
# so the output-chain rules below can send the replies back the same way.
add action=mark-connection chain=input comment=WAN>ROS connection-mark=
no-mark in-interface=eth1_ISP1 new-connection-mark=RTL>ROS
passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=
eth1_ISP2 new-connection-mark=CBS>ROS passthrough=yes
# accept in mangle ends processing of this chain for the packet: traffic
# between Connected networks never receives a routing mark.
add action=accept chain=prerouting comment="Connected networks -> accept"
dst-address-list=Connected src-address-list=Connected
add action=mark-routing chain=output connection-mark=RTL>ROS
new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=CBS>ROS
new-routing-mark=ISP2 passthrough=yes
# WAN-originated connections to LAN hosts (the dst-nat targets) are tagged
# with their inbound WAN ...
add action=mark-connection chain=forward comment=WAN>LAN connection-mark=
no-mark in-interface=eth1_ISP1 new-connection-mark=RTL>LAN
passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark
in-interface=eth1_ISP2 new-connection-mark=CBS>LAN passthrough=yes
# ... and the LAN replies are pinned to that WAN.
add action=mark-routing chain=prerouting connection-mark=RTL>LAN
new-routing-mark=ISP1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=CBS>LAN
new-routing-mark=ISP2 passthrough=yes src-address-list=LAN
# New LAN-originated connections to non-local destinations get LAN>WAN.
add action=mark-connection chain=prerouting comment="LAN > WAN"
connection-mark=no-mark dst-address-list=!Connected dst-address-type=
!local new-connection-mark=LAN>WAN passthrough=yes src-address-list=LAN
# Why there is no load balancing: the next four rules have identical match
# conditions (connection-mark=LAN>WAN, src-address-list=LAN) and no nth= or
# per-connection-classifier, so every new LAN>WAN packet matches all four in
# turn and ends with the mark of the last one, ISP2. All new connections thus
# use the ISP2 table, reaching ISP1 only through its distance=2 backup route.
add action=mark-routing chain=prerouting comment="Load Balancehere"
connection-mark=LAN>WAN new-routing-mark=ISP1 passthrough=yes
src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=LAN>WAN
new-routing-mark=ISP2 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=LAN>WAN
new-routing-mark=ISP1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=LAN>WAN
new-routing-mark=ISP2 passthrough=yes src-address-list=LAN
# Sticky marks: the connection is bound to whichever routing mark the packet
# carries at this point -- given the above, that is always ISP2.
add action=mark-connection chain=prerouting comment=
"Stick connections after this" connection-mark=LAN>WAN
new-connection-mark=Sticky_ISP1 passthrough=yes routing-mark=ISP1
add action=mark-connection chain=prerouting connection-mark=LAN>WAN
new-connection-mark=Sticky_ISP2 passthrough=yes routing-mark=ISP2
add action=mark-routing chain=prerouting connection-mark=Sticky_ISP1
new-routing-mark=ISP1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_ISP2
new-routing-mark=ISP2 passthrough=yes src-address-list=LAN
/ip firewall nat
# Published services. All dst-nat rules match in-interface=eth1_ISP1 only, so
# these hosts are reachable from the Internet via ISP1 and not via ISP2. With
# no forward-chain filter in this export, these rules are the only thing
# gating inbound access to LAN hosts: just the listed ports are translated.
add action=dst-nat chain=dstnat dst-port=80 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.254 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.254 to-ports=443
add action=dst-nat chain=dstnat dst-port=554 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.19 to-ports=554
add action=dst-nat chain=dstnat dst-port=555 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.20 to-ports=555
add action=dst-nat chain=dstnat dst-port=8000 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.19 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.20 to-ports=8001
add action=dst-nat chain=dstnat dst-port=8003 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.75 to-ports=8003
add action=dst-nat chain=dstnat dst-port=8083 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.19 to-ports=8083
add action=dst-nat chain=dstnat dst-port=8084 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.20 to-ports=8084
add action=dst-nat chain=dstnat dst-port=8103 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.236 to-ports=8103
add action=dst-nat chain=dstnat dst-port=8185 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.236 to-ports=8185
add action=dst-nat chain=dstnat dst-port=8881 in-interface=eth1_ISP1
protocol=tcp to-addresses=192.168.0.254 to-ports=8881
# The only rule that changes the port (8080 -> 80).
add action=dst-nat chain=dstnat comment="nms monitor" dst-port=8080
in-interface=eth1_ISP1 protocol=tcp to-addresses=192.168.0.7
to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8307 in-interface=
eth1_ISP1 protocol=tcp to-addresses=172.16.172.101 to-ports=8307
# Outbound: one masquerade per uplink; the routing mark decides which applies.
add action=masquerade chain=srcnat out-interface=eth1_ISP1
add action=masquerade chain=srcnat out-interface=eth1_ISP2
# This masquerade has no out-interface, so VPN-client traffic is also
# source-NATed toward the internal LANs, hiding the client's 192.168.89.x
# address from LAN hosts and their logs. Presumably it should be limited to
# the two WAN interfaces -- confirm.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
# Disabled: would expose a clear-text telnet service (port 23) on
# 172.16.172.2 to the Internet via TCP/35265, with logging. Keep it disabled;
# reach that host over the VPN instead. dst-address-list="" is an empty
# value, presumably an export artifact.
add action=dst-nat chain=dstnat disabled=yes dst-address-list="" dst-port=
35265 in-interface=eth1_ISP1 log=yes protocol=tcp to-addresses=
172.16.172.2 to-ports=23
/ip route
# Per-ISP tables: each has its own virtual gateway first and the other WAN's
# virtual gateway as distance=2 backup. 10.1.1.1 / 10.2.2.2 are not real
# next hops; they are resolved recursively through the /32 routes below.
add distance=1 gateway=10.1.1.1 routing-mark=ISP1
add distance=2 gateway=10.2.2.2 routing-mark=ISP1
add distance=1 gateway=10.2.2.2 routing-mark=ISP2
add distance=2 gateway=10.1.1.1 routing-mark=ISP2
# Check hosts pinned to a physical uplink (x = last octet of the real ISP
# gateway, redacted in the post): 1.1.1.1 and 8.8.8.8 via ISP1, 1.0.0.1 and
# 8.8.4.4 via ISP2. Because 1.1.1.1/8.8.8.8 are also the DNS servers, the
# router's DNS traffic is tied to ISP1.
add distance=1 dst-address=1.0.0.1/32 gateway=185.132.173.x scope=10
add distance=1 dst-address=1.1.1.1/32 gateway=86.34.186.x scope=10
add distance=1 dst-address=8.8.4.4/32 gateway=185.132.173.x scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=86.34.186.x scope=10
# Virtual gateways: each is reachable via two check hosts on the same uplink
# at equal distance, each monitored with check-gateway=ping, so the uplink is
# treated as down only when both check hosts stop answering ICMP. Note this
# trusts third-party hosts to keep answering pings.
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=8.8.8.8
scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=1.1.1.1
scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=1.0.0.1
scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=8.8.4.4
scope=10
# No default route in the main table appears in this export; router-originated
# traffic that gets no routing mark has no default route unless one exists
# outside what is shown here -- confirm.

I'm not qualified to talk about mangle or routing, but I would simplify those dst-nat rules somewhat.

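# Same published services as the original, with rules that share a target
# host merged on a dst-port list. Everything stays ISP1-only
# (in-interface=eth1_ISP1). to-ports is omitted where the port is unchanged.
/ip firewall nat
# 192.168.0.254: the original forwards 80, 443 and 8881 (not 881).
add action=dst-nat chain=dstnat dst-port=80,443,8881 in-interface=eth1_ISP1 protocol=tcp to-addresses=192.168.0.254
add action=dst-nat chain=dstnat dst-port=554,8000,8083 in-interface=eth1_ISP1 protocol=tcp to-addresses=192.168.0.19
# No to-ports here: with to-ports=555 every port in the list would be
# rewritten to 555, while the original keeps 8001 and 8084 unchanged.
add action=dst-nat chain=dstnat dst-port=555,8001,8084 in-interface=eth1_ISP1 protocol=tcp to-addresses=192.168.0.20
add action=dst-nat chain=dstnat dst-port=8003 in-interface=eth1_ISP1 protocol=tcp to-addresses=192.168.0.75
add action=dst-nat chain=dstnat dst-port=8103,8185 in-interface=eth1_ISP1 protocol=tcp to-addresses=192.168.0.236
# The only rule that changes the port (8080 -> 80), so it keeps to-ports.
add action=dst-nat chain=dstnat comment="nms monitor" dst-port=8080 in-interface=eth1_ISP1 protocol=tcp to-addresses=192.168.0.7 to-ports=80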

Disabled rules

# Both rules stay disabled. The second one would publish a clear-text telnet
# service (172.16.172.2:23) on the Internet via TCP/35265, with log=yes;
# prefer reaching that host over the VPN. The curly quotes around "" are a
# forum artifact -- the original rule has dst-address-list="".
add action=dst-nat chain=dstnat disabled=yes dst-port=8307 in-interface=
eth1_ISP1 protocol=tcp to-addresses=172.16.172.101
add action=dst-nat chain=dstnat disabled=yes dst-address-list=“” dst-port=
35265 in-interface=eth1_ISP1 log=yes protocol=tcp to-addresses=
172.16.172.2 to-ports=23

With this config I also cannot connect to the MikroTik from outside.

Your mangle rules are extremely detailed and complex, some of them are redundant, and there are even mistakes compensated by other mistakes.

If you want to use WAN redundancy together with load distribution, I'd recommend assigning the connection marks only when processing packets coming in via a WAN, and translating connection marks into routing marks that enforce a route through a single WAN (no backup route through the other WAN for them). When NAT is involved, a failure of a WAN path breaks any connection established through that path anyway, so there is no point in using a backup route for mid-connection packets. The redundancy consists in giving the first packet of a LAN-originated connection a chance to take a backup route if the primary one is down. The connection mark is only assigned to a LAN-originated connection when its first response packet arrives, sticking that connection to the WAN path it actually used.

So there would be four routing tables in total:

/ip route

# wanN.virtual.gateway.ip is a placeholder for the recursive virtual gateway
# of each uplink (10.1.1.1 / 10.2.2.2 in the original config, presumably).
# only-WANn: a single route with no fallback, for connections already bound
# to one WAN -- with NAT a mid-connection path change cannot work anyway.
add routing-mark=only-WAN1 gateway=wan1.virtual.gateway.ip

add routing-mark=only-WAN2 gateway=wan2.virtual.gateway.ip

# prefer-WANn: primary plus a distance=2 backup, used only for the first
# packet of a new LAN-originated connection so that it can fail over.
add routing-mark=prefer-WAN1 gateway=wan1.virtual.gateway.ip
add routing-mark=prefer-WAN1 gateway=wan2.virtual.gateway.ip distance=2

add routing-mark=prefer-WAN2 gateway=wan2.virtual.gateway.ip
add routing-mark=prefer-WAN2 gateway=wan1.virtual.gateway.ip distance=2

The mangle rules would look as follows:

/ip firewall mangle

# Unmarked connections are classified once, in the custom chain mark-pre.
add chain=prerouting connection-mark=no-mark action=jump jump-target=mark-pre
# Already-bound LAN connections are forced onto their WAN. passthrough=no
# ends mangle processing for the packet; the second rule keeps the default
# passthrough=yes (irrelevant, as it is the last prerouting rule).
add chain=prerouting src-address-list=LAN connection-mark=use-WAN1 action=mark-routing new-routing-mark=only-WAN1 passthrough=no
add chain=prerouting src-address-list=LAN connection-mark=use-WAN2 action=mark-routing new-routing-mark=only-WAN2

# Router-originated replies follow the same binding.
add chain=output connection-mark=use-WAN1 action=mark-routing new-routing-mark=only-WAN1 passthrough=no
add chain=output connection-mark=use-WAN2 action=mark-routing new-routing-mark=only-WAN2

# A connection mark is set only for packets arriving on a WAN: WAN-originated
# connections and the first reply of LAN-originated ones. WAN1/WAN2 are
# placeholders for the uplink interfaces (eth1_ISP1/eth1_ISP2 in the original).
add chain=mark-pre in-interface=WAN1 action=mark-connection new-connection-mark=use-WAN1
add chain=mark-pre in-interface=WAN2 action=mark-connection new-connection-mark=use-WAN2
# Anything marked by now is done; only first packets of new LAN->WAN
# connections continue past this point.
add chain=mark-pre connection-mark=!no-mark action=return
# Placeholders: add the match conditions for traffic that is pinned to one WAN.
add chain=mark-pre …conditions selecting traffic which has to use of WAN1 no matter what… action=mark-routing new-routing-mark=only-WAN1 passthrough=no
add chain=mark-pre …conditions selecting traffic which has to use of WAN2 no matter what… action=mark-routing new-routing-mark=only-WAN2 passthrough=no
# Distribution: nth=2,1 takes every second new connection for prefer-WAN1,
# the remainder fall through to prefer-WAN2.
add chain=mark-pre nth=2,1 action=mark-routing new-routing-mark=prefer-WAN1 passthrough=no
add chain=mark-pre action=mark-routing new-routing-mark=prefer-WAN2 passthrough=no

A rule with nth=2,1 matches every second packet that reaches it; only the initial packets of LAN->WAN connections that are free to use either WAN make it to that rule. The initial packets that this rule skips are processed by the next one.