2 WAN load balancing configuration

Hi Everyone,
I just bought a Mikrotik Hex router and my goals are:

  1. attach 2 WANs in load balancing (maybe 1 in failover) and attach 1 LAN to it;
  2. say that some group of IPs instead needs to directly and only use the failover WAN (for example, using this for my homelab traffic without impacting the users' connection).

Just to give additional details, I already have two routers, provided by the ISP, that connect to the internet:

  • Faster one (to be used by the users), which you can connect to and get an IP on the LAN 192.168.3.0/24 => I will call it WAN1
  • Second one (to be used as failover / by the homelab), which you can connect to and get an IP on the LAN 192.168.1.0/24 => I will call it WAN2

And I would like the Mikrotik router to create the LAN on 192.168.4.0/24 where everything is connected and reachable (user PCs and homelab).
I already did it with a TP-LINK router/load balancer, but it only works up to 100 Mbit. Now I replaced it with this Mikrotik because it supports 1 Gigabit and with the purpose of being able to add more detailed configuration in the future (the TP-LINK is easy to configure, but a lot of basic things seem really impossible to configure).

For goal 1) I tried to follow this wiki:
https://wiki.mikrotik.com/Manual:PCC

So I tried to edit the wiki's quick start for the impatient in this way:

# oct/30/2024 18:36:58 by RouterOS 6.49.13
# software id = NRBT-RFM0
#
# model = RB760iGS
# serial number = HGJ09ZBKGJZ


/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=ether5 ] name=LAN5

#/interface list
#add name=WAN
#add name=LAN

/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=LAN5 list=LAN
add interface=sfp1 list=LAN

/ ip address
add address=192.168.4.1/24 network=192.168.4.0 broadcast=192.168.4.255 interface=LAN5
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 interface=WAN1
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN2

/ ip firewall mangle
add chain=prerouting dst-address=192.168.3.1/24 action=accept in-interface=LAN5
add chain=prerouting dst-address=192.168.1.1/24  action=accept in-interface=LAN5
add chain=prerouting in-interface=WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_conn
add chain=prerouting  in-interface=LAN5 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn 
add chain=prerouting  in-interface=LAN5 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn
add chain=prerouting connection-mark=WAN1_conn in-interface=LAN5 action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN5 action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1     
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1  distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=2 check-gateway=ping

/ ip firewall nat 
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

The first problem is that in the terminal just using the import command didn’t work well because it said that some interfaces already exist. So the problem was that I don’t know how to say “overwrite every configuration and just import this”, and this means that the new configuration conflicts with the existing one. So I just entered it command by command in the terminal interface (looking at what already exists and avoiding it) and then re-exported the entire configuration to show it to you, and that’s it:

# jan/02/1970 00:05:45 by RouterOS 6.49.13
# software id = NRBT-RFM0
#
# model = RB760iGS
# serial number = HGJ09ZBKGJZ
/interface bridge
add admin-mac=D4:01:C3:C9:39:58 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=ether5 ] name=LAN5
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=WAN2
add bridge=bridge comment=defconf interface=LAN3
add bridge=bridge comment=defconf interface=LAN4
add bridge=bridge comment=defconf interface=LAN5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=LAN5 list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.4.1/24 interface=LAN5 network=192.168.4.0
add address=192.168.3.1/24 interface=WAN1 network=192.168.3.0
add address=192.168.1.1/24 interface=WAN2 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=WAN1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# in/out-interface matcher not possible when interface (LAN5) is slave - use master instead (bridge)
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
    LAN5
# in/out-interface matcher not possible when interface (LAN5) is slave - use master instead (bridge)
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    LAN5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn
# in/out-interface matcher not possible when interface (WAN2) is slave - use master instead (bridge)
# bad new connection mark
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2
# in/out-interface matcher not possible when interface (WAN2) is slave - use master instead (bridge)
# bad new connection mark
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1_conn
# in/out-interface matcher not possible when interface (WAN2) is slave - use master instead (bridge)
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2_conn
# in/out-interface matcher not possible when interface (LAN5) is slave - use master instead (bridge)
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=LAN5 new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/0
# in/out-interface matcher not possible when interface (LAN5) is slave - use master instead (bridge)
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=LAN5 new-connection-mark=WAN2_conn \
    per-connection-classifier=both-addresses:2/1
# in/out-interface matcher not possible when interface (LAN5) is slave - use master instead (bridge)
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
    in-interface=LAN5 new-routing-mark=to_WAN1
# in/out-interface matcher not possible when interface (LAN5) is slave - use master instead (bridge)
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
    in-interface=LAN5 new-routing-mark=to_WAN2
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WAN1
# in/out-interface matcher not possible when interface (WAN2) is slave - use master instead (bridge)
add action=masquerade chain=srcnat out-interface=WAN2
/ip route
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=2 gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So the result is that I have a lot of errors like:

# in/out-interface matcher not possible when interface (WAN2) is slave - use master instead (bridge)

which, not being an expert, I don’t know what it means or how to fix it. Also I’m noticing that I have a lot of extra lines of code that I didn’t input.

Also the connection to the internet works “strangely” because I was able to reach Google to search for things, but then I wasn’t able to open any other page.

I think I’m very far from the solution; even if what I need seems “simple”, it is not simple for me to configure. So, is there any step-by-step how-to that I can follow? Maybe I’m not the first who wants to load balance 2 WAN connections.

Thanks in advance,
Neptune.
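An added example, not part of the post above or of the MikroTik wiki, showing one way to re-apply the wiki's PCC quick start on top of the hEX default configuration so that it does not produce the errors in the export. Two things in the export drive it: WAN2 and LAN5 are still member ports of the default `bridge` (the "use master instead (bridge)" comments mean that mangle and NAT rules can only match on the bridge, not on its slave ports), and the first config gives the hEX the very addresses (192.168.3.1 and 192.168.1.1) that it then uses as gateways. The hEX WAN addresses 192.168.3.2 and 192.168.1.2, the gateways 192.168.3.1 and 192.168.1.1 (assumed to be the ISP routers), and re-addressing the existing bridge LAN to 192.168.4.0/24 are assumptions.

```routeros
# Added example for RouterOS 6.49 on an RB760iGS (hEX); not the original post's
# config. Applied on top of the default configuration. Assumptions: ISP routers
# answer at 192.168.3.1 (WAN1) and 192.168.1.1 (WAN2), the hEX takes .2 on each,
# and the single LAN stays on the default "bridge", re-addressed to 192.168.4.0/24.
# Run from a console session with Safe Mode (Ctrl+X) on, so a mistake is undone
# when the session drops instead of locking you out.

/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2

# ether2 is a bridge port in the default config; a WAN must not be one.
/interface bridge port
remove [ find interface=WAN2 ]

# WAN1 and the bridge are already in the WAN and LAN lists (defconf);
# the bridge member ports themselves are never listed.
/interface list member
add interface=WAN2 list=WAN

# Static WAN addresses only; the DHCP client on WAN1 would fight the static one.
/ip dhcp-client
remove [ find interface=WAN1 ]
/ip address
add address=192.168.3.2/24 interface=WAN1
add address=192.168.1.2/24 interface=WAN2
set [ find interface=bridge ] address=192.168.4.1/24 network=192.168.4.0
/ip pool
set [ find name=dhcp ] ranges=192.168.4.10-192.168.4.254
/ip dhcp-server network
set [ find address=192.168.88.0/24 ] address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1

/ip firewall mangle
# Traffic to the ISP routers' own LANs stays in the main table.
add chain=prerouting in-interface=bridge dst-address=192.168.3.0/24 action=accept
add chain=prerouting in-interface=bridge dst-address=192.168.1.0/24 action=accept
# Connections arriving from the internet are pinned to the WAN they came in on.
add chain=prerouting in-interface=WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_conn
# New LAN connections are split 50/50 by a hash of source and destination address.
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=bridge connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn
# Every packet of a marked connection gets the matching routing mark.
add chain=prerouting in-interface=bridge connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=bridge connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

# Fasttracked packets bypass the firewall, mangle included, so keep marked
# connections out of the defconf fasttrack rule instead of relying on it.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN2 check-gateway=ping
# Main table: WAN1 preferred, WAN2 as failover. When a marked table's only
# gateway is down, its route is inactive and lookups fall through to here.
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=2 check-gateway=ping

# The defconf masquerade rule already matches out-interface-list=WAN, so the
# two per-interface masquerade rules from the post are not needed.
```

The import conflict in the post comes from applying a full export onto a router that already has the default configuration; either apply only the delta, as above, or start clean with `/system reset-configuration no-defaults=yes` and build every section yourself. `check-gateway=ping` only notices the ISP router itself going dead, not the ISP link behind it staying up with no internet; recursive routing to a public address is the usual way to check the path end to end.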

Let's get some clarity.
You are going to keep the two ISP modems and ISP routers in place.
They will each provide their own private LAN like 192.168.1.0/24 and 192.168.2.0/24
You will assign a fixed private IP on each ISP router and will use that as the WAN IP for the hex, WAN1 and WAN2
++++++++++++++++++++++
Behind the hex you want a single private LAN
Most Users should use WAN1, a few users should use WAN2

If WAN1 fails, then all the users there should use WAN2
If WAN2 fails, then the few users there should use WAN1.

AKA there is no load balancing going on

I think it would be much easier and smarter to simply have two subnets, one for all users and one for the lab, much easier to make rules for.
I would do it as two VLANs attached to the bridge

+++++++++++++++++++++++++++++++++++++++++++

Not sure why you named your ether ports LAN3, LAN4, LAN5; you only have one LAN.
In any case,
if the bridge is indicated as LAN interface list member then none of the etherports should be. ( for the ports associated to the bridge )

Why did you associate the IP address with LAN5? It needs to be associated with the bridge?? Or is this an off-bridge config access… if so, GOOD.

EDIT: Okay I see on the lower config shown, you added the .88 address to the bridge.
If that is the case and ether5 is a separate subnet, then it should be REMOVED from the bridge and if indeed separate you ONLY need the bridge and ether5 as part of your LAN interface list.

PROBLEM WITH YOUR WAN1 (it's either IP address or IP DHCP client, but NOT both): suggest DISABLING the IP DHCP client setting!!

Your mangles, LB and routes are hosed.
You need to decide what the actual requirements are PRIOR to creating the config, as I alluded to at the top of this post.
Mangle rules and Routes take like 5 minutes once there is a clear understanding.

I see no identification of the LAB in your scenario, I was expecting a source address list for example.
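An added example of the design the reply describes, not the reply's own config: two VLANs on one bridge, users on one subnet using WAN1 with WAN2 as failover, the lab on the other subnet identified by a source address list and using WAN2 with WAN1 as failover, and no PCC at all. Everything numeric is an assumption: ISP routers at 192.168.3.1 and 192.168.1.1 with the hEX at .2 on each, users on VLAN 10 = 192.168.10.0/24 behind ether3 and ether4, lab on VLAN 20 = 192.168.20.0/24 behind ether5, and the interface and list names.

```routeros
# Added example for RouterOS 6.49 on the hEX, written for a router reset with
#   /system reset-configuration no-defaults=yes
# Assumptions: ISP routers 192.168.3.1 (WAN1) and 192.168.1.1 (WAN2), hEX at .2
# on each; users VLAN 10 = 192.168.10.0/24 on ether3/ether4; lab VLAN 20 =
# 192.168.20.0/24 on ether5. Apply from the console with Safe Mode (Ctrl+X):
# turning on vlan-filtering with a wrong pvid cuts off the port you sit on.

/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2

# One bridge; access ports are put into their VLAN by pvid; WANs stay off it.
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether3,ether4
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether5
/interface vlan
add name=vlan10-users interface=bridge vlan-id=10
add name=vlan20-lab interface=bridge vlan-id=20
/interface bridge
set bridge vlan-filtering=yes

# Only the L3 interfaces go in the lists; bridge member ports never do.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=vlan10-users list=LAN
add interface=vlan20-lab list=LAN

/ip address
add address=192.168.3.2/24 interface=WAN1
add address=192.168.1.2/24 interface=WAN2
add address=192.168.10.1/24 interface=vlan10-users
add address=192.168.20.1/24 interface=vlan20-lab

/ip pool
add name=pool-users ranges=192.168.10.10-192.168.10.254
add name=pool-lab ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add name=dhcp-users interface=vlan10-users address-pool=pool-users disabled=no
add name=dhcp-lab interface=vlan20-lab address-pool=pool-lab disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
/ip dns
set allow-remote-requests=yes

# The lab is identified by a source address list: another lab host or subnet
# is one more list entry, not another mangle rule.
/ip firewall address-list
add list=LAB address=192.168.20.0/24
add list=LOCAL_NETS address=192.168.10.0/24
add list=LOCAL_NETS address=192.168.20.0/24
add list=LOCAL_NETS address=192.168.3.0/24
add list=LOCAL_NETS address=192.168.1.0/24

/ip firewall mangle
# Anything bound for a directly connected network keeps using the main table,
# otherwise the lab's default route would drag users-VLAN traffic out WAN2.
add chain=prerouting in-interface-list=LAN dst-address-list=LOCAL_NETS action=accept
# Only lab traffic is policy-routed; users need no mark at all.
add chain=prerouting in-interface-list=LAN src-address-list=LAB action=mark-routing new-routing-mark=via_WAN2 passthrough=no

/ip route
# Main table: users leave via WAN1; WAN2 takes over when the WAN1 gateway stops answering.
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=2 check-gateway=ping
# via_WAN2 table: the mirror image for the lab.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 routing-mark=via_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=2 routing-mark=via_WAN2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
# Router management only from the users VLAN; the lab gets DNS and DHCP, nothing else.
add chain=input in-interface=vlan10-users action=accept
add chain=input in-interface=vlan20-lab protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=vlan20-lab protocol=tcp dst-port=53 action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Two subnets make isolation a one-liner: the lab cannot open connections to
# the users VLAN, while users may still reach the lab and both reach the WANs.
add chain=forward in-interface=vlan20-lab out-interface=vlan10-users action=drop
add chain=forward in-interface-list=LAN action=accept
add chain=forward action=drop
```

Without fasttrack in this filter set, every packet passes mangle, so the routing mark is applied consistently; if a fasttrack rule is added later, exclude marked connections from it. As with any `check-gateway=ping` setup, the failover triggers only when the ISP router itself stops replying, not when its upstream link is down while the router still answers.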