I have 2 WANs via PPPOE client and I want to establish a load balancer
I have used the following code
/ip firewall mangle
add chain=prerouting dst-address-list=MEGARON src-address-list=MEGARON
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=pppoe-CYTA1 new-connection-mark=ISP1_conn passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=pppoe-CYTA2 new-connection-mark=ISP2_conn passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=pppoe-CYTA1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=pppoe-CYTA2 new-connection-mark=ISP2_conn
/ip firewall mangle
add action=jump chain=prerouting connection-mark=no-mark in-interface=WLAN \
jump-target=policy_routing
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
new-routing-mark=ISP1_traffic src-address-list=MEGARON
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
new-routing-mark=ISP2_traffic src-address-list=MEGARON
/ip firewall mangle
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=ISP1_traffic
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=ISP2_traffic
/ip firewall mangle
add action=mark-connection chain=policy_routing dst-address-type=!local \
new-connection-mark=ISP1_conn per-connection-classifier=\
both-addresses:2/0
add action=mark-connection chain=policy_routing dst-address-type=!local \
new-connection-mark=ISP2_conn per-connection-classifier=\
both-addresses:2/1
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=443 \
new-routing-mark=HTTPS passthrough=no protocol=tcp
/ip route
add check-gateway=arp distance=1 gateway=pppoe-CYTA1 routing-mark=ISP1_traffic
add check-gateway=arp distance=1 gateway=pppoe-CYTA2 routing-mark=ISP2_traffic
add check-gateway=arp distance=2 gateway=pppoe-CYTA1
add check-gateway=arp distance=3 gateway=pppoe-CYTA2
/ip route
add check-gateway=arp disabled=no distance=7 dst-address=0.0.0.0/0 gateway=\
pppoe-1 routing-mark=HTTPS scope=30 target-scope=10
add check-gateway=arp disabled=no distance=8 dst-address=0.0.0.0/0 gateway=\
pppoe-2 routing-mark=HTTPS scope=30 target-scope=10
I have these blue values on routes as seen on screenshot
Why are these values in blue ?
My balancer always is loading more the first ppoe wan interface and less the second ppoe wan
Any suggestion ?
the route changes to "s " blue is because of “distance” which set to 3
use pcc to load balance
You can have only DEFAULT route active at a time.
Route in Blue shows that they are available but will not be used as ACTIVE gateway (until previous active route with lowest distance value is not available)
If you have multiple default routes available , then the route with lowest distance value will be selected as ACTIVE, rest will be available but will not be used until first goes down.
Regarding 2 wan pppoe LB, sample working config is attached. Hope it may help you.
### make sure to change the src-address list to match you or use address-list feature, 172.16.0.0/16 is our pppoe client ip pool
/ip firewall mangle
add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2
# Mark connection
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address=172.16.0.0/16
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address=172.16.0.0/16
# Routing marks
add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes src-address=172.16.0.0/16
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes src-address=172.16.0.0/16
### NATTING both WAN connection for PPPoE IP Pool users only
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2 src-address=172.16.0.0/16
### Setting Default Routes for MARKED packets (zaib)
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10
# Setting default routes for non marked packets if any
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 scope=30 target-scope=10
Thank you Syed
Does your sample config solves issues with the routing of secure websites with 2 factor authentication?
I mean do I have to mark https traffic and route it to other gateways as shown below
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=443 \
new-routing-mark=HTTPS passthrough=no protocol=tcp
/ip route
add check-gateway=arp disabled=no distance=7 dst-address=0.0.0.0/0 gateway=\
pppoe-1 routing-mark=HTTPS scope=30 target-scope=10
add check-gateway=arp disabled=no distance=8 dst-address=0.0.0.0/0 gateway=\
pppoe-2 routing-mark=HTTPS scope=30 target-scope=10
Sample config is using SRC-ADDRESS as classifier.
In src-address approach, the source address of a client will always be the same, so all traffic from a particular client will always match the same PCC matcher, and will always be put on the same link therefore there will be no issue of IP changing and HTTPS or similar secure sites will run fine.
Give it a try & adjust according to your requirements.
