Hi everyone.
Recently, my office bought a brand new Mikrotik CCR2116-12G-4S+ with v7.8 firmware. Currently, we have two WAN connections at the office. Both connections are dialed up using PPPoE but they are from two different ISPs. Our plan is whenever WAN1 goes down, WAN2 would be able to take over and vice versa.
I’ve been watching some tutorials on youtube on how to do PCC load balancing, particularly on the video linked below. This is the video from Mikrotik official channel.https://www.youtube.com/watch?v=nlb7XAv57tw
However, I could not get my script to run properly. Can someone enlighten me on how to make sure that the script is correct or not? If there are any mistakes, fell free to let me know.
Thanks a lot!
Disclaimer:
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface vlan
add interface=ether1-WAN1 name=vlan500-1 vlan-id=500
add interface=ether2-WAN2 name=vlan500-2 vlan-id=500
/interface pppoe-client
add disabled=no interface=vlan500-1 name=UNIFI-WAN1 user=\
xxxxxxxxxxxx2@unifibiz
add disabled=no interface=vlan500-2 name=UNIFI-WAN2 user=\
xxxxxxxxxxxx123@unifibiz
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-local ranges=192.168.103.151-192.168.103.254
/ip dhcp-server
add address-pool=pool-local interface=bridge-local name=server-local
/port
set 0 name=serial0
/routing table
add disabled=no fib name=UNIFI1
add disabled=no fib name=UNIFI2
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip dhcp-server network
add address=192.168.103.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1,192.168.103.4 \
gateway=192.168.103.4
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether1-WAN1 in-interface-list=all \
new-connection-mark=UNIFI1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether2-WAN2 in-interface-list=all \
new-connection-mark=UNIFI2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=UNIFI1_conn \
new-routing-mark=UNIFI1 passthrough=yes
add action=mark-routing chain=output connection-mark=UNIFI2_conn \
new-routing-mark=UNIFI2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark="" \
connection-state=new in-interface=bridge-local new-connection-mark=\
UNIFI1_conn passthrough=yes per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark="" \
connection-state=new in-interface=bridge-local new-connection-mark=\
UNIFI2_conn passthrough=yes per-connection-classifier=\
src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=UNIFI1_conn \
dst-address-type=!local in-interface=bridge-local new-routing-mark=UNIFI1 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=UNIFI2_conn \
dst-address-type=!local in-interface=bridge-local new-routing-mark=UNIFI2 \
passthrough=yes src-address-type=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=UNIFI-WAN1
# UNIFI-WAN2 not ready
add action=masquerade chain=srcnat out-interface=UNIFI-WAN2
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN1 pref-src="" routing-table=UNIFI1 scope=30 suppress-hw-offload=\
no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN2 pref-src="" routing-table=UNIFI2 scope=30 suppress-hw-offload=\
no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=192.168.103.0/24 gateway=bridge-local \
routing-table=main suppress-hw-offload=no
/system routerboard settings
set enter-setup-on=delete-key
anav
January 8, 2024, 2:08pm
2
Sure, first I would update the firmware to the lastest stable update, 7.8 and earlier 7 versions had issues.
Just to confirm you DON’T WANT primary/failover you want PCC/failover.
Typically its important to know the full breadth of requirements before designing the config
I do note on a quick look that both ISPs although you claim are different looking strikingly the same aka both use vlan 500. Can you confirm that is indeed the case??
anav
January 8, 2024, 2:34pm
3
For mangle rules you dont need the first sets of rules… Not explained properly by the video author, why he has the first set of rules which dont apply YET in your simple case.
add action=mark-connection chain=prerouting connection-mark=no-mark connection-mark=“no-mark” no
LETS look at IP Routes.
This route is not required, its automatically created by the router.add disabled=no dst-address=192.168.103.0/24 gateway=bridge-local
You can check in ip routes and you will see one already dst-address=192.168.103.0/24 gateway=bridge-local
The rest of the routes seem fine.
Sure, first I would update the firmware to the lastest stable update, 7.8 and earlier 7 versions had issues.
Just to confirm you DON’T WANT primary/failover you want PCC/failover.
Typically its important to know the full breadth of requirements before designing the config
I do note on a quick look that both ISPs although you claim are different looking strikingly the same aka both use vlan 500. Can you confirm that is indeed the case??
There is no external traffic to the router and the LAN. There is no LAN traffic that needs to be PCCd as well. Only two WAN connections are attached to the Mikrotik router, since my office is just a small enterprise.
For the second question, it is not the case. My bad. I have edited the ISPs in the script attached later in the second reply.
For mangle rules you dont need the first sets of rules… Not explained properly by the video author, why he has the first set of rules which dont apply YET in your simple case.
add action=mark-connection chain=prerouting connection-mark=no-mark connection-mark=“no-mark” no
LETS look at IP Routes.
This route is not required, its automatically created by the router.add disabled=no dst-address=192.168.103.0/24 gateway=bridge-local
You can check in ip routes and you will see one already dst-address=192.168.103.0/24 gateway=bridge-local
The rest of the routes seem fine.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface vlan
add interface=ether1-WAN1 name=vlan500 vlan-id=500
add interface=ether2-WAN2 name=vlan621 vlan-id=621
/interface pppoe-client
add disabled=no interface=vlan500 name=UNIFI-WAN1 user=\
xxxxxxxxxxxxxxxxxxx@unifibiz
add disabled=no interface=vlan621 name=MAXIS-WAN2 user=\
xxxxxxxxxxxxxxxxxxx@maxis
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-local ranges=192.168.103.151-192.168.103.254
/ip dhcp-server
add address-pool=pool-local interface=bridge-local name=server-local
/port
set 0 name=serial0
/routing table
add disabled=no fib name=UNIFI
add disabled=no fib name=MAXIS
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.103.4/24 interface=bridge-local network=192.168.103.0
/ip dhcp-client
add comment=defconf interface=*12
/ip dhcp-server network
add address=192.168.103.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1 gateway=\
192.168.103.4
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall mangle
add action=mark-routing chain=output connection-mark=UNIFI_conn \
new-routing-mark=UNIFI passthrough=yes
add action=mark-routing chain=output connection-mark=MAXIS_conn \
new-routing-mark=MAXIS passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=bridge-local \
new-connection-mark=UNIFI_conn passthrough=yes \
per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface=bridge-local \
new-connection-mark=MAXIS_conn passthrough=yes \
per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=UNIFI_conn \
in-interface=bridge-local new-routing-mark=UNIFI passthrough=yes
add action=mark-routing chain=prerouting connection-mark=MAXIS_conn \
in-interface=bridge-local new-routing-mark=MAXIS passthrough=yes
add action=mark-routing chain=output connection-mark=UNIFI_conn \
new-routing-mark=UNIFI passthrough=yes
add action=mark-routing chain=output connection-mark=MAXIS_conn \
new-routing-mark=MAXIS passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge-local new-connection-mark=\
UNIFI_conn passthrough=yes per-connection-classifier=\
src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=bridge-local new-connection-mark=\
MAXIS_conn passthrough=yes per-connection-classifier=\
src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=UNIFI_conn \
new-routing-mark=UNIFI passthrough=no
add action=mark-routing chain=prerouting connection-mark=MAXIS_conn \
new-routing-mark=MAXIS passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=UNIFI-WAN1
# UNIFI-WAN2 not ready
add action=masquerade chain=srcnat out-interface=MAXIS-WAN2
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN1 pref-src="" routing-table=UNIFI scope=30 suppress-hw-offload=\
no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
MAXIS-WAN2 pref-src="" routing-table=MAXIS scope=30 suppress-hw-offload=\
no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
MAXIS-WAN2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN1 pref-src="" routing-table=UNIFI scope=30 suppress-hw-offload=\
no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
MAXIS-WAN2 pref-src="" routing-table=MAXIS scope=30 suppress-hw-offload=\
no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
UNIFI-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
MAXIS-WAN2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system routerboard settings
set enter-setup-on=delete-key
Sorry but I have tried to run the script as per your guidance but I’m not exactly sure why it doesn’t work. I might have missed a detail or two. Do you have any idea why?
My current Load Balancing Config.
# 2025-07-31 14:11:39 by RouterOS 7.19.3
# software id = **ELIDED**
#
# model = RB4011iGS+
# serial number = **ELIDED**
/ip firewall mangle
add action=mark-connection chain=prerouting comment=Mark-Connection-ISP2 connection-mark=no-mark connection-state=new in-interface=PPP-ISP2 new-connection-mark=ISP2-MARK
add action=mark-connection chain=prerouting comment=Mark-Connection-ISP3 connection-mark=no-mark connection-state=new in-interface=PPP-ISP3 new-connection-mark=ISP3-MARK
add action=mark-routing chain=output comment=Mark-Routing-ISP2 connection-mark=ISP2-MARK new-routing-mark=ISP2
add action=mark-routing chain=output comment=Mark-Routing-ISP3 connection-mark=ISP3-MARK new-routing-mark=ISP3
add action=mark-connection chain=prerouting comment=PCC-ISP2 connection-mark=no-mark connection-state=new dst-address-type=!local in-interface=all-vlan new-connection-mark=ISP2-MARK \
per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting comment=PCC-ISP3 connection-mark=no-mark connection-state=new dst-address-type=!local in-interface=all-vlan new-connection-mark=ISP3-MARK \
per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting comment=Ag-Mark-Routing-ISP2 connection-mark=ISP2-MARK in-interface=all-vlan new-routing-mark=ISP2
add action=mark-routing chain=prerouting comment=Ag-Mark-Routing-ISP3 connection-mark=ISP3-MARK in-interface=all-vlan new-routing-mark=ISP3
any external traffic to the router itself?? aka wireguard vpn NO NEEDED
any external traffic to the LAN?? aka port forwarding to servers Required
any LAN traffic that should not be PCCd and perhaps go out a specific WAN? NO NEEDED
any traffic entering/leaving the router by VPN? MAKE IT IN DISABLE STATE USE IN FUTURE
Make Sure all Office Workers get Stable Internet Connection especially no session breaking by using src-address
Please Make config for me according to the above requirement.
My Current Global Config.
anav
July 31, 2025, 1:32pm
8
You funny, you dont start your own thread, and on top of that you fail to provide a full config…
# 2025-07-31 22:29:37 by RouterOS 7.19.4
# software id = NULL
#
# model = RB4011iGS+
# serial number = NULL
/interface bridge
add name=BRIDGE-VLAN
/interface ethernet
set [ find default-name=ether1 ] comment=NAYATEL name=eth1-ISP1
set [ find default-name=ether2 ] comment=PTCL-FLASH name=eth2-ISP2
set [ find default-name=ether3 ] comment=STORM-FIBER name=eth3-ISP3
set [ find default-name=ether4 ] comment="Exam-SW-Port-2,(4-12)" name=eth4-vlan-10
set [ find default-name=ether5 ] comment="Office-SW-Port-(13-28)" name=eth5-vlan-20
set [ find default-name=ether6 ] comment=Dev-Testing-to-MT name=eth6-Test
set [ find default-name=ether7 ] comment="Cameras-SW-Port-(29-48)" name=eth7-vlan-30
set [ find default-name=ether8 ] comment=Server-SW-Port-3 name=eth8-vlan-40
set [ find default-name=ether9 ] comment=PortChannel-SW-Port-1 name=eth9-PC1
set [ find default-name=ether10 ] comment=PortChannel-SW-Port-SFP-4 name=eth10-PC2
/interface pppoe-client
add comment=PPP-PTCL-FLASH disabled=no interface=eth2-ISP2 keepalive-timeout=200 max-mtu=1500 name=PPP-ISP2 service-name=PTCL-FLASH use-peer-dns=yes user=
add comment=PPP-STORM-FIBER disabled=no interface=eth3-ISP3 keepalive-timeout=200 max-mtu=1500 name=PPP-ISP3 service-name=STORM-FIBER use-peer-dns=yes user=
/interface vlan
add interface=BRIDGE-VLAN name=VLAN-10 vlan-id=10
add interface=BRIDGE-VLAN name=VLAN-20 vlan-id=20
add interface=BRIDGE-VLAN name=VLAN-30 vlan-id=30
add interface=BRIDGE-VLAN name=VLAN-40 vlan-id=40
/interface bonding
add comment=Bond-eth9-eth10 lacp-rate=1sec mode=802.3ad name=Bond-2 slaves=eth9-PC1,eth10-PC2 transmit-hash-policy=layer-2-and-3
/interface list
add name=WAN
add name=LAN
add comment=All-VLAN-Interfaces name=VLANS
add name=NET
/ip pool
add name=P-VLAN-10 ranges=10.10.0.50-10.10.15.254
add name=P-VLAN-20 ranges=10.20.0.50-10.20.15.254
add name=P-VLAN-30 ranges=10.30.0.50-10.30.15.254
add name=P-VLAN-40 ranges=10.40.0.50-10.40.15.254
add name=P-Test ranges=192.168.200.10-192.168.200.40
/ip dhcp-server
add address-pool=P-VLAN-10 interface=VLAN-10 lease-time=1d30m name=D-VLAN-10
add address-pool=P-VLAN-20 interface=VLAN-20 lease-time=1d30m name=D-VLAN-20
add address-pool=P-VLAN-30 interface=VLAN-30 lease-time=1d30m name=D-VLAN-30
add address-pool=P-VLAN-40 interface=VLAN-40 lease-time=1d30m name=D-VLAN-40
add address-pool=P-Test interface=eth6-Test lease-time=8h30m name=D-Test
/ipv6 dhcp-server
add address-pool=P-VLAN-10 disabled=yes interface=VLAN-10 name=D-VLAN-10 prefix-pool=P-VLAN-10
add address-pool=P-VLAN-20 disabled=yes interface=VLAN-20 name=D-VLAN-20 prefix-pool=P-VLAN-20
add address-pool=P-VLAN-30 disabled=yes interface=VLAN-30 name=D-VLAN-30 prefix-pool=P-VLAN-30
add address-pool=P-VLAN-40 disabled=yes interface=VLAN-40 name=D-VLAN-40 prefix-pool=P-VLAN-40
add address-pool=P-Test disabled=yes interface=eth6-Test name=D-Test prefix-pool=P-Test
/ipv6 pool
add name=P-VLAN-10 prefix=2025:db8:abcd:10::/64 prefix-length=64
add name=P-VLAN-20 prefix=2025:db8:abcd:20::/64 prefix-length=64
add name=P-VLAN-30 prefix=2025:db8:abcd:30::/64 prefix-length=64
add name=P-VLAN-40 prefix=2025:db8:abcd:40::/64 prefix-length=64
add name=P-Test prefix=2025:db8:abcd:200::/64 prefix-length=64
add name=P-VPN prefix=2025:db8:abcd:89::/64 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=ISP2
add disabled=no fib name=ISP3
/certificate settings
set builtin-trust-anchors=not-trusted
/interface bridge port
add bridge=BRIDGE-VLAN interface=eth4-vlan-10 pvid=10
add bridge=BRIDGE-VLAN interface=eth5-vlan-20 pvid=20
add bridge=BRIDGE-VLAN interface=eth7-vlan-30 pvid=30
add bridge=BRIDGE-VLAN interface=eth8-vlan-40 pvid=40
add bridge=BRIDGE-VLAN interface=Bond-2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=BRIDGE-VLAN tagged=Bond-2 untagged=eth4-vlan-10 vlan-ids=10
add bridge=BRIDGE-VLAN tagged=Bond-2 untagged=eth5-vlan-20 vlan-ids=20
add bridge=BRIDGE-VLAN tagged=Bond-2 untagged=eth7-vlan-30 vlan-ids=30
add bridge=BRIDGE-VLAN tagged=Bond-2 untagged=eth8-vlan-40 vlan-ids=40
/interface detect-internet
set detect-interface-list=all internet-interface-list=NET lan-interface-list=VLANS
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=L-VLAN-10 interface=VLAN-10 list=VLANS
add comment=L-VLAN-20 interface=VLAN-20 list=VLANS
add comment=L-VLAN-30 interface=VLAN-30 list=VLANS
add comment=L-VLAN-40 interface=VLAN-40 list=VLANS
add interface=PPP-ISP3 list=NET
add interface=eth2-ISP2 list=NET
/interface ovpn-server server
add mac-address=FE:63:E4:39:FC:55 name=ovpn-server1
/ip address
add address=10.10.0.1/20 interface=VLAN-10 network=10.10.0.0
add address=10.20.0.1/20 interface=VLAN-20 network=10.20.0.0
add address=10.30.0.1/20 interface=VLAN-30 network=10.30.0.0
add address=10.40.0.1/20 interface=VLAN-40 network=10.40.0.0
add address=192.168.200.1/24 interface=eth6-Test network=192.168.200.0
add address=ISP1-PUBLIC-IP interface=eth1-ISP1 network=ISP1-GW
add address=10.50.0.1/20 interface=BRIDGE-VLAN network=10.50.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=10.20.1.100 client-id=1:f4:ce:46:48:f5:5e comment="HP LaserJet P2055dn" mac-address=F4:CE:46:48:F5:5E server=D-VLAN-20
add address=10.30.0.100 comment="Device1" mac-address=00:17:61:11:2C:AE server=D-VLAN-30
add address=10.30.0.200 client-id=1:80:7c:62:1:fb:4e comment="SAT NVR" mac-address=80:7C:62:01:FB:4E server=D-VLAN-30
add address=10.20.0.100 comment="Dev2" mac-address=64:00:6A:78:E4:20 server=D-VLAN-20
add address=10.20.0.200 comment="Dev3" mac-address=00:17:61:11:2C:AE server=D-VLAN-20
add address=10.20.0.101 comment="Dev4" mac-address=24:41:8C:F6:96:68 server=D-VLAN-20
add address=10.20.0.197 client-id=1:68:d7:9a:13:c0:44 comment=Dev5 mac-address=68:D7:9A:13:C0:44 server=D-VLAN-20
add address=10.20.0.199 client-id=1:f4:92:bf:13:88:e4 comment=Dev6 mac-address=F4:92:BF:13:88:E4 server=D-VLAN-20
add address=10.20.1.97 client-id=1:b8:3a:8:8f:6d:c0 comment=Dev7 mac-address=B8:3A:08:8F:6D:C0 server=D-VLAN-20
add address=10.20.0.89 client-id=1:44:85:0:9c:de:75 comment=Dev8 mac-address=44:85:00:9C:DE:75 server=D-VLAN-20
add address=10.20.0.65 client-id=1:84:3a:4b:3b:1c:78 comment=Dev9 mac-address=84:3A:4B:3B:1C:78 server=D-VLAN-20
add address=10.20.0.102 client-id=1:d8:9e:f3:12:a0:7e comment=Dev10 mac-address=D8:9E:F3:12:A0:7E server=D-VLAN-20
add address=10.20.0.219 client-id=1:12:3f:cc:f7:d2:88 comment=Dev11 mac-address=12:3F:CC:F7:D2:88 server=D-VLAN-20
add address=10.20.1.5 client-id=1:48:f:cf:31:4a:95 comment=Dev12 mac-address=48:0F:CF:31:4A:95 server=D-VLAN-20
add address=10.20.0.140 comment=Dev13 mac-address=10:5F:02:69:45:52 server=D-VLAN-20
/ip dhcp-server network
add address=10.10.0.0/20 dns-server=10.10.0.1 gateway=10.10.0.1
add address=10.20.0.0/20 dns-server=10.20.0.1 gateway=10.20.0.1
add address=10.30.0.0/20 dns-server=10.30.0.1 gateway=10.30.0.1
add address=10.40.0.0/20 dns-server=10.40.0.1 gateway=10.40.0.1
add address=172.16.200.0/24 dns-server=172.16.200.1 gateway=172.16.200.1 netmask=24
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=3d cache-size=4048KiB max-concurrent-tcp-sessions=40
/ip dns static
add address=10.10.0.1 disabled=yes name=router.vlan-10 type=A
add address=10.20.0.1 disabled=yes name=router.vlan-20 type=A
add address=10.30.0.1 disabled=yes name=router.vlan-30 type=A
add address=10.40.0.1 disabled=yes name=router.vlan-40 type=A
/ip firewall address-list
add address=10.10.0.0/20 comment=EXAM list=VLAN-10
add address=10.20.0.0/20 comment=OFFICE list=VLAN-20
add address=10.30.0.0/20 comment=CAMS list=VLAN-30
add address=10.40.0.0/20 comment=SERVER list=VLAN-40
add address=10.50.0.0/20 comment=BRIDGE list=BRIDGE-LAN
/ip firewall filter
add action=accept chain=input comment=ICMP-Accept protocol=icmp
/ip firewall mangle
add action=mark-connection chain=prerouting comment=Mark-Connection-ISP2 connection-mark=no-mark connection-state=new in-interface=PPP-ISP2 new-connection-mark=ISP2-MARK
add action=mark-connection chain=prerouting comment=Mark-Connection-ISP3 connection-mark=no-mark connection-state=new in-interface=PPP-ISP3 new-connection-mark=ISP3-MARK
add action=mark-routing chain=output comment=Mark-Routing-ISP2 connection-mark=ISP2-MARK new-routing-mark=ISP2
add action=mark-routing chain=output comment=Mark-Routing-ISP3 connection-mark=ISP3-MARK new-routing-mark=ISP3
add action=mark-connection chain=prerouting comment=PCC-ISP2 connection-mark=no-mark connection-state=new dst-address-type=!local in-interface=all-vlan new-connection-mark=ISP2-MARK \
per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting comment=PCC-ISP3 connection-mark=no-mark connection-state=new dst-address-type=!local in-interface=all-vlan new-connection-mark=ISP3-MARK \
per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting comment=Ag-Mark-Routing-ISP2 connection-mark=ISP2-MARK in-interface=all-vlan new-routing-mark=ISP2
add action=mark-routing chain=prerouting comment=Ag-Mark-Routing-ISP3 connection-mark=ISP3-MARK in-interface=all-vlan new-routing-mark=ISP3
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade-ISP1 disabled=yes out-interface=eth1-ISP1
add action=masquerade chain=srcnat comment=Masquerade-ISP2 out-interface=PPP-ISP2
add action=masquerade chain=srcnat comment=Masquerade-ISP3 out-interface=PPP-ISP3
add action=masquerade chain=srcnat comment=Masquerade-VLAN-10 out-interface=VLAN-10
add action=masquerade chain=srcnat comment=Masquerade-VLAN-20 out-interface=VLAN-20
add action=masquerade chain=srcnat comment=Masquerade-VLAN-30 out-interface=VLAN-30
add action=masquerade chain=srcnat comment=Masquerade-VLAN-40 out-interface=VLAN-40
add action=dst-nat chain=dstnat comment="ISP1 DEV Sat NVR Port 8000" disabled=yes dst-address=ISP1-PUBLIC-IP dst-port=8000 protocol=tcp to-addresses=10.30.0.200 to-ports=8000
add action=dst-nat chain=dstnat comment="ISP2 DEV Sat NVR Port 8000-8000" dst-address=ISP2-PUBLIC-IP dst-port=8000 protocol=tcp to-addresses=10.30.0.200 to-ports=8000
add action=dst-nat chain=dstnat comment="ISP3 DEV Sat NVR Port 8000-8000" dst-address=ISP3-PUBLIC-IP dst-port=8000 protocol=tcp to-addresses=10.30.0.200 to-ports=8000
add action=dst-nat chain=dstnat comment="ISP1 DEV Sat NVR Port 80" disabled=yes dst-address=ISP1-PUBLIC-IP dst-port=81 protocol=tcp to-addresses=10.30.0.200 to-ports=80
add action=dst-nat chain=dstnat comment="ISP2 DEV Sat NVR Port 81-80" dst-address=ISP2-PUBLIC-IP dst-port=81 protocol=tcp to-addresses=10.30.0.200 to-ports=80
add action=dst-nat chain=dstnat comment="ISP3 DEV Sat NVR Port 81-80" dst-address=ISP3-PUBLIC-IP dst-port=81 protocol=tcp to-addresses=10.30.0.200 to-ports=80
add action=dst-nat chain=dstnat comment="ISP1 ZKTeco Machine Port XXXX" disabled=yes dst-address=ISP1-PUBLIC-IP dst-port=1500 protocol=tcp to-addresses=10.30.0.100 to-ports=4370
add action=dst-nat chain=dstnat comment="ISP2 ZKTeco Machine Port XXXX-4370" dst-address=ISP2-PUBLIC-IP dst-port=XXXX protocol=tcp to-addresses=10.30.0.100 to-ports=4370
add action=dst-nat chain=dstnat comment="ISP3 ZKTeco Machine Port XXXX-4370" dst-address=ISP3-PUBLIC-IP dst-port=XXXX protocol=tcp to-addresses=10.30.0.100 to-ports=4370
add action=dst-nat chain=dstnat comment="ISP2 Cisco SW Port XXXX-22" dst-address=ISP2-PUBLIC-IP dst-port=XXXX protocol=tcp to-addresses=10.40.0.100 to-ports=22
add action=dst-nat chain=dstnat comment="ISP3 Cisco SW Port XXXX-22" dst-address=ISP3-PUBLIC-IP dst-port=XXXX protocol=tcp to-addresses=10.40.0.100 to-ports=22
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping comment=unmarked disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ISP1-GW routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=unmarked disabled=no distance=2 dst-address=0.0.0.0/0 gateway=ISP1-GW routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=marked disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ISP1-GW routing-table=*400 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=marked disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP1-GW routing-table=ISP2 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=unmarked disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP2-GW routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=marked disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ISP2-GW routing-table=ISP3 scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes port=4444
set winbox port=XXXX
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
add disabled=yes interface=*15 type=internal
add disabled=yes interface=eth2-ISP2 type=internal
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*5
/ppp secret
add name=vpn
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name=MIKROTIK-NAME
/system logging
add topics=account
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=time.google.com
/system routerboard settings
set enter-setup-on=delete-key
/tool e-mail
set from=EMAIL-1 port=587 server=smtp.gmail.com tls=starttls user=EMAIL-1
/tool netwatch
add comment=Failover-ISP1 disabled=yes down-script="/ip route disable [find comment~\"Failover-ISP1\"]" host=1.1.1.1 interval=10s test-script="" timeout=1s type=simple up-script=\
"/ip route enable [find comment~\"Failover-ISP1\"]"
add comment=Failover-ISP2 disabled=yes down-script="/ip route disable [find comment~\"Failover-ISP2\"]" host=1.1.1.1 interval=10s test-script="" timeout=1s type=simple up-script=\
"/ip route enable [find comment~\"Failover-ISP2\"]"
add comment=ISP1 disabled=yes down-script="/tool e-mail send to=\"EMAIL-1,EMAIL-2\" subject=\"Host DOWN\" body=\"ISP1 NET ELASTIC ISP1-GW Status DOWN DEV-SATY\
ANA is not reachable on \$[/system clock get time] \$[/system clock get date]\"" host=ISP1-GW name="ISP1 NET ELASTIC" test-script="" type=simple up-script="/tool e-mail send to=\"DEV\
,EMAIL-2\" subject=\"Host UP\" body=\"ISP1 NET ELASTIC ISP1-GW Status UP MIKROTIK-NAME is reachable again on \$[/system clock get time] \$[/system clock get date]\
\""
add comment=ISP2 disabled=no down-script="/tool e-mail send to=\"EMAIL-1,EMAIL-2\" subject=\"Host DOWN\" body=\"ISP2 PTCL FLASH FIBER ISP1-GW Status DOWN DEV\
-SATYANA is not reachable on \$[/system clock get time] \$[/system clock get date]\"" host=ISP1-GW name="ISP2 PTCL FLASH" test-script="" type=simple up-script="/tool e-mail send to=\"DEV\
,EMAIL-2\" subject=\"Host UP\" body=\"ISP2 PTCL FLASH FIBER ISP1-GW Status UP MIKROTIK-NAME is reachable again on \$[/system clock get time] \$[/system clock\
\_get date]\""
add comment=ISP3 disabled=no down-script="/tool e-mail send to=\"EMAIL-1,EMAIL-2\" subject=\"Host DOWN\" body=\"ISP3 STORM FIBER ISP2-GW Status DOWN DEV-SAT\
YANA is not reachable on \$[/system clock get time] \$[/system clock get date]\"" host=ISP2-GW name="ISP3 STORM FIBER" test-script="" type=simple up-script="/tool e-mail send to=\"DEV\
,EMAIL-2\" subject=\"Host UP\" body=\"ISP3 STORM FIBER ISP2-GW Status UP MIKROTIK-NAME is reachable again on \$[/system clock get time] \$[/system clock get d\
ate]\""
This is my all config.
I just want stable internet connection setup with load balancing
Also, I am facing some problem
Like long loading for linkedin crashing
anav
July 31, 2025, 7:01pm
10
Since there are two separate chips on the RB4011, it may make sense to optimize for traffic between vlans but only if easy. I see you have all vlans going out bond interface. So is there much traffic between ethers 4,5,7,8
i have untagged eth 4 5 7 8 and tagged to Bond interface
there is nothing connected to eth 4 5 7 8
all vlans have APs switches and direct PC end point devices
means all my devices are connected to my switch cisco 3750
anav
July 31, 2025, 9:04pm
12
If this is an IPV6 network, then I should let someone else post as I have no experience with those rules.
Okay if there is nothing attached to ether4,5,7,8, then recommend
Ports 4,5 are used for bond , ether6 for whatever other purpose you have…
/interface ethernet
......
......
set [ find default-name=ether4 ] comment=PortChannel-SW-Port-4 name=eth4-PC1
set [ find default-name=ether5] comment=PortChannel-SW-Port-5 name=eth5-PC2
/interface bonding
add comment=Bond-eth4-eth5 lacp-rate=1sec mode=802.3ad name=Bond-2 slaves=eth4-PC1, PC1,eth5-PC2 transmit-hash-policy=layer-2-and-3
/interface bridge port
add bridge=BRIDGE-VLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=Bond-2
/interface bridge vlan
add bridge=BRIDGE-VLAN tagged=BRIDGE-VLAN vlan-ids=10,20,30,40
+++++++++++++++++++++++++++++
Other settings
2. Why is this set to NO? If no reason leave it enabled.
3. Set this........
/interface detect-internet
set detect-interface-list=all internet-interface-list=NET lan-interface-list=VLANS
To NONE!!
/interface detect-internet
set detect-interface-list=NONE
4. REMOVE ALL MANGLING............ except for first four rules slightly modded.
/ip firewall mangle
{ To ensure vpn or port forwarding go back out same WAN }
add action=mark-connection chain=input comment="Mark Incoming WAN2" connection-mark=no-mark in-interface=PPP-ISP2 new-connection-mark=ISP2-MARK passthrough=yes
add action=mark-connection chain=input comment=Mark-Incoming-WAN3 connection-mark=no-mark in-interface=PPP-ISP3 new-connection-mark=ISP3-MARK passthrough=yes
++++++++++++++++++++
add action=mark-routing chain=output comment="Route out WAN2" connection-mark=ISP2-MARK new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=output comment=Route out WAN3" connection-mark=ISP3-MARK new-routing-mark=ISP3 passthrough=no
5. These are the only sourcenat rules you need, two of them..........
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade-ISP2 out-interface=PPP-ISP2
add action=masquerade chain=srcnat comment=Masquerade-ISP3 out-interface=PPP-ISP3
6. For the destination nat rules anything to ISP 1 should be removed or disabled.
The rules otherwise look fine ONLY IF indeed your wanip addresses are static not dynamic.
7. For easy load balancing using ECMP we make both gateways the same distance........ You seemed to have most of these set to ISP-1 gateway which was weird considering its not used!! Also use table names that are clearer....
/routing table
add disabled=no fib name=use-ISP2
add disabled=no fib name=-use-ISP3
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2-GW routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP3-GW routing-table=main
+++++++++++
add dst-address=0.0.0.0/0 gateway=ISP2-GW routing-table=use-ISP2
add dst-address=0.0.0.0/0 gateway=ISP3-GW routing-table=use-ISP3
anav
July 31, 2025, 9:08pm
13
Also, should NOT need upnp and thus recommending for security reasons to disable.
YOu can still use netwatch to detect if WAN2 or WAN3 is up, but only to then adjust the outgoing email traffic.
