DUAL-WAN PPPOE CLIENT WITH PCC LOAD BALANCING FAILED TO WORK

Hi everyone.

Recently, my office bought a brand new Mikrotik CCR2116-12G-4S+ with v7.8 firmware. Currently, we have two WAN connections at the office. Both connections are dialed up using PPPoE but they are from two different ISPs. Our plan is whenever WAN1 goes down, WAN2 would be able to take over and vice versa.

I’ve been watching some tutorials on YouTube on how to do PCC load balancing, particularly the video linked below. It is from the official Mikrotik channel.
https://www.youtube.com/watch?v=nlb7XAv57tw

However, I could not get my script to run properly. Can someone enlighten me on how to make sure whether the script is correct or not? If there are any mistakes, feel free to let me know.

Thanks a lot!

Disclaimer:
[*] I’ve been using Mikrotik for about 1.5 years, particularly the Mikrotik RB1100AHx4 model, which ran on v6.48 firmware. But I’m still a noob without a networking background.

/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface vlan
add interface=ether1-WAN1 name=vlan500-1 vlan-id=500
add interface=ether2-WAN2 name=vlan500-2 vlan-id=500
/interface pppoe-client
add disabled=no interface=vlan500-1 name=UNIFI-WAN1 user=\
    xxxxxxxxxxxx2@unifibiz
add disabled=no interface=vlan500-2 name=UNIFI-WAN2 user=\
    xxxxxxxxxxxx123@unifibiz
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-local ranges=192.168.103.151-192.168.103.254
/ip dhcp-server
add address-pool=pool-local interface=bridge-local name=server-local
/port
set 0 name=serial0
/routing table
add disabled=no fib name=UNIFI1
add disabled=no fib name=UNIFI2
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip dhcp-server network
add address=192.168.103.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1,192.168.103.4 \
    gateway=192.168.103.4
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-WAN1 in-interface-list=all \
    new-connection-mark=UNIFI1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-WAN2 in-interface-list=all \
    new-connection-mark=UNIFI2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=UNIFI1_conn \
    new-routing-mark=UNIFI1 passthrough=yes
add action=mark-routing chain=output connection-mark=UNIFI2_conn \
    new-routing-mark=UNIFI2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark="" \
    connection-state=new in-interface=bridge-local new-connection-mark=\
    UNIFI1_conn passthrough=yes per-connection-classifier=\
    src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark="" \
    connection-state=new in-interface=bridge-local new-connection-mark=\
    UNIFI2_conn passthrough=yes per-connection-classifier=\
    src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=UNIFI1_conn \
    dst-address-type=!local in-interface=bridge-local new-routing-mark=UNIFI1 \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=UNIFI2_conn \
    dst-address-type=!local in-interface=bridge-local new-routing-mark=UNIFI2 \
    passthrough=yes src-address-type=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=UNIFI-WAN1
# UNIFI-WAN2 not ready
add action=masquerade chain=srcnat out-interface=UNIFI-WAN2
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN1 pref-src="" routing-table=UNIFI1 scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN2 pref-src="" routing-table=UNIFI2 scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.103.0/24 gateway=bridge-local \
    routing-table=main suppress-hw-offload=no
/system routerboard settings
set enter-setup-on=delete-key

Sure, first I would update the firmware to the latest stable release; 7.8 and earlier 7.x versions had issues.

Just to confirm you DON’T WANT primary/failover you want PCC/failover.
The difference is that in primary/failover, only one ISP is providing connections. In PCC both ISPs are used at the same time providing additional bandwidth to share among all users.
I will assume the latter.

Typically it’s important to know the full breadth of requirements before designing the config:
… any external traffic to the router itself?? aka wireguard vpn
… any external traffic to the LAN?? aka port forwarding to servers
… any LAN traffic that should not be PCCd and perhaps go out a specific WAN?
… any traffic entering/leaving the router by VPN?

I do note on a quick look that both ISPs, although you claim they are different, look strikingly the same, aka both use vlan 500. Can you confirm that is indeed the case??

For mangle rules you don’t need the first set of rules… The video author doesn’t explain properly why he has that first set of rules, which don’t apply YET in your simple case.
Start here for the required rules…
You don’t need both new and no-mark; no-mark is normally the better option.
You forgot the dst-address=!local, which is clearly in the video!!
EDIT: I see now you just put that on the wrong rules (on the mark-routing rules, and it should be on the mark-connection rules)… (in-interface LAN is not required again on the routing rules, and passthrough=no)

add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge-local new-connection-mark=UNIFI1_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0 dst-address-type=!local
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge-local new-connection-mark=UNIFI2_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/1 dst-address-type=!local
add action=mark-routing chain=prerouting connection-mark=UNIFI1_conn \
    new-routing-mark=UNIFI1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=UNIFI2_conn \
    new-routing-mark=UNIFI2 passthrough=no

LETS look at IP Routes.

This route is not required; it’s automatically created by the router.
add disabled=no dst-address=192.168.103.0/24 gateway=bridge-local
routing-table=main suppress-hw-offload=no

You can check in IP Routes and you will see one already:
dst-address=192.168.103.0/24 gateway=bridge-local

The rest of the routes seem fine.
You have the two main routes with preference for WAN1 over WAN2 for any non-PCC-related traffic, and they tell the router that in case WAN1 is down it should go to WAN2 and vice versa.
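To make the four-rule mangle set above concrete, here is a small simulator of how chain=prerouting evaluates those rules. It is an added example for this thread, not configuration from the poster or from MikroTik: the PCC hash is a crc32 stand-in (RouterOS's real hash is not reproduced; only "same src address + port, same bucket" matters), the router-owned address for dst-address-type=local is assumed to be 192.168.103.4, and the packets are constructed. It shows that a new LAN-to-Internet connection gets one of the two connection marks and the matching routing mark, that every later packet of that connection inherits the same marks from the conntrack entry, that traffic to the router itself is left unmarked because of dst-address-type=!local, and that passthrough=no stops evaluation once the routing mark is set.

```python
# Added example (not from the thread): simulate the four-rule PCC mangle set
# in chain=prerouting on a few constructed packets.
from dataclasses import dataclass, field
import zlib

# Assumed router-owned address, i.e. what dst-address-type=local would match.
ROUTER_LOCAL = {"192.168.103.4"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str
    conn_id: int  # identifies the conntrack entry this packet belongs to


@dataclass
class Conntrack:
    marks: dict = field(default_factory=dict)  # conn_id -> connection-mark


def pcc_bucket(pkt: Packet, denominator: int) -> int:
    """Stand-in for per-connection-classifier=src-address-and-port:D/R.

    RouterOS hashes the selected fields and takes the remainder. The exact
    hash is not reproduced (assumption: crc32); only the property that the
    same src address + port always lands in the same bucket is kept.
    """
    return zlib.crc32(f"{pkt.src}:{pkt.sport}".encode()) % denominator


# The four rules the reply says are sufficient, in chain order.
RULES = [
    dict(action="mark-connection", connection_mark="no-mark", in_interface="bridge-local",
         dst_not_local=True, pcc=(2, 0), new_mark="UNIFI_conn", passthrough=True),
    dict(action="mark-connection", connection_mark="no-mark", in_interface="bridge-local",
         dst_not_local=True, pcc=(2, 1), new_mark="MAXIS_conn", passthrough=True),
    dict(action="mark-routing", connection_mark="UNIFI_conn", new_mark="UNIFI", passthrough=False),
    dict(action="mark-routing", connection_mark="MAXIS_conn", new_mark="MAXIS", passthrough=False),
]


def rule_matches(rule: dict, pkt: Packet, conn_mark) -> bool:
    want = rule["connection_mark"]
    if want == "no-mark":
        if conn_mark is not None:
            return False
    elif conn_mark != want:
        return False
    if rule.get("in_interface") and pkt.in_iface != rule["in_interface"]:
        return False
    if rule.get("dst_not_local") and pkt.dst in ROUTER_LOCAL:
        return False
    if "pcc" in rule:
        denominator, remainder = rule["pcc"]
        if pcc_bucket(pkt, denominator) != remainder:
            return False
    return True


def prerouting(pkt: Packet, ct: Conntrack):
    """Run the chain; return (connection-mark, routing-mark) for this packet."""
    conn_mark = ct.marks.get(pkt.conn_id)
    routing_mark = None
    for rule in RULES:
        if not rule_matches(rule, pkt, conn_mark):
            continue
        if rule["action"] == "mark-connection":
            conn_mark = rule["new_mark"]
            ct.marks[pkt.conn_id] = conn_mark  # the mark lives on the conntrack entry
        else:
            routing_mark = rule["new_mark"]
        if not rule["passthrough"]:
            break  # passthrough=no: stop once the routing-mark is set
    return conn_mark, routing_mark


def demo():
    """Constructed packets; returns the marks each one ends up with."""
    ct = Conntrack()
    lan = "bridge-local"
    first = Packet("192.168.103.160", 51000, "93.184.216.34", 443, lan, conn_id=1)
    later = Packet("192.168.103.160", 51000, "93.184.216.34", 443, lan, conn_id=1)
    to_router = Packet("192.168.103.160", 51001, "192.168.103.4", 53, lan, conn_id=2)
    from_wan = Packet("203.0.113.9", 40000, "198.51.100.7", 22, "UNIFI-WAN1", conn_id=3)
    return {
        "first": prerouting(first, ct),
        "later": prerouting(later, ct),
        "to_router": prerouting(to_router, ct),
        "from_wan": prerouting(from_wan, ct),
    }


if __name__ == "__main__":
    for name, marks in demo().items():
        print(f"{name:10s} connection-mark={marks[0]} routing-mark={marks[1]}")
```

Note what the simulator does not cover: reply packets arriving from the WAN side and the router's own output traffic, which is what the chain=output rules in the video are for; the thread treats those as out of scope for this simple case.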

There is no external traffic to the router and the LAN. There is no LAN traffic that needs to be PCCd as well. Only two WAN connections are attached to the Mikrotik router, since my office is just a small enterprise.

For the second question, it is not the case. My bad. I have edited the ISPs in the script attached below in this second reply.



/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface vlan
add interface=ether1-WAN1 name=vlan500 vlan-id=500
add interface=ether2-WAN2 name=vlan621 vlan-id=621
/interface pppoe-client
add disabled=no interface=vlan500 name=UNIFI-WAN1 user=\
    xxxxxxxxxxxxxxxxxxx@unifibiz
add disabled=no interface=vlan621 name=MAXIS-WAN2 user=\
    xxxxxxxxxxxxxxxxxxx@maxis
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-local ranges=192.168.103.151-192.168.103.254
/ip dhcp-server
add address-pool=pool-local interface=bridge-local name=server-local
/port
set 0 name=serial0
/routing table
add disabled=no fib name=UNIFI
add disabled=no fib name=MAXIS

/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.103.4/24 interface=bridge-local network=192.168.103.0
/ip dhcp-client
add comment=defconf interface=*12
/ip dhcp-server network
add address=192.168.103.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1 gateway=\
    192.168.103.4
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall mangle
add action=mark-routing chain=output connection-mark=UNIFI_conn \
    new-routing-mark=UNIFI passthrough=yes
add action=mark-routing chain=output connection-mark=MAXIS_conn \
    new-routing-mark=MAXIS passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=UNIFI_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=MAXIS_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=UNIFI_conn \
    in-interface=bridge-local new-routing-mark=UNIFI passthrough=yes
add action=mark-routing chain=prerouting connection-mark=MAXIS_conn \
    in-interface=bridge-local new-routing-mark=MAXIS passthrough=yes
add action=mark-routing chain=output connection-mark=UNIFI_conn \
    new-routing-mark=UNIFI passthrough=yes
add action=mark-routing chain=output connection-mark=MAXIS_conn \
    new-routing-mark=MAXIS passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-local new-connection-mark=\
    UNIFI_conn passthrough=yes per-connection-classifier=\
    src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge-local new-connection-mark=\
    MAXIS_conn passthrough=yes per-connection-classifier=\
    src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=UNIFI_conn \
    new-routing-mark=UNIFI passthrough=no
add action=mark-routing chain=prerouting connection-mark=MAXIS_conn \
    new-routing-mark=MAXIS passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=UNIFI-WAN1
# UNIFI-WAN2 not ready
add action=masquerade chain=srcnat out-interface=MAXIS-WAN2
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN1 pref-src="" routing-table=UNIFI scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    MAXIS-WAN2 pref-src="" routing-table=MAXIS scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    MAXIS-WAN2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN1 pref-src="" routing-table=UNIFI scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    MAXIS-WAN2 pref-src="" routing-table=MAXIS scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    UNIFI-WAN1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    MAXIS-WAN2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system routerboard settings
set enter-setup-on=delete-key

Sorry but I have tried to run the script as per your guidance but I’m not exactly sure why it doesn’t work. I might have missed a detail or two. Do you have any idea why?

Observations.

  1. Remove the IP DHCP client settings; your WAN connections are handled in the PPP menu.
    /ip dhcp-client
    add comment=defconf interface=*12

  2. MAIN REASON is that you botched the mangles. Your mangle rules are a large mess.
    I provided the short and sweet config needed…
    FOUR RULES ONLY…

  3. You keep getting this RED entry in your sourcenat rule ??? Something wrong with this WAN connection??
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=UNIFI-WAN1
    # UNIFI-WAN2 not ready
    add action=masquerade chain=srcnat out-interface=MAXIS-WAN2
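Two of the three observations above are things a script can catch before the export is pasted into a router: whole sections pasted twice (the mangle and route sections in the second config appear twice) and a leftover entry pointing at an interface that no longer exists (`interface=*12`). The following is an added example, not code from the thread or from MikroTik: a small lint that parses the RouterOS export format as it appears in the posts (backslash line continuation, `/section` headers, `add`/`set` commands, `#` comments), reports exact duplicate `add` entries per section and any `*N` interface or gateway reference. The input is a constructed excerpt in that format, not the full configs above.

```python
# Added example (not from the thread): lint a RouterOS export for duplicate
# "add" entries and dangling "*N" interface references.
import re
from collections import Counter

# Constructed excerpt in RouterOS export format (shortened, same conventions
# as the configs posted in the thread).
SAMPLE_EXPORT = """\
/ip dhcp-client
add comment=defconf interface=*12
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=UNIFI_conn \\
    new-routing-mark=UNIFI passthrough=no
add action=mark-routing chain=prerouting connection-mark=MAXIS_conn \\
    new-routing-mark=MAXIS passthrough=no
add action=mark-routing chain=prerouting connection-mark=UNIFI_conn \\
    new-routing-mark=UNIFI passthrough=no
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\\
    UNIFI-WAN1 routing-table=main
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\\
    MAXIS-WAN2 routing-table=main distance=2
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\\
    UNIFI-WAN1 routing-table=main
"""

# RouterOS prints an unresolved interface as "*<hex id>"; these keys carry
# interface or gateway references in the sections used in the thread.
DANGLING_REF = re.compile(r"\b(interface|in-interface|out-interface|gateway)=\*[0-9A-Fa-f]+")


def parse_export(text: str):
    """Return (section, command) pairs with backslash continuations joined.

    A line ending in "\\" continues on the next line; the export breaks either
    right after "=" (value continues with no space) or after a parameter
    (space kept before the backslash), so the pieces are joined as-is.
    """
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("/"):
            section = line
        else:
            # normalise whitespace so visually different copies compare equal
            entries.append((section, " ".join(line.split())))
    return entries


def find_duplicates(entries):
    """Exact duplicate 'add' commands within the same section."""
    counts = Counter(e for e in entries if e[1].startswith("add "))
    return [e for e, n in counts.items() if n > 1]


def find_dangling_refs(entries):
    """Commands referring to an interface/gateway RouterOS could not resolve."""
    return [e for e in entries if DANGLING_REF.search(e[1])]


def lint(text: str) -> dict:
    entries = parse_export(text)
    return {"duplicates": find_duplicates(entries),
            "dangling": find_dangling_refs(entries)}


if __name__ == "__main__":
    report = lint(SAMPLE_EXPORT)
    for section, cmd in report["duplicates"]:
        print(f"duplicate in {section}: {cmd}")
    for section, cmd in report["dangling"]:
        print(f"dangling reference in {section}: {cmd}")
```

Run it against a full `/export` taken from the router (`/export file=backup` and copy the text out). Exact-duplicate detection is deliberate: two mangle rules that differ only in `connection-state=new` are not the same rule, and deciding which of the two to keep is the point of the reply above, so those are left for a human to compare.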