HAP ac2 need help with load balancing on 2 WAN connections

Hello everyone! Sorry for my beginner post, but I’m reading and trying solutions from this forum for about a week already and I didn’t manage to fix or to find a solution for my problem:
Problem is like this:
hAP ac2: Port 1 - PPPoE connection to ISP 1
Port 2 - Fixed IP from ISP 2
Port 3 - 5 - Bridge - Internal LAN
From the hAP I have one VPN to another location with some routes via RIP.
Since my second ISP just came in last week, I’m trying to set up Failover, Load Balancing and PPC forward policies for my router, so that all services keep working as they should even when one ISP is down, to load balance on both ISPs, and to have my internal ports routed depending on the interface the request is coming in on.

Can someone help me to configure this?

I will give a big beer to him.

Thanks in advance.

What is PPC…
In terms of requirements.
a. identify all the user(s)/devices, groups of users and devices ( including admin and external users)
b. identify all the traffic they require to accomplish.

What is the purpose of the two WANs?
Use a primary and have a secondary as backup?
Use both at the same time sharing the LAN load?

I suppose it should be PCC.
Per Connection Classifier.

PCC sorry
I wanted two WANs from 2 different ISPs because I have a security system at the location that must not lose internet connection. So if one ISP is down, internet should work on the second ISP.
I don’t have a primary one; they both provide 1 Gbps speed, just for backup.
Yes, can be both used if LAN load is big.

This one from Mikrotik helped me a lot setting up pcc between vdsl and lte.
But you need to hide the subtitles since some key info was hidden under them :laughing:

https://youtu.be/nlb7XAv57tw?si=Jcst1QXGBJI-8Fp-

Do you have any port forwarding?
Do you have any VPNs…
Hoelve needs to learn to find all the requirements before planning a config :stuck_out_tongue_winking_eye:

Yes, I have 2-3 port forward rules, one VPN out with RIP on it, and one WireGuard VPN in to an internal Home Assistant server.

Thank you, I used that video and now everything is working like it should. I did not have time to test failover yet, to see how fast it is.
My big problem now is that the video is using OS 7.12 and my OS was 6.49, so I needed to upgrade my device, and I discovered that my L2TP VPN to my work is not taking routes by RIP now, since something changed from 6.49 to 7.12. As I cannot upgrade my VPN server at work, I either have to add routes manually, or find a solution to make RIP work between OS 6.49 and OS 7.12.

Thank you for your help!

Find that hard to believe, WireGuard was not possible on version 6.
edit: I didn’t consider WG on another device, mea culpa!!

Who says wireguard was setup on Tik ?
It’s WG in to internal HA server, so I understand …

Who’s making assumptions now ? :laughing:

Between locations I have an L2TP VPN, not WireGuard; I have a WG server on an internal HA machine.

Which will be the easiest way to share routes between routers now? Keeping in mind that one is 7.12 and the other is 6.49, and it is an L2TP VPN between them?

Just setup L2TP.
It should work between 6.9 and 7.12

Yes, the VPN is working, but RIP is not working between 6.49 and 7.12, that is why I’m asking if there is a better way than RIP to share routes via VPN.

No experience with RIP.
I could be wrong but I didn’t see anything specifically being mentioned on that function not working anymore in release notes for ROS7 ?

Maybe best to open new topic on that specific part.
As a workaround, you can still setup the needed routes manually for now.

Question from my side: why use RIP if there are only 2 routers ?

First, to answer your question about RIP: as I’ve mentioned before, at my workplace there is a VPN server which connects 22 locations which are sharing their network classes between them using RIP; it was the easiest way in 6.49.

NOW, I supposed that the solution from the video is working OK, but it seems not, as at the location I have a configuration like this:
Lan 1 - ISP1
Lan 2 - ISP2
Lan 3 - Local Network with IP class 10.10.20.x/20
Lan 4 - Local Network with IP class 192.168.1.0/24
Lan 5 - Local Network with IP class 192.168.4.0/24

When I activate these mangle rules:

chain=prerouting action=mark-connection new-connection-mark=ISP1_con passthrough=yes connection-state=new dst-address-type=!local connection-mark=no-mark in-interface=Lan10 per-connection-classifier=src-address-and-port:2/0 log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=ISP2_con passthrough=yes connection-state=new dst-address-type=!local connection-mark=no-mark in-interface=Lan10 per-connection-classifier=src-address-and-port:2/1 log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=ISP1_con passthrough=yes connection-state=new dst-address-type=!local connection-mark=no-mark in-interface=Lan192.4 per-connection-classifier=src-address-and-port:2/0 log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=ISP2_con passthrough=yes connection-state=new dst-address-type=!local connection-mark=no-mark in-interface=Lan192.4 per-connection-classifier=src-address-and-port:2/1 log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=ISP1_con passthrough=yes connection-state=new dst-address-type=!local connection-mark=no-mark in-interface=Lan192.1 per-connection-classifier=src-address-and-port:2/0 log=no log-prefix=""

chain=prerouting action=mark-connection new-connection-mark=ISP2_con passthrough=yes connection-state=new dst-address-type=!local connection-mark=no-mark in-interface=Lan192.1 per-connection-classifier=src-address-and-port:2/1 log=no log-prefix=""

traffic between the local networks is dead; it is trying to take traffic out on the ISP and not to the other LAN port. For example, if I want to ping from 10.10.20.x to 192.168.1.x, I get request timed out, and at traceroute I can see that it tries to send traffic out on the ISP and …

Any idea what I did wrong?

You got me Holvoe, apologies to the OP. I know squat about L2TP so will bow out.

You never mentioned before there were 22 sites connected to that VPN :laughing:

As far as I can see:
Are those 3 LAN interfaces part of the same bridge? If so, you need to reduce your rules and use in-interface=bridge.
If not, you may have to adjust that rule to use dst-address-list instead of dst-address-type=!local (which means you need to put those LAN interfaces in 1 common interface list).
“local” should be used for any of the router’s address assignments on any of its interfaces, but is this the case?

Full config might be helpful to check (minus serial, minus WAN IP, minus passwords …).
Post between [code] quotes for easier readability.
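A worked version of the address-list approach suggested in the reply above, written as an added example that is not from any poster in this thread. It assumes the three LAN interfaces are separate ports (not one bridge; if they are bridge ports, in-interface=bridge replaces the interface list, as the reply says), grouped in an interface list named LAN, with an address list LAN_nets holding the three subnets from the post; the routing-table names and the gateway values are placeholders, and the WAN-side rules and NAT from the video are not repeated here. The point of the first mangle rule is that LAN-to-LAN connections leave the chain before PCC ever sees them, so they keep following the main routing table.

```routeros
# Added example, not from the thread. Assumed names: interface list "LAN",
# address list "LAN_nets", routing tables "to_ISP1"/"to_ISP2".
# Interface names Lan10, Lan192.1, Lan192.4 and marks ISP1_con/ISP2_con come from the post.

/interface list add name=LAN
/interface list member add list=LAN interface=Lan10
/interface list member add list=LAN interface=Lan192.1
/interface list member add list=LAN interface=Lan192.4

# The 10.10.20.x/20 network from the post, written on its /20 boundary
/ip firewall address-list add list=LAN_nets address=10.10.16.0/20
/ip firewall address-list add list=LAN_nets address=192.168.1.0/24
/ip firewall address-list add list=LAN_nets address=192.168.4.0/24

# RouterOS 7 needs the routing tables declared before routes or marks can use them
/routing table add name=to_ISP1 fib
/routing table add name=to_ISP2 fib

/ip firewall mangle
# 1. LAN-to-LAN traffic leaves the mangle chain here untouched, so it is routed by
#    the main table instead of being classified toward an ISP
add chain=prerouting action=accept in-interface-list=LAN dst-address-list=LAN_nets \
    comment="inter-LAN traffic: no PCC"
# 2. Split only new, not-yet-marked connections from the LANs toward the Internet
add chain=prerouting action=mark-connection new-connection-mark=ISP1_con passthrough=yes \
    connection-state=new connection-mark=no-mark in-interface-list=LAN dst-address-list=!LAN_nets \
    per-connection-classifier=src-address-and-port:2/0
add chain=prerouting action=mark-connection new-connection-mark=ISP2_con passthrough=yes \
    connection-state=new connection-mark=no-mark in-interface-list=LAN dst-address-list=!LAN_nets \
    per-connection-classifier=src-address-and-port:2/1
# 3. Turn the connection mark into a routing mark for every packet of that connection
add chain=prerouting action=mark-routing new-routing-mark=to_ISP1 passthrough=no \
    in-interface-list=LAN connection-mark=ISP1_con
add chain=prerouting action=mark-routing new-routing-mark=to_ISP2 passthrough=no \
    in-interface-list=LAN connection-mark=ISP2_con

# One default route per table; gateway values are placeholders for the two ISP next hops
/ip route add dst-address=0.0.0.0/0 gateway=<ISP1-gateway-or-pppoe-interface> routing-table=to_ISP1
/ip route add dst-address=0.0.0.0/0 gateway=<ISP2-gateway> routing-table=to_ISP2
```

To check it, ping from a 10.10.20.x host to a 192.168.1.x host and watch /ip firewall mangle print stats: only the accept rule's counters should move, and the mark-connection rules should count only connections headed for non-LAN destinations. Keeping the dst-address-list=!LAN_nets match on the classifier rules as well is deliberate, so a later reordering of the accept rule cannot silently put inter-LAN traffic back onto the ISP marks.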