Help with load balancing setup.

I have a RouterBoard RB450G, with connections from two ISPs, one is an ADSL connection which uses PPPoE and the other is a cable connection which uses DHCP.

I have already configured the interfaces, ADSL modem is connected to ether1-wan1 and uses pppoe-out1 as the reachable interface. Cable modem connects to ether2-wan2 which is also the reachable interface.

All that works ok, and I can get internet access successfully from one connection or the other.

However I’ve been trying to set up load balancing as per the tutorial in the MikroTik wiki (http://wiki.mikrotik.com/wiki/Per-Traffic_Load_Balancing). I’ve been messing around with it for weeks and am still unable to get it to work. As soon as I add the routing rules everything goes dead, no applications can access the internet at all. It’s not a DNS issue.

Ideally what I’d like to do is this:

-server at 192.168.1.150 TCP ports 27080-27149 forwarded and going through cable (ether2-wan2), all other traffic through ADSL (pppoe-out1)

-all other computers TCP ports 80, 21, 22, 27014-27050 through cable, everything else through ADSL

-automatic failover in the event either connection goes down, all traffic pushed down the connection that is still up


How would I go about setting this up to work correctly and effectively? Any help greatly appreciated.

please post your configs (both working and not working). it’s hard to guess what exactly goes wrong - people sometimes are very “inventive” =)

Here are the relevant configurations. Just for testing purposes thus far I only added two mangle rules. I can see that traffic is being marked correctly, however as soon as I enable the associated route, complete loss of connectivity occurs for any traffic that is marked for that route.

I must be doing something wrong here but I can’t figure out what.

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s l2mtu=1524 max-message-age=20s \
    mtu=1500 name=bridge priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:59:16:D3 \
    master-port=none mtu=1500 name=ether1-wan1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:59:16:D4 \
    master-port=none mtu=1500 name=ether2-wan2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:59:16:D5 \
    master-port=none mtu=1500 name=ether3-local speed=1Gbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:59:16:D6 \
    master-port=none mtu=1500 name=ether4-local speed=1Gbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:59:16:D7 \
    master-port=none mtu=1500 name=ether5-local speed=1Gbps
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
    "" dial-on-demand=no disabled=no interface=ether1-wan1 max-mru=1480 \
    max-mtu=1480 mrru=disabled name=pppoe-out1 password=****** profile=\
    default service-name="" use-peer-dns=yes user=******@teksavvy.com
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1 \
    switch-all-ports=yes
/interface bridge port
add bridge=bridge comment="" disabled=no edge=auto external-fdb=auto horizon=\
    none interface=ether3-local path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge comment="" disabled=no edge=auto external-fdb=auto horizon=\
    none interface=ether4-local path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge comment="" disabled=no edge=auto external-fdb=auto horizon=\
    none interface=ether5-local path-cost=10 point-to-point=auto priority=\
    0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
    no

/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no \
    interface=ether2-wan2 use-peer-dns=yes

/ip route
add comment="" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    ether2-wan2 routing-mark="steam download" scope=255 target-scope=10
add comment="" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 routing-mark="other traffic" scope=255 target-scope=10

/ip firewall filter
add action=passthrough chain=forward comment="" disabled=no in-interface=\
    pppoe-out1
add action=passthrough chain=forward comment="" disabled=no out-interface=\
    pppoe-out1
add action=passthrough chain=forward comment="" disabled=no in-interface=\
    ether2-wan2
add action=passthrough chain=forward comment="" disabled=no out-interface=\
    ether2-wan2
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=pppoe-out1
add action=accept chain=input comment="" connection-state=established \
    disabled=no in-interface=ether2-wan2
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=pppoe-out1
add action=accept chain=input comment="" connection-state=related disabled=no \
    in-interface=ether2-wan2
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=pppoe-out1
add action=drop chain=input comment="" disabled=no in-interface=ether2-wan2

/ip firewall nat
add action=dst-nat chain=dstnat comment="port forward for HTTP server" \
    disabled=no dst-address=!192.168.1.0/24 dst-address-type=local dst-port=\
    80 protocol=tcp to-addresses=192.168.1.150 to-ports=80
add action=dst-nat chain=dstnat comment="port forward for server SSH" \
    disabled=no dst-port=2222 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.1.150 to-ports=2222
add action=dst-nat chain=dstnat comment=P2P disabled=no dst-port=27080-27149 \
    in-interface=ether2-wan2 protocol=tcp to-addresses=192.168.1.150
add action=dst-nat chain=dstnat comment="srcds TCP ports" disabled=no \
    dst-port=27000-27039 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.1.150
add action=dst-nat chain=dstnat comment="srcds UDP ports" disabled=no \
    dst-port=27000-27030 in-interface=pppoe-out1 protocol=udp to-addresses=\
    192.168.1.150
add action=dst-nat chain=dstnat comment="Steam friends port" disabled=no \
    dst-port=1200 in-interface=pppoe-out1 protocol=udp to-addresses=\
    192.168.1.150
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    pppoe-out1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    ether2-wan2 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=\
    "NAT local to local for HTTP server" disabled=no dst-port=80 protocol=tcp \
    src-address=192.168.1.0/24

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no \
    new-routing-mark="steam download" passthrough=no protocol=tcp src-port=\
    27014-27050
add action=mark-routing chain=prerouting comment="" disabled=no \
    new-routing-mark="other traffic" passthrough=no

Well two things pop out immediately at me.

1.) You’re marking routing without marking connections. It may be doable that way, but I think you’re probably asking for problems.
2.) You don’t have any routes that don’t have a routing mark, so if nothing gets a routing mark, it’s not going to be able to route anything out to the internet. You’re going to want a route for each ISP without any routing mark listed to cover fail-over situations.

How would I do it the other way? I just followed what the wiki said to do.

2.) You don’t have any routes that don’t have a routing mark, so if nothing gets a routing mark, it’s not going to be able to route anything out to the internet. You’re going to want a route for each ISP without any routing mark listed to cover fail-over situations.

There are the default routes for each of the gateways/wan interfaces, which are not shown in the configuration dump since they are automatically added by “add-default-route=yes”.

if you set gateway=ether2-wan2, it means that the whole internet is directly on that port, and not beyond some gateway. you should specify here IP address of gateway obtained via DHCP

Not totally sure what you mean by that. That port is connected to the cable modem which is just a modem. Unless you mean the ISP’s gateway/network is beyond that?

Aside from the load balancing routes, everything else works with gateway=ether2-wan2 and gateway=pppoe-out1.

And I can’t set that to an IP address anyways as it is dynamic.

so, you have traffic both on ether1 and ether2? i.e., it’s working setup? and what rules do you add that broke your setup?

I can have traffic on either one (by enabling/disabling the default routes so only one is active), but not both (one always takes precedence over the other when I enable both, but that is probably expected behavior).

The problem comes when I enable the following (notice they are disabled right now):

/ip route
add comment="" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    ether2-wan2 routing-mark="steam download" scope=255 target-scope=10
add comment="" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 routing-mark="other traffic" scope=255 target-scope=10

If I enable the route for routing-mark=“steam download”, then all steam download traffic fails.

If I enable the route for routing-mark=“other traffic”, everything but steam download traffic fails to work (assuming the steam download route is disabled).

Both enabled, nothing comes through to the internet.