Load balance first attempt

guilleb · July 16, 2024, 2:40pm

Hello! My name is Guillermo. This is my first attempt at configuring a setup more complex than what the basic setup wizard offers. Due to poor internet quality in my area, I’ve opted for two PPPoE connections through air antennas to ensure better connectivity. I aim to implement package-based load balancing and have crafted a script by combining my current SSH configuration with advice from chatbots and tutorials. My background in programming, though not directly related to networking, has made me more comfortable using code for this task.

Additionally, I have two Ubiquiti APs in my setup. The first AP is connected to the ether3 interface of the MikroTik router, and the second AP is configured to extend the Wi-Fi network, effectively acting as a repeater.

I would really appreciate if you can review this code and see if i’m doing something wrong:

/interface bridge
add admin-mac=mac auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=no disabled=no interface=ether1 name=pppoe-out1 password=password1 use-peer-dns=yes user=user1
add add-default-route=no disabled=no interface=ether2 name=pppoe-out2 password=password2 use-peer-dns=yes user=user2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=defconf interface=ether2 list=WAN
add interface=pppoe-out2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge #network=192.168.88.0
/ip dhcp-server lease
add address=192.168.88.18 client-id=mac mac-address=mac server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 # dns-server=8.8.8.8,8.8.4.4
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Mark packets for load balancing
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=packets_to_wan1 passthrough=yes src-address=192.168.88.0/24 connection-state=new nth=2,1,0
add action=mark-packet chain=prerouting new-packet-mark=packets_to_wan2 passthrough=yes src-address=192.168.88.0/24 connection-state=new nth=2,1,1
# Routing marked packets through specific WAN interfaces
/ip route
add distance=1 gateway=pppoe-out1 packet-mark=packets_to_wan1
add distance=1 gateway=pppoe-out2 packet-mark=packets_to_wan2
# Ensure masquerade rules are present for both WAN interfaces
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
# Misc
/system clock
set time-zone-name=time-zone-name
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks!

rextended · July 16, 2024, 3:48pm

The basic mistake is splitting packets, perhaps from the same connection, between two different sources.
The device that receives the packets, if it sees them coming from two different IPs, blocks the connection,
and if instead they had the same source, the ISPs doing their job would block the spoofed IPs belonging to another provider…

2 + 2 do not do 5 4, but 2 and 2. You can’t sum the bandwidth.
You can only choice what ISP must be used for each device, or what ISP use each service (or both).

guilleb · July 16, 2024, 4:12pm

Perfect! i didn’t knew that, i will change the load balance per connection then:

# Mark connections for load balancing
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=conn_to_wan1 passthrough=yes src-address=192.168.88.0/24 connection-state=new nth=2,1,0
add action=mark-connection chain=prerouting new-connection-mark=conn_to_wan2 passthrough=yes src-address=192.168.88.0/24 connection-state=new nth=2,1,1

# Adjust routing rules to use connection marks
/ip route
add distance=1 gateway=pppoe-out1 routing-mark=conn_to_wan1
add distance=1 gateway=pppoe-out2 routing-mark=conn_to_wan2

# Ensure masquerade rules are present for both WAN interfaces
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2

Is this better? Thanks in advance

llamajaja · July 16, 2024, 4:13pm

The easy way to load balance on MT routers ( PCC ) is to take traffic coming from the LAN and send some to WAN1 and some to WAN2.
If the throughput is somewhat equal then its a one to one type of setup.
If WAN1 has closer to 2/3 than 2/4s of traffic then one could send traffic in one cycle to WAN1, to WAN2, to WAN1 and repeat.

Dual WANS is primarily about providing more bandwidth to share for all users and redundancy in case of failure. If your pppoe connections are from the same provider there is no redundancy.

Post complete config for analysis, not interested in snippets…
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc. )

guilleb · July 16, 2024, 4:45pm

Thank you for your feedback. I will incorporate your suggestion regarding redundancy. The modifications I provided are intended to enhance the load balancing setup from the initial code (no snippet). These changes specifically adjust the load balancing strategy.

anav · July 16, 2024, 7:19pm

You are using an unfamiliar method (i have not studied nth as its described as inferior) for load balancing, and thus unable to help further,

guilleb · July 17, 2024, 2:52am

I’ve updated the load balancing method based on a tutorial I found on YouTube, and it’s now functioning correctly. Below is the complete export of my configuration for review. Any insights or suggestions would be greatly appreciated. Additionally, I’ve checked the logs and haven’t noticed any anomalies; everything seems to be running smoothly.

Thanks for your help

#RouterOS 6.48.6
# software id = 8K55-F9W9
#
# model = RB750Gr3
# serial number = *
/interface bridge
add admin-mac=* auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=\
    user1
add disabled=no interface=ether2 name=pppoe-out2 use-peer-dns=yes user=\
    user2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=admin policy="local,ftp,reboot,read,write,test,winbox,password,web,sn\
    iff,sensitive,romon,dude,tikapp,!telnet,!ssh,!policy,!api"
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=defconf interface=ether2 list=WAN
add interface=pppoe-out2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-server lease
add address=192.168.88.18 client-id=* mac-address=\
    * server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark \
    connection-state=new in-interface=pppoe-out1 log=yes new-connection-mark=\
    WAN1_input nth=2,1 passthrough=yes src-address=192.168.88.0/24
add action=mark-connection chain=input connection-mark=no-mark \
    connection-state=new in-interface=pppoe-out2 log=yes new-connection-mark=\
    WAN2_input nth=2,1 passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=output connection-mark=WAN1_input \
    new-routing-mark=WAN1_output passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_input \
    new-routing-mark=WAN2_output passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=WAN1_output
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=WAN2_output
add check-gateway=ping distance=1 gateway=pppoe-out1,pppoe-out2
/ip service
set api port=14248
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=RouterOS
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN