Load Balance with routers at the same network

Hello, I'm new here but I know a thing or two.
I would like some advice about my settings and my case.

For the record, I can change the IP only on the one router. The other one is a Cisco 2811 and I don't have the password, and I don't want to go there actually.
In my network there are about 60 users. I have one connection at 2Mbps up and 2Mbps down and one connection at 24Mbps down and 1Mbps up. The problem is that because I can't change the network's IP (because of servers, applications and people in my way), by following your great talks about load balance and fail over, I can only make it work by creating a bridge with all ports in it (Local, WAN1, WAN2).

So the 2/2Mbps router IP is 10.0.0.1 and the 24/1Mbps is 10.0.0.2.
I gave 10.0.0.3 to the LAN interface and also made it the default gateway on the PCs. The routerboard is the rb951ui-2hnd which I bought recently.
The code I'm using is this, but the only way to have at least internet on the local interface is to make WAN1 and WAN2 slave and Local their master. But then, some firewall, NAT and mangle rules need to be set on master ports instead of the slave WAN1 and WAN2. So I created a bridge with all the ports and use the bridge port, which is master by its nature, in the NAT and mangle rules. So here it is.

/interface bridge
add name=Localwan

/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] master-port=none name=Local1
set [ find default-name=ether3 ] master-port=none name=WAN1
set [ find default-name=ether4 ] master-port=none name=WAN2
set [ find default-name=ether5 ] disabled=yes

/interface bridge port
add bridge=Localwan interface=Local1
add bridge=Localwan interface=WAN1
add bridge=Localwan interface=WAN2

/ip address
add address=10.0.0.3/24 network=10.0.0.0 broadcast=10.0.0.255 interface=Local1
add address=10.0.0.4/24 network=10.0.0.0 broadcast=10.0.0.255 interface=WAN1
add address=10.0.0.5/24 network=10.0.0.0 broadcast=10.0.0.255 interface=WAN2

/ip dns
set allow-remote-requests=no servers=8.8.8.8,8.8.4.4

/ip firewall layer7-protocol
add name=FACEBOOK regexp="^.+(facebook.com|el-gr.facebook.com|youtube.com|newsit.gr|nooz.gr|whatsapp.com|instagram.com|pinterest.com|linkedin.com|twitter.com|xing.com|renren-inc.com|disqus.com|snapchat.com|tumblr.com|twoo.com|mymfb.com|vine.co|meetup.com|secret.ly|medium.com|plus.google.com).*$"

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward layer7-protocol=FACEBOOK

/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=Local1
# PCC remainders must be smaller than the denominator; 2/2 can never match, so a 2:1 split needs denominator 3
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local1 new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local1 new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Local1 new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=Local1 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Local1 new-routing-mark=to_WAN2


/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.0.1 check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=10.0.0.2 check-gateway=ping distance=1


Am I good or do I have to make any changes? I'm watching the traffic but I'm not sure if the load balance works.
Thank you in advance!
B.t.w., rb951ui-2hnd is awesome!

The load balance doesn't work. It just watches the traffic and chooses the WAN which will give internet to the local interface, according to the distance I give to the WANs. Don't know what else I can do. Please help!

For a start, if you have all ports bridged, any traffic to the router will come on the bridge interface; you won't get any hits for in-interface=Local1/WAN1/WAN2. You will need to tell the traffic from LAN from the rest using some other way. Using src-address=10.0.0.0/24 should probably work (that would be LAN->inet, and the rest inet->LAN). Another problem is your firewall: the "action=drop chain=forward connection-state=invalid" rule will kill your traffic, because what you're creating is asymmetric routing (traffic from LAN to inet will go to the router, but return traffic will be simply bridged and the router's firewall won't see it). You will also need to make sure that you disable sending redirects, otherwise clients could be redirected to one of the real gateways. If you fix these problems, I think it could probably work.

Thank you very much! I think it's working!! At speedtests at least... I'm getting the right numbers. Although, now I download a file at 400kbps when the bandwidth is free, while before, when only the 24/1Mbps line was used, I could download at 1Mbps when the bandwidth was free. This is what I did:

/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward layer7-protocol=FACEBOOK

/ip firewall mangle
add action=mark-connection chain=input in-interface=Localwan new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input in-interface=Localwan new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=Localwan
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Localwan new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Localwan new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Localwan new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=Localwan new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=Localwan new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Localwan new-routing-mark=to_WAN2 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat connection-mark=WAN1_conn out-interface=Localwan
add action=masquerade chain=srcnat connection-mark=WAN2_conn out-interface=Localwan

/ip route
add check-gateway=ping distance=1 gateway=10.0.0.2 routing-mark=to_WAN1
add check-gateway=ping distance=2 gateway=10.0.0.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=10.0.0.2
add check-gateway=ping distance=2 gateway=10.0.0.1

A few things:

  1. Your current input marking is useless; everything will just end up with the WAN2_conn mark. If you want it to work and actually mark traffic coming from different gateways, add a src-mac-address condition with the MAC of each gateway to the marking rules.

  2. It's a good idea to use connection-mark=no-mark with connection marking rules. You really want it marked only once; there's no need to do anything with it again if it already has a mark. You can also use it to optimize processing a little, if you jump to a dedicated marking chain for unmarked connections.

  3. You shouldn't need NAT at all. All you need is to distribute connections between gateways. Now they look to them as if they come from your router (10.0.0.3). But if they kept their original addresses (e.g. 10.0.0.123), the gateways would still know how to reach them.

  4. You only need one address (10.0.0.3) and it should be on the bridge interface. The other ones are useless.

Edit: On second look, some things might be a little more complicated. You probably need to keep NAT, otherwise connection marking won't work well, I think. Also, if you had some ports forwarded from public addresses, they wouldn't work either with this config. You would have to add the same kind of marking with src-mac-address as I suggested for input. In fact, you can just move it to prerouting and use it for both input and forward.

Edit2: Maybe you could get rid of NAT if you enabled the bridge to use the IP firewall; that could allow connection tracking to work reliably. But I'm not completely sure if it can be combined this way (one direction coming to the firewall using normal routing and the other direction from the bridge). I would have to test it.
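The following puts the advice from the first reply (classify LAN traffic by src-address, disable redirects) and points 1 to 4 plus the Edit above into one configuration for the Localwan bridge. It is an added example written for this thread, not config posted by either participant; it assumes RouterOS v6 syntax as used in the thread, keeps NAT as the Edit recommends, and uses placeholder MACs (XX:XX:XX:XX:XX:01 for 10.0.0.1, XX:XX:XX:XX:XX:02 for 10.0.0.2) that must be replaced with the real gateway MACs.

```routeros
# Added example for this thread, not either poster's config. Placeholder MACs:
# XX:XX:XX:XX:XX:01 = 10.0.0.1 (2/2 Mbps), XX:XX:XX:XX:XX:02 = 10.0.0.2 (24/1 Mbps).
# Read the real ones with "/ip arp print" after pinging both gateways.

# Point 4: a single address, on the bridge itself rather than on member ports.
/ip address
add address=10.0.0.3/24 interface=Localwan

# First reply: never send ICMP redirects, or clients learn the real gateways and bypass the router.
/ip settings
set send-redirects=no

/ip firewall mangle
# Point 1 and the Edit: tell the two gateways apart by source MAC, in prerouting so the
# same rules serve both input (to the router) and forward (port forwards). Only new,
# still-unmarked connections are touched; replies to LAN connections already carry a mark.
add chain=prerouting in-interface=Localwan src-mac-address=XX:XX:XX:XX:XX:02 connection-mark=no-mark action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=Localwan src-mac-address=XX:XX:XX:XX:XX:01 connection-mark=no-mark action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
# LAN to LAN: nothing to balance.
add chain=prerouting src-address=10.0.0.0/24 dst-address=10.0.0.0/24 action=accept
# Point 2: only unmarked LAN connections (src-address, since in-interface is always the bridge)
# enter the dedicated PCC chain; marked ones skip all four PCC rules.
add chain=prerouting src-address=10.0.0.0/24 dst-address-type=!local connection-mark=no-mark action=jump jump-target=pcc-mark
# 3:1 split favouring the 24 Mbps line (WAN1 = 10.0.0.2); the four buckets are mutually exclusive.
add chain=pcc-mark per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=pcc-mark per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=pcc-mark per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=pcc-mark per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
# Routing marks: LAN-originated packets in prerouting, the router's own replies in output.
add chain=prerouting src-address=10.0.0.0/24 connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting src-address=10.0.0.0/24 connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2 passthrough=no

# Kept per the Edit: replies come back to 10.0.0.3 instead of being bridged straight to the
# client, so the router's connection tracking sees both directions.
/ip firewall nat
add chain=srcnat out-interface=Localwan dst-address=!10.0.0.0/24 action=masquerade

/ip route
add gateway=10.0.0.2 routing-mark=to_WAN1 check-gateway=ping
add gateway=10.0.0.1 routing-mark=to_WAN2 check-gateway=ping
add gateway=10.0.0.2 distance=1 check-gateway=ping
add gateway=10.0.0.1 distance=2 check-gateway=ping
```

To confirm the split is happening, watch the packet counters of the four pcc-mark rules and of the two marked routes under load; if only one of them moves, the connections are not reaching the marking chain.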