Load balancing and failover on MikroTik from generic router with PPPoE and static connection

mylan.png
myconfig.txt (2.13 KB)
Good morning, everyone,
I can use a single connection at a time by configuring the connected computer; now I would like to do load balancing and failover between the 2 connections.
I tried to use these instructions but I have difficulty in the firewall mangle because I can’t mark the gateways, because they are marked only by IP.
Can someone help me?

I’ve tried this previous configuration, but it’s blocking the entire lan.

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!WAN2_conn log=no log-prefix="" comment="defconf: fasttrack"
add chain=forward action=accept in-interface=bridge out-interface=bridge log=no log-prefix="" comment="accept packets that use LTE as gateway"
add chain=forward action=drop

/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.8.10 src-address=192.168.1.0/24 dst-address=!192.168.1.0/24 out-interface=bridge log=no log-prefix=""

/ip firewall mangle
add chain=input action=mark-connection new-connection-mark=WAN1_conn connection-mark=no-mark in-interface=ether4 comment="PCC for LTE"
add chain=input action=mark-connection new-connection-mark=WAN2_conn src-address=!192.168.1.0/24 connection-mark=no-mark in-interface=bridge
add chain=output action=mark-routing new-routing-mark=to_WAN1 connection-mark=WAN1_conn
add chain=output action=mark-routing new-routing-mark=to_WAN2 connection-mark=WAN2_conn
add chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=bridge per-connection-classifier=both-addresses-and-ports:2/0
add chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=bridge per-connection-classifier=both-addresses-and-ports:2/1
add chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn in-interface=bridge
add chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn in-interface=bridge log=no log-prefix=""

/ip route
add dst-address=0.0.0.0/0 gateway=ether4 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark=to_WAN2 check-gateway=ping

/ip route rule
add action=lookup-only-in-table table=main dst-address=192.168.1.0/24
add action=lookup-only-in-table table=main dst-address=192.168.8.0/24

It seems to me that you’re looking at the wrong place. If both WANs are connected to the Ubiquiti router and RB is only a bridge, it’s the router that should be handling any kind of load balancing.

I understand that the Ubiquiti router should handle the balancing, but I can’t reverse the devices because the MikroTik has only 4 ports. I thought you could handle balancing from the bridge as well.

It depends, there are many tricks, but so far I don’t see any obvious solution, not even speaking about a clean one. There would either have to be some cooperation from the main router: it would have to be able to tell which WAN you want to use when sending packets from RB, but that’s problematic. Or you could exclude it and pass the connection from the LTE router to RB, either separated from the main LAN in a VLAN, or you could just bridge it with the main LAN and it would work too. But then you have another problem. RB could intercept connections from devices connected behind it, but not from other devices connected directly to the main router and not passing through RB.

It might not be a problem; I am interested that on the MikroTik and its WiFi area there is load balancing and failover, as far as the Ubiquiti router can create two untagged VLANs.

Sorry, I missed this one. There are two important pieces:

  1. You need two distinct gateways. You have one on main router and then you need other one from LTE router. You can either connect it to RB using vlan, or you could simply bridge everything together (you’d have one L2 segment with two L3 subnets). Vlan would be cleaner solution.
  2. You need to intercept traffic from connected devices. I don’t use it much, but I think all you need is to enable option to use IP firewall for bridge. Then you’ll see everything passing through router in IP firewall and you can select connections to internet with src-address=192.168.1.0/24 dst-address=!192.168.1.0/24, and use any kind of dual-WAN config for them.

Sob, I’d already lost all hope, thank you for the answer.
The management of VLANs on the Ubiquiti router is very limited (I’ll send you a screenshot); maybe you can configure it from the command line, but I’m not able to.
If I understood correctly, to solve my particular situation, on the bridge you should mark the traffic coming from ISP1 and put another mark on all the traffic except ISP1.
Can you give me a hand? MikroTik routers are very versatile but very complex, and I don’t have enough experience to do it alone.
Schermata del 2020-03-19 09.19.27.png

Let’s start with RouterOS, this is basic bridge config, pretty much what you have now:

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
...
/ip address
add address=192.168.1.170/24 interface=bridge
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

You need second gateway. Let’s assume you were able to get it here in VLAN, so you can add it as another interface:

/interface vlan
add interface=bridge name=vlan-lte vlan-id=8
/ip address
add address=192.168.8.X/24 interface=vlan-lte

Now you have two available gateways, so you can add dual-WAN config. It’s all private addresses, so you probably don’t need to care about incoming connections (unless you’re forwarding ports to connected devices). Simple example:

/ip route
add gateway=192.168.1.1 routing-mark=wan1
add gateway=192.168.8.1 routing-mark=wan2
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.8.0/24
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=wan1conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=wan2conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1conn new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2conn new-routing-mark=wan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan-lte

But it won’t work, because connected devices use 192.168.1.1 as gateway, so the bridge’s routing won’t be interested in them. You can change that with:

/interface bridge nat
add action=redirect chain=dstnat dst-address=!192.168.0.0/16 mac-protocol=ip

It will redirect all IP packets with non-local destination to RB, as if device used RB as gateway, so there will be standard routing for them. I originally thought that it could be done with bridge’s use-ip-firewall=yes, but it doesn’t work.

Now for the main router, the goal is very simple, connect interface with LTE router with tagged VLAN in main LAN. I don’t know this UI, and it’s not very clear how it’s done, but it must be possible. My guess is that if you have LAN0 (main LAN) and LAN1 (interface with LTE router), you should define VLAN (I used id 8 in example) on LAN0, and then make another bridge containing LAN1 and LAN0.8. You’ll know that it’s correct when you’re able to ping 192.168.8.1 from RB (after you added VLAN interface and its IP address there).
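Added illustration (mine, not Sob’s config or RouterOS code): a small Python model of the prerouting mangle chain above, showing how the PCC classifier assigns each new connection to wan1 or wan2, that the mark then sticks to every packet of that connection, and that traffic to the two local subnets is left unmarked. RouterOS does not publish its PCC hash, so the SHA-256 stand-in is an assumption; any deterministic hash over the same fields gives the same per-connection behaviour.

```python
# Model of the prerouting mangle chain in Sob's dual-WAN example (added
# illustration, not RouterOS code). Assumption: RouterOS does not publish its
# PCC hash, so SHA-256 over the same fields is used as a stand-in.
import hashlib
import ipaddress

# The two "action=accept" rules: traffic to these subnets is never marked.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.8.0/24")]
# connection-mark -> routing-mark, as in the two mark-routing rules
CONN_TO_ROUTING_MARK = {"wan1conn": "wan1", "wan2conn": "wan2"}


def pcc_remainder(src, dst, sport, dport, denominator):
    """per-connection-classifier=both-addresses-and-ports:<denominator>/<remainder>
    Hash both addresses and both ports, reduce modulo the denominator."""
    key = f"{src}:{sport}->{dst}:{dport}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % denominator


def classify(conntrack, src, dst, sport, dport):
    """Run one packet through the chain. conntrack maps a flow tuple to the
    connection-mark it received on its first (connection-state=new) packet.
    Returns the routing-mark the packet leaves prerouting with, or None."""
    flow = (src, dst, sport, dport)
    if any(ipaddress.ip_address(dst) in net for net in LOCAL_SUBNETS):
        return None  # accepted: stays in the main routing table
    if flow not in conntrack:  # connection-state=new -> mark-connection via PCC
        remainder = pcc_remainder(src, dst, sport, dport, 2)
        conntrack[flow] = "wan1conn" if remainder == 0 else "wan2conn"
    # mark-routing rules: routing-mark follows the connection-mark, passthrough=no
    return CONN_TO_ROUTING_MARK[conntrack[flow]]


def split_counts(flows):
    """How a batch of flows is spread across the two WANs."""
    conntrack, counts = {}, {"wan1": 0, "wan2": 0}
    for flow in flows:
        mark = classify(conntrack, *flow)
        if mark is not None:
            counts[mark] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one LAN host opening 20 HTTPS connections
    sample = [("192.168.1.20", "203.0.113.10", 40000 + i, 443) for i in range(20)]
    print(split_counts(sample))
```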

Hi, Sob,
your configuration is brilliant. I tried to create a VLAN on the Ubiquiti router, but this is not possible because it doesn’t have the possibility to tag ports. Practically it can do two VLANs but only with LAN, WAN, WLAN interfaces; it can’t assign a VLAN to a port.

I don’t know Ubiquiti’s VLAN config, but it sounds almost unbelievable. Why would it even be there, if it couldn’t do such a simple thing? So what exactly does e.g. LAN0.10 in the screenshot do? I’d expect it to be tagged VLAN 10 on top of the LAN0 interface.

It associates only the prefixed interfaces to the VLAN; it does not tag the individual port.

So what exactly e.g. LAN0.10 in screenshot does? I’d expect it to be tagged VLAN 10 on top of LAN0 interface.

yes
Schermata del 2020-03-20 16.47.09.png
The LAN0 is practically a whole block of 4 non-taggable ports.

I’m still lost, I’m afraid.

Where exactly is LTE modem connected to? Does it have some LAN1 on router?

Assuming that it does and that LAN0 is your main LAN with 192.168.1.0/24, what happens if you add VLAN with id 8 in “VLAN Network” on top of LAN0 and then create new BRIDGE2 containing LAN0.8 and LAN1? Is it possible?

LAN0 is the main LAN 192.168.1.1/24.
You can define a LAN0.8 by assigning an ip 192.168.8.x, but the port to which the LTE is connected remains untagged.

If this is a ubiquiti issue you are in the wrong forum. :slight_smile:
https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware
https://www.youtube.com/watch?v=grg8TxsSops

https://community.ui.com/questions/Beginners-VLAN-Setup/68f554d0-4196-4cc8-a1d9-1fe81f7da55c
https://community.ui.com/questions/Passing-VLANS/c2425b5a-937a-4a5f-acc3-4f592c883111
https://community.ui.com/questions/A-non-expert-Guide-to-VLAN-and-Trunks-in-Unifi-Switches/7462245c-95a7-455e-a711-209f44e194cb

Port with LTE should be untagged and you want same network segment tagged on the port with RB.

But do you mean that both LTE and RB are on LAN0, i.e. there are two L3 subnets in same L2 segment? In that case, forget VLANs and simply add 192.168.2.x/24 on bridge. The only thing you’ll need to tweak is srcnat rule. I’ll think about that if you confirm this.

Ihhh, I know, I’m trying to make two different routers get along, only the Ubiquiti router is really lame.
I’ll write a bit on the ubi forum and ask for opinions. :laughing:

yes, RB and LTE are on the same network segment

So on RB, scrap VLAN interface and move 192.168.8.X/24 to bridge. You should be able to reach 192.168.8.1 directly (do a traceroute to it from RB and it should be first hop). The rest of config remains, only srcnat needs to be different. I don’t have much time now, but as a quick way you can use:

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24 dst-address=!192.168.0.0/16

It will apply also to connections it wouldn’t necessarily have to, but that can be fixed later.

mythical Sob,
works well, I am very happy, for the failover as you could do since the two gateways to the two gateways can not ping.

I’m not sure I understand the last part. Both 192.168.1.1 and 192.168.8.1 should be pingable from RB. If not, on Ubi router it would be caused by your config. And for LTE it’s unlikely that manufacturer would block ping from LAN.

For failover, there are different methods. You can add route via LTE also to main routing table (without routing mark) with higher metric, add check-gateway option (ping or arp) for all four routes and you have the simplest config. Or you can go for Advanced Routing Failover without Scripting or anything else you like.

And you can use this as optimized srcnat rule, because you can keep original source addresses for connections using WAN1:

/ip firewall nat
add action=masquerade chain=srcnat connection-mark=wan2conn

You could also get rid of it completely, if you merged both subnets. Since there is no separation anyway, LTE could be e.g. 192.168.1.2/24 (if it’s not already used by something else).
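Added illustration (mine, not Sob’s config or RouterOS code) of the simplest failover method Sob describes: four default routes, the two routing-mark routes plus a primary and a higher-distance LTE route in the main table, with check-gateway deciding which are active. It assumes the RouterOS v6 lookup behaviour where a routing-mark table with no active route falls back to the main table.

```python
# Model of the check-gateway failover described above (added illustration,
# not RouterOS code). Assumption: RouterOS v6 semantics, where a lookup in a
# routing-mark table that finds no active route falls back to the main table.
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    gateway: str
    routing_mark: str = "main"  # "main" stands for the unmarked table
    distance: int = 1           # lower wins among active routes in one table


# The four default routes from the thread: two marked, two in main
ROUTES = (
    Route("192.168.1.1", "wan1"),
    Route("192.168.8.1", "wan2"),
    Route("192.168.1.1", "main", distance=1),  # primary via the main router
    Route("192.168.8.1", "main", distance=2),  # LTE backup, higher distance
)


def lookup(routes, routing_mark, gateway_up):
    """Gateway chosen for a packet carrying routing_mark, or None if nothing
    is reachable. gateway_up maps gateway address -> check-gateway result."""
    def best(table):
        active = [r for r in routes
                  if r.routing_mark == table and gateway_up.get(r.gateway, False)]
        return min(active, key=lambda r: r.distance).gateway if active else None

    chosen = best(routing_mark) if routing_mark != "main" else None
    return chosen if chosen is not None else best("main")


def failover_table(routes, gateway_up):
    """Where each class of traffic goes for a given set of check-gateway results."""
    return {mark: lookup(routes, mark, gateway_up) for mark in ("wan1", "wan2", "main")}


if __name__ == "__main__":
    both_up = {"192.168.1.1": True, "192.168.8.1": True}
    wan1_down = {"192.168.1.1": False, "192.168.8.1": True}
    print("normal:   ", failover_table(ROUTES, both_up))
    print("WAN1 down:", failover_table(ROUTES, wan1_down))
```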