Load-balancing NAT with multiple WAN interfaces WITHOUT BONDING and WITH L3HW/NAT-PMP?

RouterOS General
1

[ Environment ]
We are going to setup NAT-based network for a single office room with CRS309-1G-8S+.
We have two 1GbE wall sockets for WAN connections, but we do not know whether the both WAN physical connection are connected to the same switch/router or not.
But we do know that the “uplink” bandwidth of this uplink is >1Gbps, and there is no bandwidth limit on each of WAN public IP address.
We cannot touch any configuration at the uplink side, including bonding.
We can use multiple public IP addresses for WANs (but not enough for all local endpoints), and each of them is fixed, not dynamic.

balance-alb/balance-tlb/etc. is not an option as we do want L3HW NAT offload here.
802.3ad and balance-xor requires configurations on the uplink side for load-balancing traffics towards the downlink.

The another problem is that NAT-PMP with the Mikrotik is limited to work with only one WAN interface without bonding.
We do want that all endpoints are able to use NAT-PMP.

[ What we want to achieve ]
We want to distribute LAN-to-WAN loads to both of WAN 1GbE connections in most efficient way possible without bonding, for both ingress-initiated and egress-initiated connections.



Basic solutions I know are:

  1. (if we do care about a fixed WAN IP address for each endpoint) Put a separate WAN IP address for each WAN interface, then do:
/ip firewall nat add action=src-nat to-address=[WAN_IP_1] chain=srcnat in-interface-list=[VLAN_LIST_1]
/ip firewall nat add action=src-nat to-address=[WAN_IP_2] chain=srcnat in-interface-list=[VLAN_LIST_2]

(the load-balancing with the above configuration is too limited)

  1. (if we are fine with continuously varying WAN IP address for each endpoint) Put a separate WAN IP address for each WAN interface, then do:
/interface list add name=WAN
/interface list member add interface=sfp-sfpplus1 list=WAN
/interface list member add interface=sfp-sfpplus2 list=WAN
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

(but does #2 even do any sort of load-balancing anyway?)

Both #1 and #2 approach have limited NAT-PMP support of that all connections initiated by NAT-PMP rules are binded to a single WAN interface.

Is there a better way?

2

First and foremost CRS309-1G-8S+ is a switch with limited routing capability you will be disappointed that it won’t hit your 1G mark, just my 0.2$