Hello all,
I have looked for a solution to this, but cannot find it.
I need to load balance two cable modem feeds into my Mikrotik. Problem is, both connections have the same gateway.
Is this possible?
Thank you.
I will add some more information to this, perhaps it will help with responses…
I have the following interfaces:
Cable1 10MB
Cable2 10MB
ATT 4.5MB
Local
PTP
I need to load balance cable1 and cable2 so that stations connected to local and PTP interfaces can use the load balanced interfaces and take advantage of the doubled bandwidth available. As I said, cable1 and cable2 have the same gateway, which I know presents a problem.
If that is not possible, then I can use either Cable1 or Cable2 and load balance it with ATT interface, for the same use as above.
I can supply more information if needed.
Any help would be appreciated.
You could create a route with a routing mark and then mark every other new connection with that routing mark.
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
    action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
    disabled=no
The above is a part of the following:
http://wiki.mikrotik.com/wiki/Improved_Load_Balancing_over_Multiple_Gateways
Use the PCC or ECMP method for load balancing, and in the routes specify the gateway by interface, not by IP. For example:
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=whatever
Don’t you have to list two or more gateways in a single route for ECMP routing? Also, how would you use PCQ to select a gateway?
Once the route is selected I think queuing is irrelevant unless the goal is to hold some traffic back. I generally use SFQ to prioritize traffic types within one interface unless I am worried about fair distribution of a rate controlled service in which case I use PCQ.
I would solve this with packet marking and route selection. I would also note that one TCP connection should always go out the same interface so you're going to want to also mark connections. If you don’t keep connections sourced from the same IP then you may have issues with HTTPS sites or other services that care about having valid TCP connections.
If PCQ can somehow be used to split connections out over different interfaces to the same gateway then please provide more detail. I’ve never thought of this type of use.
It is PCC, not PCQ
I agree with using PCC. You can use the same gateway and specify an interface by using the % sign.
Example:
/ip route
add gateway=1.1.1.1%ether1
add gateway=1.1.1.1%ether2 distance=2
You're right on. Sorry, I obviously misread. And PCC would be easier than connection and packet marking.
OK, I will try it tonight. I tried using the script from this page: http://aacable.wordpress.com/2011/07/27/mikrotik-dual-wan-load-balancing-using-pcc-method-complete-script-by-zaib/
to try to get one of the cable WANs and my ATT WAN to load balance, but a couple of the lines in the firewall chain are staying at 0 on their counters, so something is not quite right yet.
Thank you.
I have not been able to get this to work. Here is my export:
It's probably something very simple, but I have tried many different configs and have not had any luck. This is PCC with cable-1 and ATT. Once I get those two to work together, then I will try to add in cable-2 (has the same gateway and in the same subnet as cable-1).
/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=\
    Public-gateway new-connection-mark=Public-gateway_conn passthrough=no
add action=mark-connection chain=input disabled=no in-interface=SL-1 \
    new-connection-mark=SL-1_conn passthrough=no
add action=mark-routing chain=output connection-mark=Public-gateway_conn \
    disabled=no new-routing-mark=to_Public-gateway passthrough=no
add action=mark-routing chain=output connection-mark=SL-1_conn disabled=no \
    new-routing-mark=to_SL-1 passthrough=no
add action=accept chain=prerouting disabled=no dst-address=x.165.234.128/25 \
    in-interface=Office-network
add action=accept chain=prerouting disabled=no dst-address=y.76.133.1 \
    in-interface=Office-network
add action=accept chain=prerouting disabled=no dst-address-type=!local \
    in-interface=Office-network per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=accept chain=prerouting disabled=no dst-address-type=!local \
    in-interface=Office-network per-connection-classifier=\
    both-addresses-and-ports:3/1
add action=mark-routing chain=prerouting connection-mark=SL-1_conn disabled=\
    no in-interface=Office-network new-routing-mark=to_SL-1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=Public-gateway_conn \
    disabled=no in-interface=Office-network new-routing-mark=\
    to_Public-gateway passthrough=no
/ip address
add address=192.168.100.1/24 disabled=no interface=Office-network network=\
    192.168.100.0
add address=10.90.90.1/23 disabled=no interface=PTP-to-Hoxie network=10.90.90.0
add address=x.165.234.132/25 disabled=no interface=Public-gateway network=\
    x.165.234.128
add address=y.76.133.250/32 disabled=no interface=SL-1 network=y.76.133.0
/ip route
add check-gateway=ping comment="added by setup" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=x.165.234.129 routing-mark=to_Public-gateway \
    scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    SL-1 routing-mark=to_SL-1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    x.165.234.129 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    y.76.133.1%SL-1 scope=30 target-scope=10
/ip route rule
add action=lookup disabled=no dst-address=0.0.0.0/0 src-address=0.0.0.0/0 \
    table=main
You need to use the gateway=1.1.1.1%interface for the routes with packet marks as well. Setting the routes to use an interface is really only useful for tunnel interfaces.
When I try this on the routes with marks and without:
gateway = x.76.133.250%SL-1
Both routes then say unreachable
Also, this line:
add action=accept chain=prerouting disabled=no dst-address=y.76.133.1 in-interface=Office-network
will not accept me putting in a subnet mask. The counter on this line is staying at zero, as is the counter for this line:
add action=mark-routing chain=prerouting connection-mark=SL-1_conn disabled=no in-interface=Office-network new-routing-mark=to_SL-1 passthrough=no
I have been issued these IPs from Cable: y.76.133.250 - y.76.133.254
Can you post your entire config with /export compact?
Here is the export.
[admin@MikroTik] > export compact
/interface ethernet
set 0 name=Public-gateway
set 1 name=SL-1
set 2 disabled=yes name=PTP-to-H
set 3 name=Office-network
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=Office-pool ranges=192.168.100.10-192.168.100.254
add name=Wireless-pool ranges=\
    10.90.90.11-10.90.90.254,10.90.91.11-10.90.91.254
/ip dhcp-server
add add-arp=yes address-pool=Office-pool always-broadcast=yes disabled=no \
    interface=Office-network lease-time=1d name=Office-DHCP
add add-arp=yes address-pool=Wireless-pool always-broadcast=yes interface=\
    PTP-to-H name=Wireless-network
/port
set 0 flow-control=hardware
set 1 flow-control=hardware
/system logging action
set 3 remote=0.0.0.0
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.100.1/24 interface=Office-network
add address=10.90.90.1/23 interface=PTP-to-H
add address=x.165.234.132/25 interface=Public-gateway
add address=x.76.133.250/29 interface=SL-1
/ip dhcp-client
add add-default-route=no interface=SL-1
/ip dhcp-server lease
add address=192.168.100.252 client-id=1:0:50:da:cd:1e:70 mac-address=\
    00:50:DA:CD:1E:70 server=Office-DHCP
add address=192.168.100.10 client-id=1:0:30:bd:2e:68:54 mac-address=\
    00:30:BD:2E:68:54 server=Office-DHCP
add address=192.168.100.15 client-id=1:0:f:1f:78:9c:cb mac-address=\
    00:0F:1F:78:9C:CB server=Office-DHCP
add address=192.168.100.20 client-id=1:0:d:56:5f:8d:19 mac-address=\
    00:0D:56:5F:8D:19 server=Office-DHCP
/ip dhcp-server network
add address=10.90.90.0/23 dns-server=192.168.100.1,12.165.234.130 gateway=\
    10.90.90.1
add address=192.168.100.0/24 dns-server=x.165.234.132,68.94.156.1 gateway=\
    192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=10240KiB servers=\
    x.94.156.1,x.94.157.1
/ip dns static
add address=192.168.100.1 name=m.w.net
add address=x.165.234.130 name=t.w.net
add address=x.165.234.131 disabled=yes name=g.w.net
add address=x.180.42.100 disabled=yes name=rdns02.s.net ttl=5d
add address=8.8.8.8 disabled=yes
add address=68.94.156.1 disabled=yes
/ip firewall address-list
/ip firewall filter
add chain=input comment="Router protection - Allow established connections" \
    connection-state=established
add action=drop chain=input comment=\
    "Router protection - drop invalid connections" connection-state=invalid
add chain=input comment="Router protection - allow access from these IPs" \
    src-address=10.90.90.0/23
add chain=input src-address=192.168.100.0/24
add chain=input src-address=192.168.68.0/24
add chain=input src-address=x.76.133.248/29
add chain=input comment="Router protection - Allow UDP" protocol=udp
add chain=input comment="Router Protection - Allow ICMP" protocol=icmp
add action=drop chain=input comment=\
    "Router protection - drop everything else"
add chain=forward comment="Customer protection (data going through router) - A\
    llow Established connections" connection-state=established
add chain=forward comment="Customer protection - Allow related connections" \
    connection-state=related
add action=drop chain=forward comment=\
    "Customer protection - Drop Invalid connections" connection-state=invalid
add action=jump chain=forward comment="Jump to virus port scan" jump-target=\
    Virus
add action=jump chain=input comment="Jump to virus port scan" disabled=yes \
    jump-target=Virus
add action=drop chain=input comment="block all other access" disabled=yes
add action=drop chain=Virus comment=\
    "port block warning - disabled for x" disabled=yes \
    dst-port=1434 protocol=tcp
add action=drop chain=Virus comment="Disabled for x" disabled=\
    yes dst-port=1434 protocol=udp
add action=drop chain=Virus dst-port=2745 protocol=udp
add action=drop chain=Virus dst-port=6344-6381 protocol=tcp
add action=drop chain=Virus dst-port=6344-6381 protocol=udp
add action=drop chain=Virus comment="MyDoom - leave disabled for x!" \
    disabled=yes dst-port=1080 protocol=tcp
add action=drop chain=Virus dst-port=1214 protocol=tcp
add action=drop chain=Virus disabled=yes dst-port=593 protocol=tcp
add action=drop chain=Virus dst-port=1024-1030 protocol=tcp
add action=drop chain=Virus comment="Blaster Worm" disabled=yes dst-port=\
    135-139 protocol=tcp
add action=drop chain=Virus comment="Messenger Worm" dst-port=135-139 \
    protocol=udp
add action=drop chain=Virus comment="Blaster Worm" disabled=yes dst-port=445 \
    protocol=tcp
add action=drop chain=Virus comment="Blaster Worm" disabled=yes dst-port=445 \
    protocol=udp
add action=drop chain=Virus comment="ndm requester" dst-port=1363 protocol=\
    tcp
add action=drop chain=Virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=Virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=Virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=Virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=Virus comment="Worm - disabled for x" \
    disabled=yes dst-port=1433-1434 protocol=tcp
add action=drop chain=Virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
    tcp
add action=drop chain=Virus comment="Drop Beagle" dst-port=2235 protocol=tcp
add action=drop chain=Virus comment="Drop Beagle.C-K" disabled=yes dst-port=\
    2745 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" dst-port=3127-3128 \
    protocol=tcp
add action=drop chain=Virus comment="Drop Backdoor OptixPro" dst-port=3410 \
    protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=Virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=Virus comment="Drop Beagle.B" dst-port=8866 protocol=\
    tcp
add action=drop chain=Virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
    tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
    tcp
add action=drop chain=Virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
    tcp
add action=drop chain=Virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=Virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=Virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
    65506 protocol=tcp
add action=drop chain=Virus comment="Drop SubSeven" dst-port=27374 protocol=\
    tcp
add chain=Virus comment="Age of Conan game" dst-port=6881-6889 protocol=tcp
add chain=Virus comment="Age of Conan game #2" dst-port=6881-6889 protocol=\
    udp
add chain=Virus comment="Age of Conan game #3" dst-port=7000-7999 protocol=\
    tcp
add chain=Virus comment="Star Wars Old Republic #1" dst-port=8995 protocol=\
    tcp
add chain=Virus comment="Star Wars Old Republic #2" dst-port=12000-12999 \
    protocol=tcp
add chain=Virus comment="Star Wars Old Republic #3" dst-port=20000-3000 \
    protocol=tcp
add action=drop chain=forward comment="block bogon" disabled=yes src-address=\
    127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward disabled=yes src-address=224.0.0.0/3
add action=drop chain=forward disabled=yes dst-address=224.0.0.0/3
add action=drop chain=input comment="Drop telnet attempts" dst-port=23 \
    protocol=tcp
add chain=input dst-port=1080 protocol=udp
add action=log chain=input comment="Log everything else" disabled=yes \
    log-prefix="DROP INPUT"
add action=mark-connection chain=input in-interface=Public-gateway \
    new-connection-mark=Public-gateway_conn passthrough=no
add action=mark-connection chain=input in-interface=SL-1 new-connection-mark=\
    SL-1_conn passthrough=no
add action=mark-routing chain=output connection-mark=Public-gateway_conn \
    new-routing-mark=to_Public-gateway passthrough=no
add action=mark-routing chain=output connection-mark=SL-1_conn \
    new-routing-mark=to_SL-1 passthrough=no
add chain=prerouting dst-address=x.165.234.128/25 in-interface=\
    Office-network
add chain=prerouting dst-address=x.76.133.248/29 in-interface=Office-network
add chain=prerouting dst-address-type=!local in-interface=Office-network \
    per-connection-classifier=both-addresses-and-ports:2/0
add chain=prerouting dst-address-type=!local in-interface=Office-network \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=SL-1_conn \
    in-interface=Office-network new-routing-mark=to_SL-1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=Public-gateway_conn \
    in-interface=Office-network new-routing-mark=to_Public-gateway \
    passthrough=no
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect for Unpaid customers" \
    dst-port=80 protocol=tcp src-address-list=Unpaid to-ports=8081
add action=masquerade chain=srcnat out-interface=Public-gateway to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=SL-1
/ip neighbor discovery
set PTP-to-H disabled=no
/ip proxy
set enabled=yes max-cache-size=none port=8081
/ip proxy access
add action=deny comment="block telnet & spam e-mail relaying" dst-port=23-25
add dst-address=x.165.234.130
add disabled=yes src-address=10.90.90.0/23
add disabled=yes src-address=192.168.100.0/24
add disabled=yes src-address=x.165.234.0/25
add disabled=yes dst-address=x.165.234.130
add action=deny disabled=yes redirect-to=x.165.234.130
add disabled=yes dst-address=x.165.234.130
add action=deny disabled=yes redirect-to=x.165.234.130
add action=deny redirect-to=x.165.234.130 src-address=10.90.90.0/23
add action=deny redirect-to=x.165.234.130 src-address=172.16.16.0/24
/ip proxy cache
add action=deny dst-host=":cgi-bin \?" local-port=""
/ip route
add check-gateway=ping comment="added by setup" distance=1 gateway=\
    x.165.234.129%Public-gateway routing-mark=to_Public-gateway
add check-gateway=ping distance=1 gateway=x.76.133.248%SL-1 routing-mark=\
    to_SL-1
add check-gateway=ping distance=1 gateway=x.165.234.129%Public-gateway
add check-gateway=ping distance=2 gateway=x.76.133.248%SL-1
add disabled=yes distance=1 dst-address=10.92.92.0/23 gateway=SL-1
add distance=1 dst-address=172.16.16.0/24 gateway=10.90.90.9
/ip route rule
add dst-address=0.0.0.0/0 src-address=0.0.0.0/0 table=main
/ip service
set telnet address=x.165.234.0/25
set ftp disabled=yes
set www address=x.165.234.0/25,192.168.100.0/24
set ssh disabled=yes
/ip traffic-flow
set enabled=yes
/ip upnp
set allow-disable-external-interface=no enabled=yes
/ip upnp interfaces
add interface=Public-gateway type=external
add interface=PTP-to-H type=internal
/ppp aaa
set accounting=no use-radius=yes
/radius incoming
set accept=yes port=1645
/routing rip interface
add receive=v2
/snmp
set enabled=yes trap-target=0.0.0.0
/system clock
set time-zone-name=America/Chicago
/tool bandwidth-server
set max-sessions=10
/tool graphing interface
add interface=Public-gateway
add interface=SL-1
add interface=PTP-to-H
add interface=Office-network
/tool sniffer
set file-limit=10KiB filter-direction=any filter-mac-protocol=!ip interface=\
    Public-gateway memory-limit=10KiB
/user aaa
set accounting=no use-radius=yes
[admin@MikroTik] >
The counter for this line in my config is zero (not moving any data): add chain=prerouting dst-address=x.76.133.248/29 in-interface=Office-network
Also, the following route is not active (font is blue): add check-gateway=ping distance=2 gateway=x.76.133.248%SL-1
On my Interfaces, my SL-1 WAN is receiving, but not transferring at all.
I can ping and traceroute across the SL-1 WAN interface, but it does not appear to be being used for web access.
Thank you.
Anyone care to look at this?
I don’t have the time at the moment to build it on my bench and I cannot give you an answer without building it to find the problem myself. If you wanted to create credentials so I could login to your equipment then I would take a look and see if I can find something but I don’t expect you to want to open your router to me… if you do then email me at joshaven at dmcibb dot net which is my day job address and I’ll send you a user/pass to add to your router.
I think there are a couple of things that need to be changed in the mangle rules:
/ip firewall mangle
add action=mark-connection chain=input comment=Router_in_out_connections \
disabled=no in-interface=Public-gateway new-connection-mark=\
Public-gateway_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=SL-1 \
new-connection-mark=SL-1_conn passthrough=yes
add action=mark-routing chain=output connection-mark=Public-gateway_conn \
disabled=no new-routing-mark=to_Public-gateway passthrough=no
add action=mark-routing chain=output connection-mark=SL-1_conn disabled=no \
new-routing-mark=to_SL-1 passthrough=no
add action=accept chain=prerouting disabled=no dst-address=192.168.100.0/24 \
in-interface=Office-network
add action=mark-connection chain=prerouting comment=PCC disabled=no \
dst-address-type=!local in-interface=Office-network new-connection-mark=\
Public-gateway_conn passthrough=yes per-connection-classifier=\
both-addresses:2/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
!local in-interface=Office-network new-connection-mark=SL-1_conn \
passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=SL-1_conn disabled=\
no in-interface=Office-network new-routing-mark=to_SL-1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=Public-gateway_conn \
disabled=no in-interface=Office-network new-routing-mark=\
to_Public-gateway passthrough=no
Try this in your mangle rules. Make a backup of your current config anyway.
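An added example, not part of any post in this thread: a small Python check for three mangle problems visible in the first export above (PCC matchers on rules whose action is accept, prerouting mark-routing rules that test a connection mark no prerouting rule sets, and a 3/0, 3/1 pair with no 3/2). The names LAN, WAN1 and WAN2 and both sample rulesets are constructed, and the parser is a simplification that reads only `add` lines and `\` continuations.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample (hypothetical names LAN/WAN1/WAN2) with the same shape as
# the first export in the thread: PCC matchers on accept rules, denominator 3.
BROKEN = r"""
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn
add action=accept chain=prerouting dst-address-type=!local in-interface=LAN \
    per-connection-classifier=both-addresses-and-ports:3/0
add chain=prerouting dst-address-type=!local in-interface=LAN \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2
"""

# Constructed sample shaped like the corrected rules suggested in the thread.
FIXED = r"""
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN \
    new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN \
    new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2
"""

def parse_rules(export_text):
    """Return one dict of key=value pairs per 'add' line of a mangle export."""
    joined = re.sub(r"\\\n\s*", "", export_text)  # undo '\' line continuations
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] != ["add"]:
            continue
        rule = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        rule.setdefault("action", "accept")  # RouterOS default when action is omitted
        rules.append(rule)
    return rules

def lint_pcc(export_text):
    """Return (rule_number, code, detail) findings; rule_number 0 = whole ruleset."""
    rules = parse_rules(export_text)
    marked = {r.get("new-connection-mark") for r in rules
              if r["action"] == "mark-connection" and r.get("chain") == "prerouting"}
    seen = defaultdict(set)  # (classifier, denominator) -> remainders present
    findings = []
    for n, r in enumerate(rules, 1):
        pcc = r.get("per-connection-classifier")
        if pcc:
            classifier, _, fraction = pcc.partition(":")
            denominator, remainder = (int(x) for x in fraction.split("/"))
            seen[(classifier, denominator)].add(remainder)
            if r["action"] != "mark-connection":
                findings.append((n, "pcc-no-mark", f"action={r['action']} sets no connection mark"))
        if (r["action"] == "mark-routing" and r.get("chain") == "prerouting"
                and r.get("connection-mark") not in marked):
            findings.append((n, "mark-never-set", r.get("connection-mark")))
    for (classifier, denominator), rems in sorted(seen.items()):
        missing = sorted(set(range(denominator)) - rems)
        if missing:
            findings.append((0, "pcc-gap", f"{classifier}:{denominator} lacks {missing}"))
    return findings

if __name__ == "__main__":
    for finding in lint_pcc(BROKEN):
        print(finding)
    print("fixed ruleset findings:", lint_pcc(FIXED))
```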
Let me clear up a few things - it is kind of confusing:
My WAN connection public-gateway is my ATT connection.
The above router code I listed is me trying to get the ATT and one of my cable feeds working together.
Thank you.
This is a copy from the code above that was suggested I try:
I have put in notes about what is happening now after I put the code in:
/ip firewall mangle
add action=mark-connection chain=input comment=Router_in_out_connections \
    disabled=no in-interface=Public-gateway new-connection-mark=\
    Public-gateway_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=SL-1 \
    new-connection-mark=SL-1_conn passthrough=yes
add action=mark-routing chain=output connection-mark=Public-gateway_conn \
    disabled=no new-routing-mark=to_Public-gateway passthrough=no
add action=mark-routing chain=output connection-mark=SL-1_conn disabled=no \
    new-routing-mark=to_SL-1 passthrough=no
***This line has very little activity, compared to all the others. In about ten minutes it is at 224 and 4 packets.
add action=accept chain=prerouting disabled=no dst-address=192.168.100.0/24 \
    in-interface=Office-network
add action=mark-connection chain=prerouting comment=PCC disabled=no \
    dst-address-type=!local in-interface=Office-network new-connection-mark=\
    Public-gateway_conn passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=\
    !local in-interface=Office-network new-connection-mark=SL-1_conn \
    passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=SL-1_conn disabled=\
    no in-interface=Office-network new-routing-mark=to_SL-1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=Public-gateway_conn \
    disabled=no in-interface=Office-network new-routing-mark=\
    to_Public-gateway passthrough=no
The TX on WAN interface SL-1 is always at 0. The RX is moving, however.
Also, the following route is still not active (font is blue): add check-gateway=ping distance=2 gateway=x.76.133.1%SL-1
Please someone help me with this,
Thanks