Load Balancing two DSL lines using PPPoE and PPTP

jvegaseg · October 12, 2013, 3:35pm

Hi everyone, this is my first topic and I have read a lot of examples and tutorials before writing this topic, but I need help in order to get success with my poblem.

My objective: Load balance two DLS lines connected with PPPoE to the ISP router in bridge mode and using two PPTP tunnels to route all the traffic towards our PBX.

Schematic:

WAN1 → PPPoE1 → PPTP1 → PBX
WAN2 → PPPoE2 → PPTP2 → PBX

We use the PPTP tunnels only for the traffic going out to our VoIP PBX (the IP = PBX.PBX.PBX.PBX). The rest of the traffic should go out as usually not using the PPTP tunnel.

What we achieved:

Load Balancing without the PPTP client connection works fine.
The PPTP client connection without load balancing work fine.

The problem is making work all together. When we put all toguether, everything work except all traffic goes out throught PPPoE1 and PPPoE2 is never used.

The addresses we use:
VPN.VPN.VPN.VPN = VPN PPTP server
PBX.PBX.PBX.PBX = Our VoIP PBX

We are trying this in a RB951 with RouterOS 6.4

The script we are using (only relevant rules):

/interface pppoe-client
add allow=pap,chap disabled=no interface=ether1-wan1 name=pppoe-out1 \
    password=adslppp use-peer-dns=yes user=adslppp@telefonicanetpa
add allow=pap,chap disabled=no interface=ether2-wan2 name=pppoe-out2 \
    password=adslppp use-peer-dns=yes user=adslppp@telefonicanetpa
/ip pool
add name=default-dhcp ranges=192.168.88.30-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
/ppp profile
add change-tcp-mss=yes name=pptp-vozitel use-encryption=yes
set 2 dns-server=8.8.8.8
/interface pptp-client
add connect-to=VPN.VPN.VPN.VPN disabled=no max-mru=1436 max-mtu=1436 name=\
    pptp-vozitel1 password=XXXX profile=pptp-vozitel user=USER1
add connect-to=VPN.VPN.VPN.VPN disabled=no max-mru=1436 max-mtu=1436 name=\
    pptp-vozitel2 password=XXXX profile=pptp-vozitel user=USER2
/ip address
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=pppoe-out1 new-connection-mark=pppoe-out1_conn
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=pptp-vozitel1 new-connection-mark=pptp-vozitel1_conn
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=pppoe-out2 new-connection-mark=pppoe-out2_conn
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=pptp-vozitel2 new-connection-mark=pptp-vozitel2_conn
add action=mark-routing chain=output connection-mark=pppoe-out1_conn \
    new-routing-mark=to_pppoe-out1
add action=mark-routing chain=output connection-mark=pptp-vozitel1_conn \
    new-routing-mark=to_pptp-vozitel1
add action=mark-routing chain=output connection-mark=pppoe-out2_conn \
    new-routing-mark=to_pppoe-out2
add action=mark-routing chain=output connection-mark=pptp-vozitel2_conn \
    new-routing-mark=to_pptp-vozitel2
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    !PBX.PBX.PBX.PBX dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=pppoe-out1_conn per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new dst-address=\
   PBX.PBX.PBX.PBX dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=pptp-vozitel1_conn per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    !PBX.PBX.PBX.PBX dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=pppoe-out2_conn per-connection-classifier=\
    both-addresses:2/1
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    PBX.PBX.PBX.PBX dst-address-type=!local in-interface=bridge-local \
    new-connection-mark=pptp-vozitel2_conn per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=pppoe-out1_conn \
    in-interface=bridge-local new-routing-mark=to_pppoe-out1
add action=mark-routing chain=prerouting connection-mark=pptp-vozitel1_conn \
    in-interface=bridge-local new-routing-mark=to_pptp-vozitel1
add action=mark-routing chain=prerouting connection-mark=pppoe-out2_conn \
    in-interface=bridge-local new-routing-mark=to_pppoe-out2
add action=mark-routing chain=prerouting connection-mark=pptp-vozitel2_conn \
    in-interface=bridge-local new-routing-mark=to_pptp-vozitel2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pptp-vozitel1
add action=masquerade chain=srcnat out-interface=pptp-vozitel2 
/ip route
add distance=1 gateway=pppoe-out1 routing-mark=to_pppoe-out1
add distance=1 dst-address=VPN.VPN.VPN.VPN/32 gateway=pppoe-out1 routing-mark=to_pptp-vozitel1
add distance=1 dst-address=PBX.PBX.PBX.PBX/32 gateway=pptp-vozitel1 routing-mark=to_pptp-vozitel1
add distance=1 gateway=pppoe-out2 routing-mark=to_pppoe-out2
add distance=1 dst-address=VPN.VPN.VPN.VPN/32 gateway=pppoe-out2 routing-mark=to_pptp-vozitel2
add distance=1 dst-address=PBX.PBX.PBX.PBX/32 gateway=pptp-vozitel2 routing-mark=to_pptp-vozitel2
add distance=1 gateway=pppoe-out1
add distance=2 gateway=pppoe-out2
/routing filter
add chain=connected-in prefix=VPN.VPN.VPN.VPN set-disabled=yes

What is wrong? Why it does not balance?

Regards,

jvegaseg · October 14, 2013, 5:04pm

Has anyone working a similar configuration with Mikrotik?

I was debuging and it seams that the connection-mark is lost when connection pass thought the pptp interface. Can anyone if this is truth?

Regards,