Hi, I have a problem with RouterOS 6.49.6
software id = RFR8-41YJ
model = RB3011UiAS
WAN1 is default ether1 master
WAN2 is ether9 (not slave)
These routes show reachable; the first rule is default:
/ip route
add distance=0 dst-address=190.168.10.0/24 gateway=ether1 pref-src=190.168.10.3
add distance=1 dst-address=186.20.10.0/24 gateway=ether9 pref-src=186.20.10.5
The other routes from WAN1 show reachable:
/ip route
add check-gateway=ping distance=1 gateway=190.168.10.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=190.168.10.1
The routes from ether9, WAN2 (186.20.10.5) show unreachable:
/ip route
add check-gateway=ping distance=1 gateway=186.20.10.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=186.20.10.1
Here are my Firewall Mangle rules:
/ip firewall mangle
add action=accept chain=prerouting dst-address=190.168.10.0/24 in-interface=bridge
add action=accept chain=prerouting dst-address=186.20.10.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether9 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=WANs new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANs
Here are the NAT Masquerade Firewall routes:
/ip firewall nat
add action=masquerade chain=srcnat comment="Load balancing WAN1" out-interface=ether1
add action=masquerade chain=srcnat comment="Load balancing WAN2" out-interface=ether9
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
I don't know if the Hairpin NAT is interfering.
And here are some of the address lists, the rest are some other LANs, I also included some VPN config just in case:
/ip firewall address-list
add address=10.2.2.8 comment=Switch list=LANs
add address=190.168.10.3 comment="Public WAN1" list=WANs
add address=186.20.10.5 comment="Public WAN2" list=WANs
add address=10.2.2.3-10.2.2.99 comment=VPN list=allowed_to_router
add address=190.186.10.3-190.186.10.99 comment=IKEV list=allowed_to_router
I also have IKEV (with IPsec) and Hairpin NAT set up; if you want, I can provide more info.