Load balancing with a hotspot lots of problems

I have been trying to do load balancing with a hotspot for some time now. Each time I come up with a new way it looks to work but then everything eventually goes out the default route.

My latest and simplest attempt is to send a set range of IPs out WAN1 and the other set out WAN2. This works fine until I turn my hotspot back on, then it fails and all traffic goes out our Active Static router. My mangle rules look like this:
13 chain=prerouting action=mark-routing new-routing-mark=11.5 passthrough=yes src-address=192.168.11.5 hotspot=auth in-interface=Hotspot_BR
My routes like this
1 A S dst-address=0.0.0.0/0 gateway=24.227.116.185 gateway-status=24.227.116.185 reachable WAN1-ether1 distance=1 scope=255 target-scope=10 routing-mark=11.5

/ip firewall nat
add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth

Since the hotspot handles all the web requests, in order to load balance, things need to be on the input and output chains. This NAT rule changes it so that after someone has connected to the hotspot and is authorized on it, they go through the normal process and you can apply load balancing normally to them.

Unfortunately this still did not work. Any more thoughts? I also tried moving the rule you gave me both to the top and the bottom and in between my other nat rules.

Thanks

You’re going to have to provide a full export of your mangle and nat rules then.

For this testing I tried to make it as easy as possible so I only have one mangle rule:
0 chain=prerouting action=mark-routing new-routing-mark=11.5 passthrough=yes
src-address=192.168.11.5 dst-address-type="" hotspot=auth
in-interface=Hotspot_BR
Here are all my nat rules
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client

1 D chain=hotspot action=jump jump-target=pre-hotspot

2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53

3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53

4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst
dst-port=80

5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst
dst-port=443

6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth

7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth

8 D ;;; test-alogin.hotairnetwork.net
chain=hs-unauth action=return protocol=tcp dst-address=63.168.20.114
in-interface=Hotspot_BR dst-port=443

9 D ;;; alogin.hotairnetwork.net
chain=hs-unauth action=return protocol=tcp dst-address=63.168.20.114
in-interface=Hotspot_BR dst-port=80

10 D ;;; alogin.hotairnetwork.net
chain=hs-unauth action=return protocol=tcp dst-address=63.168.20.114
in-interface=Hotspot_BR dst-port=8001

11 D ;;; asecurelogin.hotairnetwork.net
chain=hs-unauth action=return protocol=tcp dst-address=74.208.221.214
in-interface=Hotspot_BR dst-port=80

12 D chain=hs-unauth action=return protocol=tcp dst-address=8.8.8.8
in-interface=Hotspot_BR dst-port=80

13 D chain=hs-unauth action=return protocol=tcp dst-address=207.59.153.242
in-interface=Hotspot_BR dst-port=80

14 D ;;; crl.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=50.63.243.228
in-interface=Hotspot_BR dst-port=0-65535

15 D ;;; crl.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=72.167.18.237
in-interface=Hotspot_BR dst-port=0-65535

16 D ;;; crl.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=72.167.239.237
in-interface=Hotspot_BR dst-port=0-65535

17 D ;;; crl.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=188.121.36.237
in-interface=Hotspot_BR dst-port=0-65535

18 D ;;; certificates.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=50.63.243.228
in-interface=Hotspot_BR dst-port=0-65535

19 D ;;; certificates.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=72.167.18.237
in-interface=Hotspot_BR dst-port=0-65535

20 D ;;; certificates.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=72.167.239.237
in-interface=Hotspot_BR dst-port=0-65535

21 D ;;; certificates.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=188.121.36.237
in-interface=Hotspot_BR dst-port=0-65535

22 D ;;; asecurelogin.hotairnetwork.net
chain=hs-unauth action=return protocol=tcp dst-address=74.208.221.214
in-interface=Hotspot_BR dst-port=449

23 D ;;; certs.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=68.178.177.2
in-interface=Hotspot_BR dst-port=0-65535

24 D ;;; certs.godaddy.com
chain=hs-unauth action=return protocol=tcp dst-address=173.201.19.2
in-interface=Hotspot_BR dst-port=0-65535

25 D ;;; testalogin.hotairnetwork.net
chain=hs-unauth action=return protocol=tcp dst-address=24.227.116.189
in-interface=Hotspot_BR dst-port=80

26 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.240.11
in-interface=Hotspot_BR dst-port=0-65535

27 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.240.13
in-interface=Hotspot_BR dst-port=0-65535

28 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.241.10
in-interface=Hotspot_BR dst-port=0-65535

29 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.241.11
in-interface=Hotspot_BR dst-port=0-65535

30 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.248.10
in-interface=Hotspot_BR dst-port=0-65535

31 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.248.11
in-interface=Hotspot_BR dst-port=0-65535

32 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.249.10
in-interface=Hotspot_BR dst-port=0-65535

33 D ;;; www.cnn.com
chain=hs-unauth action=return protocol=tcp dst-address=157.166.249.11
in-interface=Hotspot_BR dst-port=0-65535

34 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80

35 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128

36 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080

37 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443

38 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

39 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http

40 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

41 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

42 chain=srcnat action=masquerade src-address=192.168.11.0/24

43 chain=srcnat action=masquerade src-address=192.168.10.0/24

44 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.12.0/24

45 chain=srcnat action=src-nat to-addresses=24.227.116.187 to-ports=0-65535
protocol=tcp connection-mark=odd

46 chain=srcnat action=src-nat to-addresses=71.43.217.158 to-ports=0-65535
protocol=tcp connection-mark=even

47 chain=srcnat action=src-nat to-addresses=24.227.116.187 to-ports=0-65535
protocol=udp connection-mark=odd

48 chain=srcnat action=src-nat to-addresses=71.43.217.158 to-ports=0-65535
protocol=tcp connection-mark=odd

49 chain=dstnat action=dst-nat to-addresses=192.168.10.21 to-ports=8291
protocol=tcp dst-port=60001

50 chain=srcnat action=masquerade out-interface=WAN1-ether1

51 chain=srcnat action=masquerade out-interface=WAN2-ether2

52 chain=dstnat action=dst-nat to-addresses=192.168.10.121 to-ports=8291
protocol=tcp dst-port=60002

53 chain=dstnat action=dst-nat to-addresses=192.168.10.15 to-ports=80
protocol=tcp dst-port=60003

54 chain=pre-hotspot action=accept dst-address-type=local hotspot=auth
in-interface=Hotspot_BR


Thanks again for any light you can shed

You didn’t get the nat rule right.

dst-address-type=local should read dst-address-type=!local; note the ! to denote not local.

Thanks, I had been playing around with it and just set dst-address-type to be off and it started to work for me. Is there a reason to put dst-address-type=!local or can I just leave it not set?

Thanks again for all your help

The not local means addresses that are not local to the router. You can just leave it out if you want, but I think it might break a few things by doing so. The one that comes to mind as most likely being broken is not giving the guest the ability to pull up the status page and log out of their session.

Thanks for all your help!!!
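
A check for the mistake resolved in this thread, as an added example that is not from any of the posters: it parses `/ip firewall nat print` output (wrapped lines, flags and `;;;` comments included) and classifies each enabled `pre-hotspot` accept rule for `hotspot=auth` by its `dst-address-type`. The sample rules are constructed from the ones posted above, and the function names and verdict labels are hypothetical.

```python
import re
# Constructed sample in the layout of `/ip firewall nat print`, modelled on the
# rules posted in this thread; rules 55 and 56 are added variants.
SAMPLE = """\
 1 D chain=hotspot action=jump jump-target=pre-hotspot
41 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough
54   chain=pre-hotspot action=accept dst-address-type=local hotspot=auth
     in-interface=Hotspot_BR
55   chain=pre-hotspot action=accept hotspot=auth
56   chain=pre-hotspot action=accept dst-address-type=!local hotspot=auth
"""

# Rule number, optional X/I/D flags, then the first part of the rule body.
RULE_START = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*)(.*)$")

def parse_rules(text):
    """Join wrapped lines and return one dict of properties per rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            rules.append({"id": int(m[1]), "flags": m[2].split(), "_body": m[3]})
        elif rules and line.strip():
            rules[-1]["_body"] += " " + line.strip()  # continuation line
    for r in rules:
        # Drop a leading ";;; comment" so its words are not read as properties.
        body = re.sub(r"^;;;.*?(?=\bchain=)", "", r.pop("_body"))
        r.update(tok.split("=", 1) for tok in body.split() if "=" in tok)
    return rules

def audit_pre_hotspot(rules):
    """Classify enabled pre-hotspot accept rules that match hotspot=auth."""
    findings = {}
    for r in rules:
        if ("X" in r["flags"] or r.get("chain") != "pre-hotspot"
                or r.get("action") != "accept" or r.get("hotspot") != "auth"):
            continue
        dtype = r.get("dst-address-type", "").strip('"')
        if dtype == "!local":
            findings[r["id"]] = "ok"              # the form given in the thread
        elif dtype == "":
            findings[r["id"]] = "unset"           # also matches traffic to the router
        else:
            findings[r["id"]] = "wrong:" + dtype  # e.g. local instead of !local
    return findings

if __name__ == "__main__":
    print(audit_pre_hotspot(parse_rules(SAMPLE)))
```

Here `wrong:local` is the rule 54 case from the thread, and `unset` is the variant the last reply says may stop guests from reaching the status page and logging out.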