Load balancing with RB2011UiAS-2HnD-IN and RouterOS 6.49.6

Hi,

I have a RB2011UiAS-2HnD-IN and I followed all instructions in order to have load balancing from my 2 WAN lines (192.168.1.0/24 & 192.168.2.0/24) to 192.168.0.0/24.
Load balancing is not working from 192.168.2.1, and I have probably made a mistake that I cannot see after the last 4 days of searching… :frowning:
Thanks in advance for your help.
BR,
Filippos

PS: I removed from this quote all interfaces from 7 to 10 in order to make it simpler.

# may/30/2022 11:26:49 by RouterOS 6.49.6
# software id =
#
# model = 2011UiAS-2HnD
# serial number =

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge

/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
set [ find default-name=ether2 ] name=ether2_wan
set [ find default-name=ether3 ] name=ether3_lan
set [ find default-name=ether4 ] name=ether4_lan
set [ find default-name=ether5 ] name=ether5_lan
set [ find default-name=ether6 ] name=ether6_wlan

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-SSID wireless-protocol=802.11

/interface list
add comment=defconf name=WAN
add comment=defconf exclude=WAN name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether3_lan
add bridge=bridge comment=defconf interface=ether4_lan
add bridge=bridge comment=defconf interface=ether5_lan
add bridge=bridge comment=defconf interface=ether6_wlan
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1

/ip neighbor discovery-settings
set discover-interface-list=*2000011

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_wan list=WAN
add comment=defconf interface=ether2_wan list=WAN

/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=192.168.0.244/24 interface=ether5_lan network=192.168.0.0

/ip dhcp-client
add add-default-route=no comment=defconf disabled=no interface=ether1_wan
add add-default-route=no comment=defconf disabled=no interface=ether2_wan

/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 \
    gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1_wan new-connection-mark=ether1_wan_conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2_wan new-connection-mark=ether2_wan_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=\
    ether1_wan_conn passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=\
    ether2_wan_conn per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ether1_wan_conn \
    in-interface=bridge new-routing-mark=to_ether1_wan passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ether2_wan_conn \
    in-interface=bridge new-routing-mark=to_ether2_wan passthrough=yes
add action=mark-routing chain=output connection-mark=ether1_wan_conn \
    new-routing-mark=to_ether1_wan passthrough=yes
add action=mark-routing chain=output connection-mark=ether2_wan_conn \
    new-routing-mark=to_ether2_wan passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1_wan
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    ether2_wan

/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_ether1_wan
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ether2_wan
add check-gateway=ping distance=1 gateway=192.168.2.1
add check-gateway=ping distance=1 gateway=192.168.1.1

Hello,

I think I had an issue previously with

dst-address-type=!local

Try using dst-address or dst-address-list instead of dst-address-type, something like

dst-address=!192.168.0.0/24

After a while, check in “ip->firewall->connections”, in gui, if most traffic is with connection-mark

Regards,
Damián

Hi Damián,
no luck with that.
It seems that the wan1 isn’t recognized, but in IP → Routes → Nexthops notes that Gateway State both addresses are “reachable”, but when I view Routes one (192.168.2.1) is “unreachable” !!!
Thanks for your help.

BR,
Filippos

Hello,

It seems that wan1 is not working; it does not seem to be an issue with the load balancing.
Did you test wan1 connection with a PC?

Regards,
Damián

Hi Damián,
Of course I did test it already.

I did back it up and reboot it, and interchanged the ports, but the problem remains the same.

BR,
Filippos

Sorry for my questions, just to be on the same page.
When you tested the ISP modem with a PC, did you set the IP address statically like in the settings?
What happens if you ping the default gateway from the Mikrotik?

Regards
Damián

(1) FROM THIS:
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    bridge

TO:
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.2.0/24

(2) FROM THIS:
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1_wan new-connection-mark=ether1_wan_conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2_wan new-connection-mark=ether2_wan_conn

TO:
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1_wan new-connection-mark=ether1_wan_conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2_wan new-connection-mark=ether2_wan_conn passthrough=\
    yes
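
An added example, not part of the original posts or of MikroTik's tooling: a small Python check over a RouterOS export that joins the backslash continuation lines, then flags mark-connection rules without an explicit passthrough=yes (change (2) above) and routing marks that no /ip route entry uses. The sample text is a constructed excerpt of the export posted in this thread; the function names and finding labels are assumptions.

```python
import re

# Constructed sample: a trimmed excerpt of the mangle/route sections posted in the thread.
SAMPLE_EXPORT = r"""
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1_wan new-connection-mark=ether1_wan_conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2_wan new-connection-mark=ether2_wan_conn
add action=mark-routing chain=prerouting connection-mark=ether1_wan_conn \
    in-interface=bridge new-routing-mark=to_ether1_wan passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ether2_wan_conn \
    in-interface=bridge new-routing-mark=to_ether2_wan passthrough=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_ether1_wan
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ether2_wan
"""

def parse_export(text):
    """Return [(section, {key: value})] for every 'add' line of an export."""
    # Join continuations: 'passthrough=\' + newline + '    yes' -> 'passthrough=yes'
    text = re.sub(r"\\\n[ \t]*", "", text)
    section, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):          # section header such as '/ip route'
            section = line
        elif line.startswith("add "):     # values are "quoted" or bare tokens
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line[4:])
            rows.append((section, {k: v.strip('"') for k, v in pairs}))
    return rows

def lint(rows):
    """Return de-duplicated (finding, name) tuples for the two checks."""
    mangle = [r for s, r in rows if s == "/ip firewall mangle"]
    routes = [r for s, r in rows if s == "/ip route"]
    routed_marks = {r["routing-mark"] for r in routes if "routing-mark" in r}
    findings = []
    for r in mangle:
        if r.get("action") == "mark-connection" and r.get("passthrough") != "yes":
            findings.append(("no-passthrough", r.get("new-connection-mark")))
        mark = r.get("new-routing-mark")
        if mark and mark not in routed_marks:
            findings.append(("mark-without-route", mark))
    return list(dict.fromkeys(findings))

if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print(finding)
```
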

Hi to all!

@anav
Yes I saw that passthrough and had already changed it. Thanks for noting that.
The other mangle firewall rule didn’t help at all and I think that it is a security issue to leave all interfaces to talk to each other.
@all
Nevertheless, I managed to make it work connecting my pc to router and ping to it. It didn’t work!!! Regardless Nexthops noted that was pinging to router ip, it doesn’t!!!
So, I changed “ping” to “arp” and now it somehow works.
When I disconnect one router it falls back to the other not on the specific downloading process, but on another.
When I plug it in again it seems to ignore it and uses only one router at a time.

BR,
Filippos

EDIT:
Now it’s okay, speedtest downloads with the sum of download from 2 routers. Only upload remains the same. Thank you both for your help.

Hello, maybe it would be better for Anav to respond because he knows much more than me.
But IMHO, when you start a session through WAN2, it remains on the same interface until the session finishes or the interface is not available, for example. I think this describes the behavior you mentioned.

Regards,
Damián

When it comes to PCC load balancing I have no experience, but I am able to compare working scripts to other scripts.
It's called the notepad++ compare plugin :slight_smile:

Change add check-gateway=ping distance=1 gateway=192.168.1.1 to

add check-gateway=ping distance=2 gateway=192.168.1.1

What are you smoking? This is load balancing not failover ???
I'm presuming the DISCHER way (PCC) and not the Thomas way, which is more akin to manual load balancing via bandwidth and includes failover.

Hi
everything is fine now

Please Filippos, I want to know how you did it. I too have been struggling for many days. I’m new to Mikrotik, and I need a good script or tutorial to get load balancing on my RB2011UiAS-2HnD-IN.

https://mum.mikrotik.com/presentations/US12/steve.pdf

Once you have followed this guide and if not working then
come back and post your full config /export (minus serial number and any public WANIP info).