mangle for load balancing 5 gateway

I have an x86 router machine with 6 ethernet ports.
ether1 will be used for incoming transactions and as the PPTP server interface.
The other 5 ether ports will be used for outgoing traffic (uplink from ISP).
All 6 IP addresses are from the same ISP (public & dynamic IP).
I want to load balance the 5 uplinks on 5 ethernet ports for a group of PPTP clients.

This is what I pre-configured.

/ interface ethernet
set ether1 name="income"
set ether2 name="out1"
set ether3 name="out2"
set ether4 name="out3"
set ether5 name="out4"
set ether6 name="out5"

/ ip dhcp-client add interface=income user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out1 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out2 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out3 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out4 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out5 user-peer=yes add-default-route=yes disable=no

/ interface bridge
add name="lan" arp=proxy-arp

/ interface bridge port
add interface=income bridge=lan

/ ip address
add address=10.0.0.1/20 interface=lan

/ ip dns
set allow-remote-requests=yes

/ ip firewall service-port
set pptp disabled=no

/ ip pool
add name="pptp" ranges=10.0.0.2-10.0.16.254

/ ppp profile
add name="pptp-in" local-address=10.0.0.1 remote-address=pptp use-encryption=default only-one=default change-tcp-mss=yes dns-server=10.0.0.1

/ interface pptp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=chap,mschap1,mschap2 default-profile=pptp-in

/ ip firewall nat add chain=srcnat src-address=10.0.0.2-10.0.16.254 action=masquerade

/ ip firewall mangle add chain=prerouting in-interface=lan connection-state=new nth=5,1 action=mark-connection new-connection-mark=conn1 passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-mark=conn1 action=mark-routing new-routing-mark=conn1 passthrough=no comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-state=new nth=4,1 action=mark-connection new-connection-mark=conn2 passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-mark=conn2 action=mark-routing new-routing-mark=conn2 passthrough=no comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-state=new nth=3,1 action=mark-connection new-connection-mark=conn3 passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-mark=conn3 action=mark-routing new-routing-mark=conn3 passthrough=no comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-state=new nth=2,1 action=mark-connection new-connection-mark=conn4 passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-mark=conn4 action=mark-routing new-routing-mark=conn4 passthrough=no comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-state=new action=mark-connection new-connection-mark=conn5 passthrough=yes comment="" disabled=no
/ ip firewall mangle add chain=prerouting in-interface=lan connection-mark=conn5 action=mark-routing new-routing-mark=conn5 passthrough=no comment="" disabled=no

/ ip firewall nat add chain=srcnat connection-mark=conn1 action=masquerade out-interface=out1 comment="" disabled=no
/ ip firewall nat add chain=srcnat connection-mark=conn2 action=masquerade out-interface=out2 comment="" disabled=no
/ ip firewall nat add chain=srcnat connection-mark=conn3 action=masquerade out-interface=out3 comment="" disabled=no
/ ip firewall nat add chain=srcnat connection-mark=conn4 action=masquerade out-interface=out4 comment="" disabled=no
/ ip firewall nat add chain=srcnat connection-mark=conn5 action=masquerade out-interface=out5 comment="" disabled=no

/ ip route add dst-address=0.0.0.0/0 gateway=out1 scope=255 target-scope=10 routing-mark=conn1 comment="" disabled=no
/ ip route add dst-address=0.0.0.0/0 gateway=out2 scope=255 target-scope=10 routing-mark=conn2 comment="" disabled=no
/ ip route add dst-address=0.0.0.0/0 gateway=out3 scope=255 target-scope=10 routing-mark=conn3 comment="" disabled=no
/ ip route add dst-address=0.0.0.0/0 gateway=out4 scope=255 target-scope=10 routing-mark=conn4 comment="" disabled=no
/ ip route add dst-address=0.0.0.0/0 gateway=out5 scope=255 target-scope=10 routing-mark=conn5 comment="" disabled=no
/ ip route add dst-address=0.0.0.0/0 gateway=out1 scope=255 target-scope=10 comment="" disabled=no



Question..

Actually I don’t know much about mangle, so I got a few configuration examples from googling.
This configuration looks like it does load balancing based on connection, but I want to do load balancing based on PPTP connection.
I mean, if a PPTP client logs in to the “lan” interface, it will get a local IP address from the “ip pool”, then the load balancer assigns 1 of the 5 “upstream” ports to this connection until disconnect or logout.

What do I need to change?

Jin Lee

This is my second try at a pre-config, using PCC.
It seems better than the earlier post,
but I’m still not sure whether it will work well or not.

I marked the “lan” interface in red.
This is a bridged interface. Should I change it to “income”?
Any suggestions???

Please reply …

ether1 ip dhcp ISP1 222.222.222.2/24 gateway 222.222.222.1 100Mbps ftth optic fiber
ether2~6 ip dhcp ISP2 111.111.111.2~6/24 gateway 111.111.111.1 (so they use the same gateway and network) 500Mbps ftth optic fiber


/ interface ethernet
set ether1 name="income"
set ether2 name="out1"
set ether3 name="out2"
set ether4 name="out3"
set ether5 name="out4"
set ether6 name="out5"

/ ip dhcp-client add interface=income user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out1 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out2 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out3 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out4 user-peer=yes add-default-route=yes disable=no
/ ip dhcp-client add interface=out5 user-peer=yes add-default-route=yes disable=no

/ interface bridge
add name="lan" arp=proxy-arp

/ interface bridge port
add interface=income bridge=lan

/ ip address
add address=10.0.0.1/20 interface=lan

/ ip dns
set allow-remote-requests=yes

/ ip firewall service-port
set pptp disabled=no

/ ip pool add name="pptp" ranges=10.0.0.2-10.0.16.254

/ ppp profile add name="pptp-in" local-address=10.0.0.1 remote-address=pptp use-encryption=default only-one=default change-tcp-mss=yes dns-server=10.0.0.1

/ interface pptp-server server set enabled=yes max-mtu=1460 max-mru=1460 authentication=chap,mschap1,mschap2 default-profile=pptp-in

/ ip firewall nat add chain=srcnat src-address=10.0.0.2-10.0.16.254 action=masquerade

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=out1 new-connection-mark=out1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=out2 new-connection-mark=out2_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=out3 new-connection-mark=out3_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=out4 new-connection-mark=out4_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=out5 new-connection-mark=out5_conn passthrough=yes

add action=mark-routing chain=output comment="" connection-mark=out1_conn disabled=no new-routing-mark=to_out1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=out2_conn disabled=no new-routing-mark=to_out2 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=out3_conn disabled=no new-routing-mark=to_out3 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=out4_conn disabled=no new-routing-mark=to_out4 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=out5_conn disabled=no new-routing-mark=to_out5 passthrough=yes

add action=accept chain=prerouting comment="" disabled=no dst-address=222.222.222.0/24 in-interface=lan
add action=accept chain=prerouting comment="" disabled=no dst-address=111.111.111.0/24 in-interface=lan

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=out1_conn passthrough=yes per-connection-classifier=both-addresses:5/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=out2_conn passthrough=yes per-connection-classifier=both-addresses:5/1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=out3_conn passthrough=yes per-connection-classifier=both-addresses:5/2
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=out4_conn passthrough=yes per-connection-classifier=both-addresses:5/3
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=out5_conn passthrough=yes per-connection-classifier=both-addresses:5/4

add action=mark-routing chain=prerouting comment="" connection-mark=out1_conn disabled=no in-interface=lan new-routing-mark=to_out1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=out2_conn disabled=no in-interface=lan new-routing-mark=to_out2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=out3_conn disabled=no in-interface=lan new-routing-mark=to_out3 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=out4_conn disabled=no in-interface=lan new-routing-mark=to_out4 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=out5_conn disabled=no in-interface=lan new-routing-mark=to_out5 passthrough=yes

/ ip route add dst-address=0.0.0.0/0 gateway=out1 scope=255 target-scope=10 routing-mark=to_out1 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway=out2 scope=255 target-scope=10 routing-mark=to_out2 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway=out3 scope=255 target-scope=10 routing-mark=to_out3 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway=out4 scope=255 target-scope=10 routing-mark=to_out4 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway=out5 scope=255 target-scope=10 routing-mark=to_out5 comment="" disabled=no check-gateway=ping

/ ip firewall nat add chain=srcnat action=masquerade out-interface=out1 comment="" disabled=no
/ ip firewall nat add chain=srcnat action=masquerade out-interface=out2 comment="" disabled=no
/ ip firewall nat add chain=srcnat action=masquerade out-interface=out3 comment="" disabled=no
/ ip firewall nat add chain=srcnat action=masquerade out-interface=out4 comment="" disabled=no
/ ip firewall nat add chain=srcnat action=masquerade out-interface=out5 comment="" disabled=no

/ ip route add dst-address=0.0.0.0/0 gateway=out1

unfortunately, you can use ‘gateway=interface’ only in case of point-to-point interfaces. you cannot use it for ethernet (it won’t work as you expected)

as far as I remember, you should use scripting to obtain addresses received via dhcp and then change your routes correspondingly

Thank you Chupaka! :smiley:

I think you are the man with the most answers in this forum. People appreciate you, including me.

Anyway.
So do you think my second pre-configuration with PCC seems OK except for the “/ ip route add dst-address=0.0.0.0/0 gateway=out1” setting?
If yes, I need to drink a bottle of beer to celebrate. LoL
I just heard about MikroTik last month and have been struggling with it since I bought RB-450Gs.
RouterOS is very attractive software to me.
Frankly speaking,
one Korean company sells a kind of PPTP server (P4 2.4, 1G RAM, 30G HDD, 4 10/100 NICs with some customized Linux OS) and they charge 10,000 USD.
That machine is not even in server form; it just looks like an old PC in a heavy box. :open_mouth:

As for scripting, I also need to study it for a few more days.

Or, maybe … all DHCP clients are on the same network. It means they use the same gateway IP, which is assigned by the DHCP server.
The IP address will change when I reboot, but the gateway is the same.
Can I use the fixed gateway address that DHCP gave for “/ ip route add dst-address=0.0.0.0/0 gateway=”?
Like:

/ ip route add dst-address=0.0.0.0/0 gateway="gateway from DHCP" scope=255 target-scope=10 routing-mark=to_out1 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway="gateway from DHCP" scope=255 target-scope=10 routing-mark=to_out2 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway="gateway from DHCP" scope=255 target-scope=10 routing-mark=to_out3 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway="gateway from DHCP" scope=255 target-scope=10 routing-mark=to_out4 comment="" disabled=no check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway="gateway from DHCP" scope=255 target-scope=10 routing-mark=to_out5 comment="" disabled=no check-gateway=ping

I will expect a reply soon.

Jin Lee

you created bridge, but have not added any ports to it =)

also, if your clients connect via pptp, then in-interface for their packets is ‘pptp-’. so you cannot use ‘in-interface=lan’, replace it with ‘src-address=10.0.0.2-10.0.16.254’, for example

about routes - if you have the same gateway address on all ethernets, then use ‘gateway=address%interface’ syntax (in ROS v3 you will need ‘routing-test’ package for this), like ‘gateway=1.2.3.4%out1’, etc. and then do not touch these routes with WinBox - it still doesn’t know about ‘%interface’ part and removes it even if you simply disable the route

also, if you don’t route between your LAN segments, remove this:

add action=accept chain=prerouting comment="" disabled=no dst-address=222.222.222.0/24 in-interface=lan
add action=accept chain=prerouting comment="" disabled=no dst-address=111.111.111.0/24 in-interface=lan
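
The first post asks for each PPTP client to stay on one uplink, while the PCC rules posted in this thread classify on both-addresses. The simulation below is an added example, not code from any poster: it compares both-addresses with the src-address classifier using a stand-in hash (truncated SHA-256, because RouterOS's own PCC hash is not given on the page) and constructed client and destination addresses.

```python
# Added illustration, not from the thread. RouterOS's internal PCC hash is not
# shown on the page; SHA-256 truncated to 32 bits stands in for it here.
import hashlib
import ipaddress
from collections import Counter, defaultdict

UPLINKS = ["out1", "out2", "out3", "out4", "out5"]  # interface names from the thread


def pcc_remainder(classifier, src, dst, denominator):
    """Hash the fields the classifier selects and return hash % denominator.

    A rule 'per-connection-classifier=<classifier>:<denominator>/<r>' matches
    a connection when this value equals r.
    """
    src_b = ipaddress.ip_address(src).packed
    dst_b = ipaddress.ip_address(dst).packed
    if classifier == "src-address":
        key = src_b
    elif classifier == "both-addresses":
        key = src_b + dst_b
    else:
        raise ValueError("classifier not modelled: " + classifier)
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % denominator


def constructed_flows(n_clients=8, n_destinations=40):
    """Constructed sample: clients from the PPTP pool (10.0.0.2 upward),
    destinations from the documentation range 198.51.100.0/24."""
    first_client = ipaddress.ip_address("10.0.0.2")
    first_dst = ipaddress.ip_address("198.51.100.1")
    return [(str(first_client + c), str(first_dst + d))
            for c in range(n_clients)
            for d in range(n_destinations)]


def uplinks_per_client(classifier, flows):
    """Map each client address to the set of uplinks its connections get marked for."""
    used = defaultdict(set)
    for src, dst in flows:
        r = pcc_remainder(classifier, src, dst, len(UPLINKS))
        used[src].add(UPLINKS[r])
    return dict(used)


def connections_per_uplink(classifier, flows):
    """Count how many connections each uplink receives under the classifier."""
    counts = Counter({name: 0 for name in UPLINKS})
    for src, dst in flows:
        counts[UPLINKS[pcc_remainder(classifier, src, dst, len(UPLINKS))]] += 1
    return counts


if __name__ == "__main__":
    flows = constructed_flows()
    for classifier in ("both-addresses", "src-address"):
        print(classifier)
        for client, links in sorted(uplinks_per_client(classifier, flows).items()):
            print("  %-10s -> %s" % (client, ", ".join(sorted(links))))
        print("  load:", dict(connections_per_uplink(classifier, flows)))
```

With src-address, every connection from a given pool address is marked for the same uplink for as long as the client holds that address; the trade-off is that the balance then depends on how many clients are online rather than on how many connections they open.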

Thanks again Chupaka.

:smiley: Yes, you’re right. I forgot to add a port to the bridge.

I will install the Router-test package today and test what you told me.

If there is some kind of argument like address%interface, it really makes sense.

I will let people know when I finish testing ..


Jin Lee

hmmmmmmm

I can’t understand why it’s not working properly. :frowning:

This is my latest configuration for the 6 WAN port PPTP ROS server.


/interface ethernet
set 0 name=ether1
set 1 name=ether2
set 2 name=ether3
set 3 name=ether4
set 4 name=ether5
set 5 name=ether6
/interface bridge
add ageing-time=5m arp=proxy-arp auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=65535 max-message-age=20s mtu=1500 name=lan priority=0x8000 protocol-mode=none transmit-hold-count=6
/ip pool
add name=pptp ranges=10.0.0.2-10.0.254.254
/ppp profile
add change-tcp-mss=default comment="" dns-server=10.0.0.1 local-address=10.0.0.1 name=profile1-ppp only-one=default remote-address=pptp use-compression=default use-encryption=default use-vj-compression=default
/system logging action
set memory disk-file-count=20 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=memory target=disk
/interface bridge port
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=profile1-ppp enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460 mrru=disabled
/ip address
add address=10.0.0.1/16 broadcast=10.0.255.255 comment="" disabled=no interface=lan network=10.0.0.0
add address=xxx.xxx.xxx.xxx/29 broadcast=xxx.xxx.xxx.xxx comment="" disabled=no interface=ether1 network=xxx.xxx.xxx.x
add address=xxx.xxx.xxx.xxx/29 broadcast=xxx.xxx.xxx.xxx comment="" disabled=no interface=ether2 network=xxx.xxx.xxx.x
/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=ether3 use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=ether4 use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=ether5 use-peer-dns=yes use-peer-ntp=yes
add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=ether6 use-peer-dns=yes use-peer-ntp=yes
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns="isp dns ip1" secondary-dns="isp dns ip2"
/ip firewall filter
add action=reject chain=input comment="" disabled=no dst-port=22 protocol=tcp reject-with=icmp-admin-prohibited
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=ether1 new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether2 new-connection-mark=ether2_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether3 new-connection-mark=ether3_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether4 new-connection-mark=ether4_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether5 new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=ether6 new-connection-mark=ether6_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ether1_conn disabled=no new-routing-mark=to_ether1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ether2_conn disabled=no new-routing-mark=to_ether2 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ether3_conn disabled=no new-routing-mark=to_ether3 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ether4_conn disabled=no new-routing-mark=to_ether4 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ether5_conn disabled=no new-routing-mark=to_ether5 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=ether6_conn disabled=no new-routing-mark=to_ether6 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=ether1_conn passthrough=yes per-connection-classifier=both-addresses:6/0 src-address=10.0.0.2-10.0.0.254
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=ether2_conn passthrough=yes per-connection-classifier=both-addresses:6/1 src-address=10.0.0.2-10.0.0.254
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=ether3_conn passthrough=yes per-connection-classifier=both-addresses:6/2 src-address=10.0.0.2-10.0.0.254
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=ether4_conn passthrough=yes per-connection-classifier=both-addresses:6/3 src-address=10.0.0.2-10.0.0.254
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=ether5_conn passthrough=yes per-connection-classifier=both-addresses:6/4 src-address=10.0.0.2-10.0.0.254
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=ether6_conn passthrough=yes per-connection-classifier=both-addresses:6/5 src-address=10.0.0.2-10.0.0.254
add action=mark-routing chain=prerouting comment="" connection-mark=ether1_conn disabled=no new-routing-mark=to_ether1 passthrough=yes src-address=10.0.0.2-10.0.0.254
add action=mark-routing chain=prerouting comment="" connection-mark=ether2_conn disabled=no new-routing-mark=to_ether2 passthrough=yes src-address=10.0.0.2-10.0.0.254
add action=mark-routing chain=prerouting comment="" connection-mark=ether3_conn disabled=no new-routing-mark=to_ether3 passthrough=yes src-address=10.0.0.2-10.0.0.254
add action=mark-routing chain=prerouting comment="" connection-mark=ether4_conn disabled=no new-routing-mark=to_ether4 passthrough=yes src-address=10.0.0.2-10.0.0.254
add action=mark-routing chain=prerouting comment="" connection-mark=ether5_conn disabled=no new-routing-mark=to_ether5 passthrough=yes src-address=10.0.0.2-10.0.0.254
add action=mark-routing chain=prerouting comment="" connection-mark=ether6_conn disabled=no new-routing-mark=to_ether6 passthrough=yes src-address=10.0.0.2-10.0.0.254
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.0.2-10.0.254.254
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether3
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether4
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether5
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether6
/ip firewall service-port
set pptp disabled=no
/ip neighbor discovery
set ether1 discover=no
set ether2 discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set ether6 discover=no
set lan discover=no
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ether1~2 gateway ip"%ether1 routing-mark=to_ether1 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ether1~2 gateway ip"%ether2 routing-mark=to_ether2 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ether3~4 gateway ip form dhcp1"%ether3 routing-mark=to_ether3 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ether3~4 gateway ip form dhcp1"%ether4 routing-mark=to_ether4 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ether5~6 gateway ip form dhcp2"%ether5 routing-mark=to_ether5 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ether5~6 gateway ip form dhcp2"%ether6 routing-mark=to_ether6 scope=255 target-scope=10

I have 3 trunks with 3 of 6 optical fiber cables to the ISP, and each trunk’s bandwidth is 500Mbps. Anyway,
ether1 and ether2 will connect to trunk1, 100Mbps/IP with fixed public IP address, subnet=/29
ether3 and ether4 will connect to trunk2, 100Mbps/IP with dynamic public IP address, subnet=/29
ether5 and ether6 will connect to trunk3, 100Mbps/IP with dynamic public IP address, subnet=/29
Each trunk has a different IP band.


/ppp aaa
set accounting=yes interim-update=1m use-radius=yes
/radius
add accounting-backup=no accounting-port=1813 address="radius ip address" authentication-port=1812 called-id="" comment="" disabled=no domain="" realm="" secret="radius secret" service=ppp timeout=2s
/radius incoming
set accept=yes port=1700
/system clock
# I just set the time zone to London to keep in sync with the RADIUS server
set time-zone-name=Europe/London
/system clock manual
set dst-delta=+00:00 time-zone=+00:00
/system console screen
set line-count=40
/system hardware
set multi-cpu=yes
/system identity
set name="vpn-test"
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=memory disabled=no prefix="" topics=critical
add action=memory disabled=yes prefix=pptp topics=pptp
/system ntp client
set enabled=yes mode=unicast primary-ntp="ntp server1 ip" secondary-ntp="ntp server2 ip"

Can anybody try to fix this configuration for me?


Jin Lee

P.S. In ROS 4.5, I can’t find the routing-test package, but “%” looks like it is working well. Am I right?

set add-default-route=no for DHCP Clients

are all your routes active?

OK.

Now I just changed to set add-default-route=no for all DHCP clients.

Actually I’m not sure whether it works well or not.

For testing, I just asked my friends to try using it.
But I don’t know much about how to check whether it works or not… :frowning:

Here in Korea the time is 3:30am. I need to wait a few hours to wake up my friends…hhh


Thanks again. And if it works well, I will upload the actual configuration to share (excluding private information).

OK.
Now all my routes are working well.
All clients access the PPTP service at the Ether1 interface, and they use all 6 interfaces for their services (including Ether1 itself).
But I’m not sure: can this load-balanced service satisfy my clients?


Anyway, as I promised before, my actual configuration is below.
The basic network connection for the ROS server is:

ISP1 : 2 fixed public IPs (100Mbps/100Mbps each IP) — I connect to ether 1&2
ISP2 : 2 dynamic public IPs (100Mbps/100Mbps each IP) — I connect to ether 3&4
ISP3 : 2 dynamic public IPs (100Mbps/100Mbps each IP) — I connect to ether 5&6
All 3 ISPs provide different IP bands.
I assigned a domain name to the ether1 IP to make access easy for PPTP clients etc.

/interface bridge
add arp=proxy-arp comment="" disabled=no name=lan

/interface ethernet
set 0 name=ether1
set 1 name=ether2
set 2 name=ether3
set 3 name=ether4
set 4 name=ether5
set 5 name=ether6

/ip pool
add name=pptp ranges=10.0.0.2-10.0.254.254

/ppp profile
add change-tcp-mss=default comment="" dns-server=10.0.0.1 local-address=10.0.0.1 name=profile1-ppp only-one=default remote-address=pptp use-compression=default use-encryption=default use-vj-compression=default
/interface bridge port
add bridge=lan comment="" disabled=no interface=ether1
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=profile1-ppp enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460 mrru=disabled
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=10.0.0.1/16 broadcast=10.0.255.255 comment="" disabled=no interface=lan network=10.0.0.0
add address="ether1 IP from ISP1"/xx broadcast="ISP1 Broadcast" comment="" disabled=no interface=ether1 network="ISP1 Network"
add address="ether2 IP from ISP1"/xx broadcast="ISP1 Broadcast" comment="" disabled=no interface=ether2 network="ISP1 Network"

/ip dhcp-client
add comment="" disabled=no interface=ether3 use-peer-dns=yes use-peer-ntp=yes
add comment="" disabled=no interface=ether4 use-peer-dns=yes use-peer-ntp=yes
add comment="" disabled=no interface=ether5 use-peer-dns=yes use-peer-ntp=yes
add comment="" disabled=no interface=ether6 use-peer-dns=yes use-peer-ntp=yes
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns="ISP Primary DNS" secondary-dns="ISP secondary DNS"
/ip firewall mangle
add action=mark-connection chain=input comment=“” disabled=no in-interface=
ether1 new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=
ether2 new-connection-mark=ether2_conn passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=
ether3 new-connection-mark=ether3_conn passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=
ether4 new-connection-mark=ether4_conn passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=
ether5 new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=input comment=“” disabled=no in-interface=
ether6 new-connection-mark=ether6_conn passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=ether1_conn
disabled=no new-routing-mark=to_ether1 passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=ether2_conn
disabled=no new-routing-mark=to_ether2 passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=ether3_conn
disabled=no new-routing-mark=to_ether3 passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=ether4_conn
disabled=no new-routing-mark=to_ether4 passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=ether5_conn
disabled=no new-routing-mark=to_ether5 passthrough=yes
add action=mark-routing chain=output comment=“” connection-mark=ether6_conn
disabled=no new-routing-mark=to_ether6 passthrough=yes
add action=mark-connection chain=prerouting comment=“” disabled=no
dst-address-type=!local new-connection-mark=ether1_conn passthrough=yes
per-connection-classifier=both-addresses:6/0 src-address=
10.0.0.2-10.0.254.254
add action=mark-connection chain=prerouting comment=“” disabled=no
dst-address-type=!local new-connection-mark=ether2_conn passthrough=yes
per-connection-classifier=both-addresses:6/1 src-address=
10.0.0.2-10.0.254.254
add action=mark-connection chain=prerouting comment=“” disabled=no
dst-address-type=!local new-connection-mark=ether3_conn passthrough=yes
per-connection-classifier=both-addresses:6/2 src-address=
10.0.0.2-10.0.254.254
add action=mark-connection chain=prerouting comment=“” disabled=no
dst-address-type=!local new-connection-mark=ether4_conn passthrough=yes
per-connection-classifier=both-addresses:6/3 src-address=
10.0.0.2-10.0.254.254
add action=mark-connection chain=prerouting comment=“” disabled=no
dst-address-type=!local new-connection-mark=ether5_conn passthrough=yes
per-connection-classifier=both-addresses:6/4 src-address=
10.0.0.2-10.0.254.254
add action=mark-connection chain=prerouting comment=“” disabled=no
dst-address-type=!local new-connection-mark=ether6_conn passthrough=yes
per-connection-classifier=both-addresses:6/5 src-address=
10.0.0.2-10.0.254.254
add action=mark-routing chain=prerouting comment=“” connection-mark=
ether1_conn disabled=no new-routing-mark=to_ether1 passthrough=yes
src-address=10.0.0.2-10.0.254.254
add action=mark-routing chain=prerouting comment=“” connection-mark=
ether2_conn disabled=no new-routing-mark=to_ether2 passthrough=yes
src-address=10.0.0.2-10.0.254.254
add action=mark-routing chain=prerouting comment=“” connection-mark=
ether3_conn disabled=no new-routing-mark=to_ether3 passthrough=yes
src-address=10.0.0.2-10.0.254.254
add action=mark-routing chain=prerouting comment=“” connection-mark=
ether4_conn disabled=no new-routing-mark=to_ether4 passthrough=yes
src-address=10.0.0.2-10.0.254.254
add action=mark-routing chain=prerouting comment=“” connection-mark=
ether5_conn disabled=no new-routing-mark=to_ether5 passthrough=yes
src-address=10.0.0.2-10.0.254.254
add action=mark-routing chain=prerouting comment=“” connection-mark=
ether6_conn disabled=no new-routing-mark=to_ether6 passthrough=yes
src-address=10.0.0.2-10.0.254.254
/ip firewall nat
add action=masquerade chain=srcnat comment=“” disabled=no src-address=
10.0.0.2-10.0.254.254
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=
ether1
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=
ether2
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=
ether3
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=
ether4
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=
ether5
add action=masquerade chain=srcnat comment=“” disabled=no out-interface=
ether6
/ip firewall service-port
set pptp disabled=no
/ip neighbor discovery
set ether1 discover=no
set ether2 discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set ether6 discover=no
set lan discover=no
/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ISP1 Gateway IP"%ether1 routing-mark=to_ether1 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ISP1 Gateway IP"%ether2 routing-mark=to_ether2 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ISP2 Gateway IP"%ether3 routing-mark=to_ether3 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ISP2 Gateway IP"%ether4 routing-mark=to_ether4 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ISP3 Gateway IP"%ether5 routing-mark=to_ether5 scope=255 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="ISP3 Gateway IP"%ether6 routing-mark=to_ether6 scope=255 target-scope=10
/ppp aaa
set accounting=yes interim-update=10m use-radius=yes
/radius
add accounting-backup=no accounting-port=1813 address="RADIUS server IP" authentication-port=1812 called-id="" comment="" disabled=no domain="" realm="" secret="RADIUS Secret" service=ppp timeout=2s
/radius incoming
set accept=yes port=1700
/system clock
set time-zone-name=Europe/London
/system clock manual
set dst-delta=+00:00 time-zone=+00:00
set multi-cpu=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp="Primary NTP Server IP" secondary-ntp="Secondary NTP Server IP"

It is working well as a traffic load balancer.


Thank you again, Mr. Chupaka.
It is hard to say this is the last time I will ask, but I will always be grateful to you.

Jin Lee.

Glad to hear that all is working!

I did all the steps and here is my configuration. I don't know where I am going wrong; it's not working well. I also want to distribute YouTube and Facebook traffic on different WANs. Here is my configuration:

/ ip address
add address=10.10.1.1/24 network=10.10.1.0 broadcast=10.10.1.255 interface=Local
add address=221.120.234.132/29 network=221.120.234.128 broadcast=221.120.234.135 interface=fiber-Red-1
add address=192.168.124.2/24 network=192.168.124.0 broadcast=192.168.124.255 interface=ldn-yellow-2
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ptcl-green-3
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ptcl2-black-4
/ ip firewall mangle
add chain=input in-interface=fiber-Red-1 action=mark-connection new-connection-mark=red_conn
add chain=input in-interface=ldn-yellow-2 action=mark-connection new-connection-mark=yellow_conn
add chain=input in-interface=ptcl-green-3 action=mark-connection new-connection-mark=green_conn
add chain=input in-interface=ptcl2-black-4 action=mark-connection new-connection-mark=black_conn
add chain=output connection-mark=red_conn action=mark-routing new-routing-mark=to_red
add chain=output connection-mark=yellow_conn action=mark-routing new-routing-mark=to_yellow
add chain=output connection-mark=green_conn action=mark-routing new-routing-mark=to_green
add chain=output connection-mark=black_conn action=mark-routing new-routing-mark=to_black
add chain=prerouting dst-address=221.120.234.128/29 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.124.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/0 action=mark-connection new-connection-mark=red_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/1 action=mark-connection new-connection-mark=yellow_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/2 action=mark-connection new-connection-mark=green_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/3 action=mark-connection new-connection-mark=black_conn passthrough=yes
add chain=prerouting connection-mark=red_conn in-interface=Local action=mark-routing new-routing-mark=to_red
add chain=prerouting connection-mark=yellow_conn in-interface=Local action=mark-routing new-routing-mark=to_yellow
add chain=prerouting connection-mark=green_conn in-interface=Local action=mark-routing new-routing-mark=to_green
add chain=prerouting connection-mark=black_conn in-interface=Local action=mark-routing new-routing-mark=to_black
/ ip route
add dst-address=0.0.0.0/0 gateway=221.120.234.129 routing-mark=to_red check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.124.1 routing-mark=to_yellow check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_green check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_black check-gateway=ping
add dst-address=0.0.0.0/0 gateway=221.120.234.129 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.124.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=4 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=fiber-Red-1 action=masquerade
add chain=srcnat out-interface=ldn-yellow-2 action=masquerade
add chain=srcnat out-interface=ptcl-green-3 action=masquerade
add chain=srcnat out-interface=ptcl2-black-4 action=masquerade

If you are doing the same as me,

then all connections from “interface=local” will jump across all 4 out-interfaces.

In my case, I changed a few lines.

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:4/0 action=mark-connection new-connection-mark=red_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:4/1 action=mark-connection new-connection-mark=yellow_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:4/2 action=mark-connection new-connection-mark=green_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address:4/3 action=mark-connection new-connection-mark=black_conn passthrough=yes

Then each local client gets its own out-interface, which is assigned by the mangle rule.

I'm not sure, but can you try adding one more line at the end?

add action=masquerade chain=srcnat comment="" disabled=no in-interface=Local

Jin
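The difference between the two classifiers discussed above can be modelled offline. This is an added example, not code from any poster in the thread: it follows the documented PCC behaviour (hash the selected fields, divide by the denominator, compare the remainder), uses CRC32 as an assumed stand-in for RouterOS's internal hash, and runs on constructed client and destination addresses.

```python
import ipaddress
import zlib
from collections import defaultdict

# Connection marks from the posted config; list index = PCC remainder (4/0 .. 4/3).
MARKS = ["red_conn", "yellow_conn", "green_conn", "black_conn"]


def pcc_mark(src, dst, classifier, marks=MARKS):
    """Model one PCC decision: hash the selected header fields, take the
    remainder modulo the denominator, and return the mark for that remainder."""
    if classifier == "src-address":
        fields = ipaddress.ip_address(src).packed
    elif classifier == "both-addresses":
        fields = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    else:
        raise ValueError(f"unsupported classifier: {classifier}")
    # Assumption: CRC32 stands in for RouterOS's internal hash function.
    return marks[zlib.crc32(fields) % len(marks)]


def marks_per_client(clients, destinations, classifier):
    """Map each client address to the set of marks its connections receive."""
    used = defaultdict(set)
    for src in clients:
        for dst in destinations:
            used[src].add(pcc_mark(src, dst, classifier))
    return dict(used)


# Constructed sample data: host addresses inside the posted 10.10.1.0/24 LAN and
# destinations from the 203.0.113.0/24 documentation range.
CLIENTS = [f"10.10.1.{n}" for n in range(10, 15)]
DESTINATIONS = [f"203.0.113.{n}" for n in range(1, 21)]

if __name__ == "__main__":
    for classifier in ("both-addresses", "src-address"):
        print(classifier)
        for client, marks in marks_per_client(CLIENTS, DESTINATIONS, classifier).items():
            print(f"  {client}: {sorted(marks)}")
```

With `both-addresses` one client's connections are spread over several marks, so different destinations see that client behind different WAN addresses; with `src-address` every client keeps a single mark.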

Jin, thank you for your reply.
I will check and let you know. Clarify one thing for me: do you mean I have to write src-address or my client address network?

Can anyone help?

My configuration:
3 dynamic ISPs
1 LAN

I did all of the latest config of hli1ll,

and when I ping from the router it writes to me: can find route for host

And how can I export my config from the router?
Thanks

From a new terminal in Winbox:

export file="filename"

Then you can find that file in the Files section of Winbox.



and when i ping from router write to me can find route for host
I don't understand what you mean.
Do you mean "when pinging from the router, it replies … can't find route to host"?
Were you pinging a domain name?
Maybe the cause is that you didn't add a DNS setting.

Jin

Thanks, I will try tomorrow.

I think the problem is that the router does not have a default route in the ‘main’ table =)

I couldn't have thought of that,

because he said 3 dynamic ISPs, so I thought he added IP addresses from DHCP.

:) :)

Sometimes I'm just overlapping my experience onto the real situation.

Jin.

Sorry Jin, after src-address my connection chokes, and the last line which you told me regarding masquerade on the local interface, that rule is not working.