Mikrotik load balancing v7

Hello everyone,

I am currently setting up a load balancing system on my MikroTik router.
My goal is:

To make certain websites go through one Internet connection (WAN1)

And other websites go through another Internet connection (WAN2).

Could someone please help me with the proper configuration (mangle rules, routing, policy routing, etc.) to achieve this setup?

Thank you in advance for your support and guidance.

Welcome @Algassim, have you already found the documentation?

First thing is that your request has nothing to do with load balancing, which uses the router's tools to equitably send your LAN users out multiple WANs. It would seem your request is to control which traffic goes out which WAN.

However, what you may think you can do, may not be possible. Mikrotik devices are not DPI type devices and thus cannot effectively be used to ensure some applications go here or there.

They can force a subnet, users within subnets, etc. to go out a certain WAN.
For example you might have a VLAN for an SSID, i.e. identify a certain group of users, then use this VLAN to send all those users out WAN2, or out WireGuard for internet, etc.

Until we know your requirements in more detail, it's hard to go any further.

I'm with Anav on this one.

Simple load balancing might not be sufficient.

Hello,

I have a MikroTik router with two uplinks:

WAN1 (ISP1)

WAN2 (ISP2)

Requirement:

  1. Traffic for Facebook, YouTube, WhatsApp, and Instagram must always egress via WAN1.

  2. All other traffic must be blocked on WAN1 (no egress via WAN1 except those four services).

  3. All remaining traffic (other sites/apps) must go via WAN2.

Related to topic https://forum.mikrotik.com/t/block-android-app/264092 for traffic detection; see the responses there.

The answer is no, you need a different hardware brand.
Try Fortigate for example. The FG/FWF 50G will get you 1 Gbps HTTPS and 2.8 Gbps on specific applications; anything lower and you give up capacity (the FG-FWF 40F gives 300 Mbps HTTPS and 990 Mbps for applications).

Now that's mainly for security purposes and often one has to purchase additional services. You would have to call them to see if directing traffic out certain WANs is a capability included or not designed for.

Still no solution.

And there won’t be in the near future. You need a next-gen firewall that has DPI capabilities and can work at application layer. This is not the right tool for this job.

Not until Mikrotik does two things.

a. starts using later V8 Cortex versions: 5x/7x series (or new V9) which are better suited for IDS/IDP type detections; and

b. implements an MT server for it (similar to DDNS/BTH)

If speaking about those mentioned services specifically: there’s just a tool for that, and it’s called BGP.

More than that, you can find public route servers you can establish a BGP session with, and get those services' IP blocks you can then route as you like with practically zero performance trade-off.

Another way would be through DNS: you start with something like this

/ip dns static add address-list=to_WAN1 match-subdomain=yes name=youtu.be type=FWD

Then just use that address list for mangle rules. The performance impact of this approach is considerable, but can be partially mitigated by applying connection marking.
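A worked configuration of the DNS-to-address-list approach described in this post, added here as an example and not the poster's own config. It assumes ether1 is WAN1 with gateway 192.0.2.1, ether2 is WAN2 with gateway 198.51.100.1, LAN clients are in an interface list named LAN, and 203.0.113.53 is an upstream resolver; those interface names, addresses and the to_WAN1, wan1_conn and via_wan1 names are all assumptions. It covers the three requirements stated earlier in the thread (listed services via WAN1, nothing else via WAN1, everything else via WAN2) and uses connection marking so the address-list lookup happens once per connection rather than once per packet.

```routeros
# Added example (not from the original post). Assumed layout:
#   ether1 = WAN1, gateway 192.0.2.1     ether2 = WAN2, gateway 198.51.100.1
#   LAN clients are in interface list "LAN"; 203.0.113.53 is an assumed upstream resolver.

# 1. Resolve the service names on the router and collect the answers in an address list.
#    Only two YouTube names are shown; the real set is larger and changes over time.
/ip dns set allow-remote-requests=yes
/ip dns static
add name=youtube.com match-subdomain=yes type=FWD forward-to=203.0.113.53 address-list=to_WAN1
add name=youtu.be    match-subdomain=yes type=FWD forward-to=203.0.113.53 address-list=to_WAN1

# 2. A second routing table whose default route points at WAN1. The main table keeps
#    its default via WAN2, so anything without a routing mark leaves through WAN2.
/routing table add name=via_wan1 fib
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1    routing-table=via_wan1 comment="marked traffic -> WAN1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1            comment="everything else -> WAN2"

# 3. Mangle: mark the connection once (first packet only, connection-mark=no-mark), then
#    apply the routing mark to every packet of a marked connection. This is the
#    connection-marking mitigation: the address-list match runs per connection, not per packet.
/ip firewall mangle
add chain=prerouting in-interface-list=LAN dst-address-list=to_WAN1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface-list=LAN connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=via_wan1 passthrough=no

# 4. Source NAT per uplink.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# 5. Requirement 2: nothing except the listed destinations may leave via WAN1. Place this
#    above any generic "accept forward" rule; it is a safety net (e.g. during failover).
/ip firewall filter
add chain=forward out-interface=ether1 dst-address-list=!to_WAN1 action=drop \
    comment="WAN1 is reserved for to_WAN1 destinations"

# Checks: the list fills as clients resolve names, and marked connections appear.
/ip firewall address-list print where list=to_WAN1
/ip firewall connection print where connection-mark=wan1_conn
```

If WAN1 gets its address from DHCP, set that client's add-default-route=no so WAN1 does not also install a default route in the main table and compete with the WAN2 route. Address-list entries created from DNS answers expire with the record TTL, so the list only stays correct while clients keep resolving through the router.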

I wonder how you see that working with BGP.

The OP asks for Youtube to be sent to one WAN, and “other services” (e.g. Google, Gmail etc) to another.

I can understand how you could use BGP AS# to separate Google corporation traffic from e.g. Microsoft, Meta, or others. But how do you separate services offered by the same Google (Alphabet) corporation?

Well, you just need a proper route server that would use specific communities for marking. Such as this one for instance.

Of course, this approach isn't 100% bullet-proof and might lead to false-positive (or, less likely, false-negative) processing, but let's be honest: none of them are. DNS can be bypassed via DoH, and DPI isn't very useful for encrypted traffic such as ECH and QUIC.

I just tried to add my “few cents” to the topic :grinning_face_with_smiling_eyes:

Well, sounds like off topic to me. There is lots that can be done by introducing non-MT products, which is really not relevant. Such as getting a Fortigate IDP/IDS device etc.

“getting a Fortigate (or whatever) device” will not get you anything unless your users agree to install your locally generated root certificate on their devices. So that works only on controlled corporate devices where you can use an MDM or similar to push the certificate.

When the scenario is not like that (e.g. you have occasional visitors that have to be “allowed to use the WiFi” but you want to control the perceived waste of bandwidth), such a device, no matter how powerful it is, is not going to do the job.

And in the intended use case, it degrades the security and privacy of the users.

How would DPI solve the routing part?

If you want to sniff SNI, which is being sent after TCP and TLS handshakes, re-routing this connection to another WAN would break it.

The only reason I joined this topic is because I use the previously described solution and it works. BGP is actually quite supplementary; DNS does the thing for me. And it's 100% MT native, no 3rd party services involved. It's a little bit tricky to set up as you have to track a number of domain names, but it still gets things done pretty nicely.

Well, it requires a full investigation of the domain names used by the services you want to classify (this is not only something like “youtube.com” but many other names as well), and you need to track that over time as it may change.

Also, when you put these in e.g. address lists to be handled by the router, you need to be sure that your users use the DNS of your router as well. When they or their OS implicitly use something like 8.8.8.8 and you are using another, the addresses received for the DNS names will be different, and your address list will be wrong.

This used to be easy, just redirect all port 53 traffic to your own router, but it is not easy anymore because of DoH and DoT.
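The port-53 redirect mentioned above, written out as an added example (not the poster's configuration). It assumes LAN clients are in an interface list named LAN and that the router's own DNS service answers for them; the comments and rule placement are assumptions too. The redirect only catches plain DNS, which is exactly the limitation the post describes: DoT and DoH are not affected by it, and the last rule simply makes DoT attempts visible as a counter.

```routeros
# Added example (not from the original post). Assumes LAN clients are in interface list "LAN".
/ip dns set allow-remote-requests=yes

# Let LAN hosts query the router itself (input chain); keep this above any generic input drop.
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept comment="LAN DNS to router"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept comment="LAN DNS to router"

# Redirect plain DNS a client sends elsewhere (e.g. a hard-coded 8.8.8.8) to the router,
# so the address list is built from the same answers the client actually receives.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="plain DNS via router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="plain DNS via router"

# Caveat: only port-53 DNS is caught. DoT (TCP/853) and DoH (inside HTTPS on 443) go past it.
# The rule below drops DoT and, through its counter, shows how many clients try it;
# DoH cannot be told apart from other HTTPS traffic on a non-DPI box.
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 action=drop comment="DoT attempts"

# Checks: redirect counters climb when a client uses a foreign resolver; the DoT counter
# shows clients that would bypass the address-list approach entirely.
/ip firewall nat print stats where comment~"plain DNS"
/ip firewall filter print stats where comment~"DoT"
```

Whether a client falls back to plain DNS when 853 is blocked depends on its settings (strict private-DNS modes do not), so the counter is a measure of how much of the LAN the address-list method can still see, not a fix for the gap.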

Yes, that’s true. That’s what I meant by saying there are no 100% bullet-proof solutions.

In my case, I do that for myself so there is no intention from the user side to bypass this solution.

For YouTube I use these: googlevideo.com, youtube.com, youtubei.googleapis.com, ytimg.com, youtu.be