Hi Experts,
Is there a simple way to share 2 internet connections?
I do not mean use one for HTTP and another SMTP etc. So not splitting outbound policies to say which WAN is used.
I mean when the first computer goes out it uses WAN1, then the second user connects and uses WAN2, then the 3rd connects and uses WAN1, then the 4th connects and uses WAN2, and so on.
But all traffic then goes out of that WAN for that computer /user.
Regards
Richy
UMarcus
September 15, 2015, 10:58am
2
Hi,
yes, see example of NTH in the mikrotik wiki.
http://wiki.mikrotik.com/wiki/NTH_load_balancing_with_masquerade
regards
Marcus
UMarcus
September 15, 2015, 12:58pm
4
I'm not a super expert, but IMO if the described behavior is desired then NTH is most suitable (supposing a 'user' is a computer with a different IP).
Both solutions, NTH or PCC, will work without problems; only the behavior of the balancing is different. One thing to keep in mind with NTH is that you need to 'stick' the IP or connection to keep the traffic assigned to a single WAN.
Maybe NTH is an advantage if fewer connections are expected, because with PCC the capacity runs the risk of 'unbalanced' assignment. Or am I completely wrong?
Thanks for the answers,
In the example it keeps calling an interface "local".
If I want it to apply only to a VLAN, should I change it to the name of the VLAN interface?
The VLAN interface is for the WiFi users who are browsing the internet; it's those users I want to balance outbound.
Richy
Hi experts,
The other curve ball is that both my WANs are PPPoE.
So I'm not sure how you would alter the example configs in the wiki for PPPoE,
as they refer to a destination address of 10.111.0.0/24 being the WAN network.
Regards
Richy
Hi, I want to do failover load balancing but I can't get it right. I will appreciate any help.
This is my configuration:
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=SpeedyNet
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=Choice
set [ find default-name=ether6 ] comment="Router Plaza"
set [ find default-name=ether7 ] comment=Server
/ip neighbor discovery
set ether1 comment=SpeedyNet
set ether2 comment=Switch
set ether3 comment=Choice
set ether6 comment="Router Plaza"
set ether7 comment=Server
/interface vlan
add comment="Manejo Switch PTP" interface=ether2 l2mtu=1574 name="vlan15 eth2" \
    vlan-id=15
add comment="Loma Vera" interface=ether2 l2mtu=1574 name="vlan16 eth2" vlan-id=\
    16
add comment=Pancholo interface=ether2 l2mtu=1574 name="vlan17 eth2" vlan-id=17
add comment=Parking interface=ether2 l2mtu=1574 name="vlan18 eth2" vlan-id=18
add comment="Plaza Mercado" interface=ether6 l2mtu=1576 name="vlan19 eth6" \
    vlan-id=19
add interface=ether1 l2mtu=1574 name="vlan892 eth1" vlan-id=892
/ip neighbor discovery
set "vlan15 eth2" comment="Manejo Switch PTP"
set "vlan16 eth2" comment="Loma Vera"
set "vlan17 eth2" comment=Pancholo
set "vlan18 eth2" comment=Parking
set "vlan19 eth6" comment="Plaza Mercado"
/ip pool
add name=dhcp_pool1 ranges=10.10.100.2-10.10.100.254
add name=dhcp_pool2 ranges=10.10.100.2-10.10.100.254
add name=dhcp_pool3 ranges=10.10.200.2-10.10.200.254
add name=dhcp_pool4 ranges=10.10.200.2-10.10.200.254
add name=dhcp_pool5 ranges=10.10.200.2-10.10.200.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether5 name=dhcp1
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 \
    redistribute-connected=as-type-2 redistribute-other-ospf=as-type-2 \
    redistribute-static=as-type-2
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=104.219.29.2/30 interface="vlan892 eth1" network=104.219.29.0
add address=10.10.15.1/24 interface="vlan15 eth2" network=10.10.15.0
add address=10.10.16.1/30 interface="vlan16 eth2" network=10.10.16.0
add address=10.10.17.1/30 interface="vlan17 eth2" network=10.10.17.0
add address=10.10.19.1/30 interface="vlan19 eth6" network=10.10.19.0
add address=192.168.10.1/24 interface=ether7 network=192.168.10.0
add address=104.219.28.249/29 interface=bridge1 network=104.219.28.248
add address=10.10.18.1/30 interface="vlan18 eth2" network=10.10.18.0
add address=24.139.125.60/24 interface=ether3 network=24.139.125.0
add address=10.10.100.1/24 interface=ether5 network=10.10.100.0
/ip dhcp-server network
add address=10.10.100.0/24 gateway=10.10.100.1
add address=10.10.200.0/24 gateway=10.10.200.1
/ip dns
set allow-remote-requests=yes servers=162.244.16.20,162.244.16.21,8.8.8.8
/ip firewall filter
add chain=forward comment="allow established connections" connection-state=\
    established disabled=yes
add chain=forward comment="allow related connections" connection-state=related \
    disabled=yes
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment="drop loose source" disabled=yes \
    ipv4-options=loose-source-routing
add chain=forward comment="No forward check" disabled=yes src-address-list=\
    "no forward check"
add chain=input comment="acept from whitelist" disabled=yes src-address-list=\
    whitelist
add action=jump chain=forward comment="jump to the virus chain" disabled=yes \
    jump-target=virus
add chain=forward comment="Allow HTTP" disabled=yes dst-port=80 protocol=tcp
add action=drop chain=input comment="drop psd Blacklist" disabled=yes \
    src-address-list=psd_blacklist
add action=add-src-to-address-list address-list=psd_blacklist \
    address-list-timeout=1w3d chain=input comment="detect PSD" disabled=yes \
    protocol=tcp psd=21,3s,3,1
add action=jump chain=input comment="Jump to Bruteforce pevention" disabled=yes \
    jump-target=bruteforce-prevention
add chain=output comment="Allow only 10 FTP login incorrect answers per minute" \
    content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m \
    protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment=\
    "FTP brute forcers blacklisting" content="530 Login incorrect" disabled=yes \
    protocol=tcp
add action=drop chain=bruteforce-prevention comment="Drop FTP brute forcers" \
    disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=bruteforce-prevention comment="Allow SSH safe hosts" \
    connection-state=new disabled=yes dst-port=22 protocol=tcp \
    src-address-list=safe
add action=drop chain=bruteforce-prevention comment="Drop SSH brute forcers" \
    disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=bruteforce-prevention comment=\
    "SSH brute forcers blacklisting" connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=bruteforce-prevention comment=\
    "SSH brute forcers the third stage" connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=bruteforce-prevention comment=\
    "SSH brute forcers the second stage" connection-state=new disabled=yes \
    dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=bruteforce-prevention comment=\
    "SSH brute forcers the first stage" connection-state=new disabled=yes \
    dst-port=22 protocol=tcp
add chain=bruteforce-prevention comment="Allow WinBox safe hosts" \
    connection-state=new disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=safe
add action=drop chain=bruteforce-prevention comment="Drop WinBox brute forcers" \
    disabled=yes dst-port=8291 protocol=tcp src-address-list=wb_blacklist
add action=add-src-to-address-list address-list=wb_blacklist \
    address-list-timeout=1w3d chain=bruteforce-prevention comment=\
    "WinBox brute forcers blacklisting" connection-state=new disabled=yes \
    dst-port=8291 protocol=tcp src-address-list=wb_stage3
add action=add-src-to-address-list address-list=wb_stage3 address-list-timeout=\
    1m chain=bruteforce-prevention comment=\
    "WinBox brute forcers the third stage" connection-state=new disabled=yes \
    dst-port=8291 protocol=tcp src-address-list=wb_stage2
add action=add-src-to-address-list address-list=wb_stage2 address-list-timeout=\
    1m chain=bruteforce-prevention comment=\
    "WinBox brute forcers the second stage" connection-state=new disabled=yes \
    dst-port=8291 protocol=tcp src-address-list=wb_stage1
add action=drop chain=input disabled=yes dst-port=53 in-interface=\
    "vlan892 eth1" protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=\
    "vlan892 eth1" protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1 \
    protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1 \
    protocol=tcp
/ip firewall nat
add action=src-nat chain=srcnat src-address=10.16.1.0/24 to-addresses=\
    104.219.29.250
add action=src-nat chain=srcnat src-address=10.17.1.0/24 to-addresses=\
    104.219.29.251
add action=src-nat chain=srcnat src-address=10.18.1.0/24 to-addresses=\
    104.219.29.252
add action=src-nat chain=srcnat src-address=192.168.10.0/24 to-addresses=\
    104.219.29.249
add action=src-nat chain=srcnat src-address=192.168.88.0/24 to-addresses=\
    104.219.29.249
add action=src-nat chain=srcnat src-address=192.168.16.0/25 to-addresses=\
    104.219.29.250
add action=src-nat chain=srcnat src-address=192.168.17.0/25 to-addresses=\
    104.219.29.251
add action=dst-nat chain=dstnat dst-address=104.219.29.251 dst-port=8291 \
    protocol=tcp to-addresses=10.10.17.2 to-ports=8291
add action=dst-nat chain=dstnat comment="Camaras Joe " dst-address=\
    104.219.29.251 dst-port=9000 protocol=tcp to-addresses=192.168.17.4 \
    to-ports=9000
add action=dst-nat chain=dstnat comment="Camaras Juan Carlos Echevarria" \
    dst-address=104.219.29.251 dst-port=6000 protocol=tcp to-addresses=\
    10.17.1.16 to-ports=6000
add action=dst-nat chain=dstnat comment="Camaras Juan Carlos Echevarria" \
    dst-address=104.219.29.251 dst-port=7000 protocol=tcp to-addresses=\
    10.17.1.16 to-ports=7000
add action=dst-nat chain=dstnat comment="Camaras Jose Matos Rivera" \
    dst-address=104.219.29.251 dst-port=8000 protocol=tcp to-addresses=\
    10.17.1.12 to-ports=8000
add action=dst-nat chain=dstnat comment="Camaras Jose Matos Rivera" \
    dst-address=104.219.29.251 dst-port=5000 protocol=tcp to-addresses=\
    10.17.1.12 to-ports=5000
add action=dst-nat chain=dstnat comment="Camaras Joe " dst-address=\
    104.219.29.251 dst-port=84 protocol=tcp to-addresses=192.168.17.4 to-ports=\
    84
add action=dst-nat chain=dstnat comment="Camaras Joe " dst-address=\
    104.219.29.251 dst-port=3000 protocol=tcp to-addresses=192.168.17.4 \
    to-ports=3000
add action=dst-nat chain=dstnat dst-address=104.219.29.250 dst-port=8291 \
    protocol=tcp to-addresses=10.10.16.2 to-ports=8291
add action=dst-nat chain=dstnat dst-address=104.219.29.252 dst-port=8291 \
    protocol=tcp to-addresses=10.10.18.2 to-ports=8291
add action=masquerade chain=srcnat out-interface=ether1 src-address=50.50.50.2
add action=masquerade chain=srcnat out-interface="vlan892 eth1"
add action=masquerade chain=srcnat out-interface=ether3
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=104.219.29.1
add distance=2 gateway=24.139.125.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing ospf interface
add authentication=simple authentication-key=network2014 interface=\
    "vlan16 eth2" network-type=point-to-point
add authentication=simple authentication-key=network2014 interface=\
    "vlan17 eth2" network-type=point-to-point
add authentication=simple authentication-key=network2014 interface=\
    "vlan18 eth2" network-type=point-to-point
add authentication=simple authentication-key=network2014 interface=\
    "vlan19 eth6" network-type=broadcast
/routing ospf network
add area=backbone network=10.10.17.0/30
add area=backbone network=10.10.18.0/30
add area=backbone network=10.10.19.0/30
add area=backbone network=10.10.16.0/30
Cormacs
September 15, 2015, 11:00pm
8
I have gotten a dual WAN with two PPPoE connections set up with PCC and it works great. Port forwarding can be tricky, as I have found, but if you are not worried about that then you are gold. I get double the speed on torrents and any multi-link connection.
Thanks Cormacs,
But what is the syntax you use in your config when it's PPPoE?
The examples in the wiki are more like a leased line / WAN network example.
http://wiki.mikrotik.com/wiki/Manual:PCC#Application_Example_-_Load_Balancing
Regards
Richy
Instead of gateway IP addresses you need to write the PPP interface name as the gateway (this is OK for point-to-point interfaces).
Cormacs:
I have gotten a dual WAN with two PPPoE connections set up with PCC and it works great. Port forwarding can be tricky, as I have found, but if you are not worried about that then you are gold. I get double the speed on torrents and any multi-link connection.
How is port forwarding with two PPPoE links different from port forwarding with 2 regular WAN interfaces?
Dst-nat setup is easy: create 2 action=jump rules (one for each WAN interface) to jump to your custom NAT chain that has all your regular dst-nat rules (like you have in a single-WAN configuration).
Sorry if being a bit behind here,
So this part
/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
I would change to be
/ ip firewall mangle
add chain=prerouting dst-address=PPPoE1 action=accept in-interface=VLAN101
add chain=prerouting dst-address=PPPoE2 action=accept in-interface=VLAN101
As I do not know my ISP upstream Network range.
and the name of my interface I want to use the Multi Wan is called VLAN101
Richy
UMarcus:
I'm not a super expert, but IMO if the described behavior is desired then NTH is most suitable (supposing a 'user' is a computer with a different IP).
Both solutions, NTH or PCC, will work without problems; only the behavior of the balancing is different. One thing to keep in mind with NTH is that you need to 'stick' the IP or connection to keep the traffic assigned to a single WAN.
Maybe NTH is an advantage if fewer connections are expected, because with PCC the capacity runs the risk of 'unbalanced' assignment. Or am I completely wrong?
You can configure Nth correctly, but you need to keep in mind many things that PCC does automatically. For example, when you open HTTPS pages with several simultaneous connections, they must go from the same src-address. You need to make dynamic address lists and stuff.
monkeybike:
Sorry if being a bit behind here,
So this part
/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
I would change to be
/ ip firewall mangle
add chain=prerouting dst-address=PPPoE1 action=accept in-interface=VLAN101
add chain=prerouting dst-address=PPPoE2 action=accept in-interface=VLAN101
As I do not know my ISP upstream Network range.
and the name of my interface I want to use the Multi Wan is called VLAN101
Richy
Just specify the IP address of the gateway there, as /32.
When you say just specify the IP of the gateway, do you mean the static IP that gets assigned to the PPPoE connection? Its gateway can change; it is not consistent with PPPoE in the UK as far as I have seen.
Richy
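The PCC approach discussed in this thread, adapted to two PPPoE uplinks with per-client stickiness, as an added example that is not taken from any poster's configuration or from the MikroTik wiki. It assumes RouterOS v6 syntax, PPPoE client interfaces named pppoe-out1 and pppoe-out2, and the mark names shown; VLAN101 is the client-facing interface named above.

```routeros
# Added example (RouterOS v6 syntax), not from the thread or the wiki.
# Assumed names: pppoe-out1 / pppoe-out2 (PPPoE clients), WAN1_conn / WAN2_conn,
# to_WAN1 / to_WAN2. VLAN101 is the client-facing interface named in the thread.
/ip firewall mangle
# Connections opened from the internet are answered through the WAN they
# arrived on (needed for port forwards to keep working with two uplinks).
add chain=prerouting in-interface=pppoe-out1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=pppoe-out2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2_conn

# New client connections are classified on source address only, so every
# connection from one client IP lands on the same WAN. dst-address-type=!local
# leaves traffic addressed to the router itself unmarked.
add chain=prerouting in-interface=VLAN101 connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=src-address:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn
add chain=prerouting in-interface=VLAN101 connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=src-address:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn

# Translate connection marks into routing marks for forwarded client traffic.
add chain=prerouting in-interface=VLAN101 connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=VLAN101 connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2

# Same translation for packets the router itself sends on marked connections.
add chain=output connection-mark=WAN1_conn action=mark-routing \
    new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing \
    new-routing-mark=to_WAN2

/ip route
# PPPoE is point-to-point, so the interface name is used as the gateway and
# the ISP's upstream addressing does not need to be known.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_WAN1
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_WAN2
# Unmarked traffic: prefer WAN1, fall back to WAN2.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=2

/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=pppoe-out2 action=masquerade
```

Traffic from VLAN101 to other internal subnets should be matched by an action=accept mangle rule placed ahead of the classifier rules, otherwise it is marked and routed out a WAN.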