PCC-DUAL WAN Load Balancing

mikrotik2014 · August 7, 2013, 7:52am

hello ,
I’ve used this way : Mikrotik DUAL WAN Load Balancing using PCC method

Local : 192.168.0.1
DSL MODEM 1 = 10.111.0.1
DSL MODEM 2 = 10.112.0.1

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=WAN1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=WAN2
 
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8
 
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
 
/ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
 
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

I have successfully completed .

Now I do three-line and four-line . How do I add an additional line? How can I?
please help me . thanx .

Rudios · August 7, 2013, 9:02am

mikrotik2014:

hello ,
I’ve used this way : Mikrotik DUAL WAN Load Balancing using PCC method

Local : 192.168.0.1
DSL MODEM 1 = 10.111.0.1
DSL MODEM 2 = 10.112.0.1

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=WAN1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=WAN2
 
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8
 
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
 
/ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
 
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

I have successfully completed .

Now I do three-line and four-line . How do I add an additional line? How can I?
please help me . thanx .

You have to duplicate all your mangle rules and update them according to the new infp.
Also double your nat rules and your /ip route settings.
Change your per-connection-classifier to 4:0 → 4:3

SomeYoungGuy · June 17, 2014, 9:51am

I followed your configuration, and got Dual WAN working great, now im looking for a way to adapt this to act only on a VPN, so i can specifically route traffic over a VPN, and the VPN has the benefit of the dual WAN configuration.

So far what I have is two VPNs VPN1 and VPN2, they are connected and route in and out differently, as they have two different headed IPs.
so: VPN1 = 10.0.0.100 ↔ 10.0.0.99
and VPN2 = 10.0.0.101 ↔ 10.0.0.98

So now with the same script, rather then using WAN1 and WAN2… im using VPN1 and VPN2… bit its not working

This is my attempt, but traffic only flows over VPN1, since the connection mark only seems to set as “WAN1_conn”

Local : 192.168.1.1
VPN1 = 10.0.0.100(DHCP assigned local) 10.0.0.99 (server)
VPN2 = 10.0.0.101(DHCP assigned local) 10.0.0.98 (server)

/ip firewall mangle
add chain=input in-interface=VPN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=VPN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=10.0.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
 
/ip route
add dst-address=X.X.X.X gateway=10.0.0.99 routing-mark=to_WAN1 check-gateway=ping
add dst-address=X.X.X.X gateway=10.0.0.98 routing-mark=to_WAN2 check-gateway=ping

But when i ping X.X.X.X it only goes out via 10.0.0.99 (VPN1).

Am I barking up the wrong tree here?? or is there better way to load balance / combine multiple VPN links. Essentially what im trying to achieve is to have either a VPN array - or some bonded VPN or something like that, so that if one of the ISP’s / links goes down, traffic simply flows over the other without modification.

This is in an attempt to make sip calls over a “robust” VPN, a VPN that uses any number on internet connections.

kei888 · October 15, 2014, 5:44am

Hi folks!

I’m having a problem also using PCC load balancing method on my two ISPs. WAN2 (ISP2) has no traffic even after mangles had been configured.

Here’s my script.

Both WAN1 and WAN2 has the same Bandwidth which is 6 Mbps Upload and 6 Mbps Download each link.

Below is the configuration of my Mikrotik RB951G-2HnD (6.20):

/interface bridge
add mtu=1500 name=bridge1-LAN

/interface ethernet
set [ find default-name=ether1 ] disabled=yes mac-address=D4:CA:6D:80:A5:8A
set [ find default-name=ether2 ] mac-address=D4:CA:6D:80:A5:8B name=ether2-WAN1
set [ find default-name=ether3 ] mac-address=D4:CA:6D:80:A5:8C name=ether3-WAN2
set [ find default-name=ether4 ] mac-address=D4:CA:6D:80:A5:8D name=ether4-LAN
set [ find default-name=ether5 ] mac-address=D4:CA:6D:80:A5:8E name=ether5-LAN

/interface vlan
add interface=bridge1-LAN l2mtu=1594 name=vlan10-President vlan-id=10
add interface=bridge1-LAN l2mtu=1594 name=vlan20-Recruiting vlan-id=20
add interface=bridge1-LAN l2mtu=1594 name=vlan30-VoIP vlan-id=30
add interface=bridge1-LAN l2mtu=1594 name=vlan40-Employees vlan-id=40

/interface bridge port
add bridge=bridge1-LAN interface=ether4-LAN
add bridge=bridge1-LAN interface=ether5-LAN

/ip address

add address=192.168.1.5/27 comment=“WAN1 GW” interface=ether2-WAN1 network=192.168.1.0
add address=192.168.2.2/30 comment=“WAN2 GW” interface=ether3-WAN2 network=192.168.2.0

add address=172.30.8.1/24 comment=“Management VLAN” interface=bridge1-LAN network=172.30.8.0
add address=172.16.20.1/28 comment=“Recruiting IP Block GW” interface=vlan20-Recruiting network=172.16.20.0
add address=172.16.10.1/27 comment=“President IP Block GW” interface=vlan10-President network=172.16.10.0
add address=172.16.30.1/28 comment=“VoIP IP Block GW” interface=vlan30-VoIP network=172.16.30.0
add address=172.30.40.1/24 comment=“Employees IP Block GW” interface=vlan40-Employees network=172.30.40.0

/ip firewall mangle EXPORT
add action=mark-connection chain=input comment=“Dual WAN Load Balancing w/ Fail Over” in-interface=ether2-WAN1 new-connection-mark=WAN1_mark
passthrough=no
add action=mark-connection chain=input comment=“Dual WAN Load Balancing w/ Fail Over” in-interface=ether3-WAN2 new-connection-mark=WAN2_mark
passthrough=no

add action=mark-routing chain=output comment=“Dual WAN Load Balancing w/ Fail Over” connection-mark=WAN1_mark new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output comment=“Dual WAN Load Balancing w/ Fail Over” connection-mark=WAN2_mark new-routing-mark=to_ISP2 passthrough=no

add chain=prerouting comment=“Dual WAN Load Balancing w/ Fail Over” dst-address=192.168.1.0/27 in-interface=bridge1-LAN
add chain=prerouting comment=“Dual WAN Load Balancing w/ Fail Over” dst-address=192.168.2.0/30 in-interface=bridge1-LAN

add action=mark-connection chain=prerouting comment=“Dual WAN Load Balancing w/ Fail Over” dst-address-type=!local in-interface=bridge1-LAN
new-connection-mark=WAN1_mark per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment=“Dual WAN Load Balancing w/ Fail Over” dst-address-type=!local in-interface=bridge1-LAN
new-connection-mark=WAN2_mark per-connection-classifier=both-addresses-and-ports:2/1

add action=mark-routing chain=prerouting comment=“Dual WAN Load Balancing w/ Fail Over” connection-mark=WAN1_mark in-interface=bridge1-LAN
new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting comment=“Dual WAN Load Balancing w/ Fail Over” connection-mark=WAN2_mark in-interface=bridge1-LAN
new-routing-mark=to_ISP2 passthrough=no

/ip firewall mangle PRINT

0 ;;; Dual WAN Load Balancing w/ Fail Over
chain=input action=mark-connection new-connection-mark=WAN1_mark passthrough=no in-interface=ether2-WAN1 log=no
log-prefix=“”

1 ;;; Dual WAN Load Balancing w/ Fail Over
chain=input action=mark-connection new-connection-mark=WAN2_mark passthrough=no in-interface=ether3-WAN2 log=no
log-prefix=“”

2 ;;; Dual WAN Load Balancing w/ Fail Over
chain=output action=mark-routing new-routing-mark=to_ISP1 passthrough=no connection-mark=WAN1_mark log=no log-prefix=“”

3 ;;; Dual WAN Load Balancing w/ Fail Over
chain=output action=mark-routing new-routing-mark=to_ISP2 passthrough=no connection-mark=WAN2_mark log=no log-prefix=“”

4 ;;; Dual WAN Load Balancing w/ Fail Over
chain=prerouting action=accept dst-address=192.168.1.0/27 in-interface=bridge1-LAN log=no log-prefix=“”

5 ;;; Dual WAN Load Balancing w/ Fail Over
chain=prerouting action=accept dst-address=192.168.2.0/30 in-interface=bridge1-LAN log=no log-prefix=“”

6 ;;; Dual WAN Load Balancing w/ Fail Over
chain=prerouting action=mark-connection new-connection-mark=WAN1_mark passthrough=yes dst-address-type=!local
in-interface=bridge1-LAN per-connection-classifier=both-addresses-and-ports:2/0 log=no log-prefix=“”

7 ;;; Dual WAN Load Balancing w/ Fail Over
chain=prerouting action=mark-connection new-connection-mark=WAN2_mark passthrough=yes dst-address-type=!local
in-interface=bridge1-LAN per-connection-classifier=both-addresses-and-ports:2/1 log=no log-prefix=“”

8 ;;; Dual WAN Load Balancing w/ Fail Over
chain=prerouting action=mark-routing new-routing-mark=to_ISP1 passthrough=no in-interface=bridge1-LAN
connection-mark=WAN1_mark log=no log-prefix=“”

9 ;;; Dual WAN Load Balancing w/ Fail Over
chain=prerouting action=mark-routing new-routing-mark=to_ISP2 passthrough=no in-interface=bridge1-LAN
connection-mark=WAN2_mark log=no log-prefix=“”

/ip route
add check-gateway=ping comment=“WAN1 GW” distance=1 gateway=192.168.1.1 routing-mark=to_ISP1
add check-gateway=ping comment=“WAN2 GW” distance=1 gateway=192.168.2.1 routing-mark=to_ISP2
add check-gateway=ping comment=“Normal Default Route excep for ‘Distance set to 1’” distance=1 gateway=210.213.67.65
add check-gateway=ping distance=2 gateway=202.78.78.189

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-WAN1
add action=masquerade chain=srcnat out-interface=ether3-WAN2

Thank you.