Recommendations for Load Balancing

Hello experts,

I come here to see if you can give me some recommendations/guidance on my Load Balance configuration. I'm having some issues like Netflix not working, some initial slowness to load sites, and some sites log me out and I have to keep logging in.

I have 2 ISPs, WAN1 is 50Mbps PPPoE and WAN2 is 100Mbps dynamic IP.

The following is my config, if you can take a look and give me some recommendations to have this right and also some explanation to the suggestions, I will really appreciate it.

Thanks in advance.

JP.

# jan/07/2020 21:34:45 by RouterOS 6.43.8
# software id = 8HC2-7XN7
#
# model = 951Ui-2HnD
# serial number = 
/interface bridge
add name=bridge1
add name=bridge2_wlan_Lily
/interface ethernet
set [ find default-name=ether1 ] name=1_WAN1
set [ find default-name=ether2 ] name=2_WAN2
set [ find default-name=ether3 ] name=3_PtP_CerroSanNicolas
set [ find default-name=ether4 ] name=4_IPTV_IN
set [ find default-name=ether5 ] name=5_CCTV poe-out=off poe-priority=1
/interface pppoe-client
add add-default-route=yes default-route-distance=3 disabled=no interface=1_WAN1 keepalive-timeout=1 name=pppoe-out1 password=xxxxxx user=xxxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto mode=ap-bridge name=wlan1_CALLISTO ssid=CALLISTO wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxx wpa2-pre-shared-key=xxxx
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=sec_profile_visitas supplicant-identity=MikroTik wpa-pre-shared-key=xxxx wpa2-pre-shared-key=xxxx
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=sec_profile_devices supplicant-identity="" wpa-pre-shared-key=xxxx wpa2-pre-shared-key=xxxx
/interface wireless
add disabled=no mac-address=D6:CA:6D:D7:70:BD master-interface=wlan1_CALLISTO name=wlan2_VISITAS security-profile=sec_profile_visitas ssid=VISITAS
add disabled=no mac-address=02:00:00:AA:00:00 master-interface=wlan1_CALLISTO name=wlan3_DEVICES security-profile=sec_profile_devices ssid=DEVICES wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.100.101-192.168.100.149
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge filter
add action=drop chain=forward in-interface=wlan2_VISITAS
add action=drop chain=forward out-interface=wlan2_VISITAS
/interface bridge port
add bridge=bridge1 interface=3_PtP_CerroSanNicolas
add bridge=bridge1 interface=4_IPTV_IN
add bridge=bridge1 interface=5_CCTV
add bridge=bridge1 interface=wlan1_CALLISTO
add bridge=bridge1 interface=wlan2_VISITAS
add bridge=bridge2_wlan_Lily interface=wlan3_DEVICES
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=2_WAN2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
/ip dns
set servers=4.2.2.2,8.8.8.8
/ip dns static
add address=8.8.8.8 name=google
/ip firewall filter
add action=drop chain=input connection-limit=100,32 disabled=yes hotspot="" log=yes src-address=195.154.156.3 src-address-list=77.202.192.113
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=bridge1 new-connection-mark=conn1 nth=3,2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn1 in-interface=bridge1 new-routing-mark=conn1 passthrough=no
add action=mark-connection chain=prerouting connection-state=new in-interface=bridge1 new-connection-mark=conn2 nth=1,1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn2 in-interface=bridge1 new-routing-mark=conn2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat disabled=yes out-interface=2_WAN2
add action=masquerade chain=srcnat disabled=yes out-interface=1_WAN1
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=conn1 scope=255
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=conn2 scope=255
add check-gateway=ping distance=4 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/xxxxx
/tool bandwidth-server

Some servers don't like it when a client sends multiple requests from different source addresses. And that's exactly what using "nth" does. You can either convince them to change it (near impossible), or use a different balancing method that will let each client access each remote server using only one link. PCC (https://wiki.mikrotik.com/wiki/Manual:PCC) with some "safer" classifier (e.g. both-addresses) will do that. You will lose the ability to have one client downloading from one server with the combined speed of both links, but you won't have the problems you have now (some of them at least, I can't say if it's all related to this). It's a tradeoff.
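As an added illustration of the PCC approach described in the reply above (this is example configuration, not part of the original thread or of the MikroTik wiki page), here is what the mangle, route and NAT sections look like when the per-packet nth split is replaced by per-connection-classifier=both-addresses. Interface names (bridge1, pppoe-out1, 2_WAN2), the marks conn1/conn2 and the WAN2 gateway 192.168.0.1 are taken from the export in the question; the 3-bucket 2:1 split (two buckets to the 100 Mbps link, one to the 50 Mbps link) is an assumption that goes slightly beyond the reply, which only asks for a classifier that keeps one client-to-server pair on one link. The rules also add two things the reply does not spell out but that the wiki recipe relies on: traffic to the router itself is excluded from policy routing, and connections that arrive from a WAN are marked so their replies leave on the same link.

```routeros
# Added example (not the OP's config): PCC load balancing keyed on both-addresses,
# so a given LAN host always reaches a given remote server through the same WAN.
# Assumptions: names from the OP's export; 2:1 bucket split matches 100/50 Mbps links.

/ip firewall mangle
# 1. Never policy-route traffic addressed to the router itself (DNS, DHCP, Winbox on 192.168.100.1)
add chain=prerouting action=accept in-interface=bridge1 dst-address-type=local comment="PCC: router-local traffic"

# 2. Connections that arrive from a WAN keep that WAN for their replies
add chain=prerouting action=mark-connection in-interface=2_WAN2 connection-mark=no-mark new-connection-mark=conn1 passthrough=yes comment="PCC: inbound via WAN2"
add chain=prerouting action=mark-connection in-interface=pppoe-out1 connection-mark=no-mark new-connection-mark=conn2 passthrough=yes comment="PCC: inbound via WAN1"

# 3. Classify NEW connections from the LAN by (src,dst) address pair.
#    both-addresses:3/0 and 3/1 -> conn1 (WAN2, 100 Mbps); both-addresses:3/2 -> conn2 (WAN1, 50 Mbps)
add chain=prerouting action=mark-connection in-interface=bridge1 connection-state=new dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses:3/0 new-connection-mark=conn1 passthrough=yes comment="PCC: bucket 0 -> WAN2"
add chain=prerouting action=mark-connection in-interface=bridge1 connection-state=new dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses:3/1 new-connection-mark=conn1 passthrough=yes comment="PCC: bucket 1 -> WAN2"
add chain=prerouting action=mark-connection in-interface=bridge1 connection-state=new dst-address-type=!local connection-mark=no-mark per-connection-classifier=both-addresses:3/2 new-connection-mark=conn2 passthrough=yes comment="PCC: bucket 2 -> WAN1"

# 4. Turn the connection mark into a routing mark: for LAN-originated packets...
add chain=prerouting action=mark-routing in-interface=bridge1 connection-mark=conn1 new-routing-mark=conn1 passthrough=no
add chain=prerouting action=mark-routing in-interface=bridge1 connection-mark=conn2 new-routing-mark=conn2 passthrough=no
# ...and for packets the router itself sends in reply to inbound connections
add chain=output action=mark-routing connection-mark=conn1 new-routing-mark=conn1 passthrough=no
add chain=output action=mark-routing connection-mark=conn2 new-routing-mark=conn2 passthrough=no

/ip route
# Marked routes keep the OP's mapping: conn1 -> WAN2 gateway, conn2 -> WAN1 pppoe
add distance=1 gateway=192.168.0.1 routing-mark=conn1 check-gateway=ping
add distance=1 gateway=pppoe-out1 routing-mark=conn2 check-gateway=ping
# Unmarked defaults give failover: if a marked route's gateway fails its ping check,
# the lookup falls back to the main table and the surviving link carries the traffic
add distance=1 gateway=192.168.0.1 check-gateway=ping
add distance=2 gateway=pppoe-out1 check-gateway=ping

/ip firewall nat
# One masquerade per WAN, so the source address always matches the link actually used
add chain=srcnat action=masquerade out-interface=2_WAN2
add chain=srcnat action=masquerade out-interface=pppoe-out1
```

Two things to check before pasting this over the existing rules: the four nth mangle rules and the single unconditional masquerade rule from the original export should be removed first, otherwise connections get marked twice; and the pppoe-client in the export already installs its own default route at distance 3, so either keep that and drop the explicit distance=2 route here, or set add-default-route=no on the pppoe-client, so there is exactly one default route per link. After applying, /ip firewall connection print shows each connection carrying a single conn1 or conn2 mark, and a tracker at a site like whatismyip should report one stable address per browser session instead of alternating between the two ISPs.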