Working 2 wan load balancing and failover configuration (with dual incoming connections too)

Hello, I have 2 internet connections and I wanted to do load balancing (symmetric) to utilize the whole bandwidth of both. All guides I found were either incomplete or not working (properly). The closest I found to be (almost) working was this:

https://gist.github.com/zaqueo/3af80715a97d6e7752887f8deeb589b9

But it has its flaws and sometimes it's not working at all. So I based my version on this and made some modifications so it works properly until now, and I want to share it for others to test and use, or to make a better version of it and share back.

First I want to say my hardware is an RB750 (yes, the old one!!) with ROS 6.48.7 (long term) and it has been reset as a router with the complete firewall configuration.

An important thing to note is to disable the fasttrack connection rule that is enabled by default in the firewall, so the mangle rules work properly.

I have disabled the DHCP client on the Mikrotik and I have set ether1 and ether2 as WANs with static IPs and L2 MTU 1600 and put them on the WAN interface list (both of them) so the default firewall configuration (and NAT) secures them both.

I have configured the ISP routers with different subnets and, optionally, I have set a DMZ on both routers so all traffic is dropped on my Mikrotik, each one to the IP assigned to the respective interface (ether1, ether2).

I have set a custom DNS (Cloudflare).

You can check the configuration above on GitHub and I will highlight the modifications that need to be done below.

Optional: to allow incoming connections as usual, you can make the dstnat rule to your server IP and port (I suppose you know how) and on the incoming interface list you pick WAN to allow input and dstnat from the 2 WANs with one rule.

As you will have the default configuration loaded, the srcnat masquerade will be output on the WAN interface list by default.

I will start with the mangle rules step by step.

Make appropriate syntax corrections as I copy-pasted the conf from the export command on the Mikrotik terminal window. Better read it and add the conf manually.

1) The following rules are an addition to the code from GitHub to properly mark and redirect incoming dstnat'ed ports to a local server back to the originating interface, and they go on top of the mangle rules. Without these the outgoing replies will be split to the 2 WANs following the load balancing rules, resulting in "half" connections. (THEY ARE OPTIONAL, ONLY IF YOU HAVE A SERVICE TO THE PUBLIC INTERNET)

/ip firewall mangle
add action=mark-connection chain=prerouting comment="--start of rules to direct dstnat inputs to interface of which they originated. need ports and interfaces--" dst-port=80,443 in-interface=ether1-wan1 new-connection-mark=WAN1_conn-input passthrough=no protocol=tcp
add action=mark-connection chain=prerouting dst-port=80,443 in-interface=ether2-wan2 new-connection-mark=WAN2_conn-input passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="route incoming marked to specific interface" connection-mark=WAN1_conn-input new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting comment="--end of rules to direct incoming dstnat to interfaces they originated--" connection-mark=WAN2_conn-input new-routing-mark=to_WAN2 passthrough=no


2) The following rules are the complete ones from the GitHub code BUT I made a modification: I made a new, different connection mark at lines 13, 14, 15, 16 and merged 23, 24 into one rule. I have the rules to be modified in BOLD and UNDERLINE.

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn_1 passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn_2 passthrough=yes
add chain=prerouting connection-mark=WAN1_conn_1 in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn_2 in-interface=Local action=mark-routing new-routing-mark=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade


I made the modification to the mangle section because the input rules were messed up with the prerouting rules, because they had the same connection mark (I suppose), so I split them. So far after the modification it seems to be working OK; I tested it with multiple parallel downloads and PCs and watched traffic flow to the 2 WAN interfaces at the same time, and the total bandwidth was indeed the sum of the 2.

The route rules I left as is.

The NAT rules I merged into one with the interface list instead of 2 separate interfaces.
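As an added illustration (not the poster's configuration and not RouterOS code), the following Python model walks one packet at a time through the prerouting mangle rules of steps 1 and 2 in order, with passthrough=no semantics, to show why the step-1 rules must sit on top: a reply from the dstnat'ed server keeps the mark of the WAN it arrived on instead of being re-split by PCC. The PCC hash is a constructed stand-in, pkt["conn"] is an assumed stand-in for the conntrack entry, and all addresses and ports are constructed sample values.

```python
import hashlib
def pcc_bucket(src, sport, dst, dport, denominator=2):
    # Constructed stand-in for RouterOS PCC (exact hash unpublished): one connection -> one bucket.
    key = f"{src}:{sport}->{dst}:{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % denominator
def prerouting(pkt, conntrack, input_rules=True):
    """Walk the poster's prerouting mangle rules in order for one packet.
    pkt["conn"] stands in for the conntrack entry (kept across dstnat); conntrack
    maps it to the connection mark. Returns the routing mark or None (main table)."""
    mark = conntrack.get(pkt["conn"])
    if input_rules:
        # Step-1 rules: tag dstnat'ed web connections with the WAN they arrived on.
        for wan, cmark in (("ether1-wan1", "WAN1_conn-input"), ("ether2-wan2", "WAN2_conn-input")):
            if pkt["in"] == wan and pkt["proto"] == "tcp" and pkt["dport"] in (80, 443):
                conntrack[pkt["conn"]] = cmark
                return None           # passthrough=no; the replies get the routing mark
        if mark == "WAN1_conn-input":
            return "to_WAN1"          # passthrough=no: the PCC rules never see these replies
        if mark == "WAN2_conn-input":
            return "to_WAN2"
    if pkt["in"] != "Local":
        return None                   # the remaining rules all match in-interface=Local
    if pkt["dst"].startswith(("192.168.1.", "192.168.2.")):
        return None                   # accept: traffic to the ISP routers stays unmarked
    # Without the step-1 rules a server reply falls through to PCC here and may
    # leave via the wrong WAN, which is the "half connection" the post describes.
    if pcc_bucket(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) == 0:
        conntrack[pkt["conn"]] = "WAN1_conn_1"
        return "to_WAN1"
    conntrack[pkt["conn"]] = "WAN2_conn_2"
    return "to_WAN2"

def inbound_web_connection(input_rules):
    """Constructed sample: Internet client -> dstnat'ed server via WAN2; mark of the reply."""
    ct = {}
    syn = {"conn": "c1", "in": "ether2-wan2", "proto": "tcp",
           "src": "203.0.113.7", "sport": 51000, "dst": "192.168.2.2", "dport": 443}
    prerouting(syn, ct, input_rules)
    reply = {"conn": "c1", "in": "Local", "proto": "tcp",
             "src": "192.168.0.10", "sport": 443, "dst": "203.0.113.7", "dport": 51000}
    return prerouting(reply, ct, input_rules)

def outbound_split(n=200):
    """Constructed sample: n LAN connections from one host; count marks per WAN."""
    ct, counts = {}, {"to_WAN1": 0, "to_WAN2": 0}
    for p in range(40000, 40000 + n):
        pkt = {"conn": f"o{p}", "in": "Local", "proto": "tcp",
               "src": "192.168.0.20", "sport": p, "dst": "198.51.100.5", "dport": 443}
        counts[prerouting(pkt, ct)] += 1
    return counts
```

Calling inbound_web_connection(False) shows the failure mode: the reply is classified by PCC and its mark depends only on the hash, not on the WAN the connection came in on.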

Would this work with Mikrotik's hotspot? And how would you configure it to prevent the Mikrotik from asking users to input the login again when the router switches the traffic to the second ISP?

Without seeing the complete config, not much to say…
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)