jbarbieri

DualWAN Howto w/ DHCP

Wed Sep 12, 2018 10:55 pm

So I have been playing around with my Hex (750G R3), and I think I got it to a point where I can share it for others.

Preface: I have tried using multiple howtos for the dual WAN, including what was in the Wiki, but it did not work for me. Either only one connection is used, or I get weird routing issues. In this setup, I am able to use both connections at the same time, and it round-robins new connections. I lock HTTPS connections to a specific WAN, as HTTPS does not like going back out a different interface for a new connection.

Even speedtest.net works, as it uses multiple connections. Also, there are dhclient hook scripts to update the routing tables and firewall as needed.


Setup:
Fasttrack rules have been disabled
ether1-wan1 : cable connection DHCP (Monitors 4.2.2.1)
ether2-4: LAN (192.168.10.0/24)
ether5-wan2 : DSL connection DHCP (Monitors 4.2.2.2)

Set IP address to bridge and DHCP pool (you don't *need* to do this, as you probably have your own network setup, but other commands are based on this network):
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan1
set [ find default-name=ether5 ] name=ether5-wan2

/ip address
add address=192.168.10.254/24 interface=bridge network=192.168.10.0

/ip pool
add name=dhcp ranges=192.168.10.200-192.168.10.250

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=192.168.10

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.254 domain=home.lan gateway=192.168.10.254 netmask=24 ntp-server=192.168.10.254

/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222

Change TCP timeout, and add ether5-wan2 to the WAN interface list:
/ip firewall connection tracking
set tcp-established-timeout=6h
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan1 list=WAN
add interface=ether5-wan2 list=WAN

The two dhcp-client settings and scripts:
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1-wan1 script="{\r\
    \n    :local rmark \"to_WAN1\"\r\
    \n    :local count [/ip route print count-only where comment=\"WAN1\"]\r\
    \n\r\
    \n    :if (\$bound=1) do={\r\
    \n        :if (\$count = 0) do={\r\
    \n            /ip route add dst-address=\"4.2.2.1\" scope=10 gateway=\$\"gateway-address\" comment=\"WAN1\"\r\
    \n            /ip firewall mangle add chain=prerouting dst-address=\$\"lease-address\" place-before=1 action=accept comment=\"dhcp-client-WAN1\"\r\
    \n            :delay 5s\r\
    \n            :local tmpnetwork [ /ip route find where dynamic=yes gateway=\$\"interface\" ]\r\
    \n            :local network [ /ip route get \$tmpnetwork dst-address ]\r\
    \n            /ip route add dst-address=\"\$network\" gateway=\$\"gateway-address\" routing-mark=\"to_WAN1\" comment=\"WAN1_Mark1\"\r\
    \n            /ip route add dst-address=\$network gateway=\$\"gateway-address\" routing-mark=\"to_WAN2\" comment=\"WAN1_Mark2\"\r\
    \n        } else={\r\
    \n            :if (\$count = 1) do={\r\
    \n                :local test [/ip route find where comment=\"WAN1\"]\r\
    \n                :if ([/ip route get \$test gateway] != \$\"gateway-address\") do={\r\
    \n                    /ip route set \$test gateway=\$\"gateway-address\"\r\
    \n                }\r\
    \n            } else={\r\
    \n                :error \"Multiple routes found\"\r\
    \n            }\r\
    \n        }\r\
    \n    } else={\r\
    \n        /ip route remove [find comment=\"WAN1\"]\r\
    \n        /ip route remove [find comment=\"WAN1_Mark1\"]\r\
    \n        /ip route remove [find comment=\"WAN1_Mark2\"]\r\
    \n       /ip firewall mangle remove [find comment=\"dhcp-client-WAN1\"]\r\
    \n    }\r\
    \n\r\
    \n}" use-peer-dns=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether5-wan2 script="{\r\
    \n    :local rmark \"to_WAN2\"\r\
    \n    :local count [/ip route print count-only where comment=\"WAN2\"]\r\
    \n\r\
    \n    :if (\$bound=1) do={\r\
    \n        :if (\$count = 0) do={\r\
    \n            /ip route add dst-address=\"4.2.2.2\" scope=10 gateway=\$\"gateway-address\" comment=\"WAN2\"\r\
    \n            /ip firewall mangle add chain=prerouting dst-address=\$\"lease-address\" place-before=1 action=accept comment=\"dhcp-client-WAN2\"\r\
    \n            :delay 5s\r\
    \n            :local tmpnetwork [ /ip route find where dynamic=yes gateway=\$\"interface\" ]\r\
    \n            :local network [ /ip route get \$tmpnetwork dst-address ]\r\
    \n            /ip route add dst-address=\"\$network\" gateway=\$\"gateway-address\" routing-mark=\"to_WAN1\" comment=\"WAN2_Mark1\"\r\
    \n            /ip route add dst-address=\$network gateway=\$\"gateway-address\" routing-mark=\"to_WAN2\" comment=\"WAN2_Mark2\"\r\
    \n        } else={\r\
    \n            :if (\$count = 1) do={\r\
    \n                :local test [/ip route find where comment=\"WAN2\"]\r\
    \n                :if ([/ip route get \$test gateway] != \$\"gateway-address\") do={\r\
    \n                    /ip route set \$test gateway=\$\"gateway-address\"\r\
    \n                }\r\
    \n            } else={\r\
    \n                :error \"Multiple routes found\"\r\
    \n            }\r\
    \n        }\r\
    \n    } else={\r\
    \n        /ip route remove [find comment=\"WAN2\"]\r\
    \n        /ip route remove [find comment=\"WAN2_Mark1\"]\r\
    \n        /ip route remove [find comment=\"WAN2_Mark2\"]\r\
    \n       /ip firewall mangle remove [find comment=\"dhcp-client-WAN2\"]\r\
    \n    }\r\
    \n\r\
    \n}\r\
    \n" use-peer-dns=no


Firewall scripts (the meat and potatoes of the whole setup):
/ip firewall address-list
add address=192.168.10.0/24 list=local


/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=jump chain=forward connection-state=new jump-target=forward-new
add action=accept chain=forward-new in-interface=bridge out-interface-list=LAN src-address=192.168.10.0/24
add action=accept chain=forward-new in-interface=bridge out-interface-list=WAN src-address=192.168.10.0/24
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward in-interface=ether1-wan1
add action=drop chain=forward in-interface=ether5-wan2
add action=drop chain=forward
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN


/ip firewall mangle
add action=jump chain=prerouting comment="HTTPS to always use wan2" connection-mark=no-mark dst-port=443 in-interface=bridge jump-target=WAN2 protocol=tcp
add action=jump chain=prerouting connection-mark=no-mark connection-state=new jump-target=RANDOM

add action=jump chain=RANDOM connection-mark=no-mark in-interface=ether1-wan1 jump-target=WAN1
add action=jump chain=RANDOM connection-mark=no-mark in-interface=ether5-wan2 jump-target=WAN2
add action=jump chain=RANDOM connection-mark=no-mark dst-address-list=!local dst-address-type=!local in-interface-list=LAN jump-target=WAN1 random=50 src-address-list=local
add action=jump chain=RANDOM connection-mark=no-mark dst-address-list=!local dst-address-type=!local in-interface-list=LAN jump-target=WAN2 src-address-list=local

add action=accept chain=prerouting in-interface=ether1-wan1
add action=accept chain=prerouting in-interface=ether5-wan2

add action=jump chain=output connection-mark=no-mark jump-target=WAN1 out-interface=ether1-wan1
add action=jump chain=output connection-mark=no-mark jump-target=WAN2 out-interface=ether5-wan2

add action=mark-connection chain=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-routing chain=WAN1 new-routing-mark=to_WAN1 passthrough=yes
add action=accept chain=WAN1

add action=mark-connection chain=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=WAN2 new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=WAN2


/ip firewall nat
add action=masquerade chain=srcnat connection-mark=WAN1_conn out-interface=ether1-wan1
add action=masquerade chain=srcnat connection-mark=WAN2_conn out-interface=ether5-wan2
add action=masquerade chain=srcnat comment="Should only be matched if WAN2 is down" connection-mark=WAN2_conn out-interface=ether1-wan1
add action=masquerade chain=srcnat comment="Should only be matched if WAN1 is down" connection-mark=WAN1_conn out-interface=ether5-wan2

Routes that need to be added manually (recursive routing is used to monitor the WANs):
/ip route
add check-gateway=ping distance=1 gateway=4.2.2.1 routing-mark=to_WAN1
add check-gateway=ping comment="Should only be active if WAN1 is down" distance=2 gateway=4.2.2.2 routing-mark=to_WAN1
add distance=1 dst-address=192.168.10.0/24 gateway=bridge routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=4.2.2.2 routing-mark=to_WAN2
add check-gateway=ping comment="Should only be active if WAN2 is down" distance=2 gateway=4.2.2.1 routing-mark=to_WAN2
add distance=1 dst-address=192.168.10.0/24 gateway=bridge routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=4.2.2.2
add check-gateway=ping comment="Should only be active if WAN2 is down" distance=2 gateway=4.2.2.1

/ip route rule
add action=lookup-only-in-table routing-mark=to_WAN1 table=to_WAN1
add action=lookup-only-in-table routing-mark=to_WAN2 table=to_WAN2

When the DHCP client gets a lease, it adds the default routes to 4.2.2.1 and 4.2.2.2, as well as the mangle rules needed to get the dual-WAN to work.


Screenshot (my cable is 55 Mbps, and my DSL is 12 Mbps):
mikrotik-dual-wan.png

I have destroyed and redone this setup multiple times, and each time the dual-WAN started working, so I am hoping it helps you guys out as well!
Good luck and let me know if you run into problems.
--John
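The two DHCP-client scripts in the post are near-identical copies that differ only in the WAN1/WAN2 names, which is exactly how a copy-and-paste slip creeps in. The script below is an added example, not the original poster's code: one hook body that can be pasted unchanged into the script field of both /ip dhcp-client entries (Winbox/WebFig, or `/ip dhcp-client edit <number> script` in the terminal) and derives the WAN label from the interface it runs on. It assumes the post's names (ether1-wan1 / ether5-wan2, routing marks to_WAN1 / to_WAN2, monitor hosts 4.2.2.1 / 4.2.2.2) and the post's route-comment scheme; the variable and log-message names are my own. Beyond the original it also moves the WAN-subnet routes when a renewal hands out a new gateway, and refuses to run on an interface it does not know.

```routeros
# Added example (not the original post's script): one DHCP-client hook body that is
# identical for both WAN ports, so the two copies cannot drift apart.
# Assumes the post's names: interfaces ether1-wan1 / ether5-wan2, routing marks
# to_WAN1 / to_WAN2, monitor hosts 4.2.2.1 / 4.2.2.2, route comments WAN1 / WAN2.
# $bound, $interface, $"gateway-address" and $"lease-address" are supplied by the
# DHCP client itself when it runs this script.

# Map this interface to its WAN label, its peer WAN, and the host it monitors.
:local wan ""
:local other ""
:local monitor ""
:if ($interface = "ether1-wan1") do={ :set wan "WAN1"; :set other "WAN2"; :set monitor "4.2.2.1" }
:if ($interface = "ether5-wan2") do={ :set wan "WAN2"; :set other "WAN1"; :set monitor "4.2.2.2" }
:if ($wan = "") do={
    :log error ("dualwan hook: unexpected interface " . $interface)
    :error "dualwan hook: unexpected interface"
}

# Comments are the keys everything this hook creates is later found and removed by.
:local hostComment $wan
:local ownMark ($wan . "_Mark_" . $wan)
:local peerMark ($wan . "_Mark_" . $other)
:local mangleComment ("dhcp-client-" . $wan)

:if ($bound = 1) do={
    :local hostRoute [/ip route find where comment=$hostComment]
    :if ([:len $hostRoute] = 0) do={
        # Host route to the monitor via the DHCP gateway; the static default routes
        # (gateway=4.2.2.x, check-gateway=ping) resolve recursively through it.
        /ip route add dst-address=$monitor gateway=$"gateway-address" scope=10 comment=$hostComment
        # Traffic addressed to our own lease IP must bypass the marking chains
        # (place-before=1 keeps it below the HTTPS jump, as in the original rules).
        /ip firewall mangle add chain=prerouting dst-address=$"lease-address" action=accept place-before=1 comment=$mangleComment
        # Give the dynamic connected route time to appear, then copy the WAN subnet
        # into both marked tables so the gateway is reachable from each of them.
        :delay 5s
        :local connected [/ip route find where dynamic=yes and gateway=$interface]
        :if ([:len $connected] = 1) do={
            :local network [/ip route get $connected dst-address]
            /ip route add dst-address=$network gateway=$"gateway-address" routing-mark=("to_" . $wan) comment=$ownMark
            /ip route add dst-address=$network gateway=$"gateway-address" routing-mark=("to_" . $other) comment=$peerMark
        } else={
            :log warning ("dualwan hook: expected one connected route on " . $interface . ", found " . [:len $connected])
        }
    } else={
        :if ([:len $hostRoute] = 1) do={
            # Renewal: if the ISP handed out a new gateway, move every route we own to it.
            :if ([/ip route get $hostRoute gateway] != $"gateway-address") do={
                /ip route set $hostRoute gateway=$"gateway-address"
                /ip route set [find where comment=$ownMark] gateway=$"gateway-address"
                /ip route set [find where comment=$peerMark] gateway=$"gateway-address"
            }
        } else={
            :error ("dualwan hook: multiple routes with comment " . $hostComment)
        }
    }
} else={
    # Lease lost: tear down exactly what this hook created, nothing else.
    /ip route remove [find where comment=$hostComment]
    /ip route remove [find where comment=$ownMark]
    /ip route remove [find where comment=$peerMark]
    /ip firewall mangle remove [find where comment=$mangleComment]
}
```

After a lease comes up, `/ip route print where comment~"WAN"` should show the host route plus the two marked subnet routes for that WAN, and `/ip firewall mangle print where comment~"dhcp-client"` the accept rule for the lease address; if a renewal changes the gateway, all three routes follow it.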
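Because the load balancing in the post depends on three separate mechanisms agreeing (the marked routing tables with their recursive check-gateway defaults, the connection marks set in mangle, and the per-mark masquerade rules), it helps to have a single read-only check that reports the state of all of them. The script below is an added example, not part of the original post: it assumes the post's routing marks to_WAN1/to_WAN2, connection marks WAN1_conn/WAN2_conn, the route comments WAN1/WAN2 that the DHCP hook sets, and the comment "HTTPS to always use wan2" on the HTTPS mangle rule. Run it from a terminal with `/system script run` after saving it, or paste it directly.

```routeros
# Added example (not from the original post): read-only status check for the
# dual-WAN setup. Assumes routing marks to_WAN1/to_WAN2, connection marks
# WAN1_conn/WAN2_conn, route comments WAN1/WAN2 from the DHCP hook, and the
# comment "HTTPS to always use wan2" on the HTTPS mangle rule.
:foreach wan in={"WAN1";"WAN2"} do={
    :local table ("to_" . $wan)
    :local cmark ($wan . "_conn")

    # Which default route is currently winning inside this marked table?
    # With check-gateway=ping the distance-1 route goes inactive when its
    # recursive next hop (4.2.2.x) stops answering, and distance 2 takes over.
    :local active [/ip route find where routing-mark=$table and dst-address=0.0.0.0/0 and active=yes]
    :if ([:len $active] = 1) do={
        :put ($table . ": active default via " . [/ip route get $active gateway] . " (distance " . [/ip route get $active distance] . ")")
    } else={
        :put ($table . ": WARNING, " . [:len $active] . " active default routes")
    }

    # The host route installed by the DHCP hook must exist, or recursion cannot resolve.
    :local host [/ip route find where comment=$wan]
    :put ($wan . ": host route to monitor present: " . ([:len $host] = 1))

    # How much tracked traffic is pinned to this WAN right now?
    :put ($cmark . ": " . [/ip firewall connection print count-only where connection-mark=$cmark] . " connections")
}

# Is the HTTPS pinning rule actually seeing traffic? A zero counter after browsing
# means the rule sits below something that accepts or marks first.
:put ("HTTPS pinned to WAN2: " . [/ip firewall mangle get [find where comment="HTTPS to always use wan2"] packets] . " packets")
```

Pull one WAN cable and run the check again: the affected table should report its distance-2 gateway as active, the connection count for that mark should stay non-zero (those flows now leave through the other port via the fallback masquerade rules), and the host route for the unplugged WAN disappears once the lease is released.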
