Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

load balance 2 WAN connection and a VPN

Post Reply
 
User avatar
raystream
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Mar 20, 2018 6:56 pm
Location: Germany
Contact:
Contact raystream

load balance 2 WAN connection and a VPN

Mon Jun 24, 2019 3:02 pm

Hi

i have used mikrotikwizard to create a config to load balance 2 WAN connections.
now i have setup a vpn connection and it connects.
but how do i set that all traffic coming from clients go through the VPN connection?

i have setup that before but only with 1 WAN connection.

please help me.

that is the config mikrotikwizard gave me:
Code: Select all
# Created by MikroTik configuration wizard v2.9 (www.mikrotikwizard.com)
#
# Configuration Name: Kroegen6
# Modified:   2019-06-18 10:58
# Downloaded: 2019-06-18 10:59
#
# wait for interfaces
:local count 0;
:while ([/interface ethernet find] = "") do={ 
	:if ($count = 30) do={
		:log warning "mikrotikwizard: Unable to find ethernet interfaces";
		/quit;
	}
	:delay 1s;
  :set count ($count +1); 
};

# Ports
:global wan1name "";
:global wan2name "";
:global tmp1name "";
:global tmp2name "";
:foreach k in=[/interface ethernet find] do={
if ($tmp1name = "") do={
:set tmp1name [/interface ethernet get $k name];
} else {
:if ($tmp2name = "") do={
:set tmp2name [/interface ethernet get $k name];
}
}
}
/interface list add name=WAN comment="WAN ports"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="masquerade"
:set wan1name ($tmp1name."-wan");
/interface ethernet set [find name="$tmp1name"] name="$wan1name" comment="isp1"
:set wan2name ($tmp2name."-wan2");
/interface ethernet set [find name="$tmp2name"] name="$wan2name" comment="isp2"

/interface bridge add name=bridge-local disabled=no auto-mac=yes protocol-mode=rstp;
:delay 1s;
/interface list add name=LAN comment="LAN ports"
:local bMACIsSet 0;
:foreach p in=[/interface ethernet find where !(name~"wan" || name~"bridge")] do={
:local tmpPortName [/interface ethernet get $p name];
:if ($bMACIsSet = 0) do={
:if ([/interface get $p type] = "ether") do={
/interface bridge set "bridge-local" auto-mac=no admin-mac=[/interface ethernet get $tmpPortName mac-address];
:set bMACIsSet 1;
}
}
/interface bridge port add bridge="bridge-local" interface="$tmpPortName";
/interface list member add list=LAN interface=$tmpPortName
}

# LAN
/ip address add address=10.200.0.1/16 disabled=no interface=bridge-local
/ip pool add name=pool-lan ranges=10.200.0.2-10.200.255.254
/ip dhcp-server add address-pool=pool-lan interface=bridge-local name=dhcp-lan disable=no
/ip dhcp-server network add address=10.200.0.0/16 dns-server=10.200.0.1 gateway=10.200.0.1

# ISP1
/ip dhcp-client add dhcp-options=hostname,clientid interface=$wan1name add-default-route=no use-peer-dns=yes disabled=no
/interface list member add list=WAN interface=$wan1name

# ISP2
/ip dhcp-client add dhcp-options=hostname,clientid interface=$wan2name add-default-route=no use-peer-dns=yes disabled=no
/interface list member add list=WAN interface=$wan2name

# Recursive
/ip route add dst-address=8.8.8.8 gateway=127.0.0.1 distance=1 scope=30 comment=isp1
/ip route add dst-address=8.8.4.4 gateway=127.0.0.1 distance=1 scope=30 comment=isp2
/ip route add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 check-gateway=ping target-scope=30
/ip route add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=2 check-gateway=ping target-scope=30

/ip firewall mangle add action=mark-connection chain=input in-interface=$wan1name new-connection-mark=isp1in_c passthrough=yes
/ip firewall mangle add action=mark-connection chain=input in-interface=$wan2name new-connection-mark=isp2in_c passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=isp1in_c new-routing-mark=isp1 passthrough=no
/ip firewall mangle add action=mark-routing chain=output connection-mark=isp2in_c new-routing-mark=isp2 passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=127.0.0.1 distance=1 routing-mark=isp1 comment=isp1
/ip route add dst-address=0.0.0.0/0 gateway=127.0.0.1 distance=1 routing-mark=isp2 comment=isp2

# Load balancing
/ip firewall mangle add in-interface=bridge-local dst-address-type=!local action=mark-routing chain=prerouting new-routing-mark=isp1lb per-connection-classifier=both-addresses:2/0 comment=isp1-20
/ip firewall mangle add in-interface=bridge-local dst-address-type=!local action=mark-routing chain=prerouting new-routing-mark=isp2lb per-connection-classifier=both-addresses:2/1 comment=isp2-21
/ip route add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 check-gateway=ping target-scope=30 routing-mark=isp1lb
/ip route add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=2 check-gateway=ping target-scope=30 routing-mark=isp1lb
/ip route add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=1 check-gateway=ping target-scope=30 routing-mark=isp2lb
/ip route add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=2 check-gateway=ping target-scope=30 routing-mark=isp2lb
/system scheduler add disabled=no interval=30s name=CheckGateway on-event=CheckGateway
/system script add name=CheckGateway owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#Name: CheckGateway v.1\r\
\n#Created by MikroTik configuration wizard (www.mikrotikwizard.com)\r\
\n:local debug false;\r\
\n# isp1 \r\
\n:if ([/interface find comment=isp1] != \"\") do={\r\
\n:local wan1 [/interface get [find comment=isp1] name];\r\
\n:if ( [/ip dhcp-client get [find interface=\$wan1] status] = \"bound\") do={\r\
\n:local NewGW [/ip dhcp-client get [find interface=\$wan1] gateway];\r\
\n:foreach g in=[/ip route find where comment=isp1] do={\r\
\n:local OldGW [/ip route get \$g gateway];\r\
\n:if (\$OldGW!=\$NewGW) do={\r\
\n/ip route set \$g gateway=\$NewGW;\r\
\n:log info \"CheckGateway: isp1 change gateway from \$OldGW to \$NewGW\";\r\
\n} else {\r\
\nif (\$debug) do={:log info \"CheckGateway: isp1 route is not change \$OldGW / \$NewGW\";}\r\
\n}\r\
\n}	\r\
\n} else {\r\
\nif (\$debug) do={:log info \"CheckGateway: interface \$wan1 is not ready\";}\r\
\n}\r\
\n} else {\r\
\n:log warning \"CheckGateway: ERROR isp1 interface NOT found\";\r\
\n}\r\
\n \r\
\n# isp2 \r\
\n:if ([/interface find comment=isp2] != \"\") do={\r\
\n:local wan2 [/interface get [find comment=isp2] name];\r\
\n:if ( [/ip dhcp-client get [find interface=\$wan2] status] = \"bound\") do={\r\
\n:local NewGW [/ip dhcp-client get [find interface=\$wan2] gateway];\r\
\n:foreach g in=[/ip route find where comment=isp2] do={\r\
\n:local OldGW [/ip route get \$g gateway];\r\
\n:if (\$OldGW!=\$NewGW) do={\r\
\n/ip route set \$g gateway=\$NewGW;\r\
\n:log info \"CheckGateway: isp2 change gateway from \$OldGW to \$NewGW\";\r\
\n} else {\r\
\nif (\$debug) do={:log info \"CheckGateway: isp2 route is not change \$OldGW / \$NewGW\";}\r\
\n}\r\
\n}	\r\
\n} else {\r\
\nif (\$debug) do={:log info \"CheckGateway: interface \$wan2 is not ready\";}\r\
\n}\r\
\n} else {\r\
\n:log warning \"CheckGateway: ERROR isp2 interface NOT found\";\r\
\n}\r\
\n \r\
"
# DNS
/ip dns set allow-remote-requests=yes
/ip dns static add address=10.200.0.1 name=router

# Firewall Input
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="Accept established,related,untracked"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="Drop invalid"
/ip firewall filter add chain=input action=accept protocol=icmp comment="Accept ICMP"
/ip firewall filter add chain=input action=accept in-interface=bridge-local comment="Accept all from bridge-local"
/ip firewall filter add chain=input action=accept src-address-list=ManageIP comment="Accept access for ManageIP group"
/ip firewall filter add chain=input action=drop comment="Drop all other"

# Firewall Forward
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related disabled=yes comment="fasttrack"
/ip firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
/ip firewall filter add action=drop chain=forward connection-state=invalid comment="Drop invalid"
/ip firewall address-list add address=10.200.0.0/16 list=Internet
/ip firewall filter add chain=forward action=accept in-interface=bridge-local out-interface=$wan1name src-address-list=Internet connection-state=new comment="Accept Internet via ISP1 for Internet group"
/ip firewall address-list add address=10.200.0.0/16 list=Internet2
/ip firewall filter add chain=forward action=accept in-interface=bridge-local out-interface=$wan2name src-address-list=Internet2 connection-state=new comment="Accept Internet via ISP2 for Internet2 group"
/ip firewall filter add chain=forward action=drop comment="Drop all other"

# Other
/system clock set time-zone-autodetect=yes
/ip cloud set ddns-enabled=yes update-time=yes

/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/system identity set name="MT-Kroegen"
# End
Top
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: load balance 2 WAN connection and a VPN

Mon Jun 24, 2019 3:38 pm

Hi

diagram would help as well as the resulting configuration on the router (/export hide-sensitive)
Top
 
User avatar
raystream
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Mar 20, 2018 6:56 pm
Location: Germany
Contact:
Contact raystream

Re: load balance 2 WAN connection and a VPN

Mon Jun 24, 2019 3:44 pm

here is the export:

i have WAN1 on eth1, WAN2 on eth2 and an unifi AP on eth10.

The users connecting over the AP should be routed over the hide.me VPN

you can ignore the KVP VPN connection this is only for administration from our main office.
Code: Select all
# jun/24/2019 14:40:52 by RouterOS 6.44.3
# software id = Z016-BF3A
#
# model = 2011iL
# serial number = 8E7A0A95396D
/interface bridge
add admin-mac=74:4D:28:31:D1:9D auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=isp1 name=ether1-wan
set [ find default-name=ether2 ] comment=isp2 name=ether2-wan2
/interface sstp-client
add connect-to=195.226.122.90:444 disabled=no http-proxy=0.0.0.0:444 name=KVP \
    user=kroegen verify-server-address-from-certificate=no
/interface list
add comment="WAN ports" name=WAN
add comment="LAN ports" name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=unifi value=0x0104509ADE33
/ip dhcp-server option sets
add name=unifi options=unifi
/ip pool
add name=pool-lan ranges=10.200.0.2-10.200.255.254
/ip dhcp-server
add address-pool=pool-lan disabled=no interface=bridge-local name=dhcp-lan
/interface sstp-client
add connect-to=berlin.hide.me disabled=no name=hide.me profile=\
    default-encryption user=edv1@kroegen \
    verify-server-address-from-certificate=no
/queue simple
add burst-limit=8M/8M burst-threshold=6M/6M burst-time=30s/30s max-limit=5M/5M \
    name=WAN target=""
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether1-wan list=WAN
add interface=ether2-wan2 list=WAN
/ip address
add address=10.200.0.1/16 interface=bridge-local network=10.200.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
    ether1-wan
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
    ether2-wan2
/ip dhcp-server network
add address=10.200.0.0/16 dhcp-option-set=unifi dns-server=10.200.0.1 gateway=\
    10.200.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.200.0.1 name=router
/ip firewall address-list
add address=10.200.0.0/16 list=Internet
add address=10.200.0.0/16 list=Internet2
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=KVP protocol=tcp
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept all from bridge-local" \
    in-interface=bridge-local
add action=accept chain=input comment="Accept access for ManageIP group" \
    src-address-list=ManageIP
add action=drop chain=input comment="Drop all other"
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "Accept Internet via ISP1 for Internet group" connection-state=new \
    in-interface=bridge-local out-interface=ether1-wan src-address-list=\
    Internet
add action=accept chain=forward comment=\
    "Accept Internet via ISP2 for Internet2 group" connection-state=new \
    in-interface=bridge-local out-interface=ether2-wan2 src-address-list=\
    Internet2
add action=drop chain=forward comment="Drop all other"
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1-wan \
    new-connection-mark=isp1in_c passthrough=yes
add action=mark-connection chain=input in-interface=ether2-wan2 \
    new-connection-mark=isp2in_c passthrough=yes
add action=mark-routing chain=output connection-mark=isp1in_c new-routing-mark=\
    isp1 passthrough=no
add action=mark-routing chain=output connection-mark=isp2in_c new-routing-mark=\
    isp2 passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=hide.me passthrough=\
    yes src-address=10.200.0.2-10.200.255.255
add action=mark-routing chain=prerouting comment=isp1-20 dst-address-type=\
    !local in-interface=bridge-local new-routing-mark=isp1lb passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting comment=isp2-21 dst-address-type=\
    !local in-interface=bridge-local new-routing-mark=isp2lb passthrough=yes \
    per-connection-classifier=both-addresses:2/1
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=hide.me
/ip route
add comment=isp1 distance=1 gateway=192.168.89.1 routing-mark=isp1
add comment=isp2 distance=1 gateway=127.0.0.1 routing-mark=isp2
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=isp1lb \
    target-scope=30
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=isp1lb \
    target-scope=30
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=isp2lb \
    target-scope=30
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=isp2lb \
    target-scope=30
add distance=1 gateway=hide.me routing-mark=hide.me
add check-gateway=ping distance=1 gateway=8.8.8.8 target-scope=30
add check-gateway=ping distance=2 gateway=8.8.4.4 target-scope=30
add comment=isp2 distance=1 dst-address=8.8.4.4/32 gateway=127.0.0.1
add comment=isp1 distance=1 dst-address=8.8.8.8/32 gateway=192.168.89.1
add distance=1 dst-address=10.90.33.0/24 gateway=10.90.40.8
add distance=1 dst-address=10.90.40.253/32 gateway=10.90.40.8
add distance=1 dst-address=172.17.73.0/24 gateway=10.90.40.8
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=172.17.73.0/24,10.200.0.0/16
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RB-Kroegen
/system scheduler
add interval=30s name=CheckGateway on-event=CheckGateway policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/02/1970 start-time=00:01:46
/system script
add dont-require-permissions=no name=CheckGateway owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#Name: Ch\
    eckGateway v.1\r\
    \n#Created by MikroTik configuration wizard (www.mikrotikwizard.com)\r\
    \n:local debug false;\r\
    \n# isp1 \r\
    \n:if ([/interface find comment=isp1] != \"\") do={\r\
    \n:local wan1 [/interface get [find comment=isp1] name];\r\
    \n:if ( [/ip dhcp-client get [find interface=\$wan1] status] = \"bound\") do\
    ={\r\
    \n:local NewGW [/ip dhcp-client get [find interface=\$wan1] gateway];\r\
    \n:foreach g in=[/ip route find where comment=isp1] do={\r\
    \n:local OldGW [/ip route get \$g gateway];\r\
    \n:if (\$OldGW!=\$NewGW) do={\r\
    \n/ip route set \$g gateway=\$NewGW;\r\
    \n:log info \"CheckGateway: isp1 change gateway from \$OldGW to \$NewGW\";\r\
    \n} else {\r\
    \nif (\$debug) do={:log info \"CheckGateway: isp1 route is not change \$OldG\
    W / \$NewGW\";}\r\
    \n}\r\
    \n}\t\r\
    \n} else {\r\
    \nif (\$debug) do={:log info \"CheckGateway: interface \$wan1 is not ready\"\
    ;}\r\
    \n}\r\
    \n} else {\r\
    \n:log warning \"CheckGateway: ERROR isp1 interface NOT found\";\r\
    \n}\r\
    \n \r\
    \n# isp2 \r\
    \n:if ([/interface find comment=isp2] != \"\") do={\r\
    \n:local wan2 [/interface get [find comment=isp2] name];\r\
    \n:if ( [/ip dhcp-client get [find interface=\$wan2] status] = \"bound\") do\
    ={\r\
    \n:local NewGW [/ip dhcp-client get [find interface=\$wan2] gateway];\r\
    \n:foreach g in=[/ip route find where comment=isp2] do={\r\
    \n:local OldGW [/ip route get \$g gateway];\r\
    \n:if (\$OldGW!=\$NewGW) do={\r\
    \n/ip route set \$g gateway=\$NewGW;\r\
    \n:log info \"CheckGateway: isp2 change gateway from \$OldGW to \$NewGW\";\r\
    \n} else {\r\
    \nif (\$debug) do={:log info \"CheckGateway: isp2 route is not change \$OldG\
    W / \$NewGW\";}\r\
    \n}\r\
    \n}\t\r\
    \n} else {\r\
    \nif (\$debug) do={:log info \"CheckGateway: interface \$wan2 is not ready\"\
    ;}\r\
    \n}\r\
    \n} else {\r\
    \n:log warning \"CheckGateway: ERROR isp2 interface NOT found\";\r\
    \n}\r\
    \n \r"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
User avatar
raystream
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue Mar 20, 2018 6:56 pm
Location: Germany
Contact:
Contact raystream

Re: load balance 2 WAN connection and a VPN

Tue Jun 25, 2019 11:08 am

can anybody please help and give me a hint?

i need to get this setup up and running.
Top
Post Reply

Who is online

Users browsing this forum: 9m2pju, immateriale and 27 guests
  4. RouterOS
  5. Beginner Basics