 
ZSam
Topic Author
Posts: 61
Joined: Tue May 10, 2016 6:40 pm

Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Mon Jul 30, 2018 3:57 pm

Hi all

I would like to load balance 2 x WAN connections (PPPoE clients dialling out through DSL routers in bridge mode), allowing internet access over both connections for hosts on the MikroTik bridge and for the PPPoE server's clients.

I have the current setup:

2 x DSL ROUTERS (BRIDGE) (Ether1, Ether 3) --> RB750UP (DIAL PPPOE x 2) --> UBNT SECTOR (ETHER2) --> PPPoE Server on Bridge (Ether2, 4, 5).

When editing the script to match my topology, I still only have traffic on ONE WAN interface.

Anyone able to help find what the problem is please?

Thanks!

I found the following script:

/ ip firewall mangle
# Reference PCC (per-connection-classifier) load-balancing recipe. LAN, ISP1,
# ISP2 and the 111.111.111.0/24 / 222.222.222.0/24 placeholders stand for the
# real LAN interface, the two uplink interfaces and the two ISP subnets; as
# written, nothing here matches this thread's topology.
# LAN traffic towards an ISP's own subnet is accepted (mangle processing
# stops) so it is never balanced onto the other uplink.
add chain=prerouting dst-address=111.111.111.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=222.222.222.0/24 action=accept in-interface=LAN
# Connections that arrive from an uplink remember that uplink, but only if the
# connection carries no mark yet.
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
# New LAN connections to non-local destinations are split 50/50 by a hash of
# src+dst address (same pair -> same uplink). NOTE(review): because of
# connection-mark=no-mark, any earlier mark-connection rule in this chain
# (e.g. QoS marks) silently removes those connections from the balancer.
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
# Connection mark -> routing mark, for forwarded packets (prerouting) and for
# the router's own replies (output).
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
# One default route per routing mark plus two unmarked defaults (distance 1
# preferred, distance 2 as failover). check-gateway=ping only withdraws a
# route when the next hop stops answering. NOTE(review): with PPPoE uplinks
# the peer address is dynamic, so the real config must use the pppoe-client
# interface names (ISP1/ISP2) as gateways instead of fixed IPs.
add dst-address=0.0.0.0/0 gateway=111.111.111.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=111.111.111.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=222.222.222.1 distance=2 check-gateway=ping

/ ip firewall nat
# Source NAT per uplink; masquerade uses whatever address the egress
# interface currently has, so it follows the routing decision automatically.
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade


----- MY CONFIG:

/interface bridge
# Single LAN bridge (ports are added under /interface bridge port).
# protocol-mode=none disables (R)STP, so a wiring loop between the bridge
# ports would not be detected. admin-mac pins the bridge MAC so it does not
# change when ports are added or removed.
add admin-mac=4C:5E:0C:A2:63:4C auto-mac=no comment="To view all traffic:" \
name=bridge protocol-mode=none
/interface ethernet
# ether1/ether3 carry the two PPPoE uplinks (renamed WAN1/WAN2); ether2 faces
# the UBNT sector, ether4/ether5 are LAN ports (all three are bridge ports).
# mtu=1492 on WAN1 and ether2 leaves room for the 8-byte PPPoE header; WAN2
# keeps the default MTU, which is inconsistent with WAN1.
set [ find default-name=ether1 ] comment="ALL ETHERNET" mtu=1492 name=WAN1
set [ find default-name=ether3 ] name=WAN2
set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local
set [ find default-name=ether4 ] name="ether4-slave-local BASE HOUSE" \
poe-out=off
set [ find default-name=ether5 ] name=ether5-slave-local


/interface pppoe-client
# Uplinks ISP1 (over WAN1) and ISP2 (over WAN2); credentials are blank in this
# export. NOTE(review): add-default-route=yes on both clients installs two
# dynamic default routes that compete with the static defaults under
# /ip route. For a PCC setup set add-default-route=no here and let /ip route
# own the defaults. allow=pap sends the PPPoE password in clear text to the
# ISP; prefer chap/mschap2 if the ISP accepts it. ISP1 is capped at
# max-mtu/mru 1400 while ISP2 uses defaults - confirm this is intended.
add add-default-route=yes allow=pap comment="DSL CONNECTIONS" disabled=no \
interface=WAN1 keepalive-timeout=60 max-mru=1400 max-mtu=1400 mrru=1600 \
name=ISP1 use-peer-dns=yes user=
add add-default-route=yes allow=pap disabled=no interface=WAN2 name=ISP2 \
use-peer-dns=yes user=


/interface pptp-client
# NOTE(review): PPTP offers no meaningful confidentiality or integrity by
# today's standards; do not rely on it for anything sensitive. This client
# has no user set, so it can never connect - remove it or set disabled=yes
# rather than leaving a half-configured tunnel to a public IP in the config.
add connect-to=154.117.185.86 mrru=1600 name=pptp-out1 user=""
/interface wireless security-profiles
# Untouched default wireless profile; the RB750UP has no radio, so unused.
set [ find default=yes ] supplicant-identity=MikroTik


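/ip pool
# dhcp  : dynamic DHCP leases on the LAN bridge (/ip dhcp-server).
# PPPoE : addresses for PPPoE sessions (/ppp profile).
# pool1 : not referenced by any service in this export.
# Fix: pool1 used to end at .100, which is also the first address of the
# PPPoE pool; overlapping pools can hand the same address to two clients.
# NOTE(review): the fixed addresses set in /tool user-manager user (.103,
# .105, .106, .110, .115) lie inside the PPPoE pool and can therefore also be
# given out dynamically to another session; move them out of the pool range.
add name=dhcp ranges=192.168.88.10-192.168.88.40
add name=PPPoE ranges=192.168.88.100-192.168.88.200
add name=pool1 ranges=192.168.88.50-192.168.88.99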


/ip dhcp-server
# LAN DHCP on the bridge, leasing from pool "dhcp" (.10-.40); static leases
# for known hosts are under /ip dhcp-server lease. after-2sec-delay: the
# server only answers (and NAKs foreign leases) if no other server replied
# within 2 s.
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge name=default


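/ppp profile
# Default profile used by the PPPoE server (RADIUS-assigned Framed-IP-Address
# overrides remote-address when User Manager supplies one).
# Fix: local-address was set to the PPPoE pool and remote-address was not set
# at all, so every session consumed a pool address for the ROUTER's end of the
# link (colliding with the RADIUS-assigned client addresses in the same
# range) and a client without a RADIUS address could not be given one. The
# router's LAN address is now the local end and the pool serves clients.
# NOTE(review): use-encryption=no together with authentication=pap on the
# PPPoE server means customer passwords cross the wireless sector in clear
# text. Moving to mschap2 + use-encryption=yes needs the customer CPEs to
# support it, so confirm before changing.
set *0 bridge=bridge dns-server=192.168.88.2 local-address=192.168.88.2 \
remote-address=PPPoE use-encryption=no
set *FFFFFFFE bridge=bridge use-encryption=no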


/queue tree
# Egress shaping towards the LAN only (parent=bridge); the uplink direction
# is not queued. NOTE(review): no mangle rule in this export ever assigns the
# streaming-video connection mark, so packet-mark=streaming-video-out never
# matches and queue1 stays idle. http-out is assigned in /ip firewall mangle.
add limit-at=5M max-limit=5M name=queue1 packet-mark=streaming-video-out \
parent=bridge priority=5
add burst-time=5s limit-at=7M max-limit=10M name=HTTP packet-mark=http-out \
parent=bridge queue=hotspot-default
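/snmp community
# Fix: the default community (name "public" unless changed elsewhere) was
# reachable from any address, and the input chain in this config has no final
# drop, so with SNMP enabled it was readable from both uplinks. Restricted to
# the LAN; widen only to the monitoring host's address if needed.
# NOTE(review): "/snmp set enabled=" is not in this export, so SNMP may be
# off; if it is used, also rename the community or move to SNMPv3.
set [ find default=yes ] addresses=192.168.88.0/24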
/tool user-manager customer
# User Manager operator "admin" may manage only its own routers, users,
# profiles and limits plus the payment gateway settings. Its password is not
# part of this export.
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
# Billing profiles (validity=0s = no expiry, starts-at=logon; name-for-users
# is blank everywhere). Bandwidth comes from the profile-limitation bindings
# further down. NOTE(review): override-shared-users=unlimited on 8Mbit, 2Mbit
# and 4Mbit lets one account be logged in any number of times at once; the
# PPPoE server's one-session-per-host only limits sessions per MAC address,
# not per account.
add name=8Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=449 starts-at=logon validity=0s
add name=2Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=449 starts-at=logon validity=0s
add name=4Mbit name-for-users="" override-shared-users=unlimited owner=admin \
price=0 starts-at=logon validity=0s
add name=1Mbit name-for-users="" override-shared-users=off owner=admin price=\
0 starts-at=logon validity=0s
add name="2MbnDavis " name-for-users="" override-shared-users=off owner=admin \
price=0 starts-at=logon validity=0s
add name="2mb domingo" name-for-users="" override-shared-users=off owner=\
admin price=0 starts-at=logon validity=0s
add name="2Mbit Salie" name-for-users="" override-shared-users=1 owner=admin \
price=0 starts-at=logon validity=0s
# "Full" has no profile-limitation binding below, so its users are unshaped.
add name=Full name-for-users="" override-shared-users=off owner=admin price=0 \
starts-at=logon validity=0s
add name="2Mbit Bardien" name-for-users="" override-shared-users=off owner=\
admin price=0 starts-at=logon validity=0s
add name="2Mbit Atta Mohamed" name-for-users="" override-shared-users=off \
owner=admin price=0 starts-at=logon validity=0s
add name=20Mbit name-for-users="" override-shared-users=off owner=admin \
price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
# Bandwidth limitations referenced by the profile-limitation bindings.
# rate-limit-rx/tx are the caps and rate-limit-min-* the guaranteed rates,
# delivered to the PPPoE session as a RADIUS rate limit; download/upload/
# transfer/uptime limits of 0 mean "no quota". NOTE(review): the values carry
# a bytes suffix (B). Taken literally, "8Mbit" is 10485760 B/s (~80 Mbit/s)
# rx and 15728640 B/s (~120 Mbit/s) tx, "20Mbit" is ~160 Mbit/s, and "2Mbit",
# "4Mbit" and "1Mbit" all share the same 262144 B/s rx. Verify the unit and
# the intended numbers - the names do not match the values.
add address-list="" download-limit=0B group-name="" ip-pool="" name=8Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
rate-limit-priority=1 rate-limit-rx=10485760B rate-limit-tx=15728640B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=2Mbit \
owner=admin rate-limit-min-rx=131072B rate-limit-min-tx=1048576B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1843200B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=4Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=4194304B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=1Mbit \
owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=1048576B \
rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1048576B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
# 20Mbit is the only entry without rate-limit-priority (uses the default).
add address-list="" download-limit=0B group-name="" ip-pool="" name=20Mbit \
owner=admin rate-limit-min-rx=20971520B rate-limit-min-tx=12582912B \
rate-limit-rx=20971520B rate-limit-tx=20971520B transfer-limit=0B \
upload-limit=0B uptime-limit=0s


/interface bridge filter
# Accept PPPoE session and discovery frames from the sector port towards the
# router. NOTE(review): there is no drop rule after these two accepts, so
# they currently change nothing - every frame is accepted anyway. Do NOT add
# a blanket drop to chain=input here without also accepting IP/ARP from the
# LAN ports, or management via the bridge (192.168.88.2) is cut off.
add action=accept chain=input in-bridge=bridge in-interface=\
ether2-master-local mac-protocol=pppoe
add action=accept chain=input in-bridge=bridge in-interface=\
ether2-master-local mac-protocol=pppoe-discovery
/interface bridge port
# ether2 (UBNT sector), ether4 and ether5 form the LAN bridge; the PPPoE
# server listens on the bridge, so PPPoE discovery is answered on all three.
add bridge=bridge interface=ether5-slave-local
add bridge=bridge interface=ether2-master-local
add bridge=bridge interface="ether4-slave-local BASE HOUSE"
/interface pppoe-server server
# PPPoE access concentrator for customers, on the whole bridge (not just the
# sector port). one-session-per-host=yes limits sessions per MAC only.
# MTU/MRU 1360 stays below the 1400 of the ISP1 uplink.
# NOTE(review): authentication=pap sends customer passwords in clear text
# across the wireless access network; allow chap/mschap2 (User Manager can
# verify them) once the customer CPEs are confirmed to support it.
add authentication=pap disabled=no interface=bridge max-mru=1360 max-mtu=1360 \
mrru=1600 one-session-per-host=yes service-name=Internet
/ip address
# LAN address of the router (DNS, RADIUS and DHCP gateway all point here).
add address=192.168.88.2/24 interface=bridge network=192.168.88.0
# NOTE(review): no prefix length, so this is a /32 while network=10.0.0.0
# suggests 10.0.0.2/24 (modem-side management address on WAN1) was meant.
add address=10.0.0.2 interface=WAN1 network=10.0.0.0
# NOTE(review): ether4 is a bridge port; an address on a bridge port is not
# usable (and the network field equals the host address). Likely leftover.
add address=192.168.88.4 interface="ether4-slave-local BASE HOUSE" network=\
192.168.88.4


/ip dhcp-client
# DHCP on the raw uplink ports, presumably to reach the DSL modems in bridge
# mode; add-default-route=no keeps them from competing with the PPPoE
# defaults. Note the default use-peer-dns=yes may still import their DNS
# servers.
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=WAN1
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=WAN2
/ip dhcp-server lease
# Static leases, deliberately outside the dynamic pool (.10-.40).
# NOTE(review): client-id=HOME is not a DHCP client-identifier as clients
# send it; the MAC match is what makes this lease work.
add address=192.168.88.50 client-id=HOME mac-address=C8:3A:35:F3:7E:91
add address=192.168.88.60 mac-address=C4:E9:84:71:27:C3
add address=192.168.88.70 mac-address=F4:F2:6D:BB:11:96
/ip dhcp-server network
# LAN clients use the router for both default gateway and DNS.
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.2 gateway=192.168.88.2 netmask=24


/ip dns
# Needed so LAN and PPPoE clients can use the router as resolver.
# NOTE(review): the input chain accepts UDP/TCP 53 from any interface and has
# no final drop, so this also makes the router an open resolver towards both
# uplinks (abusable for DNS amplification). Restrict the port-53 accept rules
# to in-interface=bridge and all-ppp and enable the final drop.
set allow-remote-requests=yes


/ip firewall address-list
# "bogons" is used by the forward rule "Drop to bogon list" (destination
# match). NOTE(review): 10.0.0.0/8 is enabled although 10.0.0.2 is configured
# on WAN1 and the mangle rules accept customer traffic to 10.0.0.0/24 - that
# traffic is dropped in forward. Also note which lists are referenced
# elsewhere but NOT defined here: support, spammers, customer-servers,
# external-nets, forever-saken-game (rules using them never match; a
# negated match like !support matches everything).
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=bogons
# LAN and PPPoE customers (both live in 192.168.88.0/24); used by the QoS
# mangle rules as the "inside" side.
add address=192.168.88.0/24 comment="Internal Subnet" list=internal-nets
/ip firewall filter
# Input/forward policy. NOTE(review): the closing "Drop anything else!" rule
# of the input chain (last rule of this section) is disabled, so every accept
# below is documentation only - whatever is not explicitly dropped reaches
# the router from both uplinks (DNS/53, WinBox/81, RADIUS CoA/1700, the web
# proxy/53281, ...). Complete the accept list (bridge + all-ppp,
# established/related, wanted ICMP) and then enable the final drop.
# SYN tripwire: a source with more than 30 connections whose packet carries
# SYN is listed for 30 minutes; the next rule drops it.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
# Port-scan detection (psd weight 21 within 3 s); offenders kept one week.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
# ICMP to the router is handled in the ICMP chain further down.
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
# Disabled. NOTE(review): WinBox listens on TCP/81 in this config (see
# /ip service), not 8291, and the "support" list is not defined in this
# export, so !support would match every source if this were enabled.
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
src-address-list=!support
# DNS accepted from ANY interface (no in-interface match). Together with
# /ip dns allow-remote-requests=yes this exposes an open resolver on both
# uplinks; restrict to in-interface=bridge / all-ppp.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
# Forwarded ICMP also goes through the ICMP chain, which has no echo-request
# accept, so pings from LAN/customers out to the Internet are dropped there.
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
# bogons includes 10.0.0.0/8 (enabled) and therefore the 10.0.0.0/24 used on
# WAN1: transit traffic towards the modem side is dropped here.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# "spammers" is only populated by a rule inside /system script script1, which
# is not part of the active ruleset, so this drop never matches.
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
# "support" is not defined under /ip firewall address-list - never matches.
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
# LAN hosts get every router service. PPPoE customers arrive on all-ppp, not
# on the bridge, so they are NOT covered by this rule.
add action=accept chain=input comment=\
"Accept all connections from local network" in-interface=bridge
# WinBox was moved to TCP/81 (/ip service). No in-interface match, so a
# spoofed 192.168.88.x source arriving on an uplink is accepted too.
add action=accept chain=input comment="Accept WinBox Access from Local" \
dst-port=81 protocol=tcp src-address=192.168.88.0/24
# /ip service www is disabled, so this rule is currently dead.
add action=accept chain=input comment="Accept WebFig Access from Local" \
dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.88.0/24
# ICMP chain, reached from input, forward and output. Only echo replies, TTL
# exceeded, destination unreachable 3:0-1 and fragmentation-needed (PMTUD)
# pass; everything else - including echo requests (8:0) - is dropped, for
# transit traffic as well. The rate-limited echo-request accept exists only
# inside /system script script1 and is missing from the live ruleset.
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# NOTE(review): RADIUS authentication is UDP/1812 with an ephemeral client
# port, so this TCP rule with src-port=1812 never matches. The RADIUS server
# is this router itself (192.168.88.2 under /radius), so no rule is needed.
add action=accept chain=input connection-state=new connection-type="" \
dst-port=1812 in-interface=bridge protocol=tcp src-port=1812
# Dead for echo requests: the earlier jump to the ICMP chain already dropped
# them before this rule is reached.
add action=accept chain=input connection-state=new in-interface=bridge \
protocol=icmp
# Router-originated ICMP is filtered through the ICMP chain as well.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# Disabled final drop - see the note at the top of this section. Until it is
# enabled the input chain is effectively wide open.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall mangle
# --- QoS classification -----------------------------------------------------
# Pattern: mark-connection (passthrough=yes) classifies a flow, then
# mark-packet (passthrough=no) tags packets as <class>-in / <class>-out for
# /queue tree. Only internal-nets (192.168.88.0/24) and bogons exist under
# /ip firewall address-list; customer-servers, external-nets, spammers,
# support and forever-saken-game are NOT defined in this export, so rules
# matching on them never fire.
# NOTE(review): all "-in" rules use in-interface=WAN1, the Ethernet port that
# carries the PPPoE uplink. Internet traffic enters on the PPPoE interfaces
# ISP1/ISP2 (the PCC rules at the end of this section use those correctly),
# so these rules only see modem-side 10.0.0.x packets and never ISP2 traffic.
add action=mark-packet chain=prerouting comment=\
"internal-traffic packet mark" dst-address-list=internal-nets \
new-packet-mark=internal-traffic passthrough=no src-address-list=\
internal-nets
add action=mark-packet chain=prerouting comment=\
"customer-servers-out packet mark" new-packet-mark=customer-servers-out \
passthrough=no src-address-list=customer-servers
add action=mark-packet chain=prerouting comment=\
"customer-servers-in packet mark" dst-address-list=customer-servers \
new-packet-mark=customer-servers-in passthrough=no
# DNS replies and SNMP queries entering on WAN1 get admin priority.
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" \
in-interface=WAN1 new-packet-mark=admin-in passthrough=no protocol=udp \
src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" \
dst-port=161 in-interface=WAN1 new-packet-mark=admin-in passthrough=no \
protocol=udp
# Remote-admin protocols, matched in any direction on any interface: an
# outside scan of 21/22/23/3389/8291 is classified "admin" (and prioritised)
# as well. 20/21/23 are clear-text protocols.
add action=mark-connection chain=prerouting comment=\
"Remote Protocols admin connection mark" new-connection-mark=admin \
passthrough=yes port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=\
"icmp connection mark as admin" new-connection-mark=admin passthrough=yes \
protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" \
connection-mark=admin in-interface=WAN1 new-packet-mark=admin-in \
passthrough=no
add action=mark-packet chain=prerouting comment="admin-out packet mark" \
connection-mark=admin new-packet-mark=admin-out passthrough=no
# NOTE(review): nothing assigns connection-mark=streaming-video, so these two
# rules never match and /queue tree queue1 (streaming-video-out) stays empty.
add action=mark-packet chain=prerouting comment=\
"streaming video in packet mark" connection-mark=streaming-video \
in-interface=WAN1 new-packet-mark=streaming-video-in passthrough=no
add action=mark-packet chain=prerouting comment=\
"streaming video out packet mark" connection-mark=streaming-video \
new-packet-mark=streaming-video-out passthrough=no
# HTTP/HTTPS from the inside. A connection that passes 5 MB is re-marked
# http-download (the later rule wins), after which http-in/http-out stop
# matching it - large downloads silently leave the HTTP queue, and no rule or
# queue in this export uses http-download.
add action=mark-connection chain=prerouting comment=\
"http traffic connection mark" dst-port=80,443 new-connection-mark=http \
passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"http traffic connection mark" connection-bytes=5000000-4294967295 \
dst-port=80,443 new-connection-mark=http-download passthrough=yes \
protocol=tcp src-address-list=internal-nets
# http-in keys on in-interface=WAN1 (see note at the top of this section).
add action=mark-packet chain=prerouting comment="http in packet mark" \
connection-mark=http in-interface=WAN1 new-packet-mark=http-in \
passthrough=no
# http-out feeds the "HTTP" queue in /queue tree.
add action=mark-packet chain=prerouting comment="http out packet mark" \
connection-mark=http new-packet-mark=http-out passthrough=no
# --- Gaming -----------------------------------------------------------------
# TCP flows are classified by destination port (plus one fixed EVE Online
# address); UDP is matched per packet by source port. NOTE(review): every
# games-in rule requires dst-address-list=external-nets, which is not defined
# in this export, so only games-out is ever assigned.
add action=mark-connection chain=prerouting comment=\
"wow connetion mark as gaming" dst-port=\
1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games passthrough=\
yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"eve online connetion mark as gaming" dst-address=87.237.38.200 \
new-connection-mark=games passthrough=yes src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"starcraft 2 connetion mark as gaming" dst-port=1119 new-connection-mark=\
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"heros of newerth connetion mark as gaming" dst-port=11031,11235-11335 \
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
internal-nets
add action=mark-connection chain=prerouting comment=\
"steam connetion mark as gaming" dst-port=27014-27050 \
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
internal-nets
add action=mark-connection chain=prerouting comment=\
"xbox live connetion mark as gaming" dst-port=3074 new-connection-mark=\
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"ps3 online connetion mark as gaming" dst-port=5223 new-connection-mark=\
games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
"wii online connetion mark as gaming" dst-port=28910,29900,29901,29920 \
new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
internal-nets
# Both address lists below (external-nets, forever-saken-game) are undefined.
add action=mark-packet chain=prerouting comment=\
"games packet mark forever-saken-game" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no src-address-list=\
forever-saken-game
add action=mark-packet chain=prerouting comment=\
"games packet mark starcraft2" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no protocol=udp src-port=1119,6113
# src-port=53 here would also tag DNS replies as game traffic.
add action=mark-packet chain=prerouting comment="games packet mark wow" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark HoN" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=11031,11235-11335
add action=mark-packet chain=prerouting comment="games packet mark steam in" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
port=4380,28960,27000-27030 protocol=udp
# Ports 4380 and 28960 are listed twice (harmless).
add action=mark-packet chain=prerouting comment="games packet mark steam out" \
dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 \
new-packet-mark=games-out passthrough=no protocol=udp src-address-list=\
internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" \
dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=\
"games packet mark ps3 online" dst-address-list=external-nets \
new-packet-mark=games-in passthrough=no protocol=udp src-port=\
3478,3479,3658
# Generic translation of the "games" connection mark into packet marks.
add action=mark-packet chain=prerouting comment="games packet mark in" \
connection-mark=games dst-address-list=external-nets new-packet-mark=\
games-in passthrough=no
add action=mark-packet chain=prerouting comment="games packet mark out" \
connection-mark=games new-packet-mark=games-out passthrough=no
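# --- VoIP -------------------------------------------------------------------
# NOTE(review): dst-address-list=external-nets is not defined in this export,
# so the TeamSpeak/Ventrilo "voip-in" rules never match; the SIP/RTP rules
# key on internal-nets and do work.
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark teamspeak" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out \
passthrough=no protocol=udp src-address-list=internal-nets
# (Removed: a second copy of the TeamSpeak voip-in rule, mislabelled
# "voip-out". It repeated the matchers of the first rule, which has
# passthrough=no, so it could never match anything.)
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark ventrilo" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
passthrough=no protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
"voip-in packet mark ventrilo" dst-address-list=external-nets \
new-packet-mark=voip-in passthrough=no protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
passthrough=no protocol=tcp src-address-list=internal-nets
# SIP signalling (5060 TCP/UDP plus 5004) and RTP media. port= matches either
# direction, so "in" vs "out" is only distinguished by the address lists.
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" \
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" \
new-packet-mark=voip-out passthrough=no port=5060 protocol=tcp \
src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" \
dst-address-list=internal-nets new-packet-mark=voip-in passthrough=no \
port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=\
"voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=no \
port=5004,5060 protocol=udp src-address-list=internal-nets
# RTP heuristic: small UDP packets in the 16348-32768 port range.
# NOTE(review): the lower bound looks like a typo for 16384; left unchanged.
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" \
dst-address-list=internal-nets new-packet-mark=voip-in packet-size=\
100-400 passthrough=no port=16348-32768 protocol=udp
# Fix: this outbound RTP rule set new-packet-mark=voip-in (copy-paste error);
# it now assigns voip-out like every other "-out" rule.
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" \
new-packet-mark=voip-out packet-size=100-400 passthrough=no port=\
16348-32768 protocol=udp src-address-list=internal-nets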
# --- VPN passthrough (GRE, ESP, IKE/L2TP/NAT-T, PPTP) -----------------------
# "-in" rules key on in-interface=WAN1 again (see the note at the top of this
# section: Internet traffic arrives on ISP1/ISP2, not WAN1).
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" \
new-packet-mark=vpn-out passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" \
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=\
ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" \
new-packet-mark=vpn-out passthrough=no protocol=ipsec-esp
# Both UDP rules match on src-port only, so they catch only peers that also
# use the well-known port as source; the "out" rule has no inside/outside
# restriction at all.
add action=mark-packet chain=prerouting comment=\
"vpn-in packet mark VPN UDP ports" in-interface=WAN1 new-packet-mark=\
vpn-in passthrough=no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment=\
"vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=\
no protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" \
in-interface=WAN1 new-packet-mark=vpn-in passthrough=no protocol=tcp \
src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" \
new-packet-mark=vpn-out passthrough=no protocol=tcp src-port=1723
# Catch-all: anything else entering on WAN1 is marked "in".
add action=mark-packet chain=prerouting comment="all in" in-interface=WAN1 \
new-packet-mark=in passthrough=no
# NOTE(review): the next two rules are in chain=forward but match the
# router's own address (192.168.88.2) as source/destination; such packets go
# through output/input, not forward, so these are unlikely to ever match.
add action=mark-packet chain=forward new-packet-mark=voip-in passthrough=yes \
src-address=192.168.88.2
add action=mark-packet chain=forward dst-address=192.168.88.2 \
new-packet-mark=voip-out passthrough=yes
# IAX2 (UDP/4569) towards the router's own address gets the "VoIP" marks
# (distinct from voip-in/voip-out above; no queue in this export uses them).
add action=mark-connection chain=prerouting dst-address=192.168.88.2 \
dst-port=4569 new-connection-mark=VoIP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VoIP dst-address=\
192.168.88.2 new-packet-mark=VoIP passthrough=no
# --- PCC load balancing (appended from the reference recipe) ----------------
# Customers enter on PPPoE session interfaces, so in-interface=all-ppp
# replaces the recipe's LAN. all-ppp also includes the ISP1/ISP2 uplinks,
# which is why uplink connections are marked first (the two rules after the
# accepts) and then excluded by connection-mark=no-mark.
# NOTE(review): why only one WAN carries traffic -
# (1) the QoS rules above already gave most customer connections a connection
#     mark (games, http, admin, VoIP), so connection-mark=no-mark fails here
#     and those connections never receive ISPx_conn or a routing mark;
# (2) the to_ISP1/to_ISP2 routes under /ip route point at the router's own
#     addresses, so even a correctly marked packet cannot use the right
#     uplink and falls back to the main table.
# Fixing (1) needs either distinct combined marks (e.g. games-isp1/games-isp2)
# or moving the PCC marking ahead of the QoS marking and re-deriving the QoS
# packet marks without connection marks.
# A mangle "accept" stops further mangle processing: customer traffic to the
# LAN and to 10.0.0.0/24 is kept out of the balancer.
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=\
all-ppp
add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=\
all-ppp
# Connections initiated from an uplink remember that uplink.
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ISP2 new-connection-mark=ISP2_conn
# New, still unmarked customer connections to non-local destinations are
# split 50/50 by src+dst address hash.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=all-ppp new-connection-mark=\
ISP1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=all-ppp new-connection-mark=\
ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
# Connection mark -> routing mark for forwarded and router-originated packets.
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=all-ppp new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
in-interface=all-ppp new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2


/ip firewall nat
# Source NAT per uplink; masquerade uses the current PPPoE address of the
# interface the packet leaves on, so it follows the routing mark.
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2


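/ip proxy
# Fix: the web proxy was enabled on TCP/53281 with no /ip proxy access rules
# in this export and no firewall rule protecting it, while the input chain
# has no final drop - i.e. it was reachable from both uplinks as an open
# proxy. Nothing in this config redirects traffic to 53281, so it is turned
# off. If it is really needed, re-enable it together with /ip proxy access
# rules and a filter rule that accepts 53281 only from the bridge / all-ppp.
set anonymous=yes enabled=no max-cache-size=none port=53281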


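/ip route
# Fix: the routing-mark tables pointed at the router's OWN addresses
# (to_ISP1 -> 192.168.88.2 = bridge address, to_ISP2 -> 10.0.0.2 = WAN1
# address), one default pointed at 192.168.88.1 via WAN1 (not a PPPoE next
# hop) and another at a fixed public IP, and one route referenced a deleted
# interface (*F00002). With PPPoE uplinks the peer address is dynamic, so
# the pppoe-client interfaces themselves are the gateways, mirroring the
# reference recipe with ISP1/ISP2 in place of the placeholder IPs.
# Set add-default-route=no on both /interface pppoe-client entries so these
# statics are the only defaults. Directly connected networks (192.168.88.0/24
# on the bridge, the PPPoE peers) get their routes automatically, so the
# static duplicates were dropped.
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=ISP1 \
routing-mark=to_ISP1
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=ISP2 \
routing-mark=to_ISP2
# Unmarked traffic (and the fallback when a marked table has no active
# route): ISP1 preferred, ISP2 when ISP1's gateway stops answering pings.
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=ISP1
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ISP2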


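/ip service
# Only WinBox stays enabled, moved to TCP/81 (so the disabled filter rule on
# 8291 is meaningless, and the disabled www service makes the "WebFig"
# accept rule dead). Fix: the input chain has no final drop, so WinBox was
# reachable from both uplinks; it is now bound to the LAN subnet. Note that
# PPPoE customers also live in 192.168.88.0/24 - narrow further if they
# should not see the management port, and widen (or use a VPN) if the router
# must be managed from elsewhere.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2222
set api disabled=yes
set winbox address=192.168.88.0/24 port=81
set api-ssl disabled=yes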


/ppp aaa
# PPPoE authentication and accounting via RADIUS (User Manager on this box).
set use-radius=yes

/radius
# RADIUS server = the router itself (192.168.88.2, see /ip address). No
# secret is shown in this export and the matching /tool user-manager router
# entry has shared-secret="". NOTE(review): if the secret really is empty,
# RADIUS packets are effectively unauthenticated - set the same strong
# secret on both sides.
add address=192.168.88.2 service=ppp

/radius incoming
# Accept CoA / Disconnect requests on UDP/1700 (User Manager use-coa=yes).
# With the open input chain this port is reachable from the uplinks; with an
# empty secret, forged disconnects would be accepted from any source that can
# spoof 192.168.88.2.
set accept=yes port=1700

/system clock
# Fixed time zone (no auto-detect); correct time matters for log timestamps
# and User Manager accounting. No NTP client is shown in this export.
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg

/system routerboard settings
# Keep the boot-time beeps/LED feedback (silent-boot would suppress them).
set silent-boot=no

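/system script
# script1 (re)creates the /ip firewall filter ruleset. It is a second copy of
# the rules above with a few differences: it contains the rate-limited echo
# request accept and the "spammers" list populator that the live ruleset
# lacks. NOTE(review): every run APPENDS duplicates of rules that already
# exist; compare with "/ip firewall filter print" and clear the chain first.
# Fix: the script only adds firewall rules, so read,write is all it needs.
# The former policy also granted ftp, reboot, policy, test, password, sniff
# and sensitive, which would let an edited or hijacked script change
# passwords, raise its own rights, read stored secrets and sniff traffic.
add name=script1 owner=admin policy=read,write source="/ip fir\
ewall filter\r\
\n\r\
\nadd action=drop chain=input comment=\"Drop to syn flood list\" disabled=\
no src-address-list=Syn_Flooder\r\
\nadd action=add-src-to-address-list address-list=Port_Scanner address-lis\
t-timeout=1w chain=input comment=\"Port Scanner Detect\"\r\
\ndisabled=no protocol=tcp psd=21,3s,3,1\r\
\nadd action=drop chain=input comment=\"Drop to port scan list\" disabled=\
no src-address-list=Port_Scanner\r\
\nadd action=jump chain=input comment=\"Jump for icmp input flow\" disable\
d=no jump-target=ICMP protocol=icmp\r\
\nadd action=drop chain=input\r\
\ncomment=\"Block all access to the winbox - except to support list # DO N\
OT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST\"\r\
\ndisabled=yes dst-port=8291 protocol=tcp src-address-list=!support\r\
\nadd action=jump chain=forward comment=\"Jump for icmp forward flow\" dis\
abled=no jump-target=ICMP protocol=icmp\r\
\nadd action=drop chain=forward comment=\"Drop to bogon list\" disabled=no\
\_dst-address-list=bogons\r\
\nadd action=add-src-to-address-list address-list=spammers address-list-ti\
meout=3h chain=forward comment=\"Add Spammers to the list for 3 hours\"\r\
\nconnection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protoco\
l=tcp\r\
\nadd action=drop chain=forward comment=\"Avoid spammers action\" disabled\
=no dst-port=25,587 protocol=tcp src-address-list=spammers\r\
\nadd action=accept chain=input comment=\"Accept DNS - UDP\" disabled=no p\
ort=53 protocol=udp\r\
\nadd action=accept chain=input comment=\"Accept DNS - TCP\" disabled=no p\
ort=53 protocol=tcp\r\
\nadd action=accept chain=input comment=\"Accept to established connection\
s\" connection-state=established\r\
\ndisabled=no\r\
\nadd action=accept chain=input comment=\"Accept to related connections\" \
connection-state=related disabled=no\r\
\nadd action=accept chain=input comment=\"Full access to SUPPORT address l\
ist\" disabled=no src-address-list=support\r\
\nadd action=drop chain=input comment=\"Drop anything else! # DO NOT ENABL\
E THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED\"\r\
\ndisabled=yes\r\
\nadd action=accept chain=ICMP comment=\"Echo request - Avoiding Ping Floo\
d\" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=\"Echo reply\" disabled=no icmp-opt\
ions=0:0 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=\"Time Exceeded\" disabled=no icmp-\
options=11:0 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=\"Destination unreachable\" disable\
d=no icmp-options=3:0-1 protocol=icmp\r\
\nadd action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 \
protocol=icmp\r\
\nadd action=drop chain=ICMP comment=\"Drop to the other ICMPs\" disabled=\
no protocol=icmp\r\
\nadd action=jump chain=output comment=\"Jump for icmp output\" disabled=n\
o jump-target=ICMP protocol=icmp"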


/tool user-manager database
# User Manager keeps its database (accounts, sessions, accounting) in the
# "user-manager" directory on the router's own storage; include it in
# backups, as a plain config export does not contain it.
set db-path=user-manager

/tool user-manager profile profile-limitation
# Binds each billing profile to a bandwidth limitation 24x7.
# NOTE(review): the first entry has no profile= and so is attached to no
# profile; "2Mbit Bardien" is bound twice (redundant); "Full" has no binding
# at all, so its users are unshaped.
add from-time=0s limitation=8Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=2Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=4Mbit profile=4Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1Mbit profile=1Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2MbnDavis " till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2mb domingo" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Salie" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Atta Mohamed" till-time=\
23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=8Mbit profile=8Mbit till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
# Duplicate of the earlier "2Mbit Bardien" binding.
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=20Mbit profile=20Mbit till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
# The NAS is this router itself (192.168.88.2); CoA is sent to UDP/1700
# (see /radius incoming). NOTE(review): shared-secret="" - if this is not
# just the export hiding it, RADIUS traffic between User Manager and the PPP
# stack is unauthenticated. Set a strong secret here and under /radius.
add coa-port=1700 customer=admin disabled=no ip-address=192.168.88.2 log=\
auth-fail name=RB750UP shared-secret="" use-coa=yes
/tool user-manager user
# Customer accounts (realm @spiderweb). Passwords are not part of this
# export. Each has a fixed ip-address that is handed to the PPPoE session as
# Framed-IP-Address; NOTE(review): those addresses (.103-.115) lie inside
# the PPPoE pool (.100-.200), so the pool can give the same address to a
# different session. shared-users=unlimited lets every account be used by
# any number of simultaneous sessions (the PPPoE server only limits sessions
# per MAC), which is the usual vector for credential sharing/resale.
add customer=admin disabled=no ip-address=192.168.88.110 shared-users=\
unlimited username=samodien@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.103 shared-users=\
unlimited username=domingo@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.105 shared-users=\
unlimited username=bardien@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.106 shared-users=\
unlimited username=attamohamed@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.115 shared-users=\
unlimited username=abdol2@spiderweb wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
 
Beone
Posts: 250
Joined: Fri Feb 11, 2011 1:11 pm

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Sat Sep 01, 2018 9:26 am

even though your PPPoE server is connected to LAN, traffic from your PPPoE customers won't match the mangle in-interface=LAN

Instead use in-interface=all-ppp, but watch out: your uplinks are also PPPoE, so all-ppp matches the ISP1/ISP2 interfaces as well...
 
ADahi
Posts: 209
Joined: Thu Sep 21, 2017 7:16 pm
Location: Iraq, Ninavah

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Sat Sep 01, 2018 10:01 am

even though your PPPoE server is connected to LAN, traffic from your PPPoE customers won't match the mangle in-interface=LAN

Instead use in-interface=all-ppp, but watch out: your uplinks are also PPPoE, so all-ppp matches the ISP1/ISP2 interfaces as well...


A better idea is to combine them:
in-interface=all-ppp together with src-address=<customer subnet>/24 (here 192.168.88.0/24), so packets arriving on the uplink PPPoE interfaces are excluded from the match.
 
ZSam
Topic Author
Posts: 61
Joined: Tue May 10, 2016 6:40 pm

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Mon Sep 03, 2018 12:29 pm

Thank you for the responses.

I have tried what you suggested, but it still does not work :(.
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Mon Sep 03, 2018 1:30 pm

What I can see in your configuration is that you use connection-marks to mark connections for later translation into packet-marks for prioritization (queueing), and at the end of this pre-existing list of mangle rules you have copy-pasted additional mangle rules to implement load distribution using per-connection-classifier.

However, these added rules only assign connection-marks to packets belonging to connections which don't have any connection-mark assigned yet (because you use the connection-mark=no-mark condition in these rules). Therefore, no connection is ever marked with any of those connection-marks which would be translated to routing-marks by the subsequent rules, so no routing-marks are ever assigned, and so the default routing table is used for all packets.

Unfortunately, removing the condition connection-mark=no-mark from those rules wouldn't resolve the issue plus it would break the assignment of packet-marks.

This is a limitation of the current firewall implementation. You would have to use combined connection-marks (like games-isp1, games-isp2), assign them in a complex manner (I would use chains to do that), and translate them to packet-marks and routing-marks appropriately, like (simplified!):
chain=prerouting action=jump jump-target=games ...conditions from the rule previously assigning new-connection-mark=games...
chain=prerouting action=jump jump-target=http ...conditions from the rule previously assigning new-connection-mark=http...
...
chain=prerouting action=mark-packet new-packet-mark=games-in connection-mark=games-isp1,games-isp2 passthrough=yes ...
...
chain=prerouting action=mark-routing new-routing-mark=isp1 connection-mark=http-isp1,games-isp1,... ...
...
chain=games action=mark-connection per-connection-classifier=both-addresses:2/0 new-connection-mark=games-isp1
chain=games action=mark-connection per-connection-classifier=both-addresses:2/1 new-connection-mark=games-isp2
..
chain=http action=mark-connection per-connection-classifier=both-addresses:2/0 new-connection-mark=http-isp1
chain=http action=mark-connection per-connection-classifier=both-addresses:2/1 new-connection-mark=http-isp2
That's still not all, because you also have to properly address the issue of routes with routing-marks being used even for packets whose dst-address is in a connected subnet. As you use both the bridge and the ppp interfaces as the LAN zone, in-interface-list=all-ppp is not the best choice, as it doesn't cover the bridge. So /ip route rule entries that override the routing-marks for anything with a dst-address matching one of your LAN zone subnets are a better approach.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Tue Sep 04, 2018 12:02 pm

Thank you!

As much as this makes sense to me it also does not make sense lol.

I am not a MT guru as it seems you are.

Would you be able to assist me to get this working perhaps?
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Tue Sep 04, 2018 1:50 pm

I believe in teaching how to fish, not in catering a free fish daily.

So: either you know that you need to have it done once forever, or you want to understand networking because you can use the knowledge for other purposes. In the first case, find a local friend/consultant to do it for you and take care of the fine tuning later on; in the second case, I can explain to you how it all works.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Tue Sep 04, 2018 4:36 pm

I believe in learning how to fish. Apologies - this is what I meant by "helping me to get it to work".

Thank you. How can we do this?
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Tue Sep 04, 2018 5:18 pm

When I have more time to concentrate, I'll try to explain to you the magic behind connection-mark, packet-mark, and routing-mark relationship and use.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Tue Sep 04, 2018 8:22 pm

That would be great. Thanks.
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 12:46 am

OK. So here comes the theory. While writing it, I've realized that you actually can do it in a simpler way, but never mind, once it's been already written it will be useful :-)

As a packet travels through the system, it is processed by various stages of the firewall, queuing, and routing. These processes take decisions how to handle the packet based on information contained in the packet itself and also some meta-fields - labels attached to the packet by previous processing stages which are not part of the packet contents but accompany it through all the subsequent processing once assigned.

When a packet comes in, one of the first processing stages to handle it is the connection tracker module. It maintains a list of existing communication exchanges like TCP sessions, bi-directional UDP flows, ICMP echo request/response flows, and compares each new packet to arrive with that list. If the packet's source and destination IP address and some additional fields match one of the existing connections, the packet is considered part of it and its meta-field connection-state is set to established; if the packet doesn't match any existing connection but is potentially able to establish a new one, its connection-state is set to new. This allows you to set up complex firewall rules only for the "new" packets and assume that once a connection has been established, there is no need to check subsequent packets belonging to that connection.

Source NAT and destination NAT are also part of connection context. Every packet establishing a new connection is handled by a firewall table called nat, and if processing by this table results in assigning a new source and/or destination socket, this information is stored in that connection's context and all subsequent packets of that connection are treated the same or symmetric way depending on their direction, starting from the step of matching the packet to the connection list. You can refer to this using a meta-field called connection-nat-state.

If you need that all packets of a given connection, or just some packets of a given connection depending on additional conditions, are systematically handled the same way, you can attach a text label - a connection-mark - to the connection as you handle one of its packets. This label gets also stored in the connection context, and all packets belonging to the same connection, starting already from the one during whose processing the connection-mark has been assigned to the connection, get this meta-field attached as they pass through the connection tracker, so you can refer to it in firewall rules' match expressions when processing these packets. There are no tools available which would allow you to compute an individual label for each connection, so effectively you can create and use connection categories and handle the same way all connections belonging to the same category (i.e. marked with the same connection-mark) rather than a single individual connection.

You can replace the connection-mark previously assigned to a connection, but you cannot add another one.

To influence packet routing, you need to assign to it a routing-mark, which is another meta-field, and unlike the connection-mark, it is assigned just to a single packet. The routing-mark is then used in the routing stage to choose one of the routing tables.

To influence packet queuing, you need to assign a packet-mark which the queues match on.

A single packet can have both a routing-mark and a packet-mark assigned, but also at most one of each type.

A connection-mark can only be matched by firewall rules. If you need to use a connection-mark to influence routing, you have to use a firewall rule to assign a routing-mark to packets bearing a specific connection-mark, and the same applies for using connection-marks to influence queuing.

When distributing the traffic among WAN interfaces which use NAT, it is essential that all packets of any given connection use the same WAN, so either the firewall rules which control the load distribution must assign the same routing-mark to all packets of the same direction of the same connection or, if this is not the case, the firewall rules which control the load distribution must assign a connection-mark when choosing the WAN for the initial packet, and the routing-mark for all subsequent outbound packets of a connection must be assigned based on this connection-mark.

In your scenario, the problem is that you want to prioritize the traffic and at the same time distribute it among two WANs, and to do this independently of each other. Which actually means that
  • you need two independent queue sets for the upload traffic (one for each of the WANs) and one queue set for the download traffic (which you throttle using the queues as you send it to LAN)
  • as it is not possible to assign two independent connection-marks to a single connection:
    • if you would want to use traffic distribution classifiers like nth or random, or
    • if you would want to establish connections to the Mikrotik itself or to devices on its LAN from the Internet via more than a single one out of all its WAN addresses, or
    • if you would want to combine load distribution with a failover if one of the WANs fails,
    you would have to use connection-marks which would bear both the information used to assign packet-marks and the information used to assign routing-marks, thus you would have to assign these composite connection-marks using chained mangle rules.

Now we come back to what I wrote in the very beginning: if you are sure that you don't need to connect from the Internet to more than one of the Mikrotik's WAN interfaces, or if you simply cannot do it because at most a single WAN has a public IP address, and if per-connection-classifier is a satisfactory enough method of load distribution and you don't need a WAN failover (which actually provides little advantage as compared to load distribution alone if NAT is in use), you can use the per-connection-classifier to assign routing-marks directly, i.e. without any relationship to connection-marks, so the connection-marks may stay as they are and only the rules added to provide load distribution need to be changed accordingly.

What is your standpoint here?
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 2:35 am

A load to take in indeed!

It has provided some clarity, but will need some time to understand the workings better.

Re: my standpoint - I will not need to connect to the MT WAN via internet. Also, both WANs have public IPs.

Essentially, what I would like to do is distribute the load over the two WANs, and if possible, have failover. By distribute, I mean having a larger bandwidth available so as to accommodate more users. Both WANs are 10Mbit, and I am currently only making use of one. With the load distribution you mention in the latter part, would I be able to achieve this?

I may be understanding incorrectly, but are you saying that with the routing-mark method I would assign a specific "user" to a specific WAN, meaning that if that WAN is down, the user will not connect to the internet?
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 1:11 pm

> I may be understanding incorrectly, but are you saying that with the routing-mark method I would assign a specific "user" to a specific WAN, meaning that if that WAN is down, the user will not connect to the internet?
The choice of WAN is not done per user but per each connection of that user. So if the same device opens the same web page twice, it is quite possible that each connection will use a different WAN. It is not guaranteed for each pair of subsequent connections, but statistically 50 of 100 connections of that device should use one WAN and the other 50 connections should use the other one.

> Essentially, what I would like to do is distribute the load over the two WANs, and if possible, have failover. By distribute, I mean having a larger bandwidth available so as to accommodate more users. Both WANs are 10Mbit, and I am currently only making use of one. With the load distribution you mention in the latter part, would I be able to achieve this?
Yes for load distribution. For failover, the issue is whether it is worth the effort. If you use per-connection-classifier in a proper way (i.e. if you include proper fields into the hash), the individual connections from the same LAN device to the same remote server will be distributed among the WANs.

Assuming that your two uplinks are unrelated to each other, i.e. your ISP doesn't know that if one of them is down, it should send the packets to you via the other one: if one of the WANs fails, all the connections currently running via that WAN fail, and no new connections routed via that WAN can establish. So in this state (one WAN down), the users will have to retry their requests until eventually one of them succeeds. The only thing you can achieve by adding a dedicated failover to the per-connection-classifier-based load distribution would be that when one WAN is down, connections which the per-connection-classifier sends to that WAN get established via the other one (so the very first re-connection attempt after a WAN failure succeeds), and will stay there even if their "proper" WAN gets back up. But to achieve this, you need to use the per-connection-classifier only for the initial packet of each connection, and use connection-mark to glue the connection to the WAN it actually used. But doing so makes the firewall rules a lot more complex (as the composite connection-marks have to be used) and my personal opinion is that it is too high a price to pay for such a small improvement of user comfort.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 1:29 pm

> Yes for load distribution. For failover, the issue is whether it is worth the effort. If you use per-connection-classifier in a proper way (i.e. if you include proper fields into the hash), the individual connections from the same LAN device to the same remote server will be distributed among the WANs.

I follow your thoughts.

I believe I should then go with the routing-mark option.

Now the question remains - how do I begin to do this?
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 2:29 pm

By simplifying the copy-pasted load distribution solution (by the way, where did you find it? There is a mistake in it), replacing the original
# The pasted-in load-distribution rules: PCC assigns a connection-mark, and the
# routing-mark is then derived from that connection-mark (prerouting for LAN
# traffic, output for the router's own traffic). As explained earlier in the
# thread, connection-mark=no-mark cannot match a connection that the pre-existing
# QoS rules have already marked, so in this configuration these rules never fire.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=all-ppp new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=all-ppp new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn in-interface=all-ppp new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn in-interface=all-ppp new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2
by just
# Simplified replacement: the PCC hash over source address+port selects the
# routing-mark directly, with no connection-mark involved, so the existing QoS
# connection-marks are left untouched. passthrough=no ends mangle processing for
# a packet once it is marked.
# NOTE(review): in-interface=bridge matches only hosts attached directly to the
# bridge. Traffic from PPPoE-server clients arrives on their own dynamic ppp
# interfaces (see Beone's remark earlier in the thread), so it would not be
# distributed by these two rules — confirm with the rule counters.
add action=mark-routing chain=prerouting in-interface=bridge new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=src-address-and-port:2/0
add action=mark-routing chain=prerouting in-interface=bridge new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=src-address-and-port:2/1
Also, you have to add
# Policy-routing exception: anything destined to the LAN subnet is resolved in
# the main table only, so routing-marked packets still reach local hosts and
# return traffic is not sent out via a WAN.
/ip route rule
add dst-address=192.168.88.0/24 action=lookup-only-in-table table=main
to avoid problems with return traffic (provided that your LAN subnet is 192.168.88.0/24)

And then you have to tidy up the routes, because I have no idea what your two WANs look like, but for sure your own IP address cannot be the gateway of WAN1 like it is now in the default route marked with to_ISP1.

So you need to change those two routes to
# One default route per routing-mark. xxxxx and yyyyy are placeholders (explained
# in the sentence that follows): the WAN gateway IP, or simply the PPPoE
# interface name when the uplink is a PPPoE client.
/ip route
add check-gateway=ping distance=1 gateway=xxxxx routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=yyyyy routing-mark=to_ISP2
where xxxxx is the gateway IP (or interface name if it is a PPPoE interface) of WAN1, and yyyyy is the gateway IP (or interface name if it is a PPPoE interface) of WAN2.

And you have to set passthrough=yes to all the other mangle rules which have any other action than accept or drop.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 4:08 pm

Okay, so I have added the above - I also do understand it somewhat. Thank you.

However, I still see no activity on ISP2. I think it may be a routes issue?
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 4:15 pm

# Routes as posted after the changes.
# NOTE(review): the two marked routes point at LAN-side addresses rather than at
# the uplinks: 192.168.88.1 lies inside the 192.168.88.0/24 LAN subnet, and
# 10.0.0.2 is the router's own address on "ether1-gateway DSL 1" (see /ip address
# in the export below). Since ISP1 and ISP2 are PPPoE clients, the marked routes
# should use the interface names as gateway (gateway=ISP1 / gateway=ISP2), exactly
# like the two unmarked default routes below already do.
/ip route
add check-gateway=ping distance=1 gateway=192.168.88.1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=10.0.0.2 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=ISP1
add check-gateway=ping distance=2 gateway=ISP2
# Keep LAN-destined traffic in the main table regardless of routing-mark.
/ip route rule
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 4:20 pm

Post the complete current configuration export after all the modifications and the output of /ip route print, /ip address print, obfuscate any public IPs in a logical way (e.g. if your WAN1 address is 4.3.2.5 and the gateway you get from there is 4.3.2.1, translate both to wan.1.subnet.5 and wan.1.subnet.1).

And provide a diagram of how the two WANs are practically implemented. I am scared to see one of the gateways in the LAN subnet, as that at least makes the default firewall rules unsafe and may require some modifications to them.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 4:46 pm

# Physical ports. ether1 and ether3 face the two bridged DSL modems (ether1 with
# MTU 1492, i.e. 1500 minus the 8-byte PPPoE header); ether2, ether4 and ether5
# are added to the LAN bridge further down. PoE output is switched off on ether4.
/interface ethernet
set [ find default-name=ether1 ] comment="ALL ETHERNET" mtu=1492 name=\
    "ether1-gateway DSL 1"
set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local
set [ find default-name=ether3 ] name="ether3-slave-local DSL 2"
set [ find default-name=ether4 ] name="ether4-slave-local BASE HOUSE" \
    poe-out=off
set [ find default-name=ether5 ] name=ether5-slave-local
# The two WAN uplinks. Both install a dynamic default route; ISP2's gets distance
# 2, so without routing-marks every connection prefers ISP1. user=HIDDEN is the
# poster's redaction; passwords do not appear in this export.
# NOTE(review): allow=pap restricts ISP1 to PAP, which transmits the ISP password
# unencrypted over the PPPoE session. Unless the ISP really requires PAP, leave
# the CHAP variants allowed as well so the stronger method can be negotiated.
/interface pppoe-client
add add-default-route=yes allow=pap comment="DSL CONNECTIONS" disabled=no \
    interface="ether1-gateway DSL 1" keepalive-timeout=60 max-mru=1400 \
    max-mtu=1400 mrru=1600 name=ISP1 user=HIDDEN
# ISP2: default MTU/MRU and authentication, lower route priority (distance 2).
add add-default-route=yes default-route-distance=2 disabled=no interface=\
    "ether3-slave-local DSL 2" name=ISP2 user=HIDDEN
# PPTP tunnel to a remote site.
# NOTE(review): PPTP's authentication and encryption (MS-CHAP/MPPE) are widely
# regarded as broken; if this tunnel carries anything sensitive, prefer a tunnel
# type with modern cryptography.
/interface pptp-client
add connect-to=154.117.185.86 mrru=1600 name=pptp-out1 user="Cape Town"
# Default wireless security profile; only the supplicant identity is set. This
# board does not appear to have a wireless interface, so the profile is unused.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools, all carved out of the single 192.168.88.0/24 LAN subnet:
# "dhcp" for the bridge DHCP server, "PPPoE" for PPPoE customers.
# NOTE(review): pool1 (.50-.100) and PPPoE (.100-.200) overlap at .100, so the
# same address can be leased twice if both pools are in use. The static DHCP
# leases further down (.50/.60/.70) also fall inside pool1.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.40
add name=PPPoE ranges=192.168.88.100-192.168.88.200
add name=pool1 ranges=192.168.88.50-192.168.88.100
# DHCP server on the LAN bridge, handing out the "dhcp" pool (.10-.40); it only
# becomes authoritative after a 2-second delay.
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge name=default
# The two built-in PPP profiles. use-encryption=no on both means PPPoE sessions
# run without MPPE. DNS handed to clients is the router itself; local-address
# takes the router's side from the "PPPoE" pool. No remote-address is set here,
# so client addresses presumably come from the per-user ip-address configured in
# User Manager — confirm.
/ppp profile
set *0 dns-server=192.168.88.2 local-address=PPPoE use-encryption=no
set *FFFFFFFE use-encryption=no
# Download shaping towards the LAN (parent=bridge), keyed on packet-marks set in
# /ip firewall mangle: streaming video is capped at 5M; HTTP gets 7M guaranteed,
# 10M maximum, with a 5 s burst window.
/queue tree
add limit-at=5M max-limit=5M name=queue1 packet-mark=streaming-video-out \
    parent=bridge priority=5
add burst-time=5s limit-at=7M max-limit=10M name=HTTP packet-mark=http-out \
    parent=bridge queue=hotspot-default
# NOTE(review): the default SNMP community ("public" unless renamed) accepts
# queries from any source address. Because the input chain's final "Drop anything
# else" rule is disabled (see /ip firewall filter), SNMP is reachable from the
# WAN interfaces too. Restrict addresses= to the management subnet
# (e.g. 192.168.88.0/24) and/or drop UDP 161 from the WANs in the input chain.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# User Manager operator "admin" and the permissions it has over routers, users,
# profiles, limits and the payment gateway configuration.
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
# User Manager service profiles (bandwidth tiers, some per-customer). All start at
# logon with unlimited validity; name-for-users is left empty everywhere.
# Only 8Mbit, 2Mbit, 4Mbit, 1Mbit and 20Mbit have a matching entry in the
# limitation section below; the profile-to-limitation binding is not part of this
# excerpt. Note the trailing space in "2MbnDavis " — presumably accidental.
/tool user-manager profile
add name=8Mbit name-for-users="" override-shared-users=unlimited owner=admin \
    price=449 starts-at=logon validity=0s
add name=2Mbit name-for-users="" override-shared-users=unlimited owner=admin \
    price=449 starts-at=logon validity=0s
add name=4Mbit name-for-users="" override-shared-users=unlimited owner=admin \
    price=0 starts-at=logon validity=0s
add name=1Mbit name-for-users="" override-shared-users=off owner=admin price=\
    0 starts-at=logon validity=0s
add name="2MbnDavis " name-for-users="" override-shared-users=off owner=admin \
    price=0 starts-at=logon validity=0s
add name="2mb domingo" name-for-users="" override-shared-users=off owner=\
    admin price=0 starts-at=logon validity=0s
add name="2Mbit Salie" name-for-users="" override-shared-users=1 owner=admin \
    price=0 starts-at=logon validity=0s
add name=Full name-for-users="" override-shared-users=off owner=admin price=0 \
    starts-at=logon validity=0s
add name="2Mbit Bardien" name-for-users="" override-shared-users=off owner=\
    admin price=0 starts-at=logon validity=0s
add name="2Mbit Atta Mohamed" name-for-users="" override-shared-users=off \
    owner=admin price=0 starts-at=logon validity=0s
add name=20Mbit name-for-users="" override-shared-users=off owner=admin \
    price=0 starts-at=logon validity=0s
# Per-profile rate limits (rx = customer upload, tx = customer download, with
# min-* guaranteed rates and a priority). Transfer/uptime limits are 0, which
# presumably means unlimited — confirm against the User Manager documentation.
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" name=8Mbit \
    owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
    rate-limit-priority=1 rate-limit-rx=10485760B rate-limit-tx=15728640B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=2Mbit \
    owner=admin rate-limit-min-rx=131072B rate-limit-min-tx=1048576B \
    rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1843200B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=4Mbit \
    owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=2097152B \
    rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=4194304B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=1Mbit \
    owner=admin rate-limit-min-rx=262144B rate-limit-min-tx=1048576B \
    rate-limit-priority=1 rate-limit-rx=262144B rate-limit-tx=1048576B \
    transfer-limit=0B upload-limit=0B uptime-limit=0s
# 20Mbit has no rate-limit-priority set, unlike the other tiers.
add address-list="" download-limit=0B group-name="" ip-pool="" name=20Mbit \
    owner=admin rate-limit-min-rx=20971520B rate-limit-min-tx=12582912B \
    rate-limit-rx=20971520B rate-limit-tx=20971520B transfer-limit=0B \
    upload-limit=0B uptime-limit=0s
# LAN bridge membership: ether2, ether4 and ether5. The two DSL-facing ports
# (ether1, ether3) deliberately stay outside the bridge.
/interface bridge port
add bridge=bridge interface=ether5-slave-local
add bridge=bridge interface=ether2-master-local
add bridge=bridge interface="ether4-slave-local BASE HOUSE"
# PPPoE server for customers, bound to the LAN bridge; one session per MAC.
# NOTE(review): authentication=pap is the only method offered, and the PPP
# profiles above have use-encryption=no, so customer passwords cross the access
# network in clear text. Adding chap/mschap2 to authentication= (and removing pap
# once all clients negotiate it) keeps the password out of the wire.
/interface pppoe-server server
add authentication=pap disabled=no interface=bridge max-mru=1360 max-mtu=1360 \
    mrru=1600 one-session-per-host=yes service-name=Internet
# Router addresses. 192.168.88.2/24 on the bridge is the LAN gateway and DNS
# address used everywhere else in this export. 10.0.0.2 on "ether1-gateway DSL 1"
# has no prefix length; presumably it is there to reach the DSL modem's
# management address — confirm.
# NOTE(review): 192.168.88.4 is configured on ether4, which is also a member port
# of the bridge; an address on a bridge port is not usable and this entry looks
# like a leftover that can be removed.
/ip address
add address=192.168.88.2/24 interface=bridge network=192.168.88.0
add address=10.0.0.2 interface="ether1-gateway DSL 1" network=10.0.0.0
add address=192.168.88.4 interface="ether4-slave-local BASE HOUSE" network=\
    192.168.88.4
# DHCP clients on both DSL-facing ports, without installing a default route (the
# PPPoE clients provide those). Presumably used to pick up an address from each
# modem's LAN side for management — confirm.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface="ether1-gateway DSL 1"
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface="ether3-slave-local DSL 2"
# Static DHCP leases. These addresses (.50/.60/.70) sit inside pool1, not inside
# the "dhcp" pool the server actually hands out.
/ip dhcp-server lease
add address=192.168.88.50 client-id=HOME mac-address=C8:3A:35:F3:7E:91
add address=192.168.88.60 mac-address=C4:E9:84:71:27:C3
add address=192.168.88.70 mac-address=F4:F2:6D:BB:11:96
# Options handed to DHCP clients: the router (.2) is both gateway and DNS server.
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.2 gateway=192.168.88.2 netmask=24
# The router forwards DNS to Google's resolvers on behalf of LAN clients.
# NOTE(review): allow-remote-requests=yes together with the "Accept DNS - UDP/TCP"
# input rules below (which have no in-interface or src-address restriction) and
# the disabled final input drop makes this an open resolver on the WAN side, which
# is abused for DNS amplification. Restrict the DNS accept rules to the LAN
# (in-interface=bridge / all-ppp, or src-address=192.168.88.0/24) and drop port
# 53 arriving from the WANs.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Address lists. "bogons" feeds the forward-chain drop below; "internal-nets"
# drives the QoS marks in mangle.
# NOTE(review): 10.0.0.0/8 is enabled in bogons while the router itself has
# 10.0.0.2 on "ether1-gateway DSL 1", so LAN hosts cannot reach anything in
# 10.0.0.0/8 through the forward chain (e.g. the DSL modem). Disable it like
# 192.168.0.0/16 if that access is needed. The lists referenced elsewhere in the
# firewall — support, spammers (filter) and customer-servers (mangle) — are not
# defined in this export.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=192.168.88.0/24 comment="Internal Subnet" list=internal-nets
# Packet filter. The input chain ends with a DISABLED "Drop anything else" rule,
# so everything not explicitly dropped above it is accepted — including from the
# two WAN interfaces. Review points are marked NOTE(review) next to the rule
# they concern; enabling the final drop after verifying the accepts is the
# single most important hardening step in this configuration.
/ip firewall filter
# SYN-flood heuristic: sources exceeding 30 concurrent connections per /32 are
# listed for 30 minutes and dropped by the next rule.
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
# Port-scan detection (psd weight 21 within 3 s); listed sources are dropped
# for a week.
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
# NOTE(review): this rule is enabled although its own comment says not to enable
# it before populating the "support" list. That list is not defined in this
# export, so src-address-list=!support matches every source and Winbox over IP
# (8291) is dropped from everywhere, including the LAN. The "Accept WinBox Access
# from Local" rule below uses dst-port=81, not 8291, so it does not help;
# presumably Winbox is reached via MAC address instead — confirm.
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
# NOTE(review): no in-interface/src-address restriction — with
# allow-remote-requests=yes in /ip dns this accepts recursive queries from the
# WANs (open resolver). Same applies to "Accept DNS - TCP" below.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
# Forward traffic towards bogon space is dropped; note 10.0.0.0/8 is enabled in
# that list while the router has an address in it (see address-list section).
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
# "spammers" list is not defined in this export, so this rule matches nothing.
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
# "support" list is not defined in this export; this accept matches nothing.
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=bridge
add action=accept chain=input comment="Accept WinBox Access from Local" \
    dst-port=81 protocol=tcp src-address=192.168.88.0/24
add action=accept chain=input comment="Accept WebFig Access from Local" \
    dst-port=80 in-interface=bridge protocol=tcp src-address=192.168.88.0/24
# ICMP chain, reached from input, forward and output. It accepts echo reply,
# time exceeded, destination unreachable (codes 0-1) and fragmentation needed
# (PMTUD), then drops every other ICMP type.
# NOTE(review): echo request (8:0) is not accepted, and the output chain jumps
# here too, so the router's own pings — including the check-gateway=ping probes
# on the /ip route entries — appear to be dropped before they leave. Verify with
# the rule counters and /ip route print (gateway shown as unreachable); add an
# accept for icmp-options=8:0 at least in the output chain if confirmed.
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# NOTE(review): RADIUS (1812) runs over UDP; with protocol=tcp this rule is
# unlikely to match User Manager traffic — confirm. It is also unnecessary while
# "Accept all connections from local network" accepts everything from the bridge.
add action=accept chain=input connection-state=new connection-type="" \
    dst-port=1812 in-interface=bridge protocol=tcp src-port=1812
# Never reached for ICMP: the jump to the ICMP chain above already accepts or
# drops every ICMP packet entering the input chain.
add action=accept chain=input connection-state=new in-interface=bridge \
    protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
# NOTE(review): disabled, so the input chain falls through to accept. Every
# service on the router not dropped above (WebFig on 80, SNMP, DNS, ...) is
# therefore reachable from both WAN interfaces. Enable this after confirming the
# accept rules cover what the LAN needs.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "internal-traffic packet mark" dst-address-list=internal-nets \
    new-packet-mark=internal-traffic passthrough=yes src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment=\
    "customer-servers-out packet mark" new-packet-mark=customer-servers-out \
    passthrough=yes src-address-list=customer-servers
add action=mark-packet chain=prerouting comment=\
    "customer-servers-in packet mark" dst-address-list=customer-servers \
    new-packet-mark=customer-servers-in passthrough=yes
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=admin-in passthrough=\
    yes protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" \
    dst-port=161 in-interface="ether1-gateway DSL 1" new-packet-mark=admin-in \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=\
    "Remote Protocols admin connection mark" new-connection-mark=admin \
    passthrough=yes port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "icmp connection mark as admin" new-connection-mark=admin passthrough=yes \
    protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" \
    connection-mark=admin in-interface="ether1-gateway DSL 1" \
    new-packet-mark=admin-in passthrough=yes
add action=mark-packet chain=prerouting comment="admin-out packet mark" \
    connection-mark=admin new-packet-mark=admin-out passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "streaming video in packet mark" connection-mark=streaming-video \
    in-interface="ether1-gateway DSL 1" new-packet-mark=streaming-video-in \
    passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "streaming video out packet mark" connection-mark=streaming-video \
    new-packet-mark=streaming-video-out passthrough=yes
# --- QoS: HTTP/HTTPS from internal-nets ---
# Both connection-mark rules below match the same flows; because the second one is later and
# the first has passthrough=yes, a connection that exceeds 5 MB is re-marked http-download.
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" dst-port=80,443 new-connection-mark=http \
    passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" connection-bytes=5000000-4294967295 \
    dst-port=80,443 new-connection-mark=http-download passthrough=yes \
    protocol=tcp src-address-list=internal-nets
# NOTE(review): no rule in this section turns connection-mark=http-download into a packet
# mark, so large downloads stop matching connection-mark=http below and lose the http-in/out
# packet marks entirely — verify a queue or another mangle rule picks http-download up.
add action=mark-packet chain=prerouting comment="http in packet mark" \
    connection-mark=http in-interface="ether1-gateway DSL 1" new-packet-mark=\
    http-in passthrough=yes
# NOTE(review): as with admin-out, this rule has no direction constraint and follows the
# "-in" rule with passthrough=yes, so inbound http packets end up marked http-out.
add action=mark-packet chain=prerouting comment="http out packet mark" \
    connection-mark=http new-packet-mark=http-out passthrough=yes
# --- QoS: gaming traffic ---
# Connection marks: known game server ports, restricted to src-address-list=internal-nets.
# (The word "connetion" in the comment= strings is part of the stored rule comment; it is
# left as-is so the export stays importable unchanged.)
add action=mark-connection chain=prerouting comment=\
    "wow connetion mark as gaming" dst-port=\
    1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games passthrough=\
    yes protocol=tcp src-address-list=internal-nets
# NOTE(review): a single hard-coded public IP for EVE Online; this will silently stop
# matching if the game provider renumbers — consider an address-list instead.
add action=mark-connection chain=prerouting comment=\
    "eve online connetion mark as gaming" dst-address=87.237.38.200 \
    new-connection-mark=games passthrough=yes src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "starcraft 2 connetion mark as gaming" dst-port=1119 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "heros of newerth connetion mark as gaming" dst-port=11031,11235-11335 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-connection chain=prerouting comment=\
    "steam connetion mark as gaming" dst-port=27014-27050 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-connection chain=prerouting comment=\
    "xbox live connetion mark as gaming" dst-port=3074 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "ps3 online connetion mark as gaming" dst-port=5223 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "wii online connetion mark as gaming" dst-port=28910,29900,29901,29920 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
# Packet marks for UDP game traffic (no connection mark involved).
# NOTE(review): the "games-in" rules match dst-address-list=external-nets. For packets
# coming *in* from the game servers the destination would normally be an internal address
# (compare the SIP rules, which use dst-address-list=internal-nets) — confirm what the
# external-nets list actually contains before trusting these counters.
add action=mark-packet chain=prerouting comment=\
    "games packet mark forever-saken-game" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes src-address-list=\
    forever-saken-game
add action=mark-packet chain=prerouting comment=\
    "games packet mark starcraft2" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes protocol=udp src-port=1119,6113
# NOTE(review): src-port=53 here marks DNS replies as game traffic, which overlaps with the
# "admin-in packet mark DNS" rule above; whichever rule is later wins the packet mark.
add action=mark-packet chain=prerouting comment="games packet mark wow" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark HoN" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=11031,11235-11335
# passthrough=no: a steam packet matched here stops traversing the rest of this chain.
add action=mark-packet chain=prerouting comment="games packet mark steam in" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
    port=4380,28960,27000-27030 protocol=udp
# NOTE(review): 4380 and 28960 are listed twice in dst-port; harmless, but worth tidying.
add action=mark-packet chain=prerouting comment="games packet mark steam out" \
    dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 \
    new-packet-mark=games-out passthrough=yes protocol=udp src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=\
    "games packet mark ps3 online" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes protocol=udp src-port=\
    3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" \
    connection-mark=games dst-address-list=external-nets new-packet-mark=\
    games-in passthrough=yes
# NOTE(review): no direction constraint, so packets marked games-in by the rule above are
# re-marked games-out here (same issue as admin-out / http-out).
add action=mark-packet chain=prerouting comment="games packet mark out" \
    connection-mark=games new-packet-mark=games-out passthrough=yes
# --- QoS: VoIP (TeamSpeak, Ventrilo, SIP, RTP) ---
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark teamspeak" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out \
    passthrough=yes protocol=udp src-address-list=internal-nets
# NOTE(review): this rule is a byte-for-byte duplicate of the first teamspeak rule above
# (it matches the same packets and assigns voip-in) despite its "voip-out" comment; it can
# be removed without changing behaviour.
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark teamspeak" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=yes protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=yes protocol=tcp src-address-list=internal-nets
# SIP signalling; "port=" matches either end of the connection.
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=yes \
    port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" \
    new-packet-mark=voip-out passthrough=yes port=5060 protocol=tcp \
    src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=yes \
    port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=yes \
    port=5004,5060 protocol=udp src-address-list=internal-nets
# RTP is identified heuristically: any UDP packet of 100-400 bytes on ports 16348-32768.
# This is broad and will also catch unrelated UDP traffic in that range (some game and
# BitTorrent traffic sits there); it is a best-effort classifier, not an exact one.
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" \
    dst-address-list=internal-nets new-packet-mark=voip-in packet-size=\
    100-400 passthrough=yes port=16348-32768 protocol=udp
# NOTE(review): the comment says "voip-out" but new-packet-mark is voip-in, so outbound
# RTP from internal-nets lands in the inbound queue. Every other "-out" rule in this
# section assigns voip-out; this looks like a typo — `new-packet-mark=voip-out` is the
# likely intent. Left unchanged here because it alters queue behaviour.
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" \
    new-packet-mark=voip-in packet-size=100-400 passthrough=yes port=\
    16348-32768 protocol=udp src-address-list=internal-nets
# --- QoS: VPN transit traffic (GRE, IPsec ESP, IKE/L2TP/NAT-T UDP ports, PPTP) ---
# NOTE(review): each "-out" rule below has no in-interface / src-address-list constraint
# and comes after the matching "-in" rule (which has passthrough=yes), so every packet that
# was marked vpn-in is immediately re-marked vpn-out. Effectively only vpn-out exists.
# Adding src-address-list=internal-nets to the "-out" rules would restore the split.
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" \
    new-packet-mark=vpn-out passthrough=yes protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" \
    new-packet-mark=vpn-out passthrough=yes protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=\
    "vpn-in packet mark VPN UDP ports" in-interface="ether1-gateway DSL 1" \
    new-packet-mark=vpn-in passthrough=yes protocol=udp src-port=\
    500,1701,4500
# Uses src-port (not dst-port) for the outbound direction too; IKE/NAT-T normally use the
# same port on both ends, so this matches, but L2TP clients behind NAT may not.
add action=mark-packet chain=prerouting comment=\
    "vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=\
    yes protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" \
    new-packet-mark=vpn-out passthrough=yes protocol=tcp src-port=1723
# --- Dual-WAN distribution: per-connection-classifier (PCC) routing marks ---
# src-address-and-port:2/N hashes the client address+port, so every packet of one
# connection gets the same verdict; the split is 1:1 between to_ISP1 and to_ISP2.
# passthrough=no ends mangle processing once a routing mark is set.
# NOTE(review): in-interface=bridge only classifies hosts on the local bridge. Traffic from
# the PPPoE *server* clients arrives on their <pppoe-...> interfaces, not on the bridge, and
# therefore falls through to the unmarked default route (ISP1). The thread below resolves
# this by using in-interface-list=all-ppp instead. Traffic destined to 192.168.88.0/24 is
# kept in the main table by the /ip route rule further down, so it is not affected.
add action=mark-routing chain=prerouting in-interface=bridge \
    new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=\
    src-address-and-port:2/0
add action=mark-routing chain=prerouting in-interface=bridge \
    new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
    src-address-and-port:2/1
/ip firewall nat
# Source NAT on both WAN PPPoE interfaces. masquerade takes the address of the outgoing
# interface; the to-addresses=0.0.0.0 on the first rule is a leftover of the RouterOS
# default configuration and should have no effect with masquerade (safe to drop).
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ISP1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ISP2
/ip proxy
# NOTE(review): the web proxy is enabled on a non-standard port with anonymous=yes and no
# /ip proxy access rules visible in this export. Unless the input firewall drops tcp/53281
# from ISP1/ISP2 (the /ip firewall filter section is not in view here), this is reachable
# from the Internet as an open proxy, which is routinely abused for relaying traffic and
# will get the WAN addresses blacklisted. Restrict it (access rules or filter on
# in-interface-list) or disable it if it is not deliberately in use.
set anonymous=yes enabled=yes max-cache-size=none port=53281
/ip route
# Per-WAN routing tables used by the PCC mangle marks. check-gateway=ping on a PPPoE
# interface gateway pings the remote end of the tunnel; if the ping fails the route is made
# inactive, but a marked connection is not re-hashed to the other WAN — it simply has no
# route in its table (the /ip route rule below only covers the LAN prefix).
add check-gateway=ping distance=1 gateway=ISP1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=ISP2 routing-mark=to_ISP2
# Unmarked traffic (main table): ISP1 primary, ISP2 as failover via the higher distance.
add check-gateway=ping distance=1 gateway=ISP1
add check-gateway=ping distance=2 gateway=ISP2
# NOTE(review): a host route bound to one PPPoE server session interface is only valid
# while that particular user is connected; the dynamic per-session route already covers
# this, so the static entry is probably redundant — confirm what 192.168.88.3 is.
add distance=1 dst-address=192.168.88.3/32 gateway=\
    <pppoe-attamohamed@spiderweb>
add distance=1 dst-address=192.168.88.50/32 gateway=bridge
/ip route rule
# Keeps traffic for the local LAN prefix in the main table even when a packet carries a
# to_ISP1/to_ISP2 routing mark, so marked clients can still reach each other and the router.
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main
/ip service
# Management services: everything except WinBox is disabled.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# port=2222 has no effect while the service is disabled; harmless, but misleading.
set ssh disabled=yes port=2222
set api disabled=yes
# NOTE(review): WinBox is moved to port 81 but has no address= restriction. A non-default
# port is not access control; add address=<management prefixes> here and/or make sure the
# input filter only allows it from in-interface-list=LAN. (The disabled "Block all access to
# the winbox" rule in the script below targets the default 8291, not 81.)
set winbox port=81
set api-ssl disabled=yes
/ppp aaa
# PPPoE server users are authenticated via RADIUS (the local User Manager, see below).
set use-radius=yes
/radius
# 192.168.88.2 is this router's own bridge address, i.e. RADIUS goes to the local
# User Manager. The shared secret is not shown in this export (presumably hidden).
add address=192.168.88.2 service=ppp
/radius incoming
# Accept CoA / Disconnect-Request messages on udp/1700 (matches coa-port in the
# User Manager router entry below). Ensure the input filter limits this port to
# the local RADIUS address; unauthenticated CoA can tear down or re-rate sessions.
set accept=yes port=1700
/system clock
# Fixed time zone; correct local time matters for log correlation and certificate checks.
set time-zone-autodetect=no time-zone-name=Africa/Johannesburg
/system routerboard settings
set silent-boot=no
/system script
# A stored script that installs a baseline /ip firewall filter ruleset (SYN-flood and
# port-scan address lists, ICMP sub-chain with rate limiting, SMTP spammer throttling,
# and an input chain that accepts DNS, established/related and a "support" list).
# NOTE(review): policy= grants ftp,reboot,password,sniff,sensitive, none of which adding
# firewall rules needs; least privilege would be read,write (verify on the target ROS
# version). A script with "sensitive"+"password" that is runnable by any user with
# script permissions is a privilege-escalation path.
# NOTE(review): the two catch-all rules inside the script ("Block all access to the
# winbox" and "Drop anything else!") are disabled=yes, so after running it the input
# chain is still default-accept; the script's own comments say to enable them once the
# support address list is populated.
# NOTE(review): the "Accept DNS" rules have no in-interface restriction; if
# /ip dns allow-remote-requests is enabled this exposes the resolver to the WAN.
# Scope them to in-interface-list=LAN (or src-address-list=internal-nets).
# The filter rules below are embedded as one escaped string; whether this script has
# actually been run (and the rules exist in /ip firewall filter) cannot be seen here.
add name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/ip fir\
    ewall filter\r\
    \n\r\
    \nadd action=drop chain=input comment=\"Drop to syn flood list\" disabled=\
    no src-address-list=Syn_Flooder\r\
    \nadd action=add-src-to-address-list address-list=Port_Scanner address-lis\
    t-timeout=1w chain=input comment=\"Port Scanner Detect\"\r\
    \ndisabled=no protocol=tcp psd=21,3s,3,1\r\
    \nadd action=drop chain=input comment=\"Drop to port scan list\" disabled=\
    no src-address-list=Port_Scanner\r\
    \nadd action=jump chain=input comment=\"Jump for icmp input flow\" disable\
    d=no jump-target=ICMP protocol=icmp\r\
    \nadd action=drop chain=input\r\
    \ncomment=\"Block all access to the winbox - except to support list # DO N\
    OT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST\"\r\
    \ndisabled=yes dst-port=8291 protocol=tcp src-address-list=!support\r\
    \nadd action=jump chain=forward comment=\"Jump for icmp forward flow\" dis\
    abled=no jump-target=ICMP protocol=icmp\r\
    \nadd action=drop chain=forward comment=\"Drop to bogon list\" disabled=no\
    \_dst-address-list=bogons\r\
    \nadd action=add-src-to-address-list address-list=spammers address-list-ti\
    meout=3h chain=forward comment=\"Add Spammers to the list for 3 hours\"\r\
    \nconnection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protoco\
    l=tcp\r\
    \nadd action=drop chain=forward comment=\"Avoid spammers action\" disabled\
    =no dst-port=25,587 protocol=tcp src-address-list=spammers\r\
    \nadd action=accept chain=input comment=\"Accept DNS - UDP\" disabled=no p\
    ort=53 protocol=udp\r\
    \nadd action=accept chain=input comment=\"Accept DNS - TCP\" disabled=no p\
    ort=53 protocol=tcp\r\
    \nadd action=accept chain=input comment=\"Accept to established connection\
    s\" connection-state=established\r\
    \ndisabled=no\r\
    \nadd action=accept chain=input comment=\"Accept to related connections\" \
    connection-state=related disabled=no\r\
    \nadd action=accept chain=input comment=\"Full access to SUPPORT address l\
    ist\" disabled=no src-address-list=support\r\
    \nadd action=drop chain=input comment=\"Drop anything else! # DO NOT ENABL\
    E THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED\"\r\
    \ndisabled=yes\r\
    \nadd action=accept chain=ICMP comment=\"Echo request - Avoiding Ping Floo\
    d\" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=\"Echo reply\" disabled=no icmp-opt\
    ions=0:0 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=\"Time Exceeded\" disabled=no icmp-\
    options=11:0 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=\"Destination unreachable\" disable\
    d=no icmp-options=3:0-1 protocol=icmp\r\
    \nadd action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 \
    protocol=icmp\r\
    \nadd action=drop chain=ICMP comment=\"Drop to the other ICMPs\" disabled=\
    no protocol=icmp\r\
    \nadd action=jump chain=output comment=\"Jump for icmp output\" disabled=n\
    o jump-target=ICMP protocol=icmp"
/tool graphing interface
# Interface graphs for the bridge only (kept in RAM, not flash).
add interface=bridge store-on-disk=no
/tool traffic-monitor
# threshold=0 means the monitor fires on any traffic; it has no on-event action here,
# so this entry is effectively inert unless something else references tmon1.
add interface="ether1-gateway DSL 1" name=tmon1 threshold=0
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
# Per-profile rate limits (all-day, every day). The first entry has no profile= value.
# NOTE(review): "2Mbit Bardien" appears twice (two identical limitations on one profile)
# and "2MbnDavis " carries a trailing space in its name — both are easy to mis-select
# in the UI; consider removing the duplicate and renaming the latter.
add from-time=0s limitation=8Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile=2Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=4Mbit profile=4Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=1Mbit profile=1Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2MbnDavis " till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2mb domingo" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Salie" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Atta Mohamed" till-time=\
    23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=8Mbit profile=8Mbit till-time=23h59m59s weekdays=\
    sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=2Mbit profile="2Mbit Bardien" till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=20Mbit profile=20Mbit till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
# The NAS entry for this router itself (192.168.88.2, matching /radius above); coa-port
# matches /radius incoming.
# NOTE(review): shared-secret="" — if this export does not hide secrets (the wireless
# fields next to it are also exported as empty strings), the RADIUS exchange between
# PPP and User Manager is unauthenticated: anyone who can reach udp/1812-1813 or 1700
# on 192.168.88.2 could forge Access-Accept or CoA packets. Set a strong secret here and
# in /radius, and confirm the input filter limits those ports to localhost.
add coa-port=1700 customer=admin disabled=no ip-address=192.168.88.2 log=\
    auth-fail name=RB750UP shared-secret="" use-coa=yes
/tool user-manager user
# PPPoE subscribers with a fixed framed IP each. Passwords are not present in this export
# (presumably hidden); the wireless-* fields are irrelevant for PPPoE and left empty.
# Note that shared-users=unlimited lets one credential be used for any number of
# simultaneous sessions, so a leaked account cannot be detected from session counts.
add customer=admin disabled=no ip-address=192.168.88.110 shared-users=\
    unlimited username=samodien@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.103 shared-users=\
    unlimited username=domingo@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.105 shared-users=\
    unlimited username=bardien@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.106 shared-users=\
    unlimited username=attamohamed@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no ip-address=192.168.88.115 shared-users=\
    unlimited username=abdol2@spiderweb wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 4:50 pm

/ip route print
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 ISP1 1
1 A S 0.0.0.0/0 ISP2 1
2 A S 0.0.0.0/0 ISP1 1
3 S 0.0.0.0/0 ISP2 2
4 ADC 10.0.0.0/24 10.0.0.3 ether3-slave-lo... 0
5 ADC 10.0.0.0/32 10.0.0.2 ether1-gateway ... 0
6 ADC 1.1.1.1 2.2.2.2 ISP2 0
ISP1
7 ADC 192.168.88.0/24 192.168.88.2 bridge 0
ether1-gateway ...

Sorry, I am a bit confused with how you explained to translate public IP.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 4:52 pm

# ADDRESS NETWORK INTERFACE
0 192.168.88.2/24 192.168.88.0 bridge
1 10.0.0.2/32 10.0.0.0 ether1-gateway DSL 1
2 192.168.88.4/32 192.168.88.4 ether4-slave-local BASE HOUSE
3 D 192.168.88.2/24 192.168.88.0 ether1-gateway DSL 1
4 D 10.0.0.3/24 10.0.0.0 ether3-slave-local DSL 2
5 D 192.168.88.198/32 192.168.88.106 <pppoe-attamohamed@spiderweb>
6 D 192.168.88.197/32 192.168.88.105 <pppoe-bardien@spiderweb>
7 D 192.168.88.200/32 192.168.88.103 <pppoe-domingo@spiderweb>
8 D 1.1.1.1/32 3.3.3.3 ISP2
9 D 2.2.2.2/32 3.3.3.3 ISP1
10 D 192.168.88.199/32 192.168.88.110 <pppoe-samodien@spiderweb>
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 4:59 pm

 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 05, 2018 5:35 pm

Sorry, I am a bit confused with how you explained to translate public IP.
That's nothing compared to my confusion caused by your network topology.

ether1 seems to, at the same time,
  • be a carrier interface for a WAN PPPoE client interface ISP1
  • have an IP address assigned dynamically by DHCP from the same subnet you use on your LAN bridge (192.168.88.2/24),
  • bear another IP address assigned statically, 10.0.0.2/32.
ether3 is a carrier interface for a WAN PPPoE client interface ISP2 and at the same time it has a dynamically assigned IP address 10.0.0.3/24.

So I don't understand the overall topology and I just hope you do.

I wouldn't mind much the IP addresses on carrier interfaces of PPPoE client interfaces (maybe they are used to manage the connected DSL modem), but I am afraid of the same or overlapping subnets being used on unrelated interfaces.

Other than that, I can see that you have replaced the public IP assigned by the ISP by 1.1.1.1 and the other one by 2.2.2.2, but the gateway IP of both is replaced by 3.3.3.3. Does it really mean that it is the same in both cases? If yes, are both these connections from the same ISP?

Also, please post /ip route print detail, I forgot that the routing-marks are not shown without the detail.

Only from the /ip address print and /ip route print I've understood that you probably have no client devices connected to the device's local LAN and you test the load distribution from your PPPoE clients pppoe-userXXX@spiderweb, correct? If so, replace the in-interface=bridge in the two mangle rules with action=mark-routing by in-interface-list=all-ppp and try again.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 12, 2018 1:39 pm

That's nothing compared to my confusion by your network topology.

So I don't understand the overall topology and I just hope you do.
Forgive me hahaha. I built this network when I knew VERY little about networking. (Still do), so thanks for the patience.
I wouldn't mind much the IP addresses on carrier interfaces of PPPoE client interfaces (maybe they are used to manage the connected DSL modem), but I am afraid of the same or overlapping subnets being used on unrelated interfaces.
They are supposed to be used for managing the DSL routers, yes.
Other than that, I can see that you have replaced the public IP assigned by the ISP by 1.1.1.1 and the other one by 2.2.2.2, but the gateway IP of both is replaced by 3.3.3.3. Does it really mean that it is the same in both cases? If yes, are both these connections from the same ISP?
Yes - they are the same (This refers to the network IP. Is this the gateway?)

Only from the /ip address print and /ip route print I've understood that you probably have no client devices connected to the device's local LAN and you test the load distribution from your PPPoE clients pppoe-userXXX@spiderweb, correct? If so, replace the in-interface=bridge in the two mangle rules with action=mark-routing by in-interface-list=all-ppp and try again.
THIS HAS MADE IT WORK!!! THANK YOU!! :D
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 12, 2018 1:41 pm

Would you still like to see ip route print detail?
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 12, 2018 2:14 pm

Other than that, I can see that you have replaced the public IP assigned by the ISP by 1.1.1.1 and the other one by 2.2.2.2, but the gateway IP of both is replaced by 3.3.3.3. Does it really mean that it is the same in both cases? If yes, are both these connections from the same ISP?
Yes - they are the same (This refers to the network IP. Is this the gateway?)
That's actually a tough question.

For an interface connected to a point-to-multipoint "environment" (ethernet, most wireless ones), you need the IP address of the gateway device so the networking stack could identify first the interface to use (as the gateway IP address and the local address on one of the multipoint interfaces belong to the same IP subnet) and then, using the ARP protocol, the MAC address of the gateway device accessible through that interface, and send the packets for other IP addresses to that device via that interface for forwarding them further.

For an interface connected to a point-to-point channel (serial lines, tunnels), the gateway device is by nature "the remote end of the line/tunnel", so although that remote device may have an IP address, you rarely need to use that address on your end. You can specify such a remote IP address as a gateway and the networking stack will translate it into the interface name, but you can get the same result by specifying the interface name directly as route's gateway.

In some situations (recursive next-hop search, which is among other things useful for implementation of scriptless failover monitoring the actual availability of a WAN link), you have to use only IP addresses as gateway identifiers, but in these situations two identical addresses break things because you need unique ones by principle - you cannot augment that identifier with anything else.
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Wed Sep 12, 2018 2:15 pm

Would you still like to see ip route print detail?
As it works, no need now.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 12:36 pm

Hi Sindy

This method has been working really well over the last while - thanks again.

Now, as user number increases, I've noticed something -

When the network is busy, there are a few clients who end up getting no bandwidth , even though for example only WAN1 is maxed out, but bandwidth is available on WAN 2.

This results in those specific clients having momentary internet disconnection and cannot surf/browse until say another client stops browsing and space becomes available on WAN 1, or the connection somehow realises it can go to WAN2.

Is this an unfixable disadvantage of this setup?

It seems to be affecting QoS negatively.

Thanks!
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 1:31 pm

The only thing which decides which connection will use which WAN are the two rules below:

# The two PCC rules as they stood in the original export (in-interface=bridge, 1:1 split).
# Earlier in the thread this was changed to in-interface-list=all-ppp so that PPPoE server
# clients are classified; the rules are quoted here only as the point of reference.
add action=mark-routing chain=prerouting in-interface=bridge \
new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=\
src-address-and-port:2/0
add action=mark-routing chain=prerouting in-interface=bridge \
new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
src-address-and-port:2/1


So first question would be whether both PPPoE connections have the same contracted speed (and thus the reason why there remains free bandwidth on WAN2 is that the two rules do not distribute the traffic evenly among the WANs) or whether you need to point a bigger share of the total traffic to WAN2 as it has more bandwidth available in absolute figures.

If the WANs have a different contract bandwidth, or if you can see that the traffic volume distribution is systematically directing more traffic to WAN1, you can modify the rules above to change the distribution ratio from 1:1 to n:m (n<m) by using n+1 rules instead of those two: the first n ones with per-connection-classifier=src-address-and-port:X/Y, where X=n+m and Y is one of n randomly chosen numbers from 0 to (n+m-1), assigning the routing-mark for the thinner WAN, and the last one having no per-connection-classifier condition and assigning the routing-mark for the fatter WAN.

The per-connection-classifier hash may not distribute the traffic evenly enough because some clients (addresses) may be more hungry than others and the way the hash is calculated may send requests from these clients to the same WAN. So reassigning client addresses might help if you are able to track this down.

Introducing full randomness in WAN choice would be quite complicated here, given that it requires to use connection-mark. The per-connection-classifier gives the same result (match or non-match) on all packets belonging to the same connection because it only uses the invariant attributes of the connection (addresses and port) for its verdict; if you use random, you have to "remember" the choice made when handling the initial packet of the connection, which is what connection-mark is used for. But you already use connection-mark for QoS, so you would have to use combined connection marks representing both the traffic class (to be converted into packet-mark) and the wan choice (to be converted into routing-mark). This would actually have also a positive side as you could then control QoS on each uplink separately, but it would require a serious reworking of the mangle rules.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 1:50 pm

The only thing which decides which connection will use which WAN are the two rules below:

# (Quoted back from the previous reply: the original 1:1 PCC rules, in-interface=bridge form.)
add action=mark-routing chain=prerouting in-interface=bridge \
new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=\
src-address-and-port:2/0
add action=mark-routing chain=prerouting in-interface=bridge \
new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
src-address-and-port:2/1


So first question would be whether both PPPoE connections have the same contracted speed
WAN 1 is about 10Mbit and WAN 2 about 7.5Mbit.
If the WANs have a different contract bandwidth, or if you can see that the traffic volume distribution is systematically directing more traffic to WAN1, you can modify the rules above to change the distribution ratio from 1:1 to n:m (n<m) by using n+1 rules instead of those two: the first n ones with per-connection-classifier=src-address-and-port:X/Y, where X=n+m and Y is one of n randomly chosen numbers from 0 to (n+m-1), assigning the routing-mark for the thinner WAN, and the last one having no per-connection-classifier condition and assigning the routing-mark for the fatter WAN.


Will have to take some time to understand this.
The per-connection-classifier hash may not distribute the traffic evenly enough because some clients (addresses) may be more hungry than others and the way the hash is calculated may send requests from these clients to the same WAN. So reassigning client addresses might help if you are able to track this down.
This may be the case, so is it correct to say that hungry addresses are maxing WAN1, but then why are non-hungry addresses not jumping to WAN2? Would it be possible to split bandwidth from hungry addresses over both WAN to reduce pressure?
This would actually have also a positive side as you could then control QoS on each uplink separately, but it would require a serious reworking of the mangle rules.
I would like to manage QoS per client. Been reading up and watching tutorials.
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 2:08 pm

Putting the n,m maths simply using an example (I do know that the actual distribution of traffic is reverse, it is just an example):
WAN1 has 10 Mbit/s, WAN2 only 7.5 Mbit/s. So let's think about it as 4 times 2.5 Mbit/s and 3 times 2.5Mbit/s. So you want 4/7 of the total traffic on WAN1 and 3/7 of the total traffic on WAN2.
And we are lazy so we want as few rules as possible.

So we use three rules to send the 3/7 to WAN2 and let the rest go to WAN1.

So three rules would have the per-connection-classifier divider and remainder values set to 7/0, 7/1 and 7/2. What none of these rules matches on would match 7/3 to 7/6, so we may assign the other routing-mark using a single rule which must be the very last one in the chain (but you can create a custom chain only for the purpose).


"Non-hungry addresses" cannot jump anywhere. per-connection-classifier has no knowledge of the current load of the WANs, it only uses addresses and ports to decide. Nor do the routing tables chosen by routing-mark have any information about the WAN load, so adding a route via WAN2 with a higher distance value to the routing table "via-WAN1" won't help.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 2:43 pm

So three rules would have the per-connection-classifier divider and remainder values set to 7/0, 7/1 and 7/2.


I get this part.
What none of these rules matches on would match 7/3 to 7/6, so we may assign the other routing-mark using a single rule which must be the very last one in the chain (but you can create a custom chain only for the purpose).
A bit confused here.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 2:48 pm

# Proposed 7-way PCC split (1/7 to ISP1, 2/7 to ISP2, the remaining 4/7 unmarked).
# NOTE(review): in-interface=all-ppp names a single interface, whereas the fix that made
# load balancing work earlier in the thread used in-interface-list=all-ppp; the two
# matchers are not interchangeable. Also, with no final catch-all rule, remainders 3..6
# never get a routing mark and follow the main-table default route (ISP1).
add action=mark-routing chain=prerouting in-interface=all-ppp \
    new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=\
    src-address-and-port:7/0
add action=mark-routing chain=prerouting in-interface=all-ppp \
    new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
    src-address-and-port:7/1
add action=mark-routing chain=prerouting in-interface=all-ppp \
    new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
    src-address-and-port:7/2
Is this correct?
 
sindy

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 3:19 pm

The above sends 1/7 of all requests to WAN1 (first rule), 2/7 of all requests to WAN2 (second and third rule), and the remaining 4/7 to whatever is the WAN of the default route in the default routing table (with no routing-mark).

What I had in mind was

# Intended 4:3 split: remainders 0,1,2 of 7 go to ISP2 (3/7), everything else to ISP1 (4/7).
# NOTE(review): the fourth rule repeats src-address-and-port:7/2, which the third rule
# already consumes with passthrough=no, so it can never match and remainders 3..6 stay
# unmarked. Per the scheme described in the post above, the last rule should carry no
# per-connection-classifier at all so that it catches whatever the first three did not.
add action=mark-routing chain=prerouting in-interface-list=all-ppp \
new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
src-address-and-port:7/0
add action=mark-routing chain=prerouting in-interface-list=all-ppp \
new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
src-address-and-port:7/1
add action=mark-routing chain=prerouting in-interface-list=all-ppp \
new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
src-address-and-port:7/2
add action=mark-routing chain=prerouting in-interface-list=all-ppp \
new-routing-mark=to_ISP1 passthrough=no per-connection-classifier=\
src-address-and-port:7/2




Which BTW brings me to a thought - if there is some traffic from other sources than pppoe clients, that traffic doesn't match in-interface-list=all-ppp and thus it uses the default route of the default routing table which probably sends it out via WAN1. Which would explain better than a biased per-connection-classifier hash why you can see more traffic on WAN1. Counter rules in chain=postrouting of /ip firewall mangle, which seems to be empty so you don't need to worry about ruining anything by adding them, should show you that:

/ip firewall mangle
# Diagnostic counters only: action=accept in mangle ends mangle processing for
# the packet and changes nothing else, so these rules neither filter nor mark.
# Order matters: the two routing-mark rules come first, so the last two count
# only packets that leave each WAN WITHOUT a routing mark (i.e. traffic the PCC
# rules never saw, e.g. from non-PPP interfaces or the router itself).
add chain=postrouting action=accept routing-mark=to_ISP1 out-interface=ISP1
add chain=postrouting action=accept routing-mark=to_ISP2 out-interface=ISP2
add chain=postrouting action=accept out-interface=ISP1
add chain=postrouting action=accept out-interface=ISP2


The rules with routing-mark match conditions count the routing-marked outgoing packets; the other two count those without a routing mark.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 3:56 pm

Okay, so I've added accordingly.

What I notice now is that one connection, e.g. my home PPPoE, cannot access both WANs and run at full bandwidth, i.e. 17.5 Mbit.

Is this correct?
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 4:03 pm

Sorry - re-added and it seems to be working.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 4:08 pm

Will wait to monitor the network once everyone is home from work etc. and things get busy.
 
ZSam

Re: Load Balance/Dual WAN (PPPoE Dial out) + PPPoE Server HELP

Thu Oct 25, 2018 4:32 pm

So to improve QoS and reduce strain on bandwidth, I'd like to prioritize bandwidth in the following way:

1 - HTTP Browsing, Youtube, WhatsApp, Facebook Instagram and other social media
2 - WhatsApp/Skype/VoIP and Video calls (mobile)
3 - Video Streaming sites and Netflix etc.
4 - P2P limited to ZERO when the network is busy, but allowed the user's full bandwidth allocation when not.

Questions:
a) Can this be implemented for the network as a whole or does it have to be done per client?
b) Do the queues HAVE to be allocated only a portion of the bandwidth (relative in amount to importance), or can they (all protocols) each be allowed to pull the full available bandwidth in the event that say (for understanding purposes), all clients are doing HTTP, or YouTube, or Netflix?
So essentially, if everyone is streaming, the full bandwidth is used (limited per user by their PPPoE profile limit), but when someone wants to browse, they can then use their full bandwidth to browse or YouTube, while others continue streaming at their full bandwidth?

HOPE THIS MAKES SENSE.

I have the following mangle rules:
*I am not sure if they are set up correctly in terms of interfaces they are pointed at etc. as when trying to create queue trees, I do not see traffic flow through the queues.
/ip firewall mangle
# QoS packet/connection marks for the queue trees, followed by the PCC routing
# marks at the very end of the chain. Everything is in chain=prerouting, so the
# rules see packets from the PPPoE clients and from the WAN side alike, and a
# packet keeps only ONE packet mark: with passthrough=yes the last matching
# mark-packet rule wins.
#
# NOTE(review): that last point explains why several "-in" marks never reach
# the queues. For admin, streaming-video, http, games, GRE and ESP the "-out"
# rule below its "-in" rule matches a superset of it (connection-mark or
# protocol only, no interface or address-list), so inbound packets get the
# "-in" mark and then have it replaced by "-out". Restrict each "-out" rule
# to the client side (e.g. src-address-list=internal-nets, as the VoIP rules
# already do) so the two directions stop overlapping.
#
# Also note that every interface-based "-in" match names only one WAN
# ("ether1-gateway DSL 1" or ISP1); traffic arriving on the second WAN gets
# no "-in" mark at all.
add action=mark-packet chain=prerouting comment=\
    "internal-traffic packet mark" dst-address-list=internal-nets \
    new-packet-mark=internal-traffic passthrough=yes src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment=\
    "customer-servers-out packet mark" new-packet-mark=customer-servers-out \
    passthrough=yes src-address-list=customer-servers
add action=mark-packet chain=prerouting comment=\
    "customer-servers-in packet mark" dst-address-list=customer-servers \
    new-packet-mark=customer-servers-in passthrough=yes
# Admin traffic. These are queue marks only: tagging tcp 20,21,22,23,3389,8291
# as "admin" does not restrict who may reach those ports on the router or the
# clients; access control for them belongs in /ip firewall filter.
add action=mark-packet chain=prerouting comment="admin-in packet mark DNS" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=admin-in passthrough=\
    yes protocol=udp src-port=53
add action=mark-packet chain=prerouting comment="admin-in packet mark snmp" \
    dst-port=161 in-interface="ether1-gateway DSL 1" new-packet-mark=admin-in \
    passthrough=yes protocol=udp
# Unlike the icmp rule after it, this rule has no src-address-list, so it marks
# matching connections from any source, including ones arriving from the WANs.
add action=mark-connection chain=prerouting comment=\
    "Remote Protocols admin connection mark" new-connection-mark=admin \
    passthrough=yes port=20,21,22,23,3389,8291 protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "icmp connection mark as admin" new-connection-mark=admin passthrough=yes \
    protocol=icmp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="admin-in packet mark" \
    connection-mark=admin in-interface="ether1-gateway DSL 1" \
    new-packet-mark=admin-in passthrough=yes
add action=mark-packet chain=prerouting comment="admin-out packet mark" \
    connection-mark=admin new-packet-mark=admin-out passthrough=yes
# The streaming-video connection mark these two rules rely on is not set
# anywhere in this list — presumably by a rule outside the posted excerpt.
add action=mark-packet chain=prerouting comment=\
    "streaming video in packet mark" connection-mark=streaming-video \
    in-interface="ether1-gateway DSL 1" new-packet-mark=streaming-video-in \
    passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "streaming video out packet mark" connection-mark=streaming-video \
    new-packet-mark=streaming-video-out passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" dst-port=80,443 new-connection-mark=http \
    passthrough=yes protocol=tcp src-address-list=internal-nets
# Re-marks an http connection as http-download once it has carried 5 MB
# (connection-bytes); the two packet-mark rules below only look for "http",
# so http-download connections fall out of the http queues from then on.
add action=mark-connection chain=prerouting comment=\
    "http traffic connection mark" connection-bytes=5000000-4294967295 \
    dst-port=80,443 new-connection-mark=http-download passthrough=yes \
    protocol=tcp src-address-list=internal-nets
# NOTE(review): "http in" and "http out" have identical match conditions
# (connection-mark=http in-interface=ISP1), so the second overwrites the first
# and no packet ends up marked http-in. The other in/out pairs put in-interface
# only on the -in rule; dropping in-interface=ISP1 from "http out" is the
# likely fix. ISP1 here vs "ether1-gateway DSL 1" elsewhere: confirm these are
# the same interface.
add action=mark-packet chain=prerouting comment="http in packet mark" \
    connection-mark=http in-interface=ISP1 new-packet-mark=http-in \
    passthrough=yes
add action=mark-packet chain=prerouting comment="http out packet mark" \
    connection-mark=http in-interface=ISP1 new-packet-mark=http-out \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "wow connetion mark as gaming" dst-port=\
    1119,3724,6112-6114,4000,6881-6999 new-connection-mark=games passthrough=\
    yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "eve online connetion mark as gaming" dst-address=87.237.38.200 \
    new-connection-mark=games passthrough=yes src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "starcraft 2 connetion mark as gaming" dst-port=1119 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "heros of newerth connetion mark as gaming" dst-port=11031,11235-11335 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-connection chain=prerouting comment=\
    "steam connetion mark as gaming" dst-port=27014-27050 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-connection chain=prerouting comment=\
    "xbox live connetion mark as gaming" dst-port=3074 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "ps3 online connetion mark as gaming" dst-port=5223 new-connection-mark=\
    games passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-connection chain=prerouting comment=\
    "wii online connetion mark as gaming" dst-port=28910,29900,29901,29920 \
    new-connection-mark=games passthrough=yes protocol=tcp src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment=\
    "games packet mark forever-saken-game" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes src-address-list=\
    forever-saken-game
add action=mark-packet chain=prerouting comment=\
    "games packet mark starcraft2" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes protocol=udp src-port=1119,6113
add action=mark-packet chain=prerouting comment="games packet mark wow" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=53,3724
add action=mark-packet chain=prerouting comment="games packet mark HoN" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=11031,11235-11335
# NOTE(review): the only packet-mark rule with passthrough=no. A packet it
# matches skips every rule below, including the PCC routing marks at the end
# of the chain; if such packets should be load-balanced, use passthrough=yes.
add action=mark-packet chain=prerouting comment="games packet mark steam in" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=no \
    port=4380,28960,27000-27030 protocol=udp
# Port list repeats 4380 and 28960 (harmless).
add action=mark-packet chain=prerouting comment="games packet mark steam out" \
    dst-port=53,1500,3005,3101,3478,4379-4380,4380,28960,27000-27030,28960 \
    new-packet-mark=games-out passthrough=yes protocol=udp src-address-list=\
    internal-nets
add action=mark-packet chain=prerouting comment="games packet mark xbox live" \
    dst-address-list=external-nets new-packet-mark=games-in passthrough=yes \
    protocol=udp src-port=88,3074,3544,4500
add action=mark-packet chain=prerouting comment=\
    "games packet mark ps3 online" dst-address-list=external-nets \
    new-packet-mark=games-in passthrough=yes protocol=udp src-port=\
    3478,3479,3658
add action=mark-packet chain=prerouting comment="games packet mark in" \
    connection-mark=games dst-address-list=external-nets new-packet-mark=\
    games-in passthrough=yes
add action=mark-packet chain=prerouting comment="games packet mark out" \
    connection-mark=games new-packet-mark=games-out passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark teamspeak" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark teamspeak" dst-port=9987 new-packet-mark=voip-out \
    passthrough=yes protocol=udp src-address-list=internal-nets
# NOTE(review): duplicate of the "voip-in packet mark teamspeak" rule two
# rules up (same match, same voip-in mark); the comment says voip-out, so this
# looks like a stray copy and can be removed.
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark teamspeak" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=9987
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=udp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=yes protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment=\
    "voip-in packet mark ventrilo" dst-address-list=external-nets \
    new-packet-mark=voip-in passthrough=yes protocol=tcp src-port=3784
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark ventrilo" dst-port=3784 new-packet-mark=voip-out \
    passthrough=yes protocol=tcp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=yes \
    port=5060 protocol=tcp
add action=mark-packet chain=prerouting comment="voip-out packet mark SIP" \
    new-packet-mark=voip-out passthrough=yes port=5060 protocol=tcp \
    src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark udp SIP" \
    dst-address-list=internal-nets new-packet-mark=voip-in passthrough=yes \
    port=5004,5060 protocol=udp
add action=mark-packet chain=prerouting comment=\
    "voip-out packet mark udp SIP" new-packet-mark=voip-out passthrough=yes \
    port=5004,5060 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="voip-in packet mark RTP" \
    dst-address-list=internal-nets new-packet-mark=voip-in packet-size=\
    100-400 passthrough=yes port=16348-32768 protocol=udp
# NOTE(review): sets new-packet-mark=voip-in although the comment (and the
# src-address-list=internal-nets match) say this is the outbound RTP rule;
# presumably it should be new-packet-mark=voip-out.
add action=mark-packet chain=prerouting comment="voip-out packet mark RTP" \
    new-packet-mark=voip-in packet-size=100-400 passthrough=yes port=\
    16348-32768 protocol=udp src-address-list=internal-nets
add action=mark-packet chain=prerouting comment="vpn-in packet mark GRE" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=gre
add action=mark-packet chain=prerouting comment="vpn-out packet mark GRE" \
    new-packet-mark=vpn-out passthrough=yes protocol=gre
add action=mark-packet chain=prerouting comment="vpn-in packet mark ESP" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="vpn-out packet mark ESP" \
    new-packet-mark=vpn-out passthrough=yes protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=\
    "vpn-in packet mark VPN UDP ports" in-interface="ether1-gateway DSL 1" \
    new-packet-mark=vpn-in passthrough=yes protocol=udp src-port=\
    500,1701,4500
# NOTE(review): the -out rule matches src-port, like the -in rule. For a
# client connecting out to a remote VPN server the well-known port is the
# dst-port, so this only catches replies from a local VPN server — confirm
# which direction is intended (same question for the PPTP -out rule below).
add action=mark-packet chain=prerouting comment=\
    "vpn-out packet mark VPN UDP ports" new-packet-mark=vpn-out passthrough=\
    yes protocol=udp src-port=500,1701,4500
add action=mark-packet chain=prerouting comment="vpn-in packet mark PPTP" \
    in-interface="ether1-gateway DSL 1" new-packet-mark=vpn-in passthrough=\
    yes protocol=tcp src-port=1723
add action=mark-packet chain=prerouting comment="vpn-out packet mark PPTP" \
    new-packet-mark=vpn-out passthrough=yes protocol=tcp src-port=1723
# Load balancing, last in the chain so passthrough=no cannot skip any QoS rule.
# src-address-and-port PCC with seven buckets: buckets 0-2 (3/7 of flows)
# -> to_ISP2, every other packet from a PPP client -> to_ISP1 via the final
# catch-all rule (4/7). Only in-interface=all-ppp traffic is marked; packets
# from other interfaces and from the router itself follow the default routing
# table. (The reply earlier in the thread writes this match as
# in-interface-list=all-ppp; confirm which form the RouterOS in use accepts.)
add action=mark-routing chain=prerouting in-interface=all-ppp \
    new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
    src-address-and-port:7/0
add action=mark-routing chain=prerouting in-interface=all-ppp \
    new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
    src-address-and-port:7/1
add action=mark-routing chain=prerouting in-interface=all-ppp \
    new-routing-mark=to_ISP2 passthrough=no per-connection-classifier=\
    src-address-and-port:7/2
add action=mark-routing chain=prerouting in-interface=all-ppp \
    new-routing-mark=to_ISP1 passthrough=no
