Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

p0p · Fri Feb 16, 2024 3:37 pm

Hey,
I need help setting up a load balancer between the interfaces eth1 and lte1 please.
There are tutorials like this https://www.youtube.com/watch?v=klnUvBXEVQI and that one https://www.youtube.com/watch?v=dLI2bcH0grw but the Interface lte1 isn't selectable. It seems like LTE connections are treated differently inside RouterOS.

eth1 is connected to the internet over LAN/WAN through a server of my students dorm. It needs a DHCP client to work.
As the connection isn't reliable I need a failover strategy through one of the interfaces, eth1 xor lte1, if one of the connection fails.

Special: I want to keep the DNS configuration using DoH over Cloudflare.

Router: S53UG+M-5HaxD2HaxD (arm64)
LTE/5G module: RG502Q-EA

Thanks in advance for your help!
p0p

Amm0 · Fri Feb 16, 2024 3:55 pm

You mention load balance & failover. Do you mean: if BOTH "ether1" ("dorm server with DHCP") and "lte1" have working internet, split the traffic between them & if one fails all internet traffic goes out the one working one? Or do you want it always using ether1 if it's working, and only use LTE if ether1 is down?

Also, do you have LTE already setup? e.g. if you unplug ether1, does the Chateau work via the LTE? If so, do a speediest (or several) to get a sense of the LTE speed. Then plugin ether1, and do same speed test with "dorm-server internet". e.g. If you want to load balance, it's helpful to know the relative performance of two internet (dhcp and lte), to know HOW to "balance" them.

Mesquite · Fri Feb 16, 2024 4:22 pm

So it would appear ether1, is a fixed private IP you get from an upstream router?
The LTE would appear to be possibly a public IP that is dynamic (can change)??

Amm0 · Fri Feb 16, 2024 6:25 pm

So it would appear ether1, is a fixed private IP you get from an upstream router?
The LTE would appear to be possibly a public IP that is dynamic (can change)??

Both are dynamic I believe. First step be making sure LTE is working

Out of the box... if LTE is working, and WAN is plugged into ether1.... unplugging the ether1 will cause a failover. The issue may not be sufficient e.g. understandably most folk actually want to switch if there is no internet (but the ethernet is still connected). But out-of-box default do failover "manually".

But @Mesquite make a good point about DHCP WANs.... The main thing that makes this tricky is you need a "DHCP Client Lease Script", see https://help.mikrotik.com/docs/display/ ... iptexample to deal with dynamic IP. But WHAT goes into that script depending on the preferences and decision on the HOW you want to LB/failover....

Essentially ALL failover and/or load balancing requires some "liveness" check. This is usually done by setting "check-gateway=ping" on the default route. With the distance= on the default routes controlling the order of multiple internet routes. In /ip/route, the lowest wins; if two routes have same distance= values, that creates ECMP load balance based on src/dst addresshashing). For background: https://help.mikrotik.com/docs/display/ ... g-Overview .

p0p · Wed Feb 21, 2024 11:22 am

You mention load balance & failover. Do you mean: if BOTH "ether1" ("dorm server with DHCP") and "lte1" have working internet, split the traffic between them & if one fails all internet traffic goes out the one working one? Or do you want it always using ether1 if it's working, and only use LTE if ether1 is down?

Also, do you have LTE already setup? e.g. if you unplug ether1, does the Chateau work via the LTE? If so, do a speediest (or several) to get a sense of the LTE speed. Then plugin ether1, and do same speed test with "dorm-server internet". e.g. If you want to load balance, it's helpful to know the relative performance of two internet (dhcp and lte), to know HOW to "balance" them.

Really good questions, thanks!
- Yes, both (eth1 and lte1) have working internet
- Yes, LTE is set up and working the speed is around 70 mbps at day and 200 mbps at night (depends of the usage of the cell towers)
- Yes, eth1 is connected to the dorm-internet-server and needs a DHCP-client to work to retrieve an IP from the dorm-internet-server. The speed is around 25 mbps at day and 80 mbps at night.

- Yes, I want to split the internet traffic between them
- Yes, if one fails, all internet traffic should be forwarded to the working port
- No, at this point I don't know how to balance them and what's important to know.

Also it would be helpful to know the setup of the firewall against security breaches.

So it would appear ether1, is a fixed private IP you get from an upstream router?
The LTE would appear to be possibly a public IP that is dynamic (can change)??

- Yes, eth1 gets a fixed private ID from the dorm-internet-server (router)
- I don't know if the lte1 public ip is dynamic and can change.

Question:
I want to achieve that the lte1 intereface is "selectabel" in the device list and gets a fixed IP. As workaround: Would it work if I create a virtual ethernet interface (virteth1) with a fixed IP and forward the lte1 traffic though the virtual ethernet? Afterwards setup load balancing between eth1 and virteth1...

Mesquite · Wed Feb 21, 2024 9:36 pm

Okay so this a Chateau unit with an LTE module/capability.

1. Got it you get LTE of unknown type and thus dont know if the ISP provides a fixed IP, or a dynamic IP that changes?
2. Dont know if the LTE IP is actually public, or cgnat type, either ?? Can you call them and ask??
3. Can you confirm that you always get the same IP address from the "dorm server" ???

Reading your statements it would appear to be that you want.
a. User LAN traffic is split between both connections
b. Some method for LAN users to be able to select LTE and bypass the sharing noted in a?? ( not sure why but is it a requirement).
c. each provides failover for the other...........
d. any vpn traffic remote connection needs to the router ( for remote access to chateau subnets, to access chateau internet or routerconfig when remote? )
e. any server traffic??

Mesquite · Wed Feb 21, 2024 9:42 pm

Conceptually speaking,,,,,,,
LTE is roughly double that of dorm wrt throughput.
Thus would PCC 3 connections to provide a 2:1 type ration..
session X goes to LTE
session X +1 goes to dorn
session X+2 goes to LTE
rinse and repeat.

++++++++++++++++++++++++++++++++++++

If you want partition some traffic only to LTE AND make it selectable that is difficult.
I would handle the selectable by creaing a VLAN that only goes to LTE2
I would assign one port on the chateua for that, and create one WLAN associated with that vlan.
Thus you can physically or wifi select the LTE only connection.

However, I would say for simplicity sake, it may not be possible to give that single special port and that LTE only wifi, backup to dorm in case LTE goes down.
No harm done anyway becuase the other ports and other wifi are being used for PCC and thus will have backkup failover working in both directions.

p0p · Thu Feb 22, 2024 4:04 pm

Okay so this a Chateau unit with an LTE module/capability.

1. Got it you get LTE of unknown type and thus dont know if the ISP provides a fixed IP, or a dynamic IP that changes?
2. Dont know if the LTE IP is actually public, or cgnat type, either ?? Can you call them and ask??
3. Can you confirm that you always get the same IP address from the "dorm server" ???

Reading your statements it would appear to be that you want.
a. User LAN traffic is split between both connections
b. Some method for LAN users to be able to select LTE and bypass the sharing noted in a?? ( not sure why but is it a requirement).
c. each provides failover for the other...........
d. any vpn traffic remote connection needs to the router ( for remote access to chateau subnets, to access chateau internet or routerconfig when remote? )
e. any server traffic??

regarding
1. and 2. The LTE ISP allocation of IPs is dynamic and cgnat. Thanks for the hint to call them

3. It's always the same IP adress from the "dorm server"

a. True, this includes LAN and WiFi.
b. Not really a requirement, it's optional / a backup solution "in case of something's wrong, one thing works"
c. True
d. Yes, a WireShark connection to the private network. Atm there is only one "main" subnet.
e. Yes, my Homelab Server on eth4 that's planned to be exposed over Cloudflare Tunnel. Cloudflare configuration will be made on the server.

Thanks for showing me the way through this rabbit hole

Haven't thought of some points you've mentioned.

jaclaz · Thu Feb 22, 2024 4:18 pm

But is actually the LTE "unlimited[1]" data?

[1] the definition of "unlimited" that many ISP's use can vary from "almost unlimited, but don't do too much streaming/downloading, or else ..." to "I mean no more than xx GB/month, noone needs to use more than that", it would be a rare case that they actually mean "unlimited".

Mesquite · Thu Feb 22, 2024 4:22 pm

Okay so b. b for bogus, there is no special requirment for people to access the OTHER WAN.
Since both will be available thru PCC we dont care about b.
Since each will failover to the other we dont care about b.

Now for the tough question.
Can you forward any ports on the dorm server router to your router?
I Suspect not.
Hence this makes life very challenging.
If you could pay for an upgrade on LTE to a proper public IP, not cgnat then you can do more stuff.
++++++++++++++++++++++++++++++++++++++++++++++

Now I know why doing the server over cloudflare........
Suggest zerotier as well for any kind of external connection to the router for config purposes.
Good think is that your router supports cloudflare.

You could also do BTH WIreguard but I am no expert on that.
Basically your router and your remote devices are sent to a relay server that MT has and the connection is done there.
Supposedly works well.

However, this has nothign to do with PCC....which should work fine

p0p · Thu Feb 22, 2024 4:26 pm

Just for clearification:
"Selectabel" by the means of 'lte1 isn't selectable as any other interface on the Mikrotik Frontend'.
lte1 isn't allocated to / used by a bridge or any other device.
Therefore I think RouterOS lte1 interface is a "special kid" and uses some other internal methods for providing internet access to all interfaces.

Image of selectable interfaces:

p0p · Thu Feb 22, 2024 4:32 pm

Off topic:

But is actually the LTE "unlimited[1]" data?

Yesn't. It is "unlimited" in case of fair use. And fair use is a wide term. Users with a similiar contract as mine were kicked of their contract by using over 1TB/month. I don't think that I'll reach those numbers, I would have to download holiday videos in 4k in a huge amount.

Mesquite · Thu Feb 22, 2024 4:53 pm

Relaxing watch: https://www.youtube.com/watch?v=BSJrplxIs6w
https://help.mikrotik.com/docs/display/ ... tupexample
...

lte.jpg

p0p · Thu Feb 22, 2024 4:58 pm

Conceptually speaking,,,,,,,
LTE is roughly double that of dorm wrt throughput.
Thus would PCC 3 connections to provide a 2:1 type ration..
session X goes to LTE
session X +1 goes to dorn
session X+2 goes to LTE
rinse and repeat.

Yes that's one idea, Load Balancing over PCC (Per Connection Classifier). I think one of the videos I mentioned in the 1st post uses this method.
As mentioned before the lte1 interface isn't selectable over the RouterOS frontend so this tutorial isn't working for me.

Okay so b. b for bogus, there is no special requirment for people to access the OTHER WAN.
Since both will be available thru PCC we dont care about b.
Since each will failover to the other we dont care about b.

Now for the tough question.
Can you forward any ports on the dorm server router to your router?
I Suspect not.
Hence this makes life very challenging.
If you could pay for an upgrade on LTE to a proper public IP, not cgnat then you can do more stuff.

Regarding b. ... so let's forget b. and focus on the main stuff.
Regarding port forwarding: No, I don't have virtual/physical access to the dorm server / router and I can't config stuff there. It's more or less just an ISP.
Regarding static IP: Yes it's possible to get an public, dynamic IPv4 address for 50€ but I want to avoid that as folks mentioned in the O2 telefonica DE forums that this solution isn't working properly. Therefore my idea was to forward the lte1 traffic to an virtual interface that manages the connection and this virtual interface would have a fixed IP. So "linking" eth1 and the virtual interface would be possible. This might be bogus as well and the idea just comes from my stomache.

p0p · Thu Feb 22, 2024 5:47 pm

Relaxing watch: https://www.youtube.com/watch?v=BSJrplxIs6w

Important parts:
Private IPv4 address (typical for cgnat)
https://youtu.be/BSJrplxIs6w?t=626
- cgnat shares an public IP address with their clients and isn't routeable (reachable from the Internet)
Public non-static IPv4 address
https://youtu.be/BSJrplxIs6w?t=771
Redundant Setup / Load Balancing
[/url]https://www.youtube.com/watch?v=BSJrplxIs6w&t=1261s
- Routing Table is used to switch between the interfaces based on availability and other conditions

I don't get the "routable setup" part where the speaker talks about using Private IPv4 addresses with Layer2 and Layer 3. Could someone please explain it to me?
https://www.youtube.com/watch?v=BSJrplxIs6w&t=1337s

Also the passthrough part isn't clear to me. I'm "

" atm.

Does it mean that I can passthrough the lte1 connection to a bridge/virtual device/..., put that on the WAN table for firewall rules and create a load balancer / PCC over that?

The video is a high overview that helps to understand technology, opportunities and points to start but it doesn't go deep enough to actually know "what to do" / how to get in action and setup a load balancer.

Mesquite · Thu Feb 22, 2024 6:54 pm

The essentials remain the same, the problem seems to be how to setup LTE, forget about load balancing at the moment, on the chateau.
Did you find the LTE interface tab I displayed?
Did you try and select LTE APN and insert the information provided by the provider ( or perhaps the MODEM ) not sure the entry point for adding an ISP ????

p0p · Thu Feb 22, 2024 7:14 pm

The essentials remain the same, the problem seems to be how to setup LTE, forget about load balancing at the moment, on the chateau.
Did you find the LTE interface tab I displayed?
Did you try and select LTE APN and insert the information provided by the provider ( or perhaps the MODEM ) not sure the entry point for adding an ISP ????

Yes, as mentioned before, LTE / lte1 is up and running:

Mesquite · Thu Feb 22, 2024 8:19 pm

Sorry I didnt see where you said it was up and running. Thus you do have an interface right.

Does it not show up on the interface tab ?
Does it show up anywhere for selection on any rules?? ie the name LTE1 ???

p0p · Thu Feb 22, 2024 9:08 pm

Yes, it does show up:

Yes, I've got a mangle rule set to lte1. I believe this was made by Mikrotik or their support:

Otherwise please tell me what kind of rules do you mean?

Mesquite · Thu Feb 22, 2024 9:17 pm

Can you confirm more information.

Do you get an actual IP address as /32 (single IP)
OR
Do you get some other mask.................

AND
Do you ever get the gateway IP information.

p0p · Fri Feb 23, 2024 2:46 pm

Hi, could you please go into details about your "mask" question?

About the /32 question:

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; defconf
     address=192.168.178.1/24 network=192.168.178.0 interface=bridge 
     actual-interface=bridge 

 1 D address=10.xxx.xxx.205/32 network=10.xxx.xxx.205 interface=lte1 
     actual-interface=lte1

I'm also getting an IPv6 Address:

DG: xaxx:xxxx:xxc:cxxx:xx:33ff:fe25:1214/64
DL: fexx::xx:xxff:fexx:1214/64

About the gateway informations:

[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, m - MODEM
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS        GATEWAY  DISTANCE
DAm 0.0.0.0/0          lte1            2
DAc 10.xxx.xxx.205/32  lte1            0
DAc 192.168.178.0/24   bridge          0

[admin@MikroTik] /routing/route> print
Flags: A - ACTIVE; c - CONNECT, m - MODEM; H - HW-OFFLOADED; B - BLACKHOLE
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
     DST-ADDRESS              GATEWAY                        AFI   DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW                 
Am   0.0.0.0/0                lte1                           ip4          2     30            10  lte1                         
Ac   10.xxx.xxx.205/32        lte1                           ip4          0     10                lte1                         
Ac   192.168.178.0/24         bridge                         ip4          0     10                bridge                       
Am   ::/0                     fexx::ccxx:cxxc:xxxc:3b4%lte1  ip6          2     30            10  fexx::ccxx:cxxc:xxxc:3b4%lte1
Ac   xaxx:xxxx:xxc:c559::/64  lte1                           ip6          0     10                lte1                         
 m B xaxx:xxxx:xxc:c559::/64                                 ip6          1     30            10                               
Ac   fe80::%lte1/64           lte1                           ip6          0     10                lte1                         
Ac   fe80::%bridge/64         bridge                         ip6          0     10                bridge                       
A H  ether3                                                  link         0                                                    
A H  wifi1                                                   link         0                                                    
A H  wifi2                                                   link         0                                                    
A H  lte1                                                    link         0                                                    
A H  bridge                                                  link         0

(x-ed out the IP numbers for privacy reasons

EDIT: ether1 isn't presented in the list because I've temporarily disabled it to just use lte

Mesquite · Fri Feb 23, 2024 4:39 pm

/routing table add fib name=to-dorm
/routing table add fib name=to-LTE

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=LTE2 \
passthrough=yes per-connection-classifier=src-address-and-port:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=dorm1 \
passthrough=yes per-connection-classifier=src-address-and-port:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface-list=LAN new-connection-mark=LTE2 \
passthrough=yes per-connection-classifier=src-address-and-port:3/2
+++++++++++++++++++++++++++++++++++++++++
add action=mark-routing chain=prerouting connection-mark=LTE2 \
new-routing-mark=to-LTE passthrough=no
add action=mark-routing chain=prerouting connection-mark=dorm1 \
new-routing-mark=to-dorm passthrough=no

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 distance=1 gateway=dorm1-gateway-IP routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 distance=2 gateway=lte1 routing-table=main
++++++++++++++++++++++++++++++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=dorm1-gateway-IP routing-table=to-dorm1
add dst-address=0.0.0.0/0 gateway=lte1 routing-table=to-LTE2

You can read up on whats best to use for PCC for your situation,
src address and port, src address alone, both src and dst address etc. etc..........

READ how PCC Works
https://help.mikrotik.com/docs/display/ ... classifier

p0p · Thu Feb 29, 2024 12:58 am

Thanks for your contribution and your time!

I've added some comments and made the naming conventions more consistance.
Would you please check if everything is alright?

# 1. Add Routing Tables
/routing table add fib name=to-dorm
/routing table add fib name=to-LTE

# 2. Add firewall Mangle Rules
# 3 Connections: 2 over LTE / 1 over ether1
## Step 2.1.: mark-connection
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=to-LTE \
    passthrough=yes per-connection-classifier=src-address-and-port:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=to-dorm \
    passthrough=yes per-connection-classifier=src-address-and-port:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface-list=LAN new-connection-mark=to-LTE \
    passthrough=yes per-connection-classifier=src-address-and-port:3/2

## Step 2.2.: mark-routing 
# Add Mark Routing Rules
add action=mark-routing chain=prerouting connection-mark=to-LTE \
    new-routing-mark=to-LTE passthrough=no
add action=mark-routing chain=prerouting connection-mark=to-dorm \
    new-routing-mark=to-dorm passthrough=no

# 3. Add IP Routes
# Note: Replace <add-dorm1-gateway-IP> with the actual IP address
/ip/route
add dst-address=0.0.0.0/0 gateway=<add-dorm1-gateway-IP> routing-table=to-dorm
add dst-address=0.0.0.0/0 gateway=lte1 routing-table=to-LTE

p0p · Thu Feb 29, 2024 1:07 am

Should I keep ether1 in LAN Interface List or would it make sense to put it into WAN? I think the WAN list is more strict in terms of security, right?
I saw in cour command line that you've pointed to "in-interface-list=LAN".

[admin@MikroTik] /interface/list/member> /interface/list print
Flags: * - BUILTIN
Columns: NAME
#   NAME   
;;; contains all interfaces
0 * all    
;;; contains no interfaces
1 * none   
;;; contains dynamic interfaces
2 * dynamic
;;; contains static interfaces
3 * static 
;;; defconf
4   WAN    
;;; defconf
5   LAN

[admin@MikroTik] /interface/list/member> /interface/list/member print
Columns: LIST, INTERFACE
# LIST  INTERFACE
;;; defconf
0 LAN   bridge   
;;; defconf
1 WAN   lte1     
2 WAN   ether1

Mesquite · Thu Feb 29, 2024 2:00 am

If ether1 goes to the Internet (via modem etc..) then yes its part of the WAN interface list, NOT the LAN interface list.

p0p · Sun Mar 03, 2024 12:59 pm

Thanks for your help so far!

I've switched ether1 to WAN list.

There is no Rx-rate comming through ether1.

www google bilder de
lte1 is working fine.
If I disable lte1, the connection automatically goes through ether1.

anav · Sun Mar 03, 2024 2:56 pm

Hi there, so you are saying that failover is working fine?
Now is the PCC working as well, when both WANs are up is traffic being distributed as desired?

Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Re: Mikrotik Chateau AX (5G) eth1 + lte1 load balancer with failover - looking for a tutorial

Who is online