killermantv
just joined
Topic Author
Posts: 16
Joined: Fri Feb 12, 2021 12:51 pm
Location: Czech Republic

Dual WAN + load balancing, port forward problem

Sun May 08, 2022 9:03 pm

Hello,
I recently got a second ISP connection and I have been trying to set up load balancing + failover in case one of them goes offline.

Context for why I am writing on the forum: I have no idea why the Reddit one worked, or why port forwarding stopped working, and I hoped someone here could help me.

First I went to the updated MikroTik wiki for RouterOS 7 (https://help.mikrotik.com/docs/display/ ... ll+Marking); the closest method to working was example 3, the PCC method, but that was unstable and websites took a really long time to load for some reason.

I managed to get it to work after a day thanks to a tutorial (https://www.reddit.com/r/mikrotik/comme ... using_pcc/) that I am using right now, as it is relatively stable and fast; however, I am not hitting the full speed, but close.

My setup is as follows:
  • RB4011iGS+5HacQ2HnD-IN, about 25% CPU during a speed test
  • ISP1 (Antik), 1 Gbps/1 Gbps, via DHCP client
  • ISP2 (Telekom), 1 Gbps/300 Mbps, via PPPoE client
  • Hairpin NAT
  • Long-term RouterOS version 7.1.5
  • The configuration is at the bottom.
  • Previously I only had ISP2 and everything listed below as an issue fully worked.
  • 88.***.**.*** is the external Antik IP
  • 87.**.***.*** is the external Telekom IP
  • 10.56.60.19/24 is my assigned DHCP address in ISP1's network
  • 10.56.60.1/24 is the default gateway in ISP1's network

I have 4 issues in total.
1. The first major one is that my port forwarding stopped working completely, and I would like it to work with hairpin NAT as well, as I am confused about how to adjust it for a load-balanced network. If I were to guess, I think it's something to do with the router sending the reply through a different ISP from the one the original packet came in on.

2. The second major one is that an external monitoring server that sends pings somehow works for ISP2 but not for ISP1, which could be related to the first issue. (I'm allowing those pings from only 2 IPs that are added in the firewall, and it always worked before.)

3. The third major one is that in my ip/routes/ I have check-gateway for the PPPoE route disabled, because the remote end does not reply to ICMP and ARP; the check-gateway check did not pass, and after 2 minutes the route was 'unreachable'.

4. And the last, minor one is that the router itself has no connection to the internet; for that I need to enable the ip/route/ entry that uses the 'main' routing table, for example to check for updates, but then if the route for the 'main' routing table is enabled, something happens and there's no connection for the entire network.

Thanks to everyone taking the time to help me, as I am still learning.
# may/08/2022 19:12:48 by RouterOS 7.1.5
# software id = TZ3I-X6ZH
#
# model = RB4011iGS+5HacQ2HnD
# serial number = F03C0E51807D
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name=2ghz
add band=5ghz-a/n/ac extension-channel=XXXXXXXX name=5ghz
/caps-man datapath
add arp=enabled name=main
add arp=enabled name=guest vlan-id=100 vlan-mode=use-tag
/interface bridge
add admin-mac=2C:C8:1B:45:66:46 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
    1000M-half,1000M-full,10000M-full,2500M-full,5000M-full
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=slovakia disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name=wlan1 ssid=TPLTCom24 wireless-protocol=802.11 wps-mode=\
    disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80/160mhz-XXXXXXXX country=slovakia distance=indoors frequency=auto \
    mode=ap-bridge name=wlan2 ssid=TPLTCom5 wireless-protocol=802.11 \
    wps-mode=disabled
/interface pppoe-client
add disabled=no interface=ether1 name=Telekom use-peer-dns=yes user=\
    ###########
/caps-man security
add authentication-types=wpa2-psk,wpa2-eap eap-methods=eap-tls encryption=\
    aes-ccm group-encryption=aes-ccm name=main
add authentication-types=wpa2-psk,wpa2-eap eap-methods=eap-tls encryption=\
    aes-ccm group-encryption=aes-ccm name=guest
/caps-man configuration
add channel=2ghz country=slovakia datapath=main installation=any mode=ap \
    name=TPLTCom24 security=main security.authentication-types=wpa2-psk \
    .encryption=aes-ccm ssid=TPLTCom24
add channel=2ghz country=slovakia datapath=guest datapath.vlan-id=100 \
    installation=any mode=ap name="TPLTCom24's Guests" security=guest ssid=\
    "TPLTCom24's Guests"
add channel=5ghz country=slovakia datapath=main installation=any mode=ap \
    name=TPLTCom5 security=main ssid=TPLTCom5
add channel=5ghz country=slovakia datapath=guest installation=any mode=ap \
    name="TPLTCom5's Guests" security=guest ssid="TPLTCom5's Guests"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    hostia supplicant-identity=""
/interface wireless
add default-forwarding=no keepalive-frames=disabled mac-address=\
    0A:55:31:FE:AC:31 master-interface=wlan1 multicast-buffering=disabled \
    name="wlan1 guest" security-profile=hostia ssid="TPLTCom24's Guests" \
    vlan-id=100 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add default-forwarding=no keepalive-frames=disabled mac-address=\
    0A:55:31:FE:AC:31 master-interface=wlan2 multicast-buffering=disabled \
    name="wlan2 guest" security-profile=hostia ssid="TPLTCom5's Guests" \
    vlan-id=100 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=8h name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add disabled=yes max-limit=64k/5M name=test target=192.168.0.169/32
add disabled=yes max-limit=16k/5M name=test3 target=192.168.0.169/32
add disabled=yes max-limit=32k/5M name=test2 target=192.168.0.169/32
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add name=default-v2
add name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/routing table
add disabled=no fib name=Antik
add disabled=no fib name=Telekom
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=TPLTCom24 \
    name-format=prefix-identity
add action=create-dynamic-enabled disabled=yes master-configuration=\
    "TPLTCom5's Guests" name-format=prefix-identity
add action=create-dynamic-enabled disabled=yes master-configuration=\
    "TPLTCom24's Guests" name-format=prefix-identity
add action=create-dynamic-enabled disabled=yes master-configuration=TPLTCom5 \
    name-format=prefix-identity
/interface bridge filter
# wlan2 guest not ready
# in/out-bridge-port matcher not possible when interface (wlan2 guest) is not slave
add action=drop chain=forward in-interface="wlan2 guest"
# wlan2 guest not ready
# in/out-bridge-port matcher not possible when interface (wlan2 guest) is not slave
add action=drop chain=forward out-interface="wlan2 guest"
# wlan1 guest not ready
# in/out-bridge-port matcher not possible when interface (wlan1 guest) is not slave
add action=drop chain=forward in-interface="wlan1 guest"
# wlan1 guest not ready
# in/out-bridge-port matcher not possible when interface (wlan1 guest) is not slave
add action=drop chain=forward out-interface="wlan1 guest"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=Telekom list=WAN
/interface wireless cap
set bridge=bridge caps-man-addresses=127.0.0.1 interfaces=wlan1,wlan2
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip arp
add address=192.168.0.169 interface=bridge mac-address=04:92:26:DA:F6:B1
add address=192.168.0.195 interface=bridge mac-address=1A:1D:F0:DE:EE:58
add address=192.168.0.80 interface=bridge mac-address=08:60:6E:6F:7D:5E
add address=192.168.0.166 interface=bridge mac-address=00:11:32:79:5E:B7
add address=192.168.0.101 interface=bridge mac-address=00:1D:EC:0B:83:CD
add address=192.168.0.10 interface=bridge mac-address=B8:69:F4:FE:E6:37
/ip dhcp-client
add add-default-route=no interface=ether2
add disabled=yes interface=ether2
/ip dhcp-server lease
add address=192.168.0.169 mac-address=04:92:26:DA:F6:B1
add address=192.168.0.167 comment="Lampa Mi Beside" mac-address=\
    04:CF:8C:D9:C1:2A server=defconf
add address=192.168.0.164 mac-address=D4:F5:47:16:AE:B8 server=defconf
add address=192.168.0.168 client-id=1:c8:c2:fa:e2:28:b4 comment="Luki mobil" \
    mac-address=C8:C2:FA:E2:28:B4 server=defconf
add address=192.168.0.153 client-id=1:8:c5:e1:7:59:a1 comment=\
    "Moj mobil SGS9+" mac-address=08:C5:E1:07:59:A1 server=defconf
add address=192.168.0.152 client-id=1:70:54:b4:49:7:61 comment="TV v kuchni" \
    mac-address=70:54:B4:49:07:61 server=defconf
add address=192.168.0.150 client-id=1:30:7:4d:53:e2:b comment=\
    "Monika mobil SGS8" mac-address=30:07:4D:53:E2:0B server=defconf
add address=192.168.0.160 comment="L355 Series EPSONA25574" mac-address=\
    AC:18:26:A2:55:74 server=defconf
add address=192.168.0.149 client-id=1:d8:f2:ca:58:f3:54 comment="Laptop P52s" \
    mac-address=D8:F2:CA:58:F3:54 server=defconf
add address=192.168.0.147 client-id=1:48:2a:e3:6:5e:69 mac-address=\
    48:2A:E3:06:5E:69 server=defconf
add address=192.168.0.122 comment="Mini Audio veza" mac-address=\
    00:09:B0:29:99:61 server=defconf
add address=192.168.0.101 client-id=1:0:1d:ec:b:83:cd comment=SAT \
    mac-address=00:1D:EC:0B:83:CD server=defconf
add address=192.168.0.157 client-id=1:74:da:88:da:8d:d4 mac-address=\
    74:DA:88:DA:8D:D4 server=defconf
add address=192.168.0.104 mac-address=CC:50:E3:74:D1:CC server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=\
    192.168.0.2,1.1.1.1,1.0.0.1,9.9.9.9 domain=TPLTCom gateway=192.168.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.0.2,1.1.1.1,1.0.0.1,9.9.9.9
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.0/24 list=LAN
add address=87.**.***.*** list=WAN
add address=192.168.0.0/24 list=DUAL
add address=88.***.**.*** list=WAN
add address=10.56.60.19 list=WAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input dst-port=53,8291,22 in-interface-list=WAN \
    protocol=tcp
add action=drop chain=input dst-port=53,8291,22 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input comment="blackhole ping" protocol=icmp \
    src-address=185.111.88.182
add action=accept chain=input comment="sakal.sk ping" protocol=icmp \
    src-address=195.181.212.29
add action=accept chain=input comment="Allow limited pings" disabled=yes \
    limit=1,5:packet protocol=icmp
add action=drop chain=input comment="Disable Pings" in-interface-list=!LAN \
    limit=1,2:packet protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=con-one passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address-list=DUAL
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=con-two passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-one \
    new-routing-mark=Antik passthrough=no src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-two \
    new-routing-mark=Telekom passthrough=no src-address-list=DUAL
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment=Antik ipsec-policy=out,none \
    out-interface=ether2
add action=masquerade chain=srcnat comment=Telekom ipsec-policy=out,none \
    out-interface=Telekom
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=443,80 \
    protocol=tcp to-addresses=192.168.0.15 to-ports=67-443
add action=dst-nat chain=dstnat comment="mc tcp linuxVM" dst-address-list=WAN \
    dst-port=25565,25566 protocol=tcp to-addresses=192.168.0.195 to-ports=\
    25565-25566
add action=dst-nat chain=dstnat comment="mc udp linuxVM" dst-address-list=WAN \
    dst-port=25565,25566 protocol=udp to-addresses=192.168.0.195 to-ports=\
    25565-25566
add action=dst-nat chain=dstnat comment="zombie linuxVM" dst-address-list=WAN \
    dst-port=2302,2312,27015-27030,27036-27037,16261 protocol=tcp \
    to-addresses=192.168.0.195 to-ports=0-65535
add action=dst-nat chain=dstnat comment="zombie linuxVM" dst-address-list=WAN \
    dst-port=2302,2312,27015-27030,27036-27037,16261 protocol=udp \
    to-addresses=192.168.0.195 to-ports=0-65535
add action=dst-nat chain=dstnat comment="ark linuxVM" disabled=yes \
    dst-address-list=WAN dst-port=7722,7777,7778,27015,27020 protocol=tcp \
    to-addresses=192.168.0.195 to-ports=7722-27020
add action=dst-nat chain=dstnat comment="ark linuxVM" disabled=yes \
    dst-address-list=WAN dst-port=7722,7777,7778,27015,27020 protocol=udp \
    to-addresses=192.168.0.195 to-ports=7722-27020
/ip firewall raw
add action=drop chain=prerouting comment=hadajcz src-address=89.203.247.77
/ip route
add check-gateway=ping comment=Antik disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=10.56.60.1 pref-src=0.0.0.0 routing-table=Antik scope=\
    30 suppress-hw-offload=no target-scope=10
add comment=Telekom disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    Telekom pref-src=0.0.0.0 routing-table=Telekom scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=main disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=10.56.60.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=main disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    Telekom pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl port=19216
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=Telekom type=external
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=RB4011
/system leds
add interface=wlan1 leds="wlan1_signal1-led,wlan1_signal2-led,wlan1_signal3-le\
    d,wlan1_signal4-led,wlan1_signal5-led" type=wireless-signal-strength
add interface=wlan1 leds=wlan1_tx-led type=interface-transmit
add interface=wlan1 leds=wlan1_rx-led type=interface-receive
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
add address=0.sk.pool.ntp.org
add address=1.sk.pool.ntp.org
add address=2.sk.pool.ntp.org
add address=3.sk.pool.ntp.org
/system package update
set channel=long-term
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by killermantv on Tue May 10, 2022 8:19 pm, edited 1 time in total.
killermantv

Re: Dual WAN + load balancing  [SOLVED]

Tue May 10, 2022 8:18 pm

After 2 days of brainstorming, I figured it out.

The solution in my case was to change the PCC classifier from both-addresses-and-ports to src-address-and-port. That solved all 3 of those major problems; the minor one is still there, but that's acceptable.
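As an added example, not part of either post and not a tested fix for this particular router: the mangle rules below combine the classifier change the poster settled on (src-address-and-port) with the inbound-interface marking that the MikroTik PCC documentation linked in the first post uses, so that a reply to a port-forwarded connection, or to a monitoring ping that hit the router itself, leaves through the WAN it arrived on instead of being re-classified. Interface names (ether2, Telekom), routing tables (Antik, Telekom), the DUAL address list and the con-one/con-two connection marks are taken from the posted export; the rule ordering and the connection-state=new / connection-mark=no-mark guards are my assumptions about how this setup should behave, not something the poster confirmed.

```routeros
# Added example, not from the original post. Names come from the posted
# export; the inbound-interface marking follows the MikroTik PCC documentation.
/ip firewall mangle
# 1. Tie every NEW connection that arrives on a WAN interface to that WAN.
#    Mangle prerouting runs before dst-nat, so a port-forwarded packet is seen
#    here with its public destination and the WAN it came in on; the reply
#    from the LAN host then inherits the same connection mark.
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=con-one passthrough=yes \
    comment="Antik: inbound connection, reply goes back via Antik"
add chain=prerouting in-interface=Telekom connection-state=new \
    action=mark-connection new-connection-mark=con-two passthrough=yes \
    comment="Telekom: inbound connection, reply goes back via Telekom"
# 2. Split NEW, still-unmarked LAN connections with PCC. src-address-and-port
#    is the classifier the poster ended up with; dst-address-type=!local keeps
#    hairpin NAT and traffic to the router out of the balancer. The guards
#    mark a connection once instead of re-evaluating every packet of it.
add chain=prerouting src-address-list=DUAL dst-address-type=!local \
    connection-state=new connection-mark=no-mark \
    per-connection-classifier=src-address-and-port:2/0 \
    action=mark-connection new-connection-mark=con-one passthrough=yes
add chain=prerouting src-address-list=DUAL dst-address-type=!local \
    connection-state=new connection-mark=no-mark \
    per-connection-classifier=src-address-and-port:2/1 \
    action=mark-connection new-connection-mark=con-two passthrough=yes
# 3. Derive the routing mark from the connection mark for packets that
#    originate in the LAN, which now includes replies to inbound connections.
add chain=prerouting src-address-list=DUAL connection-mark=con-one \
    action=mark-routing new-routing-mark=Antik passthrough=no
add chain=prerouting src-address-list=DUAL connection-mark=con-two \
    action=mark-routing new-routing-mark=Telekom passthrough=no
# 4. Same for packets the router itself sends as part of a marked connection
#    (e.g. the ICMP echo replies to the external monitoring server).
add chain=output connection-mark=con-one \
    action=mark-routing new-routing-mark=Antik passthrough=no
add chain=output connection-mark=con-two \
    action=mark-routing new-routing-mark=Telekom passthrough=no
```

Two checks worth making after applying rules like these. First, fasttracked packets bypass the mangle chains; the posted firewall fasttracks all established/related forward traffic, so if established flows stop honouring the routing mark, narrow the fasttrack rule (for example with connection-mark=no-mark) or disable it while testing. Second, the output-chain rules only cover replies to connections that already carry a mark; a brand-new connection the router itself opens (update check, DNS resolution) still needs a default route in the main table, which is the poster's remaining minor issue and is not addressed by this example.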
