# Minimal failover-only variant (no PCC load balancing): one check host per WAN,
# and two default routes that recurse through those hosts and are checked with ping.
/ip address
add address=192.168.0.1/24 disabled=no interface=LAN network=192.168.0.0
add address=192.168.1.2/24 disabled=no interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 disabled=no interface=WAN2 network=192.168.2.0
/ip dns
# Or use your ISP's DNS
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB \
    max-udp-packet-size=512 servers=18.104.22.168,22.214.171.124
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
#### Following is the ROUTE section, where check-gateway is used to monitor one external host through each WAN
/ip route
# Host routes pin each check host to its own WAN gateway; scope=10 lets the default
# routes below resolve their gateway through these entries (default target-scope is 10)
add dst-address=126.96.36.199 gateway=192.168.1.1 scope=10
add dst-address=188.8.131.52 gateway=192.168.2.1 scope=10
# The default routes use the check hosts as recursive gateways: when the ping to a host
# fails its route goes inactive and the route with the next distance takes over
add distance=1 gateway=126.96.36.199 check-gateway=ping
add distance=2 gateway=188.8.131.52 check-gateway=ping
Dual WAN Load Balancing with Failover on MikroTik
Let us suppose that we have two WAN links, and we want to load balance across them and fail over if one of the links fails (i.e. traffic is redirected to the link which is still up). The problem is to monitor whether the Internet is actually reachable through each of them, because the failure can be anywhere along the path.
If your VPN cannot connect, there is no problem: your default route with gateway=that-vpn-connection will simply be inactive.
If your ADSL modem is down, check-gateway=ping handles it, and again there is no problem.
But what if your modem is up and the telephone line is down? Or one of your ISPs has a problem inside its own network, so a traceroute shows only a few hops and then stops?
Some people use the Netwatch tool to monitor remote locations. Others use scripts that periodically ping remote hosts and then disable routes, or change the routing behaviour in some other way.
But RouterOS lets us do this check with /ip route alone: no scripting and no Netwatch at all.
Let's suppose that we have two uplinks: GW1 and GW2. They can be the addresses of ADSL or DSL modems, a static IP and a local IP (like 192.168.1.1 and 192.168.2.1), or PPP interface names (like pppoe-out1 and pptp-out1). Then we have some PCC load-balancing rules in ip > firewall > mangle and in ip > routes, so all outgoing traffic carries either the to_ISP1 routing mark (which goes to GW1) or the to_ISP2 routing mark (which goes to GW2), and the PCC classifier in mangle splits the connections evenly between both WAN links. And we want to monitor Host1 and Host2 via GW1, and Host3 and Host4 via GW2; those may be some popular Internet sites, like Google, Yahoo, etc.
First add IP addresses to the interfaces (don't forget to rename the interfaces accordingly; the rest of this post uses Local, WAN1 and WAN2):
/ip address
add address=192.168.10.1/24 interface=Local
add address=192.168.1.2/24 interface=WAN1
add address=192.168.2.2/24 interface=WAN2
Since most ISPs' DNS servers refuse queries that do not come from inside their own network (which is exactly what happens when a client's query is balanced or failed over to the other link), it is better to run our own DNS cache on the MikroTik,
or simply use the OpenDNS or Google DNS servers as its upstream.
Note that allow-remote-requests=yes makes the router answer DNS queries on every interface, WAN1 and WAN2 included. It must be combined with firewall rules that drop port 53 arriving from the WAN side, otherwise the router becomes an open resolver that can be abused for DNS reflection. cache-max-ttl=1w also means a cached record can be served for up to a week after it changes upstream.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB \
    max-udp-packet-size=512 servers=18.104.22.168,22.214.171.124
The mangle rule set for distributing the traffic evenly to both links:
/ip firewall mangle
# Connections that arrive on a WAN interface are marked, so the router's own replies leave through the same WAN
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_mark
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_mark
add chain=output connection-mark=WAN1_mark action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=WAN2_mark action=mark-routing new-routing-mark=to_ISP2
# LAN traffic to the ISP-side subnets is accepted unmarked, so it follows the connected routes
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
# PCC: hash source/destination address and port, split the connections into two groups (2/0 and 2/1)
# and mark each group; dst-address-type=!local keeps traffic for the router itself out of the split
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_mark passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_mark passthrough=yes
# Every packet of a marked connection gets the matching routing mark, which selects its default route
add chain=prerouting connection-mark=WAN1_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=WAN2_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP2
FAILOVER WITH ROUTING ON THE WAN LINKS
For checking reachability I am using these hosts (two per WAN link, so a link is only treated as down when both of its hosts stop answering):
126.96.36.199   Google-DNS   host1A  (checked via GW1)
188.8.131.52    Yahoo        host1B  (checked via GW1)
184.108.40.206  Google-DNS   host2A  (checked via GW2)
220.127.116.11  Twitter      host2B  (checked via GW2)
First we need routes to our checking hosts. Each host is pinned to one WAN gateway, and scope=10 lets the routes in the next step resolve their gateway through these entries (the default target-scope of a static route is 10, the default scope is 30):
/ip route
add dst-address=126.96.36.199 gateway=192.168.1.1 scope=10 comment="host1A via GW1"
add dst-address=188.8.131.52 gateway=192.168.1.1 scope=10 comment="host1B via GW1"
add dst-address=184.108.40.206 gateway=192.168.2.1 scope=10 comment="host2A via GW2"
add dst-address=220.127.116.11 gateway=192.168.2.1 scope=10 comment="host2B via GW2"
Then let's create "virtual" hops to use as gateways in the default routes. I'm using 10.1.1.1 (reachable only through GW1's hosts) and 10.2.2.2 (only through GW2's hosts) as an example; these addresses are never the destination of any packet, they exist only as recursive next hops in the routing table. check-gateway=ping sends the probe to the check host through its host route, and a route whose host stops answering becomes inactive. With two routes per virtual hop, the hop stays reachable as long as at least one of its hosts still answers:
/ip route
add dst-address=10.1.1.1 gateway=126.96.36.199 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=188.8.131.52 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=184.108.40.206 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=220.127.116.11 scope=10 target-scope=10 check-gateway=ping
And now we may add the default routes for clients. Each routing mark has a preferred virtual hop (distance=1) and the other one as backup (distance=2), so when both check hosts behind GW1 fail, traffic marked to_ISP1 moves to GW2, and vice versa. The last two routes carry no routing mark: they go into the main table, which is what the router's own new connections (DNS forwarding to the upstream servers, NTP, updates) use, since the mangle rules only mark LAN traffic and replies. Note that connections already masqueraded behind one WAN address do not survive a failover: they keep the old WAN's source address and have to be re-established.
/ip route
add distance=1 gateway=10.1.1.1 routing-mark=to_ISP1
add distance=2 gateway=10.2.2.2 routing-mark=to_ISP1
add distance=1 gateway=10.2.2.2 routing-mark=to_ISP2
add distance=2 gateway=10.1.1.1 routing-mark=to_ISP2
add distance=1 gateway=10.1.1.1
add distance=2 gateway=10.2.2.2
And masquerade both WAN interfaces, one rule per out-interface, so each connection leaves with the address of the WAN it was routed to:
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
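None of the rules above filter traffic addressed to the router itself, and allow-remote-requests=yes makes the DNS cache answer on every interface, WAN1 and WAN2 included. Left like this, the router is an open resolver (usable for DNS reflection) and its management services (Winbox, SSH, API, web) are reachable from both ISPs. The input-chain filter below is an added example, not part of the original post; it assumes the interface names Local, WAN1 and WAN2 used here and that management is only done from the Local side.

```routeros
/ip firewall filter
# Replies to connections the router or its clients started are always accepted;
# this also covers the check-gateway ping replies and the DNS answers from upstream
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# The DNS cache (UDP and TCP 53) is only offered to the LAN, not to the WAN side
add chain=input in-interface=Local protocol=udp dst-port=53 action=accept
add chain=input in-interface=Local protocol=tcp dst-port=53 action=accept
# ICMP is kept so the ISPs' own monitoring and path MTU discovery keep working
add chain=input protocol=icmp action=accept
# Management is only possible from the LAN
add chain=input in-interface=Local action=accept
# Everything else that arrives on either WAN interface is dropped
add chain=input in-interface=WAN1 action=drop
add chain=input in-interface=WAN2 action=drop
```

Add these rules before connecting the WAN links, or at least add the established/related and in-interface=Local accept rules first so an existing Winbox session from the LAN is not cut off. Afterwards /ip route print shows which of the to_ISP1 and to_ISP2 default routes are active; unplugging WAN1 should make both 10.1.1.1 routes go inactive and the distance=2 routes take over.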