Using PCC to load balance across multiple non-bonded links.
This is my ongoing work on using multiple ADSL services with the MikroTik PCC rules, along with some inbound mangling, to allow a single router to load balance traffic across as many non-bonded links as required.
Updated: 7th Jan 2010 – notes: added static routing marks for inbound traffic as inbound should never fall over to backup routes, while outbound should go over whatever is available. Also cleaned up routing order so it’s easier to read.
Note that none of this config requires the use of IP addresses at all, as it simply uses the pppoe-client interfaces and your LAN interface to mark traffic. In my example the WAN interfaces are wan1-pppoe, wan2-pppoe and wan3-pppoe, and the LAN interface is lan.
/ip route
add check-gateway=arp comment="WAN 3 - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 2 - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1 - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 1 - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2 - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3 - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 1 - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2 - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3 - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan3
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe
add check-gateway=arp comment="Static Route - WAN1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=static-wan1
add check-gateway=arp comment="Static Route - WAN2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=static-wan2
add check-gateway=arp comment="Static Route - WAN3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=static-wan3
/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 \
    passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 \
    passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan3" connection-state=new disabled=no in-interface=wan3-pppoe new-connection-mark=wan3 \
    passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan1" connection-state=established disabled=no in-interface=wan1-pppoe \
    new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan2" connection-state=established disabled=no in-interface=wan2-pppoe \
    new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan3" connection-state=established disabled=no in-interface=wan3-pppoe \
    new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe \
    new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan2" connection-state=related disabled=no in-interface=wan2-pppoe \
    new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan3" connection-state=related disabled=no in-interface=wan3-pppoe \
    new-connection-mark=wan3 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 disabled=no new-routing-mark=static-wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 disabled=no new-routing-mark=static-wan2 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan3" connection-mark=wan3 disabled=no new-routing-mark=static-wan3 passthrough=no
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=new disabled=no \
    dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=new disabled=no \
    dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=new disabled=no \
    dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=\
    established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=\
    established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=\
    established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=related \
    disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=related \
    disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=related \
    disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting comment="Mark routing for PCC mark - option 1" connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=\
    yes
add action=mark-routing chain=prerouting comment="Mark routing for PCC mark - option 2" connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=\
    yes
add action=mark-routing chain=prerouting comment="Mark routing for PCC mark - option 3" connection-mark=wan3_pcc_conn disabled=no new-routing-mark=wan3 passthrough=\
    yes
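A consistency check for mangle rules of the kind shown above, as an added example (not part of the original post and not MikroTik tooling): it parses an export and verifies that each PCC group uses one classifier and one denominator, covers every remainder exactly once, and that every connection mark is both set and routed. Both sample exports are constructed, and the `isp*` names in the second one are hypothetical.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: the three-link PCC pattern from the post (state=new only).
GOOD = r"""
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local \
    in-interface=lan new-connection-mark=wan1_pcc_conn per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local \
    in-interface=lan new-connection-mark=wan2_pcc_conn per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local \
    in-interface=lan new-connection-mark=wan3_pcc_conn per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=wan1_pcc_conn new-routing-mark=wan1 passthrough=\
    yes
add action=mark-routing chain=prerouting connection-mark=wan2_pcc_conn new-routing-mark=wan2
add action=mark-routing chain=prerouting connection-mark=wan3_pcc_conn new-routing-mark=wan3
"""

# Constructed sample with hypothetical names: four links but remainders from a
# two-way split, one mixed classifier, one misspelled connection mark.
BAD = r"""
/ip firewall mangle
add chain=prerouting in-interface=Local action=mark-connection new-connection-mark=isp1_conn per-connection-classifier=both-addresses:2/0
add chain=prerouting in-interface=Local action=mark-connection new-connection-mark=isp2_conn per-connection-classifier=src-address:2/1
add chain=prerouting in-interface=Local action=mark-connection new-connection-mark=isp3_conn per-connection-classifier=both-addresses:2/0
add chain=prerouting in-interface=Local action=mark-connection new-connection-mark=isp4_conn per-connection-classifier=both-addresses:2/1
add chain=prerouting connection-mark=isp1_conn action=mark-routing new-routing-mark=to_isp1
add chain=prerouting connection-mark=isp2_conn action=mark-routing new-routing-mark=to_isp2
add chain=prerouting connection-mark=isp3_conn action=mark-routing new-routing-mark=to_isp3
add chain=prerouting connection-mark=isp-4_conn action=mark-routing new-routing-mark=to_isp4
"""

def parse_rules(export_text):
    """Turn the `add key=value ...` lines of a RouterOS export into dicts."""
    # The export wraps long commands with a trailing backslash, sometimes in
    # the middle of a value (passthrough=\ + yes), so join before tokenizing.
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", export_text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # menu path lines and blanks
        rule = {}
        for token in shlex.split(line)[1:]:  # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def lint_pcc(rules):
    """Return a list of findings; an empty list means the PCC split is consistent."""
    findings, groups = [], defaultdict(list)
    set_marks, pcc_marks, routed_marks = set(), set(), set()
    for r in rules:
        if r.get("action") == "mark-routing" and r.get("connection-mark"):
            routed_marks.add(r["connection-mark"])
        if r.get("action") != "mark-connection":
            continue
        mark = r.get("new-connection-mark")
        set_marks.add(mark)
        m = re.fullmatch(r"([a-z-]+):(\d+)/(\d+)", r.get("per-connection-classifier", ""))
        if not m:
            continue  # a plain mark-connection rule, not a PCC rule
        pcc_marks.add(mark)
        # Rules that split the same traffic share chain, interface and state.
        key = (r.get("chain"), r.get("in-interface"), r.get("connection-state", "any"))
        groups[key].append((m.group(1), int(m.group(2)), int(m.group(3)), mark))

    for key, entries in groups.items():
        where = "chain=%s in-interface=%s state=%s" % key
        kinds = sorted({e[0] for e in entries})
        denoms = sorted({e[1] for e in entries})
        if len(kinds) > 1:
            findings.append(f"{where}: mixed classifiers {kinds}")
        if len(denoms) > 1:
            findings.append(f"{where}: mixed denominators {denoms}")
            continue
        by_rem = defaultdict(list)
        for _, _, rem, mark in entries:
            by_rem[rem].append(mark)
        missing = sorted(set(range(denoms[0])) - set(by_rem))
        if missing:
            findings.append(f"{where}: remainders {missing} of {denoms[0]} get no mark")
        for rem, marks in sorted(by_rem.items()):
            if len(set(marks)) > 1:
                findings.append(f"{where}: remainder {rem}/{denoms[0]} sets {marks}; later rule overwrites")

    for mark in sorted(routed_marks - set_marks):
        findings.append(f"mark-routing matches connection-mark={mark}, which no rule sets")
    for mark in sorted(pcc_marks - routed_marks):
        findings.append(f"connection mark {mark} is never matched by a mark-routing rule")
    return findings

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_pcc(parse_rules(sample)) or "ok")
```

Feed it the output of an export of `/ip firewall mangle`; a link that never carries traffic usually shows up as a missing remainder or an unmatched mark.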
What is the difference between this config and the one in the wiki, does it load balance more efficiently? Does it drop links?
hey Hennie,
This config is my own that was originally created as part of my experimentation with the PCC rules, the dropping links thing I mentioned on the forum was specifically related to 4.X whereas 3.28-3.30 work fine.
This config also allows failover: in the event that any of the pppoe connections drop out or disconnect, the routing adjusts to continue piping traffic out the other 2 links.
The first section of the mangle rules are explicitly made to allow inbound connections such as winbox/ftp/http/etc; basically anything you want to forward to an internal user will work correctly and be forwarded back out the same link (including anything added by upnp rules).
This is a 3 link setup but it can be modified to work the same way with 2 or 4 links quite easily.
In the example the interface “hotspot-bridge” is the users interface and the pppoe interfaces are obviously the internet connections; if you plan on using it for multiple interfaces and/or ip ranges you will need to adjust the rules accordingly.
This one seems to work better than the one in the official wiki.
Hi, first of all let me thank you for posting this example. With yours I have tried 3 examples and I always get more traffic in the first WAN; do you have the same problem? I downgraded to 3.30 and still have the same problem.
Regards.
I have done the above configuration. I have 2 ADSL lines, 2MB each… it seems that one of them is the only one loading traffic and the other seems to be having very little activity… any ideas?
Here is my configuration:
MikroTik RouterOS 3.30 (c) 1999-2009 http://www.mikrotik.com/
[admin@MikroTik] > ip
[admin@MikroTik] /ip> firewall
[admin@MikroTik] /ip firewall> mangle
[admin@MikroTik] /ip firewall mangle> print
Flags: X – disabled, I – invalid, D – dynamic
0 ;;; Mark new inbound connection WAN1
chain=input action=mark-connection new-connection-mark=wan1
passthrough=yes connection-state=new in-interface=LinkDotNet
1 ;;; Mark new inbound connection wan2
chain=input action=mark-connection new-connection-mark=wan2
passthrough=yes connection-state=new in-interface=TeData
2 ;;; Mark established inbound connection wan1
chain=prerouting action=mark-connection new-connection-mark=wan1
passthrough=yes connection-state=established in-interface=LinkDotNet
3 ;;; Mark established inbound connection wan2
chain=prerouting action=mark-connection new-connection-mark=wan2
passthrough=yes connection-state=established in-interface=TeData
4 ;;; Mark related inbound connection wan1
chain=prerouting action=mark-connection new-connection-mark=wan1
passthrough=yes connection-state=related in-interface=LinkDotNet
5 ;;; Mark related inbound connection wan2
chain=prerouting action=mark-connection new-connection-mark=wan2
passthrough=yes connection-state=related in-interface=TeData
6 ;;; Mark new inbound route wan1
chain=output action=mark-routing new-routing-mark=wan1 passthrough=yes
connection-mark=wan1
7 ;;; Mark new inbound route wan2
chain=output action=mark-routing new-routing-mark=wan2 passthrough=yes
connection-mark=wan2
8 chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn
passthrough=yes connection-state=new dst-address-type=!local
in-interface=LAN per-connection-classifier=both-addresses:2/0
9 chain=prerouting action=mark-connection new-connection-mark=wan2_pcc
passthrough=yes connection-state=new dst-address-type=!local
in-interface=LAN per-connection-classifier=src-address:2/1
10 chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn
passthrough=yes connection-state=established dst-address-type=!local
in-interface=LAN per-connection-classifier=both-addresses:2/0
11 chain=prerouting action=mark-connection new-connection-mark=wan2_pcc
passthrough=yes connection-state=established dst-address-type=!local
in-interface=LAN per-connection-classifier=both-addresses:2/1
12 chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn
passthrough=yes connection-state=related dst-address-type=!local
in-interface=LAN per-connection-classifier=both-addresses:2/0
13 chain=prerouting action=mark-connection new-connection-mark=wan2_pcc
passthrough=yes connection-state=related dst-address-type=!local
in-interface=LAN per-connection-classifier=both-addresses:2/1
14 chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=ye>
connection-mark=wan1_pcc_conn
15 chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=ye>
connection-mark=wan2_pcc
[admin@MikroTik] /ip firewall mangle> /ip
[admin@MikroTik] /ip> firewall
[admin@MikroTik] /ip firewall> nat
[admin@MikroTik] /ip firewall nat> print
Flags: X – disabled, I – invalid, D – dynamic
0 ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.80.0/24
2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24
[admin@MikroTik] /ip firewall nat> /ip
[admin@MikroTik] /ip> route
[admin@MikroTik] /ip route> print
Flags: X – disabled, A – active, D – dynamic, C – connect, S – static, r – rip, b – bgp, o – ospf, m – mme,
B – blackhole, U – unreachable, P – prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S ;;; WAN 1 – Distance 1
0.0.0.0/0 reachable LinkDotNet 1 LinkDotNet
1 S ;;; WAN 1 – Distance 2
0.0.0.0/0 reachable TeData 2 TeData
2 A S ;;; WAN 2 – Distance 1
0.0.0.0/0 reachable TeData 1 TeData
3 S ;;; WAN 2 – Distance 2
0.0.0.0/0 reachable LinkDotNet 2 LinkDotNet
4 S ;;; Default Route – Distance 2
0.0.0.0/0 reachable TeData 2 TeData
5 A S ;;; Default Route – Distance 1
0.0.0.0/0 reachable LinkDotNet 1 LinkDotNet
6 ADC 41.130.0.1/32 41.130.11.54 0 LinkDotNet
7 ADC 163.121.170.22/32 196.202.112.105 0 TeData
8 ADC 192.168.80.0/24 192.168.80.1 0 wlan1
9 ADC 192.168.88.0/24 192.168.88.1 0 LAN
[admin@MikroTik] /ip route>
Why do you have separate rules for established & related?
In the Nth wiki it says that once a connection is marked, all related should be automatically marked as well?
Then on the last part, your passthrough=yes, I suppose it should be no, however since it’s the last it does not matter.
You’re probably correct, I created these rules when PCC was a pre-release and I didn’t have full access to the wiki that was since written, I’ll have to give it a further try and see if I need the established or related sections.
Hey admin, I see what you mean by version 4.x giving issues. I have 4.3 and I can’t port forward anything using standard NAT rules. It just won’t work. I think I’ll try and go back to 3.30 if I can. Thanx but try and test it with 4.x as that will be great, I’ve found this setup to work the best by far…
I presume the following is a typo?
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe \
new-connection-mark=wan2 passthrough=yes
and should be: new-connection-mark=wan1?
Thank you for your work.
Indeed it was, thanks for pointing it out. Guide has been updated.
Hey admin.
I have 5 DSL connections and I want to split them in 50 PCs. But I wanna load balance by traffic type. 2 DSL lines for http and 3 for gaming.
I was thinking the following (please correct the lines if any errors):
-=-=-=-=-=-==-=-=-=-=-=
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan2
add address=10.113.0.2/24 network=10.113.0.0 broadcast=10.113.0.255 interface=wlan3
add address=10.114.0.2/24 network=10.114.0.0 broadcast=10.114.0.255 interface=wlan4
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=input in-interface=wlan3 action=mark-connection new-connection-mark=wlan3_conn
add chain=input in-interface=wlan4 action=mark-connection new-connection-mark=wlan4_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
add chain=output connection-mark=wlan3_conn action=mark-routing new-routing-mark=to_wlan3
add chain=output connection-mark=wlan4_conn action=mark-routing new-routing-mark=to_wlan4
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.113.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.114.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=wlan3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=wlan4_conn passthrough=yes
add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan1
add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan2
add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan3
add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan4
add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark="http1" dst-port=80 protocol=tcp
add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark="http2" dst-port=80 protocol=tcp
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark="http1" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark="http2" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.113.0.1 routing-mark=to_wlan3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.114.0.1 routing-mark=to_wlan4 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.113.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.114.0.1 distance=2 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
add chain=srcnat out-interface=wlan3 action=masquerade
add chain=srcnat out-interface=wlan4 action=masquerade
please tell me is this correct 😀 ?
This has some corrections, specifically in the ip route section and in the way you created your PCC rules (because you have 4 outbound routes you need the PCC rule to pick out of 4 possible rules).
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan2
add address=10.113.0.2/24 network=10.113.0.0 broadcast=10.113.0.255 interface=wlan3
add address=10.114.0.2/24 network=10.114.0.0 broadcast=10.114.0.255 interface=wlan4
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=input in-interface=wlan3 action=mark-connection new-connection-mark=wlan3_conn
add chain=input in-interface=wlan4 action=mark-connection new-connection-mark=wlan4_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
add chain=output connection-mark=wlan3_conn action=mark-routing new-routing-mark=to_wlan3
add chain=output connection-mark=wlan4_conn action=mark-routing new-routing-mark=to_wlan4
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.113.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.114.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/1 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/2 \
action=mark-connection new-connection-mark=wlan3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/3 \
action=mark-connection new-connection-mark=wlan4_conn passthrough=yes
add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan1
add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan2
add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan3
add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan4
add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark="http1" dst-port=80 protocol=tcp
add chain=prerouting connection-mark=wlan4_conn in-interface=Local action=mark-routing new-routing-mark="http2" dst-port=80 protocol=tcp
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.113.0.1 routing-mark=to_wlan3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.114.0.1 routing-mark=to_wlan4 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark="http1" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark="http2" check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.113.0.1 distance=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.114.0.1 distance=4 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
add chain=srcnat out-interface=wlan3 action=masquerade
add chain=srcnat out-interface=wlan4 action=masquerade
so my extra port80 monitoring on wlan3 and wlan 4 and redirecting to wlan1-wlan2 is correct?
and btw, is this suitable for gaming?
The way I’ve set up my PCC uses the “both-addresses” option. So any traffic from (for example) 1.1.1.1 to 9.9.9.9 will always go via the same link once the first connection is made, regardless of the port used. It should be ok and I’ve yet to find a game that doesn’t like it.
will this pcc work nice in my rb450g?
add action=mark-connection chain=input comment="Input – New" connection-state=new disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1 \
passthrough=yes
add action=mark-connection chain=input comment="" connection-state=new disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2 \
passthrough=yes
add action=mark-connection chain=prerouting comment="Input – Established" connection-state=established disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1 passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-state=established disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2 passthrough=yes
add action=mark-connection chain=prerouting comment="Input – Related" connection-state=related disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1 passthrough=yes
add action=mark-connection chain=prerouting comment="" connection-state=related disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2 passthrough=yes
add action=mark-routing chain=output comment="Output – Route Marking" connection-mark=pppoe-out1 disabled=no new-routing-mark=pppoe_out1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=pppoe-out2 disabled=no new-routing-mark=pppoe_out2 passthrough=no
add action=mark-connection chain=prerouting comment="Prerouting – New" connection-state=new disabled=no \
dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no \
dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting comment="Prerouting – Established" connection-state=\
established disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out1 passthrough=yes per-connection-classifier=\
both-addresses:2/0
add action=mark-connection chain=prerouting comment="" connection-state=\
established disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out2 passthrough=yes per-connection-classifier=\
both-addresses:2/1
add action=mark-connection chain=prerouting comment="Prerouting – Related" connection-state=related \
disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe_out1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" connection-state=related \
disabled=no dst-address-type=!local in-interface=ether1 new-connection-mark=pppoe-out2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="Prerouting – Route Marking " connection-mark=pppoe_out1 disabled=no new-routing-mark=pppoe_out1 passthrough=\
yes
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe-out2 disabled=no new-routing-mark=pppoe_out2 passthrough=\
yes
does it miss much?
its for a 2 adsl line … same provider…. same gateway
Hello admin
Have you encountered any problem with the poker on Facebook? I have used the setup on the MikroTik Wiki, but it looks like it does not work with the poker on Facebook.
Thank you, Toni
You’d have to give me more information about what poker etc, but I’ve yet to find an application that doesn’t work for it so long as you use the both-addresses option.
Hi omega-00, very good contributions to the MikroTik community. A question: this setting automatically accepts DHCP on the WAN; is it necessary to make a script for failover, or is failover automatic with check-gateway=ping?
Hi Birkot,
With the routes I’ve listed in the example, each has 2 backup routes that it’ll failover to if one or more aren’t working.
Eg: if the adsl3 line disconnects and goes offline, any routes with that as ‘distance=1’ will now be marked as invalid/down so it’ll fall back to any higher distanced routes (distance=2 and then distance=3 and so on).
In this case we’ve given each of the main routes wan1, wan2, wan3, 2 backup routes for each.. so other than end user connections breaking and re-connecting (msn, vpn’s etc) you’ve got no actual downtime as everything just shifts over to one of the other connections until the broken one comes back online.
Regards,
Omega-00
Hi omega-oo, I used the PCC for 3 WAN configuration and it does not work. I have a RB/750G; I cannot connect to the internet with this configuration and I’ve done nothing wrong. This is my configuration:
You can review and correct, please.
[admin@MikroTik] /ip route> print
Flags: X – disabled, A – active, D – dynamic, C – connect, S – static, r – rip, b – bgp, o – ospf, m – mme,
B – blackhole, U – unreachable, P – prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 S ;;; WAN 3 – Distance 1
0.0.0.0/0 unreachable wan3 1 wan3
1 A S ;;; WAN 1 – Distance 1
0.0.0.0/0 reachable wan1 1 wan1
2 S ;;; WAN 2 – Distance 1
0.0.0.0/0 unreachable wan2 1 wan2
3 S ;;; WAN 2 – Distance 2
0.0.0.0/0 unreachable wan3 2 wan3
4 S ;;; Default Route – Distance 3
0.0.0.0/0 unreachable wan2 2 wan2
5 S ;;; WAN 1 – Distance 2
0.0.0.0/0 unreachable wan2 2 wan2
6 S ;;; WAN 3 – Distance 3
0.0.0.0/0 unreachable wan2 3 wan2
7 ADS 0.0.0.0/0 reachable 201.211.128.1 0 wan1
8 S ;;; Default Route – Distance 2
0.0.0.0/0 unreachable wan3 3 wan3
9 S ;;; WAN 1 – Distance 3
0.0.0.0/0 unreachable wan3 3 wan3
10 S ;;; Default Route – Distance 1
0.0.0.0/0 reachable wan1 1 wan1
11 A S ;;; WAN 3 – Distance 2
0.0.0.0/0 reachable wan1 2 wan1
12 A S ;;; WAN 2 – Distance 3
0.0.0.0/0 reachable wan1 3 wan1
13 A S ;;; Static Route – WAN1
0.0.0.0/0 reachable wan1 1 wan1
14 S ;;; Static Route – WAN2
0.0.0.0/0 unreachable wan2 2 wan2
15 S ;;; Static Route – WAN3
0.0.0.0/0 unreachable wan3 3 wan3
16 ADC 192.168.1.0/32 192.168.1.1 0 Local
17 ADC 201.211.128.0/19 201.211.137.176 0 wan1
[admin@MikroTik] /ip firewall mangle> print
Flags: X – disabled, I – invalid, D – dynamic
0 ;;; Mark new inbound connection wan1
chain=input action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=new in-interface=wan1
1 ;;; Mark new inbound connection wan2
chain=input action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=new in-interface=wan2
2 ;;; Mark new inbound connection wan3
chain=input action=mark-connection new-connection-mark=wan3 passthrough=yes connection-state=new in-interface=wan3
3 ;;; Mark established inbound connection wan1
chain=prerouting action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=established in-interface=wan1
4 ;;; Mark established inbound connection wan2
chain=prerouting action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=established in-interface=wan2
5 ;;; Mark established inbound connection wan3
chain=prerouting action=mark-connection new-connection-mark=wan3 passthrough=yes connection-state=established in-interface=wan3
6 ;;; Mark related inbound connection wan1
chain=prerouting action=mark-connection new-connection-mark=wan1 passthrough=yes connection-state=related in-interface=wan1
7 ;;; Mark related inbound connection wan2
chain=prerouting action=mark-connection new-connection-mark=wan2 passthrough=yes connection-state=related in-interface=wan2
8 ;;; Mark related inbound connection wan3
chain=prerouting action=mark-connection new-connection-mark=wan3 passthrough=yes connection-state=related in-interface=wan3
9 ;;; Mark new inbound route wan1
chain=output action=mark-routing new-routing-mark=static-wan1 passthrough=no connection-mark=wan1
10 ;;; Mark new inbound route wan2
chain=output action=mark-routing new-routing-mark=static-wan2 passthrough=no connection-mark=wan2
11 ;;; Mark new inbound route wan3
chain=output action=mark-routing new-routing-mark=static-wan3 passthrough=no connection-mark=wan3
12 ;;; Mark traffic that isn’t local with PCC mark rand (3 possibilities) – option 1
chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes connection-state=new
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0
13 ;;; Mark traffic that isn’t local with PCC mark rand (3 possibilities) – option 2
chain=prerouting action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes connection-state=new
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1
14 ;;; Mark traffic that isn’t local with PCC mark rand (3 possibilities) – option 3
chain=prerouting action=mark-connection new-connection-mark=wan3_pcc_conn passthrough=yes connection-state=new
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2
15 ;;; Mark established traffic that isn’t local with PCC mark rand (3 possibilities) – option 1
chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes connection-state=established
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0
16 ;;; Mark established traffic that isn’t local with PCC mark rand (3 possibilities) – option 2
chain=prerouting action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes connection-state=established
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1
17 ;;; Mark established traffic that isn’t local with PCC mark rand (3 possibilities) – option 3
chain=prerouting action=mark-connection new-connection-mark=wan3_pcc_conn passthrough=yes connection-state=established
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2
18 ;;; Mark related traffic that isn’t local with PCC mark rand (3 possibilities) – option 1
chain=prerouting action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes connection-state=related
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0
19 ;;; Mark related traffic that isn’t local with PCC mark rand (3 possibilities) – option 2
chain=prerouting action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes connection-state=related
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1
20 ;;; Mark related traffic that isn’t local with PCC mark rand (3 possibilities) – option 3
chain=prerouting action=mark-connection new-connection-mark=wan3_pcc_conn passthrough=yes connection-state=related
dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2
21 ;;; Mark routing for PCC mark – option 1
chain=prerouting action=mark-routing new-routing-mark=wan1 passthrough=yes connection-mark=wan1_pcc_conn
22 ;;; Mark routing for PCC mark – option 2
chain=prerouting action=mark-routing new-routing-mark=wan2 passthrough=yes connection-mark=wan2_pcc_conn
23 ;;; Mark routing for PCC mark – option 3
chain=prerouting action=mark-routing new-routing-mark=wan3 passthrough=yes connection-mark=wan3_pcc_conn
[admin@MikroTik] /ip firewall mangle> /ip firewall nat
[admin@MikroTik] /ip firewall nat> print
0 X ;;; default configuration
chain=srcnat action=masquerade out-interface=wan1
1 chain=srcnat action=masquerade out-interface=wan1
2 chain=srcnat action=masquerade out-interface=wan2
3 chain=srcnat action=masquerade out-interface=wan3
[admin@MikroTik] /ip firewall nat> /ip dhcp-client
[admin@MikroTik] /ip dhcp-client> print
Flags: X – disabled, I – invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ;;; default configuration
wan1 yes yes bound 201.211.137.176/19
1 wan2 yes yes searching…
2 wan3 yes yes searching..
[admin@MikroTik] /ip dhcp-client> /ip dhcp-server
[admin@MikroTik] /ip dhcp-server> print
Flags: X – disabled, I – invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 X default wan2 default-dhcp 3d
1 dhcp1 Local dhcp_pool1 3d
[admin@MikroTik] /ip dhcp-server> /ip address
[admin@MikroTik] /ip address> print
Flags: X – disabled, I – invalid, D – dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 X ;;; default configuration
192.168.88.1/24 192.168.88.0 192.168.88.255 wan2
1 192.168.1.1/32 192.168.1.0 192.168.1.255 Local
2 D 201.211.137.176/19 201.211.128.0 201.211.159.255 wan1
Hi! can you update the config for 4 adsl? thanks
Hey Nicholas,
I’ll email you a 4-dsl version shortly. 🙂
Hi omega-00,
Thanks for fast response.
My setup is for cyber cafe with 45PCs using RB/750G, I have little knowledge about RouterOS, please help me to write the complete config including the pppoe dial up for 4 adsl line (with dynamic ip), and also the required ip route and ip firewall nat config. please help me to make it work, your help is much appreciated. Thank you.
Hi omega-00,
Loaded your 4-dsl config, it is working great, thanks.
Hi there. I would like to thank you ever so much for this script! I am currently load balancing across 10 interfaces on RB1100, and it’s working like a charm! I have two questions if I may:
1. I am using static DSL lines, so I have this router connected straight with public IPs. I would like to implement my firewall on any incoming traffic on all of my incoming lines, for any traffic. I did add a rule for each port, on the connection state ‘new’, but then the mangle rule of this config doesn’t mark the ‘static-wanpppoe’ on the output chain. What would be the way forward?
2. This balances traffic evenly across all interfaces. I currently have 4mbps lines on all the interfaces, so this is not a problem. But let’s presume I will get 2 lines on 10 mbps, and 1 line on 4mbps, will this config be intelligent enough to push through the amount of traffic allowed by each line, or would the config be different in concept? Once again, thank you!
Hi Wimpie,
1. If you’re just trying to use firewall rules you should be fine to tag them using the in or out interface flag or alternatively the src or dst address flags, however if you’re adding more mangle rules you have to take note of the passthrough option on the routing rules.
2. If you’re working with connections of different speeds the easiest way would be to divide your PCC rules up further. Eg: say you have 2 x 1Mbps connections and 1 x 2Mbps connections, divide this by the lowest common denominator and you have 4 x 1Mbps blocks. You then create 1 PCC rule for each block, where 2 of those blocks will be pointing to the 2Mbps connection.
I hope I’ve made myself understandable here, it’s a bit to wrap your head around 🙂
Will try to get that through my thick skull… At the moment I luckily don’t need it, but in South Africa we might be getting 10mbps lines, which will upgrade my current 4mbps, and as I will most probably do them 1 by 1, I will have to look at this. Once again, fantastic work, the Internet has never been this good!!
Hey there
I have two more questions if I may:
As you know, port 443 doesn’t like to get a changed IP once the connection has been established. I did try to send my 443 traffic straight through the PCC rules, but it didn’t work. I ended up mangling the 443 traffic, and sending it out through a specific interface, which works well. Any thoughts?
Then, I have a strange problem. As you know I have 10 lines with your configuration, and I can see that the traffic is evenly balanced across all the lines. My problem is, we have bad DSL here. I want to disable the interface when the Internet via that interface is currently offline. When I am doing a ping / traceroute, out of 10 lines, 7 I can ping / traceroute to any host from my RB1100. But from 3 of the interfaces, I can’t. It just times out, although the Internet is flowing through there from the internal side. It looks like it has something to do with the request coming from the Mikrotik itself. Thoughts?
Admin or Nicholas,
First of all hats off to you Admin for a wonderful job and others too keeping Admin’s mind crunching with new ideas and how to make the config better. 🙂
I would really appreciate it if either Nicholas or Admin could please send the 4dsl config. Thank you
Hi there
Still no answer ?
Hi Wimpie, sorry I’ve been away for the last 2 weeks interstate, following up on everything now 😉
It’s great when you get to travel. I hope your travel was not just all work and no play. Hope you had fun. Oh yes, I am really really waiting in anticipation for the 4 ADSL config. Umm, btw, will this config be any different if the four DSLs are from different providers?
Hi Slot,
Emailed you a copy. Config shouldn’t be any different using different providers unless you’re getting a higher speed from one provider than another.
In that case you expand the config out and skew it to prefer a particular link. So if you had 2 DSL’s you’d use the 3 DSL config and make it use the faster DSL for 2/3 parts.
Regards,
Omega-00
Cool thanx man, I posted something earlier. I will check for replies every now and then. Once again, great work !
Hi Omega….I think I have made a plan with my issue above, but would like to get your input, so that I can see if I made a stupid plan or a decent one.
Ah sorry, I thought I emailed you a reply.
Anyway, the config I use (in specific the “per-connection-classifier=both-addresses” bit) pushes connections to the same address out via the same link; provided you’re using that, any connections from a user to a set IP address shouldn’t change unless the ADSL drops out and forces them out another connection.
– Omega-00
Hi Omega-00,
Thank you very much. No problem you are a busy guy. We are just absolutely lucky that we get to see whole configs not just bits and pieces of your experience and research. Once again thank you very much. Cheers
Hi Omega
Is that something I have to do on the client side ? I have mangled my 443 traffic, and now the banking works fine. Without the rule, just with the rules in your config, it cuts me out of the banking.
Hi Omega
I just want to check something with you. I have grouped my rules in the mangle, but I am not sure how this is affecting my performance. I will give you the order, and you can correct me please?
For example:
2 x wan lines (wan1,wan2), and lan
order from top:
new inbound – wan1
established – wan1
related – wan1
routing mark – wan1 connections
new inbound – wan2
established – wan2
related – wan2
routing mark – wan2 connections
pcc – lan option 1 – conn mark wan1 – new
pcc – lan option 1 – conn mark wan1 – establish
pcc – lan option 1 – conn mark wan1 – related
conn mark – mark routing – wan1
pcc – lan option 1 – conn mark wan1 – new
pcc – lan option 1 – conn mark wan1 – establish
pcc – lan option 1 – conn mark wan1 – related
conn mark – mark routing – wan1
Please let me know
Thank you
PS: I can also send you the config if that is easier for you.
I normally work it the same way (as the ordering is important to the way inbound traffic is affected)
1. Inbound marking for wan interfaces
2. pcc marking for all internal traffic heading out
3. any other QoS rules or mangling that uses passthrough=no
Hi there
Do you think there is a way to script this ? So that I can just give the amount of Interfaces, and stick to some standard on the naming, and let a script add all the rules accordingly ?
I could probably work on something, however for more links the links would have to be all the same speed for it to work without modification.
All my lines are the same speed, so yes that would work for me. Should I work on it myself? I’m a noobie to scripting, but I guess I could get there….
The trick would just be to do everything recursively and pre-label the interfaces you wanted it to apply to.
Eg: use a script that assigns a variable to “interfaces” to match the number of interfaces you want. Then for each rule, run through $interfaces number of times.
I will get around to it later this week however scripting comes in very handy, you could probably do it yourself in a couple of hours using previous bits of script I’ve done as examples 😉
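The rule ordering and the speed-weighted PCC blocks described in the replies above can be generated mechanically. The following is an added example, not part of the original thread or the author's config: it assumes the thread's naming convention (mark `wanN`, interface `wanN-pppoe`, LAN interface `lan`), takes the block size as the greatest common divisor of the link speeds, and emits only the mangle section (routes and NAT are not generated).

```python
import re
from functools import reduce
from math import gcd

# Names end up inside pasted router commands, so only plain tokens are accepted.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
STATES = ("new", "established", "related")


def pcc_buckets(speeds):
    """Return one WAN mark name per PCC remainder, weighted by link speed.

    speeds maps a WAN mark name to its speed as a positive integer in any
    common unit. {"wan1": 1, "wan2": 1, "wan3": 2} gives four buckets, two
    of which belong to wan3.
    """
    if not speeds:
        raise ValueError("at least one WAN link is required")
    for name, speed in speeds.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe WAN name: {name!r}")
        if not isinstance(speed, int) or speed <= 0:
            raise ValueError(f"speed for {name} must be a positive integer")
    unit = reduce(gcd, speeds.values())
    buckets = []
    for name, speed in speeds.items():
        buckets.extend([name] * (speed // unit))
    return buckets


def mangle_rules(speeds, lan="lan", suffix="-pppoe"):
    """Build the /ip firewall mangle lines: inbound marking first, PCC second."""
    if not NAME_RE.fullmatch(lan) or (suffix and not NAME_RE.fullmatch(suffix)):
        raise ValueError("unsafe LAN interface name or suffix")
    buckets = pcc_buckets(speeds)
    wans = list(speeds)
    out = ["/ip firewall mangle"]

    # 1. Inbound marking: replies leave via the link the connection arrived on.
    for state in STATES:
        chain = "input" if state == "new" else "prerouting"
        for wan in wans:
            out.append(
                f'add action=mark-connection chain={chain} '
                f'comment="Mark {state} inbound connection {wan}" '
                f'connection-state={state} disabled=no in-interface={wan}{suffix} '
                f'new-connection-mark={wan} passthrough=yes')
    for wan in wans:
        out.append(
            f'add action=mark-routing chain=output '
            f'comment="Mark new inbound route {wan}" connection-mark={wan} '
            f'disabled=no new-routing-mark=static-{wan} passthrough=no')

    # 2. PCC marking for LAN traffic heading out: one rule per bucket and state.
    total = len(buckets)
    for state in STATES:
        for remainder, wan in enumerate(buckets):
            out.append(
                f'add action=mark-connection chain=prerouting '
                f'comment="PCC {state} - bucket {remainder + 1} of {total} to {wan}" '
                f'connection-state={state} disabled=no dst-address-type=!local '
                f'in-interface={lan} new-connection-mark={wan}_pcc_conn '
                f'passthrough=yes '
                f'per-connection-classifier=both-addresses:{total}/{remainder}')
    for wan in wans:
        out.append(
            f'add action=mark-routing chain=prerouting '
            f'comment="Mark routing for PCC mark - {wan}" '
            f'connection-mark={wan}_pcc_conn disabled=no '
            f'new-routing-mark={wan} passthrough=yes')
    return out


if __name__ == "__main__":
    # Constructed input: two 1 Mbps links and one 2 Mbps link.
    print("\n".join(mangle_rules({"wan1": 1, "wan2": 1, "wan3": 2})))
```

Review the printed rules before pasting them at the router prompt; any further mangle rules that use passthrough=no belong after this generated section.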
Thank you very much, I will try it and if I may, will ask you for tips. I will have to use some sort of loop, and some sort of array ? Which commands should I investigate for that ?
Hi, I am using a similar configuration, although I do not use pcc at the moment, only route traffic based on destination port, and I would like to ask you a question. I have trouble rerouting incoming traffic back to the same interface. My difference is I do not use dsl routers in bridge mode but as normal routers. That means that the dsl routers nat the traffic to mikrotik (which again nats the traffic to clients). I port forward all ports from dsl routers (192.168.1.254, 192.168.2.254 etc) to mikrotik wlan interfaces (192.168.1.1, 192.168.2.1 etc). I can connect to services (e.g. remote desktop) to a specific client computer, but only through the default route of that specific client.
Using
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=input in-interface=wlan3 action=mark-connection new-connection-mark=wlan3_conn
add chain=input in-interface=wlan4 action=mark-connection new-connection-mark=wlan4_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
add chain=output connection-mark=wlan3_conn action=mark-routing new-routing-mark=to_wlan3
add chain=output connection-mark=wlan4_conn action=mark-routing new-routing-mark=to_wlan4
Only enables me to connect to mikrotik from any wlan connection, but I still cannot connect to clients. How do I mark connections/packets coming from the wlan interfaces and route them back to the same interface?
Hi, I don’t understand the difference marking the rules with new, established and related. I think that works only marking without state connections. Is this correct?
Good
Hello admin,
Does PCC work with a PPPoE server? If your answer is yes then please make a config for me for 2x WAN.
here is my ip address detail
isp 1
ip address=192.168.1.2/24
gateway=192.168.1.1
isp 2
ip address=192.168.2.2/24
gateway=192.168.2.1
Local address (mikrotik)
10.10.0.1/24
Thanks in advance
Note: I want to configure a PPPoE server in MikroTik for PPPoE clients.
I hope you understand
Sorry if I’m wrong, but is this part of your script wrong?
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe
Should it not be:
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
Regards,
Matt.
Hi Matt,
Yeah should’ve been wan1,wan2,wan3 but in these rules the order doesn’t matter. It simply means that the default route will fall over to wan3 before it falls to wan2.
This won’t stop it from continuing to work in the event wan1 goes offline.
Thanks for pointing it out though, I’ll change it now 🙂
I see the above is for pppoe. Do you have or can you recommend a “reliable” config that works with all the different scenarios? (Scenarios are dhcp/dhcp, dhcp/pppoe, dhcp/static.) The ones I have come across are not very reliable.
http://wiki.mikrotik.com/wiki/Policy_Base_Routing
Hi Jerry,
This setup will also work for DHCP and/or static options, you simply need to ensure for each routing table (wan1,wan2,wan3) that a polling method has been setup for each route and that the failover routes don’t rely on receiving the same DHCP details each time (hint: use the interface as the gateway rather than an IP on DHCP interfaces).
How is SRCNAT configured for this scenario? Would there be a SRCNAT entry for each pppoe interface?
Correct, src-nat for each outbound interface.
Will this load balance multiple different TCP sessions from the same source IP across several links?
If you have the “both-addresses” mode selected (as in my example) then connections from the same src to the same dst address will be kept on 1 link.
This prevents causing issues for servers that expect multiple connections from the same source IP address (banks, game servers etc).
If your multiple TCP connections are going to different dst addresses then they will be sent across different links (as decided by the PCC).
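The stickiness described in this reply can be seen in a small model of the classifier. This is an added example, not RouterOS code or anything from the original post: it follows the documented PCC scheme (hash the selected header fields to a 32-bit value, divide by the denominator, compare the remainder) but uses SHA-256 as a stand-in hash, so the bucket numbers will not match a real router. The addresses are constructed samples.

```python
import hashlib
import ipaddress

MODES = ("both-addresses", "both-addresses-and-ports")


def pcc_remainder(src, dst, sport, dport, denominator, mode="both-addresses"):
    """Return the PCC bucket (0..denominator-1) for one connection.

    Only the fields named by the mode feed the hash, which is why the
    ports are ignored under both-addresses.
    """
    if mode not in MODES:
        raise ValueError(f"unsupported classifier mode: {mode}")
    if denominator < 1:
        raise ValueError("denominator must be at least 1")
    fields = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    if mode == "both-addresses-and-ports":
        fields += sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    # Stand-in hash (assumption): first 32 bits of SHA-256 over the fields.
    value = int.from_bytes(hashlib.sha256(fields).digest()[:4], "big")
    return value % denominator


def links_used(mode, connections, denominator=3):
    """Set of buckets, i.e. WAN links, that a list of connections lands on."""
    return {pcc_remainder(*conn, denominator, mode) for conn in connections}


# Constructed sample traffic from one LAN client.
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
# 200 HTTPS connections to one server, each from a different source port.
SAME_SERVER = [(CLIENT, SERVER, 40000 + i, 443) for i in range(200)]
# One connection each to 200 different servers.
MANY_SERVERS = [(CLIENT, f"203.0.113.{i}", 40000, 443) for i in range(1, 201)]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "same server ->", sorted(links_used(mode, SAME_SERVER)))
    print("both-addresses many servers ->",
          sorted(links_used("both-addresses", MANY_SERVERS)))
```

With both-addresses the 200 connections to one server share a single link, so the server sees one public address for the whole session; with both-addresses-and-ports the same connections spread over several links and therefore several public addresses.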
Thanks. Also, line 4 and line 14 seem to have the same logic, but different markings; could you please explain what you’re achieving by marking the same packet on two different lines?
Line 4 ends up being used for marking outbound traffic tagged as wan1 by the PCC rules.
Line 14 is used to ensure that traffic from an external source inbound (such as a winbox connection to the router) will always be passed out the same link it came in on (ensuring you have access to the router via any of the connected links and not just the default route).
OK, so mangle rules are to make sure packets go out the same WAN they came in; mangle is not used to load balance. Routing rules are used to load balance per session. Correct?
Rules 14-16 and 19-39 are used for ensuring traffic goes out the same WAN interfaces it comes in.
Rules 2-10 and 40-66 are used to achieve the load balancing + failover for load balancing if one of the links goes offline.
Rules 11-13 are the default routes with failover for connections originating from the router (eg: proxy out or DNS lookups)
Hope this clears things up 🙂
Hi There,
Thanks for that. The thing is, as soon as I disable these rules 10,11,12, no outbound packets work, so packets being marked aren’t actually trying to take the marked path; it’s like the packets are unmarked by the time they reach the routing table.
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe
Are you able to confirm that the “Distance 1” copies of all other routes (specifically the wan1 dist1, wan2 dist1, wan3 dist1) are showing as active?
Yep, they’re all active…
All good, looks like the default route is used to initiate the outbound connection so it’s required; the rest of the routes are used once the packet is marked there onwards.
I found your load balance using PCC the best example. The comments have made it much easier to understand – thank you.
I hope you can point me in the correct direction – I have been trying to find a way for the Mikrotik to send me an email if one of the links goes down. Basically if wan3-pppoe goes down and email is generated letting me know that specific interface is down.
Easiest way to do something like that would be to write a script (to be run periodically via the scheduler) that checks each of your interfaces (or specific routes) to see if they’re up or down and then emails you.
Alternatively monitor/poll each of the external IP addresses with the dude; or via a free service like http://uptimerobot.com/
I have been playing around with a few scripts but have not been successful – but uptimerobot.com looks like the perfect solution.
Thank you very much.
I have found one small problem which I have not been able to figure out..I created a port forwarding (port 80) rule in NAT to connect to a webserver for each of the In. Interfaces – the strange thing is when I try to connect to the webserver only wan3-pppoe works. If I try to connect via wan1-pppoe and wan2-pppoe no connection. Would I need some special mangle rules to fix this?
Can’t lines 19-35 just be summarised, because essentially you’re interested in just inbound traffic from the pppoe interfaces, so no need to worry about the state?
Hi,
This worked great with my 2 PPPoE connections setup. Even though it doesn’t merge connections but it really eases the load on one link by adding another.
I set it up for a small organization of 15 Users and was trying to implement a squid with the setup that it redirects traffic to squid on the same LAN switch Users connected to, but no luck.
Do you have any advice on how I can make MikroTik redirect to squid, then squid back to MikroTik, with the load balancing not affected? I would like to make squid run in transparent mode.
I would like also to hint that squid setup works when no load balancing is used and only with one PPPoE Con.
Here is my network topology:
PPPoE 2 Internet User1
| 192.168.0.0/24 |
Internet Wlan1- MT Router Load Balancing-Ether1 Switch ———- User 2
| |
PPPoE 1 Internet 192.168.0.5
Squid in
Transparent Mode *
* I do load balancing on two connections with the same ISP over two 12 Mbits PPPoE connected by wlan1 and I only have 1 ethernet port on my SXT router so I have to put squid on ether1 too.
** Without transparent mode, where I put proxy information in the User’s browser, it works just fine, but my goal is transparent mode because I am thinking of implementing the same setup with a larger organization where I don’t have to put proxy information.
I tried these rules on router:
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-port=80 protocol=tcp * even disabling or enabling this or the order of it had no luck
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-port=80 new-routing-mark=http passthrough=yes protocol=tcp
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.5 routing-mark=http scope=30 target-scope=10
Rules on the proxy server are:
# DNAT port 80 requests coming from LAN systems to squid 8080 transparent proxy.
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.5:8080
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Squid.conf:
#==============================
#Transparent Mode
#==============================
http_port 8080 transparent
acl mylocalnet src 0.0.0.0/0.0.0.0
http_access allow mylocalnet
Thank you so much,
Tom
Sorry, Here is my Net Topology
[IMG]http://i47.tinypic.com/b3n1o8.png[/IMG]
Thanks for the reply – but I am not sure what you mean. Are you able give an example?
I was trying to make your setup work with Squid in transparent mode with original source ip address on one NIC where squid is in the same subnet Users at. anyways, I eventually managed to make it work on my own.
The solution was,
Two NAT rules setup in this order
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=accept chain=srcnat connection-mark=adsl1_pcc_conn disabled=no \
dst-port=80 protocol=tcp src-address=!192.168.0.5 to-addresses=\
192.168.0.5 to-ports=8080
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2
add action=accept chain=srcnat connection-mark=adsl2_pcc_conn disabled=no \
dst-port=80 protocol=tcp src-address=!192.168.0.5 to-addresses=\
192.168.0.5 to-ports=8080
and two mangle rules put next after all the load balancing rules
add action=mark-routing chain=prerouting disabled=no dst-port=80 \
new-routing-mark=http passthrough=yes protocol=tcp src-address=\
!192.168.0.5
add action=mark-routing chain=prerouting disabled=no dst-port=80 \
new-routing-mark=http2 passthrough=yes protocol=tcp src-address=\
!192.168.0.5
and two routes like this:
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.0.5 routing-mark=http scope=30 target-scope=10
add check-gateway=arp disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
192.168.0.5 routing-mark=http2 scope=30 target-scope=10
Note my squid IP is 192.168.0.5 and clients are also connected to DHCP 192.168.0.0/24 and I am using one NIC on squid box. Firewall mangles HTTP traffic and routes it to squid. squid setup in transparent mode with only one iptables rule:
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to 192.168.0.5:8080
I am still facing one problem though: extreme delays in http request response. When I set the client browser to point to squid IP 192.168.0.5 and port 8080, it works perfectly with no delays, but when the client’s browser is not set up to point to squid, squid still works but there are delays in response. I don’t know what is causing that delay. Could it be DNS or what? I am sure it is not related to overload, cache performance or too low mem since it is working perfectly when the client is pointed to it. So what do you think is the problem? It has been intriguing me for a while.
The first 3 lines of this script on the IP Route are giving me an “invalid value for augment addr” Any ideas?
Hi Tom, please make sure the prompt shows [admin@UMikroTik] /ip route> before where you’re pasting these.
If not, it means you’ve left out the first line, namely “/ip route”, which sets the command context.
It’s lovely, just awesome… I replaced PCC with Both-Addresses-and-Ports and now it’s combining the bandwidth as well. What a charm… Just wasn’t able to find it anywhere on the internet.
Thumbs UP.
I would like to make Loadbalance for 2 WAN (PPPoE).
WAN1 – 10 Mbps
WAN2 – 13 Mbps
I found that some websites suggest adding some lines to maintain the unbalanced ratio.
Could you please verify the script below?
/ip route
add check-gateway=arp comment="WAN 2 - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1 - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 1 - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2 - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan2
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe
add check-gateway=arp comment="Static Route - WAN1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=static-wan1
add check-gateway=arp comment="Static Route - WAN2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=static-wan2
/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan1" connection-state=established disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan2" connection-state=established disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan2" connection-state=related disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 disabled=no new-routing-mark=static-wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 disabled=no new-routing-mark=static-wan2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=new disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=new disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=related disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=related disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="Mark routing for PCC mark - option 1" connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=yes
add action=mark-routing chain=prerouting comment="Mark routing for PCC mark - option 2" connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=yes
Hi there, I have a different configuration
WAN1 = DHCP Client
WAN2 = DHCP Client
WAN3 = DHCP Client
LAN = 10.10.10.1
Can you please tell me the configuration according to this for PCC load balancing?
Can the setup work for me? I have two ISPs, one is USM (ppp-client USB dongle) and the other one is with a router to mikrotik thru ether1. My Lan is on port 3 (hotspot-193.168.30.1/24), ether2 (10.11.6.1/24) and wlan1 (192.168.2.1/24). I want a situation where the ppp-client USB will be my primary ISP (WAN1) and my secondary ISP will be from (ether1). How will my settings or configuration be so that if the primary ISP is down, the secondary will come up, and if the primary comes up, it switches over to it?
thank you!!! very helpful how-to!!!
What does per-connection-classifier=both-addresses-and-ports:2/0 mean?
Can the setup work for me? I have two ISPs. Primary ISP IP 10.10.10.1 and secondary ip is 192.168.19, my lan is 172.16.0.1. How will my settings or configuration be so that if the primary ISP is down, the secondary will come up, and if the primary comes up, it switches over to it?
Congratulations!!
Nice work, bravo
I’m new to RouterOS and I realized that it is magical.
I used your code with an RB1100AHx2 and I used an RB750 as a PPPoE Server for testing. I used ether1,2,3 as gateways to the RB750 and ports 4,5 as local LAN.
The system works great.
Omega-00 is it possible to write a few words, like a small documentation for us the newbies? A few words for each set of rules, would be greatly appreciated.
And a last question:
I would like to use the Hotspot manager on the Lan side. Do you think it is possible?
Thanks again
Hi Andreas,
I tried to leave most of my comments in for rules so the explanation tells what they are doing but to fully understand how PCC works it is best to start off by reading the MikroTik wiki article then coming here and implementing the example code. This will mean you should also have a basic idea of why traffic will go out each of the links and how to increase it to cover more links or to preference more traffic out one specific link over others.
http://wiki.mikrotik.com/wiki/Manual:PCC is the main article but there is another good one here too: http://gregsowell.com/?p=2395
Hi Omega-00,
Please confirm the script for 2 WANs
It seems to be working but …. better be sure. thanks
/ip route
add check-gateway=arp comment="WAN 1 - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2 - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan2

add check-gateway=arp comment="WAN 1 - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2 - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan2

add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe

add check-gateway=arp comment="Static Route - WAN1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=static-wan1
add check-gateway=arp comment="Static Route - WAN2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=static-wan2

/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 passthrough=yes

add action=mark-connection chain=prerouting comment="Mark established inbound connection wan1" connection-state=established disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan2" connection-state=established disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 passthrough=yes

add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan2" connection-state=related disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 passthrough=yes

add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 disabled=no new-routing-mark=static-wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 disabled=no new-routing-mark=static-wan2 passthrough=no

add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (2 possibilities) - option 1" connection-state=new disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0

add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (2 possibilities) - option 2" connection-state=new disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1

add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (2 possibilities) - option 1" connection-state=established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (2 possibilities) - option 2" connection-state=established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1

add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (2 possibilities) - option 1" connection-state=related disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (2 possibilities) - option 2" connection-state=related disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1

add action=mark-routing chain=prerouting comment="Mark routing for PCC mark - option 1" connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=yes
add action=mark-routing chain=prerouting comment="Mark routing for PCC mark - option 2" connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=yes
Hi, I have an RB2011 MikroTik and am using PPTP client 9WAN, but all my PPTP traffic goes from one Ethernet. I want to fix it so my 1st PPTP traffic goes from Ethernet1 and the 2nd PPTP goes from eth2; along with this I want load balancing.
Hi can someone help in my script. I will post it below. Thanks. I am using RB1100AH
DSL MODEM IP’s
DSL MODEM 1 = 192.168.3.1
DSL MODEM 2 = 192.168.4.1
DSL MODEM 3 = 192.168.52.1
DSL MODEM 4 = 192.168.60.1
DSL MODEM 5 = 10.10.1.1
DSL MODEM 6 = 10.10.2.1
DSL MODEM 7 = 10.10.3.1
DSL MODEM 8 = 10.10.4.1
DSL MODEM 9 = 10.10.5.1
DSL MODEM 10 = 10.10.6.1
DSL MODEM 11 = 10.10.7.1
/ip address
add address=10.10.100.1/24 network=10.10.100.0 broadcast=10.10.100.255 interface=ether13
add address=172.16.100.1/24 network=172.16.100.0 broadcast=172.16.100.255 interface=ether12
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=ether1
add address=192.168.4.2/24 network=192.168.4.0 broadcast=192.168.4.255 interface=ether2
add address=192.168.52.2/24 network=192.168.52.0 broadcast=192.168.52.255 interface=ether3
add address=192.168.60.2/24 network=192.168.60.0 broadcast=192.168.60.255 interface=ether4
add address=10.10.1.2/24 network=10.10.1.0 broadcast=10.10.1.255 interface=ether5
add address=10.10.2.2/24 network=10.10.2.0 broadcast=10.10.2.255 interface=ether6
add address=10.10.3.2/24 network=10.10.3.0 broadcast=10.10.3.255 interface=ether7
add address=10.10.4.2/24 network=10.10.4.0 broadcast=10.10.4.255 interface=ether8
add address=10.10.5.2/24 network=10.10.5.0 broadcast=10.10.5.255 interface=ether9
add address=10.10.6.2/24 network=10.10.6.0 broadcast=10.10.6.255 interface=ether10
add address=10.10.7.2/24 network=10.10.7.0 broadcast=10.10.7.255 interface=ether11
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8,8.8.4.4
/ip firewall mangle
add chain=input in-interface=ether1 action=mark-connection new-connection-mark=ether1_conn
add chain=input in-interface=ether2 action=mark-connection new-connection-mark=ether2_conn
add chain=input in-interface=ether3 action=mark-connection new-connection-mark=ether3_conn
add chain=input in-interface=ether4 action=mark-connection new-connection-mark=ether4_conn
add chain=input in-interface=ether5 action=mark-connection new-connection-mark=ether5_conn
add chain=input in-interface=ether6 action=mark-connection new-connection-mark=ether6_conn
add chain=input in-interface=ether7 action=mark-connection new-connection-mark=ether7_conn
add chain=input in-interface=ether8 action=mark-connection new-connection-mark=ether8_conn
add chain=input in-interface=ether9 action=mark-connection new-connection-mark=ether9_conn
add chain=input in-interface=ether10 action=mark-connection new-connection-mark=ether10_conn
add chain=input in-interface=ether11 action=mark-connection new-connection-mark=ether11_conn
add chain=output connection-mark=ether1_conn action=mark-routing new-routing-mark=to_ether1
add chain=output connection-mark=ether2_conn action=mark-routing new-routing-mark=to_ether2
add chain=output connection-mark=ether3_conn action=mark-routing new-routing-mark=to_ether3
add chain=output connection-mark=ether4_conn action=mark-routing new-routing-mark=to_ether4
add chain=output connection-mark=ether5_conn action=mark-routing new-routing-mark=to_ether5
add chain=output connection-mark=ether6_conn action=mark-routing new-routing-mark=to_ether6
add chain=output connection-mark=ether7_conn action=mark-routing new-routing-mark=to_ether7
add chain=output connection-mark=ether8_conn action=mark-routing new-routing-mark=to_ether8
add chain=output connection-mark=ether9_conn action=mark-routing new-routing-mark=to_ether9
add chain=output connection-mark=ether10_conn action=mark-routing new-routing-mark=to_ether10
add chain=output connection-mark=ether11_conn action=mark-routing new-routing-mark=to_ether11
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=192.168.4.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=192.168.4.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=192.168.52.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=192.168.52.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=192.168.60.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=192.168.60.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=10.10.1.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=10.10.1.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=10.10.2.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=10.10.2.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=10.10.3.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=10.10.3.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=10.10.4.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=10.10.4.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=10.10.5.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=10.10.5.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=10.10.6.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=10.10.6.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address=10.10.7.0/24 action=accept in-interface=ether13
add chain=prerouting dst-address=10.10.7.0/24 action=accept in-interface=ether12
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/0 action=mark-connection new-connection-mark=ether1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/0 action=mark-connection new-connection-mark=ether1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/1 action=mark-connection new-connection-mark=ether2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/1 action=mark-connection new-connection-mark=ether2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/2 action=mark-connection new-connection-mark=ether3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/2 action=mark-connection new-connection-mark=ether3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/3 action=mark-connection new-connection-mark=ether4_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/3 action=mark-connection new-connection-mark=ether4_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/4 action=mark-connection new-connection-mark=ether5_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/4 action=mark-connection new-connection-mark=ether5_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/5 action=mark-connection new-connection-mark=ether6_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/5 action=mark-connection new-connection-mark=ether6_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/6 action=mark-connection new-connection-mark=ether7_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/6 action=mark-connection new-connection-mark=ether7_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/7 action=mark-connection new-connection-mark=ether8_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/7 action=mark-connection new-connection-mark=ether8_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/8 action=mark-connection new-connection-mark=ether9_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/8 action=mark-connection new-connection-mark=ether9_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/9 action=mark-connection new-connection-mark=ether10_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/9 action=mark-connection new-connection-mark=ether10_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether13 per-connection-classifier=both-addresses-and-ports:11/10 action=mark-connection new-connection-mark=ether11_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=ether12 per-connection-classifier=both-addresses-and-ports:11/10 action=mark-connection new-connection-mark=ether11_conn passthrough=yes
add chain=prerouting connection-mark=ether1_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether1
add chain=prerouting connection-mark=ether1_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether1
add chain=prerouting connection-mark=ether2_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether2
add chain=prerouting connection-mark=ether2_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether2
add chain=prerouting connection-mark=ether3_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether3
add chain=prerouting connection-mark=ether3_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether3
add chain=prerouting connection-mark=ether4_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether4
add chain=prerouting connection-mark=ether4_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether4
add chain=prerouting connection-mark=ether5_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether5
add chain=prerouting connection-mark=ether5_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether5
add chain=prerouting connection-mark=ether6_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether6
add chain=prerouting connection-mark=ether6_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether6
add chain=prerouting connection-mark=ether7_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether7
add chain=prerouting connection-mark=ether7_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether7
add chain=prerouting connection-mark=ether8_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether8
add chain=prerouting connection-mark=ether8_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether8
add chain=prerouting connection-mark=ether9_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether9
add chain=prerouting connection-mark=ether9_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether9
add chain=prerouting connection-mark=ether10_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether10
add chain=prerouting connection-mark=ether10_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether10
add chain=prerouting connection-mark=ether11_conn in-interface=ether13 action=mark-routing new-routing-mark=to_ether11
add chain=prerouting connection-mark=ether11_conn in-interface=ether12 action=mark-routing new-routing-mark=to_ether11
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_ether1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_ether2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.52.1 routing-mark=to_ether3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.60.1 routing-mark=to_ether4 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.1.1 routing-mark=to_ether5 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.2.1 routing-mark=to_ether6 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.3.1 routing-mark=to_ether7 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.4.1 routing-mark=to_ether8 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.5.1 routing-mark=to_ether9 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.6.1 routing-mark=to_ether10 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.7.1 routing-mark=to_ether11 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.52.1 distance=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.60.1 distance=4 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.1.1 distance=5 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.2.1 distance=6 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.3.1 distance=7 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.4.1 distance=8 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.5.1 distance=9 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.6.1 distance=10 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.7.1 distance=11 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
add chain=srcnat out-interface=ether4 action=masquerade
add chain=srcnat out-interface=ether5 action=masquerade
add chain=srcnat out-interface=ether6 action=masquerade
add chain=srcnat out-interface=ether7 action=masquerade
add chain=srcnat out-interface=ether8 action=masquerade
add chain=srcnat out-interface=ether9 action=masquerade
add chain=srcnat out-interface=ether10 action=masquerade
add chain=srcnat out-interface=ether11 action=masquerade
Hi there,
Nice info, thank you. What about games that have multiple IP addresses (dest. addr.) but your source address (WAN) needs to remain the same? A game might have one IP for a chat lobby, another for authentication and another for the game server.
What would you suggest in this case?
Hi Brandon,
In this case you could switch to just using the “src-address” to force each customer's traffic to always pick just one link.
You can mix and match these sorts of rules too if you’re willing to test them out; IE: Try using PCC on traffic to ports 80,443 with src & dst pairing, then use src-address only for ports 1000-65535 (to cover anything else) but your mileage may vary.
Andrew
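Added example (not part of the original post or its comments): a small Python simulation of the classifier choice discussed in the reply above, showing which connection marks one client's traffic receives under src-address, both-addresses and both-addresses-and-ports, plus the mixed policy. RouterOS's actual PCC hash is internal, so SHA-256 is used as a stand-in (an assumption); the client, server addresses and ports are constructed, and only the wan1_pcc_conn/wan2_pcc_conn mark names come from the page.

```python
"""Simulate how PCC rules spread connections over WAN links (added example)."""
import hashlib
import ipaddress

# Header fields each per-connection-classifier mode hashes.
CLASSIFIER_FIELDS = {
    "src-address": ("src",),
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}


def pcc_remainder(conn, classifier, denominator):
    """Hash the selected fields and reduce modulo the denominator.

    SHA-256 is a stand-in (assumption): RouterOS uses its own internal hash,
    so real remainders differ, but the grouping behaviour is the same.
    """
    data = b""
    for field in CLASSIFIER_FIELDS[classifier]:
        if field in ("src", "dst"):
            data += ipaddress.ip_address(conn[field]).packed
        else:
            data += conn[field].to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % denominator


def pcc_rules(classifier, marks, dports=range(0, 65536)):
    """Build one rule per link: classifier:N/0 -> marks[0], N/1 -> marks[1], ..."""
    n = len(marks)
    return [
        {"classifier": classifier, "den": n, "rem": i, "mark": m, "dports": dports}
        for i, m in enumerate(marks)
    ]


def connection_mark(conn, rules):
    """Return the connection mark of the first matching rule, or None.

    The rule sets built below never overlap, so rule order does not matter.
    """
    for r in rules:
        if conn["dport"] not in r["dports"]:
            continue
        if pcc_remainder(conn, r["classifier"], r["den"]) == r["rem"]:
            return r["mark"]
    return None


def marks_per_client(conns, rules):
    """Map each source address to the set of marks its connections received."""
    seen = {}
    for c in conns:
        seen.setdefault(c["src"], set()).add(connection_mark(c, rules))
    return seen


MARKS = ["wan1_pcc_conn", "wan2_pcc_conn"]

# Constructed sample: one LAN client talking to a game's lobby, login and
# game servers (documentation addresses), 60 connections to each.
GAME = [
    {"src": "10.10.10.50", "dst": dst, "sport": 40000 + i, "dport": dport}
    for dst, dport in (("198.51.100.10", 6112), ("198.51.100.20", 443),
                       ("203.0.113.30", 27015))
    for i in range(60)
]

# The reply's mixed policy: pair hashing for web ports, source-only for the rest.
MIXED = (pcc_rules("both-addresses", MARKS, dports=(80, 443))
         + pcc_rules("src-address", MARKS, dports=range(1000, 65536)))

if __name__ == "__main__":
    for name in CLASSIFIER_FIELDS:
        print(name, marks_per_client(GAME, pcc_rules(name, MARKS)))
    print("mixed", marks_per_client(GAME, MIXED))
```

With src-address the client always leaves through a single link, while both-addresses-and-ports spreads the same client's sessions over both links, which is what breaks services that expect one source address.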
Dear Matt.
I am trying to set up my MikroTik by following your tutorial and I am facing a problem.
[admin@MikroTik] /ip route> add check-gateway=arp comment=”Static Route – WAN1″ di
sabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=static-
wan1
invalid value for argument gw:
invalid value for argument address
input does not match any value of interface
invalid value for argument addr
That goes for all the setup in ip route.
I am simply pasting into a clear config MikroTik 750. Could you help me please?
I know this is an old post but I’d just like to thank you for it. It’s the clearest PCC setup I’ve found and worked perfectly for me. Thanks.
Steve
Glad to hear it’s still useful to others; I still come back here and copy it sometimes too 🙂
I may have spoken too soon! My “lan” interface is ether2 and that’s the switch master port for ports 3 and 4. Port 4 has all of our VoIP traffic from the LAN and once these rules are implemented the phones start dropping, seemingly at random. Will the rule specifying ether2 as the interface mangle traffic from 3 and 4 as well (as it’s the master port) or do I need to specify ports 3 and 4 in their own mangle rules?
Andreas K. From way back on May 24, 2013 at 12:58 am
You asked:
“And a last question:
I would like to use the Hotspot manager on the Lan side. Do you think it is possible?”
Hotspot seems to work just fine. But, not knowing if it’s needed, I did add in all 9 prerouting, that have the Per Connection Classifier 3/0, 3/1, 3/2.
In: Extra, Hotspot, auth
Now the reason is that in every PCC w/Hotspot this has been done to make it work.
Good Luck if you are still looking into this. I would hope not.
/rk
Hello, omega-00, you are awesome! The script worked like a charm after weeks of testing different mangle rules. Thank-you
Hi admin ,
Is it OK that lines 46 to 61 are balancing related and established connections?
Awesome job.
Regards.