/interface bridge
add disabled=yes name=FIBER_Bridge
/interface ethernet
set [ find default-name=ether1 ] name="ether1-WAN 1"
set [ find default-name=ether2 ] name="ether2-WAN 2"
set [ find default-name=ether3 ] name="ether3-LAN 1"
set [ find default-name=ether4 ] name="ether4-LAN 2"
/interface pppoe-client
add add-default-route=yes disabled=no interface="ether2-WAN 2" name=\
    FIBER_PPPoE password=0000000 user=0842
add add-default-route=yes disabled=no interface="ether1-WAN 1" name=\
    VDSL_PPPoE password=0000000 user=0842
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=VDSL ranges=192.168.1.20-192.168.1.254
add name=FIBER ranges=192.168.2.20-192.168.2.254
/ip dhcp-server
add address-pool=VDSL disabled=no interface="ether3-LAN 1" name=VDSL-DHCP
add address-pool=FIBER disabled=no interface="ether4-LAN 2" name=FIBER-DHCP
/ip address
add address=192.168.1.1/24 interface="ether3-LAN 1" network=192.168.1.0
add address=192.168.2.1/24 interface="ether4-LAN 2" network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=220.127.116.11 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=18.104.22.168 gateway=192.168.2.1
/ip firewall mangle
add action=mark-routing chain=prerouting comment="LAN1 go to WAN1" \
    new-routing-mark=LAN1_TO_WAN1 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting comment="LAN2 go to WAN2" \
    new-routing-mark=LAN2_TO_WAN2 passthrough=yes src-address=192.168.2.0/24
add action=accept chain=prerouting comment="Allow ping gateway LAN1" \
add action=accept chain=prerouting comment="Allow ping gateway LAN2" \
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VDSL_PPPoE
add action=masquerade chain=srcnat out-interface=FIBER_PPPoE
/ip route
add comment="Change the gateway to the ISP's one - VDSL LINE!!!" distance=1 gateway=\
add comment="Change the gateway to the ISP's one - FIBER LINE!!!" distance=1 \
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api address=192.168.1.1/32,192.168.2.1/32
set winbox address=192.168.1.1/32,192.168.2.1/32
set api-ssl address=192.168.1.1/32,192.168.2.1/32
/system scheduler
add interval=5d name="Sys Auto Reboot " on-event="/system reboot" policy=\
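One thing in the export above deserves a closer look before it is reused. The `address=` parameter of `/ip service` is an allow-list of client source addresses, and the export sets it to `192.168.1.1/32,192.168.2.1/32`, which are the router's own LAN addresses. As written, the only host that matches is the router itself, so a Winbox or API session from a PC on either LAN is refused. The following is an added example, not part of the exported config, showing that setting beside a corrected one that admits the two LAN subnets and keeps the plaintext services disabled. The subnets are taken from the export; which hosts should really be allowed is a site decision (narrowing the list to an admin workstation is better than a whole subnet).

```routeros
# Added example, not part of the export above.

# Weak (as exported): the allow-list contains the router's own addresses,
# so only connections that originate on the router itself can reach Winbox.
/ip service
set winbox address=192.168.1.1/32,192.168.2.1/32

# Corrected: allow the management clients on the two LAN subnets instead.
# Plaintext services stay off; every service that remains enabled gets the
# same restriction. Disable api/api-ssl as well if nothing on site uses them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox address=192.168.1.0/24,192.168.2.0/24
set api address=192.168.1.0/24,192.168.2.0/24
set api-ssl address=192.168.1.0/24,192.168.2.0/24

# Check: every service that is still enabled should show a non-empty
# address list, and none of them should be reachable from the WAN side.
/ip service print where disabled=no
```

Apply the corrected block from a session that will survive it (a serial console, or a Winbox session already established from an address in the new list); the change takes effect immediately.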
So you want your MikroTik router rebooted every day at 6 a.m., before the business day starts, to head off random issues?
In Winbox, open a New Terminal and enter this one-line command:
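The scheduler entry in the export above fires every five days counted from the moment it was added (`interval=5d`, no `start-time`). The following is an added example, not the command from the original post, pinning the reboot to 06:00 router-local time as the text describes. It assumes the router's clock is correct (time zone set and an NTP client enabled); `/system reboot` requires the `reboot` policy, so the entry carries exactly that policy and nothing broader.

```routeros
# Added example: reboot every day at 06:00 local time.
# Assumes the system clock is correct; a scheduler with a wrong clock fires
# at the wrong time, and with no clock source at all it fires relative to boot.
/system scheduler
add name="Sys Auto Reboot" start-time=06:00:00 interval=1d \
    on-event="/system reboot" policy=reboot comment="Daily 06:00 reboot"

# Check: confirm the entry exists and see when it will next run.
/system scheduler print detail where name="Sys Auto Reboot"
```

Keeping `policy=reboot` only (rather than the full policy set Winbox offers by default) means that if the script body is ever altered, it still cannot read or write the configuration.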
Some of the most requested topics folks ask me for are multi-WAN and load balancing implementations. Unfortunately, as easy as most solutions are on MikroTik, these aren’t simple. Many vendors like Ubiquiti have wizards that you can use during the initial device setup to configure multi-WAN and load balancing, but that hasn’t come to RouterOS yet. Those wizard-based implementations are still complex, but that complexity is hidden from the device administrators.
Using a load balanced multi-WAN setup helps us meet a few design goals:
- Failover in case of ISP failure
- Increase total available bandwidth for users
- Distribute bandwidth utilization across providers
Something that should be noted before you go further: this is a fairly complex topic. Multi-WAN and load balancing requires us to configure multiple gateways and default routes, connection-mark and routing-mark Mangle rules, and multiple outbound NAT rules. If you aren't familiar with MikroTik firewalls, routing, and NAT then it might be best to put this off until you've had some time to revisit those topics.
A single MikroTik router is connected to two ISPs (Charter and Integra Telecom) on ether1 and ether2 respectively, and a LAN on ether3. Traffic from the LAN will be NAT’d out both WAN ports and load balanced. See the topology below:
Configure the local IP addresses:
/ip address
add address=22.214.171.124/24 interface=ether1 comment="Charter"
add address=126.96.36.199/24 interface=ether2 comment="Integra Telecom"
add address=192.168.1.1/24 interface=ether3 comment="LAN Gateway"
Set the default gateways:
/ip route
add dst-address=0.0.0.0/0 check-gateway=ping gateway=188.8.131.52,184.108.40.206
NAT (masquerade) out the WAN ports:
/ip firewall nat
add action=masquerade chain=srcnat comment="Charter" out-interface=ether1
add action=masquerade chain=srcnat comment="Integra Telecom" out-interface=ether2
At this point you could stop configuring the router and things would work in a failover situation. Because the route has check-gateway=ping, should one of the two providers go down its gateway is marked unreachable and the other is used. However this gives you no load balancing that you control, and no guarantee about which provider a given connection uses; it is strictly a failover solution. Most organizations wouldn't want to pay for a second circuit only to have it used when the first goes down.
Input Output Marking
One problem with having more than one WAN is that packets coming in one WAN interface might go out the other. This could cause issues, and may break VPN-based networks. We want packets that belong to the same connection to go in and out the same WAN port. Should one provider go down, the connections across that port would die, then get re-established over the other WAN. Mark connections coming into the router on each WAN:
/ip firewall mangle
add action=mark-connection chain=input comment="Charter Input" in-interface=ether1 new-connection-mark="Charter Input"
add action=mark-connection chain=input comment="Integra Telecom Input" in-interface=ether2 new-connection-mark="Integra Telecom Input"
This helps the router keep track of what port each connection came in from.
Now we’ll use the connection mark just created for packets coming IN to trigger a routing mark. This routing mark will be used later on in a route that tells a connection which provider’s port to go OUT.
/ip firewall mangle
add action=mark-routing chain=output comment="Charter Output" connection-mark="Charter Input" new-routing-mark="Out Charter"
add action=mark-routing chain=output comment="Integra Telecom Output" connection-mark="Integra Telecom Input" new-routing-mark="Out Integra Telecom"
Connections that have been marked then get a routing mark so the router can route the way we want. In the next step we’ll have the router send packets in the connections with those marks out the corresponding WAN interface.
LAN Route Marking
Some special Mangle rules are needed to tell the router to load balance traffic headed across the router from the LAN. How this load balancing works is beyond the scope of this article, but suffice to say a lot of hashing happens: the per-connection classifier hashes the selected header fields of each connection and assigns it to one of the configured groups. If you want to learn more check out the MikroTik documentation.
These rules tell the router to balance traffic coming in ether3 (LAN), heading to any non-local (!local) address over the Internet. We grab the traffic in the pre-routing chain, so we can redirect it to the WAN port that we want based on the routing mark.
The following commands balance ether3 LAN traffic across two groups:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="LAN load balancing 2-0" \
    dst-address-type=!local in-interface=ether3 new-routing-mark="Out Charter" \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting comment="LAN load balancing 2-1" \
    dst-address-type=!local in-interface=ether3 new-routing-mark="Out Integra Telecom" \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
NOTE: The routing marks above are the same in this step as they were in the previous step, and correspond with the routes we’re about to create.
Special Default Routes
At this point we’ve marked connections coming in the WANs, and used those connection marks to create routing marks. LAN load balancing steps above also create routing marks, and they correspond with what the next step does. Create default routes that grab traffic with the routing marks we created above:
/ip route
add distance=1 gateway=220.127.116.11 routing-mark="Out Charter"
add distance=1 gateway=18.104.22.168 routing-mark="Out Integra Telecom"
Note: These routes only get applied with a matching routing mark. Unmarked packets use the other default route rule created during router setup.
Connections that came in on the Charter interface get a connection mark. That connection mark triggers a routing mark on the router's replies. The routing mark matches the route above, so the return packet goes out the interface the connection came in on.
Here’s what we’ve configured:
- New connections inbound on a WAN get marked
- Connections with that mark get a routing mark
- LAN traffic heading outbound gets load balanced with the same routing marks
- Routing marks match default gateway routes and head out that interface
- Wash, Rinse, Repeat
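As an added example that is not the article's own set of commands, here is the whole procedure in one script, arranged the way I would deploy it. Two things differ from the steps above. First, the LAN rules hash a connection once, on its first packet (connection-state=new), and store the result as a connection mark; every later packet of that connection gets its routing mark from the connection mark, so a connection cannot be re-hashed onto the other provider mid-stream and replies to port forwards leave on the WAN they arrived on. Second, the marked default routes carry check-gateway=ping, so a dead provider's route goes inactive and its marked traffic falls back to the main table (the RouterOS v6 behaviour; confirm it on the version you run). The WAN addresses and gateways are documentation placeholders (198.51.100.0/24 for Charter, 203.0.113.0/24 for Integra Telecom), the connection-mark names "Charter Conn" and "Integra Telecom Conn" are my own, and the interface and routing-mark names are the article's. The `/routing table` lines are for RouterOS v7, where a routing mark must exist as a table before routes or mangle rules can reference it and the route parameter is `routing-table=` rather than `routing-mark=`; omit them on v6.

```routeros
# Added example: two-WAN PCC load balancing with per-connection persistence.
# Placeholder addressing: 198.51.100.2/24 via 198.51.100.1 (Charter, ether1),
#                         203.0.113.2/24 via 203.0.113.1 (Integra Telecom, ether2).
/ip address
add address=198.51.100.2/24 interface=ether1 comment="Charter"
add address=203.0.113.2/24 interface=ether2 comment="Integra Telecom"
add address=192.168.1.1/24 interface=ether3 comment="LAN Gateway"

# RouterOS v7 only: routing marks are routing tables and must be created first.
/routing table
add name="Out Charter" fib
add name="Out Integra Telecom" fib

/ip firewall mangle
# 1. Anything that arrives on a WAN (to the router or forwarded) is tied to
#    that WAN by a connection mark, set on the first packet only.
add chain=input in-interface=ether1 connection-state=new action=mark-connection \
    new-connection-mark="Charter Conn" comment="Charter Input"
add chain=input in-interface=ether2 connection-state=new action=mark-connection \
    new-connection-mark="Integra Telecom Conn" comment="Integra Telecom Input"
add chain=prerouting in-interface=ether1 connection-state=new action=mark-connection \
    new-connection-mark="Charter Conn" comment="Charter forward in"
add chain=prerouting in-interface=ether2 connection-state=new action=mark-connection \
    new-connection-mark="Integra Telecom Conn" comment="Integra Telecom forward in"
# 2. New LAN connections to the Internet: hash once, remember the group as a
#    connection mark. dst-address-type=!local keeps traffic to the router's own
#    addresses out of the balancing so LAN hosts can still reach the gateway.
add chain=prerouting in-interface=ether3 dst-address-type=!local connection-state=new \
    per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection \
    new-connection-mark="Charter Conn" passthrough=yes comment="LAN PCC 2/0"
add chain=prerouting in-interface=ether3 dst-address-type=!local connection-state=new \
    per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection \
    new-connection-mark="Integra Telecom Conn" passthrough=yes comment="LAN PCC 2/1"
# 3. Routing marks are derived from the connection mark, for forwarded packets
#    (prerouting, LAN side) and for the router's own replies (output).
add chain=prerouting in-interface=ether3 connection-mark="Charter Conn" \
    action=mark-routing new-routing-mark="Out Charter" passthrough=no
add chain=prerouting in-interface=ether3 connection-mark="Integra Telecom Conn" \
    action=mark-routing new-routing-mark="Out Integra Telecom" passthrough=no
add chain=output connection-mark="Charter Conn" action=mark-routing \
    new-routing-mark="Out Charter" comment="Charter Output"
add chain=output connection-mark="Integra Telecom Conn" action=mark-routing \
    new-routing-mark="Out Integra Telecom" comment="Integra Telecom Output"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="Charter"
add chain=srcnat out-interface=ether2 action=masquerade comment="Integra Telecom"

/ip route
# Marked traffic: one health-checked default route per table.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark="Out Charter" \
    check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark="Out Integra Telecom" \
    check-gateway=ping distance=1
# Unmarked traffic (main table): primary and backup.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=203.0.113.1 check-gateway=ping distance=2

# Checks: roughly half of the LAN connections should carry each mark, and a
# given connection's mark must not change while it lives.
/ip firewall connection print where connection-mark="Charter Conn"
/ip firewall connection print where connection-mark="Integra Telecom Conn"
/ip route print where routing-mark="Out Charter"
```

The two unmarked main-table routes replace the article's single ECMP route; they are what new connections use while a marked route is inactive. If you keep the ECMP route instead, the rest of the script is unchanged.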
Down and dirty version. The command line version is below the Winbox instructions. Let’s say you have a DVR that has a static IP of 192.168.1.200, and you need to forward port 3999.
1) Go to IP -> Firewall -> NAT (Figure 1-1).
2) Click the “+” to add a new NAT rule. Modify the “Chain” to “dstnat”, “Protocol” to “tcp”, and “Dst. Port” to “3999”. Set the “In. Interface” to your WAN port. (Note: You are telling the router that any traffic coming IN from the Internet on port 3999 should follow this rule. If you forget this step, the router will grab ANY traffic on port 3999 and send it to the IP you specify in the next step) (Figure 1-2).
3) Click the “Action” tab, change the “Action” value to “dst-nat”, the “To Addresses” to “192.168.1.200” and “To Ports” to “3999” (Figure 1-3).
Type the following value into a Terminal window to enter this port forwarding rule.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=3999 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.1.200 to-ports=3999
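The rule above exposes TCP port 3999 on the DVR to the whole Internet, and relies on the default firewall accepting any connection that has been dst-natted. As an added example that is not part of the original how-to, here is the same forward limited to a list of permitted remote networks, with an explicit forward-chain accept that depends on that list and an input-chain rule that logs and drops everything else aimed at the port (a packet from a source not on the list is never translated, so it is addressed to the router itself and lands in the input chain, not forward). The address-list entries are placeholders; the interface name ether1-gateway and the DVR address are the ones from the how-to.

```routeros
# Added example: port forward restricted to an allow-list of remote sources.
/ip firewall address-list
add list=dvr-allowed address=198.51.100.0/24 comment="branch office (placeholder)"
add list=dvr-allowed address=203.0.113.7 comment="monitoring company (placeholder)"

/ip firewall nat
# Only listed sources are translated; everyone else is left untouched and
# ends up at the router's own input chain below.
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=3999 \
    src-address-list=dvr-allowed action=dst-nat \
    to-addresses=192.168.1.200 to-ports=3999 comment="DVR from allowed sites only"

/ip firewall filter
# Put these above any generic "accept dstnat" rule so the forward is gated by
# the list rather than by the blanket rule. Assumes the usual
# "accept established,related" rule already exists in the forward chain.
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.1.200 \
    dst-port=3999 connection-nat-state=dstnat src-address-list=dvr-allowed \
    action=accept comment="DVR allowed"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=3999 \
    connection-state=new action=drop log=yes log-prefix="dvr-denied " \
    comment="DVR denied"

# Checks: hit counters on the NAT rule, and denied attempts in the log.
/ip firewall nat print stats where comment="DVR from allowed sites only"
/log print where message~"dvr-denied"
```

Adding a site later is a single address-list entry; nothing in the NAT or filter rules needs to change.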