Load Balancing Two or More WAN Connections With Failover

Rules:
/ip address
add address=YOUR LAN IP interface=LAN
add address=YOUR WAN1 IP interface=WAN1
add address=YOUR WAN2 IP interface=WAN2

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=YOUR WAN1 SUBNET action=accept in-interface=LAN
add chain=prerouting dst-address=YOUR WAN2 SUBNET action=accept in-interface=LAN

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=YOUR WAN1 GATEWAY routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN2 GATEWAY routing-mark=to_WAN2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=YOUR WAN1 GATEWAY distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=YOUR WAN2 GATEWAY distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

IF YOU HAVE HOTSPOT ENABLED, ADD THIS

/ip firewall nat
add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth
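
How the two per-connection-classifier rules in the mangle section split LAN connections between the WANs, and how to check a PCC rule set for remainders that can never match or are never covered. This is an added example, not part of the original post: the SHA-256 hash is a stand-in for RouterOS's own hash, and the function names and sample flows are constructed for illustration.

```python
import hashlib
import re

# Packet fields each classifier hashes (two of RouterOS's PCC classifiers).
FIELDS = {"both-addresses": ("src", "dst"),
          "both-addresses-and-ports": ("src", "dst", "sport", "dport")}
# The two PCC rules from the mangle section above: (classifier spec, connection mark).
PAGE_RULES = [("both-addresses-and-ports:2/0", "WAN1_conn"),
              ("both-addresses-and-ports:2/1", "WAN2_conn")]

def parse_pcc(spec):
    """Split 'both-addresses-and-ports:2/0' into (classifier, denominator, remainder)."""
    m = re.fullmatch(r"([a-z-]+):(\d+)/(\d+)", spec)
    if not m or m.group(1) not in FIELDS or int(m.group(2)) == 0:
        raise ValueError(f"bad PCC spec: {spec!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def bucket(conn, classifier, denominator):
    """Stand-in hash (SHA-256, not RouterOS's own): same fields always give the same bucket."""
    key = "|".join(str(conn[f]) for f in FIELDS[classifier]).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % denominator

def classify(conn, rules):
    """Connection mark of the first rule whose remainder matches, else None (unmarked)."""
    for spec, mark in rules:
        classifier, den, rem = parse_pcc(spec)
        if bucket(conn, classifier, den) == rem:
            return mark
    return None

def lint(rules):
    """Return (rules that can never match, denominator/remainder pairs no rule covers)."""
    parsed = [(spec,) + parse_pcc(spec)[1:] for spec, _ in rules]
    dead = [spec for spec, den, rem in parsed if rem >= den]  # hash % den is always < den
    covered = {(den, rem) for _, den, rem in parsed}
    missing = [f"{d}/{r}" for d in sorted({den for _, den, _ in parsed})
               for r in range(d) if (d, r) not in covered]
    return dead, missing

def distribution(rules, n=1000):
    """Count marks over n constructed LAN flows (documentation-range destinations)."""
    counts = {}
    for i in range(n):
        conn = {"src": f"192.168.88.{10 + i % 50}", "dst": f"203.0.113.{i % 200}",
                "sport": 40000 + i, "dport": 443}
        mark = classify(conn, rules)
        counts[mark] = counts.get(mark, 0) + 1
    return counts
```

With `both-addresses-and-ports`, two connections from the same client to the same server can leave through different WANs and so arrive from different public addresses; `both-addresses` keeps such a pair on one link.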

43 COMMENTS

  1. This code worked for me, but I have a problem: I have forwarded port 3389 on both WANs. When both are enabled, forwarding works on WAN1 and not on WAN2, or vice versa, and sometimes on neither of the WANs. What must I do to make it work? I have to disable one of the WANs to make it work for now.
    Please help 🙁

  2. THANKS, FRIEND, FOR THE TUTORIAL. I COMBINED THE TWO LINES I HAD, EACH OF 4 MEGS, AND NOW WHEN I RUN THE TEST I GET APPROXIMATELY 8 MEGS. GREETINGS FROM PERU, GOD BLESS YOU.

  3. Hi, I'm new at this. Can you tell me what is wrong with the script?

    /ip address
    add address=192.168.1.1/24 interface=LAN
    add address=192.168.1.3/24 interface=WAN1
    add address=192.168.2.3/24 interface=WAN2

    /ip firewall mangle
    add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
    add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

    add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
    add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

    add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=LAN
    add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=LAN

    add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/2 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/3 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes

    add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
    add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2

    /ip route
    add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
     
    add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

    /ip firewall nat
    add chain=srcnat out-interface=WAN1 action=masquerade
    add chain=srcnat out-interface=WAN2 action=masquerade

    Thanks

  4. I have a few questions for you. When you had:
    "add chain=prerouting dst-address=YOUR WAN1 SUBNET action=accept in-interface=LAN
    add chain=prerouting dst-address=YOUR WAN1 SUBNET action=accept in-interface=LAN"
    did you mean WAN2 on the second?
    Second question: on the ip route, why did you put the distance on their own and not on the first ones with the mark? Do these need to be separated?

  5. Help, how can I add 2 WANs with static IP addresses as follows:

    1 isp
    ip address 210.4.113.185
    subnet 255.255.255.248
    gateway 210.4.113.183
    dns 202.69.191.11
    dns 202.69.165.11

    2 isp
    ip address 110.45.103.135
    subnet 255.255.255.252
    gateway 110.45.103.133
    dns 203.176.116.18

    How to load balance and failover?

  6. Dear Raymond Rudman,
    how can you help me make load balancing for 8 broadband connections and then create broadband servers for users
    and create limits for download and upload?
    I will be waiting for your help.
    Sincerely

  7. Awesome thing. Works great, but tell me 1 thing which I can't fix because I am missing something.

    Why can't I ping or access IPs in the WAN1 and WAN2 networks? What should I add?
    I added a static route to the WAN1 subnet from the LAN subnet, but I get "network unreachable".

    Some easy fix to be able to ping/connect from LAN subnet/network to WAN1 and WAN2 subnet PC's/devices?

    EDIT: found the problem, my WAN2 was an internet connection from a mikrotik router working as a pure switch, seems there are issues if the WAN connection comes from a switch…

  8. Thanks for the tutorial. I have two networks, one for normal users and another with a hotspot. The normal users work without problems; I run the test and it adds up the two WANs. But the hotspot users cannot do anything: they do not get the login page, etc. However, if the user is already logged in they can keep browsing, and when we run a speed test it shows the two WANs added together, but if the user tries to get in from scratch they cannot get on the internet.
    Thanks

  9. Hi
    I have already set up PPPoE and hotspot with userman on 1 WAN. I want to add another WAN. Can I type in this configuration with the WAN IPs, and will it work in my case?

    I am very new to MikroTik, please help.

    Thanks in advance.

  10. Great job, man! It works like a charm!
    Just a note: if the carrier of one of the two WAN connections goes down but the ISP router/gateway that you have in your LAN segment continues to respond to the ping, the failover does not work because the rules feel that the gateway is still up and reachable.
    In this case, what would you do?

  11. It works when WAN1 is down; the route automatically switches to WAN2.
    The problem is, when WAN1 is UP again after being DOWN, the connection is timed out… unless I manually disable WAN2 and enable WAN2 again.
    Help, anyone? Ty

  12. I'm having some problems with MikroTik. Amm, I have a WAN connection of 4 mb. Now there is some problem with that connection, so it slowed down, so I decided to merge another WAN connection. I know some networking principles but am a newbie in MikroTik; I watched videos on load balancing. So when I merge two WANs it works perfectly and hotspot runs fine, but PPPoE doesn't get internet access. Note: I first set up hotspot and PPPoE for 1 WAN, and it works perfectly.
    WAN 1: 192.168.98.2 | 4 mb
    WAN 2: 192.168.97.2 | 2mb
    LAN : 172.16.1.1/24 with hotspot
    PPPOE: 172.16.3.1/24

    my code

    ip>firewall>mangle chain: prerouting, in interface: ether5, connection state: new, nth: every:2, packet:1, action: mark connection, new connection mark: conn_1, passthrough: check

    chain: prerouting, in interface: ether5, connection mark: conn_1, action: mark routing, new routing mark: conn_1, passthrough: uncheck

    chain: prerouting, in interface: ether5, connection state: new, nth: every:1, packet:1, action: mark connection, new connection mark: conn_2, passthrough: check

    chain: prerouting, in interface: ether5, connection mark: conn_2, action: mark routing, new routing mark: conn_2, passthrough: uncheck

    ip>firewall>nat chain: srcnat, out interface: ether1, connection mark: conn_1, action: masquerade

    chain: srcnat, out interface: ether2, routing mark: conn_2, action: masquerade

    ip>firewall>routes gateway: 192.168.98.1, distance: 1, scope:255, target scope:10, routing mark:conn_1

    gateway: 192.168.97.1, distance: 2, scope:255, target scope:10, routing mark:conn_2

    Now I have another MikroTik router, so I decided to do load balancing on another router and hotspot and PPPoE on the other router. So I removed load balancing from one MikroTik to another.
    mikrotik1 with load balancing ip: 192.168.99.1
    mikrotik2 with pppoe & hotspot ip: 192.168.99.2

    Now PPPoE load balancing is working somehow good and hotspot is also working fine, but PPPoE doesn't work properly: it connects and gives internet access for 10 seconds, then no internet access, and I can't access the MikroTik (I have to disable the internet adapter in network settings, then re-enable it, then I see the MikroTik IP in neighbours).

    What do I want?

    I want to load balance 2 WANs now, but it will be unequal because wan1/ether2/192.168.97.1 is going to be 2 mb from 20 January (currently both WANs have 4 mb), and I want to run PPPoE, hotspot and load balancing on one MikroTik.

  13. I am experiencing a problem whereby I cannot ping or get into the modems now that I have done the config. Load balancing is working though. I have checked all settings but can't find the fault. If I plug the PC into the modems, then I can get into the modems, but I can't via the 750GL I am using for the bonding. I also set up a DHCP server on the 750GL, but via my wifi on the ADSL modem, it doesn't work. My script is as follows:

    /ip firewall mangle
    add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
    add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

    add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
    add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

    add chain=prerouting dst-address=10.0.0.0/24 action=accept in-interface=LAN
    add chain=prerouting dst-address=10.0.1.0/24 action=accept in-interface=LAN

    add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
    add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

    add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
    add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2

    /ip route
    add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=to_WAN1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=to_WAN2 check-gateway=ping

    add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.0.1.1 distance=2 check-gateway=ping

    /ip firewall nat
    add chain=srcnat out-interface=WAN1 action=masquerade
    add chain=srcnat out-interface=WAN2 action=masquerade
