MikroTik Load balancing across two ISP connections using Mangle

This guide describes how to set up load balancing across two ISP WAN connections using Mangle on a MikroTik CCR2004-16G-2S+ router via WinBox. Below is a step-by-step guide for setting this up.


Goal:

We will load balance outgoing traffic across two ISPs using the Mangle feature to mark packets and connections, with the routing decisions based on these marks.

Assumptions:

  • WAN1 on interface ether1 (ISP1)
  • WAN2 on interface ether2 (ISP2)
  • LAN on interface ether3
  • The goal is to split the traffic load between two WANs and ensure that responses follow the same WAN they originated from (symmetric routing).

Steps Using WinBox:

1. Open WinBox and Connect to Your Router

  • Open WinBox and connect to your router by its MAC address or IP address.
  • Once connected, navigate to the IP > Firewall window from the left-hand menu.

2. Configure Mangle Rules

Step 1: Mark Incoming Connections

This will create rules to mark connections based on the WAN interface they originate from.

  1. In the Firewall window, go to the Mangle tab.
  2. Click the "+" button to add a new Mangle rule.
  3. Set the following options:
    • Chain: prerouting
    • In Interface: ether1 (WAN1)
    • Action: mark connection
    • New Connection Mark: WAN1_conn
    • Passthrough: Check this option (so the packet can be further processed)
  4. Click OK to save the rule.
  5. Repeat steps 1–4, but this time:
    • Set In Interface to ether2 (WAN2).
    • Set New Connection Mark to WAN2_conn.

Now, the router will mark packets coming from WAN1 with WAN1_conn and those from WAN2 with WAN2_conn.

Step 2: Mark Routing Based on Connection

Next, you'll mark the routing path based on the connection mark.

  1. In the Mangle tab, click the "+" button again.
  2. Set the following options:
    • Chain: prerouting
    • Connection Mark: WAN1_conn (choose it from the dropdown)
    • Action: mark routing
    • New Routing Mark: to_WAN1
    • Passthrough: Check this option
  3. Click OK to save the rule.
  4. Repeat steps 1–3, but this time:
    • Set Connection Mark to WAN2_conn.
    • Set New Routing Mark to to_WAN2.

This step makes sure that any packets marked with WAN1_conn will be routed through WAN1, and the same for WAN2.

Step 3: Load Balance Using PCC (Per Connection Classifier)

  1. Click the "+" button again in the Mangle tab.
  2. Set the following options:
    • Chain: prerouting
    • In Interface: ether3 (LAN)
    • Dst. Address Type: !local (this ensures the rule is only applied to external traffic)
    • Per Connection Classifier: Set to both-addresses-and-ports:2/0 (this evenly splits the traffic).
    • Action: mark connection
    • New Connection Mark: WAN1_conn
    • Passthrough: Check this option
  3. Click OK to save the rule.
  4. Repeat this process, but:
    • Set Per Connection Classifier to both-addresses-and-ports:2/1.
    • Set New Connection Mark to WAN2_conn.

These rules ensure that half of your traffic will go through WAN1, and the other half will go through WAN2.

3. Setup Routing

After marking traffic with Mangle, you need to configure routing based on the Mangle marks. Here's how:

  1. Go to IP > Routes.
  2. Click the "+" button to add a new route.
  3. Set the following options:
    • Dst. Address: 0.0.0.0/0 (for the default route)
    • Gateway: Enter the gateway IP address for WAN1 (you can obtain this from your ISP or through DHCP).
    • Routing Mark: to_WAN1 (select the mark you created in the Mangle rule).
  4. Click OK to save the route.
  5. Repeat steps 1–4, but:
    • Set Gateway to the gateway IP for WAN2.
    • Set Routing Mark to to_WAN2.

This ensures that traffic marked for WAN1 goes through WAN1, and the same for WAN2.

4. (Optional) Set Up Failover

To configure failover, you can set route priorities using distance.

  1. Go to IP > Routes.
  2. For the default route through WAN1, set distance to 1.
  3. For the default route through WAN2, set distance to 2.
  4. To add failover detection, select Check Gateway: ping for both routes.

If WAN1 fails (the router can't ping the WAN1 gateway), traffic will automatically switch to WAN2.
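The same configuration as the WinBox steps in sections 2 to 4, written as RouterOS v7 CLI; this is an added example, not part of the original post. It goes slightly beyond the clicks above: the PCC rules are placed above the mark-routing rules because mangle is evaluated top to bottom, and it adds connection-state=new, connection-mark=no-mark, main-table failover routes and NAT masquerade. The gateway addresses are constructed placeholders; use the ones your ISPs assign.

```routeros
# Added example (not from the original post): the WinBox steps above as
# RouterOS v7 CLI. Gateways 203.0.113.1 / 198.51.100.1 are constructed
# placeholders. Assumptions beyond the page: NAT masquerade on both WANs,
# and the usual PCC refinements (connection-state=new, connection-mark=no-mark)
# so that only the first packet of an unmarked connection is classified.

# v7: routing tables must exist (v6 instead uses routing-mark= on the routes)
/routing table
add name=to_WAN1 fib
add name=to_WAN2 fib

/ip firewall mangle
# Step 1: remember which WAN an inbound connection arrived on
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

# Step 3: split new, still unmarked LAN connections 50/50 with PCC
add chain=prerouting in-interface=ether3 dst-address-type=!local \
    connection-state=new connection-mark=no-mark \
    per-connection-classifier=both-addresses-and-ports:2/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting in-interface=ether3 dst-address-type=!local \
    connection-state=new connection-mark=no-mark \
    per-connection-classifier=both-addresses-and-ports:2/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

# Step 2: turn the connection mark into a routing mark (must come after PCC)
add chain=prerouting connection-mark=WAN1_conn \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=yes
add chain=prerouting connection-mark=WAN2_conn \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=yes

# Section 3: one default route per routing table, with gateway checks
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=to_WAN1 \
    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=to_WAN2 \
    check-gateway=ping
# Section 4: failover for unmarked traffic in the main table, WAN1 preferred
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

# Source NAT so LAN traffic leaves with the address of the WAN it uses
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

In WinBox, drag the rules in the Mangle tab into this order if you created them in the order of the guide; the marked routes show as "Routing Table" in the v7 route dialog.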

5. Test the Configuration

  • After configuring the Mangle rules and routes, test the load balancing setup.
  • Use a tool like Torch in WinBox (located under Tools) to monitor traffic on both WAN interfaces and verify that traffic is being distributed evenly across both.

Summary:

In this WinBox-based guide, we used the Mangle feature to:

  • Mark incoming connections based on their WAN interface.
  • Mark routes for outgoing traffic based on the connection mark.
  • Distribute new connections evenly across WAN1 and WAN2 using the per-connection-classifier.
  • Configure routing to send traffic via the appropriate WAN.

This configuration ensures that your MikroTik CCR2004-16G-2S+ router will load balance traffic across both internet connections and can fail over to the secondary WAN if one goes down. This can be useful if you want to build a WISP network.
