Mikrotik Load Balance Dual WAN With WACAN Link



Dual WAN (Internet) with failover, PCC load balancing PLUS 3rd WAN (Private)

Firstly, this guide assumes you have basic knowledge of logging in to the Mikrotik and configuring it via either the CLI or the Winbox GUI.

The network will look like this:

So we need to set up some of the basics first.
I will simply highlight some of the key points in the excerpt from my working example.

Rename the interfaces

/interface ethernet
set [ find default-name=ether1 ] name=LAN
set [ find default-name=ether6 ] name="WAN01"
set [ find default-name=ether7 ] name="WAN02"
set [ find default-name=ether10 ] name="private wan"

Set the pool of addresses available to the DHCP server you will create shortly

/ip pool
add name=dhcp_pool1 ranges=192.168.3.200-192.168.3.254

Now create the DHCP Server

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN name=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1

And specify the DNS server(s) of your choice

/ip dns
set servers=8.8.8.8

Add the pppoe connections (ADSL)

/interface pppoe-client
# ADSL Service 1
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface="WAN01" \
    keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name="adsl-1" password=password profile=default service-name="" \
    use-peer-dns=no user=username
# ADSL Service 2
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface="WAN02" \
    keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name="adsl-2" password=password profile=default service-name="" \
    use-peer-dns=no user=username

Configure BGP

/routing bgp instance
set default as=65222
/routing bgp network
add network=10.60.10.0/24
/routing bgp peer
add in-filter=wafreenet name=peer-name out-filter=wafreenet remote-address=10.60.20.145 remote-as=65211 ttl=default update-source="private wan"

Set the IP addresses for the router on its LAN and private WAN interfaces. The Internet WAN interfaces will receive IP addresses via DHCP as set in the pppoe settings

/ip address
add address=192.168.3.1/24 interface=LAN network=192.168.3.0
add address=10.60.10.147/29 interface="private wan" network=10.60.10.144

Here we will add some firewall rules

/ip firewall filter

This one will drop DHCP traffic from the private WAN interface, as in my situation we use fixed IP addressing

add action=drop chain=input in-interface="private wan" port=67-68 protocol=udp

Mangle rules allow us to manage packets in many ways. Here we use mangle to mark connections so that each combination of source and destination IP address counts as one mark, and a different combination is classified separately. This keeps all connections between a given pair of hosts on the same WAN link, so that internet banking and other security-sensitive applications keep working

/ip firewall mangle

These first rules exclude traffic to the private WAN from having routing marks applied, which would otherwise send the packets through the wrong interfaces

add chain=prerouting dst-address=10.0.0.0/8 in-interface=LAN
add chain=forward dst-address=10.0.0.0/8 in-interface=LAN

These rules should point to your “next hop” or the first ip after your own WAN IP on the way out

add chain=prerouting dst-address=106.115.55.222
add chain=prerouting dst-address=103.122.165.254

The following rules mark the packets so that they exit and return through the correct interfaces

add action=mark-connection chain=prerouting comment="use pcc to mark connections 0 of 2" connection-mark=no-mark dst-address-type=!local in-interface=LAN \
    new-connection-mark=WAN1 per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="use pcc to mark connection 1 of 2" connection-mark=no-mark dst-address-type=!local in-interface=LAN \
    new-connection-mark=WAN2 per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=LAN new-routing-mark=ether1-mark
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=ether1-mark
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=ether2-mark
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=LAN new-routing-mark=ether2-mark
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="adsl-1" new-connection-mark=WAN2
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="adsl-2" new-connection-mark=WAN1
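
The persistence described above, as an added example that is not part of the original guide: a Python model of how a `per-connection-classifier` with denominator 2 sorts connections onto the two routing marks, comparing the guide's `both-addresses` with `both-addresses-and-ports`. SHA-256 stands in for RouterOS's internal hash, and the client, server and port values are constructed.

```python
import hashlib
import ipaddress

# Remainder -> (connection mark, routing mark), as in the guide's mangle rules.
MARKS = {0: ("WAN1", "ether1-mark"), 1: ("WAN2", "ether2-mark")}

# Header fields each classifier hashes (both are RouterOS classifier names).
FIELDS = {
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}


def pcc_remainder(conn, classifier, denominator=2):
    """Hash the selected fields to 32 bits and return value % denominator.

    SHA-256 is a stand-in: RouterOS uses its own internal hash, so real
    remainders differ, but the grouping behaviour is the same.
    """
    data = b""
    for field in FIELDS[classifier]:
        if field in ("src", "dst"):
            data += ipaddress.ip_address(conn[field]).packed
        else:
            data += int(conn[field]).to_bytes(2, "big")
    hashed = int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
    return hashed % denominator


def routing_mark(conn, classifier="both-addresses"):
    return MARKS[pcc_remainder(conn, classifier)][1]


def session_marks(classifier, connections=64):
    """Routing marks seen when one LAN client opens many connections
    (constructed sample: source ports 50000+) to one HTTPS server."""
    return {
        routing_mark({"src": "192.168.3.201", "dst": "203.0.113.10",
                      "sport": 50000 + i, "dport": 443}, classifier)
        for i in range(connections)
    }


if __name__ == "__main__":
    for name in FIELDS:
        print(name, sorted(session_marks(name)))
```

The first classifier yields a single routing mark for the whole session, while the second spreads the same session across both marks, which is what breaks sites that tie a login to one source address.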

We now need to add NAT to the interfaces. We are masquerading all of the interfaces in this situation

/ip firewall nat
add action=masquerade chain=srcnat out-interface="private wan" to-addresses=10.60.192.144
add action=masquerade chain=srcnat out-interface="adsl-1"
add action=masquerade chain=srcnat out-interface="adsl-2"
/ip route
add distance=100 gateway="adsl-2" routing-mark=ether1-mark
add distance=100 gateway="adsl-1" routing-mark=ether2-mark
/ip route
add distance=100 gateway="adsl-1" routing-mark=ether1-mark
add distance=100 gateway="adsl-2" routing-mark=ether2-mark