Load balancing with Fail-over

Q: We want to have the mikrotik manage the connections to be load balanced, so we aren’t hammering either link more than the other. The only caveat for us is there’s a bunch of inbound traffic that will come over one link, obviously that needs to go back out over that link… right?


Of course, we want failover too, so if one link drops, the other will do its job.


The technique is conceptually straightforward:


1. Use the ‘mangle’ feature to select and mark connections, e.g. add connection mark “web” to traffic with dest port=80:

/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new \
disabled=no dst-port=80 new-connection-mark=web passthrough=yes protocol=tcp


2. Use the ‘mangle’ feature to add a route mark on selected connections, e.g. add route mark “isp2” when the connection mark is “web”:

/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=web disabled=no \
new-routing-mark=isp2 passthrough=yes


3. Add a default route for marked traffic with distance=1, e.g. send traffic via pppoe-out2 for route mark “isp2”:

/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
routing-mark=isp2


4. Add a backup route (distance > 1) via the other uplink for failover, e.g. use pppoe-out1 when check-gateway=ping fails for the primary uplink path:

/ip route add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
routing-mark=isp2


Notes:

a. When the uplink path is not PPP, use the next-hop gateway address instead of the pppoe interface name
b. Use the ‘per connection classifier’ (PCC) feature to balance approximately equally across multiple uplinks


You are welcome to contact us at any time if you wish to discuss these concepts further.
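
The steps and note (b) above combined into one configuration, as an added example that is not part of the original answer: PCC splits new LAN connections across both uplinks, connections that arrive on an uplink are marked so their replies leave by the same link, and each routing mark gets a primary and a backup route. It uses the same RouterOS syntax as the commands above; the names bridge-lan, isp1_conn, isp2_conn and the routing mark isp1 are assumptions chosen for illustration.

```routeros
# Added example. Assumed names (not from the page): bridge-lan, isp1_conn,
# isp2_conn, isp1. pppoe-out1, pppoe-out2 and isp2 are taken from the steps above.
/ip firewall mangle
# 1. A connection that arrives on an uplink is pinned to that uplink,
#    so replies to inbound traffic go back out over the link they came in on.
add chain=prerouting in-interface=pppoe-out1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=isp1_conn passthrough=yes
add chain=prerouting in-interface=pppoe-out2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=isp2_conn passthrough=yes
# 2. New LAN-originated connections are divided in two by the PCC hash of
#    source and destination address (remainder 0 -> isp1, remainder 1 -> isp2).
add chain=prerouting in-interface=bridge-lan connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=isp1_conn passthrough=yes
add chain=prerouting in-interface=bridge-lan connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=isp2_conn passthrough=yes
# 3. Translate the connection mark into a routing mark for packets
#    forwarded from the LAN (including replies from internal servers).
add chain=prerouting in-interface=bridge-lan connection-mark=isp1_conn \
    action=mark-routing new-routing-mark=isp1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=isp2_conn \
    action=mark-routing new-routing-mark=isp2 passthrough=no
# 4. Same translation for replies generated by the router itself.
add chain=output connection-mark=isp1_conn \
    action=mark-routing new-routing-mark=isp1 passthrough=no
add chain=output connection-mark=isp2_conn \
    action=mark-routing new-routing-mark=isp2 passthrough=no

/ip route
# Primary (distance=1) and backup (distance=10) default route per routing mark.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=isp1 \
    distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=isp1 \
    distance=10 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=isp2 \
    distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=isp2 \
    distance=10 check-gateway=ping
```

The example assumes source NAT (masquerade) is already configured for each uplink interface, so that traffic moved to the backup route during failover is translated to the address of the link it actually leaves on.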