Mikrotik 4 WAN Load Balancing using PCC method.

This post illustrates how you can configure load balancing of multiple WAN links using Mikrotik Routerboard hardware (or the RouterOS x86 version). In this example I have used the Mikrotik Routerboard CCR 1036 model. Four ports are connected to four DSL routers, and the 5th port is connected to the user LAN. Don't forget to rename the interface names accordingly if you are a copy-paste fan.

In this example, we are using the PCC (per connection classifier) method to achieve the load balancing. There are a few options with this approach, and each option may give you different results.

Example#1:  src-address
Use src-address as the classifier; this way you will get rid of problems like broken HTTPS links, streaming issues etc. (due to the IP changing on each request). Load balancing using this PCC technique (src-address) requires that users hit the PCC box directly (e.g. it is their DHCP/PPP server). In this method a user is tagged with a specific WAN link once connected to the Mikrotik, and sticks to that particular WAN link for the whole online session. A single user will not be able to use all WAN links. This approach works well if you have a somewhat higher amount of bandwidth on each link.

Example#2: both-addresses-and-ports
If you are not satisfied with the src-address approach (or your requirement is to achieve maximum download speed using all WAN links simultaneously), then play with the PCC classifier: try both-addresses-and-ports as the classifier (as used in this guide as well). This will randomize things the most and in theory give you the fairest allocation of bandwidth (as any request will be distributed among all WAN links), BUT there is also a good chance that it will break certain things like banking web sites and some forums. This is because an HTTP request will often generate several connections, so some of them may go out a different route than the initial one, and that will break secure web sites. For that reason I usually like to go with the src-address PCC load balancing approach (but only if users are hitting the PCC box).
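The difference between the two classifiers, as an added example (not from the original post): a Python sketch that marks a constructed set of connections the way the four mangle rules in this guide do. The hash is a SHA-256 stand-in (assumption; RouterOS uses its own internal hash), and the client and site addresses are made up.

```python
import hashlib

# Connection marks in rule order: remainder 0 -> WAN1_conn ... remainder 3 -> WAN4_conn
WAN_MARKS = ["WAN1_conn", "WAN2_conn", "WAN3_conn", "WAN4_conn"]


def pcc_mark(conn, classifier, marks=WAN_MARKS):
    """Hash the header fields the classifier selects, divide by the number
    of rules, and return the mark of the rule matching the remainder."""
    src, sport, dst, dport = conn
    if classifier == "src-address":
        fields = (src,)
    elif classifier == "both-addresses-and-ports":
        fields = (src, sport, dst, dport)
    else:
        raise ValueError(f"unsupported classifier: {classifier}")
    # Stand-in hash (assumption): any uniform hash shows the same behaviour.
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    remainder = int.from_bytes(digest[:4], "big") % len(marks)
    return marks[remainder]


def marks_per_client(conns, classifier):
    """Map each LAN client to the set of WAN marks its connections received."""
    seen = {}
    for conn in conns:
        seen.setdefault(conn[0], set()).add(pcc_mark(conn, classifier))
    return seen


# Constructed sample: three LAN clients, each opening 40 HTTPS connections
# (different source ports) to the same site.
CONNS = [(f"192.168.0.{host}", 40000 + i, "203.0.113.10", 443)
         for host in (10, 11, 12) for i in range(40)]

if __name__ == "__main__":
    for classifier in ("src-address", "both-addresses-and-ports"):
        print(classifier)
        for client, marks in sorted(marks_per_client(CONNS, classifier).items()):
            print(f"  {client}: {sorted(marks)}")
```

With src-address every client keeps a single mark, so the remote site always sees the same NATed WAN address. With both-addresses-and-ports one client's connections leave through several WANs, which is what trips sites that tie a login session to the source IP.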

  • Mikrotik LAN IP = 192.168.0.1
  • DSL1 Router IP = 192.168.1.1 / INTERFACE NAME = WAN1
  • DSL2 Router IP = 192.168.1.1 / INTERFACE NAME = WAN2
  • DSL3 Router IP = 192.168.1.1 / INTERFACE NAME = WAN3
  • DSL4 Router IP = 192.168.1.1 / INTERFACE NAME = WAN4
# IP Addresses for reference purpose
/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=WAN3
add address=192.168.4.2/24 network=192.168.4.0 broadcast=192.168.4.255 interface=WAN4
# Add NET ALLOWED users Address list, to make sure only allowed users get internet access. Make sure to modify this as per your requirements, we can use this list later for other management purposes
/ip firewall address-list
add address=192.168.0.1-192.168.0.255 list=allowed_users
# Accept Connections
/ip firewall mangle
add action=accept chain=prerouting in-interface=WAN1
add action=accept chain=prerouting in-interface=WAN2
add action=accept chain=prerouting in-interface=WAN3
add action=accept chain=prerouting in-interface=WAN4
# Mangle Section
# Marking connections for 4 dsl distribution
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes src-address-list=allowed_users
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes src-address-list=allowed_users
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes src-address-list=allowed_users
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes src-address-list=allowed_users
# Marking Routing Marks to be used by ROUTES Section
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN3
add chain=prerouting connection-mark=WAN4_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN4
# Adding ROUTE for marked routes (done by mangle earlier)
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN4 check-gateway=ping
# DEFAULT ROUTES, or fail-over routes: just in case any router goes offline, these default routes will be used in order of distance
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 distance=4 check-gateway=ping
# NAT/MASQUERADE the requests going on each interface (used by ROUTES)
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade src-address-list=allowed_users
add chain=srcnat out-interface=WAN2 action=masquerade src-address-list=allowed_users
add chain=srcnat out-interface=WAN3 action=masquerade src-address-list=allowed_users
add chain=srcnat out-interface=WAN4 action=masquerade src-address-list=allowed_users
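# DNS cache for LAN users. allow-remote-requests=yes makes the router answer DNS queries arriving on any interface, WAN ports included; drop port 53 (UDP and TCP) on WAN1-WAN4 in /ip firewall filter chain=input
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8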
# Same connection-marking rules without the src-address-list match
/ip firewall mangle
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
# The 4/4 rule below never matches: PCC compares the remainder of the hash divided by 4, which is only ever 0-3.
# Giving WAN4 a second share needs denominator 5 in all five rules (5/0 ... 5/4).
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/4 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes

PCC WITH SAME GATEWAY

/ip route
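add dst-address=0.0.0.0/0 gateway=1.2.3.4 routing-mark=to_wan-ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.4 routing-mark=to_wan-ISP2 check-gateway=ping
Replace the routes above with the following, where each gateway carries its outgoing interface (gateway%interface):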
/ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.4%eth1-ISP routing-mark=to_wan-ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.2.3.4%eth2-ISP routing-mark=to_wan-ISP2 check-gateway=ping