Mikrotik Dual WAN

How to setup a mikrotik router with dual WANs

Table of contents:

Equipment

Method Overview

There are several ways to share multiple internet connections. The way I settled on was to use Per Connection Classification (PCC), which basically chooses one outgoing connection everytime there's a new connection, and then ensures that that connection continues to use the same WAN port.

Method

There are several guides on the internet, but I had to rely on a combination of several because of a couple of complicating factors:

  1. Both of my cellular router/antennas provide the exact same gateway IP (my ISP was unresponsive to requests to change this).
  2. I do not have a windows machine, and many of the guides rely on using Mikrotik's windows application.

I did all setup and testing from inside the LAN, so I could continue to access the internet while performing the setup.

0. Environment

1. Physical Setup

Unpack the mikrotik, plug it into the LAN, and connect a computer to the LAN port. When you first boot a new Mikrotik device (or at least when I did), it provides an IP address of 192.168.88.1 to the internal ports.

Set a static IP on your configuration computer of 192.168.88.2, and point a web browser at http://192.168.88.1.

2. Initial setup of device

In the initial web page provided by the mikrotik, change the admin password

Check for and install updates by clicking "Check for Updates" from the "Quick Set" page.

3. Change interface names

On the left navigation menu, select Interfaces. Clicking on an interface in the right pane brings up a configuration menu for that interface. Click on each of ether2 - ether5 and change the Name to the following and click Ok (skip ether1):

4. Remove WANs from bridge

Unplug from port 2 (which will be a WAN port), and plug into port 4 or 5. Refresh the browser and log in again.

Click Bridge on the left, and then the Ports tab at the top on the right. Click the - on the far left next to ether2-WAN1 and ether3-WAN2.

In Mikrotik UX, a - on the left will completely remove something; a D will leave it in place but disable whatever it is, and an E will enable something that's disabled.

5. Disable DHCP on port 1

Navigate to IP -> DHCP Client, click the D next to ether1 to disable DHCP.

6. Set static IP addresses on the WAN ports

Since they are on the same subnet, and each have identical gateways, and we need to know which port goes to which ISP, we statically set their IP addresses. I chose 192.168.100.241 for WAN1 and 192.168.100.242 for WAN2.

Navigate to IP->Addresses. Click the Add New button at the top, and enter:

Click the Ok button. Repeat for 192.168.100.242 on WAN2.

7. Setup DNS info

Navigate to IP -> DNS, and add servers to your liking (such as 1.1.1.1 and 9.9.9.9).

When you see a little down arrow next to a field, it means you can add another item by clicking it. The corresponding down arrow that appears to the right of an item will remove it.

8. Add new default routes for each WAN port

Navigate to IP -> Routes. Click the Add New button, and enter:

and click Ok.

Repeat with:

The 0.0.0.0/0 address means all IP addresses. It means that the given route can find any IP address that isn't matched by a more specific route.

9. Add new routes for marked packets

In a moment we will be setting up rules to mark packets for a specific WAN port. We need to establish routes for those packets.

Navigate again to IP -> Routes, and click Add New again. Enter the exact same information again, but this time also set the Routing Mark field:

Click Ok, then repeat for ether3-WAN2 with mark isp2.

10. Mark unmarked incoming WAN connections based on switch port

This step marks incoming packets based on the ISP they came from.

Navigate to IP -> Firewall, and click the Mangle tab. Click the Add New button:

Click Ok and repeat with ether3-WAN2 and isp2.

11. Mark outgoing LAN connections

Now we'll mark outgoing connections for one of the two ISP ports.

Navigate to IP -> Firewall, and click the Mangle tab. Click Add New:

Click Ok, then repeat the above for isp2 (note the different PCC):

Click Ok again.

12. Mark outgoing routes based on connection mark

IP -> Firewall -> Mangle tab, Add New:

Click Ok, then repeat with isp2.

13. Mark incoming routes based on connection mark

IP -> Firewall -> Mangle tab, Add New:

Click Ok, then repeat with isp2.

14. Disable Fasttrack

From the documentation and guides this appears to be necessary for PCC.

Navigate to IP -> Firewall, and click the D next to the action called fasttrack connection.

15. Add Drop rules for unrequested WAN connections

Navigate to IP -> Firewall, and click Add New:

Click Ok to save, then repeat with ether3-WAN2.

16. Disable the default NAT rule

Navigate to IP -> Firewall, and click the NAT tab.

Click the D next to the defconf; masquerade rule.

17. Add new NAT rules

IP -> Firewall, and click the NAT tab.

Click Add New:

Click Ok, then repeat for ether3-WAN2.

18. Update DHCP

IP -> Pool, select the pool, and modify settings as desired.

IP -> DHCP Server, Networks tab.

Click the default network, and adjust settings as desired.

You should also navigate to DHCP tab, then click the DHCP ruleset. Paste the following in the lease script text area:

local DHCPtag
:set DHCPtag "#DHCP"

:if ( [ :len $leaseActIP ] <= 0 ) do={ :error "empty lease address" }

:if ( $leaseBound = 1 ) do=\
{
  :local ttl
  :local domain
  :local hostname
  :local fqdn
  :local leaseId
  :local comment

  /ip dhcp-server
  :set ttl [ get [ find name=$leaseServerName ] lease-time ]
  network 
  :set domain [ get [ find $leaseActIP in address ] domain ]

  .. lease
  :set leaseId [ find address=$leaseActIP ]

# Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.

  :if ( [ :len $leaseId ] != 1) do=\
  {
   :log info "DHCP2DNS: not registering domain name for address $leaseActIP because of multiple active leases for $leaseActIP"
   :error "multiple active leases for $leaseActIP"
  }  

  :set hostname [ get $leaseId host-name ]
  :set comment [ get $leaseId comment ]
  /

  :if ( [ :len $hostname ] <= 0 ) do={ :set hostname $comment }

  :if ( [ :len $hostname ] <= 0 ) do=\
  {
    :log error "DHCP2DNS: not registering domain name for address $leaseActIP because of empty lease host-name or comment"
    :error "empty lease host-name or comment"
  }
  :if ( [ :len $domain ] <= 0 ) do=\
  {
    :log error "DHCP2DNS: not registering domain name for address $leaseActIP because of empty network domain name"
    :error "empty network domain name"
  }

  :set fqdn "$hostname.$domain"

  /ip dns static
  :if ( [ :len [ find name=$fqdn and address=$leaseActIP and disabled=no ] ] = 0 ) do=\
  {
    :log info "DHCP2DNS: registering static domain name $fqdn for address $leaseActIP with ttl $ttl"
    add address=$leaseActIP name=$fqdn ttl=$ttl comment=$DHCPtag disabled=no
  } else=\
  {
    :log error "DHCP2DNS: not registering domain name $fqdn for address $leaseActIP because of existing active static DNS entry with this name or address" 
  }
  /
} \
else=\
{
  /ip dns static
  :local dnsDhcpId 
  :set dnsDhcpId [ find address=$leaseActIP and comment=$DHCPtag ]

  :if ( [ :len $dnsDhcpId ] > 0 ) do=\
  {
    :log info "DHCP2DNS: removing static domain name(s) for address $leaseActIP"
    remove $dnsDhcpId
  }
  /
}

There are a bunch of these around the internet. This one is from https://forum.mikrotik.com/viewtopic.php?p=837415.

Back Story

Because I live in a somewhat rural area without good selection of internet, I am in the unenviable position of needing to be on a cellular plan for my internet. Previously we were on a local WISP, but we were just barely on the edge of the capabilities of their equipment and service became extremely unreliable.

Where I am there is not coax run to the houses, so cable internet is not an option. The copper lines to our house are barely adequate for voice calls, and it goes out after thunderstorms. DSL is not remotely feasible, and even dial-up wouldn't be reliable.

I contacted every WISP (wireless ISP) in the area, and not one of them (other than the one I already had) could offer service, either due to distance or topology or both. One, however, also resold cellular service, and came out for a site survey. I wasn't very hopeful, but with a directional antenna he was able to get pretty good signal (speed test of 80Mbps!).

The big downside, of course, is the data caps. For this provider, on the plans our ISP is able to get, that's 400GB/month. Which sounds like a log, until you want to update a bunch of computers, and your kids want to watch Netflix, and you are working at home so are on constant webex or zoom calls. After skating by and hsaving to swap SIMs once because of getting one suspended for overages, I asked him to install a second line.

For a couple months I manually swapped which connection was plugged into my pfsense SG-1100, but that's what a caveman would do! I bought a Mikrotik Hex router with POE on four ports, and waded through the configuration to setup PCC dual WAN.

Sources:

https://help.mikrotik.com/docs/display/ROS/Firewall+Marking#FirewallMarking-LoadBalancingWithPerConnectionClassifier