Mikrotik dual/triple dhcp wan recursive failover w/ pcc load balancing
# Dual-WAN layout: ether1-ether3 are bridged together as the LAN; ether4 and ether5 are the two WAN uplinks.
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether2
add bridge=bridge interface=ether1
# Interface lists: WAN is referenced by the masquerade rule (out-interface-list=WAN) and by detect-internet.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether4 list=WAN
# Points detect-internet at the WAN/LAN lists.
# NOTE(review): detect-interface-list is not set in this listing; confirm whether detection is meant to be
# active, since the failover below is driven by the check-gateway=ping routes, not by detect-internet.
/interface detect-internet set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
# Enables UPnP with the LAN bridge as the internal side and both WAN ports as external.
# Security: UPnP lets any host on the internal side request inbound port mappings without authentication,
# and this listing contains no /ip firewall filter rules that would limit what a mapping exposes.
# Leave UPnP disabled unless a LAN application needs it.
# NOTE(review): two external interfaces are declared; verify how the UPnP service chooses between them.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether5 type=external
add interface=ether4 type=external
# Fast path is disabled globally.
# NOTE(review): presumably so every packet is seen by the mangle rules of this config - confirm.
/ip settings
set allow-fast-path=no
# LAN addressing: the router is 192.168.88.1/24 on the bridge; the same subnet goes into address list
# "local", which the first mangle rule uses to exempt LAN-to-LAN/router traffic from marking.
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip firewall address-list add address=192.168.88.0/24 list=local
# Source-NAT everything leaving through a WAN-list interface, except packets that match an outbound
# IPsec policy (ipsec-policy=out,none).
# NOTE(review): no /ip firewall filter section appears in this listing. With DHCP-addressed WAN ports the
# input and forward chains should be restricted (accept established/related, drop new connections
# arriving from the WAN list) unless a filter ruleset is applied separately.
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip firewall mangle
# Traffic from the LAN bridge to addresses in list "local" (192.168.88.0/24) is accepted here, so it
# never reaches the marking rules below.
add action=accept chain=prerouting comment="bridge access" dst-address-list=local in-interface=bridge
# Connections that first arrive on a WAN port are tagged with that uplink's mark
# (ether4 -> CONN2, ether5 -> CONN1) so their replies can be routed back out the same uplink.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether4 new-connection-mark=CONN2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether5 new-connection-mark=CONN1 passthrough=yes
# PCC load balancing: unmarked LAN connections whose destination is not one of the router's own
# addresses are split into two buckets by a hash of both addresses and ports (2/0 -> CONN1, 2/1 -> CONN2).
# Once the first rule marks a connection, the second no longer matches (connection-mark=no-mark).
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN1 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN2 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
# Translate connection marks into routing marks for forwarded LAN traffic (prerouting) ...
add action=mark-routing chain=prerouting connection-mark=CONN1 in-interface=bridge new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CONN2 in-interface=bridge new-routing-mark=ISP2 passthrough=yes
# ... and for packets generated by the router itself (output).
add action=mark-routing chain=output connection-mark=CONN1 new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN2 new-routing-mark=ISP2 passthrough=yes
# Rewrites dynamically learned routes by their incoming distance: distance 33 becomes distance 2 with
# comment ISP2, distance 34 becomes distance 3 with comment ISP1; both get scope=10.
# NOTE(review): the DHCP clients below install their default routes at distance 33 (ether4) and
# 32 (ether5). No rule here matches distance 32 and no client produces distance 34, so the second
# rule appears to match nothing and ether5's default route keeps distance 32 - confirm intended values.
# NOTE(review): "/routing filter chain=... set-distance=" and "routing-mark=" on routes look like
# RouterOS v6 syntax; verify against the target RouterOS version before importing.
/routing filter
add chain=dynamic-in distance=33 set-distance=2 set-route-comment=ISP2 set-scope=10
add chain=dynamic-in distance=34 set-distance=3 set-route-comment=ISP1 set-scope=10
# One DHCP client per WAN port. The lease script does two things:
#  - when the lease is bound, it writes the lease's gateway-address into every route whose comment is
#    ISPn_VALIDATE, replacing the 127.0.0.1 placeholder set in /ip route;
#  - on every script run (bound or not) it removes all tracked connections marked CONN1 and CONN2,
#    so flows on the other, unaffected uplink are reset as well.
# use-peer-dns=no / use-peer-ntp=no: DNS and NTP servers offered by the ISP are ignored; the router's
# own DNS/NTP settings are not part of this listing.
/ip dhcp-client
add default-route-distance=33 disabled=no interface=ether4 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP2_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n}" use-peer-dns=no use-peer-ntp=no
add default-route-distance=32 disabled=no interface=ether5 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP1_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n}" use-peer-dns=no use-peer-ntp=no
/ip route
# Probe-host routes: /32 routes to three public IPs per ISP. gateway=127.0.0.1 is only a placeholder;
# the DHCP lease script overwrites it with the real gateway of the matching uplink
# (selected by the ISP1_VALIDATE / ISP2_VALIDATE comment).
# NOTE(review): uplink health depends on these third-party hosts answering ICMP; they are outside the
# operator's control, so review the list periodically.
add comment=ISP1_VALIDATE distance=1 dst-address=185.228.168.9/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.220.220/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.222.222/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.14.14/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.15.15/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=8.20.247.20/32 gateway=127.0.0.1 scope=10
# Virtual next hops: 10.1.1.1 (ISP1) and 10.2.2.1 (ISP2) are reached recursively through the probe
# hosts, each checked with ping. Three equal-distance routes per hop mean one unresponsive probe
# does not by itself take the hop down.
# NOTE(review): 10.1.1.1 and 10.2.2.1 are private addresses used only as route targets here - make sure
# they do not collide with a real network behind this router.
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=185.228.168.9 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.14.14 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.15.15 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=8.20.247.20 scope=10
# Default routes per routing mark: the mark's own ISP at distance 1, the other ISP as failover at distance 2.
add distance=1 gateway=10.1.1.1 routing-mark=ISP1
add distance=2 gateway=10.2.2.1 routing-mark=ISP1
add distance=1 gateway=10.2.2.1 routing-mark=ISP2
add distance=2 gateway=10.1.1.1 routing-mark=ISP2
# Blackhole fallbacks at distance 20 for every probe host: presumably so that when an ISPn_VALIDATE
# route is inactive the probe traffic is dropped instead of leaving via another uplink and reporting
# a dead link as healthy - confirm.
add distance=20 dst-address=185.228.168.9/32 type=blackhole
add distance=20 dst-address=208.67.220.220/32 type=blackhole
add distance=20 dst-address=208.67.222.222/32 type=blackhole
add distance=20 dst-address=94.140.14.14/32 type=blackhole
add distance=20 dst-address=94.140.15.15/32 type=blackhole
add distance=20 dst-address=8.20.247.20/32 type=blackhole
# Triple-WAN layout: ether1-ether2 are bridged together as the LAN; ether3, ether4 and ether5 are the WAN uplinks.
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether1
# Interface lists: WAN is referenced by the masquerade rule (out-interface-list=WAN) and by detect-internet.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether4 list=WAN
add interface=ether3 list=WAN
# Points detect-internet at the WAN/LAN lists.
# NOTE(review): detect-interface-list is not set in this listing; confirm whether detection is meant to be
# active, since the failover below is driven by the check-gateway=ping routes, not by detect-internet.
/interface detect-internet set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
# Enables UPnP with the LAN bridge as the internal side and all three WAN ports as external.
# Security: UPnP lets any host on the internal side request inbound port mappings without authentication,
# and this listing contains no /ip firewall filter rules that would limit what a mapping exposes.
# Leave UPnP disabled unless a LAN application needs it.
# NOTE(review): three external interfaces are declared; verify how the UPnP service chooses between them.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether5 type=external
add interface=ether4 type=external
add interface=ether3 type=external
# Fast path is disabled globally.
# NOTE(review): presumably so every packet is seen by the mangle rules of this config - confirm.
/ip settings
set allow-fast-path=no
# LAN addressing: the router is 192.168.88.1/24 on the bridge; the same subnet goes into address list
# "local", which the first mangle rule uses to exempt LAN-to-LAN/router traffic from marking.
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip firewall address-list add address=192.168.88.0/24 list=local
# Source-NAT everything leaving through a WAN-list interface, except packets that match an outbound
# IPsec policy (ipsec-policy=out,none).
# NOTE(review): no /ip firewall filter section appears in this listing. With DHCP-addressed WAN ports the
# input and forward chains should be restricted (accept established/related, drop new connections
# arriving from the WAN list) unless a filter ruleset is applied separately.
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip firewall mangle
# Traffic from the LAN bridge to addresses in list "local" (192.168.88.0/24) is accepted here, so it
# never reaches the marking rules below.
add action=accept chain=prerouting comment="bridge access" dst-address-list=local in-interface=bridge
# Connections that first arrive on a WAN port are tagged with that uplink's mark
# (ether3 -> CONN3, ether4 -> CONN2, ether5 -> CONN1) so their replies can be routed back out the same uplink.
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3 new-connection-mark=CONN3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether4 new-connection-mark=CONN2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether5 new-connection-mark=CONN1 passthrough=yes
# PCC load balancing: unmarked LAN connections whose destination is not one of the router's own
# addresses are split into three buckets by a hash of both addresses and ports
# (3/0 -> CONN1, 3/1 -> CONN2, 3/2 -> CONN3). Once a rule marks a connection, the later ones no
# longer match (connection-mark=no-mark).
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN1 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN2 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN3 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
# Translate connection marks into routing marks for forwarded LAN traffic (prerouting) ...
add action=mark-routing chain=prerouting connection-mark=CONN1 in-interface=bridge new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CONN2 in-interface=bridge new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CONN3 in-interface=bridge new-routing-mark=ISP3 passthrough=yes
# ... and for packets generated by the router itself (output).
add action=mark-routing chain=output connection-mark=CONN1 new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN2 new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN3 new-routing-mark=ISP3 passthrough=yes
# Rewrites dynamically learned routes by their incoming distance: 32 -> distance 1 / comment ISP3,
# 33 -> distance 2 / comment ISP2, 34 -> distance 3 / comment ISP1; all get scope=10.
# NOTE(review): the DHCP clients below use distance 34 on ether3 (script updates ISP3_VALIDATE) and
# distance 32 on ether5 (script updates ISP1_VALIDATE), so the ISP1/ISP3 route comments set here are
# the reverse of the ISP numbering used everywhere else in this file - confirm which is intended.
# NOTE(review): "/routing filter chain=... set-distance=" and "routing-mark=" on routes look like
# RouterOS v6 syntax; verify against the target RouterOS version before importing.
/routing filter
add chain=dynamic-in distance=32 set-distance=1 set-route-comment=ISP3 set-scope=10
add chain=dynamic-in distance=33 set-distance=2 set-route-comment=ISP2 set-scope=10
add chain=dynamic-in distance=34 set-distance=3 set-route-comment=ISP1 set-scope=10
# One DHCP client per WAN port. The lease script does two things:
#  - when the lease is bound, it writes the lease's gateway-address into every route whose comment is
#    ISPn_VALIDATE, replacing the 127.0.0.1 placeholder set in /ip route;
#  - on every script run (bound or not) it removes all tracked connections marked CONN1, CONN2 and
#    CONN3, so flows on the other, unaffected uplinks are reset as well.
# use-peer-dns=no / use-peer-ntp=no: DNS and NTP servers offered by the ISP are ignored; the router's
# own DNS/NTP settings are not part of this listing.
/ip dhcp-client
add default-route-distance=34 disabled=no interface=ether3 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP3_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN3\"]\
\n}" use-peer-dns=no use-peer-ntp=no
add default-route-distance=33 disabled=no interface=ether4 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP2_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN3\"]\
\n}" use-peer-dns=no use-peer-ntp=no
add default-route-distance=32 disabled=no interface=ether5 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP1_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN3\"]\
\n}" use-peer-dns=no use-peer-ntp=no
/ip route
# Probe-host routes: /32 routes to three public IPs per ISP. gateway=127.0.0.1 is only a placeholder;
# the DHCP lease script overwrites it with the real gateway of the matching uplink
# (selected by the ISP1_VALIDATE / ISP2_VALIDATE / ISP3_VALIDATE comment).
# NOTE(review): uplink health depends on these third-party hosts answering ICMP; they are outside the
# operator's control, so review the list periodically.
add comment=ISP1_VALIDATE distance=1 dst-address=185.228.168.9/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.220.220/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.222.222/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.14.14/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.15.15/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=8.20.247.20/32 gateway=127.0.0.1 scope=10
add comment=ISP3_VALIDATE distance=1 dst-address=9.9.9.9/32 gateway=127.0.0.1 scope=10
add comment=ISP3_VALIDATE distance=1 dst-address=9.9.9.10/32 gateway=127.0.0.1 scope=10
add comment=ISP3_VALIDATE distance=1 dst-address=8.26.56.26/32 gateway=127.0.0.1 scope=10
# Virtual next hops: 10.1.1.1 (ISP1), 10.2.2.1 (ISP2) and 10.3.3.1 (ISP3) are reached recursively
# through the probe hosts, each checked with ping. Three equal-distance routes per hop mean one
# unresponsive probe does not by itself take the hop down.
# NOTE(review): these 10.x.x.1 private addresses are used only as route targets here - make sure they
# do not collide with a real network behind this router.
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=185.228.168.9 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.14.14 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.15.15 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=8.20.247.20 scope=10
add check-gateway=ping distance=1 dst-address=10.3.3.1/32 gateway=9.9.9.9 scope=10
add check-gateway=ping distance=1 dst-address=10.3.3.1/32 gateway=9.9.9.10 scope=10
add check-gateway=ping distance=1 dst-address=10.3.3.1/32 gateway=8.26.56.26 scope=10
# Default routes per routing mark: the mark's own ISP at distance 1, the remaining two ISPs as
# failover at distances 2 and 3.
add distance=1 gateway=10.1.1.1 routing-mark=ISP1
add distance=2 gateway=10.2.2.1 routing-mark=ISP1
add distance=3 gateway=10.3.3.1 routing-mark=ISP1
add distance=1 gateway=10.2.2.1 routing-mark=ISP2
add distance=2 gateway=10.1.1.1 routing-mark=ISP2
add distance=3 gateway=10.3.3.1 routing-mark=ISP2
add distance=1 gateway=10.3.3.1 routing-mark=ISP3
add distance=2 gateway=10.2.2.1 routing-mark=ISP3
add distance=3 gateway=10.1.1.1 routing-mark=ISP3
# Blackhole fallbacks at distance 20 for every probe host: presumably so that when an ISPn_VALIDATE
# route is inactive the probe traffic is dropped instead of leaving via another uplink and reporting
# a dead link as healthy - confirm.
add distance=20 dst-address=185.228.168.9/32 type=blackhole
add distance=20 dst-address=208.67.220.220/32 type=blackhole
add distance=20 dst-address=208.67.222.222/32 type=blackhole
add distance=20 dst-address=94.140.14.14/32 type=blackhole
add distance=20 dst-address=94.140.15.15/32 type=blackhole
add distance=20 dst-address=8.20.247.20/32 type=blackhole
add distance=20 dst-address=9.9.9.9/32 type=blackhole
add distance=20 dst-address=9.9.9.10/32 type=blackhole
add distance=20 dst-address=8.26.56.26/32 type=blackhole

@apriady apriady commented Jun 14, 2021

Hi, thanks for sharing your script.

Suppose I want to use this script to load-balance 3 or more ISPs: what would the route config look like? Especially the distances for the failover function.

Owner Author

@marfillaster marfillaster commented Jun 14, 2021

@apriady I'm in the same boat. I tried 3 WANs and somehow the 0401_WAN4_PING1 is only active for a brief moment before turning inactive. This means 2 of the 3 routing marks are using the same WAN and 1 is unutilized. I'm not sure how to fix it, though.

Owner Author

@marfillaster marfillaster commented Jun 16, 2021

@apriady added triple


@apriady apriady commented Jul 11, 2021

@marfillaster thanks dude, that's great. 👍

I will try it on my network and let you know the result.


@daywalkerbc daywalkerbc commented Jul 16, 2021

Hi. I'm trying dual.cfg (revision of 16 Jun); it does not work with two DHCP clients. It only works when one of the DHCP clients is disabled.

Now working when one isp have "internet" another not have.
