~!!!~ Article By Syed Jahanzaib ~!!!~
Recently at a local cable.network setup @ gulzar-e-hijri, an OP asked told me that he wanted to add an extra DSL line just for some specific users (VIP users who are paying some extra money for better speed, as the current single dsl is getting clogged by over subscribed users. He wanted to manage all users / link via single Mikrotik router-board.
I accomplished this task by adding 2nd DSL line with the Mikrotik BOX and few rules, and Alhamdolillah it worked fine :). I am just sharing basic logic on how i achieved it.
You can take this idea and modify it according to your requirement, either use this logic and mix it with hotspot or pppoe base setup. In this example, user MAC-IP was binded.
Let us assume that we have 2 Users lists.
DSL1_USERS_LIST = 192.168.2.6
DSL2_USERS_LIST = 192.168.2.7
DSL1 Router GW IP = 192.168.5.2
DSL2 Router GW IP = 192.168.6.2
Now we will route users through DSL-1 OR DSL-2 wan links based on there ip addresses.
To accomplish this task, the simple logic is …
- STEP#1: First we will create ADDRESS-LIST, and add our users in the list,
- STEP#2: Then We have to add two IP Firewall Mangle rules to mark the packets originated from user 1 and user2.
- STEP#3: Then we should specify two default routes (destination 0.0.0.0/0) with appropriate routing marks and gateways.
- STEP#4: Then simple add one NAT rule for local ip series and Action masquerade.
Code:
# Adding IP Address on interfaces like lan/wan # IP for LAN User Network Connectivity /ip address add address=192.168.2.1/24 disabled=no interface=LAN network=192.168.2.0 # IP for WAN DSL Connectivity add address=192.168.5.1/24 disabled=no interface=WAN1 network=192.168.5.0 add address=192.168.6.1/24 disabled=no interface=WAN2 network=192.168.6.0 # Create 2 Address lists and add ip as per required, you can add Range as well. # I am adding just 2 ips only /ip firewall address-list add address=192.168.2.6 disabled=no list=DSL1_USERS_LIST add address=192.168.2.7 disabled=no list=DSL2_USERS_LIST # Marking Users connection coming from specific address lists /ip firewall mangle add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan1_user passthrough=no src-address-list=DSL1_USERS_LIST add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan2_user passthrough=no src-address-list=DSL2_USERS_LIST # Create Routes for above marked packets so each marked packets goes via specific wan link only /ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.2 routing-mark=wan1_user scope=30 target-scope=10 add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.6.2 routing-mark=wan2_user scope=30 target-scope=10 # Finally create NAT rule so that users (ip range) internet can work /ip firewall nat add action=masquerade chain=srcnat disabled=no src-address=192.168.2.0/24
TESTING
From Client PC # 1 whose ip address is 192.168.2.6, run TRACEROUTE command
For example traceroute yahoo.com
Results
TESTING FROM DSL1_USERS_LIST = 192.168.2.6
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
C:\Documents and Settings\zaib>tracert yahoo.com
Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops1 <1 ms <1 ms 2 ms 192.168.2.1
2 2 ms 2 ms 3 ms 192.168.5.2
.
.
TESTING FROM DSL2_USERS_LIST = 192.168.2.7
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.7
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
C:\Documents and Settings\zaib>tracert yahoo.com
Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops1 <1 ms <1 ms 2 ms 192.168.2.1
2 2 ms 2 ms 3 ms 192.168.6.2
.
.
Regard’s
SYED JAHANZAIB
Syed Jahanzaib - Personal Blog to Share Knowledge ! 
Nice sharing Jahanzaib bhai! can we do this with any other open source linux distros???
LikeLike
Comment by faizan — October 28, 2011 @ 12:22 AM
sir do this work with hotspot on same pc?
LikeLike
Comment by adeel ahmed — November 13, 2011 @ 9:03 PM
I never tested this in on HOTSPOT particularly, But The theory says it can work 🙂
It will work I am sure.
LikeLike
Comment by Pinochio~:) — November 14, 2011 @ 10:35 AM
sir…i interested with this consep…how to setup this concep with external proxy…
may u help me sir
LikeLike
Comment by Mukhsin — January 3, 2012 @ 4:45 PM
Wan1 & Wan2 —- (eth1&2) RB450 (eth4) —- Lan
(eth3)
‘ |
‘ Proxy
LikeLike
Comment by Mukhsin — January 3, 2012 @ 4:49 PM
just wanna to ask you one question..
1) can i change the default ip (192.168.88.1) to different ip like 10.200.0.1?
2) Here my connection
ISP RB750GL switch
How i want to config my router? I have to use 10.200.0.1/24 ip for my LAN
LikeLike
Comment by nisa — January 9, 2012 @ 11:20 AM
yes you can do
LikeLike
Comment by Muhammad Arsalan Siddiqui — July 21, 2017 @ 3:58 AM
am so sorry that I post my recent post in “About Me” page
now
how I can split the IP range of (for example 10.0.0.2-10.0.0.254) in to two groups (A&B)
Group A take NET from ADSL1 ,and Group B take NET from ADSL2 ?
do I have to enter the IP for each Group ?
as I mentioned before ,I use the article “http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways”
but it didn’t work for me
I need it in PPoE and Hotspot
am very grateful to you ,and to any one who can assist me in this
My Best Regards
(also I send you email about that)
LikeLike
Comment by Firas A.Kareem — February 9, 2012 @ 8:18 PM
Dear its easy to achieve your goal. If you read the article thoroughly , you will be able to make it.
First create two address list, DSL1_Users and DSL2_Users , then add ips in these address list as per your requirements, now mark packets for these address list, and define route for specific marked packets to go through your desired wan link.
Just follow the guide.
in Address list, use your user ip pool (i.e hotspot or pppoe pool)
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — February 10, 2012 @ 9:05 AM
you are right Mr.Sayd ,I did it ,I put in user list 1:10.0.0.0/25 and 10.0.0.128/25 in user list 2
many thanks to your wonderful ideas !
I have simple question ..or request …
can I put welcome screen in PPoE servers (like login screen of Hotspot)
I want to put a page ,so my clients learn how to setup a PPoE connection
i.e ,when some one connect to my router,rather than Hotspot Login page ,he see that page only,so he learn how to setup PPoE connection,and then connect
Accept my Regards
LikeLike
Comment by Firas A.Kareem — February 11, 2012 @ 6:09 AM
PPPoE doesn’t support this feature.
However you can create custom pppoe dialer, through which when user connects, it opens your local intranet page with instructions. You can use auto-it to create automatd dialer, use your own logic with the following guide.
https://aacable.wordpress.com/2011/09/27/howto-create-windows-7-pppoe-dialer-installer-package-using-auto-it/
Or another approach is to block internet ads and put your own ad with your local intranet page which have all the required links and your service info, for example like the following.
https://aacable.wordpress.com/2011/06/01/squid-howto-block-ads/
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — February 11, 2012 @ 11:42 AM
Hi, I’ve been able to follow through your tutorials many times to solve my problems. I must say you are doing an excellent job.
However, for this particular one, I use a RB1200 and have setup 2 hotspot on 2 interfaces earlier. Now I’m adding a second internet connection (ISP) and want to route traffic from each hotspot through different internet connection. The last instruction in your blog post tells me to add NAT rules for the scr address but I found out the rules have been placed there already by the hotspot setup.
I could do a trace route when I finished the setup which means the setup should be ok, however I cannot do PING and cannot browse any site. Is it about the hotspot setup or what could have been the problem? Please what suggestion do you have for me to be able to get through this.
Thank you!
LikeLike
Comment by Sim1 — April 5, 2013 @ 2:59 PM
Salaam Brother,
Sorry my previous post does not make sence!
******************************************************************************************************************
I am thinking if the following scenrio is possible.
Is it possible in policy routing? That it spread clients equally on wan links. For example:-
If I have 3 wan links and there are 3 users are online, then each client should me on each wan etc etc…
Hope you understand.
LikeLike
Comment by nominet — May 8, 2012 @ 12:57 PM
You can’t do it using PCC. PCC have its algorithm to distribute users among multiple wan links. try with src-address.
Or use policy base routing to distribute users using pools assignment.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — May 8, 2012 @ 3:09 PM
It can be achieved by using pools assignments but this is not exactly thing I wanted to do.
I want mikrotik to automatically spread users on wan’s. Is there no other ways other than PCC?
Thanks…
LikeLike
Comment by nominet — May 8, 2012 @ 4:08 PM
Jahanzaib Bro , how can i use it with failover ..
LikeLike
Comment by AHMED — July 10, 2012 @ 7:31 PM
Salaam, is it possible to do as following?
ip addresses: 192.168.0.1 to 192.168.199 go to DSL1
ip addresses: 192.168.0.200 to 192.168.0.254 go to DSL2
If yes, then can you please explain how?
Thanks
LikeLike
Comment by nominet — July 28, 2012 @ 4:27 PM
Assalaamu Alaikum Syed Jahanzaib bhai aapnay youtube cache server ka jo project rakha howa hay wo menay kar lihay kaam bhi kar raha hay ALLAH aap ko kush rakhay salama rakhay per ek masla aa raha hay aghar main client ban kar use karta hoon to mujhay proxy lagani parti hay jo insterner explorer main lagai jati hay address main phiar port dena perta hay main chahta hoon auto detect chal jahay proxy internet explorer main use na karni paray is ka plz mujhay tareeqa batain
LikeLike
Comment by abdulsami — September 5, 2012 @ 4:00 AM
Mikrotik mujhay use nhi karna jahanziab bhai srif mujhay squid youtube cache server bana kar
client site use kar raha hoon to proxy use karni perti hay bas itna bata dain yai proxy hat nhi sakti auto detect client side chal jahay plz help me
LikeLike
Comment by abdulsami — September 5, 2012 @ 9:32 PM
how to connect printer in mikrotik router
LikeLike
Comment by rasheed — October 17, 2012 @ 5:20 PM
Thanks a lot for sharing your idea. I learned many things from you Sir.
LikeLike
Comment by Rodel Saludares — February 14, 2013 @ 3:32 PM
thank you very much for your work, following your site I learned a lot on mikrotik and networking in general.
I wanted to ask you a question,
I followed the guide and everything works perfectly
I want to make sure that if the line DSL1 does not work , the group DSL1_USER must be connected to DSL2 line .
when the line DSL1 back to work, the users DSL1_USER return to DSL1 line
Thank you very much for your work
LikeLike
Comment by Erasmo — February 22, 2013 @ 7:21 PM
Jahanzaib Sir i want to know how to two vpn client network combine in one network
LikeLike
Comment by Ghufran Khizar — May 1, 2013 @ 4:36 AM
can we add fail over function. i.e. if DSL 1 is down. DSL 2 will all serve dsl 1 userlist and dsl 2 userlist.
LikeLike
Comment by Alex Adamos — June 30, 2013 @ 7:14 AM
Yes you can. Either use scripting which can fulfill more suitably, or use the additional route with high distance.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — July 1, 2013 @ 9:33 AM
How Can I mark the connections so as to know which or who is going through a particular host without having access to the client’s system to do a trace?
Secondly I need the script for failover so that if DSL 1 is down. DSL 2 will all serve dsl 1 userlist and dsl 2 userlist.
LikeLike
Comment by Jones Cosmos — July 26, 2013 @ 1:22 AM
hi can u describe how i can i split browsing and mail with 2 isp in 1 routerboard (mikrotik)
1 isp for mail and 1 other isp for browsing
ether1 = WAN1
ether2 = WAN2
ether3 = LAN1
ether4 = LAN2
LAN1 is farm server
LAN2 is client
i want split client (LAN2) for browsing is via WAN2
and for server farm (LAN1) i want via WAN1
LikeLike
Comment by krak — December 16, 2013 @ 9:58 PM
You need policy base routing, since your requirements is customized, you have to build the custom scripts as a solution.
Try this.
https://aacable.wordpress.com/2011/10/27/mikrotik-policy-routing-based-on-client-ip-address/
http://wiki.mikrotik.com/wiki/Per-Traffic_Load_Balancing
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — December 17, 2013 @ 9:05 AM
thx, i’ll try your tutorial
LikeLike
Comment by krak — December 17, 2013 @ 11:09 AM
hi, can u write script for failover for your tutorial
LikeLike
Comment by krak — December 19, 2013 @ 7:14 PM
Assalam Syed Jahanzaib
i have follow this tutorial and working like i want now i want if dsl1 is down i want list user in dsl1_user can use link dsl2 and if dsl1 is up then the user in list dsl1 go to link dsl1
can u write script for failover for this one tutorial if can implement in this tutorial
or can u email for me
Wassalam
mozax
LikeLike
Comment by mozax — December 21, 2013 @ 9:31 PM
It can be made with the simple scripting and netwatch tool.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — December 23, 2013 @ 8:15 AM
Assalam o alikum.
how to configure this rule with squid proxy server and mikrotik proxy ?
LikeLike
Comment by asad — September 25, 2014 @ 11:56 PM
السلام عليكم
Dear Syed Jahanzaib is it posible to use pppoe client instead of ip as Wan2, i tested it and found problems with this method and tried other methods still got no working result.
here’s what i’m trying to make..
Wan01 is ip I use it to provide a pppoe server..
Wan02 is a pppoe client1 to use it with single ip on lan, only mark rooting couldnt gave a clean result, thanks in advice bro.
LikeLike
Comment by Red Heart — October 22, 2014 @ 7:45 AM
My Dear Syed Jahanzaib,
Your solution worked with me perfectly,
Thanks a lot.
You are a life saver 🙂
Jazak Allah
LikeLike
Comment by Asim Khan — April 15, 2015 @ 6:56 PM
Dear Syed Jahanzaib; i can’t access all network on this policy routing load balance methods. This is perfect for me but I can’t access other dsl list network. How can I do?
LikeLike
Comment by eray — April 19, 2015 @ 8:13 AM
Thx man I had to make isolation for 3 IP from my network company and pass them through second unused WAN. I read few articles but they were about how to combine all WAN together and use them as one. Only this article showed it is easy and you don’t have to mark any connections and packets 🙂 just mark routing and pass it for address-list. Thx
LikeLike
Comment by Konrad — July 29, 2015 @ 11:34 AM
Hai..
Thanks for your tutorial i use same as your configuration but i have problem when i ping from the ousite (from http://network-tools.com) to my wan1 and wan2, i get timed Out. but when i set with no routing-mark in wan ip route configuration and i ping from outsite i get normally reply ping.
There any one have solution for this problem ?
LikeLike
Comment by Wahyu — October 30, 2015 @ 2:16 PM
I have this configuration but with a pppoe server.
lan ether1 192.168.1.1/24 – pppoe client: 192.168.20.1/24
wan1 ether2 192.168.5.1
wan2 ether3 192.168.6.1
everything works perfectly.
if I try to communicate from 192.168.1.5 to 192.168.20.2 can not.
If I disable the rule mangle can communicate from 192.168.1.5 to 192.168.20.2 but if active rule mangle can not communicate between 192.168.1.5 and 192.168.20.2
LikeLike
Comment by Erasmo — November 22, 2015 @ 5:36 PM
you can use a simple NAT MASQUERADE rule to enable communication from SRC to DST subnet.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — November 23, 2015 @ 8:49 AM
I created a nat masquerade rule but the problem persists.
The problem comes when I enable the rule mangle with routing mark
LikeLike
Comment by Erasmo — November 23, 2015 @ 4:26 PM
any other ideas?
LikeLike
Comment by Erasmo — November 27, 2015 @ 7:48 PM
same problem with my network . users can’t communicate with each others ip or can’t open web server but if i enable ICMP option in mangle then they can communicate but they can’t use internet .. pls share if you have any solution i try every think on NAT and MANGLE
LikeLike
Comment by Ahmed — August 7, 2016 @ 4:24 AM
wan 6 link pcc
LikeLike
Comment by زيد الصليحي — August 12, 2016 @ 11:25 PM
i wrote many guides on pcc. search my blog and use it. you can duplicate pcc entries to accommodate your require wan links.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — August 13, 2016 @ 11:31 AM
the tutorial worked automagically but l2tp servers didn’t work after having the two lines up through mikrotik. how can i make remote l2tp connections to connect to the mikrotiks l2tp vpn connections using the scenario.
LikeLike
Comment by Samuel — July 25, 2017 @ 9:58 PM
Sir your topic is really helpful but if somehow you create video of your topics and upload on YouTube that’s would be very good for all.
LikeLike
Comment by ahmed — December 15, 2017 @ 10:05 AM
Well I don’t think my posts are that much professional to be accompanied with videos. 🙂
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — December 15, 2017 @ 10:35 AM
youtube bdix kasa add karunga sazid bro
LikeLike
Comment by robin — June 8, 2018 @ 9:43 PM
[…] other scenario’s, you may want to look into prerouting […]
LikeLike
Pingback by Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge ! — November 19, 2018 @ 3:58 PM
Can please let me know, using two WAN, can we balance it like, use uplink from WAN A and downlink from WAN B?
LikeLike
Comment by Usama Zafar — January 29, 2019 @ 11:01 PM