AKZN Notes

Archives for My Lazy and Forgetful Mind

Mikrotik Load balance PCC + Hotspot

Script

generated from https://buananetpbun.github.io/pcc.html

ROS 7.X


#############################################################
# LOAD BALANCING (LB) PCC SCRIPT GENERATOR
# Date/Time: 6/27/2022, 1:19:22 PM
# Created By: BuanaNETPBun.Github.io - fb.me/buananet.pbun
# Load Balancing Method -> PCC (Per Connection Classifier)
#############################################################

/ip firewall address-list
add address=192.168.0.0/16 list=LOCAL-IP comment="LB By BNT"
add address=172.16.0.0/12 list=LOCAL-IP comment="LB By BNT"
add address=10.0.0.0/8 list=LOCAL-IP comment="LB By BNT"
/ip firewall nat
add chain=srcnat out-interface="ether1-WAN" action=masquerade comment="LB By BNT"
add chain=srcnat out-interface="ether2-WAN" action=masquerade comment="LB By BNT"
/routing table
add name="to-ether1-WAN" fib comment="LB By BNT"
add name="to-ether2-WAN" fib comment="LB By BNT"
/ip route
add check-gateway=ping distance=1 gateway="10.5.51.1" routing-table="to-ether1-WAN" comment="LB By BNT"
add check-gateway=ping distance=1 gateway="192.168.1.1" routing-table="to-ether2-WAN" comment="LB By BNT"
add check-gateway=ping distance=1 gateway="10.5.51.1" comment="LB By BNT"
add check-gateway=ping distance=2 gateway="192.168.1.1" comment="LB By BNT"
/ip firewall mangle
add action=mark-connection chain=input in-interface="ether1-WAN" new-connection-mark="cm-ether1-WAN" passthrough=yes comment="LB By BNT"
add action=mark-connection chain=input in-interface="ether2-WAN" new-connection-mark="cm-ether2-WAN" passthrough=yes comment="LB By BNT"
add action=mark-routing chain=output connection-mark="cm-ether1-WAN" new-routing-mark="to-ether1-WAN" passthrough=yes comment="LB By BNT"
add action=mark-routing chain=output connection-mark="cm-ether2-WAN" new-routing-mark="to-ether2-WAN" passthrough=yes comment="LB By BNT"
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark="cm-ether1-WAN" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=LOCAL-IP comment="LB By BNT"
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark="cm-ether2-WAN" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=LOCAL-IP comment="LB By BNT"
add action=mark-routing chain=prerouting connection-mark="cm-ether1-WAN" dst-address-list=!LOCAL-IP new-routing-mark="to-ether1-WAN" passthrough=yes src-address-list=LOCAL-IP comment="LB By BNT"
add action=mark-routing chain=prerouting connection-mark="cm-ether2-WAN" dst-address-list=!LOCAL-IP new-routing-mark="to-ether2-WAN" passthrough=yes src-address-list=LOCAL-IP comment="LB By BNT"

Hotspot Setting

  1. Set up the hotspot as usual.

  2. Change the mangle rules for PCC (every mangle rule with "per-connection-classifier" set) by adding the argument hotspot=auth.

    Note :
    because the mangle rules are now applied only to hotspot users (or PPPoE, if you set that instead), IF you want Load Balance to be used on another LAN (or by bypassed hotspot clients), you need to make another pair of PCC mangle rules with a separate address list
    example :

    add action=mark-connection chain=prerouting dst-address-list=!OTHER-LOCAL-IP dst-address-type=!local new-connection-mark="cm-ether1-WAN" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=OTHER-LOCAL-IP comment="LB By BNT"
    add action=mark-connection chain=prerouting dst-address-list=!OTHER-LOCAL-IP dst-address-type=!local new-connection-mark="cm-ether2-WAN" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=OTHER-LOCAL-IP comment="LB By BNT"

    And make sure those address lists are included in LOCAL-IP (or whatever address list name you use in your setting), so they still get the route mangle from the last lines of the script above. OR you can just make new mangle route rules with the OTHER-LOCAL-IP address list.

  3. EDIT the dynamic firewall DNS NAT rules created by the hotspot setup to allow DNS traffic if the user is authenticated, because otherwise the DNS traffic of authenticated hotspot users will be blocked.

    /ip firewall nat set 2,3 hotspot=!auth

    Adjust the "2,3" part to match your firewall configuration; make sure it is the DNS part of the dynamically created hotspot rules.

    The rules above revert to the default when we disable and re-enable the hotspot service, so they must be re-set if we want to use it again.
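The three hotspot steps above, written as one RouterOS 7 script so they can be pasted into a terminal or kept in /system script and re-run after the hotspot is toggled. This is an added example, not part of the original note or of the BuanaNET generator. It assumes (not from the page): the PCC rules still carry comment="LB By BNT" from the generated script, the non-hotspot LAN that should bypass the hotspot is 192.168.88.0/24, and the two dynamic hotspot DNS NAT rules (the "2,3" of the note) are the ones in chain=hotspot with dst-port=53. Rules are selected with "find" instead of rule numbers, so the script does not break when the rule order changes.

```routeros
# Added example, not from the original post or the PCC generator.
# Assumptions: PCC rules are commented "LB By BNT"; bypass LAN is 192.168.88.0/24;
# dynamic hotspot DNS redirect rules live in chain=hotspot with dst-port=53.

# Step 2: the generated PCC classifier rules are exactly the prerouting
# mark-connection rules, so limit them to authenticated hotspot users.
/ip firewall mangle set [find where chain=prerouting and action=mark-connection and comment="LB By BNT"] hotspot=auth

# Step 2 note: a separate address list for LAN clients that bypass the hotspot.
# Added to LOCAL-IP as well, so the existing mark-routing rules still match them.
/ip firewall address-list
add address=192.168.88.0/24 list=OTHER-LOCAL-IP comment="LB By BNT bypass"
add address=192.168.88.0/24 list=LOCAL-IP comment="LB By BNT bypass"

# PCC classifier rules for the bypass LAN, without hotspot=auth.
# dst-address-list=!LOCAL-IP is used because OTHER-LOCAL-IP is a subset of LOCAL-IP.
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark="cm-ether1-WAN" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=OTHER-LOCAL-IP comment="LB By BNT bypass"
add action=mark-connection chain=prerouting dst-address-list=!LOCAL-IP dst-address-type=!local new-connection-mark="cm-ether2-WAN" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address-list=OTHER-LOCAL-IP comment="LB By BNT bypass"

# Step 3: only redirect DNS for hotspot users that are NOT yet authenticated,
# so authenticated users' DNS goes out through the load-balanced WANs.
/ip firewall nat set [find where chain=hotspot and dst-port=53 and dynamic=yes] hotspot=!auth

# Check: the generated classifier rules should show hotspot=auth, the bypass
# rules should not, and the hotspot DNS rules should show hotspot=!auth.
/ip firewall mangle print where action=mark-connection and chain=prerouting
/ip firewall nat print where chain=hotspot and dst-port=53
```

Because the dynamic NAT rules are recreated with default settings whenever the hotspot is disabled and re-enabled, the step 3 line is the one worth keeping in a /system script; the mangle and address-list changes are static and survive a hotspot restart.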
