Mikrotik Load Balancing ADSL lines

[ColinR]

I have 2 ADSL lines that I load balance as below. It's notoriously dodgy. Https sites work - but the Virgin Money banking site doesn't.
My biggest issue is that VPN connects, but nothing routes. If I disable the one wan, all works as expected, vpn & port forwarding rules.

/ ip firewall mangle
add chain=input in-interface=wan1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=wan2 action=mark-connection new-connection-mark=wan2_conn
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
add chain=prerouting dst-address-type=!local in-interface=3_SWITCH per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=3_SWITCH per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting connection-mark=wan1_conn in-interface=3_SWITCH action=mark-routing new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=3_SWITCH action=mark-routing new-routing-mark=to_wan2
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=3_SWITCH connection-mark=no-mark new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=3_SWITCH connection-mark=no-mark new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1

/ ip route
add dst-address=0.0.0.0/0 gateway=wan1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=wan2 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=wan1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=wan2 distance=2 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade

 

[froot]

The problem with load balancing as above, is that you have two IP addresses, so SSL, etc have a problem, since the protocols are designed with only one connecting address per session in mind. That's exactly the reason why your VPN, etc works when you disable the one connection.

 

[ColinR]

Yeah. There is the option for Per traffic load balancing
Is it the best option? It's not going to balance as well though.

 

[Pada]

Why don't you just add exclusions for sites that shouldn't be load balanced? Banking websites often check the IP address that you're connecting from, and if it changes then they log you out. It has nothing to do with SSL.

Alternatively you can load balance based on the source LAN IP address.

 

[ColinR]

Why don't you just add exclusions for sites that shouldn't be load balanced?

This is a good option.

Alternatively you can load balance based on the source LAN IP address.

Even with src-address PCC, the virgin site is still unhappy.

 

[Pada]

This is a good option.

Even with src-address PCC, the virgin site is still unhappy.

I don't believe that your SRC Address PCC works like it should then!

Usually they do the SRC Address PCC by dividing like an 192.168.1.x subnet into 2 segments: 192.168.1.0 - 192.168.1.127 (aka 192.168.1.0/25) and 192.168.1.128 - 192.168.1.255 (192.168.1.128/25). Then they ALWAYS route 192.168.1.0/25 via ADSL modem A and ALWAYS route 192.168.1.128/25 via ADSL modem B.

The only reason why Virgin could disconnect you is if you have an unstable ADSL modem connection...

 

[ColinR]

The only reason why Virgin could disconnect you is if you have an unstable ADSL modem connection...

My adsl is solid enough. its not related to that. Perhaps I'm just asking too much of the little RB750.

 

[Pada]

You're welcome to post your SRC Address PCC setup here and then we could see if we can find any faults with it.

 

[Hummercellc]

I am load balancing with pfsense and don't have problems with SSL traffic or VPN. Maybe give pfsense a try?

 

[Pada]

I am load balancing with pfsense and don't have problems with SSL traffic or VPN. Maybe give pfsense a try?

Usually you don't have any issues with SSL load balancing. It is just with some banking websites that you'll have issues where they'll log you out - like with ABSA - when your IP address changes (like when you load balance every TCP connection on another ADSL connection).

Load balancing can be achieved in so many different ways, but load balancer setup has its own drawbacks.

 

[ColinR]

You're welcome to post your SRC Address PCC setup here and then we could see if we can find any faults with it.

I never kept my scripts for the src-address config I used - but I have a backup of the config. Can I generate a script from it?

 

[eddief1]

Have you tried NTH outgoing load balancing. We use this and policy route troublesome websites. Seems OK.

 

[ColinR]

Have you tried NTH outgoing load balancing. We use this and policy route troublesome websites. Seems OK.

I haven't. I'm trying to work out the best way to do this. My other issue is port forwarding. It's like it's a 50/50 chance if it will work or not.