MikroTik Dual WAN Load Balancing and failover is a highly sought-after configuration for businesses and advanced home networks looking to maximize uptime and optimize internet usage. This guide provides step-by-step instructions on setting up Dual WAN Load Balancing and failover on the MikroTik RB750Gr3 router. While the steps focus on this model, they are applicable to most MikroTik routers.
What You Need
- MikroTik router (RB750Gr3 in this guide).
- Two active internet connections:
- WAN1: Dynamic IP (via DHCP).
- WAN2: Static IP (example:
172.28.62.195/24
, Gateway:172.28.62.1
).
- A computer to access the MikroTik router using WinBox.
Note: You can configure the settings using either the terminal commands provided or the GUI steps outlined below. Please choose the method you’re most comfortable with and avoid combining both methods to prevent configuration conflicts.
Step 1: Download and Install WinBox
- Visit the MikroTik official website.
- Download the WinBox utility for your OS.
- Install and launch WinBox on your computer.
- Connect your computer to the MikroTik router using an Ethernet cable.
- Open WinBox and log in to the router:
- Default username: admin
- Default password: (leave blank) or check the back of the router for a printed password if “blank” doesn’t work.
- For Linux or macOS users, consider using a browser-based configuration by accessing the router’s default IP (
192.168.88.1
) or running WinBox through a Windows emulator like Wine.
Step 2: Configure WAN Interfaces
Terminal Commands
/interface ethernet set [find default-name=ether1] name=WAN1
/interface ethernet set [find default-name=ether2] name=WAN2
/ip dhcp-client add interface=WAN1 disabled=no
/ip address add address=172.28.62.195/24 interface=WAN2
/ip route add gateway=172.28.62.1
Steps in WinBox
- In WinBox, navigate to Interfaces.
- Rename Ethernet ports for clarity:
ether1
→ WAN1ether2
→ WAN2
- Assign the IP configurations:
- WAN1: Set to DHCP client.
- WAN2: Assign a static IP (e.g.,
172.28.62.195/24
) with the gateway as172.28.62.1
.
Explanation
- WAN1 Configuration: This assigns a dynamic IP address to WAN1 using DHCP, ensuring it receives an IP from the ISP automatically.
- WAN2 Configuration: Assigning a static IP ensures WAN2 uses the fixed IP address provided by your ISP. This step is crucial for ISPs that do not provide DHCP for certain plans.
Step 3: Set Up Firewall NAT Rules
Terminal Commands
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN1 comment="NAT for WAN1"
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN2 comment="NAT for WAN2"
Steps in WinBox
- Navigate to IP > Firewall > NAT.
- Configure the following rules:
- Rule 1 (WAN1):
- Chain:
srcnat
- Action:
masquerade
- Out Interface:
WAN1
- Comment: NAT for WAN1
- Chain:
- Rule 2 (WAN2):
- Chain:
srcnat
- Action:
masquerade
- Out Interface:
WAN2
- Comment: NAT for WAN2
- Chain:
- Rule 1 (WAN1):
Explanation
- Why NAT Rules Are Needed: These rules ensure that outgoing traffic from your local network (LAN) is properly translated to use the respective public IPs of WAN1 and WAN2. Without these rules, devices on your LAN cannot access the internet.
Step 4: Configure Mangle Rules for Load Balancing
Terminal Commands
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=Local_Network per-connection-classifier=src-address:2/0
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=Local_Network per-connection-classifier=src-address:2/1
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn in-interface=Local_Network
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn in-interface=Local_Network
Steps in WinBox
- Navigate to IP > Firewall > Mangle.
- Add connection marking rules:
- Rule 1 (WAN1 Connection Mark):
- Chain:
prerouting
- Action:
mark-connection
- New Connection Mark:
WAN1_conn
- Per Connection Classifier:
src-address:2/0
- In Interface:
LAN
- Chain:
- Rule 2 (WAN2 Connection Mark):
- Chain:
prerouting
- Action:
mark-connection
- New Connection Mark:
WAN2_conn
- Per Connection Classifier:
src-address:2/1
- In Interface:
LAN
- Chain:
- Rule 1 (WAN1 Connection Mark):
- Add routing marking rules:
- Rule 1 (Route WAN1):
- Chain:
prerouting
- Action:
mark-routing
- New Routing Mark:
to_WAN1
- Connection Mark:
WAN1_conn
- In Interface:
LAN
- Chain:
- Rule 2 (Route WAN2):
- Chain:
prerouting
- Action:
mark-routing
- New Routing Mark:
to_WAN2
- Connection Mark:
WAN2_conn
- In Interface:
LAN
- Chain:
- Rule 1 (Route WAN1):
Explanation
- Connection Marking*: This step divides traffic based on source addresses into two group*s, directing them to either WAN1 or WAN2.
- Routing Marking: Ensures marked traffic is routed through the correct WAN interface, enabling effective load balancing.
Step 5: Add Static Routes
Terminal Commands
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=1 routing-mark=to_WAN1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=172.28.62.1 distance=2 routing-mark=to_WAN2 check-gateway=ping
Steps in WinBox
- Navigate to IP > Routes.
- Configure the following:
- Route 1 (WAN1):
- Destination Address:
0.0.0.0/0
- Gateway:
10.0.0.1
- Distance:
1
- Routing Mark:
to_WAN1
- Destination Address:
- Route 2 (WAN2):
- Destination Address:
0.0.0.0/0
- Gateway:
172.28.62.1
- Distance:
2
- Routing Mark:
to_WAN2
- Destination Address:
- Route 1 (WAN1):
Explanation
- Static Routes: Define how marked traffic flows through the respective WAN gateways.
Check-gateway=ping
ensures routes remain active only if the gateway is reachable.
Step 6: Test Load Balancing and Failover
Terminal Commands
/tool torch interface=WAN1
/tool torch interface=WAN2
/ip firewall connection print where connection-mark~"WAN"
Steps in WinBox
- Use Torch to monitor traffic on WAN1 and WAN2:
- Navigate to Tools > Torch.
- Select
WAN1
orWAN2
to monitor traffic.
- Disconnect one WAN to test failover functionality.
- Traffic should seamlessly switch to the active WAN.
- Reconnect the WAN and verify load balancing resumes.
Explanation
- Torch Tool: Helps visualize traffic distribution across interfaces.
- Failover Test: Ensures uninterrupted internet access if one WAN connection fails.
Final Thoughts
Setting up MikroTik Dual WAN Load Balancing and Failover enhances your network’s reliability and performance by optimizing traffic distribution and ensuring redundancy. By following this guide, your MikroTik router can provide uninterrupted internet access tailored to your needs.
For more networking tips, visit TechBreeze.
Step 4.
new-routing-mark=to_WAN1 does not work.
in WEinBox UI it is limited to selecting “main”.
in terminal, it complaints that input does not match any value for new-routing-mark
Thanks for pointing that out!
You’re absolutely right — in the WinBox UI, the new-routing-mark field for mangle rules does not offer dropdown options beyond main, and in CLI, it can throw an error if the routing mark hasn’t been defined yet.
To resolve this:
First, ensure you’ve already created the routing table (or route) that uses the routing-mark before you reference it in a mangle rule.
Here’s how you can do it via CLI:
/ip route add dst-address=0.0.0.0/0 gateway= routing-mark=to_WAN1
Replace with the actual gateway IP for your WAN1 interface. This creates a custom routing table entry associated with the to_WAN1 mark.
Then, in your mangle rule, you can safely assign:
/ip firewall mangle add chain=prerouting src-address= action=mark-routing new-routing-mark=to_WAN1 passthrough=yes
If you’re using WinBox, it might not list the routing-mark until it has been created via CLI first. Once the route exists, the mark becomes valid for selection or typing.
Let me know if you’re still facing issues — happy to guide you further!
Hello, I have 3 starlink standard kits as ISPs. I want bond and create a failover 3 OF them on amikrotik rb1100 router. What additional configs may need to achieve this
Mikrotik RB1100 Configuration for 3 WAN Load Balancing + Failover (NTH Method)
Let’s assume:
STEP 1: Rename Interfaces (Optional)
/interface set ether1 name=WAN1
/interface set ether2 name=WAN2
/interface set ether3 name=WAN3
/interface set ether10 name=LAN
STEP 2: Set Up DHCP Clients (If all Starlinks use DHCP)
/ip dhcp-client add interface=WAN1 use-peer-dns=no add-default-route=no
/ip dhcp-client add interface=WAN2 use-peer-dns=no add-default-route=no
/ip dhcp-client add interface=WAN3 use-peer-dns=no add-default-route=no
STEP 3: Configure NAT
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade
STEP 4: Add Mangle Rules for Load Balancing using NTH (per-connection classifier)
/ip firewall mangle
Clear connection marks
add chain=prerouting connection-mark=no-mark in-interface=LAN action=mark-connection new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add chain=prerouting connection-mark=no-mark in-interface=LAN action=mark-connection new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add chain=prerouting connection-mark=no-mark in-interface=LAN action=mark-connection new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses:3/2
Route the marked connections
add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1 passthrough=yes
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2 passthrough=yes
add chain=prerouting connection-mark=WAN3_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN3 passthrough=yes
STEP 5: Add Routing Rules with Check-Gateway
You need to know the actual gateway IPs of each Starlink DHCP client (check ip dhcp-client print once they are assigned)
/ip route routing-mark=to_WAN1 check-gateway=ping routing-mark=to_WAN2 check-gateway=ping routing-mark=to_WAN3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=
add dst-address=0.0.0.0/0 gateway=
add dst-address=0.0.0.0/0 gateway=
Default route with ECMP for failover
add dst-address=0.0.0.0/0 gateway=,, check-gateway=ping
STEP 6: DNS and LAN Config
/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes
/ip address add address=192.168.88.1/24 interface=LAN
/ip pool add name=dhcp_pool ranges=192.168.88.10-192.168.88.100
/ip dhcp-server add name=dhcp1 interface=LAN lease-time=1h address-pool=dhcp_pool
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=8.8.8.8
Optional: Real “Bonding” with VPS or Tunnel
If you want:
Then consider:
Let me know if you want that configuration too.