MikroTik Dual WAN Load Balancing and failover is a highly sought-after configuration for businesses and advanced home networks looking to maximize uptime and optimize internet usage. This guide provides step-by-step instructions on setting up Dual WAN Load Balancing and failover on the MikroTik RB750Gr3 router. While the steps focus on this model, they are applicable to most MikroTik routers.
What You Need
- MikroTik router (RB750Gr3 in this guide).
- Two active internet connections:
- WAN1: Dynamic IP (via DHCP).
- WAN2: Static IP (example:
172.28.62.195/24, Gateway:172.28.62.1).
- A computer to access the MikroTik router using WinBox.
Note: You can configure the settings using either the terminal commands provided or the GUI steps outlined below. Please choose the method you’re most comfortable with and avoid combining both methods to prevent configuration conflicts.
Step 1: Download and Install WinBox
- Visit the MikroTik official website.
- Download the WinBox utility for your OS.
- Install and launch WinBox on your computer.
- Connect your computer to the MikroTik router using an Ethernet cable.
- Open WinBox and log in to the router:
- Default username: admin
- Default password: (leave blank) or check the back of the router for a printed password if “blank” doesn’t work.
- For Linux or macOS users, consider using a browser-based configuration by accessing the router’s default IP (
192.168.88.1) or running WinBox through a Windows emulator like Wine.
Step 2: Configure WAN Interfaces
Terminal Commands
/interface ethernet set [find default-name=ether1] name=WAN1
/interface ethernet set [find default-name=ether2] name=WAN2
/ip dhcp-client add interface=WAN1 disabled=no
/ip address add address=172.28.62.195/24 interface=WAN2
/ip route add gateway=172.28.62.1Steps in WinBox
- In WinBox, navigate to Interfaces.
- Rename Ethernet ports for clarity:
ether1→ WAN1ether2→ WAN2
- Assign the IP configurations:
- WAN1: Set to DHCP client.
- WAN2: Assign a static IP (e.g.,
172.28.62.195/24) with the gateway as172.28.62.1.
Explanation
- WAN1 Configuration: This assigns a dynamic IP address to WAN1 using DHCP, ensuring it receives an IP from the ISP automatically.
- WAN2 Configuration: Assigning a static IP ensures WAN2 uses the fixed IP address provided by your ISP. This step is crucial for ISPs that do not provide DHCP for certain plans.
Step 3: Set Up Firewall NAT Rules
Terminal Commands
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN1 comment="NAT for WAN1"
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN2 comment="NAT for WAN2"
Steps in WinBox
- Navigate to IP > Firewall > NAT.
- Configure the following rules:
- Rule 1 (WAN1):
- Chain:
srcnat - Action:
masquerade - Out Interface:
WAN1 - Comment: NAT for WAN1
- Chain:
- Rule 2 (WAN2):
- Chain:
srcnat - Action:
masquerade - Out Interface:
WAN2 - Comment: NAT for WAN2
- Chain:
- Rule 1 (WAN1):
Explanation
- Why NAT Rules Are Needed: These rules ensure that outgoing traffic from your local network (LAN) is properly translated to use the respective public IPs of WAN1 and WAN2. Without these rules, devices on your LAN cannot access the internet.
Step 4: Configure Mangle Rules for Load Balancing
Terminal Commands
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=Local_Network per-connection-classifier=src-address:2/0
/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=Local_Network per-connection-classifier=src-address:2/1
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn in-interface=Local_Network
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn in-interface=Local_Network
Steps in WinBox
- Navigate to IP > Firewall > Mangle.
- Add connection marking rules:
- Rule 1 (WAN1 Connection Mark):
- Chain:
prerouting - Action:
mark-connection - New Connection Mark:
WAN1_conn - Per Connection Classifier:
src-address:2/0 - In Interface:
LAN
- Chain:
- Rule 2 (WAN2 Connection Mark):
- Chain:
prerouting - Action:
mark-connection - New Connection Mark:
WAN2_conn - Per Connection Classifier:
src-address:2/1 - In Interface:
LAN
- Chain:
- Rule 1 (WAN1 Connection Mark):
- Add routing marking rules:
- Rule 1 (Route WAN1):
- Chain:
prerouting - Action:
mark-routing - New Routing Mark:
to_WAN1 - Connection Mark:
WAN1_conn - In Interface:
LAN
- Chain:
- Rule 2 (Route WAN2):
- Chain:
prerouting - Action:
mark-routing - New Routing Mark:
to_WAN2 - Connection Mark:
WAN2_conn - In Interface:
LAN
- Chain:
- Rule 1 (Route WAN1):
Explanation
- Connection Marking*: This step divides traffic based on source addresses into two group*s, directing them to either WAN1 or WAN2.
- Routing Marking: Ensures marked traffic is routed through the correct WAN interface, enabling effective load balancing.
Step 5: Add Static Routes
Terminal Commands
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=1 routing-mark=to_WAN1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=172.28.62.1 distance=2 routing-mark=to_WAN2 check-gateway=ping
Steps in WinBox
- Navigate to IP > Routes.
- Configure the following:
- Route 1 (WAN1):
- Destination Address:
0.0.0.0/0 - Gateway:
10.0.0.1 - Distance:
1 - Routing Mark:
to_WAN1
- Destination Address:
- Route 2 (WAN2):
- Destination Address:
0.0.0.0/0 - Gateway:
172.28.62.1 - Distance:
2 - Routing Mark:
to_WAN2
- Destination Address:
- Route 1 (WAN1):
Explanation
- Static Routes: Define how marked traffic flows through the respective WAN gateways.
Check-gateway=pingensures routes remain active only if the gateway is reachable.
Step 6: Test Load Balancing and Failover
Terminal Commands
/tool torch interface=WAN1
/tool torch interface=WAN2
/ip firewall connection print where connection-mark~"WAN"
Steps in WinBox
- Use Torch to monitor traffic on WAN1 and WAN2:
- Navigate to Tools > Torch.
- Select
WAN1orWAN2to monitor traffic.
- Disconnect one WAN to test failover functionality.
- Traffic should seamlessly switch to the active WAN.
- Reconnect the WAN and verify load balancing resumes.
Explanation
- Torch Tool: Helps visualize traffic distribution across interfaces.
- Failover Test: Ensures uninterrupted internet access if one WAN connection fails.
Final Thoughts
Setting up MikroTik Dual WAN Load Balancing and Failover enhances your network’s reliability and performance by optimizing traffic distribution and ensuring redundancy. By following this guide, your MikroTik router can provide uninterrupted internet access tailored to your needs.
For more networking tips, visit TechBreeze.
Step 4.
new-routing-mark=to_WAN1 does not work.
in WEinBox UI it is limited to selecting “main”.
in terminal, it complaints that input does not match any value for new-routing-mark
Thanks for pointing that out!
You’re absolutely right — in the WinBox UI, the new-routing-mark field for mangle rules does not offer dropdown options beyond main, and in CLI, it can throw an error if the routing mark hasn’t been defined yet.
To resolve this:
First, ensure you’ve already created the routing table (or route) that uses the routing-mark before you reference it in a mangle rule.
Here’s how you can do it via CLI:
/ip route add dst-address=0.0.0.0/0 gateway= routing-mark=to_WAN1
Replace with the actual gateway IP for your WAN1 interface. This creates a custom routing table entry associated with the to_WAN1 mark.
Then, in your mangle rule, you can safely assign:
/ip firewall mangle add chain=prerouting src-address= action=mark-routing new-routing-mark=to_WAN1 passthrough=yes
If you’re using WinBox, it might not list the routing-mark until it has been created via CLI first. Once the route exists, the mark becomes valid for selection or typing.
Let me know if you’re still facing issues — happy to guide you further!