MikroTik 2 WAN PPPoE Load Balance with Failover

Here’s a complete MikroTik RouterOS script for your requirements:

  • 2 WAN PPPoE connections (load-balanced with NTH + failover)
  • LAN IP 172.23.34.0/24
  • Bandwidth limit (50Mbps per LAN client)
  • Basic firewall rules (security + NAT)

Script

/interface pppoe-client
add name=pppoe-wan1 interface=ether1 user=user1 password=pass1 add-default-route=no
add name=pppoe-wan2 interface=ether2 user=user2 password=pass2 add-default-route=no

# Create the bridge first: the DHCP server below refers to it
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
# Add more LAN ports if needed

/ip pool
add name=lan-pool ranges=172.23.34.100-172.23.34.200

/ip dhcp-server
add address-pool=lan-pool interface=bridge-lan disabled=no name=dhcp-lan

/ip address
add address=172.23.34.1/24 interface=bridge-lan network=172.23.34.0

/ip dhcp-server network
add address=172.23.34.0/24 gateway=172.23.34.1 dns-server=8.8.8.8,1.1.1.1

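/ip firewall mangle
# Mark only new connections coming from the LAN that are not addressed to the router itself.
# Both NTH rules run before either mark-routing rule, so each one counts every new connection
# (1st of 2 goes to WAN1, 2nd of 2 goes to WAN2).
add chain=prerouting in-interface=bridge-lan dst-address-type=!local connection-state=new nth=2,1 action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=bridge-lan dst-address-type=!local connection-state=new nth=2,2 action=mark-connection new-connection-mark=wan2_conn passthrough=yes
# Routing marks are applied only to packets entering from the LAN; replies arriving
# from a WAN must be routed by the main table to get back to the LAN.
add chain=prerouting in-interface=bridge-lan connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2 passthrough=no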

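/ip route
# routing-mark= is RouterOS v6 syntax. On RouterOS v7 the tables to_wan1 and to_wan2
# have to be created under /routing table and the route property is routing-table=.
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 routing-mark=to_wan2 check-gateway=ping
# Main-table defaults: used by the router itself and as the fallback when a marked route is inactive
add dst-address=0.0.0.0/0 gateway=pppoe-wan1 distance=3
add dst-address=0.0.0.0/0 gateway=pppoe-wan2 distance=4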

/ip firewall nat
add chain=srcnat out-interface=pppoe-wan1 action=masquerade
add chain=srcnat out-interface=pppoe-wan2 action=masquerade

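# Bandwidth limit (50Mbps per LAN client)
# PCQ creates one sub-queue per client address, so the 50M rate applies to each
# client rather than to the whole subnet.
/queue type
add name=pcq-up-50M kind=pcq pcq-rate=50M pcq-classifier=src-address
add name=pcq-down-50M kind=pcq pcq-rate=50M pcq-classifier=dst-address
/queue simple
add name=limit-lan target=172.23.34.0/24 queue=pcq-up-50M/pcq-down-50M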

# Basic firewall rules
/ip firewall filter
add chain=input action=drop connection-state=invalid
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=pppoe-wan1 protocol=tcp dst-port=23,80,443,8291
add chain=input action=drop in-interface=pppoe-wan2 protocol=tcp dst-port=23,80,443,8291
# No fasttrack-connection rule: FastTrack packets bypass mangle and simple queues, which would defeat the routing marks and the bandwidth limit above
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid

Key Features:

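  1. Dual WAN PPPoE Load Balancing
     • Uses NTH: new connections alternate between WAN1 and WAN2.
     • Failover: if one PPPoE link goes down, its marked route becomes inactive and traffic falls back to the main-table default routes (distance 3 and 4).
  2. LAN Setup
     • DHCP server for 172.23.34.0/24.
     • Clients get IPs from 172.23.34.100-172.23.34.200.
  3. Bandwidth Limiting
     • Each LAN client restricted to 50Mbps up/down.
  4. Basic Firewall
     • Drops invalid packets and blocks TCP ports 23, 80, 443 and 8291 (Telnet, WebFig, Winbox) arriving on either PPPoE interface. Other router services, such as SSH on port 22, are not covered by these rules.
     • NAT for outbound traffic.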
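
The filter rules in the script block four TCP ports on the WAN side and allow everything else. The following added example, which is not part of the original script, shows a default-deny variant that could be used in place of the `/ip firewall filter` section. It assumes the interface names and LAN subnet from the script; the interface list name `WAN` and the choice of which services to disable are assumptions of this example.

```routeros
# Added example, not from the original page.
# Group both PPPoE links so one rule covers either WAN (list name "WAN" is an assumption).
/interface list
add name=WAN
/interface list member
add list=WAN interface=pppoe-wan1
add list=WAN interface=pppoe-wan2

# Disable management services assumed to be unused; restrict the rest to the LAN subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=172.23.34.0/24
set ssh address=172.23.34.0/24
set winbox address=172.23.34.0/24

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related comment="replies to router-originated traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping and path MTU discovery"
add chain=input action=accept in-interface=bridge-lan comment="management, DHCP and DNS from LAN"
add chain=input action=drop comment="everything else, including every WAN-side port"

# forward chain: traffic routed through the router
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=WAN connection-state=new connection-nat-state=!dstnat comment="unsolicited WAN to LAN"
```

Apply it from a LAN-side session, ideally in Safe Mode, so the final input drop rule cannot cut off the session being used to configure the router.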

How to Apply:

  1. Copy the script to Winbox Terminal (or SSH).
  2. Adjust:
     • pppoe-wan1/wan2 credentials.
     • LAN interfaces (ether3, ether4, etc.).
  3. Test failover by unplugging one PPPoE.
