simple 3 isp dhcp clients with aggregation

newbie54321 · Sat Dec 16, 2023 7:06 pm

hi,
i have purchased few months ago a RB4011iGS + RM . it is 10 port gigabit switch like router. i have watched some youtube videos and successfully configured 3 dhcp clients on port 1, port 2 ,port 3; with per connection classifier rules in firewall. the problem : as soon as i created the first dhcp client (with cable connected to port i.e. live), i lost connectivity to the router. i.e. winbox stopped connecting to the router ip. the router also doesnt show up in 'neighbors' of winbox. i disconnected all three cables and configured remining 2 dhcp clients. after connecting even ONE of the isp cables (from their fiber ont router) i loose winbox connectivity. if i remove all the three isp lan cables from the ethernet ports THEN instantly i get connectivty back.

please can anyone tell what is happening. it seems i should have gone for the much costlier unifi dream machine thingies. but they were way too costly.

i just want to do speed aggregation with the 3 isps. that is only reason i bought this mikrotik!!!! i am home user.

anav · Sat Dec 16, 2023 10:59 pm

To do PCC with dynamic IPs you will need scripts for each ISP such that the new gatewayIP is entered into all the applicable routes.

newbie54321 · Sun Dec 17, 2023 2:08 pm

To do PCC with dynamic IPs you will need scripts for each ISP such that the new gatewayIP is entered into all the applicable routes.

there is no dynamic gateway. all three gateways are always the same. the ip assigned to this mikrotik might change, but that is also mostly static.

newbie54321 · Sun Dec 17, 2023 2:14 pm

To do PCC with dynamic IPs you will need scripts for each ISP such that the new gatewayIP is entered into all the applicable routes.

btw, i used this video to do the pcc. is this correct? i just followed the video:
https://www.youtube.com/watch?v=MJzJ2xNlzw8

anav · Mon Dec 18, 2023 3:08 am

Keep in mind you wont get aggregation, just more bandwidth to share amongst users and redundancy maybe if your ISPs are different.

Dont like that video, his WAN2 is not working, mangling for PCC is very easy if your WAN ISPs are fixed/static IPs, ( or pppoe assigned IPs), otherwise you need complex scripts to make it work.

This is better...........
https://www.youtube.com/watch?v=nlb7XAv57tw&t=471s

newbie54321 · Fri Dec 29, 2023 7:39 pm

yeah. i saw that official mikrotik video just before seeing ur post. followed that one and now everything is OK!!!! BTW what do u mean by "Keep in mind you wont get aggregation,....." . my download speed from single pc from single gdrive and all has become the total of all isps combined. now getting 600mbps download speed on single files (afcourse via accelerators like IDM). thus i am getting aggregation. right ??

anav · Fri Dec 29, 2023 9:19 pm

Nope the best you can hope for, on any one sessions, is the maximum throughput of the ISP the user is connected to.
The total amount of bandwidth is greater to share.
So instead of 50 users sharing 500Mbps of throughput, they are sharing 1Gbps throughput, so each user has more opportunity for a bigger part of the pipe than before.

Sob · Fri Dec 29, 2023 9:43 pm

@anav: You missed the "afcourse via accelerators like IDM", i.e. instead of downloading one file using one connection from beginning to end, there are multiple connections, each downloading different part of that file. It may not work with everything, but when it does, you can get maximum speed from all ISPs combined.

anav · Fri Dec 29, 2023 11:25 pm

Not familiar with other tools someone might use, I am strictly referring to the performance provided by the MT config.
If there is aggregation wrt to a single session, some other device/software is performing this not the MT.

newbie54321 · Fri Jan 19, 2024 1:25 pm

hi,
what is "bonding"? is it useful in my scenario where i have one mikrotik and it uses 3 dhcp isp ports and i want to join their speeds.

i think bonding requires two mikrotiks or routers, right? it is like link aggregation on some routers, right?

newbie54321 · Tue Apr 09, 2024 10:32 am

hi everyone. the pcc is working fine. now i want todo 2 seperate networks with the 3 isps. i.e. isp1 and isp3 (ether1, ether3) in one network with access to ONLY ports 4,5,9,10 . AAND other isp2 (ether2) in another network with access to ONLY ports 6,7,8. i successfully configured this and the 2 networks were working fine BUT i wanted to forward a port from isp2 to its second network, this did NOT work. can anyone help me?
what command or button should i press to give u guys a log or such of my settings, so u know my current setup/settings.
i saw in firewall that traffic on desired port was reaching the router thru isp2(ether2) BUT not getting forwarded to the required lan address.
now i have deleted the pcc config and just kept 3 wan dhcp clients with '1' as distance on all. thus it is ecmp. i did this to simplify the settings.
how can i show u my setup, so u can help me out.

llamajaja · Tue Apr 09, 2024 8:58 pm

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc)

newbie54321 · Wed Apr 10, 2024 6:25 pm

hi. as illamajaja showed me, i have attached the rsc file here. i went back to doing PCC as ecmp was not giving me combined speeds of the isps. so now only isp1 and isp3 are pcc. isp2 is on its own (i.e. accepting traffic from bridge2 directly). i created 2 bridges as i needed to attach dhcp server 2 to the ports 6,7,8. as attaching individual ports to the ip address list is not possible (in IP > Addresses window).

llamajaja · Wed Apr 10, 2024 7:24 pm

Why not have all three WANs share PCC as well?
What are the down/up throughputs of each WAN??

newbie54321 · Thu Apr 11, 2024 3:01 pm

Why not have all three WANs share PCC as well?
What are the down/up throughputs of each WAN??

i want to seperate the wans into 2 groups. i dont want dhcp server 2 to send traffic to isp1,isp3. i want no communication between the 2 networks. isp2 alongwith pports 6,7,8 should function as a seperate router!! no communication between the 2 groups!!! how can i have pcc from same dhcp server traffic to all 3 wan (i dont want this)!!!
the speeds of wans r --> wan1(ether1) 200mbps down/up , wan2 (ether2) 300mbps down/up, wan3 (ether3) 200mbps down/up.
right now , the 2 networks are working as expected , BUT port forwarding from isp2 to its own group (ether6,7,8) is NOT working. i can see the traffic (bytes) in the firewall but it is not going through.

anav · Thu Apr 11, 2024 9:06 pm

Do not tie ISPs to ports, so inflexible an approach and is not based on requirements but not understanding how networking actually works.
ONLY need to
a. identify user/device or groups of users/devices
b. what traffic flow they required

anav · Thu Apr 11, 2024 9:51 pm

What I hear is that you have 3 wan connections that you could use to server all LAN users.
Separately you have some layers of further requirements
- use WAN2 for external users to reach LAN servers

Its one router so there is no separate router concept. One uses the functionality and tools available on the router to create isolation in traffic. All doable.

Trying to use port based control access to WANs, is really old thinking.
You have to decide if you want each port to get an IP address and not be on a bridge but all separate thats fine.
However most use a single bridge, assigne vlans to subnets and then assign the vlans to the ports as required.
This allows for trunk ports where one can send many vlans down one port, to a smart access port or switch for further distribution in another location/room.

Your ip pools make little sense.

Lacking firewall rules.......

/ip routes make no sense
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The solution below moves everything to one bridge and four vlans, subnets. You may only elect to use two of them for example.
Its a rational approach that may not be quite correct at the start but will allow you to meet your requirements as they become clearer.

PCC for three wans, wan2 gets two hits for every one hit of the other being slightly larger in capacity.
So we need mangle for PCC, we need mangle for incoming traffic to server via WAN2,
We need to ensure that server traffic is not captured by PCC traffic as its separate.

Will assume you have static WANIPs.

+++++++++++++++++++++++++++++++++++++++++++++++++++

# model = RB4011iGS+
# serial number = xxx.xxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10  Comment="old bridge1 subnet maybe"
add interface=bridge1 name=VLAN11 vlan-id=11  Comment="old bridge2 subnet maybe"
add interface=bridge1 name=VLAN12 vlan-id=12  Comment="any subnet"
add interface=bridge1 name=VLAN13 vlan-id=13  Comment="any subnet"
/interface list
add name=WAN
add name=LAN
add name=Trusted
/ip pool
add name=dhcp_pool0 ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool1 ranges=192.168.11.100-192.168.11.254
add name=dhcp_pool2 ranges=192.168.12.100-192.168.12.254
add name=dhcp_pool3 ranges=192.168.13.100-192.168.13.254
/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=VLAN10 list=LAN 
add interface=VLAN11 list=LAN
add interface=VLAN12 list=LAN
add interface=VLAN13 list=LAN
add interface= ???  list=Trusted
/ip dhcp-server
add address-pool=dhcp_pool0 interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool1 interface=VLAN11 name=dhcp11 
add address-pool=dhcp_pool2 interface=VLAN12 name=dhcp12
add address-pool=dhcp_pool3 interface=VLAN13  name=dhcp13
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAY
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether8 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether9 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether10 pvid=10
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.11.1.1/24 interface=VLAN11 network=192.168.11.0
add address=192.168.12.1/24 interface=VLAN12 network=192.168.12.0
add address=192.168.13.1/24 interface=VLAN13 network=192.168.13.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad
add add-default-route=no interface=ether2-hathway
add add-default-route=no interface=ether3-TataPLAY
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=\
    192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=\
    192.168.11.1
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=\
    192.168.12.1
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=\
    192.168.13.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall address-list
add address=192.168.11.99/32 list=ServersWAN2
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="accept only LAN traffic" in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"
++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward \
    connection-state=established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forwardconnection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept comment="port fowarding" connection-nat-state=dstnat
add action=drop  commment="Drop All Else"
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=ether2-hathway new-connection-mark=incomingWAN2 passthrough=yes
	comment="Mark connections heading to Server via WAN2"
add action=mark-routing chain=prerouting connection-mark=incomingWAN2 \
    new-routing-mark=tohathway  src-address-list=ServersWAN2 passthrough=no
	comment=" Mark Server Return traffic to go out WAN2"	
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN1 passthrough=yes \
    in-interface-list=LAN per-connection-classifier=src-address-and-port:4/0 \
	comment="Identify Traffic from LAN to go out WAN1"
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN2 passthrough=yes \
    in-interface-list=LAN per-connection-classifier=src-address-and-port:4/1 \
	comment="Identify Traffic from LAN to go out WAN2"
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN3 passthrough=yes \
    in-interface-list=LAN per-connection-classifier=src-address-and-port:4/2 \
	comment="Identify Traffic from LAN to go out WAN3"
add action=mark-connection chain=pforward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN2 passthrough=yes \
    in-interface-list=LAN per-connection-classifier=src-address-and-port:4/3 \
	comment="Identify Traffic from LAN to go out WAN2"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN1 \
    new-routing-mark=toYOUbroad passthrough=no
	commment="Route traffic from PCC to WAN1" 
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN2 \
    new-routing-mark=tohathway passthrough=no
	commment="Route traffic from PCC to WAN2"
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN3 \
    new-routing-mark=toTataPLAY passthrough=no
	commment="Route traffic from PCC to WAN3"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad \
add action=masquerade chain=srcnat out-interface=ether2-hathway \
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY \
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
    protocol=tcp to-addresses=192.168.11.199
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
    protocol=udp to-addresses=192.168.11.199
/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=192.168.4.4 scope=10 target-scope=11 \
    comment="Recursive router for WAN1"
+++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12
add distance=4 dst-address=9.9.9.9/32 gateway=192.168.1.1 scope=10 target-scope=11 \
    comment="Recursive Router for WAN2"
++++++++++++++++++++++++++++++++++++++++++++++
add check-gateway=ping distance=6 dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12
add distance=6 dst-address=8.8.4.4/32 gateway=192.168.72.72 scope=10 target-scope=11 \
    comment="Recursive Router for WAN3"
++++++++++++++++++++++++++++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=192.168.4.4 routing-table=toYOUbroad
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=tohathway
add dst-address=0.0.0.0/0 gateway=192.168.72.72 routing-table=toTataPLAY
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

newbie54321 · Sat Apr 20, 2024 4:06 pm

hi anav, have now done VLANs. saw a couple videos and also ur comment. port is STILL not getting forwarded. BTW i have kept PCC seperate for the 2 networks/vlans. i.e. vlan1 has pcc but vlan2 does not have it.

anav · Sat Apr 20, 2024 4:21 pm

post latest config please,,,,, if you want assistance.

newbie54321 · Fri Apr 26, 2024 2:19 pm

hi,
have uploaded my latest config. btw, what i am doing is: testing a openvpn and wireguard server. i.e. the server is in vlan 2 and i am connecting to it from a client which is in vlan 1. thus i cannot have the vlan1 to use isp2 or vlan2 to use isp1,isp3. the vlans should have their seperate isps. the forwarded traffic must go 'out' from vlan2 to isp2 and come "in" thru the other isps on a vlan1 pc.

anav · Fri Apr 26, 2024 6:09 pm

What you are saying makes little sense to me.
First off VPN is for remote clients coming in on a particlular WAN
OR
VPN is going outbound to a third party provider.
So I have no clue about why you would have VPN between vlan1 and vlan2 -- use firewall rules.

Also, why is vlan2 not part of the LAN? Should it not have internet?

Vlan2 has a single server....... , who is using it?
++++++++++++++++++++++++++++

So as requested please state again without discussion of solution
a. identify all user(s)/device(s) groups of users/device including admin
b. identify the traffic flow they require.

Once thats clear then a config can be planned.

newbie54321 · Wed May 01, 2024 11:11 am

VPN is for remote clients coming in on a particlular WAN.
vpn is for accessing office/vlan2 network from outside. Vlan2 has a single server and other normal PCs.
'outside' network (having wireguard client soft on windows PC) is supposed to be vlan1. vlan1 has PC with wireguard client. this client is tunneling/connecting to server in vlan2.
the traffic should go from one wan to another and NOT directly from one subnet/lan to other subnet (skipping wan). thus i not include vlan2 in "LAN" list. it has its own list called "LANhathway".
this "LANhathway" list is used for outbound connections to wan2 (firewall mangle rule). i dont want vlan2 to use wan1 or wan3. it should strictly use wan2. wan2/isp2 has static ip that i can use for the wireguard server.
BTW, do i need to allow wireguard packets (i.e. some special rule) to flow through the mikrotik? i am using a wireguard client (in vlan1) to dial a connection to the wireguard server (in vlan2).

simple 3 isp dhcp clients with aggregation

simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Re: simple 3 isp dhcp clients with aggregation

Who is online