Mikrotik PBR with MultiWan & Failover

What is PBR?

Policy-based routing is a networking technique that allows you to control the path of network traffic based on specific policies or rules. In simpler terms, it’s like having a set of instructions that determine which path your internet data should take.
Typically, when you send data over the internet, it follows a default route determined by your network configuration. However, policy-based routing lets you define additional rules to override this default behavior. These rules can be based on factors like source IP address, destination IP address, protocol type, or even the time of day.

Topology

So what are we doing here?

Let's say we have internet connectivity from two different sources: one is the primary link and the other is a backup/secondary link. We want to use both links at the same time for different user groups, and when either link goes down, the user group on that link is switched to the remaining active link automatically.

Configuration

Adding LAN address for User Groups

/ip address
add address=100.64.10.1/24 interface=LAN network=100.64.10.0
add address=100.64.20.1/24 interface=LAN network=100.64.20.0

Configuration for PBR

/ip firewall mangle
add action=mark-routing chain=prerouting comment=ISP_1 dst-address-list=!local_addr new-routing-mark=1_ISP \
    passthrough=no src-address-list=group1
add action=mark-routing chain=prerouting comment=ISP_2 dst-address-list=!local_addr new-routing-mark=2_ISP \
    passthrough=no src-address-list=group2

Traffic to the local ranges is excluded from marking, so LAN-to-LAN traffic is never forced out of a WAN.

/ip firewall address-list
add address=100.64.0.0/10 list=local_addr
add address=100.64.10.0/24 list=group1
add address=100.64.20.0/24 list=group2

The second user group's subnet must be in the group2 list; the ISP_2 mangle rule matches on src-address-list=group2, so if the subnet were added to group1 instead, both groups would be marked for ISP1.

/ip route
add check-gateway=ping distance=1 gateway=x.x.x.x routing-mark=1_ISP
add check-gateway=ping distance=1 gateway=y.y.y.y routing-mark=2_ISP
add check-gateway=ping distance=1 gateway=x.x.x.x
add check-gateway=ping distance=2 gateway=y.y.y.y

x.x.x.x and y.y.y.y are placeholders for the ISP1 and ISP2 gateway addresses. check-gateway=ping marks a route inactive when its gateway stops answering; a marked packet whose own table has no active route falls back to the main table, and in the main table the distance=1 route wins while ISP1 is up and the distance=2 route takes over when it is not. That fallback is what switches a user group to the other uplink automatically. (This is RouterOS v6 syntax; on v7 the tables are created under /routing table and the routes use routing-table= instead of routing-mark=.)

/ip firewall nat
add action=masquerade chain=srcnat dst-address-list=!local_addr src-address-list=group1
add action=masquerade chain=srcnat dst-address-list=!local_addr src-address-list=group2

src-address and dst-address expect an address or prefix, not an address-list name, so the masquerade rules use the -list matchers. Excluding local_addr keeps traffic between the two user groups un-NATed.
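To make the mangle-mark, per-table lookup and failover behaviour concrete, here is an added Python model of the configuration above (not MikroTik code and not from the original post). It uses the page's address lists, marks and distances; the gateways "x.x.x.x" and "y.y.y.y" are kept as the page's placeholders, the `reachable` set stands in for check-gateway=ping, and the destination 203.0.113.10 is a constructed example address. It lets you check which uplink a given source uses before and after either ISP goes down, and shows what happens if the group2 subnet is accidentally put in the group1 list.

```python
import ipaddress
from typing import Optional

# Constructed model of the page's PBR configuration (assumed, not RouterOS code).
ADDRESS_LISTS = {
    "local_addr": ["100.64.0.0/10"],
    "group1": ["100.64.10.0/24"],
    "group2": ["100.64.20.0/24"],
}

# /ip firewall mangle: source list -> routing mark, skipped when dst is local.
MANGLE_RULES = [
    {"src_list": "group1", "dst_not_in": "local_addr", "mark": "1_ISP"},
    {"src_list": "group2", "dst_not_in": "local_addr", "mark": "2_ISP"},
]

# /ip route: "main" holds the unmarked routes; gateways are the page's placeholders.
ROUTES = [
    {"table": "1_ISP", "gateway": "x.x.x.x", "distance": 1},
    {"table": "2_ISP", "gateway": "y.y.y.y", "distance": 1},
    {"table": "main", "gateway": "x.x.x.x", "distance": 1},
    {"table": "main", "gateway": "y.y.y.y", "distance": 2},
]


def in_list(addr: str, list_name: str, lists=ADDRESS_LISTS) -> bool:
    """True if addr falls inside any prefix of the named address list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in lists.get(list_name, []))


def routing_mark(src: str, dst: str, lists=ADDRESS_LISTS) -> Optional[str]:
    """First matching mangle rule wins (passthrough=no); None means unmarked."""
    for rule in MANGLE_RULES:
        if in_list(src, rule["src_list"], lists) and not in_list(dst, rule["dst_not_in"], lists):
            return rule["mark"]
    return None


def select_gateway(src: str, dst: str, reachable: set, lists=ADDRESS_LISTS) -> Optional[str]:
    """Return the gateway a packet from src to dst would leave through.

    `reachable` models check-gateway=ping: a route whose gateway is not in the
    set is inactive. A marked lookup that finds no active route in its own table
    falls back to the main table, which is what gives the per-group failover.
    """
    if in_list(dst, "local_addr", lists):
        return "connected"  # LAN-to-LAN traffic never leaves via a WAN
    mark = routing_mark(src, dst, lists)
    tables = [mark, "main"] if mark else ["main"]
    for table in tables:
        active = [r for r in ROUTES if r["table"] == table and r["gateway"] in reachable]
        if active:
            return min(active, key=lambda r: r["distance"])["gateway"]
    return None  # both uplinks down: no route


if __name__ == "__main__":
    both_up = {"x.x.x.x", "y.y.y.y"}
    dst = "203.0.113.10"  # constructed external destination
    for label, src, up in [("group1, all up", "100.64.10.5", both_up),
                           ("group2, all up", "100.64.20.5", both_up),
                           ("group1, ISP1 down", "100.64.10.5", {"y.y.y.y"}),
                           ("group2, ISP2 down", "100.64.20.5", {"x.x.x.x"})]:
        print(f"{label}: {src} -> {select_gateway(src, dst, up)}")
```

The last check worth running is the misconfiguration case: with both subnets in group1 and no group2 list, `routing_mark("100.64.20.5", "203.0.113.10", lists)` returns "1_ISP", so the second group silently shares ISP1 instead of getting its own uplink.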

Pros

- Cheaper than dedicated leased circuits.
  - Can be deployed by small enterprises/businesses (firms that do not need their own ASN).
- Redundancy/failover/high reliability.
  - If one uplink goes down, traffic is routed over the next available uplink.
- A form of load balancing.
  - Total traffic is split between the available uplinks.
  - Doesn't break P2P traffic.
  - You can route specific destination addresses/prefixes via a specific WAN interface that happens to have better routing to those subnets (example: ISP2 has lower latency to Cloudflare's DNS resolvers than ISP1).

Cons

- Likely behind CGNAT.
  - The ISP will not provide a public IP, as their IPv4 pools are likely exhausted.