RouterOS 7 MultiWAN PPPoE Load Balance Script

Overview

Comprehensive RouterOS 7 configuration script for distributing traffic across multiple PPPoE WAN connections. CPU-efficient, production-ready.

Key Features

  1. Address-Based Routing — Send traffic from special address lists via a specific PPPoE connection, bypassing the load-balancing logic (example: dedicated TV traffic on specific links)
  2. Hairpin NAT Support — Return traffic through the same interface for locally-originated connections
  3. VPN Tunnel Optimization — Resolves issues establishing outgoing VPN tunnels (OpenVPN, WireGuard, IPsec) through dedicated routing profiles
  4. Resource Efficiency — CPU-friendly for production environments

Network Topology Assumptions

  • WAN Interfaces: ether1 (FPT via pppoe-01), ether2 (VNPT via pppoe-02)
  • LAN Bridges: bridge-lan-01 and bridge-lan-02
  • Default Routes: Disabled on PPPoE clients for manual routing control

Configuration Sections

Interface Setup

/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-01 add-default-route=no
add disabled=no interface=ether2 name=pppoe-02 add-default-route=no

Routing Tables

Two dedicated routing tables manage traffic segregation:

  • rtab_pppoe-01: Routes for primary WAN link
  • rtab_pppoe-02: Routes for secondary WAN link

Connection Marking (Mangle Rules)

Rules are evaluated in order, starting in the prerouting chain:

  1. Mark connections from PPPoE interfaces
  2. Route address-list traffic to designated WAN links
  3. Distribute remaining traffic via per-connection classifier (2/0 and 2/1 splits)
  4. Apply routing marks for output and transit chains
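
The four steps above could be written as the following RouterOS 7 mangle rules. This is an added example, not the project's own script. The interface list LAN, the address list via_pppoe-02, the connection-mark names and the choice of both-addresses as the classifier fields are assumptions; the interface and routing-table names come from this page.

```routeros
# Added example, not the project's script. Assumed names: interface list LAN,
# address list via_pppoe-02, connection marks conn_pppoe-01 / conn_pppoe-02.
# The classifier fields (both-addresses) are also an assumption.
/interface list
add name=LAN
/interface list member
add list=LAN interface=bridge-lan-01
add list=LAN interface=bridge-lan-02
/routing table
add name=rtab_pppoe-01 fib
add name=rtab_pppoe-02 fib
/ip firewall mangle
# 1. Pin connections that arrive on a PPPoE link to that link, so replies leave the same way.
add chain=prerouting in-interface=pppoe-01 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn_pppoe-01 passthrough=yes
add chain=prerouting in-interface=pppoe-02 connection-mark=no-mark \
    action=mark-connection new-connection-mark=conn_pppoe-02 passthrough=yes
# 2. Sources in the address list get a fixed link; once marked, they no longer match no-mark below.
add chain=prerouting in-interface-list=LAN connection-mark=no-mark \
    src-address-list=via_pppoe-02 dst-address-type=!local \
    action=mark-connection new-connection-mark=conn_pppoe-02 passthrough=yes
# 3. Everything still unmarked is split in two by the per-connection classifier.
add chain=prerouting in-interface-list=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=conn_pppoe-01 passthrough=yes
add chain=prerouting in-interface-list=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=conn_pppoe-02 passthrough=yes
# 4. Translate connection marks into routing marks for transit and router-originated traffic.
add chain=prerouting in-interface-list=LAN connection-mark=conn_pppoe-01 \
    action=mark-routing new-routing-mark=rtab_pppoe-01 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=conn_pppoe-02 \
    action=mark-routing new-routing-mark=rtab_pppoe-02 passthrough=no
add chain=output connection-mark=conn_pppoe-01 \
    action=mark-routing new-routing-mark=rtab_pppoe-01 passthrough=no
add chain=output connection-mark=conn_pppoe-02 \
    action=mark-routing new-routing-mark=rtab_pppoe-02 passthrough=no
```

Rule order matters here: the address-list rule must sit above the classifier rules, and `/ip firewall mangle print stats` should show counters rising on both 2/0 and 2/1 rules once LAN traffic flows.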

PPP Profiles

Dynamic profiles manage IP assignment and routing updates:

  • profile-pppoe-01: Updates rtab_pppoe-01 with dynamic source IPs
  • profile-pppoe-02: Updates rtab_pppoe-02 with dynamic source IPs

Profiles automatically adjust routing rules when PPPoE sessions establish or terminate.

Fallback Mechanisms

  • Primary route via first link (distance=1)
  • Backup route via second link (distance=2)
  • Emergency loopback interface for complete WAN failure scenarios

DNS Configuration

Primary: 1.1.1.1, Secondary: 8.8.8.8

BOGON Protection

A comprehensive address list prevents routing to reserved/unroutable IP ranges.

Attribution

Based on architectural principles from Vladimir Prislonsky's load balancing methodology.