Tutorial Asus Dual WAN Router Load Balancing and Failover Router Problems and Fix


OpenSpeedTest

New Around Here
TLDR -> Do a Factory Reset using the WPS button.

Load Balancing and Failover working? NO
Load Balancing working? Yes, but not practical for real-world usage. [Timeouts, Connection Reset & Total Network Breakdown]
Failover? YES, if you spend some time on it. [Set up Static IP, Match MTU from your Router]

Fallback? YES, but you need to tune the values depending on the latency and connection reliability.

Here is my DualWan Setup
Screen Shot 2021-05-24 at 6.16.48 PM.png



I spent the last few days playing with the ASUS Dual WAN feature.

Load balancing works best when you set 3:1 or 5:1 or 9:1 ratios. That means most of the time you use the primary connection.
But when one connection goes down, it will not use the working connection to reroute the traffic. Sometimes it will take 10 to 15 minutes to get a proper network on all machines.
Result: an unreliable network!

Load balancing is good enough? NO, it's a waste of time.

OK, Failover is working fine after a FULL factory reset by holding the WPS button for 30 seconds.

To get it working, it's better if both connections have static IP allocation, because renewing DHCP will kick Failover for some reason.

Also set Fallback to 40 or 99 times, otherwise it will keep interrupting the backup connection.

OK, Failover and Fallback working? Yes, for the most part.

You can set up a script to update the DDNS domain on the wan-event.

Here is my script for DuckDNS:

// wan-event file

#!/bin/sh
# $1 = WAN interface, $2 = WAN state (e.g. "connected")
# Stop any updater that is still running, then start a fresh one.
killall "My-DDNS"
/jffs/scripts/My-DDNS "$1" "$2"


// My-DDNS file

#!/bin/sh
WAN_IF=$1
WAN_STATE=$2
SUBDOMAIN="subdomain-name"
TOKEN="duck-dns-token"

if [ "$WAN_STATE" = "connected" ]; then
    sleep 5s
    # Look up the public IP of the WAN that just came up
    IP=$(curl -s 'http://myip.dnsomatic.com/')
    sleep 5s
    # Push that IP to DuckDNS; the service answers "OK" on success
    response=$(curl -s "https://www.duckdns.org/update?domains=$SUBDOMAIN&token=$TOKEN&ip=$IP")
    sleep 5s

    if [ "$response" = "OK" ]; then
        logger "DuckDNS Response was [$response]. & Updated IP: $IP"
    else
        logger "DuckDNS Response was [$response] & Failed to Update IP: $IP"
        logger "Trying again by Executing wan-event..."
        # Absolute path, so the retry works from any working directory
        /jffs/scripts/wan-event "$WAN_IF" "$WAN_STATE"
    fi
else
    logger "WAN Status : $WAN_STATE"
fi

After creating these two files, make sure you run chmod a+rx /jffs/scripts/*



Finally, I really wish I could use Load Balancing and Failover at the same time.
 
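Added example, not part of the original post: a variant of the My-DDNS updater that checks the address returned by the plain-HTTP lookup before sending it to DuckDNS, and retries a bounded number of times instead of re-invoking wan-event. The function names, the retry limit and the delays are assumptions; the two URLs and the placeholders are the ones from the script above.

```shell
#!/bin/sh
# Added example: validate the looked-up WAN address before pushing it to DuckDNS.
SUBDOMAIN="subdomain-name"   # placeholder, as in the post
TOKEN="duck-dns-token"       # placeholder, as in the post
MAX_TRIES=5                  # assumption: give up after five attempts

# Return 0 only for a dotted-quad IPv4 address outside the private, loopback,
# link-local, CGNAT (100.64/10) and multicast/reserved ranges.
is_public_ipv4() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac   # empty, HTML page, IPv6...
    old_ifs=$IFS; IFS=.
    set -- $1                                         # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) return 1 ;;
    esac
    [ "$1" -lt 224 ]
}

# Look up the public IP and update DuckDNS, with a growing delay between tries.
update_ddns() {
    try=1
    while [ "$try" -le "$MAX_TRIES" ]; do
        ip=$(curl -s --max-time 10 'http://myip.dnsomatic.com/')
        if is_public_ipv4 "$ip"; then
            resp=$(curl -s --max-time 10 "https://www.duckdns.org/update?domains=$SUBDOMAIN&token=$TOKEN&ip=$ip")
            if [ "$resp" = "OK" ]; then
                logger "DuckDNS updated to $ip (attempt $try)"
                return 0
            fi
            logger "DuckDNS answered [$resp] (attempt $try)"
        else
            logger "Ignoring implausible IP lookup result (attempt $try)"
        fi
        sleep $((try * 10))
        try=$((try + 1))
    done
    logger "DuckDNS update gave up after $MAX_TRIES attempts"
    return 1
}

# $2 is the WAN state handed over by wan-event; do nothing for other states.
if [ "${2:-}" = "connected" ]; then update_ddns; fi
```

The lookup result is never written to the log unless it passed validation, so a captive-portal or error page returned in place of the address does not end up in syslog or in the DNS record.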

garycnew

Regular Contributor
@OpenSpeedTest

My experience has been similar to yours with Asuswrt-Merlin Dual WAN.

The Dual WAN - Loadbalancing provides a very basic ROUNDROBIN loadbalancing algorithm, but it is not fit for production implementation. It lacks session stickiness and more advanced loadbalancing algorithms (such as LEASTCONNECTIONS, etc.) that you'd find with an enterprise level loadbalancer such as Citrix Netscaler or F5 BigIP.



However, I have found Asuswrt-Merlin's Dual WAN - Fail Over functionality useful for production implementation when configured properly.



BTW... If Asuswrt provided more advanced loadbalancing algorithms, there would be no need for simultaneous loadbalancing and failover.

Hope that helps provide some perspective.

Respectfully,


Gary
 

OpenSpeedTest

New Around Here
I ended up purchasing a $60 Mikrotik router.
Here is what it can do:
Continuous ping
Live Streaming

But I use my AC5300 in front of my Mikrotik router, because we all know the ASUS UI is very user-friendly and easy to manage everything.

Yes, ASUS should learn from Mikrotik and others who do Dual WAN very well.
 

garycnew

Regular Contributor
But I use my AC5300 in front of my Mikrotik router, because we all know the ASUS UI is very user-friendly and easy to manage everything.

@OpenSpeedTest

Seems like a nice, cost-effective, hardware workaround. How stable/reliable does the combination seem to be?

Would you provide a little more detail regarding your topology between the AC5300 and Mikrotik? ISP1 plugs where? ISP2 plugs where? How do the AC5300 and Mikrotik plug together?

Thanks for sharing!


Gary
 

OpenSpeedTest

New Around Here
I port forward from both of my ISPs to the AC5300.
It's pretty easy.

Port Forwarding for ISP 1
Firewall >> NAT
Chain : dstnat
dst address : 192.168.0.3
protocol : 6(tcp)
Dst Port : 8080
>>Action
dst nat
to Address : 192.168.100.3 [LAN IP]
to Port : 8080

Port Forwarding for ISP 2
Firewall >> NAT
Chain : dstnat
dst address : 192.168.20.3
protocol : 6(tcp)
Dst Port : 3389
>>Action
dst nat
to Address : 192.168.100.3 [LAN IP]
to Port : 3389

Here is my Full Config.

# jul/20/2021 13:38:32 by RouterOS 6.48.3
# software id = BY5Y-GDY1
#
# model = RB750Gr3
# serial number = XXXXXXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall connection tracking
set enabled=yes
/ip address
add address=192.168.100.1/24 interface=ether5 network=192.168.100.0
add address=192.168.0.3 interface=ether1 network=192.168.0.1
add address=192.168.20.3 interface=ether2 network=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=output disabled=yes dst-address=8.8.8.8 protocol=icmp
add action=drop chain=output disabled=yes dst-address=8.8.4.4 protocol=icmp
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=accept chain=prerouting dst-address=192.168.20.0/24
add action=accept chain=prerouting dst-address=192.168.100.0/24
add action=mark-connection chain=prerouting in-interface=ether5 \
new-connection-mark=ISP1 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting in-interface=ether5 \
new-connection-mark=ISP2 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting in-interface=ether5 \
new-connection-mark=ISP3 passthrough=yes per-connection-classifier=\
both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=ISP1 in-interface=\
ether5 new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=\
ether5 new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP3 in-interface=\
ether5 new-routing-mark=ISP3 passthrough=no
add action=mark-connection chain=prerouting in-interface=ether1 \
new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether2 \
new-connection-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether1 \
new-connection-mark=ISP3 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=\
ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP3 new-routing-mark=\
ISP3 passthrough=no
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.3 dst-port=8080 \
protocol=tcp to-addresses=192.168.100.3 to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.20.3 dst-port=3389 \
protocol=tcp to-addresses=192.168.100.3 to-ports=3389
add action=masquerade chain=srcnat src-address=192.168.100.0/24
/ip route
add distance=1 gateway=192.168.0.1 routing-mark=ISP1
add distance=2 gateway=192.168.20.1 routing-mark=ISP1
add distance=1 gateway=192.168.20.1 routing-mark=ISP2
add distance=2 gateway=192.168.0.1 routing-mark=ISP2
add distance=1 gateway=192.168.0.1 routing-mark=ISP3
add distance=2 gateway=192.168.20.1 routing-mark=ISP3
add distance=1 gateway=8.8.8.8 target-scope=30
add distance=1 gateway=8.8.4.4 target-scope=30
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.20.1
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system ntp client
set enabled=yes primary-ntp=192.46.215.60 secondary-ntp=162.159.200.123 \
server-dns-names=8.8.8.8
/tool bandwidth-server
set enabled=no
/tool netwatch
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
20.1]\r\
\n/ip firewall connection remove [find connection-mark=\"ISP2\"]\r\
\n:log error \"ISP2 down\"" host=8.8.4.4 interval=3s timeout=300ms \
up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.20.\
1]\r\
\n/ip firewall connection remove [find connection-mark=\"ISP2\"]\r\
\nlog error \"ISP2 up\"\r\
\n/tool fetch url=\"https://go.vishnu.pro/BSNL\" keep-result=no"
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
0.1]\r\
\n/ip firewall connection remove [find connection-mark=\"ISP1\"]\r\
\n/ip firewall connection remove [find connection-mark=\"ISP3\"]\r\
\nlog error \"ISP1 down\"" host=8.8.8.8 interval=2s timeout=500ms \
up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.0.1\
]\r\
\n/ip firewall connection remove [find connection-mark=\"ISP1\"]\r\
\n/ip firewall connection remove [find connection-mark=\"ISP3\"]\r\
\nlog error \"ISP1 up\"\r\
\n/tool fetch url=\"https://go.vishnu.pro/Asianet\" keep-result=no"
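Added example, not part of the original post: a small audit of a RouterOS export that lists every dst-nat port forward and marks the ones that accept any source address, as the two forwards for TCP 8080 and 3389 in the export above do. The function names, the OPEN/SCOPED labels and the third sample rule with its address-list name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list dst-nat forwards in a RouterOS export and mark the ones
# that are not limited by src-address or src-address-list.
audit_dstnat() {
    awk '
    function val(s, key,    i, n, f) {
        n = split(s, f, " ")
        for (i = 1; i <= n; i++)
            if (index(f[i], key "=") == 1) return substr(f[i], length(key) + 2)
        return "?"
    }
    # Re-join lines that the export wrapped with a trailing backslash
    { sub(/^[ \t]+/, ""); line = pending $0; pending = "" }
    line ~ /\\$/ { sub(/\\$/, "", line); pending = line; next }
    line ~ /^\// { section = line; next }
    section == "/ip firewall nat" && line ~ /^add / && line ~ /action=dst-nat/ {
        scoped = (line ~ /(^| )src-address(-list)?=/)
        printf "%s %s/%s -> %s:%s\n", (scoped ? "SCOPED" : "OPEN"),
            val(line, "protocol"), val(line, "dst-port"),
            val(line, "to-addresses"), val(line, "to-ports")
    }'
}

# Constructed sample: the first two rules are the ones from the export above,
# the third (limited to a hypothetical address list "admins") is made up.
sample_export() {
    cat <<'EOF'
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.3 dst-port=8080 \
    protocol=tcp to-addresses=192.168.100.3 to-ports=8080
add action=dst-nat chain=dstnat dst-address=192.168.20.3 dst-port=3389 \
    protocol=tcp to-addresses=192.168.100.3 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp \
    src-address-list=admins to-addresses=192.168.100.3 to-ports=3389
add action=masquerade chain=srcnat src-address=192.168.100.0/24
/ip route
add distance=1 gateway=192.168.0.1 routing-mark=ISP1
EOF
}

sample_export | audit_dstnat
```

Run it against a real export with `audit_dstnat < export.rsc`; every OPEN line is a forward that relies entirely on whatever sits upstream to limit who can reach it.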
 

OpenSpeedTest

New Around Here
I was just a click away from buying an Intel Mini PC with 6 LANs from Alibaba. It will take more than 15 days and cost me 500 to 600$. Luckily, someone from Reddit shared his experience with Mikrotik when I posted a question about dual WAN failover and load balancing. That gave me enough confidence, and it was already available in an online store where I live and cost me around 60$. So I told the Alibaba rep. to hold my order for a week, and I purchased this. Still, I have not completed that order and am going to put that money toward buying a NAS :) maybe DS920

Edit: I was planning to use that Mini PC for pfSense
 

garycnew

Regular Contributor
@OpenSpeedTest

I appreciate you sharing the details of your cost-effective, alternative loadbalancing solution.

Perhaps, one day, Asus will provide a Dual WAN - Loadbalancing offering that's actually usable in a production network.

Until then... Enjoy your Mikrotik and bonus Synology solutions.

Respectfully,


Gary
 
