Running a business or a busy home network on a single internet link is risky. When that link fails, you're offline. Dual-WAN (two internet connections) gives you redundancy and the option to combine bandwidth. This guide walks you through configuring load balancing (splitting traffic across both links) and automatic failover (switching to the backup when the primary fails) on MikroTik RouterOS.
Why Dual-WAN?
- Redundancy – If one ISP goes down, the other takes over seamlessly.
- Increased throughput – Combine two connections (e.g., 100 Mbps + 50 Mbps = up to 150 Mbps total).
- Per‑connection load balancing – Different sessions go to different WANs, avoiding out‑of‑order packets.
Prerequisites
- MikroTik router with at least two WAN interfaces (ether1, ether2) or one WAN and one LTE modem.
- Two active internet connections with different gateway IPs (or dynamic DHCP).
- Static public IPs are not required, but helpful for some advanced routing.
Topology Example
- WAN1 (ether1): 203.0.113.10/30, gateway 203.0.113.1 (ISP A)
- WAN2 (ether2): 198.51.100.20/30, gateway 198.51.100.1 (ISP B)
- LAN (bridge-local): 192.168.88.0/24
Step 1: Configure Both WAN Interfaces
Ensure each WAN interface gets an IP address and default gateway – either static or via DHCP client.
For static IPs:
/ip address add address=203.0.113.10/30 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment="Primary WAN1"
/ip address add address=198.51.100.20/30 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="Secondary WAN2"
For DHCP (most common):
/ip dhcp-client add interface=ether1 add-default-route=yes
/ip dhcp-client add interface=ether2 add-default-route=yes
Note: Both DHCP clients will add default routes; the one with lower distance (or the one learned first) will be primary. We'll manage this via recursive routing later.
Step 2: Create PCC Load Balancing Rules
PCC (Per Connection Classifier) splits traffic based on a hash of source and destination addresses/ports. It ensures that a single connection (e.g., a large file download) always uses the same WAN, preserving packet order.
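Add mangle rules that mark each new connection and then set a routing mark from the connection mark. The routing mark must be the name of a routing table, so create the tables from Step 3 before adding the mark-routing rules.
/ip firewall mangle
# Mark new connections from the LAN; PCC hashes addresses and ports into 2 buckets (remainder 0 or 1)
add chain=prerouting in-interface=bridge-local connection-state=new connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=conn-1 passthrough=yes
add chain=prerouting in-interface=bridge-local connection-state=new connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=conn-2 passthrough=yes
# Set the routing mark (the routing table name) from the connection mark, for LAN-originated packets only
add chain=prerouting in-interface=bridge-local connection-mark=conn-1 action=mark-routing new-routing-mark=table-wan1 passthrough=no
add chain=prerouting in-interface=bridge-local connection-mark=conn-2 action=mark-routing new-routing-mark=table-wan2 passthrough=no
Here, roughly half the connections are routed through table-wan1 and half through table-wan2. For three or more WANs, raise the PCC denominator and add one rule per remainder (for example 3/0, 3/1, 3/2).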
Step 3: Create Routing Tables
We need a separate routing table for each WAN, so that packets carrying a WAN's routing mark are looked up in that WAN's table instead of the main one.
/routing table add name=table-wan1 fib
/routing table add name=table-wan2 fib
Step 4: Add Routes to the Routing Tables
Add routes for each table, directing traffic to the respective WAN gateway.
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=table-wan1 comment="WAN1 route"
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=table-wan2 comment="WAN2 route"
Step 5: Configure Masquerade (NAT) for Both WANs
Traffic leaving each WAN must be source‑NAT’d with the correct source IP from that interface.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="NAT WAN1"
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade comment="NAT WAN2"
Step 6: Implement Recursive Routing for Reliable Failover
The problem with simple gateways: If the ISP’s gateway is still pingable but internet access is down (e.g., DNS failure, local outage), your router won’t fail over. Recursive routing solves this by using a far‑end IP (e.g., 1.1.1.1, 8.8.8.8) to verify actual internet connectivity.
First, create a route to a stable internet IP via each WAN’s gateway.
/ip route add dst-address=1.1.1.1/32 gateway=203.0.113.1 scope=10 comment="Ping target via WAN1"
/ip route add dst-address=8.8.8.8/32 gateway=198.51.100.1 scope=10 comment="Ping target via WAN2"
Now create the recursive default routes. These routes point to the far‑end IPs, not directly to the gateways, and check-gateway=ping makes the router probe the far‑end IP so that the route goes inactive when the probes fail.
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=table-wan1 distance=1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=table-wan2 distance=2 check-gateway=ping
Finally, disable the earlier static default routes (or adjust distances). If 1.1.1.1 becomes unreachable via WAN1, the recursive route becomes inactive, and traffic marked for WAN1 will use the next available route (distance 2, which is WAN2).
Step 7: Add Failover for Non‑Marked Traffic
For traffic that isn’t marked (e.g., the router’s own traffic), add a regular default route with distance failover.
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 scope=30 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=2 check-gateway=ping
Now, if WAN1 fails, both marked and unmarked traffic will use WAN2 automatically.
Step 8: Test Your Setup
- Load balancing: From a LAN client, open multiple websites and check which public IP each one sees you coming from. You should see roughly half showing the WAN1 IP and half the WAN2 IP.
- Failover: Unplug ether1. Within 10-30 seconds, all traffic should shift to ether2. Plug it back – traffic should return.
- Check status:
/ip route print where gateway~"1.1.1.1|8.8.8.8"
/ip firewall mangle print
/ip firewall connection print where connection-mark~"conn"
Common Pitfalls and Fixes
Problem 1: Connections are stuck on one WAN
Check the mangle rules. The classifier in the mark-connection rules must split new connections correctly between the two marks. Use connection-state=new and ensure the rules are placed early (high priority) in the mangle table.
Problem 2: Failover works but load balancing doesn’t
Your routing marks might not be applied. Verify that packets are hitting the mangle rules (look at counters in WinBox). Also ensure that the routes with routing-mark exist and have the correct gateways.
Problem 3: Some websites break or SSL errors
This is rare with PCC but can happen if a website’s assets load from multiple IPs. Use a hash of src‑address and dst‑address only (the both-addresses classifier) instead of one that also includes ports. Or stick to failover only (no load balancing) for simplicity.
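Added example (not from the original guide, and not RouterOS code): a Python model of how a two-way PCC split from Step 2 assigns connections to the routing tables, and why hashing addresses only, as suggested in Problem 3, keeps a client/server pair on one WAN. SHA-256 stands in for RouterOS's internal hash, and the sample connections are constructed.

```python
import hashlib
from collections import Counter
from ipaddress import ip_address

WANS = ("table-wan1", "table-wan2")  # routing tables from Step 3

# Header fields each classifier hashes (keys are RouterOS classifier names).
CLASSIFIERS = {
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
    "both-addresses": ("src", "dst"),
    "src-address": ("src",),
}

def pcc_remainder(conn, classifier, denominator):
    """Hash the selected fields and reduce modulo the PCC denominator.

    Assumption: SHA-256 is a stand-in for RouterOS's internal hash, so a
    real router assigns individual connections differently.
    """
    data = b""
    for field in CLASSIFIERS[classifier]:
        value = conn[field]
        if field in ("src", "dst"):
            data += ip_address(value).packed
        else:
            data += value.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % denominator

def pick_wan(conn, classifier="both-addresses-and-ports"):
    """One rule per remainder: remainder 0 -> first table, 1 -> second."""
    return WANS[pcc_remainder(conn, classifier, len(WANS))]

def sample_connections(n=2000):
    """Constructed sample: 50 LAN clients opening HTTPS connections."""
    return [{"src": f"192.168.88.{10 + i % 50}",
             "dst": f"198.18.{i % 200}.{1 + i % 250}",
             "sport": 20000 + i, "dport": 443} for i in range(n)]

def distribution(classifier, n=2000):
    """Count how many sample connections land in each routing table."""
    return Counter(pick_wan(c, classifier) for c in sample_connections(n))

if __name__ == "__main__":
    for name in CLASSIFIERS:
        print(name, dict(distribution(name)))
```

With both-addresses the same client/server pair always lands in one table; with ports included, one client's connections to a single server spread across both WANs and therefore leave from two different public IPs.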
Problem 4: After failback, traffic stays on backup WAN
Recursive routes should recover. If not, reduce the distance of the primary route, or add a netwatch script to force route removal/re‑addition.
Alternative: Simple Failover Without Load Balancing
If you don’t need combined bandwidth, just redundancy, the configuration is simpler. Use two default routes with different distances:
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2
Add recursive check as described in Step 6, but you don’t need separate routing tables or mangle rules. All traffic uses WAN1; if it fails, WAN2 takes over.
Hardware Considerations
Dual-WAN with PCC adds CPU load. On very low‑end routers (e.g., hEX lite), you may experience throughput limits. For reliable operation, a hEX (RB750Gr3), RB4011, or CCR is recommended. Also ensure both WAN links have similar latency – large differences can cause some applications to behave oddly.
Monitoring and Logging
To get alerts when a WAN fails, you can use netwatch:
/tool netwatch add host=1.1.1.1 interface=ether1 timeout=5s up-script="..." down-script="..."
And view logs:
/log print where topics~"netwatch"
Conclusion
Dual-WAN with PCC load balancing and recursive failover turns two consumer internet lines into a resilient, higher‑capacity connection. It’s a must‑have for any business or power user. Start by testing simple failover, then add PCC load balancing once you’re comfortable with the concepts. Monitor performance and adjust distances and check intervals to suit your ISP’s reliability.
For advanced setups, explore multiple PCC matchers (by source IP, destination port, etc.) or BGP with multiple upstreams. But for most users, the configuration above provides excellent results.