PCC Config glitching but working ?

killa88 · Tue Dec 05, 2023 2:18 pm

Hey forum gurus,

I'm currently grounded by office seniors since 2 days due to a config issue, and i'm hoping i can get out of my seat
can anyone take a look at this, this was done after i consulted and used Anav's knowledge (i can't expect him to be online 24/7)

The issue: (which shouldn't be happening) for testing as this i a relatively new config, when i disable wan1 connections go out to wan2 as expected and then i renable wan1 and it works..;
That is the routes in the routing table show unreachable ! Yet somehow it still works..
and if i change the gateway from 'ether' to the static ip's i loose connectivity which can't happen (or theoretically shouldn't) and i have to do a restore then

i was hoping ot do some bandwidth aggregation changes to config but this has scared and stopped me,
Any quick info would be of tremendous help..

# model = RB5009UG+S+
/interface bridge
add name="LAN bridge"
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface="LAN bridge" name=dhcp1
/routing table
add fib name=useWAN1
add fib name=useWAN2
add fib name=useWAN3
add fib name=useAB
add fib name=useAC
add fib name=useBA
add fib name=useBC
add fib name=useCA
add fib name=useCB
/interface bridge port
add bridge="LAN bridge" interface=ether8
add bridge="LAN bridge" interface=ether7
add bridge="LAN bridge" interface=ether6
add bridge="LAN bridge" interface=ether5
/interface list member
add interface="LAN bridge" list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
/ip address
add address=192.168.100.1/24 interface="LAN bridge" network=192.168.100.0
add address=100.90.80.70/29 interface=ether1 network=100.90.80.70
add address=110.100.90.80/30 interface=ether2 network=110.100.90.80
add address=192.168.10.3/24 interface=ether3 network=192.168.10.0
/ip arp
add address=192.168.100.100 interface="LAN bridge" mac-address=AA:AA:AF:A6:A5:AB
/ip dhcp-server lease
add address=192.168.100.100 client-id=1:70:5a:f:c6:95:ab mac-address=A0:AA:AF:A6:A5:AB server=dhcp1
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.100.100 comment="local admin desktop" list=Authorized
add address=192.168.100.200 comment="local admin laptop" list=Authorized
add address=192.168.100.250 comment="local admin smartphone/ipad" list=Authorized
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related \
    hw-offload=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Admin access" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=no-mark connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related,Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL ELSE"
add action=drop chain=input comment="DROP ALL ELSE"
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=ISP1-incoming passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=ISP2-incoming passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3 new-connection-mark=ISP3-incoming passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface="LAN bridge" new-connection-mark=WAN1-2 \
    passthrough=yes per-connection-classifier=src-address:6/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface="LAN bridge" new-connection-mark=WAN1-3 \
    passthrough=yes per-connection-classifier=src-address:6/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface="LAN bridge" new-connection-mark=WAN2-1 \
    passthrough=yes per-connection-classifier=src-address:6/2
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface="LAN bridge" new-connection-mark=WAN2-3 \
    passthrough=yes per-connection-classifier=src-address:6/3
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface="LAN bridge" new-connection-mark=WAN3-2 \
    passthrough=yes per-connection-classifier=src-address:6/5
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface="LAN bridge" new-connection-mark=WAN3-1 \
    passthrough=yes per-connection-classifier=src-address:6/4
add action=mark-routing chain=prerouting connection-mark=WAN1-2 new-routing-mark=useAB passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1-3 new-routing-mark=useAC passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2-1 new-routing-mark=useBA passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2-3 new-routing-mark=useBC passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3-1 new-routing-mark=useCA passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3-2 new-routing-mark=useCB passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3-incoming new-routing-mark=useWAN3 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-incoming new-routing-mark=useWAN2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP1-incoming new-routing-mark=useWAN1 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.x pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=x.x.x.x pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.10.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add dst-address=0.0.0.0/0 gateway=ether1 routing-table=useWAN1
add dst-address=0.0.0.0/0 gateway=ether2 routing-table=useWAN2
add dst-address=0.0.0.0/0 gateway=ether3 routing-table=useWAN3
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=ether1 routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether2 routing-table=main
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=ether3 routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether1 routing-table=useAB
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=ether2 routing-table=useAB
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether1 routing-table=useAC
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=ether3 routing-table=useAC
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether2 routing-table=useBA
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=ether1 routing-table=useBA
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether2 routing-table=useBC
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=ether3 routing-table=useBC
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether3 routing-table=useCA
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=ether1 routing-table=useCA
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether3 routing-table=useCB
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=ether2 routing-table=useCB
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
[admin@MikroTik] >

anav · Tue Dec 05, 2023 2:38 pm

As per your other post,

(1) MISMATCH in address and gateway!!
(2) Duplicate routes.

/ip address
add address=192.168.100.1/24 interface="LAN bridge" network=192.168.100.0
add address=100.90.80.70/29 interface=ether1 network=100.90.80.70
add address=110.100.90.80/30 interface=ether2 network=110.100.90.80
add address=192.168.10.3/24 interface=ether3 network=192.168.10.0

Check the route table main for this.....
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=x.x.x.x pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10

Duplicates:
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.x pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=x.x.x.x pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.10.1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10

and

add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=ether1 routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether2 routing-table=main
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=ether3 routing-table=main

killa88 · Wed Dec 06, 2023 3:28 pm

- Multiple (duplicated) routes deleted
- Address gateway was a redaction issue, it was fine before..

so the config is okay (apparently) but routes are shown as USI (unreachable) except for the main table ones..

So why is connectivity lost once we replace 'ether' with the public ip's, i think this is a looming/impending config bomb ready to explode and im hoping we can catch it now

anav · Wed Dec 06, 2023 10:37 pm

Change all IP ROUTE entries, from ether1,ether2,ether3 to actual gateway IPs.
That should solve most of your issues.

Sent you an updated email with some modifications to Mangles.

killa88 · Thu Dec 07, 2023 2:39 pm

Yeah, i did all that turns out, the new mangle ((prerouting/output)) rules (6) seem to be the issue

anav · Thu Dec 07, 2023 9:48 pm

Sent you necessary changes. As noted all IP routes should have actual Gateway IPs.
Prerouting marking rules for WAN1,2,3 only required if hosting servers, the output chain rules are for ensuring traffic to router comes out the right WAN.
All mark routing rules should have passthrough=no

PCC Config glitching but working ?

PCC Config glitching but working ?

Re: PCC Config glitching but working ?

Re: PCC Config glitching but working ?

Re: PCC Config glitching but working ?

Re: PCC Config glitching but working ?

Re: PCC Config glitching but working ?