New firewall matcher PCC

Mon Apr 27, 2009 1:54 pm

Following discussions about ECMP with Masquerade and similar, we have made a new firewall matcher that will allow you more control and hopefully will overcome the previous limitations, read on:

http://wiki.mikrotik.com/wiki/PCC#Introduction

NetworkPro · Mon Apr 27, 2009 4:32 pm

Very cool my friend! Jumping with joy

alphahawk · Mon Apr 27, 2009 5:45 pm

Thanks normis.

So next question when is 3.24 going to be released.

changeip · Mon Apr 27, 2009 8:09 pm

i hope this would work on the output chain - ie; connections generated from the router itself. Mainly for l2tp and pptp tunnels in my case.

NetworkPro · Tue Apr 28, 2009 12:22 am

i hope this would work on the output chain - ie; connections generated from the router itself. Mainly for l2tp and pptp tunnels in my case.

I vote it to be also in output chain as well!

Chupaka · Tue Apr 28, 2009 2:29 am

it's just one more simple firewall matcher - it will work everywhere =)

maybe any plans for TTL matcher? I'm waiting for it for about 1.5 year...

Tue Apr 28, 2009 8:33 am

i hope this would work on the output chain - ie; connections generated from the router itself. Mainly for l2tp and pptp tunnels in my case.

Well as far as i can see you can use any chain there, so it shouldn't be a problem.

But overall a very nice addition

Tue Apr 28, 2009 8:36 am

If you have some ready setup to test, ask support for a pre-release package.

GuJack20 · Wed Apr 29, 2009 12:00 am

Any chance of giving the possibility to check another Ip not only the gateway if there is Internet connection through one gateway or not.???

alphahawk · Wed Apr 29, 2009 12:08 am

Testing new system right now. So far working great. haven't seen anything drop so far.

I am watching it though. It seems to act a little more like nth on splitting how it picks which gateway but so far no major issues.

Going to keep testing it more tonight and push it harder with more connections tonight

skillful · Wed Apr 29, 2009 12:23 am

Any chance of giving the possibility to check another Ip not only the gateway if there is Internet connection through one gateway or not.???

I second that! The gateway might be up and reachable but internet is down. This is often the case with VSAT connections.

NetworkPro · Wed Apr 29, 2009 12:38 am

Any chance of giving the possibility to check another Ip not only the gateway if there is Internet connection through one gateway or not.???
I second that! The gateway might be up and reachable but internet is down. This is often the case with VSAT connections.

True. For example I could use check-gateway=<IP>, instead of "ping" or "arp" !

Chupaka · Wed Apr 29, 2009 12:57 am

Any chance of giving the possibility to check another Ip not only the gateway if there is Internet connection through one gateway or not.???
I second that! The gateway might be up and reachable but internet is down. This is often the case with VSAT connections.
True. For example I could use check-gateway=<IP>, instead of "ping" or "arp" !

yep! Netwatch with possibility to set Routing Table like in Ping command would be nice! feature request? somebody who need this, please write to support

Wed Apr 29, 2009 10:00 am

I think we should keep all checks limited to the closest network or else it will start to become ridiculous and dangerous.

Imagine half of the country constantly checking your server's IP address..... and what will happen if that address goes down - router willl drop perfectly working connection? I think there is no point even trying to ask for this.

Testing new system right now. So far working great. haven't seen anything drop so far.

I am watching it though. It seems to act a little more like nth on splitting how it picks which gateway but so far no major issues.

Going to keep testing it more tonight and push it harder with more connections tonight

Well it is NTH it is persistent NTH.

Anyone has any other applications to this feature?

NetworkPro · Wed Apr 29, 2009 11:01 am

I think we should keep all checks limited to the closest network or else it will start to become ridiculous and dangerous.

Imagine half of the country constantly checking your server's IP address..... and what will happen if that address goes down - router willl drop perfectly working connection? I think there is no point even trying to ask for this.
...

Major servers are designed to be checked, they are powerful machines, load balanced by DNS, on powerful connections, can not be DoS attacked, so what I am saying is that we need the feature to ping a further up IP than the gateway and thats final. If your concerns are valid, than that can be avoided by providing a LIST OF IPs to ping to switch between them, if one fails - start ping the other one etc etc. simple logic. Right MikroTik ?

Wed Apr 29, 2009 3:09 pm

If we look from that point - all ISPs should have OSPF and BGP on their network one way or other, and should have backups, so that only time when you loose connection it should be because your gateway is dead, and this is now eliminated be check-gateway=ping or arp.

Wed Apr 29, 2009 3:12 pm

le'ts keep this thread on the topic of PCC not server reliability issues.

omega-00 · Wed Apr 29, 2009 5:56 pm

Woohoo! Thanks normis.

*emails support for pre-released package*

janisk · Thu Apr 30, 2009 3:48 pm

Major servers are designed to be checked, they are powerful machines, load balanced by DNS, on powerful connections, can not be DoS attacked, so what I am saying is that we need the feature to ping a further up IP than the gateway and thats final. If your concerns are valid, than that can be avoided by providing a LIST OF IPs to ping to switch between them, if one fails - start ping the other one etc etc. simple logic. Right MikroTik ?

IMO - wrong!

and here is why - when you ping closest hop, you know this hop is working or not - if it is, then you do not have to worry about that. But in this case your owner of gateway should worry and supply you with route to network if links of gateway by any chance is down.

and most interesting part, if you are pinging some outer address, when route goes down, you adjust your routes and host is available again, your automatic configuration switches to previous configuration and no ping again - so, infinite loop of switching gateways.

and one more thing - do not hijack other threads and stay on topic in this case PCC

NetworkPro · Thu Apr 30, 2009 4:00 pm

Major servers are designed to be checked, they are powerful machines, load balanced by DNS, on powerful connections, can not be DoS attacked, so what I am saying is that we need the feature to ping a further up IP than the gateway and thats final. If your concerns are valid, than that can be avoided by providing a LIST OF IPs to ping to switch between them, if one fails - start ping the other one etc etc. simple logic. Right MikroTik ?
IMO - wrong!

and here is why - when you ping closest hop, you know this hop is working or not - if it is, then you do not have to worry about that. But in this case your owner of gateway should worry and supply you with route to network if links of gateway by any chance is down.

and most interesting part, if you are pinging some outer address, when route goes down, you adjust your routes and host is available again, your automatic configuration switches to previous configuration and no ping again - so, infinite loop of switching gateways.

and one more thing - do not hijack other threads and stay on topic in this case PCC

You do understand that check-gateway=ping,arp is not enough to know whether a route is OK, right? You know that we need to know if an ISP gateway is up in the case we have a CPE before the MirkoTik Router, right? We can not ping 192.168.1.1 we need to ping the Internet IP of the ISP gateway.

So get to work my friends, I'm sure you can do it and make it in a way that is a problem-free (no loops etc).

Chupaka · Thu Apr 30, 2009 5:14 pm

and most interesting part, if you are pinging some outer address, when route goes down, you adjust your routes and host is available again, your automatic configuration switches to previous configuration and no ping again - so, infinite loop of switching gateways.

that's why you should use 'Routing Table' parameter in Ping command with table that have only one gw, isn't it? =)

alphahawk · Tue May 05, 2009 6:15 pm

Nice fix for the nth load balance.

Question though is will there ever be a fix or patch for ecmp to work correctly?

Wed May 06, 2009 8:55 am

Nice fix for the nth load balance.

Question though is will there ever be a fix or patch for ecmp to work correctly?

there is nothing to fix, it just works that way - linux kernel developers made this. this is why we made another method that does what you want.

Chupaka · Wed May 06, 2009 6:47 pm

MikroTik do not change kernel code at all?

NetworkPro · Wed May 06, 2009 6:59 pm

Well they should. And if its too much work, they should give the kernel job to others, aka outsource it he he.

Chupaka · Wed May 06, 2009 7:12 pm

kernel is open-source

www.kernel.org =)

NetworkPro · Wed May 06, 2009 7:25 pm

My freeend

) to outsource a job means to let someone else do it for little money overseas or something. Of course the Linux kernel is open source.

Chupaka · Wed May 06, 2009 9:06 pm

but you should just post bug report - and they'll fix it for no money )))))

NetworkPro · Wed May 06, 2009 9:17 pm

Sure. If its not a RouterOS specific issue.

Chupaka · Wed May 06, 2009 10:56 pm

as it was said, it's kernel 'feature', not ROS =)

alphahawk · Thu May 07, 2009 1:03 am

Nice fix for the nth load balance.

Question though is will there ever be a fix or patch for ecmp to work correctly?
there is nothing to fix, it just works that way - linux kernel developers made this. this is why we made another method that does what you want.

Thanks for reply normis.

janisk · Fri May 08, 2009 8:42 am

that's why you should use 'Routing Table' parameter in Ping command with table that have only one gw, isn't it? =)

there is no need to complicate simple things. to achieve effect you can already have but not in so direct way. i am stressing once more - your only concern is that link to any number of gateways is working and you can pass data there. For ease of explanation, lets make diagram

A - B - C - D

before A are your clients, your network stretches and includes B, in case of link failure between A and B you will want your host A react and change routing, so it can reach default GW B, lets say through link E and that is it. If your main GW that is B drops link from B to C, that is concern of B not of A, because B will have to adjust its routing table so, you can reach out, now you use your backup provider to get your clients internet in the wild. For that you can use various dynamic routing protocols, eg: OSPF, but initiator of change in routing table will always be host that got link broken, not some obscure host across the network.

NetworkPro · Fri May 08, 2009 10:14 am

I have read your explanation Janis K, and I am sure that from your perspective you could be right that there is no need to complicate things. MikroTik is free to decide whether or not to implement such feature.

But I warn you:

Every time a RouterOS user connects an ADSL modem, a SOHO "Broadband Router", some DOCSIS modems, some 3G modems etc etc etc THAT IS IN NAT MODE they will not be able to use check-gateway to know if that link to the Internet is good or not. They will become frustrated with the product, as usual, and either give up on it, or get on your nerves about it.

And when a veteran RouterOS user needs to use a GW that is a NAT he would need to implement a script and that's work overtime that the user would rather not waste to discover the hot water (=the right working script) every time.

RouterOS as a product can be much more automated and easier for the customer. Is MikroTik willing to improve on this matter? Stability is more important And ease of use will make more happy customers.

By the way I am so happy for PCC very useful!

p.s. and even in a lot of cases when GW is not NAT, Internet connectivity through it is lost, due to upstream ISP problems. Happens all the time. So the problem is bigger, so MikroTik should take action.

janisk · Fri May 08, 2009 1:43 pm

then use netwach to ping some host and take actions weather it is up or down.

Tue May 12, 2009 9:49 am

I have read your explanation Janis K, and I am sure that from your perspective you could be right that there is no need to complicate things. MikroTik is free to decide whether or not to implement such feature.

But I warn you:

Every time a RouterOS user connects an ADSL modem, a SOHO "Broadband Router", some DOCSIS modems, some 3G modems etc etc etc THAT IS IN NAT MODE they will not be able to use check-gateway to know if that link to the Internet is good or not. They will become frustrated with the product, as usual, and either give up on it, or get on your nerves about it.

And when a veteran RouterOS user needs to use a GW that is a NAT he would need to implement a script and that's work overtime that the user would rather not waste to discover the hot water (=the right working script) every time.

RouterOS as a product can be much more automated and easier for the customer. Is MikroTik willing to improve on this matter? Stability is more important And ease of use will make more happy customers.

By the way I am so happy for PCC very useful!

p.s. and even in a lot of cases when GW is not NAT, Internet connectivity through it is lost, due to upstream ISP problems. Happens all the time. So the problem is bigger, so MikroTik should take action.

What NAT have to do with all this???? Clients are not sending anything - router is. And router is sending it from its local-ip , so no NAT is required for that address - it is in the same network as gateway.

MrIC · Mon May 25, 2009 2:41 am

there is wrong in PCC Wiki in those rules

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address,dst-address:2/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address,dst-address:2/1 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes

per-connection-classifier=src-address,dst-address must be
per-connection-classifier=src-address,src-port

or it will be invalid .

i just tried PCC and it works fine until now .

Mon May 25, 2009 8:28 am

Nop, example is correct. No matter how many connections from address A to address B will be always marked the same aand sent via same gateway.

Chupaka · Mon May 25, 2009 9:41 am

I'd say, 'it depends' =) both examples are correct

you should use the example you need

kchris · Mon May 25, 2009 12:46 pm

Nop, example is correct. No matter how many connections from address A to address B will be always marked the same aand sent via same gateway.

what if that gateway goes down? how can I implement high availability?

"add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
"
does this?

Mon May 25, 2009 1:16 pm

If gateway goes down and you have "check-gateway" in the routes - those routes will become inactive and packets will be routed by other available route.

kchris · Mon May 25, 2009 1:47 pm

If gateway goes down and you have "check-gateway" in the routes - those routes will become inactive and packets will be routed by other available route.

thx. Do You have any idea what performance can I achive with this config? I'd need more than 1-3Gbit/s.. I think with this I can implement Server Load Balancing - Gateways become Servers in the Farm and clients become the users of the servers...

Mon May 25, 2009 3:24 pm

Picture is unclear for me. Server load balancing is more a NATing not routing - isn't it?

jywmpg · Tue May 26, 2009 4:07 am

Guys, I hate to disagree, but the rules from the wiki contain a syntax error under 3.24

If you just paste the example, you get the following:

/ip firewall mangle> add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address,dst-address:2/0 ac
tion=mark-connection new-connection-mark=wlan1_conn passthrough=yes
syntax error (line 1 column 91)

It looks like the acceptable syntax has changed?

jw

Tue May 26, 2009 8:45 am

ok we have updated the manual slightly

Tue May 26, 2009 8:48 am

It looks like the acceptable syntax has changed?

Can't you use <tab> button - it is so easy to see where changes are exactly! If you just copy/paste configuration without thinking what you are doing it end up as a big problem one time.

jywmpg · Tue May 26, 2009 3:02 pm

Normis,

Thanks very much for the wiki update and new facility. I have not yet got it to work, but am still plugging away at it. It looks like exactly what I need.

macgaiver

Yes, I can and did use the tab button (one of the world's great inventions, right after the delete key). But the Wiki should be correct, no?

jw

godovic · Wed May 27, 2009 9:43 pm

there is wrong in PCC Wiki in those rules
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address,dst-address:2/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=src-address,dst-address:2/1 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
per-connection-classifier=src-address,dst-address must be
per-connection-classifier=src-address,src-port

or it will be invalid .

i just tried PCC and it works fine until now .

Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx

Thu May 28, 2009 12:16 pm

Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx

Divide traffic into 4 streams and send first 2 on the first gateway. (use both addresses as separator)

Note that this is not per packet load balancing, so it will not be 50/25/25 all the time. - More connections/clients you will have closer to those numbers you will get.

RAket · Tue Jun 02, 2009 10:21 am

Hello,
new PCC matcher is proprietary Mikrotik solution or implementation of open source code? I am interested in how this new thing works. Many thanks.

Tue Jun 02, 2009 10:22 am

Hello,
new PCC matcher is proprietary Mikrotik solution or implementation of open source code? I am interested how this new thing works. Many thanks.

read the link in the first post of this thread. it's very simple, there is nothing special

tarcisionmjr · Wed Jun 03, 2009 12:46 pm

to be perfect should be in the style of rules PCQ

per-connection-classifier = src-address, dst-address, dst-port: 2 / 1

here the rules (both-address) or (both-address-ports) does not serve me well yet, but already much help ...

sorry my English is written by the translator ...

tarcisionmjr · Thu Jun 04, 2009 11:50 am

to my rules would work perfectly ,necessarily the combination of (dst-address + dst-port + src-address), when will it be possible to use this way?

sorry my English is written by the translator ...

omega-00 · Thu Jun 11, 2009 9:24 pm

Edit: I'm an idiot.

omega-00 · Thu Jun 11, 2009 9:31 pm

one thing I'm not entirely sure of thou, shouldn't the wiki examples specifying type=new established or related?

This would seem to do the classification each time unless I haven't read something correctly? *scratches head*

omega-00 · Thu Jun 11, 2009 10:55 pm

My current "inbound routing + PCC on outbound routing" implementation.

I know NetworkPro was looking for something like this recently so I hope this helps some people out:

# allow multiple inbound connections on dynamic (adsl) interfaces
/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 connection-state=new disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 connection-state=new disabled=no new-routing-mark=wan2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark new established connection wan1" connection-state=established disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark new established connection wan2" connection-state=established disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new established route wan1" connection-mark=wan1 connection-state=established disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new established route wan2" connection-mark=wan2 connection-state=established disabled=no new-routing-mark=wan2 passthrough=no

# round robin outbound traffic routing, based on src port and src address
/ip firewall mangle    
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/0 action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/1 action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes
add chain=prerouting connection-mark=wan1_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan1
add chain=prerouting connection-mark=wan2_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan2

Fri Jun 12, 2009 9:29 am

Prerouting is always before Input, so you can put your rules whatever order you like. So first 4 rules or second 4 rules in the mangle are completely useless.

First you mark all Prerouting (input and forward) connections that come into interfaces, then you remark them in input forward again...

What exactly doesn't work in "both-addresses" PCC? How did you test it? How many clients did you have to test it?

omega-00 · Fri Jun 12, 2009 9:35 am

Edit: I'm an idiot.

Fri Jun 12, 2009 11:44 am

Are you sure you using official release version, not some kind of pre-release, that was distributed for testing only????

omega-00 · Fri Jun 12, 2009 11:58 am

Edit: I'm an idiot.

Chupaka · Fri Jun 12, 2009 12:11 pm

press 'Tab' =)

RAket · Fri Jun 12, 2009 1:35 pm

Hello,
new PCC matcher is proprietary Mikrotik solution or implementation of open source code? I am interested how this new thing works. Many thanks.
read the link in the first post of this thread. it's very simple, there is nothing special

Thank you,
I read it, but there's still question. Is the PCC matcher closed or OSS?

Fri Jun 12, 2009 2:41 pm

AFAIK MT uses only Vanilla Kernel, all other code is written by MT. (at least starting from 3.x)

to omega-00: MT gave out pre-release version out to test PCC, there was your syntax, but in official release of 3.24 syntax was changed. Example is correct.

Fri Jun 12, 2009 2:43 pm

well not everything, you have to read the RouterOS license provided with each installation

godovic · Fri Jun 12, 2009 3:36 pm

Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx
Divide traffic into 4 streams and send first 2 on the first gateway. (use both addresses as separator)

Note that this is not per packet load balancing, so it will not be 50/25/25 all the time. - More connections/clients you will have closer to those numbers you will get.

Can I add this rules:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/1 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/2 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/3 \
action=mark-connection new-connection-mark=wlan3_conn passthrough=yes

so most of the connection will be made to WAN1, than WAN2 and WAN3. I know that will not be 50/25/25

or about stream - how to make streams? Using queues?

Tnx

omega-00 · Fri Jun 12, 2009 5:08 pm

AFAIK MT uses only Vanilla Kernel, all other code is written by MT. (at least starting from 3.x)

to omega-00: MT gave out pre-release version out to test PCC, there was your syntax, but in official release of 3.24 syntax was changed. Example is correct.

Completely correct, the wrong (pre-release) version was uploaded onto 2 routers and upgraded. Funnily enough they seem to be working fine, but I'm waiting until early morning to downgrade and re-upgrade.

godovic · Tue Jun 16, 2009 5:44 pm

Following discussions about ECMP with Masquerade and similar, we have made a new firewall matcher that will allow you more control and hopefully will overcome the previous limitations, read on:

http://wiki.mikrotik.com/wiki/PCC#Introduction

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping

are the lines add address wrong? 10.111.0.24 is wlan2, and at the route 10.111.0.1 is wlan1 ?????

wispnz · Wed Jun 17, 2009 6:16 pm

Hi everyone!

When I use the configuration method described in the MT wiki for PCC http://wiki.mikrotik.com/wiki/PCC#Introduction,
the system works fine until you enable a hotspot! Then DNS screws up and the Hotpsot Login page does not appear.
If you disable the hotspot again then all returns to normal.

When using Omegas configuration example which he so kindly provided, the system works fine and also functions correctly when activating the hotspot feature.

SO my question to MT is: Why does the Wiki example on PCC config not work in conjunction with an activate hotspot, and Omega's example does?

Info on this would be greatly appreciated

(ATM I am using a modified version of Omega's configs which works fine, just though this needs to get highlighted for people who are struggling with getting Hotspot+PCC working)

My current "inbound routing + PCC on outbound routing" implementation.

I know NetworkPro was looking for something like this recently so I hope this helps some people out:

# allow multiple inbound connections on dynamic (adsl) interfaces
/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 connection-state=new disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 connection-state=new disabled=no new-routing-mark=wan2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark new established connection wan1" connection-state=established disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark new established connection wan2" connection-state=established disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new established route wan1" connection-mark=wan1 connection-state=established disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new established route wan2" connection-mark=wan2 connection-state=established disabled=no new-routing-mark=wan2 passthrough=no

# round robin outbound traffic routing, based on src port and src address
/ip firewall mangle    
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/0 action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/1 action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes
add chain=prerouting connection-mark=wan1_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan1
add chain=prerouting connection-mark=wan2_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan2

MrIC · Thu Jun 18, 2009 1:56 am

i'm trying to load balance for 3 lines using PCC

this is my config

/ ip address
add address=192.168.100.1/24 network=192.168.100.0 broadcast=192.168.100.255 interface=Local
add address=192.168.0.5/24 network=192.168.0.0 broadcast=192.168.0.255 interface=WAN1
add address=192.168.1.5/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN2
add address=192.168.2.5/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN3

/ ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=WAN3
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=WAN3

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=WAN3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=3 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade

but it didn't work .
where is the problem ?

wispnz · Thu Jun 18, 2009 2:11 am

Here is one mistake that I could pick up:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

Should be :

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

You had per-connection-classifier=both-addresses:3/1 twice instead of 3/2

Kind Regards,
Arno

MrIC · Thu Jun 18, 2009 3:37 am

thanks mate . it's my wrong .
i will try .

godovic · Thu Jun 18, 2009 9:46 am

no one answer for my question can I use:

4/0 mark new connection mark wlan1
4/1 mark new connection mark wlan1
4/2 mark new connection mark wlan2
4/3 mark new connection mark wlan3

so wlan1 will become more forced ?

Thu Jun 18, 2009 1:43 pm

Do you really need a blessing to try it?

I did write you to do it like this. where is the problem?

Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx
Divide traffic into 4 streams and send first 2 on the first gateway. (use both addresses as separator)

Note that this is not per packet load balancing, so it will not be 50/25/25 all the time. - More connections/clients you will have closer to those numbers you will get.

godovic · Thu Jun 18, 2009 1:56 pm

Do you really need a blessing to try it?

I did write you to do it like this. where is the problem?

Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx
Divide traffic into 4 streams and send first 2 on the first gateway. (use both addresses as separator)

Note that this is not per packet load balancing, so it will not be 50/25/25 all the time. - More connections/clients you will have closer to those numbers you will get.

I am sorry... I just ask how to divide traffic into streams? Using queue or ?? Cannot find .. sorry

Thu Jun 18, 2009 2:50 pm

PCC mangle will make 4 routing marks, then you need to create a route for every routing mark - very similar as is shown in the wiki example.

godovic · Fri Jun 19, 2009 12:17 am

I have successfully configured RB493AH with PCC, thanks to all and it seems to works good

I have a situation with three WAN ports ADSL, Cable and dedicated line with static IP pool - xx.yy.zz.56/29 (xx.yy.zz.56 to xx.yy.zz.63), so my gateway at the internet provider is xx.yy.zz.57, and I am using now just xx.yy.zz.58 for NAT and xx.yy.zz.59 for the mail server.

The mail server is on the ether5 with master port WAN2 (like switch).

My problem is when I do a trace route from LAN to the mail server (with ip xx.yy.zz.59) via WAN (xx.yy.zz.58) packets are going first to my provider's gateway (xx.yy.zz.57) ???

The .58 and .59 are on the same mikrotik

why the route is going to internet provider and back again?
In the /IP address the WAN port is setup correctly xx.yy.zz.58/29 so he know the pool?

were I am wrong?

wispnz · Fri Jun 19, 2009 5:14 am

Hi there, Any ideas or answers on my previous question why MT's PCC example doesnt work when you enable the Hotspot feature but Omega's does?

Thanks!
Arno

Fri Jun 19, 2009 8:35 am

For that we will see your configuration --> create another topic, or just send mail to support@mikrotik.com - let them take a look.

chapex · Tue Jun 23, 2009 8:30 am

It is possible to order a bigger percentage towards one interface? Example: 50 % - 25 % - 25 % (working with three lines) (Similar to nth, but saving his problems).

regards

Chupaka · Tue Jun 23, 2009 12:11 pm

yes. just divide your traffic into 4 streams, mark streams 1 & 2 with routing_mark 1, stream 3 = routing_mark 2, stream 4 = routing_mark 3

chapex · Wed Jun 24, 2009 7:10 am

thanks chupaka!

regards

soporte_tecnico · Wed Jun 24, 2009 6:00 pm

hello everyone
The problem is that I cut the videos on youtube, and some website.
The web youtube I F5 to refresh from the browser many times.
is my configuration.
3 lines are equal 3MB download 256Kbs upload. (ADSL WANs).

Mangle

0 chain=input action=mark-connection new-connection-mark=Telefonica1_conn passthrough=yes in-interface=Telefonica1

1 chain=input action=mark-connection new-connection-mark=Telefonica2_conn passthrough=yes in-interface=Telefonica2

2 chain=input action=mark-connection new-connection-mark=Telefonica3_conn passthrough=yes in-interface=Telefonica3

3 chain=output action=mark-routing new-routing-mark=to_Telefonica1 passthrough=yes connection-mark=Telefonica1_conn

4 chain=output action=mark-routing new-routing-mark=to_Telefonica2 passthrough=yes connection-mark=Telefonica2_conn

5 chain=output action=mark-routing new-routing-mark=to_Telefonica3 passthrough=yes connection-mark=Telefonica3_conn

6 chain=prerouting action=mark-connection new-connection-mark=Telefonica1_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses:3/0

7 chain=prerouting action=mark-connection new-connection-mark=Telefonica2_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses:3/1

8 chain=prerouting action=mark-connection new-connection-mark=Telefonica3_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses:3/2

9 chain=prerouting action=mark-routing new-routing-mark=to_Telefonica1 passthrough=yes in-interface=Local
connection-mark=Telefonica1_conn

10 chain=prerouting action=mark-routing new-routing-mark=to_Telefonica2 passthrough=yes in-interface=Local
connection-mark=Telefonica2_conn

11 chain=prerouting action=mark-routing new-routing-mark=to_Telefonica3 passthrough=yes in-interface=Local
connection-mark=Telefonica3_conn

12 ;;; Marcado Conexion de Trafico Lan
chain=forward action=mark-connection new-connection-mark=users-con passthrough=yes src-address=192.168.1.0/24

13 ;;; Marcado de paquetes Conexion Lan
chain=forward action=mark-packet new-packet-mark=users passthrough=yes connection-mark=users-con

Route

# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable Telefonica1 1 Telefonica1
1 A S 0.0.0.0/0 reachable Telefonica1 1 Telefonica1
2 A S 0.0.0.0/0 reachable Telefonica2 1 Telefonica2
3 A S 0.0.0.0/0 reachable Telefonica3 1 Telefonica3
4 S 0.0.0.0/0 reachable Telefonica3 3 Telefonica3
5 S 0.0.0.0/0 reachable Telefonica2 2 Telefonica2
6 A S 168.226.214.43/32 reachable Telefonica1 1 Telefonica1
7 ADC 192.168.1.0/24 192.168.1.1 0 Local
8 ADC 200.51.241.209/32 168.226.214.43 0 Telefonica1
9 ADC 200.51.241.227/32 190.48.248.249 0 Telefonica3
10 ADC 200.51.241.233/32 201.254.124.172 0 Telefonica2

Nat

7 chain=srcnat action=masquerade out-interface=Telefonica1

8 chain=srcnat action=masquerade out-interface=Telefonica2

9 chain=srcnat action=masquerade out-interface=Telefonica3

gustkiller · Wed Jun 24, 2009 6:14 pm

going to test the omega setup becouse the wiki example screws up the hotspot

omega-00 · Wed Jun 24, 2009 6:29 pm

I believe my example still has a few kinks to be worked out too, seems to work ok with webpages but I'm getting some reports that things like xbox games that make multiple connections over time don't like it very much.

Will post if I find a config that works better but would be happy for anyone else to make suggestions also.

Note that this is only the outbound connections, inbound works perfectly for me.

soporte_tecnico · Wed Jun 24, 2009 7:30 pm

Hi omega 00

The same thing happens with the game diablo2 and online

tiagom · Thu Jun 25, 2009 6:53 pm

Hello staff,
I did some loadbalaced with PCC and in particular the improvements in the rules of the omega-00, took some things that I thought needed to n, and only added the rules of the wiki in the chain INPUT and OUTPUT = NEW STATE CONECTIONS and solved the problem of open the page of the hotspot authentication.
But some other problems appeared as:
1 - It has been reported to the top of youtube videos does not open at first
2 - once the customer is communicated with all the valid IP ranges that the server mikrotik using this loadbalaced to do directly with the PCC balancing the client leaves for internet to communicate with the network itself, but to solve it, just take these bands of IPs that the server mikrotik using this outside of the cache.
3 - When you make a bank transaction for the IP is changed so Desloge bank by the customer think that he is on another machine, so q is doing the same way up, taking the tracks out of the IP cache.
4 - Sometimes the pages of the Internet expires, as it was n the air, and that precionar F5 to return to open.
5 - There is no possibility to use an external proxy for customers who use the internet this loadbalaced.

Balancing out these details it is very good, I believe that the mikrotik will solve the problem soon.

Tiago Matias

tiagom · Thu Jun 25, 2009 7:18 pm

A photo of a loadbalaced with 7 WAN working well

Fri Jun 26, 2009 12:16 pm

Hello staff,
I did some loadbalaced with PCC and in particular the improvements in the rules of the omega-00, took some things that I thought needed to n, and only added the rules of the wiki in the chain INPUT and OUTPUT = NEW STATE CONECTIONS and solved the problem of open the page of the hotspot authentication.
But some other problems appeared as:
1 - It has been reported to the top of youtube videos does not open at first
2 - once the customer is communicated with all the valid IP ranges that the server mikrotik using this loadbalaced to do directly with the PCC balancing the client leaves for internet to communicate with the network itself, but to solve it, just take these bands of IPs that the server mikrotik using this outside of the cache.
3 - When you make a bank transaction for the IP is changed so Desloge bank by the customer think that he is on another machine, so q is doing the same way up, taking the tracks out of the IP cache.
4 - Sometimes the pages of the Internet expires, as it was n the air, and that precionar F5 to return to open.
5 - There is no possibility to use an external proxy for customers who use the internet this loadbalaced.

Balancing out these details it is very good, I believe that the mikrotik will solve the problem soon.

Tiago Matias

What is your PCC configuration??? in case of "both-addresses" problems 1. 3. 4. should be out of the picture.

I would also add rule that closest (ISPs) networks will always be routed to a corresponding interface (that should solve 2.)

tiagom · Sat Jun 27, 2009 4:11 am

Hello staff,
I did some loadbalaced with PCC and in particular the improvements in the rules of the omega-00, took some things that I thought needed to n, and only added the rules of the wiki in the chain INPUT and OUTPUT = NEW STATE CONECTIONS and solved the problem of open the page of the hotspot authentication.
But some other problems appeared as:
1 - It has been reported to the top of youtube videos does not open at first
2 - once the customer is communicated with all the valid IP ranges that the server mikrotik using this loadbalaced to do directly with the PCC balancing the client leaves for internet to communicate with the network itself, but to solve it, just take these bands of IPs that the server mikrotik using this outside of the cache.
3 - When you make a bank transaction for the IP is changed so Desloge bank by the customer think that he is on another machine, so q is doing the same way up, taking the tracks out of the IP cache.
4 - Sometimes the pages of the Internet expires, as it was n the air, and that precionar F5 to return to open.
5 - There is no possibility to use an external proxy for customers who use the internet this loadbalaced.

Balancing out these details it is very good, I believe that the mikrotik will solve the problem soon.

Tiago Matias
What is your PCC configuration??? in case of "both-addresses" problems 1. 3. 4. should be out of the picture.

I would also add rule that closest (ISPs) networks will always be routed to a corresponding interface (that should solve 2.)

My setup is this PCC below:

My interfaces
Interfaces WANs:
ether1, ether2, ether3, ether4, ether5, ether6 and ether7
LAN Interface: ether9-Clientes

My mangle
/ip firewall mangle
add action=accept chain=prerouting comment="out load DST" disabled=no dst-address-list=rede-interna in-interface=ether9-Clientes
add action=mark-connection chain=input comment=ether1_conn connection-state=new disabled=no in-interface=ether1 new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=input comment=ether2_conn connection-state=new disabled=no in-interface=ether2 new-connection-mark=ether2_conn passthrough=yes
add action=mark-connection chain=input comment=ether3_conn connection-state=new disabled=no in-interface=ether3 new-connection-mark=ether3_conn passthrough=yes
add action=mark-connection chain=input comment=ether4_conn connection-state=new disabled=no in-interface=ether4 new-connection-mark=ether4_conn passthrough=yes
add action=mark-connection chain=input comment=ether5_conn connection-state=new disabled=no in-interface=ether5 new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=input comment=ether6_conn connection-state=new disabled=no in-interface=ether6 new-connection-mark=ether6_conn passthrough=yes
add action=mark-connection chain=input comment=ether7_conn connection-state=new disabled=no in-interface=ether7 new-connection-mark=ether7_conn passthrough=yes
add action=mark-routing chain=output comment=to_ether1 connection-mark=ether1_conn connection-state=new disabled=no new-routing-mark=to_ether1 passthrough=no
add action=mark-routing chain=output comment=to_ether2 connection-mark=ether2_conn connection-state=new disabled=no new-routing-mark=to_ether2 passthrough=no
add action=mark-routing chain=output comment=to_ether3 connection-mark=ether3_conn connection-state=new disabled=no new-routing-mark=to_ether3 passthrough=no
add action=mark-routing chain=output comment=to_ether4 connection-mark=ether4_conn connection-state=new disabled=no new-routing-mark=to_ether4 passthrough=no
add action=mark-routing chain=output comment=to_ether5 connection-mark=ether5_conn connection-state=new disabled=no new-routing-mark=to_ether5 passthrough=no
add action=mark-routing chain=output comment=to_ether6 connection-mark=ether6_conn connection-state=new disabled=no new-routing-mark=to_ether6 passthrough=no
add action=mark-routing chain=output comment=to_ether7 connection-mark=ether7_conn connection-state=new disabled=no new-routing-mark=to_ether7 passthrough=no
add action=mark-connection chain=prerouting comment=ether1_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/0
add action=mark-connection chain=prerouting comment=ether2_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/1
add action=mark-connection chain=prerouting comment=ether3_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/2
add action=mark-connection chain=prerouting comment=ether4_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/3
add action=mark-connection chain=prerouting comment=ether5_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether5_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/4
add action=mark-connection chain=prerouting comment=ether6_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether6_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/5
add action=mark-connection chain=prerouting comment=ether7_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether7_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/6
add action=mark-routing chain=prerouting comment=to_ether1 connection-mark=ether1_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether1 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether2 connection-mark=ether2_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether2 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether3 connection-mark=ether3_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether3 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether4 connection-mark=ether4_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether4 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether5 connection-mark=ether5_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether5 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether6 connection-mark=ether6_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether6 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether7 connection-mark=ether7_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether7 passthrough=no

My NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether3
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether4
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether5
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether6
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether7

My route
/ip route
add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=189.19.x.x scope=30 target-scope=10
add comment=link2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=189.19.86.1 routing-mark=to_ether1 scope=30 target-scope=10
add comment=link2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_ether2 scope=30 target-scope=10
add comment=link3 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_ether3 scope=30 target-scope=10
add comment=link6 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.253.253 routing-mark=to_ether6 scope=30 target-scope=10
add comment=link5 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.5.1 scope=30 target-scope=10
add comment=link3 disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=30 target-scope=10
add comment=link4 disabled=no distance=4 dst-address=0.0.0.0/0 gateway=200.161.x.x scope=30 target-scope=10
add comment=link6 disabled=no distance=6 dst-address=0.0.0.0/0 gateway=172.16.253.253 scope=30 target-scope=10
add comment=link4 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.161.x.x routing-mark=to_ether4 scope=30 target-scope=10
add comment=link5 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to_ether5 scope=30 target-scope=10
add comment=link7 disabled=no distance=7 dst-address=0.0.0.0/0 gateway=172.16.254.252 scope=30 target-scope=10
add comment=link7 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.254.252 routing-mark=to_ether7 scope=30 target-scope=10

I am using at:
per-connection-classifier = both-addresses-and-ports
only in this way could add the links when doing a download with a download management application
Not tested using the classifier per-connection-classifier just as both-addresses, I do the test to test for it to problems with the youtube videos and freezing some pages.

Examine how it is to test the rules and we can leave it in the best way possible
Grateful

maaking2 · Sun Jun 28, 2009 2:10 pm

Hello,

I'm using the example posted by: tiagom

my source is 6 gateways adsl and wireless internet each one is (128kbps).

I have setup this on my router and all traffic goes to ether1 only.

there were 25 users online, and all were taking internet from ether1

all my users are connected through ether9-Clients, via PPPOE each one has PPPOE username and password.

my question is:

- how can i get users to use other connections ether2,ether3,ether4... (divide traffic)

- i need to use the full speed of these gateways.
each gateway is (128kbps) so i should get 768kps

thanks

tiagom · Sun Jun 28, 2009 5:42 pm

Hello,

I'm using the example posted by: tiagom

my source is 6 gateways adsl and wireless internet each one is (128kbps).

I have setup this on my router and all traffic goes to ether1 only.

there were 25 users online, and all were taking internet from ether1

all my users are connected through ether9-Clients, via PPPOE each one has PPPOE username and password.

my question is:

- how can i get users to use other connections ether2,ether3,ether4... (divide traffic)

- i need to use the full speed of these gateways.
each gateway is (128kbps) so i should get 768kps

thanks

Hello maaking2,
I also tested the PCC by loadbalaced with customers connected via PPPoE, and the problem we realized that each client connected via the PPPoE client proprio itself is a virtual interface, so q would have to create a rule for each client to connect via PPPoE I believe that it is not sure and I believe also that mikrotik will solve this problem.
I have some clients that use the authentication via PPPoE for their clients and in the case of my clients did the CCP loadbalaced in a routerboard before and this routerboard share the Internet to a server so that this wheel is a PPPoE server.

Let 's hope and expect that mikrotik can adjust to the same machine that has the CCP loadbalaced can have servers hotspot server and PPPoE

Tiago Matias

Chupaka · Sun Jun 28, 2009 7:39 pm

- i need to use the full speed of these gateways.
each gateway is (128kbps) so i should get 768kps

at first, it's not possible to get 768 kbps for single connection

second - do not use

others' examples without understanding it! your clients come from pppoe interfaces, so "in-interface=ether9-Clientes" do not have sense. use something like 'src-address=your_pppoe_address_pool'

Mon Jun 29, 2009 8:43 am

to tiagom: "both-addresses-and-ports" is the problem. Use "both-addresses"

tiagom · Tue Jun 30, 2009 8:42 pm

to tiagom: "both-addresses-and-ports" is the problem. Use "both-addresses"

still the videos on youtube need to refresh the page to load, but all sites have stopped giving site expired

chapex · Sat Jul 04, 2009 9:37 pm

It is possible that coexists web-proxy and pcc balanc. ? ... Previously it was not possible due to the fact that the output of the web-proxy takes one of the like own chains of exit.

regards

dssmiktik · Sat Jul 04, 2009 10:26 pm

Mikrotik, PCC looks like a great facility. And whether it's open source or not, any addition that makes Mikrotik stand out, but still gives users freedom is great. As long as it works, and stable, etc. go for it. EoIP seems to have taken off quite well too I must say.

Thanks for the great work Mikrotik!

Chupaka · Mon Jul 06, 2009 11:05 am

It is possible that coexists web-proxy and pcc balanc. ? ... Previously it was not possible due to the fact that the output of the web-proxy takes one of the like own chains of exit.

yes, you should use 'Mangle Output' to redistribute proxy's output between different routing marks

soporte_tecnico · Mon Jul 06, 2009 11:19 am

Hi all
as is equal to redistribute example?

soporte_tecnico · Mon Jul 06, 2009 1:36 pm

for example we have 3 WANs with pcc and have the same web-server proxy, but it always comes out of the wan Pueto 80.
And honestly I could not redistribute it.

Thank all

Nevyn357 · Tue Jul 07, 2009 12:29 am

How long are the idle connections kept before they're removed from the connection table and it counts as new? (ie. If I have a connection, then walk away for x amount of minutes, come back and refresh and it goes out a different WAN connection due to the first connection expiring - what is x?)

Thanks,
Greg

Chupaka · Tue Jul 07, 2009 1:53 am

How long are the idle connections kept before they're removed from the connection table and it counts as new? (ie. If I have a connection, then walk away for x amount of minutes, come back and refresh and it goes out a different WAN connection due to the first connection expiring - what is x?)

that's not about PCC. if you use 'src-dst-address' classifier and address of the server you are connecting to is constant, then you will always go through the same gateway, because the hash function PCC is using is deterministic

Nevyn357 · Tue Jul 07, 2009 4:43 pm

Was thinking there was a time based aspect to it - guess I should have just looked over the wiki again. Thanks.

Chupaka · Tue Jul 07, 2009 11:09 pm

it's about ECMP - that's why PCC was introduced, to avoid time aspects of WAN selecting

rainmaker · Wed Jul 08, 2009 12:14 am

Dear All
Thank for you help so far.
Your examples is towards Ethernet user with static interface.
how can i adapter it to suit dynamic interface such as pppoe server.
how should l define the in-interface in this case?

The other problem l have is the up link mangle rule what should l do if am using pppoe with dynamic ip.

Thanks

Chupaka · Wed Jul 08, 2009 12:27 am

for your users, you may use 'src-address' instead of 'in-interface'

powernetscm · Fri Jul 24, 2009 11:56 pm

hi i´m new in forum

for best performance in pcc what option i can use

both addresses our both addresses and ports

our other

tks

Chupaka · Sat Jul 25, 2009 3:08 pm

it depends on your task and do not affect the performance, I believe

grescho · Fri Aug 07, 2009 2:41 pm

is it possible to use a transparent proxy server with ppc setup?
I'm sure i read somewhere that it isn't possible because the PPC clasifies each connection coming from the proxy as the same, and therefore sends it to the same interface each time.

If this is the case, is there likely to be a fix or a work around for this?
If nanyone could put be straight i would be grateful.

Chupaka · Fri Aug 07, 2009 2:44 pm

of course you can do it with pcc. just load-balance your outgoing connections by routing-marking in 'output' mangle chain. and use at least 'dst-address' in PCC classifier

hilton · Mon Aug 10, 2009 11:02 pm

Chupaka, please confirm something for me.

If I simply want to route say ports 80 and 443 via wan1 and say the rest via wan2, I then DO NOT need PCC, rather policy based routing?

PCC is more for load balancing?

Thanks.

Chupaka · Tue Aug 11, 2009 12:31 pm

of course. PCC is for load balancing only. if you do not need to divide similar traffic into different flows - you do not need PCC

hilton · Tue Aug 11, 2009 12:56 pm

Thanks Chupaka.

Can one have a combination of PCC for general load balancing and then policy based routing for a certain traffic?

NetworkPro · Tue Aug 11, 2009 1:28 pm

Yes, static routing will always work. Its a matter of managing the routes themselves.

edit: just exclude whatever is routed statically from the PCC mangle

hilton · Tue Aug 11, 2009 2:03 pm

Cool, thanks.

Chupaka · Tue Aug 11, 2009 3:36 pm

summing up: with RouterOS you can route almost everything as you need =)

Muhammad · Wed Aug 19, 2009 12:45 pm

Hi, to All Experts
i Try PCC on my setup, butt PCC not work for me properly, i am using Version 3.28, 2 WAN and 1 LAN for PPPoE Users
i use 2 Configuration examples, one from Mikrotik wiki and other from one user

hare is both of Configuration script witch i used butt not working, please highlight and tell me where my mistake

Example 1

My interfaces
WAN Interfaces: WAN1 and WAN2
LAN Interface: LAN

/ ip firewall mangle

add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.20.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.30.0/24 action=accept in-interface=LAN

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=WAN1_conn passthrough=yes

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.20.254 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 distance=2 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

###############################################################
Example 2

My interfaces
WAN Interfaces: WAN1 and WAN2
LAN Interface: LAN

/ip firewall mangle

add action=accept chain=prerouting comment="out load DST" disabled=no dst-address=0.0.0.0/0 in-interface=LAN

add action=mark-connection chain=input comment=WAN1_conn connection-state=new disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment=WAN2_conn connection-state=new disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes

add action=mark-routing chain=output comment=to_WAN1 connection-mark=WAN1_conn connection-state=new disabled=no new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output comment=to_WAN2 connection-mark=WAN2_conn connection-state=new disabled=no new-routing-mark=to_WAN2 passthrough=no

add action=mark-connection chain=prerouting comment=WAN1_conn disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment=WAN2_conn disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1

add action=mark-routing chain=prerouting comment=to_WAN1 connection-mark=WAN1_conn disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting comment=to_WAN2 connection-mark=WAN2_conn disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat

add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2

/ip route

add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.254 scope=30 target-scope=10
add comment=link2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.30.254 scope=30 target-scope=10
add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=to_WAN1 scope=30 target-scope=10
add comment=link2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.30.254 routing-mark=to_WAN2 scope=30 target-scope=10

###############################################################

magnavox · Wed Aug 19, 2009 8:56 pm

Hi Muhammad.

not working you mean "not matching"?

Muhammad · Wed Aug 19, 2009 9:17 pm

Hi Muhammad.

not working you mean "not matching"?

First Thanks for your reply,

not working mean, after using that both scripts my 100% internet traffic going throw WAN1. not 50% on each WAN

i am using PPPoE Server for Clint's on LAN Interface

magnavox · Wed Aug 19, 2009 9:37 pm

Hi Muhammad.

not working you mean "not matching"?
First Thanks for your reply,

not working mean, after using that both scripts my 100% internet traffic going throw WAN1. not 50% on each WAN

i am using PPPoE Server for Clint's on LAN Interface

Hi, can you post a screeshot of Firewall/Mangle rules?

magnavox · Wed Aug 19, 2009 9:40 pm

Note: you can split only session, not bandwith consumed by session.

Assuming that you have a 10 Mbps LAN to WANs traffic, each session can consume 0kps up to 10MBps... (+ or -)

Chupaka · Thu Aug 20, 2009 3:55 am

Muhammad, are there any differences between Example 1 and Example 2?..

and what about your rules with PCC - do they count packets?

Muhammad · Thu Aug 20, 2009 4:25 pm

Hi Muhammad.

not working you mean "not matching"?
First Thanks for your reply,

not working mean, after using that both scripts my 100% internet traffic going throw WAN1. not 50% on each WAN

i am using PPPoE Server for Clint's on LAN Interface
Hi, can you post a screeshot of Firewall/Mangle rules?

Thanks for reply
here is configuration and screen-shoots

My interfaces
Interfaces WANs: 1 and 2
LAN Interface: LAN

/ ip firewall mangle

add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.20.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.30.0/24 action=accept in-interface=LAN

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=WAN1_conn passthrough=yes

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2

/

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.20.254 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 distance=2 check-gateway=ping

/

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

mangal.JPG

ip firewall nat

nat.JPG

route

Route.JPG

see in screen-shoots, all traffic going throw WAN1

magnavox · Thu Aug 20, 2009 4:38 pm

mmm, can you post a shot of Firewall/Connection section?

Muhammad · Thu Aug 20, 2009 5:07 pm

mmm, can you post a shot of Firewall/Connection section?

test.JPG

magnavox · Thu Aug 20, 2009 5:11 pm

As you can see, Connection Mark is empty!!!!!

If you want, I can access this MT to help you... send me a PM...

magnavox · Thu Aug 20, 2009 5:20 pm

A sample PCC...

Muhammad · Thu Aug 20, 2009 5:26 pm

As you can see, Connection Mark is empty!!!!!

If you want, I can access this MT to help you... send me a PM...

Thanks for reply
i cant sent a PM
((((((((((You are not authorised to send private messages.)))))))))

if you like, my yahoo ID is: muhammad_eng77
i have teamviewer remote access

Thanks

magnavox · Thu Aug 20, 2009 7:11 pm

You need to set in PCC rules "connection-state=new".

magnavox · Thu Aug 20, 2009 7:14 pm

On my RB433Ah the script work fine... as you are running a RB532... Mikrotik staff, are you sure that PPC matcher are bug free on RB532?

maaking2 · Fri Aug 21, 2009 3:33 pm

Hello Guys,

I have setup the config in:
http://wiki.mikrotik.com/wiki/PCC#Introduction

My router is: RB433ah
Router Os ver = 3.28

here is what i came with:


/ ip address
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Local 
add address=192.168.1.99/24 network=192.168.1.0 broadcast=192.168.1.255 interface=adsl1
add address=192.168.10.10/24 network=192.168.10.0 broadcast=192.168.10.255 interface=adsl2



/ ip firewall mangle
add chain=input in-interface=adsl1 action=mark-connection new-connection-mark=adsl1_conn
add chain=input in-interface=adsl2 action=mark-connection new-connection-mark=adsl2_conn
add chain=output connection-mark=adsl1_conn action=mark-routing new-routing-mark=to_adsl1     
add chain=output connection-mark=adsl2_conn action=mark-routing new-routing-mark=to_adsl2

add chain=prerouting dst-address=192.168.1.0/24  action=accept in-interface=Local 
add chain=prerouting dst-address=192.168.10.0/24  action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0  action=mark-connection new-connection-mark=adsl1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1  action=mark-connection new-connection-mark=adsl2_conn passthrough=yes

add chain=prerouting connection-mark=adsl1_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl1
add chain=prerouting connection-mark=adsl2_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl2



/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_adsl1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_adsl2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2 check-gateway=ping


/ ip firewall nat 
add chain=srcnat out-interface=adsl1 action=masquerade
add chain=srcnat out-interface=adsl2 action=masquerade

ff11.JPG

the problem is:

all traffic goes to adsl1 , not divided to both.

all my clients connect to router via pppoe connection through Local interface.

i check the config several times, but helpless.

from my searches, i notced that all people who test it reported the same bug.

i hope somebody post a fix for it.

Muhammad · Fri Aug 21, 2009 5:00 pm

Hello Guys,

I have setup the config in:
http://wiki.mikrotik.com/wiki/PCC#Introduction

My router is: RB433ah
Router Os ver = 3.28

here is what i came with:


/ ip address
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Local 
add address=192.168.1.99/24 network=192.168.1.0 broadcast=192.168.1.255 interface=adsl1
add address=192.168.10.10/24 network=192.168.10.0 broadcast=192.168.10.255 interface=adsl2



/ ip firewall mangle
add chain=input in-interface=adsl1 action=mark-connection new-connection-mark=adsl1_conn
add chain=input in-interface=adsl2 action=mark-connection new-connection-mark=adsl2_conn
add chain=output connection-mark=adsl1_conn action=mark-routing new-routing-mark=to_adsl1     
add chain=output connection-mark=adsl2_conn action=mark-routing new-routing-mark=to_adsl2

add chain=prerouting dst-address=192.168.1.0/24  action=accept in-interface=Local 
add chain=prerouting dst-address=192.168.10.0/24  action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0  action=mark-connection new-connection-mark=adsl1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1  action=mark-connection new-connection-mark=adsl2_conn passthrough=yes

add chain=prerouting connection-mark=adsl1_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl1
add chain=prerouting connection-mark=adsl2_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl2



/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_adsl1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_adsl2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2 check-gateway=ping


/ ip firewall nat 
add chain=srcnat out-interface=adsl1 action=masquerade
add chain=srcnat out-interface=adsl2 action=masquerade

the problem is:

all traffic goes to adsl1 , not divided to both.

all my clients connect to router via pppoe connection through Local interface.

i check the config several times, but helpless.

from my searches, i notced that all people who test it reported the same bug.

i hope somebody post a fix for it.

i have same problem in RB532 OS-3.28
((((i think)))) PCC is not working if you use PPPoE server on Same Router or your pppoe-clients is connected throw Local interface

magnavox · Fri Aug 21, 2009 6:32 pm

PPPoE server create a interface for each connected client.

It's wrong to set in-interface as phisical ethernet.
You need to match packets by source address or by other via.
As you can see above, the PCC work fine on my RB433AH, splitting connection in 3 "slot".

for Muhammad: I think that your problem is a NAT rule or other. In last cfg that we have make, PCC split correctly traffic in two.

maaking2 · Fri Aug 21, 2009 8:55 pm

PPPoE server create a interface for each connected client.

It's wrong to set in-interface as physical Ethernet.
You need to match packets by source address or by other via.

thanks for your quick reply.

do you know how can i do that, or can mikrotik guys post help here!.

regards

omega-00 · Sat Aug 22, 2009 8:55 am

An updated set of my multi-connection PCC rules.

/ip route
add check-gateway=arp comment="WAN 3  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan3
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="WAN 2  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 1  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 3  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan3
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe

/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 \
    passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 \
    passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan3" connection-state=new disabled=no in-interface=wan3-pppoe new-connection-mark=wan3 \
    passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan1" connection-state=established disabled=no in-interface=wan1-pppoe \
    new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan2" connection-state=established disabled=no in-interface=wan2-pppoe \
    new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan3" connection-state=established disabled=no in-interface=wan3-pppoe \
    new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe \
    new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan2" connection-state=related disabled=no in-interface=wan2-pppoe \
    new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan3" connection-state=related disabled=no in-interface=wan3-pppoe \
    new-connection-mark=wan3 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 disabled=no new-routing-mark=wan2 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan3" connection-mark=wan3 disabled=no new-routing-mark=wan3 passthrough=no
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=new disabled=no \
    dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=new disabled=no \
    dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=new disabled=no \
    dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=\
    established disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=\
    established disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=\
    established disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=related \
    disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=related \
    disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=related \
    disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 1" connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=\
    yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 2" connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=\
    yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 3" connection-mark=wan3_pcc_conn disabled=no new-routing-mark=wan3 passthrough=\
    yes

These allow the following:

- PCC outbound connection loadbalancing
- Inbound connections to the mikrotik over any wan interface
- Any new inbound connections to internal machines will work fine as they are locked to the initial interface
- Automatic fallover to alternate gateways in the event that one of the links goes offline (using check-arp to determine if a link is online)

Notes:

- I've used pppoe authentication directly on the mikrotik so it has the public IP addresses
- All three of these connections are the same speed so balancing is done with equal cost on each interface

If anyone has any questions about this implementation just reply here and I'll answer as best I can.

maaking2 · Sat Aug 22, 2009 1:27 pm

thanks omega-00 for sharing pcc load balancing:

unfortionatly it didn't work for me, all traffic goes to Interface1, not divided ,

all my clients connect VIA PPPOE.

I have 2 interfaces gateways:

1 = adsl1
2= adsl2

3- Local - is an interface which clients use.

here is my configuration based on yours:

/ip route
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.10.1

add check-gateway=arp comment="WAN 1  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1  routing-mark=wan1
add check-gateway=arp comment="WAN 1  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=wan1

add check-gateway=arp comment="WAN 2  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=wan2
add check-gateway=arp comment="WAN 2  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1  routing-mark=wan2





/ip firewall mangle
add action=mark-connection chain=input connection-state=new disabled=no in-interface=adsl1 new-connection-mark=wan1 passthrough=yes  comment="Mark new inbound connection wan1"
add action=mark-connection chain=input connection-state=new disabled=no in-interface=adsl2 new-connection-mark=wan2 passthrough=yes  comment="Mark new inbound connection wan2"

add action=mark-connection chain=prerouting connection-state=established disabled=no in-interface=adsl1 new-connection-mark=wan1 passthrough=yes  comment="Mark established inbound connection wan1"
add action=mark-connection chain=prerouting connection-state=established disabled=no in-interface=adsl2 new-connection-mark=wan2 passthrough=yes  comment="Mark established inbound connection wan2"

add action=mark-connection chain=prerouting connection-state=related disabled=no in-interface=adsl1 new-connection-mark=wan2 passthrough=yes  comment="Mark related inbound connection wan1"
add action=mark-connection chain=prerouting connection-state=related disabled=no in-interface=adsl2 new-connection-mark=wan2 passthrough=yes  comment="Mark related inbound connection wan2"

add action=mark-routing chain=output connection-mark=wan1 disabled=no new-routing-mark=wan1 passthrough=no  comment="Mark new inbound route wan1"
add action=mark-routing chain=output connection-mark=wan2 disabled=no new-routing-mark=wan2 passthrough=no  comment="Mark new inbound route wan2"

add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0  comment="Mark traffic that isn't local with PCC mark rand (2 possibilities) - option 1"
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1  comment="Mark traffic that isn't local with PCC mark rand (2 possibilities) - option 2"

add action=mark-connection chain=prerouting connection-state=established disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0  comment="Mark established traffic that isn't local with PCC mark rand (2 possibilities) - option 1"
add action=mark-connection chain=prerouting connection-state=established disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1  comment="Mark established traffic that isn't local with PCC mark rand (2 possibilities) - option 2"

add action=mark-connection chain=prerouting connection-state=related disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0  comment="Mark related traffic that isn't local with PCC mark rand (2 possibilities) - option 1"
add action=mark-connection chain=prerouting connection-state=related disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1  comment="Mark related traffic that isn't local with PCC mark rand (2 possibilities) - option 2"

add action=mark-routing chain=prerouting connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=yes  comment="Mark routing for  PCC mark - option 1"
add action=mark-routing chain=prerouting connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=yes  comment="Mark routing for  PCC mark - option 2"

again, all traffic goes to interface 1, not divided.

i hope somebody can figure out a solution.

thanks

NetworkPro · Sat Aug 22, 2009 2:28 pm

omega-00 Thank you for the brain excersie here. I think you don't need to mangle related and established connections. So please explain why you mangle them, maybe there is a point to it that we need to understand.

omega-00 · Sat Aug 22, 2009 7:58 pm

maaking2: Not entirely sure, although you mentioned your connections are PPPoE connections in this router? If that is correct then would the users actually pass via the local interface or each via is own pppoe interface?

NetworkPro: Feel free to try out the first part of the rules (mangling for all inbound connections) for yourself and let me know if you have any issues or improvements.

I find it works fine for ftp servers and similar hosted behind the router, regardless of which connection they're running on (eg: forward ports over adsl1 to the ftp server and run all connections over adsl1 to the server) catching the established connections is just something I do as a best practise as I don't want to accidentally change the established connections further down in the rules by accident.

If anyone wants to suggest further testing I could do I'm happy to try, I just find this particular setup works perfectly for me.

maaking2 · Sat Aug 22, 2009 10:41 pm

maaking2: Not entirely sure, although you mentioned your connections are PPPoE connections in this router? If that is correct then would the users actually pass via the local interface or each via is own pppoe interface?
.

thanks for the reply.

here is a screen of my config:
take a loot at interface list. i think: each user has his own pppoe interface, created automatically.

Untitled-1.jpg

Mon Aug 24, 2009 12:42 pm

to maaking2 - in first picture you can clearly see - problematic interface don't have ready flag, so maybe you need to plug Ethernet cable first

omega-00 · Mon Aug 24, 2009 12:46 pm

to maaking2 - in first picture you can clearly see - problematic interface don't have ready flag, so maybe you need to plug Ethernet cable first

Haha, indeed. Sometimes all it takes is another set of eyes

maaking2 · Mon Aug 24, 2009 1:08 pm

to maaking2 - in first picture you can clearly see - problematic interface don't have ready flag, so maybe you need to plug Ethernet cable first

NO, it's plugged in.

[attachment=0]interface_list.jpg[/attachment]

When i Disable adsl1, all traffic goes to adsl2.

the king problem of all times is: traffic is not divided into the 2 interfaces, adsl1 and adsl2.

i tried all examples available on the wiki, and got the same thing.

what can i do next? smash down the router!!!!!

thanks all

NetworkPro · Mon Aug 24, 2009 1:10 pm

Route table seems not correct... the route that should be active is not - it can't reach the gateway 10.1 ?

omega-00 · Mon Aug 24, 2009 7:49 pm

Hey maaking2 please post another image of both the interface page and the ip route page while everything is connected and enabled.

Remember that the PCC does a "round robin" outbound load sharing, so try getting the one computer to open 2 tabs of www.speedtest.net and try to 2 different servers (you might need to try this on a couple of servers before you end up getting one running over each link as your computer will probably be doing other things in the background)

You should then be able to see traffic passing out both interfaces.

NetworkPro · Mon Aug 24, 2009 8:21 pm

Don't worry I fixed it. He uses transparent web proxy and his clients connect via PPPoE so the PCC configuration is more difficult. I could post it in a WiKi so you can admire my work

he he just joking

But anyway, I could post it when I have time, no problem ...

Chupaka · Tue Aug 25, 2009 1:40 am

much much harder? add two PCQ rules in output chain?..

NetworkPro · Tue Aug 25, 2009 1:59 am

Yes it has hidden problems for example we had to "accept" this and that in prerouting before they hit the PCC matchers... watch out in output chain what goes to clients etc etc.. see the WiKi ..

hilton · Tue Aug 25, 2009 12:05 pm

Post your config NetworkPro, I'm interested in your handy work.

Chupaka · Tue Aug 25, 2009 12:20 pm

even if you mark routing - redirect rule for transparent proxy still works = no need to 'accept' =)

NetworkPro · Tue Aug 25, 2009 12:43 pm

I think so yes. Because Mohammed reported problem was back after a few minutes so we don't really know what caused it. We thought it was fixed by that accept rule but .. no. I'm waiting for him to contact me to bring the config to a complete working state with proxy.

maaking2 · Wed Aug 26, 2009 8:29 pm

I think so yes. Because Mohammad reported problem was back after a few minutes so we don't really know what caused it. We thought it was fixed by that accept rule but .. no. I'm waiting waiting for him to contact me to bring the config to a complete working state with proxy.

yes, it's not fully working yet.

i disabled web-proxy and disable NAT related to web-proxy port forwarding: my clients complain port 80 not working, browsing is notworking, but other chatting programms working fine with them.

i had to restore a prevoius backup. till we figure out a solution.

thanks

NetworkPro · Thu Aug 27, 2009 11:41 am

Chat programs rarely depend on a working DNS. Maybe the DNS settings were not correct ... hence the web sites not opening.

petrik · Fri Aug 28, 2009 11:34 am

Hello, one question: what is the more compatible match setting, both addresses with or without ports? I want to loadballance lots of windows desktops and I dont want to cause any problems as somebody have here with youtube etc. I guess that both addresses without ports should work good, only in case some program connects to some kind of cluster (i.e. to more different IPs) it could be problem, if that cluster need all connections gouing from same IP. what are the real exps? thanks a lot for this new FW matcher!! I am going to use two MK in HA VRRP cluster with 4 DSL connected to each, so loadballance between 8 DSL lines with failover, it it will work, it is a holly grall of load ballancing without a SPoF.

NetworkPro · Fri Aug 28, 2009 3:47 pm

Chat programs rarely depend on a working DNS. Maybe the DNS settings were not correct ... hence the web sites not opening.

The DNS problem was that the router tried to connect to ADSL1 IP through ADSL2 gateway therefore breaking DNS...

Here is the current stable config: wiki.mikrotik.com/wiki/NetworkPro_on_Combining_NATed_Links please comment, review, edit the WiKi, ...

grescho · Thu Sep 03, 2009 11:16 pm

Just a small problem.. AGAIN!! ( My lack of knowledge really is anonying)

Ok so i currently have a hotspot running with the PCC load balancer. Everything working ok.. except for:
My customers are complaining that they have finding it difficult to access there banks webpage, I have also experinced this.
I assume it is because its trying to access the site and then it switches to a different IP and the website no longer reconises the connection.
Is there a way to rectify this? and if not,
can i send all https traffic through one interface, eg bypass the pcc.

here's my mangle:

 0   ;;; Mark new inbound connection Telefonica1
     chain=input action=mark-connection new-connection-mark=Telefonica1 passthrough=yes 
     connection-state=new in-interface=Telefonica1 

 1   ;;; Mark new inbound connection Telefonica2
     chain=input action=mark-connection new-connection-mark=Telefonica2 passthrough=yes 
     connection-state=new in-interface=Telefonica2 

 2   ;;; Mark new inbound route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 passthrough=no 
     connection-state=new connection-mark=Telefonica1 

 3   ;;; Mark new inbound route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 passthrough=no 
     connection-state=new connection-mark=Telefonica2 

 4   ;;; Mark new established connection Telefonica1
     chain=prerouting action=mark-connection new-connection-mark=Telefonica1 
     passthrough=yes connection-state=established in-interface=Telefonica1 

 5   ;;; Mark new established connection Telefonica2
     chain=prerouting action=mark-connection new-connection-mark=Telefonica2 
     passthrough=yes connection-state=established in-interface=Telefonica2
 6   ;;; Mark new established route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 passthrough=no 
     connection-state=established connection-mark=Telefonica1 

 7   ;;; Mark new established route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 passthrough=no 
     connection-state=established connection-mark=Telefonica2 

 8   chain=prerouting action=mark-connection new-connection-mark=Telefonica1_pcc_conn 
     passthrough=yes dst-address-type=!local in-interface=ether2 
     per-connection-classifier=src-address-and-port:2/0 

 9   chain=prerouting action=mark-connection new-connection-mark=Telefonica2_pcc_conn 
     passthrough=yes dst-address-type=!local in-interface=ether2 
     per-connection-classifier=src-address-and-port:2/1 

10   chain=prerouting action=mark-routing new-routing-mark=Telefonica1 passthrough=yes 
     in-interface=ether2 connection-mark=Telefonica1_pcc_conn 

11   chain=prerouting action=mark-routing new-routing-mark=Telefonica2 passthrough=yes 
     in-interface=ether2 connection-mark=Telefonica2_pcc_conn

if you require any more info please let me know
Thankyou

magnavox · Thu Sep 03, 2009 11:21 pm

Make a rule to mark HTTPS traffic and redirige it to unique connectivity.

grescho · Thu Sep 03, 2009 11:42 pm

Make a rule to mark HTTPS traffic and redirige it to unique connectivity.

Is this the only solution? and if so, can you explain a bit further and possible give a script example. Whenever i try and make my own rules they never seem to work.

Thank you !!

magnavox · Fri Sep 04, 2009 12:01 am

Make a rule to mark HTTPS traffic and redirige it to unique connectivity.

Is this the only solution? and if so, can you explain a bit further and possible give a script example. Whenever i try and make my own rules they never seem to work.

Thank you !!

...
add action=mark-connection chain=prerouting comment=HTTPS_to_ADSL1 connection-state=new disabled=no dst-port=443 in-interface=\
  ether1 new-connection-mark=https passthrough=yes protocol=tcp src-address=xxx.xxx.xxx.xxx/xx src-port=1025-65535
add action=mark-routing chain=prerouting comment="" connection-mark=https disabled=no in-interface=ether1 new-routing-mark=ADSL1 passthrough=no
...

replace src-address=xxx.xxx.xxx.xxx/xx...

Chupaka · Fri Sep 04, 2009 2:08 am

grescho, simply change your per-connection-classifier to 'both-addresses' - then all should be okay. and it's more correct solution

NetworkPro · Fri Sep 04, 2009 4:17 am

I can confirm about what Chupaka is suggesting. Tested with serveral banking sites and other sites that remember the IP a user has logged in from. The new PCC set up as he says WORKS like a charm. All hail MikroTik. AND there is some free room for QoS contrary to what I've thought earlier.

omega-00 · Fri Sep 04, 2009 6:07 am

If you're breaking the logins due to PCC outbound balancing why not just use the both-addresses option to force connections to continue out the same connection for same IP?

If you do it for everything but https aren't you going to need further workarounds to deal with the "uh oh adsl1 is offline" issue?

Chupaka · Fri Sep 04, 2009 11:50 am

omega-00, thanks for describing my answer in detail

grescho · Fri Sep 04, 2009 11:49 pm

If you're breaking the logins due to PCC outbound balancing why not just use the both-addresses option to force connections to continue out the same connection for same IP?

If you do it for everything but https aren't you going to need further workarounds to deal with the "uh oh adsl1 is offline" issue?

sorry to be a pain, but how do I go about that? You'll have to assume i'm a complete idiot to be on the safe side.

thanks!

omega-00 · Sat Sep 05, 2009 4:46 am

omega-00, thanks for describing my answer in detail

bahah sorry I was replying to his without having read yours

But yeah, https works fine for me with the both-addresses option and has been working on one site for just over a 3 weeks now.

grescho · Fri Sep 11, 2009 8:59 pm

If you're breaking the logins due to PCC outbound balancing why not just use the both-addresses option to force connections to continue out the same connection for same IP?

If you do it for everything but https aren't you going to need further workarounds to deal with the "uh oh adsl1 is offline" issue?

Thanks for your help. all seems to be working much better now.
Just need some help with my web proxy if anyone has a spare minute. I did mention it earlier on in this topic and someone said its perfectly ok to implement a web proxy with PCC load balancing.
But whenever I enanble web proxy, all the web traffic directs through one connection, and the other is very rarely used afterwards.
Please can someone spot the mistake in my config Thank you!!!

Mangle:

0   ;;; Mark new inbound connection Telefonica1
     chain=input action=mark-connection new-connection-mark=Telefonica1 
     passthrough=yes connection-state=new in-interface=Telefonica1 

 1   ;;; Mark new inbound connection Telefonica2
     chain=input action=mark-connection new-connection-mark=Telefonica2 
     passthrough=yes connection-state=new in-interface=Telefonica2 

 2   ;;; Mark new inbound route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 
     passthrough=no connection-state=new connection-mark=Telefonica1 

 3   ;;; Mark new inbound route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 
     passthrough=no connection-state=new connection-mark=Telefonica2 

 4   ;;; Mark new established connection Telefonica1
     chain=prerouting action=mark-connection new-connection-mark=Telefonica1 
     passthrough=yes connection-state=established in-interface=Telefonica1 

 5   ;;; Mark new established connection Telefonica2
     chain=prerouting action=mark-connection new-connection-mark=Telefonica2 
passthrough=yes connection-state=established in-interface=Telefonica2 

 6   ;;; Mark new established route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 
     passthrough=no connection-state=established connection-mark=Telefonica1 

 7   ;;; Mark new established route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 
     passthrough=no connection-state=established connection-mark=Telefonica2 

 8   chain=prerouting action=mark-connection 
     new-connection-mark=Telefonica1_pcc_conn passthrough=yes 
     dst-address-type=!local in-interface=ether2 
     per-connection-classifier=both-addresses:2/0 

 9   chain=prerouting action=mark-connection 
     new-connection-mark=Telefonica2_pcc_conn passthrough=yes 
     dst-address-type=!local in-interface=ether2 
     per-connection-classifier=both-addresses:2/1 

10   chain=prerouting action=mark-routing new-routing-mark=Telefonica1 
     passthrough=yes in-interface=ether2 connection-mark=Telefonica1_pcc_conn

11   chain=prerouting action=mark-routing new-routing-mark=Telefonica2 
     passthrough=yes in-interface=ether2 connection-mark=Telefonica2_pcc_conn

NAT

0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   chain=srcnat action=masquerade src-address=192.168.88.0/24 
     out-interface=Telefonica1 

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 
     out-interface=Telefonica2 

 3 X ;;; Transparent Web Proxy
     chain=dstnat action=redirect to-ports=8080 protocol=tcp 
     in-interface=ether2 dst-port=80

Chupaka · Fri Sep 11, 2009 9:34 pm

add two more rules to your Mangle:

chain=output action=mark-routing 
     new-routing-mark=Telefonica1 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/0 

chain=output action=mark-routing 
     new-routing-mark=Telefonica2 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/1

grescho · Fri Sep 11, 2009 10:47 pm

add two more rules to your Mangle:

chain=output action=mark-routing 
     new-routing-mark=Telefonica1 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/0 

chain=output action=mark-routing 
     new-routing-mark=Telefonica2 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/1

Thanks for your help Chupaka, you are a very valuable member of this forum.

grescho · Sun Sep 13, 2009 12:00 am

add two more rules to your Mangle:

When i add these rules to the mangle, my clients seem to lose all conection to the internet, and I also loose communication with my radius server, which is on my local network..??

chain=output action=mark-routing 
     new-routing-mark=Telefonica1 
     dst-address=192.168.88.0/24
     per-connection-classifier=both-addresses:2/0 

chain=output action=mark-routing 
     new-routing-mark=Telefonica2 
     dst-address=192.168.88.0/24
     per-connection-classifier=both-addresses:2/1

did i do something wrong?

thanks

Chupaka · Sun Sep 13, 2009 6:11 pm

yes, you didn't notice '!' sign, should be

dst-address=!192.168.88.0/24

rainmaker · Mon Sep 14, 2009 5:12 am

Dear All
There have been examples of PCC match when the clients are on a single LAN or network.
Can some one convert one of these numerous examples to a network that uses pppoe or specify ip address.

Have been trying but get confused as to where to change the interface to ip address.

Any help or idea will be greatly be appreciated.

thanks in advance
Son of rainmaker

Mon Sep 14, 2009 8:39 am

There is no virtual difference - only limitation is that you just can't use in-interface (cause you have many).

1) you must make sure that you are working only with client's upload - in your case this can be achieved by filtering out all download traffic in beginning of mange - just use in-interface "public" to capture that traffic.
2) now you can use PCC for your upload with "Both-addresses"

petrik · Tue Sep 15, 2009 11:20 am

Hello, I have configured two RB450G (3.28) as VRRP HA cluster for LAN side. Each has 2 DSL lines using PPPoE and routers are connected to each other by dedicated cross ethernet line. It works very good, I only have to take care about outgoing traffic, mikrotik take care of incomming (related, established) automaticly. Master router divides traffic to two equal streams, one for his own two PPPoE GW, second for slave router, so all 4 DSL lines are used. Our LAN generates lots of connections to different servers, so load ballancing woks miraculously thanks to PCC matcher. I am using both addresses and have no problem with any application or web server or any other service at all.
I had to make simple script on slave router to route traffic back to master while in slave mode and when he become master (after master failure) he have to start routing directly to LAN. VRRP implementation is little weird (there has to be IP of the same subnet on parrent physical interface, which causes problems with rouing to master), but it works well

As a result I have NO SINGLE POINT OF FAILURE and if any DSL line fails, "using check GW" redirect traffic to other one. This is possible only because it is possible to use routing interface instead of GW IP, which is not possible due to dynamic DSL addresses. Great job MikroTik team!! I think this setup is the holly grail of load ballancing using cheap DSL lines, if requested I can share more details.

interpoint · Wed Sep 16, 2009 11:05 am

Guys, many thanks for the configs that have been evolving over the course of this thread.

They have been very usefull and I would like to contribute back something.

I have implemented the following system in a 400 user complex.

I have this type of setup:

Clients x 400------>10 x VLANS ---->Router A (RB600) Hotspot Gateway ---->10.2.0.0/30------>Router B (RB433AH) with 4 x PPPoE DSL Clients to ISP, NAT, PCC and ECMP Load Balancing ------>Internet

This is my config for the 433AH and all is working fine. Failover, Skype, HTTPS etc.. All good.

I decided to split the job between the two routers to keep things simple. BTW there is OSPF running between the 433AH and the RB600 to ensure routes are populated upto the NAT gateway on the 433AH. If anyone wants the RB600 config no prob but it is not relevent to this thread as it is effectively carrying out queue and DHCP functions only.

Router B config.

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out3
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out4

/ip firewall filter
add action=drop chain=forward comment="" connection-state=invalid disabled=no

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe1_conn \
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe2_conn \
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out3 new-connection-mark=pppoe3_conn \
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out4 new-connection-mark=pppoe4_conn \
passthrough=yes

/ip firewall mangle
add action=mark-routing chain=output comment="" connection-mark=pppoe1_conn disabled=no new-routing-mark=to_pppoe1 \
passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=pppoe2_conn disabled=no new-routing-mark=to_pppoe2 \
passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=pppoe3_conn disabled=no new-routing-mark=to_pppoe3 \
passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=pppoe4_conn disabled=no new-routing-mark=to_pppoe4 \
passthrough=yes

/ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=10.2.0.0/30 in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=83.71.aaa.aaa in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.bbb.bbb in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ccc.ccc in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ddd.ddd in-interface=ether6

/ip firewall mangle
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe1_conn passthrough=yes per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe2_conn passthrough=yes per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe3_conn passthrough=yes per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe4_conn passthrough=yes per-connection-classifier=both-addresses:4/3

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe1_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe2_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe3_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe3 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe4_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe4 passthrough=yes

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_pppoe2
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out4 routing-mark=to_pppoe4
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_pppoe1
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=to_pppoe3

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2,pppoe-out3,pppoe-out4,pppoe-out1

/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether2 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 profile=default service-name="" \
use-peer-dns=no
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether3 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out2 profile=default service-name="" \
use-peer-dns=no
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether4 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out3 profile=default service-name="" \
use-peer-dns=no
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether5 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out4 profile=default service-name="" \
use-peer-dns=no

petrik · Tue Sep 22, 2009 12:54 pm

2 interpoint: and what happens when your RB600 dies? Try VRRP with two boxes, it is really great!

godovic · Fri Oct 02, 2009 1:04 pm

mikrotik RB493AH with RouterOS 3.30

Have problem with cable modem route.
The route is blue in winbox, and there is no traffic. I tried to set Modem as DHCP client and get the same addresses as I manually entered before.
I am using open dns - for dns servers.
The gateway stays as unreachable.

addresses

 
#   ADDRESS          NETWORK          BROADCAST          INTERFACE 
0  192.168.1.1/24   192.168.1.0      192.168.1.255        LOCAL
1  21*.13.82.58/29  21*.13.82.56    21*.13.82.63         WAN2
2  *78.157.13.39/24 *78.157.13.0  *78.157.13.255       WAN3
3 D*77.28.18.50/32  *77.28.0.1           0.0.0.0            WAN1 

mangle
1   chain=input action=mark-connection new-connection-mark=WAN1_conn passthrough=yes in-interface=WAN1 
2   chain=input action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=WAN2 
3   chain=input action=mark-connection new-connection-mark=WAN3_conn passthrough=yes in-interface=WAN3 
4   chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn 
5   chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn 
6   chain=output action=mark-routing new-routing-mark=to_WAN3 passthrough=yes connection-mark=WAN3_conn 
7   chain=prerouting action=accept dst-address=21*.13.64.0/19 in-interface=LOCAL 
8   chain=prerouting action=accept dst-address=*78.157.13.0/24 in-interface=LOCAL 
9   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local in-interface=LOCAL per-connection-classifier=both-addresses:3/0
10 chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=LOCAL per-connection-classifier=both-addresses:3/1
11 chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes dst-address-type=!local in-interface=LOCAL per-connection-classifier=both-addresses:3/2
12 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=LOCAL connection-mark=WAN1_conn
13 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes in-interface=LOCAL connection-mark=WAN2_conn
14 chain=prerouting action=mark-routing new-routing-mark=to_WAN3 passthrough=yes in-interface=LOCAL connection-mark=WAN3_conn

NAT
0   chain=srcnat action=masquerade out-interface=WAN1
1   chain=srcnat action=masquerade out-interface=WAN2
2   chain=srcnat action=masquerade out-interface=WAN3 

Route
#DST-ADDRESS         PREF-SRC          GATEWAY-STATE          GATEWAY         DISTANCE         INTERFACE  
0 AS 0.0.0.0/0                                       reachable             21*.13.82.57           1                    WAN2       
1 S   0.0.0.0/0                                      unreachable          *78.157.13.1            1                    WAN3       
2 AS 0.0.0.0/0                                       reachable               *77.28.0.1             1                   WAN1       
3 AS 0.0.0.0/0                                       reachable             21*.13.82.57            1                   WAN2       
4 S   0.0.0.0/0                                     unreachable            *78.157.13.1            3                   WAN3       
5 S   0.0.0.0/0                                        reachable               *77.28.0.1            2                  WAN1       
6 ADC *77.28.0.1/32      *77.28.18.50                                                               0                   WAN1       
7 ADC *78.157.13.0/24   *78.157.13.39                                                             0                   WAN3       
8 ADC 192.168.1.0/24      192.168.1.1                                                               0                   LOCAL      
9 ADC 21*.13.82.56/29    21*.13.82.58                                                              0                  WAN2

Chupaka · Fri Oct 02, 2009 4:08 pm

/ip route export

but I think you need to assign routing-marks to your routes...

godovic · Fri Oct 02, 2009 4:10 pm

Code: Select all
/ip route export
but I think you need to assign routing-marks to your routes...

/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=21*.13.82.57 routing-mark=to_WAN2 scope=30 \
target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=*78.157.13.1 routing-mark=to_WAN3 scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=*77.28.0.1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=21*.13.82.57 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=3 dst-address=\
0.0.0.0/0 gateway=*78.157.13.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=*77.28.0.1 scope=30 target-scope=10

Chupaka · Fri Oct 02, 2009 4:18 pm

can you ping *78.157.13.1?.. route #4 should be inactive, it's backup

godovic · Fri Oct 02, 2009 10:43 pm

can you ping *78.157.13.1?.. route #4 should be inactive, it's backup

nope, cannot ping nothing... If I run traceroute with connection mark wan1 or wan2 to some address it is ok, but if I run with connection mark wan3 the route goes trough backup wan2.
I cannot understand why I cannot ping gateway that is assigned automatically from the provider’s DHCP server

update!! I am on the same provider at home, and cannot ping the gateway too which is differnet from the one at work

So how can I activate that route - I cannot belevie

Chupaka · Fri Oct 02, 2009 11:07 pm

maybe, you should change 'check-gateway=ping' to 'check-gateway=arp' or even remove this check?

godovic · Fri Oct 02, 2009 11:37 pm

maybe, you should change 'check-gateway=ping' to 'check-gateway=arp' or even remove this check?

tnx

but that does not solve the problem, I set up gateway interface WAN3 without gateway IP and now trafic start to flow..

godovic · Thu Oct 15, 2009 4:51 pm

little confused about passthrough...

when should I use passthrough enabled? @ the wiki PCC website there is no explicit yes or no, and reading other forums or web site I can find different setups.

At the PCC wiki website, passthrought=yes is defined only on this line:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes

Should be on all other lines set to no? (unchecked in winbox)

tnx

hilton · Thu Oct 15, 2009 5:24 pm

My understanding of 'passthrough' is this;

If you want the firewall to continue to find and match further/more packets based on the criteria in the current rule then you need to tick 'passthrough'.

If you are happy that the firewall has matched all you need then you may untick 'passthrough'.

Here's an example;

18   ;;; routing mark for http
     chain=prerouting action=mark-routing new-routing-mark=http 
     passthrough=yes protocol=tcp dst-port=80 

19   ;;; routing mark for http-local
     chain=prerouting action=mark-routing new-routing-mark=http-local 
     passthrough=no protocol=tcp dst-address-list=sa_ip dst-port=80

After matching packets with a destination address of port 80 I marked the packet but I still needed further matching so I had to enable 'passthrough'.

Billal · Sat Nov 07, 2009 10:19 am

Hi,

Can we use PCC with Web-Proxy?

I have 3 WAN,
R OS, 3.30
RB 450G

LoadBalance working fine with PCC

how can i use WebProxy?, you have any other ida for use Proxy server
may be is so simple for you but not simple for me, can you help me?

thanks

hilton · Sat Nov 07, 2009 12:06 pm

Hi,

Can we use PCC with Web-Proxy?

The answer to this can be found right here in this thread. Page 2, under one of Chupaka's posts.

Billal · Sat Nov 07, 2009 12:57 pm

Hi,

Can we use PCC with Web-Proxy?

The answer to this can be found right here in this thread. Page 2, under one of Chupaka's posts.

Thanks for reply
Chupaka sys: you should use 'Mangle Output' to redistribute proxy's output between different routing marks
but i cant understand, ther no have example or clear Explation wich can understand bigners

any one have any configuratin for wbproxy on PCC please past hare

thanks

Chupaka · Sat Nov 07, 2009 1:43 pm

with my eyes shut:

/ip firewall mangle
add chain=output per-connection-classifier=dst-address:2/0 action=mark-routing new-routing-mark=table1 disabled=no
add chain=output per-connection-classifier=dst-address:2/1 action=mark-routing new-routing-mark=table2 disabled=no

Billal · Sat Nov 07, 2009 2:15 pm

with my eyes shut:

/ip firewall mangle
add chain=output per-connection-classifier=dst-address:2/0 action=mark-routing new-routing-mark=table1 disabled=no
add chain=output per-connection-classifier=dst-address:2/1 action=mark-routing new-routing-mark=table2 disabled=no

Thanks Chupaka

Please if you dont mind,

wher we put your 2 lines before this? after this? or replace this
/ip firewall mangle
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

Again thanks

NetworkPro · Sat Nov 07, 2009 2:20 pm

With my eyes very very widely open!!!

http://forum.mikrotik.com/viewtopic.php ... 72#p169172 (complete config with a little comments that may explain it, or may confuse you LOL

)

Billal · Sat Nov 07, 2009 3:35 pm

With my eyes very very widely open!!! http://forum.mikrotik.com/viewtopic.php ... 72#p169172 (complete config with a little comments that may explain it, or may confuse you LOL )

Thanks NetworkPro

Nice way to Explain to a bigner
i find one thing in your that post
http://wiki.mikrotik.com/wiki/NetworkPr ... ATed_Links
in that post one thing is missing, you not wright there Firewall Address List but you use name of address list clients in mangle address-list=clients
please explain Address List clients if you dont mind

Thanks

NetworkPro · Sat Nov 07, 2009 4:05 pm

in ROS v3 I use IP-> Firewall->Address List to manage groups of IP addresses for use with Manlge, NAT and Firewall. PPP can add the IPs of the clients to an address list automatically. This kind of stuff is explained in the manual and wiki

Billal · Sat Nov 07, 2009 4:19 pm

in ROS v3 I use IP-> Firewall->Address List to manage groups of IP addresses for use with Manlge, NAT and Firewall. PPP can add the IPs of the clients to an address list automatically. This kind of stuff is explained in the manual and wiki

Thanks for reply
i am also using Ip/Firewall/Address List, i know what is this but my Qui is wich ip Address you used in name of clients

i reed your complet configuration, but there no have ip>firewall>address list
if you wright there address-list also then may helpful for bigners

thanks

petrik · Thu Nov 12, 2009 6:38 pm

Hello guys, I have a problem with policy rounting and PCC matcher. I have very nice setup with two routers in HA VRRP cluster and PCC over 4 different DSLs (2 in each router), everythings working nicely, except I want to use some VPNs iniciated from one of the router and I want either to use PCC to choose DSL or manually set which DSL will particullar VPN use. I tried it with Output mangle connection mark rule and also with prerouting, but it doesnt work, all VPNs goes through only one (first) DSL line

Do you have any ideas how to correctly set policy routing for conections iniciated from localhost? thanks a lot

Chupaka · Thu Nov 12, 2009 10:41 pm

until you cannot set local address - you cannot select output interface, as far as I remember...

anyway, could you please be more detailed in your setup? config, etc...

petrik · Fri Nov 13, 2009 1:54 pm

The question shrinked to this: if I am using only policy rounting with connection marking and routes only with routing mark, i.e. no normal default route (all 0/0 routes has some routing mark set), how do I match and mark connections from localhost to internet like ping or VPN? Output in mangle doesnt work as well as prerouting.

Chupaka · Fri Nov 13, 2009 2:18 pm

if you don't have a default route in main routing table - then any local-originated connections will fail, afair - you need to add any default gateway, and then use output mangling (see Routing Adjustment block in http://wiki.mikrotik.com/wiki/Packet_Flow )

petrik · Fri Nov 13, 2009 6:06 pm

thnx for reply, I just learn by experience that I really need some default GW, but even with it, I still cannot force any local-originated to go through some other route than is the default one

I tried output rule in mangle, with and with out local host address 127.0.0.1, even with some concrete destination IP, I think I tried almost everythink but it still goes through the default gw

Chupaka · Fri Nov 13, 2009 7:23 pm

[admin@MikroTik] > tool traceroute ya.ru max-hops=4
     ADDRESS                                    STATUS
   1  192.168.16.250 2ms 2ms 10ms 
   2   192.168.0.200 9ms 10ms 12ms 
   3   192.168.0.200 6ms 11ms 10ms network unreachable
   4   192.168.0.200 14ms 6ms 53ms network unreachable
max-hops reached
[admin@MikroTik] > /ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.16.141 routing-mark=preved
[admin@MikroTik] > /ip firewall mangle add chain=output action=mark-routing new-routing-mark=preved 
[admin@MikroTik] > tool traceroute ya.ru max-hops=4
     ADDRESS                                    STATUS
   1  192.168.16.141 5ms 7ms 10ms 
   2  192.168.16.250 11ms 9ms 1ms 
   3   192.168.0.200 6ms 7ms 5ms 
   4   192.168.0.200 4ms 19ms 11ms network unreachable
max-hops reached
[admin@MikroTik] >

pacella · Sat Nov 14, 2009 8:23 am

What is the best firewall you used for windows xp? I have been testing several versions of firewall, bitdefender, kaspersky, kerio, sunbelt, and some more. For now, I find that Bitdefender wins the gold medal, in my opinion. But still the antivirus within Bitdefender is not that powerful. I installed Avast 4 and tried to use only the firewall in bitdefender (disabling the antivirus of bitdefender) but conflicts happen between the two softwares when loading windows. Do you people, know the best firewall please?
____________________
asian matrimonial

MrIC · Sun Nov 15, 2009 6:01 pm

i have to lines with load balance PCC but there is problem that hot spot doesn't redirect automatic , i have to write 10.5.50.1 in my browser to login .
my config :

/ ip address
add address=10.5.50.1/24 network=10.5.50.0 broadcast=10.5.50.255 interface=Local
add address=192.168.1.5/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.0.5/24 network=192.168.0.0 broadcast=192.168.0.255 interface=WAN2

/ ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=WAN2
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=WAN2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=2 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

some guy told me to change those lines :

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

to those one :

add chain=prerouting dst-address-type=!local hotspot=auth in-interface=Local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local hotspot=auth in-interface=Local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

but i got another problem , clients log in but they use only one line .

so can someone help me in this ?

jirristols · Wed Nov 25, 2009 11:40 am

To anyone still reading this, but especially to interpoint regarding his mangle rules here:

/ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=10.2.0.0/30 in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=83.71.aaa.aaa in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.bbb.bbb in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ccc.ccc in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ddd.ddd in-interface=ether6

The dst-address fields that I made blue, they look like public IP addresses of the PPPoE accounts, and they look like they would be static, what would I need to do if my Public IP's were Dynamic? Is there a way around this or do I have to use a script to find my public addresses and add them into the dst-address fields. I really would rather not try to mess around with a script if I don't have to.

Please if anyone can help!

Chupaka · Wed Nov 25, 2009 12:43 pm

jirristols, where did you find that rules? and where's PCC? =)