can't make PCC and Port Forward work together

Gibzon · Sun Jan 18, 2015 2:41 am

Hello people, i searched the forum but i couldn't find a fix that worked for me so i decided to open a new thread.

currently i have two mikrotik routers connected together via ethernet, like this:

INTERNET (6 ADSL LINES) --> RB2011iL (PCC+NAT) --> RB450G (QUEUES+WEBPROXY) --> SWITCH --> USERS

my problem is i can't reach the rb450g (172.16.0.10) over the internet when i port forward from the rb2011il.

this is the rb2011il config:

# jan/17/2015 21:32:06 by RouterOS 6.23
/ip address
add address=172.16.0.1/24 interface="ether1 - SALIDA" network=172.16.0.0

/ip firewall address-list
add address=172.16.0.0/24 list=LAN_NAT

/ip firewall filter
add chain=input dst-port=8291 protocol=tcp
add chain=input dst-port=53 protocol=udp
add chain=input dst-port=80 protocol=tcp
add chain=forward dst-port=53 protocol=udp

/ip firewall mangle
add chain=input comment=TEST disabled=yes in-interface="ether1 - SALIDA"
add action=mark-connection chain=input comment=Entrantes in-interface=\
    pppoe-out1 new-connection-mark=pppoe-out1_conn
add action=mark-connection chain=input in-interface=pppoe-out2 \
    new-connection-mark=pppoe-out2_conn
add action=mark-connection chain=input in-interface=pppoe-out3 \
    new-connection-mark=pppoe-out3_conn
add action=mark-connection chain=input in-interface=pppoe-out4 \
    new-connection-mark=pppoe-out4_conn
add action=mark-connection chain=input in-interface=pppoe-out5 \
    new-connection-mark=pppoe-out5_conn
add action=mark-connection chain=input in-interface=pppoe-out6 \
    new-connection-mark=pppoe-out6_conn
add action=mark-routing chain=output connection-mark=pppoe-out1_conn \
    new-routing-mark=to_pppoe-out1 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe-out2_conn \
    new-routing-mark=to_pppoe-out2 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe-out3_conn \
    new-routing-mark=to_pppoe-out3 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe-out4_conn \
    new-routing-mark=to_pppoe-out4 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe-out5_conn \
    new-routing-mark=to_pppoe-out5 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe-out6_conn \
    new-routing-mark=to_pppoe-out6 passthrough=no
add action=mark-routing chain=prerouting comment=TEST2 disabled=yes \
    in-interface=pppoe-out1 new-routing-mark=to_pppoe-out1 passthrough=no
add action=mark-routing chain=prerouting dst-address-list=!LAN_NAT \
    in-interface="ether1 - SALIDA" new-routing-mark=to_pppoe-out1 \
    passthrough=no per-connection-classifier=both-addresses:7/0 \
    src-address-list=LAN_NAT
add action=mark-routing chain=prerouting dst-address-list=!LAN_NAT \
    in-interface="ether1 - SALIDA" new-routing-mark=to_pppoe-out1 \
    passthrough=no per-connection-classifier=both-addresses:7/1 \
    src-address-list=LAN_NAT
add action=mark-routing chain=prerouting dst-address-list=!LAN_NAT \
    in-interface="ether1 - SALIDA" new-routing-mark=to_pppoe-out2 \
    passthrough=no per-connection-classifier=both-addresses:7/2 \
    src-address-list=LAN_NAT
add action=mark-routing chain=prerouting dst-address-list=!LAN_NAT \
    in-interface="ether1 - SALIDA" new-routing-mark=to_pppoe-out3 \
    per-connection-classifier=both-addresses:7/3 src-address-list=LAN_NAT
add action=mark-routing chain=prerouting dst-address-list=!LAN_NAT \
    in-interface="ether1 - SALIDA" new-routing-mark=to_pppoe-out4 \
    per-connection-classifier=both-addresses:7/4 src-address-list=LAN_NAT
add action=mark-routing chain=prerouting dst-address-list=!LAN_NAT \
    in-interface="ether1 - SALIDA" new-routing-mark=to_pppoe-out5 \
    per-connection-classifier=both-addresses:7/5 src-address-list=LAN_NAT
add action=mark-routing chain=prerouting dst-address-list=!LAN_NAT \
    in-interface="ether1 - SALIDA" new-routing-mark=to_pppoe-out6 \
    per-connection-classifier=both-addresses:7/6 src-address-list=LAN_NAT

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pppoe-out3
add action=masquerade chain=srcnat out-interface=pppoe-out4
add action=masquerade chain=srcnat out-interface=pppoe-out5
add action=masquerade chain=srcnat out-interface=pppoe-out6
add action=dst-nat chain=dstnat dst-port=1414 in-interface="!ether1 - SALIDA" \
protocol=tcp to-addresses=172.16.0.10 to-ports=80

/ip route
add distance=1 gateway=pppoe-out1 routing-mark=to_pppoe-out1
add distance=1 gateway=pppoe-out2 routing-mark=to_pppoe-out2
add distance=1 gateway=pppoe-out3 routing-mark=to_pppoe-out3
add distance=1 gateway=pppoe-out4 routing-mark=to_pppoe-out4
add distance=1 gateway=pppoe-out5 routing-mark=to_pppoe-out5
add distance=1 gateway=pppoe-out6 routing-mark=to_pppoe-out6
add distance=1 gateway=pppoe-out1
add distance=5 gateway=pppoe-out2
add distance=10 gateway=pppoe-out3
add distance=15 gateway=pppoe-out4
add distance=15 gateway=pppoe-out5
add distance=15 gateway=pppoe-out6
add check-gateway=ping distance=30 gateway=192.168.1.1
add check-gateway=ping distance=30 gateway=192.168.2.1
add check-gateway=ping distance=30 gateway=192.168.3.1
add check-gateway=ping distance=30 gateway=192.168.4.1
add check-gateway=ping distance=30 gateway=192.168.5.1
add check-gateway=ping distance=30 gateway=192.168.6.1
add distance=1 dst-address=10.10.37.0/24 gateway=10.10.37.10 scope=255

hope someone can give me some help on this

ronix · Sun Jan 18, 2015 10:12 am

please try to put :

ros code

add action=dst-nat chain=dstnat dst-port=1414 in-interface="!ether1 - SALIDA" \
protocol=tcp to-addresses=172.16.0.10 to-ports=80

as first in NAT

when I used PCC with 2 WANs it worked with out problem

Gibzon · Sun Jan 18, 2015 3:01 pm

ronix, tried what you said with no luck

anything else it might be the issue?

ronix · Sun Jan 18, 2015 9:11 pm

then use one of your real IP instead of "!ether1 - SALIDA"

Gibzon · Mon Jan 19, 2015 4:16 am

sorry but not working either.

i think i have something wrong on my mangle rules but can't figure out what

Caci99 · Mon Jan 19, 2015 12:45 pm

Try with a general masquerade rule:

/ip firewall nat
add chain=srcnat action=masquerade

leave the other masquerade rules, but disable them for the purpose of testing.

Gibzon · Mon Jan 19, 2015 7:54 pm

Caci99 thank you! its working now

what is the difference between one general masquerade rule and individual ones?

Caci99 · Mon Jan 19, 2015 9:57 pm

Well, masquerade substitutes the source address with the one of the interface the packet is leaving. I am not sure why this helps your case, looks like the router does not keep track from where the connection is coming and does not reply from the same gateway. Masquerade helps it ( I don't know how precisely

)