 
kenyloveg

my PCC dual wan initial setup won't work

Tue Feb 02, 2016 1:35 pm

Hi, guys
I'm considering changing my router from "Tomato" to a Routerboard 493AH with an R52H installed; below are my configurations. Would you take a look at them? Thanks.

WAN1 IP address is "112.65.129.178/30" with gateway "112.65.129.177"; WAN2 IP address is "140.206.103.134/30" with gateway "140.206.103.133"; the DNS servers are "140.207.198.6" and "223.6.6.6"; the local LAN is "192.168.100.0/24", switched on ether2-6 with ether2-lan as master port, and wlan1 is bridged with ether2-lan.
[admin@MikroTik] > interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0     name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1526 mac-address=00:0C:42:75:C3:E4 fast-path=no link-downs=0 

 1  RS name="ether2-lan" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:E5 fast-path=no 
       last-link-up-time=feb/02/2016 17:03:50 link-downs=0 

 2   S name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:E6 fast-path=no link-downs=0 

 3   S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:E7 fast-path=no link-downs=0 

 4   S name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:E8 fast-path=no link-downs=0 

 5   S name="ether6" default-name="ether6" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:E9 fast-path=no link-downs=0 

 6  R  name="ether7-wan1" default-name="ether7" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:EA fast-path=no 
       last-link-up-time=feb/02/2016 17:03:50 link-downs=0 

 7  R  name="ether8-wan2" default-name="ether8" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:EB fast-path=no 
       last-link-up-time=feb/02/2016 17:03:50 link-downs=0 

 8     name="ether9" default-name="ether9" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1522 max-l2mtu=1522 mac-address=00:0C:42:75:C3:EC fast-path=no link-downs=0 

 9   S name="wlan1" default-name="wlan1" type="wlan" mtu=1500 actual-mtu=1500 l2mtu=1600 max-l2mtu=2290 mac-address=00:0C:42:69:61:A1 fast-path=yes link-downs=0 

10  R  name="bridge1" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1522 mac-address=00:0C:42:75:C3:E5 fast-path=yes last-link-up-time=feb/02/2016 17:03:47 link-downs=0
[admin@MikroTik] > interface bridge port print detail 
Flags: X - disabled, I - inactive, D - dynamic 
 0    interface=ether2-lan bridge=bridge1 priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no 

 1 I  interface=wlan1 bridge=bridge1 priority=0x80 path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none auto-isolate=no 

[admin@MikroTik] > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.100.1/24 network=192.168.100.0 interface=bridge1 actual-interface=bridge1 

 1   address=112.65.129.178/30 network=112.65.129.176 interface=ether7-wan1 
     actual-interface=ether7-wan1 

 2   address=140.206.103.134/30 network=140.206.103.132 interface=ether8-wan2 
     actual-interface=ether8-wan2
[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=112.65.129.177 
        gateway-status=112.65.129.177 reachable via  ether7-wan1 check-gateway=ping distance=1 
        scope=30 target-scope=10 routing-mark=wan1_route 

 1 A S  dst-address=0.0.0.0/0 gateway=140.206.103.133 
        gateway-status=140.206.103.133 reachable via  ether8-wan2 check-gateway=ping distance=2 
        scope=30 target-scope=10 routing-mark=wan2_route 

 2 ADC  dst-address=112.65.129.176/30 pref-src=112.65.129.178 gateway=ether7-wan1 
        gateway-status=ether7-wan1 reachable distance=0 scope=10 

 3 ADC  dst-address=140.206.103.132/30 pref-src=140.206.103.134 gateway=ether8-wan2 
        gateway-status=ether8-wan2 reachable distance=0 scope=10 

 4 ADC  dst-address=192.168.100.0/24 pref-src=192.168.100.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10
[admin@MikroTik] > ip dns print
                servers: 140.207.198.6,223.6.6.6
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 9KiB
[admin@MikroTik] > ip dhcp-server print detail 
Flags: X - disabled, I - invalid 
 0   name="dhcp1" interface=bridge1 lease-time=1d address-pool=dhcp_pool1 bootp-support=static 
     authoritative=after-2sec-delay lease-script="" 

[admin@MikroTik] > ip firewall nat print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=src-nat to-addresses=112.65.129.178 out-interface=ether7-wan1 log=no log-prefix="" 

 1    chain=srcnat action=src-nat to-addresses=140.206.103.134 out-interface=ether8-wan2 log=no log-prefix="" 
[admin@MikroTik] > ip firewall mangle print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=accept dst-address-type=!local per-connection-classifier=both-addresses:2/0 log=no log-prefix="" 

 1    chain=prerouting action=accept dst-address-type=!local per-connection-classifier=both-addresses:2/1 log=no log-prefix="" 

 2    chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=bridge1 per-connection-classifier=both-addresses:2/0 log=no log-prefix="" 

 3    chain=prerouting action=mark-routing new-routing-mark=wan1_conn passthrough=yes in-interface=bridge1 connection-mark=wan1_conn log=no log-prefix="" 

 4    chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=bridge1 per-connection-classifier=both-addresses:2/1 log=no log-prefix="" 

 5    chain=prerouting action=mark-routing new-routing-mark=wan2_conn passthrough=yes in-interface=bridge1 connection-mark=wan2_conn log=no log-prefix="" 

 6    chain=input action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=ether7-wan1 log=no log-prefix="" 

 7    chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=ether8-wan2 log=no log-prefix="" 

 8    chain=output action=mark-routing new-routing-mark=wan1_route passthrough=yes connection-mark=wan1_conn log=no log-prefix="" 

 9    chain=output action=mark-routing new-routing-mark=wan2_route passthrough=yes connection-mark=wan2_conn log=no log-prefix="" 
The result is, I can't surf web, even can't ping DNS servers.
Even if PCC works, i still need to implement uPnP/VPN/Port Forwarding on both wan connection...
Thanks in advance.
 
Caci99

Re: my PCC dual wan initial setup won't work

Tue Feb 02, 2016 2:42 pm

First, how are the two connections provided to you in terms of bandwidth and latency? If they are not symmetrical you will have problems. By symmetrical I mean they should have more or less the same latency and equal down/up bandwidth, or one should be a multiple of the other.
Second, the DNS servers should be public ones, not those of your two providers. This is because ISPs usually block access to their DNS servers when the request comes from outside their own IP range.
Since you are allowing remote DNS requests on your router, you should block access to its DNS cache from the outside (this is important): with allow-remote-requests=yes and no input filter, the router answers DNS queries arriving on both WAN addresses, i.e. it is an open resolver that anyone on the internet can use.

Now to your config: there are a couple of mistakes. In the PCC config:
[admin@MikroTik] > ip firewall mangle print detail
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=prerouting action=accept dst-address=112.65.129.176/30 in-interface=bridge1

 1    chain=prerouting action=accept dst-address=140.206.103.132/30 in-interface=bridge1

 2    chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=bridge1 per-connection-classifier=both-addresses:2/0 log=no log-prefix=""

 3    chain=prerouting action=mark-routing new-routing-mark=wan1_conn passthrough=no in-interface=bridge1 connection-mark=wan1_conn log=no log-prefix=""

 4    chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=bridge1 per-connection-classifier=both-addresses:2/1 log=no log-prefix=""

 5    chain=prerouting action=mark-routing new-routing-mark=wan2_conn passthrough=no in-interface=bridge1 connection-mark=wan2_conn log=no log-prefix=""

 6    chain=input action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=ether7-wan1 log=no log-prefix=""

 7    chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=ether8-wan2 log=no log-prefix=""

 8    chain=output action=mark-routing new-routing-mark=wan1_route passthrough=no connection-mark=wan1_conn log=no log-prefix=""

 9    chain=output action=mark-routing new-routing-mark=wan2_route passthrough=no connection-mark=wan2_conn log=no log-prefix=""
In the routing table you should also add default routes without a routing mark, so that connections originating from the router itself can reach the internet:
/ip route
add dst-address=0.0.0.0/0 gateway=112.65.129.177 distance=1
add dst-address=0.0.0.0/0 gateway=140.206.103.133 distance=5 
And the masquerade rules:
/ip firewall mangle
add chain=prerouting out-interface=ether7-wan1 action=masquerade
add chain=prerouting out-interface=ether8-wan2 action=masquerade
The protection of your DNS cache:
/ip firewall filter
add chain=input in-interface=ether7-wan1 protocol=tcp dst-port=53 action=drop
add chain=input in-interface=ether7-wan1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether8-wan2 protocol=tcp dst-port=53 action=drop
add chain=input in-interface=ether8-wan2 protocol=udp dst-port=53 action=drop
Try it and see if it works.
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Tue Feb 02, 2016 3:07 pm

Hi, @Caci99
Thanks for your quick reply. My 2 WANs come from the same ISP with exactly the same bandwidth and latency.
For the NAT, I intend to use the src-nat method because I have static WAN IPs; I hope that is better than masquerade.
I'm getting confused about the interface layout: if I set the DHCP server to run on ether2-lan it won't work until I change its interface to bridge1. Also, when adding an IP route gateway I can't choose which interface it uses... The guides on the internet look different from what I see in Winbox 3.1 with ROS 6.4...
 
Caci99

Re: my PCC dual wan initial setup won't work

Tue Feb 02, 2016 3:18 pm

My 2 WANs come from same ISP with exact same bandwidth and latency.
That's very good for PCC
For the masquerade, i do intend to use src-nat method cuz i have static wan ip, hope it should be better than masquerade.
Choose which one you prefer, it is basically the same.
if i set dhcp server running on ether2-lan, it won't work untill change running interface to bridge1
That is expected: ether2 is a port of bridge1, and so are its slave interfaces, so the DHCP server has to be bound to bridge1.
Others like add ip route gateway can't choose which interface
Don't quite get what you mean.

Anyway, have you given a try to the PCC rules?
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Tue Feb 02, 2016 3:32 pm

Nah, home now, will try it tomorrow. I'll let you know if it works or not.
Thank you.
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Wed Feb 03, 2016 11:14 am

Hi, @Caci99
It's not working; below is the exported config:
[admin@MikroTik] > export hide-sensitive 
# feb/03/2016 16:54:16 by RouterOS 6.34
# software id = XXXX-XXXX
#
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 antenna-mode=rxa-txb disabled=no frequency=auto max-station-count=32 mode=ap-bridge wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether3 ] master-port=ether2-lan
set [ find default-name=ether4 ] master-port=ether2-lan
set [ find default-name=ether5 ] master-port=ether2-lan
set [ find default-name=ether6 ] master-port=ether2-lan
set [ find default-name=ether7 ] name=ether7-wan1
set [ find default-name=ether8 ] name=ether8-wan2
/interface wireless nstreme
set wlan1 enable-polling=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys
/ip pool
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=1d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2-lan
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
add address=112.65.129.178/30 interface=ether7-wan1 network=112.65.129.176
add address=140.206.103.134/30 interface=ether8-wan2 network=140.206.103.132
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=140.207.198.6,223.6.6.6 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=140.207.198.6,223.6.6.6
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether7-wan1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether7-wan1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether8-wan2 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether8-wan2 protocol=udp
/ip firewall mangle
add chain=prerouting dst-address=112.65.129.176/30 in-interface=bridge1 per-connection-classifier=both-addresses:2/0
add chain=prerouting dst-address=140.206.103.132/30 in-interface=bridge1 per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting in-interface=bridge1 new-connection-mark=wan1_conn per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge1 new-routing-mark=wan1_conn passthrough=no
add action=mark-connection chain=prerouting in-interface=bridge1 new-connection-mark=wan2_conn per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge1 new-routing-mark=wan2_conn passthrough=no
add action=mark-connection chain=input in-interface=ether7-wan1 new-connection-mark=wan1_conn
add action=mark-connection chain=input in-interface=ether8-wan2 new-connection-mark=wan2_conn
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_route passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_route passthrough=no
/ip firewall nat
add action=masquerade chain=prerouting out-interface=ether7-wan1
add action=masquerade chain=prerouting out-interface=ether8-wan2
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=112.65.129.177 routing-mark=wan1_route
add distance=1 gateway=140.206.103.133 routing-mark=wan2_route
add distance=1 gateway=140.206.103.133
add distance=1 gateway=112.65.129.177
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Asia/Shanghai
/system routerboard settings
set cpu-frequency=800MHz
/tool bandwidth-server
set enabled=no
The attached image shows the router can ping the DNS servers now, but only if I choose wan2 as the source interface, and I still can't ping the DNS servers from my laptop.
Waiting for your reply, thanks.
 
Caci99

Re: my PCC dual wan initial setup won't work

Wed Feb 03, 2016 11:51 am

In the first two mangle rules, remove the per-connection-classifier part:
/ip firewall mangle
add chain=prerouting dst-address=112.65.129.176/30 in-interface=bridge1 per-connection-classifier=both-addresses:2/0
add chain=prerouting dst-address=140.206.103.132/30 in-interface=bridge1 per-connection-classifier=both-addresses:2/1
These two rules are there so that traffic to your directly connected WAN networks is not caught by the routing policy that follows. They should look like this:
add chain=prerouting dst-address=112.65.129.176/30 in-interface=bridge1
add chain=prerouting dst-address=140.206.103.132/30 in-interface=bridge1
The image attached shows router can ping DNS servers now, but only if i choose interface as wan2, and i still can't ping dns server from my laptop.
That is understandable: in your routing table, the route through ether7-wan1 used for traffic generated by the router itself (ping from the router to the DNS server) is shown in blue with the "S" flag, meaning it is not active, while the one through ether8-wan2 is black with the "AS" flags, meaning Active Static.
If you want ether7-wan1 to be the active one, change the distance of the ether8-wan2 route to 5, for example. Since both unmarked default routes currently have distance=1, only one of them can be active at a time.

Also, when you test, ping known public IP addresses from the router and from the laptop, such as 8.8.8.8. This will confirm that the routing policy is working.
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Wed Feb 03, 2016 12:29 pm

OK, I removed the PCC part of the first 2 mangle rules as you mentioned.
But I still can't ping 8.8.4.4 from my laptop, while it works from the router, so there must be something wrong in either the route rules or the mangle rules.
Thanks.
 
Caci99

Re: my PCC dual wan initial setup won't work

Wed Feb 03, 2016 12:48 pm

ok, i removed the pcc part fo first 2 mangle rules as you mentioned.
But I still can't ping 8.8.4.4 from my laptop, while passed from router, there must be something wrong on ether the route rule, or the mangle rules.
Thanks.
OK, let's try changing the rule order and disabling the first two rules:
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether7-wan1 new-connection-mark=wan1_conn
add action=mark-connection chain=input in-interface=ether8-wan2 new-connection-mark=wan2_conn
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=wan1_route passthrough=no
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=wan2_route passthrough=no
add action=mark-connection chain=prerouting in-interface=bridge1 dst-address-type=!local new-connection-mark=wan1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting in-interface=bridge1 dst-address-type=!local new-connection-mark=wan2_conn per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge1 new-routing-mark=wan1_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge1 new-routing-mark=wan2_conn passthrough=no
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Wed Feb 03, 2016 1:15 pm

It works!

I re-worked the mangle rules as you typed them.
Then I rechecked the masquerade rules and changed them from
/ip firewall mangle
add chain=prerouting out-interface=ether7-wan1 action=masquerade
add chain=prerouting out-interface=ether8-wan2 action=masquerade
to
/ip firewall mangle
add chain=srcnat out-interface=ether7-wan1 action=masquerade
add chain=srcnat out-interface=ether8-wan2 action=masquerade
Now i can reply the thread through RB493 :)
Will do more test tomorrow, thank you very much.
 
Caci99

Re: my PCC dual wan initial setup won't work

Wed Feb 03, 2016 2:06 pm

It works!

I re-worked the mangle rules as you typed.
Then, rechecked the masquerade rule, modified it from
/ip firewall mangle
add chain=prerouting out-interface=ether7-wan1 action=masquerade
add chain=prerouting out-interface=ether8-wan2 action=masquerade
to
/ip firewall mangle
add chain=srcnat out-interface=ether7-wan1 action=masquerade
add chain=srcnat out-interface=ether8-wan2 action=masquerade
Now i can reply the thread through RB493 :)
Will do more test tomorrow, thank you very much.
Oh my, what a stupid mistake :D
Glad it works
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Thu Feb 04, 2016 6:35 pm

Hi, @Caci99
The router has been running well today; I may do more configuration tests tomorrow.
1. add both port forwarding and uPnP to this router, then VPNs (OpenVPN, PPTP, IKEV2...) on both WANs.
2. Stick clients (or certain inside lan IP, ports, mac) to use dedicated output WAN route.
3. Automatic block IP by tracking fail information from windows event log (most are SQL "sa" login attack, my old client need to use default MSSQL port and "sa" account, also must be public to internet)

I searched the forum and found some related threads; I will try those methods to see if they work.
I'd appreciate it if you could tell me how to do these ^_^
 
Caci99

Re: my PCC dual wan initial setup won't work

Thu Feb 04, 2016 7:58 pm

Hi, @Caci99
The router runs well today, i may do more configuration test tomorrow.
1. add both port forwarding and uPnP to this router, then VPNs (OpenVPN, PPTP, IKEV2...) on both WANs.
2. Stick clients (or certain inside lan IP, ports, mac) to use dedicated output WAN route.
3. Automatic block IP by tracking fail information from windows event log (most are SQL "sa" login attack, my old client need to use default MSSQL port and "sa" account, also must be public to internet)

I searched the forum, found some threads related, will try those methods to see if they works.
I'd be appreciated if you tell me how to do these^_^
That is good news :)

For other issues, I would open a separate thread, so more people can join and discuss every one of them.
2. Stick clients (or certain inside lan IP, ports, mac) to use dedicated output WAN route.
For this I can give a quick answer. Just accept the connections of such users in /ip firewall mangle before the PCC rules start. Once a connection is accepted it is no longer processed by the later mangle rules, so it gets no routing mark and uses the default gateway from your main routing table. You can create an address list in /ip firewall address-list with the IPs of those users and then use that address list in the mangle rule:
/ip firewall mangle
add chain=prerouting in-interface=bridge1 src-address-list=whatever action=accept
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Fri Feb 05, 2016 6:35 pm

Hi, Caci99
Just one question: is there any way to test whether PCC works or not? I mean I need to know that traffic is going through both WAN1 and WAN2 equally, or at least mostly so. Thanks.
 
Caci99

Re: my PCC dual wan initial setup won't work

Fri Feb 05, 2016 7:28 pm

Hi, Caci99
just one question, anyway to test PCC works or not? I mean i need to know traffic are both going through WAN1 and WAN2 equally, or most are. Thanks
Averaged over a day it would almost equalize, but what matters most is the average packet count, because different connections have different packet sizes. Also, the more LAN devices you have, the closer you get to evenly distributed traffic.
 
kenyloveg

Re: my PCC dual wan initial setup won't work

Tue Feb 23, 2016 4:27 am

Reworked the mangle rules according to the "Steve Discher presentation at MUM US 12" PDF, and removed the DNS port 53 filter because I don't enable "Allow remote DNS requests" (with that option off the router no longer answers DNS queries from the WAN side, which is what the filter was guarding against).
Here are the exported configs, for newbies like me starting a ROS config from scratch.
[admin@MikroTik] > export compact hide-sensitive 
# feb/23/2016 10:25:10 by RouterOS 6.34
# software id = L64Z-49CA
#
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 antenna-mode=rxa-txb band=2ghz-onlyg disabled=no distance=indoors frequency=2452 max-station-count=32 mode=ap-bridge ssid=ShiyuTech \
    wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether3 ] master-port=ether2-lan
set [ find default-name=ether4 ] master-port=ether2-lan
set [ find default-name=ether5 ] master-port=ether2-lan
set [ find default-name=ether6 ] master-port=ether2-lan
set [ find default-name=ether7 ] name=ether7-wan1
set [ find default-name=ether8 ] name=ether8-wan2
/interface wireless nstreme
set wlan1 enable-polling=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=yes disabled=no interface=bridge1 lease-time=1d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2-lan
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=112.65.129.178/30 interface=ether7-wan1 network=112.65.129.176
add address=140.206.103.134/30 interface=ether8-wan2 network=140.206.103.132
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=192.168.88.10 client-id=1:0:8:9b:8c:69:11 mac-address=00:08:9B:8C:69:11 server=dhcp1
add address=192.168.88.20 client-id=1:8:0:37:bb:8a:da mac-address=08:00:37:BB:8A:DA server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=140.207.198.6,223.6.6.6 gateway=192.168.88.1
/ip dns
set cache-max-ttl=1d servers=140.207.198.6,223.6.6.6
/ip firewall mangle
add chain=prerouting dst-address=112.65.129.177
add chain=prerouting dst-address=140.206.103.134
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=wan1 per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=wan2 per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1 in-interface=bridge1 new-routing-mark=wan1-mark
add action=mark-routing chain=prerouting connection-mark=wan2 in-interface=bridge1 new-routing-mark=wan2-mark
add action=mark-routing chain=output connection-mark=wan1 new-routing-mark=wan1-mark
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=wan2-mark
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether7-wan1 new-connection-mark=wan1
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether8-wan2 new-connection-mark=wan2
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether7-wan1 to-addresses=112.65.129.178
add action=src-nat chain=srcnat out-interface=ether8-wan2 to-addresses=140.206.103.134
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=112.65.129.177 routing-mark=wan1-mark
add check-gateway=ping distance=1 gateway=140.206.103.133 routing-mark=wan2-mark
add distance=1 gateway=140.206.103.133
add distance=1 gateway=112.65.129.177
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=ether7-wan1 type=external
add interface=ether8-wan2 type=external
add interface=bridge1 type=internal
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client
set enabled=yes primary-ntp=120.24.166.46 secondary-ntp=212.26.18.41
/system package update
set channel=release-candidate
/system routerboard settings
set cpu-frequency=800MHz
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set enabled=no
[admin@MikroTik] > 
Thanks again @Caci99
