HOWTO: Dual WAN PCC with Dynamic IP

IntrusDave · Wed Sep 28, 2016 6:41 pm

Hey guys, I wanted to post my PCC setup so it may help others.
I have two DOCSIS 3 Cable services (Charter Communications), each has a Dynamic IP.
My WAN interfaces are named "wan0" and "wan1".
I have two LAN interfaces, "lanBridge" and "iot_vlan" - The LAN's are not permitted to communicate. (I don't trust IoT devices on my LAN)
I use address lists and Interface lists where possible. I've also included a script that runs every 5 minutes that will update the routes when the public IP changes.
Note - the script WILL NOT run if you have more than 1 IP on a WAN interface.

WAN interface names are important. Need to be able to fine the interface and address

/interface ethernet
set [ find default-name=ether9 ] comment="wan0" name=wan0
set [ find default-name=ether10 ] comment="wan1" name=wan1

Using Interface Lists to simplify the Mangles and Filters

/interface list
add name=lanLinks
add name=wanLinks

/interface list member
add interface=iot_vlan list=lanLinks
add interface=lanBridge list=lanLinks
add interface=wan0 list=wanLinks
add interface=wan1 list=wanLinks

Default Router Distance on the DHCP client is important. Set to 100 to allow for failover.

/ip dhcp-client
add default-route-distance=100 disabled=no interface=wan0 use-peer-dns=no use-peer-ntp=no
add default-route-distance=100 disabled=no interface=wan1 use-peer-dns=no use-peer-ntp=no

The PCC Routes distance is set to 50, the DHCP client will add the other routes in for you.

/ip route
add comment=wan0 distance=50 gateway=66.215.192.1 routing-mark=to_wan0
add comment=wan1 distance=50 gateway=66.215.176.1 routing-mark=to_wan1

These are the only needed NAT rules for the PCC to work. Make sure they are the last in your srcnat chain.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan0
add action=masquerade chain=srcnat out-interface=wan1

Mangle order is important here too. Address and Interface lists are used to reduce the number of entries.

/ip firewall mangle
add action=mark-connection chain=input comment=pcc_rule in-interface=wan0 new-connection-mark=wan0_conn passthrough=no
add action=mark-connection chain=input comment=pcc_rule in-interface=wan1 new-connection-mark=wan1_conn passthrough=no
add action=mark-routing chain=output comment=pcc_rule connection-mark=wan0_conn new-routing-mark=to_wan0 passthrough=no
add action=mark-routing chain=output comment=pcc_rule connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add action=accept chain=prerouting comment=pcc_rule dst-address-list=privateNetworks in-interface-list=lanBridge
add action=accept chain=prerouting comment=pcc_rule dst-address-list=wanSubnets in-interface-list=lanBridge
add action=mark-connection chain=prerouting comment=pcc_rule dst-address-type=!local in-interface-list=lanLinks new-connection-mark=wan0_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment=pcc_rule dst-address-type=!local in-interface-list=lanLinks new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment=pcc_rule connection-mark=wan0_conn in-interface-list=lanLinks new-routing-mark=to_wan0 passthrough=yes
add action=mark-routing chain=prerouting comment=pcc_rule connection-mark=wan1_conn in-interface-list=lanLinks new-routing-mark=to_wan1 passthrough=yes

These are used in the Mangle rules, routes local and gateway traffic to the right interface

/ip firewall address-list
add address=192.168.0.0/16 list=privateNetworks
add address=172.16.0.0/16 list=privateNetworks
add address=10.0.0.0/8 list=privateNetworks
add address=66.215.192.0/22 comment=wan0 list=wanSubnets
add address=66.215.176.0/22 comment=wan1 list=wanSubnets

Filter rules are completely optional and not needed for PCC to work. This is the basic framework that I use.

/ip firewall filter
add action=accept chain=Filter connection-state=established,related
add action=drop chain=Filter comment="Invalid packets (No valid current connection)" connection-state=invalid
add action=drop chain=Filter comment="Invalid TCP flag combo" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=Filter comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,syn
add action=drop chain=Filter comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,rst
add action=drop chain=Filter comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=Filter comment="Invalid TCP flag combo" protocol=tcp tcp-flags=fin,urg
add action=drop chain=Filter comment="Invalid TCP flag combo" protocol=tcp tcp-flags=syn,rst
add action=drop chain=Filter comment="Invalid TCP flag combo" protocol=tcp tcp-flags=rst,urg
add action=drop chain=Filter comment="Invalid TCP source port (0)" protocol=tcp src-port=0
add action=drop chain=Filter comment="Invalid TCP destination port (0)" dst-port=0 protocol=tcp
add action=drop chain=Filter comment="Invalid UDP source port (0)" protocol=udp src-port=0
add action=drop chain=Filter comment="Invalid UDP destination port (0)" dst-port=0 protocol=udp
add action=return chain=Filter comment="Return to the chain that jumped"
add action=jump chain=input comment="Check for bad stuff in \"Filters\" chain" jump-target=Filter
add action=accept chain=input in-interface-list=lanLinks
add action=accept chain=input dst-port=22,8291 protocol=tcp
add action=drop chain=input in-interface-list=wanLinks
add action=jump chain=forward comment="Check for bad stuff in \"Filter\" chain" jump-target=Filter
add action=accept chain=forward in-interface=lanBridge out-interface-list=wanLinks
add action=accept chain=forward in-interface=iot_vlan out-interface-list=wanLinks
add action=drop chain=forward log=yes

This script need to run every few minutes. It will update your gateways and address lists with your current WAN gateway and subnets

# Dynamic IP Updater

:local wan0name "wan0";
:local wan1name "wan1";
:global wan0address;
:global wan1address;

:local wan0ip [/ip dhcp-client get [find interface="$wan0name"] value-name=address];
:if ($wan0address != $wan0ip) do={
	:global wan0address [:pick $wan0ip 0 [:find $wan0ip "/"]];
	:local wan0gateway [/ip dhcp-client get  [find interface="$wan0name"] value-name=gateway];
	:local wan0temp [/ip address get [find interface="$wan0name"] value-name=network ]
	:local wan0subnet ($wan0temp . "/" . [:pick $wan0ip ([:find $wan0ip "/"]+1) [:len $wan0ip] ] )
	/ip route set [find comment="wan0"] gateway=$wan0gateway;
	/ip firewall address-list set [find comment="wan0"] address=$wan0subnet;
}

:local wan1ip [/ip dhcp-client get [find interface="$wan1name"] value-name=address];
:if ($wan1address != $wan1ip) do={
	:global wan1address [:pick $wan1ip 0 [:find $wan1ip "/"]];
	:local wan1gateway [/ip dhcp-client get  [find interface="$wan1name"] value-name=gateway];
	:local wan1temp [/ip address get [find interface="$wan1name"] value-name=network ]
	:local wan1subnet ($wan1temp . "/" . [:pick $wan1ip ([:find $wan1ip "/"]+1) [:len $wan1ip] ] )
	/ip route set [find comment="wan1"] gateway=$wan1gateway;
	/ip firewall address-list set [find comment="wan1"] address=$wan1subnet;
}

I hope this helps simplify the Dual WAN / Dynamic IP PCC config for anything that needs it.
If it helped - I'd love some extra Karma points

djago · Mon Sep 11, 2017 5:27 pm

Hi!

Thanks! It works OK with my setup.
May I ask you a question about it? I'm having troubles with one of the ISPs, having intermittent connection problems. I'm trying to ping using the troublesome adapter but I can't get out of my router. But this is not a problem of the ISP but from the router's config. Can you help me?

Thanks!

IntrusDave · Tue Sep 12, 2017 6:41 am

You will need to set a static route using the WAN you would like the ping to go though.

djago · Thu Sep 14, 2017 3:23 am

I assumed (wrongly) that the ping tool should be agnostic of the configuration and work directly over the interface... I'll try as you suggest

angphc · Tue Nov 07, 2017 4:03 am

Seems very helpful I'm trying to understand your config and script Since I've never used RouterOS before in my life.
I'm wondering
where you put

/ip route
add comment=wan0 distance=50 gateway=66.215.192.1 routing-mark=to_wan0
add comment=wan1 distance=50 gateway=66.215.176.1 routing-mark=to_wan1

Where those IP addresses come from? are them specific for your ISP?
Do i need to figure those out from my ISP? or are them just as a kick start until the script tries to determine gateways/routes?
Thanks for the effort you put in sharing this How-To
Best Regards
Will

CoolTom · Fri May 03, 2019 5:01 pm

Just wondering: Whi didnt you put the dhcp script into /ip dhcp-client -- Lease script and it will run always (only) when DHCP client obtains new lease or loses existing. No need to schedule it and have delay in address updates .... ?

Sob · Fri May 03, 2019 5:50 pm

Possibly because old RouterOS didn't have lease scripts and even though the feature did exist in 2016, sometimes people either miss new features, or already have older working solutions they don't want to redo.

anav · Fri May 03, 2019 6:11 pm

Just wondering: Whi didnt you put the dhcp script into /ip dhcp-client -- Lease script and it will run always (only) when DHCP client obtains new lease or loses existing. No need to schedule it and have delay in address updates .... ?

Hi @CoolTom, the problem with that script, at least for me, is that my primary WAN is bell fibre. If for some reason the IP goes down, and switches to cable (no probs there) it will not be able to go back to the Primary (bell) if the IP changes. The reason for this is they often also change the gateway and thus although the new gateway is recognized and captured on my DHCP client, I have to go manually and read that new gateway off of winbox and then insert the new gateway into my IP (recursive) routing rules.

Is there a way in a script do perform that extra function of ensuring the Bell WAN will come back up if the IP AND gateway changes? If so I will probably start using PCC and both my connections, in a load balance type of way (PCC but favouring the primary connection).

@intrus dave (you are so close to Canada ( Ontario is your neighbour

)

sindy · Fri May 03, 2019 7:56 pm

although the new gateway is recognized and captured on my DHCP client, I have to go manually and read that new gateway off of winbox and then insert the new gateway into my IP (recursive) routing rules

As @Sob has suggested, a few years ago it has become possible to add a script into /ip dhcp-client configuration which the client calls each time it gets (or loses) a new lease. And using this script you can update the routes with the IP address of the new gateway. Yes, some of the variable names have to be guessed and you have to use the counter-intuitive syntax like $"gateway-address" because they contain other than alphanumeric characters, but it works.

anav · Fri May 03, 2019 8:02 pm

Much thanks! (Sob&Sindy)

CoolTom · Tue May 07, 2019 6:46 pm

Thnx for reply guys! I just stuck with LTE setup - 2 LTE modems + 1 cable WAN over eth1. Eth1 works over DHCP Client so no problem.

Using Mikrotil LTE modem (s). LTE interface get IP not over DHCP client but Mikrotik automatically add it as dynamic address into /ip addresses.

No problem, I get get this IP or network address over addresses instead of dhcp client:

:put [/ip address get [find interface="lte1"] value-name=address]
:put ([/ip address get [find interface="lte1"] value-name=network]&255.255.255.0)

But there is no info about GW. Default dynamic route made by LTE is

add distance=1 dst-address=0.0.0.0/0 gateway=lte1

So for LTE I sould create routes without GW IP, just interface LTE as GW?

sebastia · Tue May 07, 2019 7:12 pm

LTE probably gets an /32 ip? That's a point-to-point connection, and in such a case the "gateway" can be determined by OS (=ip at the other end), so interface is enough.

sindy · Tue May 07, 2019 8:15 pm

There are two ways LTE modems behave. Those which emulate serial modems use PPP so there is no DHCP and there is no need for a gateway IP as only one device can be connected at the remote end of a Point to Point connection as @Sebastia has explained. Those which emulate network cards use DHCP and provide also a default gateway that way. The problem with this second LTE type is that the DHCP client is added "autodynamically" so you cannot change its parameters, so no way to bind a script to it. But at least there is an address of the gateway so recursive next-hop search can be used with a scheduled script updating the gateway IP; with the PPP LTE, it simply doesn't work due to the complete absence of gateway IP.

CoolTom · Sun May 12, 2019 1:30 pm

Hi guys, thnx for reply. I am using Mikrotik LTE card so its second option. You are right it doesnt show in winbox ( network mask) but when u read it in comandline it show /32.

I am able get:
[admin@LTEstream] > put [/ip address get [find interface="lte1"] value-name=addres]
10.X.X.31/32
[admin@LTEstream] > put [/ip address get [find interface="lte1"] value-name=network]
10.X.X.31
[admin@LTEstream] > put ([/ip address get [find interface="lte1"] value-name=network]&255.255.255.0)
10.X.X.0

So should I use in mangle 10.x.x.0/32 as connected networks (add them into address list with comment "xx" - to make sure it overwrite the old one)?
Can you give me example of script for "so recursive next-hop search can be used"?

To fire the script I guess I can use as trigger "if lte1 interface change state to running" - dont know how to do that yet

) - is it possible run script base on this event?

There are two ways LTE modems behave. Those which emulate serial modems use PPP so there is no DHCP and there is no need for a gateway IP as only one device can be connected at the remote end of a Point to Point connection as @Sebastia has explained. Those which emulate network cards use DHCP and provide also a default gateway that way. The problem with this second LTE type is that the DHCP client is added "autodynamically" so you cannot change its parameters, so no way to bind a script to it. But at least there is an address of the gateway so recursive next-hop search can be used with a scheduled script updating the gateway IP; with the PPP LTE, it simply doesn't work due to the complete absence of gateway IP.

sindy · Sun May 12, 2019 2:32 pm

So should I use in mangle 10.x.x.0/32 as connected networks (add them into address list with comment "xx" - to make sure it overwrite the old one)?

What makes you think that the contents of a comment field affects how the rule is handled? There is no way how a newly added rule can overwrite an existing way. You can put a new rule before the existing one in the chain, which may make the new one shadow the older one (in terms that if a packet matches the new rule, it will never get to the older rule which it would also match if it got there), or you can modify an existing rule by setting new match conditions in it or removing some of them using the unset command. Or you can remove the old rule as a whole.

Can you give me example of script for "so recursive next-hop search can be used"?

The recursive next-hop search in context of dual-wan makes sense for automatic failover without scripting in the sense of "programming" where you periodically test the functionality of the individual WAN paths by checking their ability to deliver a packet to a host in the internet (so you can see also whether your ISP can connect to the internet, not only whether you can connect to your ISP). I'm not sure whether it is possible to make use of it where there is no IP on the "connected next hop", I have to check that first. If not, you have to use you own scripts to provide the same functionality by modifying configuration, or possibly by adding dynamic items to address lists to effectively disable some firewall rules (which is a modification not causing a write operation on the flash).

I know it is not the answer you expected, so be patient.

To fire the script I guess I can use as trigger "if lte1 interface change state to running" - dont know how to do that yet ) - is it possible run script base on this event?

That's the point, not directly. Some objects in the configuration can spawn a script on an event (up, down, change of address assignment state), others (currently the LTE interfaces fall into this group) cannot. There is no generic way to specify a state change of a particular object to spawn a script. So the only way is to use a scheduler to run a script periodically, and let that script check the state of the objects, store it for its next reincarnation, and do something/spawn another script if the stored and current state differs.

CoolTom · Sun May 12, 2019 3:14 pm

I described it wrong. I was thinking this means, find address list item with comment "wan0" and "overwrite it" with new IP/subnet - so address list doest grows with adding more end more IPs into address list

/ip firewall address-list set [find comment="wan0"] address=$wan0subnet;

So u are changing address list and use it in rules - no need change rules. Correct?

What makes you think that the contents of a comment field affects how the rule is handled?

The rest not helping much, but thank you for explaining

So should I use in mangle 10.x.x.0/32 as connected networks (add them into address list with comment "xx" - to make sure it overwrite the old one)?
What makes you think that the contents of a comment field affects how the rule is handled? There is no way how a newly added rule can overwrite an existing way. You can put a new rule before the existing one in the chain, which may make the new one shadow the older one (in terms that if a packet matches the new rule, it will never get to the older rule which it would also match if it got there), or you can modify an existing rule by setting new match conditions in it or removing some of them using the unset command. Or you can remove the old rule as a whole.

Can you give me example of script for "so recursive next-hop search can be used"?
The recursive next-hop search in context of dual-wan makes sense for automatic failover without scripting in the sense of "programming" where you periodically test the functionality of the individual WAN paths by checking their ability to deliver a packet to a host in the internet (so you can see also whether your ISP can connect to the internet, not only whether you can connect to your ISP). I'm not sure whether it is possible to make use of it where there is no IP on the "connected next hop", I have to check that first. If not, you have to use you own scripts to provide the same functionality by modifying configuration, or possibly by adding dynamic items to address lists to effectively disable some firewall rules (which is a modification not causing a write operation on the flash).

I know it is not the answer you expected, so be patient.

To fire the script I guess I can use as trigger "if lte1 interface change state to running" - dont know how to do that yet ) - is it possible run script base on this event?
That's the point, not directly. Some objects in the configuration can spawn a script on an event (up, down, change of address assignment state), others (currently the LTE interfaces fall into this group) cannot. There is no generic way to specify a state change of a particular object to spawn a script. So the only way is to use a scheduler to run a script periodically, and let that script check the state of the objects, store it for its next reincarnation, and do something/spawn another script if the stored and current state differs.

sindy · Sun May 12, 2019 3:30 pm

I described it wrong. I was thinking this means, find address list item with comment "wan0" and "overwrite it" with new IP/subnet - so address list doest grows with adding more end more IPs into address list

/ip firewall address-list set [find comment="wan0"] address=$wan0subnet;

So u are changing address list and use it in rules - no need change rules. Correct?

Correct, this way you replace the address field of an existing address list item.

CoolTom · Sun May 12, 2019 5:02 pm

btw how to add string "/32" to the end?
Just can not make it work ...

/ip firewall address-list set [find comment="wan0"] address="[([/ip address get [find interface=\"lte1\"] value-name=network]&255.255.255.0)]"."/32"]
/ip firewall address-list set [find comment="wan0"] address=([/ip address get [find interface="lte1"] value-name=network]&255.255.255.0)]."/32"

sindy · Sun May 12, 2019 5:50 pm

btw how to add string "/32" to the end?
Just can not make it work ...

/ip firewall address-list set [find comment="wan0"] address="[([/ip address get [find interface=\"lte1\"] value-name=network]&255.255.255.0)]"."/32"]
/ip firewall address-list set [find comment="wan0"] address=([/ip address get [find interface="lte1"] value-name=network]&255.255.255.0)]."/32"

Two things:

I'm not sure why would you determine the /24 network address to which the original address fits and then add that network address as a /32 one, it makes little sense to me
you have to use parentheses to separate operations of different types (integer, IP mask , string operations) from each other:
[me@MyTik] > put (192.168.1.3&255.255.255.0)
192.168.1.0
[me@MyTik] > put ((192.168.1.3&255.255.255.0)."/32")
192.168.1.0/32

CoolTom · Mon May 13, 2019 11:46 am

Was like most easy way how to get 0 on the end of IP to put whole subnet into address list (to manage connected networks). /32 is mask of "ISP privat IP on LTE". If I put whole subnet /24 it will do the same job I guess ...

btw how to add string "/32" to the end?
Just can not make it work ...

/ip firewall address-list set [find comment="wan0"] address="[([/ip address get [find interface=\"lte1\"] value-name=network]&255.255.255.0)]"."/32"]
/ip firewall address-list set [find comment="wan0"] address=([/ip address get [find interface="lte1"] value-name=network]&255.255.255.0)]."/32"
Two things:
I'm not sure why would you determine the /24 network address to which the original address fits and then add that network address as a /32 one, it makes little sense to me

you have to use parentheses to separate operations of different types (integer, IP mask , string operations) from each other:
[me@MyTik] > put (192.168.1.3&255.255.255.0)
192.168.1.0
[me@MyTik] > put ((192.168.1.3&255.255.255.0)."/32")
192.168.1.0/32

sindy · Mon May 13, 2019 12:23 pm

Was like most easy way how to get 0 on the end of IP to put whole subnet into address list (to manage connected networks). /32 is mask of "ISP privat IP on LTE". If I put whole subnet /24 it will do the same job I guess ...

If you put the whole subnet to the address-list (with /24), or if you put the unchanged /32 address there, the address list item will in both cases match to the /32 address (and in first case, to 255 other ones). If you take the original /32 address, force its last byte to 0, and add the result as a /32 address to the list, the address list item will not match the original /32 address.

CoolTom · Mon May 13, 2019 3:27 pm

Yes wrong /32 is one address. So it means that if WAN IP is for example 10.65.123.15/32 and I put into Address list 10.65.123.15/24 or 10.65.123.0/24 it will have same result (match adresses 10.65.123.1-255)? Just need to get connected networks from ISP LTE IPs ...

Was like most easy way how to get 0 on the end of IP to put whole subnet into address list (to manage connected networks). /32 is mask of "ISP privat IP on LTE". If I put whole subnet /24 it will do the same job I guess ...
If you put the whole subnet to the address-list (with /24), or if you put the unchanged /32 address there, the address list item will in both cases match to the /32 address (and in first case, to 255 other ones). If you take the original /32 address, force its last byte to 0, and add the result as a /32 address to the list, the address list item will not match the original /32 address.

sindy · Mon May 13, 2019 3:37 pm

Yes wrong /32 is one address. So it means that if WAN IP is for example 10.65.123.15/32 and I put into Address list 10.65.123.15/24 or 10.65.123.0/24 it will have same result (match adresses 10.65.123.1-255)? Just need to get connected networks from ISP LTE IPs ...

If you add 10.65.123.15/24 to an address list, RouterOS will make 10.65.123.0/24 out of it automatically:

[me@MyTik] > ip firewall address-list add list=my-test-list address=192.168.12.25/24
[me@MyTik] > ip firewall address-list print where list~"my-test-list"
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 my-test-list 192.168.12.0/24 may/13/2019 14:33:50

But with any kind of PPP, the notion of "subnet" has no meaning because you don't need to distinguish between devices on the same medium and others (like you do in case of Point-to-multipoint interfaces). Whatever you send out through a PPP interface will be received by the single device on the remote end of the PPP link. So a /32 address one higher or one lower than yours doesn't get any special treatment as compared to any other address.

CoolTom · Tue May 14, 2019 12:21 pm

Thnx, I see. I was trying in winbox and it doesnt allow u save it. CLI works. I guess I will use "network from host IP" conversion. It should always works.

/ip firewall address-list set [find comment="WAN1"] address=( (([/ip address get [find interface="lte1"] value-name=network])&255.255.255.0 )."/24")

Now just find way how to fire script on LTE change. Now running it every 5-10s, but not sure if that is good ...

Yes wrong /32 is one address. So it means that if WAN IP is for example 10.65.123.15/32 and I put into Address list 10.65.123.15/24 or 10.65.123.0/24 it will have same result (match adresses 10.65.123.1-255)? Just need to get connected networks from ISP LTE IPs ...
If you add 10.65.123.15/24 to an address list, RouterOS will make 10.65.123.0/24 out of it automatically:

[me@MyTik] > ip firewall address-list add list=my-test-list address=192.168.12.25/24
[me@MyTik] > ip firewall address-list print where list~"my-test-list"
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 my-test-list 192.168.12.0/24 may/13/2019 14:33:50

But with any kind of PPP, the notion of "subnet" has no meaning because you don't need to distinguish between devices on the same medium and others (like you do in case of Point-to-multipoint interfaces). Whatever you send out through a PPP interface will be received by the single device on the remote end of the PPP link. So a /32 address one higher or one lower than yours doesn't get any special treatment as compared to any other address.

sindy · Tue May 14, 2019 12:43 pm

Thnx, I see. I was trying in winbox and it doesnt allow u save it. CLI works. I guess I will use "network from host IP" conversion. It should always works.

Yes, the manual conversion of host address to a network address using a mask always works, but I still don't understand the purpose of doing so

Now just find way how to fire script on LTE change. Now running it every 5-10s, but not sure if that is good ...

There is currently none. As for the timing, when there is the possibility to use automatic failover based on the recursive next-hop search (not your case), the check-gateway pings are sent every 10 seconds, so the detection is no faster than with your periodic scheduling of the script. Do not get tempted to use netwatch as it currently cannot do any configuration changes, altough maybe it can add/remove dynamic items to/from address list, I haven't tried that.

CoolTom · Tue May 14, 2019 12:54 pm

Just wondering. In this post example, he use for input trafic marking - chain=input :

/ip firewall mangle
add action=mark-connection chain=input comment=pcc_rule in-interface=wan0 new-connection-mark=wan0_conn passthrough=no
add action=mark-connection chain=input comment=pcc_rule in-interface=wan1 new-connection-mark=wan1_conn passthrough=no

I was checking another nice PCC tutorial, where author use for marking incomming trafic - chain=prerouting:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=ether2 new-connection-mark=WAN2 passthrough=yes

https://mum.mikrotik.com/presentations/US12/steve.pdf

Any differents do it on input or prerouting chain??

CoolTom · Tue May 14, 2019 1:11 pm

How elase get connected networks subnets (LAN is easy, but LTE intefaces) into Mangle rules and into routes

This will aways works, no? Even if LTE IP will be privat or public subnet. Cut last part, replace 0 and add /24 mask. If I use only WAN IP, what if other LTE ISP will use different addressing/ mask than /32. Other hand I am not expecting router / host behing router will comunicate with another IP from same subnet as I get LTE WAN IP from ISP...

add action=accept chain=prerouting comment=pcc_rule dst-address-list=privateNetworks in-interface-list=lanBridge
add action=accept chain=prerouting comment=pcc_rule dst-address-list=wanSubnets in-interface-list=lanBridge

Thnx, I see. I was trying in winbox and it doesnt allow u save it. CLI works. I guess I will use "network from host IP" conversion. It should always works.
Yes, the manual conversion of host address to a network address using a mask always works, but I still don't understand the purpose of doing so

sindy · Tue May 14, 2019 1:27 pm

Any differents do it on input or prerouting chain??

Sure there is. Check this and this picture for understanding the packet flow through the kernel and through the firewall in particular.

sindy · Tue May 14, 2019 1:31 pm

How elase get connected networks subnets (LAN is easy, but LTE intefaces) into Mangle rules and into routes This will aways works, no?

No, it doesn't. Read here how to deal with connected subnets and routing-mark.

CoolTom · Wed May 15, 2019 11:57 am

Means I can add routing lookup

/ip route rule add action=lookup table=main dst-address=X

Or over address lists and we are back with needs to add subnet adress which is changing/dynamic.

Or did I miss something in that post? So u suggest add lookup over script instead of "getting subnets" and add them into address list?

How elase get connected networks subnets (LAN is easy, but LTE intefaces) into Mangle rules and into routes This will aways works, no?
No, it doesn't. Read here how to deal with connected subnets and routing-mark.

CoolTom · Wed May 15, 2019 12:02 pm

Thank you. I do understand, there is different between input or prerouting chain. But this 2 setup solutions looks same and one use input and one prerouting chain to manage connected networks connection. Is it the different in passthrough=no/yes

Any differents do it on input or prerouting chain??
Sure there is. Check this and this picture for understanding the packet flow through the kernel and through the firewall in particular.

sindy · Wed May 15, 2019 12:34 pm

Means I can add routing lookup
Code: Select all
/ip route rule add action=lookup table=main dst-address=X
Or over address lists and we are back with needs to add subnet adress which is changing/dynamic.

Or did I miss something in that post? So u suggest add lookup over script instead of "getting subnets" and add them into address list?

You still haven't explained why you need to treat in a special way the (non-existent!) subnet to which the address assigned to the LTE interface "belongs" (it actually doesn't belong to any subnet).

I mean, there is no need to make sure that you use WAN2 to access devices in WAN2 subnet even if the routing-mark indicates to use WAN1, because there are no devices to be accessed in WAN2 subnet as there is no WAN2 subnet.

The post I referred to deals with handling of "real" connected subnets, i.e. those with masks of 30 bits and shorter, which are on the LAN side of your device, and I probably misunderstood you as talking about the LAN side. Of course, where we talk about "normal" WAN subnets (on other than PPP interfaces), where your device gets a dynamic IP and still there are other hosts with public IPs in the same subnet which you need to access, the address-list approach with incurring the subnet address from your own address and mask makes sense at least theoretically, but in that case you have to take the mask also form the DHCP assignment, not use a static one.

sindy · Wed May 15, 2019 12:52 pm

Thank you. I do understand, there is different between input or prerouting chain. But this 2 setup solutions looks same and one use input and one prerouting chain to manage connected networks connection. Is it the different in passthrough=no/yes

I'm not sure which two solutions you have in mind. Anyway, chain=input handles received packets as late as when it is already clear that their destination (after dst-nat handling in connection tracking) is one of the own addresses of the Mikrotik, whereas chain=prerouting handles all received packets, regardless whether they will be finally transited to another interface or whether they end up on the Mikrotik itself.

passthrough has a different meaning, it only controls the way of a single packet through a single firewall chain. Sometimes you need to do more than one action on a packet (like assign to it a connection-mark, a routing-mark, a packet-mark, and a DSCP value), and each rule has just a single action. So in some chains (like mangle) you can specify, by setting passthrough=yes, that even if a rule matches a packet and its action is executed, the processing of that packet by that firewall chain doesn't end and the packet makes it to the next rule(s) of that chain.

Kazek · Fri Jan 10, 2020 6:10 pm

Hi,
Sorry for digging out such an old topic but I'm trying to implement a script to update the routes and address-list from top post here and can't make it work.
Can you please suggest where the problem lies (v6.46.1)?
MK config:

/interface ethernet
set [ find default-name=ether1 ] comment=ether1
set [ find default-name=ether2 ] comment=ether2
/ip dhcp-client
add add-default-route=no comment=ether1 disabled=no interface=ether1
add add-default-route=no comment=ether2 disabled=no interface=ether2
/ip firewall address-list
add address=10.111.0.1/22 comment=ether1 list=WAN
add address=10.112.0.1/22 comment=ether2 list=WAN
/ip route
add check-gateway=ping comment=ether1 distance=1 gateway=10.111.0.1 routing-mark=to_ether1
add check-gateway=ping comment=ether2 distance=1 gateway=10.112.0.1 routing-mark=to_ether2
add check-gateway=ping comment=ether1 distance=1 gateway=10.111.0.1
add check-gateway=ping comment=ether2 distance=2 gateway=10.112.0.1

Script:


:local ether1name "ether1";
:local ether2name "ether2";
:global ether1address;
:global ether2address;

:local ether1ip [/ip dhcp-client get [find interface="$ether1name"] value-name=address];
:if ($ether1address != $ether1ip) do={
	:global ether1address [:pick $ether1ip 0 [:find $ether1ip "/"]];
	:local ether1gateway [/ip dhcp-client get  [find interface="$ether1name"] value-name=gateway];
	:local ether1temp [/ip address get [find interface="$ether1name"] value-name=network ]
	:local ether1subnet ($ether1temp . "/" . [:pick $ether1ip ([:find $ether1ip "/"]+1) [:len $ether1ip] ] )
	/ip route set [find comment="ether1"] gateway=$ether1gateway;
	/ip firewall address-list set [find comment="ether1"] address=$ether1subnet;
}

:local ether2ip [/ip dhcp-client get [find interface="$ether2name"] value-name=address];
:if ($ether2address != $ether2ip) do={
	:global ether2address [:pick $ether2ip 0 [:find $ether2ip "/"]];
	:local ether2gateway [/ip dhcp-client get  [find interface="$ether2name"] value-name=gateway];
	:local ether2temp [/ip address get [find interface="$ether2name"] value-name=network ]
	:local ether2subnet ($ether2temp . "/" . [:pick $ether2ip ([:find $ether2ip "/"]+1) [:len $ether2ip] ] )
	/ip route set [find comment="ether2"] gateway=$ether2gateway;
	/ip firewall address-list set [find comment="ether2"] address=$ether2subnet;
}

Sob · Fri Jan 10, 2020 6:57 pm

I suggest to go with lease script instead of script run from scheduler. And if the example looks too complicated, here's a tip how to make it simpler.

HOWTO: Dual WAN PCC with Dynamic IP

HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP

Re: HOWTO: Dual WAN PCC with Dynamic IP