dimm0k
newbie
Topic Author
Posts: 33
Joined: Wed Feb 24, 2016 5:27 pm

[BUG?] mikrotik PCC with 2 Internet connections not behaving

Tue Sep 13, 2016 7:42 pm

we currently have two Internet connections, one from Verizon FIOS and another from Verizon Enterprise, both with their own gateways, DNS, and sets of static IP addresses. the Verizon FIOS Internet does not have a router and we simply plugged the ethernet cable into our mikrotik RB951G-2HnD router. the Verizon Enterprise Internet comes in through an AdTran router that splits the connection for Internet and another for our VOIP phone lines. because of this split, we're hesitant to make any changes on that router and would prefer if it could be left in place while still getting PCC working. for the most part it looks like PCC does work, but it is very spotty at best. by that I mean that if both connections are enabled then a good majority of the office has difficulties reaching secure sites, and because everything these days is done via https, these connections die. as soon as I disable either of the connections, the Internet springs back to life and secure connections are reachable instantly. as soon as both connections are enabled again, new secure connections aren't reachable, but already connected ones are okay. below is an /export of my config with the IP addresses changed appropriately.
# RouterOS /export from the original post (the author states the IP addresses were changed).
# Dual-WAN setup: WAN1 = Verizon FIOS (direct), WAN2 = Verizon Enterprise (behind an AdTran),
# with PCC (per-connection-classifier) load balancing in /ip firewall mangle.
/interface ethernet
set [ find default-name=ether3 ] comment="port 3" name=LAN
set [ find default-name=ether1 ] comment="port 1 - VerizonFIOS" name=WAN1
set [ find default-name=ether2 ] comment="port 2 - Verizon" name=WAN2
# ether4/ether5 are switched behind LAN but left disabled.
set [ find default-name=ether4 ] disabled=yes master-port=LAN
set [ find default-name=ether5 ] disabled=yes master-port=LAN
/ip neighbor discovery
# Neighbor discovery is switched off on every interface (and off by default further down in
# "/ip neighbor discovery settings"), so the router does not announce itself on any port.
set LAN comment="port 3" discover=no
set WAN1 comment="port 1 - VerizonFIOS" discover=no
set WAN2 comment="port 2 - Verizon" discover=no
set ether4 discover=no
set ether5 discover=no
set wlan1 discover=no
set bridge-local comment=defconf discover=no
# No security-profile lines are shown under this section; presumably stripped by the author.
/interface wireless security-profiles
/ip pool
add name=default-dhcp ranges=192.168.18.10-192.168.18.254
/ip dhcp-server
# DHCP is served on wlan1 only; no DHCP server for the wired LAN (192.168.200.0/24) is in this export.
add address-pool=default-dhcp disabled=no interface=wlan1 name=defconf
/system logging action
set 0 memory-lines=2000
set 1 disk-lines-per-file=2000
# Dedicated on-disk log target for firewall hits; referenced by "/system logging" below.
add disk-file-count=10 disk-file-name=firewallhits name=FirewallHits target=disk
/interface bridge port
# Only LAN is an active member of bridge-local; the WAN2 and wlan1 memberships are disabled.
add bridge=bridge-local comment=defconf disabled=yes interface=WAN2
add bridge=bridge-local comment=defconf disabled=yes interface=wlan1
add bridge=bridge-local interface=LAN
/ip neighbor discovery settings
set default=no
/interface wireless access-list
add mac-address=78:F8:82:A5:66:9D vlan-mode=no-tag
add interface=wlan1 mac-address=24:FD:52:0B:F6:BA vlan-mode=no-tag
/ip address
add address=192.168.18.1/24 comment=defconf interface=wlan1 network=192.168.18.0
# NOTE(review): the wired LAN address sits on the port "LAN" while the mangle rules below match
# in-interface=bridge-local (the bridge LAN belongs to); confirm LAN traffic really matches them.
add address=192.168.200.1/24 interface=LAN network=192.168.200.0
# Static WAN addresses (one per provider).
add address=100.37.200.22/24 interface=WAN1 network=100.37.200.0
add address=65.213.18.23/29 interface=WAN2 network=65.213.18.224
/ip dhcp-client
# NOTE(review): a DHCP client on WAN1 next to the static 100.37.200.22/24 address above may add a
# second default route / DNS on WAN1 - confirm this is intended.
add comment=defconf dhcp-options=hostname,clientid interface=WAN1
/ip dhcp-server network
# NOTE(review): domain=8.8.4.4 looks like a typo for a second dns-server entry - confirm.
add address=192.168.18.0/24 comment=defconf dns-server=8.8.8.8 domain=8.8.4.4 gateway=192.168.18.1 netmask=24
/ip dns
# The router itself resolves via internal servers on the wired LAN.
set servers=192.168.200.5,192.168.200.4,192.168.200.6
/ip dns static
add address=192.168.18.1 name=router
/ip firewall filter
# ---- input chain (traffic to the router itself); rules are evaluated top to bottom ----
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
# Rate-limited ICMP accept; the companion "Drop excess pings" rule is disabled.
add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
# New traffic from either WAN to the router is dropped. NOTE(review): log-prefix is set on the
# WAN1 rule but log=yes is not shown, so this rule presumably logs nothing - confirm.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN1 log-prefix="**** drop all from WAN ****"
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN2
# ---- forward chain ----
# Fasttracked established/related flows bypass the remaining firewall processing, including
# the mangle chain PCC depends on. The author's follow-up post says restricting fasttrack to
# WAN1 only is what fixed the PCC/HTTPS problem.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Both "drop all from WAN not DSTNATed" rules are disabled and no catch-all drop exists in the
# forward chain of this export, so new inbound forward traffic from WAN1/WAN2 is not blocked by
# the filter table; confirm whether that is intended.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=WAN1
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface=WAN2
# ---- input chain continued ----
# Disabled duplicates of the established/related accept above.
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=yes
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=yes
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment=UDP disabled=yes protocol=udp
# The wired LAN may reach the router freely. wlan1 clients (192.168.18.0/24) get no equivalent
# accept, so their new input traffic continues to the jumps and the final log+drop - confirm.
add action=accept chain=input comment="From our private LAN" src-address=192.168.200.0/24
# Port-scan detection: matching sources are dropped outright (not address-listed).
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
# DoS handling (tarpit + black_list) is disabled in this export.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 disabled=yes protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 disabled=\
    yes protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
# NOTE(review): no rules for chain "services" appear in this export; a jump to an empty chain
# returns here, so such traffic ends at the log+drop below.
add action=jump chain=input comment="jump to chain services" jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=yes dst-address-type=broadcast
# Default deny for input: log with prefix "DROP INPUT", then drop.
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
# ---- ICMP chain: echo reply (0), unreachable 3:3/3:4, echo request (8), time exceeded (11),
# each limited to 5 packets/s; everything else dropped ----
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
/ip firewall mangle
# Router-originated packets of an already-marked connection keep using that connection's WAN.
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
# LAN traffic addressed directly to either WAN subnet is exempted from PCC (stays unmarked).
# NOTE(review): the wlan1 subnet 192.168.18.0/24 is not exempted; bridge-local traffic to it may
# pick up a routing mark and be steered to a WAN gateway by the to_WAN* default routes - confirm.
add action=accept chain=prerouting dst-address=100.37.200.0/24 in-interface=bridge-local
add action=accept chain=prerouting dst-address=65.213.18.224/29 in-interface=bridge-local
# Inbound connections arriving on a WAN are tagged so replies leave via the same WAN.
add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
# PCC for the wired bridge: src-address:3/0, 3/1 AND 3/2 all map to WAN1_conn, so no
# bridge-local connection is ever classified to WAN2. NOTE(review): the wlan1 rules below map
# 3/2 to WAN2_conn; the third bridge-local rule looks like it was meant to be WAN2_conn - confirm.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN1_conn \
    passthrough=yes per-connection-classifier=src-address:3/2
# PCC for wlan1: two thirds of source addresses to WAN1, one third to WAN2.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=wlan1 new-connection-mark=WAN1_conn passthrough=\
    yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=wlan1 new-connection-mark=WAN1_conn passthrough=\
    yes per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=wlan1 new-connection-mark=WAN2_conn passthrough=\
    yes per-connection-classifier=src-address:3/2
# Routing marks are applied only for in-interface=bridge-local. NOTE(review): wlan1 connections
# marked WAN2_conn get no routing mark here and so follow the main table (WAN1 preferred) - confirm.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge-local new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge-local new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
# Source NAT per WAN, keyed on out-interface. NOTE(review): to-addresses is normally a src-nat
# parameter; confirm it has any effect with action=masquerade on this version.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN1 to-addresses=100.37.200.0/24
add action=masquerade chain=srcnat out-interface=WAN2 to-addresses=65.213.18.224/29
# Published services: 443/tcp on each WAN goes to a different internal host; 1723/tcp on WAN1.
# Replies rely on the forward-chain connection marks and the bridge-local mark-routing rules above.
# NOTE(review): 1723/tcp is the PPTP control port; if a PPTP server is behind it, GRE traffic also
# has to be forwarded and no GRE rule is visible here - confirm.
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN2 protocol=tcp to-addresses=192.168.200.24 to-ports=443
add action=dst-nat chain=dstnat dst-port=1723 in-interface=WAN1 protocol=tcp to-addresses=192.168.200.15 to-ports=1723
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.200.15 to-ports=443
/ip route
# Per-WAN tables selected by the routing marks; check-gateway=ping marks a route inactive when
# its gateway stops answering pings.
add check-gateway=ping distance=1 gateway=100.37.200.1%WAN1 routing-mark=to_WAN1
add check-gateway=ping distance=2 gateway=65.213.18.225%WAN2 routing-mark=to_WAN2
# Main table: WAN1 preferred (distance 1), WAN2 as failover (distance 2).
add check-gateway=ping distance=1 gateway=100.37.200.1%WAN1
add check-gateway=ping distance=2 gateway=65.213.18.225%WAN2
# Disabled; its comment refers to an 'exempted-from-pcc' address list that does not appear in this export.
add comment="route for IP addresses listed in 'exempted-from-pcc' Address List" disabled=yes distance=3 gateway=100.37.200.1%WAN1
/ip service
# Management surface: telnet, ftp, www, ssh, api and api-ssl are all disabled. Services not in
# the export (e.g. winbox, www-ssl) keep their defaults, so winbox is presumably the remaining
# management path - confirm, and consider restricting its address= to the LAN as done for ftp.
set telnet disabled=yes
set ftp address=192.168.200.0/24 disabled=yes port=21
set www disabled=yes
set ssh disabled=yes port=22
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# Only strong ciphers/key exchange for SSH (the SSH service itself is disabled above).
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system leds
set 0 interface=wlan1
/system logging
# Memory log excludes firewall topics; critical/error/warning go to disk; firewall hits go to the
# FirewallHits disk file and (last entry, default action) to the memory log.
set 0 topics=info,!firewall
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=warning
add action=FirewallHits topics=firewall
add topics=firewall
/system note
# Login banner shown on access.
set note="Authorized administrators only. Access to this device is monitored."
/system routerboard settings
set init-delay=0s
/tool bandwidth-server
# Bandwidth-test server off, so the router cannot be used as a btest responder.
set enabled=no
/tool mac-server
# MAC-level telnet/winbox access and MAC ping are disabled on all interfaces, including bridge-local.
set [ find default=yes ] disabled=yes
add disabled=yes interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add disabled=yes interface=bridge-local
/tool mac-server ping
set enabled=no
 
MATU
just joined
Posts: 13
Joined: Thu Apr 03, 2014 11:01 am

Re: [BUG?] mikrotik PCC with 2 Internet connections not behaving

Fri Jun 02, 2017 7:20 pm

Hi dimm0k,

How did you finally solve the problem?

Matu
 
dimm0k
newbie
Topic Author
Posts: 33
Joined: Wed Feb 24, 2016 5:27 pm

Re: [BUG?] mikrotik PCC with 2 Internet connections not behaving

Fri Jun 02, 2017 7:54 pm

sorry, I posted this in so many places that I never got a chance to mention how I fixed it. my issue was that I built my PCC rules on top of the default MikroTik rules, and those had Fast Track enabled. I ended up tweaking my rules to have Fast Track only work on WAN1 and not on WAN2. been flawless since! let me know how it goes with you