
problem using a forum with pcc load balance

Posted: Sat Jul 02, 2011 5:16 pm
by namo
I have combined two equal ADSL lines using PCC. There is a forum (http://www.****.com) and when I log in to the forum, the forum signs me out and I have to log in again. Next, I tried connecting to one of the modems directly and I was able to use the forum normally. Next, I connected to the other ADSL modem and the forum logged me out.

I think the forum doesn't allow the user to log in from two IP addresses.

What should I do?


Note: the code that I am using
/ip firewall address-list
add list=exempt-from-pcc address=192.168.9.168/32
add list=exempt-from-pcc address=192.168.3.168/32

/ip firewall mangle
add chain=prerouting dst-address-list=exempt-from-pcc action=accept


/ip address
add address=192.168.9.60/24 broadcast=192.168.9.255 comment="" disabled=no interface=wan1 network=192.168.9.0
add address=192.168.3.60/24 broadcast=192.168.3.255 comment="" disabled=no interface=wan2 network=192.168.3.0
add address=192.168.1.168/24 broadcast=192.168.1.255 comment="" disabled=no interface=lan network=192.168.1.0

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=wan1 new-connection-mark=wan1_conn passthrough=yes    
add action=mark-connection chain=input comment="" disabled=no in-interface=wan2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan1_conn disabled=no new-routing-mark=wan1 passthrough=yes    
add action=mark-routing chain=output comment="" connection-mark=wan2_conn disabled=no new-routing-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0  
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn disabled=no in-interface=lan new-routing-mark=wan1 passthrough=yes    
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn disabled=no in-interface=lan new-routing-mark=wan2 passthrough=yes

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 routing-mark=wan1 scope=30 target-scope=10    
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.168 routing-mark=wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.168 scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2
/ip dns set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 

Re: problem using a forum with pcc load balance

Posted: Sat Jul 02, 2011 8:13 pm
by Egate
In PCC classifier use src-address.

Re: problem using a forum with pcc load balance

Posted: Sun Jul 03, 2011 2:00 pm
by namo
Before, I had the following code to access the modem pages of the two modems.
/ip firewall address-list
add list=exempt-from-pcc address=192.168.9.168/32
add list=exempt-from-pcc address=192.168.3.168/32
/ip firewall mangle
add chain=prerouting dst-address-list=exempt-from-pcc action=accept
I have added the following line
/ip firewall address-list
add list=exempt-from-pcc address=x.x.x.x/32 
where x.x.x.x is the IP of the forum.

Now it is working but it is a bit slow. The forum might be the one that is slow.

Re: problem using a forum with pcc load balance

Posted: Sun Jul 03, 2011 5:47 pm
by Egate
/ip firewall address-list
add list=exempt-from-pcc address=x.x.x.x/32
This way, your forum will make use of your default route.
You will still have problems with secure sites and some game servers unless you make use of src-address in PCC classifier.

Re: problem using a forum with pcc load balance

Posted: Sat Jul 09, 2011 1:25 pm
by namo
How do I do that?

Re: problem using a forum with pcc load balance

Posted: Sat Jul 09, 2011 4:02 pm
by Egate
Have a look at Mikrotik wiki PCC, they have nice example and description.

Re: problem using a forum with pcc load balance

Posted: Sun Jul 10, 2011 4:22 am
by namo
It turns out that there are many forums that have the same problem as that forum (they do not allow a user to log in from two different IPs at the same time). Do I have to add their IPs one by one as my users requested?

Re: problem using a forum with pcc load balance

Posted: Sun Jul 10, 2011 4:40 am
by fewi
You've been told the solution twice already in this thread: use src-address as the classifier. The manuals outline how.
http://wiki.mikrotik.com/wiki/Manual:PCC#Theory
http://wiki.mikrotik.com/wiki/How_PCC_works_(beginner)

Re: problem using a forum with pcc load balance

Posted: Mon Jul 11, 2011 6:37 am
by namo
Do you mean that I should change the "per-connection-classifier" from both-addresses-and-ports to src-address-and-port,

or just add the code:
/ip firewall mangle add chain=prerouting action=mark-connection \
 new-connection-mark=1st_conn per-connection-classifier=src-address-and-port:3/0
/ip firewall mangle add chain=prerouting action=mark-connection \
  new-connection-mark=2nd_conn per-connection-classifier=src-address-and-port:3/1
/ip firewall mangle add chain=prerouting action=mark-connection \
  new-connection-mark=3rd_conn per-connection-classifier=src-address-and-port:3/2
Note: all src addresses are 192.168.1.60 because I am using two different routers, one for combining the two lines and one for the hotspot.

Re: problem using a forum with pcc load balance

Posted: Mon Jul 11, 2011 6:47 am
by fewi
No, you should change it to src-address and remove all masquerade rules on the Hotspot router so that the real source addresses are seen. You don't need NAT on that router, and should only NAT when it is absolutely required. src-address-and-port doesn't help you as per the beginner link - browsers choose random source ports for HTTP requests.
When you remove the NAT rule you probably will have to insert a route to the customer Hotspot network on the PCC router with a next hop equal to the IP address on the directly connected Hotspot router interface, which presumably is 192.168.1.60. That is so that the PCC router can find the Hotspot users via that connection.

Re: problem using a forum with pcc load balance

Posted: Mon Jul 11, 2011 7:28 am
by namo
The internet stops working when I remove the masquerade rules in the hotspot+PPPoE router.

In one router, I have combined the two ADSL lines, and in the second router, I have a WAN that is connected to the LAN of the first router and a LAN for hotspot and PPPoE.

The forum is now working after adding its IP to the exempt-from-pcc list.

What kind of secure sites is Egate talking about? (I heard there is a problem with users having accounts on hosting sites; they say that they cannot log in to the control panel of their sites.)

Note: the WAN of the hotspot router is 192.168.1.60 and the LAN of the dual WAN Mikrotik router is 192.168.1.168.

In the hotspot router, there is a route for 192.168.1.168.

Re: problem using a forum with pcc load balance

Posted: Mon Jul 11, 2011 7:48 am
by fewi
Did you insert a route to the Hotspot network and all other relevant networks on the PCC router? It sounds like you didn't.

Post the output of "/ip route print detail", "/ip address print detail", "/ip firewall nat export", and "/interface print detail" from both routers if these general instructions aren't sufficient and you need specific, step by step help.

Egate is talking about any site that does session wide source address verification.

Re: problem using a forum with pcc load balance

Posted: Mon Jul 11, 2011 9:44 am
by namo
Hotspot router:
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.1.168 
        gateway-status=192.168.1.168 reachable wan distance=1 scope=30 
        target-scope=10 

 1 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.60 gateway=wan 
        gateway-status=wan reachable distance=0 scope=10 

 2 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=lan 
        gateway-status=lan reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.5.254/32 pref-src=192.168.2.5 gateway=<pppoe-saif> 
        gateway-status=<pppoe-saif> reachable distance=0 scope=10 
/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.2.1/24 network=192.168.2.0 interface=lan 
     actual-interface=lan 

 1   address=192.168.1.60/24 network=192.168.1.0 interface=wan 
     actual-interface=wan 

3 D address=192.168.2.5/32 network=192.168.5.254 interface=<pppoe-xxx> 
     actual-interface=<pppoe-xxx> 


/ip firewall nat export

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no src-address=192.168.2.0/24
add action=redirect chain=dstnat comment="Transparent Proxy" disabled=\
    yes dst-port=80 protocol=tcp to-ports=8080
add action=masquerade chain=srcnat comment="masquerade pppoe network" \
    disabled=no src-address=192.168.5.0/24
/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="wan" type="ether" mtu=1500 

 1  R  name="lan" type="ether" mtu=1500 l2mtu=1600 

 2 DR  name="<pppoe-xxx>" type="pppoe-in" mtu=1460 



Dual WAN router (with PCC):
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=192.168.9.168 
        gateway-status=192.168.9.168 reachable wan1 check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=wan1 

 1 A S  dst-address=0.0.0.0/0 gateway=192.168.3.168 
        gateway-status=192.168.3.168 reachable wan2 check-gateway=ping 
        distance=1 scope=30 target-scope=10 routing-mark=wan2 

 2 A S  dst-address=0.0.0.0/0 gateway=192.168.9.168 
        gateway-status=192.168.9.168 reachable wan1 check-gateway=ping 
        distance=1 scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=192.168.3.168 
        gateway-status=192.168.3.168 reachable wan2 check-gateway=ping 
        distance=2 scope=30 target-scope=10 

 4 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.168 gateway=lan 
        gateway-status=lan reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.3.0/24 pref-src=192.168.3.60 gateway=wan2 
        gateway-status=wan2 reachable distance=0 scope=10 

 6 ADC  dst-address=192.168.9.0/24 pref-src=192.168.9.60 gateway=wan1 
        gateway-status=wan1 reachable distance=0 scope=10 
/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.1.168/24 network=192.168.1.0 interface=lan actual-interface=lan 

 1   address=192.168.9.60/24 network=192.168.9.0 interface=wan1 actual-interface=wan1 

 2   address=192.168.3.60/24 network=192.168.3.0 interface=wan2 actual-interface=wan2 
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=wan1
add action=masquerade chain=srcnat disabled=no out-interface=wan2
/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="wan1" type="ether" mtu=1500 l2mtu=1526 

 1  R  name="lan" type="ether" mtu=1500 l2mtu=1522 

 2  R  name="wan2" type="ether" mtu=1500 l2mtu=1522 

 3     name="ether4" type="ether" mtu=1500 l2mtu=1522 

 4     name="ether5" type="ether" mtu=1500 l2mtu=1522 

Re: problem using a forum with pcc load balance

Posted: Mon Jul 11, 2011 5:20 pm
by fewi
On the Hotspot router disable ALL NAT, including the transparent proxy:
/ip firewall nat { disable [find] };
On the Hotspot router prevent all other Hotspot proxying, this should be the only active NAT rule:
/ip firewall nat add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept
On the PCC router add a route to the Hotspot/PPPoE network:
/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.60
Then change the PCC classifier to "src-address" (just "src-address", no other option will fix your problem).

That is it. It's the only general solution to your problem, if you don't use that you will forever be making exemptions and some sites won't work for your customers. You can't use a transparent or manually configured proxy with this.

Re: problem using a forum with pcc load balance

Posted: Mon Jul 11, 2011 11:11 pm
by namo
I did this and the internet stopped working.

Re: problem using a forum with pcc load balance

Posted: Tue Jul 12, 2011 12:00 am
by Egate
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan2
You should probably have this enabled. Sounds like natting is disabled on ADSL modem. Definitely disable transparent proxy

Re: problem using a forum with pcc load balance

Posted: Tue Jul 12, 2011 3:57 am
by fewi
I can't help you if the only feedback is "it doesn't work".

Good luck with your issue.

Re: problem using a forum with pcc load balance

Posted: Tue Jul 12, 2011 7:37 am
by namo
I have rebooted the routers. PPPoE is the one that stopped working and I had to enable the masquerade for it.
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade pppoe network" \
    disabled=no src-address=192.168.5.0/24
Another thing: for the PCC router, in the mangle prerouting chain, should I use src-address only or src-address-and-port?

Re: problem using a forum with pcc load balance

Posted: Tue Jul 12, 2011 2:01 pm
by fewi
Yes, of course. NAT should be turned off on the Hotspot router ONLY. It's necessary on the PCC router.

Again, you should use 'src-address'. Read the "How PCC works (beginner)" link again. 'src-address-and-port' includes the source port in the decision, the source port is random, so it doesn't help your issue with getting all hits to that forum on the same WAN connection. Only 'src-address' is going to keep that stable.
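
A simulation of the classifier behaviour discussed in this thread, added here as an example and not code from any of the posters or from MikroTik: it shows which WAN one client's connections to one site are marked for under each classifier, and what `src-address` does when the hotspot router still masquerades. The SHA-256 hash is an assumed stand-in for RouterOS's internal PCC hash, and the forum address and client addresses are constructed.

```python
import hashlib
import random

FORUM = "203.0.113.10"        # constructed placeholder for the forum's address
HOTSPOT_WAN = "192.168.1.60"  # hotspot router's WAN address, from the thread

# Packet fields each classifier feeds into the hash.
CLASSIFIERS = {
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
    "src-address-and-port": ("src", "sport"),
    "src-address": ("src",),
}

def pcc_bucket(conn, classifier, denominator=2):
    """Assumed stand-in for the PCC hash: digest of the selected fields,
    reduced to a remainder that picks the connection mark (WAN)."""
    key = "|".join(str(conn[f]) for f in CLASSIFIERS[classifier])
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

def session(src, n, rng, dst=FORUM):
    """n HTTP connections from one client to one site; the browser picks
    a random source port for each of them."""
    return [{"src": src, "dst": dst, "dport": 80,
             "sport": rng.randint(1024, 65535)} for _ in range(n)]

def wans_used(conns, classifier):
    """Set of WAN indexes the given connections are marked for."""
    return {pcc_bucket(c, classifier) for c in conns}

def clients_per_wan(sources, classifier, rng):
    """Number of clients landing on each WAN, one connection per client."""
    counts = [0, 0]
    for src in sources:
        counts[pcc_bucket(session(src, 1, rng)[0], classifier)] += 1
    return counts

def demo(seed=1):
    rng = random.Random(seed)
    one_user = session("192.168.2.25", 50, rng)        # constructed hotspot client
    real = [f"192.168.2.{i}" for i in range(10, 110)]  # 100 constructed clients
    natted = [HOTSPOT_WAN] * len(real)  # what the PCC router sees behind masquerade
    return {
        # One user, one forum: how many different WANs (public IPs) it sees.
        "forum_wans_both": wans_used(one_user, "both-addresses-and-ports"),
        "forum_wans_src_port": wans_used(one_user, "src-address-and-port"),
        "forum_wans_src": wans_used(one_user, "src-address"),
        # src-address across many users: real addresses vs. masqueraded ones.
        "spread_real_sources": clients_per_wan(real, "src-address", rng),
        "spread_behind_nat": clients_per_wan(natted, "src-address", rng),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only `src-address` keeps a single user on one WAN for the whole session, and it only spreads users across both lines when the PCC router sees their real addresses rather than the hotspot router's masqueraded one.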

Re: problem using a forum with pcc load balance

Posted: Wed Jul 13, 2011 8:23 am
by namo
Thank you, fewi. I just hope that the heavy download users are split between the two ADSL lines, because now each user's traffic goes through one line only.

Re: problem using a forum with pcc load balance

Posted: Wed Jul 13, 2011 2:47 pm
by fewi
Indeed. It is, however, the only generic solution available to you.

Though you could of course single out heavy download users and manually assign PCC marks. That's much more feasible than tracking all clustered secure sites and forums.

Re: problem using a forum with pcc load balance

Posted: Sat Jul 16, 2011 10:17 am
by namo
Thank you, fewi.

Now, since each user goes to one line, should I change the distance to 1 for both in
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.168 scope=30 target-scope=10

Re: problem using a forum with pcc load balance

Posted: Sat Jul 16, 2011 10:26 pm
by Egate
Nope. This is for your default route. No influence on PCC route used. However, all router data, like DNS and data not router marked, will only go through default route 192.168.9.168 unless it should go down for some reason, then the alternative will be used.

Re: problem using a forum with pcc load balance

Posted: Sun Jul 17, 2011 8:52 am
by namo
Thank you for your help. Now everything is fine except when one of the internet connections is off. The traffic doesn't go to the second line since the modem of the first line is on (there is a response from the modem and there is an ADSL connection but there is no internet).

Re: problem using a forum with pcc load balance

Posted: Sun Jul 17, 2011 10:51 am
by Egate
If you put the ADSL modem in bridge mode and make the PPPoE connection with MikroTik, through the modem, this will solve this. Make use of PPPoE instead of Ether. You will also just have to NAT the PPPoE connection on MikroTik, since the ADSL modem won't do it in bridge mode.

Re: problem using a forum with pcc load balance

Posted: Mon Jul 18, 2011 9:33 am
by namo
I have modem-routers and I am looking for a way to put them in bridge mode.

Other than adding two PPPoE clients in PPP in Winbox, what should I add?

My current routes:
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 routing-mark=wan1 scope=30 target-scope=10   
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.168 routing-mark=wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.3.168 scope=30 target-scope=10
Should I replace 192.168.9.168 with the pppoe-out1 interface and 192.168.3.168 with the pppoe-out2 interface? Do I need to replace the wan1 and wan2 interfaces with the pppoe-out1 and pppoe-out2 interfaces in firewall mangle too?

In short, after bridging the two modems, what changes should I make in the dual WAN Mikrotik router?

Re: problem using a forum with pcc load balance

Posted: Mon Jul 18, 2011 4:41 pm
by Egate
I have modem-router and I look for away to put them in bridge mode.
This will be a setting on the modem-router itself.
should I replace 192.168.9.168 with pppoe-out1 interface
Yes in the following rules.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.168 routing-mark=wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.168 routing-mark=wan2 scope=30 target-scope=10
Replace the IP with the interface name, like pppoe-out1. This will of course only work if the PPPoE connection is made from MikroTik.

Re: problem using a forum with pcc load balance

Posted: Fri Jul 29, 2011 9:24 pm
by namo
/ip firewall nat add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept
This code has caused the internet to stop working on some of the computers, and when I disabled it, the internet worked for those users.

Why is this happening with those users?