 
tarcisionmjr
just joined
Posts: 17
Joined: Thu Sep 21, 2006 1:47 pm

Re: New firewall matcher PCC

Wed Jun 03, 2009 12:46 pm

To be perfect it should be in the style of the PCQ rules:

per-connection-classifier = src-address, dst-address, dst-port: 2 / 1

Here the rules (both-address) or (both-address-ports) do not serve me well yet, but they already help a lot ...

Sorry, my English is written by the translator ...
 
tarcisionmjr
just joined
Posts: 17
Joined: Thu Sep 21, 2006 1:47 pm

Re: New firewall matcher PCC

Thu Jun 04, 2009 11:50 am

For my rules to work perfectly, the combination of (dst-address + dst-port + src-address) is necessary. When will it be possible to use it this way?

Sorry, my English is written by the translator ...
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Thu Jun 11, 2009 9:24 pm

Edit: I'm an idiot.
Last edited by omega-00 on Fri Jun 12, 2009 5:08 pm, edited 1 time in total.
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Thu Jun 11, 2009 9:31 pm

One thing I'm not entirely sure of though: shouldn't the wiki examples specify type=new, established or related?

This would seem to do the classification each time unless I haven't read something correctly? *scratches head*
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Thu Jun 11, 2009 10:55 pm

My current "inbound routing + PCC on outbound routing" implementation.

I know NetworkPro was looking for something like this recently so I hope this helps some people out:
# allow multiple inbound connections on dynamic (adsl) interfaces
/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 connection-state=new disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 connection-state=new disabled=no new-routing-mark=wan2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark new established connection wan1" connection-state=established disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark new established connection wan2" connection-state=established disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new established route wan1" connection-mark=wan1 connection-state=established disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new established route wan2" connection-mark=wan2 connection-state=established disabled=no new-routing-mark=wan2 passthrough=no

# round robin outbound traffic routing, based on src port and src address
/ip firewall mangle    
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/0 action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/1 action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes
add chain=prerouting connection-mark=wan1_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan1
add chain=prerouting connection-mark=wan2_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan2
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Fri Jun 12, 2009 9:29 am

Prerouting is always before Input, so you can put your rules in whatever order you like. So either the first 4 rules or the second 4 rules in the mangle are completely useless.

First you mark all Prerouting (input and forward) connections that come into interfaces, then you remark them in input forward again...

What exactly doesn't work in "both-addresses" PCC? How did you test it? How many clients did you have to test it?
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Fri Jun 12, 2009 9:35 am

Edit: I'm an idiot.
Last edited by omega-00 on Fri Jun 12, 2009 5:09 pm, edited 1 time in total.
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Fri Jun 12, 2009 11:44 am

Are you sure you are using the official release version, not some kind of pre-release that was distributed for testing only????
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Fri Jun 12, 2009 11:58 am

Edit: I'm an idiot.
Last edited by omega-00 on Fri Jun 12, 2009 5:09 pm, edited 1 time in total.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Fri Jun 12, 2009 12:11 pm

press 'Tab' =)
 
RAket
just joined
Posts: 10
Joined: Sat Sep 08, 2007 7:04 pm

Re: New firewall matcher PCC

Fri Jun 12, 2009 1:35 pm

Hello,
is the new PCC matcher a proprietary Mikrotik solution or an implementation of open source code? I am interested in how this new thing works. Many thanks.
read the link in the first post of this thread. it's very simple, there is nothing special
Thank you,
I read it, but there's still a question. Is the PCC matcher closed or OSS?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Fri Jun 12, 2009 2:41 pm

AFAIK MT uses only Vanilla Kernel, all other code is written by MT. (at least starting from 3.x)

to omega-00: MT gave out a pre-release version to test PCC; it had your syntax, but in the official release of 3.24 the syntax was changed. The example is correct.
 
normis
MikroTik Support
Topic Author
Posts: 26293
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: New firewall matcher PCC

Fri Jun 12, 2009 2:43 pm

Well, not everything; you have to read the RouterOS license provided with each installation.
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Fri Jun 12, 2009 3:36 pm

Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx
Divide traffic into 4 streams and send first 2 on the first gateway. (use both addresses as separator)

Note that this is not per packet load balancing, so it will not be 50/25/25 all the time. - More connections/clients you will have closer to those numbers you will get.
Can I add these rules:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/1 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/2 \
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/3 \
action=mark-connection new-connection-mark=wlan3_conn passthrough=yes

so most of the connections will be made to WAN1, then WAN2 and WAN3. I know that it will not be 50/25/25.

or about stream - how to make streams? Using queues?

Tnx
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Fri Jun 12, 2009 5:08 pm

AFAIK MT uses only Vanilla Kernel, all other code is written by MT. (at least starting from 3.x)

to omega-00: MT gave out a pre-release version to test PCC; it had your syntax, but in the official release of 3.24 the syntax was changed. The example is correct.
Completely correct, the wrong (pre-release) version was uploaded onto 2 routers and upgraded. Funnily enough they seem to be working fine, but I'm waiting until early morning to downgrade and re-upgrade.
:(
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Tue Jun 16, 2009 5:44 pm

Following discussions about ECMP with Masquerade and similar, we have made a new firewall matcher that will allow you more control and hopefully will overcome the previous limitations, read on:

http://wiki.mikrotik.com/wiki/PCC#Introduction
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1


/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping

Are the add address lines wrong? 10.111.0.24 is wlan2, and in the route 10.111.0.1 is wlan1?????
 
wispnz
just joined
Posts: 9
Joined: Sun Mar 15, 2009 7:38 am

Re: New firewall matcher PCC

Wed Jun 17, 2009 6:16 pm

Hi everyone!

When I use the configuration method described in the MT wiki for PCC http://wiki.mikrotik.com/wiki/PCC#Introduction,
the system works fine until you enable a hotspot! Then DNS screws up and the Hotspot login page does not appear.
If you disable the hotspot again then all returns to normal.

When using Omega's configuration example, which he so kindly provided, the system works fine and also functions correctly when activating the hotspot feature.

So my question to MT is: why does the Wiki example for PCC config not work in conjunction with an active hotspot, while Omega's example does?

Info on this would be greatly appreciated :)

(ATM I am using a modified version of Omega's configs which works fine; I just thought this needed to be highlighted for people who are struggling with getting Hotspot+PCC working)
My current "inbound routing + PCC on outbound routing" implementation.

I know NetworkPro was looking for something like this recently so I hope this helps some people out:
# allow multiple inbound connections on dynamic (adsl) interfaces
/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 connection-state=new disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 connection-state=new disabled=no new-routing-mark=wan2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark new established connection wan1" connection-state=established disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark new established connection wan2" connection-state=established disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new established route wan1" connection-mark=wan1 connection-state=established disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new established route wan2" connection-mark=wan2 connection-state=established disabled=no new-routing-mark=wan2 passthrough=no

# round robin outbound traffic routing, based on src port and src address
/ip firewall mangle    
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/0 action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Hotspot per-connection-classifier=src-address-and-port:2/1 action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes
add chain=prerouting connection-mark=wan1_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan1
add chain=prerouting connection-mark=wan2_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan2
 
MrIC
Frequent Visitor
Posts: 66
Joined: Tue Jan 13, 2009 11:34 pm

Re: New firewall matcher PCC

Thu Jun 18, 2009 1:56 am

I'm trying to load balance 3 lines using PCC.

this is my config
/ ip address
add address=192.168.100.1/24 network=192.168.100.0 broadcast=192.168.100.255 interface=Local
add address=192.168.0.5/24 network=192.168.0.0 broadcast=192.168.0.255 interface=WAN1
add address=192.168.1.5/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN2
add address=192.168.2.5/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN3

/ ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=WAN3
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=WAN3

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=WAN3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=3 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
add chain=srcnat out-interface=WAN3 action=masquerade
but it didn't work.
Where is the problem?
 
wispnz
just joined
Posts: 9
Joined: Sun Mar 15, 2009 7:38 am

Re: New firewall matcher PCC

Thu Jun 18, 2009 2:11 am

Here is one mistake that I could pick up:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes


Should be :

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes


You had per-connection-classifier=both-addresses:3/1 twice instead of 3/2

Kind Regards,
Arno
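A static check for the mistake Arno spotted, written as an added example (not code from the thread or from MikroTik): it parses exported /ip firewall mangle lines and reports duplicated or missing PCC remainders, PCC rules outside prerouting or lacking dst-address-type=!local, and connection marks that no mark-routing rule picks up. It also computes the share each mark gets under a weighted layout such as godovic's 4/0 + 4/1 on one WAN. The sample rules are constructed from the configurations posted in this thread.

```python
import re
from collections import defaultdict

# Added example, not from the thread or from MikroTik. Parses the "add key=value ..." export
# format only; quoted values containing spaces are not handled (none are needed here).
KV_RE = re.compile(r"(\S+?)=(\S+)")
PCC_RE = re.compile(r"^(?P<mode>[a-z-]+):(?P<den>\d+)/(?P<rem>\d+)$")


def parse_rules(config_text):
    """One dict per 'add ...' line; backslash line continuations are joined first."""
    rules = []
    for line in config_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(KV_RE.findall(line[4:])))
    return rules


def check_pcc(config_text):
    """Sorted list of problems in the PCC mangle rules; an empty list means no finding."""
    rules = parse_rules(config_text)
    problems = []
    routed_marks = {r["connection-mark"] for r in rules
                    if r.get("action") == "mark-routing" and "connection-mark" in r}
    by_classifier = defaultdict(list)  # (mode, denominator) -> [(remainder, mark)]
    for r in rules:
        pcc = r.get("per-connection-classifier")
        if pcc is None:
            continue
        m = PCC_RE.match(pcc)
        if m is None:
            problems.append(f"unparseable classifier {pcc!r}")
            continue
        mode, den, rem = m["mode"], int(m["den"]), int(m["rem"])
        mark = r.get("new-connection-mark", "?")
        if rem >= den:
            problems.append(f"{mode}:{den}/{rem}: remainder must be below {den}")
        if r.get("chain") != "prerouting":
            problems.append(f"{mark}: PCC rule sits in chain {r.get('chain')}, expected prerouting")
        if r.get("dst-address-type") != "!local":
            problems.append(f"{mark}: no dst-address-type=!local, traffic to the router itself "
                            "would be classified as well")
        if mark not in routed_marks:
            problems.append(f"{mark}: no mark-routing rule picks up this connection mark")
        by_classifier[(mode, den)].append((rem, mark))
    for (mode, den), entries in by_classifier.items():
        marks_by_rem = defaultdict(list)
        for rem, mark in entries:
            marks_by_rem[rem].append(mark)
        for rem, marks in marks_by_rem.items():
            if len(marks) > 1:  # the duplicated 3/1 from MrIC's post lands here
                problems.append(f"{mode}:{den}/{rem} used {len(marks)} times ({', '.join(marks)})")
        missing = [str(x) for x in range(den) if x not in marks_by_rem]
        if missing:
            problems.append(f"{mode}:{den}: remainder(s) {', '.join(missing)} never matched, "
                            "those connections get no connection mark")
    return sorted(problems)


def expected_shares(config_text):
    """Fraction of new connections each mark receives, assuming the hash spreads evenly."""
    shares = defaultdict(float)
    for r in parse_rules(config_text):
        m = PCC_RE.match(r.get("per-connection-classifier", ""))
        if m:
            shares[r["new-connection-mark"]] += 1 / int(m["den"])
    return dict(shares)


# Constructed from MrIC's post: 3/1 appears twice, 3/2 never.
BROKEN_MANGLE = """
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:3/1 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=WAN3
"""
FIXED_MANGLE = BROKEN_MANGLE.replace(
    "3/1 action=mark-connection new-connection-mark=WAN3_conn",
    "3/2 action=mark-connection new-connection-mark=WAN3_conn")

# Constructed from godovic's weighted layout (two of four streams on wlan1), with routing rules.
WEIGHTED_MANGLE = """
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/0 \\
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/1 \\
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/2 \\
action=mark-connection new-connection-mark=wlan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:4/3 \\
action=mark-connection new-connection-mark=wlan3_conn passthrough=yes
add chain=prerouting connection-mark=wlan1_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan1
add chain=prerouting connection-mark=wlan2_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan2
add chain=prerouting connection-mark=wlan3_conn in-interface=Local action=mark-routing new-routing-mark=to_wlan3
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_MANGLE), ("fixed", FIXED_MANGLE), ("weighted", WEIGHTED_MANGLE)):
        print(name, check_pcc(cfg) or "ok", expected_shares(cfg))
```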
 
MrIC
Frequent Visitor
Posts: 66
Joined: Tue Jan 13, 2009 11:34 pm

Re: New firewall matcher PCC

Thu Jun 18, 2009 3:37 am

Thanks mate. It's my mistake.
I will try.
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Thu Jun 18, 2009 9:46 am

No one answered my question. Can I use:

4/0 mark new connection mark wlan1
4/1 mark new connection mark wlan1
4/2 mark new connection mark wlan2
4/3 mark new connection mark wlan3

so wlan1 will become more forced ?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Thu Jun 18, 2009 1:43 pm

Do you really need a blessing to try it?

I did write you to do it like this. Where is the problem?
Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx
Divide traffic into 4 streams and send first 2 on the first gateway. (use both addresses as separator)

Note that this is not per packet load balancing, so it will not be 50/25/25 all the time. - More connections/clients you will have closer to those numbers you will get.
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Thu Jun 18, 2009 1:56 pm

Do you really need a blessing to try it?

I did write you to do it like this. Where is the problem?
Both examples are correct.. so what is the difference?
How can I force one WAN port with 50% and the two others WAN ports with 25%?

tnx
Divide traffic into 4 streams and send first 2 on the first gateway. (use both addresses as separator)

Note that this is not per packet load balancing, so it will not be 50/25/25 all the time. - More connections/clients you will have closer to those numbers you will get.
I am sorry... I just asked how to divide traffic into streams? Using queues or ?? Cannot find it .. sorry
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Thu Jun 18, 2009 2:50 pm

PCC mangle will make 4 routing marks, then you need to create a route for every routing mark - very similar as is shown in the wiki example.
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Fri Jun 19, 2009 12:17 am

I have successfully configured an RB493AH with PCC, thanks to all, and it seems to work well :)

I have a situation with three WAN ports ADSL, Cable and dedicated line with static IP pool - xx.yy.zz.56/29 (xx.yy.zz.56 to xx.yy.zz.63), so my gateway at the internet provider is xx.yy.zz.57, and I am using now just xx.yy.zz.58 for NAT and xx.yy.zz.59 for the mail server.

The mail server is on the ether5 with master port WAN2 (like switch).

My problem is that when I do a traceroute from the LAN to the mail server (with IP xx.yy.zz.59) via WAN (xx.yy.zz.58), packets go first to my provider's gateway (xx.yy.zz.57) ???

The .58 and .59 are on the same mikrotik :( Why is the route going to the internet provider and back again?
In /IP address the WAN port is set up correctly as xx.yy.zz.58/29, so it knows the pool?


Where am I wrong?
 
wispnz
just joined
Posts: 9
Joined: Sun Mar 15, 2009 7:38 am

Re: New firewall matcher PCC

Fri Jun 19, 2009 5:14 am

Hi there, any ideas or answers on my previous question: why does MT's PCC example not work when you enable the Hotspot feature, but Omega's does?

Thanks!
Arno
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Fri Jun 19, 2009 8:35 am

For that we will need to see your configuration --> create another topic, or just send mail to support@mikrotik.com - let them take a look.
 
chapex
Member Candidate
Posts: 138
Joined: Wed May 30, 2007 1:23 am
Location: Patagónia Argentina

Re: New firewall matcher PCC

Tue Jun 23, 2009 8:30 am

Is it possible to direct a bigger percentage towards one interface? Example: 50% - 25% - 25% (working with three lines) (similar to nth, but avoiding its problems).

regards
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Tue Jun 23, 2009 12:11 pm

Yes. Just divide your traffic into 4 streams, mark streams 1 & 2 with routing_mark 1, stream 3 = routing_mark 2, stream 4 = routing_mark 3.
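As an added example of the stream-to-WAN mapping Chupaka describes (not code from the thread or from MikroTik), the simulation below classifies constructed random connections into 4 streams and sends streams 0 and 1 to WAN1. RouterOS does not publish the hash behind per-connection-classifier, so sha256 over the selected fields is an assumed stand-in; the WAN names, the 192.168.0.0/24 clients and the 203.0.113.5 server are constructed. It also shows why both-addresses keeps a client's whole session to one server on a single WAN while src-address-and-port spreads it, which is the behaviour behind the banking-session complaints later in the thread.

```python
import hashlib
import random
from collections import Counter

# Added example, not from the thread or from MikroTik. sha256 is an assumed stand-in for
# RouterOS's unpublished classifier hash; the property that matters is preserved:
# identical field values always fall into the same stream.


def pcc_remainder(fields, denominator):
    """Stream index (0..denominator-1) for a tuple of classifier fields."""
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % denominator


def classifier_fields(conn, mode):
    """Pick the fields a PCC mode hashes from a (src, sport, dst, dport) connection."""
    src, sport, dst, dport = conn
    return {
        "src-address": (src,),
        "dst-address": (dst,),
        "both-addresses": (src, dst),
        "src-address-and-port": (src, sport),
        "both-addresses-and-ports": (src, sport, dst, dport),
    }[mode]


# 4 streams; remainders 0 and 1 both go to WAN1, giving the 50/25/25 split asked about.
WEIGHTED_MAP = {0: "WAN1", 1: "WAN1", 2: "WAN2", 3: "WAN3"}


def choose_wan(conn, mode="both-addresses", stream_map=WEIGHTED_MAP):
    return stream_map[pcc_remainder(classifier_fields(conn, mode), len(stream_map))]


def wan_shares(n_conns, mode="both-addresses", seed=7):
    """Fraction of constructed random connections that land on each WAN."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_conns):
        src = f"192.168.0.{rng.randrange(2, 254)}"
        dst = (f"{rng.randrange(1, 224)}.{rng.randrange(256)}."
               f"{rng.randrange(256)}.{rng.randrange(1, 255)}")
        counts[choose_wan((src, rng.randrange(1024, 65536), dst, 443), mode)] += 1
    return {wan: counts[wan] / n_conns for wan in ("WAN1", "WAN2", "WAN3")}


def wans_used_by_session(src, dst, mode, n_conns=50):
    """WANs that one client's repeated connections to one server (e.g. a web banking
    session opening many TCP connections from different source ports) are spread over."""
    return {choose_wan((src, 40000 + i, dst, 443), mode) for i in range(n_conns)}


if __name__ == "__main__":
    print(wan_shares(20000))  # roughly {"WAN1": 0.5, "WAN2": 0.25, "WAN3": 0.25}
    for mode in ("both-addresses", "src-address-and-port"):
        print(mode, wans_used_by_session("192.168.0.10", "203.0.113.5", mode))
```

The shares only approach 50/25/25 as the number of connections grows, which is the caveat macgaiver gave: this is per-connection, not per-packet, balancing.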
 
chapex
Member Candidate
Posts: 138
Joined: Wed May 30, 2007 1:23 am
Location: Patagónia Argentina

Re: New firewall matcher PCC

Wed Jun 24, 2009 7:10 am

thanks chupaka!

regards
 
soporte_tecnico
just joined
Posts: 18
Joined: Wed May 14, 2008 4:39 pm
Location: Buenos Aires

Re: New firewall matcher PCC

Wed Jun 24, 2009 6:00 pm

Hello everyone,
the problem is that the videos on youtube, and some websites, cut out.
On the youtube website I press F5 to refresh from the browser many times.
This is my configuration.
3 lines, all equal: 3MB download, 256Kbs upload (ADSL WANs).

Mangle


0 chain=input action=mark-connection new-connection-mark=Telefonica1_conn passthrough=yes in-interface=Telefonica1

1 chain=input action=mark-connection new-connection-mark=Telefonica2_conn passthrough=yes in-interface=Telefonica2

2 chain=input action=mark-connection new-connection-mark=Telefonica3_conn passthrough=yes in-interface=Telefonica3

3 chain=output action=mark-routing new-routing-mark=to_Telefonica1 passthrough=yes connection-mark=Telefonica1_conn

4 chain=output action=mark-routing new-routing-mark=to_Telefonica2 passthrough=yes connection-mark=Telefonica2_conn

5 chain=output action=mark-routing new-routing-mark=to_Telefonica3 passthrough=yes connection-mark=Telefonica3_conn

6 chain=prerouting action=mark-connection new-connection-mark=Telefonica1_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses:3/0

7 chain=prerouting action=mark-connection new-connection-mark=Telefonica2_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses:3/1

8 chain=prerouting action=mark-connection new-connection-mark=Telefonica3_conn passthrough=yes dst-address-type=!local
in-interface=Local per-connection-classifier=both-addresses:3/2

9 chain=prerouting action=mark-routing new-routing-mark=to_Telefonica1 passthrough=yes in-interface=Local
connection-mark=Telefonica1_conn

10 chain=prerouting action=mark-routing new-routing-mark=to_Telefonica2 passthrough=yes in-interface=Local
connection-mark=Telefonica2_conn

11 chain=prerouting action=mark-routing new-routing-mark=to_Telefonica3 passthrough=yes in-interface=Local
connection-mark=Telefonica3_conn

12 ;;; Marking LAN traffic connections
chain=forward action=mark-connection new-connection-mark=users-con passthrough=yes src-address=192.168.1.0/24

13 ;;; Marking LAN connection packets
chain=forward action=mark-packet new-packet-mark=users passthrough=yes connection-mark=users-con

Route

# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable Telefonica1 1 Telefonica1
1 A S 0.0.0.0/0 reachable Telefonica1 1 Telefonica1
2 A S 0.0.0.0/0 reachable Telefonica2 1 Telefonica2
3 A S 0.0.0.0/0 reachable Telefonica3 1 Telefonica3
4 S 0.0.0.0/0 reachable Telefonica3 3 Telefonica3
5 S 0.0.0.0/0 reachable Telefonica2 2 Telefonica2
6 A S 168.226.214.43/32 reachable Telefonica1 1 Telefonica1
7 ADC 192.168.1.0/24 192.168.1.1 0 Local
8 ADC 200.51.241.209/32 168.226.214.43 0 Telefonica1
9 ADC 200.51.241.227/32 190.48.248.249 0 Telefonica3
10 ADC 200.51.241.233/32 201.254.124.172 0 Telefonica2


Nat

7 chain=srcnat action=masquerade out-interface=Telefonica1

8 chain=srcnat action=masquerade out-interface=Telefonica2

9 chain=srcnat action=masquerade out-interface=Telefonica3
 
gustkiller
Member
Posts: 419
Joined: Sat Jan 07, 2006 5:15 am
Location: Brazil

Re: New firewall matcher PCC

Wed Jun 24, 2009 6:14 pm

Going to test the omega setup because the wiki example screws up the hotspot :(
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Wed Jun 24, 2009 6:29 pm

I believe my example still has a few kinks to be worked out too, seems to work ok with webpages but I'm getting some reports that things like xbox games that make multiple connections over time don't like it very much.

Will post if I find a config that works better but would be happy for anyone else to make suggestions also.

Note that this is only the outbound connections, inbound works perfectly for me.
 
soporte_tecnico
just joined
Posts: 18
Joined: Wed May 14, 2008 4:39 pm
Location: Buenos Aires

Re: New firewall matcher PCC

Wed Jun 24, 2009 7:30 pm

Hi omega 00

The same thing happens with the game diablo2 and online
 
tiagom
just joined
Posts: 21
Joined: Thu Jun 30, 2005 3:48 pm
Location: Ariquemes - Rondonia - Brasil

Re: New firewall matcher PCC

Thu Jun 25, 2009 6:53 pm

Hello staff,
I did some load balancing with PCC, in particular with the improvements in omega-00's rules; I took out some things that I thought were not needed, and only added the wiki's rules in the INPUT and OUTPUT chains for NEW STATE CONNECTIONS, and that solved the problem of opening the hotspot authentication page.
But some other problems appeared, such as:
1 - It has been reported that at first the top of youtube videos does not open
2 - Once the client communicates directly through the PCC balancing with the valid IP ranges that the mikrotik server uses for this load balancing, the client goes out to the internet to communicate with the network itself; to solve it, just take the IP ranges that the mikrotik server uses out of the cache.
3 - When you make a bank transaction the IP changes, so the bank logs the customer out because it thinks he is on another machine; this is handled the same way as above, taking the ranges out of the IP cache.
4 - Sometimes Internet pages expire, as if they were not online, and you have to press F5 to open them again.
5 - There is no possibility to use an external proxy for customers who use the internet through this load balancing.

Apart from these details the balancing is very good; I believe that mikrotik will solve the problem soon.

Tiago Matias
 
tiagom
just joined
Posts: 21
Joined: Thu Jun 30, 2005 3:48 pm
Location: Ariquemes - Rondonia - Brasil

Re: New firewall matcher PCC

Thu Jun 25, 2009 7:18 pm

A photo of a load balancer with 7 WANs working well
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Fri Jun 26, 2009 12:16 pm

Hello staff,
I did some load balancing with PCC, in particular with the improvements in omega-00's rules; I took out some things that I thought were not needed, and only added the wiki's rules in the INPUT and OUTPUT chains for NEW STATE CONNECTIONS, and that solved the problem of opening the hotspot authentication page.
But some other problems appeared, such as:
1 - It has been reported that at first the top of youtube videos does not open
2 - Once the client communicates directly through the PCC balancing with the valid IP ranges that the mikrotik server uses for this load balancing, the client goes out to the internet to communicate with the network itself; to solve it, just take the IP ranges that the mikrotik server uses out of the cache.
3 - When you make a bank transaction the IP changes, so the bank logs the customer out because it thinks he is on another machine; this is handled the same way as above, taking the ranges out of the IP cache.
4 - Sometimes Internet pages expire, as if they were not online, and you have to press F5 to open them again.
5 - There is no possibility to use an external proxy for customers who use the internet through this load balancing.

Apart from these details the balancing is very good; I believe that mikrotik will solve the problem soon.

Tiago Matias
What is your PCC configuration??? In the case of "both-addresses", problems 1, 3 and 4 should be out of the picture.

I would also add a rule so that the closest (ISPs') networks will always be routed to the corresponding interface (that should solve 2.)
 
tiagom
just joined
Posts: 21
Joined: Thu Jun 30, 2005 3:48 pm
Location: Ariquemes - Rondonia - Brasil

Re: New firewall matcher PCC

Sat Jun 27, 2009 4:11 am

Hello staff,
I did some load balancing with PCC, in particular with the improvements in omega-00's rules; I took out some things that I thought were not needed, and only added the wiki's rules in the INPUT and OUTPUT chains for NEW STATE CONNECTIONS, and that solved the problem of opening the hotspot authentication page.
But some other problems appeared, such as:
1 - It has been reported that at first the top of youtube videos does not open
2 - Once the client communicates directly through the PCC balancing with the valid IP ranges that the mikrotik server uses for this load balancing, the client goes out to the internet to communicate with the network itself; to solve it, just take the IP ranges that the mikrotik server uses out of the cache.
3 - When you make a bank transaction the IP changes, so the bank logs the customer out because it thinks he is on another machine; this is handled the same way as above, taking the ranges out of the IP cache.
4 - Sometimes Internet pages expire, as if they were not online, and you have to press F5 to open them again.
5 - There is no possibility to use an external proxy for customers who use the internet through this load balancing.

Apart from these details the balancing is very good; I believe that mikrotik will solve the problem soon.

Tiago Matias
What is your PCC configuration??? In the case of "both-addresses", problems 1, 3 and 4 should be out of the picture.

I would also add a rule so that the closest (ISPs') networks will always be routed to the corresponding interface (that should solve 2.)

My PCC setup is below:
My interfaces
WAN interfaces:
ether1, ether2, ether3, ether4, ether5, ether6 and ether7
LAN interface: ether9-Clientes

My mangle
/ip firewall mangle
add action=accept chain=prerouting comment="out load DST" disabled=no dst-address-list=rede-interna in-interface=ether9-Clientes
add action=mark-connection chain=input comment=ether1_conn connection-state=new disabled=no in-interface=ether1 new-connection-mark=ether1_conn passthrough=yes
add action=mark-connection chain=input comment=ether2_conn connection-state=new disabled=no in-interface=ether2 new-connection-mark=ether2_conn passthrough=yes
add action=mark-connection chain=input comment=ether3_conn connection-state=new disabled=no in-interface=ether3 new-connection-mark=ether3_conn passthrough=yes
add action=mark-connection chain=input comment=ether4_conn connection-state=new disabled=no in-interface=ether4 new-connection-mark=ether4_conn passthrough=yes
add action=mark-connection chain=input comment=ether5_conn connection-state=new disabled=no in-interface=ether5 new-connection-mark=ether5_conn passthrough=yes
add action=mark-connection chain=input comment=ether6_conn connection-state=new disabled=no in-interface=ether6 new-connection-mark=ether6_conn passthrough=yes
add action=mark-connection chain=input comment=ether7_conn connection-state=new disabled=no in-interface=ether7 new-connection-mark=ether7_conn passthrough=yes
add action=mark-routing chain=output comment=to_ether1 connection-mark=ether1_conn connection-state=new disabled=no new-routing-mark=to_ether1 passthrough=no
add action=mark-routing chain=output comment=to_ether2 connection-mark=ether2_conn connection-state=new disabled=no new-routing-mark=to_ether2 passthrough=no
add action=mark-routing chain=output comment=to_ether3 connection-mark=ether3_conn connection-state=new disabled=no new-routing-mark=to_ether3 passthrough=no
add action=mark-routing chain=output comment=to_ether4 connection-mark=ether4_conn connection-state=new disabled=no new-routing-mark=to_ether4 passthrough=no
add action=mark-routing chain=output comment=to_ether5 connection-mark=ether5_conn connection-state=new disabled=no new-routing-mark=to_ether5 passthrough=no
add action=mark-routing chain=output comment=to_ether6 connection-mark=ether6_conn connection-state=new disabled=no new-routing-mark=to_ether6 passthrough=no
add action=mark-routing chain=output comment=to_ether7 connection-mark=ether7_conn connection-state=new disabled=no new-routing-mark=to_ether7 passthrough=no
add action=mark-connection chain=prerouting comment=ether1_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/0
add action=mark-connection chain=prerouting comment=ether2_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/1
add action=mark-connection chain=prerouting comment=ether3_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/2
add action=mark-connection chain=prerouting comment=ether4_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/3
add action=mark-connection chain=prerouting comment=ether5_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether5_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/4
add action=mark-connection chain=prerouting comment=ether6_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether6_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/5
add action=mark-connection chain=prerouting comment=ether7_conn disabled=no dst-address-type=!local in-interface=ether9-Clientes new-connection-mark=ether7_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:7/6
add action=mark-routing chain=prerouting comment=to_ether1 connection-mark=ether1_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether1 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether2 connection-mark=ether2_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether2 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether3 connection-mark=ether3_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether3 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether4 connection-mark=ether4_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether4 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether5 connection-mark=ether5_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether5 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether6 connection-mark=ether6_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether6 passthrough=no
add action=mark-routing chain=prerouting comment=to_ether7 connection-mark=ether7_conn disabled=no in-interface=ether9-Clientes new-routing-mark=to_ether7 passthrough=no

My NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether3
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether4
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether5
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether6
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether7

My route
/ip route
add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=189.19.x.x scope=30 target-scope=10
add comment=link2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=189.19.86.1 routing-mark=to_ether1 scope=30 target-scope=10
add comment=link2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_ether2 scope=30 target-scope=10
add comment=link3 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_ether3 scope=30 target-scope=10
add comment=link6 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.253.253 routing-mark=to_ether6 scope=30 target-scope=10
add comment=link5 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.5.1 scope=30 target-scope=10
add comment=link3 disabled=no distance=3 dst-address=0.0.0.0/0 gateway=10.1.1.1 scope=30 target-scope=10
add comment=link4 disabled=no distance=4 dst-address=0.0.0.0/0 gateway=200.161.x.x scope=30 target-scope=10
add comment=link6 disabled=no distance=6 dst-address=0.0.0.0/0 gateway=172.16.253.253 scope=30 target-scope=10
add comment=link4 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.161.x.x routing-mark=to_ether4 scope=30 target-scope=10
add comment=link5 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to_ether5 scope=30 target-scope=10
add comment=link7 disabled=no distance=7 dst-address=0.0.0.0/0 gateway=172.16.254.252 scope=30 target-scope=10
add comment=link7 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.254.252 routing-mark=to_ether7 scope=30 target-scope=10
I am using:
per-connection-classifier = both-addresses-and-ports
Only in this way could I add up the links when doing a download with a download management application.
I have not tested using the classifier with just both-addresses; I will test it to see whether it fixes the problems with the YouTube videos and some pages freezing.

Examine how it is, test the rules, and we can leave it in the best way possible.
Grateful
 
User avatar
maaking2
just joined
Posts: 8
Joined: Fri Jun 01, 2007 7:15 pm
Location: Gaza, Palestine
Contact:

Re: New firewall matcher PCC

Sun Jun 28, 2009 2:10 pm


Hello,

I'm using the example posted by: tiagom


my source is 6 gateways adsl and wireless internet each one is (128kbps).

I have setup this on my router and all traffic goes to ether1 only.

there were 25 users online, and all were taking internet from ether1

all my users are connected through ether9-Clients, via PPPOE each one has PPPOE username and password.

my question is:

- how can i get users to use other connections ether2,ether3,ether4... (divide traffic)

- i need to use the full speed of these gateways.
each gateway is (128kbps) so i should get 768kps


thanks



 
tiagom
just joined
Posts: 21
Joined: Thu Jun 30, 2005 3:48 pm
Location: Ariquemes - Rondonia - Brasil
Contact:

Re: New firewall matcher PCC

Sun Jun 28, 2009 5:42 pm


Hello,

I'm using the example posted by: tiagom


my source is 6 gateways adsl and wireless internet each one is (128kbps).

I have setup this on my router and all traffic goes to ether1 only.

there were 25 users online, and all were taking internet from ether1

all my users are connected through ether9-Clients, via PPPOE each one has PPPOE username and password.

my question is:

- how can i get users to use other connections ether2,ether3,ether4... (divide traffic)

- i need to use the full speed of these gateways.
each gateway is (128kbps) so i should get 768kps


thanks




Hello maaking2,
I also tested PCC load balancing with customers connected via PPPoE, and the problem we realized is that each client connected via PPPoE is itself a virtual interface, so you would have to create a rule for each client that connects via PPPoE. I believe that is not right, and I believe also that mikrotik will solve this problem.
I have some clients that use PPPoE authentication for their own clients; in the case of my clients I did the PCC load balancing on a routerboard in front, and this routerboard shares the Internet to a server that runs as a PPPoE server.

Let's hope and expect that mikrotik can adjust it so that the same machine that has the PCC load balancing can also have the hotspot server and PPPoE server.

Tiago Matias
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Sun Jun 28, 2009 7:39 pm

- i need to use the full speed of these gateways.
each gateway is (128kbps) so i should get 768kps
at first, it's not possible to get 768 kbps for a single connection

second - do not use others' examples without understanding them! your clients come from pppoe interfaces, so "in-interface=ether9-Clientes" does not make sense. use something like 'src-address=your_pppoe_address_pool'
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Mon Jun 29, 2009 8:43 am

to tiagom: "both-addresses-and-ports" is the problem. Use "both-addresses"
 
tiagom
just joined
Posts: 21
Joined: Thu Jun 30, 2005 3:48 pm
Location: Ariquemes - Rondonia - Brasil
Contact:

Re: New firewall matcher PCC

Tue Jun 30, 2009 8:42 pm

to tiagom: "both-addresses-and-ports" is the problem. Use "both-addresses"
still the videos on youtube need to refresh the page to load, but all sites have stopped giving site expired
 
User avatar
chapex
Member Candidate
Member Candidate
Posts: 138
Joined: Wed May 30, 2007 1:23 am
Location: Patagónia Argentina
Contact:

Re: New firewall matcher PCC

Sat Jul 04, 2009 9:37 pm

Is it possible for web-proxy and PCC balancing to coexist? ... Previously it was not possible, due to the fact that the output of the web-proxy takes one of its own exit chains.

regards
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: New firewall matcher PCC

Sat Jul 04, 2009 10:26 pm

Mikrotik, PCC looks like a great facility. And whether it's open source or not, any addition that makes Mikrotik stand out, but still gives users freedom is great. As long as it works, and stable, etc. go for it. EoIP seems to have taken off quite well too I must say.

Thanks for the great work Mikrotik!
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Mon Jul 06, 2009 11:05 am

Is it possible for web-proxy and PCC balancing to coexist? ... Previously it was not possible, due to the fact that the output of the web-proxy takes one of its own exit chains.
yes, you should use 'Mangle Output' to redistribute proxy's output between different routing marks
 
soporte_tecnico
just joined
Posts: 18
Joined: Wed May 14, 2008 4:39 pm
Location: Buenos Aires

Re: New firewall matcher PCC

Mon Jul 06, 2009 11:19 am

Hi all
is there an example of how to redistribute it?
 
soporte_tecnico
just joined
Posts: 18
Joined: Wed May 14, 2008 4:39 pm
Location: Buenos Aires

Re: New firewall matcher PCC

Mon Jul 06, 2009 1:36 pm

for example, we have 3 WANs with PCC and the same web proxy server, but it always goes out of the WAN on port 80.
And honestly I could not redistribute it.

Thank all
 
Nevyn357
just joined
Posts: 13
Joined: Tue Jul 07, 2009 12:24 am

Re: New firewall matcher PCC

Tue Jul 07, 2009 12:29 am

How long are the idle connections kept before they're removed from the connection table and it counts as new? (ie. If I have a connection, then walk away for x amount of minutes, come back and refresh and it goes out a different WAN connection due to the first connection expiring - what is x?)

Thanks,
Greg
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Jul 07, 2009 1:53 am

How long are the idle connections kept before they're removed from the connection table and it counts as new? (ie. If I have a connection, then walk away for x amount of minutes, come back and refresh and it goes out a different WAN connection due to the first connection expiring - what is x?)
that's not about PCC. if you use 'src-dst-address' classifier and address of the server you are connecting to is constant, then you will always go through the same gateway, because the hash function PCC is using is deterministic
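To make concrete why macgaiver's "use both-addresses" advice above fixes the bank-session problem and why Chupaka says the gateway choice is deterministic, here is an added Python model of PCC selection (example code written for this thread, not RouterOS code or anyone's posted configuration). The SHA-256 stand-in hash, the Conn type, the sample addresses and the rule lists are assumptions; the real PCC hash algorithm is not described in the thread.

```python
"""Model of RouterOS per-connection-classifier (PCC) selection.

Added example, not code from the MikroTik forum thread or from RouterOS.
The real PCC hash is not documented in the thread, so a SHA-256 based
stand-in is used (an assumption); the property the thread relies on, that
the hash is deterministic and depends only on the classifier's fields,
holds for any such hash.
"""
import hashlib
from dataclasses import dataclass

# Fields selected by each classifier value (RouterOS spelling).
CLASSIFIER_FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "src-port": ("sport",),
    "dst-port": ("dport",),
    "both-addresses": ("src", "dst"),
    "both-ports": ("sport", "dport"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
    "src-address-and-port": ("src", "sport"),
    "dst-address-and-port": ("dst", "dport"),
}


@dataclass(frozen=True)
class Conn:
    """The 4-tuple of one connection as seen in the prerouting chain."""
    src: str
    dst: str
    sport: int
    dport: int


def parse_pcc(spec):
    """Parse 'classifier:denominator/remainder' as written in a mangle rule."""
    classifier, _, frac = spec.partition(":")
    denominator, _, remainder = frac.partition("/")
    if classifier not in CLASSIFIER_FIELDS:
        raise ValueError(f"unknown classifier {classifier!r}")
    d, r = int(denominator), int(remainder)
    if d < 1 or not 0 <= r < d:
        raise ValueError(f"remainder {r} not in 0..{d - 1}")
    return classifier, d, r


def pcc_hash(conn, classifier):
    """Stand-in 32-bit hash over only the fields the classifier selects."""
    parts = [str(getattr(conn, f)) for f in CLASSIFIER_FIELDS[classifier]]
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def pcc_matches(conn, spec):
    """True when the rule's remainder equals hash mod denominator."""
    classifier, denominator, remainder = parse_pcc(spec)
    return pcc_hash(conn, classifier) % denominator == remainder


def select_link(conn, rules):
    """rules: ordered (pcc_spec, connection_mark) pairs, as in the prerouting
    chain; returns the first matching mark, or None if no rule matches."""
    for spec, mark in rules:
        if pcc_matches(conn, spec):
            return mark
    return None


def links_used(conns, rules):
    """Set of connection marks a group of connections ends up with."""
    return {select_link(c, rules) for c in conns}


# Constructed sample: one client opening 200 successive connections to the
# same bank server; only the source port changes between them.
BANK_CONNS = [Conn("192.168.2.50", "203.0.113.10", 50000 + i, 443)
              for i in range(200)]

RULES_ADDRESSES = [("both-addresses:2/0", "adsl1_conn"),
                   ("both-addresses:2/1", "adsl2_conn")]
RULES_ADDR_PORTS = [("both-addresses-and-ports:2/0", "adsl1_conn"),
                    ("both-addresses-and-ports:2/1", "adsl2_conn")]

if __name__ == "__main__":
    # both-addresses keeps every connection of this client/server pair on
    # one link; both-addresses-and-ports spreads them over both links, so
    # the bank sees the client's public IP change between requests.
    print("both-addresses           ->", links_used(BANK_CONNS, RULES_ADDRESSES))
    print("both-addresses-and-ports ->", links_used(BANK_CONNS, RULES_ADDR_PORTS))
```

The same model shows why there is no time component (Nevyn357's question): the mark depends only on the hashed fields, never on when the connection was opened.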
 
Nevyn357
just joined
Posts: 13
Joined: Tue Jul 07, 2009 12:24 am

Re: New firewall matcher PCC

Tue Jul 07, 2009 4:43 pm

Was thinking there was a time based aspect to it - guess I should have just looked over the wiki again. Thanks.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Jul 07, 2009 11:09 pm

it's about ECMP - that's why PCC was introduced, to avoid time aspects of WAN selecting
 
rainmaker
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Fri Jan 30, 2009 9:32 pm

Re: New firewall matcher PCC

Wed Jul 08, 2009 12:14 am

Dear All
Thank for you help so far.
Your examples are aimed at Ethernet users with a static interface.
How can I adapt it to suit a dynamic interface such as a pppoe server?
How should I define the in-interface in this case?


The other problem I have is the uplink mangle rule: what should I do if I am using pppoe with a dynamic IP?

Thanks
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Wed Jul 08, 2009 12:27 am

for your users, you may use 'src-address' instead of 'in-interface'
 
powernetscm
just joined
Posts: 1
Joined: Mon Jul 20, 2009 6:48 pm

Re: New firewall matcher PCC

Fri Jul 24, 2009 11:56 pm

hi, I'm new in the forum

for best performance in PCC, what option can I use:

both addresses or both addresses and ports

or other

tks
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Sat Jul 25, 2009 3:08 pm

it depends on your task and does not affect the performance, I believe
 
grescho
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Fri Apr 24, 2009 11:07 pm
Location: Murcia, Spain
Contact:

Re: New firewall matcher PCC

Fri Aug 07, 2009 2:41 pm

is it possible to use a transparent proxy server with ppc setup?
I'm sure I read somewhere that it isn't possible because PCC classifies each connection coming from the proxy as the same, and therefore sends it to the same interface each time.

If this is the case, is there likely to be a fix or a workaround for this?
If anyone could put me straight I would be grateful.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Aug 07, 2009 2:44 pm

of course you can do it with pcc. just load-balance your outgoing connections by routing-marking in 'output' mangle chain. and use at least 'dst-address' in PCC classifier
 
User avatar
hilton
Long time Member
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: New firewall matcher PCC

Mon Aug 10, 2009 11:02 pm

Chupaka, please confirm something for me.

If I simply want to route say ports 80 and 443 via wan1 and say the rest via wan2, I then DO NOT need PCC, rather policy based routing?

PCC is more for load balancing?

Thanks.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Aug 11, 2009 12:31 pm

of course. PCC is for load balancing only. if you do not need to divide similar traffic into different flows - you do not need PCC
 
User avatar
hilton
Long time Member
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: New firewall matcher PCC

Tue Aug 11, 2009 12:56 pm

Thanks Chupaka.

Can one have a combination of PCC for general load balancing and then policy based routing for a certain traffic?
 
User avatar
NetworkPro
Forum Guru
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos
Contact:

Re: New firewall matcher PCC

Tue Aug 11, 2009 1:28 pm

Yes, static routing will always work. It's a matter of managing the routes themselves.

edit: just exclude whatever is routed statically from the PCC mangle ;)
Last edited by NetworkPro on Fri Sep 04, 2009 11:08 am, edited 1 time in total.
 
User avatar
hilton
Long time Member
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: New firewall matcher PCC

Tue Aug 11, 2009 2:03 pm

Cool, thanks.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Aug 11, 2009 3:36 pm

summing up: with RouterOS you can route almost everything as you need =)
 
User avatar
Muhammad
Member Candidate
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

PCC not working for me

Wed Aug 19, 2009 12:45 pm

Hi, to All Experts
I tried PCC on my setup, but PCC does not work properly for me. I am using version 3.28, 2 WAN and 1 LAN for PPPoE users.
I used 2 configuration examples, one from the Mikrotik wiki and the other from one user.

Here are both of the configuration scripts which I used, but they are not working; please highlight and tell me where my mistake is.

Example 1

My interfaces
WAN Interfaces: WAN1 and WAN2
LAN Interface: LAN


/ ip firewall mangle

add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.20.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.30.0/24 action=accept in-interface=LAN

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=WAN1_conn passthrough=yes

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.20.254 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 distance=2 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

###############################################################
Example 2

My interfaces
WAN Interfaces: WAN1 and WAN2
LAN Interface: LAN


/ip firewall mangle

add action=accept chain=prerouting comment="out load DST" disabled=no dst-address=0.0.0.0/0 in-interface=LAN

add action=mark-connection chain=input comment=WAN1_conn connection-state=new disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment=WAN2_conn connection-state=new disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes

add action=mark-routing chain=output comment=to_WAN1 connection-mark=WAN1_conn connection-state=new disabled=no new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=output comment=to_WAN2 connection-mark=WAN2_conn connection-state=new disabled=no new-routing-mark=to_WAN2 passthrough=no

add action=mark-connection chain=prerouting comment=WAN1_conn disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment=WAN2_conn disabled=no dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1

add action=mark-routing chain=prerouting comment=to_WAN1 connection-mark=WAN1_conn disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=no
add action=mark-routing chain=prerouting comment=to_WAN2 connection-mark=WAN2_conn disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=no

/ip firewall nat

add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2

/ip route

add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.254 scope=30 target-scope=10
add comment=link2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.30.254 scope=30 target-scope=10
add comment=link1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=to_WAN1 scope=30 target-scope=10
add comment=link2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.30.254 routing-mark=to_WAN2 scope=30 target-scope=10


###############################################################
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Wed Aug 19, 2009 8:56 pm

Hi Muhammad.

not working you mean "not matching"?
 
User avatar
Muhammad
Member Candidate
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Re: New firewall matcher PCC

Wed Aug 19, 2009 9:17 pm

Hi Muhammad.

not working you mean "not matching"?
First Thanks for your reply,

not working means that, after using both of those scripts, 100% of my internet traffic is going through WAN1, not 50% on each WAN

I am using a PPPoE server for clients on the LAN interface
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Wed Aug 19, 2009 9:37 pm

Hi Muhammad.

not working you mean "not matching"?
First Thanks for your reply,

not working means that, after using both of those scripts, 100% of my internet traffic is going through WAN1, not 50% on each WAN

I am using a PPPoE server for clients on the LAN interface
Hi, can you post a screenshot of the Firewall/Mangle rules?
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Wed Aug 19, 2009 9:40 pm

Note: you can split only sessions, not the bandwidth consumed by a session.

Assuming that you have 10 Mbps of LAN-to-WAN traffic, each session can consume from 0kps up to 10MBps... (+ or -)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Thu Aug 20, 2009 3:55 am

Muhammad, are there any differences between Example 1 and Example 2?..

and what about your rules with PCC - do they count packets?
 
User avatar
Muhammad
Member Candidate
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Re: New firewall matcher PCC

Thu Aug 20, 2009 4:25 pm

Hi Muhammad.

not working you mean "not matching"?
First Thanks for your reply,

not working means that, after using both of those scripts, 100% of my internet traffic is going through WAN1, not 50% on each WAN

I am using a PPPoE server for clients on the LAN interface
Hi, can you post a screenshot of the Firewall/Mangle rules?
Thanks for reply
here is configuration and screen-shoots

My interfaces
Interfaces WANs: 1 and 2
LAN Interface: LAN

/ ip firewall mangle

add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.20.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.30.0/24 action=accept in-interface=LAN

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=WAN1_conn passthrough=yes

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:2/1 \
action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2

/

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.20.254 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.30.254 distance=2 check-gateway=ping

/

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
[attachments: mangal.JPG (mangle), nat.JPG (ip firewall nat), Route.JPG (route)]
see in the screenshots, all traffic going through WAN1
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Thu Aug 20, 2009 4:38 pm

mmm, can you post a shot of Firewall/Connection section?
 
User avatar
Muhammad
Member Candidate
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Re: New firewall matcher PCC

Thu Aug 20, 2009 5:07 pm

mmm, can you post a shot of Firewall/Connection section?
[attachment: test.JPG]
Last edited by Muhammad on Thu Aug 20, 2009 5:51 pm, edited 1 time in total.
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Thu Aug 20, 2009 5:11 pm

As you can see, Connection Mark is empty!!!!!

If you want, I can access this MT to help you... send me a PM...
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Thu Aug 20, 2009 5:20 pm

A sample PCC...
 
User avatar
Muhammad
Member Candidate
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Re: New firewall matcher PCC

Thu Aug 20, 2009 5:26 pm

As you can see, Connection Mark is empty!!!!!

If you want, I can access this MT to help you... send me a PM...
Thanks for reply
i cant sent a PM
((((((((((You are not authorised to send private messages.)))))))))
:(
if you like, my yahoo ID is: muhammad_eng77
i have teamviewer remote access

Thanks
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Thu Aug 20, 2009 7:11 pm

You need to set in PCC rules "connection-state=new".
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Thu Aug 20, 2009 7:14 pm

On my RB433AH the script works fine... as you are running an RB532... Mikrotik staff, are you sure that the PCC matcher is bug free on the RB532?
 
User avatar
maaking2
just joined
Posts: 8
Joined: Fri Jun 01, 2007 7:15 pm
Location: Gaza, Palestine
Contact:

Re: New firewall matcher PCC

Fri Aug 21, 2009 3:33 pm

Hello Guys,

I have setup the config in:
http://wiki.mikrotik.com/wiki/PCC#Introduction


My router is: RB433ah
Router Os ver = 3.28


here is what i came with:

/ ip address
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Local 
add address=192.168.1.99/24 network=192.168.1.0 broadcast=192.168.1.255 interface=adsl1
add address=192.168.10.10/24 network=192.168.10.0 broadcast=192.168.10.255 interface=adsl2



/ ip firewall mangle
add chain=input in-interface=adsl1 action=mark-connection new-connection-mark=adsl1_conn
add chain=input in-interface=adsl2 action=mark-connection new-connection-mark=adsl2_conn
add chain=output connection-mark=adsl1_conn action=mark-routing new-routing-mark=to_adsl1     
add chain=output connection-mark=adsl2_conn action=mark-routing new-routing-mark=to_adsl2

add chain=prerouting dst-address=192.168.1.0/24  action=accept in-interface=Local 
add chain=prerouting dst-address=192.168.10.0/24  action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0  action=mark-connection new-connection-mark=adsl1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1  action=mark-connection new-connection-mark=adsl2_conn passthrough=yes

add chain=prerouting connection-mark=adsl1_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl1
add chain=prerouting connection-mark=adsl2_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl2



/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_adsl1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_adsl2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2 check-gateway=ping


/ ip firewall nat 
add chain=srcnat out-interface=adsl1 action=masquerade
add chain=srcnat out-interface=adsl2 action=masquerade
[attachment: ff11.JPG]
the problem is:

all traffic goes to adsl1 , not divided to both.

all my clients connect to router via pppoe connection through Local interface.

i check the config several times, but helpless.


from my searches, I noticed that all the people who tested it reported the same bug.


i hope somebody post a fix for it.
 
Muhammad
Member Candidate
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Re: New firewall matcher PCC

Fri Aug 21, 2009 5:00 pm

Hello guys,

I have set up the config from:
http://wiki.mikrotik.com/wiki/PCC#Introduction

My router is: RB433ah
RouterOS version = 3.28

Here is what I came up with:

/ ip address
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=Local 
add address=192.168.1.99/24 network=192.168.1.0 broadcast=192.168.1.255 interface=adsl1
add address=192.168.10.10/24 network=192.168.10.0 broadcast=192.168.10.255 interface=adsl2



/ ip firewall mangle
add chain=input in-interface=adsl1 action=mark-connection new-connection-mark=adsl1_conn
add chain=input in-interface=adsl2 action=mark-connection new-connection-mark=adsl2_conn
add chain=output connection-mark=adsl1_conn action=mark-routing new-routing-mark=to_adsl1     
add chain=output connection-mark=adsl2_conn action=mark-routing new-routing-mark=to_adsl2

add chain=prerouting dst-address=192.168.1.0/24  action=accept in-interface=Local 
add chain=prerouting dst-address=192.168.10.0/24  action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0  action=mark-connection new-connection-mark=adsl1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1  action=mark-connection new-connection-mark=adsl2_conn passthrough=yes

add chain=prerouting connection-mark=adsl1_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl1
add chain=prerouting connection-mark=adsl2_conn in-interface=Local action=mark-routing new-routing-mark=to_adsl2



/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_adsl1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_adsl2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2 check-gateway=ping


/ ip firewall nat 
add chain=srcnat out-interface=adsl1 action=masquerade
add chain=srcnat out-interface=adsl2 action=masquerade
The problem is:

All traffic goes to adsl1, not divided between both.

All my clients connect to the router via PPPoE through the Local interface.

I checked the config several times, but I'm helpless.

From my searches, I noticed that all people who tested it reported the same bug.

I hope somebody posts a fix for it.
I have the same problem on RB532, OS 3.28.
((((I think)))) PCC is not working if you use the PPPoE server on the same router, or your PPPoE clients are connected through the Local interface.
 
magnavox
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Fri Aug 21, 2009 6:32 pm

The PPPoE server creates an interface for each connected client.

It's wrong to set in-interface to the physical Ethernet.
You need to match packets by source address or by some other way.
As you can see above, PCC works fine on my RB433AH, splitting connections into 3 "slots".

For Muhammad: I think that your problem is a NAT rule or something else. In the last config that we made, PCC split traffic correctly in two.
 
maaking2
just joined
Posts: 8
Joined: Fri Jun 01, 2007 7:15 pm
Location: Gaza, Palestine

Re: New firewall matcher PCC

Fri Aug 21, 2009 8:55 pm

The PPPoE server creates an interface for each connected client.

It's wrong to set in-interface to the physical Ethernet.
You need to match packets by source address or by some other way.
Thanks for your quick reply.

Do you know how I can do that, or can the MikroTik guys post help here?

Regards
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Sat Aug 22, 2009 8:55 am

An updated set of my multi-connection PCC rules.
/ip route
add check-gateway=arp comment="WAN 3  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan3
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="WAN 2  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 1  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 3  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan3
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe

/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 \
    passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 \
    passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan3" connection-state=new disabled=no in-interface=wan3-pppoe new-connection-mark=wan3 \
    passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan1" connection-state=established disabled=no in-interface=wan1-pppoe \
    new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan2" connection-state=established disabled=no in-interface=wan2-pppoe \
    new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan3" connection-state=established disabled=no in-interface=wan3-pppoe \
    new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe \
    new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan2" connection-state=related disabled=no in-interface=wan2-pppoe \
    new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan3" connection-state=related disabled=no in-interface=wan3-pppoe \
    new-connection-mark=wan3 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 disabled=no new-routing-mark=wan2 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan3" connection-mark=wan3 disabled=no new-routing-mark=wan3 passthrough=no
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=new disabled=no \
    dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=new disabled=no \
    dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=new disabled=no \
    dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=\
    established disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=\
    established disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=\
    established disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=\
    both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=related \
    disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=related \
    disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=related \
    disabled=no dst-address-type=!local in-interface=hotspot-bridge new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 1" connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=\
    yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 2" connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=\
    yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 3" connection-mark=wan3_pcc_conn disabled=no new-routing-mark=wan3 passthrough=\
    yes
These allow the following:

- PCC outbound connection load balancing
- Inbound connections to the MikroTik over any WAN interface
- Any new inbound connections to internal machines will work fine as they are locked to the initial interface
- Automatic failover to alternate gateways in the event that one of the links goes offline (using check-arp to determine if a link is online)

Notes:

- I've used PPPoE authentication directly on the MikroTik so it has the public IP addresses
- All three of these connections are the same speed, so balancing is done with equal cost on each interface

If anyone has any questions about this implementation, just reply here and I'll answer as best I can.
 
maaking2
just joined
Posts: 8
Joined: Fri Jun 01, 2007 7:15 pm
Location: Gaza, Palestine

Re: New firewall matcher PCC

Sat Aug 22, 2009 1:27 pm

Thanks omega-00 for sharing PCC load balancing.

Unfortunately it didn't work for me; all traffic goes to interface 1, not divided.

All my clients connect via PPPoE.

I have 2 gateway interfaces:

1 = adsl1
2 = adsl2

3 = Local, the interface which the clients use.

Here is my configuration based on yours:
/ip route
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.10.1

add check-gateway=arp comment="WAN 1  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1  routing-mark=wan1
add check-gateway=arp comment="WAN 1  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=wan1

add check-gateway=arp comment="WAN 2  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=wan2
add check-gateway=arp comment="WAN 2  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1  routing-mark=wan2





/ip firewall mangle
add action=mark-connection chain=input connection-state=new disabled=no in-interface=adsl1 new-connection-mark=wan1 passthrough=yes  comment="Mark new inbound connection wan1"
add action=mark-connection chain=input connection-state=new disabled=no in-interface=adsl2 new-connection-mark=wan2 passthrough=yes  comment="Mark new inbound connection wan2"

add action=mark-connection chain=prerouting connection-state=established disabled=no in-interface=adsl1 new-connection-mark=wan1 passthrough=yes  comment="Mark established inbound connection wan1"
add action=mark-connection chain=prerouting connection-state=established disabled=no in-interface=adsl2 new-connection-mark=wan2 passthrough=yes  comment="Mark established inbound connection wan2"

add action=mark-connection chain=prerouting connection-state=related disabled=no in-interface=adsl1 new-connection-mark=wan1 passthrough=yes  comment="Mark related inbound connection wan1"
add action=mark-connection chain=prerouting connection-state=related disabled=no in-interface=adsl2 new-connection-mark=wan2 passthrough=yes  comment="Mark related inbound connection wan2"

add action=mark-routing chain=output connection-mark=wan1 disabled=no new-routing-mark=wan1 passthrough=no  comment="Mark new inbound route wan1"
add action=mark-routing chain=output connection-mark=wan2 disabled=no new-routing-mark=wan2 passthrough=no  comment="Mark new inbound route wan2"

add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0  comment="Mark traffic that isn't local with PCC mark rand (2 possibilities) - option 1"
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1  comment="Mark traffic that isn't local with PCC mark rand (2 possibilities) - option 2"

add action=mark-connection chain=prerouting connection-state=established disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0  comment="Mark established traffic that isn't local with PCC mark rand (2 possibilities) - option 1"
add action=mark-connection chain=prerouting connection-state=established disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1  comment="Mark established traffic that isn't local with PCC mark rand (2 possibilities) - option 2"

add action=mark-connection chain=prerouting connection-state=related disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/0  comment="Mark related traffic that isn't local with PCC mark rand (2 possibilities) - option 1"
add action=mark-connection chain=prerouting connection-state=related disabled=no dst-address-type=!local in-interface=Local new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:2/1  comment="Mark related traffic that isn't local with PCC mark rand (2 possibilities) - option 2"

add action=mark-routing chain=prerouting connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=yes  comment="Mark routing for  PCC mark - option 1"
add action=mark-routing chain=prerouting connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=yes  comment="Mark routing for  PCC mark - option 2"





Again, all traffic goes to interface 1, not divided.

I hope somebody can figure out a solution.

Thanks
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Sat Aug 22, 2009 2:28 pm

omega-00, thank you for the brain exercise here. I think you don't need to mangle related and established connections. So please explain why you mangle them; maybe there is a point to it that we need to understand.
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Sat Aug 22, 2009 7:58 pm

maaking2: Not entirely sure, although you mentioned your connections are PPPoE connections on this router? If that is correct, then would the users actually pass via the Local interface, or each via its own PPPoE interface?

NetworkPro: Feel free to try out the first part of the rules (mangling for all inbound connections) for yourself and let me know if you have any issues or improvements.

I find it works fine for FTP servers and similar hosted behind the router, regardless of which connection they're running on (e.g. forward ports over adsl1 to the FTP server and run all connections over adsl1 to the server). Catching the established connections is just something I do as a best practice, as I don't want to accidentally change the established connections further down in the rules.

If anyone wants to suggest further testing I could do, I'm happy to try; I just find this particular setup works perfectly for me.
 
maaking2
just joined
Posts: 8
Joined: Fri Jun 01, 2007 7:15 pm
Location: Gaza, Palestine

Re: New firewall matcher PCC

Sat Aug 22, 2009 10:41 pm

maaking2: Not entirely sure, although you mentioned your connections are PPPoE connections on this router? If that is correct, then would the users actually pass via the Local interface, or each via its own PPPoE interface?

Thanks for the reply.

Here is a screen of my config:
Take a look at the interface list. I think each user has his own PPPoE interface, created automatically.
(attachment: Untitled-1.jpg)
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Mon Aug 24, 2009 12:42 pm

To maaking2: in the first picture you can clearly see the problematic interface doesn't have the ready flag, so maybe you need to plug in the Ethernet cable first :)
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Mon Aug 24, 2009 12:46 pm

To maaking2: in the first picture you can clearly see the problematic interface doesn't have the ready flag, so maybe you need to plug in the Ethernet cable first :)
Haha, indeed. Sometimes all it takes is another set of eyes :-D
 
maaking2
just joined
Posts: 8
Joined: Fri Jun 01, 2007 7:15 pm
Location: Gaza, Palestine

Re: New firewall matcher PCC

Mon Aug 24, 2009 1:08 pm

To maaking2: in the first picture you can clearly see the problematic interface doesn't have the ready flag, so maybe you need to plug in the Ethernet cable first :)

NO, it's plugged in.

(attachment: interface_list.jpg)

When I disable adsl1, all traffic goes to adsl2.

The king problem of all time is: traffic is not divided between the 2 interfaces, adsl1 and adsl2.

I tried all examples available on the wiki, and got the same thing.

What can I do next? Smash the router!!!!!

Thanks all
Last edited by maaking2 on Mon Aug 24, 2009 1:13 pm, edited 1 time in total.
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Mon Aug 24, 2009 1:10 pm

The route table seems incorrect... the route that should be active is not. Can't it reach the gateway 10.1?
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Mon Aug 24, 2009 7:49 pm

Hey maaking2, please post another image of both the interface page and the IP route page while everything is connected and enabled.

Remember that PCC does "round robin" outbound load sharing, so try getting one computer to open 2 tabs of www.speedtest.net and test against 2 different servers (you might need to try this on a couple of servers before you end up getting one running over each link, as your computer will probably be doing other things in the background).

You should then be able to see traffic passing out both interfaces.
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Mon Aug 24, 2009 8:21 pm

Don't worry, I fixed it. He uses a transparent web proxy and his clients connect via PPPoE, so the PCC configuration is more difficult. I could post it in the wiki so you can admire my work :) he he, just joking.

But anyway, I could post it when I have time, no problem ...
Last edited by NetworkPro on Tue Aug 25, 2009 1:49 am, edited 1 time in total.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Tue Aug 25, 2009 1:40 am

Much, much harder? Add two PCQ rules in the output chain?..
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Tue Aug 25, 2009 1:59 am

Yes, it has hidden problems; for example, we had to "accept" this and that in prerouting before they hit the PCC matchers... Watch out in the output chain for what goes to clients etc. etc... See the wiki.
Last edited by NetworkPro on Fri Sep 04, 2009 11:12 am, edited 1 time in total.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: New firewall matcher PCC

Tue Aug 25, 2009 12:05 pm

Post your config, NetworkPro; I'm interested in your handiwork.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Tue Aug 25, 2009 12:20 pm

Even if you mark routing, the redirect rule for the transparent proxy still works = no need to 'accept' =)
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Tue Aug 25, 2009 12:43 pm

I think so, yes. Because Mohammed reported the problem was back after a few minutes, we don't really know what caused it. We thought it was fixed by that accept rule, but... no. I'm waiting for him to contact me to bring the config to a complete working state with the proxy.
Last edited by NetworkPro on Fri Sep 04, 2009 11:13 am, edited 2 times in total.
 
maaking2
just joined
Posts: 8
Joined: Fri Jun 01, 2007 7:15 pm
Location: Gaza, Palestine

Re: New firewall matcher PCC

Wed Aug 26, 2009 8:29 pm

I think so, yes. Because Mohammad reported the problem was back after a few minutes, we don't really know what caused it. We thought it was fixed by that accept rule, but... no. I'm waiting for him to contact me to bring the config to a complete working state with the proxy.

Yes, it's not fully working yet.

I disabled the web proxy and disabled the NAT related to web-proxy port forwarding: my clients complain port 80 is not working, browsing is not working, but other chat programs work fine for them.

I had to restore a previous backup till we figure out a solution.

Thanks
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Thu Aug 27, 2009 11:41 am

Chat programs rarely depend on a working DNS. Maybe the DNS settings were not correct ... hence the web sites not opening.
 
petrik
newbie
Posts: 26
Joined: Tue Sep 26, 2006 9:37 pm

Re: New firewall matcher PCC

Fri Aug 28, 2009 11:34 am

Hello, one question: what is the more compatible match setting, both addresses with or without ports? I want to load balance lots of Windows desktops and I don't want to cause any problems, as somebody has here with YouTube etc. I guess that both addresses without ports should work well; only in case some program connects to some kind of cluster (i.e. to more different IPs) could it be a problem, if that cluster needs all connections going from the same IP. What are the real experiences? Thanks a lot for this new FW matcher!! I am going to use two MK in an HA VRRP cluster with 4 DSL connected to each, so load balance between 8 DSL lines with failover. If it works, it is the holy grail of load balancing without a SPoF.
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

PCC with web proxy + PPPoE clients

Fri Aug 28, 2009 3:47 pm

Chat programs rarely depend on a working DNS. Maybe the DNS settings were not correct ... hence the web sites not opening.
The DNS problem was that the router tried to connect to the ADSL1 IP through the ADSL2 gateway, therefore breaking DNS...

Here is the current stable config: wiki.mikrotik.com/wiki/NetworkPro_on_Combining_NATed_Links please comment, review, edit the wiki ... :)
Last edited by NetworkPro on Fri Sep 04, 2009 11:14 am, edited 1 time in total.
 
grescho
Frequent Visitor
Posts: 57
Joined: Fri Apr 24, 2009 11:07 pm
Location: Murcia, Spain

Re: New firewall matcher PCC

Thu Sep 03, 2009 11:16 pm

Just a small problem... AGAIN!! (My lack of knowledge really is annoying.)

OK, so I currently have a hotspot running with the PCC load balancer. Everything is working OK... except for:
My customers are complaining that they are finding it difficult to access their bank's web page; I have also experienced this.
I assume it is because it's trying to access the site and then it switches to a different IP, and the website no longer recognises the connection.
Is there a way to rectify this? And if not,
can I send all HTTPS traffic through one interface, e.g. bypass the PCC?

Here's my mangle:
 0   ;;; Mark new inbound connection Telefonica1
     chain=input action=mark-connection new-connection-mark=Telefonica1 passthrough=yes 
     connection-state=new in-interface=Telefonica1 

 1   ;;; Mark new inbound connection Telefonica2
     chain=input action=mark-connection new-connection-mark=Telefonica2 passthrough=yes 
     connection-state=new in-interface=Telefonica2 

 2   ;;; Mark new inbound route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 passthrough=no 
     connection-state=new connection-mark=Telefonica1 

 3   ;;; Mark new inbound route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 passthrough=no 
     connection-state=new connection-mark=Telefonica2 

 4   ;;; Mark new established connection Telefonica1
     chain=prerouting action=mark-connection new-connection-mark=Telefonica1 
     passthrough=yes connection-state=established in-interface=Telefonica1 

 5   ;;; Mark new established connection Telefonica2
     chain=prerouting action=mark-connection new-connection-mark=Telefonica2 
     passthrough=yes connection-state=established in-interface=Telefonica2

 6   ;;; Mark new established route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 passthrough=no 
     connection-state=established connection-mark=Telefonica1 

 7   ;;; Mark new established route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 passthrough=no 
     connection-state=established connection-mark=Telefonica2 

 8   chain=prerouting action=mark-connection new-connection-mark=Telefonica1_pcc_conn 
     passthrough=yes dst-address-type=!local in-interface=ether2 
     per-connection-classifier=src-address-and-port:2/0 

 9   chain=prerouting action=mark-connection new-connection-mark=Telefonica2_pcc_conn 
     passthrough=yes dst-address-type=!local in-interface=ether2 
     per-connection-classifier=src-address-and-port:2/1 

10   chain=prerouting action=mark-routing new-routing-mark=Telefonica1 passthrough=yes 
     in-interface=ether2 connection-mark=Telefonica1_pcc_conn 

11   chain=prerouting action=mark-routing new-routing-mark=Telefonica2 passthrough=yes 
     in-interface=ether2 connection-mark=Telefonica2_pcc_conn 

If you require any more info, please let me know.
Thank you
 
magnavox
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Thu Sep 03, 2009 11:21 pm

Make a rule to mark HTTPS traffic and redirect it to a single connection.
 
grescho
Frequent Visitor
Posts: 57
Joined: Fri Apr 24, 2009 11:07 pm
Location: Murcia, Spain

Re: New firewall matcher PCC

Thu Sep 03, 2009 11:42 pm

Make a rule to mark HTTPS traffic and redirect it to a single connection.

Is this the only solution? And if so, can you explain a bit further and possibly give a script example? Whenever I try to make my own rules they never seem to work.

Thank you !!
 
magnavox
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Fri Sep 04, 2009 12:01 am

Make a rule to mark HTTPS traffic and redirect it to a single connection.

Is this the only solution? And if so, can you explain a bit further and possibly give a script example? Whenever I try to make my own rules they never seem to work.

Thank you !!
...
add action=mark-connection chain=prerouting comment=HTTPS_to_ADSL1 connection-state=new disabled=no dst-port=443 in-interface=\
  ether1 new-connection-mark=https passthrough=yes protocol=tcp src-address=xxx.xxx.xxx.xxx/xx src-port=1025-65535
add action=mark-routing chain=prerouting comment="" connection-mark=https disabled=no in-interface=ether1 new-routing-mark=ADSL1 passthrough=no
...
replace src-address=xxx.xxx.xxx.xxx/xx...
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Fri Sep 04, 2009 2:08 am

grescho, simply change your per-connection-classifier to 'both-addresses'; then all should be okay, and it's the more correct solution.
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Fri Sep 04, 2009 4:17 am

I can confirm what Chupaka is suggesting. Tested with several banking sites and other sites that remember the IP a user has logged in from. The new PCC setup, as he says, WORKS like a charm. All hail MikroTik. AND there is some free room for QoS, contrary to what I've thought earlier.
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Fri Sep 04, 2009 6:07 am

If you're breaking the logins due to PCC outbound balancing why not just use the both-addresses option to force connections to continue out the same connection for same IP?

If you do it for everything but https aren't you going to need further workarounds to deal with the "uh oh adsl1 is offline" issue?
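As an added illustration of why the both-addresses option keeps logins working (example code written for this thread, not RouterOS's own implementation and not anyone's posted config): RouterOS hashes the header fields the classifier names and a rule keeps the connections whose hash remainder matches it. The hash function itself is not shown on the page, so zlib.crc32 is assumed as a stand-in; only which flows share a key matters for the illustration. The client, server and ports below are constructed.

```python
import zlib
from dataclasses import dataclass

# Which header fields each classifier mode feeds into the hash.
# Assumption: RouterOS's own hash is not shown in the thread, so zlib.crc32
# over the same fields stands in for it; the point is which flows share a key.
FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "both-addresses-and-ports": ("src", "dst", "sport", "dport"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


def pcc_key(flow, classifier):
    """The fields the chosen classifier hashes, joined for readability."""
    return "|".join(str(getattr(flow, f)) for f in FIELDS[classifier])


def pcc_bucket(flow, classifier, denominator):
    """Model of per-connection-classifier=<classifier>:<denominator>/<remainder>:
    the remainder this flow hashes to (0 .. denominator-1)."""
    return zlib.crc32(pcc_key(flow, classifier).encode()) % denominator


def assign_wan(flows, classifier, wans):
    """One mark-connection rule per WAN (remainder i -> wans[i]) applied to
    each new connection, as the mangle rules posted in the thread do."""
    return {f: wans[pcc_bucket(f, classifier, len(wans))] for f in flows}


def sticky_per_pair(assignment):
    """True when every connection between the same src/dst pair left through
    the same WAN, i.e. the remote site always sees one source address."""
    seen = {}
    for flow, wan in assignment.items():
        if seen.setdefault((flow.src, flow.dst), wan) != wan:
            return False
    return True


# Constructed sample: one LAN client opening eight TCP connections to the
# same HTTPS server, as a browser does while loading a logged-in page.
CLIENT, BANK = "192.168.88.10", "203.0.113.7"
SESSION = tuple(Flow(CLIENT, BANK, sport, 443)
                for sport in (49152, 49153, 49160, 49201, 49377, 50010, 50011, 51234))
WANS = ("ADSL1", "ADSL2")

if __name__ == "__main__":
    for clf in ("both-addresses", "both-addresses-and-ports"):
        assignment = assign_wan(SESSION, clf, WANS)
        print(f"{clf:26} sticky={sticky_per_pair(assignment)}",
              [assignment[f] for f in SESSION])
```

With both-addresses the report is sticky=True every time, because all eight connections share one key; with both-addresses-and-ports each connection has its own key, so its WAN is effectively a coin flip per connection and the bank sees the session hop between the two public addresses. The same model explains the 2/0 and 2/1 pair of rules: for denominator 2 every connection matches exactly one of the two remainders.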
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Sep 04, 2009 11:50 am

omega-00, thanks for describing my answer in detail :D
 
grescho
Frequent Visitor
Posts: 57
Joined: Fri Apr 24, 2009 11:07 pm
Location: Murcia, Spain
Contact:

Re: New firewall matcher PCC

Fri Sep 04, 2009 11:49 pm

If you're breaking the logins due to PCC outbound balancing why not just use the both-addresses option to force connections to continue out the same connection for same IP?

If you do it for everything but https aren't you going to need further workarounds to deal with the "uh oh adsl1 is offline" issue?
sorry to be a pain, but how do I go about that? You'll have to assume I'm a complete idiot to be on the safe side.

thanks!
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: New firewall matcher PCC

Sat Sep 05, 2009 4:46 am

omega-00, thanks for describing my answer in detail :D
bahah sorry I was replying to his without having read yours :-P
But yeah, https works fine for me with the both-addresses option and has been working on one site for just over 3 weeks now.
 
grescho
Frequent Visitor
Posts: 57
Joined: Fri Apr 24, 2009 11:07 pm
Location: Murcia, Spain
Contact:

Re: New firewall matcher PCC

Fri Sep 11, 2009 8:59 pm

If you're breaking the logins due to PCC outbound balancing why not just use the both-addresses option to force connections to continue out the same connection for same IP?

If you do it for everything but https aren't you going to need further workarounds to deal with the "uh oh adsl1 is offline" issue?
Thanks for your help. All seems to be working much better now.
Just need some help with my web proxy if anyone has a spare minute. I did mention it earlier on in this topic and someone said it's perfectly OK to implement a web proxy with PCC load balancing.
But whenever I enable web proxy, all the web traffic directs through one connection, and the other is very rarely used afterwards.
Please can someone spot the mistake in my config? Thank you!!!

Mangle:
0   ;;; Mark new inbound connection Telefonica1
     chain=input action=mark-connection new-connection-mark=Telefonica1 
     passthrough=yes connection-state=new in-interface=Telefonica1 

 1   ;;; Mark new inbound connection Telefonica2
     chain=input action=mark-connection new-connection-mark=Telefonica2 
     passthrough=yes connection-state=new in-interface=Telefonica2 

 2   ;;; Mark new inbound route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 
     passthrough=no connection-state=new connection-mark=Telefonica1 

 3   ;;; Mark new inbound route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 
     passthrough=no connection-state=new connection-mark=Telefonica2 

 4   ;;; Mark new established connection Telefonica1
     chain=prerouting action=mark-connection new-connection-mark=Telefonica1 
     passthrough=yes connection-state=established in-interface=Telefonica1 

 5   ;;; Mark new established connection Telefonica2
     chain=prerouting action=mark-connection new-connection-mark=Telefonica2 
     passthrough=yes connection-state=established in-interface=Telefonica2 

 6   ;;; Mark new established route Telefonica1
     chain=output action=mark-routing new-routing-mark=Telefonica1 
     passthrough=no connection-state=established connection-mark=Telefonica1 

 7   ;;; Mark new established route Telefonica2
     chain=output action=mark-routing new-routing-mark=Telefonica2 
     passthrough=no connection-state=established connection-mark=Telefonica2 

 8   chain=prerouting action=mark-connection 
     new-connection-mark=Telefonica1_pcc_conn passthrough=yes 
     dst-address-type=!local in-interface=ether2 
     per-connection-classifier=both-addresses:2/0 

 9   chain=prerouting action=mark-connection 
     new-connection-mark=Telefonica2_pcc_conn passthrough=yes 
     dst-address-type=!local in-interface=ether2 
     per-connection-classifier=both-addresses:2/1 

10   chain=prerouting action=mark-routing new-routing-mark=Telefonica1 
     passthrough=yes in-interface=ether2 connection-mark=Telefonica1_pcc_conn

11   chain=prerouting action=mark-routing new-routing-mark=Telefonica2 
     passthrough=yes in-interface=ether2 connection-mark=Telefonica2_pcc_conn 

NAT
0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   chain=srcnat action=masquerade src-address=192.168.88.0/24 
     out-interface=Telefonica1 

 2   chain=srcnat action=masquerade src-address=192.168.88.0/24 
     out-interface=Telefonica2 

 3 X ;;; Transparent Web Proxy
     chain=dstnat action=redirect to-ports=8080 protocol=tcp 
     in-interface=ether2 dst-port=80 
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Sep 11, 2009 9:34 pm

add two more rules to your Mangle:
chain=output action=mark-routing 
     new-routing-mark=Telefonica1 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/0 

chain=output action=mark-routing 
     new-routing-mark=Telefonica2 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/1 
 
grescho
Frequent Visitor
Posts: 57
Joined: Fri Apr 24, 2009 11:07 pm
Location: Murcia, Spain
Contact:

Re: New firewall matcher PCC

Fri Sep 11, 2009 10:47 pm

add two more rules to your Mangle:
chain=output action=mark-routing 
     new-routing-mark=Telefonica1 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/0 

chain=output action=mark-routing 
     new-routing-mark=Telefonica2 
     dst-address=!your_LAN_addresses
     per-connection-classifier=both-addresses:2/1 

Thanks for your help Chupaka, you are a very valuable member of this forum.
 
grescho
Frequent Visitor
Posts: 57
Joined: Fri Apr 24, 2009 11:07 pm
Location: Murcia, Spain
Contact:

Re: New firewall matcher PCC

Sun Sep 13, 2009 12:00 am

add two more rules to your Mangle:

When I add these rules to the mangle, my clients seem to lose all connection to the internet, and I also lose communication with my RADIUS server, which is on my local network..??
chain=output action=mark-routing 
     new-routing-mark=Telefonica1 
     dst-address=192.168.88.0/24
     per-connection-classifier=both-addresses:2/0 

chain=output action=mark-routing 
     new-routing-mark=Telefonica2 
     dst-address=192.168.88.0/24
     per-connection-classifier=both-addresses:2/1
Did I do something wrong?

thanks
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Sun Sep 13, 2009 6:11 pm

yes, you didn't notice '!' sign, should be
dst-address=!192.168.88.0/24
 
rainmaker
Frequent Visitor
Posts: 65
Joined: Fri Jan 30, 2009 9:32 pm

Re: New firewall matcher PCC when clients are using pppoe

Mon Sep 14, 2009 5:12 am

Dear All,
There have been examples of PCC matching when the clients are on a single LAN or network.
Can someone convert one of these numerous examples to a network that uses PPPoE or specified IP addresses?

I have been trying but get confused as to where to change the interface to an IP address.

Any help or idea will be greatly appreciated.

Thanks in advance
Son of rainmaker
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Mon Sep 14, 2009 8:39 am

There is virtually no difference - the only limitation is that you just can't use in-interface (because you have many).

1) you must make sure that you are working only with the client's upload - in your case this can be achieved by filtering out all download traffic at the beginning of mangle - just use in-interface "public" to capture that traffic.
2) now you can use PCC for your upload with "both-addresses"
 
petrik
newbie
Posts: 26
Joined: Tue Sep 26, 2006 9:37 pm

Re: New firewall matcher PCC

Tue Sep 15, 2009 11:20 am

Hello, I have configured two RB450G (3.28) as a VRRP HA cluster for the LAN side. Each has 2 DSL lines using PPPoE and the routers are connected to each other by a dedicated crossover ethernet line. It works very well, I only have to take care of outgoing traffic, MikroTik takes care of incoming (related, established) automatically. The master router divides traffic into two equal streams, one for its own two PPPoE GWs, the second for the slave router, so all 4 DSL lines are used. Our LAN generates lots of connections to different servers, so load balancing works miraculously thanks to the PCC matcher. I am using both-addresses and have no problem with any application or web server or any other service at all.
I had to make a simple script on the slave router to route traffic back to the master while in slave mode, and when it becomes master (after master failure) it has to start routing directly to the LAN. The VRRP implementation is a little weird (there has to be an IP of the same subnet on the parent physical interface, which causes problems with routing to the master), but it works well :) As a result I have NO SINGLE POINT OF FAILURE and if any DSL line fails, "check gateway" redirects traffic to the other one. This is possible only because it is possible to use the routing interface instead of the GW IP, which is not possible due to dynamic DSL addresses. Great job MikroTik team!! I think this setup is the holy grail of load balancing using cheap DSL lines; if requested I can share more details.
Last edited by petrik on Tue Sep 22, 2009 12:53 pm, edited 1 time in total.
 
interpoint
Frequent Visitor
Posts: 92
Joined: Wed Jun 06, 2007 3:42 pm
Location: Ireland
Contact:

Re: New firewall matcher PCC

Wed Sep 16, 2009 11:05 am

Guys, many thanks for the configs that have been evolving over the course of this thread.

They have been very useful and I would like to contribute something back.

I have implemented the following system in a 400 user complex.

I have this type of setup:

Clients x 400------>10 x VLANS ---->Router A (RB600) Hotspot Gateway ---->10.2.0.0/30------>Router B (RB433AH) with 4 x PPPoE DSL Clients to ISP, NAT, PCC and ECMP Load Balancing ------>Internet

This is my config for the 433AH and all is working fine. Failover, Skype, HTTPS etc.. All good.

I decided to split the job between the two routers to keep things simple. BTW there is OSPF running between the 433AH and the RB600 to ensure routes are populated up to the NAT gateway on the 433AH. If anyone wants the RB600 config, no prob, but it is not relevant to this thread as it is effectively carrying out queue and DHCP functions only.

Router B config.

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out2
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out3
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
pppoe-out4

/ip firewall filter
add action=drop chain=forward comment="" connection-state=invalid disabled=no

/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe1_conn \
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe2_conn \
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out3 new-connection-mark=pppoe3_conn \
passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=pppoe-out4 new-connection-mark=pppoe4_conn \
passthrough=yes

/ip firewall mangle
add action=mark-routing chain=output comment="" connection-mark=pppoe1_conn disabled=no new-routing-mark=to_pppoe1 \
passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=pppoe2_conn disabled=no new-routing-mark=to_pppoe2 \
passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=pppoe3_conn disabled=no new-routing-mark=to_pppoe3 \
passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=pppoe4_conn disabled=no new-routing-mark=to_pppoe4 \
passthrough=yes

/ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=10.2.0.0/30 in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=83.71.aaa.aaa in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.bbb.bbb in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ccc.ccc in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ddd.ddd in-interface=ether6

/ip firewall mangle
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe1_conn passthrough=yes per-connection-classifier=both-addresses:4/0
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe2_conn passthrough=yes per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe3_conn passthrough=yes per-connection-classifier=both-addresses:4/2
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=ether6 \
new-connection-mark=pppoe4_conn passthrough=yes per-connection-classifier=both-addresses:4/3

/ip firewall mangle
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe1_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe2_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe3_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe3 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=pppoe4_conn disabled=no in-interface=ether6 \
new-routing-mark=to_pppoe4 passthrough=yes

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_pppoe2
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out4 routing-mark=to_pppoe4
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_pppoe1
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=to_pppoe3

/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2,pppoe-out3,pppoe-out4,pppoe-out1

/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether2 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 profile=default service-name="" \
use-peer-dns=no
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether3 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out2 profile=default service-name="" \
use-peer-dns=no
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether4 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out3 profile=default service-name="" \
use-peer-dns=no
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=\
ether5 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out4 profile=default service-name="" \
use-peer-dns=no
 
petrik
newbie
Posts: 26
Joined: Tue Sep 26, 2006 9:37 pm

Re: New firewall matcher PCC

Tue Sep 22, 2009 12:54 pm

To interpoint: and what happens when your RB600 dies? Try VRRP with two boxes, it is really great!
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Fri Oct 02, 2009 1:04 pm

MikroTik RB493AH with RouterOS 3.30

I have a problem with the cable modem route.
The route is blue in Winbox, and there is no traffic. I tried to set the modem as a DHCP client and got the same addresses as I manually entered before.
I am using OpenDNS for DNS servers.
The gateway stays unreachable.

addresses
 
 #   ADDRESS           NETWORK         BROADCAST        INTERFACE
 0   192.168.1.1/24    192.168.1.0     192.168.1.255    LOCAL
 1   21*.13.82.58/29   21*.13.82.56    21*.13.82.63     WAN2
 2   *78.157.13.39/24  *78.157.13.0    *78.157.13.255   WAN3
 3 D *77.28.18.50/32   *77.28.0.1      0.0.0.0          WAN1

mangle
1   chain=input action=mark-connection new-connection-mark=WAN1_conn passthrough=yes in-interface=WAN1 
2   chain=input action=mark-connection new-connection-mark=WAN2_conn passthrough=yes in-interface=WAN2 
3   chain=input action=mark-connection new-connection-mark=WAN3_conn passthrough=yes in-interface=WAN3 
4   chain=output action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn 
5   chain=output action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn 
6   chain=output action=mark-routing new-routing-mark=to_WAN3 passthrough=yes connection-mark=WAN3_conn 
7   chain=prerouting action=accept dst-address=21*.13.64.0/19 in-interface=LOCAL 
8   chain=prerouting action=accept dst-address=*78.157.13.0/24 in-interface=LOCAL 
9   chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local in-interface=LOCAL per-connection-classifier=both-addresses:3/0
10 chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local in-interface=LOCAL per-connection-classifier=both-addresses:3/1
11 chain=prerouting action=mark-connection new-connection-mark=WAN3_conn passthrough=yes dst-address-type=!local in-interface=LOCAL per-connection-classifier=both-addresses:3/2
12 chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes in-interface=LOCAL connection-mark=WAN1_conn
13 chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes in-interface=LOCAL connection-mark=WAN2_conn
14 chain=prerouting action=mark-routing new-routing-mark=to_WAN3 passthrough=yes in-interface=LOCAL connection-mark=WAN3_conn

NAT
0   chain=srcnat action=masquerade out-interface=WAN1
1   chain=srcnat action=masquerade out-interface=WAN2
2   chain=srcnat action=masquerade out-interface=WAN3 

Route
 #      DST-ADDRESS       PREF-SRC        GATEWAY-STATE  GATEWAY        DISTANCE  INTERFACE
 0 AS   0.0.0.0/0                         reachable      21*.13.82.57   1         WAN2
 1 S    0.0.0.0/0                         unreachable    *78.157.13.1   1         WAN3
 2 AS   0.0.0.0/0                         reachable      *77.28.0.1     1         WAN1
 3 AS   0.0.0.0/0                         reachable      21*.13.82.57   1         WAN2
 4 S    0.0.0.0/0                         unreachable    *78.157.13.1   3         WAN3
 5 S    0.0.0.0/0                         reachable      *77.28.0.1     2         WAN1
 6 ADC  *77.28.0.1/32     *77.28.18.50                                  0         WAN1
 7 ADC  *78.157.13.0/24   *78.157.13.39                                 0         WAN3
 8 ADC  192.168.1.0/24    192.168.1.1                                   0         LOCAL
 9 ADC  21*.13.82.56/29   21*.13.82.58                                  0         WAN2

 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Oct 02, 2009 4:08 pm

/ip route export
but I think you need to assign routing-marks to your routes...
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Fri Oct 02, 2009 4:10 pm

/ip route export
but I think you need to assign routing-marks to your routes...

/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=21*.13.82.57 routing-mark=to_WAN2 scope=30 \
target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=*78.157.13.1 routing-mark=to_WAN3 scope=30 target-scope=\
10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=*77.28.0.1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=21*.13.82.57 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=3 dst-address=\
0.0.0.0/0 gateway=*78.157.13.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=\
0.0.0.0/0 gateway=*77.28.0.1 scope=30 target-scope=10
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Oct 02, 2009 4:18 pm

can you ping *78.157.13.1?.. route #4 should be inactive, it's backup
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Fri Oct 02, 2009 10:43 pm

can you ping *78.157.13.1?.. route #4 should be inactive, it's backup
Nope, I cannot ping anything... If I run traceroute with connection mark wan1 or wan2 to some address it is OK, but if I run it with connection mark wan3 the route goes through backup wan2.
I cannot understand why I cannot ping the gateway that is assigned automatically from the provider's DHCP server.

Update!! I am on the same provider at home, and cannot ping the gateway there either, which is different from the one at work :( So how can I activate that route? I cannot believe it :(
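To see why Chupaka expects route #4 to stay inactive, and why traffic marked for WAN3 leaves through WAN2 while the WAN3 gateway cannot be pinged, here is a small model of the route selection, added as an example for this thread (not RouterOS code and not from anyone posting here). It models the two rules visible in the posted table, the reachable route with the lowest distance wins and check-gateway=ping marks a route unreachable, plus one assumption: a packet whose routing-mark table has no active route is looked up in the main table rather than dropped. The gateway names are placeholders, since the real addresses are masked above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    gateway: str
    interface: str
    distance: int
    routing_mark: str = "main"   # RouterOS shows the unmarked table as 'main'
    reachable: bool = True       # what check-gateway decided for this route


def active_route(routes, table):
    """Within one table RouterOS activates the reachable default route with the
    lowest distance; the rest stay inactive as backups (Chupaka's route #4)."""
    candidates = [r for r in routes if r.routing_mark == table and r.reachable]
    return min(candidates, key=lambda r: r.distance, default=None)


def lookup(routes, routing_mark="main"):
    """Route chosen for a packet carrying routing_mark. Assumption (see the
    lead-in): a marked table with no active route falls back to main."""
    chosen = active_route(routes, routing_mark)
    if chosen is None and routing_mark != "main":
        chosen = active_route(routes, "main")
    return chosen


def build_table(wan3_reachable):
    """godovic's six default routes, with constructed placeholder gateways
    standing in for the masked addresses in the post."""
    gw = {"WAN1": "GW1-placeholder", "WAN2": "GW2-placeholder", "WAN3": "GW3-placeholder"}
    return [
        Route(gw["WAN2"], "WAN2", 1, "to_WAN2"),
        Route(gw["WAN3"], "WAN3", 1, "to_WAN3", wan3_reachable),
        Route(gw["WAN1"], "WAN1", 1, "to_WAN1"),
        Route(gw["WAN2"], "WAN2", 1),                            # main table, preferred
        Route(gw["WAN3"], "WAN3", 3, reachable=wan3_reachable),  # main table, backup
        Route(gw["WAN1"], "WAN1", 2),                            # main table, second choice
    ]


def egress(routing_mark, wan3_reachable=False):
    """Interface a packet with this mark actually leaves on."""
    return lookup(build_table(wan3_reachable), routing_mark).interface


if __name__ == "__main__":
    for mark in ("main", "to_WAN1", "to_WAN2", "to_WAN3"):
        print(mark, "->", egress(mark), "(WAN3 gateway unreachable)")
    print("to_WAN3 ->", egress("to_WAN3", wan3_reachable=True), "(WAN3 gateway reachable)")
```

With the WAN3 gateway failing its ping check, the to_WAN3 table has no active route, so the lookup ends in main and picks WAN2 at distance 1, which is exactly the symptom in the post; once WAN3 becomes reachable the marked route takes over. Even then the main-table WAN3 route at distance 3 is never chosen while WAN2 is up, which is why it shows as inactive.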
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Oct 02, 2009 11:07 pm

maybe, you should change 'check-gateway=ping' to 'check-gateway=arp' or even remove this check?
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Fri Oct 02, 2009 11:37 pm

maybe, you should change 'check-gateway=ping' to 'check-gateway=arp' or even remove this check?
tnx :( but that does not solve the problem. I set up the gateway as interface WAN3 without a gateway IP and now traffic starts to flow..
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Thu Oct 15, 2009 4:51 pm

A little confused about passthrough...

When should I use passthrough enabled? On the wiki PCC page there is no explicit yes or no, and reading other forums or web sites I can find different setups.

On the PCC wiki page, passthrough=yes is defined only on this line:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 \
action=mark-connection new-connection-mark=wlan1_conn passthrough=yes

Should it be set to no on all other lines? (unchecked in Winbox)

tnx
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: New firewall matcher PCC

Thu Oct 15, 2009 5:24 pm

My understanding of 'passthrough' is this:

If you want the firewall to continue to find and match further/more packets based on the criteria in the current rule then you need to tick 'passthrough'.

If you are happy that the firewall has matched all you need then you may untick 'passthrough'.

Here's an example:
18   ;;; routing mark for http
     chain=prerouting action=mark-routing new-routing-mark=http 
     passthrough=yes protocol=tcp dst-port=80 

19   ;;; routing mark for http-local
     chain=prerouting action=mark-routing new-routing-mark=http-local 
     passthrough=no protocol=tcp dst-address-list=sa_ip dst-port=80 
After matching packets with a destination port of 80 I marked the packet but I still needed further matching, so I had to enable 'passthrough'.
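To make the passthrough behaviour in this post concrete, here is a small model of how a mangle chain walks its rules, added as an example for this thread (not RouterOS code and not hilton's). It replays rules 18 and 19 above over constructed packets, and assumes a stand-in 'sa_ip' address list holding two documentation-range addresses.

```python
from dataclasses import dataclass, field

# Constructed stand-in for hilton's 'sa_ip' address list; the members are
# documentation-range placeholders, not real addresses from the thread.
ADDRESS_LISTS = {"sa_ip": {"198.51.100.10", "198.51.100.11"}}


@dataclass
class Packet:
    dst: str
    protocol: str = "tcp"
    dst_port: int = 80
    marks: dict = field(default_factory=dict)   # action -> mark set so far


@dataclass
class Rule:
    comment: str
    match: dict          # matcher name in RouterOS spelling -> required value
    action: str          # "mark-routing" or "mark-connection"
    new_mark: str
    passthrough: bool


def matches(rule, pkt):
    for key, want in rule.match.items():
        if key == "dst-address-list":
            if pkt.dst not in ADDRESS_LISTS[want]:
                return False
        elif getattr(pkt, key.replace("-", "_")) != want:
            return False
    return True


def run_chain(rules, pkt):
    """Walk one mangle chain top to bottom. A matching rule applies its action;
    with passthrough=no the packet leaves the chain right there, with
    passthrough=yes later rules still see it and may re-mark it.
    Returns (final routing mark, comments of the rules that fired)."""
    fired = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        pkt.marks[rule.action] = rule.new_mark   # a later mark overwrites an earlier one
        fired.append(rule.comment)
        if not rule.passthrough:
            break
    return pkt.marks.get("mark-routing"), fired


def hilton_rules(first_passthrough=True):
    """Rules 18 and 19 from the post; first_passthrough=False flips rule 18
    to passthrough=no to show why that would break the local case."""
    return [
        Rule("routing mark for http", {"protocol": "tcp", "dst-port": 80},
             "mark-routing", "http", passthrough=first_passthrough),
        Rule("routing mark for http-local",
             {"protocol": "tcp", "dst-address-list": "sa_ip", "dst-port": 80},
             "mark-routing", "http-local", passthrough=False),
    ]


def route_mark_for(dst, first_passthrough=True):
    """Routing mark a TCP/80 packet to dst ends up with after the chain."""
    mark, _ = run_chain(hilton_rules(first_passthrough), Packet(dst))
    return mark


if __name__ == "__main__":
    print(run_chain(hilton_rules(), Packet("198.51.100.10")))   # local site
    print(run_chain(hilton_rules(), Packet("203.0.113.7")))     # anywhere else
    print(run_chain(hilton_rules(first_passthrough=False), Packet("198.51.100.10")))
```

A port-80 packet to a listed address fires both rules and ends with http-local, because rule 18 passed it through and rule 19 overwrote the mark; a port-80 packet elsewhere only fires rule 18 and keeps http. Flip rule 18 to passthrough=no and the local packet never reaches rule 19, so it is misrouted as plain http, which is the case hilton is guarding against.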
 
Billal
just joined
Posts: 13
Joined: Sat Nov 07, 2009 10:05 am

New firewall matcher PCC and Web-Proxy

Sat Nov 07, 2009 10:19 am

Hi,

Can we use PCC with Web-Proxy?

I have 3 WANs,
ROS 3.30
RB 450G

Load balancing is working fine with PCC.

How can I use WebProxy? Do you have any other idea for using a proxy server?
Maybe it is so simple for you but not simple for me; can you help me?

Thanks
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: New firewall matcher PCC and Web-Proxy

Sat Nov 07, 2009 12:06 pm

Hi,

Can we use PCC with Web-Proxy?
The answer to this can be found right here in this thread. Page 2, under one of Chupaka's posts.
 
Billal
just joined
Posts: 13
Joined: Sat Nov 07, 2009 10:05 am

Re: New firewall matcher PCC and Web-Proxy

Sat Nov 07, 2009 12:57 pm

Hi,

Can we use PCC with Web-Proxy?
The answer to this can be found right here in this thread. Page 2, under one of Chupaka's posts.
Thanks for the reply.
Chupaka says: you should use 'Mangle Output' to redistribute proxy's output between different routing marks
but I can't understand; there is no example or clear explanation which beginners can understand.

If anyone has any configuration for web proxy on PCC, please paste it here.

Thanks
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Sat Nov 07, 2009 1:43 pm

with my eyes shut:
/ip firewall mangle
add chain=output per-connection-classifier=dst-address:2/0 action=mark-routing new-routing-mark=table1 disabled=no
add chain=output per-connection-classifier=dst-address:2/1 action=mark-routing new-routing-mark=table2 disabled=no
 
Billal
just joined
Posts: 13
Joined: Sat Nov 07, 2009 10:05 am

Re: New firewall matcher PCC

Sat Nov 07, 2009 2:15 pm

with my eyes shut:
/ip firewall mangle
add chain=output per-connection-classifier=dst-address:2/0 action=mark-routing new-routing-mark=table1 disabled=no
add chain=output per-connection-classifier=dst-address:2/1 action=mark-routing new-routing-mark=table2 disabled=no
Thanks Chupaka

Please, if you don't mind,

where do we put your 2 lines: before this, after this, or replacing this?
/ip firewall mangle
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

Again thanks
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos
Contact:

Re: New firewall matcher PCC

Sat Nov 07, 2009 2:20 pm

With my eyes very very widely open!!! :) http://forum.mikrotik.com/viewtopic.php ... 72#p169172 (complete config with a little comments that may explain it, or may confuse you LOL :lol: )
 
Billal
just joined
Posts: 13
Joined: Sat Nov 07, 2009 10:05 am

Re: New firewall matcher PCC

Sat Nov 07, 2009 3:35 pm

With my eyes very very widely open!!! :) http://forum.mikrotik.com/viewtopic.php ... 72#p169172 (complete config with a little comments that may explain it, or may confuse you LOL :lol: )
Thanks NetworkPro

Nice way to explain to a beginner.
I found one thing in that post of yours:
http://wiki.mikrotik.com/wiki/NetworkPr ... ATed_Links
In that post one thing is missing: you do not write the Firewall Address List there, but you use the name of the address list 'clients' in mangle (address-list=clients).
Please explain the address list 'clients' if you don't mind.

Thanks
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos
Contact:

Re: New firewall matcher PCC

Sat Nov 07, 2009 4:05 pm

in ROS v3 I use IP-> Firewall->Address List to manage groups of IP addresses for use with Mangle, NAT and Firewall. PPP can add the IPs of the clients to an address list automatically. This kind of stuff is explained in the manual and wiki :)
 
Billal
just joined
Posts: 13
Joined: Sat Nov 07, 2009 10:05 am

Re: New firewall matcher PCC

Sat Nov 07, 2009 4:19 pm

in ROS v3 I use IP-> Firewall->Address List to manage groups of IP addresses for use with Mangle, NAT and Firewall. PPP can add the IPs of the clients to an address list automatically. This kind of stuff is explained in the manual and wiki :)
Thanks for the reply.
I am also using IP/Firewall/Address List; I know what this is, but my question is which IP addresses you used under the name 'clients'.

I read your complete configuration, but there is no ip>firewall>address list in it.
If you write the address-list there as well, it may be helpful for beginners.

Thanks
 
petrik
newbie
Posts: 26
Joined: Tue Sep 26, 2006 9:37 pm

Re: New firewall matcher PCC

Thu Nov 12, 2009 6:38 pm

Hello guys, I have a problem with policy routing and the PCC matcher. I have a very nice setup with two routers in an HA VRRP cluster and PCC over 4 different DSLs (2 in each router); everything is working nicely, except I want to use some VPNs initiated from one of the routers, and I want either to use PCC to choose the DSL or to manually set which DSL a particular VPN will use. I tried it with an Output mangle connection mark rule and also with prerouting, but it doesn't work, all VPNs go through only one (the first) DSL line :( Do you have any ideas how to correctly set policy routing for connections initiated from localhost? thanks a lot
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Thu Nov 12, 2009 10:41 pm

until you cannot set local address - you cannot select output interface, as far as I remember...

anyway, could you please be more detailed in your setup? config, etc...
 
petrik
newbie
Posts: 26
Joined: Tue Sep 26, 2006 9:37 pm

Re: New firewall matcher PCC

Fri Nov 13, 2009 1:54 pm

The question has shrunk to this: if I am using only policy routing with connection marking and routes only with routing marks, i.e. no normal default route (all 0/0 routes have some routing mark set), how do I match and mark connections from localhost to the internet like ping or VPN? Output in mangle doesn't work, and neither does prerouting.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Nov 13, 2009 2:18 pm

if you don't have a default route in main routing table - then any local-originated connections will fail, afair - you need to add any default gateway, and then use output mangling (see Routing Adjustment block in http://wiki.mikrotik.com/wiki/Packet_Flow )
 
petrik
newbie
Posts: 26
Joined: Tue Sep 26, 2006 9:37 pm

Re: New firewall matcher PCC

Fri Nov 13, 2009 6:06 pm

Thanks for the reply, I just learned by experience that I really need some default GW, but even with it, I still cannot force any locally originated connection to go through some other route than the default one :( I tried an output rule in mangle, with and without the localhost address 127.0.0.1, even with some concrete destination IP; I think I tried almost everything but it still goes through the default gw :(
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Nov 13, 2009 7:23 pm

[admin@MikroTik] > tool traceroute ya.ru max-hops=4
     ADDRESS                                    STATUS
   1  192.168.16.250 2ms 2ms 10ms 
   2   192.168.0.200 9ms 10ms 12ms 
   3   192.168.0.200 6ms 11ms 10ms network unreachable
   4   192.168.0.200 14ms 6ms 53ms network unreachable
max-hops reached
[admin@MikroTik] > /ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.16.141 routing-mark=preved
[admin@MikroTik] > /ip firewall mangle add chain=output action=mark-routing new-routing-mark=preved 
[admin@MikroTik] > tool traceroute ya.ru max-hops=4
     ADDRESS                                    STATUS
   1  192.168.16.141 5ms 7ms 10ms 
   2  192.168.16.250 11ms 9ms 1ms 
   3   192.168.0.200 6ms 7ms 5ms 
   4   192.168.0.200 4ms 19ms 11ms network unreachable
max-hops reached
[admin@MikroTik] > 
 
pacella
just joined
Posts: 1
Joined: Thu Nov 12, 2009 7:19 am

Re: New firewall matcher PCC

Sat Nov 14, 2009 8:23 am

What is the best firewall you used for windows xp? I have been testing several versions of firewall, bitdefender, kaspersky, kerio, sunbelt, and some more. For now, I find that Bitdefender wins the gold medal, in my opinion. But still the antivirus within Bitdefender is not that powerful. I installed Avast 4 and tried to use only the firewall in bitdefender (disabling the antivirus of bitdefender) but conflicts happen between the two softwares when loading windows. Do you people, know the best firewall please?
Last edited by pacella on Sat Nov 21, 2009 8:09 am, edited 1 time in total.
 
MrIC
Frequent Visitor
Frequent Visitor
Posts: 66
Joined: Tue Jan 13, 2009 11:34 pm

Re: New firewall matcher PCC

Sun Nov 15, 2009 6:01 pm

I have two lines with PCC load balancing, but there is a problem: the hotspot doesn't redirect automatically; I have to type 10.5.50.1 in my browser to log in.
My config:
/ ip address
add address=10.5.50.1/24 network=10.5.50.0 broadcast=10.5.50.255 interface=Local
add address=192.168.1.5/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.0.5/24 network=192.168.0.0 broadcast=192.168.0.255 interface=WAN2

/ ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=WAN2
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=WAN2

/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=2 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
Some guy told me to change these lines:
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
to these:
add chain=prerouting dst-address-type=!local hotspot=auth in-interface=Local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local hotspot=auth in-interface=Local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
but I got another problem: clients log in, but they use only one line.

So can someone help me with this?
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Wed Nov 25, 2009 11:40 am

To anyone still reading this, but especially to interpoint regarding his mangle rules here:
/ip firewall mangle
add action=accept chain=prerouting comment="" disabled=no dst-address=10.2.0.0/30 in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=83.71.aaa.aaa in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.bbb.bbb in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ccc.ccc in-interface=ether6
add action=accept chain=prerouting comment="" disabled=no dst-address=82.141.ddd.ddd in-interface=ether6
The dst-address fields that I made blue look like public IP addresses of the PPPoE accounts, and they look like they would be static. What would I need to do if my public IPs were dynamic? Is there a way around this, or do I have to use a script to find my public addresses and add them into the dst-address fields? I really would rather not try to mess around with a script if I don't have to.

Please if anyone can help!
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Wed Nov 25, 2009 12:43 pm

jirristols, where did you find those rules? and where's PCC? =)
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Wed Nov 25, 2009 1:44 pm

That was a snippet out of the config that Interpoint pasted somewhere around the middle of this page. This is part of the prerouting chain. I only "re-pasted" this part because I want to substitute the dst-address, which is a static IP, with an interface (out-interface=ADSL1) or something.

Is there a better way of doing this or did I miss something completely?

EDIT: Um previous page around the middle :?
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Mon Nov 30, 2009 12:50 pm

Ok so I got the load balancing working with PCC and everything is fine on my computer, but most of the other users on the "localLAN" (bridged ethernet and WDS) cannot log in to their internet banking; I even tried two different banks. What could be the issue that it works for me on IP 192.168.2.102 and not for 192.168.2.111 + some others?

Now I even disabled 3 out of the 4 ADSL (PPPoE) connections and they still can't log in. Now this is fishy; could it be something else? Because as far as I know this should disable the load balancing automatically, and everyone will be forced to connect via one public IP.

If someone replies I'll post my configs. I hope there is still someone reading this thread :(
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Mon Nov 30, 2009 1:03 pm

sure, post your firewall config

what do you mean saying "can't log in"? just like no connection at all?
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Mon Nov 30, 2009 2:33 pm

Sweet! It's a 2 step authentication, first account number and pin, it accepts, then you have to fill in the missing letters of your passphrase. You receive a text message "confirmation of internet banking" if you set it up, then after you fill in the blanks and click on logon it returns you to the first page where you have to enter your account number and pin with a caption reading: "you have successfully logged out".

I have had this issue with a previous load balancer (Edimax) before, and it was a balancing issue. PCC should fix this if this is a load balancing issue.

Here is the Mangle:

[admin@RB493 Master] /ip firewall> mangle prin
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=mark-connection new-connection-mark=pppoe1_conn
passthrough=yes in-interface=inter1

1 I chain=input action=mark-connection new-connection-mark=pppoe2_conn
passthrough=yes in-interface=inter2

2 I chain=input action=mark-connection new-connection-mark=pppoe3_conn
passthrough=yes in-interface=inter3

3 I chain=input action=mark-connection new-connection-mark=pppoe4_conn
passthrough=yes in-interface=inter4

4 chain=output action=mark-routing new-routing-mark=to_pppoe1
passthrough=yes connection-mark=pppoe1_conn

5 chain=output action=mark-routing new-routing-mark=to_pppoe2
passthrough=yes connection-mark=pppoe2_conn

6 chain=output action=mark-routing new-routing-mark=to_pppoe3
passthrough=yes connection-mark=pppoe3_conn

7 chain=output action=mark-routing new-routing-mark=to_pppoe4
passthrough=yes connection-mark=pppoe4_conn

8 chain=prerouting action=accept dst-address=192.168.2.0/24
in-interface=LocalLAN

9 chain=prerouting action=accept dst-address=41.240.0.0/13
in-interface=LocalLAN

10 chain=prerouting action=mark-connection new-connection-mark=pppoe1_conn
passthrough=yes dst-address-type=!local in-interface=LocalLAN
per-connection-classifier=both-addresses:4/0

11 chain=prerouting action=mark-connection new-connection-mark=pppoe2_conn
passthrough=yes dst-address-type=!local in-interface=LocalLAN
per-connection-classifier=both-addresses:4/1

12 chain=prerouting action=mark-connection new-connection-mark=pppoe3_conn
passthrough=yes dst-address-type=!local in-interface=LocalLAN
per-connection-classifier=both-addresses:4/2

13 chain=prerouting action=mark-connection new-connection-mark=pppoe4_conn
passthrough=yes dst-address-type=!local in-interface=LocalLAN
per-connection-classifier=both-addresses:4/3

14 chain=prerouting action=mark-routing new-routing-mark=to_pppoe1
passthrough=yes in-interface=LocalLAN connection-mark=pppoe1_conn

15 chain=prerouting action=mark-routing new-routing-mark=to_pppoe2
passthrough=yes in-interface=LocalLAN connection-mark=pppoe2_conn

16 chain=prerouting action=mark-routing new-routing-mark=to_pppoe3
passthrough=yes in-interface=LocalLAN connection-mark=pppoe3_conn

17 chain=prerouting action=mark-routing new-routing-mark=to_pppoe4
passthrough=yes in-interface=LocalLAN connection-mark=pppoe4_conn

Didn't even write out the whole "print"

If needed, Here is the NAT:

[admin@RB493 Master] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-addresses=192.168.2.102 to-ports=5900 protocol=tcp dst-port=5900

1 chain=srcnat action=masquerade dst-address=0.0.0.0/0

2 chain=srcnat action=masquerade out-interface=inter1

3 I chain=srcnat action=masquerade out-interface=inter2

4 I chain=srcnat action=masquerade out-interface=inter3

5 I chain=srcnat action=masquerade out-interface=inter4

Could this be something else, because my computer on the same network can log into the internet banking? By the way, I am splitting local and international routes, and the banking site's IP is in the local routing table.

And my forum session timed out... twice before being able to submit.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Mon Nov 30, 2009 4:39 pm

what is 8th rule for?.. I think, it breaks all setup %)
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Mon Nov 30, 2009 5:13 pm

Giving it a try now, disabling the rule to see if it helps. I thought it had to be there for your LAN to effectively communicate to the outside world.

edit: Tried that but it still doesn't remember I'm logged onto the forums and the internet banking on the computer tested still loops back to the initial login page (Passwords and everything checked).

I have a static route in blue too, wonder if I should just let all local banking sites go through the Local-ADSL interface only. But that would still not solve my forum issue. I wonder if anyone else is having a problem.
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Tue Dec 01, 2009 2:18 pm

Oh, and something else that might be an issue - my ADSL has dynamic IP addresses - when specifying this:

9 chain=prerouting action=accept dst-address=41.240.0.0/13
in-interface=LocalLAN

I use the IP range. This is the IP range for all my ADSL connections, as I am using the same ISP dishing out IPs in the same IP range... most of the time. In all the tests I have done the IPs looked like this. I am going to retry the example in the wiki and see if it makes a difference, still using the above as the dst-address for my LocalLAN.

Any thoughts?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Dec 01, 2009 2:57 pm

I still can't understand, why you use 'action=accept'... it simply stops processing of other rules... mangle is not filtering =)
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Tue Dec 01, 2009 3:05 pm

Because the wiki says so... :(
Then we will assign proper routing-mark to the packets leaving the router.

add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local
I just substituted the 10.111.0.0/24 with my public IP address range and removed the other one...
Doing this stuff by the book because the firewall makes my head hurt... :D
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: New firewall matcher PCC

Wed Dec 02, 2009 12:31 am

Like Chupaka said,

If you use action=accept, processing of all other rules STOPS. No further processing is done down the list.

If you use action=mark-(anything), it applies the mark, then CONTINUES to process down the list.

Does this make sense? I think maybe the order of your rules may be an issue.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Wed Dec 02, 2009 2:40 am

sorry for no answer... dssmiktik, yes, 'accept' should be used in the setup from Wiki... (by the way, 10.100.0.0/24 are internal addresses, not public IPs :) )

I just don't know what can be a reason for such strange behaviour:
It's a 2 step authentication, first account number and pin, it accepts, then you have to fill in the missing letters of your passphrase. You receive a text message "confirmation of internet banking" if you set it up, then after you fill in the blanks and click on logon it returns you to the first page where you have to enter your account number and pin with a caption reading: "you have successfully logged out".
all I can say for now (taking into account that it works on your machine and isn't working on another one ("+ some others")), try to clear browser's cache and remove saved cookies... maybe try another web-browser :)

By the way I am splitting local and international routes and the banking site's IP is in the Local routing table.
hmmm... I don't see any of it in your config... am I too tired?..
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Wed Dec 02, 2009 9:38 am

No haha, I didn't post the config, I'm splitting the traffic using static routes (splitting local and international traffic wiki) I have something like 1500 routes created so posting that would have taken up the whole page but here is a snippet
[admin@RB493 Master] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 inter1 1 (Routing mark to_inter1)
1 A S 0.0.0.0/0 inter2 1 (Routing mark to_inter2)
2 A S 0.0.0.0/0 inter3 1 (Routing mark to_inter3)
3 A S 0.0.0.0/0 inter4 1 (Routing mark to_inter4)
4 A S 0.0.0.0/0 inter1 1
inter2
inter3
inter4
5 X S ;;; Default Route old
0.0.0.0/0 inter1 1
6 X S 0.0.0.0/0 inter2 2
7 X S 0.0.0.0/0 inter3 3
8 X S 0.0.0.0/0 inter4 4
9 A S 17.255.248.0/23 Local-PPPoE 2
10 A S 32.106.152.0/24 Local-PPPoE 2
11 A S 32.106.153.0/24 Local-PPPoE 2
12 A S 32.107.9.0/24 Local-PPPoE 2
13 A S 32.238.152.0/24 Local-PPPoE 2
14 A S 32.238.153.0/24 Local-PPPoE 2
15 A S 32.239.182.0/24 Local-PPPoE 2
16 A S 41.0.0.0/16 Local-PPPoE 2
17 A S 41.0.5.0/24 Local-PPPoE 2
18 A S 41.0.6.0/24 Local-PPPoE 2
I tried using the wiki way of assigning the routes, e.g. gateway1 distance=1, gateway2 distance=2, ..3-3, ..4-4, but that only utilized gateway1 100% and didn't load balance at all; it made GW2-3-4 blue in the GUI (disabled). That's the reason for rule 4 with multiple interfaces and rules 5-8 being disabled.

I know those aren't public IPs, but I use multiple ADSL (PPPoE client) lines instead of WLAN interfaces to do the load balancing on, so I had to put in my public IP range because they are dynamic (that's what I read in the forums for when you are using ADSL with dynamic IPs), which was a mission to track down.

BTW it looks like the banking is working perfectly now, but browsing seemed slow and sometimes pages load halfway and need to be refreshed, especially YouTube, after I redid the config using the wiki one directly with only a few changes. But this morning everything is looking good. Browsing is fine, traffic is divided almost equally and banking works... Hell knows, maybe the fairies chased the gremlins out of my network?

Changes
routes: instead of making distance 1,2,3,4 I made them all 1 -rule4 /
and this line
add action=accept chain=prerouting comment="" disabled=no dst-address=41.240.0.0/13 in-interface=LocalLAN
which I adopted from another config.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Wed Dec 02, 2009 11:03 am

oh, about your static routes: they're not working, I believe

if you mark packet, then routes with that routing mark are used. so all marked traffic goes through the default route
 
KARABAYA
just joined
Posts: 15
Joined: Thu Apr 23, 2009 2:49 am

Re: New firewall matcher PCC

Wed Dec 02, 2009 11:21 am

Is it possible to use pcc with only one interface?
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Wed Dec 02, 2009 11:48 am

If I set the route distance GW1:1 GW2:2 GW3:3... everything goes through GW1 so doesn't work - no Load Balancing.

My routes are: dst: 0.0.0.0/0
interface: inter1, inter2, inter3, inter4
distance: 1
All in the same single static route... this works

If I create 4 individual routes, 3 routes are blue (disabled) and it only runs through the active route and does not load balance... doesn't work

As far as I understand it, when you connect to the internet through GW1 the packets are marked to return to GW1 and that session or so only uses GW1. The same goes for the other GW's.
And the way I understand it further is that the router decides according to the routing table, out which GW the packet should go.

Is this right? Because I don't understand firewall rules that well, but I could not see where it decides to assign gateways in the PCC rules. All the PCC does is, when it sees a packet, it slaps it with a label or 3 before it is able to leave the router.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Wed Dec 02, 2009 2:41 pm

Is it possible to use pcc with only one interface?
for what goal? PCC is just classifier - it can classify packets =)
 
KARABAYA
just joined
Posts: 15
Joined: Thu Apr 23, 2009 2:49 am

Re: New firewall matcher PCC

Thu Dec 03, 2009 10:52 pm

Because I have clients and modems connected through the same ethernet interface.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Dec 04, 2009 2:24 am

sure. with PCC, you classify connections into groups. then you can do anything you want with those groups. for example, route via different gateways (your modems' addresses on the same interface). just add correct '/ip route' info
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: New firewall matcher PCC

Fri Dec 04, 2009 5:01 pm

FYI, noticing on a couple of sites I've been testing with 4.2 that the mangle rules don't seem to be working the same as before.

I'm yet to determine what is causing the issue but it's not balancing the links very well at all right now.
wan1.gif
wan2.gif
wan3.gif
Has only changed to this since I upgraded to 4.2 (31 days ago)

Will be rolling back to check differences shortly.
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Fri Dec 04, 2009 5:07 pm

How did you get the graph?

I'm running the PCC in my setup too and will also place my findings over the weekend here.

(mmm logged me out again before I could post PCC'ing around :D )
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: New firewall matcher PCC

Fri Dec 04, 2009 5:13 pm

The graphs are the built-in mikrotik ones (tools -> graphing)

Those are from our 3 adsl interfaces for the site.
 
magnavox
Member
Member
Posts: 357
Joined: Thu Jun 14, 2007 1:03 pm

Re: New firewall matcher PCC

Fri Dec 04, 2009 9:04 pm

FYI, noticing on a couple of sites I've been testing with 4.2 that the mangle rules don't seem to be working the same as before.

I'm yet to determine what is causing the issue but it's not balancing the links very well at all right now.


Has only changed to this since I upgraded to 4.2 (31 days ago)

Will be rolling back to check differences shortly.
Can you post your mangle rules set and route list?
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: New firewall matcher PCC

Sat Dec 05, 2009 4:21 am

They're the same as the set I've previously posted on here, full set is listed at: http://www.mikrotik-routeros.com/?p=12
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Mon Dec 07, 2009 9:10 am

Has anybody had a problem with World of Warcraft or TeamSpeak? This weekend I had to disable the routes to the other GWs just so WoW doesn't log off every ten minutes. This is the same with TeamSpeak; both log out at the same time. I'm going to try a different setup (the one omega is linking to) and see if that works.

Okay, I just changed my PCC config to the one omega listed above (http://www.mikrotik-routeros.com/?p=12) and I haven't had any problems so far. I'm still figuring out the graphing but will post that this week. This config doesn't seem to disconnect anything like the config from the wiki does. I'll post the issues here if I find any.
 
ERNEST
just joined
Posts: 13
Joined: Sun Dec 06, 2009 12:08 pm

Re: New firewall matcher PCC

Mon Dec 07, 2009 12:46 pm

Can someone explain how this works
both-addresses
both-ports
dst-address-and-port
src-address
src-port
both-addresses-and-ports
dst-address
dst-port
src-address-and-port
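Added example for the list above (not from the thread and not MikroTik code): a Python simulation of what each classifier mode does. Every mode picks some of src-address, dst-address, src-port and dst-port, derives a 32-bit value from them, divides it by the denominator and compares the remainder with the one in the rule, so `both-addresses:2/0` and `both-addresses:2/1` split connections between two links. RouterOS does not publish its hash function, so SHA-256 truncated to 32 bits stands in for it here (an assumption, marked in the code); the client and server addresses and the 200-connection session are constructed.

```python
"""Per-connection-classifier modes, simulated (added example, not RouterOS code)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    src_port: int
    dst_port: int


# Header fields each mode feeds into the hash; the keys are the matcher's own mode names.
PCC_MODES = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "src-port": ("src_port",),
    "dst-port": ("dst_port",),
    "both-ports": ("src_port", "dst_port"),
    "src-address-and-port": ("src", "src_port"),
    "dst-address-and-port": ("dst", "dst_port"),
    "both-addresses-and-ports": ("src", "dst", "src_port", "dst_port"),
}


def pcc_value(conn: Conn, mode: str) -> int:
    """32-bit value derived from the selected fields.
    ASSUMPTION: RouterOS's real hash is undocumented; SHA-256 truncated to 32 bits stands in."""
    key = "|".join(str(getattr(conn, f)) for f in PCC_MODES[mode]).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def pcc_match(conn: Conn, mode: str, denominator: int, remainder: int) -> bool:
    """per-connection-classifier=<mode>:<denominator>/<remainder>"""
    return pcc_value(conn, mode) % denominator == remainder


def assign_links(conns, mode: str, n_links: int):
    """Emulate n rules <mode>:n/0 ... <mode>:n/(n-1); return the link index each connection lands on."""
    return {c: next(i for i in range(n_links) if pcc_match(c, mode, n_links, i)) for c in conns}


def links_used(conns, mode: str, n_links: int) -> int:
    """How many of the n links one set of connections is spread over."""
    return len(set(assign_links(conns, mode, n_links).values()))


# Constructed sample: one LAN client opens 200 TCP connections to one HTTPS server
# (a normal browser session), each from a fresh source port.
CLIENT, SERVER = "192.168.2.111", "198.51.100.20"
SESSION = [Conn(CLIENT, SERVER, 50000 + i, 443) for i in range(200)]

if __name__ == "__main__":
    for mode in PCC_MODES:
        print(f"{mode:26s} links used by one client/server session: {links_used(SESSION, mode, 2)}")
```

Reading the output: any mode that ignores the ports keeps every connection between the same two hosts on one link (one public IP seen by the server), while any mode that includes a port spreads a single browsing session across all links, so the server sees the session arrive from several public IPs. That is the property to keep in mind for the login-loop and game-disconnect reports in this thread.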
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Mon Dec 07, 2009 12:59 pm

 
User avatar
maroon
Member Candidate
Member Candidate
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon
Contact:

Re: New firewall matcher PCC

Mon Dec 07, 2009 3:14 pm

I want to load balance two connections that share the same upload... Does PCC help me do the trick?

upload ISP1 / Download via Satellite (fully routed 1Mbps / 7 Mbps) 79.141.89.xx/28

upload ISP 1 / Download ISP 1 (1Mbps / 2 Mbps) 89.108.43.xx/29

Any help would be highly appreciated...
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Mon Dec 07, 2009 3:46 pm

something like
/ip route add gateway=ISP1_gateway
/ip firewall nat add chain=srcnat <condition for satellite packets> action=src-nat to-addresses=79.141.89.xx/28
doesn't your ISP1 block packets with unknown src-addresses?
 
User avatar
maroon
Member Candidate
Member Candidate
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon
Contact:

Re: New firewall matcher PCC

Mon Dec 07, 2009 4:07 pm

But if I use the gateway of ISP 1, I will be using the upload and download from ISP 1.... while if I use the gateway 79.141.17.xx that is fully routed, I will be downloading from satellite....

I want to use both downloads (satellite and ISP 1).
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Mon Dec 07, 2009 6:57 pm

while If I use the gateway 79.141.17.xx
you cannot use that GW. satellite link is unidirectional

you should src-nat packets with your satellite's address, so that it returns via satellite, not via ISP1
 
User avatar
maroon
Member Candidate
Member Candidate
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon
Contact:

Re: New firewall matcher PCC

Tue Dec 08, 2009 9:50 am

Chupaka here below my scenario....

scenario.JPG
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Tue Dec 08, 2009 12:13 pm

Ok, banking doesn't work with Omega's config on my system. I have configured that all local internet traffic is routed through a local internet ADSL line (ether1 has 2 accounts on it, international1 and Local-PPPoE) and all international traffic is routed over the 4 international PPPoE/ADSL accounts. I can see that there has been over 1GB of traffic passing through the local ADSL, so it is mostly working.

Now my problem is that banking (which is local and is reachable through Local-PPPoE) is not routed, at all, over the local ADSL. I think the mangle rules have something to do with it, because it randomises traffic to X interfaces which aren't local (meaning not public), but it doesn't take into consideration that my routing table says "hey! These dst-addresses go through this interface!"

Can I add a "destination address type" that identifies traffic intended for my Local-PPPoE interface? So I can add it to the mangle rules (local invert/localint invert). It's 1500+ static routes FYI.

Extra info - My routes for local internet are all distance=2 and I've set my international routes to start from distance=3-6

Or something in the mangle rules that says, if these routes are identified by some means "accept" and don't continue down the mangle list?

Please Help!

EDIT - I think I found something, but that requires me to add all 1500+ routes into my address list and let them go via Local-PPPoE, but would that be chain=
Input
Output
Input and Output?
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: New firewall matcher PCC

Tue Dec 08, 2009 5:39 pm

You're correct in assuming they're being *overridden* by the mangle rules.

As for how to tag them, there's a number of solutions, from using the address-list idea, to autogenerating a list based on routes each day.

If the list of routes is manual, I'd do it a different way from what you have now.
1. create a single route, dst-address=0.0.0.0/0 routing-mark=via-local-transit gw=<ip address or interface>
2. create an address list of all the ranges you want to route via it.
3. add a mangling rule (if you're using my setup it should go between the inbound rules and the pcc rules) that marks routing for all traffic to dst-address-list=<your new address list> with passthrough set to no.
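Added example (not RouterOS code and not from anyone in the thread): a Python walk through a prerouting mangle chain that shows the two points made earlier, dssmiktik's "action=accept stops processing" and omega-00's step 3 above, a mark-routing rule with passthrough=no placed ahead of the PCC rules. The PCC match is replaced by a constructed last-octet parity split, and the address list, interface names and mark names are made up.

```python
"""Mangle-chain walk (added example): how accept, passthrough and rule order
decide which packets the PCC rules ever see. Not RouterOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    connection_mark: Optional[str] = None
    routing_mark: Optional[str] = None


@dataclass
class Rule:
    action: str                                   # accept | mark-connection | mark-routing
    in_interface: Optional[str] = None
    dst_networks: Tuple[str, ...] = ()            # dst-address or dst-address-list entries
    connection_mark: Optional[str] = None
    new_mark: Optional[str] = None
    passthrough: bool = True
    classifier: Optional[Callable[[Packet], bool]] = None  # stands in for per-connection-classifier


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must hold, as in the firewall."""
    if rule.in_interface and pkt.in_interface != rule.in_interface:
        return False
    if rule.dst_networks and not any(ip_address(pkt.dst) in ip_network(n) for n in rule.dst_networks):
        return False
    if rule.connection_mark and pkt.connection_mark != rule.connection_mark:
        return False
    if rule.classifier and not rule.classifier(pkt):
        return False
    return True


def run_chain(rules, pkt: Packet) -> Packet:
    """Walk one chain top to bottom: accept ends processing without marking;
    mark-* applies its mark and continues only when passthrough=yes."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "accept":
            return pkt
        if rule.action == "mark-connection":
            pkt.connection_mark = rule.new_mark
        elif rule.action == "mark-routing":
            pkt.routing_mark = rule.new_mark
        if not rule.passthrough:
            return pkt
    return pkt


def pcc_class(pkt: Packet) -> int:
    # Constructed stand-in for both-addresses:2/N: parity of the last octet of dst.
    # The real matcher hashes the selected header fields; any fixed split will do here.
    return int(pkt.dst.rsplit(".", 1)[1]) % 2


def pcc_rules(links=("wan1", "wan2")):
    """Wiki-style pair of rules per link: mark-connection by class, then mark-routing by mark."""
    rules = [Rule("mark-connection", in_interface="lan", new_mark=f"{link}_conn",
                  classifier=lambda p, i=i: pcc_class(p) == i)
             for i, link in enumerate(links)]
    rules += [Rule("mark-routing", in_interface="lan", connection_mark=f"{link}_conn",
                   new_mark=f"to_{link}") for link in links]
    return rules


LOCAL_TRANSIT = ("41.0.0.0/16", "41.240.0.0/13")   # constructed dst-address-list

# 1: terminating mark-routing rule ahead of the PCC rules (passthrough=no) -> mark is final.
CHAIN_PINNED = [Rule("mark-routing", in_interface="lan", dst_networks=LOCAL_TRANSIT,
                     new_mark="via-local-transit", passthrough=False)] + pcc_rules()
# 2: same rule with passthrough=yes -> the PCC mark-routing rules below overwrite it.
CHAIN_OVERRIDDEN = [Rule("mark-routing", in_interface="lan", dst_networks=LOCAL_TRANSIT,
                         new_mark="via-local-transit", passthrough=True)] + pcc_rules()
# 3: action=accept for those destinations -> no mark at all; traffic uses the main table.
CHAIN_ACCEPT = [Rule("accept", in_interface="lan", dst_networks=LOCAL_TRANSIT)] + pcc_rules()


def marks(chain, dst: str, src: str = "192.168.2.111", iface: str = "lan"):
    """(connection-mark, routing-mark) a packet leaves the chain with."""
    pkt = run_chain(chain, Packet(src=src, dst=dst, in_interface=iface))
    return pkt.connection_mark, pkt.routing_mark


if __name__ == "__main__":
    for name, chain in (("pinned", CHAIN_PINNED), ("overridden", CHAIN_OVERRIDDEN), ("accept", CHAIN_ACCEPT)):
        print(name, marks(chain, "41.0.5.10"), marks(chain, "8.8.8.8"), marks(chain, "1.1.1.1"))
```

The three chains differ only in the first rule. With passthrough=no the address-list traffic keeps its own routing mark and never reaches the balancer; with passthrough=yes the later PCC mark-routing rule silently overwrites it, which is the "overridden" effect described above; with accept the traffic leaves mangle unmarked and is routed by the main table, so whatever that rule matches is simply removed from the load balancer. The same walk applies to the output chain used for router-originated traffic earlier in the thread.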
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Wed Dec 09, 2009 9:37 am

Hehe, I cheated there: I just edited all the rules with comments "traffic that isn't local...". Via Advanced (GUI) I added:
Dst. Address List: (inverted, check box checked) Localpppoe.
(Localpppoe is the address list I made with all the local IP ranges in my country.)

So now the mangle rules are only applied to addresses/ranges not in the address list. Quick and Easy Fix

By the way, I sorted out the internet banking like this, as it also goes through only the local line now. But that is a temporary fix, because other things that require a connection over one IP might be troublesome, but I haven't found any issues so far that I believe are a PCC problem. My hotspot on another router freaked out last night, so I'm checking that out now to see if it has anything to do with PCC or my own human error.

thanx for the help though.
 
dentalmaterial
just joined
Posts: 3
Joined: Fri Dec 11, 2009 6:18 am

Re: New firewall matcher PCC

Fri Dec 11, 2009 11:33 am

I have the same problem too: 1 WAN interface takes up almost all the traffic, the other doesn't.
Please help...

My rules

MikroTik RouterOS 3.30 (c) 1999-2009 http://www.mikrotik.com/

[admin@MikroTik] > ip
[admin@MikroTik] /ip> firewall
[admin@MikroTik] /ip firewall> nat
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.80.0/24

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24

3 chain=srcnat action=masquerade out-interface=TeData

4 chain=srcnat action=masquerade out-interface=LinkDotNet
[admin@MikroTik] /ip firewall nat> /ip firewall mangle
[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; out load DST
chain=prerouting action=accept dst-address-list=rede-interna
in-interface=LAN

1 ;;; Mark new inbound connection Link1
chain=input action=mark-connection new-connection-mark=Link1
passthrough=yes connection-state=new in-interface=LinkDotNet

2 ;;; Mark new inbound connection Link2
chain=input action=mark-connection new-connection-mark=Link2
passthrough=yes connection-state=new in-interface=TeData

3 ;;; Mark new inbound route Link1
chain=output action=mark-routing new-routing-mark=Link1 passthrough=no
connection-state=new connection-mark=Link1

4 ;;; Mark new inbound route Link2
chain=output action=mark-routing new-routing-mark=Link2 passthrough=no
connection-state=new connection-mark=Link2

5 ;;; Mark new established connection Link1
chain=prerouting action=mark-connection new-connection-mark=Link1
passthrough=yes connection-state=established in-interface=LinkDotNet

6 ;;; Mark new established connection Link2
chain=prerouting action=mark-connection new-connection-mark=Link2
passthrough=yes connection-state=established in-interface=TeData

7 ;;; Mark new established route Link1
chain=output action=mark-routing new-routing-mark=Link2 passthrough=no
connection-state=established connection-mark=Link1

8 ;;; Mark new established route Link2
chain=output action=mark-routing new-routing-mark=Link2 passthrough=no
connection-state=established connection-mark=Link2

9 chain=prerouting action=mark-connection new-connection-mark=Link1_pcc_conn
passthrough=yes dst-address-type=!local in-interface=LAN
per-connection-classifier=both-addresses:2/0

10 chain=prerouting action=mark-connection new-connection-mark=Link2_pcc_conn
passthrough=yes dst-address-type=!local in-interface=LAN
per-connection-classifier=both-addresses:2/1

11 chain=prerouting action=mark-routing new-routing-mark=Link1
passthrough=yes in-interface=LAN connection-mark=Link1_pcc_conn

12 chain=prerouting action=mark-routing new-routing-mark=Link2
passthrough=yes in-interface=LAN connection-mark=Link2_pcc_conn

[admin@MikroTik] /ip firewall mangle>
[admin@MikroTik] /ip firewall mangle> /ip route
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE IN..
0 S ;;; Default route-Distance 2
0.0.0.0/0 r TeData 2 Te..
1 S ;;; Link1 Distance 1
0.0.0.0/0 r LinkDotNet 1 Li..
2 A S ;;; Delfault route-Distance1
0.0.0.0/0 r LinkDotNet 1 Li..
3 A S ;;; Link1 Distance 2
0.0.0.0/0 r TeData 2 Te..
4 A S ;;; Link2 Distance 1
0.0.0.0/0 r TeData 1 Te..
5 S ;;; Link2 Distance 2
0.0.0.0/0 r LinkDotNet 2 Li..
6 ADC 41.130.0.1/32 41.130.11.54 0 Li..
7 ADC 163.121.170.22/32 196.202.112.105 0 Te..
8 ADC 192.168.80.0/24 192.168.80.1 0 wl..
9 ADC 192.168.88.0/24 192.168.88.1 0 LAN
[admin@MikroTik] /ip route>

[admin@MikroTik] > ip
[admin@MikroTik] /ip> firewall
[admin@MikroTik] /ip firewall> filter
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; allow established connections
chain=forward action=accept connection-state=established

2 ;;; allow related connections
chain=forward action=accept connection-state=related

3 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

4 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=135-139

5 ;;; Drop Messenger Worm
chain=virus action=drop protocol=udp dst-port=135-139

6 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=445

7 ;;; Drop Blaster Worm
chain=virus action=drop protocol=udp dst-port=445

8 ;;; ________
chain=virus action=drop protocol=tcp dst-port=593

9 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1024-1030

10 ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=1080

11 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1214

12 ;;; ndm requester
chain=virus action=drop protocol=tcp dst-port=1363

13 ;;; ndm server
chain=virus action=drop protocol=tcp dst-port=1364

14 ;;; screen cast
chain=virus action=drop protocol=tcp dst-port=1368

15 ;;; hromgrafx
chain=virus action=drop protocol=tcp dst-port=1373

16 ;;; cichlid
chain=virus action=drop protocol=tcp dst-port=1377

17 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=1433-1434

18 ;;; Bagle Virus
chain=virus action=drop protocol=tcp dst-port=2745

19 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=2283

20 ;;; Drop Beagle
chain=virus action=drop protocol=tcp dst-port=2535

21 ;;; Drop Beagle.C-K
chain=virus action=drop protocol=tcp dst-port=2745

22 ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=3127-3128

23 ;;; Drop Backdoor OptixPro
chain=virus action=drop protocol=tcp dst-port=3410

24 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=4444

25 ;;; Worm
chain=virus action=drop protocol=udp dst-port=4444

26 ;;; Drop Sasser
chain=virus action=drop protocol=tcp dst-port=5554

27 ;;; Drop Beagle.B
chain=virus action=drop protocol=tcp dst-port=8866

28 ;;; Drop Dabber.A-B
chain=virus action=drop protocol=tcp dst-port=9898

29 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=10000

30 ;;; Drop MyDoom.B
chain=virus action=drop protocol=tcp dst-port=10080

31 ;;; Drop NetBus
chain=virus action=drop protocol=tcp dst-port=12345

32 ;;; Drop Kuang2
chain=virus action=drop protocol=tcp dst-port=17300

33 ;;; Drop SubSeven
chain=virus action=drop protocol=tcp dst-port=27374

34 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus action=drop protocol=tcp dst-port=65506

35 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus

36 ;;; Allow HTTP
chain=forward action=accept protocol=tcp dst-port=80

37 ;;; Allow SMTP
chain=forward action=accept protocol=tcp dst-port=25

38 ;;; allow TCP
chain=forward action=accept protocol=tcp

39 ;;; allow ping
chain=forward action=accept protocol=icmp

40 ;;; allow udp
chain=forward action=accept protocol=udp

41 ;;; drop everything else
chain=forward action=drop

42 chain=forward action=accept protocol=tcp src-address-list=spammer dst-port=25

43 chain=forward action=accept protocol=tcp src-address-list=spammer dst-port=25

44 ;;; BLOCK SPAMMERS OR INFECTED USERS
chain=forward action=drop protocol=tcp src-address-list=spammer dst-port=25

45 ;;; Detect and add-list SMTP virus or spammers
chain=forward action=add-src-to-address-list protocol=tcp src-address-list=spammer address-list=spammer
address-list-timeout=1d dst-port=25 connection-limit=30,32 limit=50,5

46 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners
address-list-timeout=2w

47 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

48 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners
address-list-timeout=2w

49 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners
address-list-timeout=2w

50 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

51 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w

52 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

53 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

54 ;;; Accept established connections
chain=input action=accept connection-state=established

55 ;;; Accept related connections
chain=input action=accept connection-state=related

56 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

57 ;;; UDP
chain=input action=accept protocol=udp

58 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2

59 ;;; Drop excess pings
chain=input action=drop protocol=icmp

60 ;;; SSH for secure shell
chain=input action=accept protocol=tcp dst-port=22

61 ;;; winbox
chain=input action=accept protocol=tcp dst-port=8291

62 ;;; From Mikrotikls network
chain=input action=accept src-address=159.148.172.192/28

63 ;;; From our private LAN
chain=input action=accept src-address=10.0.0.0/8

64 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners
address-list-timeout=2w

65 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

66 chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners
address-list-timeout=2w

67 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners
address-list-timeout=2w

68 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners
address-list-timeout=2w

69 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

70 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w

71 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

72 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

73 ;;; Port scanners to list
chain=forward action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners
address-list-timeout=2w

74 ;;; NMAP FIN Stealth scan
chain=forward action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

75 chain=forward action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners
address-list-timeout=2w

76 ;;; SYN/FIN scan
chain=forward action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners
address-list-timeout=2w

77 ;;; SYN/RST scan
chain=forward action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners
address-list-timeout=2w

78 ;;; FIN/PSH/URG scan
chain=forward action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

79 ;;; ALL/ALL scan
chain=forward action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w

80 ;;; NMAP NULL scan
chain=forward action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

81 ;;; dropping port scanners
chain=forward action=drop src-address-list=port scanners

82 chain=forward action=jump jump-target=restrict-tcp protocol=tcp

83 I chain=forward action=jump jump-target=restrict-udp protocol=udp

84 I chain=forward action=jump jump-target=restrict-ip

85 chain=restrict-tcp action=reject reject-with=icmp-network-unreachable connection-mark=auth

86 ;;; anti-spam policy
chain=restrict-tcp action=jump jump-target=smtp-first-drop connection-mark=smtp

87 chain=smtp-first-drop action=add-src-to-address-list src-address-list=first-smtp address-list=approved-smtp
address-list-timeout=5s

88 chain=smtp-first-drop action=return src-address-list=approved-smtp

89 chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=5s

90 chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable

91 I chain=restrict-tcp action=jump jump-target=drop connection-mark=other-tcp

92 I chain=restrict-udp action=jump jump-target=drop connection-mark=other-udp

93 I chain=restrict-ip action=jump jump-target=drop connection-mark=other

[admin@MikroTik] /ip firewall filter>
 
markbecken09
just joined
Posts: 3
Joined: Thu Dec 10, 2009 4:48 pm

Re: New firewall matcher PCC

Fri Dec 11, 2009 1:20 pm

Hey guys,
I tested it with 2 or 3 different PCs; maybe more traffic is needed? I have 2 DSL lines from/to the same ISP, with the same gateway IP address. Is this a problem using the above configuration? Just for surety.

Thanks.
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Mon Dec 14, 2009 10:59 pm

[admin@MikroTik] > tool traceroute ya.ru max-hops=4
     ADDRESS                                    STATUS
   1  192.168.16.250 2ms 2ms 10ms 
   2   192.168.0.200 9ms 10ms 12ms 
   3   192.168.0.200 6ms 11ms 10ms network unreachable
   4   192.168.0.200 14ms 6ms 53ms network unreachable
max-hops reached
[admin@MikroTik] > /ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.16.141 routing-mark=preved
[admin@MikroTik] > /ip firewall mangle add chain=output action=mark-routing new-routing-mark=preved 
[admin@MikroTik] > tool traceroute ya.ru max-hops=4
     ADDRESS                                    STATUS
   1  192.168.16.141 5ms 7ms 10ms 
   2  192.168.16.250 11ms 9ms 1ms 
   3   192.168.0.200 6ms 7ms 5ms 
   4   192.168.0.200 4ms 19ms 11ms network unreachable
max-hops reached
[admin@MikroTik] > 

Hello Chupaka, thanks for your help. This routing mark works fine, but I need that when the ping is originated from the router itself, the router sends the ping via the marked route even when the interface is down. I need to avoid the ping going via the default gateway; I need to do this in order to resolve the failover with NATed providers. I tried to make a netwatch to an address and deactivate the interface when the address doesn't respond, but when the gateway is down the router sends the ping via the default gateway and the netwatch sees the interface UP again.

thanks
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Dec 15, 2009 1:41 am

first, you should limit route lookup to the routes with that packet-mark:
/ip route rule add routing-mark=to_ISP1 action=lookup-only-in-table table=to_ISP1
now your default route from 'main' table won't work for packets with 'to_ISP1' mark

then you can simply use 'ping' command via that routing table:
/ping google.com routing-table=to_ISP1
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Dec 15, 2009 1:46 am

... or just mark netwatch icmp requests as before =)

also, you should _not_ disable the interface - you should just disable a route for that provider - create two similar routing tables, one for users and another for Netwatch. and netwatch will set the state of users' route, so that you always know when Internet is UP again :)
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Tue Dec 15, 2009 3:46 am

Thanks Chupaka, I will try this. Now I want to know if I can use action=lookup? Because I'm using 3.30 and not 4.x OS. Thanks
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Tue Dec 15, 2009 8:38 am

Cool config, Chupaka. I just want to know if you are using 4.x with the load balancing? Because I'm having a lot of trouble with 4.x and I'm downgrading today to 3.30 until I can get everything sorted out.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Tue Dec 15, 2009 10:19 am

if i can use action=lookup ? because i´m using 3.30 and not 4.x OS. thanks
no, 'action=lookup' will continue searching in 'main' table in case of failure. install 'routing-test' package for 3.30
Cool config, Chupaka
thanks =)
if you are using 4.x with the loadbalancing? Because I'm having a lot of trouble with 4.x and I'm downgrading today to 3.30 Until I can get everything sorted out.
well, I'm still using v3.27 on Internet router =) v4 is only on core routers. just waiting for a moment to update internet and border routers to v4 ))

what kind of troubles?
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Tue Dec 15, 2009 4:24 pm

Hmph, I upgraded to 4.2 from 3.22 on a few tests and did some tests and it seemed to be working alright; then I decided to replace our old load balancer and hotspot gateway with the MikroTiks (just to give you my situation now). RB493 as main router for internet (PCC load balance of 4 ADSL lines and one local account on the same interface as one of the international accounts) that supplies our office with internet. This is also connected to a hotspot gateway (RB750) which is connected to our own RADIUS billing server. Everything seemed to work until I did the field test and integrated it into our WISP network.

That's the background.

I'm having issues getting the lines to balance equally using the mangle rules, and then I heard some of them don't work as they should. I use scripts from the wiki and just customise them accordingly, as I'm not really good with the firewall. With PCC, internet banking dropped, I couldn't port forward to any internal IPs, the Hotspot crashed a lot, internet speeds were unstable (speed tests showed good results but browsing was slow), emails couldn't be sent in the hotspot network (I might add only some), and when I disabled it, it worked.

The worst thing is my mother is on our WISP network and she gets pretty peeved when she can't Farmville :)

So I took the bold step and downgraded to 3.30, as that was the last time I played around with MikroTik.
 
dentalmaterial
just joined
Posts: 3
Joined: Fri Dec 11, 2009 6:18 am

Re: New firewall matcher PCC

Fri Dec 18, 2009 3:37 pm

Hi Chupaka, please check my above configuration and tell me what's causing the improper load balancing, as one of the 2 lines has almost all the bandwidth while the other has very little activity. Thank you.
Also my email: dental_material@yahoo.com
dental_material@hotmail.com, feel free to add me, waiting for your reply.
Dr. Ahmed
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Fri Dec 18, 2009 11:06 pm

can I have WinBox access to your router? I don't like textual output, and there's not enough info in your post =)

feel free to contact me at Skype: pavel.skuratovich
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Fri Dec 18, 2009 11:12 pm

Hey Chupaka, I will ask you a question off topic. I have a Linux server with squid, DNS, DHCP, etc. I need to publish a temporary login page. I don't want to replace my whole Linux box with a MikroTik router yet, but I need a simple hotspot to show the page for a few days. Is it possible to set up a hotspot in a MikroTik box and then redirect port 80 from my Linux box to the MikroTik hotspot? Thanks a lot, and excuse me for the off-topic comment.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Sat Dec 19, 2009 12:04 am

sorry, I'm not familiar with Hotspot. try simply dst-nat all port 80 requests to your Hotspot... 'man iptables' =)
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Sat Dec 19, 2009 12:19 am

sorry, I'm not familiar with Hotspot. try simply dst-nat all port 80 requests to your Hotspot... 'man iptables' =)

Thanks anyway Chupaka, I've tried

iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.19.91.253:80

It redirects all port 80 traffic to port 80 of the hotspot, but it doesn't work. If somebody knows something, it will be appreciated. Thanks a lot.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Sat Dec 19, 2009 12:37 am

what's your client's IP?..

p.s. off-topic, btw... create another topic =) this one is about PCC =)
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Sat Dec 19, 2009 12:48 am

Sorry, it's already created, but it seems that it's really boring, no replies :'(

http://forum.mikrotik.com/viewtopic.php?f=2&t=37652

my clients ip is 10.19.91.1 - 10.19.91.200

10.19.91.254 linux
10.19.91.253 mk hotspot

talk you in the another topic.. thanks
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Mon Dec 21, 2009 7:12 am

Normis, yeah it's simple but very special too, jejej
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Mon Dec 21, 2009 3:57 pm

I am having trouble with opening ports using UPnP while Loadbalancing with PCC, the UPnP docs say you can only specify one External Interface... Is there a way around this except forwarding traffic to a single gateway that I want to open up ports to?
 
User avatar
NetworkPro
Forum Guru
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos
Contact:

Re: New firewall matcher PCC

Mon Dec 21, 2009 4:34 pm

In one network of one client I'm doing it with two routers: the first, a RouterBOARD, has PCC and forwards everything to the second, and the second has UPnP turned on and Proxy (x86 with a HDD).
 
jirristols
newbie
Posts: 33
Joined: Fri May 15, 2009 4:36 pm
Location: Pretoria, South Africa
Contact:

Re: New firewall matcher PCC

Mon Dec 21, 2009 4:50 pm

Hey NetworkPro,

That's what I'm also doing: RB493 as main router with PCC over 4 lines, and RB750 as hotspot router. How do I forward everything to my RB750, IP 192.168.2.253, interface=LocalLan, v3.30?

I want to espescially forward these ports:
TCP: 37918, 1119, 3724, 6112, 6881-6999
UDP: 3724, 37918

These are the ports I can test with at the moment the easiest.
 
User avatar
calman
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Fri Feb 06, 2009 12:16 pm

Re: New firewall matcher PCC

Wed Dec 30, 2009 12:27 am

I confirm the UPnP issue: it doesn't work in multi-WAN PCC, but with one unique gateway it works correctly.
 
ilius168
Member Candidate
Member Candidate
Posts: 255
Joined: Sat Apr 07, 2007 3:54 am

Re: New firewall matcher PCC

Thu Dec 31, 2009 6:29 pm

Hi,
I've been using nth & PCC for load balancing, pretty much the same config as provided in the wiki. Both work well except for this: traffic seems to be prioritized to the default gateway. This happens using the nth and/or PCC configuration.
Is this normal or is there anything that i've missed?

Using ROS v4.4 (the same happened when using 3.x) on RB 1000 with 8 WAN (vlan-ed).

Thanks.
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Thu Dec 31, 2009 6:45 pm

PCC works perfectly for me; in the firewall mangle you can see that the packet count is almost perfectly balanced, also in the interface statistics. Maybe you missed something.
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: New firewall matcher PCC

Wed Jan 06, 2010 8:31 am

PCC solution will be more precise for bigger number of connections. If you have only few connections even one traffic heavy connection can result into imbalance.
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Sun Jan 17, 2010 6:15 am

first, you should limit route lookup to the routes with that packet-mark:
/ip route rule add routing-mark=to_ISP1 action=lookup-only-in-table table=to_ISP1
now your default route from 'main' table won't work for packets with 'to_ISP1' mark

then you can simply use 'ping' command via that routing table:
/ping google.com routing-table=to_ISP1
OK, the test works perfectly when I use the ping command in the terminal, but with the packet marks in output mangle it doesn't work. I will make a script to replace the netwatch. Thanks a lot.
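What the scripted replacement for Netwatch could look like, following Chupaka's advice above (a probe-only routing table locked down with a route rule, and toggling the users' route rather than the interface). This is an added example, not a config from this thread. Everything in it is a placeholder assumption: ISP gateways 10.1.1.1 and 10.2.2.1, users' routing marks to_ISP1/to_ISP2 (whatever the PCC mangle rules set as new-routing-mark), and probe targets 8.8.8.8 / 8.8.4.4. On 3.x the lookup-only-in-table action needs the routing-test package, as Chupaka noted.

```routeros
# Added example, not from this thread. Placeholders: gateways 10.1.1.1 (ISP1)
# and 10.2.2.1 (ISP2), users' tables to_ISP1 / to_ISP2, probe hosts 8.8.8.8 / 8.8.4.4.

# 1. A probe-only routing table per ISP, with a route rule that restricts lookups
#    for that mark to that table. Without the rule a probe whose ISP is down would
#    fall back to the main default route and "succeed" via the other provider,
#    which is exactly the failover problem described above.
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=probe_ISP1 comment="probe ISP1"
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=probe_ISP2 comment="probe ISP2"
/ip route rule
add routing-mark=probe_ISP1 action=lookup-only-in-table table=probe_ISP1
add routing-mark=probe_ISP2 action=lookup-only-in-table table=probe_ISP2

# 2. The users' routes, tagged by comment so the script can find them. These are
#    what the probe enables/disables; the interface itself is never touched, so
#    the probe keeps working and sees the link come back.
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=to_ISP1 comment="users ISP1"
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=to_ISP2 comment="users ISP2"

# 3. Probe script body. Save it as /system script name=probe-ISP1; copy it for
#    ISP2 with probe_ISP2, 8.8.4.4 and "users ISP2". '/ping' in a script returns
#    the number of replies received, and routing-table= forces it through the
#    probe table (the same parameter Chupaka used from the terminal).
:local replies [/ping 8.8.8.8 count=3 routing-table=probe_ISP1]
:local route [/ip route find comment="users ISP1"]
:if ($replies = 0) do={
    :if ([/ip route get $route disabled] = false) do={
        /ip route set $route disabled=yes
        :log warning "ISP1 probe failed: users ISP1 route disabled"
    }
} else={
    :if ([/ip route get $route disabled] = true) do={
        /ip route set $route disabled=no
        :log info "ISP1 probe OK: users ISP1 route enabled"
    }
}

# 4. Run the probe every 30 seconds from the scheduler.
/system scheduler
add name=probe-ISP1 interval=30s on-event=probe-ISP1
```

Use a different probe host per ISP so a single remote outage cannot take down every link at once, and keep the probe interval long enough that three lost pings mean a real outage rather than congestion. Disabling the users' route for ISP1 does not reset existing connection marks; connections already marked for ISP1 simply follow whatever route is active next for the to_ISP1 table (the main default route unless backup routes exist in that table).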
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Thu Jan 28, 2010 11:25 pm

even Google Translate doesn't understand you. please write in English
 
galaxy70
just joined
Posts: 3
Joined: Wed Feb 17, 2010 12:38 pm
Location: Ukraine

Re: New firewall matcher PCC

Wed Feb 17, 2010 1:08 pm

Hello, I have configured MikroTik (v4.4 x86). It has 2 DSL lines using PPPoE, and PPPoE clients connect to it.
The config does not work:
/ip firewall mangle
add action=mark-connection chain=input comment="Mark Incoming (to router itself) connections so their reply packets get routed to the interface the connections came in" connection-state=new \
    disabled=no in-interface=pppoe-out1 new-connection-mark=adsl1_conn passthrough=yes
add action=mark-connection chain=input comment="" connection-state=new disabled=no in-interface=pppoe-out2 new-connection-mark=adsl2_conn passthrough=yes
add action=accept chain=output comment="Prevent Outgoing connections to clients' IP addresses from being mangled and routed by PCC" disabled=no dst-address-list=clients
add action=accept chain=output comment="" disabled=no dst-address=172.16.4.0/22

add action=mark-connection chain=output comment="Mark outgoing from router connections w PCC by dst-address for proxy (and everything from router) balancing" connection-state=new disabled=no \
    dst-address-type=!local new-connection-mark=adsl1_conn passthrough=yes per-connection-classifier=dst-address:2/0
add action=mark-connection chain=output comment="" connection-state=new disabled=no dst-address-type=!local new-connection-mark=adsl2_conn passthrough=yes per-connection-classifier=dst-address:2/1

add action=mark-routing chain=output comment="" connection-mark=adsl1_conn disabled=no new-routing-mark=to_adsl1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl2_conn disabled=no new-routing-mark=to_adsl2 passthrough=yes

add action=accept chain=prerouting comment="" disabled=no dst-address-list=clients src-address-list=clients
add action=mark-connection chain=prerouting comment="Mark connections from clients ip addresses w PCC balance before they get routed so they can be assigned routing rules later and get routed" \
    connection-state=new disabled=no dst-address-type=!local new-connection-mark=adsl1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=clients
add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no dst-address-type=!local new-connection-mark=adsl2_conn passthrough=yes per-connection-classifier=\
    both-addresses:2/1 src-address-list=clients
add action=mark-routing chain=prerouting comment="" connection-mark=adsl1_conn disabled=no new-routing-mark=to_adsl1 passthrough=yes src-address-list=clients
add action=mark-routing chain=prerouting comment="" connection-mark=adsl2_conn disabled=no new-routing-mark=to_adsl2 passthrough=yes src-address-list=clients


/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2


/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_ADSL1 scope=30 target-scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_ADSL2 scope=30 target-scope=10
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out2 scope=30 target-scope=10


Please help me.
 
galaxy70
just joined
Posts: 3
Joined: Wed Feb 17, 2010 12:38 pm
Location: Ukraine

Re: New firewall matcher PCC

Wed Feb 17, 2010 5:07 pm

Thanks all for your attention, the solution has been found.
Working config:
/ip firewall mangle
add chain=input action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=pppoe-out1 
add chain=input action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=pppoe-out2 

add chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes src-address=172.16.4.0/22 dst-address-type=!local per-connection-classifier=both-addresses:2/0 
add chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes src-address=172.16.4.0/22 dst-address-type=!local per-connection-classifier=both-addresses:2/1 

add chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=yes connection-mark=wan1_conn 
add chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=yes connection-mark=wan2_conn 

add chain=prerouting action=mark-routing new-routing-mark=to_wan1 passthrough=yes src-address=172.16.4.0/22 connection-mark=wan1_conn 
add chain=prerouting action=mark-routing new-routing-mark=to_wan2 passthrough=yes src-address=172.16.4.0/22 connection-mark=wan2_conn

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=2 check-gateway=ping


/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=pppoe-out2 action=masquerade
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: New firewall matcher PCC

Wed Feb 17, 2010 6:19 pm

Please create a new topic and describe what exactly doesn't work. We are not telepaths. What does traceroute show, etc.?
 
galaxy70
just joined
Posts: 3
Joined: Wed Feb 17, 2010 12:38 pm
Location: Ukraine

Re: New firewall matcher PCC

Thu Feb 18, 2010 8:57 am

Thanks, but everything already works. With the first config, the load went over only one channel. The second config is fully working: both channels are loaded, but non-uniformly. The balancing reacts slowly.
 
godovic
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Tue Feb 23, 2010 1:15 pm

sorry for no answer... dssmiktik, yes, 'accept' should be used in the setup from Wiki... (by the way, 10.100.0.0/24 are internal addresses, not public IPs :) )
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local

If they are public, what lines should I put there instead of those two lines?

tnx

!update
If I remove those two lines (with public IP addresses) I cannot send mail: the mail server is set up with a public IP and connected to the bridged port with WAN2, with a static IP address in the same pool as the WAN2 port.
 
lukkes
Member Candidate
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela
Contact:

Re: New firewall matcher PCC

Mon Mar 15, 2010 9:38 pm

I made a load balance with 8 WANs; all works perfectly. The issue is that when some provider goes down, the router sends the traffic marked for the down provider via the default gateway. That's normal, but can you imagine what happens when 5 of 8 providers are down? All traffic for those 5 providers will go through the default gateway. Do you understand the problem? Thanks
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: New firewall matcher PCC

Mon Mar 15, 2010 11:41 pm

@lukkes, the script to distribute the load can be achieved with simple scripting, and with more complex scripting to do it in a more precise way, so ... it's the scripting that will help, as usual.
 
lukkes
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: New firewall matcher PCC

Mon Mar 15, 2010 11:52 pm

@lukkes, the script to distribute the load can be achieved with simple scripting, and with more complex scripting to do it in a more precise way, so ... it's the scripting that will help, as usual.
I was afraid of that answer. I don't know much about scripting; I just imagine a script to dynamically change 20 rules for 10 WANs (10 for mark-connection + 10 for mark-routing) and I want to cry...

Maybe somebody has this problem resolved.. help please... :(
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Tue Mar 16, 2010 3:02 am

simply add backup default routes (with bigger distances) to each routing table
 
lukkes
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: New firewall matcher PCC

Tue Mar 16, 2010 3:12 am

simply add backup default routes (with bigger distances) to each routing table
Sorry Chupaka, I can't understand your point... Also, can you see this post for me? It's another topic, but I don't know how to talk with you directly. Thanks for your help...
I have 8 WANs; how can I do what you advise me?

http://forum.mikrotik.com/viewtopic.php ... 39#p198539
Last edited by lukkes on Tue Mar 16, 2010 5:12 am, edited 1 time in total.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Tue Mar 16, 2010 3:28 am

for example, you have
/ip route add dst-address=0.0.0.0/0 gateway=gw1 routing-mark=to_gw1
then add
/ip route add dst-address=0.0.0.0/0 gateway=gw2 routing-mark=to_gw1 distance=10
/ip route add dst-address=0.0.0.0/0 gateway=gw3 routing-mark=to_gw1 distance=10
/ip route add dst-address=0.0.0.0/0 gateway=gw4 routing-mark=to_gw1 distance=20
so now, if gw1 is down, all traffic with that routing mark will be directed to gw2, gw3 or gw4 (with gw4 having the lowest priority)
 
lukkes
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: New firewall matcher PCC

Tue Mar 16, 2010 3:59 am

for example, you have
/ip route add dst-address=0.0.0.0/0 gateway=gw1 routing-mark=to_gw1
then add
/ip route add dst-address=0.0.0.0/0 gateway=gw2 routing-mark=to_gw1 distance=10
/ip route add dst-address=0.0.0.0/0 gateway=gw3 routing-mark=to_gw1 distance=10
/ip route add dst-address=0.0.0.0/0 gateway=gw4 routing-mark=to_gw1 distance=20
so now, if gw1 is down, all traffic with that routing mark will be directed to gw2, gw3 or gw4 (with gw4 having the lowest priority)

OK, I understand your explanation well, but it really will not make load balance; that will just send the traffic to the next available route and will collapse the link. It's the same problem, or am I wrong?

The real problem is that if I have 8 links and 5 links go down, then the default gateway will have to take the traffic from the 5 down links, understand?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New firewall matcher PCC

Tue Mar 16, 2010 4:05 am

With those rules, it wouldn't because there'd be fallback routes for the routing marks. Balance the order of routes between the gateways and things will still be (roughly) balanced, at least more so than everything hitting one gateway.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Wed Mar 17, 2010 12:46 am

Exactly. In case of failure of the 1st link, you send its traffic to the 5th link. In case of failure of the 3rd link, you send its traffic to the 2nd link, etc.
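To make Chupaka's backup-route advice and the "stagger the fallback order" point from fewi and Chupaka concrete, here is a small model of RouterOS route selection. It is an added illustration, not RouterOS code and not a config from anyone in the thread. It assumes that, within one routing-mark table, the active route with the lowest distance wins, that the route added first wins an equal-distance tie, and that a table with no active route falls back to the main table. The gateway names gw1..gwN and the stride scheme for ordering backups are mine.

```python
"""Model of RouterOS route selection with one table per routing mark.

Added illustration, not RouterOS code. Assumptions: lowest active distance
wins inside a table, the first route added wins a tie, and a table with no
active route falls back to the main table."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    gateway: str
    routing_mark: str   # "main" for the main table
    distance: int


def select_gateway(routes, mark, link_up):
    """Gateway used for traffic carrying `mark`, given which links are up."""
    for table in (mark, "main"):
        active = [r for r in routes
                  if r.routing_mark == table and link_up.get(r.gateway, False)]
        if active:
            # min() is stable: the route added first wins an equal-distance tie
            return min(active, key=lambda r: r.distance).gateway
    return None


def build_routes(n, stride):
    """Routes for n WAN links gw1..gwN.

    Table to_gwK holds gwK at distance 1 and every other gateway as a backup
    at distances 2..n. Backups are ordered by walking the gateways in steps
    of `stride`: stride=1 gives every table the same order (gwK+1, gwK+2, ...),
    so several failed links all land on the same survivor; a stride coprime
    with n gives each table its own order and spreads the failed links out."""
    assert math.gcd(n, stride) == 1, "stride must be coprime with n"
    routes = []
    for k in range(1, n + 1):
        routes.append(Route(f"gw{k}", f"to_gw{k}", 1))
        for j in range(1, n):
            g = ((k - 1 + stride * j) % n) + 1
            routes.append(Route(f"gw{g}", f"to_gw{k}", 1 + j))
    for k in range(1, n + 1):          # plain default routes in the main table
        routes.append(Route(f"gw{k}", "main", k))
    return routes


def load_per_gateway(routes, n, down):
    """How many routing marks end up on each gateway when the links in `down` fail."""
    link_up = {f"gw{k}": f"gw{k}" not in down for k in range(1, n + 1)}
    load = {}
    for k in range(1, n + 1):
        gw = select_gateway(routes, f"to_gw{k}", link_up)
        load[gw] = load.get(gw, 0) + 1
    return load


def to_rsc(routes):
    """Render the model as /ip route commands in the style used in the thread."""
    lines = []
    for r in routes:
        mark = "" if r.routing_mark == "main" else f" routing-mark={r.routing_mark}"
        lines.append(f"/ip route add dst-address=0.0.0.0/0 gateway={r.gateway}"
                     f"{mark} distance={r.distance}")
    return "\n".join(lines)


if __name__ == "__main__":
    failed = {"gw1", "gw2", "gw3", "gw4", "gw5"}   # lukkes's "5 of 8 links down"
    print("same order:", load_per_gateway(build_routes(8, 1), 8, failed))
    print("staggered: ", load_per_gateway(build_routes(8, 3), 8, failed))
    print(to_rsc(build_routes(3, 1)))
```

With 8 links and gw1..gw5 down, the same fallback order in every table puts 6 marks on gw6 and 1 each on gw7 and gw8, while the staggered order gives 2/3/3; the main-table fallback only matters once a mark's table has no active route at all. The `to_rsc` output is the kind of route list Chupaka describes, one `distance` step per backup.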
 
lukkes
Member Candidate
Posts: 177
Joined: Mon Jun 16, 2008 2:12 am
Location: Venezuela

Re: New firewall matcher PCC

Wed Mar 17, 2010 12:49 am

Yes, you're right, but it will be a fake load balance; well, better than collapsing the first link. I'm trying to make a script to recreate the PCC mangle rules dynamically, and the routing marks too.. Does somebody have any idea? Thanks again
 
logros
newbie
Posts: 49
Joined: Thu Feb 04, 2010 11:01 pm

Re: New firewall matcher PCC

Sat May 01, 2010 4:30 pm

with my eyes shut:
/ip firewall mangle
add chain=output per-connection-classifier=dst-address:2/0 action=mark-routing new-routing-mark=table1 disabled=no
add chain=output per-connection-classifier=dst-address:2/1 action=mark-routing new-routing-mark=table2 disabled=no
Hi again, I need your professional help :)
These are my mangle rules
# may/01/2010 16:24:54 by RouterOS 4.7

#
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=\
pppoe-out1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
pppoe-out2 new-connection-mark=wan2_conn passthrough=yes

First I replaced this code with your code; after that no page loads, but web-proxy has activity
add action=mark-routing chain=output comment="" connection-mark=wan1_conn \
disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan2_conn \
disabled=no new-routing-mark=to_wan2 passthrough=yes


Then I replaced both-addresses with src-address
in chain prerouting and output; it works, but traffic goes only through pppoe-out1; the others, pppoe-out2 and pppoe-out3, have small traffic

add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes \
per-connection-classifier=both-addresses:2/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes \
per-connection-classifier=both-addresses:2/1 src-address=192.168.88.0/24
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn \
disabled=no new-routing-mark=to_wan1 passthrough=yes src-address=\
192.168.88.0/24
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn \
disabled=no new-routing-mark=to_wan2 passthrough=yes src-address=\
192.168.88.0/24

What must I do?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Sat May 01, 2010 11:51 pm

this setup is for wan1 and wan2. how do you use it with three lines? %)

and... do you use web-proxy?
 
logros
newbie
Posts: 49
Joined: Thu Feb 04, 2010 11:01 pm

Re: New firewall matcher PCC

Mon May 03, 2010 11:32 am

this setup is for wan1 and wan2. how do you use it with three lines? %)

and... do you use web-proxy?
In this case it is wan1 and wan2
I use web-proxy
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: "webmaster"
max-cache-size: none
cache-on-disk: no
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: yes
always-from-cache: yes
cache-hit-dscp: 4
cache-drive: system

NAT rules
0 chain=srcnat action=masquerade out-interface=pppoe-out1

1 chain=srcnat action=masquerade out-interface=pppoe-out2

2 chain=dstnat action=redirect to-ports=3128 protocol=tcp dst-port=80

When I manipulated the per-connection-classifier values, I got this:
then I replaced both-addresses with src-address
in chain prerouting and output; it works, but traffic goes only through pppoe-out1; the others, pppoe-out2 and pppoe-out3, have small traffic
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Mon May 03, 2010 3:14 pm

you haven't posted your mangle output rules...

if you use web-proxy, then you should balance both clients' traffic and router's (proxy) traffic
 
heavyd
Frequent Visitor
Posts: 85
Joined: Wed Aug 08, 2007 12:32 pm

Re: New firewall matcher PCC

Mon May 03, 2010 3:24 pm

I am trying to load balance 3 lines through PCC src-address. The reason I am using src-address is that it looks to me like the connections from each client will go through the same line.

connections - both-address
pcc-both-address.png
connections - src - address
pcc-src-address.png
The only problem now is that the lines are not load balancing.
Connections with PCC src-address are nowhere close to being balanced
ppc-conn.png
Can you use PCC src-address like this? And why are the connections not being balanced?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Mon May 03, 2010 6:29 pm

so, if you use the 'src-address' classifier, then each client is bound to one of the uplinks. if you have five clients, one of them using the Internet heavily, then his channel will be used much more than the others... with >100 clients there should not be much difference
 
heavyd
Frequent Visitor
Posts: 85
Joined: Wed Aug 08, 2007 12:32 pm

Re: New firewall matcher PCC

Mon May 03, 2010 7:07 pm

Yes, I want the client to use the same uplink; this sorts out online gaming / https / etc. The network has +- 1000 clients, but what I have done now is moved the routing rules around, and I see the uplinks are better balanced now
pcc-last.png
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: New firewall matcher PCC

Mon May 03, 2010 7:17 pm

btw, I hate screenshots because I cannot click on the row and see the details %)
 
heavyd
Frequent Visitor
Posts: 85
Joined: Wed Aug 08, 2007 12:32 pm

Re: New firewall matcher PCC

Mon May 03, 2010 8:36 pm

I think it looks pretty
/ip firewall mangle
add action=mark-connection chain=input comment=pcc disabled=no in-interface=x.x.x.72/29 new-connection-mark=72/29_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=x.x.x.217/29 new-connection-mark=217/29_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=x.x.x.81/29 new-connection-mark=81/29_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=72/29_conn disabled=no new-routing-mark=to_72/29 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=217/29_conn disabled=no new-routing-mark=to_217/29 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=81/29_conn disabled=no new-routing-mark=to_81/29 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=x.x.x.72/29 in-interface=radius_dmz
add action=accept chain=prerouting comment="" disabled=no dst-address=x.x.x.216/29 in-interface=radius_dmz
add action=accept chain=prerouting comment="" disabled=no dst-address=x.x.x.80/29 in-interface=radius_dmz
add action=accept chain=input comment="" disabled=no dst-address=x.x.x.x in-interface=radius_dmz
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=radius_dmz new-connection-mark=72/29_conn passthrough=yes \
    per-connection-classifier=src-address:3/0
add action=mark-routing chain=prerouting comment="" connection-mark=72/29_conn disabled=no in-interface=radius_dmz new-routing-mark=to_72/29 passthrough=no
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=radius_dmz new-connection-mark=217/29_conn passthrough=yes \
    per-connection-classifier=src-address:3/1
add action=mark-routing chain=prerouting comment="" connection-mark=217/29_conn disabled=no in-interface=radius_dmz new-routing-mark=to_217/29 passthrough=no
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local in-interface=radius_dmz new-connection-mark=81/29_conn passthrough=yes \
    per-connection-classifier=src-address:3/2
add action=mark-routing chain=prerouting comment="" connection-mark=81/29_conn disabled=no in-interface=radius_dmz new-routing-mark=to_81/29 passthrough=no

ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.81 routing-mark=to_81/29 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.73 routing-mark=to_72/29 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.x.217 routing-mark=to_217/29 scope=30 target-scope=10
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Tue Jul 06, 2010 6:35 pm

I have problems with PCC from different providers and different types of connections.

1 x ADSL
1 x Leased Line
1 x Cable Modem

I have exactly the same configuration as the wiki example and have problems with incoming connections.
Load balancing is working fine. The Leased Line and Cable Modem have static IP addresses, so I run a web server on a local IP address and I have added three lines in the firewall NAT:

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=WAN1 protocol=tcp to-addresses=192.168.1.15 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.1.15 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=WAN3 protocol=tcp to-addresses=192.168.1.15 to-ports=80

The problem is very strange:
Some people cannot access my web site over WAN1 and WAN2.. but only some of them.
So I tried online web site test servers (like http://host-tracker.com/) and found out that 20-40% of people from many parts of the world cannot access the web server...

After that I decided to disable one WAN port (in my case Cable) and everything is fine now.. running only on ADSL and Leased Line.
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    dial-on-demand=no disabled=no interface=ADSL max-mru=1480 max-mtu=1480 \
    mrru=disabled name=WAN1 password=xxxxxxx profile=default \
    service-name="" use-peer-dns=no user=xxxxxx

/ ip address
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN 
add address=x.x.82.58/29 network=x.x.82.56 broadcast=x.x.x.63 interface=WAN2
add address=x.x.13.39/24 network=x.x.13.0 broadcast=x.x.13.255 interface=WAN3

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4,4.2.2.2

/ ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=wan2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=wan2_conn

add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1     
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2
add chain=output connection-mark=wan3_conn action=mark-routing new-routing-mark=to_wan3

add chain=prerouting dst-address=x.x.82.58/29  action=accept in-interface=LAN 
add chain=prerouting dst-address=x.x.13.39/24  action=accept in-interface=LAN

add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:3/0 \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:3/1 \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses:3/2 \
    action=mark-connection new-connection-mark=wan3_conn passthrough=yes


add chain=prerouting connection-mark=wan1_conn in-interface=LAN action=mark-routing new-routing-mark=to_wan1
add chain=prerouting connection-mark=wan2_conn in-interface=LAN action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan2_conn in-interface=LAN action=mark-routing new-routing-mark=to_wan3

/ ip route
add dst-address=0.0.0.0/0 gateway=x.x.0.1 routing-mark=to_wan1 check-gateway=arp
add dst-address=0.0.0.0/0 gateway=x.x.82.57 routing-mark=to_wan2 check-gateway=arp
add dst-address=0.0.0.0/0 gateway=x.x.13.1 routing-mark=to_wan3 check-gateway=arp

add dst-address=0.0.0.0/0 gateway=x.x.0.1 distance=1 check-gateway=arp
add dst-address=0.0.0.0/0 gateway=x.x.82.57 distance=2 check-gateway=arp
add dst-address=0.0.0.0/0 gateway=x.x.13.1 distance=3 check-gateway=arp

/ ip firewall nat 

add chain=srcnat out-interface=wan1 action=masquerade
add chain=srcnat out-interface=wan2 action=masquerade
add chain=srcnat out-interface=wan3 action=masquerade

add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=WAN1 protocol=tcp to-addresses=192.168.1.15 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=WAN2 protocol=tcp to-addresses=192.168.1.15 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=WAN3 protocol=tcp to-addresses=192.168.1.15 to-ports=80
Maybe the passthrough set to yes or no is a problem or something inside the routes?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New firewall matcher PCC

Tue Jul 06, 2010 6:43 pm

Possibly a stupid question, but have you verified and made absolutely sure that your cable provider isn't blocking inbound TCP/80?
Mine is, and it would explain your symptoms.
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Tue Jul 06, 2010 6:49 pm

no... because someone can access without problems on all 3 WANs :)
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Tue Jul 06, 2010 7:14 pm

I'd change the following rules:
/ ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=wan1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=wan2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=wan2_conn
To:
/ ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=wan1_conn passthrough=no
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=wan2_conn passthrough=no
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=wan2_conn passthrough=no
Explanation: If traffic is coming in on WAN1/2/3 you want it to *only* go back out over WAN1/2/3 and not to be remarked, otherwise it's going to continue down through the list and get re-marked.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New firewall matcher PCC

Tue Jul 06, 2010 7:19 pm

But traffic coming in via WAN1/2/3 would only match one of those rules due to the in-interface quantifier. Though passthrough=no definitely wouldn't hurt so you can bail out on first match and save resources - but I don't think it'll fix the issue.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: New firewall matcher PCC

Tue Jul 06, 2010 7:19 pm

You probably need to mark new incoming connections with connection mark for particular WAN just as you do for input chain. btw:
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=wan2_conn
should be:
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=wan3_conn
same here:
add chain=prerouting connection-mark=wan2_conn in-interface=LAN action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan2_conn in-interface=LAN action=mark-routing new-routing-mark=to_wan3
add chain=prerouting connection-mark=wan2_conn in-interface=LAN action=mark-routing new-routing-mark=to_wan2
add chain=prerouting connection-mark=wan3_conn in-interface=LAN action=mark-routing new-routing-mark=to_wan3
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Tue Jul 06, 2010 8:17 pm

Thanks rmichael, but that is a wrong paste into the code section because the entire rsc file is too long..
That is not the problem in this case.

Does anyone have a scenario with 3 or more different WAN connections with different gateways and hosting something inside the LAN?
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: New firewall matcher PCC

Tue Jul 06, 2010 8:47 pm

As I said, I think the issue is that new incoming connections are not bound to WAN interface they came on. Code below attempts to fix that (untested):
/ ip firewall mangle
add chain=forward in-interface=WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=wan1_conn
add chain=forward in-interface=WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=wan2_conn
add chain=forward in-interface=WAN3 connection-mark=no-mark action=mark-connection new-connection-mark=wan3_conn
replace per-connection-classifier rules with:
/ ip firewall mangle
add chain=prerouting dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:3/0 \
    action=mark-connection new-connection-mark=wan1_conn passthrough=no
add chain=prerouting dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:3/1 \
    action=mark-connection new-connection-mark=wan2_conn passthrough=no
add chain=prerouting dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:3/2 \
    action=mark-connection new-connection-mark=wan3_conn passthrough=no
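To see why rmichael's change matters for the inbound web-server problem, and why omega-00's passthrough=no on the input chain does not reach it (as fewi notes), here is a small model of mangle chain evaluation. It is an added illustration, not RouterOS code and not anyone's config from the thread; it assumes the dst-nat'ed web-server traffic passes through prerouting and forward (never input), that a connection mark set on one packet is seen by the next packet of the same connection, and that passthrough=no ends evaluation of that chain. The PCC hash is a constructed stand-in (RouterOS does not publish its hash); client addresses are constructed, the server address is the one godovic posted.

```python
"""Model of RouterOS mangle evaluation for an inbound, dst-nat'ed connection.

Added illustration, not RouterOS code. The PCC bucket below is a constructed
stand-in for the unpublished RouterOS hash; only "equal inputs give equal
buckets" is relied on. A connection's mark persists across its packets."""
from dataclasses import dataclass, field

WANS = ["WAN1", "WAN2", "WAN3"]


@dataclass
class Conn:
    mark: str = "no-mark"       # connection-tracking entry


@dataclass
class Rule:
    chain: str
    action: str                 # "mark-connection" or "mark-routing"
    match: dict = field(default_factory=dict)
    new_mark: str = ""
    passthrough: bool = True


def pcc_bucket(pkt, classifier, denominator):
    """Stand-in for per-connection-classifier=<classifier>:<denominator>/<r>."""
    fields = {"both-addresses": ("src", "dst"), "src-address": ("src",)}[classifier]
    octets = [int(o) for f in fields for o in pkt[f].split(".")]
    return sum(octets) % denominator


def matches(rule, pkt, conn):
    for key, want in rule.match.items():
        if key == "connection-mark":
            if conn.mark != want:
                return False
        elif key == "per-connection-classifier":
            classifier, denominator, remainder = want
            if pcc_bucket(pkt, classifier, denominator) != remainder:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def run_chain(rules, chain, pkt, conn):
    """Walk one chain top to bottom; passthrough=no stops at the first match.
    Returns the routing mark the packet leaves the chain with."""
    routing_mark = "main"
    for rule in rules:
        if rule.chain != chain or not matches(rule, pkt, conn):
            continue
        if rule.action == "mark-connection":
            conn.mark = rule.new_mark
        elif rule.action == "mark-routing":
            routing_mark = rule.new_mark
        if not rule.passthrough:
            break
    return routing_mark


def build_rules(fixed):
    """fixed=False: PCC rules as posted (passthrough=yes, no connection-mark
    condition). fixed=True: rmichael's forward-chain marking plus
    connection-mark=no-mark and passthrough=no on the PCC rules."""
    rules = []
    if fixed:
        for i, wan in enumerate(WANS, 1):
            rules.append(Rule("forward", "mark-connection",
                              {"in-interface": wan, "connection-mark": "no-mark"},
                              f"wan{i}_conn"))
    for i in range(1, len(WANS) + 1):
        match = {"in-interface": "LAN", "dst-address-type": "!local",
                 "per-connection-classifier": ("both-addresses", len(WANS), i - 1)}
        if fixed:
            match["connection-mark"] = "no-mark"
        rules.append(Rule("prerouting", "mark-connection", match, f"wan{i}_conn",
                          passthrough=not fixed))
    for i in range(1, len(WANS) + 1):
        rules.append(Rule("prerouting", "mark-routing",
                          {"in-interface": "LAN", "connection-mark": f"wan{i}_conn"},
                          f"to_wan{i}"))
    return rules


def reply_routing_mark(rules, client_ip, in_wan="WAN1", server_ip="192.168.1.15"):
    """Routing mark given to the LAN server's reply for a connection that arrived on in_wan."""
    conn = Conn()
    syn = {"in-interface": in_wan, "src": client_ip, "dst": server_ip,
           "dst-address-type": "local"}        # addressed to the router's WAN IP
    run_chain(rules, "prerouting", syn, conn)
    run_chain(rules, "forward", syn, conn)     # after dst-nat it is forwarded, not input
    reply = {"in-interface": "LAN", "src": server_ip, "dst": client_ip,
             "dst-address-type": "!local"}
    return run_chain(rules, "prerouting", reply, conn)


def outbound_marks(rules, lan_ip, dst_ip):
    """(connection mark, routing mark of packet 1, routing mark of packet 2)
    for a LAN-originated connection."""
    conn = Conn()
    pkt = {"in-interface": "LAN", "src": lan_ip, "dst": dst_ip, "dst-address-type": "!local"}
    first = run_chain(rules, "prerouting", pkt, conn)
    second = run_chain(rules, "prerouting", pkt, conn)
    return conn.mark, first, second


def fraction_returned_via(rules, wan="WAN1", clients=254):
    """Share of inbound connections on `wan` whose replies leave through `wan`."""
    want = f"to_wan{WANS.index(wan) + 1}"
    ok = sum(reply_routing_mark(rules, f"203.0.113.{i}", wan) == want
             for i in range(1, clients + 1))
    return ok / clients
```

In the model, the rules as posted never mark a forwarded inbound connection, so the server's reply is classified by PCC like any LAN-originated packet and only the share that happens to hash to WAN1's bucket returns the right way; with the forward-chain marking and connection-mark=no-mark every reply follows its connection's WAN. The model also shows a side effect of passthrough=no on the PCC mark-connection rules: the first packet of an outbound connection gets its connection mark but leaves prerouting before the mark-routing rules run, so only its later packets carry the routing mark.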
 
godovic
Frequent Visitor
Posts: 53
Joined: Sun Mar 08, 2009 11:52 pm

Re: New firewall matcher PCC

Wed Jul 07, 2010 9:30 am

As I said, I think the issue is that new incoming connections are not bound to WAN interface they came on. Code below attempts to fix that (untested):
/ ip firewall mangle
add chain=forward in-interface=WAN1 connection-mark=no-mark action=mark-connection new-connection-mark=wan1_conn
add chain=forward in-interface=WAN2 connection-mark=no-mark action=mark-connection new-connection-mark=wan2_conn
add chain=forward in-interface=WAN3 connection-mark=no-mark action=mark-connection new-connection-mark=wan3_conn
replace per-connection-classifier rules with:
/ ip firewall mangle
add chain=prerouting dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:3/0 \
    action=mark-connection new-connection-mark=wan1_conn passthrough=no
add chain=prerouting dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:3/1 \
    action=mark-connection new-connection-mark=wan2_conn passthrough=no
add chain=prerouting dst-address-type=!local connection-mark=no-mark in-interface=LAN per-connection-classifier=both-addresses:3/2 \
    action=mark-connection new-connection-mark=wan3_conn passthrough=no

I lost connection to the internet :( It doesn't help. Thanks for your time
 
ekkas
Long time Member
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Re: New firewall matcher PCC

Tue Nov 16, 2010 8:52 pm

To dust off an old post littered with off-topic HA issues...
But back on track...

Any possibility of adding another PCC option called 'src-address and dst-port'?

The reason I'm asking is that we have 2 banking websites that have (for some reason) 2 server IPs involved in the transactions, so PCC is great, but not for them.
For these IPs I have to route all traffic to that 1 'website' (2 servers) through 1 line, for my whole network. Most of the time it is ok, but come Friday afternoon, that 1 poor DSL router needs liquid cooling. ;-) (No, don't start a cooling discussion here, it was just a joke)

B.t.w. I use PCC and Nth in combo, first use PCC for 'problem' ports like 443,1119,1723,2082,2095,3724,5192,8443
and then Nth for the rest of normal traffic.

So with download manager, you can still get full load-balanced speed over all lines(Nth), but banking and other https get PCC'ed to one line. (Is PCC'ed a new word?)

Anyways, just thought I'd ask...

Ekkas
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New firewall matcher PCC

Tue Nov 16, 2010 9:04 pm

Since you're already using PCC and Nth combined, have you considered using PCC with just src-address for 'problem ports' such as HTTPS, and then other classifiers for other protocols? That should work very well.
 
ekkas
Long time Member
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Re: New firewall matcher PCC

Tue Nov 16, 2010 9:23 pm

Valid point!
Guess I couldn't see the forest through all the trees. :-?

Although it would mean that all of one client's https (e.g.) will go through 1 line, I guess it would fix my dilemma.

Thanks
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: New firewall matcher PCC

Wed Nov 17, 2010 3:12 am

I would actually recommend the both-addresses option instead.
It means that each IP address on the inside gets a static connection to an IP on the outside however multiple users won't use the same line to get to the one external IP address.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New firewall matcher PCC

Wed Nov 17, 2010 6:46 am

Both-addresses can break SSL clusters. Multiple SSL web servers with different public IPs can sometimes access the same session data on their backend, and refuse services if the client session comes from multiple perceived source addresses to prevent session hijacking attacks.
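The trade-off between src-address (Chupaka: each client bound to one uplink) and both-addresses (fewi: a shared-session SSL cluster on two public IPs may see one client from two source addresses) can be checked with a small model of the PCC bucket choice. This is an added illustration, not RouterOS code; RouterOS does not publish its PCC hash, so the SHA-256 based bucket is a constructed stand-in with the one property the comparison needs, that equal selected fields always give the same bucket. The client range and the two cluster addresses are constructed sample data.

```python
"""Model of the per-connection-classifier (PCC) bucket choice.

Added illustration, not RouterOS code. The SHA-256 bucket is a stand-in for
the unpublished RouterOS hash; the example relies only on "same selected
fields -> same bucket"."""
import hashlib

# Which connection fields each classifier feeds into the hash.
FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "src-address-and-port": ("src", "sport"),
    "dst-address-and-port": ("dst", "dport"),
    "both-addresses-and-ports": ("src", "sport", "dst", "dport"),
}


def pcc_bucket(classifier, denominator, src, dst, sport=0, dport=0):
    """Remainder 0..denominator-1, i.e. which
    per-connection-classifier=<classifier>:<denominator>/<remainder> rule matches."""
    values = {"src": src, "dst": dst, "sport": sport, "dport": dport}
    key = "|".join(str(values[f]) for f in FIELDS[classifier])
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator


def uplinks_used(classifier, denominator, client, servers, dport=443):
    """Set of uplinks one client's session touches when the service has several IPs."""
    return {pcc_bucket(classifier, denominator, client, s, dport=dport) for s in servers}


def split_clients(classifier, denominator, clients, servers):
    """Clients whose session to the cluster leaves through more than one uplink:
    a shared-session SSL cluster sees these clients from two public addresses."""
    return [c for c in clients
            if len(uplinks_used(classifier, denominator, c, servers)) > 1]


def bucket_histogram(classifier, denominator, clients, servers):
    """How many (client, server) connections land on each uplink."""
    counts = [0] * denominator
    for c in clients:
        for s in servers:
            counts[pcc_bucket(classifier, denominator, c, s)] += 1
    return counts


# Constructed sample data: a /24 of LAN clients and a two-IP HTTPS cluster.
CLIENTS = [f"192.168.88.{i}" for i in range(1, 255)]
CLUSTER = ["198.51.100.10", "203.0.113.10"]

if __name__ == "__main__":
    for classifier in ("src-address", "both-addresses"):
        split = split_clients(classifier, 2, CLIENTS, CLUSTER)
        print(f"{classifier:16} split clients: {len(split):3}  "
              f"load per uplink: {bucket_histogram(classifier, 2, CLIENTS, CLUSTER)}")
```

With src-address the destination is not part of the key, so no client is ever split across uplinks, at the cost that one heavy client stays on one line; with both-addresses roughly half of the clients reach the two cluster IPs through different uplinks, which is the behaviour fewi warns about. Restricting the src-address rule to the problem ports, as fewi suggested to ekkas, keeps the split-avoiding behaviour where it matters and leaves the finer-grained classifier for the rest.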
 
ekkas
Long time Member
Posts: 567
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

Re: New firewall matcher PCC

Wed Nov 17, 2010 9:47 am

Both-addresses can break SSL clusters. Multiple SSL web servers with different public IPs can sometimes access the same session data on their backend, and refuse services if the client session comes from multiple perceived source addresses to prevent session hijacking attacks.
Which is what is happening here.
that have (for some reason) 2 server IPs involved in the transactions, so PCC is great, but not for them.
Ekkas