A little help with PCC load balancing please

Hi, I finally got PCC load balancing to work with PPPoE and Hotspot. Now my problem is that it's blocking the MikroTik with the User Manager, which is on another server. I have been trying to leave the 10.0.0.0 network, where the User Manager and other services are, out of the PCC rules, but I can't do it.

ether1-hotspot 172.165.15.1
ether2-PPoE 172.165.20.1
ether3-ADSL 192.168.20.254
ether4-ADSL 192.168.254.254
ether6-Radius 10.0.0.5

How do I tell mikrotik to leave ether6 out of the PCC load balancing?

Depends on your configuration. Post it.

Also, I forgot to mention that four other routers with MT connect through this router to the RADIUS server. This is my configuration:

ip firewall filter

/ip firewall mangle
add action=mark-connection chain=input comment="Mark Incoming" connection-state=new disabled=no in-interface=ether3 new-connection-mark=adsl1_conn passthrough=yes
add action=mark-connection chain=input comment="" connection-state=new disabled=no in-interface=bridge1 new-connection-mark=adsl2_conn passthrough=yes
add action=accept chain=output comment="Prevent Outgoing connections to clients' IP addresses from being mangled and routed by PCC" disabled=no dst-address-list=clients
add action=accept chain=output comment="" disabled=no dst-address=172.165.20.0/24
add action=accept chain=output comment="" disabled=no dst-address=172.165.15.0/24
add action=accept chain=output comment="Prevent proper to gateway connections from hitting the PCC mangles and being re-assigned to other gateway" connection-state=new disabled=no dst-address=192.168.20.0/24
add action=accept chain=output comment="" connection-state=new disabled=no dst-address=192.168.254.0/24
add action=mark-routing chain=output comment="" connection-mark=adsl1_conn disabled=no new-routing-mark=to_adsl1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=adsl2_conn disabled=no new-routing-mark=to_adsl2 passthrough=yes
add action=accept chain=prerouting comment="Accept rules - Prevent local connections from being marked and sent to the Internet gateways where they would be dropped since the addresses wont match" disabled=no dst-address=192.168.20.0/24 src-address-list=clients
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.254.0/24 src-address-list=clients
add action=accept chain=prerouting comment="" disabled=no dst-address-list=clients src-address-list=clients
add action=mark-connection chain=prerouting comment="Mark connections from clients ip addresses w PCC balance before they get routed so they can be assigned routing rules later and get routed" connection-state=new disabled=no dst-address-type=!local new-connection-mark=adsl1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=clients
add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no dst-address-type=!local new-connection-mark=adsl2_conn passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=clients
add action=mark-routing chain=prerouting comment="" connection-mark=adsl1_conn disabled=no new-routing-mark=to_adsl1 passthrough=yes src-address-list=clients
add action=mark-routing chain=prerouting comment="" connection-mark=adsl2_conn disabled=no new-routing-mark=to_adsl2 passthrough=yes src-address-list=clients

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT disabled=no out-interface=ether3
add action=masquerade chain=srcnat disabled=no out-interface=bridge1

/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.20.254 scope=30 target-scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.254.254 routing-mark=to_adsl2 scope=30 target-scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=to_adsl1 scope=30 target-scope=10
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=192.168.254.254 scope=30 target-scope=10

Add accepts for the network on ether6 above the PCC rules, like you’re already doing for the WAN connections.
That should do it.
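The accept rules the reply describes, written out as an added example (not configuration from the thread). It assumes the network behind ether6 is 10.0.0.0/24 and that the rule names from the export above (adsl1_conn, to_adsl1, and so on) are unchanged; the `place-before=[find ...]` expressions are one way to put the rules above the PCC rules, dragging them in Winbox works just as well.

```routeros
# Added example, not the poster's own configuration.
# Assumes the RADIUS / User Manager network behind ether6 is 10.0.0.0/24.
/ip firewall mangle
# Router-originated traffic (e.g. RADIUS requests made by Hotspot and PPPoE)
# goes through chain=output. The existing output accepts only cover the
# clients list, 172.165.x.0/24 and the two WAN subnets, so add one for
# 10.0.0.0/24 above the output mark-routing rules.
add chain=output action=accept dst-address=10.0.0.0/24 \
    comment="Do not PCC-route the router's own traffic to ether6" \
    place-before=[find chain=output action=mark-routing connection-mark=adsl1_conn]
# Forwarded traffic (Hotspot/PPPoE users and the four remote routers) goes
# through chain=prerouting. dst-address-type=!local does NOT exclude
# 10.0.0.5: it is a host behind ether6, not an address of this router, so
# without this accept it is hashed by PCC and sent to an ADSL gateway where
# the private destination is dropped (the same problem the existing
# "Accept rules" comment describes for the WAN subnets).
add chain=prerouting action=accept dst-address=10.0.0.0/24 \
    comment="Network behind ether6 - keep out of PCC" \
    place-before=[find chain=prerouting action=mark-connection new-connection-mark=adsl1_conn]
# Check: both accepts must be listed above the PCC rules and their counters
# must increase while a client talks to 10.0.0.5.
# /ip firewall mangle print stats where dst-address=10.0.0.0/24
```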

Thank you for taking the time to answer, that worked perfectly.

Just one more thing: I changed the port of the RADIUS server to 60000 and added a NAT rule in the MikroTik that has the Internet connections to redirect port 60000 to the MikroTik with the User Manager. Before PCC, if I entered xxxxxx.dyndns.org:60000/userman I could access the User Manager remotely, but that is not working anymore. Any idea why?

Your PCC setup should not affect that.
Please post the output of

/ip services print
/ip firewall filter print 
/ip firewall nat print

Thank you for your help.

/ip services print

Flags: X - disabled, I - invalid

NAME PORT ADDRESS CERTIFICATE

0 telnet 23 0.0.0.0/0
1 ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 ssh 22 0.0.0.0/0
4 X www-ssl 443 0.0.0.0/0 none
5 X api 8728 0.0.0.0/0
6 winbox 8291 0.0.0.0/0

/ip firewall filter print

Flags: X - disabled, I - invalid, D - dynamic

0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; Prevenir Ataques FTP
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist
dst-port=21

2 chain=output action=accept protocol=tcp content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m

3 chain=output action=add-dst-to-address-list protocol=tcp
address-list=ftp_blacklist address-list-timeout=1d
content=530 Login incorrect

4 ;;; Prevenir ataques SSH
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

5 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22

6 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22

7 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22

8 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22

9 ;;; lista ares
chain=forward action=add-src-to-address-list p2p=all-p2p
src-address=172.165.15.0/24 address-list=Ares address-list-timeout=10m

10 X ;;; lista ares
chain=forward action=add-src-to-address-list p2p=all-p2p
src-address=172.165.20.0/24 address-list=Ares address-list-timeout=10m

11 ;;; Control UDP P2P
chain=forward action=drop protocol=udp src-address-list=Ares
dst-port=4000-65535 time=9h-21h59m,sun,mon,tue,wed,thu,fri,sat

12 ;;; Control TCP P2P
chain=forward action=drop protocol=tcp src-address-list=Ares
connection-limit=200,32 time=9h-21h59m,sun,mon,tue,wed,thu,fri,sat

13 X chain=forward action=drop dst-address=192.168.254.254

14 X chain=forward action=drop dst-address=192.168.1.254

15 X ;;; Bloqueo UDP Karla Islas
chain=forward action=drop protocol=udp src-address=172.165.15.17
dst-port=3000-65355

16 X ;;; Bloqueo TCP Karla Islas
chain=forward action=drop protocol=tcp src-address=172.165.15.17
connection-limit=150,32

17 ;;; Aceptar Establecidas
chain=input action=accept connection-state=established

18 ;;; Aceptar Related
chain=input action=accept connection-state=related

19 ;;; Drop Invalid
chain=input action=drop connection-state=invalid

20 ;;; De nuestra red
chain=input action=accept src-address=172.165.15.0/24
in-interface=ether1

21 ;;; De nuestra red
chain=input action=accept dst-address=10.0.0.0/24

22 ;;; De nuestra red
chain=input action=accept src-address=172.165.20.0/24
in-interface=ether2

23 ;;; De nuestra red
chain=input action=accept dst-address=10.10.10.0/24

24 ;;; De nuestra red
chain=input action=accept dst-address=10.10.20.0/24

25 ;;; De nuestra red
chain=input action=accept dst-address=192.168.254.0/24

26 ;;; De nuestra red
chain=input action=accept dst-address=192.168.20.0/24

27 X ;;; Mandar al log
chain=input action=log log-prefix="Drop Input"

28 ;;; Tirar todo lo demas
chain=input action=drop

29 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2

30 ;;; Drop excess pings
chain=input action=drop protocol=icmp

31 ;;; SSH for secure shell
chain=input action=accept protocol=tcp dst-port=22

32 ;;; winbox
chain=input action=accept protocol=tcp dst-port=8291

/ip firewall nat print

0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 X ;;; publicas
chain=srcnat action=masquerade src-address-list=publicas
out-interface=ether3

2 X ;;; CALIDAD Y RESPUESTA
chain=dstnat action=dst-nat to-addresses=10.200.189.2
dst-address=201.116.21.3

3 X chain=srcnat action=src-nat to-addresses=201.116.21.3
src-address=10.200.189.2

4 X ;;; Maquerade PPoE
chain=srcnat action=masquerade src-address=172.165.20.0/24

5 X ;;; Masquerade Hotspot
chain=srcnat action=masquerade src-address=172.165.15.0/24

6 ;;; Para User Mannager
chain=dstnat action=dst-nat to-addresses=10.0.0.5 protocol=tcp
dst-port=60000

7 ;;; NAT
chain=srcnat action=masquerade out-interface=ether4

8 chain=srcnat action=masquerade out-interface=Bridge1

9 X chain=dstnat action=dst-nat to-addresses=10.0.0.1 protocol=tcp
src-address-type=!local dst-port=80

That should work - I don’t see anything that would be blocking things. I would confirm that User Manager on the router behind this one is still running on port 60000. By default it would run on port 80, check “/ip services” there to see what port it is using. If it’s not 60000, either change it to 60000 or edit rule #6 under “/ip firewall nat” to include “to-ports=80”, or whatever port the www service on the User Manager router is using.
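A rewritten version of NAT rule #6 following the advice above, as an added example (not configuration from the thread): it adds `to-ports` and limits the forward to packets that arrive on a WAN interface for one of the router's own addresses. It assumes the WAN interfaces are ether3 and bridge1, as in the mangle export, and that the www service on the User Manager router (10.0.0.5) is on port 80.

```routeros
# Added example, not the poster's own configuration.
# Assumes: WAN interfaces are ether3 and bridge1 (as in the mangle export);
# the www service on the User Manager router 10.0.0.5 listens on port 80.
/ip firewall nat
# Original rule #6, for reference. It has no in-interface or dst-address
# match, so it also redirects LAN clients talking to any host on port 60000,
# and without to-ports the packet reaches 10.0.0.5 on port 60000 rather than
# on the port its www service actually uses.
# add chain=dstnat action=dst-nat protocol=tcp dst-port=60000 to-addresses=10.0.0.5
# Replacement: one rule per WAN interface, only for this router's own
# addresses (dst-address-type=local), with the port translated as well.
add chain=dstnat action=dst-nat comment="Para User Manager (ether3)" \
    in-interface=ether3 dst-address-type=local protocol=tcp dst-port=60000 \
    to-addresses=10.0.0.5 to-ports=80
add chain=dstnat action=dst-nat comment="Para User Manager (bridge1)" \
    in-interface=bridge1 dst-address-type=local protocol=tcp dst-port=60000 \
    to-addresses=10.0.0.5 to-ports=80
# Check: connect from outside and confirm the matching rule's counters move.
# /ip firewall nat print stats where comment~"User Manager"
```

One caveat worth checking separately: the "Mark Incoming" rules sit in chain=input, which only sees packets addressed to the router itself, while a dst-natted connection passes prerouting and forward and therefore never receives adsl1_conn or adsl2_conn. Its reply packets then follow the unmarked default route (distance 2 via 192.168.20.254), so the forward can only work on the line that route uses unless the connection is marked in prerouting by in-interface as well.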

I also can't find where the problem is. If I use 10.0.0.5:60000/userman I can see the User Manager; if I use 10.0.0.1 (the address of the main router) I see the MikroTik page, but if I try to access it from the outside I just can't. Also, if I enter xxxxxx.dynds.org in Winbox it opens MikroTik.