After configuring PCC load balancing, the required DDNS public IP address cannot be obtained.

RouterOS General
1

My family currently uses two broadband service access providers. IPS1 provides a Dynamic public IP address, and IPS2 does not provide a public IP address. When I use the IPS1 service provider line alone, the router can obtain the correct public IP address and can use the DDNS service normally.

The problem now is: I use both IPS1 and IPS2 lines. PPC load balancing is configured for them. The public IP address obtained by DDNS is IPS2 (the IP actually obtained by the router is the intranet IP provided by the IPS2 service provider)

The help I need is:
When I use two lines, DDNS specifies to obtain the public IP address of IPS1.

This is my first time using MikroTik routing products. I followed the official video tutorial to do PCC load balancing. Due to the language, I could only configure it based on my own understanding. I don’t know if the configuration is correct (but the actual effect is very good). I’m attaching my own configuration parameters, hoping to help.

Hardware: RB5009UG+S+
Software version: 7.13.3 stable version
IPS1 service provider: The access speed is 1000M downlink
IPS2 service provider: access speed is 500M downlink

I made 3 routing connection tags: IPS1_conn, IPS2_conn, IPS3_conn,1 and 2 are marks for the IPS1 service provider, and 3 is the mark for the IPS2 service provider.

Configuration file:

# 2024-01-31 17:01:32 by RouterOS 7.13.3
# software id =123456
#
# model = RB5009UG+S+
# serial number =123456
/interface bridge
add admin-mac=123456 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 user=123456
add disabled=no interface=ether2 name=pppoe-out2 user=123456
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.21-192.168.88.50
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=IPS1
add disabled=no fib name=IPS2
add disabled=no fib name=IPS3
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=pppoe-out2 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=pppoe-out1 new-connection-mark=\
    IPS1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=pppoe-out1 new-connection-mark=\
    IPS2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=pppoe-out2 new-connection-mark=\
    IPS3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=IPS1_conn \
    new-routing-mark=IPS1 passthrough=yes
add action=mark-routing chain=output connection-mark=IPS2_conn \
    new-routing-mark=IPS2 passthrough=yes
add action=mark-routing chain=output connection-mark=IPS3_conn \
    new-routing-mark=IPS3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge \
    new-connection-mark=IPS1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge \
    new-connection-mark=IPS2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge \
    new-connection-mark=IPS3_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=IPS1_conn \
    in-interface=bridge new-routing-mark=IPS1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=IPS2_conn \
    in-interface=bridge new-routing-mark=IPS2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=IPS3_conn \
    in-interface=bridge new-routing-mark=IPS3 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NAS disabled=yes dst-port=1026 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.10 to-ports=\
    5002
add action=dst-nat chain=dstnat comment=NAS-dstnet disabled=yes dst-port=1026 \
    in-interface=bridge protocol=tcp to-addresses=192.168.88.10 to-ports=5002
add action=masquerade chain=srcnat comment=NAS-srcnat disabled=yes \
    dst-address=192.168.88.0/24 dst-port=1026 out-interface=bridge protocol=\
    tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment=Openwrt disabled=yes dst-port=1025 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.2 to-ports=\
    443
add action=dst-nat chain=dstnat comment=Openwrt-dstnat disabled=yes dst-port=\
    1025 in-interface=bridge protocol=tcp to-addresses=192.168.88.2 to-ports=\
    443
add action=masquerade chain=srcnat comment=Openwrt-srcnat disabled=yes \
    dst-address=192.168.88.0/24 dst-port=1025 out-interface=bridge protocol=\
    tcp to-addresses=192.168.88.2
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=\
    "" routing-table=IPS1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=\
    "" routing-table=IPS2 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    pppoe-out2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 pref-src=\
    "" routing-table=IPS3 scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Shanghai
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
2

Deleted.

3

A handy howto is here:
http://forum.mikrotik.com/t/forum-rules/173010/1
The configuration in text format is much easier to read and, more than that, it is easier to communicate suggested changes.

4

At a high level, you can do this in two steps:

  • add an address list in firewall that resolves “cloud2.mikrotik.com
  • add prerouting rule for new + mark-connection that uses the dst-address-list= set to the address-list above for cloud2.mikroitk.com — just before the PCC rules so the connection set BEFORE PCC happens.
5

Thank you, I have exported the configuration file

6

I’ll try your method first, and if it solves the problem, I’ll give you feedback.

7

According to your steps, DDNS can correctly obtain the IP of the specified line.

8

Good to hear.

Yeah since PCC connection marking has the filter, “connection-mark=no-mark”… So, as along as you do action=mark-connection in chain=prerouting BEFORE any PCC rules… you can force any traffic out a particular WAN – since the PCC rules will ignore them. The later mark-routing does NOT care how something was marked, as long as it was marked.

And, the address-list is pretty helpful for that since it can resolve DNS or IP or subnets. Keep in mind you can have multiple DNS/IP/subnets entries using SAME list name, so if you name the address list “to-isp1”, you can have another “to-isp2” – so two prerouting rules to mark-connection, on for each list. This can be used to direct other traffic to a specific ISP by adding an address-list entry and pick either “to-isp1” or “to-isp2” as the list. While still doing PCC load balancing on everything else & not having to change the mangle rules directly for each “special case” routing.

9

Hi Ammo, not quite clear in my head.
So can we assume the OP needs MYNETNAME to point to router WAN2 IP address? But the Primary Route is via WAN1.
Can we assume its because he has LAN servers for people to reach and they should reach it over WAN2?

DDNS is a router service so not sure why you speak of LAN traffic???

10

Dunno OP’s specific rational. But certainly if one internet was more reliable/stable/etc, had low latency, etc. You might want to force incoming traffic that used the routers DDNS name to a particular ISP. Leaving the PCC to handling load balancing for normal LAN.


OP had a good example of PCC. So more expanding to other eventual readers.

But in /ip/firewall/mangle, chain=prerouting handles BOTH input and forwarded traffic. More just pointing out you COULD do more than just DDNS. And the address-list is good way to steer traffic to isp1 or isp2 when you’re using PCC. The only difference being a dst-address-list= in prerouting rule to select an ISP based on internet destination. Or src-address-list= for to force a LAN IP to out specific ISP.

The secret sauce in all the multiwan options is using some “chain=prerouting action=mark-connection” with some “chain=output action=mark-routing”, and some /routing/table’s defined with the desire outbound route in /ip/route for those tables. How someone puts them together kinda depends on needs.