Dual wan through pcc, some sites don't load properly

majorlogic · July 24, 2022, 3:37am

Hello! I am not an expert on mikrotik and learned it on online materials only so please be gentle on me if my scripts are a mess.

I’ve setup my mikrotik to dual wan using pcc method with load balancing and auto fail over however as the subject says, sites like messenger, facebook stories, IG stories don’t load properly but when I disable one of the wans then it loads perfectly. My wan1 and wan2 have both static ip address assigned through which has 500 Mbps and 1 Gbps both which are different providers.

I think it may be to do with DNS or I am missing mangle rules?

my scripts are below.

# jul/23/2022 20:08:15 by RouterOS 6.47.8
# software id = 7QI2-K6HX
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add name=bridge-LAN
add auto-mac=no comment=defconf name=bridge-LPB \
    vlan-filtering=yes
add name=bridge-pppoe
add name=bridge-pppoe-globe
/interface ethernet
set [ find default-name=ether1 ] comment=ISP-PLDT speed=100Mbps
set [ find default-name=ether2 ] comment=Vendo l2mtu=1598 name=ether2-LPB speed=100Mbps
set [ find default-name=ether3 ] comment=AP l2mtu=1598 name=ether3-AP speed=100Mbps
set [ find default-name=ether4 ] comment=LAN l2mtu=1598 name=ether4-LAN speed=100Mbps
set [ find default-name=ether5 ] comment=PPPoE l2mtu=1598 name=ether5-PPPoE speed=100Mbps
set [ find default-name=ether6 ] comment=ISP-GLOBE disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=videos regexp="^.+(videoplayback|watch|video|youtube).*\\\$"
add name=fast regexp="^.+(fast).*\\\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-LAN ranges=192.168.7.2-192.168.7.254
add name=pppoe-client ranges=192.168.66.2-192.168.66.254
add name=expired ranges=192.168.99.2-192.168.99.254
add name=pool-Vendo ranges=192.168.9.2-192.168.9.254
add name=pppoe-client-globe ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=pool-LAN disabled=no interface=bridge-LAN lease-time=1d \
    name=server-LAN
add address-pool=pool-Vendo disabled=no interface=bridge-LPB lease-time=3d10m \
    name=dhcp1
/queue simple
add max-limit=256k/2M name=icmp packet-marks=packet-mark-icmp
add name=PPPOE-GLOBE priority=1/1 target=192.168.77.0/24
/ppp profile
add local-address=192.168.99.1 name=Expired parent-queue=icmp rate-limit=\
    1M/1M remote-address=expired
add dns-server=192.168.77.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.77.1 name="100 MBPS w/o Q , Globe" only-one=yes parent-queue=\
    PPPOE-GLOBE rate-limit=100M/100M remote-address=pppoe-client-globe
/queue type
add kind=pcq name=PCQ_3M pcq-classifier=dst-address pcq-dst-address-mask=0 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-rate=3M \
    pcq-src-address-mask=0 pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ pcq-classifier=dst-address pcq-dst-address-mask=0 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-src-address-mask=0 \
    pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ-DWN pcq-classifier=dst-address pcq-dst-address-mask=24 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-src-address-mask=24 \
    pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ-UP pcq-classifier=src-address pcq-dst-address-mask=24 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-src-address-mask=24 \
    pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ-10M-UL pcq-classifier=src-address pcq-dst-address-mask=\
    24 pcq-dst-address6-mask=64 pcq-limit=256KiB pcq-rate=10M \
    pcq-src-address-mask=24 pcq-src-address6-mask=64 pcq-total-limit=768KiB
add kind=pcq name=PCQ-10M-DL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=10M pcq-src-address6-mask=64
/queue simple
add name=PPPOE priority=1/1 queue=pcq-upload-default/pcq-download-default \
    target=192.168.66.0/24 total-priority=1
/ppp profile
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="50 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=50M/50M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="10 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=10M/10M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="100 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=100M/100M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="70 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=80M/80M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="5 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=5M/5M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="25 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=25M/25M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="150 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=150M/150M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="300 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=320M/320M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="200 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=200M/200M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="250 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=250M/250M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="120 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=120M/120M remote-address=pppoe-client
/queue tree
add comment="=======================================================PISOWIFI==\
    =============================================" name=ALL_LBP_DOWNLOAD \
    parent=bridge-LPB queue=pcq-download-default
add comment="=======================================================LAN=======\
    ========================================" name=ALL_PISONET_DOWNLOAD \
    parent=bridge-LAN queue=pcq-download-default
add comment="=======================================================UPLOAD====\
    ===========================================" name=ALL_UPLOAD parent=\
    ether1 queue=pcq-upload-default
add name=ALL_GAMES parent=ALL_PISONET_DOWNLOAD priority=1 queue=\
    pcq-download-default
add name=ALL_downloads parent=ALL_PISONET_DOWNLOAD queue=pcq-download-default
add name=other_unmark_games packet-mark=light_traffic,others_traffic parent=\
    ALL_GAMES priority=1 queue=pcq-download-default
add name=game1 packet-mark=pubg-mobile.pkt,cod-traffic,lol_traffic parent=\
    ALL_GAMES priority=1 queue=pcq-download-default
add disabled=yes limit-at=350k max-limit=5M name=roblox packet-mark=\
    roblox.pkt parent=ALL_GAMES priority=1 queue=pcq-download-default
add name=ML packet-mark=MLpkt.dl,LOLWRpkt.dl parent=ALL_GAMES priority=1 \
    queue=pcq-download-default
add disabled=yes name=dota2 packet-mark=DOTA2_Traffic parent=ALL_GAMES \
    priority=1 queue=pcq-download-default
add disabled=yes name=ros packet-mark=ros_traffic,ROS_Traffic parent=\
    ALL_GAMES priority=1 queue=pcq-download-default
add name=heavy_dl packet-mark=other_heavy_traffic,high_dl_1_traffic parent=\
    ALL_downloads queue=pcq-download-default
add name=Streaming packet-mark=FB_YT_traffic parent=ALL_downloads queue=\
    pcq-download-default
add burst-time=3s name=others&browsing packet-mark=browsing_traffic parent=\
    ALL_downloads queue=pcq-download-default
add name=queue1 parent=ALL_LBP_DOWNLOAD priority=1 queue=pcq-download-default
add limit-at=256k max-limit=100M name=queue2 packet-mark=MLpkt.dl,LOLWRpkt.dl \
    parent=queue1 priority=1 queue=pcq-download-default
add name=queue3 packet-mark=\
    DOTA2_Traffic,pubg-mobile.pkt,lol_traffic,ros_traffic,ROS_Traffic parent=\
    queue1 priority=1 queue=pcq-download-default
add name=queue4 packet-mark=light_traffic,others_traffic parent=queue1 \
    priority=2 queue=pcq-download-default
add name=queue5 parent=ALL_LBP_DOWNLOAD queue=pcq-download-default
add name=queue6 packet-mark=FB_YT_traffic parent=queue5 queue=\
    pcq-download-default
add name=queue7 packet-mark=other_heavy_traffic,high_dl_1_traffic parent=\
    queue5 queue=pcq-download-default
add name=queue8 packet-mark=browsing_traffic parent=queue5 queue=\
    pcq-download-default
add name=queue9 parent=ALL_UPLOAD priority=1 queue=pcq-upload-default
add limit-at=256k max-limit=100M name=queue10 packet-mark=\
    MLpkt.dl,LOLWRpkt.dl parent=queue9 priority=1 queue=pcq-upload-default
add disabled=yes name=queue11 packet-mark=DOTA2_Traffic parent=queue9 \
    priority=1 queue=pcq-upload-default
add disabled=yes name=queue12 packet-mark=\
    pubg-mobile.pkt,cod-traffic,lol_traffic parent=queue9 priority=1 queue=\
    pcq-upload-default
add name=queue13 packet-mark=light_traffic,others_traffic parent=queue9 \
    priority=3 queue=pcq-upload-default
add disabled=yes limit-at=350k max-limit=5M name=queue14 packet-mark=\
    roblox.pkt parent=queue9 priority=1 queue=pcq-upload-default
add disabled=yes name=queue15 packet-mark=ros_traffic,ROS_Traffic parent=\
    queue9 priority=1 queue=pcq-upload-default
add name=queue16 parent=ALL_UPLOAD queue=pcq-upload-default
add name=queue17 packet-mark=FB_YT_traffic parent=queue16 queue=\
    pcq-upload-default
add name=queue18 packet-mark=other_heavy_traffic,high_dl_1_traffic parent=\
    queue16 queue=pcq-upload-default
add name=queue19 packet-mark=no-mark,browsing_traffic parent=queue16 queue=\
    pcq-upload-default
add disabled=yes name=Valorant packet-mark=Valorant_Traffic parent=ALL_GAMES \
    priority=1 queue=pcq-download-default
add comment="=======================================================UPLOAD LAN\
    ===============================================" disabled=yes name=\
    ALL_UPLOAD_LAN parent=ether4-LAN priority=1 queue=pcq-upload-default
add disabled=yes name=ALL_UPLOAD_LAN_STREAM parent=ALL_UPLOAD_LAN queue=\
    pcq-upload-default
add disabled=yes name=Streaming_lan packet-mark=FB_YT_traffic parent=\
    ALL_UPLOAD_LAN_STREAM queue=pcq-download-default
add disabled=yes name=heavy_up packet-mark=\
    other_heavy_traffic,high_dl_1_traffic parent=ALL_UPLOAD_LAN_STREAM queue=\
    pcq-download-default
add disabled=yes name="no-mark- browse" packet-mark=no-mark,browsing_traffic \
    parent=ALL_UPLOAD_LAN_STREAM queue=pcq-download-default
add disabled=yes name=Forest packet-mark=Forest_Traffic parent=ALL_GAMES \
    priority=1 queue=pcq-download-default
add disabled=yes name=queue21 packet-mark=Valorant_Traffic parent=queue9 \
    priority=1
add disabled=yes name=queue20 packet-mark=Valorant_Traffic parent=\
    ALL_UPLOAD_LAN priority=1 queue=pcq-upload-default
/system logging action
set 1 disk-file-name=log
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge-LAN interface=ether4-LAN
add bridge=bridge-pppoe interface=ether5-PPPoE
add bridge=bridge-LPB comment=defconf interface=ether2-LPB
add bridge=bridge-LPB comment=defconf interface=ether3-AP pvid=13
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge-LPB disabled=yes tagged=ether3-AP untagged=ether2-LPB \
    vlan-ids=11
add bridge=bridge-LPB tagged=ether2-LPB untagged=ether1 vlan-ids=13
/interface detect-internet
set wan-interface-list=all
/interface pppoe-server server
add authentication=pap disabled=no interface=bridge-pppoe max-mru=1500 \
    max-mtu=1500 mrru=1600 one-session-per-host=yes service-name=PPPoE-Server
/ip address
add address=192.168.7.1/24 interface=bridge-LAN network=192.168.7.0
add address=192.168.66.1/24 disabled=yes interface=bridge-pppoe network=\
    192.168.66.0
add address=192.168.9.1/24 interface=ether2-LPB network=192.168.9.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no disabled=no interface=ether6 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.7.0/24 gateway=192.168.7.1
add address=192.168.9.0/24 gateway=192.168.9.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,1.1.1.1
/ip dns static
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip firewall filter
add action=accept chain=input comment="Allow Remote Winbox" disabled=yes \
    in-interface=RemoteWinboxVPN1
add action=add-dst-to-address-list address-list=youtube&fbvids \
    address-list-timeout=5m chain=forward content=youtube.com
add action=add-dst-to-address-list address-list=youtube&fbvids \
    address-list-timeout=5m chain=forward content=googlevids.com
add action=add-dst-to-address-list address-list=youtube&fbvids \
    address-list-timeout=5m chain=forward content=facebook.com
add action=add-dst-to-address-list address-list=fast.com \
    address-list-timeout=5m chain=forward comment=fast.com content=fast.com
add action=accept chain=forward dst-port=53 protocol=tcp src-address-list=\
    non-payment
add action=accept chain=forward dst-port=53 protocol=udp src-address-list=\
    non-payment
add action=fasttrack-connection chain=forward comment=DNS dst-port=53 \
    protocol=tcp
add action=fasttrack-connection chain=forward dst-port=53 protocol=udp
add action=drop chain=forward src-address-list=non-payment
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="drop modem access" dst-address=\
    192.168.1.1 dst-port=80,443 out-interface=all-ethernet protocol=tcp
add action=drop chain=input dst-port=43 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=forward disabled=yes dst-address=192.168.254.254 \
    dst-port=80,443 out-interface=all-ethernet protocol=tcp
add action=drop chain=input disabled=yes dst-port=43 in-interface=ether6 \
    protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether6 \
    protocol=udp
/ip firewall mangle
add action=accept chain=prerouting comment="accept rule" dst-address=\
    192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.254.0/24
add action=accept chain=prerouting dst-address=192.168.7.0/24
add action=accept chain=prerouting dst-address=192.168.9.0/24
add action=accept chain=prerouting dst-address=192.168.66.0/24
add action=accept chain=prerouting dst-address=192.168.77.0/24
add action=mark-connection chain=input comment="input rule" in-interface=\
    ether1 new-connection-mark=PLDT passthrough=yes
add action=mark-connection chain=input in-interface=ether6 \
    new-connection-mark=GLOBE passthrough=yes
add action=mark-connection chain=prerouting comment="mark connection rule" \
    in-interface=ether1 new-connection-mark=PLDT passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether6 \
    new-connection-mark=GLOBE passthrough=yes
add action=mark-connection chain=prerouting comment="pcc rule" \
    dst-address-type=!local in-interface=bridge-LAN new-connection-mark=PLDT \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=GLOBE passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LPB new-connection-mark=PLDT passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LPB new-connection-mark=GLOBE passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-pppoe new-connection-mark=PLDT passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-pppoe new-connection-mark=GLOBE passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=output comment="output rule" connection-mark=\
    PLDT new-routing-mark=to-PLDT passthrough=yes
add action=mark-routing chain=output connection-mark=GLOBE new-routing-mark=\
    to-GLOBE passthrough=yes
add action=mark-routing chain=prerouting comment="mark routes rule" \
    connection-mark=PLDT in-interface=bridge-LAN new-routing-mark=to-PLDT \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=GLOBE in-interface=\
    bridge-LAN new-routing-mark=to-GLOBE passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PLDT in-interface=\
    bridge-LPB new-routing-mark=to-PLDT passthrough=yes
add action=mark-routing chain=prerouting connection-mark=GLOBE in-interface=\
    bridge-LPB new-routing-mark=to-GLOBE passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PLDT in-interface=\
    bridge-pppoe new-routing-mark=to-PLDT passthrough=yes
add action=mark-routing chain=prerouting connection-mark=GLOBE in-interface=\
    bridge-pppoe new-routing-mark=to-GLOBE passthrough=yes
add action=mark-connection chain=prerouting comment=ML dst-port=\
    7000,8913,10003,30000-30150,5001-5059,5101-5105,9001,5501-5559,5601-5651 \
    new-connection-mark=ML.conns passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=\
    7000,8913,10003,30000-30150,5001-5059,5101-5105,9001,5501-5559,5601-5651 \
    new-connection-mark=ML.conns passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=ML.conns \
    new-packet-mark=MLpkt.dl passthrough=no
add action=mark-connection chain=prerouting comment=LOLWR disabled=yes \
    dst-port=5223,5228,8013,10001,20731 new-connection-mark=LOLWR.conns \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    17000,15004,20001 new-connection-mark=LOLWR.conns passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=LOLWR.conns disabled=\
    yes new-packet-mark=LOLWRpkt.dl passthrough=no
add action=mark-connection chain=prerouting comment=games_ros disabled=yes \
    dst-port=\
    5501-5599,24000-26000,51549,51550,51547,9080,9000-9915,8900,24000-24050 \
    new-connection-mark=games_ros_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    5501-5599,24000-26000,51549,51550,51547,9080,9000-9915,8900,24000-24050 \
    new-connection-mark=games_ros_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=games_lol disabled=yes \
    dst-port=2099,5223,5222 new-connection-mark=games_lol_conn passthrough=\
    yes protocol=tcp
add action=mark-connection chain=prerouting connection-mark=all_traffic \
    disabled=yes dst-port=5000-5500 new-connection-mark=games_lol_conn \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=games_codmobile dst-port=\
    65010,65050,10012 new-connection-mark=games_cod_conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting dst-port=\
    7500-7700,17000,20001-20100 new-connection-mark=games_cod_conn \
    passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=games_cod_conn \
    new-packet-mark=cod-traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=games_lol_conn \
    new-packet-mark=lol_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=games_ros_conn \
    new-packet-mark=ros_traffic passthrough=no
add action=mark-connection chain=prerouting comment="PUBG Mobile" \
    dst-address-type=!local dst-port=10012,17500,9330-9340 \
    new-connection-mark=pubg-mobile.conns passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address-type=!local dst-port="\
    10491,10010,10013,10612,20002,20001,20000,12235,13748,13972,13894,11455,10\
    096,10039" new-connection-mark=pubg-mobile.conns passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=pubg-mobile.conns \
    new-packet-mark=pubg-mobile.pkt passthrough=no
add action=mark-connection chain=prerouting comment=ROS disabled=yes \
    dst-port=9000-9100 new-connection-mark=ROS_conn passthrough=yes protocol=\
    tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=24000-24050 \
    new-connection-mark=ROS_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=ROS_conn disabled=yes \
    new-packet-mark=ROS_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment="Dota 2" disabled=yes \
    dst-port=27000-28998,36567,8001 new-connection-mark=DOTA2_conn \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    27000-28998,8001 new-connection-mark=DOTA2_conn passthrough=yes protocol=\
    udp
add action=mark-packet chain=prerouting connection-mark=DOTA2_conn disabled=\
    yes new-packet-mark=DOTA2_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment=Valorant dst-port=\
    2099,5222-5223,8088,8393-8400 new-connection-mark=Valorant_conn \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=7000-7500,8088 \
    new-connection-mark=Valorant_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=Valorant_conn \
    new-packet-mark=Valorant_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment="The Forest" disabled=yes \
    dst-port=8766,27015-27030,27036-27037 new-connection-mark=Forest_conn \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    4380,8766,27000-27031,27036 new-connection-mark=Forest_conn passthrough=\
    yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=Forest_conn disabled=\
    yes new-packet-mark=Forest_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment=Fast.com content=fast.com \
    disabled=yes dst-address-list=fast.com dst-port=443 new-connection-mark=\
    "fast conn" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting content=oca.nflxvideo.net \
    disabled=yes dst-port=443 layer7-protocol=fast new-connection-mark=\
    "fast conn" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=443 \
    new-connection-mark="fast conn" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="fast conn" disabled=\
    yes new-packet-mark="fastcom dl" passthrough=no
add action=mark-connection chain=prerouting comment=FB_YT_vids_conn \
    dst-address-list=youtube&fbvids new-connection-mark=FB_YT_vids_conn \
    passthrough=yes
add action=mark-connection chain=prerouting comment=L7 layer7-protocol=videos \
    new-connection-mark=FB_YT_vids_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=FB_YT_vids_conn \
    new-packet-mark=FB_YT_traffic passthrough=no
add action=mark-packet chain=prerouting comment=Speedtest connection-mark=\
    "speedtest conn" disabled=yes new-packet-mark="speedtest dl" passthrough=\
    no
add action=mark-packet chain=prerouting connection-mark="speedtest conn" \
    disabled=yes new-packet-mark="speedtest up" passthrough=no
add action=mark-connection chain=prerouting disabled=yes dst-port=8080 \
    new-connection-mark="speedtest conn" passthrough=no protocol=tcp
add action=mark-connection chain=prerouting content=speedtest.net disabled=\
    yes dst-port=8080 new-connection-mark="speedtest conn" passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting content=\
    .prod.hosts.ooklaserver.net disabled=yes dst-port=8080 \
    new-connection-mark="speedtest conn" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=browsing dst-port=\
    80,8080,20,21,443 new-connection-mark=browsing_conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting dst-port=80,8080,20,21,443 \
    new-connection-mark=browsing_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-bytes=150000-5000000 \
    dst-port=80,8080,20,21,443 new-connection-mark=5M_dl_conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=150000-5000000 \
    dst-port=80,8080,20,21,443 new-connection-mark=5M_dl_conn passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=5M_dl_conn \
    new-packet-mark=high_dl_1_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=browsing_conn \
    new-packet-mark=browsing_traffic passthrough=no
add action=mark-connection chain=prerouting comment=others dst-port=\
    1000-65535 new-connection-mark=others_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=1000-65535 \
    new-connection-mark=others_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-bytes=149000-100000000 \
    connection-mark=others_conn connection-rate=149k-100M \
    new-connection-mark=other_heavy_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=!other_heavy_conn \
    new-connection-mark=light_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=light_conn \
    new-packet-mark=light_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=other_heavy_conn \
    new-packet-mark=other_heavy_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=others_conn \
    new-packet-mark=others_traffic passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=PLDT out-interface=ether1
add action=masquerade chain=srcnat comment=Globe out-interface=ether6
add action=masquerade chain=srcnat comment=LAN src-address=192.168.7.0/24
add action=masquerade chain=srcnat comment=PPPOE src-address=192.168.66.0/24
add action=masquerade chain=srcnat comment=PPPOE src-address=192.168.77.0/24
add action=masquerade chain=srcnat comment=VENDO disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to-PLDT
add check-gateway=ping distance=1 gateway=192.168.254.254 routing-mark=\
    to-GLOBE
add distance=1 gateway=192.168.254.254
add distance=1 gateway=192.168.1.1
/ip service
set ssh disabled=yes
/ppp secret
add comment="10 MBPS ONLY" name=Fetiluna profile="10 MBPS w/o Q" \
    remote-address=192.168.66.254
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=Rb4011
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=119.28.183.184 \
    server-dns-names=time.google.com
/system resource irq rps
set ether1 disabled=no
set ether2-LPB disabled=no
set ether3-AP disabled=no
set ether4-LAN disabled=no
set ether5-PPPoE disabled=no
/system scheduler
add comment="Google Certificate Update" interval=1w name=\
    Certificate_Google_Update on-event=Certificate_Google policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/24/2022 start-time=05:20:00
add comment="DoH Cache Flush" interval=1d name="DNS Cache Flush" on-event=\
    DNS_Flush_Cache policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/24/2022 start-time=05:30:00
/system script
add dont-require-permissions=no name=Certificate_Google owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=https://pki.goog/roots.pem\r\
    \n/certificate import file-name=roots.pem passphrase=\"\""
add dont-require-permissions=no name=DNS_Flush_Cache owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip dns cache flush"

sindy · July 24, 2022, 6:14am

As the first step before digging deep into it, try changing the per-connection-classifier mode from both-addresses-and-ports to just src-address. The security policies of some web sites kick in if related requests arrive from different IP addresses. This change will make sure that any given host in LAN will keep using the same WAN as long as it is available.

majorlogic · July 24, 2022, 8:20am

I tried your suggestion and it worked but I noticed that browsing speed has slowed significantly and my wan2(backup) has more bandwidth used than my wan1(primary). Now i’m not sure if my mangle rules are even correct.

sindy · July 24, 2022, 8:31am

If everything works, they likely are. The thing is that with both-addresses-and-ports, the connections are evenly spread among the two WANs even if they are initiated by a single LAN host, whereas with just src-address, any given LAN host always uses the same WAN. So if you have just a few LAN hosts, one of the WANs may get more load (even significantly more). But there’s no middle way - either you accept this uneven distribution (which you may be able to affect by changing the IP addresses assigned to the LAN hosts), or you’ll get an even traffic distribution but also those problems with some sites.

bpwl · July 24, 2022, 9:39am

For secure aware sites (on-line banking etc) then both addresses and ports as PCC can give problems. (some content is loaded via port 80, some via port 433 and will use different src-ports as well).
The combination src-dst address should be kept on the same load balance wan port, for all src ports and dst ports.

Draytek calls this “IP based” load balancing, versus “Session Based”

The equivalent of “IP based” is ‘per-connection-classifier=both-addresses’ , isn’t it? Never gave problems.
‘per-connection-classifier=src-address’ only seems too strict.
“Session based” would be ‘both-addresses-and-ports’

sindy · July 24, 2022, 10:01am

Given that some sites redirect the client from one server to another but keep (synchronize) the context, per-connnection-classifier=src-address is the only choice that is 100 % reliable. And yes, it does have its drawbacks as described above.

So if I were an ISP, I would stick with src-address (enough clients to have the traffic evenly spread even with that setting and not enough people at helpdesk to deal with customer complaints about mysteries). As a home user, if I could afford to use the LTE for loadsharing rather than just for an emergency backup, I would use both-addresses until some site would force me to stop doing that.

Bruzxce · July 24, 2022, 1:44pm

Hello! I am not an expert on mikrotik and learned it on online materials only so please be gentle on me if my scripts are a mess.

I’ve setup my mikrotik to dual wan using pcc method with load balancing and auto fail over however as the subject says, sites like messenger, facebook stories, IG stories don’t load properly but when I disable one of the wans then it loads perfectly. My wan1 and wan2 have both static ip address assigned through which has 500 Mbps and 1 Gbps both which are different providers.

I think it may be to do with DNS or I am missing mangle rules?

my scripts are below.

# jul/23/2022 20:08:15 by RouterOS 6.47.8
# software id = 7QI2-K6HX
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add name=bridge-LAN
add auto-mac=no comment=defconf name=bridge-LPB \
    vlan-filtering=yes
add name=bridge-pppoe
add name=bridge-pppoe-globe
/interface ethernet
set [ find default-name=ether1 ] comment=ISP-PLDT speed=100Mbps
set [ find default-name=ether2 ] comment=Vendo l2mtu=1598 name=ether2-LPB speed=100Mbps
set [ find default-name=ether3 ] comment=AP l2mtu=1598 name=ether3-AP speed=100Mbps
set [ find default-name=ether4 ] comment=LAN l2mtu=1598 name=ether4-LAN speed=100Mbps
set [ find default-name=ether5 ] comment=PPPoE l2mtu=1598 name=ether5-PPPoE speed=100Mbps
set [ find default-name=ether6 ] comment=ISP-GLOBE disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=videos regexp="^.+(videoplayback|watch|video|youtube).*\\\$"
add name=fast regexp="^.+(fast).*\\\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-LAN ranges=192.168.7.2-192.168.7.254
add name=pppoe-client ranges=192.168.66.2-192.168.66.254
add name=expired ranges=192.168.99.2-192.168.99.254
add name=pool-Vendo ranges=192.168.9.2-192.168.9.254
add name=pppoe-client-globe ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=pool-LAN disabled=no interface=bridge-LAN lease-time=1d \
    name=server-LAN
add address-pool=pool-Vendo disabled=no interface=bridge-LPB lease-time=3d10m \
    name=dhcp1
/queue simple
add max-limit=256k/2M name=icmp packet-marks=packet-mark-icmp
add name=PPPOE-GLOBE priority=1/1 target=192.168.77.0/24
/ppp profile
add local-address=192.168.99.1 name=Expired parent-queue=icmp rate-limit=\
    1M/1M remote-address=expired
add dns-server=192.168.77.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.77.1 name="100 MBPS w/o Q , Globe" only-one=yes parent-queue=\
    PPPOE-GLOBE rate-limit=100M/100M remote-address=pppoe-client-globe
/queue type
add kind=pcq name=PCQ_3M pcq-classifier=dst-address pcq-dst-address-mask=0 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-rate=3M \
    pcq-src-address-mask=0 pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ pcq-classifier=dst-address pcq-dst-address-mask=0 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-src-address-mask=0 \
    pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ-DWN pcq-classifier=dst-address pcq-dst-address-mask=24 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-src-address-mask=24 \
    pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ-UP pcq-classifier=src-address pcq-dst-address-mask=24 \
    pcq-dst-address6-mask=64 pcq-limit=16KiB pcq-src-address-mask=24 \
    pcq-src-address6-mask=64 pcq-total-limit=640KiB
add kind=pcq name=PCQ-10M-UL pcq-classifier=src-address pcq-dst-address-mask=\
    24 pcq-dst-address6-mask=64 pcq-limit=256KiB pcq-rate=10M \
    pcq-src-address-mask=24 pcq-src-address6-mask=64 pcq-total-limit=768KiB
add kind=pcq name=PCQ-10M-DL pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=10M pcq-src-address6-mask=64
/queue simple
add name=PPPOE priority=1/1 queue=pcq-upload-default/pcq-download-default \
    target=192.168.66.0/24 total-priority=1
/ppp profile
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="50 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=50M/50M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="10 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=10M/10M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="100 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=100M/100M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="70 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=80M/80M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="5 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=5M/5M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="25 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=25M/25M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="150 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=150M/150M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="300 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=320M/320M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="200 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=200M/200M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="250 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=250M/250M remote-address=pppoe-client
add dns-server=192.168.66.1,8.8.8.8 insert-queue-before=bottom local-address=\
    192.168.66.1 name="120 MBPS w/o Q" only-one=yes parent-queue=PPPOE \
    rate-limit=120M/120M remote-address=pppoe-client
/queue tree
add comment="=======================================================PISOWIFI==\
    =============================================" name=ALL_LBP_DOWNLOAD \
    parent=bridge-LPB queue=pcq-download-default
add comment="=======================================================LAN=======\
    ========================================" name=ALL_PISONET_DOWNLOAD \
    parent=bridge-LAN queue=pcq-download-default
add comment="=======================================================UPLOAD====\
    ===========================================" name=ALL_UPLOAD parent=\
    ether1 queue=pcq-upload-default
add name=ALL_GAMES parent=ALL_PISONET_DOWNLOAD priority=1 queue=\
    pcq-download-default
add name=ALL_downloads parent=ALL_PISONET_DOWNLOAD queue=pcq-download-default
add name=other_unmark_games packet-mark=light_traffic,others_traffic parent=\
    ALL_GAMES priority=1 queue=pcq-download-default
add name=game1 packet-mark=pubg-mobile.pkt,cod-traffic,lol_traffic parent=\
    ALL_GAMES priority=1 queue=pcq-download-default
add disabled=yes limit-at=350k max-limit=5M name=roblox packet-mark=\
    roblox.pkt parent=ALL_GAMES priority=1 queue=pcq-download-default
add name=ML packet-mark=MLpkt.dl,LOLWRpkt.dl parent=ALL_GAMES priority=1 \
    queue=pcq-download-default
add disabled=yes name=dota2 packet-mark=DOTA2_Traffic parent=ALL_GAMES \
    priority=1 queue=pcq-download-default
add disabled=yes name=ros packet-mark=ros_traffic,ROS_Traffic parent=\
    ALL_GAMES priority=1 queue=pcq-download-default
add name=heavy_dl packet-mark=other_heavy_traffic,high_dl_1_traffic parent=\
    ALL_downloads queue=pcq-download-default
add name=Streaming packet-mark=FB_YT_traffic parent=ALL_downloads queue=\
    pcq-download-default
add burst-time=3s name=others&browsing packet-mark=browsing_traffic parent=\
    ALL_downloads queue=pcq-download-default
add name=queue1 parent=ALL_LBP_DOWNLOAD priority=1 queue=pcq-download-default
add limit-at=256k max-limit=100M name=queue2 packet-mark=MLpkt.dl,LOLWRpkt.dl \
    parent=queue1 priority=1 queue=pcq-download-default
add name=queue3 packet-mark=\
    DOTA2_Traffic,pubg-mobile.pkt,lol_traffic,ros_traffic,ROS_Traffic parent=\
    queue1 priority=1 queue=pcq-download-default
add name=queue4 packet-mark=light_traffic,others_traffic parent=queue1 \
    priority=2 queue=pcq-download-default
add name=queue5 parent=ALL_LBP_DOWNLOAD queue=pcq-download-default
add name=queue6 packet-mark=FB_YT_traffic parent=queue5 queue=\
    pcq-download-default
add name=queue7 packet-mark=other_heavy_traffic,high_dl_1_traffic parent=\
    queue5 queue=pcq-download-default
add name=queue8 packet-mark=browsing_traffic parent=queue5 queue=\
    pcq-download-default
add name=queue9 parent=ALL_UPLOAD priority=1 queue=pcq-upload-default
add limit-at=256k max-limit=100M name=queue10 packet-mark=\
    MLpkt.dl,LOLWRpkt.dl parent=queue9 priority=1 queue=pcq-upload-default
add disabled=yes name=queue11 packet-mark=DOTA2_Traffic parent=queue9 \
    priority=1 queue=pcq-upload-default
add disabled=yes name=queue12 packet-mark=\
    pubg-mobile.pkt,cod-traffic,lol_traffic parent=queue9 priority=1 queue=\
    pcq-upload-default
add name=queue13 packet-mark=light_traffic,others_traffic parent=queue9 \
    priority=3 queue=pcq-upload-default
add disabled=yes limit-at=350k max-limit=5M name=queue14 packet-mark=\
    roblox.pkt parent=queue9 priority=1 queue=pcq-upload-default
add disabled=yes name=queue15 packet-mark=ros_traffic,ROS_Traffic parent=\
    queue9 priority=1 queue=pcq-upload-default
add name=queue16 parent=ALL_UPLOAD queue=pcq-upload-default
add name=queue17 packet-mark=FB_YT_traffic parent=queue16 queue=\
    pcq-upload-default
add name=queue18 packet-mark=other_heavy_traffic,high_dl_1_traffic parent=\
    queue16 queue=pcq-upload-default
add name=queue19 packet-mark=no-mark,browsing_traffic parent=queue16 queue=\
    pcq-upload-default
add disabled=yes name=Valorant packet-mark=Valorant_Traffic parent=ALL_GAMES \
    priority=1 queue=pcq-download-default
add comment="=======================================================UPLOAD LAN\
    ===============================================" disabled=yes name=\
    ALL_UPLOAD_LAN parent=ether4-LAN priority=1 queue=pcq-upload-default
add disabled=yes name=ALL_UPLOAD_LAN_STREAM parent=ALL_UPLOAD_LAN queue=\
    pcq-upload-default
add disabled=yes name=Streaming_lan packet-mark=FB_YT_traffic parent=\
    ALL_UPLOAD_LAN_STREAM queue=pcq-download-default
add disabled=yes name=heavy_up packet-mark=\
    other_heavy_traffic,high_dl_1_traffic parent=ALL_UPLOAD_LAN_STREAM queue=\
    pcq-download-default
add disabled=yes name="no-mark- browse" packet-mark=no-mark,browsing_traffic \
    parent=ALL_UPLOAD_LAN_STREAM queue=pcq-download-default
add disabled=yes name=Forest packet-mark=Forest_Traffic parent=ALL_GAMES \
    priority=1 queue=pcq-download-default
add disabled=yes name=queue21 packet-mark=Valorant_Traffic parent=queue9 \
    priority=1
add disabled=yes name=queue20 packet-mark=Valorant_Traffic parent=\
    ALL_UPLOAD_LAN priority=1 queue=pcq-upload-default
/system logging action
set 1 disk-file-name=log
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge-LAN interface=ether4-LAN
add bridge=bridge-pppoe interface=ether5-PPPoE
add bridge=bridge-LPB comment=defconf interface=ether2-LPB
add bridge=bridge-LPB comment=defconf interface=ether3-AP pvid=13
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge-LPB disabled=yes tagged=ether3-AP untagged=ether2-LPB \
    vlan-ids=11
add bridge=bridge-LPB tagged=ether2-LPB untagged=ether1 vlan-ids=13
/interface detect-internet
set wan-interface-list=all
/interface pppoe-server server
add authentication=pap disabled=no interface=bridge-pppoe max-mru=1500 \
    max-mtu=1500 mrru=1600 one-session-per-host=yes service-name=PPPoE-Server
/ip address
add address=192.168.7.1/24 interface=bridge-LAN network=192.168.7.0
add address=192.168.66.1/24 disabled=yes interface=bridge-pppoe network=\
    192.168.66.0
add address=192.168.9.1/24 interface=ether2-LPB network=192.168.9.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no disabled=no interface=ether6 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.7.0/24 gateway=192.168.7.1
add address=192.168.9.0/24 gateway=192.168.9.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,1.1.1.1
/ip dns static
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip firewall filter
add action=accept chain=input comment="Allow Remote Winbox" disabled=yes \
    in-interface=RemoteWinboxVPN1
add action=add-dst-to-address-list address-list=youtube&fbvids \
    address-list-timeout=5m chain=forward content=youtube.com
add action=add-dst-to-address-list address-list=youtube&fbvids \
    address-list-timeout=5m chain=forward content=googlevids.com
add action=add-dst-to-address-list address-list=youtube&fbvids \
    address-list-timeout=5m chain=forward content=facebook.com
add action=add-dst-to-address-list address-list=fast.com \
    address-list-timeout=5m chain=forward comment=fast.com content=fast.com
add action=accept chain=forward dst-port=53 protocol=tcp src-address-list=\
    non-payment
add action=accept chain=forward dst-port=53 protocol=udp src-address-list=\
    non-payment
add action=fasttrack-connection chain=forward comment=DNS dst-port=53 \
    protocol=tcp
add action=fasttrack-connection chain=forward dst-port=53 protocol=udp
add action=drop chain=forward src-address-list=non-payment
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="drop modem access" dst-address=\
    192.168.1.1 dst-port=80,443 out-interface=all-ethernet protocol=tcp
add action=drop chain=input dst-port=43 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=forward disabled=yes dst-address=192.168.254.254 \
    dst-port=80,443 out-interface=all-ethernet protocol=tcp
add action=drop chain=input disabled=yes dst-port=43 in-interface=ether6 \
    protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether6 \
    protocol=udp
/ip firewall mangle
add action=accept chain=prerouting comment="accept rule" dst-address=\
    192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.254.0/24
add action=accept chain=prerouting dst-address=192.168.7.0/24
add action=accept chain=prerouting dst-address=192.168.9.0/24
add action=accept chain=prerouting dst-address=192.168.66.0/24
add action=accept chain=prerouting dst-address=192.168.77.0/24
add action=mark-connection chain=input comment="input rule" in-interface=\
    ether1 new-connection-mark=PLDT passthrough=yes
add action=mark-connection chain=input in-interface=ether6 \
    new-connection-mark=GLOBE passthrough=yes
add action=mark-connection chain=prerouting comment="mark connection rule" \
    in-interface=ether1 new-connection-mark=PLDT passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether6 \
    new-connection-mark=GLOBE passthrough=yes
add action=mark-connection chain=prerouting comment="pcc rule" \
    dst-address-type=!local in-interface=bridge-LAN new-connection-mark=PLDT \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LAN new-connection-mark=GLOBE passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LPB new-connection-mark=PLDT passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-LPB new-connection-mark=GLOBE passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-pppoe new-connection-mark=PLDT passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge-pppoe new-connection-mark=GLOBE passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=output comment="output rule" connection-mark=\
    PLDT new-routing-mark=to-PLDT passthrough=yes
add action=mark-routing chain=output connection-mark=GLOBE new-routing-mark=\
    to-GLOBE passthrough=yes
add action=mark-routing chain=prerouting comment="mark routes rule" \
    connection-mark=PLDT in-interface=bridge-LAN new-routing-mark=to-PLDT \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=GLOBE in-interface=\
    bridge-LAN new-routing-mark=to-GLOBE passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PLDT in-interface=\
    bridge-LPB new-routing-mark=to-PLDT passthrough=yes
add action=mark-routing chain=prerouting connection-mark=GLOBE in-interface=\
    bridge-LPB new-routing-mark=to-GLOBE passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PLDT in-interface=\
    bridge-pppoe new-routing-mark=to-PLDT passthrough=yes
add action=mark-routing chain=prerouting connection-mark=GLOBE in-interface=\
    bridge-pppoe new-routing-mark=to-GLOBE passthrough=yes
add action=mark-connection chain=prerouting comment=ML dst-port=\
    7000,8913,10003,30000-30150,5001-5059,5101-5105,9001,5501-5559,5601-5651 \
    new-connection-mark=ML.conns passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=\
    7000,8913,10003,30000-30150,5001-5059,5101-5105,9001,5501-5559,5601-5651 \
    new-connection-mark=ML.conns passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=ML.conns \
    new-packet-mark=MLpkt.dl passthrough=no
add action=mark-connection chain=prerouting comment=LOLWR disabled=yes \
    dst-port=5223,5228,8013,10001,20731 new-connection-mark=LOLWR.conns \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    17000,15004,20001 new-connection-mark=LOLWR.conns passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=LOLWR.conns disabled=\
    yes new-packet-mark=LOLWRpkt.dl passthrough=no
add action=mark-connection chain=prerouting comment=games_ros disabled=yes \
    dst-port=\
    5501-5599,24000-26000,51549,51550,51547,9080,9000-9915,8900,24000-24050 \
    new-connection-mark=games_ros_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    5501-5599,24000-26000,51549,51550,51547,9080,9000-9915,8900,24000-24050 \
    new-connection-mark=games_ros_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=games_lol disabled=yes \
    dst-port=2099,5223,5222 new-connection-mark=games_lol_conn passthrough=\
    yes protocol=tcp
add action=mark-connection chain=prerouting connection-mark=all_traffic \
    disabled=yes dst-port=5000-5500 new-connection-mark=games_lol_conn \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=games_codmobile dst-port=\
    65010,65050,10012 new-connection-mark=games_cod_conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting dst-port=\
    7500-7700,17000,20001-20100 new-connection-mark=games_cod_conn \
    passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=games_cod_conn \
    new-packet-mark=cod-traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=games_lol_conn \
    new-packet-mark=lol_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=games_ros_conn \
    new-packet-mark=ros_traffic passthrough=no
add action=mark-connection chain=prerouting comment="PUBG Mobile" \
    dst-address-type=!local dst-port=10012,17500,9330-9340 \
    new-connection-mark=pubg-mobile.conns passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address-type=!local dst-port="\
    10491,10010,10013,10612,20002,20001,20000,12235,13748,13972,13894,11455,10\
    096,10039" new-connection-mark=pubg-mobile.conns passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=pubg-mobile.conns \
    new-packet-mark=pubg-mobile.pkt passthrough=no
add action=mark-connection chain=prerouting comment=ROS disabled=yes \
    dst-port=9000-9100 new-connection-mark=ROS_conn passthrough=yes protocol=\
    tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=24000-24050 \
    new-connection-mark=ROS_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=ROS_conn disabled=yes \
    new-packet-mark=ROS_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment="Dota 2" disabled=yes \
    dst-port=27000-28998,36567,8001 new-connection-mark=DOTA2_conn \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    27000-28998,8001 new-connection-mark=DOTA2_conn passthrough=yes protocol=\
    udp
add action=mark-packet chain=prerouting connection-mark=DOTA2_conn disabled=\
    yes new-packet-mark=DOTA2_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment=Valorant dst-port=\
    2099,5222-5223,8088,8393-8400 new-connection-mark=Valorant_conn \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=7000-7500,8088 \
    new-connection-mark=Valorant_conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=Valorant_conn \
    new-packet-mark=Valorant_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment="The Forest" disabled=yes \
    dst-port=8766,27015-27030,27036-27037 new-connection-mark=Forest_conn \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=\
    4380,8766,27000-27031,27036 new-connection-mark=Forest_conn passthrough=\
    yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=Forest_conn disabled=\
    yes new-packet-mark=Forest_Traffic passthrough=no routing-mark=""
add action=mark-connection chain=prerouting comment=Fast.com content=fast.com \
    disabled=yes dst-address-list=fast.com dst-port=443 new-connection-mark=\
    "fast conn" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting content=oca.nflxvideo.net \
    disabled=yes dst-port=443 layer7-protocol=fast new-connection-mark=\
    "fast conn" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-port=443 \
    new-connection-mark="fast conn" passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark="fast conn" disabled=\
    yes new-packet-mark="fastcom dl" passthrough=no
add action=mark-connection chain=prerouting comment=FB_YT_vids_conn \
    dst-address-list=youtube&fbvids new-connection-mark=FB_YT_vids_conn \
    passthrough=yes
add action=mark-connection chain=prerouting comment=L7 layer7-protocol=videos \
    new-connection-mark=FB_YT_vids_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=FB_YT_vids_conn \
    new-packet-mark=FB_YT_traffic passthrough=no
add action=mark-packet chain=prerouting comment=Speedtest connection-mark=\
    "speedtest conn" disabled=yes new-packet-mark="speedtest dl" passthrough=\
    no
add action=mark-packet chain=prerouting connection-mark="speedtest conn" \
    disabled=yes new-packet-mark="speedtest up" passthrough=no
add action=mark-connection chain=prerouting disabled=yes dst-port=8080 \
    new-connection-mark="speedtest conn" passthrough=no protocol=tcp
add action=mark-connection chain=prerouting content=speedtest.net disabled=\
    yes dst-port=8080 new-connection-mark="speedtest conn" passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting content=\
    .prod.hosts.ooklaserver.net disabled=yes dst-port=8080 \
    new-connection-mark="speedtest conn" passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=browsing dst-port=\
    80,8080,20,21,443 new-connection-mark=browsing_conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting dst-port=80,8080,20,21,443 \
    new-connection-mark=browsing_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-bytes=150000-5000000 \
    dst-port=80,8080,20,21,443 new-connection-mark=5M_dl_conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=150000-5000000 \
    dst-port=80,8080,20,21,443 new-connection-mark=5M_dl_conn passthrough=yes \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=5M_dl_conn \
    new-packet-mark=high_dl_1_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=browsing_conn \
    new-packet-mark=browsing_traffic passthrough=no
add action=mark-connection chain=prerouting comment=others dst-port=\
    1000-65535 new-connection-mark=others_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=1000-65535 \
    new-connection-mark=others_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-bytes=149000-100000000 \
    connection-mark=others_conn connection-rate=149k-100M \
    new-connection-mark=other_heavy_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=!other_heavy_conn \
    new-connection-mark=light_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=light_conn \
    new-packet-mark=light_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=other_heavy_conn \
    new-packet-mark=other_heavy_traffic passthrough=no
add action=mark-packet chain=prerouting connection-mark=others_conn \
    new-packet-mark=others_traffic passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment=PLDT out-interface=ether1
add action=masquerade chain=srcnat comment=Globe out-interface=ether6
add action=masquerade chain=srcnat comment=LAN src-address=192.168.7.0/24
add action=masquerade chain=srcnat comment=PPPOE src-address=192.168.66.0/24
add action=masquerade chain=srcnat comment=PPPOE src-address=192.168.77.0/24
add action=masquerade chain=srcnat comment=VENDO disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to-PLDT
add check-gateway=ping distance=1 gateway=192.168.254.254 routing-mark=\
    to-GLOBE
add distance=1 gateway=192.168.254.254
add distance=1 gateway=192.168.1.1
/ip service
set ssh disabled=yes
/ppp secret
add comment="10 MBPS ONLY" name=Fetiluna profile="10 MBPS w/o Q" \
    remote-address=192.168.66.254
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=Rb4011
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=119.28.183.184 \
    server-dns-names=time.google.com
/system resource irq rps
set ether1 disabled=no
set ether2-LPB disabled=no
set ether3-AP disabled=no
set ether4-LAN disabled=no
set ether5-PPPoE disabled=no
/system scheduler
add comment="Google Certificate Update" interval=1w name=\
    Certificate_Google_Update on-event=Certificate_Google policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/24/2022 start-time=05:20:00
add comment="DoH Cache Flush" interval=1d name="DNS Cache Flush" on-event=\
    DNS_Flush_Cache policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/24/2022 start-time=05:30:00
/system script
add dont-require-permissions=no name=Certificate_Google owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=https://pki.goog/roots.pem\r\
    \n/certificate import file-name=roots.pem passphrase=\"\""
add dont-require-permissions=no name=DNS_Flush_Cache owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip dns cache flush"

You have some very complicated config which can be optimized Vendo and PPP users. On the issue you have you can try both addresses and ports for the pcc set-up.

Also, be aware on how you organize your mangle config per sequence and just a trick try to do PBR for those 443 sites.

majorlogic · July 25, 2022, 12:34pm

Do you think load balancing has to do with the slow browsing speed? If I turn off either one of the WANs, it loads much faster compare to enabling both WANs.

sindy · July 26, 2022, 5:17am

The whole issue is that you haven’t noticed an important fact - in RouterOS, you can have at most one connection-mark per connection (it’s a difference compared to bare Linux). So you assign the connection-mark values PLDT and GLOBE that you later translate to routing-mark values to-PLDT and to-GLOBE, but as you rewrite the already assigned connection-mark values in the subsequent rules by new values like ML.conns, LOLWR.conns etc., some packets that should have been sent via ether6 end up being sent via ether1, causing them to reach the remote server with a wrong source address (as they get NATed at the other uplink modem/router) and ignored.

So you have to change the whole approach. Either you must use connection-mark values only to assign packet-mark values for queue handling, and use per-connection-classifier to directly assign routing-mark values, or you must introduce aggregated connection-mark values like PLDT.ML.conns and GLOBE.ML.conns, and of course only assign them when handling the initial packet of each connection (i.e. packets matching connection-state=new). The very purpose of connection-mark is to avoid classifying each packet of connection using complex match conditions - the idea is that you use those complex conditions to classify the initial packet and store the result of the classification into a connection-mark for all subsequent packets of the connection, regardless their direction. In more complicated setups, you may want to change the classification depending on traffic volume (the goal is to prioritize interactive traffic over downloads, so you typically move connections that have exceeded a certain threshold of transported data into a slower queue), but the basic idea is still the same.

anav · July 26, 2022, 1:59pm

PCC load balancing the MT way…
https://mum.mikrotik.com/presentations/US12/steve.pdf

majorlogic · July 31, 2022, 9:18am

hello everybody!

Update on my thread. It seems my config works well, the issue was on my second ISP. the modem they provided hangs up. I’ve reached up to the ISP company and they suggest to change the mode of the modem to BRIDGE mode which solves it. Thank you for all the answers and suggestions!