I have configured two WAN links, to eth6 and wlan1 of the RB2011 with static IPs.
Destinations from address lists “balticom” and “ltk” always use link one or two respectively. Host 192.168.15.17 always uses WAN link one. The rest are divided equally using PCC.
The problem is that I can no longer use tracert from LAN. The first hop, which is the RB2011, no longer gives a response.
C:\>tracert routerboard.com
Tracing route to routerboard.com [159.148.147.197]
over a maximum of 30 hops:
1 * * * Request timed out.
2 <1 ms <1 ms <1 ms 10.91.104.254
C:\>tracert msfn.org
Tracing route to msfn.org [74.86.39.114]
over a maximum of 30 hops:
1 * * * Request timed out.
2 1 ms 1 ms 1 ms 192.168.1.1
3 4 ms 11 ms 7 ms 95.68.48.1
Pinging the router works.
How do I adjust my config to enable traceroute to work again?
/ip address
add address=192.168.15.254/24 interface=ether1-gb network=192.168.15.0
add address=192.168.8.1/24 interface=ether10 network=192.168.8.0
add address=192.168.19.254/24 interface=ether9 network=192.168.19.0
add address=192.168.1.28/24 interface=wlan1 network=192.168.1.0
add address=212.142.84.209/24 interface=ether6-balticom network=212.142.84.0
/ip firewall mangle
add chain=prerouting dst-address=212.142.84.0/24
add chain=prerouting dst-address=192.168.1.0/24
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether6-balticom new-connection-mark=to_balticom
add action=mark-connection chain=input connection-mark=no-mark in-interface=wlan1 new-connection-mark=to_kardon
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=ltk new-connection-mark=to_kardon
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=balticom new-connection-mark=to_balticom
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.0.0/16 dst-address-type=!local new-connection-mark=to_balticom src-address=192.168.15.17
add action=mark-connection chain=prerouting comment=PCH connection-mark=no-mark dst-address=!192.168.0.0/16 new-connection-mark=to_balticom per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.0.0/16 new-connection-mark=to_kardon per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=to_balticom new-routing-mark=to_balticom
add action=mark-routing chain=prerouting connection-mark=to_kardon new-routing-mark=to_kardon
add action=mark-routing chain=output connection-mark=to_balticom new-routing-mark=to_balticom
add action=mark-routing chain=output connection-mark=to_kardon new-routing-mark=to_kardon
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether6-balticom to-addresses=212.142.84.209
add action=src-nat chain=srcnat out-interface=wlan1 to-addresses=192.168.1.28
add action=src-nat chain=srcnat dst-address=192.168.15.0/24 src-address=192.168.15.0/24 to-addresses=212.142.84.209
/ip route
add check-gateway=arp distance=2 gateway=212.142.84.254 pref-src=212.142.84.209 routing-mark=to_balticom
add check-gateway=arp distance=2 gateway=192.168.1.1 pref-src=192.168.1.28 routing-mark=to_kardon
add check-gateway=arp distance=5 gateway=192.168.1.1 pref-src=192.168.1.28
add check-gateway=arp distance=5 gateway=212.142.84.254 pref-src=212.142.84.209
Edit:
The problem has been solved by re-reading the wiki about firewall chains. My PCC was wrong. I’ve moved the input rules to prerouting, and made an exception for directly connected networks in the output rule.
/ip firewall address-list
add address=212.142.84.0/24 list=networks
add address=192.168.0.0/16 list=networks
/ip firewall mangle
add action=mark-routing chain=output connection-mark=to_balticom dst-address-list=!networks new-routing-mark=to_balticom
add action=mark-routing chain=output connection-mark=to_kardon dst-address-list=!networks new-routing-mark=to_kardon
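
Added example, not part of the original post: a small Python model of how the chain=output mark-routing rules pick the egress interface for a router-generated reply to a LAN host, with the original rules and with the edited ones. It assumes the router's ICMP time-exceeded reply is tracked as related to the traced connection and so carries its connection mark, and that a routing mark selects its own table before main; the function names are illustrative.

```python
import ipaddress

# Connected networks and routes copied from the post's /ip address and /ip route.
CONNECTED = [
    ("192.168.15.0/24", "ether1-gb"),
    ("192.168.8.0/24", "ether10"),
    ("192.168.19.0/24", "ether9"),
    ("192.168.1.0/24", "wlan1"),
    ("212.142.84.0/24", "ether6-balticom"),
]
TABLES = {
    # One of the two distance=5 defaults; which one is active does not matter here.
    "main": CONNECTED + [("0.0.0.0/0", "wlan1")],
    "to_balticom": [("0.0.0.0/0", "ether6-balticom")],
    "to_kardon": [("0.0.0.0/0", "wlan1")],
}
# The "networks" address list added in the post's edit.
NETWORKS = ["212.142.84.0/24", "192.168.0.0/16"]


def output_routing_mark(conn_mark, dst, exclude_networks):
    """Model of the chain=output mark-routing rules.
    exclude_networks=False: original rules; True: with dst-address-list=!networks."""
    if conn_mark not in ("to_balticom", "to_kardon"):
        return None
    addr = ipaddress.ip_address(dst)
    if exclude_networks and any(addr in ipaddress.ip_network(n) for n in NETWORKS):
        return None  # rule does not match, packet stays unmarked
    return conn_mark


def lookup(table, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), i) for p, i in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def egress(conn_mark, dst, exclude_networks):
    """Interface a router-originated packet leaves on."""
    mark = output_routing_mark(conn_mark, dst, exclude_networks)
    hit = lookup(TABLES[mark], dst) if mark else None
    return hit or lookup(TABLES["main"], dst)


if __name__ == "__main__":
    for fixed in (False, True):
        print("edited rules" if fixed else "original rules",
              egress("to_balticom", "192.168.15.17", fixed))
```

With the original rules the reply to the LAN host is looked up in the marked table, which holds only a default route towards the WAN; with the edited rules it falls through to the connected route in main.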