Why no firewall rules?
Why no interface list or members?
Why do you have the bridge giving out DHCP when you have vlans?
What is the purpose of the vlans?
Why is vlan associated to sfpplus1, when sfpplus1 is also attached to the bridge?
Besides the answers to these questions the complete config is required.
/export file=anynameyouwish ( minus router serial#, any public WANIP info, keys etc. )
Do not need connection-state=new!
Do not need the first set of mangles for the WANs only for simple PCC nor their associated output chain rules…
Also, do not recommend using names of interfaces with quotes, keep quotes for comments only.
It highlights your errors in mangling where you have FORGOTTEN to add the quotes back in!!!
You have to ensure that the appropriate packets don’t go via fasttrack.
Either by having an accept statement for these packets prior to the fasttrack rule or by disabling the fasttrack rule.
One possible option (just prior to fasttrack rule)
add action=accept chain=forward comment="accept established related marked connections (using wan ports)" connection-state=established,related connection-mark=!no-mark
Amazing you can diagnose problems without information, can I hire you as my doctor too..
By the way the reason to put connection-mark=no-mark in the mangle rules, as the OP has done — oh look at me using evidence!! ----, is to ensure that on the fasttrack rule
one simply adds connection-mark=no-mark as part of the rule, and then any LAN traffic not involved in PCC can make use of fasttrack.
Thanks for replying, I’m a newbie in mk. I only understand some, and most of my configs are from tutorials on the internet. But here is the config attached to this reply.
By the way, I changed the vlan to all-ppp and it works, but when I tried to use vlan or eth7 it doesn’t. I’m curious why.
MK CFG.txt (20.5 KB)
The vlan in sfp is what used to be the one I’m using, but the dac cable stopped working so I migrated the pppoe server and its clients to vlan in eth7.
Yeah, it’s full of errors but I can’t change anything until I understand what is going on with each config. It’s still working so I let it be, but I’m planning to change everything when I learn.
The script for routes is for the isp. Sometimes the isp’s modem changes ip or something so that it disconnects with an error, so someone suggested that I include the script and it works. I don’t know how but it solved the problem.
What I’m trying to pcc is the traffic for the ether7 where the vlan is, and that vlan has pppoe server with many clients. When I try the pcc with the eth7 or vlan that is in eth7 it doesn’t work, but when I change it to all-ppp it works.
Can you provide a network diagram as detailed as possible so I can try to figure out what is going on.
To help with the diagram please provide the following.
a. identify all the users/devices or groups of users devices on the router
b. identify all the external users coming into the router
c. all the traffic flow requirements, what each user/device group needs to be able to accomplish.
Okay that is excellent progress!
Now you only want to load balance vlan7 to all the ISPs correct?
Your laptop you want to use a specific ISP?
What is on etherports 5,6 ??
What is the purpose of SFP and which ISP should it use…
Yes, I want to pcc load balance vlan10 or specifically eth7. Also, if eth7 is load balanced, do the interfaces under it inherit the load balancing, such as vlan10>pppoe server>pppoe clients all the way down? I’m also a bit curious why, when I tried the pcc tutorial by the mikrotik YT channel, it doesn’t work when I use “eth7” or “vlan10” in mangle, but when I change it to “all-ppp” it works.
On my laptop it doesn’t matter, I only use it to connect to mk via winbox.
eth5, 6 are empty.
SFP doesn’t have a purpose, the dac cable broke so I won’t be using it.
Okay, all good info, yes it should load balance any connection coming from vlan7,ether10.
I don’t understand the purpose of your complex scripts…
Why are they needed especially the dhcp server???
You seem to have two sets,
DHCP server and DHCP clients etc…
The dhcp client assuming ISP… seems overly complex…
For example for my dhcp client setting, the problem is that I can set an IP route but when the wanip changes, the router is unable to update the gateway, so I have to do this by script.
What is your particular issue for needing script??
Yes, you’re right, the script is for auto updating wan ip because sometimes it causes problems. It’s a bit complex, to be honest I don’t really understand most of it but it works.
Nope, there is only one dhcp server, which is in the bridge where my laptop is connected.
In your config I see this… Which indicated an error that needs to be resolved.
/interface pppoe-server server
add interface=*B service-name=service1
AND
/ip address
add address=100.0.41.1/20 disabled=yes interface=*B network=100.0.32.0
AND
add address=10.14.0.2/16 disabled=yes interface=*15 network=10.14.0.0
add address=10.14.0.2/16 disabled=yes interface=*16 network=10.14.0.0
The main problem is the structure of the users and profiles and interface lists…
Once that is sorted then we will have interfaces that can be used properly in mangle rules.
Sadly its above my head…
When a PPP-something (L2TP, SSTP, PPTP, even OpenVPN) client establishes a connection to the server, a virtual interface is created for that client on the server, the name consisting of a <pppoe- prefix, the username, eventually an order extension like -2, and a suffix >. So if user john has connected three times so far, there are three interfaces: <pppoe-john>, <pppoe-john-1>, and <pppoe-john-2>. Once the client disconnects, the corresponding interface gets removed, so any firewall rules referring to it now refer to an unused id of an interface, something like *1e7, and never match to anything again.
If you do not use any other PPP-something clients than PPPoE, and you want to handle the routing equally for all PPPoE users regardless of their speed and traffic volume limits, you can use a predefined interface list all-ppp; as it is a pre-defined one, it is treated as a virtual interface rather than an actual list, so the match condition to use in firewall rules is in-interface=all-ppp. But a more advanced way is to create an interface list of your own, e.g. pppoe-clients, and let the rules match on src-address-list=pppoe-clients. To make RouterOS add the individual virtual interfaces to that list as its dynamic members, it is enough to set the interface-list parameter of all the /ppp profile rows you use on your ppp secret rows to the name of the list, i.e. pppoe-clients in our case. But the interface will only be added to the list upon the next login of the client.
You can do a similar thing with address lists, or you can let the firewall rules match on the address ranges from which you assign addresses to your PPPoE clients - choose the way which seems most logical to you.
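An added example, not posted by anyone in this thread: a small Python audit of a RouterOS `/export` that flags the two problems discussed here, rules that still point at a removed interface id such as `*B` or `*15`, and a fasttrack rule that can swallow PCC-marked connections. The sample export is constructed (its first two stanzas reuse lines quoted above), and the function names are hypothetical.

```python
import re

# Constructed sample: the first two stanzas repeat lines quoted in this thread,
# the mangle and filter stanzas are made up for the example.
SAMPLE_EXPORT = r"""/interface pppoe-server server
add interface=*B service-name=service1
/ip address
add address=10.14.0.2/16 disabled=yes interface=*15 network=10.14.0.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=all-ppp new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/0
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
"""

STALE_REF = re.compile(r"(?:^|\s)((?:in-|out-)?interface)=(\*[0-9A-Fa-f]+)(?=\s|$)")

def rules(export_text):
    """Yield (section, rule) pairs, joining '\\' line continuations first."""
    joined = re.sub(r"\\\r?\n\s*", "", export_text)
    section = ""
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            yield section, line

def stale_interface_refs(export_text):
    """Rules whose interface is a dangling internal id such as *B or *1e7."""
    return [(sec, m.group(2)) for sec, rule in rules(export_text)
            for m in STALE_REF.finditer(rule)]

def fasttrack_can_bypass_marks(export_text):
    """True if connections are marked but fasttrack is not limited to no-mark
    and no earlier forward rule accepts the marked connections."""
    all_rules = list(rules(export_text))
    marking = any(sec == "/ip firewall mangle" and "action=mark-connection" in r
                  for sec, r in all_rules)
    for sec, r in all_rules:
        if sec != "/ip firewall filter" or "chain=forward" not in r:
            continue
        if "action=accept" in r and "connection-mark=!no-mark" in r:
            return False          # marked traffic is accepted before fasttrack
        if "action=fasttrack-connection" in r:
            return marking and "connection-mark=no-mark" not in r
    return False
```

Run it against the text of an export with secrets already stripped; a non-empty result from `stale_interface_refs` means those rows need to be re-pointed at a live interface or list, or deleted.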
I’m not sure if my understanding is accurate, but in my understanding arp checks the mac of the device if it’s connected. I had problems when I used ping even when it’s connected to the router. I don’t know why, but maybe sometimes ping doesn’t respond and it says unreachable, but when I use arp it always does. So it’s kind of my preference because I don’t actually understand it in depth. I had to manually change and observe how the changes react, and by this process I observed that arp works best in my case.
Apparently ARP is a very viable method for what you are doing with it. Similar to ping, and the only difference is ARP would not be used in recursive routing, which is where I am used to it being used.
As was explained to me, Ping is checking to see if something is UP or ON, while ARP is checking if something is down or OFF. Reverse viewpoint, same results…