hi everyone
I config PCC ( both address and port ) for 2 wan link and I have some services inside my LAN that is published (outlook web app and citrix )
1- is both wan link simultaneously active and response to incoming traffic?
2 -has pcc any affect to my published services? my user have some problem in connecting to my mail server from wan.
3-how should I config pcc for forcing a wan more traffic ? for 2 wan 2/0 , 2/1, 2/2 or 3/0 , 3/1, 3/2 , 3/3 ?
Yes, but it depends on the rest of your configuration whether the response is sent out via the same WAN via which the request has come in. Before asking additional questions, post the output of /export hide-sensitive after systematically replacing each occurrence of any public address eventually present by a distinctive, meaningful pattern like my.public.ip.1
If you use the pcc alone, without connection marking, it may cause issues. Same advice as above applies.
2/2 and 3/3 are incorrect. The second number is the reminder after integer division of the hash by the first number, so it must be smaller than the first number.
So to distribute traffic among two WANs in 3:2 ratio, use five PCC rules, 5/0, 5/1, 5/2 via WAN1 and 5/3, 5/4 via WAN2.
thanks for reply
wan1: 2 Mbps wan2: 4Mbps
add action=mark-connection chain=input comment=PCC in-interface=wan1
new-connection-mark=wan1-conn passthrough=yes
add action=mark-connection chain=input in-interface=wan2 new-connection-mark=
wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1
new-routing-mark=To_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2
new-routing-mark=To_wan2 passthrough=yes
add action=accept chain=prerouting dst-address=GW1 in-interface=ether3
add action=accept chain=prerouting dst-address=GW2 in-interface=ether3
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=ether3 new-connection-mark=wan1 passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local
in-interface=ether3 new-connection-mark=wan2 passthrough=yes
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1
in-interface=ether3 new-routing-mark=To_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Systec_conn
in-interface=ether3 new-routing-mark=To_wan2 passthrough=yes
add check-gateway=ping comment=“to wan1” distance=1 gateway=GW1
routing-mark=To_wan1
add check-gateway=ping comment=“to wan2” distance=1 gateway=GW2
routing-mark=To_wan2
add check-gateway=ping comment=Backup-Systec distance=1 gateway=GW1
add check-gateway=ping comment=backup-Shatel distance=2 gateway=GW2
my problem:
1-my 2 wan link doesn’t respond simultaneously. I want user from outside can access to published service by both wan links.
2- can I force upload through wan2 ?
3- by pcc I cant access Mikrotik (winbox) from the internet !!
4-how can I force some services like rdp and citrix use wan2 ?
5- I have ipip tunnel to my branch. what is pcc affect to the tunnel?
First the errors - your configuration looks as if you wanted to change all the mark names to match your needs but missed some occurrences:
With the errors above fixed, this should start working properly. Whenever a packet comes in via one of the WAN interfaces, the connection to which it belongs or which it establishes gets marked with a connection-mark later used to assign a routing-mark to a response packet belonging to this connection so that response packet is routed out via that same WAN interface.
Explain better what you mean by upload. You can control through which of the WANs a new session initiated by a device in your LAN will be established. Whether that session will later be used for download or upload is a different question. So you can configure that particular devices in your LAN will always use one particular WAN, or that sessions towards a particular remote server will always use one particular WAN, or a combination of both. But if the same LAN device connects to the same port of the same remote server once for download and once for upload, there is no way to choose a different WAN for download than for upload.
With the errors above fixed, this should start working properly.
To “force some services to use a particular WAN” actually means to override the PCC rules for those connections. To do so, you have to place mangle rules assigning a connection-mark based on some conditions (e.g., the remote TCP port) before the PCC rules in chain=prerouting in /ip firewall mangle. Plus you have to add one condition to all these rules except the topmost one and the PCC rules as well: connection-mark=no-mark. This is necessary to prevent later rules from rewriting connection-marks already assigned by earlier rules if their conditions eventually match.
Also, bear in mind that connections initiated from WAN side and those matching the exception rules as described above use the bandwidth on their respective WANs and the PCC rules have no way to accommodate to it. So let’s say you use two PCC rules (:3/0 and :3/1) to send traffic to WAN2 which has 4 Mbit/s bandwidth and one PCC rule (:3/2) to send traffic to WAN1 which has 2 Mbit/s bandwidth, but if the other rules send all their traffic to WAN2 and that traffic already has 4 Mbit/s, the PCC rules will nevertheless send 2/3 of the remaining traffic to WAN2.
One point is how the transport packets of the tunnel will be routed. IPIP uses no ports so PCC rules can only work with IP addresses and always send the tunnel from the same source to the same destination through the same WAN. There may be an issue if PCC chooses the wrong WAN for the IPIP tunnel, so better to place an explicit rule in front of the PCC rules as described just above.
Another point is that unless you set up an exceptional handling for packets which should go via the tunnel, the PCC rules along with routing-marking rules will redirect that traffic to WANs.
The simplest and most reliable way is to use /ip route rule to tell the routing to ignore, for the traffic which should go through the ipip tunnel, the routing-mark eventually assigned and thus route that traffic using the default routing table:
ip route rule add action=lookup-only-in-table table=main dst-address=the.subnet.behind.ipip/mask
thanks again sindy
here is my mangel code. just change GW :
add action=mark-connection chain=input comment=PCC in-interface=SHATEL new-connection-mark=Shatel-conn passthrough=yes
add action=mark-connection chain=input in-interface=SYSTEC new-connection-mark=Systec_conn passthrough=yes
add action=mark-routing chain=output connection-mark=Shatel-conn new-routing-mark=To_Shatel passthrough=yes
add action=mark-routing chain=output connection-mark=Systec_conn new-routing-mark=To_Systec passthrough=yes
add action=accept chain=prerouting dst-address=GW1 in-interface=ether3
add action=accept chain=prerouting dst-address=GW2 in-interface=ether3
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether3 new-connection-mark=Shatel-conn
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether3 new-connection-mark=Systec_conn
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=Shatel-conn in-interface=ether3 new-routing-mark=To_Shatel
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Systec_conn in-interface=ether3 new-routing-mark=To_Systec
passthrough=yes
your explanation was good.
1-with this config both wan link work at the same time and respond to inbound traffic? or something missed?
2-as my understanding pcc affect both download and upload. I mean load balancing occurs in both direction.is this true? I already thought that pcc work just for download.
3-some pcc config include connection mark = no mark in rule 1 and 2 . what is for that?
and some have different order for input, output, prerouting and accept !!!
4- as I said shatel wan is adsl 4Mb/512Kb and systec wan wireless 4Mb/4Mb.
in my config when I get speed test in download time shatel ppoe come first and most downloads go through shatel and in upload systec ppoe come firsrt in order and most uploads go through systec.and their order constantly changing in ppoe section.
5- what is the basis of 5/0 …5/4 calculation? Can I for example use 8/0 …8/5 for shatel wan and 8/6…8/7 for systec?
I copy-paste here an explanation from another topics:
The point is that the connection-tracker part of the firewall keeps note on packets in both directions which belong to the same communication flow between a client and a server - a connection. The recognized types of connections are a TCP session (where the connection is directly equivalent to the session), a UDP flow (where swapped source and destination addresses and ports identify packets belogning to the opposite direction), or an ICMP echo request/response flow (where the combination of source and destination addresses along with ICMP ID field discriminates one ICMP connection from another).
Now if you use an action=mark-connection rule to assign a connection-mark to one packet belonging to a connection, the connection tracker remembers that and all subsequent packets identified to belong to that connection, regardless their direction, get the same connection-mark automatically. So in other rules, you can match packet against that connection-mark and take specific action (like assignment of routing-mark which is, unlike the connection-mark, only valid for the actual packet to which it has been assigned).
So by assigning a connection-mark once, to a newly initiated connection, you note down for that connection which WAN its packets should use; to actually force them to a different path that the default routing table would choose for them, you must translate the connection-mark to a routing-mark for every single packet of such connection which you route out. For these connections, you must disable fasttracking because fasttracking skips mangle rules, so the routing-mark would be assigned only to the first packet of that connection but not to the subsequent ones.
So the rules in chain=input which assign a connection-mark depending on in-interface, together with the rules in chain=output which translate that connection-mark to a routing-mark which makes the routing route the response packets of that connection out via the same interface through which the requests come in, make sure that the local services of the 'Tik are available at both its WAN IP addresses.
The per-connection-classifier itself can be used anywhere, but it only makes sense to use it to choose the WAN interface for connections initiated by devices on Mikrotik’s LAN, because the amount of connections initiated by Mikrotik itself is negligible and because the choice of WAN for connections initiated from outside is done by the remote client so the PCC cannot override it - the response must come from the same IP to which the request has arrived, that’s how internet transport protocols work in most cases.
So the PCC doesn’t actually distribute bandwidth occupation between the WANs, but distributes the sessions initiated from LAN side. There is no way to determine in advance what will be the bandwidth occupied by these sessions and whether they will be used mostly for upload, mostly for download or symmetrically, so there is no load distribution mechanism which could distribute the sessions among the WANs to optimize bandwidth occupation on both. So we rely on statistics and expect that if there are enough sessions, the average bandwidth occupation will be distributed between the WANs in the same ratio like the sessions were distributed.
You’ve provided no details, but connection-mark=no-mark is used to prevent rewriting already assigned connection-marks. While the per-connection-classifier matches all packets of a given direction of a given connection (because all these packets have the same source and destination address and port), other match conditions may give a different result. Or you want to exclude some connections from the PCC handling, but as you have to set passthrough=yes so that the packets just assigned a connection-mark would get also the routing-mark, you must prevent the PCC rules from assigning another connection-mark to packets which have already been connection-marked by some previous rule.
Order of rules matters only within each chain. See this picture to understand which phase of packet processing each of the chains actually covers.
I didn’t get what you are talking about. What is ppoe section?
It’s like in “mix one share of the powder with four shares of water”. Regardless whether the share is a teaspoon, a cup or a barrel, the ratio (by volume in this case) of the components remains the same. So the 5 is the sum of the shares. It would even be possible but hardly practical to use 100 rules with values from 100/0 to 100/99 to express the distribution in percent, so if you use 8/0..8/5 for Shatel and 8/6..8/7 for systec, you may as well use just 4/0 to 4/2 for Shatel and 4/3 for systec and the result will be exactly the same: 3/4 of the sessions will go to Shatel and 1/4 to systec.
thanks for your comprehensive response
in 4 :
my shatel wan is adsl 4Mb/512Kb with 700G traffic usage per month and systec wan is wireless 4Mb/4Mb with 50G traffic per month.
I config pcc 5/0—5/3 for shatel wan and 5/4 for systec wan.
in this config when I get speed test in download shatel wan come first and most downloads go through shatel (as I want this) and in upload systec come firsrt in order and most uploads go through systec.
I’m afraid this is just a random effect which depends on which client-side TCP ports are used to establish the test sessions. The client side port number affects the result of the PCC hash but it is not as simple as that a delta of 1 in port number causes a delta of 1 in the hash result. And in real use, the results may be yet another ones, as the remote server’s addresses will also change (as compared to the speedtest where the server IP is the same for all test sessions).