I’ve implemented PCC with masquerading with multiple WANs as in the example fewi gave in this thread. Both of the WANs I’m masquerading through are on the same subnet, though I’m not entirely certain if that’s the issue here. What I’m seeing is that I can connect to internal (10.0.0.0/8 and 192.168.0.0/16) hosts fine, and hosts on the same subnet as the WANs (x.y.80.0/22) also are OK. I can’t seem to go beyond that subnet. My IP configuration:
/ip firewall mangle
add action=accept chain=prerouting comment="TODO: filter bogon addresses above this rule" disabled=no dst-address-list=!internal in-interface=ether3 \
src-address-list=internal
add action=mark-connection chain=prerouting comment="mark incoming 80.66 tcp services" connection-state=new disabled=yes dst-port=1194 in-interface=public-66 \
new-connection-mark=conn-66 passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="PCC unmarked data connections" disabled=no dst-address-list=!internal dst-address-type=!local in-interface=\
ether3 new-connection-mark=conn-64 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="PCC unmarked video connections" disabled=no dst-address-list=!internal dst-address-type=!local in-interface=\
ether4 new-connection-mark=conn-65 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=conn-64 disabled=no new-routing-mark=to-64 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=conn-65 disabled=no new-routing-mark=to-65 passthrough=yes
/ip firewall address-list
add address=10.0.0.0/8 comment="" disabled=no list=internal
add address=192.168.0.0/16 comment="" disabled=no list=internal
add address=10.2.0.0/16 comment="" disabled=no list=internal-net1
add address=10.1.0.0/16 comment="" disabled=no list=internal-net2
add address=10.4.0.0/16 comment="" disabled=no list=internal-net2
/ip firewall filter
add action=accept chain=input comment="allow traffic to the router" connection-state=established disabled=no
add action=accept chain=input comment="allow traffic to the router" connection-state=related disabled=no
add action=drop chain=input comment="drop invalid traffic to the router" connection-state=invalid disabled=no
add action=accept chain=input comment="allow admin traffic to router" disabled=no src-address-list=internal
add action=drop chain=input comment="deny all other traffic to router" disabled=no
add action=accept chain=forward comment="allow traffic through router" connection-state=established disabled=no
add action=accept chain=forward comment="allow traffic through router" connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid traffic through router" connection-state=invalid disabled=no
add action=accept chain=forward comment="allow LAN traffic through router" disabled=no in-interface=ether3
add action=accept chain=forward comment="allow 1194/tcp from public-66 to 192.168.10.190" disabled=no dst-address=192.168.10.190 dst-port=1194 protocol=tcp
add action=drop chain=forward comment="deny all other traffic through router" disabled=no
/ip route print detail
0 A S dst-address=0.0.0.0/0 gateway=public-64 gateway-status=public-64 reachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to-64
1 A S dst-address=0.0.0.0/0 gateway=public-65 gateway-status=public-65 reachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to-65
2 A S dst-address=0.0.0.0/0 gateway=public-66 gateway-status=public-66 reachable check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to-66
4 ADC dst-address=10.1.0.0/16 pref-src=10.1.0.1 gateway=ether1 gateway-status=ether1 unreachable distance=0 scope=200
5 ADC dst-address=10.2.0.0/16 pref-src=10.2.0.1 gateway=ether2 gateway-status=ether2 unreachable distance=0 scope=200
6 ADC dst-address=10.4.0.0/16 pref-src=10.4.0.1 gateway=ether3 gateway-status=ether3 reachable distance=0 scope=10
7 ADC dst-address=x.y.80.0/22 pref-src=x.y.80.65 gateway=public-65,public-64,public-66
gateway-status=public-65 reachable,public-64 reachable,public-66 reachable distance=0 scope=10
8 ADC dst-address=192.168.0.0/16 pref-src=192.168.10.104 gateway=ether5 gateway-status=ether5 reachable distance=0 scope=10
/ip firewall nat
add action=masquerade chain=srcnat comment="GSU outbound traffic" disabled=yes out-interface=public-64
add action=masquerade chain=srcnat comment="80.64 outbound traffic" disabled=no out-interface=public-64
add action=masquerade chain=srcnat comment="GSU video outbound traffic" disabled=yes out-interface=public-65
add action=masquerade chain=srcnat comment="80.65 outbound traffic" disabled=no out-interface=public-65
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=x.y.80.66 dst-port=1194 protocol=tcp to-addresses=192.168.10.190 to-ports=1194
There are a few entries in there for things that are not yet fully configured, so here is a network diagram showing what is currently connected and what I would like to have working. You will notice the existing gateway. It’s mostly unimportant to this discussion; it just needs to remain in place until the RB1100 is fully working.

I suspect that the issue is not too complicated, but I am new to RouterOS and maybe I just can’t see it.
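A review aid for an export like the one in this post, added here as an example and not part of the original post: it lists mark rules that sit behind an enabled `action=accept` rule on the same chain and in-interface (in RouterOS mangle, `accept` ends processing of that chain for the packet), and lists default routes that carry no routing-mark. The function names are hypothetical and the sample input is abbreviated from the posted export; matchers other than `chain` and `in-interface` are not evaluated, so the output is a list of candidates to check by hand.

```python
import shlex

# Sample input abbreviated from the export in the post (continuations joined).
MANGLE = '''\
add action=accept chain=prerouting comment="TODO: filter bogon addresses above this rule" disabled=no dst-address-list=!internal in-interface=ether3 src-address-list=internal
add action=mark-connection chain=prerouting comment="PCC unmarked data connections" disabled=no dst-address-list=!internal in-interface=ether3 new-connection-mark=conn-64 passthrough=yes
add action=mark-connection chain=prerouting comment="PCC unmarked video connections" disabled=no dst-address-list=!internal in-interface=ether4 new-connection-mark=conn-65 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=conn-64 disabled=no new-routing-mark=to-64 passthrough=yes
'''
ROUTES = '''\
0 A S dst-address=0.0.0.0/0 gateway=public-64 distance=1 routing-mark=to-64
1 A S dst-address=0.0.0.0/0 gateway=public-65 distance=1 routing-mark=to-65
6 ADC dst-address=10.4.0.0/16 pref-src=10.4.0.1 gateway=ether3 distance=0
'''

def fields(line):
    """Turn one 'key=value ...' line into a dict; bare tokens (flags) are skipped."""
    return dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)

def shadowed_marks(export):
    """Return (accept rule comment, mark name) for mark rules behind an accept rule."""
    rules = [fields(l) for l in export.splitlines() if l.startswith("add ")]
    rules = [r for r in rules if r.get("disabled") != "yes"]  # disabled rules never match
    hits = []
    for i, a in enumerate(rules):
        if a.get("action") != "accept":
            continue
        for b in rules[i + 1:]:
            ia, ib = a.get("in-interface"), b.get("in-interface")
            overlap = ia is None or ib is None or ia == ib
            if a.get("chain") == b.get("chain") and overlap and b.get("action", "").startswith("mark-"):
                hits.append((a.get("comment"), b.get("new-connection-mark") or b.get("new-routing-mark")))
    return hits

def unmarked_default_routes(listing):
    """Default routes usable by packets that carry no routing mark."""
    routes = [fields(l) for l in listing.splitlines()]
    return [r for r in routes if r.get("dst-address") == "0.0.0.0/0" and "routing-mark" not in r]

if __name__ == "__main__":
    for accept_comment, mark in shadowed_marks(MANGLE):
        print(f"{mark}: preceded by accept rule '{accept_comment}'")
    print("default routes without routing-mark:", len(unmarked_default_routes(ROUTES)))
```
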