loadbalancing pcc

Hi!

I have two different providers which I want to utilize in the following scheme.
From provider 1 I have a set of fixed IPs, which I use for my servers, and I want to use this uplink (ether12) when I'm accessing some fixed IPs. 193.16.xxx.xxx

I have another cheap provider with unguaranteed bandwidth which is cheap and has a larger bandwidth, basically for browsing and downloading. This is a PPPoE connection on ether10.
The problem is that I could not even test my secondary PPPoE connection, probably because I'm not routing correctly, or marking my connection correctly.

[admin@MikroTik] > interface print 
Flags: R - RUNNING
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
 #   NAME      TYPE       ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS      
 0   ether1    ether            1500   1580      10222  4C:5E:0C:6A:80:4C
;;; AdminLan
 1 R ether2    ether            1500   1580      10222  4C:5E:0C:6A:80:4D
;;; SecuredWifi
 2 R ether3    ether            1500   1580      10222  4C:5E:0C:6A:80:4E
;;; FreeWifi
 3 R ether4    ether            1500   1580      10222  4C:5E:0C:6A:80:4F
;;; AccesPoints
 4 R ether5    ether            1500   1580      10222  4C:5E:0C:6A:80:50
;;; VideoProduction
 5   ether6    ether            1500   1580      10222  4C:5E:0C:6A:80:51
;;; Class&Library
 6   ether7    ether            1500   1580      10222  4C:5E:0C:6A:80:52
;;; Professors
 7   ether8    ether            1500   1580      10222  4C:5E:0C:6A:80:53
;;; DMZ
 8 R ether9    ether            1500   1580      10222  4C:5E:0C:6A:80:54
;;; Wan2 - digi - 1 GB/s
 9 R ether10   ether            1500   1580      10222  4C:5E:0C:6A:80:55
;;; teszt
;;; Wan
11 R ether12   ether            1500   1580      10222  4C:5E:0C:6A:80:57
12 R Int_DIGI  pppoe-out        1492                                     
13 R vlan0     vlan             1500   1576             4C:5E:0C:6A:80:4D
14 R vlan3     vlan             1500   1576             4C:5E:0C:6A:80:4E
15 R vlan4     vlan             1500   1576             4C:5E:0C:6A:80:4F
16 R vlan5     vlan             1500   1576             4C:5E:0C:6A:80:50
17 R vlan100   vlan             1500   1576             4C:5E:0C:6A:80:54
18 R vlan105   vlan             1500   1576             4C:5E:0C:6A:80:4D

[admin@MikroTik] > ip route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE

0 IsH 0.0.0.0/0 0.0.0.0 1
1 As 0.0.0.0/0 193.16.xxx.141 5
DAc 10.0.19.48/32 Int_DIGI 0
2 As 10.0.99.1/32 ether11 1
DAc 10.0.100.0/24 vlan100 0
DAc 10.0.105.0/24 vlan105 0
DAc 192.168.0.0/24 vlan0 0
DAc 192.168.3.0/24 vlan3 0
DAc 192.168.4.0/24 vlan4 0
DAc 192.168.5.0/24 vlan5 0
DIcH 192.168.88.0/24 ether1 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc + 193.16.xxx.128/26 ether12 0
DAc 193.16.xxx.128/32 ether12 0
[admin@MikroTik] >

[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid; D - dynamic
5 chain=prerouting action=mark-routing new-routing-mark=test-mark passthrough=yes protocol=tcp
src-address=192.168.0.24 dst-address=104.19.223.79 log=yes log-prefix=""

6 chain=prerouting action=mark-routing new-routing-mark=test-mark passthrough=yes protocol=tcp
src-address=192.168.0.24 dst-address=104.19.222.79 log=no log-prefix=""

I tried to mark my connection for my local IP 192.168.0.24 to destination https://whatsmyipaddress.com with the intent to force Int_DIGI as default gateway.

Could somebody help me set this up?
Any help would be appreciated.
Steve

Do you have anything else going on with the WANIPs… any VPN traffic or port forwarding to local servers??

Will need to see your config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

Yes, I have a bunch of forwarded ports, and also have L2TP with IPsec set up. Basically this router, which also acts as my firewall, is a router on a stick.

Then you will need to mangle.
a. accept all local traffic to local traffic (and which is allowed by applicable firewall rules of course) (avoids this traffic getting caught in any mangle rules)
b. mangle traffic coming in each WAN to go out same WAN (important for configuration and VPN aspects)
c. mangle traffic coming on a specific WAN to servers, goes out same WAN (to/from LAN servers).

Rest of traffic can be accomplished by ECMP load balancing. Two routes, same distance etc.

If you desire PCC load balancing then you need to mangle lastly for PCC
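
Steps a to c above written out as RouterOS v7 commands, as an added example that is not part of the original reply. The names `to_WAN1`, `to_WAN2`, `wan1_conn` and `wan2_conn` are made up here, `193.16.xxx.141` is the redacted provider 1 gateway from the route table earlier in the thread, and the `local-networks` address list (referenced in the poster's NAT rules) is assumed to hold every LAN and DMZ subnet.

```routeros
# Added example (RouterOS v7 syntax). Table and mark names are hypothetical.
/routing table
add name=to_WAN1 fib
add name=to_WAN2 fib

# One default route per WAN, each visible only in its own table.
/ip route
add dst-address=0.0.0.0/0 gateway=193.16.xxx.141 routing-table=to_WAN1
add dst-address=0.0.0.0/0 gateway=Int_DIGI routing-table=to_WAN2

/ip firewall mangle
# a. local-to-local traffic stops here and never reaches the marking rules
add chain=prerouting action=accept src-address-list=local-networks \
    dst-address-list=local-networks comment="a: local to local"

# b. remember which WAN a new inbound connection arrived on
add chain=prerouting action=mark-connection in-interface=ether12 \
    connection-mark=no-mark new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface=Int_DIGI \
    connection-mark=no-mark new-connection-mark=wan2_conn passthrough=yes

# b. replies generated by the router itself (L2TP/IPsec, management)
#    leave through the WAN the connection came in on
add chain=output action=mark-routing connection-mark=wan1_conn \
    new-routing-mark=to_WAN1 passthrough=no
add chain=output action=mark-routing connection-mark=wan2_conn \
    new-routing-mark=to_WAN2 passthrough=no

# c. replies from dst-natted LAN servers follow the same rule
add chain=prerouting action=mark-routing src-address-list=local-networks \
    connection-mark=wan1_conn new-routing-mark=to_WAN1 passthrough=no
add chain=prerouting action=mark-routing src-address-list=local-networks \
    connection-mark=wan2_conn new-routing-mark=to_WAN2 passthrough=no
```

Rule order matters: the accept rule from step a has to sit above the marking rules, and `add` appends to the end of the existing mangle list.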

Before I destroy multiple hundreds of firewall rules and I break something which works, I just want to test my second WAN connection (the PPPoE) for a single LAN user. I'm not familiar with the mangle table.
I have all my fixed IPs on ether12. Let's say that's provider 1. Here's a snippet of my firewall. I'm not comfortable sharing all my firewall, but to give a basic idea, my mailserver rules:

chain=srcnat action=src-nat to-addresses=193.xxx.xxx.163
src-address=10.0.100.25 dst-address-list=!local-networks
out-interface=ether12 log=no log-prefix=""

54 ;;; ***MAILS Pop,Imap
chain=dstnat action=dst-nat to-addresses=10.0.100.25 protocol=tcp
dst-address=193.xxx.xxx.163 in-interface=all-vlan dst-port=110,143
log=no log-prefix=""

55 ;;; SMTPS
chain=dstnat action=dst-nat to-addresses=10.0.100.25 protocol=tcp
dst-address=193.xxx.xxx.163 in-interface=all-vlan dst-port=587 log=no
log-prefix=""

56 chain=dstnat action=dst-nat to-addresses=10.0.100.25 protocol=tcp
dst-address=193.xxx.xxx.163 in-interface=all-vlan dst-port=80,443,25,53
log=no log-prefix=""

57 ;;; Imaps,Pop3s
chain=dstnat action=dst-nat to-addresses=10.0.100.25 protocol=tcp
dst-address=193.xxx.xxxx.163 in-interface=all-vlan dst-port=993,995
log=no log-prefix="ImapS,Pop3S"

58 ;;; EXTERNAL Imaps,Pop3s connection
chain=dstnat action=dst-nat to-addresses=10.0.100.25 protocol=tcp
dst-address=193.xxx.xxx.163 in-interface=ether12 dst-port=993,995 log=no
log-prefix=""

59 ;;; EXTERNAL Imaps,Pop3s connection
chain=dstnat action=dst-nat to-addresses=10.0.100.25 protocol=tcp
dst-address=193.xxx.xxx.163 in-interface=ether12 dst-port=143 log=no
log-prefix=""

63 ;;; VPN<->Mail
chain=dstnat action=dst-nat to-addresses=10.0.100.25 protocol=tcp
src-address=10.10.99.0/24 dst-address=193.xxx.xxx.163
dst-port=22,53,80,443,993,995,25,587,110,143 log=yes log-prefix=""


ip firewall filter print

;;; VMmails
chain=forward action=accept src-address=10.0.100.25 out-interface=ether12 log=no log-prefix=""

135 chain=forward action=accept connection-nat-state=srcnat dst-address=10.0.100.25 in-interface=ether12 log=no log-prefix=""

136 chain=forward action=accept connection-nat-state=dstnat dst-address=10.0.100.25 in-interface=ether12 log=yes log-prefix=""


I don't really want ECMP, my final goal is to use ether10 for browsing, and ether12 for my services. But for now I just want to implement a test case in which I can actually use provider 2 for a fixed LAN IP or something, and I'm kinda lost in the mangle and route setup process.

Any help would be appreciated.
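
A single-host test of the kind asked for above, as an added example that is not part of the original post. It assumes RouterOS v7, uses a made-up table name `test_digi`, and assumes the `local-networks` address list from the poster's NAT rules covers all internal subnets; every rule is scoped to 192.168.0.24 and tagged with a `test:` comment so it can be removed without touching the existing rule set.

```routeros
# Added example (RouterOS v7 syntax). Table name test_digi is hypothetical.
/routing table add name=test_digi fib

# Default route that exists only in the test table; the main table and
# everything that depends on ether12 stay untouched.
/ip route add dst-address=0.0.0.0/0 gateway=Int_DIGI routing-table=test_digi \
    comment="test: default via Int_DIGI"

# Policy-route the test host only, and only towards non-local destinations,
# so it can still reach the internal servers through the main table.
/ip firewall mangle add chain=prerouting action=mark-routing \
    src-address=192.168.0.24 dst-address-list=!local-networks \
    new-routing-mark=test_digi passthrough=no \
    comment="test: 192.168.0.24 via Int_DIGI"

# Source NAT on the PPPoE link; without it packets leave with the private
# source address 192.168.0.24 and no reply can come back.
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=192.168.0.24 out-interface=Int_DIGI \
    comment="test: NAT for Int_DIGI"

# The forward chain must permit the flow. "add" appends to the end of the
# list, so move this rule above any drop rule that would match first.
/ip firewall filter add chain=forward action=accept \
    src-address=192.168.0.24 out-interface=Int_DIGI \
    comment="test: allow 192.168.0.24 out Int_DIGI"

# Verify: the route is active, the mangle counter increases, and the
# connections from the test host show up in connection tracking.
/ip route print detail where routing-table=test_digi
/ip firewall mangle print stats where comment~"^test:"
/ip firewall connection print where src-address~"192.168.0.24"

# Rollback (uncomment to remove everything this test added):
# /ip firewall filter remove [find where comment~"^test:"]
# /ip firewall nat remove [find where comment~"^test:"]
# /ip firewall mangle remove [find where comment~"^test:"]
# /ip route remove [find where comment~"^test:"]
# /routing table remove [find where name=test_digi]
```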

No can do…
I work from a provided config…