For my bandwidth I used https://wiki.mikrotik.com/wiki/Manual:PCC. Now listen to how it works. All connections based on the second ISP will time out when I try to disable the Torch utility. I think it happens because the router can't understand which default routes must be used. I'm not a sysadmin and don't understand many things about routing tables, but one thing I know is that this second ISP has Multipath (ECMP) routes, and maybe I can't configure my ROS with PCC in this situation, which is nonstandard for it. Help me please fix this mistake. Thanks.
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=PUBLIC_IP in-interface=BRIDGE log-prefix="SDAD: "
add action=return chain=forward comment="block tau gg for dom ru" dst-address=37.230.210.160 log=yes log-prefix="Forward -> Dropped tau.gg to: " out-interface=INET_DOM_RU src-address=192.168.88.250
add action=return chain=forward comment="block srcds from tau gg" in-interface=INET_DOM_RU log=yes log-prefix="Forward -> Dropped tuu.gg from: " src-address=37.230.210.160
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=INET_TTK new-connection-mark=TTK_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=INET_DOM_RU log-prefix="DOM_conn: " new-connection-mark=DOM_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=BRIDGE new-connection-mark=TTK_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=BRIDGE log-prefix="CLASSFIELD: " new-connection-mark=DOM_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=TTK_conn in-interface=BRIDGE new-routing-mark=to_TTK passthrough=yes
add action=mark-routing chain=prerouting connection-mark=DOM_conn in-interface=BRIDGE new-routing-mark=to_DOM passthrough=yes
add action=mark-routing chain=output connection-mark=TTK_conn log-prefix="TTK_conn -> to_TTK: " new-routing-mark=to_TTK passthrough=yes
add action=mark-routing chain=output connection-mark=DOM_conn log-prefix="DOM_conn -> to_DOM: " new-routing-mark=to_DOM passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="allow traffic between nat ower wan connection (Hairpin NAT)" dst-address-list=ALL_NAT log-prefix="MASQ ALL_NAT: " out-interface=BRIDGE src-address=192.168.88.250/31
add action=masquerade chain=srcnat comment="MASQUE ALL TTK!" log-prefix="MASQ TTK: " out-interface=INET_TTK
add action=masquerade chain=srcnat comment="MASQUE ALL DOM!" log-prefix="MASQ DOM: " out-interface=INET_DOM_RU
add action=netmap chain=dstnat comment="allow web access" dst-address-list=PUBLIC_IP dst-port=80 log-prefix="WWW: " protocol=tcp to-addresses=192.168.88.251 to-ports=80
add action=netmap chain=dstnat comment="allow RCON srcds TCP connection" dst-address=FIRST_ISP_ADDRR dst-port=27015 protocol=tcp src-address-list="public rcon" to-addresses=192.168.88.250 to-ports=27015
add action=netmap chain=dstnat comment="allow My srcds UDP connection" dst-address=SECOND_ISP_ADDRR dst-port=27015 log-prefix="NAT_CSGO: " protocol=udp to-addresses=192.168.88.250 to-ports=27015
add action=netmap chain=dstnat comment="allow valve masterserver connection" dst-address=141.105.36.91 dst-port=26900,26901,26902 log=yes log-prefix="SRCDS to MS REQ:" protocol=udp to-addresses=192.168.88.250/31 to-ports=\
26900-26902
add action=netmap chain=dstnat comment="srcds clientport" dst-address=141.105.36.91 dst-port=27080 protocol=udp to-addresses=192.168.88.250 to-ports=27080
add action=netmap chain=dstnat comment="allow srctv connection" dst-address=141.105.36.91 dst-port=27400 protocol=udp to-addresses=192.168.88.250 to-ports=27400
add action=netmap chain=dstnat comment="allow RCON hlds TCP connection" dst-port=27777 in-interface-list=INETS protocol=tcp src-address-list="public rcon" to-addresses=192.168.88.251 to-ports=27777
add action=netmap chain=dstnat comment="allow hlds UDP connection" dst-port=27777 in-interface-list=INETS protocol=udp to-addresses=192.168.88.251 to-ports=27777
add action=netmap chain=dstnat comment=L2J disabled=yes dst-port=2106 in-interface-list=INETS protocol=tcp to-addresses=192.168.88.251 to-ports=2106
add action=netmap chain=dstnat comment=TORRENT disabled=yes dst-address-list=PUBLIC_IP dst-port=50000 protocol=udp to-addresses=192.168.88.251 to-ports=50000
add action=netmap chain=dstnat comment=TORRENT disabled=yes dst-address-list=PUBLIC_IP dst-port=50000 protocol=tcp to-addresses=192.168.88.251 to-ports=50000
add action=netmap chain=dstnat comment=L2J disabled=yes dst-port=7777 in-interface-list=INETS protocol=tcp to-addresses=192.168.88.251 to-ports=7777
add action=netmap chain=dstnat comment="Team Viewer" dst-port=5938 log-prefix="5938 dst-nat: " protocol=tcp src-address-list="public rcon" to-addresses=192.168.88.251 to-ports=593
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from INET not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=INETS log-prefix="DROP NOT DSTNATED: "
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="DROP INVALID: "
add action=accept chain=input comment="defconf: accept input established, related " connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface-list=INETS log-prefix="**** WINBOX: " protocol=tcp src-address-list="public rcon"
add action=accept chain=input comment="ICMP REQUEST" in-interface-list=INETS log-prefix="**** ICMP:" protocol=icmp src-address-list="public rcon"
add action=drop chain=input comment="view to other flood" in-interface-list=INETS log-prefix="DROP INETS: "
add action=drop chain=input comment="drop all from WAN" in-interface-list=WANS log-prefix="DROP WANS: "
As you can see from the network of the ISPs' addresses, the first ISP is from the same subnet 141.105.32.0/24,
but the second ISP has a multipath; its ADDRESS is not from NETWORK 10.71.255.126:
I can't understand why all traffic from INET_DOM_RU drops if Torch is disabled.
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24      192.168.88.0    BRIDGE
 1 D SECOND_ISP_ADDRR/32  10.71.255.126   INET_DOM_RU
 2 D FIRST_ISP_ADDRR/32   141.105.32.6    INET_TTK
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=INET_TTK gateway-status=INET_TTK reachable distance=1 scope=30 target-scope=10 routing-mark=to_TTK
1 A S dst-address=0.0.0.0/0 gateway=INET_DOM_RU gateway-status=INET_DOM_RU reachable distance=1 scope=30 target-scope=10 routing-mark=to_DOM
2 A S dst-address=0.0.0.0/0 gateway=INET_TTK gateway-status=INET_TTK reachable check-gateway=ping distance=1 scope=30 target-scope=10
3 S dst-address=0.0.0.0/0 gateway=INET_DOM_RU gateway-status=INET_DOM_RU reachable check-gateway=ping distance=2 scope=30 target-scope=10
4 ADC dst-address=10.71.255.126/32 pref-src=SECOND_ISP_ADDRR gateway=INET_DOM_RU gateway-status=INET_DOM_RU reachable distance=0 scope=10
5 ADC dst-address=141.105.32.6/32 pref-src=FIRST_ISP_ADDRR gateway=INET_TTK gateway-status=INET_TTK reachable distance=0 scope=10
6 A S dst-address=SECOND_ISP_ADDRR/32 pref-src=SECOND_ISP_ADDRR gateway=10.71.255.126 gateway-status=10.71.255.126 reachable via INET_DOM_RU distance=1 scope=10 target-scope=10
7 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=BRIDGE gateway-status=BRIDGE reachable distance=0 scope=10
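An added example, not part of the original post: a small Python audit over export lines like the ones above. It flags a per-connection-classifier value with no denominator/remainder, PCC remainders that no rule matches, and an unconditional fasttrack-connection rule next to mark-routing rules (FastTracked packets bypass mangle). SAMPLE is condensed from the post's rules; parse_export and audit are names made up for this example.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample, condensed from the mangle and filter rules in the post.
SAMPLE = """\
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=BRIDGE new-connection-mark=TTK_conn per-connection-classifier=both-addresses-and-ports:
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=BRIDGE new-connection-mark=DOM_conn per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=DOM_conn in-interface=BRIDGE new-routing-mark=to_DOM
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
"""

def parse_export(text):
    """Yield (section, {key: value}) for every 'add' line of a RouterOS export."""
    section = None
    # An export wraps long lines with a trailing backslash; join them first.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted values such as log-prefix whole
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return a list of findings about PCC coverage and FastTrack/mangle overlap."""
    findings, remainders = [], defaultdict(set)
    routing_marks = fasttrack = False
    for _section, rule in parse_export(text):
        action = rule.get("action")
        pcc = rule.get("per-connection-classifier")
        if pcc is not None:
            m = re.fullmatch(r"([\w-]+):(\d+)/(\d+)", pcc)  # classifier:denominator/remainder
            if m:
                remainders[(m[1], int(m[2]))].add(int(m[3]))
            else:
                findings.append(f"PCC value {pcc!r} lacks denominator/remainder")
        routing_marks |= action == "mark-routing"
        # Assumption of this check: only a fasttrack rule without a connection-mark match is flagged.
        fasttrack |= action == "fasttrack-connection" and "connection-mark" not in rule
    for (kind, denom), seen in sorted(remainders.items()):
        missing = sorted(set(range(denom)) - seen)
        if missing:
            findings.append(f"{kind}:{denom} never matches remainder(s) {missing}")
    if routing_marks and fasttrack:
        findings.append("fasttrack-connection coexists with mark-routing; FastTracked packets bypass mangle")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```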