PCC and callback authentication issue

Hi all,

With a PCC configuration, I’m unable to register on websites that use external authentication (e.g. aliexpress.com with Google or Facebook auth): right after the third-party agreement step, a blank page appears and the flow stops (e.g. at https://thirdparty.aliexpress.com/ggcallback.htm?state=blahblahblah).
This happens even when that website has been explicitly bypassed from PCC.

Any ideas?

Thanks
Luca

Wrong PCC configuration.

Any better hint please? :confused:
Thanks
Luca

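Use only src-address as the PCC classifier, so that every connection from a given LAN host leaves through the same WAN and the site sees a single source IP for the whole login flow.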

This happens even when that website has been explicitly bypassed from PCC.

Can you post your PCC configuration ?

Unfortunately it didn’t change the behaviour, apart from reducing throughput.
Thanks anyway
Luca

There are 3 SXT LTE6 routers with IP 172.16.2.1, 172.16.4.1 and 172.16.5.1

# LAN side: a single bridge that carries the client network.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
# One routing table per LTE uplink; the mangle rules in this export select
# them through the routing marks rt_wan2 / rt_wan4 / rt_wan5.
/routing table
add disabled=no fib name=rt_wan4
add disabled=no fib name=rt_wan2
add disabled=no fib name=rt_wan5
# NOTE(review): trusted=yes only has an effect when DHCP snooping is enabled
# on the bridge, which this export does not show - confirm it is intended.
# "dynamic" is presumably the built-in interface list; it is not defined here.
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=dynamic trusted=yes
# Connection tracking has to stay enabled: the connection marks and the
# masquerade rules elsewhere in this export depend on it.
# NOTE(review): the four lines after the section header are one "set"
# command; the line-continuation backslashes of the export appear to have
# been lost in the paste.
/ip firewall connection tracking
set enabled=yes tcp-close-wait-timeout=1m tcp-established-timeout=1h
tcp-fin-wait-timeout=1m tcp-last-ack-timeout=30s
tcp-syn-received-timeout=1m tcp-syn-sent-timeout=10s
tcp-time-wait-timeout=1m udp-timeout=30s
# NOTE(review): ether5 has an address, a masquerade rule and its own uplink
# in this export but is not a member of the WAN list - confirm whether that
# is intended. No rule shown in this export matches on the WAN list.
/interface list member
add interface=ether2 list=WAN
add interface=ether4 list=WAN
# Router addresses: .254 on each /24 that faces an LTE router, .20 on the LAN.
/ip address
add address=172.16.2.254/24 interface=ether2 network=172.16.2.0
add address=172.16.4.254/24 interface=ether4 network=172.16.4.0
add address=192.168.10.20/24 interface=bridge1 network=192.168.10.0
add address=172.16.5.254/24 interface=ether5 network=172.16.5.0
# exempt-from-pcc holds the three LTE routers and is used by the first
# mangle rule of this export.
# NOTE(review): cohousers, local_ip and internal are not referenced by any
# rule shown. The mangle rules also reference lists called
# "from LAN egress through WAN2/4/5", none of which is defined here.
/ip firewall address-list
add address=172.16.2.1 list=exempt-from-pcc
add address=172.16.4.1 list=exempt-from-pcc
add address=172.16.5.1 list=exempt-from-pcc
add address=192.168.10.0/24 list=cohousers
add address=127.0.0.1 list=local_ip
add address=192.168.10.20 list=local_ip
add address=192.168.0.0/16 list=internal
add address=172.16.0.0/16 list=internal
# Drop NetBIOS/SMB (ports 137-139 and 445, TCP and UDP) forwarded from the
# LAN bridge. Each drop rule is one command wrapped over two lines.
/ip firewall filter
add action=drop chain=forward dst-port=137-139,445 in-interface=bridge1
protocol=tcp
add action=drop chain=forward dst-port=137-139,445 in-interface=bridge1
protocol=udp
# NOTE(review): the three rules below accept everything else on every
# interface. In particular chain=input is open from ether2/ether4/ether5, so
# the router's own services are reachable from the uplink side. A stricter
# ruleset would accept established/related traffic, limit input to the LAN
# and to management sources, and end the input and forward chains with a drop.
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
# Mangle rules: classify LAN connections onto one of three uplinks.
# NOTE(review): every rule here is one command wrapped over several lines;
# the line-continuation backslashes of the export appear to have been lost.
/ip firewall mangle
# LAN traffic addressed to the LTE routers themselves leaves the prerouting
# chain here and is never marked.
add action=accept chain=prerouting comment=“exempt from PCC hosts”
dst-address-list=exempt-from-pcc in-interface=bridge1
# Static per-destination steering: a connection to an address in the named
# list is pinned to one uplink before the PCC rules can mark it.
# NOTE(review): dst-address-list carries the same text as the comment, and no
# address list with that name exists in the address-list section of this
# export, so these three rules would match nothing. If the website bypass
# relies on them, it is not taking effect - confirm the list names.
add action=mark-connection chain=prerouting comment=
“from LAN egress through WAN2” connection-mark=no-mark dst-address-list=
“from LAN egress through WAN2” dst-address-type=!local in-interface=
bridge1 new-connection-mark=conn_wan2 passthrough=yes
add action=mark-connection chain=prerouting comment=
“from LAN egress through WAN4” connection-mark=no-mark dst-address-list=
“from LAN egress through WAN4” dst-address-type=!local in-interface=
bridge1 new-connection-mark=conn_wan4 passthrough=yes
add action=mark-connection chain=prerouting comment=
“from LAN egress through WAN5” connection-mark=no-mark dst-address-list=
“from LAN egress through WAN5” dst-address-type=!local in-interface=
bridge1 new-connection-mark=conn_wan_5 passthrough=yes
# PCC proper: still-unmarked LAN connections are split three ways (3/0, 3/1,
# 3/2) on a hash of both addresses and both ports.
# NOTE(review): because the ports are part of the hash, separate connections
# from one client can leave through different uplinks and so reach a site
# from different public addresses. A login flow that spans several
# connections and hosts may then be rejected by a site that ties the session
# to the client address - likely relevant to the callback failure.
add action=mark-connection chain=prerouting comment=“PCC to WAN2”
connection-mark=no-mark dst-address-type=!local in-interface=bridge1
new-connection-mark=conn_wan2 passthrough=yes per-connection-classifier=
both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting comment=“PCC to WAN4”
connection-mark=no-mark dst-address-type=!local in-interface=bridge1
new-connection-mark=conn_wan4 passthrough=yes per-connection-classifier=
both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting comment=“PCC to WAN5”
connection-mark=no-mark dst-address-type=!local in-interface=bridge1
new-connection-mark=conn_wan_5 passthrough=yes per-connection-classifier=
both-addresses-and-ports:3/2
# Turn the connection mark into a routing mark for packets arriving from the
# LAN. The WAN5 mark is spelled conn_wan_5 (extra underscore) everywhere it
# is used, unlike conn_wan2 / conn_wan4.
add action=mark-routing chain=prerouting comment=“WAN2 egress”
connection-mark=conn_wan2 in-interface=bridge1 new-routing-mark=rt_wan2
passthrough=yes
add action=mark-routing chain=prerouting comment=“WAN4 egress”
connection-mark=conn_wan4 in-interface=bridge1 new-routing-mark=rt_wan4
passthrough=yes
add action=mark-routing chain=prerouting comment=“WAN5 egress”
connection-mark=conn_wan_5 in-interface=bridge1 new-routing-mark=rt_wan5
passthrough=yes
# Same translation in the output chain, i.e. for packets the router itself
# sends on an already-marked connection.
add action=mark-routing chain=output comment=“policy routing WAN2”
connection-mark=conn_wan2 new-routing-mark=rt_wan2 passthrough=yes
add action=mark-routing chain=output comment=“policy routing WAN4”
connection-mark=conn_wan4 new-routing-mark=rt_wan4 passthrough=yes
add action=mark-routing chain=output comment=“policy routing WAN5”
connection-mark=conn_wan_5 new-routing-mark=rt_wan5 passthrough=yes
# Connections that first appear on an uplink interface get that uplink's
# connection mark; together with the output-chain rules above this presumably
# keeps the router's replies on the uplink the connection came in on.
add action=mark-connection chain=prerouting comment=“mark inbound WAN2”
connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_wan2
passthrough=yes
add action=mark-connection chain=prerouting comment=“mark inbound WAN4”
connection-mark=no-mark in-interface=ether4 new-connection-mark=conn_wan4
passthrough=yes
add action=mark-connection chain=prerouting comment=“mark inbound WAN5”
connection-mark=no-mark in-interface=ether5 new-connection-mark=
conn_wan_5 passthrough=yes
# Source-NAT everything leaving through an uplink to the router's own address
# on that uplink. The LTE routers presumably translate again to their public
# addresses, so each uplink shows a different source IP to remote sites.
/ip firewall nat
add action=masquerade chain=srcnat comment=“WAN masq” out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat out-interface=ether5
# Routes. Every entry is one command wrapped over two or three lines.
/ip route
# NOTE(review): the first four routes show dst-address=/0, which looks like a
# garbled 0.0.0.0/0 - confirm against the router.
# NOTE(review): this route puts the WAN2 gateway (172.16.2.1) into table
# rt_wan4 at the same distance as the "marked default via WAN4" route below,
# so traffic marked for WAN4 may leave through WAN2.
add disabled=no distance=1 dst-address=/0 gateway=172.16.2.1 routing-table=
rt_wan4 suppress-hw-offload=no
# No routing-table is given on the next two routes, so they presumably land
# in main at distance=1 and take precedence over the distance=2
# "unmarked default" routes below.
add disabled=no distance=1 dst-address=/0 gateway=172.16.5.1
suppress-hw-offload=no
add disabled=no distance=1 dst-address=/0 gateway=172.16.4.1
suppress-hw-offload=no
# NOTE(review): 172.16.3.1 is not on any subnet configured in the address
# section of this export, so this gateway is probably unreachable.
add disabled=no distance=1 dst-address=/0 gateway=172.16.3.1 routing-table=
rt_wan2 suppress-hw-offload=no
# Per-uplink default routes for marked traffic, each monitored by pinging its
# gateway, followed by distance=2 defaults in main for unmarked traffic.
add check-gateway=ping comment=“marked default via WAN2” disabled=no
distance=1 dst-address=0.0.0.0/0 gateway=172.16.2.1 pref-src=0.0.0.0
routing-table=rt_wan2 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=“marked default via WAN4” disabled=no
distance=1 dst-address=0.0.0.0/0 gateway=172.16.4.1 pref-src=0.0.0.0
routing-table=rt_wan4 scope=30 suppress-hw-offload=no target-scope=10
add comment=“unmarked default via WAN2” disabled=no distance=2 dst-address=
0.0.0.0/0 gateway=172.16.2.1 pref-src=0.0.0.0 routing-table=main scope=30
suppress-hw-offload=no target-scope=10
add comment=“unmarked default via WAN4” disabled=no distance=2 dst-address=
0.0.0.0/0 gateway=172.16.4.1 pref-src=0.0.0.0 routing-table=main scope=30
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=“marked default via WAN5” disabled=no
distance=1 dst-address=0.0.0.0/0 gateway=172.16.5.1 pref-src=0.0.0.0
routing-table=rt_wan5 scope=30 suppress-hw-offload=no target-scope=10
add comment=“unmarked default via WAN5” disabled=no distance=2 dst-address=
0.0.0.0/0 gateway=172.16.5.1 pref-src=0.0.0.0 routing-table=main scope=30
suppress-hw-offload=no target-scope=10
# Static route to 172.16.1.0/24 through a host on the LAN (192.168.10.11).
add disabled=no distance=1 dst-address=172.16.1.0/24 gateway=192.168.10.11
pref-src=“” routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
# Policy-routing rules. Each rule is one command wrapped over two lines.
/routing rule
# Traffic for 192.168.0.0/16 matched on ether1 is looked up in main.
add action=lookup disabled=no dst-address=192.168.0.0/16 interface=ether1
routing-mark=main table=main
# NOTE(review): the next three rules match a per-uplink routing mark but
# resolve it only in table=main instead of the matching rt_wanN table. They
# also match on the uplink interface, while the mangle rules of this export
# set routing marks in prerouting only for packets entering on bridge1.
# Confirm what these rules are meant to do; as written they may never match,
# or may send marked traffic to the main table's default route.
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 interface=
ether2 routing-mark=rt_wan2 table=main
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 interface=
ether4 routing-mark=rt_wan4 table=main
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 interface=
ether5 routing-mark=rt_wan5 table=main