Pcc and Hotspot

mikronab · December 17, 2012, 10:40am

Good Day

I have setup PCC and Hotspot with different profiles (3 in total) each having their own address list tags.

I want to limit 2 of the profiles so that they may not access Wan1. All attempts have not worked 100%. I tired the following where “src-address-list=Staffs” is the variable for ISP1. This just seems to mess with mail and skype. Browsing still works. I tried the same on Nat, trying to have only ISP1 nat to “src-address-list=Staffs”. Again no luck.

[admin@MikroTik] /ip firewall mangle> pri
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=accept dst-address=XX.XX.XX.140/30 
     src-address-list=Staffs hotspot=auth in-interface=LAN 

 1   chain=prerouting action=accept dst-address=192.168.XX.0/24 hotspot=auth 
     in-interface=LAN 

 2   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn 
     passthrough=yes src-address-list=Staffs hotspot=auth in-interface=ISP1 
     connection-mark=no-mark 

 3   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn 
     passthrough=yes hotspot=auth in-interface=ISP2 connection-mark=no-mark 

 4   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn 
     passthrough=yes dst-address-type=!local src-address-list=Staffs 
     hotspot=auth in-interface=LAN connection-mark=no-mark 
     per-connection-classifier=both-addresses:2/0 

 5   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn 
     passthrough=yes dst-address-type=!local hotspot=auth in-interface=LAN 
     connection-mark=no-mark per-connection-classifier=both-addresses:2/1 

 6   chain=prerouting action=mark-routing new-routing-mark=to_ISP1 
     passthrough=yes src-address-list=Staffs hotspot=auth in-interface=LAN 
     connection-mark=ISP1_conn 

 7   chain=prerouting action=mark-routing new-routing-mark=to_ISP2 
     passthrough=yes hotspot=auth in-interface=LAN connection-mark=ISP2_conn 

 8   chain=output action=mark-routing new-routing-mark=to_ISP1 passthrough=yes 
     src-address-list=Staffs hotspot=auth connection-mark=ISP1_conn 

 9   chain=output action=mark-routing new-routing-mark=to_ISP2 passthrough=yes 
     hotspot=auth connection-mark=ISP2_conn

Is there an easier way to do this?

Thanks in advance

mikronab · December 19, 2012, 6:09am

any suggestions?

mikronab · December 19, 2012, 10:11am

i did the following changed to the pcc and it seems to be working well.

1   chain=srcnat action=masquerade src-address-list=!Student out-interface=ISP1

This does not allow address list Student to nat to ISP1.

 4   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn 
     passthrough=yes dst-address-type=!local hotspot=auth in-interface=LAN 
     connection-mark=no-mark per-connection-classifier=src-address:2/0 

 5   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn 
     passthrough=yes dst-address-type=!local hotspot=auth in-interface=LAN 
     connection-mark=no-mark per-connection-classifier=src-address:2/1

no when i unplug ISP2, users from Student profiles are unable to access the internet whereas other profiles go on unaffected.