PCC breaking certain sites for certain users, not all affected

Finally have PCC working, however it looks like it’s breaking some sites for some users… I disable PCC by disabling the two routes for WAN2, though I can also do the same for WAN1. One of the sites that has been problematic is business.facebook.com. For me it loads fine, but for other users on the local LAN it does not work unless I disable one of the WAN connections. Without one of them being disabled, the user experiences timeouts trying to access this site. I’m sure this isn’t the only site, but no one has spoken up… Once I disable one of the WAN connections, this site loads up immediately! Is there anything wrong with my config?

# Base addressing, DHCP, DNS and IP settings for a router with one LAN and two uplinks.
# NOTE(review): nothing is defined under /ip pool in this excerpt, although the DHCP
# server below references address-pool=default-dhcp - confirm the pool exists.
/ip pool
/ip address
# LAN gateway address, then one static address per uplink.
# NOTE(review): the LAN address is bound to interface "LAN", while the DHCP server and
# the LAN-side mangle rules match "bridge-local" - confirm which interface LAN traffic
# actually arrives on.
add address=192.168.200.1/24 interface=LAN network=192.168.200.0
add address=100.37.200.202/24 interface=WAN1 network=100.37.200.0
add address=65.23.200.230/29 interface=WAN2 network=65.23.200.224
/ip dhcp-client
# NOTE(review): WAN1 has a static address above and a DHCP client here. If the client
# is active and installs its own default route, that route lands in the main table
# alongside the static ones - confirm this is intended.
add comment=defconf dhcp-options=hostname,clientid interface=WAN1
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=defconf
/ip dhcp-server network
# Default-configuration leftover: this network (192.168.88.0/24) does not match the
# LAN subnet configured above (192.168.200.0/24).
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# Upstream resolvers are hosts inside the LAN subnet.
set servers=192.168.200.5,192.168.200.4,192.168.200.6
/ip dns static
# Default-configuration leftover: "router" still resolves to 192.168.88.1.
add address=192.168.88.1 name=router
/ip neighbor discovery settings
set default=no
/ip settings
# Loose reverse-path filtering: a packet's source only has to be reachable through some
# interface, not the one it arrived on. Strict mode would discard the asymmetric
# replies that a dual-WAN setup produces.
set rp-filter=loose
# Filter rules. Rules are evaluated top to bottom per chain and the first terminating
# match wins, so the order below decides which rules are ever reached. A rule without
# action= accepts.
/ip firewall filter
# Accepts every ICMP packet addressed to the router. Because this comes first, the
# ICMP rate limits further down (the "Allow limited pings" / "Drop excess pings" pair
# and the jump to the ICMP chain) never see a packet.
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
# Everything else arriving on either uplink is dropped here. All input rules below
# therefore only ever apply to traffic that did NOT arrive on WAN1 or WAN2.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN2
# NOTE(review): FastTracked packets skip the mangle rules, so once a connection is
# fasttracked its packets no longer receive the to_WAN1/to_WAN2 routing mark set in
# mangle prerouting and are routed by the main table instead. With both uplinks
# enabled this is a likely cause of timeouts for connections PCC assigned to WAN2:
# they are NATed for one uplink but leave through the other. Test with this rule
# disabled, or restrict it to traffic that is not policy-routed.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from either uplink are forwarded only if a dst-nat rule translated
# them; everything else inbound is dropped.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN1
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN2
# Second, older-looking input rule set. The next two rules repeat the
# established,related accept above and match nothing new.
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# Accepts any UDP packet to the router from a non-WAN interface, regardless of port.
add chain=input comment=UDP protocol=udp
# Unreachable: ICMP was already accepted by the first input rule.
add chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
# Management ports without a source restriction. WAN traffic never reaches these rules
# (dropped above), so they only admit non-WAN interfaces.
# NOTE(review): the ports must match /ip service, which is not shown here. If the WAN
# drops above are ever removed or reordered, these rules expose SSH and WinBox to the
# internet - add src-address or in-interface matchers.
add chain=input comment="SSH for secure shell" dst-port=2220 protocol=tcp
add chain=input comment=winbox dst-port=8220 protocol=tcp
# Accepts everything from the LAN subnet. Since this precedes the scan/DoS rules below,
# LAN hosts are never evaluated by them.
add chain=input comment="From our private LAN" src-address=192.168.200.0/24
# Port-scan detection: psd=<weight threshold>,<delay threshold>,<low-port weight>,
# <high-port weight>. Together with the two connection-limit rules it is only reached
# by TCP that is neither from WAN1/WAN2 nor from 192.168.200.0/24, so in this rule
# order it gives no protection against internet sources.
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
# Tarpit sources already on black_list once they hold more than 3 connections (per /32).
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
# Put a source on black_list for one day once it holds more than 10 TCP connections (per /32).
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
# Unreachable for the same reason as the ping rules above.
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
# NOTE(review): no rule in a chain named "services" appears in this excerpt; if the
# chain is empty the jump simply returns.
add action=jump chain=input comment="jump to chain services" jump-target=services
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
# Log, then drop, whatever is left.
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"
# Custom ICMP chain: accept selected type:code pairs at a limited rate, drop the rest.
# 0 = echo reply, 3:3 = port unreachable, 3:4 = fragmentation needed,
# 8 = echo request, 11 = time exceeded.
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5:packet protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5:packet protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5:packet protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5:packet protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# Mangle rules implementing PCC (per-connection-classifier) load balancing over WAN1
# and WAN2. Connection marks record which uplink a connection belongs to; routing
# marks select the matching routing table for each packet.
/ip firewall mangle
# Router-originated packets of an already marked connection leave through the uplink
# that connection belongs to.
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
# No action= means accept, which ends prerouting mangle processing for LAN traffic
# addressed to the two directly connected WAN subnets, so it is never PCC-marked.
add chain=prerouting dst-address=100.37.200.0/24 in-interface=bridge-local
add chain=prerouting dst-address=65.23.200.224/29 in-interface=bridge-local
# Connections initiated from the internet (to the router itself or forwarded through
# dst-nat) are tagged with the uplink they arrived on, so replies return the same way.
add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=no
# PCC: a hash over source and destination address is reduced modulo 3. Remainders 0 and
# 1 go to WAN1, remainder 2 to WAN2 (a 2:1 split). Because only addresses are hashed, a
# given client/server pair always uses the same uplink, so one LAN host can
# consistently reach a site through WAN1 while another is consistently sent via WAN2.
# NOTE(review): these rules match in-interface=bridge-local, while the LAN address in
# /ip address is bound to interface "LAN" - confirm the names line up.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN1_conn per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN1_conn per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=WAN2_conn per-connection-classifier=both-addresses:3/2
# Turn the connection mark into a routing mark for every LAN packet of the connection.
# Packets that bypass mangle (see the fasttrack rule in the filter table) never get
# this mark and are routed by the main table.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge-local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge-local new-routing-mark=to_WAN2
# NAT: source NAT per uplink, plus three inbound port forwards.
/ip firewall nat
# masquerade rewrites the source to the address of the outgoing interface.
# NOTE(review): to-addresses holds a whole subnet here and is presumably not used by
# masquerade - confirm. With static uplink addresses, action=src-nat with the single
# interface address would state the intent explicitly.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN1 to-addresses=100.37.200.0/24
add action=masquerade chain=srcnat out-interface=WAN2 to-addresses=65.23.200.224/29
# Inbound forwards. None has a src-address matcher, so each published port is reachable
# from any internet source; the internal hosts carry the whole burden of access control.
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN2 protocol=tcp to-addresses=192.168.200.99 to-ports=443
# TCP 1723 is the PPTP control port.
# NOTE(review): PPTP authentication and encryption are considered weak; if this forward
# serves a VPN, consider migrating to a stronger protocol or restricting the allowed
# sources.
add action=dst-nat chain=dstnat dst-port=1723 in-interface=WAN1 protocol=tcp to-addresses=192.168.200.15 to-ports=1723
add action=dst-nat chain=dstnat dst-port=443 in-interface=WAN1 protocol=tcp to-addresses=192.168.200.15 to-ports=443
# Routes: one default route per routing mark (policy routing for PCC) and the unmarked
# defaults in the main table. check-gateway=ping makes a route inactive while its
# gateway does not answer pings.
/ip route
add check-gateway=ping distance=1 gateway=100.37.200.1%WAN1 routing-mark=to_WAN1
# Both WAN2 routes are exported as disabled=yes, i.e. this export shows the workaround
# state in which everything leaves through WAN1.
# NOTE(review): with this route disabled, packets marked to_WAN2 presumably fall back
# to the main table - confirm.
add check-gateway=ping disabled=yes distance=1 gateway=65.23.200.225%WAN2 routing-mark=to_WAN2
# Main-table defaults: WAN1 preferred (distance 1), WAN2 as backup (distance 2). Any
# packet without a routing mark uses these.
add check-gateway=ping distance=1 gateway=100.37.200.1%WAN1
add check-gateway=ping disabled=yes distance=2 gateway=65.23.200.225%WAN2