PCC - dstnat to local IP and routing to mail server

Mikrotik RB493AH OS v3.25
Two kinds of problems with PCC and 3-WAN load balancing:

  1. The route to the mail server always goes through the Internet provider's gateway, so I cannot use LAN speed to the mail server.

ether1 Local - 192.168.1.1

ether2 WAN1 - ADSL
ether3 WAN2 - leased line xx.xx.xx.58 gateway - xx.xx.xx.57
ether4 WAN3 - Cable Modem static IP

ether5 master port ether3 - mail server xx.xx.xx.59 gateway - xx.xx.xx.57

C:\Users\Mikrotik>tracert xx.xx.xx.59

Tracing route to mail.mailserver.com [xx.xx.xx.59] over a maximum of 30 hops:

  1  192.168.1.1
  2  xx.xx.xx.57
  3  mail.mailserver.com [xx.xx.xx.59]

Trace complete.

  2. I cannot access my local IP 192.168.1.15 (web server, Remote Desktop etc.) on WAN2 and WAN3 either.
     The connection cannot be fully established; it freezes.
     With WAN1 (ADSL) it is working fine, so I played with the mangle rules and changed the MTU/MSS on the non-ADSL connections.

I added the same mangle rules to WAN2 and WAN3 that are automatically added with the ADSL connection, and now it is working fine, but I want to find the real problem:

chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp in-interface=WAN2 tcp-mss=1441-65535 
chain=forward action=change-mss new-mss=1452 tcp-flags=syn protocol=tcp out-interface=WAN2 tcp-mss=1453-65535 
chain=forward action=change-mss new-mss=1440 tcp-flags=syn protocol=tcp in-interface=WAN3 tcp-mss=1441-65535 
chain=forward action=change-mss new-mss=1452 tcp-flags=syn protocol=tcp out-interface=WAN3 tcp-mss=1453-65535

full configuration:

/interface ethernet
set 0 arp=enabled disabled=no full-duplex=yes mtu=1500 name=LOCAL speed=100Mbps
set 1 arp=enabled disabled=no full-duplex=yes mtu=1500 name=ether2_adsl speed=100Mbps
set 2 arp=enabled disabled=no full-duplex=yes mtu=1500 name=WAN2 speed=100Mbps
set 3 arp=enabled disabled=no full-duplex=yes mtu=1500 name=WAN3 speed=100Mbps
set 4 arp=enabled disabled=no full-duplex=yes master-port=WAN2 mtu=1500 name=5.Mail speed=100Mbps

/ip pool add name=dhcp_pool1 ranges=192.168.10.90-192.168.10.190

/ip dhcp-server add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=LOCAL lease-time=3d name=LOCAL

/ppp profile
set default change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-vj-compression=default

/interface pppoe-client add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface=ether2_adsl max-mru=1480 max-mtu=1480 mrru=disabled name=WAN1 password=password profile=default service-name="" use-peer-dns=no user=adsl@adsl.com

/ip address
add address=192.168.10.1/24 broadcast=192.168.10.255 disabled=no interface=LOCAL network=192.168.10.0
add address=xx.xx.xx.58/29 broadcast=xx.xx.xx.63 disabled=no interface=WAN2 network=xx.xx.xx.56
add address=yy.yy.yy.39/24 broadcast=yy.yy.yy.255 disabled=no interface=WAN3 network=yy.yy.yy.0

/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.10.1,208.67.220.220 gateway=192.168.10.1

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark out only to WAN1" disabled=no dst-address=204.16.252.0/24 new-routing-mark=to_WAN1 passthrough=no src-address=192.168.10.115
add action=mark-routing chain=prerouting comment="Mark out only to WAN2" disabled=no dst-address=xx.xx.xx.0/19 new-routing-mark=to_WAN2 passthrough=no src-address=192.168.10.0/24

add action=mark-connection chain=input disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes

add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes

add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LOCAL new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LOCAL new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local in-interface=LOCAL new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses:3/2

add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no in-interface=LOCAL new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no in-interface=LOCAL new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn disabled=no in-interface=LOCAL new-routing-mark=to_WAN3 passthrough=yes

add action=change-mss chain=forward disabled=no in-interface=WAN2 new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add action=change-mss chain=forward disabled=no new-mss=1452 out-interface=WAN2 protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward disabled=no in-interface=WAN3 new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add action=change-mss chain=forward disabled=no new-mss=1452 out-interface=WAN3 protocol=tcp tcp-flags=syn tcp-mss=1453-65535

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN3
add action=dst-nat chain=dstnat disabled=no dst-port=9909 in-interface=!LOCAL protocol=udp to-addresses=192.168.10.16 to-ports=9909
add action=dst-nat chain=dstnat disabled=no dst-port=8877 in-interface=!LOCAL protocol=udp to-addresses=192.168.10.16 to-ports=8877
add action=dst-nat chain=dstnat disabled=no dst-port=3393 in-interface=!LOCAL protocol=tcp to-addresses=192.168.10.15 to-ports=3393
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=!LOCAL protocol=tcp to-addresses=192.168.10.15 to-ports=80

/ip route 
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.57 routing-mark=to_WAN2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=yy.yy.yy.1 routing-mark=to_WAN3 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=xx.xx.xx.57 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=zz.zz.zz.1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=zz.zz.zz.1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=yy.yy.yy.1 scope=30 target-scope=10

The PCC article has been modified to avoid this kind of issue:

add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=Local

With policy routing it is possible to force all traffic to a specific gateway, even if the traffic is destined to a host (other than the gateway) in the connected networks. This way a routing loop will be generated and communication with those hosts will be impossible. To avoid this situation we need to allow usage of the default routing table for traffic to connected networks.

Hello,
I can confirm that after adding this line

add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local

routing to the mail server is now OK.
But I still need to enable change-mss to 1440 to accept connections to the web server or Remote Desktop.

Well, it looks like your ISP uses tunnels without change-mss rules :)

Maybe… so the only solution is to do that myself? Is it OK to add those two lines, or might I ruin something else by doing that?

I cannot understand why I have MTU/MSS related problems with WAN2 (leased line) and WAN3 (cable modem).

Good morning to all.

In the example from the wiki:
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=Local
i.e. fixed IP addresses.
In my particular case I have 3 ADSL lines and the IP addresses are dynamic.

Question:
What can I do in my case, since the rule is for fixed IP addresses?

Thanks all.

Hi.. you put in the entire IP pool of your ISP.

Hi Godovic,
Thanks for your reply.
My MikroTik with PCC has its 3 ADSL WANs on the same router, dialing the Internet through PPPoE clients.
The router from my ISP is in bridge mode.
How do I put the dynamic IP that my ISP gives me into the mangle rule?

Thank you all.

Ask them to tell you the entire pool, like 100.200.0.0/19, and add it that way.

Thanks Godovic.
I put it in the mangle, but it does not mark the traffic properly.
The rules are in the same order as the example from the wiki.

Well.. paste your config here, so someone will help you for sure.. maybe I will :)

Thanks again for your input Godovic.
Here is my configuration..
If someone can help me.
Greetings to all.

[admin@Firewall-Router] /ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=mark-connection new-connection-mark=Telefonica1_conn
     passthrough=yes in-interface=Telefonica1

 1   chain=input action=mark-connection new-connection-mark=Telefonica2_conn
     passthrough=yes in-interface=Telefonica2

 2   chain=input action=mark-connection new-connection-mark=Telefonica3_conn
     passthrough=yes in-interface=Telefonica3

 3   chain=output action=mark-routing new-routing-mark=to_Telefonica1
     passthrough=yes connection-mark=Telefonica1_conn

 4   chain=output action=mark-routing new-routing-mark=to_Telefonica2
     passthrough=yes connection-mark=Telefonica2_conn

 5   chain=output action=mark-routing new-routing-mark=to_Telefonica3
     passthrough=yes connection-mark=Telefonica3_conn

 6   chain=prerouting action=accept dst-address=168.0.0.0 in-interface=Local

 7   chain=prerouting action=accept dst-address=201.254.0.0 in-interface=Local

 8   chain=prerouting action=accept dst-address=190.48.0.0 in-interface=Local

 9   chain=prerouting action=mark-connection
     new-connection-mark=Telefonica1_conn passthrough=yes
     dst-address-type=!local in-interface=Local
     per-connection-classifier=both-addresses:3/0

10   chain=prerouting action=mark-connection
     new-connection-mark=Telefonica2_conn passthrough=yes
     dst-address-type=!local in-interface=Local
     per-connection-classifier=both-addresses:3/1

11   chain=prerouting action=mark-connection
     new-connection-mark=Telefonica3_conn passthrough=yes
     dst-address-type=!local in-interface=Local
     per-connection-classifier=both-addresses:3/2

12   chain=prerouting action=mark-routing new-routing-mark=to_Telefonica1
     passthrough=yes in-interface=Local connection-mark=Telefonica1_conn

13   chain=prerouting action=mark-routing new-routing-mark=to_Telefonica2
     passthrough=yes in-interface=Local connection-mark=Telefonica2_conn

14   chain=prerouting action=mark-routing new-routing-mark=to_Telefonica3
     passthrough=yes in-interface=Local connection-mark=Telefonica3_conn

6 chain=prerouting action=accept dst-address=168.0.0.0 in-interface=Local

7 chain=prerouting action=accept dst-address=201.254.0.0 in-interface=Local

8 chain=prerouting action=accept dst-address=190.48.0.0 in-interface=Local

Should maybe be something like this:

6 chain=prerouting action=accept dst-address=168.0.0.0/8 in-interface=Local

7 chain=prerouting action=accept dst-address=201.254.0.0/16 in-interface=Local

8 chain=prerouting action=accept dst-address=190.48.0.0/16 in-interface=Local

?
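The two mistakes discussed in this thread (the wiki fix of accepting traffic to connected networks before any mark-routing rule, and the accept rules above that carry no prefix length and therefore match only a single host) are easy to catch by linting the exported mangle rules. The following is an added example, not code from the thread or from MikroTik: a small Python checker over constructed `/ip firewall mangle` export text. The 203.0.113.0/24 and 198.51.100.0/24 ranges stand in for the redacted xx.xx.xx.xx / yy.yy.yy.yy addresses, the interface names are assumed, and the "connected networks" dictionary is what `/ip address` would list for the WAN ports.

```python
"""Lint a RouterOS mangle export for the two PCC pitfalls raised in this thread.

Pitfall 1 (rules 6-8 in the last post): dst-address=168.0.0.0 with no prefix
length is a /32, so the accept rule matches one host instead of the ISP block.

Pitfall 2 (the wiki fix): traffic to networks directly connected to the router
must be accepted in prerouting before any mark-routing rule, otherwise policy
routing sends it to the WAN gateway and it hairpins back (the mail-server trace).
"""
import ipaddress
import re

# Constructed sample modelled on the thread's rule layout; not a real export.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes standing in for
# the xx.xx.xx.xx / yy.yy.yy.yy addresses the poster redacted.
BROKEN_MANGLE = """\
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting comment="missing prefix length" dst-address=198.51.100.0 in-interface=LOCAL
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LOCAL new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LOCAL new-routing-mark=to_WAN2 passthrough=yes
"""

# Same layout with the accept rules corrected and placed ahead of the marking rules.
FIXED_MANGLE = """\
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=accept chain=prerouting dst-address=203.0.113.56/29 in-interface=LOCAL
add action=accept chain=prerouting dst-address=198.51.100.0/24 in-interface=LOCAL
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LOCAL new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LOCAL new-routing-mark=to_WAN2 passthrough=yes
"""

# Networks directly connected to the WAN ports, as /ip address would list them (constructed).
CONNECTED_WANS = {
    "WAN2": ipaddress.ip_network("203.0.113.56/29"),
    "WAN3": ipaddress.ip_network("198.51.100.0/24"),
}

# key=value or key="quoted value" tokens on an `add ...` line
_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_rules(export_text):
    """Return each `add ...` line of a RouterOS export as a dict of its key=value pairs."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _KV.findall(line[4:])})
    return rules


def lint_pcc(export_text, connected):
    """Return a list of findings; an empty list means both pitfalls are absent."""
    rules = parse_rules(export_text)
    findings = []
    prerouting = [(i, r) for i, r in enumerate(rules) if r.get("chain") == "prerouting"]

    # Pitfall 1: a bare address is a /32 and matches a single host, not the block.
    for i, r in prerouting:
        dst = r.get("dst-address")
        if r.get("action") == "accept" and dst and "/" not in dst:
            findings.append(f"rule {i}: dst-address={dst} has no prefix length and matches one host only")

    # Pitfall 2: each connected network needs an accept rule ahead of the first mark-routing rule.
    first_mark = next((i for i, r in prerouting if r.get("action") == "mark-routing"), None)
    for name, net in connected.items():
        covered = False
        for i, r in prerouting:
            if r.get("action") != "accept" or "dst-address" not in r:
                continue
            try:
                accepted = ipaddress.ip_network(r["dst-address"], strict=False)
            except ValueError:
                continue  # negated or non-IP value (e.g. an address-list name); skip it
            if net.subnet_of(accepted) and (first_mark is None or i < first_mark):
                covered = True
                break
        if not covered:
            findings.append(f"{name}: connected network {net} is not accepted before mark-routing; "
                            "hosts on it will be policy-routed via the WAN gateway")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_MANGLE), ("fixed", FIXED_MANGLE)):
        print(f"{label}: {lint_pcc(text, CONNECTED_WANS) or 'no findings'}")
```

Run against `BROKEN_MANGLE` it reports the /32 accept rule and both uncovered connected networks; against `FIXED_MANGLE` it reports nothing. To check a real router, paste the output of `/ip firewall mangle export` in place of the sample text and fill the dictionary from `/ip address print`.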