Daeron
February 5, 2011, 1:11am
1
Hello all,
I have been trying to get a PCC load balance configuration working on a 750 routerboard with no luck.
I followed the wiki example almost to the letter, except for the static IP addresses for the ISP; I used DHCP client for both WAN interfaces.
The problem is that I cannot get internet access, and I tested both WAN connections without the routerboard and they both work fine.
This is my configuration:
/ip dhcp-client
add comment="default configuration" disabled=no interface=WAN1/eth1 \
use-peer-dns=yes
add comment="" disabled=no interface=WAN2/eth5 use-peer-dns=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=200.44.32.12,200.11.248.12
/ip dns static
add address=192.168.88.1 comment="" disabled=no name=router ttl=1d
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=WAN1/eth1
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=WAN2/eth5
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=WAN1/eth1
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=WAN2/eth5
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=WAN1/eth1
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=WAN2/eth5
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=\
WAN1/eth1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
WAN2/eth5 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan1_conn \
disabled=no new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan2_conn \
disabled=no new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=Local/eth2 new-connection-mark=\
wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=Local/eth2 new-connection-mark=\
wan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn \
disabled=no in-interface=Local/eth2 new-routing-mark=to_wan1 passthrough=\
yes
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn \
disabled=no in-interface=Local/eth2 new-routing-mark=to_wan2 passthrough=\
yes
add action=accept chain=prerouting comment="" disabled=no dst-address=\
190.74.96.0/19 in-interface=Local/eth2
add action=accept chain=prerouting comment="" disabled=no dst-address=\
190.203.136.0/24 in-interface=Local/eth2
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=WAN1/eth1
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
WAN2/eth5
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WAN1/eth1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WAN2/eth5 routing-mark=to_wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WAN1/eth1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=WAN2/eth5 scope=30 target-scope=10
I appreciate any help you can give me.
Daeron
February 11, 2011, 12:54am
2
Hello again,
I found out that the problem has to do with only one of my ISPs, and happens when I enable the IP routes that have routing marks.
Here’s what I’ve tested:
Connection 1 alone with or without routing marks on the ip routes, works ok
Connection 2 alone without routing marks on the ip route, works ok
Connection 2 alone with routing marks on the ip route, doesn’t work
Connection 2 alone but passed through a Cisco wireless router, meaning that the public IP is on the Cisco router and a static IP on the RB, works ok with or without the routing marks in the IP route
It’s getting on my nerves because I can’t seem to find any reason why I can’t put routing marks with this particular ISP.
I don’t know if it has anything to do with this, but when the routing marks are enabled on Connection 2, the interface keeps getting about 90kbps all the time, even though not one client is requesting anything.
Also, I don’t think it has anything to do with this, but connection 1 is ADSL and connection 2 is cable modem.
Any help or test suggestion will be appreciated.
Feklar
February 11, 2011, 3:58pm
3
Your ISP should not see or care about what routing marks you use. Routing marks are just used internally to determine what routing table to be used in the MikroTik and the ISP will have no knowledge about them.
Please post:
/ip address print
/ip route print detail
Daeron
February 12, 2011, 2:16pm
4
Here you go:
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 ether4-local1
1 D 186.188.14.129/18 186.188.0.0 ether1-wan1
2 D 190.203.134.6/19 190.203.128.0 ether2-wan2
[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=ether1-wan1
gateway-status=ether1-wan1 reachable check-ga
scope=30 target-scope=10 routing-mark=to_wan1
1 A S dst-address=0.0.0.0/0 gateway=ether2-wan2
gateway-status=ether2-wan2 reachable check-ga
scope=30 target-scope=10 routing-mark=to_wan2
2 A S dst-address=0.0.0.0/0 gateway=ether2-wan2
gateway-status=ether2-wan2 reachable check-ga
scope=30 target-scope=10
3 S dst-address=0.0.0.0/0 gateway=ether1-wan1
gateway-status=ether1-wan1 reachable check-ga
scope=30 target-scope=10
4 ADC dst-address=186.188.0.0/18 pref-src=186.188.1
gateway-status=ether1-wan1 reachable distance
5 ADC dst-address=190.203.128.0/19 pref-src=190.203
gateway-status=ether2-wan2 reachable distance=0 scope=10
6 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether4-local>
gateway-status=ether4-local1 reachable distance=0 scope=10
Daeron
February 14, 2011, 4:38pm
5
I have solved the issue (partially).
I found out that the problem wasn’t really the routing marks, but the gateway itself. Apparently for this particular ISP I have to manually input the IP address of the gateway, and it’s not sufficient to just input the gateway interface name on the IP route.
By inputting the IP address on the IP route the service is working fine, load balancing and stuff, but I’m a little worried about what would happen if that gateway changes in the future.
Does anyone know why this happens?
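Post 5 traces the failure to default routes whose gateway is an interface name rather than a next-hop IP address. The following audit of a RouterOS export checks for that condition, and for routing marks set in mangle that no route uses; it is an added example, not part of the thread, and the trimmed sample config and the next hop 192.0.2.1 are constructed placeholders.

```python
import ipaddress
import re
import shlex

# Constructed sample in the thread's export style; 192.0.2.1 is a placeholder next hop.
SAMPLE = r"""
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_wan2
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\
    WAN2/eth5 routing-mark=to_wan2
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.0.2.1
"""

def parse_export(text):
    """Yield (section, {key: value}) for each 'add' line of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)

def is_ip(value):
    try:
        ipaddress.ip_address(value.split("%")[0])  # accept the ip%interface form
        return True
    except ValueError:
        return False

def audit(text):
    findings, marks_used, marks_routed = [], set(), set()
    for section, item in parse_export(text):
        if section == "/ip firewall mangle" and "new-routing-mark" in item:
            marks_used.add(item["new-routing-mark"])
        elif section == "/ip route":
            mark = item.get("routing-mark", "main")
            marks_routed.add(mark)
            gw = item.get("gateway", "")
            # Interface-name gateway on Ethernet: every destination is treated as on-link.
            if item.get("dst-address") == "0.0.0.0/0" and not is_ip(gw):
                findings.append(f"route[{mark}]: gateway '{gw}' is an interface name, not a next-hop IP")
    for mark in sorted(marks_used - marks_routed):
        findings.append(f"mangle sets routing mark '{mark}' but no route uses it")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```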
Caci99
February 14, 2011, 6:34pm
6
I observed some mistakes in your PCC configuration.
Here is how it should be:
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=\
WAN1/eth1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
WAN2/eth5 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=wan1_conn \
disabled=no new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=output comment="" connection-mark=wan2_conn \
disabled=no new-routing-mark=to_wan2 passthrough=no
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=Local/eth2 new-connection-mark=\
wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no \
dst-address-type=!local in-interface=Local/eth2 new-connection-mark=\
wan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn \
disabled=no in-interface=Local/eth2 new-routing-mark=to_wan1 passthrough=\
no
add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn \
disabled=no in-interface=Local/eth2 new-routing-mark=to_wan2 passthrough=\
no
add action=accept chain=prerouting comment="" disabled=no dst-address=\
192.168.88.0/24 in-interface=Local/eth2
It’s a bit strange that you have named your interfaces using the slash character “/”; it would be better to use wan1_ether1 instead of wan1/ether1.
Feklar
February 15, 2011, 4:28pm
7
Daeron:
I have solved the issue (partially).
I found out that the problem wasn’t really the routing marks, but the gateway itself. Apparently for this particular ISP I have to manually input the IP address of the gateway, and it’s not sufficient to just input the gateway interface name on the IP route.
By inputting the IP address on the IP route the service is working fine, load balancing and stuff, but I’m a little worried about what would happen if that gateway changes in the future.
Does anyone know why this happens?
Your IP and default gateway should rarely change, but that doesn’t mean they never will. Since you are getting both of your routes via DHCP for those links and just have static ones for the load balancing, it’s a little tricky setting up the appropriate rules to take remote access into account at all times. I would recommend looking into the DDNS scripts and modifying them somewhat. You can have the router send you an e-mail whenever it gets a new IP address, and use that to connect to it. In addition to the remote access mangle rules you have set up, I would narrow them down to the current IP address you are getting, so that if something should change you’ll at least have access through the main routing table of one connection.